I have a lot of different stuff that I’m dealing with on my home network, and I like to keep it segmented. There’s no reason to dump everything on one VLAN when I can isolate certain things.

I have a lot of VLANs, and all but management are /24s. Management is a /16 that mirrors those /24s, so every host on a data VLAN has a matching address on the management network. This means that for, say, my ESXi server at 10.0.10.10, the iDRAC on that server for out-of-band management is 10.99.10.10.

Admins is an alias in the pfSense firewall that contains my main computer, my laptop, and my phone. This lets those hosts reach things like management without opening that access up to the whole VLAN.

VLAN 10, Servers

For server-related things, such as ESXi and most VMs.

  • Can access storage and media.
  • The Ansible controller can access DMZ and IoT.

VLAN 20, Storage

Sort of similar, but for storage devices. I have things like Unraid sitting here.

  • Can access servers and end devices.

VLAN 30, Media

This VLAN houses things like Plex and Funkwhale.

  • Can access servers and storage.

VLAN 70, Security

Eventually, when I get around to installing and setting up some cameras, they’ll go here.

  • Isolated (no access to other VLANs).

VLAN 80, DMZ

Anything I want public-facing goes here.

  • Isolated (no access to other VLANs).

VLAN 99, Management

Houses management interfaces for switches, out of band management for servers, access points, and the like.

  • Can access the syslog server on port 601 and UDP 514.

VLAN 100, End devices

My main user-facing devices, like computers, laptops, and such go here.

  • Can access servers, storage, media, and IoT (for Chromecasts and such).
  • Admins can access security, DMZ, and management.

VLAN 101, IoT

Things like Google Home, or Alexa devices.

  • Can access media and end devices.

VLAN 199, Guest

Guests that want internet have their own isolated VLAN so they can’t see anything else.

  • Isolated (no access to other VLANs).
  • Bandwidth limiters are applied, since I’m on a 20/5 (down/up) connection.
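The VLAN plan and the inter-VLAN rules above amount to an allow-list with a handful of host-level exceptions (the Admins alias, the Ansible controller, the syslog server). The following Python is an added example, not the author's pfSense configuration: it models that policy as a table and a single `allowed()` check, so a proposed flow can be tested against the design before a rule is added to the firewall. It assumes data VLANs use 10.0.<vlan>.0/24 and management uses 10.99.0.0/16 (the post only shows the 10.0.10.10 / 10.99.10.10 pair), and the host addresses for Admins, the Ansible controller and the syslog server are constructed placeholders.

```python
import ipaddress

# Added example modelling the post's VLAN plan. Subnet layout is assumed from the
# post's single example (10.0.<vlan>.0/24 data VLANs, 10.99.0.0/16 management).
VLANS = {
    10:  ("servers",     ipaddress.ip_network("10.0.10.0/24")),
    20:  ("storage",     ipaddress.ip_network("10.0.20.0/24")),
    30:  ("media",       ipaddress.ip_network("10.0.30.0/24")),
    70:  ("security",    ipaddress.ip_network("10.0.70.0/24")),
    80:  ("dmz",         ipaddress.ip_network("10.0.80.0/24")),
    99:  ("management",  ipaddress.ip_network("10.99.0.0/16")),
    100: ("end_devices", ipaddress.ip_network("10.0.100.0/24")),
    101: ("iot",         ipaddress.ip_network("10.0.101.0/24")),
    199: ("guest",       ipaddress.ip_network("10.0.199.0/24")),
}

# Constructed placeholder hosts (the post names the roles, not the addresses).
ADMINS = {ipaddress.ip_address(a) for a in ("10.0.100.10", "10.0.100.11", "10.0.100.12")}
ANSIBLE_CONTROLLER = ipaddress.ip_address("10.0.10.50")
SYSLOG_SERVER = ipaddress.ip_address("10.0.10.20")

# VLAN-to-VLAN allow matrix taken from the post's "Can access" bullets. A VLAN with
# no entry (security, dmz, management, guest) is isolated: it may initiate nothing.
ALLOW = {
    "servers":     {"storage", "media"},
    "storage":     {"servers", "end_devices"},
    "media":       {"servers", "storage"},
    "end_devices": {"servers", "storage", "media", "iot"},
    "iot":         {"media", "end_devices"},
}


def vlan_of(ip):
    """Return the VLAN name an address belongs to, or None if it is off-plan."""
    ip = ipaddress.ip_address(ip)
    for name, net in VLANS.values():
        if ip in net:
            return name
    return None


def oob_address(server_ip):
    """Mirror a data-VLAN host 10.0.X.Y onto its management twin 10.99.X.Y."""
    o = ipaddress.ip_address(server_ip).packed
    if o[0] != 10 or o[1] != 0:
        raise ValueError(f"{server_ip} is not on a 10.0.x.0/24 data VLAN")
    return ipaddress.ip_address(bytes((10, 99, o[2], o[3])))


def allowed(src, dst, proto="tcp", dport=None):
    """True if the policy lets src initiate a connection to dst.

    The firewall is stateful, so only the initiating direction is modelled;
    replies to an allowed flow are implicitly permitted.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    s, d = vlan_of(src_ip), vlan_of(dst_ip)
    if s is None or d is None:
        return False                      # unknown network: default deny
    if s == d:
        return True                       # same VLAN never crosses the firewall
    if d in ALLOW.get(s, set()):
        return True                       # VLAN-wide allow
    # Host-level exceptions from the post.
    if src_ip == ANSIBLE_CONTROLLER and d in {"dmz", "iot"}:
        return True
    if src_ip in ADMINS and d in {"security", "dmz", "management"}:
        return True
    if s == "management" and dst_ip == SYSLOG_SERVER \
            and (proto.lower(), dport) in {("tcp", 601), ("udp", 514)}:
        return True
    return False


if __name__ == "__main__":
    flows = [
        ("10.0.100.10", "10.99.10.10", "tcp", 443),   # admin laptop -> iDRAC
        ("10.0.100.50", "10.99.10.10", "tcp", 443),   # other end device -> iDRAC
        ("10.0.199.5",  "10.0.10.5",   "tcp", 22),    # guest -> server
        ("10.99.1.1",   "10.0.10.20",  "udp", 514),   # switch -> syslog
        ("10.99.1.1",   "10.0.10.20",  "tcp", 22),    # switch -> server ssh
    ]
    for f in flows:
        print(f, "ALLOW" if allowed(*f) else "DENY")
```

Keeping the matrix in one place makes "is X isolated?" a lookup rather than a scroll through the rule set, and the placeholders for Admins and the syslog server are the same entries that would become pfSense aliases.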