How Do I Segment My Network?
I have a lot of different stuff that I’m dealing with on my home network, and I like to keep it segmented. There’s no reason to dump everything on one VLAN when I can isolate certain things.
I have a lot of VLANs, and all but management are /24s. This allows me to encapsulate all of the /24s with the /16. This means that for, say, my ESXi server at
10.0.10.10, the iDRAC on that server for out of band management is
Admins is an alias in the pfSense firewall, that contains my main computer, my laptop, and my phone. This lets me access things like management without allowing the whole VLAN access.
VLAN 10, Servers
For server-related things, such as ESXi and most VMs.
- Can access storage, and media.
- The ansible controller can access DMZ and IoT.
VLAN 20, Storage
Sort of similar, but for storage devices. I have things like Unraid sitting here.
- Can access Servers, and end devices.
VLAN 30, Media
This VLAN houses things like Plex and Funkwhale.
- Can access servers, and storage.
VLAN 70, Security
Eventually, when I get around to installing and setting up some cameras, they’ll go here.
Security is isolated
VLAN 80, DMZ
Anything I want public-facing goes here.
DMZ is isolated
VLAN 99, Management
Houses management interfaces for switches, out of band management for servers, access points, and the like.
- Can access the syslog server on 601, and UDP 514.
VLAN 100, End devices
My main user-facing devices, like computers, laptops, and such go here.
- Can access servers, storage, media, and IoT (for Chromecasts and such).
- Admins can access security, DMZ, and management.
VLAN 101, IoT
Things like Google Home, or Alexa devices.
- Can access media, and end devices.
VLAN 199, Guest
Guests that want internet have their own isolated VLAN so they can’t see anything else.
Guest is isolated
Guest has limiters, since I’m on a 20/5 connection