Last week, we explored the fundamentals of planning and mapping your network, including how to inventory devices, assign logical IP addresses, and name each element in your homelab for clarity. By organizing your infrastructure before making changes, you ensure that future expansions and security improvements remain manageable and predictable. If you missed it, you can review the full guide here: Mapping & Naming Your Network.

With a clear map and naming convention in place, the next step is segmenting your network for security and operational efficiency. Instead of allowing all devices to communicate freely, logical divisions limit access between systems, protect sensitive infrastructure, and set the stage for more advanced security practices. This guide provides a practical example of network segmentation: creating a dedicated Management VLAN.

Tip: Segmenting early avoids headaches later. A VLAN plan done before expanding the network saves time and reduces risk.

The Management VLAN is reserved for critical infrastructure devices, such as your firewall, switches, and access points. Isolating these devices from general network traffic reduces the risk of accidental misconfigurations or compromise from less trusted devices. This guide shows how to create the VLAN, assign IP addresses, and configure devices so that your infrastructure remains both isolated and fully manageable.

Beyond simply creating a VLAN, this guide demonstrates how to enforce security policies, including blocking internet access for the Management VLAN and restricting web-based management to a single trusted PC. While our lab uses specific devices and IPs, the principles—planning, VLAN tagging, firewall rules, and verification—apply to any VLAN added later, from server segments to guest networks. Following these steps establishes a secure, organized framework for any homelab.

Understanding VLANs and Traffic Segmentation

VLANs, or Virtual Local Area Networks, create logical networks over the same physical infrastructure. Instead of separate switches for every device group, VLAN tags (802.1Q) segment traffic. Tagged frames carry VLAN identifiers, allowing switches and routers to determine which network the traffic belongs to. This grouping improves organization by function, security level, or trust, reduces unnecessary communication, and minimizes the attack surface.

Traffic segmentation benefits:

• Security: Devices on separate VLANs cannot communicate unless explicitly allowed
• Performance: Broadcast traffic remains contained within each VLAN
• Management: Logical grouping makes monitoring and troubleshooting simpler

Understanding these principles makes network tools more effective, including those covered in Mastering Network Tools, allowing scans and monitoring to target specific VLANs with precision.

In this example, the Management VLAN isolates devices such as OPNSense, Dell and 3Com switches, and Wi‑Fi access points. This separation reduces exposure to less trusted devices while providing a secure space for administrative traffic. The same approach applies to other VLANs: workstations, servers, IoT devices, or guest networks. Isolation alone is insufficient; VLANs must be paired with proper firewall rules and access restrictions to maintain security. This principle reinforces concepts introduced in Ports for Everyone and Firewall Rules and Policies.

Quote: “A VLAN without firewall rules is just a virtual free-for-all.”

VLANs also serve as a foundation for advanced security setups. For example, combining a Management VLAN with a VPN allows remote access to infrastructure without exposing devices directly to the internet. Techniques like those described in Implementing WireGuard VPN on OPNSense complement VLAN segmentation by adding encrypted remote access for administrators.

Planning Your Management VLAN

A detailed plan is crucial before creating a VLAN. Start by determining which devices will reside in the Management VLAN:

• Firewalls (OPNSense or equivalent)
• Network switches (Dell, 3Com, etc.)
• Access points
• Trusted administrative PCs

Next, decide whether each device will use static IP addresses or DHCP. Static IPs are recommended for infrastructure devices to ensure predictable connectivity, simplify firewall rules, and make monitoring straightforward. DHCP can be useful for larger, dynamic VLANs, but fixed IPs reduce ambiguity and configuration errors in critical segments.

Map switch ports to identify whether they should be tagged (trunk) or untagged (access). Trunk ports carry multiple VLANs between switches; access ports connect a single device to its designated VLAN. Preparing a diagram or table of this mapping before making changes prevents configuration mistakes and reduces troubleshooting later.

Example IP Layout for VLAN 10

Other lab IP ranges for context:

• 192.168.20.10–19 – General PCs
• 192.168.20.20–29 – Servers
• 192.168.20.30–39 – Phones and tablets
• 192.168.20.40–49 – Printers and peripherals
• 192.168.20.100+ – DHCP clients
• 192.168.30.x – Work network on a third NIC

Using static IPs simplifies troubleshooting, makes firewall rules predictable, and ensures logs are easy to interpret. Even in small networks, static addresses help maintain clarity, especially when combined with monitoring tools. Maintaining consistent conventions supports repeatable, organized expansion for future VLANs.

VLAN Tagging vs Port Type

Tip: Always use access ports for endpoints and trunk ports for uplinks. Misconfiguring these can break connectivity or expose networks unintentionally.

Configuring the VLAN in OPNSense and Switches

Follow this order to ensure VLANs are fully functional and devices remain reachable. We are using VLAN10 as an example below.

Create the VLAN in OPNSense

• Navigate: Interfaces → Assignments → VLANs
• Add a new VLAN:
  • Parent Interface: LAN
  • VLAN Tag: 10
  • Description: Management

Assign the VLAN interface in OPNSense

• Go to Interfaces → Assignments
• Add the new VLAN10 interface
• Enable the interface
• Do not assign static IPs yet – IPs come later after switch configuration

Configure VLANs on Switches

Correct switch configuration ensures devices are placed in the proper VLAN and communication flows as expected.

Dell PowerConnect Switch:

• Create VLAN 10
• Assign ports connected to infrastructure devices as untagged/access members of VLAN 10
• Set uplink ports connecting to other switches or the firewall as tagged/trunk

3Com PoE Switch:

• Create VLAN 10
• Assign APs, hotspot gear, and other infrastructure devices to untagged/access
• Ensure uplink to Dell switch or firewall is tagged/trunk

Tip: Verify that all switches have the correct VLAN configuration before moving to IP assignment. Misconfigured trunks or access ports will break connectivity when IPs are assigned.

Wi‑Fi extenders or repeaters may participate in VLAN10 for monitoring while serving clients on another subnet. This allows administrators to manage devices without exposing infrastructure to general traffic.

Assign static IPs to devices

Once OPNSense and all switches are configured and VLAN10 exists across the network:

• Assign static IPs to infrastructure devices (firewall, switches, access points, and trusted PCs) according to your VLAN plan
• Set subnet mask and gateway consistent with VLAN10
• Do not assign IPs earlier – assigning IPs before VLAN exists can make devices unreachable

Configure firewall rules in OPNSense

• Block all outbound internet traffic for VLAN10:

  • Action: Block

    Source: VLAN10 net

    Destination: any

• Allow internal management traffic:

  • Action: Pass

    Source: VLAN10 net

    Destination: VLAN10 net

• Allow web access only from the trusted PC:

  • Action: Pass

    Source: 192.168.20.10

    Destination ports: 80,443

Verify connectivity and functionality

• Ping devices within VLAN10 to confirm connectivity
• Access management interfaces from the trusted PC
• Confirm internet access is blocked from VLAN10
• Review VLAN membership tables on switches
• Test trunk and access ports to ensure proper tagging and isolation

Pullout Tip: Treat verification as part of configuration. Segmentation isn’t complete until connectivity, firewall rules, and access restrictions are tested.

Summary

This guide demonstrated establishing a Management VLAN to isolate critical infrastructure devices, including OPNSense, switches, and access points. By creating a dedicated network, exposure to less trusted devices is reduced, providing a foundation for secure, controlled network management.

We planned the VLAN, assigned IP addresses, and mapped devices to specific ports. The example lab illustrates OPNSense as the central routing and firewall point, enforcing communication rules while giving a clear view of traffic between VLANs.

Configuration on both OPNSense and the Dell and 3Com switches covered creating interfaces, tagging ports, assigning trunk and access ports, and verifying connectivity. Firewall rules prevent internet access for management devices while allowing selective access for trusted systems.

Finally, testing and verification ensure segmentation and access restrictions operate as intended. By running connectivity checks and confirming that only authorized devices can reach management interfaces, you close potential security gaps and maintain confidence in your network design. These steps provide a repeatable framework for deploying additional VLANs and maintaining an organized, secure homelab environment.