Overview
Once the M920q Tiny was prepped and pfSense CE was installed, the next step was laying out the network design. I wanted everything separated cleanly: homelab systems, my normal home devices, and all IoT gear. Each needed its own VLAN with its own DHCP scope, firewall rules, and traffic restrictions.
The goal wasn’t anything fancy. I just needed a layout that keeps things organized, limits cross-communication, and lets me manage everything predictably as the homelab grows.
VLAN Setup
I created three primary VLANs that cover every type of device in my environment.
Lab VLAN
This holds all homelab-related equipment:
- Proxmox nodes
- Containers
- VMs
- Monitoring systems
- Anything experimental or in testing
This VLAN stays isolated unless I specifically need access from Home or IoT.
Home VLAN
This is the normal user network:
- Phones
- Laptops
- Desktops
Clean traffic, nothing noisy, and it stays separate from the lab unless I explicitly permit exceptions.
IoT VLAN
This is where all the untrusted stuff goes:
- Smart plugs
- Smart appliances
- Cameras
- Anything internet-enabled that I don’t control firmware on
This one stays as stripped down as possible. No device in here needs outbound access to anything except the internet (plus DHCP and DNS from the firewall itself), and it definitely doesn’t need internal access to my lab or home devices.
DHCP and Addressing
Each VLAN got its own subnet and DHCP scope.
- Lab: DHCP pool with reservations
- Home: DHCP pool with some reservations but mostly dynamic
- IoT: Dynamic
Reservations keep addresses predictable when referencing devices from Proxmox, scripts, or future services such as reverse proxies or monitoring. The core services themselves use static IPs rather than reservations, so their addresses don’t depend on the DHCP server being up.
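As an added example (not from the post), here is a small check of an addressing plan like the one above: three subnets, a dynamic pool per VLAN, and a handful of reservations and static hosts. The subnets, MAC addresses and host names are placeholders, and it assumes pfSense holds the .1 address on every VLAN. It flags the mistakes that tend to bite later: overlapping subnets, a pool that swallows the gateway, and a reservation or static address that sits inside the dynamic range.

```python
import ipaddress

# Constructed addressing plan for the three VLANs; the post does not publish
# its real subnets, pool boundaries or MAC addresses, so these are placeholders.
PLAN = {
    "LAB": {
        "subnet": "10.10.10.0/24",
        "pool": ("10.10.10.100", "10.10.10.199"),
        "reservations": {"aa:bb:cc:00:00:01": "10.10.10.50"},   # MAC -> fixed lease
        "static": {"10.10.10.2": "proxmox-01", "10.10.10.3": "monitoring"},
    },
    "HOME": {
        "subnet": "10.10.20.0/24",
        "pool": ("10.10.20.100", "10.10.20.250"),
        "reservations": {"aa:bb:cc:00:00:02": "10.10.20.20"},
        "static": {},
    },
    "IOT": {
        "subnet": "10.10.30.0/24",
        "pool": ("10.10.30.50", "10.10.30.250"),
        "reservations": {},
        "static": {},
    },
}


def check_plan(plan):
    """Return a list of human-readable problems; an empty list means the plan is consistent.

    Checks: subnets do not overlap, each pool lies inside its subnet and excludes the
    gateway (.1 here) and broadcast address, and every reservation or static address is
    inside the subnet but outside the dynamic pool, with no address claimed twice.
    """
    problems = []
    nets = {name: ipaddress.ip_network(v["subnet"]) for name, v in plan.items()}
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a}/{b}: subnets overlap")

    for name, v in plan.items():
        net = nets[name]
        gateway = net.network_address + 1          # assumption: pfSense is .1 on every VLAN
        lo, hi = (ipaddress.ip_address(x) for x in v["pool"])
        if lo > hi:
            problems.append(f"{name}: pool start {lo} is after pool end {hi}")
        if lo not in net or hi not in net:
            problems.append(f"{name}: pool {lo}-{hi} is not inside {net}")
        if lo <= gateway <= hi:
            problems.append(f"{name}: pool includes the gateway {gateway}")
        if hi == net.broadcast_address:
            problems.append(f"{name}: pool includes the broadcast address")

        fixed = {}   # address -> who claims it, to catch double booking
        for mac, ip in v["reservations"].items():
            fixed.setdefault(ip, []).append(f"reservation for {mac}")
        for ip, host in v["static"].items():
            fixed.setdefault(ip, []).append(f"static host {host}")
        for ip_str, owners in fixed.items():
            ip = ipaddress.ip_address(ip_str)
            if len(owners) > 1:
                problems.append(f"{name}: {ip} claimed twice ({'; '.join(owners)})")
            if ip not in net:
                problems.append(f"{name}: {ip} ({owners[0]}) is outside {net}")
            elif lo <= ip <= hi:
                problems.append(f"{name}: {ip} ({owners[0]}) sits inside the dynamic pool")
            elif ip == gateway:
                problems.append(f"{name}: {ip} ({owners[0]}) collides with the gateway")
    return problems


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
```

pfSense’s own static-mapping form refuses an address inside the dynamic range, but a static host configured directly on a VM or container is never seen by pfSense, so that collision only shows up as a duplicate-address complaint later. Running a check like this over the whole plan catches it, and the overlapping-subnet case, before anything is typed into the GUI.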
Firewall Rules
Firewall rules were built on a simple idea: everything is blocked unless it needs to be opened.
Default behavior:
- No VLAN-to-VLAN communication
- Only Lab → IoT and Home → Lab where required
- WAN → internal only through VPN
Rules added:
- Lab → IoT: Only the ports I need for device control or management
- Home → Lab: Very limited, mostly for maintenance or accessing UI of specific services
- VPN ingress: OpenVPN traffic routed where needed, nothing else exposed
I used pfSense aliases for network groups and common ports so the rule list stays clean and readable.
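To make the policy above auditable, here is an added example (my own code, not pfSense’s rule engine or anything from the post) that models the rule list the way pfSense evaluates it: rules live on the interface the traffic enters, the first match wins, and anything unmatched hits the implicit default deny. Subnets, interface names, the .1 gateway addresses, and the management ports (443 and the Proxmox UI on 8006) are assumptions. It also covers the OpenVPN ingress rules from the VPN bullets, and shows the one ordering mistake that silently breaks IoT isolation: a "pass to any" rule placed above the "block private networks" rule.

```python
import ipaddress
from dataclasses import dataclass

# Constructed subnets and interface names for the example; the post does not
# publish its real addressing, so treat every value here as a placeholder.
NETS = {
    "LAB": "10.10.10.0/24",
    "HOME": "10.10.20.0/24",
    "IOT": "10.10.30.0/24",
    "VPN": "10.10.99.0/24",   # OpenVPN tunnel network, enters on the OPENVPN interface
}


def _nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Network aliases, the way pfSense aliases expand a name into a set of networks.
NET_ALIASES = {name: _nets(cidr) for name, cidr in NETS.items()}
NET_ALIASES["PRIVATE"] = _nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
# The firewall's own address on each VLAN (assumed to be .1), so clients can reach DNS.
NET_ALIASES["FIREWALL"] = _nets(*(str(ipaddress.ip_network(c).network_address + 1)
                                  for c in NETS.values()))
NET_ALIASES["any"] = _nets("0.0.0.0/0")
# Port aliases; None means any port. 8006 is the Proxmox web UI (assumed in use).
PORT_ALIASES = {"MGMT_WEB": {443, 8006}, "SSH": {22}, "DNS": {53}, "any": None}


@dataclass
class Rule:
    iface: str           # interface the packet arrives on; pfSense evaluates rules inbound
    action: str          # "pass" or "block"
    src: str             # network alias
    dst: str             # network alias
    proto: str = "any"
    dport: str = "any"   # port alias

    def matches(self, iface, src, dst, proto, dport):
        if self.iface != iface or self.proto not in ("any", proto):
            return False
        if not any(src in n for n in NET_ALIASES[self.src]):
            return False
        if not any(dst in n for n in NET_ALIASES[self.dst]):
            return False
        ports = PORT_ALIASES[self.dport]
        return ports is None or dport in ports


def first_match(rules, iface, src, dst, proto="tcp", dport=443):
    """Return the first rule that matches (pfSense's first-match semantics), or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.matches(iface, src, dst, proto, dport):
            return r
    return None


def allowed(rules, iface, src, dst, proto="tcp", dport=443):
    """True if the flow passes; no matching rule means the implicit default deny."""
    r = first_match(rules, iface, src, dst, proto, dport)
    return r is not None and r.action == "pass"


RULES = [
    # Lab: DNS to the firewall, a few management ports into IoT, nothing else internal, then internet.
    Rule("LAB", "pass", "LAB", "FIREWALL", "udp", "DNS"),
    Rule("LAB", "pass", "LAB", "IOT", "tcp", "MGMT_WEB"),
    Rule("LAB", "block", "LAB", "PRIVATE"),
    Rule("LAB", "pass", "LAB", "any"),
    # Home: DNS, the lab service UIs only, nothing else internal, then internet.
    Rule("HOME", "pass", "HOME", "FIREWALL", "udp", "DNS"),
    Rule("HOME", "pass", "HOME", "LAB", "tcp", "MGMT_WEB"),
    Rule("HOME", "block", "HOME", "PRIVATE"),
    Rule("HOME", "pass", "HOME", "any"),
    # IoT: DNS, then internet only. The block must sit above the pass-to-any rule;
    # "any" includes the other VLANs, so swapping these two opens IoT -> Lab.
    Rule("IOT", "pass", "IOT", "FIREWALL", "udp", "DNS"),
    Rule("IOT", "block", "IOT", "PRIVATE"),
    Rule("IOT", "pass", "IOT", "any"),
    # OpenVPN: remote users reach the Lab on management ports and nothing else.
    Rule("OPENVPN", "pass", "VPN", "LAB", "tcp", "MGMT_WEB"),
    Rule("OPENVPN", "pass", "VPN", "LAB", "tcp", "SSH"),
]


def policy_matrix(rules, dport=443, vlans=("LAB", "HOME", "IOT")):
    """Audit table: for each VLAN pair, can a host in src reach a host in dst on dport?"""
    host = {v: str(ipaddress.ip_network(NETS[v]).network_address + 10) for v in vlans}
    return {(s, d): allowed(rules, s, host[s], host[d], "tcp", dport)
            for s in vlans for d in vlans if s != d}


if __name__ == "__main__":
    for (s, d), ok in policy_matrix(RULES).items():
        print(f"{s:>4} -> {d:<4} {'pass' if ok else 'block'}")
```

The matrix is the thing worth keeping: rerun it after every rule change and diff the output, and an accidental new path between VLANs shows up as a flipped cell rather than as a surprise during an incident. The IoT block also illustrates why "internet only" is never a single pass rule in pfSense: "any" as a destination covers the other VLANs too, so the block to private networks has to come first.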
VPN Configuration
OpenVPN runs in SSL/TLS + User Auth mode, so a client needs both a valid certificate and a username and password to connect.
Remote access is scoped to the networks it actually needs rather than the whole environment.
Remote access rules live on the OpenVPN interface tab, separate from the LAN rules, which keeps everything organized and makes accidental overlap harder.
Additional Notes
- VLANs stay completely separated unless I manually allow exceptions
- DHCP scopes are easy to manage and expand if needed
- The rule set is small, readable, and organized
- Adding new VLANs or moving devices around doesn’t require redesigning anything
- Traffic flow is predictable and easy to audit
This setup gives me the segmentation I need without adding unnecessary complexity.