New network architecture


February 6, 2026

After improving my Wi-Fi setup, I started to focus on a wider overhaul of my whole home network. I knew I wanted to accomplish a few things:

  • remove my ISP’s router and replace it with a custom router, located in my home office instead of the networking cupboard in my living room
  • support VLANs for better security as I slowly incorporate more home automation
  • support 10Gbps networking for speed and future proofing
  • separate my NAS storage from the compute layer by building a new server and migrating all hosted services there

The first item on the list was actually the biggest constraint for me, and it led me down the rabbit hole of discovering VLANs in the first place: before I started researching, I had no idea what they were, or that I needed them. Don’t worry, if you don’t know what they are either I will do my best to explain it very carefully below.

My first thought was: the fibre enters my house in my living room, so how can I have my router in the office? I figured it meant the connection would need to first go into the office, through the router, then back out to the living room across a second cable. I spent a bit of time looking into how to lay additional cables, and then realised it was going to be extremely expensive and annoying, so I started trying to understand whether it was possible to use a single cable to accomplish what I wanted.

It was in this state that I turned to the r/homelab subreddit, which is a really great source of information (and photos of people’s gear that will make you jealous). I asked a question about how to accomplish what I wanted, and received an answer suggesting that I check out “VLANs” and “router on a stick” topology. Apparently this would give me a way to tag packets (or more accurately, frames) entering my network through the living room networking cupboard as WAN, have them automatically be forwarded to the router in the office, and then routed to the correct part of my network, which could be a device in the office, or back in the living room again.

Home network topology (diagram)

In order to get this to work, I discovered, I would need to upgrade my switches not just from 1Gbps to 10Gbps; they would also need to be managed. Rather than a simple switch that just “splits” the network and provides additional ports, a managed switch gives you a lot more configurability, crucially in my case the ability to define VLANs, which provides the frame-tagging setup that allows my topology to work.

Note

A note before we get started about the actual build order. As you will note below, I needed a VLAN-compatible router in order to change the network, so I actually did the router build and the network changes at the same time. I’ve split the posts up into two, so take a look at the next post for lots of details on my OPNsense router build and configuration.

VLANs

When you’re learning something complicated and (to me at least) new like networking, it can take a while to understand that there is a single term for something that you need. If you don’t know the word, you can spend ages poking in the wrong directions, but once you learn it you suddenly realise that your problem has been solved for decades and is so common that it has an industry standard name. The CAT6 cable between my home and garden office carries a trunk link: a single physical connection between two managed switches, configured to carry traffic from multiple VLANs simultaneously. Each frame travelling along the cable is tagged with its VLAN ID using the 802.1Q standard, so the switch at either end knows which VLAN it belongs to and can forward it accordingly.

Home network topology (diagram)

A “VLAN” then requires several different things working in tandem:

  • switches which know how to tag and untag frames and transfer them around the network
  • a router/firewall which knows which IPs correspond to which VLANs, and can set rules for communication between them (e.g. VLAN $x$ cannot access devices on VLAN $y$)
  • a table like the one below, which probably sits in the network designer’s head, or their documentation system of choice, which decides which devices get assigned to which VLANs
Trunk

  ID   Name
  1    Management
  10   WAN
  20   Trusted LAN
  30   Untrusted IoT
  40   Guest LAN
  50   DMZ
  60   AI DMZ

After quite a bit of research I settled on the seven VLANs in the table above. The numbers are the actual tags used when things are going around the network, but you can also use a very common and genius mnemonic of setting the devices in each VLAN to receive (static or through DHCP) IPs from the subnet 192.168.{$ID}.0/24. (Unfortunately this doesn’t hold up so well in IPv6 land where IP addresses are like sand).
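To make “tagged with its VLAN ID using the 802.1Q standard” concrete, here is an added example (not from the original post) that inserts and strips the 4-byte 802.1Q tag on a raw Ethernet frame and applies the 192.168.{ID}.0/24 mnemonic. The MAC addresses and payload are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag between the source MAC and the EtherType.
    TCI layout: PCP (3 bits) | DEI (1 bit, left 0) | VID (12 bits)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094 (0 and 4095 are reserved)")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is a 3-bit priority value")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def untag_frame(frame: bytes):
    """Return (vid, frame with the tag removed); vid is None if untagged.
    This is what a switch does on egress from an untagged (access) port."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    tci, = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]

def vlan_subnet(vid: int) -> str:
    """The mnemonic from the post: VLAN n is numbered 192.168.n.0/24."""
    if not 1 <= vid <= 254:
        raise ValueError("the mnemonic only works for IDs that fit in one octet")
    return f"192.168.{vid}.0/24"

# Constructed sample frame: destination MAC, source MAC, EtherType, stub payload.
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + struct.pack("!H", ETHERTYPE_IPV4) + b"stub payload")
```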

Management VLAN (1)

The management VLAN will just have my router, and my three core managed switches, which all have a nice web UI for management. After a lot of research I ended up buying the following switches.

  Type        Switch                       1Gbps   Multigig RJ45   10Gbps SFP+
  Managed     2x Zyxel XGS 1250-12         8       3               1
  Managed     MikroTik CRS305-1G-4S+IN     1       -               4
  Unmanaged   TP-Link TL-SG1005P (PoE)     5       -               -
  Unmanaged   TP-Link TL-SG1008MP (PoE)    8       -               -

This setup gives me a combined total of 30 x 1Gbps RJ45 Ethernet ports (of which 13 are PoE), 6 x “multigig” RJ45 Ethernet ports, which support 1/2.5/5/10Gbps, and 6 x 10Gbps SFP+ ports. So that’s 42 ports in total, and I have an additional 3 dumb 1Gbps switches with 5 ports each from my old setup if I ever need them. So I don’t think I’ll be buying a switch again in the near future.

The Zyxels were great buys. They’re sturdy, good quality, with a simple management interface that gives you exactly what you need and nothing more: it seems like if you are a “prosumer” and you want a managed switch, you pretty much need two features: VLANs and link aggregation (LAGG), which lets you combine multiple physical Ethernet links into a single virtual link for additional bandwidth and redundancy.

Home network topology

You can see above my VLAN configuration for the Zyxel switch in my living room. The first port has my Apple TV connected (VLAN 20) and the second my Hive hub (VLAN 30). Port 10 has the trunk line connected, and Port 9 is connected to the ISP’s ONT for the WAN link. If you look at the switch configuration screenshot above, green means untagged and orange means tagged, which I was mentally thinking about the wrong way around for a while at the start, leading to some problems (see below for some more details).

The MikroTik, which I used to add more 10Gbps ports in my office where I have all my 10Gbps capable devices, is a lot more capable and consequently a lot harder to figure out how to use. It even has a CLI!

SFP+ was new to me. It’s a different interface to RJ45 (which is used synonymously with “Ethernet” by most folks) and it’s a bit more flexible but trickier to use so hasn’t gained as much exposure and usage, except in 10Gbps and beyond where its benefits start to outweigh its drawbacks. I’ll write some more in a future post about how I set up the SFP+ ports with the right modules and fibre optics.

WAN VLAN (10)

I defined a VLAN for my WAN traffic. Like I showed in the diagrams above, this lets WAN traffic travel along the same trunk as LAN traffic in either direction, and be handled correctly by OPNsense (more on how to set this up in OPNsense in a future post).

Trusted VLAN (20)

All the main devices in my house that I want to be able to access the main LAN, and that I trust, are assigned IPs in this VLAN. This includes my and my wife’s laptops, the NAS, our Apple TV and in the future the Proxmox server I want to build. The main Wi-Fi network used by all our phones and computers is set up through the UniFi controller to be assigned to this VLAN as well.

IoT VLAN (30)

Our Hive Hub, which controls the thermostat in our house, as well as some cheap AliExpress IoT stuff (another thermostat to control my office heater, some smart switches and plugs) is no longer on the same network as all our trusted devices. These sit in their own VLAN, which has access to the internet but not “sideways” to the trusted LAN. I had to set up a second Wi-Fi network with a different SSID on this VLAN, and make sure the connection to the PoE switch that connects to the APs (port 8 in the image above) is also a trunk line carrying the 20, 30 and 40 VLANs (see below).

Guest VLAN (40)

Similarly, there’s no reason guests need to access the files and media we store on our LAN devices. So I set up an additional Wi-Fi network in this VLAN that guests can access. Like the IoT VLAN, it can access the Internet but has no access to our trusted devices. It also has a bandwidth limit.

DMZ and AI DMZ VLANs (50 and 60)

The last two VLANs are even more “tightly secured”. Here I have very tight firewall rules defined because services here can be accessed from the Internet: it’s where this site is served from. I also wanted very fine, port-level control over a second VLAN for AI agents, and to have these separated from my regular DMZ. Again, more about this in the next post.

Lessons learned

Setting up VLANs is a notoriously frustrating process. There were several times where I locked myself out of the network by misconfiguring the Wi-Fi network that my laptop was using to access the switches. There are ways to avoid this if you know what you’re doing upfront, but the most important are to work through a physical connection to the switch wherever possible, and to design your network over multiple iterations on paper (or draw.io) before actually configuring anything.

The main lockout incident happened while configuring the living room Zyxel switch. I changed the VLAN tags on Port 8 (which connected to the PoE switch feeding my APs), which immediately killed the Wi-Fi. I then tried accessing the switch via a different port, but that port was on VLAN 20 while switch management was still on VLAN 1, with no routing between them.

A power cycle didn’t help because the config had already been saved. I tried accessing the living room switch from the office switch, but hit the same VLAN 1 vs VLAN 20 routing problem across the trunk. Eventually the resolution required a factory reset of the living room switch (holding the physical reset button), reconfiguring from scratch, and being careful to set up management access on VLAN 20 before changing port assignments.

There was also a second lockout around the trunk link between the two switches. The living room switch had VLAN 1 set to untagged on the trunk port instead of tagged (like I mentioned above I was thinking about VLAN tagging/untagging the wrong way around), which broke management access across switches. I had to plug into the switch and fix the trunk tagging.

The pattern was always the same: changing a port’s VLAN assignment while connected through that port (or a dependent path), then losing the ability to reach the switch management interface to undo the change. So it’s important to always maintain a known-good management path before touching VLAN configs, and work through a direct physical connection to the switch you’re modifying.
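As an added example (not the author’s configuration), the following Python models a switch’s per-port tagged/untagged/PVID membership so the pre-check described above can be run before a change is applied: it reproduces both lockouts, port 8 losing the management VLAN and the trunk carrying VLAN 1 tagged on one end but untagged on the other. Port numbers and VLAN IDs are from the post; the admission rules and the exact memberships are simplifying assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    """802.1Q membership of one switch port. Simplified model (an assumption,
    not the Zyxel's exact logic): a tagged frame is admitted only if its VID
    is in `tagged`; an untagged frame is classified into `pvid`, which must
    be in `untagged`. Anything else is dropped at the port."""
    tagged: frozenset = frozenset()
    untagged: frozenset = frozenset()
    pvid: int = 1

    def admits(self, vid: int, arrives_tagged: bool) -> bool:
        if arrives_tagged:
            return vid in self.tagged
        return vid == self.pvid and vid in self.untagged

def mgmt_reachable(ports: dict, via_port: int, mgmt_vlan: int,
                   arrives_tagged: bool = False) -> bool:
    """Can frames entering `via_port` reach this switch's management VLAN?"""
    return ports[via_port].admits(mgmt_vlan, arrives_tagged)

def trunk_mismatches(a: Port, b: Port) -> frozenset:
    """VLANs the two ends of a trunk disagree on (tagged on one side,
    untagged or absent on the other): the second lockout described above."""
    return (a.tagged ^ b.tagged) | (a.untagged ^ b.untagged)

def apply_change(ports: dict, port_no: int, new_cfg: Port, via_port: int,
                 mgmt_vlan: int, arrives_tagged: bool = False) -> dict:
    """Refuse a port change that would cut the management path currently in use."""
    trial = {**ports, port_no: new_cfg}
    if not mgmt_reachable(trial, via_port, mgmt_vlan, arrives_tagged):
        raise RuntimeError(f"port {port_no} change would cut VLAN {mgmt_vlan} "
                           f"management access via port {via_port}")
    return trial
V = frozenset  # shorthand for the constructed configs below
# Living-room switch before the incident. Port roles come from the post; the
# exact memberships are constructed for this example.
LIVING_ROOM = {
    1: Port(untagged=V({20}), pvid=20),   # Apple TV, VLAN 20
    2: Port(untagged=V({30}), pvid=30),   # Hive hub, VLAN 30
    8: Port(untagged=V({1}), pvid=1),     # PoE switch -> APs -> laptop (management path)
    9: Port(untagged=V({10}), pvid=10),   # ISP ONT, WAN VLAN 10
    10: Port(tagged=V({10, 20, 30, 40, 50, 60}), untagged=V({1}), pvid=1),  # trunk, VLAN 1 untagged
}
OFFICE_TRUNK = Port(tagged=V({1, 10, 20, 30, 40, 50, 60}))  # office end: VLAN 1 tagged
# Port 8 retagged for the APs with VLAN 1 dropped (the lockout) vs. with VLAN 1 kept.
BAD_PORT8 = Port(tagged=V({30, 40}), untagged=V({20}), pvid=20)
SAFE_PORT8 = Port(tagged=V({20, 30, 40}), untagged=V({1}), pvid=1)
```

Moving management to VLAN 20 first, as the post ends up doing, makes the same port 8 change safe: `mgmt_reachable({**LIVING_ROOM, 8: BAD_PORT8}, 8, 20)` is true.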

The finished product

Below is a simplified diagram of my new setup, colour-coded to show the VLAN setup. You can compare it to the diagram of my old setup in the introduction post to see how much of an improvement this is, and that it accomplishes all the goals I set out at the start of this post. It took quite a bit of frustration and effort to get it working, but it is supremely satisfying now it’s all up and running.

Home network topology (diagram)

In future posts I will go into a lot more detail about the router setup, the 10Gbps side of the networking (the thicker lines in the diagram above represent links which are 10Gbps), and the biggest part of the setup: the new Proxmox server I am planning to build to host all my applications and services.