Zero-trust style VLAN segmentation for a homelab that stays manageable

2026-02-06

For a long time my homelab lived on a single flat network.
It worked. Nothing felt broken. Everything could talk to everything.

Then one evening a misconfigured container started scanning the entire LAN.
Nothing catastrophic happened, but that moment made something very clear:
a flat network is calm until the exact moment it isn’t.

This guide is not about enterprise zero trust theory.
It is about a realistic VLAN layout that improves security without turning your firewall into a full-time job.

The goal is simple:

  • Limit damage when something gets compromised
  • Keep management access clean and predictable
  • Stay maintainable months from now

If a design is secure but too complex to live with, it will slowly decay.
Homelabs need balance more than perfection.


The typical homelab problem

Most homelabs slowly grow into a mix of:

  • Hypervisors and switches
  • VMs and containers
  • NAS or backup storage
  • Personal devices
  • Random IoT gear that nobody fully trusts

At first everything sits in one subnet because it is easy.
Later, that same simplicity becomes the biggest risk.

The real issue is uncontrolled lateral movement.
If one device is compromised, nothing stops it from reaching everything else.

Segmentation fixes that.
But segmentation must stay simple, or nobody will maintain it.


Step 1. Start with five VLANs, not twenty

A small, opinionated layout works best:

VLAN 10 – Clients
Laptops, desktops, phones.

VLAN 20 – Servers
VMs, containers, reverse proxy, applications.

VLAN 30 – Infrastructure / Management
Hypervisors, switches, firewall UI, IPMI or iDRAC.

VLAN 40 – Storage and backup
NAS, Ceph, Proxmox Backup Server, storage networks.

VLAN 50 – IoT or untrusted devices
Smart home gear, printers, anything cloud-heavy.

This is enough separation to matter without becoming painful to manage.

In my own lab I started with only three VLANs.
Clients, Servers, Infrastructure.
Storage and IoT were split later when risk actually justified the effort.
You do not need perfection on day one.


Step 2. Default deny between VLANs

This is the single change that improves security the most.

Set the rule:

Block inter-VLAN traffic by default.

Then add only the flows you truly need.

Yes, this creates extra work in the beginning.
But it also creates something surprisingly valuable:
a calm network where nothing unexpected can talk across boundaries.

Once you experience that calm, it is hard to go back.


Step 3. Six firewall rules that cover most homelabs

You rarely need dozens of rules.
Most labs function well with a small, clear set.

1. Clients to Servers

Allow web traffic to applications or reverse proxy.
Allow SSH or RDP only from an admin workstation if required.

2. Clients to Infrastructure

Permit management access only from a trusted admin device or subnet.
Block everyone else.

3. Servers to Storage

Allow only the storage protocols actually in use, such as NFS, SMB, or iSCSI.
Do not allow storage systems to initiate connections back; a stateful firewall already lets replies to established sessions through, so the only direction you need to open is servers to storage.

4. Servers to Infrastructure

Permit DNS, NTP, and monitoring targets.
Nothing more unless you have a clear reason.

5. IoT to Internet only

Block IoT access to internal VLANs.
If something must integrate locally, allow only that specific path.

Your smart light bulb does not need to reach Proxmox.
Ever.

6. Infrastructure outbound access

Keep this minimal.
Most infrastructure devices should not initiate random connections across the network.

These six patterns solve most real problems without complexity.
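To make the default-deny stance and the six patterns concrete, here is an added example (not configuration from the post) that models the policy as a small rule table and evaluates new connections against it. The /24 ranges, the admin workstation at 10.0.10.5, the resolver at 10.0.30.53 and the port choices are assumptions for the example; a real firewall would also permit reply traffic through connection tracking, which the model leaves to the stateful firewall rather than encoding.

```python
"""Segmentation policy model: default deny between VLANs plus the six
allow patterns. Addressing, host IPs and port choices are assumptions
for this example, not values taken from the post."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Assumed addressing: one /24 per VLAN, numbered after the VLAN id.
VLANS = {
    "clients": ip_network("10.0.10.0/24"),
    "servers": ip_network("10.0.20.0/24"),
    "infra": ip_network("10.0.30.0/24"),
    "storage": ip_network("10.0.40.0/24"),
    "iot": ip_network("10.0.50.0/24"),
}
ADMIN_HOST = ip_network("10.0.10.5/32")   # assumed admin workstation / jump host
DNS_NTP = ip_network("10.0.30.53/32")     # assumed internal resolver and NTP source
INTERNET = "internet"                     # anything outside the VLAN ranges


@dataclass(frozen=True)
class Rule:
    src: object        # VLAN name, IPv4Network, or INTERNET
    dst: object
    proto: str         # "tcp" or "udp"
    ports: frozenset   # destination ports; empty set means any port
    reason: str        # plain-language reason, as Step 7 asks for


def vlan_of(addr: IPv4Address) -> str | None:
    """Name of the VLAN that contains addr, or None for non-lab addresses."""
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


def _matches(selector, addr: IPv4Address) -> bool:
    """True if addr falls inside the selector (VLAN name, network or internet)."""
    if selector == INTERNET:
        return vlan_of(addr) is None
    if isinstance(selector, str):
        return addr in VLANS[selector]
    return addr in selector


POLICY = [
    # 1. Clients to Servers: web to the reverse proxy; SSH only from the admin host
    Rule("clients", "servers", "tcp", frozenset({80, 443}), "web traffic to reverse proxy"),
    Rule(ADMIN_HOST, "servers", "tcp", frozenset({22}), "SSH from admin workstation"),
    # 2. Clients to Infrastructure: management only from the admin host
    Rule(ADMIN_HOST, "infra", "tcp", frozenset({22, 443}), "management from admin workstation"),
    # 3. Servers to Storage: only the storage protocols in use; storage never initiates
    Rule("servers", "storage", "tcp", frozenset({2049, 445, 3260}), "NFS, SMB, iSCSI"),
    # 4. Servers to Infrastructure: DNS and NTP to the one resolver / time source
    Rule("servers", DNS_NTP, "udp", frozenset({53, 123}), "DNS and NTP"),
    # 5. IoT to Internet only, plus the one specific local path it needs (DNS)
    Rule("iot", INTERNET, "tcp", frozenset({80, 443}), "IoT cloud services"),
    Rule("iot", DNS_NTP, "udp", frozenset({53}), "IoT name resolution"),
    # 6. Infrastructure outbound: updates only
    Rule("infra", INTERNET, "tcp", frozenset({443}), "package and firmware updates"),
]


def evaluate(src: str, dst: str, proto: str, dport: int) -> tuple[str, str]:
    """Decide how the firewall treats a *new* connection from src to dst.
    Replies to accepted connections are handled by connection tracking and
    never consult this table (stateful firewall assumption)."""
    s, d = ip_address(src), ip_address(dst)
    if vlan_of(s) is not None and vlan_of(s) == vlan_of(d):
        return "allow", "same VLAN, not routed through the firewall"
    for r in POLICY:
        if (_matches(r.src, s) and _matches(r.dst, d)
                and r.proto == proto and (not r.ports or dport in r.ports)):
            return "allow", r.reason
    return "deny", "default deny between VLANs"


def audit_table() -> list[tuple[str, str, str, str]]:
    """The Step 7 documentation table: source, destination, port, reason."""
    def name(sel):
        return sel if isinstance(sel, str) else str(sel)
    return [(name(r.src), name(r.dst),
             f"{r.proto}/{','.join(map(str, sorted(r.ports))) or 'any'}", r.reason)
            for r in POLICY]


if __name__ == "__main__":
    for flow in [("10.0.10.23", "10.0.20.10", "tcp", 443),   # client to proxy
                 ("10.0.50.7", "10.0.30.2", "tcp", 22),      # IoT to hypervisor
                 ("10.0.40.3", "10.0.20.10", "tcp", 22)]:    # storage initiating
        print(flow, "->", evaluate(*flow))
    for row in audit_table():
        print(" | ".join(row))
```

Running it shows the point of the design: the client-to-proxy flow is allowed with its reason attached, the IoT-to-hypervisor and storage-initiated flows fall through to the default deny, and the audit table is the same plain-language list Step 7 asks you to keep.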


Step 4. Use a jump host or dedicated admin device

Allowing every laptop to access every management interface feels convenient.
It is also risky and difficult to audit.

A cleaner pattern:

  • One trusted admin workstation
  • Or a small jump host VM

All management flows originate there.

This reduces firewall rules, improves visibility, and limits exposure if a normal device is compromised.


Step 5. Centralize DNS and time services

Many segmentation problems are actually DNS problems.

Choose:

  • One internal DNS resolver
  • One NTP source

Allow VLANs to reach only those services.
Avoid broad “access to infrastructure” rules just to make name resolution work.

Small discipline here prevents large rule sprawl later.


Step 6. Add a reverse proxy as the publishing layer

Instead of exposing many services directly:

  • Place a reverse proxy in the Servers VLAN
  • Allow Clients to reach only ports 80 and 443 on that proxy
  • Let the proxy talk to backend services internally

Benefits:

  • One place for TLS
  • One place for authentication in the future
  • Much simpler firewall logic

This pattern scales extremely well as the lab grows.


Step 7. Document rules in plain language

Firewall rules without context become fragile.

A simple table is enough:

  • Source
  • Destination
  • Port
  • Reason

Nothing fancy.
Just clarity for future you.

Because future you will forget.
We all do.
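One way to keep that table honest is to make it the source of truth: lint it for rows without a reason or with an "any" port, and generate the firewall configuration from it. The following is an added example, not tooling from the post: the table contents, the VLAN sub-interface names (vlan10, vlan20, ...) and the wan0 uplink are constructed, and the output uses nftables syntax with a forward chain whose policy is drop, so the default deny from Step 2 is built into the generated ruleset rather than remembered by hand.

```python
"""Lint a plain-language rule table (source, destination, port, reason)
and render it as an nftables ruleset with a default-deny forward chain.
Table contents and interface names are constructed for this example."""
from __future__ import annotations
import csv
from io import StringIO

# Constructed rule table in the Source / Destination / Port / Reason layout.
# Interface names are assumed Linux VLAN sub-interfaces on the firewall.
RULE_TABLE = """\
source,destination,port,reason
vlan10,vlan20,tcp/80 tcp/443,clients reach reverse proxy
vlan10,vlan30,tcp/22 tcp/443,
vlan20,vlan40,tcp/2049 tcp/445,servers mount NFS and SMB shares
vlan20,vlan30,udp/53 udp/123,DNS and NTP to the resolver
vlan50,wan0,tcp/80 tcp/443,IoT cloud services
vlan50,vlan30,any,
"""


def parse_table(text: str) -> list[dict]:
    """Parse the CSV table; 'any' in the port column becomes an empty port list."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["ports"] = [] if r["port"].strip() == "any" else r["port"].split()
    return rows


def lint(rows: list[dict]) -> list[str]:
    """Return human-readable findings; an empty list means the table is clean."""
    findings = []
    seen = set()
    for i, r in enumerate(rows, start=2):   # line 2 is the first data row
        src, dst = r["source"], r["destination"]
        if not r["reason"].strip():
            findings.append(f"line {i}: {src} -> {dst} has no reason recorded")
        if not r["ports"]:
            findings.append(f"line {i}: {src} -> {dst} allows every port; narrow it to the service needed")
        key = (src, dst, tuple(r["ports"]))
        if key in seen:
            findings.append(f"line {i}: duplicate of an earlier rule")
        seen.add(key)
    return findings


def render_nft(rows: list[dict]) -> str:
    """Render an nftables ruleset: the forward chain drops by default,
    established traffic is allowed back, then one accept per table row,
    carrying the table's reason as the rule comment."""
    lines = ["table inet segmentation {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept",
             "    ct state invalid drop"]
    for r in rows:
        by_proto: dict[str, list[str]] = {}
        for spec in r["ports"]:
            proto, port = spec.split("/")
            by_proto.setdefault(proto, []).append(port)
        match = f'iifname "{r["source"]}" oifname "{r["destination"]}"'
        reason = r["reason"].strip()
        comment = f' comment "{reason}"' if reason else ""
        if not by_proto:   # 'any' port: rendered, but lint() flags it first
            lines.append(f"    {match} accept{comment}")
        for proto, ports in by_proto.items():
            lines.append(f"    {match} {proto} dport {{ {', '.join(ports)} }} accept{comment}")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_table(RULE_TABLE)
    for finding in lint(rows):
        print("LINT:", finding)
    # Only rows that carry a reason and a specific port make it into the ruleset.
    clean = [r for r in rows if r["reason"].strip() and r["ports"]]
    print(render_nft(clean))
```

On the constructed table the linter reports the management row with no reason and the IoT row that opens every port to infrastructure, which is exactly the kind of rule the post warns against; the rendered ruleset can be reviewed with `nft -c -f` before it is loaded.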


Is this true zero trust?

No.
And that is perfectly fine.

This is a practical security baseline for a homelab run by a real human with limited time.

In my experience, this design is the first one that felt both:

  • Secure enough to trust
  • Simple enough to maintain

And that combination matters far more than theoretical perfection.


What to do next

  1. Create the five VLANs.
  2. Enable default deny between them.
  3. Add only the six essential rule patterns.
  4. Introduce a reverse proxy as the single entry point.

Do just those steps and your network will already feel different.
Quieter.
More predictable.
Much harder to break by accident.

That is usually the moment segmentation finally feels worth it.