Technically Acceptable
ENTRY 01.02 / VLANS
Home Lab: Lesson 02

VLANs

A VLAN lets one physical switch carry several logically separate networks at once. This is the cheapest, highest-leverage segmentation you can do in a home lab: isolate untrusted devices, contain blast radius, and shape traffic without buying more hardware.

What a VLAN actually is

A Virtual LAN partitions a single Layer 2 network into multiple independent broadcast domains. Devices on VLAN 20 cannot reach devices on VLAN 30 by switching alone. Traffic between them has to be routed, which means it can be filtered. One managed switch becomes many networks.

The mechanism is the 802.1Q tag: a 4-byte header inserted into the Ethernet frame carrying a 12-bit VID (VLAN ID, 1 to 4094). Switches read that tag to decide where a frame may go.

  • Access port: belongs to exactly one VLAN. Frames leave untagged; the end device never sees the tag. This is where laptops, printers, and IoT plugs live.
  • Trunk port: carries many VLANs, each frame tagged with its VID. Trunks connect switch ↔ switch and switch ↔ router.
  • Native VLAN: the one VLAN on a trunk whose frames travel untagged. Treat it as a footgun (see warning below).

The plan for this lab

Four segments, one trunk up to the firewall. Each VLAN gets its own subnet (sized in the next lesson) and its own firewall policy in OPNsense.

DIAGRAM: trunk + access topology
FIG 02.1 Mini-PC (router-on-a-stick) → trunk → managed switch → access ports per VLAN.

Define the VLANs on the switch

Most managed switches expose this over their CLI. The example below tags VLANs 10/20/30/99 and assigns port roles. Adapt the interface names to your hardware.

switch.cfg (802.1Q)
# create the VLANs
vlan 10 name MGMT
vlan 20 name TRUSTED
vlan 30 name IOT
vlan 99 name GUEST

# port 1 -> trunk to the firewall, all VLANs tagged
interface eth1
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30,99

# port 5 -> a trusted laptop, untagged access
interface eth5
  switchport mode access
  switchport access vlan 20

ⓘ  Note

VLAN 1 is the default on virtually every switch and is impossible to delete. Don’t put real hosts on it. Park unused ports in a dead VLAN (e.g. 999, no uplink) so a patch-cable mistake lands nowhere instead of on your management network.
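The 802.1Q tag layout from the section above and the access/trunk rules that switch.cfg encodes, worked through in Python as an added example (not part of the original lesson or of any switch vendor's code). The frame bytes, MAC addresses and the port table are constructed here to mirror the config; the trunk's native VLAN is assumed to be the default VLAN 1.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value announcing that a 4-byte VLAN tag follows


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet frame; when vid is given, insert an 802.1Q tag (TPID + TCI)."""
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def parse_8021q(frame):
    """Return the decoded tag as {pcp, dei, vid, ethertype}, or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None  # bytes 12-13 hold the plain EtherType: no tag present
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack_from("!HH", frame, 14)
    # TCI layout: 3 bits PCP (priority), 1 bit DEI (drop eligible), 12 bits VID
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF, "ethertype": ethertype}


def ingress_vlan(port, frame):
    """Classify an arriving frame into a VLAN using the access/trunk rules; None means drop."""
    tag = parse_8021q(frame)
    if port["mode"] == "access":
        # An access port accepts only untagged frames and maps them to its single VLAN.
        return port["vlan"] if tag is None else None
    # Trunk port. VID 0 is a priority tag that names no VLAN, so it is handled like untagged:
    # both land in the native VLAN, and only if that VLAN is itself allowed on the trunk.
    if tag is None or tag["vid"] == 0:
        return port["native"] if port["native"] in port["allowed"] else None
    if tag["vid"] == 0x0FFF or tag["vid"] not in port["allowed"]:
        return None  # 4095 is reserved; any other VID not in the allowed list is pruned
    return tag["vid"]


# Constructed port table mirroring switch.cfg: eth1 = trunk to the firewall, eth5 = access in VLAN 20.
PORTS = {
    "eth1": {"mode": "trunk", "allowed": {10, 20, 30, 99}, "native": 1},
    "eth5": {"mode": "access", "vlan": 20},
}

# Constructed addresses for the sample frames (broadcast destination, locally administered source).
DST, SRC = bytes.fromhex("ffffffffffff"), bytes.fromhex("0250f2000a01")
```

With native VLAN 1 left out of the allowed list, untagged and priority-tagged frames arriving on the trunk are dropped rather than silently joining VLAN 1, which is the behaviour the note above asks for.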

Create the tagged interfaces on the router

On a Linux-based router (or OPNsense’s shell) each VLAN becomes a sub-interface of the physical trunk NIC. Here the trunk is eth0 and we give the router the gateway address for the trusted segment.

router (iproute2)
$ ip link add link eth0 name eth0.20 type vlan id 20
$ ip addr add 10.0.20.1/24 dev eth0.20
$ ip link set eth0.20 up

Verify the switch sees the right tags on the trunk before you trust anything. Most failures are a port left in access mode or a VLAN missing from the trunk's allowed list.

verify
$ bridge vlan show dev eth1
port    vlan-id
eth1    10 20 30 99
$ ping -c2 10.0.20.1   # gateway reachable from the trusted VLAN

⚠  Warning

Put management (VLAN 10) on its own segment, but keep a wired access port into it before you cut over. If you tag the port you’re currently connected through and get the native VLAN wrong, you will lock yourself out of the switch, and the only fix is the console cable.

Done when

You can ping each VLAN gateway from a host on that VLAN, hosts on different VLANs cannot reach each other without a firewall rule, and bridge vlan show lists every expected VID on the trunk. Routing and per-segment policy come together in Lesson 04: OPNsense Setup.