IoT Isolation for Homelabs: VLANs, Firewall Rules, and mDNS
Tech GuruIoT isolation has a bad reputation because the first version often breaks everything. The smart TV vanishes from casting. The speaker stops responding. The printer is suddenly a mystery box. The family is unimpressed. Then the firewall rules get opened too wide and the network becomes flat again, just with more VLAN names.
The better pattern is to isolate by default and add small, documented exceptions. That matches the way security guidance talks about IoT. NIST IR 8259A focuses on device cybersecurity capabilities, CISA has consumer guidance on securing IoT devices, and ETSI EN 303 645 gives baseline consumer IoT security expectations. At home, your network is the enforcement layer you actually control.
Design principle: IoT devices should reach the internet and the controllers they need. They should not have broad access to trusted clients, servers, or management gear.
Classify Devices Before Moving Them
| Device Type | Examples | Network Need | Typical Policy |
|---|---|---|---|
| Cloud-only IoT | Smart plugs, appliances, bulbs | Internet, DNS, NTP | No LAN access. |
| Controller-based IoT | Home Assistant devices, Zigbee bridges | Controller IP and sometimes mDNS | Allow only controller paths. |
| Media / casting | TVs, speakers, streaming boxes | Internet, DNS, mDNS, selected controller access | Allow scoped discovery and media control. |
| Cameras | IP cameras, doorbells | NVR or controller, maybe internet if cloud-required | Prefer camera-to-NVR only where possible. |
| Printers | Network printers | Trusted clients to printer, not printer to LAN | Allow client-initiated print protocols only. |
Recommended VLANs
- Trusted VLAN for phones, laptops, and daily computers.
- IoT VLAN for smart devices that do not deserve trusted LAN membership.
- Media VLAN only if you need to separate TVs and speakers from general IoT.
- Camera VLAN if cameras or NVR traffic deserve their own rules and retention policy.
- Management VLAN for network gear, hypervisors, and admin interfaces.
Firewall Baseline
| Rule | Source | Destination | Ports | Action |
|---|---|---|---|---|
| IoT to DNS | IoT VLAN | Internal DNS | 53 TCP/UDP | Allow |
| IoT to NTP | IoT VLAN | Gateway or NTP server | 123 UDP | Allow |
| IoT to internet | IoT VLAN | WAN | Required outbound | Allow |
| IoT to trusted LAN | IoT VLAN | Trusted VLAN | Any | Deny and log |
| IoT to management | IoT VLAN | Management VLAN | Any | Deny and log |
| Trusted to IoT | Trusted VLAN | Selected IoT devices | Required app ports | Allow where needed |
| IoT to controller | IoT VLAN | Home Assistant / NVR | Specific ports | Allow only as documented |
mDNS Without Giving Up
mDNS is why devices can discover each other without central DNS, and RFC 6762 defines that behavior. Across VLANs, you need a gateway or controller feature that can relay or reflect selected discovery traffic. The important distinction is this: discovery is not permission. Letting a phone discover a speaker does not mean every IoT device should reach every trusted client.
- Enable mDNS reflection only between the VLANs that need discovery.
- Test one workflow at a time: phone to speaker, phone to TV, Home Assistant to device, client to printer.
- Add firewall allows for the actual control or media ports after discovery works.
- Log denials during testing so you can see what the app is trying to do.
- Remove temporary broad rules after testing.
Home Assistant Pattern
For Home Assistant, put the controller in a server or controller VLAN. Let it reach IoT devices that require local polling or control. Let trusted phones reach Home Assistant. Deny IoT devices from initiating broad access into trusted clients or management. This preserves automation without turning the IoT VLAN into a hidden bypass.
Validation Checklist
- An IoT device gets the IoT VLAN address and correct DNS.
- The IoT device reaches the internet if its function requires cloud access.
- The IoT device cannot reach laptop shares, NAS admin, hypervisor UI, or network gear.
- Trusted phones can control approved media devices.
- Home Assistant or NVR can reach the devices it manages.
- Firewall logs show blocked lateral attempts without breaking expected use.
Useful Gear And Buyer Notes
Affiliate disclosure: As an Amazon Associate, TechGeeks may earn from qualifying purchases. The product links below are buying references, not a requirement to buy a specific brand or seller. Verify compatibility, seller quality, warranty, and current specs before ordering.
| Need | Good Choice | Why It Fits | Affiliate Link |
|---|---|---|---|
| Segmentation gateway | UniFi Cloud Gateway Ultra or Max | Good fit for VLANs, firewall rules, and AP-integrated IoT SSIDs. | Amazon: UCG Ultra Amazon: UCG Max No Storage |
| Managed switch | TP-Link TL-SG2008P or UniFi switch | Needed for VLAN-aware wired IoT, APs, and PoE devices. | Amazon: TP-Link TL-SG2008P |
| Smart-home controller | Home Assistant Green or mini PC | Keeps automations local and gives you a clear controller target for firewall rules. | Search Amazon: Home Assistant Green |
| Radio coordinator | Zigbee or Z-Wave coordinator | Moves some devices off Wi-Fi and into a local controller model. | Search Amazon: Zigbee coordinator Home Assistant |
| Cable and labels | Short Cat6 patch cables and labeler | IoT networks get messy fast without port and device labels. | Amazon: Cable Matters 1ft Cat6 10-pack Amazon: Brother PTD220 label maker |
Common Mistakes
- Moving every smart device at once and then not knowing what broke.
- Allowing IoT to trusted LAN because one casting workflow failed.
- Forgetting DNS and NTP, then blaming the device.
- Treating mDNS as scary magic instead of scoped discovery.
- Letting cameras initiate traffic to everything instead of only the NVR or cloud path they need.
References
- NIST IR 8259A IoT Device Cybersecurity Capability Core Baseline
- CISA: Securing the Internet of Things
- ETSI EN 303 645 Consumer IoT Cyber Security
- RFC 6762 Multicast DNS
Final Thought
The win is not a perfectly pure IoT VLAN. The win is a smart-home network that still works while giving untrusted devices fewer places to wander. Start strict, add small exceptions, keep logs, and document why every exception exists.
This article is part of the TechGeeks homelab foundation series. The series is designed to build practical home infrastructure in the right order: remote access, segmentation, exposure control, DNS, IoT isolation, and recoverable backups.
Need help applying this?
Bring TechGeeks into the real environment.
If you are working through this on a live network, WordPress site, Linux server, AI workflow, or PisoWiFi deployment, send the context and we can help turn it into a practical plan.
