Lesson 3 of 5

Configuring VLANs on Your Router and Switch

With a clear understanding of what VLANs are and a plan for your network layout, it is time to actually build it. This lesson walks through the configuration process step by step, using the Ubiquiti UniFi ecosystem as the primary example while noting where other platforms differ. The same core concepts apply whether you are using TP-Link Omada, pfSense, OPNsense, or Firewalla.

Step 1: Create VLANs on Your Router/Gateway

The router (or gateway/firewall) is the central point where VLANs are defined, DHCP is served, and firewall rules are enforced. All VLAN creation starts here.

UniFi (UDM / UDM Pro / UDM SE)

  1. Open the UniFi Network application and navigate to Settings > Networks.
  2. Click Create New Network (or + New Virtual Network in newer firmware).
  3. Give the network a descriptive name, such as “IoT” or “Smart Home Devices.”
  4. Set the VLAN ID to the number you planned (e.g., 20).
  5. Under Gateway IP/Subnet, enter the gateway address and subnet mask: 192.168.20.1/24.
  6. Enable DHCP Server and set the range (e.g., 192.168.20.100 to 192.168.20.254), leaving the lower range for static assignments.
  7. Set the DNS server to your preferred resolver. If you run Pi-hole or AdGuard Home, enter its IP here. If that resolver lives on a different VLAN (for example the trusted VLAN), the firewall rules you create in the next lesson must allow DNS (UDP and TCP port 53) from this VLAN to that one host, or name resolution on the VLAN breaks.
  8. Click Apply Changes.

Repeat this process for each VLAN in your plan (cameras, guest, management). The default LAN network typically serves as your trusted VLAN.

pfSense / OPNsense

On pfSense, create VLAN interfaces under Interfaces > Assignments > VLANs; on OPNsense the equivalent page is Interfaces > Other Types > VLAN. Select the parent interface (usually the LAN port or a trunk port), assign the VLAN tag number, then go to Interfaces > Assignments to add the new VLAN as an interface. Once added, enable the interface, give it a static IPv4 address (the gateway address for that VLAN, e.g. 192.168.20.1/24), and enable DHCP for it under Services > DHCP Server on pfSense or the DHCPv4 service page on OPNsense (ISC or Kea, depending on release). Note that a new interface on either platform starts with no firewall rules and therefore passes no traffic until you add some.

Firewalla

On Firewalla Gold or Purple, navigate to Network > Network Manager and create a new network segment. Firewalla provides a guided setup that handles VLAN ID assignment, subnet configuration, and DHCP in a single workflow.

Step 2: Assign SSIDs to VLANs for Wireless Devices

Most IoT devices connect over Wi-Fi, so you need wireless networks (SSIDs) that map to your VLANs. This requires VLAN-aware access points.

UniFi Access Points

  1. In the UniFi Network app, go to Settings > WiFi.
  2. Click Create New WiFi Network.
  3. Set the SSID name (e.g., “Home-IoT”).
  4. Under Network, select the VLAN you created (e.g., “IoT” / VLAN 20).
  5. Set the security type to WPA2 or WPA3. Many IoT devices only support WPA2-Personal, and some older devices do not support WPA3 at all. If you choose WPA3, enable the WPA2/WPA3 transitional mode. If particular devices still refuse to join, the cause is usually the optional management-frame protection that transition mode advertises, which some older clients cannot handle; a WPA2-only IoT SSID is the pragmatic fix.
  6. Consider setting the WiFi band to 2.4 GHz only for the IoT SSID. Many IoT devices only have 2.4 GHz radios, and forcing 2.4 GHz avoids connectivity issues caused by band steering.
  7. Click Apply Changes.

You now have a separate SSID that places any device that connects to it directly onto VLAN 20. Your trusted devices connect to your primary SSID on the trusted VLAN, and IoT devices connect to the IoT SSID.

TP-Link Omada

In the Omada controller, create the VLAN under Settings > Wired Networks > LAN, then assign the VLAN to an SSID under Settings > Wireless Networks. The workflow is similar to UniFi.

Step 3: Configure Managed Switch Ports

For wired IoT devices (smart hubs, Ethernet cameras, Hue Bridge, etc.), you need to assign switch ports to the correct VLAN.

Access Ports for End Devices

Each port connecting to an end device should be configured as an access port (also called “untagged”) on the appropriate VLAN. The switch adds the VLAN tag as frames enter the port and strips it as they leave, so the device itself never sees 802.1Q headers and needs no VLAN configuration of its own:

  • Port 1 (Philips Hue Bridge): Access / Untagged on VLAN 20 (IoT)
  • Port 2 (Home Assistant server): Access / Untagged on VLAN 1 (Trusted) — or VLAN 20, depending on your architecture
  • Port 3 (PoE camera): Access / Untagged on VLAN 30 (Cameras)
  • Port 4 (Office desktop): Access / Untagged on VLAN 1 (Trusted)

In UniFi, you assign a port profile by selecting the switch in the Devices tab, clicking on the port, and selecting the network/VLAN under Port Profile. On TP-Link smart switches, this takes two steps: under VLAN > 802.1Q VLAN, set each port as untagged on one VLAN and “not a member” on all others; then under 802.1Q PVID Setting, set the port's PVID to that same VLAN so that untagged frames arriving from the device are placed into it. Forgetting the PVID is a frequent reason a wired device ends up on VLAN 1 despite the membership looking correct.

Trunk Ports for Infrastructure Links

The link between your switch and your router must be a trunk port (also called a “tagged” port) that carries every VLAN in use behind that switch. Both ends must agree: the same VLANs tagged on the switch port and on the router port, and the same native (untagged) VLAN if one is used.

In UniFi, the uplink port between a managed switch and the UDM is automatically configured as a trunk carrying all networks. If you are using a non-UniFi switch, you must manually configure the uplink port to tag all relevant VLANs.

If you have multiple switches, the link between switches must also be a trunk carrying all VLANs. Every switch in the chain needs the same VLAN definitions.

Step 4: Configure DHCP Scopes Per VLAN

Each VLAN needs its own DHCP scope so devices receive IP addresses from the correct subnet. If you set this up in Step 1, verify the configuration:

  • VLAN 1 (Trusted): DHCP range 192.168.1.100–192.168.1.254, gateway 192.168.1.1, DNS 192.168.1.1 (or Pi-hole IP).
  • VLAN 20 (IoT): DHCP range 192.168.20.100–192.168.20.254, gateway 192.168.20.1, DNS 192.168.20.1 (or Pi-hole IP).
  • VLAN 30 (Cameras): DHCP range 192.168.30.100–192.168.30.254, gateway 192.168.30.1.
  • VLAN 40 (Guest): DHCP range 192.168.40.100–192.168.40.254, gateway 192.168.40.1.

For critical infrastructure devices like a Home Assistant server or a Hue Bridge, consider assigning DHCP reservations (also called fixed IP mappings or static leases) so they always receive the same IP address. This makes firewall rules and service configuration more predictable, and a rule that references a fixed address does not silently stop matching when a lease changes.

Step 5: Test VLAN Isolation

After configuration, verify that isolation is working before you rely on it:

  1. Connect a device to the IoT VLAN (either via the IoT SSID or a wired access port). Verify it receives an IP address from the correct DHCP scope (e.g., 192.168.20.x).
  2. Ping the IoT gateway: ping 192.168.20.1 — this should succeed.
  3. Ping a device on the trusted VLAN: ping 192.168.1.100. Whether this succeeds depends on your gateway's defaults. UniFi and most consumer gateways route between all local networks until you add deny rules, so expect it to succeed at this stage; pfSense and OPNsense give a new interface no allow rules, so expect it to fail there. Once your deny rules are in place it must fail. If it succeeds when you expected a block, check your firewall rules. Pick a target that you have confirmed answers pings from inside the trusted VLAN, because a host firewall that drops ICMP can make an open route look blocked.
  4. Test internet access: ping 8.8.8.8 — this should succeed if you have not blocked outbound traffic from the IoT VLAN.
  5. Test DNS resolution: nslookup google.com — this should succeed if DNS is properly configured for the VLAN.

If the IoT device can reach the trusted VLAN, the usual cause is that no firewall rules block inter-VLAN traffic yet. UniFi and most consumer gateways route between all local networks by default; pfSense and OPNsense are the exception, passing nothing on a new interface until you add allow rules. In either case the segmentation only exists once you have written explicit rules for what is permitted, which we cover in the next lesson.
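To make Step 5 repeatable, here is a small shell script that runs the checks above from a device on the IoT VLAN and prints PASS/FAIL for each. It is an added example for this lesson, not part of the original page or any vendor's tooling. It assumes a Linux host with iproute2 (ip route get, used to find the local address), iputils ping (where -W is a timeout in seconds) and nslookup; the subnet, gateway, trusted-host target and DHCP pool bounds are passed as arguments, and the example values match the addresses used in this lesson.

```shell
#!/usr/bin/env bash
# vlan-check.sh - repeatable version of the Step 5 isolation test.
# Added example for this lesson; not from the original page or any vendor tool.
# Assumes Linux: iproute2 for the local address, iputils ping (-W in seconds), nslookup.
# Usage: ./vlan-check.sh <vlan-cidr> <gateway> <trusted-host> [pool-low] [pool-high]
#   e.g. ./vlan-check.sh 192.168.20.0/24 192.168.20.1 192.168.1.100 100 254

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    local IFS=.
    set -- $1                                  # split on dots into $1..$4
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP CIDR: succeed when IP lies inside CIDR (e.g. 192.168.20.0/24).
in_subnet() {
    local net="${2%/*}" bits="${2#*/}" mask
    mask=$(( 0xFFFFFFFF ^ ((1 << (32 - bits)) - 1) ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# in_pool IP LOW HIGH: succeed when the last octet of IP is within the DHCP pool.
in_pool() {
    local last="${1##*.}"
    [ "$last" -ge "$2" ] && [ "$last" -le "$3" ]
}

# verdict EXPECT STATUS: EXPECT is "reach" (status 0 is good) or "blocked" (non-zero is good).
verdict() {
    if [ "$1" = reach ]; then
        [ "$2" -eq 0 ] && echo PASS || echo FAIL
    else
        [ "$2" -ne 0 ] && echo PASS || echo FAIL
    fi
}

# report LABEL EXPECT COMMAND...: run COMMAND quietly and print one PASS/FAIL line.
report() {
    local label="$1" expect="$2" rc
    shift 2
    "$@" >/dev/null 2>&1
    rc=$?
    printf '%-38s %s\n' "$label" "$(verdict "$expect" "$rc")"
}

main() {
    local cidr="$1" gw="$2" trusted="$3" low="${4:-100}" high="${5:-254}" me
    # Source address the kernel would use for outbound traffic, i.e. our DHCP-assigned IP.
    me=$(ip -4 route get 1.1.1.1 2>/dev/null | awk '{for (i = 1; i <= NF; i++) if ($i == "src") print $(i + 1)}')
    if [ -z "$me" ]; then
        echo "no IPv4 address found; DHCP on this VLAN is not working" >&2
        return 1
    fi
    echo "local address: $me"
    report "address inside $cidr"                  reach   in_subnet "$me" "$cidr"
    report "address inside DHCP pool .$low-.$high" reach   in_pool "$me" "$low" "$high"
    report "IoT gateway $gw reachable"             reach   ping -c 2 -W 2 "$gw"
    report "trusted host $trusted blocked"         blocked ping -c 2 -W 2 "$trusted"
    report "internet (8.8.8.8) reachable"          reach   ping -c 2 -W 2 8.8.8.8
    report "DNS resolves google.com"               reach   nslookup google.com
}

# Only probe the network when invoked with arguments; sourcing just defines the functions.
if [ "$#" -ge 3 ]; then
    main "$@"
fi
```

Run it from the IoT device as ./vlan-check.sh 192.168.20.0/24 192.168.20.1 192.168.1.100. Choose a trusted-host target that you have confirmed answers pings from inside the trusted VLAN, since a host firewall that drops ICMP makes an open route look blocked. On macOS, ping -W takes milliseconds and there is no ip command, so those two lines need adjusting.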

Common Pitfalls and Troubleshooting

Forgetting the Trunk Uplink

The most common VLAN mistake is configuring switch ports as access ports but forgetting to configure the uplink to the router as a trunk. If the uplink is an access port on VLAN 1, only VLAN 1 traffic will reach the router. All other VLANs will have no gateway, no DHCP, and no internet access. Always verify the uplink port is a trunk carrying all VLANs.

End Device Plugged Into a Trunk Port

If you configure an end-device port as a trunk instead of an access port, the result depends on the trunk's native (untagged) VLAN. If the trunk carries only tagged VLANs, the device's untagged frames are dropped and it has no connectivity. If the trunk has a native VLAN, the device silently lands on that VLAN, often the trusted VLAN 1, which defeats the segmentation you are building. A trunk on an end-device jack also lets any device capable of emitting 802.1Q tags, such as a laptop or a compromised single-board computer, choose its own VLAN. End devices (IoT gadgets, computers, cameras) should always connect to access ports.

DHCP Not Working on a VLAN

If devices on a new VLAN are not receiving IP addresses, check: (1) the DHCP server is enabled for that VLAN on the router, (2) the trunk port between the switch and router carries the VLAN, (3) the switch port is set as untagged on the right VLAN, and (4) on switches with a separate PVID setting, the port's PVID matches that VLAN. A device whose DHCP requests are going nowhere typically self-assigns a 169.254.x.x address, which is the quickest sign of a broken DHCP path.

Native VLAN Mismatch

If the native (untagged) VLAN differs between the two ends of a trunk, untagged frames that leave one side as one VLAN arrive on the other side as a different VLAN, silently bridging two networks you meant to keep apart. Keep native VLAN settings consistent on both ends of every trunk link.

Summary

Configuring VLANs involves creating VLAN networks on your router with dedicated subnets and DHCP scopes, assigning SSIDs to VLANs for wireless devices, setting switch ports as access ports for end devices and trunk ports for infrastructure links, and verifying isolation through ping tests. The most common pitfalls are a forgotten trunk uplink, an end device plugged into a trunk port, and DHCP misconfiguration. With VLANs operational and verified, the next step is creating firewall rules that define exactly what traffic is permitted between segments.
