The problem with a flat network isn't just about what comes in from the internet — it's about what happens after something gets in, or arrives compromised from the factory. A smart TV with embedded advertising software can enumerate other devices on your network. An IoT camera with a weak default password becomes a pivot point for an attacker who wants access to your work laptop. A compromised guest device can intercept traffic intended for other machines.
Segmentation creates walls between categories of devices so that a problem in one segment can't easily spread to others. It's the same principle that enterprise networks have used for decades, scaled down to something a technical home user can actually deploy.
What Network Segmentation Actually Does
In practice, network segmentation means devices in different segments can't communicate directly unless a firewall rule explicitly permits it. Traffic between segments must pass through a router or firewall, which means you control exactly what is allowed, and you can log what crosses the boundary.
The standard mechanism is VLANs (Virtual Local Area Networks). A VLAN is a logical network partition that operates over the same physical cabling and switch hardware. Devices in VLAN 10 and VLAN 20 can coexist on the same switch without being able to directly reach each other — the switch tags packets with the appropriate VLAN ID and enforces the separation.
On wireless networks, multiple SSIDs can be mapped to separate VLANs. Your "Home Trusted" Wi-Fi connects to VLAN 10 (computers, phones). Your "IoT" Wi-Fi connects to VLAN 30 (thermostats, cameras, smart speakers). A compromised IoT device is stuck in VLAN 30: it can't reach your laptop because your firewall permits no traffic from VLAN 30 to VLAN 10.
A Practical Segmentation Design
Here's a four-segment design that covers most home threat models without becoming an operational burden:
| Segment | What Goes Here | Internet Access | Can Reach Other Segments |
|---|---|---|---|
| Trusted (VLAN 10) | Personal laptops, phones, tablets | Full | Limited (printer only, via rule) |
| Work (VLAN 20) | Work laptop, work phone | Full (via work VPN) | None |
| IoT (VLAN 30) | Smart TVs, cameras, thermostats, speakers | Full (required for cloud features) | None |
| Guest (VLAN 40) | Visitor devices | Full | None |
The key firewall rules that make this work:
- VLANs 20, 30, 40 → VLAN 10: blocked (no untrusted device reaches your personal machines)
- VLAN 10 → VLAN 30: blocked by default, with specific exceptions (e.g., allow port 80/443 to your home assistant if you manage it)
- All VLANs → internet: allowed (with your preferred DNS resolver)
- VLAN 30 → internet: allowed, but consider blocking DNS except to your router and logging connections to understand what your IoT devices are actually calling home to
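To make the rule list concrete, here is a small policy model (an added example, not code from any firewall product) that encodes the four-VLAN design as first-match rules with a default deny between segments and evaluates sample flows against it. The subnets, the home-automation host address, the printer address and the printer ports are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing (assumption): VLAN n uses 192.168.n.0/24, firewall at .1
SUBNETS = {v: ip_network(f"192.168.{v}.0/24") for v in (10, 20, 30, 40)}
FIREWALL = {v: str(SUBNETS[v][1]) for v in SUBNETS}
HOME_ASSISTANT = "192.168.30.20"   # hypothetical home-automation host in the IoT VLAN
PRINTER = "192.168.30.40"          # hypothetical network printer in the IoT VLAN

@dataclass(frozen=True)
class Rule:
    src: object            # VLAN id or "any"
    dst: object            # VLAN id, "any" or "internet"
    action: str            # "accept" or "drop"
    proto: str = "any"     # "tcp", "udp" or "any"
    dports: tuple = ()     # () matches every destination port
    dhost: str = ""        # "" matches every host in the destination segment

# First match wins; the last rule is the default deny that blocks 20/30/40 -> 10
# and everything 10 -> 30 that is not listed above it.
POLICY = [
    Rule(10, 30, "accept", "tcp", (80, 443), HOME_ASSISTANT),  # manage home automation
    Rule(10, 30, "accept", "tcp", (631, 9100), PRINTER),       # IPP and raw printing
    Rule(30, 30, "accept", "any", (53,), FIREWALL[30]),        # IoT DNS -> router only
    Rule(30, "any", "drop", "any", (53,)),                      # no other DNS from IoT
    Rule("any", "internet", "accept"),                          # every VLAN -> internet
    Rule("any", "any", "drop"),
]

def segment(ip: str):
    """Map an address to its VLAN id, or 'internet' if it is in no local subnet."""
    addr = ip_address(ip)
    return next((v for v, net in SUBNETS.items() if addr in net), "internet")

def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    return (rule.src in ("any", segment(src))
            and rule.dst in ("any", segment(dst))
            and rule.proto in ("any", proto)
            and (not rule.dports or dport in rule.dports)
            and (not rule.dhost or rule.dhost == dst))

def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Return the action of the first rule that matches the flow, in list order."""
    for rule in POLICY:
        if matches(rule, src, dst, proto, dport):
            return rule.action
    return "drop"  # unreachable with the catch-all present; kept as the safe default
```

Run `evaluate("192.168.30.15", "192.168.10.5", "tcp", 445)` and similar flows to check that each line of the rule list above is actually enforced by the order of the rules.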
Before locking down your IoT VLAN's internet access, spend a week logging its DNS queries. Smart TVs in particular make a remarkable number of connections to advertising and analytics infrastructure, and the resulting list is often instructive about what your devices are actually doing. Tools like Pi-hole can block categories of these queries while still allowing firmware updates and core functionality.
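As an added example of that week of logging (not part of the original article or of Pi-hole), the script below parses dnsmasq-style query lines, the format Pi-hole records, keeps only queries from the IoT segment, and reports per device how many lookups go to names on a blocklist. The log lines, the IoT subnet and the blocklist suffixes are constructed for the example; in a real setup you would feed it your own log and a real blocklist.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

IOT_VLAN = ip_network("192.168.30.0/24")   # assumption: IoT segment addressing
# dnsmasq query line: "<timestamp> dnsmasq[pid]: query[TYPE] name from client"
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)")
# Constructed suffixes standing in for an advertising/telemetry blocklist
TELEMETRY_SUFFIXES = ("ads.example", "metrics.example", "telemetry.example")

# Constructed sample log; the TV at .15 and the thermostat at .22 are in the IoT VLAN
LOG = """\
Jan  5 10:15:22 dnsmasq[812]: query[A] fw-update.tv-vendor.example from 192.168.30.15
Jan  5 10:15:22 dnsmasq[812]: forwarded fw-update.tv-vendor.example to 127.0.0.1#5335
Jan  5 10:15:23 dnsmasq[812]: query[A] cdn1.ads.example from 192.168.30.15
Jan  5 10:15:23 dnsmasq[812]: query[AAAA] cdn1.ads.example from 192.168.30.15
Jan  5 10:15:25 dnsmasq[812]: query[A] beacon.metrics.example from 192.168.30.15
Jan  5 10:15:30 dnsmasq[812]: query[A] api.thermostat.example from 192.168.30.22
Jan  5 10:15:31 dnsmasq[812]: query[A] mail.example from 192.168.10.5
Jan  5 10:16:02 dnsmasq[812]: query[A] collect.telemetry.example from 192.168.30.15
"""

def parse_queries(text: str):
    """Yield (client, name) for every query line whose client is in the IoT VLAN."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # forwarded/reply/cached lines carry no new client -> name pair
        _qtype, name, client = m.groups()
        if ip_address(client) in IOT_VLAN:
            yield client, name.lower().rstrip(".")

def is_telemetry(name: str) -> bool:
    """True when the name is, or sits under, a blocklisted suffix."""
    return any(name == s or name.endswith("." + s) for s in TELEMETRY_SUFFIXES)

def summarize(text: str) -> dict:
    """Per IoT client: query count, distinct names, flagged names and their share."""
    per_client = defaultdict(Counter)
    for client, name in parse_queries(text):
        per_client[client][name] += 1
    report = {}
    for client, names in per_client.items():
        flagged = {n: c for n, c in names.items() if is_telemetry(n)}
        total = sum(names.values())
        report[client] = {"queries": total, "distinct": len(names),
                          "flagged": flagged, "flagged_share": sum(flagged.values()) / total}
    return report
```

A high flagged share for a device is the signal to block that category at the resolver first and only then tighten the firewall, so that firmware-update names like the first line stay reachable.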
Hardware That Supports This
Consumer routers from ISPs almost never support VLANs properly. You need hardware that gives you actual control. The main options:
Ubiquiti UniFi: The most capable option for prosumer home users. UniFi Dream Machine (or Dream Router) acts as router, switch, and wireless controller in one device. VLAN configuration is done through the UniFi dashboard, which is reasonably approachable. The ecosystem is well-documented and has a large community. Cost is higher than consumer gear but significantly less than enterprise alternatives.
pfSense / OPNsense on dedicated hardware: Open-source firewall operating systems that run on mini PCs (a Protectli vault, a used thin client, a Raspberry Pi 4 with an external switch). Full VLAN support, extremely granular firewall rules, excellent logging. Higher learning curve, but complete control and no vendor lock-in. The hardware cost can be quite low if you use recycled hardware.
Firewalla: A middle ground — easier to configure than pfSense, more capable than consumer routers. Supports VLANs and has a mobile app interface. Good for technical users who want capable segmentation without managing a full firewall OS.
Consumer routers with DD-WRT or OpenWrt: If you already have a supported router, open-source firmware can add VLAN support. Compatibility varies significantly by hardware. Check the OpenWrt hardware table before purchasing or flashing.
DNS as a Segmentation Tool
DNS is often overlooked in home segmentation setups but deserves specific attention. By default, every device on your network resolves DNS through your ISP's resolver — which means your ISP sees every domain name your devices look up, across all segments.
Running your own DNS resolver (Pi-hole with Unbound is a common combination) keeps DNS resolution internal, removes your ISP from the query path, and lets you apply per-segment DNS policies. IoT devices on VLAN 30 can be directed to a resolver that blocks known advertising and telemetry domains. Guest devices can use a public encrypted resolver like Cloudflare's 1.1.1.1 with DNS-over-HTTPS.
This pairs well with DNS-over-HTTPS, which encrypts DNS queries to prevent interception at the ISP or network level. The combination — local resolver for most queries, encrypted upstream for anything that leaves your network — closes a significant privacy gap that application-layer encryption alone doesn't address.
What Segmentation Can't Fix
Network segmentation reduces lateral movement and limits the blast radius of a compromised device, but it doesn't address everything:
- Internet-side threats: Segmentation only controls east-west traffic (device to device). Attacks that come from the internet and target a specific device on your network bypass segmentation entirely — keep software updated.
- Physical access: Someone with physical access to your network can plug into your switch and potentially bypass VLAN tagging, depending on configuration. Disable unused switch ports.
- Your own devices: If your laptop is compromised, segmentation doesn't protect it from itself. Disk encryption and keeping software current matter independently of network architecture.
- Cloud data: Your smart TV's cloud services still receive usage data regardless of which VLAN it's on. Segmentation controls what the device can reach internally — you're still trusting (or not) the device manufacturer's server-side handling.
Network segmentation is defense in depth, not a complete solution. It raises the cost of lateral movement significantly, which is valuable — but it works best as one layer in a broader security posture, not as a replacement for device hygiene or application-layer encryption.
Getting Started Without Replacing Everything
If replacing your router isn't immediately practical, you can take an incremental approach. Most consumer routers support a separate guest network — enable it, and move IoT and untrusted devices onto it. Guest network isolation (which prevents guest devices from reaching LAN devices) is a meaningful first step even without full VLAN support.
From there, adding a capable router upstream of your existing hardware — running pfSense or OPNsense — gives you full VLAN support while preserving your existing wiring. Your ISP modem feeds the pfSense box; pfSense handles all routing and VLANs; your existing consumer router operates in access-point mode on one of the VLANs.
The investments that matter most, ranked: first, guest network isolation for IoT; second, a capable router with VLAN support; third, local DNS with per-segment policies; fourth, logging and monitoring so you can see what's actually crossing your segment boundaries. The first step is low-cost and immediate. Each subsequent step adds meaningful protection.