How to VLAN-Segregate Home/Office Networks with pfSense/OpenWRT: A Sysadmin’s Guide

As a remote developer, I recently faced a critical network segmentation challenge: My home lab's IoT devices were sharing broadcast domains with corporate VPN traffic. This setup violated basic security hygiene and exposed both networks to potential lateral movement attacks.

You'll need:

  • Router supporting VLANs (pfSense/OpenWRT recommended)
  • Managed switch (TP-Link SG108E works well)
  • Separate WiFi AP or VLAN-capable unit

Target topology:

INTERNET
|
[pfSense Router]
|-- VLAN10 (Corporate)
|   |-- Ethernet to VPN device
|   |-- No WiFi access
|
|-- VLAN20 (Personal)
    |-- WiFi AP (isolated)
    |-- Personal devices
The same VLAN and rule definitions, expressed as the config.xml fragments pfSense writes for Interfaces > Assignments > VLANs and Firewall > Rules (the corporate VLAN is assumed to be assigned as opt1, and COMPANY_VPN_SERVER is an alias defined under Firewall > Aliases). The pass rule is needed because pfSense blocks anything not explicitly passed:

<vlans>
  <vlan>
    <if>igb0</if>
    <tag>10</tag>
    <descr>CORPORATE_VLAN</descr>
    <vlanif>igb0.10</vlanif>
  </vlan>
  <vlan>
    <if>igb0</if>
    <tag>20</tag>
    <descr>PERSONAL_VLAN</descr>
    <vlanif>igb0.20</vlanif>
  </vlan>
</vlans>

<filter>
  <rule>
    <type>pass</type>
    <interface>opt1</interface>
    <ipprotocol>inet</ipprotocol>
    <source><network>opt1</network></source>
    <destination><address>COMPANY_VPN_SERVER</address></destination>
  </rule>
  <rule>
    <type>block</type>
    <interface>opt1</interface>
    <ipprotocol>inet</ipprotocol>
    <source><network>opt1</network></source>
    <destination><not></not><address>COMPANY_VPN_SERVER</address></destination>
  </rule>
</filter>

For a TP-Link Archer C7 running OpenWRT as the personal-VLAN access point (on swconfig hardware such as the C7, VLAN 20 must also be tagged on the CPU and uplink ports in a matching config switch_vlan section, or eth0.20 carries nothing):

config device
    option type 'bridge'
    option name 'br-personal'
    list ports 'eth0.20'

config interface 'personal'
    option device 'br-personal'
    option proto 'dhcp'

config wifi-iface
    option device 'radio0'
    option network 'personal'
    option mode 'ap'
    option ssid 'HomeNetwork'
    option encryption 'psk2'
    option key 'YourStrongPassword'

Verify segmentation with these commands:

# From corporate VLAN
ping 192.168.20.1 # Should fail
traceroute 8.8.8.8 # Should show VPN gateway

# From personal VLAN
nmap -sn 192.168.10.0/24 # Should show no hosts (-sn is the current name of the old -sP ping scan)

Additional hardening:

  • Enable MAC filtering on corporate VLAN
  • Implement 802.1X authentication if possible
  • Regularly audit firewall rules
  • Monitor VPN connection attempts

Common issues and fixes:

# If VLANs aren't communicating:
swconfig dev switch0 show # Verify port memberships

# If WiFi devices see corporate network (firewall3/iptables; on OpenWRT 22.03+ fw4 uses nftables, so express the same drop as a firewall zone rule instead):
iptables -I FORWARD -i br-personal -d 192.168.10.0/24 -j DROP

Many remote developers face this scenario: Your home router feeds both personal devices and a company VPN router through the same physical connection. This creates several security concerns:

  • Potential lateral movement if a personal device gets compromised
  • Unintended corporate resource exposure
  • Mixed traffic making monitoring difficult

For a proper segmentation, you'll need:

1. A VLAN-capable router (e.g., Ubiquiti EdgeRouter, MikroTik, or OpenWRT device)
2. Managed switch (optional but recommended)
3. Your existing VPN router
4. WiFi access point (preferably VLAN-aware)

Here's how to implement network isolation:

1. VLAN Architecture

# Sample VLAN configuration on OpenWRT (21.02 or later syntax)
config device
    option name 'eth0.10'
    option type '8021q'
    option ifname 'eth0'
    option vid '10'

config interface 'corporate'
    option proto 'static'
    # 'device' replaced the older 'ifname' option for interfaces in 21.02
    option device 'eth0.10'
    option ipaddr '192.168.10.1'
    option netmask '255.255.255.0'

2. Firewall Rules

# iptables rules to enforce isolation (first match wins, so use -I instead of -A
# if an existing FORWARD rule already ACCEPTs this traffic)
iptables -A FORWARD -i eth0.10 -o wlan0 -j DROP
iptables -A FORWARD -i wlan0 -o eth0.10 -j DROP
iptables -A FORWARD -i eth0.10 -o eth0 -j ACCEPT  # Allow VPN traffic out

3. WiFi Network Isolation

# Configure separate SSID for personal devices
config wifi-iface
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option ssid 'Personal_Network'
    option encryption 'psk2'
    option key 'yourstrongpassword'
    # Client isolation: personal clients cannot talk to each other through the AP
    # (UCI does not accept trailing comments on an option line, so it sits on its own line)
    option isolate '1'

For those without VLAN-capable hardware:

# Use a separate physical interface for corporate traffic
ip link set eth1 up
ip addr add 192.168.20.1/24 dev eth1

Test your isolation with:

# Check routes
ip route show table all

# Test connectivity
ping -I eth0.10 192.168.10.2  # Should succeed
ping -I wlan0 192.168.10.2    # Should fail
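An automated version of the verification steps (this section's ping tests and the earlier ping/traceroute checks from each VLAN), as an added example that is not part of the original post. It encodes the expected reachability matrix from the article's layout and parses hop 1 of a traceroute so the "should show VPN gateway" expectation is checked too; the addresses, the COMPANY_VPN_SERVER placeholder and the first-hop values are assumptions to adjust to your network.

```python
import re
import subprocess

# Expected reachability from each VLAN, constructed from the layout above (corporate
# 192.168.10.0/24, personal 192.168.20.0/24; assumed). COMPANY_VPN_SERVER is a placeholder.
POLICY = [
    ("corporate", "192.168.20.1", False),       # personal gateway unreachable
    ("corporate", "COMPANY_VPN_SERVER", True),  # the one thing corporate needs
    ("personal", "192.168.10.1", False),        # corporate gateway unreachable
    ("personal", "8.8.8.8", True),              # personal keeps internet access
]
# Hop 1 of a traceroute must be the gateway that VLAN is meant to use (assumed values;
# use the VPN device's address if corporate hosts default-route through it).
EXPECTED_FIRST_HOP = {"corporate": "192.168.10.1", "personal": "192.168.20.1"}
# Matches " 1  host (1.2.3.4) ..." or " 1  1.2.3.4 ..." but not a timed-out " 1  * * *".
_HOP1_RE = re.compile(r"^\s*1\s+(?:\S+\s+\()?(\d{1,3}(?:\.\d{1,3}){3})")

def first_hop(traceroute_output):
    """Return the IP of hop 1 in traceroute text, or None if hop 1 timed out."""
    for line in traceroute_output.splitlines():
        m = _HOP1_RE.match(line)
        if m:
            return m.group(1)
    return None

def ping(host, timeout=2):
    """Real probe: one ICMP echo request; True when a reply arrives."""
    r = subprocess.run(["ping", "-c", "1", "-W", str(timeout), host],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0

def traceroute(host="8.8.8.8"):
    """Real probe: traceroute output limited to hop 1, which is all we parse."""
    r = subprocess.run(["traceroute", "-m", "1", host], capture_output=True, text=True)
    return r.stdout

def check_segmentation(vlan, probe=ping, trace=traceroute):
    """Return (check, expected, observed) for each expectation violated from a host on
    `vlan`; probe/trace are injectable so the logic can run without a network."""
    violations = []
    for src, dest, should_reach in POLICY:
        if src == vlan:
            observed = probe(dest)
            if observed != should_reach:
                violations.append((f"ping {dest}", should_reach, observed))
    hop = first_hop(trace())
    if hop != EXPECTED_FIRST_HOP[vlan]:
        violations.append(("first hop", EXPECTED_FIRST_HOP[vlan], hop))
    return violations
```

From a host on each VLAN, call check_segmentation("corporate") or check_segmentation("personal"); an empty list means every expectation held from that vantage point.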
Additional hardening:

  • Enable MAC filtering on corporate VLAN
  • Implement 802.1X authentication if supported
  • Regularly update router firmware

Common issues and fixes:

# If VLAN traffic isn't passing:
ethtool -K eth0 rx-vlan-offload off
ethtool -K eth0 tx-vlan-offload off

# For persistent firewall rules (Debian/Ubuntu-based router):
apt install iptables-persistent
netfilter-persistent save