The rise in remote work since 2020 forced a question most of us ignored for years: is your home network actually secure, or just protected by the default password your ISP gave you?

That shift exposed millions of home networks as soft targets – vulnerable to drive-by attacks, credential stuffing, and worse. What used to be a hobbyist concern (locking down your router settings) became mission-critical the moment your employer’s VPN started routing through the same network as your smart doorbell.

Here’s what we’re fixing today.

By the end of this process, you’ll have a properly segmented home network with separate VLANs for work devices, IoT gadgets, and guest access. Takes about 90 minutes if you’ve never touched router firmware before, closer to 45 if you’re comfortable with admin panels.
What You’ll Need Before Starting
Look, don’t even think about starting this without the right equipment. I’ve watched people get halfway through, realize their ISP-provided router can’t handle VLANs (which, honestly, most can’t), and have to start completely over with new hardware. Here’s the specific gear you’ll need:
- A router with VLAN support – I use the Ubiquiti Dream Machine SE ($499), but the TP-Link Omada ER605 ($59.99) works if you’re budget-conscious. The menu paths below are for UniFi; Omada’s controller has the same settings under different names. A consumer router like the Netgear Nighthawk won’t cut it for this – no usable VLAN capability.
- UniFi Network Application – Free software, runs on Windows/Mac/Linux. Download version 8.0 or newer from ui.com.
- Managed switch (optional but recommended) – The TP-Link TL-SG108E ($39.99) handles 8 ports with VLAN tagging. You need this if you’re connecting wired devices to different network segments.
- Admin access to your modem – You’ll need to put your ISP’s modem/router combo into bridge mode. Call your ISP now and get the admin password. Comcast charges $14/month to rent their gateway – you can buy your own Motorola MB8600 ($169) and eliminate that fee.
- 1-2 hours of uninterrupted time – You’ll lose internet access during parts of this process. Don’t do it before a Zoom meeting.
One more thing: if you’re running a mesh Wi-Fi system like Google Wifi or Eero, you can’t do this. Those systems don’t support VLANs, so you’ll need to replace them entirely.
Step-by-Step Network Segmentation Process
Step 1: Put your ISP modem into bridge mode. Log into the modem’s admin panel (usually 192.168.1.1 or 192.168.0.1) and navigate to Gateway > Connection > Bridge Mode, then flip it on. This turns your modem into a dumb pipe and lets your router handle all the networking logic.

Expected outcome: the modem’s Wi-Fi network disappears completely, and you lose internet until your new router is up in Step 2. If you can’t find bridge mode (and some ISPs bury this setting), search “[your modem model] bridge mode” — manufacturers hide it in different places.

Step 2: Connect and configure your new router. Plug the modem’s ethernet output into your router’s WAN port. Connect your computer to LAN port 1 with an ethernet cable. Open a browser and go to the router’s default IP (check the sticker on the bottom – usually 192.168.1.1). The UniFi Dream Machine will prompt you to install the Network Application. Do that first. Then set a strong admin password – at least 16 characters, mix of letters/numbers/symbols. This is your key to the kingdom. Leave cloud or remote access to the admin panel off; the last section covers reaching it safely from outside.

Step 3: Create your first VLAN for trusted devices. In the UniFi controller, go to Settings > Networks > Create New Network. Name it “Trusted” and assign VLAN ID 10. Set the gateway IP to 192.168.10.1 with a subnet mask of 255.255.255.0. Enable DHCP with a range of 192.168.10.100 to 192.168.10.200; the addresses below .100 stay free for anything you want to pin statically later. This network is for your work laptop, personal computers, and phones – devices you control and keep updated. Click Apply. The router will provision this network in about 30 seconds. You should see “Trusted” appear in your network list with a green checkmark.
Step 4: Create an IoT network with restricted access. Go back to Settings > Networks > Create New Network. Name it “IoT”, assign VLAN ID 20, gateway 192.168.20.1, and set the DHCP range to 192.168.20.100-200. Here’s the critical part: under Advanced > Security, enable “Block LAN to WLAN” and “Isolate Network” (the exact labels shift between Network Application versions, but both isolation toggles live here). This prevents your smart TV from scanning the rest of your network. Every smart home device goes here — thermostats, cameras, voice assistants, all of it. (Side note: if you knew how many IoT devices phone home to overseas servers by default, you’d air-gap them entirely. This is the next best thing.)

Step 5: Set up a guest network. Create another network: “Guest”, VLAN 30, gateway 192.168.30.1. Enable both isolation settings like you did for IoT, and add one extra step: under Advanced > Content Filtering, enable “Block Malware Sites” and “Block Adult Content” if you’re letting neighbors’ kids use this.

Expected outcome: three distinct networks, none of which can see the others. Test by connecting a device to Guest and trying to ping 192.168.10.1 — it should time out completely. Also try a real host on Trusted (your laptop at its 192.168.10.1xx address): a reply from the gateway address only tells you how the router treats traffic to its own interface, while a reply from a host proves packets are being forwarded between VLANs, which is the thing isolation is supposed to stop.

Step 6: Configure your wireless networks. Go to Settings > WiFi > Create New WiFi Network. Create three SSIDs: “Home-Secure” (maps to VLAN 10), “Home-IoT” (VLAN 20), and “Home-Guest” (VLAN 30). Use WPA3 encryption if your router supports it, WPA2 (AES/CCMP, never TKIP) if not, and set unique passwords for each. The guest network password can be simple – you’ll share it. The others should be 20+ character passphrases. For Home-Secure, I use a sentence I’ll remember: “Coffee tastes better at 6am when nobody’s awake!” – 48 characters, easy to type (and now that it’s in print, pick your own).

Troubleshooting: If devices won’t connect to the new networks, check the wireless security settings. Some older devices (pre-2018) can’t handle WPA3, so set that SSID to WPA2 (or WPA2/WPA3 mixed mode, if your router offers it) temporarily, connect the device, then try moving back up. I’ve also seen issues where the router doesn’t properly tag VLAN traffic on the wireless side – go to Settings > WiFi > [your network] > Advanced and verify the VLAN ID matches what you set earlier.

Step 7: Configure firewall rules between VLANs. By default, VLAN isolation blocks everything, which is great, except you need to punch specific holes. Go to Settings > Security > Firewall > Create Rule. Create a rule allowing VLAN 10 (Trusted) to access VLAN 20 (IoT) on ports 80 and 443, plus any device-specific ports (8080 for some cameras). Direction: LAN In, Action: Accept, Source: Trusted network, Destination: IoT network. Rule order matters: this accept has to be evaluated before the drop that isolation created, so check the rule list after saving, and leave the default allow-established/related rule in place so replies from IoT devices get back to your phone. This lets you control your smart home from your phone without giving those devices reverse access. Don’t allow IoT to initiate connections to Trusted — ever.

Step 8: Move devices to their correct networks. Start with IoT devices since they’re the easiest to migrate. Forget the old network on each device, scan for the Home-IoT SSID, connect with the new password. Your Alexa, Ring doorbell, Roku — all of it goes here. Work devices go on Home-Secure.

If you have a managed switch, you can also assign physical ports to specific VLANs — port 2 for your work desktop on VLAN 10, port 5 for a security camera NVR on VLAN 20. The uplink between the switch and the router has to be a tagged (trunk) port carrying all three VLANs, while each device-facing port is an untagged member of exactly one VLAN. Check the switch documentation for VLAN tagging instructions.

Troubleshooting: If your smart home automations break after segmentation, it’s because the control app (on Trusted) can’t discover devices (on IoT). You have two options: enable mDNS reflection in the router settings (Settings > Services > mDNS), or install the control apps on a tablet that lives permanently on the IoT network. I do the latter – a cheap Fire tablet for $40 that never leaves the house.

Common Mistakes That Kill Network Security

Reusing Passwords Across Network Segments

Here’s the thing: the most common issue I see is people setting identical passwords for all three SSIDs. The whole point of segmentation collapses if someone on your Guest network can guess their way onto Trusted. Use a password manager (I use 1Password) to generate and store unique credentials for each network. The router admin password should be different from all of them.

Forgetting to Update Router Firmware

You just spent 90 minutes hardening your network, then left it vulnerable because the router is running 18-month-old firmware with known exploits. Go to Settings > System > Firmware and check for updates right now. Enable auto-update if available. The UniFi line pushes updates every 6-8 weeks. TP-Link is slower – check manually every quarter. Mirai, which compromised roughly 600,000 devices in 2016, mostly got in through factory-default credentials and unpatched services, not anything exotic – the boring failures are the ones that get exploited.

Opening Too Many Firewall Exceptions

Every Accept rule you add in Step 7 is a hole in the isolation you just built. Keep the list short, scope each rule to specific destination ports rather than “any”, and never add one in the IoT-to-Trusted direction.

What You’ve Built and Where to Go Next

You now have a three-tier network that isolates untrusted devices from critical ones. Next step: set up VPN access so you can manage this network remotely without exposing the admin panel to the internet. Look into WireGuard (built into UniFi OS) or Tailscale for zero-trust access. Also consider DNS filtering with Pi-hole or NextDNS – it blocks ads and malware at the network level before they reach any device.

For more on locking down specific IoT devices, see our guide on identifying which smart home gadgets are phoning home without your knowledge.
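Before you trust the segmentation, check it from the wire rather than from the admin panel. The script below is an added example written for this guide (my own code, not UniFi’s or Omada’s, and not part of the original walkthrough). It encodes the three networks from Steps 3 to 5 and the Step 7 rule as a policy, then probes the gateways and a Trusted host from whichever VLAN the machine running it sits on. The 8080 camera port, the 2-second probe timeout and the sample Trusted host at 192.168.10.100 are assumptions; the guide uses ping, while this uses TCP connects because they need no root and they separate “filtered” from “refused”.

```python
"""Model the inter-VLAN policy from Steps 3-7 and check it from this host.
Added example for this guide; not UniFi or Omada code."""
import ipaddress
import socket
import sys

# Networks exactly as created in Steps 3-5.
NETWORKS = {
    "Trusted": ipaddress.ip_network("192.168.10.0/24"),  # VLAN 10
    "IoT":     ipaddress.ip_network("192.168.20.0/24"),  # VLAN 20
    "Guest":   ipaddress.ip_network("192.168.30.0/24"),  # VLAN 30
}
# Gateway is the first host address (.1) in each subnet, as in the guide.
GATEWAYS = {name: net.network_address + 1 for name, net in NETWORKS.items()}

# Ports Trusted may open toward IoT (Step 7). 8080 is an assumed camera port.
TRUSTED_TO_IOT_PORTS = frozenset({80, 443, 8080})


def vlan_of(ip):
    """Name of the VLAN an address belongs to, or None if it is outside all
    three (i.e. the internet)."""
    addr = ipaddress.ip_address(str(ip))
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return None


def policy_allows(src_ip, dst_ip, dst_port):
    """Decide whether a NEW TCP connection should be permitted.

    Only the initiating direction is modelled: replies ride on the
    established/related state, so IoT may answer Trusted but never initiate
    toward it. A destination outside all VLANs is internet egress, which
    every network may do."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None:
        return False          # not one of our clients
    if dst is None:
        return True           # internet egress
    if src == dst:
        return True           # same VLAN is never filtered
    if src == "Trusted" and dst == "IoT":
        return dst_port in TRUSTED_TO_IOT_PORTS
    return False              # IoT->Trusted, Guest->anything on the LAN


def probe(dst_ip, dst_port, timeout=2.0):
    """TCP connect and classify: 'filtered' (timeout/unreachable) is what a
    correct drop rule produces; 'refused' means the packet reached the host
    and the port was closed, which is still a segmentation failure."""
    try:
        with socket.create_connection((str(dst_ip), dst_port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:           # socket.timeout, no route to host, ...
        return "filtered"


def verdict(expected_allowed, observed):
    """Compare the policy with what the wire showed. Returns (ok, reason)."""
    if expected_allowed:
        ok = observed in ("open", "refused")       # reachable either way
        why = "reachable as intended" if ok else "blocked though policy allows; check rule order"
    else:
        ok = observed == "filtered"
        why = "dropped as intended" if ok else "reachable (%s) despite isolation" % observed
    return ok, why


def audit(my_ip, targets):
    """Probe every (dst, port) from this host; rows of
    (dst, port, expected_allowed, observed, ok, reason)."""
    rows = []
    for dst_ip, port in targets:
        expected = policy_allows(my_ip, dst_ip, port)
        observed = probe(dst_ip, port)
        ok, why = verdict(expected, observed)
        rows.append((str(dst_ip), port, expected, observed, ok, why))
    return rows


def default_targets():
    """All three gateways on 443 plus a constructed Trusted host (assumed to
    be your laptop at 192.168.10.100) so forwarding, not just the router's
    own interface, gets tested."""
    targets = [(gw, 443) for gw in GATEWAYS.values()]
    targets.append((ipaddress.ip_address("192.168.10.100"), 443))
    return targets


if __name__ == "__main__":
    # Usage: python vlan_audit.py <this host's LAN address>
    me = sys.argv[1] if len(sys.argv) > 1 else "192.168.30.120"
    print("auditing from %s (%s)" % (me, vlan_of(me)))
    for dst, port, exp, obs, ok, why in audit(me, default_targets()):
        print("%s %s:%d expected_allow=%s got=%s: %s"
              % ("PASS" if ok else "FAIL", dst, port, exp, obs, why))
```

Run it once from a Guest client and once from an IoT client; every row should read PASS, and any “refused” against a Trusted address means the isolation rule is not being hit. A reply from a gateway address alone is not proof either way, which is why the constructed Trusted host is in the target list.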
