Lab: Create a VLAN on Your Router

Carve out an isolated VLAN for homelab services with tagged uplinks and a DHCP scope.

Difficulty: Beginner
Time: 20 minutes

Prerequisites:

  • Router/switch that supports VLANs
  • One wired client you can reconfigure
  • Access to router UI or CLI

Step 1: Plan the VLAN

  • VLAN ID: 30 (example), subnet: 192.168.30.0/24.
  • Gateway: 192.168.30.1, DHCP range: 192.168.30.50-150.
  • Decide which switch ports will carry the tagged VLAN (trunk) and which will be access ports.

Step 2: Create VLAN Interface

  1. In the router UI, add VLAN 30 on the LAN bridge or parent interface.
  2. Assign IP 192.168.30.1/24 to the VLAN interface.
  3. Enable DHCP for VLAN 30 with the planned range.

Step 3: Tag the Uplink

On your switch:

  • Mark the port facing the router as a trunk/tagged member of VLAN 30 (and untagged on your default VLAN).
  • Pick one access port to place into VLAN 30 untagged for a test client.

Step 4: Test a Client

  1. Plug a laptop into the VLAN 30 access port.
  2. Check it receives an IP in 192.168.30.0/24.
  3. Ping the gateway (192.168.30.1) and the internet (e.g., 1.1.1.1).

Confirm isolation by trying to reach devices on your main LAN; traffic should be blocked unless you add firewall rules.

Step 5: Add Firewall Rules (Optional)

  • Allow VLAN 30 to the internet.
  • Block VLAN 30 to the main LAN except for needed services (e.g., DNS at 192.168.1.10).
  • Log drops to verify the policy is working.

If you lose management access, move your laptop back to a known-good untagged port on the default LAN to recover.
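
The Step 4 client checks and the Step 5 policy can be verified together from the test client. The script below is an added example, not part of the original lab: it assumes a Linux client with iproute2, ping, timeout and bash, that the Step 5 rules are already in place, and that MAIN_LAN_HOST (a placeholder address) is a main-LAN device that normally answers ping. Probing DNS over TCP/53 is also an assumption about how the DNS server is reachable.

```sh
#!/bin/sh
# Added example (not from the original lab). Run on the Linux test client in VLAN 30:
#   sh vlan30-check.sh run
GATEWAY=192.168.30.1; DHCP_FIRST=192.168.30.50; DHCP_LAST=192.168.30.150
INTERNET=1.1.1.1; DNS_SERVER=192.168.1.10
# Assumption: a main-LAN host that normally answers ping (placeholder address).
MAIN_LAN_HOST=${MAIN_LAN_HOST:-192.168.1.20}

# Dotted-quad IPv4 -> integer; the subshell keeps the IFS change local.
ip_to_int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 )) )
}

# Succeeds when $1 is inside the planned DHCP range (inclusive).
in_dhcp_range() {
    [ "$(ip_to_int "$1")" -ge "$(ip_to_int "$DHCP_FIRST")" ] &&
    [ "$(ip_to_int "$1")" -le "$(ip_to_int "$DHCP_LAST")" ]
}

# verdict <label> <expected: reach|block> <probe exit status>
verdict() {
    if [ "$3" -eq 0 ]; then got=reach; else got=block; fi
    if [ "$got" = "$2" ]; then echo "PASS $1: $got"; return 0; fi
    echo "FAIL $1: expected $2, got $got"; return 1
}

run_checks() {
    rc=0
    # Source address the kernel picks to reach the gateway (iproute2).
    addr=$(ip -4 route get "$GATEWAY" 2>/dev/null | sed -n 's/.* src \([0-9.]*\).*/\1/p')
    in_dhcp_range "${addr:-0.0.0.0}"
    verdict "lease ${addr:-none} in DHCP range" reach $? || rc=1
    ping -c 2 -W 2 "$GATEWAY" >/dev/null 2>&1
    verdict "gateway $GATEWAY" reach $? || rc=1
    ping -c 2 -W 2 "$INTERNET" >/dev/null 2>&1
    verdict "internet $INTERNET" reach $? || rc=1
    # Isolation: the main LAN must NOT answer from VLAN 30.
    ping -c 2 -W 2 "$MAIN_LAN_HOST" >/dev/null 2>&1
    verdict "main LAN $MAIN_LAN_HOST" block $? || rc=1
    # The one planned exception: DNS, probed here over TCP/53.
    timeout 3 bash -c "exec 3<>/dev/tcp/$DNS_SERVER/53" 2>/dev/null
    verdict "DNS $DNS_SERVER:53" reach $? || rc=1
    return $rc
}

# Only probe the network when asked to, so the functions can be reused or tested.
if [ "${1:-}" = "run" ]; then run_checks; fi
```

A FAIL on the main-LAN line means VLAN 30 can still reach the main LAN, so check the block rule and the logged drops from Step 5.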
