Network Segmentation • VLANs • ACLs • Host Firewalls

Network Segmentation and Layered Access Control Design

I designed a segmented homelab network to separate systems by trust level and function, then controlled inter-VLAN communication with router-based policy instead of broad default access.


Environment

VLAN 10

Management network for administration and infrastructure access.

VLAN 20

Services network for hosted applications and internal service endpoints.

VLAN 30

Client network for user devices.

VLAN 40

Internet of Things (IoT) network for lower-trust smart devices.

VLAN 50-60

Lab networks, kept separate so Kali and other testing systems are isolated from the rest of the environment.

Problem

A flatter network makes early setup easier, but it also creates too much trust between systems that should not communicate freely. I wanted to separate management, services, clients, IoT, and lab traffic so that access between networks had to be explicitly allowed.

Approach

I divided the network by both function and trust level, then treated inter-VLAN routing as a policy decision rather than an automatic convenience. Management needed broad access for administration, while other networks needed tighter boundaries. Lab networks were further separated because offensive tooling such as Kali should not sit on the same trust level as the rest of the environment.

Implementation

  • Created VLANs based on role and trust boundaries.
  • Used access and trunk ports to correctly segment Layer 2 traffic.
  • Relied on Layer 3 routing to control communication between VLANs.
  • Implemented router-based Access Control Lists (ACLs) to define allowed and denied traffic paths.
  • Applied host-level firewalls to enforce additional security controls at the system level:
    • Used Proxmox host firewall rules to protect the hypervisor and management interfaces.
    • Configured UFW (Uncomplicated Firewall) on Linux nodes to restrict inbound and outbound traffic.
    • Used iptables on TrueNAS to control service-level access and network exposure.

Key Lesson

One of the biggest lessons from this project was that VLAN segmentation alone is not enough to provide real security. While VLANs separate broadcast domains at Layer 2, traffic is still routed at Layer 3 where policy must be enforced. Adding host-based firewalls created a layered security model, ensuring that even if network-level controls were misconfigured, individual systems still enforced their own access restrictions.

Validation

  • Tested expected connectivity between approved networks.
  • Verified blocked paths stayed blocked.
  • Confirmed management retained the broader access it needed.
  • Used troubleshooting to distinguish switching issues from routing or ACL issues.

Outcome

The final design gave each part of the homelab a clearer trust boundary and made inter-VLAN access intentional instead of automatic. It also gave me a better troubleshooting model because I could separate switching problems, routing problems, and Access Control List (ACL) policy problems during testing. The design also evolved from simple segmentation into a layered security model combining VLANs, routing policy, and host-based firewalls.

What I Learned

  • VLANs separate broadcast domains, but routed traffic still needs policy control.
  • Access Control List (ACL) order matters because rule evaluation is top-down.
  • Trust boundaries should be designed intentionally, not added later as an afterthought.
  • Segmentation only works when the intended behavior is tested and verified.
  • Effective security comes from layered controls, not a single mechanism.
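The router-ACL evaluation from the Implementation section and the flow-matrix checks from the Validation section, modelled as an added example (my code, not part of the original write-up). Subnets, the representative test hosts and the exact rule set are assumptions, since the page names the VLANs but gives no addressing; the second rule set shows why the "ACL order matters" lesson holds.

```python
import ipaddress

# Constructed addressing for the page's VLANs (the write-up gives no subnets; these are assumptions).
VLANS = {
    "management": ipaddress.ip_network("10.0.10.0/24"),  # VLAN 10
    "services": ipaddress.ip_network("10.0.20.0/24"),    # VLAN 20
    "clients": ipaddress.ip_network("10.0.30.0/24"),     # VLAN 30
    "iot": ipaddress.ip_network("10.0.40.0/24"),         # VLAN 40
    "lab": ipaddress.ip_network("10.0.50.0/24"),         # VLAN 50 stands in for the 50-60 lab range
}
ANY = ipaddress.ip_network("0.0.0.0/0")

def evaluate(acl, src_ip, dst_ip):
    """Router-style ACL: rules are checked top-down, first match wins, implicit deny at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"

# Inter-VLAN policy in the order it must be evaluated: specific denies sit above the broad permit.
ACL = [
    ("permit", VLANS["management"], ANY),             # management administers every segment
    ("deny", VLANS["lab"], ANY),                      # lab/Kali hosts reach nothing else...
    ("deny", ANY, VLANS["lab"]),                      # ...and nothing else reaches them
    ("deny", VLANS["iot"], ANY),                      # lower-trust IoT gets no access into other VLANs
    ("permit", VLANS["clients"], VLANS["services"]),  # user devices may use hosted applications
    ("deny", ANY, ANY),                               # explicit final deny, same as the implicit one
]

# The same rules with a broad "anything may reach services" permit placed first: the IoT and
# lab denies below it are never reached, which is the ordering mistake the lesson warns about.
MISORDERED_ACL = [("permit", ANY, VLANS["services"])] + ACL

# Flow matrix used for validation: which VLAN-to-VLAN paths must be open and which must stay blocked.
EXPECTED = {
    ("management", "services"): "permit", ("management", "lab"): "permit",
    ("clients", "services"): "permit", ("clients", "management"): "deny",
    ("iot", "services"): "deny", ("iot", "clients"): "deny",
    ("lab", "services"): "deny", ("services", "lab"): "deny",
}

def check_matrix(acl, expected=EXPECTED, host_index=10):
    """Evaluate one representative host per VLAN pair; return the flows that disagree with the matrix."""
    mismatches = {}
    for (src_vlan, dst_vlan), want in expected.items():
        got = evaluate(acl, str(VLANS[src_vlan][host_index]), str(VLANS[dst_vlan][host_index]))
        if got != want:
            mismatches[(src_vlan, dst_vlan)] = got
    return mismatches
```

`check_matrix(ACL)` returns an empty dict, while `check_matrix(MISORDERED_ACL)` reports the IoT-to-services and lab-to-services paths as unexpectedly permitted.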

What I'd Improve Next

The next step would be turning the policy model into a cleaner source-of-truth document with an explicit flow matrix for every VLAN. That would make future rule changes easier to reason about and reduce the chance of accidental over-permissive access as the environment grows.
