Question Small home lab / SOHO network design: IP addressing, VLANs and router vs L3 switch
Question Small home lab / SOHO network design: IP addressing, VLANs and router vs L3 switch
Here’s a revised version of your message with the same length and structure:
Hi all,
I’m a student studying data communication and infrastructure, and I need some feedback on a mini “home lab / SOHO” network design. The aim is to gain practical experience while building a secure and organized setup.
Scenario:
Internet: Fiber 500/500 Mbps
One router from ISP (can operate in bridge mode)
My own equipment (planned or partially existing):
- 1 small router/firewall (planning pfSense/OPNsense or similar)
- 1 managed switch (8–16 ports, VLAN support)
- 1–2 Wi-Fi access points (ceiling/wall mounted)
I want to segregate traffic into distinct logical networks:
- LAN
– trusted devices (PCs, laptops, NAS)
- Guest Wi-Fi
– Internet only
- IoT
– smart TV, smart plugs, etc. (limited access to LAN)
- Lab / test
– for testing servers, VMs, etc.
My questions:
For a setup like this, should I enable inter-VLAN routing on the router/firewall only, or is it better to use an L3 switch in such a small configuration?
Also, are these IP ranges/CIDR blocks appropriate, or would you prefer a different structure?
- LAN: 192.168.10.0/24
- Guest: 192.168.20.0/24
- IoT: 192.168.30.0/24
- Lab: 192.168.40.0/24
From a security standpoint, which basic firewall rules would you consider essential between:
- LAN ↔ IoT
- LAN ↔ Guest
- Guest ↔ Internet
- Lab ↔ LAN/Internet
Are there any common pitfalls when mixing VLANs, DHCP scopes, and Wi-Fi SSIDs (such as misconfigurations that are easy to make in small setups)?
I’m mainly focused on developing good habits and design principles that go beyond a typical all-in-one home router, yet remain practical for a small environment.
Thanks for your advice!
The purpose of VLANs is to limit or eliminate traffic between them. If you're concerned about routing between VLANs, it means your VLAN setup is incorrect.
You're not very familiar with VLAN concepts, but you have some solid resources for learning VLAN and routing. Check out GNS3 tutorials:
https://www.youtube.com/results?search_query=GNS3
https://www.youtube.com/results?search_query=GNS3+VLAN
For free ESXi options, see the Broadcom article:
https://knowledge.broadcom.com/external/...ble-a.html
You can also find ESXi VLAN guides on YouTube:
https://www.youtube.com/results?search_query=ESXi+VLAN
PfSense is essential for inter-VLAN routing, though managed switches only support VLANs without routing between them:
https://www.youtube.com/results?search_q...sense+VLAN
And check out Amazon listings for mini PCs with pfSense:
https://www.amazon.com/s?k=pfsense+mini+pc
Because you include WIFI in your hardware list, I suggest considering Ubiquiti UniFI for your complete set of devices. It offers one management interface for routers, switches, WIFI, cameras, door access, and VOIP. While it doesn’t match the extensive features of pfSense, it’s a better option than managing ten different GUIs for VLAN setup.
I would like to share another idea for students like you...
Do you have a diagram of your network that includes all devices, cables, ports, etc.?
For example, showing the structure and organization of your network and its components.
Being able to visualize and record a network is crucial for planning, reference, and troubleshooting.
This becomes especially important when you test or adjust your network and configuration.
Start by searching online for resources like "How to document and diagram a network."
You don’t need expensive or complicated tools—just the essentials that fit your current learning and tasks.
Many useful options exist, some free or offering trial periods.
Consider this perspective:
In the future, you might have Network A. Someone—possibly even you—will need to modify Network B.
This could involve adding more devices, subnets, or other changes.
Whatever the case, it helps to convince others of the approach, costs, plans, implementation, testing, and support required.
A clear picture will be extremely helpful when explaining these details to non-technical people or even more experienced managers who need to understand the justification for all the expenses and time involved.
Developing good documentation habits early on is very beneficial.
Additionally, it might be wise to look for a slightly older refurbished or used network switch on platforms such as eBay. You can find options like a Brocade/Ruckus ICX 7250 for around $100, which is a full L3 switch with 8x SFP+ ports (and either 24 or 48 RJ45 ports depending on the model). It operates on FastIron OS, closely resembling CISCO IOS in command structure. This device supports most network functions except BGP; for BGP you’d need a different model like the ICX6610, which is more suited for datacenter environments and can reach higher signal levels. This setup allows you to experiment with various configurations and become comfortable with network commands used in large business settings (such as CISCO). It also enables you to configure ACL rules and inter-VLAN routing, making it a valuable investment if you plan to enter this area, offering practical skills that are in demand.