VLANs + Managed Switch + Wi-Fi AP
Enterprise-grade network segmentation for your home or small office. Full isolation between trusted, IoT, and lab networks.
⚠️ Prerequisites
This guide assumes you have already completed the Beginner Guide and are comfortable with Firewalla basics. You should understand DHCP, IP addresses, and basic networking concepts.
- Required: Firewalla Purple already set up and working
- Required: Comfort level with logging into device admin panels via a browser
- Recommended: ISP router already in bridge mode (see our Bridge Mode Guide)
- Time estimate: 60-90 minutes for the full setup
What You Will Achieve
By the end of this guide, your network will have:
🛡️ VLAN Segmentation
Completely separate network segments at the switch level. IoT devices cannot even see your trusted LAN: they're on different broadcast domains with no route between them.
🔧 Firewall Rules
Granular control over what can talk to what. Block IoT from reaching your work devices while still allowing you to manage IoT from the trusted network.
📡 Multiple Wi-Fi Networks
Separate SSIDs for trusted devices, IoT, and guests, each mapped to its own VLAN with its own password and security policy.
🔴 Lab / Red Team Network
Fully isolated testing environment. Run Nmap scans, test exploits, or analyze malware without any risk to your main network or IoT devices.
Network Design
Here is the target architecture with three VLANs:
| VLAN | ID | Subnet | Purpose | SSID |
|---|---|---|---|---|
| Trusted | 10 | 192.168.10.0/24 | Work laptops, phones, desktops | HomeNetwork |
| IoT | 20 | 192.168.20.0/24 | Smart TVs, cameras, speakers, thermostats | IoT-Devices |
| Lab | 30 | 192.168.30.0/24 | Security testing, red team tools | Lab-Network |
```
            Internet
               |
               v
      +------------------+
      |    ISP Router    |  Bridge Mode (just a modem)
      +------------------+
               |
               v
      +------------------+
      | Firewalla Purple |  Router Mode - manages all VLANs
      |  (Router Mode)   |  DHCP for each VLAN
      +------------------+
          |          |
          v          v
   +-----------+  +-------------------+
   |  Managed  |  |  Zyxel Wi-Fi AP   |
   |  Switch   |  | VLAN-tagged SSIDs |
   | (GS1900)  |  +-------------------+
   +-----------+      |     |     |
    |  |  |  |        v     v     v
   Ports by VLAN:  Trusted  IoT  Lab
   Green  = VLAN 10  (3 separate SSIDs)
   Orange = VLAN 20
   Red    = VLAN 30
```
What You Need
Firewalla Purple
Your network router and firewall in one. In Router Mode, Firewalla manages all VLANs, runs DHCP for each segment, and enforces inter-VLAN firewall rules. It also handles NAT, VPN, and threat detection.
Zyxel GS1900-8HP Switch
8-port managed switch with PoE (Power over Ethernet). Supports 802.1Q VLANs so you can assign each physical port to a specific network segment. PoE powers the Wi-Fi AP through the Ethernet cable, so no separate power adapter is needed.
Zyxel NWA50AX Wi-Fi 6 AP
Supports up to 8 SSIDs, each tagged to a different VLAN. PoE powered directly from the managed switch; mount it on a wall or ceiling for optimal coverage. Same AP from the Beginner Guide, now unlocking its full VLAN capabilities.
Total: ~$600. As an Amazon Associate, we earn from qualifying purchases.
Step 1: Put ISP Router in Bridge Mode
1 Bridge Your ISP Router
This turns your ISP router into a simple modem so Firewalla becomes the only router on your network. No more double NAT, no more fighting with ISP router settings.
- Follow our ISP Bridge Mode Guide for step-by-step instructions for your specific ISP (AT&T, Xfinity, Verizon, Cox, Spectrum, etc.)
- After bridging, Firewalla's WAN port will receive a public IP directly from your ISP
- No more double NAT: VPN works without port forwarding, and Firewalla has full visibility into all traffic
- Verify bridge mode is working: in the Firewalla app, go to Network → WAN and confirm the IP is a public address (not 192.168.x.x or 10.x.x.x)
💡 Why Bridge Mode?
In Beginner Mode, your ISP router and Firewalla both do NAT (double NAT). This causes VPN issues and limits Firewalla's control. Bridge mode eliminates the ISP router's routing, giving Firewalla full control.
Step 2: Switch Firewalla to Router Mode
2 Enable Router Mode
- Open Firewalla app
- Go to Network tab
- Tap Network Mode
- Select Router Mode
- Firewalla will reboot (takes 2-3 minutes) and become your primary router
- Once it's back online, verify internet works by loading a website on a wired device
⚠️ Heads Up
Switching to Router Mode will temporarily disconnect all devices. Make sure you have the Firewalla app ready on cellular data (not Wi-Fi) so you can monitor the transition. If anything goes wrong, you can switch back to DHCP Mode from the app.
💡 Router Mode vs. DHCP Mode
DHCP Mode (Beginner Guide) creates an overlay; your ISP router is still routing. Router Mode makes Firewalla the sole router. This gives you full control over VLANs, eliminates double NAT, and lets Firewalla see all traffic without any blind spots. It's the foundation for everything in this guide.
Step 3: Create VLANs in Firewalla
3 Create VLAN Networks
- In Firewalla app, go to Network
- Tap Create New Network
- Create VLAN 10 - Trusted:
- VLAN ID: 10
- Subnet: 192.168.10.0/24
- DHCP: Enabled
- Create VLAN 20 - IoT:
- VLAN ID: 20
- Subnet: 192.168.20.0/24
- DHCP: Enabled
- Create VLAN 30 - Lab:
- VLAN ID: 30
- Subnet: 192.168.30.0/24
- DHCP: Enabled
Step 4: Configure the Managed Switch
4 Access the Switch
- Connect the switch to Firewalla's LAN port
- Find the switch IP in Firewalla's device list
- Open a browser and navigate to the switch IP
- Login (default: admin/1234)
💡 Zyxel Switch Tip
If you cannot find the switch, download the Zyxel ZON Utility which discovers switches via Layer 2 (no IP needed). Connect your PC directly to the switch with Wi-Fi disabled.
5 Configure VLANs on the Switch
Go to VLAN > 802.1Q VLAN in the switch web UI:
| Port | VLAN 10 (Trusted) | VLAN 20 (IoT) | VLAN 30 (Lab) | Use |
|---|---|---|---|---|
| Port 1 (Uplink) | Tagged | Tagged | Tagged | To Firewalla |
| Port 2 | Untagged | - | - | Trusted wired device |
| Port 3 | Untagged | - | - | Trusted wired device |
| Port 4 | - | Untagged | - | IoT wired device |
| Port 5 | - | Untagged | - | IoT wired device |
| Port 6 | - | - | Untagged | Lab wired device |
| Port 7 | Tagged | Tagged | Tagged | To Wi-Fi AP (trunk) |
| Port 8 | Untagged | - | - | Spare (Trusted) |
⚠️ Important
Port 1 (uplink to Firewalla) and Port 7 (to AP) must be Tagged for all VLANs. This is called a "trunk port." Wired device ports should be Untagged on their respective VLAN only.
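Before clicking through the switch UI, it helps to see the tagged/untagged rules as a table you can check mechanically. The following is an added example, not code from the guide or from Zyxel: it models the port table above, validates the trunk/access rules from this step, and shows which ports can exchange frames. Port numbers, VLAN IDs and the T/U entries are copied from the table; the checking logic and the PVID assumption for trunk ports are ours.

```python
# Added example (not from the guide): a model of the Step 4 802.1Q port table.
VLANS = {10, 20, 30}
UPLINK, AP_TRUNK = 1, 7  # the two trunk ports from the table

# Port -> {VLAN id: "T" (tagged) or "U" (untagged)}, as entered under VLAN > 802.1Q VLAN.
PORTS = {
    1: {10: "T", 20: "T", 30: "T"},  # uplink to Firewalla
    2: {10: "U"}, 3: {10: "U"},       # Trusted wired devices
    4: {20: "U"}, 5: {20: "U"},       # IoT wired devices
    6: {30: "U"},                     # Lab wired device
    7: {10: "T", 20: "T", 30: "T"},  # trunk to the Wi-Fi AP
    8: {10: "U"},                     # spare (Trusted)
}

def pvid(port, ports=PORTS):
    """VLAN an untagged frame entering this port lands in; None on a pure trunk (assumption)."""
    untagged = [v for v, mode in ports[port].items() if mode == "U"]
    return untagged[0] if len(untagged) == 1 else None

def frame_reaches(ingress, egress, ports=PORTS):
    """Can an untagged frame from a device on `ingress` be forwarded out of `egress`?"""
    vlan = pvid(ingress, ports)
    return vlan is not None and vlan in ports[egress]

def validate(ports=PORTS):
    """Apply the rules from this step; returns human-readable problems (empty list = OK)."""
    problems = []
    for port, members in ports.items():
        tagged = {v for v, m in members.items() if m == "T"}
        untagged = {v for v, m in members.items() if m == "U"}
        if port in (UPLINK, AP_TRUNK):
            if tagged != VLANS or untagged:
                problems.append(f"port {port}: trunk must be tagged on all of {sorted(VLANS)}")
        elif len(untagged) != 1 or tagged:
            problems.append(f"port {port}: access port must be untagged on exactly one VLAN")
    return problems

if __name__ == "__main__":
    print("problems:", validate())                                  # [] for the table as written
    print("IoT port 4 -> Trusted port 2:", frame_reaches(4, 2))    # False: separate broadcast domains
    print("IoT port 4 -> uplink port 1:", frame_reaches(4, 1))     # True: VLAN 20 is tagged on the trunk
    broken = dict(PORTS)
    broken[1] = {10: "T", 20: "T"}  # forgot to tag VLAN 30 on the uplink
    print("problems with a broken uplink:", validate(broken))
```

The broken-uplink case at the end is the "no internet on a VLAN" symptom from the troubleshooting section: a VLAN that is not tagged on Port 1 never reaches Firewalla.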
Step 5: Configure the Wi-Fi AP
6 Set Up VLAN-Tagged SSIDs
- Connect the AP to the switch trunk port (Port 7); the AP will be powered via PoE from the switch
- Access the AP web interface (find its IP in Firewalla's device list)
- Go to Wireless → AP Management and create three SSIDs:
- HomeNetwork → VLAN 10 (Trusted), WPA3 if your devices support it, otherwise WPA2
- IoT-Devices → VLAN 20 (IoT), WPA2 (many IoT devices don't support WPA3)
- Lab-Network → VLAN 30 (Lab), WPA2 or WPA3
- For each SSID, set the VLAN ID in the SSID's advanced settings to match the table above
- Use strong, unique passwords for each SSID; don't reuse passwords across networks
- Enable Intra-BSS Traffic Blocking (client isolation) on the IoT SSID; this prevents IoT devices from attacking each other even within the same VLAN
💡 Why Separate SSIDs?
Each SSID maps to a VLAN. When a device connects to "IoT-Devices," it automatically lands on VLAN 20 with its own subnet and firewall rules. Your phone on "HomeNetwork" is on VLAN 10, completely separate. The AP handles the VLAN tagging transparently over the trunk port to the switch.
Step 6: Create Firewall Rules
7 Set Up Inter-VLAN Rules
In Firewalla app, go to Rules and create these inter-VLAN firewall rules:
- Block IoT → Trusted: Block all traffic from VLAN 20 to VLAN 10. This is the most critical rule: it prevents a compromised smart TV or camera from attacking your work laptop.
- Block Lab → Trusted: Block all traffic from VLAN 30 to VLAN 10. Your lab experiments should never touch your real devices.
- Block Lab → IoT: Block all traffic from VLAN 30 to VLAN 20. Full isolation for the lab.
- Allow Trusted → IoT: Allow VLAN 10 to reach VLAN 20 so you can manage IoT devices (e.g., configure a smart thermostat from your phone).
- Block IoT → Lab: Block all traffic from VLAN 20 to VLAN 30. IoT has no business talking to your lab.
💡 Rule Logic
The principle is simple: trusted devices can reach everything, but nothing can reach trusted devices uninvited. IoT gets internet only. Lab is completely isolated. Think of it as a one-way mirror: you can see out, but nothing can see in.
⚠️ Test Each Rule
After creating each rule, test it immediately. From an IoT device, try to ping a Trusted device IP (e.g., ping 192.168.10.x). It should fail. From a Trusted device, try to ping an IoT device; it should succeed. If a rule isn't working, check that you selected the correct source and destination networks in Firewalla.
8 Enable Protections Per VLAN
- Go to each VLAN network in Firewalla
- Enable Ad Block on all VLANs
- Enable Active Protect on all VLANs
- Enable Safe Search on Trusted and IoT
- Consider disabling internet on Lab VLAN by default (enable only when testing)
Step 7: Set Up VPN
9 Configure VPN Server
- In Firewalla app, go to VPN Server
- Enable WireGuard (recommended for speed and battery life)
- Create a profile for each device you want to connect remotely
- VPN now works without port forwarding: since Firewalla has the public IP in Router Mode, incoming VPN connections reach it directly
- When connected via VPN, you'll land on the Trusted VLAN by default, with full access to manage your network from anywhere
💡 VPN + VLANs
One of the biggest advantages of Router Mode: your VPN connection places you on the Trusted network. You get the same access as if you were sitting at home on your wired connection, including the ability to manage IoT devices, access your NAS, or check security cameras. All while your traffic is encrypted and routed through your home Firewalla's threat protection.
Verification Checklist
✅ Test Your Setup
Run through each of these tests to confirm everything is working correctly. If any test fails, check the troubleshooting section below.
- Trusted device → Internet: Open a browser and load any website. Should work normally.
- Trusted device → IoT: Ping an IoT device IP (e.g., ping 192.168.20.x). Should succeed; you need this to manage IoT devices.
- IoT device → Trusted: From an IoT device or phone on the IoT SSID, try to ping a Trusted IP (e.g., ping 192.168.10.x). Should fail; this is your most important security boundary.
- IoT device → Internet: Load a website from the IoT network. Should work; IoT devices need internet for updates and cloud services.
- Lab device → Trusted: Should fail. Complete isolation.
- Lab device → IoT: Should fail. Complete isolation.
- Lab device → Internet: Should fail by default (if you disabled it). Enable only when actively testing.
- VPN from outside: Disconnect from home Wi-Fi, connect via cellular, enable WireGuard VPN. Verify you get a 192.168.10.x IP (Trusted VLAN).
- Wi-Fi VLAN check: Connect to each SSID and check your IP address. HomeNetwork should give 192.168.10.x, IoT-Devices should give 192.168.20.x, Lab-Network should give 192.168.30.x.
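The Step 6 rule set and this checklist are two views of the same policy, so they can be cross-checked as a table before you start pinging. The following is an added example, not code from the guide or from Firewalla: it encodes the five inter-VLAN rules (plus the optional Lab-internet block) and the expected outcome of each checklist test, and reports any pair where the two disagree. The rule semantics are an assumption made here for the model ("exact source/destination match, otherwise allowed"); Firewalla's real rule engine is not modelled.

```python
# Added example (not from the guide): cross-check the Step 6 rules against the checklist.
TRUSTED, IOT, LAB, INTERNET = "trusted", "iot", "lab", "internet"

# (action, source, destination), as created in Step 6, plus the optional Lab-internet block.
RULES = [
    ("block", IOT, TRUSTED),
    ("block", LAB, TRUSTED),
    ("block", LAB, IOT),
    ("allow", TRUSTED, IOT),
    ("block", IOT, LAB),
    ("block", LAB, INTERNET),  # "consider disabling internet on Lab VLAN by default"
]

# Expected outcome of each checklist test (True = traffic should get through).
CHECKLIST = {
    (TRUSTED, INTERNET): True,
    (TRUSTED, IOT): True,
    (IOT, TRUSTED): False,   # the most important boundary
    (IOT, INTERNET): True,
    (LAB, TRUSTED): False,
    (LAB, IOT): False,
    (LAB, INTERNET): False,  # only while the Lab-internet block is in place
}

def is_allowed(src, dst, rules=RULES):
    """Evaluate one src->dst pair: first exact match wins (assumed model of the engine)."""
    for action, s, d in rules:
        if (s, d) == (src, dst):
            return action == "allow"
    return True  # no rule for this pair: assumed allowed by default

def run_checklist(rules=RULES):
    """Return the checklist pairs whose modelled result differs from the guide's expectation."""
    return [pair for pair, expected in CHECKLIST.items()
            if is_allowed(*pair, rules) != expected]

def trusted_unreachable(rules=RULES):
    """The 'one-way mirror' property: no other VLAN may initiate traffic to Trusted."""
    return all(not is_allowed(src, TRUSTED, rules) for src in (IOT, LAB))

if __name__ == "__main__":
    print("checklist mismatches:", run_checklist())        # [] with the full rule set
    # Forget the IoT -> Trusted block and the checklist flags exactly that pair.
    without = [r for r in RULES if r != ("block", IOT, TRUSTED)]
    print("mismatches without rule 1:", run_checklist(without))
    print("trusted still unreachable?", trusted_unreachable(without))
```

Running the model with a rule removed reproduces the "Test Each Rule" advice: the mismatch list tells you which source/destination pair to re-check in the Firewalla app.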
Troubleshooting
Cannot access switch web UI?
- Download the Zyxel ZON Utility (free); it discovers Zyxel switches via Layer 2, even if you don't know the IP
- Connect your PC directly to the switch with an Ethernet cable and disable Wi-Fi on the PC
- If ZON doesn't find it, set your PC's IP manually to 192.168.1.10 (subnet 255.255.255.0) and try http://192.168.1.1
- Default credentials: admin/1234; change these immediately after first login
- If you've already changed the IP and forgot it, hold the reset button on the switch for 10 seconds to factory reset
Devices on wrong VLAN?
- Check the device's IP address; it should match the VLAN subnet (10.x = Trusted, 20.x = IoT, 30.x = Lab)
- For wired devices: verify the switch port is assigned to the correct VLAN (Untagged on the right VLAN)
- For Wi-Fi devices: verify the AP's SSID has the correct VLAN ID tag in its wireless settings
- After any VLAN changes, disconnect and reconnect the device to get a fresh DHCP lease on the correct subnet
- In Firewalla, check Devices; each device should show which network/VLAN it belongs to
No internet on a VLAN?
- In Firewalla, go to Network and verify DHCP is enabled for that VLAN
- Check that the switch uplink port (Port 1) is Tagged for that VLAN; if it's not tagged, traffic for that VLAN can't reach Firewalla
- Check your firewall rules; make sure you haven't accidentally blocked internet access for that VLAN
- On the device, release and renew DHCP: on Mac/Linux run sudo dhclient -r && sudo dhclient, on Windows run ipconfig /release && ipconfig /renew
- Verify the device got an IP in the correct subnet range for its VLAN
VPN not connecting from outside?
- Confirm Firewalla has a public IP (check Network → WAN). If it shows a private IP (192.168.x.x or 10.x.x.x), bridge mode isn't working correctly
- Make sure WireGuard is enabled in VPN Server settings
- Try regenerating the VPN profile and re-importing the QR code
- Some public Wi-Fi networks block VPN ports β try switching to cellular data to test
🎉 Congratulations!
You now have enterprise-grade network segmentation at home. Your IoT devices are isolated, your work devices are protected, and you have a dedicated lab for security testing.
Need help with ISP bridge mode? See our ISP Bridge Mode Guide.
Want to go back to basics? See the Beginner Guide.