Smart home, less surveillance: a practical IoT segregation guide
Smart homes saw 29 attempted attacks per day in 2026, and 38% of IoT devices were compromised at least once. Here is how to put your cheap doorbell on a leash without giving up Spotify on the fridge.
The IoT industry shipped a billion devices in 2025 and patched maybe a third of them. The 2026 numbers are ugly: an average smart home sees 29 attempted attacks per day, 38% of IoT devices have been compromised at least once in their lifetime, and 35% still ship with default credentials that a high schooler could find on Shodan in ninety seconds.
You are not going to fix the industry. You can fix your house. The fix has a name — network segregation — and the technical building block is a VLAN. This guide is about getting one, configured correctly, on a router you already own or can buy for under $200.
What a VLAN actually is, in plain English
A VLAN (Virtual Local Area Network) is a way to make one physical network behave like multiple separate networks. Your laptop on VLAN 10 and your security camera on VLAN 20 are connected to the same router and use the same internet, but they cannot see each other. The camera cannot scan your laptop for open ports. Your laptop cannot stream from the camera unless you explicitly punch a hole in the rules.
Think of it like an apartment building. Same address, same elevator, separate doors with separate keys. The mailman (your internet connection) reaches everyone. The neighbors (your devices) do not have keys to each other.
The three networks you actually want
- Trusted: laptops, phones, your own NAS, work devices. Full local access.
- IoT: cameras, smart bulbs, plugs, vacuums, doorbells, the fridge. Internet only. No lateral access.
- Guest: visiting friends, the contractor on Wi-Fi, devices you do not trust at all. Internet only. No access to anything.
Some setups add a fourth — a "media" VLAN for Chromecast, Apple TV, Sonos — because those need to talk to your phone. We will get to that.
Setting up VLANs on the router you already have
Asus (with Merlin firmware or recent stock firmware)
1. Go to Guest Network Pro (newer firmware) or LAN > VLAN.
2. Create a new SSID called "House-IoT".
3. Set Access Intranet to OFF (this is the lateral block).
4. Assign it to a separate VLAN ID (10 is fine).
5. Save. Move IoT devices over.
Ubiquiti UniFi
1. In the UniFi controller, go to Settings > Networks > Create New Network.
2. Choose Corporate type, set name "IoT", VLAN ID 20, subnet 192.168.20.0/24.
3. Go to Settings > WiFi > Create New WiFi.
4. Set the Network to "IoT", enable Client Device Isolation.
5. Go to Settings > Routing > Firewall > LAN In and add a rule: drop traffic from VLAN 20 to RFC1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) except return traffic.
GL.iNet (great budget option)
1. Open the admin panel and go to Network > Wireless.
2. Add a new SSID, mark it as "Guest" — GL.iNet's guest network is automatically isolated.
3. For finer control, switch to LuCI (the OpenWRT advanced UI) and configure a real VLAN.
4. In LuCI: Network > Interfaces > Add new interface. Bridge it to the IoT SSID, assign a different subnet.
OpenWRT (anything supported)
1. Install the luci-app-firewall and luci-proto-vlan packages if missing.
2. Network > Switch > add VLAN ID 20, tagged on the CPU port.
3. Network > Interfaces > Add new interface bound to the new VLAN, give it a subnet (e.g. 192.168.20.1/24).
4. Network > Wireless > Add SSID bound to the new interface.
5. Network > Firewall > add a zone "iot" with input REJECT, forward REJECT, output ACCEPT, and only "iot -> wan" allowed.
The firewall rules you actually need
Isolation by itself is not enough. You also want to block IoT devices from reaching parts of the internet they have no business reaching. The minimum rule set:
- IoT VLAN -> WAN: ALLOW. Devices need internet to phone home; that is unavoidable.
- IoT VLAN -> Trusted VLAN: BLOCK. The whole point.
- IoT VLAN -> Other IoT devices on same VLAN: BLOCK if your router supports client isolation. (Most do.)
- IoT VLAN -> Router admin: BLOCK. A compromised camera should not be able to reconfigure your network.
- IoT VLAN -> DNS: ALLOW only to your chosen resolver. Drop any device trying to use 8.8.8.8 directly (lots of IoT devices hardcode Google DNS to bypass parental controls).
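The OpenWRT steps and the minimum rule set above can be expressed as one UCI batch, so the result is reviewable and repeatable rather than a sequence of LuCI clicks. The script below is an added example, not code from the article or from the OpenWRT project. It assumes a swconfig-style switch section named `switch0` whose CPU port is port 6 (DSA-based OpenWRT 21+ hardware uses a bridge-vlan section instead), the default `wan` and `lan` zone names, and that the IoT SSID is attached to the new `iot` interface in LuCI afterwards (step 4 above). The zone's `input REJECT` would also block DHCP and DNS to the router, so those two services are allowed explicitly; outbound port-53 traffic from devices that hardcode 8.8.8.8 is rewritten to the router, and DNS-over-TLS (853/tcp), which cannot be rewritten, is rejected so the device falls back to plain DNS.

```shell
#!/bin/sh
# Added example: OpenWrt UCI batch for the IoT VLAN, DHCP pool and firewall
# zone/rules. Assumptions (not from the article): swconfig switch 'switch0'
# with CPU port 6, zones 'wan' and 'lan' as in a default OpenWrt install.

# Print a uci batch for VLAN <id> (default 20), router at <gateway-ip>/24.
# Pipe it into 'uci batch' on the router; no comment lines are emitted.
iot_vlan_uci_batch() {
    vlan_id="${1:-20}"
    gw_ip="${2:-192.168.20.1}"

    # VLAN tagged on the CPU port only; the SSID is the access side.
    # Bridged interface (becomes br-iot) so the wireless SSID can join it.
    cat <<EOF
set network.iot_vlan=switch_vlan
set network.iot_vlan.device='switch0'
set network.iot_vlan.vlan='${vlan_id}'
set network.iot_vlan.ports='6t'
set network.iot=interface
set network.iot.type='bridge'
set network.iot.ifname='eth0.${vlan_id}'
set network.iot.proto='static'
set network.iot.ipaddr='${gw_ip}'
set network.iot.netmask='255.255.255.0'
set dhcp.iot=dhcp
set dhcp.iot.interface='iot'
set dhcp.iot.start='100'
set dhcp.iot.limit='150'
set dhcp.iot.leasetime='12h'
EOF

    # Zone: nothing into the router, no zone-to-zone forwarding, except
    # what follows. The only forwarding is iot -> wan; 'lan' is never a dest.
    cat <<EOF
set firewall.iot=zone
set firewall.iot.name='iot'
set firewall.iot.network='iot'
set firewall.iot.input='REJECT'
set firewall.iot.output='ACCEPT'
set firewall.iot.forward='REJECT'
set firewall.iot_wan=forwarding
set firewall.iot_wan.src='iot'
set firewall.iot_wan.dest='wan'
EOF

    # Router services IoT devices legitimately need: DHCP and DNS on the
    # router itself (input rules, no dest zone).
    cat <<EOF
set firewall.iot_dhcp=rule
set firewall.iot_dhcp.name='Allow-DHCP-iot'
set firewall.iot_dhcp.src='iot'
set firewall.iot_dhcp.proto='udp'
set firewall.iot_dhcp.dest_port='67'
set firewall.iot_dhcp.target='ACCEPT'
set firewall.iot_dns=rule
set firewall.iot_dns.name='Allow-DNS-iot'
set firewall.iot_dns.src='iot'
set firewall.iot_dns.proto='tcp udp'
set firewall.iot_dns.dest_port='53'
set firewall.iot_dns.target='ACCEPT'
EOF

    # Hardcoded resolvers: DNAT any outbound port 53 to the router, and
    # reject DNS-over-TLS so the device falls back to the redirected path.
    cat <<EOF
set firewall.iot_dns_redirect=redirect
set firewall.iot_dns_redirect.name='Force-DNS-iot'
set firewall.iot_dns_redirect.src='iot'
set firewall.iot_dns_redirect.proto='tcp udp'
set firewall.iot_dns_redirect.src_dport='53'
set firewall.iot_dns_redirect.dest_ip='${gw_ip}'
set firewall.iot_dns_redirect.dest_port='53'
set firewall.iot_dns_redirect.target='DNAT'
set firewall.iot_block_dot=rule
set firewall.iot_block_dot.name='Block-DoT-iot'
set firewall.iot_block_dot.src='iot'
set firewall.iot_block_dot.dest='wan'
set firewall.iot_block_dot.proto='tcp'
set firewall.iot_block_dot.dest_port='853'
set firewall.iot_block_dot.target='REJECT'
EOF
}

# Stand-alone use: print the batch for review.
if [ "${1:-}" = "show" ]; then
    iot_vlan_uci_batch "${2:-20}" "${3:-192.168.20.1}"
fi
```

On the router, apply with `iot_vlan_uci_batch 20 192.168.20.1 | uci batch && uci commit`, then restart the network and firewall services. Blocking IoT -> trusted needs no explicit rule: with `forward REJECT` and no forwarding section whose `dest` is `lan`, that path is already closed, and conntrack lets replies to trusted-initiated connections back through.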
The Chromecast / AirPlay problem
Chromecast, AirPlay, Sonos, and a handful of other "cast from your phone" devices use mDNS (multicast DNS) to discover each other. mDNS is link-local multicast, so a router does not forward it between VLANs. If you put your Chromecast on the IoT network, your phone on the trusted network cannot see it.
Three options:
1. Run an mDNS reflector. UniFi calls this "Multicast DNS" and it is a single toggle. OpenWRT can run avahi-daemon configured as a reflector. This forwards mDNS announcements between specific VLANs.
2. Put cast devices on the trusted network, accept the risk, and only buy cast devices from vendors with a track record (Apple, Google, Sonos).
3. Make a fourth "media" VLAN, allow trusted -> media on specific ports (5353/udp for mDNS, plus the streaming ports), and keep the cheap IoT junk separate.
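Option 1 on OpenWRT has two parts that are easy to miss: avahi must be told which interfaces to reflect between, and the IoT zone's `input REJECT` must be opened for 5353/udp to the mDNS multicast address, or the reflector on the router never hears the announcements. The discovery step only finds the device; the actual cast session is unicast from the phone, so a trusted -> IoT (or trusted -> media) forward rule limited to the cast ports is still needed, which is what option 3 describes. The script below is an added example, not the article's or the avahi project's code. It assumes OpenWRT's bridge naming (`br-lan` for the trusted network, `br-iot` for a bridged `iot` interface) and the zone names `lan` and `iot`; the `8008-8009` ports in the usage line are Chromecast's cast ports and are given only as an illustration, since each device documents its own.

```shell
#!/bin/sh
# Added example: mDNS reflection between the trusted and IoT VLANs on an
# OpenWrt router running avahi-daemon. Interface names br-lan/br-iot and
# zone names lan/iot are assumptions matching a default OpenWrt layout.

# Emit /etc/avahi/avahi-daemon.conf for a reflector restricted to the
# given comma-separated interfaces. The router publishes nothing itself;
# it only repeats what it hears on one interface onto the others.
avahi_reflector_conf() {
    ifaces="${1:-br-lan,br-iot}"
    cat <<EOF
[server]
use-ipv4=yes
use-ipv6=no
allow-interfaces=${ifaces}
check-response-ttl=no
use-iff-running=no

[publish]
publish-addresses=no
publish-hinfo=no
publish-workstation=no
publish-domain=no

[reflector]
enable-reflector=yes
EOF
}

# Emit a UCI firewall input rule accepting mDNS (5353/udp to 224.0.0.251)
# from zone $1 on the router itself. Needed for any zone whose input
# policy is REJECT; the default 'lan' zone already accepts input.
mdns_input_rule() {
    zone="$1"
    cat <<EOF
set firewall.mdns_${zone}=rule
set firewall.mdns_${zone}.name='Allow-mDNS-${zone}'
set firewall.mdns_${zone}.src='${zone}'
set firewall.mdns_${zone}.proto='udp'
set firewall.mdns_${zone}.src_port='5353'
set firewall.mdns_${zone}.dest_port='5353'
set firewall.mdns_${zone}.dest_ip='224.0.0.251'
set firewall.mdns_${zone}.target='ACCEPT'
EOF
}

# Emit a UCI forwarding rule from zone $1 to zone $2 for protocol $3 on
# port(s) $4 only. Replies ride on conntrack, so no reverse rule is added
# and the IoT zone's own forward policy stays REJECT.
cast_forward_rule() {
    src="$1"; dst="$2"; proto="$3"; ports="$4"
    cat <<EOF
set firewall.fwd_${src}_${dst}=rule
set firewall.fwd_${src}_${dst}.name='Allow-${src}-to-${dst}-cast'
set firewall.fwd_${src}_${dst}.src='${src}'
set firewall.fwd_${src}_${dst}.dest='${dst}'
set firewall.fwd_${src}_${dst}.proto='${proto}'
set firewall.fwd_${src}_${dst}.dest_port='${ports}'
set firewall.fwd_${src}_${dst}.target='ACCEPT'
EOF
}

# Stand-alone use: print everything for review.
if [ "${1:-}" = "show" ]; then
    avahi_reflector_conf br-lan,br-iot
    mdns_input_rule iot
    cast_forward_rule lan iot tcp 8008-8009   # Chromecast ports, illustrative
fi
```

On the router: install the avahi-daemon package, write `avahi_reflector_conf br-lan,br-iot > /etc/avahi/avahi-daemon.conf`, enable and start the avahi-daemon service, then apply `{ mdns_input_rule iot; cast_forward_rule lan iot tcp 8008-8009; } | uci batch && uci commit firewall` and reload the firewall. For the fourth "media" VLAN of option 3, reuse the same three functions with `br-media` and the `media` zone instead of `iot`.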
What if your router does not support VLANs?
Use the Guest Network feature as a poor-man's VLAN. Almost every consumer router has one, and almost every modern implementation includes client isolation. It is not a true VLAN — under the hood it is usually just a bridge with isolation flags — but it gives you the one property that matters: IoT devices cannot reach your laptop.
1. Enable Guest Network in router admin.
2. Set client isolation to ON (it may be called "AP Isolation"; if the option is phrased as "Allow guests to see each other", set that one to OFF).
3. Set "Allow access to local network" to OFF.
4. Use this network for all IoT devices.
5. Accept that you have only two tiers (trusted + guest) instead of three; for most homes that is enough.
Devices to put on IoT regardless of how trusted you think they are
- Anything that came with default credentials (cameras, especially budget brands).
- Anything that has not had a firmware update in 12 months.
- Anything from a vendor that has been acquired, gone bankrupt, or been "sunset."
- Anything that runs Android 7 or older (looking at you, smart TVs).
- Anything you bought for under $30.
Network segregation is the single most cost-effective security improvement you can make for a smart home. It does not stop a determined attacker who already has remote code execution on your camera — but it stops that attacker from pivoting to your laptop, your NAS, and your password manager. Which, in 2026, is the entire game.