VLANs are not the #1 smart home network security solution you are looking for
Network VLAN

Smart home network techie details

If you use the modem/router/Wi-Fi box provided by your Internet Service Provider (ISP) as the sole piece of networking gear in your home, you can probably skip the rest of this.

Don’t feel bad, something like 70% to 80% of all residential home networks are like yours. By the numbers, only a small fraction of homeowners upgrade their network equipment and spend way too much time managing and obsessing over it.

Don’t get me wrong; there are many good reasons to take control of your home network and stop using the stock gear. Just don’t do it for the wrong reasons..

VLANS – The lure of better security

A common topic in geek circles is adding virtual lans (VLANs) to home networks for better security.

I see too many clueless people setting up VLANs purely for bragging rights and boasting how cool (i.e. complicated) their home network setups have become.

There is always the obligatory photo of a rack, shelf, closet, or pile of equipment. Add extra points for hours spent neatly arranging all the wires and cables for visual appeal.

Then there’s the guys with 3D printers that couldn’t resist making custom plastic shelving, mounts, and cable holders.

After all, that $300 to $3000 invested in a printer “has” to be useful for something other than plastic Star Wars figures, right?

Equipment vendors add to the hype. What better way to sell $300 to $1000 routers, switches, firewalls, and other advanced networking gear to replace free or inexpensive boxes then proclaiming it’s the only way to have a truly secure protected home network.

The quick pitch can be very motivating: As you install many smart home products, you will be letting lots of different devices onto your home network that you know very little about.

They could be spying on you, “phoning home” to offshore servers and data centers sending your private data and information to hackers unknown or selling your data to the highest bidder.

The pitch continues: Protect yourself by segregating all these nefarious devices on their own isolated network segment, restrict their access to each other, to other devices on your network like your phone and computer, and keep them from reaching out to the Internet.

VLANs – The magic cure to all these problems is just a credit card payment and express delivery away.

VLAN complexity

Why VLANs are not for most consumers

Used properly, and in conjunction with other hardware and techniques, VLANs can be helpful. Most wanna-be network admins turn to VLANs blindly because they have heard from others or read something online about how important they are but have no understanding of the reality.

Quick history lesson: VLANs were invented to solve a specific problem – reduce network traffic on LANS by breaking networks up into segments (“divide and conquer”) without the performance penalty of using a LAN router.

The method used before VLANs was to have routers with multiple Ethernet ports that moved data between the Ethernet segments. If you physically implemented your network carefully, like putting all workstations on one segment, all servers on another, the natural grouping kept more traffic local to a single segment, reducing overall congestion.

Keep in mind that at this time routers were expensive and complicated devices.

Using a router simply to reduce traffic between groups of devices would be like building a superhighway to connect two small towns. Way overkill, but it did get the job done.

VLANs solved the problem more cost effectively with simpler Ethernet switches instead of actual routers. (For a deeper dive, research online the difference between network bridges, routers, and switches. The boundaries are now blurry, but there are distinct differences that still matter.)

The segmentation is done in hardware/firmware (switching fabric specialized silicon processors) using tags on the packets to identify which virtual segment each packet belonged.

But the ##1 issue that created all the congestion that these methods are used to solve is broadcast traffic versus unicast traffic.

Broadcast traffic is needed for Smart Home devices

Unicast is when one station sends data to only another station. Broadcast is where one station’s packet needs to be sent to every other station on the network.

The multicast DNS protocol (mDNS) is used by many IoT smart home devices including Apple HomeKit, Google Home, Google Chromecast, and Sonos. mDNS, a broadcast protocol, is blocked by VLANs.

VLANs consider these broadcasts a problem and seek to limit their effect by constraining them to local segments. But all these smart home devices need mDNS and broadcast protocols to talk amongst themselves and to work.

When you segment your IoT network, you are blocking the main protocol that is needed for them to work. So you have to enable a hack – an “mDNS repeater” which is a separate processing task that forcefully listens for all broadcast traffic (mDNS) and re-creates it across the VLAN to other segments.

Note that the word “security” has not be used in conjunction with this description and history of VLANs. Security benefits are a side-effect, when configured properly, but not the primary design of VLANs. Routers, Firewalls and other security appliances are still needed for a complete security solution.

Smart home devices

Using VLANs for a smart home network is complicated

VLANs by themselves are very useful. In business or corporate networks, they help isolate network segments from each other reducing broadcast traffic and congestion.

The challenge with home networks is the inherent conflict. VLANs block the very network traffic that most smart home devices need.

These devices need to communicate between themselves and also with your smartphone, laptop, tablet, or desktop computer.

Isolating smart home devices in their own segment blocks you from being able to open the appropriate app on your smartphone and controlling the device.

So to make things work, you have create bypass routes to allow one-way or two-way communications between devices.

If you allow everything to talk to everything, then you have completely negated the reason for creating VLANs. The compromise is to allow only specific devices, such as your own smartphone but not your guests or visitors, to communicate with the lighting dimmers and controls.

Furthermore, you probably will have to create one-way rules too. Allowing the devices to respond back to your smartphone, but not allowing outside devices from the Internet to communicate. But that might prevent getting firmware and software updates, so you have to create exceptions for that too.

Without getting into all the specifics, I hope you can see how adding VLANs requires creating intricate and complex firewall rules, traffic routing, and security exceptions.

They are hard to figure out, hard to get right, and hard to change 6 months later when something stops working or needs adjustment.

Sure, they work for business and corporate networks because they have a staff of full-time Information Technology (IT) analysts and engineers that design and keep a close eye on all of this.

Why does one build a complex, hard to support and maintain infrastructure when there is a simpler alternative?

If you truly need the micro-segmentation of VLANs, then have at it and manage your firewall, traffic rules, and other SDN network overlays to make everything work that you just brute force broke by creating VLANs in the first place.

Intelligent smart home

The Intelligent option

I’m reminded of a famous Dad joke. Patient complains to his physician, “Doctor, my arm hurts whenever I twist it this way. Can you fix it?”

Doctor replies “Just don’t do it!”

The simplest solution to all these security worries is common sense: Don’t use questionable devices. Stick with known products from very well known companies and you can simply avoid VLANs completely.

Instead of that $10 smart dimmer from a company where you can’t even pronounce the name, buy from Lutron, Hue, or other companies with a strong reputation for quality, reliability, and customer service.

Sure, it might cost you $50, or even $100, but what is your own time and frustration worth? If you can buy brand name gear and install it yourself or have it professionally installed and never have to worry about all these security threats, what is that peace of mind worth?

It is really true – you get what you pay for.


Automation technologist and problem solver

Follow Us Around the Web