Designing a Modern Home Network with VLANs, Zones, and Wi-Fi 7

Networking
Wednesday, Dec 17, 2025
TL;DR: A deep dive into a segmented home network built with VLANs, firewall zones, Wi-Fi 7, VPN access, and amateur radio routing.

Overview

In a previous post, I explained why I do not use the ISP-provided modem and router and use my own gear instead. In this article, I will go through my home network design and the decisions behind it.

My home network is designed with production-grade principles: explicit trust boundaries, least-privilege communication, observability, and intentional routing.

At the center of the setup is a Ubiquiti Dream Router 7, providing:

  • Wi-Fi 7 (802.11be)
  • 2.4 GHz, 5 GHz, and 6 GHz radios
  • VLAN-aware routing and switching
  • Zone-based firewall policies
  • Integrated traffic inspection and filtering

Rather than operating a flat LAN, the network is segmented by function, risk, and access pattern, while still remaining practical for day-to-day use.


SSID Strategy (Role-Based & Band-Aware)

The wireless network is exposed through four SSIDs, each mapped to a specific VLAN, trust model, and radio configuration.

1. Personal Devices

This SSID is used for trusted personal hardware such as phones, tablets, and personal computers.

  • Uses 5 GHz and 6 GHz
  • Takes advantage of Wi-Fi 7 features where supported
  • Optimized for performance and low latency

Devices on this network can:

  • Communicate freely with other personal devices
  • Initiate connections to IoT devices
  • Access internal services and the internet

2. Work Devices

The work SSID is intentionally restricted to 5 GHz only.

It is used exclusively for:

  • Work laptops
  • Development machines
  • Local virtual machines

Key characteristics:

  • No 2.4 GHz support (reduces interference and legacy device attachment)
  • Devices can communicate only within the same VLAN
  • Full outbound internet access
  • No access to Personal or IoT networks

This keeps work environments cleanly isolated while still providing stable, high-throughput connectivity.


3. IoT Devices

The IoT SSID is optimized for compatibility and containment.

  • Operates on 2.4 GHz and 5 GHz
  • 2.4 GHz supports low-bandwidth smart devices
  • 5 GHz supports media hubs and smart speakers

Devices such as media streamers and smart speakers live on this network, even though they act as application-level bridges between personal devices and smart-home endpoints.

This allows:

  • Control flows from Personal → IoT
  • Media playback and automation to function normally

while maintaining strict network-level isolation.


4. Guest Network

The guest SSID is fully isolated and hardened.

  • Operates on 2.4 GHz and 5 GHz
  • Band steering enabled, encouraging capable devices to prefer 5 GHz
  • Client isolation enabled
  • Internet access only

Guest devices cannot:

  • See other guest devices
  • Access internal networks
  • Reach router services beyond what is required

Network & VLAN Layout

Each SSID and service maps to a dedicated VLAN and subnet.

Purpose                 Subnet             Notes
Core / Infrastructure   172.21.1.0/24      Router and internal services
Personal                172.21.10.0/24     Trusted personal devices
VPN Clients             172.21.11.0/24     Remote access, treated as Personal
Work                    172.21.20.0/24     Fully isolated work network
IoT                     172.21.30.0/24     Smart home and media devices
Amateur Radio Bridge    172.21.100.0/24    RF and ham radio routing
Guest                   172.21.200.0/24    Isolated guest access

This layout makes routing intent explicit and avoids accidental overlap or trust leakage.

I intentionally moved away from using 192.168.x.x networks, as those are the default for most devices and I did not want any confusion about which network a device should be on.

I also decided not to use 10.x.x.x networks, as those are used by the AREDN network (more on that below).


Firewall Zones & Trust Model

Traffic is governed using zone-based firewalling, which makes policies readable and intentional.

Internal Zone

Includes:

  • Personal
  • Work
  • IoT
  • VPN (treated as Personal)

However, not all internal networks trust each other equally.

Communication Rules

  • Work

    • Can communicate only within its own VLAN
    • Full internet access
    • No access to Personal, IoT, or Amateur Radio networks
  • Personal

    • Full access to Personal devices
    • Can initiate connections to IoT devices
    • Can access Amateur Radio networks
  • IoT

    • Cannot initiate connections to Personal or Work
    • Responds only to established sessions
    • Internet access is monitored and controlled
  • VPN

    • Treated as equivalent to Personal
    • Same access rights and routing behavior
    • Enables secure remote access when away from home

This creates a directional trust model: control flows from trusted devices outward, never inward.
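To make the VLAN table and the communication rules above checkable rather than just readable, here is a small stateful policy model written for this post as an added example; it is not UniFi configuration and not the author's code. It encodes each zone's prefixes (the amateur radio zone also includes the RF-side prefixes that the bridge routes), the "who may initiate to whom" matrix, and reply handling for established sessions, so the directional rule (IoT answers Personal but never initiates towards it) can be asserted over sample flows. Router-local services such as DHCP and DNS are deliberately left out of the model, and sessions are keyed on IP pairs only; both are simplifications.

```python
import ipaddress

# Zone -> prefixes from the post's VLAN table. The "ham" zone also carries the
# RF-side prefixes reached through the bridge (10/8 for AREDN, 44/9 and
# 44.128/10 for AMPRNet), so "Personal can reach amateur radio" covers them.
ZONES = {
    "core":     ["172.21.1.0/24"],
    "personal": ["172.21.10.0/24"],
    "vpn":      ["172.21.11.0/24"],
    "work":     ["172.21.20.0/24"],
    "iot":      ["172.21.30.0/24"],
    "ham":      ["172.21.100.0/24", "10.0.0.0/8", "44.0.0.0/9", "44.128.0.0/10"],
    "guest":    ["172.21.200.0/24"],
}
ZONE_NETS = {z: [ipaddress.ip_network(p) for p in ps] for z, ps in ZONES.items()}

# Directional trust: which zones a source zone may open a NEW connection to.
# "internet" is a pseudo-zone for any address outside the prefixes above.
# Router-local services (DHCP, DNS) are outside this model (simplification).
NEW_CONNECTION_ALLOWED = {
    "personal": {"personal", "vpn", "iot", "ham", "core", "internet"},
    "vpn":      {"personal", "vpn", "iot", "ham", "core", "internet"},  # same as Personal
    "work":     {"work", "internet"},
    "iot":      {"internet"},
    "guest":    {"internet"},   # client isolation: no guest -> guest either
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything unlisted counts as the internet."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONE_NETS.items():
        if any(addr in net for net in nets):
            return zone
    return "internet"


class ZonePolicy:
    """Stateful evaluator: a packet is accepted if it belongs to an already
    accepted session (either direction), or if its source zone is allowed to
    initiate towards its destination zone. Sessions are keyed on IP pairs only."""

    def __init__(self):
        self.sessions = set()

    def evaluate(self, src: str, dst: str) -> str:
        if (src, dst) in self.sessions or (dst, src) in self.sessions:
            return "ACCEPT"                      # established / reply traffic
        if zone_of(dst) in NEW_CONNECTION_ALLOWED.get(zone_of(src), set()):
            self.sessions.add((src, dst))        # remember the accepted session
            return "ACCEPT"
        return "DROP"


def initiators_into(zone: str) -> list:
    """Audit helper: which zones may open connections into `zone`."""
    return sorted(s for s, dsts in NEW_CONNECTION_ALLOWED.items() if zone in dsts)


if __name__ == "__main__":
    fw = ZonePolicy()
    print("Personal -> IoT    ", fw.evaluate("172.21.10.5", "172.21.30.9"))
    print("IoT reply          ", fw.evaluate("172.21.30.9", "172.21.10.5"))
    print("IoT -> new Personal", fw.evaluate("172.21.30.9", "172.21.10.6"))
    print("Work -> AREDN      ", fw.evaluate("172.21.20.4", "10.20.30.40"))
    print("who can reach Personal:", initiators_into("personal"))
```

The audit helper is the part worth keeping around: after any rule change, `initiators_into("personal")` should still return only Personal and VPN, and `initiators_into("work")` only Work; anything else means the directional model has been broken.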


DNS Filtering & Security Services

The network uses UniFi’s CyberSecure service to provide baseline protections at the DNS layer.

This includes:

  • Network-wide ad blocking
  • Blocking known malicious domains
  • Filtering adult content

By handling this at the router level, protections apply consistently across:

  • Wired devices
  • Wireless clients
  • IoT hardware
  • VPN connections

without requiring per-device configuration.


Observability & IoT Traffic Monitoring

IoT devices are treated as untrusted but observable.

Outbound traffic from the IoT network is continuously monitored. If any device begins communicating with unexpected destinations or exhibiting suspicious behavior, firewall rules can be tightened further.

So far:

  • No anomalous traffic patterns
  • No unexpected beaconing
  • No concerning destinations

This approach favors visibility first, rather than blindly blocking or blindly trusting.
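As an added example of what "visibility first" looks like in practice (written for this post, not the author's tooling and not a UniFi feature), the script below runs two simple checks over constructed IoT flow records: a per-device destination baseline, so any new (destination, port) pair after the learning window is reported, and an inter-arrival regularity check, which flags hosts contacted at near-constant intervals, the classic beaconing signature. The flow records, device addresses in 172.21.30.0/24 and the TEST-NET destinations are all constructed; the thresholds (four contacts, coefficient of variation at most 0.1) are assumed starting points to tune.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records (timestamp, src, dst, dport) for the IoT VLAN.
# Destinations are documentation (TEST-NET) addresses, not real hosts.
BASELINE = """\
2025-12-16T09:00:05,172.21.30.12,203.0.113.10,443
2025-12-16T09:07:30,172.21.30.12,203.0.113.10,443
2025-12-16T09:20:02,172.21.30.12,203.0.113.10,443
2025-12-16T09:31:44,172.21.30.12,203.0.113.10,443
2025-12-16T09:01:00,172.21.30.21,198.51.100.5,8883
2025-12-16T09:31:00,172.21.30.21,198.51.100.5,8883
"""

OBSERVED = """\
2025-12-17T10:00:10,172.21.30.12,203.0.113.10,443
2025-12-17T10:02:47,172.21.30.12,203.0.113.10,443
2025-12-17T10:09:03,172.21.30.12,203.0.113.10,443
2025-12-17T10:00:30,172.21.30.21,198.51.100.5,8883
2025-12-17T10:30:30,172.21.30.21,198.51.100.5,8883
2025-12-17T10:00:00,172.21.30.21,192.0.2.77,4444
2025-12-17T10:01:00,172.21.30.21,192.0.2.77,4444
2025-12-17T10:02:00,172.21.30.21,192.0.2.77,4444
2025-12-17T10:03:00,172.21.30.21,192.0.2.77,4444
2025-12-17T10:04:00,172.21.30.21,192.0.2.77,4444
"""


def parse_flows(text):
    """Parse the CSV-style records into (datetime, src, dst, dport) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split(",")
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def build_baseline(flows):
    """Per-device set of (dst, dport) seen during the learning window."""
    baseline = {}
    for _, src, dst, dport in flows:
        baseline.setdefault(src, set()).add((dst, dport))
    return baseline


def new_destinations(flows, baseline):
    """(src, dst, dport) tuples that were never seen in the device's baseline."""
    found = set()
    for _, src, dst, dport in flows:
        if (dst, dport) not in baseline.get(src, set()):
            found.add((src, dst, dport))
    return sorted(found)


def beaconing(flows, min_count=4, max_cv=0.1):
    """(src, dst) pairs contacted at near-constant intervals. A low coefficient
    of variation (stdev / mean) across inter-arrival times is the beacon signature;
    genuinely interactive traffic is far more irregular."""
    times = {}
    for ts, src, dst, _ in flows:
        times.setdefault((src, dst), []).append(ts)
    hits = []
    for pair, stamps in times.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            hits.append(pair)
    return sorted(hits)


if __name__ == "__main__":
    base = build_baseline(parse_flows(BASELINE))
    obs = parse_flows(OBSERVED)
    print("new destinations:", new_destinations(obs, base))
    print("beaconing pairs: ", beaconing(obs))
```

On the constructed data the smart plug at 172.21.30.21 shows up on both checks: a destination and port it never used before, contacted exactly once a minute. The speaker at 172.21.30.12 keeps talking to its usual endpoint at irregular intervals and stays quiet on both reports, which is the point of baselining before blocking.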


Amateur Radio Routing Integration

One unique aspect of the network is its integration with amateur radio infrastructure.

RF Mesh Routing

  • A dedicated subnet acts as a routing bridge to the amateur radio community
  • A MikroTik RouterBOARD hAP serves as the gateway to an RF-based AREDN mesh
  • A static route sends all 10.0.0.0/8 traffic to this router

AMPRNet (44/8) Connectivity

  • A Raspberry Pi maintains tunnels into the AMPRNet
  • Routes are advertised for:
    • 44.0.0.0/9
    • 44.128.0.0/10

This allows devices on the Personal and VPN networks to reach amateur radio networks transparently — even when I’m away from home.

From a routing perspective, RF networks are simply another reachable domain, not a special-case setup.
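Because the amateur radio prefixes are handled purely by routing, the behaviour is easy to model. The example below is added here and is not the router's configuration: a longest-prefix-match lookup over the routes the post describes, with the bridge subnet's next-hop addresses (172.21.100.2 for the MikroTik hAP, 172.21.100.3 for the Raspberry Pi) as assumed placeholders, since the post does not give them. The two AMPRNet prefixes together span 44.0.0.0 to 44.191.255.255; 44.192.0.0/10 is no longer part of AMPRNet, so the example also computes which part of 44/8 falls through to the default route.

```python
import ipaddress

# Routing table modelled on the post. Next-hop addresses inside 172.21.100.0/24
# are assumed placeholders; "connected" marks directly attached VLANs.
ROUTES = [
    ("0.0.0.0/0",       "isp-uplink"),
    ("172.21.10.0/24",  "connected"),
    ("172.21.11.0/24",  "connected"),
    ("172.21.100.0/24", "connected"),
    ("10.0.0.0/8",      "172.21.100.2"),   # MikroTik hAP -> AREDN mesh (assumed address)
    ("44.0.0.0/9",      "172.21.100.3"),   # Raspberry Pi AMPRNet tunnels (assumed address)
    ("44.128.0.0/10",   "172.21.100.3"),
]
TABLE = [(ipaddress.ip_network(p), nh) for p, nh in ROUTES]


def lookup(dst: str):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in TABLE if addr in r[0]), key=lambda r: r[0].prefixlen)
    return str(best[0]), best[1]


def uncovered(parent: str = "44.0.0.0/8"):
    """Sub-ranges of `parent` that no specific route covers (they hit the default)."""
    parent_net = ipaddress.ip_network(parent)
    remaining = [parent_net]
    for net, _ in TABLE:
        if not net.subnet_of(parent_net):
            continue
        nxt = []
        for r in remaining:
            if net.subnet_of(r):
                nxt.extend(r.address_exclude(net))   # carve the route out of r
            elif not r.subnet_of(net):
                nxt.append(r)                         # untouched by this route
        remaining = nxt
    return sorted(str(n) for n in remaining)


if __name__ == "__main__":
    for dst in ("10.54.3.1", "44.12.1.1", "44.150.1.1", "44.200.1.1", "172.21.100.9"):
        print(dst, "->", lookup(dst))
    print("44/8 not covered by AMPRNet routes:", uncovered())
```

Running the lookups shows the "just another routed domain" claim concretely: an AREDN address goes to the hAP, an AMPRNet address goes to the Pi, the bridge VLAN itself stays connected, and 44.200.1.1 leaves via the ISP like any other internet host.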


Why This Design Works

This architecture succeeds because:

  • SSIDs encode intent, not convenience
  • VLANs enforce hard trust boundaries
  • Firewall zones make policies readable
  • Wi-Fi 7 is applied selectively and intentionally
  • VPN access behaves exactly like being on-site
  • Amateur radio networks are first-class routed peers

Every packet has a clear, intentional path.


Final Thoughts

This isn’t an enterprise network — but it borrows enterprise and carrier-grade ideas where they make sense.

By combining:

  • Role-based SSIDs
  • Band-aware wireless design
  • Directional trust models
  • Zone-based firewalling
  • VPN equivalence
  • RF and IP routing integration

A home network can be secure, fast, observable, and genuinely interesting — without becoming fragile or opaque.