Homelab Network Architecture — VLANs, OpenWrt, and a Managed Switch
The problem
When the homelab was just a Raspberry Pi, everything sat on the same flat network — my gaming PC, phones, TV, and all the homelab services. That’s fine until you start running things like Frigate NVR, Pi-hole DNS, and a dozen Docker containers. One misconfigured service and suddenly your gaming session is lagging because Jellyfin is saturating the network with a transcode.
The fix: VLANs. Separate the homelab into its own isolated network segment, with controlled routing between them.
The gear
| Device | Role |
|---|---|
| ISP Router | Internet uplink, DHCP for VLAN 1 |
| TP-Link TL-SG108E (8-port) | Managed switch handling VLAN tagging |
| OpenWrt Router | Routes between VLAN 1 and VLAN 2, firewall, DHCP for homelab |
| Proxmox (Lenovo ThinkCentre) | Hypervisor on the homelab VLAN |
| Raspberry Pi | Services on the homelab VLAN |
| Old Laptop | Services on the homelab VLAN |
Network topology
```text
Internet
  │
  ▼
ISP Router (192.168.0.1)
  │
  ▼
TP-Link TL-SG108E (Managed Switch)
  │
  ├── VLAN 1: Management Network (192.168.0.0/24)
  │     ├── Gaming PC
  │     └── OpenWrt Router (eth0 — WAN side)
  │
  └── VLAN 2: Homelab Network (192.168.1.0/24)
        ├── OpenWrt Router (eth1 — LAN side, gateway)
        ├── Proxmox (Lenovo ThinkCentre)
        ├── Old Laptop
        ├── Raspberry Pi
        ├── TV, phones, other devices
        └── NAS
```
The key idea: the OpenWrt router routes between the two VLANs (it is a router, not a bridge, so the two broadcast domains stay separate). Its eth0 sits on VLAN 1 (gets internet from the ISP router), and eth1 sits on VLAN 2 (serves as the gateway for all homelab devices). This gives the homelab its own subnet, DHCP server, firewall rules, and DNS, on a segment separate from the management network, with the OpenWrt firewall deciding what crosses between them.
Switch port assignments
The TP-Link TL-SG108E is a cheap managed switch (~₹2,500) that supports 802.1Q VLAN tagging. Here’s how the ports are assigned:
| Port | VLAN | Device |
|---|---|---|
| 0 | VLAN 1 | WAN from ISP Router |
| 1 | VLAN 1 | Gaming PC |
| 2 | VLAN 1 | OpenWrt Router (eth0) |
| 3 | VLAN 2 | OpenWrt Router (eth1) |
| 4 | VLAN 2 | Proxmox (Lenovo ThinkCentre) |
| 5 | VLAN 2 | Old Laptop |
| 6 | VLAN 2 | NAS |
Ports 0–2 carry VLAN 1 (management) traffic. Ports 3–6 carry VLAN 2 (homelab) traffic. The OpenWrt router has a foot in both VLANs, which is what makes the routing work.
Why two VLANs?
VLAN 1 — Management Network
This is the “normal” home network. The ISP router handles DHCP and internet. The gaming PC lives here because it needs low-latency, direct internet access without going through an extra hop. Double NAT restricts peer-to-peer connectivity, frequently resulting in strict NAT types and matchmaking errors in online games.
VLAN 2 — Homelab Network
All homelab infrastructure lives here — Proxmox, the Pi, the laptop, and every Docker service. The OpenWrt router is the gateway, running:
- DHCP — assigns IPs to all homelab devices
- DNS — forwards to Pi-hole for ad blocking
- Firewall — controls what can talk to what
- NAT — masquerades homelab traffic to reach the internet via VLAN 1
This means even if a homelab service goes haywire, it can’t touch the gaming PC or flood the management network.
OpenWrt router config highlights
The OpenWrt router is the brain of this setup. Key configuration:
Network interfaces
```
# /etc/config/network
# WAN side: eth0 is the port on VLAN 1, addressed by the ISP router's DHCP
config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

# LAN side: eth1 is the port on VLAN 2 and is the homelab's default gateway
config interface 'lan'
	option device 'eth1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
```
- eth0 (VLAN 1) → gets an IP from the ISP router via DHCP
- eth1 (VLAN 2) → static IP 192.168.1.1, acts as the homelab gateway
DHCP for the homelab
```
# /etc/config/dhcp
config dhcp 'lan'
	option interface 'lan'
	# pool = network address + start, for 'limit' addresses: 192.168.1.100 to 192.168.1.249
	option start '100'
	option limit '150'
	option leasetime '12h'
	# Pi-hole DNS (DHCP option 6). UCI does not accept trailing comments on a
	# list/option line, so the comment has to sit on its own line like this.
	list dhcp_option '6,192.168.1.2,192.168.1.3'
```
The dhcp_option 6 line pushes the two Pi-hole instances as DNS servers to every device on the homelab VLAN. Ad blocking everywhere, automatically.
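As an added example (not code from the post), the arithmetic behind `start`/`limit` and a check that the fixed addresses the post relies on (gateway .1, Pi-holes .2 and .3, which are also the option 6 servers) stay outside the dynamic pool. The NAS address is an assumed value, deliberately placed inside the pool, to show what a collision report looks like; the encoder shows the bytes dnsmasq actually puts on the wire for option 6.

```python
import ipaddress
import struct

# Values taken from this post's /etc/config/network and /etc/config/dhcp.
LAN_NETWORK = ipaddress.ip_network("192.168.1.0/24")
DHCP_START = 100                                # option start: offset from the network address
DHCP_LIMIT = 150                                # option limit: number of leases in the pool
DHCP_OPTION_6 = "6,192.168.1.2,192.168.1.3"     # list dhcp_option: Pi-hole DNS servers

# Constructed table of hosts with fixed addresses on the homelab VLAN. The gateway and
# both Pi-holes come from the post; the NAS address is an assumption, chosen inside
# the pool on purpose so the check below has something to report.
STATIC_HOSTS = {
    "openwrt-gateway": "192.168.1.1",
    "pihole-1": "192.168.1.2",
    "pihole-2": "192.168.1.3",
    "nas (assumed)": "192.168.1.120",
}


def dhcp_pool(network, start, limit):
    """Return (first, last) lease address the way OpenWrt's dnsmasq derives them:
    first = network address + start, last = first + limit - 1. Raises if the pool
    would spill past the broadcast address or start at the network address."""
    first = network.network_address + start
    last = first + limit - 1
    if first <= network.network_address or last >= network.broadcast_address:
        raise ValueError(f"pool {first}-{last} does not fit inside {network}")
    return first, last


def parse_dns_option(value):
    """Parse a dnsmasq-style 'code,addr,addr' dhcp_option into (code, [addresses])."""
    code, *addrs = value.split(",")
    return int(code), [ipaddress.ip_address(a) for a in addrs]


def encode_dns_option(addresses):
    """DHCP option 6 on the wire: code byte, length byte, then 4 bytes per IPv4 server."""
    payload = b"".join(a.packed for a in addresses)
    return struct.pack("BB", 6, len(payload)) + payload


def pool_conflicts(network, start, limit, static_hosts, dns_option):
    """List every fixed address (static hosts and the pushed DNS servers) that the
    dynamic pool could also hand out, or that is not on the LAN subnet at all."""
    first, last = dhcp_pool(network, start, limit)
    code, dns_servers = parse_dns_option(dns_option)
    candidates = dict(static_hosts)
    for i, server in enumerate(dns_servers, 1):
        candidates[f"dns-server-{i} (option {code})"] = str(server)
    problems = []
    for name, addr in candidates.items():
        ip = ipaddress.ip_address(addr)
        if ip not in network:
            problems.append(f"{name} {ip} is not inside {network}")
        elif first <= ip <= last:
            problems.append(f"{name} {ip} lies inside the dynamic pool {first}-{last}")
    return problems


if __name__ == "__main__":
    first, last = dhcp_pool(LAN_NETWORK, DHCP_START, DHCP_LIMIT)
    print(f"dynamic pool: {first} - {last}")
    print("option 6 bytes:", encode_dns_option(parse_dns_option(DHCP_OPTION_6)[1]).hex())
    for problem in pool_conflicts(LAN_NETWORK, DHCP_START, DHCP_LIMIT, STATIC_HOSTS, DHCP_OPTION_6):
        print("CONFLICT:", problem)
```

With the post's values the pool is 192.168.1.100 to 192.168.1.249, so the gateway and both Pi-holes are safe; only the assumed NAS address is flagged. Anything a client needs to find reliably (DNS, gateway, NAS) should either sit below `start` or be pinned with a `config host` static lease.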
Firewall rules
```
# /etc/config/firewall
config zone
	option name 'wan'
	# bind the zone to the 'wan' interface from /etc/config/network;
	# without a network binding the zone matches no traffic at all
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# allow new connections from the homelab zone out through the WAN zone
config forwarding
	option src 'lan'
	option dest 'wan'
```
Simple and effective:
- Homelab devices can reach the internet (LAN → WAN forwarding with masquerade). The same forwarding also lets them initiate connections to hosts on VLAN 1, so the isolation is one-way unless you add a rule rejecting traffic to 192.168.0.0/24.
- Nothing from VLAN 1 can initiate connections into the homelab (no WAN → LAN forwarding, and the WAN zone's input policy is REJECT)
- Homelab devices can talk to each other freely
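To see what the zone and forwarding entries actually permit, here is an added example (not code from the post or from OpenWrt) that reads a copy of the firewall config above with a minimal UCI parser and evaluates a few flows under a simplified model of fw4's forwarding decision: explicit `config rule` entries first, then `config forwarding` pairs, then the zone's own `forward` policy for same-zone traffic. The `HARDENING_RULE` section, the host addresses in `FLOWS` and the public address 203.0.113.9 are assumptions; the rule is shown so the one-way nature of the isolation is visible next to a version that closes it.

```python
import ipaddress

# Constructed copy of this post's /etc/config/firewall, with the zone-to-network
# bindings (list network ...) that fw4 needs to attach each zone to an interface.
FIREWALL_AS_POSTED = """
config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config forwarding
    option src 'lan'
    option dest 'wan'
"""

# Assumed addition (not on the page): reject new connections from the homelab zone
# to the management subnet while leaving internet access through VLAN 1 untouched.
HARDENING_RULE = """
config rule
    option name 'reject-homelab-to-management'
    option src 'lan'
    option dest 'wan'
    option dest_ip '192.168.0.0/24'
    option proto 'all'
    option target 'REJECT'
"""


def parse_uci(text):
    """Minimal UCI reader: returns [(section_type, options)], where a repeated
    'list' key becomes a Python list. Only whole-line '#' comments are skipped."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, key, *rest = line.split(None, 2)
        value = rest[0].strip("'\"") if rest else ""
        if kind == "config":
            current = (key, {})
            sections.append(current)
        elif kind == "option" and current is not None:
            current[1][key] = value
        elif kind == "list" and current is not None:
            current[1].setdefault(key, []).append(value)
    return sections


def new_connection_allowed(sections, src_zone, dst_zone, dst_ip):
    """Simplified fw4 decision for a NEW connection being forwarded by the router:
    1. 'config rule' entries for this zone pair, first match on dest_ip wins;
    2. otherwise cross-zone traffic needs a matching 'config forwarding' entry;
    3. otherwise same-zone traffic follows that zone's 'forward' policy (hosts on
       one L2 segment are switched and never reach the router, so this only matters
       when a zone holds several networks)."""
    ip = ipaddress.ip_address(dst_ip)
    for kind, opts in sections:
        if kind != "rule" or opts.get("src") != src_zone or opts.get("dest") != dst_zone:
            continue
        dest_net = opts.get("dest_ip")
        if dest_net is None or ip in ipaddress.ip_network(dest_net, strict=False):
            return opts.get("target", "DROP").upper() == "ACCEPT"
    if src_zone != dst_zone:
        return any(k == "forwarding" and o.get("src") == src_zone and o.get("dest") == dst_zone
                   for k, o in sections)
    zone = next(o for k, o in sections if k == "zone" and o.get("name") == src_zone)
    return zone.get("forward", "DROP").upper() == "ACCEPT"


# Constructed flows for this topology; the host addresses are assumptions.
FLOWS = {
    "homelab -> internet": ("lan", "wan", "203.0.113.9"),
    "homelab -> management host": ("lan", "wan", "192.168.0.10"),
    "management -> homelab host": ("wan", "lan", "192.168.1.50"),
    "homelab -> homelab host": ("lan", "lan", "192.168.1.60"),
}


def policy_matrix(uci_text):
    """Map each flow name to True (allowed) or False (blocked) under the given config."""
    sections = parse_uci(uci_text)
    return {name: new_connection_allowed(sections, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, text in (("as posted", FIREWALL_AS_POSTED),
                        ("with reject rule", FIREWALL_AS_POSTED + HARDENING_RULE)):
        print(label, policy_matrix(text))
```

As posted, "homelab -> management host" comes back allowed, which is exactly the gap a compromised container would use to reach the gaming PC; with the rule appended it is rejected while internet access stays open. If Pi-hole forwards DNS upstream to the ISP router (192.168.0.1), add an `option dest_ip` exemption or an earlier ACCEPT rule for that one address before enabling the reject.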
How Tailscale fits in
Tailscale runs on key homelab nodes and advertises subnet routes for 192.168.1.0/24. This means when I’m away from home, my phone and laptop can access every homelab service as if they were on the local network — Grafana dashboards, Jellyfin streaming, Joplin sync, everything.
```shell
# On the Pi (or any node with subnet routing). The kernel has to forward
# packets for the advertised route, so turn on IP forwarding first.
sudo sysctl -w net.ipv4.ip_forward=1
sudo tailscale up --advertise-routes=192.168.1.0/24 --accept-routes
# The advertised route then needs a one-time approval in the Tailscale admin console.
```
Security summary
| Layer | What |
|---|---|
| Network segmentation | VLAN 1 (management) isolated from VLAN 2 (homelab) |
| Firewall | OpenWrt firewall blocks unsolicited inbound traffic |
| DNS filtering | Pi-hole (×2) blocks ads, trackers, and telemetry |
| Remote access | Tailscale VPN — no exposed ports to the internet |
| Updates | Regular apt upgrade and Docker image pulls |
Was it worth it?
Absolutely. The total hardware cost was just the TP-Link switch (~₹2,500) since the OpenWrt router was already running. The benefits:
- No more cross-talk — homelab traffic doesn’t touch the gaming PC
- Easy debugging — if something breaks, I know which VLAN to look at
- Better security — compromised containers can’t reach the management network
- Clean DHCP — separate IP ranges, no conflicts, no surprises
If you’re running more than a couple of services on your homelab, VLAN segmentation is one of the best upgrades you can make.
See also: Hardware overview · Running services