Home Network Security: VLANs, Pi-hole, and Secure Remote Access Setup

Your home network is only as secure as its weakest link. Smart TVs, IoT devices, and guest users can expose your entire network to threats. This guide covers three essential layers of home network security: network segmentation with VLANs, DNS-level ad blocking with Pi-hole, and zero-config remote access with Tailscale.

Why Network Security Matters

Consider what's on your home network:

• Personal computers with banking and sensitive data
• Work laptops with corporate access
• Smart home devices (cameras, locks, thermostats)
• Smart TVs that phone home constantly
• Guest devices from friends and family

One compromised IoT device can lead to data theft, crypto mining, or a gateway for attacks on your more sensitive devices.

Layer 1: Network Segmentation with VLANs

VLANs (Virtual Local Area Networks) let you create logical network separations. A device on one VLAN can't directly access devices on another without explicit rules.

Recommended VLAN Structure

VLAN	Purpose	Devices	Priority
1 (Default)	Main network	Personal devices, phones, laptops	High
10	IoT/Smart Home	Smart bulbs, plugs, sensors	Medium
20	Guests	Guest devices, IoT for others	Low
30	Servers	Home server, NAS, media servers	High

Hardware Requirements

You'll need a managed switch that supports VLANs:

• Budget: TP-Link TL-SG108E (8-port, ~$30)
• Recommended: NETGEAR GS108Tv2 (8-port, ~$50)
• Pro: UniFi Switch 8 (PoE, ~$150)

VLAN Configuration Example

# Example on a TP-Link managed switch
# Create VLANs
vlan 10 create
vlan 20 create
vlan 30 create

# Assign ports to VLANs
# Port 1-2: Main network (VLAN 1)
# Port 3-4: IoT devices (VLAN 10)
# Port 5-6: Guest network (VLAN 20)
# Port 7-8: Server network (VLAN 30)

vlan 1 add port 1-2 untagged
vlan 10 add port 3-4 untagged
vlan 20 add port 5-6 untagged
vlan 30 add port 7-8 untagged

Router Configuration

On your router (assuming OpenWrt):

# Create interface for IoT VLAN
config interface 'iot'
    option device 'eth0.10'
    option proto 'static'
    option ipaddr '192.168.10.1'
    option netmask '255.255.255.0'

# Create interface for Guest VLAN
config interface 'guest'
    option device 'eth0.20'
    option proto 'static'
    option ipaddr '192.168.20.1'
    option netmask '255.255.255.0'

# Create interface for Server VLAN
config interface 'servers'
    option device 'eth0.30'
    option proto 'static'
    option ipaddr '192.168.30.1'
    option netmask '255.255.255.0'

# Firewall zones
config zone
    option name 'iot'
    list network 'iot'
    input 'reject'
    output 'accept'
    forward 'reject'

config zone
    option name 'guest'
    list network 'guest'
    input 'reject'
    output 'accept'
    forward 'reject'

Layer 2: Pi-hole DNS Filtering

Pi-hole acts as a DNS sinkhole, blocking queries to known malicious and advertising domains at the network level.

What Pi-hole Blocks

• Advertising domains (ads, trackers)
• Telemetry domains from smart devices
• Known malware and phishing domains
• Custom blocklists for specific threats

Docker Setup (Recommended)

version: "3.8"
services:
  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    hostname: pihole
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp"
      - "8080:80/tcp"
      - "8443:443/tcp"
    environment:
      - TZ=America/New_York
      - WEBPASSWORD=your-secure-password
      - DNSMASQ_LISTEN=local
    volumes:
      - ./etc-pihole:/etc/pihole
      - ./etc-dnsmasq.d:/etc/dnsmasq.d
    restart: unless-stopped
    network_mode: host

Essential Blocklists

Add these to your Pi-hole blocklists:

# Steven Black's unified hosts (ads + malware + fake news + social)
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

# OISD Big
https://big.oisd.nl

# AdGuard DNS filter
https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt

# IoT specific (block smart TV telemetry)
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt

Pi-hole as DHCP Server

For full control, let Pi-hole handle DHCP instead of your router:

# In Pi-hole Web UI > Settings > DHCP
# Enable DHCP server
# Range: 192.168.1.100 - 192.168.1.250
# Router: 192.168.1.1
# Domain: local

Layer 3: Secure Remote Access with Tailscale

Tailscale creates a WireGuard-based mesh VPN that "just works." No port forwarding, no dynamic DNS, no configuring NAT traversal.

Why Not Port Forwarding?

• Every open port is an attack surface
• ISP NAT and CGNAT makes it impossible in many cases
• Dynamic IPs require DNS updates
• No easy way to give guests temporary access

Tailscale Setup

# Install on your home server
curl -fsSL https://tailscale.com/install.sh | sh

# Connect to your tailnet
sudo tailscale up

# Authenticate via the URL provided

# Access your server from anywhere
# On your laptop/phone, install Tailscale and log in
# Now you can access: ssh user@hostname.tailnet.tsd.net

Accessing Services

# Instead of http://192.168.30.10:8080
# Access via https://home-server.tailnet.tsd.net

# With a custom domain, use Tailscale Funnel
tailscale serve --bg
tailscale funnel 443

Exit Nodes (Access LAN from anywhere)

# On your home server, enable exit node
sudo tailscale set --exit-node

# On your laptop, route traffic through home network
tailscale up --exit-node=home-server

MagicDNS: Access by Name

Once connected, access any device by name:

ssh server@home-server.tailnet.tsd.net
# or
ssh server@home-server            # MagicDNS resolves this

Complete Security Stack

Here's how all three layers work together:

1. VLANs: Isolate IoT and guest devices from your main network
2. Pi-hole: Block ads, trackers, and malware at DNS level
3. Tailscale: Securely access your network without opening ports

Router Recommendations for VLANs

• Easiest: UniFi Dream Machine Pro (built-in VLAN support)
• Open Source: Any router running OpenWrt
• Mesh: eero Pro 6 (basic VLAN support in settings)
• Budget: GLinet routers (pre-flashed with OpenWrt)

Monitoring Your Network

After setting up these security layers, monitor what's happening:

• Pi-hole Web UI: Query logs, top blocked domains
• Tailscale Admin: See connected devices, activity logs
• UniFi Network: Traffic monitoring, device activity

Next Steps

Ready to implement these? Here's the order:

1. Set up Pi-hole first (easiest, immediate benefit)
2. Add Tailscale to your devices (start with your phone and laptop)
3. Upgrade to a managed switch for VLANs (if needed)

For more on self-hosting services securely, see our Ubuntu Home Server Setup Guide.