
How to Set Up VLANs to Separate Guest, IoT, and Office Networks

A practical VLAN plan for small business — separating staff, guests, IoT devices, and cameras without expensive enterprise gear or networking degrees.

J.D. Sweeney, May 27, 2026

If your small business is running everything — staff laptops, the guest Wi-Fi, the smart thermostat, four IP cameras, a POS terminal, and a printer — on one flat network, you have a problem you cannot see yet. The day a guest brings in a compromised laptop, the day an IoT device gets pulled into a botnet, or the day a camera firmware vulnerability gets exploited, your whole network is exposed.

The fix is VLANs (Virtual LANs). They sound enterprise. They are not. With a managed switch and a router that supports them, a competent person can segment a small business network in an afternoon and meaningfully reduce risk.


What a VLAN Actually Does

A VLAN takes a single physical network and slices it into multiple logical networks that cannot talk to each other unless you explicitly allow it. Each VLAN gets its own subnet, its own DHCP scope, and its own firewall rules.

Practically, that means:

  • The guest on your Wi-Fi cannot see your file server
  • The cheap IP camera cannot probe ports on your POS system
  • A compromised IoT thermostat cannot scan your laptop for SMB shares
  • The HVAC contractor’s tablet on guest Wi-Fi cannot reach your printer

VLANs do not eliminate threats — they limit the blast radius. A device that gets compromised on the IoT VLAN can still attack other devices on the IoT VLAN, but it cannot pivot to your business systems.


What You Need

  • A managed or smart-managed switch that supports 802.1Q VLAN tagging (most TP-Link Omada, UniFi, MikroTik, Netgear ProSafe, and Cisco SG350-series switches do)
  • A router or firewall that supports VLANs — UniFi Cloud Gateways, MikroTik, pfSense, OPNsense, or business-grade Synology routers all qualify; most consumer routers do not
  • Wi-Fi access points that support multiple SSIDs each tied to a VLAN — UniFi U6/U7, TP-Link Omada EAP, Aruba Instant On, and Ubiquiti Dream Machines all do this
  • A few hours and a willingness to label cables

You do not need a server, an MSP contract, or anything you would call “enterprise.” A UniFi Cloud Gateway, a 24-port managed switch, and two access points will run all of this for under $1,200.


A Sensible Small Business VLAN Plan

Do not over-engineer this. Four to five VLANs covers nearly every small business cleanly:

VLAN ID      Name         Subnet             Purpose
1 (native)   Management   192.168.1.0/24     Switches, APs, router admin only
10           Office       192.168.10.0/24    Staff laptops, desktops, file server
20           POS          192.168.20.0/24    Point of sale, payment terminals
30           IoT          192.168.30.0/24    Cameras, smart plugs, thermostats, printers
40           Guest        192.168.40.0/24    Customer and visitor Wi-Fi

The Management VLAN is for the network gear itself. Keep it on its own subnet so a compromised user device cannot reach the switch’s admin interface.

For very small setups you can combine POS into Office, but if you take card payments, keeping them separate makes PCI compliance dramatically easier.


Step 1: Plan Your Inter-VLAN Rules Before You Build

The default behavior for most routers is “VLANs cannot reach each other.” That is what you want as a starting point. Then add exceptions explicitly.

A reasonable rule set:

  • Office → IoT: allow (so staff can manage the printer and cameras)
  • Office → POS: deny (staff laptops should not reach payment terminals)
  • IoT → Office: deny
  • IoT → IoT: allow (some smart home stuff needs peer discovery)
  • Guest → anything internal: deny
  • Guest → internet: allow
  • POS → internet (specific endpoints only): allow
  • POS → Office: deny
  • Management → all: allow (you need to administer everything)
  • All → Management: deny

Write this down before you start clicking. It is much faster to implement a plan than to invent rules as you discover what is broken.


Step 2: Configure the Switch

On a managed switch, VLAN configuration has three pieces:

  1. Create the VLANs by ID and name in the switch’s VLAN table
  2. Tag the uplink to the router/firewall as a trunk port that carries all VLANs
  3. Assign each access port to a single VLAN as an “untagged” or “access” port

For example, on a 24-port switch:

  • Port 1 → trunk (uplink to router): tagged 10, 20, 30, 40, native 1
  • Ports 2–10 → access port, untagged VLAN 10 (Office desks)
  • Ports 11–14 → access port, untagged VLAN 20 (POS terminals)
  • Ports 15–18 → access port, untagged VLAN 30 (printer, cameras)
  • Ports 19–24 → trunk (uplink to APs): tagged 10, 20, 30, 40, native 1

The “native VLAN” carries untagged traffic. Keep it on the Management VLAN if your gear supports it, and never put a user device on the native VLAN.
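As an added example (not configuration from the article), here is the 24-port plan above rendered as Cisco IOS-style switch configuration, with the article's "no user device on the native VLAN" rule enforced at render time. The interface naming (GigabitEthernet1/0/N) and exact switchport syntax are assumptions for a Catalyst-style CLI; check them against your own switch's manual.

```python
# Added example: the article's 24-port plan rendered as Cisco IOS-style
# switch configuration. Interface names (GigabitEthernet1/0/N) and the
# exact switchport syntax are assumptions for a Catalyst-style CLI.

VLANS = {1: "Management", 10: "Office", 20: "POS", 30: "IoT", 40: "Guest"}
NATIVE = 1                       # untagged traffic on a trunk lands here
TRUNK_TAGGED = [10, 20, 30, 40]  # user VLANs ride the uplinks tagged

# (first_port, last_port, mode, untagged_vlan_or_None, description)
PORT_PLAN = [
    (1, 1, "trunk", None, "Uplink to router"),
    (2, 10, "access", 10, "Office desks"),
    (11, 14, "access", 20, "POS terminals"),
    (15, 18, "access", 30, "Printer and cameras"),
    (19, 24, "trunk", None, "Uplinks to APs"),
]


def render_switch_config(vlans=VLANS, plan=PORT_PLAN, native=NATIVE,
                         tagged=TRUNK_TAGGED):
    """Return the switch configuration as a list of CLI lines."""
    lines = []
    for vid, name in sorted(vlans.items()):          # piece 1: VLAN table
        lines += [f"vlan {vid}", f" name {name}", "!"]
    allowed = ",".join(str(v) for v in sorted({native, *tagged}))
    for first, last, mode, vlan, desc in plan:
        if first == last:
            lines.append(f"interface GigabitEthernet1/0/{first}")
        else:
            lines.append(f"interface range GigabitEthernet1/0/{first} - {last}")
        lines.append(f" description {desc}")
        if mode == "access":                         # piece 3: access ports
            if vlan == native:   # the article's rule: no user device on native
                raise ValueError(f"ports {first}-{last}: user devices must not sit on the native VLAN")
            lines += [" switchport mode access", f" switchport access vlan {vlan}"]
        else:                                        # piece 2: trunk ports
            lines += [" switchport mode trunk",
                      f" switchport trunk native vlan {native}",
                      f" switchport trunk allowed vlan {allowed}"]
        lines.append("!")
    return lines


if __name__ == "__main__":
    print("\n".join(render_switch_config()))
```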


Step 3: Configure the Router/Firewall

On the router, each VLAN needs:

  • An interface (often named vlan10, vlan20, etc., on the trunk port to the switch)
  • A subnet and a gateway IP
  • A DHCP scope handing out addresses on that subnet
  • Firewall rules implementing your inter-VLAN policy

On a UniFi Cloud Gateway, this is mostly point-and-click under Settings → Networks. On pfSense or OPNsense, you create VLAN interfaces under Interfaces → Assignments, then add firewall rules per interface. The principle is the same regardless of gear.

Critical rule to add first: block all inter-VLAN traffic except what you explicitly allow. Some platforms call this an implicit deny; others require you to add an explicit “block all” rule at the bottom of each interface’s rule set.
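To show what "block all, then allow explicitly" looks like as real firewall configuration, here is the Step 1 rule set rendered into an nftables forward chain for a Linux router with one 802.1Q sub-interface per VLAN. This is an added example, not configuration from the article or from any of the products it names; the interface names (vlan1, vlan10, wan0) are assumptions and the POS endpoint addresses are placeholders.

```python
# Added example: the Step 1 policy as data, rendered into an nftables forward
# chain for a Linux router with one 802.1Q sub-interface per VLAN. Interface
# names and the POS endpoints are assumptions; 203.0.113.x are placeholders.

IFACE = {"Management": "vlan1", "Office": "vlan10", "POS": "vlan20",
         "IoT": "vlan30", "Guest": "vlan40", "internet": "wan0"}

# (source VLAN, destination, extra match, comment). Anything not listed is
# dropped by the chain policy, the "block all" rule the article says to add
# first, so the deny lines of Step 1 need no rules of their own.
ALLOW = [
    ("Management", "*", "", "Management -> all"),
    ("Office", "IoT", "", "Office -> IoT (printer, cameras)"),
    ("Office", "internet", "", "Office -> internet (implied by the article)"),
    ("Guest", "internet", "", "Guest -> internet only"),
    ("POS", "internet", "ip daddr @pos_endpoints", "POS -> payment endpoints"),
]
POS_ENDPOINTS = ["203.0.113.10", "203.0.113.11"]   # placeholder addresses


def render_nft(allow=ALLOW, iface=IFACE, pos_endpoints=POS_ENDPOINTS):
    """Return a complete nftables ruleset (load it with `nft -f file`)."""
    # Return traffic for flows already allowed; keeps every allow one-way.
    # IoT -> IoT never crosses the router (same L2 segment), so no rule.
    rules = ["ct state established,related accept", "ct state invalid drop"]
    for src, dst, extra, comment in allow:
        match = f'iifname "{iface[src]}"'
        if dst != "*":
            match += f' oifname "{iface[dst]}"'
        if extra:
            match += f" {extra}"
        rules.append(f'{match} accept comment "{comment}"')
    # Log what the policy drops, so the Step 5 tests leave a trace
    rules.append('counter log prefix "vlan-denied: " drop')
    return "\n".join([
        "table inet vlan_policy {",
        "    set pos_endpoints {",
        "        type ipv4_addr",
        f"        elements = {{ {', '.join(pos_endpoints)} }}",
        "    }",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        *(f"        {r}" for r in rules),
        "    }", "}", "",
    ])


if __name__ == "__main__":
    print(render_nft())
```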


Step 4: Configure Wireless

Create one SSID per VLAN that needs wireless:

  • Office Wi-Fi → tagged to VLAN 10, WPA3 or WPA2-Enterprise with RADIUS if you have it
  • IoT Wi-Fi → tagged to VLAN 30, WPA2 PSK with a complex shared password; leave client isolation off if devices need to talk to each other
  • Guest Wi-Fi → tagged to VLAN 40, WPA2 PSK or open with a captive portal; enable client isolation so guests cannot see each other’s devices

Most prosumer APs let you broadcast multiple SSIDs from the same radio. You do not need separate hardware for each.

For the IoT SSID specifically, consider running it on the 2.4 GHz band only. Many IoT devices only support 2.4 GHz, and confining them there cuts down on confusion. The flip side: if you have IoT devices that need 5 GHz, do not exclude it.


Step 5: Test Before Trusting

After everything is configured, sit down at each VLAN and verify the rules actually do what you intended.

From a guest Wi-Fi client, try to:

  • Ping the office file server (should fail)
  • Reach the printer (should fail)
  • Open the router admin page at its Management VLAN IP (should fail)
  • Reach the internet (should succeed)

From an office laptop, try to:

  • Print to the IoT-VLAN printer (should succeed)
  • Reach the POS terminal (should fail)
  • Reach a camera’s web interface (should succeed if you allowed it)

From a camera or IoT device, the test is more limited but you should at least confirm it cannot reach the office subnet. Use a network scanner like Fing from a wired test laptop on the IoT VLAN.

If something that should work does not, add the specific rule needed. Resist the temptation to “open it up and come back to it.” That is how everything ends up on one flat network six months later.
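The checklist above is easy to automate so you can rerun it after every rule change. The script below is an added example, not a tool from the article: it probes each target with a TCP connect and compares the result against what the plan says should happen. The hosts and ports are assumptions built from the article's subnets; point them at services that actually listen, because a closed port and a firewall block look the same to this probe.

```python
# Added example: an automated version of the Step 5 checklist, run from a test
# laptop on one VLAN at a time. Hosts and ports are assumptions built from the
# article's subnets; point them at services that really listen on those ports.
import socket

# (label, host, port, expected_reachable) as seen from a Guest Wi-Fi client
GUEST_CHECKS = [
    ("office file server SMB", "192.168.10.5", 445, False),
    ("IoT-VLAN printer IPP", "192.168.30.20", 631, False),
    ("router admin on the Management VLAN", "192.168.1.1", 443, False),
    ("internet", "example.com", 443, True),
]
OFFICE_CHECKS = [   # the same idea as seen from an office laptop
    ("IoT-VLAN printer IPP", "192.168.30.20", 631, True),
    ("POS terminal", "192.168.20.10", 443, False),
    ("camera web interface", "192.168.30.30", 80, True),
]


def tcp_reachable(host, port, timeout=2.0):
    """True only if a TCP handshake completes. A firewall that drops shows up
    as a timeout, one that rejects as a refused connection; both are blocked."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def _state(reachable):
    return "reachable" if reachable else "blocked"


def verify(checks, probe=tcp_reachable):
    """Run every check; return (all_passed, list of failure descriptions)."""
    failures = []
    for label, host, port, expected in checks:
        got = probe(host, port)
        if got != expected:
            failures.append(f"{label} ({host}:{port}) expected "
                            f"{_state(expected)}, got {_state(got)}")
    return not failures, failures


if __name__ == "__main__":
    ok, problems = verify(GUEST_CHECKS)  # use OFFICE_CHECKS on the office VLAN
    print("PASS" if ok else "FAIL")
    for p in problems:
        print("  " + p)
```

A failure in the "expected blocked, got reachable" direction is the one to fix before anything else: it means a rule is missing and the segmentation is not doing its job.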


What This Buys You

After this is done, the next time something on your network gets compromised — and statistically it eventually will — the damage is contained to one VLAN. A breached IP camera is a problem. A breached IP camera that can pivot to your accounting machine is a business-ending event. VLANs are the cheapest insurance you can buy against the second one.

The setup takes an afternoon. The protection lasts as long as you keep the firewall rules clean.
