How to Create a Secure IoT VLAN with NETGEAR Plus Switches

Isolate Your Smart Home Devices for Enhanced Network Security

🎯 What You'll Learn

In this guide you'll learn how to put your IoT devices on their own VLAN using NETGEAR Plus switches. The switch separates the IoT network from your main network at layer 2, and your router's firewall filters what crosses between them at layer 3, so your smart home gadgets keep their internet access while your computers, servers, and sensitive data are shielded from whatever is running on them.

🔒 Why You Need a Separate IoT VLAN

IoT devices are notorious for having security vulnerabilities. From smart cameras to voice assistants, these devices often:

  • Lack regular security updates from manufacturers
  • Use weak default passwords that are rarely changed
  • Collect and transmit data that you may not be aware of
  • Provide entry points for malicious actors into your network

By creating a separate VLAN (Virtual Local Area Network) for IoT devices, you accomplish several important security goals:

✅ Benefits of IoT Network Segmentation:
  • Keeps IoT devices away from your computers and servers (the switch separates the broadcast domains; the router's firewall enforces the block)
  • Contains a compromised device, so lateral movement stops at the IoT network
  • Allows IoT devices to communicate with each other when needed
  • Maintains internet access for cloud-connected smart devices
  • Simplifies network monitoring and traffic analysis, since all IoT traffic crosses one router interface

πŸ› οΈ What You'll Need

Before we begin, make sure you have the following equipment and access:

Hardware Requirements

  • NETGEAR Plus Switch (Models: GS105Ev2, GS108Ev3, GS116Ev2, GS305E, GS308E, JGS516PE, JGS524Ev2, JGS524PE, or similar)
  • Router with VLAN Support (Most modern routers support 802.1Q VLANs)
  • Wireless Access Point (for WiFi-connected IoT devices)
  • Ethernet Cables (Cat5e or higher recommended)

Network Access

  • Administrative access to your switch (the factory default password is password; change it as part of this setup, since every device on the management VLAN can reach the switch's web UI)
  • Administrative access to your router
  • Computer connected to the same network as the switch
💡 Pro Tip: Before making any changes, document your current network configuration and save your switch settings (System > Maintenance > Save Configuration). This allows you to restore your configuration if something goes wrong.

πŸ—ΊοΈ Network Overview

Here's what your network will look like after configuration:

Network Topology Diagram (rendered as text)

Internet
  |
Router / Gateway
  VLAN 1: 192.168.1.0/24 (Main)
  VLAN 10: 192.168.10.0/24 (IoT)
  Firewall: Block IoT → Main
  |  802.1Q trunk
NETGEAR Plus Switch
  Port 1: Uplink, tagged
  Ports 2-4: Main Net, VLAN 1
  Port 5: WAP, VLAN 10
  Ports 6-8: IoT wired, VLAN 10

Main Network (VLAN 1) 192.168.1.0/24: 💻 Computers, 🖥️ Servers. ✓ Internet access. ✗ Protected from IoT
IoT Network (VLAN 10) 192.168.10.0/24: 📡 WiFi AP, 📱 Smart Home, 📷 Cameras, 📺 Smart TVs. ✓ Internet access. ✓ See other IoT devices. ✗ Cannot access Main Net

Port Assignment Summary

Port(s)     Purpose                        VLAN Assignment     Tagging
Port 1      Uplink to Router               VLAN 1 + VLAN 10    VLAN 10 tagged; VLAN 1 tagged, or untagged with PVID 1 if the router sends the main network untagged (trunk)
Ports 2-4   Main Network Devices           VLAN 1              Untagged, PVID 1
Port 5      Wireless Access Point          VLAN 10             Untagged, PVID 10, removed from VLAN 1
Ports 6-8   Wired IoT Devices (optional)   VLAN 10             Untagged, PVID 10, removed from VLAN 1

βš™οΈ Step-by-Step Switch Configuration

1 Access Your Switch

  1. Open a web browser on a computer connected to your network
  2. Enter your switch's IP address in the address bar (e.g., http://192.168.1.100)
  3. Log in with your password (default is password)
πŸ” Don't know your switch's IP address?
Check your router's DHCP client list, use the NETGEAR Switch Discovery Tool, or if the switch is off-network, it uses the default IP: 192.168.0.239

2 Enable Advanced 802.1Q VLAN

  1. Navigate to VLAN > 802.1Q > Advanced > VLAN Configuration
  2. Select the Enable radio button
  3. When warned that current VLAN settings will be lost, click OK
  4. Click Apply to save your settings
⚠️ Important: This will reset any existing VLAN configuration. Make sure you've backed up your current settings first!

3 Create the IoT VLAN

  1. You should still be on the VLAN Configuration page
  2. In the VLAN ID field, enter 10 (or any number 2-4093)
  3. Click Add
  4. The new VLAN 10 appears in the VLAN Identifier Setting table
💡 Why VLAN 10? You can use any VLAN ID between 2 and 4093. VLAN 10 is commonly used for guest/IoT networks and is easy to remember. Just make sure it doesn't conflict with existing VLANs on your network.

4 Configure the Uplink Port

The uplink port connects your switch to your router and must carry traffic for both VLANs.

  1. Navigate to VLAN > 802.1Q > Advanced > VLAN Membership
  2. In the VLAN ID menu, select VLAN 1
  3. Locate your uplink port (let's assume it's Port 1)
  4. Make sure Port 1 is a member of VLAN 1. Mark it Tagged (T) only if your router sends VLAN 1 traffic with an 802.1Q tag; leave it Untagged (U) with PVID 1 if your router sends the main network untagged as the port's native VLAN, which is the common case for consumer and many prosumer routers
  5. Click Apply
  6. Now select VLAN 10 from the VLAN ID menu
  7. Check Port 1 and mark it as Tagged (T)
  8. Click Apply
✅ What You've Accomplished: Port 1 is now a "trunk port". VLAN 10 frames cross it tagged, so the router can tell IoT traffic from main-network traffic. A mismatch between the switch and the router on how VLAN 1 crosses this port is the most common way to lose both your main network and access to the switch's web UI at once, so check the router's setting before you apply this step.

5 Configure the Wireless Access Point Port

  1. In the VLAN ID menu, select VLAN 10
  2. Select Port 5 (or whichever port you'll use for your WAP)
  3. Mark it as Untagged (U)
  4. Click Apply

6 Configure Additional IoT Ports (Optional)

If you have wired IoT devices (smart TVs, game consoles, etc.):

  1. Still in VLAN 10 membership
  2. Select Ports 6, 7, and 8 (or any additional ports)
  3. Mark them as Untagged (U)
  4. Click Apply

7 Set Port PVIDs

PVID (Port VLAN ID) tells the switch which VLAN to assign to untagged frames arriving on a port. Without it, a device plugged into Port 5 would still be placed in VLAN 1.

  1. Navigate to VLAN > 802.1Q > Advanced > Port PVID
  2. Select Port 5 (your WAP port)
  3. Enter 10 in the PVID field
  4. Click Apply
  5. Repeat for Ports 6-8 if you configured them for IoT
  6. Now remove the IoT ports from VLAN 1: go back to VLAN > 802.1Q > Advanced > VLAN Membership, select VLAN 1, clear Ports 5-8 so they are neither U nor T, and click Apply. By default every port is an untagged member of VLAN 1, and a port left in both VLANs still emits main-network broadcast and multicast frames onto the IoT side. This step has to come after the PVID change: the switch requires a port to remain a member of its PVID VLAN, so it will not let you drop VLAN 1 while the PVID is still 1
🎉 Switch Configuration Complete! Your switch is now properly configured with VLAN segmentation. Next, we need to configure your router.

🌐 Router Configuration

Your router configuration is crucial for this setup to work properly. The exact steps vary by router manufacturer, but here are the general principles:

Required Router Capabilities

  • 802.1Q VLAN Support: Your router must support VLAN tagging
  • Multiple VLAN Interfaces: Ability to create separate network interfaces for each VLAN
  • Firewall Rules: Ability to create inter-VLAN firewall rules

General Router Setup Steps

Step 1: Create VLAN Interfaces

  1. Log into your router's admin interface
  2. Navigate to the VLAN configuration section (location varies)
  3. Identify the port connected to your switch
  4. Create a VLAN 10 interface on that port with address 192.168.10.1/24 (your IoT network)
  5. Decide how VLAN 1 crosses that port. On most routers the existing LAN interface (192.168.1.1/24) already serves the main network untagged, and the matching switch setting is Port 1 untagged in VLAN 1 with PVID 1. Only if you tagged VLAN 1 on the switch uplink do you also need a tagged VLAN 1 interface here. The router and the switch must agree, or the main network and the switch's web UI disappear together

Step 2: Enable DHCP for Both VLANs

  1. Configure DHCP server for VLAN 1:
    • Range: 192.168.1.100 - 192.168.1.254
    • Gateway: 192.168.1.1
    • DNS: Your preferred DNS servers
  2. Configure DHCP server for VLAN 10:
    • Range: 192.168.10.100 - 192.168.10.254
    • Gateway: 192.168.10.1
    • DNS: Your preferred DNS servers. The simplest choice is the router's own resolver on 192.168.10.1. If you hand out a resolver that lives on VLAN 1 (a Pi-hole, for example), the firewall needs an explicit ALLOW for UDP/TCP 53 from VLAN 10 to that single host, placed above the DENY

Step 3: Configure Firewall Rules

This is the most critical step for security. Most routers evaluate the rules on an interface top to bottom and act on the first match, so the order below is part of the design, not a suggestion. Create these rules on the IoT (VLAN 10) interface:

# Firewall Rule Priority (Top to Bottom)
Rule 1: ALLOW VLAN 10 → 192.168.10.1 (DNS: UDP/TCP 53; DHCP: UDP 67, unless your router adds that rule itself, as pfSense/OPNsense do when the DHCP server is enabled on the interface)
        IoT devices need addresses and name resolution from the router's own VLAN 10 address
Rule 2: DENY VLAN 10 → VLAN 1 (192.168.1.0/24, All Protocols)
        Block IoT devices from the main network, including the router's VLAN 1 address (192.168.1.1), which is its admin interface. Denying all of 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 instead of just VLAN 1 also keeps IoT devices off the router's VLAN 10 admin page and off any IoT VLANs you add later
Rule 3: ALLOW VLAN 10 → Any (Internet)
        Allow IoT devices to access the internet. With Rule 2 above it, "Any" no longer includes the main network
Rule 4: ALLOW VLAN 1 → VLAN 10 (Optional, on the VLAN 1 interface)
        Allow main network to access IoT devices (for management). On a stateful firewall the replies come back automatically, so no IoT-side rule is needed for them

⚠️ Critical Security Note: The order of firewall rules matters! "ALLOW VLAN 10 → Any" placed above the DENY matches IoT → main traffic first, and the DENY never runs. On routers built on iptables or nftables (MikroTik, OpenWrt) an "accept established,related" rule at the top of the chain is normal and not a bypass: it only matches replies to connections an earlier rule already permitted. Test thoroughly to ensure IoT devices cannot reach your main network.
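The rule list above, as an added example that is not part of the original guide or of any router vendor's configuration: a small Python model of first-match rule evaluation that runs the guide's subnets through both the unsafe order (ALLOW to "any" above the DENY) and the corrected one. The packets are constructed for this example, and the deny covers all RFC 1918 space, which is the generalization that keeps working once you add VLAN 20, 30 and so on. pfSense/OPNsense, iptables and RouterOS all stop at the first matching rule, so the model applies to each of them, though none of their syntax appears here.

```python
"""First-match firewall model for the IoT VLAN (VLAN 10) design.

Added example, not code from the original guide or from any router vendor:
a small model of how a router walks an ordered rule list, used to show why
the "ALLOW IoT -> Internet" rule has to sit below the "DENY IoT -> main
network" rule. Subnets are the guide's; the packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

net = ipaddress.ip_network
IOT_NET = net("192.168.10.0/24")
MAIN_NET = net("192.168.1.0/24")
IOT_GW = ipaddress.ip_address("192.168.10.1")
ANY = net("0.0.0.0/0")
# Denying all RFC 1918 space (not just 192.168.1.0/24) also covers future
# IoT VLANs (VLAN 20, 30, ...) and the router's own addresses in every VLAN.
RFC1918 = (net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16"))


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: ipaddress.IPv4Network
    dsts: Tuple[ipaddress.IPv4Network, ...]
    proto: str = "any"           # "any", "tcp", "udp", "icmp"
    dport: Optional[int] = None  # None = any port
    name: str = ""

    def matches(self, packet) -> bool:
        src, dst, proto, dport = packet
        if src not in self.src or not any(dst in d for d in self.dsts):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        return self.dport is None or self.dport == dport


def pkt(src, dst, proto="any", dport=None):
    """A constructed packet: (src, dst, proto, dport)."""
    return (ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, dport)


def host(addr):
    return net(f"{addr}/32")


def evaluate(rules, packet, default="deny"):
    """Return (action, reason) for the first matching rule, or the interface
    default. Same-subnet traffic never reaches the router: the switch forwards
    it at layer 2, so no firewall rule can restrict it. Traffic addressed to
    the router's own VLAN 10 address is the exception and is filtered."""
    src, dst, _, _ = packet
    if src in IOT_NET and dst in IOT_NET and dst != IOT_GW:
        return "allow", "same VLAN: switched at layer 2, router never sees it"
    for r in rules:
        if r.matches(packet):
            return r.action, r.name
    return default, "interface default"


# Rules 1 and 2 of the guide's original list taken literally: "Internet"
# written as "any" and placed above the DENY. This is the mistake to avoid.
AS_PRINTED = (
    Rule("allow", IOT_NET, (ANY,), name="allow iot -> internet (as 'any')"),
    Rule("deny", IOT_NET, (MAIN_NET,), name="deny iot -> main"),
)

# Corrected order: services on the IoT gateway first, then deny private
# space, then allow the rest (which is now only the internet). DHCP is not
# modelled here: the initial DISCOVER comes from 0.0.0.0, and pfSense/OPNsense
# add their own pass rules for it when the DHCP server is enabled.
CORRECTED = (
    Rule("allow", IOT_NET, (host(IOT_GW),), "udp", 53, "allow dns/udp to iot gateway"),
    Rule("allow", IOT_NET, (host(IOT_GW),), "tcp", 53, "allow dns/tcp to iot gateway"),
    Rule("deny", IOT_NET, RFC1918, name="deny iot -> all private networks"),
    Rule("allow", IOT_NET, (ANY,), name="allow iot -> internet"),
)

# Constructed test traffic from a camera at 192.168.10.50 on the IoT VLAN.
PACKETS = {
    "camera -> cloud https": pkt("192.168.10.50", "203.0.113.10", "tcp", 443),
    "camera -> file server smb": pkt("192.168.10.50", "192.168.1.10", "tcp", 445),
    "camera -> router admin via vlan1": pkt("192.168.10.50", "192.168.1.1", "tcp", 443),
    "camera -> router admin via vlan10": pkt("192.168.10.50", "192.168.10.1", "tcp", 443),
    "camera -> dns on iot gateway": pkt("192.168.10.50", "192.168.10.1", "udp", 53),
    "camera -> smart display rtsp": pkt("192.168.10.50", "192.168.10.60", "tcp", 554),
}


def audit(rules, packets=PACKETS):
    """Map each packet name to the action the ordered ruleset produces."""
    return {name: evaluate(rules, p)[0] for name, p in packets.items()}


def leaks(rules, packets=PACKETS):
    """Names of packets the ruleset lets into the main network: the one
    thing this design exists to prevent."""
    return [name for name, p in packets.items()
            if p[1] in MAIN_NET and evaluate(rules, p)[0] == "allow"]


if __name__ == "__main__":
    for label, rules in (("as printed", AS_PRINTED), ("corrected", CORRECTED)):
        print(f"--- {label} ---")
        for name, action in audit(rules).items():
            print(f"{action:5}  {name}")
        print("leaks into main network:", leaks(rules) or "none")
```

Run it and compare the two audits: under the order as printed, the SMB and router-admin packets are allowed because the "any" rule fires first; under the corrected order they are denied while DNS to the IoT gateway and outbound HTTPS still pass, and the router's admin page is unreachable from VLAN 10 on either of its addresses. Note the same-VLAN RTSP packet, which is allowed in both: the router never sees intra-VLAN traffic, so keeping devices on the same IoT VLAN apart from each other is a job for the access point's client isolation or for separate VLANs, not for firewall rules.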

Router Brand-Specific Tips

  • pfSense/OPNsense: Create VLAN interfaces under Interfaces > Assignments, then configure firewall rules under Firewall > Rules
  • UniFi (Ubiquiti): Create networks under Settings > Networks, then configure firewall rules under Settings > Security
  • MikroTik: Use Bridge VLAN Filtering or create VLAN interfaces, then configure firewall rules in IP > Firewall
  • TP-Link Omada: Configure under Settings > Wired Networks > LAN, then use ACL rules

📡 Wireless Access Point Setup

Your wireless access point needs to be configured to broadcast an IoT-specific SSID:

WAP Configuration Steps

  1. Connect the WAP to Port 5 on your switch (or whichever port you configured for VLAN 10)
  2. Set WAP to Bridge/AP Mode: Not router mode! It should pass through DHCP requests to your router
  3. Create a new SSID:
    • Name: Something like "IoT-Network" or "Smart-Home"
    • Security: WPA2-PSK or WPA3-PSK (strong password required!)
    • Network: Leave on default/untagged (it inherits VLAN 10 from the switch port)
  4. Disable client isolation if you want IoT devices to communicate with each other
  5. Save and reboot the access point
⚠️ Caveat: With this port layout the WAP's own management interface also lands on VLAN 10, so every IoT device can reach its admin page. Set a strong admin password, disable any remote/cloud management you don't use, and keep its firmware current. If your WAP is VLAN-aware (it can map an SSID to a tagged VLAN), the cleaner option is to make Port 5 untagged in VLAN 1 with PVID 1 for the WAP's management and tagged in VLAN 10 for the IoT SSID; the same AP can then also broadcast your main SSID.
💡 Pro Tip: Consider using a different WiFi channel for your IoT network than your main WiFi network to reduce interference and improve performance.

🧪 Testing Your Configuration

Before migrating all your IoT devices, it's crucial to test that the network segmentation is working correctly.

Test 1: IoT Device Internet Access

  1. Connect a test device (smartphone) to your IoT WiFi network
  2. Open a web browser and navigate to a website (e.g., google.com)
  3. Expected result: Website loads successfully ✅

Test 2: IoT to Main Network Isolation

  1. While connected to the IoT WiFi, try to ping a device on your main network:
    ping 192.168.1.10
  2. Expected result: Request times out or "Destination unreachable" ✅
  3. Ping alone is not enough (a firewall can drop ICMP and still forward TCP), so also try a real service: open a file share on a main-network host, its SSH or web admin page, and the router's own VLAN 1 address (http://192.168.1.1)
  4. Expected result: Connection refused or times out ✅

Test 3: IoT Device Communication

  1. Connect two IoT devices to the IoT network
  2. Try to access one device from the other (e.g., view a camera from a smart display)
  3. Expected result: Devices can see and communicate with each other ✅

Test 4: Main Network to IoT (Optional Management Access)

  1. From a computer on your main network, try to access an IoT device's IP
  2. Expected result: Depends on your firewall rules (typically allowed for management) ✅
✅ All Tests Passed? Congratulations! Your IoT VLAN is properly configured and secure. You can now start migrating your IoT devices to the new network.
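The four tests above, as an added example that is not part of the original guide: a Python probe you run from a laptop on the IoT WiFi (and can run again from the main network with the expectations flipped). The target addresses and ports in EXPECTATIONS are assumptions matching the guide's example subnets, with 192.168.1.10 standing in for a file server; change them to hosts that actually run those services on your network. It uses TCP connects and a hand-built DNS query rather than ping, because a firewall that drops ICMP can still forward TCP.

```python
"""Segmentation probe for the IoT VLAN: does the firewall enforce the policy?

Added example, not from the original guide. Run it from a laptop on the IoT
WiFi. EXPECTATIONS encodes the guide's design: IoT may reach the internet and
DNS on its own gateway, and must not reach anything on 192.168.1.0/24 or the
router's admin interface. Hosts and ports are assumptions; point them at
services that really listen on your network.
"""
import errno
import socket
from typing import List, Tuple

TIMEOUT_S = 2.0
ECONNREFUSED = errno.ECONNREFUSED

# (description, host, proto, port, should_reach). Constructed for the guide's
# example subnets; 192.168.1.10 stands in for a file server on the main VLAN.
EXPECTATIONS: List[Tuple[str, str, str, int, bool]] = [
    ("internet https",           "1.1.1.1",      "tcp", 443, True),
    ("dns on iot gateway",       "192.168.10.1", "udp", 53,  True),
    ("router admin via iot gw",  "192.168.10.1", "tcp", 443, False),
    ("router admin via vlan 1",  "192.168.1.1",  "tcp", 443, False),
    ("file server smb",          "192.168.1.10", "tcp", 445, False),
    ("file server ssh",          "192.168.1.10", "tcp", 22,  False),
]


def classify(rc: int) -> str:
    """Map a connect_ex() result to what it says about the path.
    open    : handshake completed, a service answered
    closed  : the host answered with RST, so the packet crossed the firewall
    blocked : timeout or no route, the expected result for a dropped packet"""
    if rc == 0:
        return "open"
    if rc == ECONNREFUSED:
        return "closed"
    return "blocked"


def tcp_probe(host: str, port: int, timeout: float = TIMEOUT_S) -> str:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            rc = s.connect_ex((host, port))  # returns an errno instead of raising
        except (socket.timeout, OSError):    # e.g. name resolution failure
            rc = errno.ETIMEDOUT
    return classify(rc)


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 query: standard query, recursion desired, one A question."""
    header = txid.to_bytes(2, "big") + b"\x01\x00" + b"\x00\x01" + b"\x00" * 6
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + b"\x00\x01" + b"\x00\x01"  # QTYPE=A, QCLASS=IN


def udp_dns_probe(host: str, timeout: float = TIMEOUT_S) -> str:
    """'open' if the resolver answers with our transaction ID, else 'blocked'.
    UDP has no handshake, so a matching reply is the only evidence the path works;
    an unrelated datagram does not prove the resolver answered."""
    query = build_dns_query("example.com")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (host, 53))
            data, _ = s.recvfrom(512)
        except (socket.timeout, OSError):  # ICMP port-unreachable also lands here
            return "blocked"
    return "open" if data[:2] == query[:2] else "blocked"


def verdict(should_reach: bool, outcome: str) -> str:
    """PASS when the packet's fate matches the policy. 'closed' counts as
    reached: the firewall forwarded it even if nothing was listening."""
    reached = outcome in ("open", "closed")
    return "PASS" if reached == should_reach else "FAIL"


def run(expectations=EXPECTATIONS) -> List[Tuple[str, str, str]]:
    results = []
    for desc, host, proto, port, should in expectations:
        outcome = udp_dns_probe(host) if proto == "udp" else tcp_probe(host, port)
        results.append((desc, outcome, verdict(should, outcome)))
    return results


if __name__ == "__main__":
    for desc, outcome, result in run():
        print(f"{result}  {outcome:7}  {desc}")
```

A "closed" result means a host answered with a reset, so the packet crossed the firewall even though no service was listening; the script counts that as reachable, which is why the targets should be ports where something really listens. If your deny rule is configured to reject rather than silently drop, the router itself sends that reset and the test cannot tell it from a real host. Use a drop (block) action for the IoT deny rule, which also gives a compromised device less to learn from.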

🔧 Troubleshooting Tips

Problem: IoT Devices Can't Get Internet Access

  • Check router DHCP: Make sure DHCP is enabled for VLAN 10
  • Verify VLAN tagging: Ensure Port 1 is tagged for VLAN 10
  • Check firewall rules: Make sure you have an ALLOW rule for VLAN 10 → Internet, and that IoT devices can reach DNS (UDP/TCP 53) on 192.168.10.1 or whichever resolver DHCP hands out; a device that gets an address but can't resolve names looks exactly like one with no internet
  • Test with static IP: Manually assign 192.168.10.50 to a device to rule out DHCP issues

Problem: IoT Devices CAN Access Main Network

  • Check firewall rule order: the DENY VLAN 10 → VLAN 1 rule must sit above any ALLOW whose destination is "any"; otherwise the broad ALLOW matches first and the DENY never runs
  • Verify rule syntax: Make sure the DENY rule specifies the correct source (192.168.10.0/24) and destination (192.168.1.0/24) networks and is attached to the correct interface
  • Flush the state table: stateful firewalls keep forwarding connections that were established before you added the DENY until their state expires. Reset the states (pfSense: Diagnostics > States > Reset States) or reboot the router, then retest
  • Check for broader rules: a default "allow LAN to any" rule, a floating rule, or an interface-group rule that also covers VLAN 10 can sit above your DENY. An "allow established/related" rule, by contrast, only matches replies to connections already permitted, so it is not what is letting new IoT connections through

Problem: Some IoT Devices Won't Connect

  • Check WiFi security: Some older IoT devices only support WPA2, not WPA3
  • Disable AP isolation: If enabled, devices can't discover each other
  • Check 2.4GHz vs 5GHz: Many IoT devices only work on 2.4GHz
  • Verify DHCP pool size: Make sure you have enough IP addresses for all devices

Problem: Lost Access to Switch Configuration

  • Check the uplink first: if Port 1 is tagged for VLAN 1 but the router sends the main network untagged (or the other way round), the switch's management interface in VLAN 1 is cut off from the router, along with everything on Ports 2-4
  • If switch is on VLAN 1: Connect a computer directly to one of the untagged VLAN 1 ports (Ports 2-4), give it a static address in the switch's subnet, and browse to the switch's IP
  • If you can't access: Factory reset the switch with the recessed Reset button (hold for 2+ seconds; check your model's manual for the exact hold time), then restore your saved .cfg file
  • Prevention: Always save your configuration before major changes

📊 Configuration Summary Checklist

Switch Configuration ✓

  • ☐ Advanced 802.1Q VLAN enabled
  • ☐ VLAN 10 created
  • ☐ Port 1 tagged for VLAN 10, and in VLAN 1 the way the router expects (tagged, or untagged with PVID 1)
  • ☐ Port 5 untagged for VLAN 10, PVID 10, removed from VLAN 1
  • ☐ Ports 6-8 untagged for VLAN 10, PVID 10, removed from VLAN 1 (if used)
  • ☐ Default admin password changed
  • ☐ Configuration saved

Router Configuration ✓

  • ☐ VLAN 1 interface: 192.168.1.1/24
  • ☐ VLAN 10 interface: 192.168.10.1/24
  • ☐ DHCP enabled for both VLANs
  • ☐ Firewall rule: ALLOW VLAN 10 → 192.168.10.1 (DNS, DHCP)
  • ☐ Firewall rule: DENY VLAN 10 → VLAN 1 (placed above the Internet ALLOW)
  • ☐ Firewall rule: ALLOW VLAN 10 → Internet
  • ☐ Rules tested and verified

WAP Configuration ✓

  • ☐ WAP in bridge/AP mode (not router mode)
  • ☐ IoT SSID created with strong password
  • ☐ Client isolation disabled
  • ☐ WAP connected to Port 5

🎯 Best Practices and Recommendations

Security Best Practices

  • Use strong WiFi passwords: Minimum 16 characters with mixed case, numbers, and symbols
  • Regularly update firmware: Keep your switch, router, and WAP firmware up to date
  • Monitor network traffic: Use your router's logging to watch for suspicious activity
  • Disable unused ports: On your switch, disable any ports you're not using
  • Document your setup: Keep notes on your VLAN configuration for future reference

IoT Device Management

  • Change default passwords: On every IoT device, change the default password immediately
  • Disable unused features: Turn off UPnP, remote access, and other features you don't need
  • Update regularly: Keep IoT device firmware current (if updates are available)
  • Inventory your devices: Keep a list of all IoT devices and their IP addresses

Network Performance

  • Monitor bandwidth: Some IoT devices (cameras) use significant bandwidth
  • Consider QoS: If needed, configure Quality of Service to prioritize critical traffic
  • Use Gigabit connections: Ensure all inter-switch connections are Gigabit or faster
  • Separate WiFi channels: Use different channels for main and IoT WiFi networks

🚀 Advanced Configurations

Multiple IoT VLANs

For even better security, you can create separate VLANs for different types of IoT devices:

  • VLAN 10: Smart home devices (lights, thermostats)
  • VLAN 20: Security cameras (often the most vulnerable)
  • VLAN 30: Voice assistants (privacy concerns)
  • VLAN 40: Guest network

Each additional VLAN repeats the same pattern: tag it on the switch uplink, make its own ports untagged with a matching PVID, give it a router interface and DHCP scope, and keep a single DENY to all RFC 1918 space above the Internet ALLOW so that new VLANs are isolated from each other without writing a rule per pair. Add explicit ALLOWs only for the specific flows you need, for example your main network to the camera VLAN for viewing.

Cascading Additional Switches

NETGEAR Plus switches don't stack in the managed-switch sense (there is no shared control plane), but you can daisy-chain them while keeping the VLAN layout:

  1. Configure the first switch as described in this guide
  2. On the second switch, enable Advanced 802.1Q and create the same VLAN IDs
  3. Connect the switches through one port on each, configured as a trunk: tagged for VLAN 10, with VLAN 1 handled the same way on both ends (both sides must agree on whether VLAN 1 crosses tagged or untagged)
  4. Configure access ports on the second switch as needed, remembering to set each IoT port's PVID and then remove it from VLAN 1
  5. The second switch's management interface is also in VLAN 1, so its web UI is reachable only from the main network, which is what you want

💾 Backup and Recovery

Save Your Configuration

Always maintain a backup of your switch configuration:

  1. Log into the switch
  2. Navigate to System > Maintenance > Save Configuration
  3. Click Save and download the .cfg file
  4. Store the file in a secure location with a descriptive name (e.g., "switch-config-2024-10-11.cfg")

Restore Configuration

If you need to restore a saved configuration:

  1. Navigate to System > Maintenance > Restore Configuration
  2. Click Browse and select your saved .cfg file
  3. Click Apply
  4. The switch will reboot with the restored configuration

📚 Additional Resources

  • NETGEAR Support: netgear.com/support
  • Switch Documentation: Download your model-specific manual from the NETGEAR support site
  • Network Security Resources: Visit NIST Cybersecurity Framework for best practices
  • Home Network Forum: Join the NETGEAR Community for help and advice

🎓 Conclusion

Congratulations! You've successfully created a secure, isolated network for your IoT devices. This configuration provides several important benefits:

What You've Achieved:

  • ✅ Enhanced Security: Your main network is protected from IoT vulnerabilities
  • ✅ Network Segmentation: IoT devices are isolated but can still access the internet
  • ✅ Device Communication: IoT devices can discover and communicate with each other
  • ✅ Flexible Management: You can control access policies from your router
  • ✅ Scalability: Easy to add more devices or create additional VLANs

Remember to:

  • Regularly test your firewall rules to ensure they're working as expected
  • Keep all firmware updated on switches, routers, and IoT devices
  • Document any changes you make to your network configuration
  • Monitor your network for unusual traffic or security events

Network security is an ongoing process, not a one-time setup. Stay informed about IoT security best practices and adjust your configuration as needed.

Questions or Issues? If you run into problems or have questions about this setup, feel free to leave a comment below or reach out through the contact form. I'm happy to help troubleshoot any issues you might encounter!

Found This Guide Helpful?

Share it with others who might benefit from better IoT security!
