
OPNsense VLAN Configuration: Segment IoT, Guest, and Trusted Networks

How to create and enforce VLANs on OPNsense to isolate IoT devices, guest Wi-Fi, and your trusted LAN — with firewall rules that block inter-VLAN traffic by default.

By OPNsenseLab Editorial · 8 min read

Proper network segmentation prevents your smart TV from talking to your NAS. This guide covers creating VLANs in OPNsense and the firewall rules that make segmentation actually work.

Design: Three-VLAN baseline

| VLAN ID | Name    | Subnet          | Purpose                                   |
|---------|---------|-----------------|-------------------------------------------|
| 10      | TRUSTED | 192.168.10.0/24 | Workstations, servers, phones you control |
| 20      | IOT     | 192.168.20.0/24 | Smart home devices, printers, cameras     |
| 30      | GUEST   | 192.168.30.0/24 | Guest Wi-Fi — internet only               |

Step 1: Create VLANs

Interfaces → Other Types → VLAN → Add, then fill in the form for VLAN 10 (values from the table above; the parent NIC is whichever physical port faces your managed switch):

Parent: the physical NIC facing your switch
VLAN tag: 10
Description: TRUSTED

Repeat for VLAN 20 (IOT) and VLAN 30 (GUEST).

Step 2: Assign interfaces

Interfaces → Assignments → add each new VLAN interface. Then open each one and enable it with a static address (the .1 of each subnet from the table; the test in Step 4 assumes 192.168.10.1 is the TRUSTED gateway):

Enable Interface: checked
IPv4 Configuration Type: Static IPv4
IPv4 address: 192.168.10.1/24 (likewise 192.168.20.1/24 for IOT and 192.168.30.1/24 for GUEST)

Step 3: Firewall rules

IoT VLAN — block all inter-VLAN, allow internet

On the IOT interface, in this order (OPNsense evaluates rules top to bottom and the first match wins, so the block must sit above the pass):

Rule 1
Action: Block
Protocol: any
Source: IOT net
Destination: RFC1918 alias (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
Description: Block IoT → private ranges

Rule 2
Action: Pass
Protocol: any
Source: IOT net
Destination: any
Description: Allow IoT → internet

Create the alias under Firewall → Aliases (type Network(s)). Note that 192.168.20.1, the firewall's own address on the IOT VLAN, falls inside the blocked range: if IoT devices use OPNsense for DNS, add a Pass rule for Source: IOT net, Destination: IOT address, Protocol: TCP/UDP, Port: 53 above Rule 1.

Guest VLAN — internet only, block RFC1918

Same two rules, applied to the GUEST interface with Source: GUEST net.

Trusted VLAN — full access

Allow all by default (or lock down as needed for your threat model).

Step 4: Test segmentation

From an IoT device, confirm:

ping 192.168.10.1   # Should fail (blocked by firewall rule)
curl https://example.com   # Should succeed
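Before testing on a live device it helps to dry-run the rule order from Step 3. The script below is an added example, not OPNsense code: it models first-match evaluation with the page's IOT rules, shows that the plain block-then-pass pair also blocks DNS to the firewall's own IOT address, and that a DNS pass placed above the block fixes it. It assumes 192.168.20.1 is OPNsense's address on the IOT VLAN and uses 198.51.100.7 as a constructed public destination.

```python
"""Dry-run of the IOT interface rule set with first-match semantics.
Added example, not OPNsense code. Assumes 192.168.20.1 is the firewall's
own address on the IOT VLAN ("IOT address" in the rule editor)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IOT_NET = ipaddress.ip_network("192.168.20.0/24")
IOT_ADDRESS = ipaddress.ip_network("192.168.20.1/32")  # assumed firewall address on IOT


@dataclass
class Rule:
    action: str                                   # "pass" or "block"
    src: List[Net]                                # source networks
    dst: List[Net] = field(default_factory=list)  # empty list means "any"
    dport: Optional[int] = None                   # None means any port
    desc: str = ""


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, description) of the first matching rule, else the implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        src_ok = any(s in n for n in r.src)
        dst_ok = not r.dst or any(d in n for n in r.dst)
        port_ok = r.dport is None or r.dport == dport
        if src_ok and dst_ok and port_ok:
            return r.action, r.desc
    return "block", "implicit default deny"


# The two rules as the guide lists them for the IOT interface, block above pass
NAIVE = [
    Rule("block", [IOT_NET], RFC1918, desc="Block IoT -> private ranges"),
    Rule("pass", [IOT_NET], desc="Allow IoT -> internet"),
]
# Same rules with a DNS pass to the firewall's own IOT address placed above the block
HARDENED = [Rule("pass", [IOT_NET], [IOT_ADDRESS], dport=53, desc="Allow IoT -> firewall DNS")] + NAIVE

if __name__ == "__main__":
    # Constructed sample flows from an IoT device at 192.168.20.50
    for label, rules in (("naive", NAIVE), ("hardened", HARDENED)):
        for dst, port in (("192.168.10.10", 445), ("198.51.100.7", 443), ("192.168.20.1", 53)):
            print(label, f"192.168.20.50 -> {dst}:{port}", evaluate(rules, "192.168.20.50", dst, port))
```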

Managed switch tagging

If your switch is VLAN-aware (e.g., a UniFi switch), configure trunk ports carrying all VLANs to OPNsense and access ports assigning devices to the correct VLAN. The OPNsense VLAN sub-interfaces receive tagged traffic and route accordingly.

Running UniFi APs? See UniFiGuide for SSID-to-VLAN mapping in the Network Application.

#opnsense #vlan #network-segmentation #iot #firewall-rules
