Creating an Isolated Network For VMware Homelab Environments

GuidesVirtuallyWired

If you’re managing a VMware home lab and want to segregate your home network and homelab network traffic for better security and organisation, VLANs are the way to go. In this post, I’ll guide you through how I set up an additional network using OPNsense, running as a virtual machine in my VMware environment, and isolated my VMware lab into its own VLAN-based network.

Background

  • My VMware infrastructure serves multiple purposes, including hosting my home network devices and IoT devices.
  • I wanted to isolate my VMware demo lab environment into its own VLAN and subnet for better segmentation and security.
  • For this setup, I used the TP-Link TL-SG108E, an affordable unmanaged-plus switch supporting features like VLAN tagging (802.1Q), port-based VLANs, and basic QoS. Despite its low price point, it’s an excellent choice for a home lab setup. I manage my network using OPNsense, a fork of the well-known pfSense firewall, though this setup will work with any firewall solution capable of VLAN tagging and routing.

Steps to Set Up VLAN Isolation

Step 1: Plan the Network

  • Primary Network: Existing home network managed by OPNsense.
  • New Network: A dedicated VLAN-based network for VMware lab devices:
    • VLAN ID: 100
    • Subnet: 172.100.100.0/24
    • DHCP Enabled: Yes (to automatically assign IPs to devices in this VLAN).

Step 2: Configure OPNsense

2.1 Add VLAN in OPNsense

  1. Log in to your OPNsense web interface.
  2. Navigate to Interfaces > Other Types > VLANs.
  3. Add a new VLAN:
    • Parent Interface: OPNsense LAN interface.
    • VLAN Tag: 100.
    • Description: VLAN100.
  4. Save the configuration.

2.2 Assign the VLAN to an Interface

  1. Go to Interfaces > Assignments.
  2. Add the VLAN interface (VLAN100) to the interface list.
  3. Configure the new VLAN interface:
    • Enable: Check the box to enable the interface.
    • IPv4 Configuration Type: Static.
    • IPv4 Address: 172.100.100.1/24.
  4. The interface name is automatically labelled OPT2, click to rename the description if desired. I renamed mine to VLAN100
  5. Save the changes.

2.3 Enable DHCP for VLAN100

  1. Go to Services > DHCPv4 > VLAN100.
  2. Enable DHCP and configure the range (e.g., 172.100.100.11 - 172.100.100.100).
  3. Set the DNS and gateway for the clients as needed; I use OPNsense Gateway to forward DNS requests; that way, I can leverage unbound DNS to set DNS overrides.
  4. Save and apply the configuration.

2.4 Set Firewall Rules

  1. Navigate to Firewall > Rules > VLAN100.
  2. Add a rule to allow all traffic from VLAN100:
    • Action: Pass.
    • Protocol: IPv4+6.
    • Source: VLAN100 net.
    • Destination: Any.
  3. Save and make sure to press Apply Changes to commit the rule.

Step 3: Configure TP-Link TL-SG108E Switch

3.1 Add VLAN Configuration

  1. Log in to your TL-SG108E switch interface.
  2. Navigate to 802.1Q VLAN Configuration.
  3. Add a new VLAN (VLAN100) and Tag the physical ports connected to your VMware infrastructure:
    • Tagged Ports: Mark the ports connected to VMware ESXi hosts.
    • Untagged Ports: Leave untagged for non-VLAN devices.
  4. Apply the configuration.

Note: Port 1 is not configured as a member of VLAN 100 because it is dedicated to the Internet WAN connection. This port has a PVID of VLAN 20, which ensures that untagged traffic on this port is associated with VLAN 20. It connects to the WAN interface of my OPNsense virtual firewall via a VMware port group configured with VLAN tag 20.

Step 4: Configure VMware Networking

4.1 Modify the OPNsense LAN Port Group

  1. Log in to the VMware vSphere Client.
  2. Go to Networking > Port Groups.
  3. Edit the port group connected to the OPNsense LAN interface:
    • VLAN ID: Set to 4095 (to allow all VLAN-tagged traffic).

4.2 Create a New Port Group for VLAN100

  1. Create a new port group on the same vSwitch.
  2. Set the VLAN ID to 100.
  3. Name the port group (e.g., VLAN100_PG).

Step 5: Test the Configuration

  1. Attach a test VM (e.g., a Windows VM) to the VLAN100_PG port group.
  2. Verify that the VM:
    • Automatically receives an IP address from the 172.100.100.0/24 network.
    • Can access the internet.
    • Can communicate with devices on the primary home network if allowed by OPNsense rules.

Conclusion

By leveraging VLANs on OPNsense and a budget-friendly switch like the TP-Link TL-SG108E with VLAN support, I successfully isolated my VMware demo lab environment into its own VLAN and subnet for better segmentation and security. This setup not only enhances the organisation and security of lab workloads but also ensures seamless internet connectivity and inter-network communication where necessary. The TP-Link TL-SG108E demonstrates that even affordable networking equipment can provide robust VLAN functionality, making it an excellent choice for home lab environments.

If you found this post helpful, feel free to share it with others who might benefit. I’d also love to hear your thoughts; whether you have questions, suggestions, or insights from your own implementation, drop a comment below.

Thank you for reading, and happy configuring!