My home network has about 40 devices. A third of them are IoT junk I would not let near a corporate VLAN. Hardening this is not glamorous work. It is mostly segmentation and saying no to default settings. Here is the short list that actually matters.
1. Separate VLAN for IoT
Your Ring doorbell, robot vacuum, smart bulbs, and TV do not need to speak to your laptop. Ever. Put them on their own VLAN with these rules:
- IoT VLAN can reach the internet.
- IoT VLAN cannot initiate traffic to your trusted VLAN.
- Trusted VLAN can initiate traffic into IoT (so Home Assistant still works).
- Allow mDNS reflection or use Avahi if you need Cast/AirPlay discovery.
On UniFi, this is three minutes in the Networks tab plus a Traffic Rule. On OPNsense, it is a floating rule on the IoT interface: direction in, block, source IoT net, destination an RFC1918 alias, placed above whatever rule lets the IoT net out to the internet, because the first matching rule wins.
2. DNS Filtering
Pi-hole on a Raspberry Pi 4 with the StevenBlack unified list catches roughly 15-20% of all queries on my network. NextDNS does the same thing as a managed service with better mobile profiles for about $20/year.
Configure your router's DHCP to hand out the Pi-hole IP as the only DNS server. Block outbound DNS (port 53 over UDP and TCP, plus DNS-over-TLS on TCP/853) from every client except Pi-hole itself. Otherwise your smart TV will happily hard-code 8.8.8.8 and bypass you. This does not catch DNS-over-HTTPS, which hides inside ordinary 443 traffic; the usual partial answer is to blocklist known DoH resolver hostnames on the Pi-hole.
# OPNsense floating rule, direction in, quick, on every internal interface (LAN, IoT, guest)
# Block DNS that neither comes from nor goes to the Pi-hole. Negating only the
# source would also stop clients from reaching the Pi-hole, so both are negated.
source: !PIHOLE_IP
destination: !PIHOLE_IP
protocol: TCP/UDP
destination port: 53, 853
action: block, log
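The two sections above describe rules in prose; the ordering and the statefulness are where people get them wrong. Below is an added example, not code from the original post, of a small stateful firewall model that encodes the IoT-VLAN rules and the DNS-egress rule and runs constructed flows through them. The addresses are assumptions for illustration only: 192.168.10.0/24 is the trusted VLAN, 192.168.20.0/24 is the IoT VLAN, and the Pi-hole sits at 192.168.10.53 on the trusted side, which is exactly why an explicit IoT-to-Pi-hole allow has to sit above the IoT-to-RFC1918 block.

```python
import ipaddress

# Addresses below are assumptions for the demonstration, not from the post.
TRUSTED = ipaddress.ip_network("192.168.10.0/24")   # laptops, Home Assistant
IOT = ipaddress.ip_network("192.168.20.0/24")       # TV, bulbs, doorbell
PIHOLE = ipaddress.ip_address("192.168.10.53")      # Pi-hole on the trusted side
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DNS_PORTS = {53, 853}   # plain DNS and DNS-over-TLS


def is_private(ip):
    return any(ip in net for net in RFC1918)


def dns_egress_verdict(src, dst, dport, exclude_dst=True):
    """The 'only the Pi-hole may talk DNS to the outside' rule.

    Returns a block verdict or None (rule does not apply). exclude_dst=False
    is the tempting but wrong form (source != Pi-hole -> block): it also stops
    clients reaching the Pi-hole, so nothing on the network resolves."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport not in DNS_PORTS:
        return None
    if src == PIHOLE:
        return None                 # the Pi-hole must reach its upstream
    if exclude_dst and dst == PIHOLE:
        return None                 # clients must reach the Pi-hole
    return "block dns-egress"


class StatefulFirewall:
    """Evaluates one flow at a time and remembers allowed connections so the
    reply direction passes, the way a conntrack table does. Ports are left
    out of the state key to keep the model short."""

    def __init__(self):
        self.established = set()    # {(initiator_ip, responder_ip)}

    def evaluate(self, src, dst, dport):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)

        # Replies to already-allowed connections pass first. This is what lets
        # Home Assistant on the trusted VLAN hear back from an IoT device even
        # though IoT may never initiate toward trusted.
        if (dst, src) in self.established:
            return "pass established"

        verdict = dns_egress_verdict(str(src), str(dst), dport)
        if verdict:
            return verdict

        if src in IOT:
            # Explicit allow for IoT -> Pi-hole DNS, placed above the RFC1918
            # block: without it the next rule swallows DNS along with
            # everything else that is internal.
            if dst == PIHOLE and dport == 53:
                self.established.add((src, dst))
                return "pass iot-dns"
            if is_private(dst):
                return "block iot-to-internal"
            self.established.add((src, dst))
            return "pass iot-to-internet"

        if src in TRUSTED:
            self.established.add((src, dst))
            return "pass trusted"

        return "block default"


def run_sample():
    """Constructed flows, one per rule, evaluated in order. Returns
    {label: verdict} so each outcome can be checked by name."""
    fw = StatefulFirewall()
    flows = [
        ("tv-to-internet",   "192.168.20.15", "93.184.216.34", 443),
        ("tv-to-laptop",     "192.168.20.15", "192.168.10.20", 445),
        ("tv-hardcoded-dns", "192.168.20.15", "8.8.8.8",       53),
        ("tv-dot-bypass",    "192.168.20.15", "1.1.1.1",       853),
        ("tv-to-pihole",     "192.168.20.15", "192.168.10.53", 53),
        ("ha-to-bulb",       "192.168.10.20", "192.168.20.40", 80),
        ("bulb-reply-to-ha", "192.168.20.40", "192.168.10.20", 51234),
        ("pihole-upstream",  "192.168.10.53", "9.9.9.9",       853),
    ]
    return {label: fw.evaluate(s, d, p) for label, s, d, p in flows}


if __name__ == "__main__":
    for label, verdict in run_sample().items():
        print(f"{label:18} {verdict}")
```

Run it and read the verdicts top to bottom: the TV reaches the internet but not the laptop, its hard-coded 8.8.8.8 and DoT attempts are dropped, its query to the Pi-hole passes, and the bulb's reply to Home Assistant passes only because the trusted side opened the connection first. Flip `exclude_dst` to False in `dns_egress_verdict` and the laptop can no longer reach the Pi-hole either, which is the mistake the negated-source-only rule makes.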
3. WPA3 with a Long Passphrase
If your access point supports WPA3 (any decent hardware made after 2020 does), turn it on. Use WPA3-Personal in transition mode if you have stragglers that only do WPA2, and remember that those WPA2 clients still complete the old four-way handshake, so passphrase length is what protects them. Pick a passphrase that is long, not clever: four random words from an EFF dice list, 25+ characters. WPA2 PSKs are offline-crackable in a weekend if they are short. WPA3 SAE is not.
4. A Real Guest Network
Guest SSID on its own VLAN, client isolation on, bandwidth cap optional. No access to any internal resource. This is where every friend, babysitter, and Airbnb guest gets put. Rotate the passphrase yearly — it is not a secret, but old ones tend to end up in group chats.
5. WireGuard for Remote Access
Do not open RDP to the internet. Do not open SSH on port 22 to the internet. Do not forward port 3306 because "it is only for me."
Install WireGuard on your router or on a dedicated Pi. UDP on a random high port. Each device gets its own keypair. When you want to reach anything at home, connect the tunnel first.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = ...
[Peer] # laptop
PublicKey = ...
AllowedIPs = 10.8.0.2/32
Tailscale is the easier version of this and is fine. Just pick one and use it instead of port-forwards.
6. Disable UPnP
UPnP lets any device on your network ask your router to open an inbound port. Every "works magically" device you own abuses this. Turn it off. When a Sonos or a game console breaks, manually forward the one port it actually needs. The list is shorter than you would think.
The Rest of the Checklist
- Change the default router admin password. Yes, people still have not.
- Disable WPS — the PIN attack is a decade old and still works on cheap gear.
- Update router firmware every 6 months. Calendar it.
- Turn off "remote management" / cloud admin on the router unless you genuinely use it.
- Enable IPv6 firewalling. A lot of people block inbound v4 and forget v6 is wide open.
- Log DNS queries for a week after any new device shows up. You will spot the one phoning home to a third-party analytics domain every 30 seconds.
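The last item is easier to act on with a few lines of code than by scrolling the query log. Here is an added example, not from the original post, that picks out devices querying the same name on a fixed cadence. The log lines are constructed in dnsmasq's query-log format (the format Pi-hole writes to pihole.log); the hosts, names and timings are invented for the demonstration, and the thresholds (five queries, 20% jitter, five-minute maximum period) are my choices, not Pi-hole settings.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

# Constructed sample: a laptop (192.168.10.20) browsing normally and a TV
# (192.168.20.15) asking for one analytics name every 30 seconds.
SAMPLE_LOG = """\
Jan 10 20:00:00 dnsmasq[617]: query[A] www.example.com from 192.168.10.20
Jan 10 20:00:03 dnsmasq[617]: query[A] telemetry.vendor-analytics.example from 192.168.20.15
Jan 10 20:00:07 dnsmasq[617]: query[A] cdn.example.net from 192.168.10.20
Jan 10 20:00:33 dnsmasq[617]: query[A] telemetry.vendor-analytics.example from 192.168.20.15
Jan 10 20:00:41 dnsmasq[617]: query[AAAA] www.example.com from 192.168.10.20
Jan 10 20:01:03 dnsmasq[617]: query[A] telemetry.vendor-analytics.example from 192.168.20.15
Jan 10 20:01:20 dnsmasq[617]: query[A] time.example.org from 192.168.20.15
Jan 10 20:01:33 dnsmasq[617]: query[A] telemetry.vendor-analytics.example from 192.168.20.15
Jan 10 20:01:58 dnsmasq[617]: query[A] docs.example.com from 192.168.10.20
Jan 10 20:02:03 dnsmasq[617]: query[A] telemetry.vendor-analytics.example from 192.168.20.15
Jan 10 20:02:33 dnsmasq[617]: query[A] telemetry.vendor-analytics.example from 192.168.20.15
Jan 10 20:03:10 dnsmasq[617]: query[A] www.example.com from 192.168.10.20
Jan 10 20:04:55 dnsmasq[617]: query[A] time.example.org from 192.168.20.15
"""


def parse_queries(text):
    """Yield (timestamp, client, name) for each query line. Other dnsmasq
    lines (forwarded, reply, cached) share the file and are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # dnsmasq omits the year; strptime defaults to 1900, which is fine
        # for differences within one file.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        yield ts, m["client"], m["name"]


def find_beacons(text, min_queries=5, max_period=300, jitter=0.2):
    """Return [(client, name, period_seconds, count)] for (client, name)
    pairs seen at least min_queries times with a near-constant interval.

    jitter is the tolerated deviation of every gap from the median gap, as a
    fraction: 0.2 lets a device that phones home 'every 30 seconds' drift by
    6 s either way and still be flagged. max_period bounds how slow a cadence
    is still worth reporting."""
    seen = defaultdict(list)
    for ts, client, name in parse_queries(text):
        seen[(client, name)].append(ts)

    findings = []
    for (client, name), stamps in seen.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = statistics.median(gaps)
        if period == 0 or period > max_period:
            continue
        if all(abs(g - period) <= jitter * period for g in gaps):
            findings.append((client, name, period, len(stamps)))
    return findings


if __name__ == "__main__":
    for client, name, period, count in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {name}: every {period:.0f}s ({count} queries)")
```

On the sample it reports only the TV's telemetry name; the laptop's repeat lookups of www.example.com are too few and too irregular. On a real week of logs, raise `min_queries` well above five so that a handful of coincidentally spaced lookups do not show up, and expect legitimate periodic traffic (NTP, update checks) alongside the device you were looking for.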
None of this is exotic. It is the equivalent of locking your doors and putting shades on the windows. An attacker moving laterally from a compromised smart plug to your work laptop is not a movie plot — it is Tuesday. Spend an evening, build the VLANs, and forget about most of it for a few years.