
VLANs are the cheapest security you can buy

Walk into most small businesses and you'll find one network. The point-of-sale, the office laptops, the guest Wi-Fi, the security cameras, and that Wi-Fi smart plug someone bought off a marketplace for $9 — all on the same flat LAN, all able to talk to each other freely.

That's a problem, because your security is now only as strong as the weakest device on it. And the weakest device is almost never the one you're worried about. It's the cheap camera running firmware from 2019 that nobody will ever patch.

Segmentation fixes this, and it's close to free. You already own the capability — it's sitting unused in your router.

The mental model: trust zones

I don't start with VLAN numbers. I start with a question: which groups of devices should be allowed to talk to each other, and which shouldn't? For a typical small business that shakes out to something like:

  • Work — the machines that run the business. Trusted.
  • Point-of-sale / payments — kept apart from everything, including work.
  • Guest — internet only, no visibility into anything internal.
  • IoT / cameras — the untrusted junk drawer. Internet where needed, and otherwise walled off.
  • Management — the switches, access points, and the router itself. The most restricted zone of all.

Each of those becomes a VLAN — its own broadcast domain, its own subnet. The magic isn't the VLAN by itself; it's that once traffic between zones has to pass through the router, you get to write rules about it.

Where the actual security happens

A VLAN without firewall rules is just tidy. The security comes from the forward chain — the rules governing traffic moving between networks. On MikroTik I lean on interface lists so the intent reads clearly:

/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="let existing conversations continue"
add chain=forward action=drop connection-state=invalid \
    comment="packets that belong to no tracked connection"
add chain=forward action=drop in-interface-list=IOT out-interface-list=LAN \
    comment="IoT can never start a conversation with the work network"

Read that third rule out loud: the IoT network can never initiate a connection to the work network. Your accounting PC can't be reached by the compromised smart plug, because the router drops the packet before it ever gets there. Return traffic for connections your side started still works, thanks to the established,related rule up top.

That's the whole idea. You default to deny between zones, then open only the specific paths that need to exist — the cameras' NVR reaching the cameras, say, but nothing else reaching either.
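What the paragraph above looks like carried through to a complete forward chain, as an added example (my own illustration, not configuration from the original post): interface lists for each zone, the explicit allowances, and the default deny at the end that the rules shown earlier in the post leave implicit. VLAN interface names, the NVR address 10.10.10.50 and the cameras' RTSP port 554 are assumptions for the example.

```routeros
# Interface lists name the zones so the rules read as intent.
# The vlan interface names are assumed for this example.
/interface list
add name=LAN
add name=IOT
add name=GUEST
add name=WAN

/interface list member
add list=LAN interface=vlan10-work
add list=GUEST interface=vlan30-guest
add list=IOT interface=vlan40-iot
add list=WAN interface=ether1

/ip firewall filter
# Stateful basics first: return traffic for conversations our side started.
add chain=forward action=accept connection-state=established,related \
    comment="let existing conversations continue"
add chain=forward action=drop connection-state=invalid \
    comment="packets that belong to no tracked connection"
# Explicit allowances. Rules are evaluated top to bottom, first match wins,
# so every permitted path must sit above the default deny.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="work gets internet"
add chain=forward action=accept in-interface-list=GUEST out-interface-list=WAN \
    comment="guest gets internet and nothing else"
add chain=forward action=accept in-interface-list=IOT out-interface-list=WAN \
    comment="IoT that genuinely needs the cloud"
# The one deliberate hole: the NVR (assumed 10.10.10.50 on the work VLAN)
# may open RTSP sessions to the cameras. Nothing else reaches them, and
# the cameras cannot start anything back because only established,related
# traffic flows in that direction.
add chain=forward action=accept protocol=tcp dst-port=554 \
    src-address=10.10.10.50 in-interface-list=LAN out-interface-list=IOT \
    comment="NVR pulls video from the cameras"
# Default deny between zones. Logging it tells you which device is trying
# to cross a boundary it should not, which is how a compromised IoT box
# shows itself.
add chain=forward action=drop log=yes log-prefix="fwd-drop" \
    comment="default deny between zones"
```

With the default deny in place the earlier explicit IoT-to-LAN drop becomes redundant, but keeping it near the top is harmless and documents the intent.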

Why MikroTik for this

You can do segmentation on any competent platform, and I'll work with whatever a client already runs. But MikroTik / RouterOS is my default for small business because you get real VLAN support, connection-tracking firewalls, and full scripting control at a price point where there's no excuse not to segment. The same capabilities the enterprise vendors gate behind licensing tiers are just... there.

The cost of segmenting a small network is an afternoon of planning and config. The cost of not doing it is that your business's crown-jewel machines share a broadcast domain with the cheapest, least-trustworthy hardware you own. That's a bad trade, and it's an easy one to fix.

Want your network segmented properly — or want to know how bad your current flat setup really is? Let's talk.
