
VLAN in Small Office: Why and How to Set Up

2026-04-26 · 11 min read · ITNET
Tags: vlan, ubiquiti, mikrotik, network-security, office

VLAN in Plain Words

A VLAN (Virtual LAN) splits one physical network into several logical ones, like rooms in a building. In the analogy, the office is the building (the physical network) and VLANs are the walls between rooms: accounting, IT, director, meeting room. Everything is in one building, but each room is isolated until traffic reaches the common hallway (the router).

Why VLAN in Small Office

Even 5-person offices benefit:

  • Guest Wi-Fi isolation: couriers and clients with infected laptops don't share a network with accounting
  • POS protection: the cashier is separate from guest traffic
  • Cameras separate: high traffic, occasional bugs
  • IoT separate: smart bulbs and sensors are often poorly secured
  • Schedule control: turn off guest Wi-Fi after 10pm
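
Basic Schema (10-20 people)

| VLAN    | ID | Purpose                | DHCP          | Internet          |
|---------|----|------------------------|---------------|-------------------|
| Default | 1  | Management             | No            | Yes               |
| Office  | 10 | Staff laptops, printer | 10.10.10.0/24 | Yes               |
| POS     | 20 | Cashier, accounting    | 10.10.20.0/24 | Bank only         |
| Guest   | 30 | Guest Wi-Fi            | 10.10.30.0/24 | Yes, rate-limited |
| IoT     | 40 | Cameras, IoT           | 10.10.40.0/24 | Cloud only        |
| Voice   | 50 | VoIP                   | 10.10.50.0/24 | Yes               |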

Firewall Rules

  • Office → POS: block
  • Office → IoT: allow
  • Guest → anything but internet: block
  • IoT → Office: block
  • POS → internet: bank/updates only
  • Voice → all: allow

UniFi Setup (UDM-Pro, UCG-Ultra)

  • Settings → Networks → Create: Office, VLAN 10, 10.10.10.1/24, DHCP on
  • Repeat for POS, Guest, IoT
  • Settings → WiFi → Create: Office-WiFi, WPA3, Network: Office
  • Same for Guest, POS WiFi
  • Settings → Security → Firewall Rules: Guest → Local: Reject

Basic setup takes 20-30 minutes, all in the GUI.

MikroTik Setup

More powerful, but harder to configure:

  • Create vlan10 interface (Bridge → VLANs)
  • DHCP server on vlan10
  • Assign switch ports to VLAN
  • /ip firewall filter rules

For small offices, UniFi is easier.

Real Case

An 80 m² cafe with 6 staff.

Before: one network, a guest saw "CASHIER-1", there was an almost-leak, and the Friday rush killed the router.

After: 4 VLANs, POS isolated, guests rate-limited to 5 Mbps, cashier QoS priority. Works flawlessly with 30 guests.

Setup: 1 hour, $0 (existing UniFi).

FAQs

  • Will it break the existing network? Not if done carefully.
  • Do I need a managed switch? Yes, L2 with 802.1Q (USW-Lite-8-PoE works).
  • Can I set it up from a mobile app? With UniFi, yes (iOS/Android).
  • How many VLANs? 802.1Q allows 4094; UDM-Pro handles dozens easily.

Checklist

  • ☐ Plan VLANs (min: Office, Guest, IoT)
  • ☐ Assign IDs/subnets
  • ☐ Create on router
  • ☐ DHCP per VLAN
  • ☐ SSID per VLAN
  • ☐ Firewall rules
  • ☐ Port assignments
  • ☐ Test isolation
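
An added example (not from the original article) for the "Test isolation" step: it encodes the article's VLAN subnets and inter-VLAN firewall rules, derives the expected result for each probe, and flags mismatches as well as VLAN pairs the rule list never covers. Host addresses and probe results are constructed, and internet-bound rules (bank only, cloud only) are out of scope.

```python
import ipaddress

# Subnets from the article's VLAN table (the Default VLAN has no subnet listed).
VLANS = {
    "Office": "10.10.10.0/24", "POS": "10.10.20.0/24", "Guest": "10.10.30.0/24",
    "IoT": "10.10.40.0/24", "Voice": "10.10.50.0/24",
}
# Inter-VLAN rules from the article's firewall list; "*" means any other VLAN.
RULES = [("Office", "POS", "block"), ("Office", "IoT", "allow"), ("Guest", "*", "block"),
         ("IoT", "Office", "block"), ("Voice", "*", "allow")]

def vlan_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in ipaddress.ip_network(net):
            return name
    return None  # address is outside the planned subnets

def expected(src_ip, dst_ip):
    """Return allow/block per the rule list, or the reason no verdict exists."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None or dst is None:
        return "unknown-vlan"
    if src == dst:
        return "same-vlan"  # inter-VLAN rules do not apply
    for rule_src, rule_dst, action in RULES:
        if rule_src == src and rule_dst in ("*", dst):
            return action
    return "unspecified"  # the rule list says nothing about this pair

def audit(probes):
    """Compare observed reachability (src, dst, reachable) with the policy."""
    findings = []
    for src_ip, dst_ip, reachable in probes:
        want, got = expected(src_ip, dst_ip), "allow" if reachable else "block"
        if want in ("unknown-vlan", "unspecified"):
            findings.append((src_ip, dst_ip, f"{want}: observed {got}"))
        elif want != "same-vlan" and want != got:
            findings.append((src_ip, dst_ip, f"expected {want}, observed {got}"))
    return findings

# Constructed probe results, e.g. from pinging out of a test client in each VLAN.
SAMPLE_PROBES = [
    ("10.10.30.50", "10.10.20.10", True),   # Guest -> POS reachable: violation
    ("10.10.10.5", "10.10.40.7", True),     # Office -> IoT: matches policy
    ("10.10.40.7", "10.10.10.5", False),    # IoT -> Office blocked: matches policy
    ("10.10.20.10", "10.10.10.5", False),   # POS -> Office: no rule in the list
]
print(*audit(SAMPLE_PROBES), sep="\n")
```

An "unspecified" finding means the firewall's default action decides that flow, so write an explicit rule for it.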

Bottom Line

VLANs aren't enterprise-only: they are basic security for any office with public Wi-Fi or POS. UniFi: 30 min. MikroTik: 1+ hour.
