$ ~/registry/skill/affaan-m-docs-ja-jp-skills-homelab-vlan-segmentation

SKILL

homelab-vlan-segmentation

帮助用户规划家庭实验室的VLAN分段、访问控制与流量隔离策略。

星标

★ 209,790

来源

GitHub

更新于

2026-06-07

// 安全评估低风险

仅提示词，不执行代码
开源可审计
社区验证· 209.8k

正在进行安全审计…

凭证密钥
网络外发
代码执行
数据访问
来源供应链

// 安装

复制安装指令，让 AI 自动完成配置 · 推荐新手

请帮我安装 askskill 上的 "homelab-vlan-segmentation" 技能：
1. 下载 https://raw.githubusercontent.com/affaan-m/ECC/main/docs/ja-JP/skills/homelab-vlan-segmentation/SKILL.md
2. 保存为 ~/.claude/skills/homelab-vlan-segmentation/SKILL.md
3. 装好后重载技能，告诉我可以用了

// 下载

下载 SKILL.md机读安装清单 ↗

// 用法示例

设计家庭实验室网络分段

输入

请为我的家庭实验室设计 VLAN 分段方案。现有设备包括 Proxmox 服务器、NAS、IoT 设备、个人电脑和访客 Wi-Fi。请给出 VLAN 划分、子网建议、设备归属、跨 VLAN 访问规则和安全注意事项。

预期产出

一份清晰的 VLAN 架构方案，包含网段分配、设备分类和访问控制建议。

制定跨网段访问策略

输入

我已经划分了管理网、服务器网、IoT 网和访客网。请帮我制定最小权限访问策略，说明哪些 VLAN 可以互通、哪些必须隔离，并给出防火墙规则示例。

预期产出

一套基于最小权限原则的互访矩阵与防火墙规则示例。

优化流量管理与服务暴露

输入

请评估我的家庭实验室网络：媒体服务器需要被家庭设备访问，管理界面只允许管理员设备访问，IoT 设备不能主动访问服务器。请给出 VLAN 优化建议、带宽管理思路和服务暴露方式。

预期产出

针对服务可达性、安全隔离和流量控制的网络优化方案。

// 文档

Homelab VLAN Segmentation

How to split a home network into isolated VLANs so IoT devices, guests, and your main PCs cannot talk to each other. The most impactful security upgrade for a home network.

All firewall rules shown here add isolation between segments — they do not remove existing protections. Apply changes in a maintenance window and verify connectivity between segments after each step before moving on.

When to Use

Setting up VLANs on a home network for the first time
Isolating IoT devices (smart bulbs, cameras, TVs) from trusted devices
Creating a guest Wi-Fi network that cannot reach home devices
Explaining how VLANs work to someone unfamiliar with the concept
Configuring trunk ports, access ports, and SSID-to-VLAN mapping
Troubleshooting inter-VLAN routing or firewall rule issues on pfSense/OPNsense/UniFi

How It Works

Without VLANs — flat network:
  All devices on 192.168.1.0/24
  Smart TV (potential malware) → can reach your NAS, PCs, everything

With VLANs:
  VLAN 10 — Trusted    192.168.10.0/24  (PCs, phones, laptops)
  VLAN 20 — IoT        192.168.20.0/24  (smart TV, bulbs, cameras)
  VLAN 30 — Servers    192.168.30.0/24  (NAS, Pi, VMs)
  VLAN 40 — Guest      192.168.40.0/24  (visitor Wi-Fi)
  VLAN 99 — Management 192.168.99.0/24  (switch/AP web UIs)

  Smart TV → blocked from reaching 192.168.10.0/24 and 192.168.30.0/24
  Guests → internet only, cannot see any home devices

VLAN Design Template

VLAN  Name        Subnet              Gateway         Purpose
10    trusted     192.168.10.0/24     192.168.10.1    PCs, phones, laptops
20    iot         192.168.20.0/24     192.168.20.1    Smart home devices
30    servers     192.168.30.0/24     192.168.30.1    NAS, Pi, self-hosted
40    guest       192.168.40.0/24     192.168.40.1    Visitor Wi-Fi
99    management  192.168.99.0/24     192.168.99.1    Network gear web UIs

Examples

Typical homelab with UniFi AP and managed switch:

Scenario: 3-bedroom house, UniFi Dream Machine + UniFi 8-port switch + 2 APs

VLAN 10 — Trusted    192.168.10.0/24   MacBook, iPhones, iPad
VLAN 20 — IoT        192.168.20.0/24   Nest thermostat, Philips Hue, Ring doorbell, smart TVs
VLAN 30 — Servers    192.168.30.0/24   Synology NAS (192.168.30.10), Pi-hole (192.168.30.2)
VLAN 40 — Guest      192.168.40.0/24   Visitor Wi-Fi — internet only

SSID → VLAN mapping:
  "Home"      → VLAN 10 (WPA2, strong password, trusted devices only)
  "IoT"       → VLAN 20 (WPA2, separate password, printed on router for setup)
  "Guest"     → VLAN 40 (WPA2, simple password you can share freely)

Switch port behavior:
  Port 1  → trunk to router (tagged VLANs 10,20,30,40,99)
  Port 2  → trunk to APs (tagged VLANs 10,20,40; AP handles per-SSID tagging)
  Port 3  → access VLAN 30 (NAS — untagged, no VLAN awareness needed)
  Port 4  → access VLAN 30 (Pi-hole — untagged)
  Port 5–8 → access VLAN 10 (wired workstations)

Firewall rules applied (all rules add isolation, none remove existing protections):
  IoT → Trusted: BLOCK
  IoT → Servers: BLOCK except 192.168.30.2:53 (Pi-hole DNS allowed)
  IoT → Internet: ALLOW
  Guest → Local networks: BLOCK
  Guest → Internet: ALLOW
  Trusted → everywhere: ALLOW

UniFi Configuration

Create Networks in UniFi Controller

Settings → Networks → Create New Network

For each VLAN:
  Name: IoT
  Purpose: Corporate  (gives DHCP + routing)
  VLAN ID: 20
  Network: 192.168.20.0/24
  Gateway IP: 192.168.20.1
  DHCP: Enable
  DHCP Range: 192.168.20.100 – 192.168.20.254

Map SSIDs to VLANs (UniFi)

Settings → WiFi → Create New WiFi

  Name: IoT-Network
  Password: <separate password>
  Network: IoT  ← select your VLAN here
  # All devices connecting to this SSID land in VLAN 20

  Name: Guest
  Password: <guest password>
  Network: Guest
  Guest Policy: Enable  ← isolates guests from each other too

UniFi Firewall Rules (Traffic Rules)

Settings → Traffic & Security → Traffic Rules

…

查看完整文档 ↗

// 同源资产

MCP 工具★210k

ECC

帮助开发者为代码代理配置性能优化、安全防护与研究优先工作流。

affaan-m装→

技能★210k

database-migrations

提供数据库迁移、回滚与零停机发布的最佳实践指导，适用于多种 ORM 与 SQL 数据库。

affaan-m装→

技能★210k

santa-method

通过双评审智能体对结果进行对抗式校验，提升输出发布前的可靠性

affaan-m装→

技能★210k

rust-patterns

帮助你掌握地道 Rust 模式、所有权与并发实践，编写安全高性能应用。

affaan-m装→

技能★210k

cpp-coding-standards

基于 C++ Core Guidelines 编写、审查并重构更安全现代的 C++ 代码。

affaan-m装→

技能★210k

verification-loop

为 Claude Code 会话提供系统化校验流程，帮助检查结果正确性与质量。

affaan-m装→

// 功能相似

技能★210k

homelab-network-setup

帮助用户规划并配置家庭实验室网络、设备连通与安全分段。

affaan-m装→

技能★210k

homelab-network-readiness

为家庭实验室网络改造提供分段、DNS过滤与远程访问变更前检查清单

affaan-m装→

技能★210k

homelab-wireguard-vpn

帮助用户配置家庭实验室 WireGuard VPN，实现安全远程访问与密钥管理。

affaan-m装→

技能★210k

homelab-network-setup

帮助你规划家庭与实验室网络拓扑、地址分配、设备连接与常见避坑。

affaan-m装→

技能★210k

homelab-network-readiness

帮助用户评估家庭实验室网络的安全性、性能与部署就绪度。

affaan-m装→

技能★210k

homelab-wireguard-vpn

帮助用户搭建 WireGuard VPN、配置客户端并安全远程访问家庭网络。

affaan-m装→

$ loading_