Remote work network policies that keep the LAN tidy

I wanted a remote work setup that stayed tidy without getting in the way. The useful bit is simple: VLANs by role, tight DHCP pools, sane remote access, and policies that stop the whole thing turning into a mess.

Start with VLANs that match roles, not desks. I use simple IDs: VLAN 10 for office staff (192.168.10.0/24), VLAN 20 for contractors and remote-access endpoints (192.168.20.0/24), VLAN 30 for IoT and printers (192.168.30.0/24), and VLAN 99 for guest Wi‑Fi (192.168.99.0/24). On the switch, tag access ports for the right VLAN and keep trunk ports to only the VLANs you actually need. The intent is straightforward: access ports in VLAN 10, trunks allowing 10,20,30,99, and a native VLAN 999 or no native VLAN at all.

For DHCP, use a separate server or the router’s DHCP for each VLAN. Keep the pools tight and the gateways fixed. For VLAN 10, use 192.168.10.10–192.168.10.200 with gateway 192.168.10.1 and a 24h lease for desk devices. For VLAN 20, use 192.168.20.50–192.168.20.150 with a 4h lease so stale entries clear out faster. Put static IPs for servers, printers, and network gear outside the pools. Use DHCP option 121 or static routes on the router for inter-VLAN services.

Policy belongs on the router or firewall, not scattered across switch ports. Set ACLs to allow only the traffic you need between VLANs. For example, allow VLAN 10 to reach VLAN 20 on TCP 22 and 443, but block VLAN 30 from reaching management. Use DHCP class-based options or DDNS to tag devices from specific subnets if your policy engine needs that. For remote access, I prefer WireGuard for a small, predictable tunnel, or a managed option such as Tailscale if you want less setup. If you use a traditional VPN, put the concentrator in VLAN 20 and hand remote clients internal addresses from that VLAN. Use split tunnelling when you want to keep office internet traffic down, and full tunnelling when all traffic needs inspection. Open only the port you need; WireGuard commonly uses UDP 51820. Add MFA at the VPN gateway and use short-lived certificates or keys for remote endpoints.

Policies turn a tidy network into something that keeps working. Write them down: what device state is acceptable, how often patching happens, and how remote access is requested and approved. Map those rules to your VLANs. Devices that meet policy get VLAN 10 access; unmanaged devices go to VLAN 99 with internet only. Set DHCP lease policy to match the device type, with longer leases for fixed desk gear and short leases for mobile or hotspot use. Keep an eye on the network with simple tools: Netflow or sFlow on the core switches, SNMP polling for interface errors, and a daily check of DHCP lease counts. When you change an ACL or add a VLAN, test isolation by trying to reach something that should be blocked and by checking the DHCP bindings. After creating VLAN 30, confirm a device there cannot ping the management IP on VLAN 1, then confirm a printer in VLAN 30 gets a lease in the right range.

After changes, ask a few remote staff to run normal tasks and note latency, VPN connection time, and any blocked services. Use that feedback to tighten or relax ACLs and adjust lease times. Keep change windows small and reversible. Push ACL rules in stages, keep backups of routing and DHCP configs, and script rollbacks. That is enough to keep remote access usable without letting the rest of the network wander off on its own.

Related posts

Weekly Tech Digest | 06 Jul 2026

Stay updated with the latest in tech! This digest covers AI ethics, auto industry shifts, and the impact of politics on technology, exploring today's pressing issues.

wolfCOSE zero-allocation parsing in embedded C

wolfCOSE looks sensible only if you care about what your firmware actually has to carry. I like that, because on small targets the wrong crypto feature can cost more than the message itself, and there...

restic | v0.19.1

restic v0 19 1: safer FUSE mounts and mountpoint checks, robust backup source and exclude handling, clearer CLI JSON output, Windows SFTP deletion fixes