NETWORK SEGMENTATION
> iptables -L --line-numbers | grep VLAN
```mermaid
graph TD
INFRA["Infrastructure\nManagement Plane"] --> TRUSTED["Trusted Personal\nAdmin Devices"]
TRUSTED --> WORK["Work Devices\nEmployer-Managed"]
TRUSTED --> KIDS["Children's Devices\nContent-Filtered"]
WORK --> MEDIA["Media / Streaming\nEntertainment"]
KIDS --> MEDIA
MEDIA --> IOT["IoT Devices\nSmart Home"]
IOT --> GUEST["Guest Network\nInternet Only"]
CAM["Surveillance\nAir-Gapped"] -.->|"View-only access\nfrom Infrastructure"| INFRA
style INFRA fill:#0B0014,stroke:#00FFFF,color:#00FFFF
style TRUSTED fill:#0B0014,stroke:#39FF14,color:#39FF14
style WORK fill:#0B0014,stroke:#7B2FBE,color:#7B2FBE
style KIDS fill:#0B0014,stroke:#FF6B35,color:#FF6B35
style MEDIA fill:#0B0014,stroke:#FF00FF,color:#FF00FF
style IOT fill:#0B0014,stroke:#E8E8E8,color:#E8E8E8
style GUEST fill:#0B0014,stroke:#E8E8E8,color:#666666
style CAM fill:#0B0014,stroke:#FF0000,color:#FF0000
```

| ZONE NAME | PURPOSE | TRUST | INTERNET |
|---|---|---|---|
| The Fifth Dimension | Network infrastructure, management plane | Highest | Yes |
| Beyond the Pale | Trusted personal devices (admin access) | High | Yes |
| Sector 51 | Employer-managed work devices | Isolated | Yes |
| Junior Dimension | Children's devices — content-filtered | Restricted | Filtered |
| The Viewing Chamber | TVs, streaming devices | Low | Yes |
| The Loading Dock | Media ingest, download quarantine | Low | Yes |
| The Machine Realm | IoT, smart home devices | Very Low | Limited |
| The Outer Limits | Guest devices — internet only | Lowest | Yes |
| The Surveillance Sector | Cameras, video recorder — local only | Special | Blocked |
The default rule is DENY ALL. Every allowed path is an explicit exception with a documented reason. The key patterns:
ALLOWED
- > Infrastructure can reach all zones (management)
- > Trusted can reach infrastructure (admin tasks)
- > Trusted can view surveillance (camera access)
- > Media zones can reach media services (Plex)
- > All zones reach DNS server (Pi-hole)
- > VPN clients route into trusted zone
BLOCKED
- > IoT cannot reach any internal zone
- > Guests cannot reach any internal resource
- > Surveillance has zero internet access
- > Work devices cannot reach personal devices
- > Children cannot bypass content filtering
- > No lateral movement between low-trust zones
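The allow/block lists above are a policy; the thing that makes them real is a firewall whose forward chain drops by default and carries exactly one accept per documented exception. The following is an added example, not code from the original page: it models the zone table and the ALLOWED list (plus the INTERNET column) as data, answers "can zone A reach zone B on this port?" with the rule's reason or a default deny, and renders the same policy as an nftables forward chain. The VLAN IDs, interface names (`vlan<ID>`, `wan0`) and port numbers (Plex 32400, DNS 53, web 80/443) are assumptions chosen for illustration.

```python
"""Zone-to-zone policy model: default DENY, every allowed path an explicit,
documented exception. VLAN IDs, interface names and ports are assumptions."""
from dataclasses import dataclass
from typing import Union

ANY = "*"
INTERNET = "internet"  # pseudo-zone for the WAN uplink (assumed iface "wan0")

# zone key -> (page zone name, assumed VLAN ID); interface is "vlan<ID>"
ZONES = {
    "infra":   ("The Fifth Dimension", 10),
    "trusted": ("Beyond the Pale", 20),
    "work":    ("Sector 51", 30),
    "kids":    ("Junior Dimension", 40),
    "viewing": ("The Viewing Chamber", 50),
    "loading": ("The Loading Dock", 60),
    "iot":     ("The Machine Realm", 70),
    "guest":   ("The Outer Limits", 80),
    "cam":     ("The Surveillance Sector", 90),
}


@dataclass(frozen=True)
class Allow:
    src: str               # zone key, or ANY = any internal zone
    dst: str               # zone key, INTERNET, or ANY = anywhere
    proto: str             # "tcp", "udp" or ANY
    port: Union[int, str]  # int or ANY
    reason: str            # the documented reason for the exception


# The page's ALLOWED list plus its INTERNET column. Ports are assumptions.
ALLOW = [
    Allow("infra",   ANY,      ANY,   ANY,   "management plane reaches everything"),
    Allow("trusted", "infra",  ANY,   ANY,   "admin tasks"),
    Allow("trusted", "cam",    "tcp", 443,   "view cameras (view-only)"),
    Allow("viewing", "infra",  "tcp", 32400, "Plex"),
    Allow("loading", "infra",  "tcp", 32400, "Plex"),
    Allow(ANY,       "infra",  "udp", 53,    "Pi-hole DNS"),
    Allow(ANY,       "infra",  "tcp", 53,    "Pi-hole DNS"),
    Allow("trusted", INTERNET, ANY,   ANY,   "internet: yes"),
    Allow("work",    INTERNET, ANY,   ANY,   "internet: yes"),
    Allow("viewing", INTERNET, ANY,   ANY,   "internet: yes"),
    Allow("loading", INTERNET, ANY,   ANY,   "internet: yes"),
    Allow("guest",   INTERNET, ANY,   ANY,   "internet: yes"),
    # Filtered: web only and no direct DNS, so the Pi-hole cannot be bypassed
    Allow("kids",    INTERNET, "tcp", 80,    "internet: filtered"),
    Allow("kids",    INTERNET, "tcp", 443,   "internet: filtered"),
    # Limited: HTTPS only, for cloud-dependent IoT
    Allow("iot",     INTERNET, "tcp", 443,   "internet: limited"),
    # cam -> INTERNET has no rule at all, so it falls to the default deny
]


def can_reach(src, dst, proto=ANY, port=ANY):
    """Return the reason of the first exception covering the flow, or None
    (default deny). A query with proto/port ANY matches only ANY rules."""
    if src not in ZONES:
        raise ValueError(f"unknown source zone {src!r}")
    if dst != INTERNET and dst not in ZONES:
        raise ValueError(f"unknown destination zone {dst!r}")
    for r in ALLOW:
        src_ok = r.src in (src, ANY)
        dst_ok = r.dst in (dst, ANY)
        if src_ok and dst_ok and r.proto in (proto, ANY) and r.port in (port, ANY):
            return r.reason
    return None


def _iface(zone):
    return "wan0" if zone == INTERNET else f"vlan{ZONES[zone][1]}"


def render_nftables():
    """Emit the policy as an nftables forward chain: drop by default, accept
    established return traffic, then one accept per documented exception.
    Traffic inside a single VLAN never crosses the router and is unaffected."""
    internal = ", ".join(f'"{_iface(z)}"' for z in ZONES)
    lines = [
        "table inet filter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for r in ALLOW:
        m = [f"iifname {{ {internal} }}" if r.src == ANY else f'iifname "{_iface(r.src)}"']
        if r.dst != ANY:
            m.append(f'oifname "{_iface(r.dst)}"')
        if r.proto != ANY:
            m.append(f"{r.proto} dport {r.port}" if r.port != ANY else f"meta l4proto {r.proto}")
        m.append(f'ct state new accept comment "{r.reason}"')
        lines.append("    " + " ".join(m))
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables())
```

Two properties of this shape are worth keeping when you write the real ruleset: the BLOCKED list needs no rules of its own, because anything not in `ALLOW` is dropped by the chain policy, and "children cannot bypass content filtering" falls out of the data rather than a special case, since the kids zone has no rule for DNS anywhere except the Pi-hole in the infrastructure zone.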
The short answer: a flat network is one exploit away from everything. One compromised IoT lightbulb on a flat network sits in the same broadcast domain as your work laptop, your kids' devices, and your security cameras: it can scan them, attack whatever services they expose, and with ARP spoofing put itself in the path of their traffic.
Each VLAN represents a trust boundary. Devices within a zone share a trust level. Devices across zones cannot communicate unless there's an explicit firewall rule allowing it. This is the same model used in enterprise data centers — applied to a home with four kids and a lot of smart devices.
The Twilight Zone naming convention makes it easier to remember what each zone does. "Is this device in The Machine Realm or Junior Dimension?" is a more intuitive question than "Is this on VLAN 50 or VLAN 30?"