Know the why

  • What is a VLAN?

    A VLAN (Virtual Local Area Network) is a feature on a switch that groups devices together and prevents them from seeing traffic from other groups. Each group is a Layer 2 broadcast domain.

    But what does that actually mean, and why does it matter?

    To understand that, it helps to go back to the early days of networking.

    Hubs

    Before switches existed, computers were commonly connected using a hub. A hub looked similar to a modern switch, but it worked very differently. When one computer sent data, the hub simply repeated that signal to every connected device.

    This caused two problems.

    First, performance.
    Only one device could talk at a time, so as more computers were added, the network became slower. Each computer had to wait its turn to send data. It was one big collision domain.

    Second, security.
    Because a hub sent all traffic to every port, any connected computer could see traffic meant for others.

    Switches

    The successor to the hub was the switch. Unlike hubs, switches had some intelligence. They learned the MAC addresses of connected devices and kept track of which MAC address was on each port. This allowed switches to send traffic only to the port where the destination device was connected, instead of flooding it to every port. Broadcast traffic, addressed to the special MAC address FF:FF:FF:FF:FF:FF, was still sent out of every port.

    VLANs

    The problem is that all devices on a switch still share the same Layer 2 network. They can communicate directly using MAC addresses or indirectly through broadcast traffic. A VLAN divides connected devices into separate groups, making one physical switch behave like multiple separate switches.

    For example, if you create VLAN 10 and VLAN 20, any port assigned to VLAN 10 can only communicate at Layer 2 with other ports in VLAN 10. The same is true for VLAN 20.
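    To make the three behaviours concrete, here is a small Python model added to this post (it is not code from the original and does not represent any real switch's implementation). The port numbers, VLAN ids and MAC addresses are constructed sample values; the point is that a hub repeats everything, a switch learns MACs and forwards to one port, and a VLAN-aware switch keeps its MAC table and its flooding within each VLAN.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Repeats every frame out of every other port: one collision domain."""

    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, src, dst):
        # Every connected host sees the frame, whoever it was meant for.
        return sorted(self.ports - {in_port})


class VlanSwitch:
    """Learning switch with ports assigned to VLANs; MAC table keyed per VLAN."""

    def __init__(self, port_vlans):
        self.port_vlans = dict(port_vlans)  # port number -> VLAN id
        self.mac_table = {}                 # (vlan, mac) -> port number

    def forward(self, in_port, src, dst):
        """Return the egress ports for a frame that arrived on in_port."""
        vlan = self.port_vlans[in_port]
        # Learn: src is behind in_port, and only within this VLAN.
        self.mac_table[(vlan, src)] = in_port
        known = self.mac_table.get((vlan, dst))
        if dst != BROADCAST and known is not None:
            # Known unicast goes to one port; drop it if that is the ingress port.
            return [known] if known != in_port else []
        # Broadcast or unknown unicast: flood, but only to ports in this VLAN.
        return sorted(p for p, v in self.port_vlans.items()
                      if v == vlan and p != in_port)


def demo():
    """VLAN 10 on ports 1-2, VLAN 20 on ports 3-4; MACs are constructed samples."""
    pc_a, pc_b, pc_c = "00:11:22:33:44:0a", "00:11:22:33:44:0b", "00:11:22:33:44:0c"
    hub = Hub([1, 2, 3, 4])
    sw = VlanSwitch({1: 10, 2: 10, 3: 20, 4: 20})
    return {
        "hub_any_frame": hub.forward(1, pc_a, pc_b),    # [2, 3, 4]
        "sw_unknown_dst": sw.forward(1, pc_a, pc_b),     # [2]: flooded within VLAN 10
        "sw_learned_dst": sw.forward(2, pc_b, pc_a),     # [1]: pc_a was learned on port 1
        "sw_broadcast": sw.forward(1, pc_a, BROADCAST),  # [2]: never reaches VLAN 20
        "sw_cross_vlan": sw.forward(3, pc_c, pc_a),      # [4]: pc_a unknown in VLAN 20
    }
```

    Calling demo() walks through the scenario from the text: the last entry shows that even though the switch has already learned pc_a on port 1, a frame from VLAN 20 cannot reach it and is only flooded to VLAN 20's other port.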

  • Getting Started with Tailscale

    Tailscale is a mesh VPN that uses WireGuard to create end-to-end encrypted tunnels between all your devices. Tailscale helps your devices find each other, exchange keys, and handle all the NAT traversal and firewall trickery behind the scenes. Most of the time it creates a direct connection between devices. If the network makes that impossible, it uses a relay in the cloud so the connection still works.

    Before we continue, it helps to understand a few terms Tailscale uses. These definitions will make the setup steps and screenshots much clearer.

    Tailnet:
    A “tailnet” is your private network inside Tailscale. It belongs to your account, and only the people and devices you approve can join it. All devices in your tailnet can securely communicate with each other.

    Devices in a Tailnet:
    When you add a device to your tailnet, such as a desktop, Raspberry Pi, or Apple TV, Tailscale calls that device a “machine”.

    You can see below that I added a couple of machines to my tailnet. Adding a machine is straightforward. Click Add device, then choose whether you are adding a Linux server or a client device. Follow the instructions for your platform. After installing, sign in with your Tailscale account. Once you do, that machine is added to your tailnet.


    On the Machines page, you can expand each machine to see its address. Every machine in your tailnet gets a unique IPv4 address, a unique IPv6 address, and a DNS name. These addresses only work inside your tailnet. To reach another device, your own device must have the Tailscale client installed and be signed in to the same tailnet.


    Here are a few examples of how you can reach services over your tailnet:

    If you install Tailscale on a laptop that is running an SSH server, any device in your tailnet can connect to it using its Tailscale IP:

    ssh user@100.89.251.22

    If you add a server that hosts a website, you can open your browser on any device in the tailnet and go to its tailnet DNS name:

    http://webserver.tailnet-name.ts.net