OS-Level VLAN Tagging for Dual-Homed Workstation
Runbook Goal
Use one physical PC link to keep:
internet and game traffic on the untagged Personal network (via Dream Machine SE), and
NAS traffic on a tagged Geek VLAN path at switch speed.
This avoids asymmetric routing side effects from L3 inter-VLAN routing while preserving high-throughput NAS transfers.
When to Use This Runbook
You previously enabled L3 inter-VLAN routing for performance.
Port forwarding or game NAT became unreliable (Moderate/Strict NAT).
Your PC and NAS are connected through USW Pro Max 16 PoE.
Prerequisites
UniFi controller access with permission to edit switch port profiles.
Windows PC with Hyper-V available.
One physical NIC on the PC connected to USW Pro Max 16 PoE.
VLAN details for:
Personal network (untagged/native)
Geek network (tagged, example VLAN 5)
NAS subnet details (example 192.168.55.0/24).
Topology
Execution
Phase 1: Configure the Switch Port as Trunk
Allow Personal (native) and Geek (tagged) on the PC port
Open UniFi Network and navigate to UniFi Devices | USW Pro Max 16 PoE.
Open Ports (or Port Manager) and select the port connected to the PC.
Set the Primary Network (Native VLAN) to Personal.
Under advanced VLAN settings, allow Geek Network (VLAN 5) as tagged traffic on that same port.
Apply changes and wait for the port to reprovision.
Phase 2: Create the Windows Tagged Interface
Create Hyper-V virtual switch and VLAN-tagged adapter
Open PowerShell as Administrator.
Identify your physical adapter name:

    Get-NetAdapter | Where-Object { $_.Virtual -eq $false }

Create an external virtual switch bound to the physical adapter (replace "10G Nic" with the adapter name returned above):

    New-VMSwitch -Name "PhysicalBridge" `
        -NetAdapterName "10G Nic" `
        -AllowManagementOS $true

Create a host virtual adapter for Geek VLAN traffic:

    Add-VMNetworkAdapter -ManagementOS `
        -Name "Geek-VLAN" `
        -SwitchName "PhysicalBridge"

Apply VLAN tagging to the new adapter:

    Set-VMNetworkAdapterVlan -ManagementOS `
        -VMNetworkAdapterName "Geek-VLAN" `
        -Access -VlanId 5

Phase 3: Set IP Without Gateway on Tagged Adapter
Keep NAS path local and avoid default route conflicts
Open Network Connections (`ncpa.cpl`).
Open properties for `vEthernet (Geek-VLAN)`.
Configure IPv4 with a static address in the NAS subnet (example `192.168.55.20/24`).
Leave Default Gateway and DNS empty on this adapter.
Save and close.
Verification
Validate routing behavior and expected outcomes
Confirm the tagged adapter exists and has the expected IPv4:

    Get-NetIPAddress `
        -InterfaceAlias "vEthernet (Geek-VLAN)" `
        -AddressFamily IPv4

Confirm route preference for NAS subnet:

    route print

Verify the NAS subnet route points to `vEthernet (Geek-VLAN)`.
Test local NAS reachability:

    ping 192.168.55.14

Run a file transfer test to NAS and confirm high throughput (target similar to prior baseline, e.g. `~1.8Gbps+` in your environment).
Validate gaming/internet path still uses the primary interface and NAT returns to Open where expected.
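
The adapter, gateway, DNS, and route checks above collected into one script, as an added example that is not part of the original runbook. It assumes the runbook's example values (`Geek-VLAN`, VLAN 5, `192.168.55.14`, a /24 NAS subnet); the final IP-forwarding check is an extra step the runbook does not list.

```powershell
# Added example: checks the end state described in this runbook.
# Run in an elevated PowerShell session on the PC (Hyper-V module required).
# Values below are the runbook's example values; change them to match your network.
$VNic   = 'Geek-VLAN'
$Alias  = "vEthernet ($VNic)"
$VlanId = 5
$NasIp  = '192.168.55.14'
$Subnet = '192.168.55.'   # first three octets of the example /24 NAS subnet

$checks = [ordered]@{}

# Phase 2: the host vNIC tags traffic with the Geek VLAN ID in access mode.
$vlan = Get-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $VNic
$checks['VLAN access tag'] = ($vlan.OperationMode -eq 'Access' -and $vlan.AccessVlanId -eq $VlanId)

# Phase 3: static IPv4 inside the NAS subnet with a /24 mask.
$ip = Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction SilentlyContinue
$checks['IPv4 in NAS subnet'] = [bool]($ip | Where-Object {
    $_.IPAddress.StartsWith($Subnet) -and $_.PrefixLength -eq 24 })

# Phase 3: no default gateway and no DNS servers on the tagged adapter.
$gw  = Get-NetRoute -InterfaceAlias $Alias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
$dns = (Get-DnsClientServerAddress -InterfaceAlias $Alias -AddressFamily IPv4).ServerAddresses
$checks['No default gateway'] = -not $gw
$checks['No DNS servers']     = -not $dns

# Verification: traffic to the NAS leaves on-link through the tagged adapter,
# not through the router on the Personal network.
$route = Find-NetRoute -RemoteIPAddress $NasIp | Where-Object { $_.DestinationPrefix }
$checks['NAS route via Geek-VLAN'] = ($route.InterfaceAlias -eq $Alias -and $route.NextHop -eq '0.0.0.0')

# Extra check (not in the runbook): the PC must not forward packets between
# the Personal and Geek networks, or it becomes an unfiltered path between them.
$fwd = Get-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4
$checks['IP forwarding disabled'] = ($fwd.Forwarding -eq 'Disabled')

$checks.GetEnumerator() | ForEach-Object {
    '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
if ($checks.Values -contains $false) { Write-Warning 'One or more checks failed.' }
```
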
Rollback
Return to pre-change state
Remove VLAN-tagged host adapter:

    Remove-VMNetworkAdapter -ManagementOS -Name "Geek-VLAN"

If needed, remove external switch:

    Remove-VMSwitch -Name "PhysicalBridge" -Force

Restore original UniFi port profile for the PC port.
Troubleshooting
No NAS connectivity: confirm VLAN 5 is allowed on switch port and tagged adapter VLAN ID is `5`.
Internet breaks after switch creation: wait for NIC rebind, then verify primary adapter default gateway.
Traffic still hairpins through router: check Geek adapter has no default gateway and correct subnet mask.
NAT still Moderate/Strict: confirm game/device port forwarding is mapped to the primary untagged Personal IP.