← Return to Blog

Note: This is simply a template for network mapping and security measures. It is general-purpose and does not fit every case.
View Companion Firewall Rules →

PCI-Compliant Network Roadmap

A simple, affordable roll-out strategy for small businesses that handle card transactions

Design rationale: VoIP phones, printers, and IoT devices are moved to dedicated VLANs because these devices are particularly susceptible to exploitation. Security cameras are isolated on their own VLAN with cloud-only access — a compromised camera cannot pivot to staff machines. Cross-communication is allowed only where necessary — office workstations can reach printers for jobs, but all other cross-VLAN traffic is denied.

Environment: Small brick-and-mortar business — office, service areas
Internet: Internet → firewall → managed switch → wired and wireless endpoints
VLANs: 7 segments — Operations, Voice, Print, PCI, Staff Wi-Fi, IoT, Untrusted Wi-Fi
Cross-VLAN: Printing allowed from Operations and Staff Wi-Fi to Print VLAN via IPP/RAW ports
Guest Wi-Fi: Not offered — deliberate decision to minimize attack surface on a PCI-compliant network

Internet Router

Internet Gateway — Bridge Mode

Firewall

Firewall / Router — Inter-VLAN Routing

Managed Switch

VLAN Trunking

Ops VLAN

Desktops

Wired — Cross-VLAN

Print VLAN

Printer

Wired — Cross-VLAN

Voice VLAN

Phones

Wired — Isolated

PCI VLAN

Card Reader

Wired — Isolated

Wi-Fi AP VLAN

Access Point

VLAN 30

Staff Wi-Fi

Laptops

Wireless — Cross-VLAN

IoT

Cameras

Wireless — Isolated

Untrusted Wi-Fi

Cell Phones

Wireless — Isolated

Gateway

Firewall

Switch

Operations

Voice (Isolated)

Print (Cross-VLAN)

PCI / Untrusted (Isolated)

Wireless

Device Inventory

Device	Role	VLAN	Connection	Notes
Internet Router	Internet gateway	—	WAN	Satellite internet, bridge mode
Firewall	Security gateway	All (trunk)	Wired	Inter-VLAN routing, PCI compliance, VPN
Managed Switch	Distribution	All (trunk)	Wired	VLAN trunking to all access ports
Desktops	Workstations	Operations	Wired	Office machines, Windows 10/11
Phones	VoIP	Voice	Wired	Isolated — no cross-VLAN access
Printer	Office printer	Print	Wired	Reachable from Operations and Staff Wi-Fi via IPP/RAW
Card Reader	POS terminal	PCI	Wired	Payment processing, fully isolated
Access Point	Wi-Fi	Trunk	Wired	Serves Staff Wi-Fi, IoT, and Untrusted Wi-Fi SSIDs
Laptops	Mobile workstations	Staff Wi-Fi	Wireless	Can print to Print VLAN
Cameras	Security	IoT	Wireless	Isolated — cloud upload only, no cross-VLAN access
Cell Phones	Personal devices	Untrusted Wi-Fi	Wireless	Fully isolated, no inter-device or cross-VLAN access

VLAN Assignments

VLAN ID	Name	Subnet	DHCP Range	Purpose
`10`	Operations	`192.168.10.0/24`	`.100 – .200`	Desktops only — daily business use
`15`	Voice	`192.168.15.0/24`	`.100 – .120`	VoIP phones — isolated, internet for SIP/RTP only
`18`	Print	`192.168.18.0/24`	`.100 – .105`	Printer — reachable from Ops and Staff Wi-Fi via IPP/RAW
`20`	PCI	`192.168.20.0/24`	`.100 – .110`	Card reader only — fully isolated for PCI compliance
`30`	AP Management	`192.168.30.0/24`	`.100 – .110`	Access point management interface
`40`	Staff Wi-Fi	`192.168.40.0/24`	`.100 – .200`	Staff laptops — wireless, can print
`45`	IoT	`192.168.45.0/24`	`.100 – .120`	Security cameras — cloud upload only, fully isolated
`50`	Untrusted Wi-Fi	`192.168.50.0/24`	`.100 – .250`	Employee cell phones — internet only, fully isolated

DHCP ranges are intentionally narrow on Voice, Print, PCI, and AP Management VLANs to limit the number of devices that can obtain an address.

Design note: VLAN 15 (Voice) and VLAN 18 (Print) are broken out from the Operations VLAN. Phones and printers no longer share a broadcast domain with workstations.

Inter-VLAN Traffic Matrix

Read as: "Can [Row] talk to [Column]?"

	Ops	Voice	Print	PCI	AP Mgmt	Staff Wi-Fi	IoT	Untrusted	Internet
Operations	—	DENY	PRINT	DENY	ALLOW	ALLOW	DENY	DENY	ALLOW
Voice	DENY	—	DENY	DENY	DENY	DENY	DENY	DENY	SIP/RTP
Print	DENY	DENY	—	DENY	DENY	DENY	DENY	DENY	DENY
PCI	DENY	DENY	DENY	—	DENY	DENY	DENY	DENY	PAY *
AP Mgmt	DENY	DENY	DENY	DENY	—	DENY	DENY	DENY	CLOUD
Staff Wi-Fi	DENY	DENY	PRINT	DENY	DENY	—	DENY	DENY	ALLOW
IoT	DENY	DENY	DENY	DENY	DENY	DENY	—	DENY	CLOUD
Untrusted	DENY	DENY	DENY	DENY	DENY	DENY	DENY	—	WEB

* PCI internet access restricted to payment processor endpoints only. PRINT = TCP 631 (IPP) + TCP 9100 (RAW) only.

Firewall Rules — Inter-VLAN

Rules are evaluated top-down. First match wins.

#	Source	Destination	Protocol / Port	Action	Purpose
1	`VLAN 20 (PCI)`	`Any local VLAN`	Any	Deny	PCI isolation — no lateral movement
2	`Any local VLAN`	`VLAN 20 (PCI)`	Any	Deny	Nothing reaches the card reader
3	`VLAN 15 (Voice)`	`Any local VLAN`	Any	Deny	Phones cannot reach internal resources
4	`Any local VLAN`	`VLAN 15 (Voice)`	Any	Deny	Nothing reaches the phones
5	`VLAN 45 (IoT)`	`Any local VLAN`	Any	Deny	Cameras cannot reach internal resources
6	`Any local VLAN`	`VLAN 45 (IoT)`	Any	Deny	Nothing reaches IoT devices
7	`VLAN 50 (Untrusted)`	`Any local VLAN`	Any	Deny	Cell phones cannot reach internal resources
8	`Any local VLAN`	`VLAN 50 (Untrusted)`	Any	Deny	Nothing reaches untrusted devices
9	`VLAN 10 (Ops)`	`VLAN 18 (Print)`	TCP 631, 9100	Allow	Desktops can print (IPP + RAW)
10	`VLAN 40 (Staff Wi-Fi)`	`VLAN 18 (Print)`	TCP 631, 9100	Allow	Laptops can print (IPP + RAW)
11	`VLAN 18 (Print)`	`Any local VLAN`	Any	Deny	Printer cannot initiate outbound connections
12	`VLAN 10 (Ops)`	`VLAN 30 (AP Mgmt)`	TCP 443	Allow	Admin desktop can manage the access point
13	`VLAN 10 (Ops)`	`VLAN 40 (Staff Wi-Fi)`	Any	Allow	Ops can reach staff devices for support
14	`Any VLAN`	`Any VLAN`	UDP 5353	Deny	Block Bonjour/mDNS service discovery between VLANs (optional)
15	`Any VLAN`	`Any VLAN`	Any	Deny	Default deny — catch-all

PCI Note: Rules 1 and 2 must remain at the top. The card reader VLAN has no path to any internal resource.

Design note: Rules 3–4 isolate the Voice VLAN. Rules 5–6 isolate IoT devices (cameras) — they can only reach their cloud provider, nothing internal. Rules 9–11 create a controlled print path: desktops and laptops can send print jobs to the printer, but the printer itself cannot initiate connections to anything. Without these separations, cameras and printers would sit on the same VLAN as desktops — a compromised device would have direct access to workstations.

Rule 14 (optional): Apple devices broadcast Bonjour (mDNS) on UDP 5353 for service discovery — AirPrint, AirPlay, file sharing. Blocking it between VLANs prevents an Apple device on one segment from discovering services on another. The default deny (rule 15) technically catches this, but some firewalls handle multicast traffic separately from unicast — an explicit rule removes ambiguity. Trade-off: AirPrint auto-discovery will not work across VLANs. Staff will need to add printers by IP address instead of relying on Bonjour. Within each VLAN, auto-discovery still works normally. Skip this rule if you have no Apple devices on the network.

Firewall Rules — Outbound (WAN)

#	Source	Destination	Protocol / Port	Action	Purpose
1	`VLAN 20 (PCI)`	`Payment processor IPs`	TCP 443	Allow	Card reader → payment gateway (HTTPS only)
2	`VLAN 20 (PCI)`	`Any`	Any	Deny	Card reader cannot reach anything else
3	`VLAN 15 (Voice)`	`VoIP provider IPs`	UDP 5060; UDP 10000–20000	Allow	VoIP signaling (SIP) + media (RTP)
4	`VLAN 15 (Voice)`	`Any`	Any	Deny	Phones cannot reach anything beyond VoIP provider
5	`VLAN 18 (Print)`	`Any`	Any	Deny	Printer has no internet access
6	`VLAN 10 (Ops)`	`Any`	TCP 80, 443	Allow	Web browsing
7	`VLAN 10 (Ops)`	`Any`	TCP 587, 993	Allow	Email (SMTP submission + IMAP over TLS)
8	`VLAN 10 (Ops)`	`VPN provider endpoints`	UDP 1194; TCP 443	Allow	VPN tunnel for privacy and security
9	`VLAN 40 (Staff Wi-Fi)`	`Any`	TCP 80, 443	Allow	Web access for staff laptops
10	`VLAN 45 (IoT)`	`Camera cloud IPs`	TCP 443; UDP 8554	Allow	Security cameras → cloud storage/streaming
11	`VLAN 45 (IoT)`	`Any`	Any	Deny	Cameras cannot reach anything else
12	`VLAN 50 (Untrusted)`	`Any`	TCP 80, 443	Allow	Internet-only for cell phones
13	`VLAN 30 (AP Mgmt)`	`Vendor cloud`	TCP 443	Allow	AP firmware updates and cloud management
14	`Firewall (self)`	`208.67.222.222, 208.67.220.220`	UDP 53	Allow	DNS forwarding to OpenDNS only
15	`Any`	`Any`	Any	Deny	Default deny — catch-all

Note: "Payment processor IPs," "VoIP provider IPs," and "Camera cloud IPs" should be replaced with the actual IP ranges provided by those vendors.

Inbound Rules (WAN → LAN)

#	Source	Destination	Protocol / Port	Action	Purpose
1	`VPN provider endpoints`	`VLAN 10 (Ops)`	UDP 1194; TCP 443	Allow	Inbound VPN tunnel
2	`Any`	`Any`	Any	Deny	No unsolicited inbound traffic

No ports are exposed directly to the internet.

Additional Security Measures

Measure	Setting	Rationale
DNS filtering	OpenDNS (`208.67.222.222`, `208.67.220.220`)	Firewall forwards all DNS to OpenDNS — blocks malicious domains before they resolve. All VLANs forced to use firewall as DNS server, preventing bypass.
Content filtering	Enabled on VLAN 50 (Untrusted)	Block malware, phishing, and adult content on the cell phone network
WPA3	Enabled on Staff Wi-Fi and Untrusted Wi-Fi SSIDs	Stronger wireless encryption — prevents eavesdropping and offline dictionary attacks that WPA2 is vulnerable to
DHCP snooping	Enabled on managed switch, all VLANs — Firewall uplink port marked as trusted	Drops rogue DHCP responses from untrusted ports. Builds a MAC-to-IP binding table used by ARP inspection.
Dynamic ARP inspection	Enabled on managed switch, all VLANs — requires DHCP snooping	Validates ARP packets against the DHCP snooping binding table. Prevents ARP spoofing / man-in-the-middle attacks on the LAN.
UPnP	Disabled	Prevents devices from automatically opening ports
Firewall management	Cloud management — no local admin interface exposed	Managed via app or web dashboard; no ports open for router administration
Remote desktop	Chrome Remote Desktop — no ports exposed	Encrypted remote access for service maintenance; NAT traversal via Google relay, no open inbound ports
Firmware updates	Automatic via vendor cloud	Firewall receives patches without manual intervention
Guest Wi-Fi	Not configured	Deliberate decision — reduces attack surface on a PCI-compliant network

Estimated Equipment Cost

This roadmap can be implemented with off-the-shelf small business networking equipment. No enterprise licensing or recurring subscription fees are required — all options below include free cloud management.

Equipment	What to Look For	Price Range
Firewall / Security Gateway	Stateful inspection, inter-VLAN routing with ACLs, NAT, VPN, IDS/IPS, logging. Must enforce rules between VLANs — segmentation alone does not satisfy PCI. Prefer cloud-managed — see note below.	$130 – $280
Managed PoE Switch	802.1Q VLAN tagging and trunking, port security, PoE+ (802.3at) to power access points and VoIP phones. Minimum 8 ports.	$100 – $200
Wi-Fi Access Point	Multiple SSIDs mapped to separate VLANs, WPA3, client isolation on untrusted networks. Wi-Fi 6 (802.11ax) or newer.	$85 – $190
VPN Service	Encrypts traffic off-site. Look for business plans with centralized management. Some firewalls include WireGuard or OpenVPN natively.	Free – $8/user/mo

Total estimated hardware cost: $315 – $670 — one-time purchase, no recurring fees. VPN may add a small monthly cost per user.

Example products: Ubiquiti UCG-Ultra, Ubiquiti UCG-Fiber, TP-Link Omada ER7206 (firewalls); Ubiquiti USW-Lite-8-PoE, TP-Link Omada SG2210P, Netgear GS310TP (switches); Ubiquiti U6 Pro, TP-Link EAP610, TP-Link EAP670 (access points); Tailscale, Cloudflare WARP, OpenVPN, WireGuard (VPN).
List updated May 2026.

Why cloud-managed firewalls are safer than local admin portals

A traditional firewall exposes a local admin portal — a web interface running on the firewall’s LAN IP address, typically on port 80 or 443. Any device on the network that can reach that IP can attempt to log in. That means a compromised camera, an infected workstation, or a rogue device on any VLAN with a route to the firewall can try to brute-force the admin password, exploit a vulnerability in the web UI, or hijack an active session. The admin portal itself becomes an attack surface.

Cloud-managed firewalls (Ubiquiti, TP-Link Omada, Meraki) work differently. The firewall talks outbound to the vendor’s cloud over an encrypted connection. You manage it through the vendor’s app or web dashboard — also over an encrypted connection to their cloud. The two never meet on the local network. No ports are open on the firewall for administration, which means there is nothing for a local attacker to connect to.

Phone app vs. local admin portal: When you manage your firewall from the Ubiquiti or Omada app on your phone, the connection goes through the vendor’s cloud — encrypted end-to-end, authenticated with your vendor account (which should have MFA enabled). A local admin portal sits on the LAN waiting for anyone to knock. For a PCI environment, cloud management eliminates an entire class of attack by removing the admin interface from the network entirely.

Guide To: PCI Compliance

Part 1: The Importance of PCI Compliance — Breach costs, compliance tiers, the business case

▸ Part 2: PCI-Compliant Network Roadmap (you are here)

Part 3: Firewall & VLAN Rules — VLAN segmentation, inter-zone policies, DNS filtering

Part 4: PCI Hardening Basics — Endpoint protection, passwords, POS security

Part 5: Employee Security Training — Phishing, social engineering, incident reporting

Companion: Ransomware Backup Strategy — Three-tier backup, encrypted SSDs, calendar reminders

This guide is provided for educational and portfolio purposes. It reflects general best practices and does not constitute professional security consulting for your specific environment. Consult a qualified professional for your business’s security needs.