Posted: 11/30/2018 2:09:19 PM EDT
I've added and added and there isn't much organization.  I've got a pfSense box with almost everything on the 192.168.1.X.  Access points, servers (dedicated Plex, backup, other), IoT things (thermostats, Amazon Echos, SmartThings Hub, etc), plus all the entertainment stuff (Rokus, Chromecasts, Xbox, etc).

I have several extra RJ45 ports on my pfSense box, so I've added separate LANs (192.168.2.X) for phones and (192.168.3.X) for a Blue Iris machine and IP cameras.

Most of the main servers are connected to a 10GbE switch too, which in turn is connected to the 1Gb switch.

What's a best practice to organize all this?  Just separate VLANs with the switches?  I have a bunch more ethernet ports on my pfSense box, so I could add new subnets too.

Any suggestions are appreciated.
Posted: 12/1/2018 11:13:49 PM EDT
[#1]
Quoted:
I've added and added and there isn't much organization.  I've got a pfSense box with almost everything on the 192.168.1.X.  Access points, servers (dedicated Plex, backup, other), IoT things (thermostats, Amazon Echos, SmartThings Hub, etc), plus all the entertainment stuff (Rokus, Chromecasts, Xbox, etc).

I have several extra RJ45 ports on my pfSense box, so I've added separate LANs (192.168.2.X) for phones and (192.168.3.X) for a Blue Iris machine and IP cameras.

Most of the main servers are connected to a 10GbE switch too, which in turn is connected to the 1Gb switch.

What's a best practice to organize all this?  Just separate VLANs with the switches?  I have a bunch more ethernet ports on my pfSense box, so I could add new subnets too.

Any suggestions are appreciated.
Are your switches managed switches?  If so, create some VLANs.  Sounds like you already have a logical way to separate the devices.  VLAN 10 Wireless, VLAN 20 servers, VLAN 30 IoT, VLAN 40 Media, etc.  Once you determine your strategy, create the VLANs on your switches, tag interfaces appropriately.  You can use the different interfaces on your pfSense to connect your different subnets or you can create subinterfaces for each VLAN on the pfSense.  Whatever switch interface you are connected to will need to be set up as a trunk port tagging all the VLANs you have created.  Your router will learn the different networks and pass traffic between them.

https://www.netgate.com/docs/pfsense/book/vlan/pfsense-vlan-configuration.html
Posted: 12/2/2018 9:12:54 AM EDT
[#2]
Here's how I have my setup.

Wired devices (such as APs, switches and servers) in the house are in a 192.168.10.0/24 subnet. Wireless devices are in a 192.168.11.0/24 subnet. My wireless is currently broken out into two SSIDs, a modern 802.11ac/n network and a legacy 802.11g/n network (which is 2.4 GHz only). I'm using a Mikrotik hEX S as my router/firewall and Mikrotik's CAPsMAN as the wireless AP controller. I haven't finished it yet but my "lab/office" is slated for 10.254.0.0/24 and 10.254.1.0/24 with a small /29 connecting the two buildings. My office will have more things and I will likely end up adding some physical VLAN interfaces (CAPsMAN uses virtual interfaces that it tracks and manages to segregate traffic).
Posted: 12/2/2018 1:13:53 PM EDT
[#3]
Okay, I've been reading about network setup and organization since my original post a couple days ago and I think I know how I'm going to do it.  Please let me know if it is sound.

Right now, I have 8 ethernet ports on my pfSense box and had planned to just run separate LANs, but from everything I'm reading, I think I'll just let the switches do the switching and do the "router on a stick" method.  I've had good luck with Chelsio 10GbE cards and I figure I could run a 10GbE trunk from my pfSense box to my main switch, so I'll scrap the onboard NICs and run a dual Chelsio 10GbE NIC.  Hell, since the cards are dual ports, I could run 10GbE in LACP if I wanted to.

Then, the main switch will be segmented out into 8 VLANs.

1) Management (switches, access points, IPMI, etc)
2) Phone
3) Security system/Blue Iris and all the IP cameras
4) Guest LAN (only has access to the internet)
5) Main internet access for all home computers
6) Entertainment (TVs, Rokus, Xbox, Amazon Echos)
7) Utility/IoT (SmartThings Hub, Ring Doorbell, Thermostats, etc)
8) Secure (backup servers)

I think with this kind of organization, I'll have room to grow (if need be), be able to set proper rules and have decent security.
Posted: 12/2/2018 8:52:32 PM EDT
[#4]
Quoted:
Okay, I've been reading about network setup and organization since my original post a couple days ago and I think I know how I'm going to do it.  Please let me know if it is sound.

Right now, I have 8 ethernet ports on my pfSense box and had planned to just run separate LANs, but from everything I'm reading, I think I'll just let the switches do the switching and do the "router on a stick" method.  I've had good luck with Chelsio 10GbE cards and I figure I could run a 10GbE trunk from my pfSense box to my main switch, so I'll scrap the onboard NICs and run a dual Chelsio 10GbE NIC.  Hell, since the cards are dual ports, I could run 10GbE in LACP if I wanted to.

Then, the main switch will be segmented out into 8 VLANs.

1) Management (switches, access points, IPMI, etc)
2) Phone
3) Security system/Blue Iris and all the IP cameras
4) Guest LAN (only has access to the internet)
5) Main internet access for all home computers
6) Entertainment (TVs, Rokus, Xbox, Amazon Echos)
7) Utility/IoT (SmartThings Hub, Ring Doorbell, Thermostats, etc)
8) Secure (backup servers)

I think with this kind of organization, I'll have room to grow (if need be), be able to set proper rules and have decent security.
Looks good!
Posted: 12/4/2018 6:12:36 PM EDT
[#5]
Sorry for the hijack but I have a mess of a network as well.  I have 25 years in IT but absolutely no experience in networking.  What advantages do I get with VLANs?  Can my Roku on one VLAN communicate with my media NAS drive on another VLAN?

I have an assortment of hardware currently connected.  It starts with an Arris cable modem in my office to an Asus RT-AC68U wireless router centrally located in the house.  One wired connection from my router back to the office connects to an 8 port TP-Link smart managed switch.  That connects to my work laptop, home PC and 3 NAS drives.  Another wired connection from my router to my theater room connects to a Rosewill 8 port switch.  That connects to my Roku, DirecTV receivers, Blu-ray player and Samsung Smartthings device.  Another wired connection from my router connects to a WD MyCloud NAS for backing up all of the wireless laptops in the house.

I have the beginnings of a 6U rack to hold a much larger switch.  I was thinking of a 24 port smart managed one from TP-Link.  The Asus RT-AC68U is moved to the office and becomes just a wired router.  I'll add an access point downstairs to replace the wireless functionality.  I also want to add a small Linux box with a multi-port Ethernet card and aggregate a couple of ports on the switch.  This box will handle FTP work between the different NAS drives.  Finally, I have a PoE camera system/NVR to add.  It came with its own 9-port PoE switch but I'm unsure if I want to connect the cameras directly to the large switch if I go with PoE.  Any advantages to that?
Posted: 12/4/2018 6:48:38 PM EDT
[#6]
The main advantage of VLANs that I see is that one can separate things on the network for organization and security.
Posted: 12/4/2018 7:01:03 PM EDT
[#7]
Quoted:
The main advantage of VLANs that I see is that one can separate things on the network for organization and security.
That's exactly what they are for.

I have 4 or 5 at home right now.  Mainly I wanted Guests, IoT, and Surveillance to be segregated from eachother and my main network.
Posted: 12/4/2018 7:07:06 PM EDT
[#8]
Another thing, for me anyway, since I currently have everything on the same subnet, I'm running out of IP addresses pretty quickly with everything nowadays being connected.
Posted: 12/7/2018 8:41:07 PM EDT
[#9]
VLANs provide zero security if you are allowing all the networks to be reached from any other network. You need to limit what networks are reachable from others.

For example, there is no reason for your Echo to communicate with Blue Iris, so don't allow it.

Another issue with many networks is limiting the outbound connection to networks outside of North America. Your Chinese camera will try to call home. Don't believe me, run Wireshark and watch. So block the outbound connections.

As for address space, increase the mask size. Switch to 10.0.0.0/8 or 172.16-31.0.0/16.
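The inter-VLAN point above is the whole game: a VLAN is a layer-2 boundary, and only the router's rule set decides what crosses it. The block below is an added example (not code from any post in this thread) that models a first-match, default-deny policy for the eight segments listed in post #3 and lets you ask "can this host reach that host on this port?" before the rules are typed into pfSense. The subnets, port numbers and the rule list itself are assumptions chosen for illustration; it also answers post #5's question (a Roku on one VLAN can reach a NAS on another exactly when a rule says so).

```python
# Added example, not from the thread: first-match inter-VLAN policy check.
# Segment names follow post #3; subnets, ports and rules are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

SEGMENTS = {
    "mgmt":   ip_network("192.168.10.0/24"),  # switches, APs, IPMI
    "phone":  ip_network("192.168.20.0/24"),
    "cams":   ip_network("192.168.30.0/24"),  # Blue Iris + IP cameras
    "guest":  ip_network("192.168.40.0/24"),
    "lan":    ip_network("192.168.50.0/24"),  # home computers
    "media":  ip_network("192.168.60.0/24"),  # TVs, Rokus, Xbox, Echos
    "iot":    ip_network("192.168.70.0/24"),  # hub, doorbell, thermostats
    "secure": ip_network("192.168.80.0/24"),  # backup servers / NAS
}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # segment name or "any"
    dst: str                     # segment name, "internet" or "any"
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None = any port


# Evaluated top to bottom, first match wins (pf "quick" semantics).
# Anything matching no rule is blocked; that default is what makes
# the VLANs worth having.
RULES = [
    Rule("pass", "lan", "any"),                    # trusted clients reach everything
    Rule("pass", "mgmt", "any"),
    Rule("pass", "media", "secure", "tcp", 445),   # Roku -> NAS share, nothing else
    Rule("pass", "media", "internet"),
    Rule("pass", "phone", "internet"),
    Rule("pass", "guest", "internet"),
    Rule("pass", "iot", "internet"),               # hubs/doorbells need their cloud
    Rule("block", "cams", "any"),                  # explicit, so a later edit can't reopen it
]


def segment_of(ip: str) -> Optional[str]:
    addr = ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)


def _dst_matches(rule_dst: str, dst_ip: str) -> bool:
    if rule_dst == "any":
        return True
    if rule_dst == "internet":
        # "internet" means non-private space only. Writing it as "any"
        # is the classic mistake that silently re-opens inter-VLAN traffic.
        return not any(ip_address(dst_ip) in net for net in RFC1918)
    return segment_of(dst_ip) == rule_dst


def evaluate(src_ip: str, dst_ip: str, proto: str = "tcp",
             dport: Optional[int] = None) -> str:
    """Return "pass" or "block". proto="any"/dport=None act as wildcards."""
    src_seg = segment_of(src_ip)
    for r in RULES:
        if r.src != "any" and r.src != src_seg:
            continue
        if not _dst_matches(r.dst, dst_ip):
            continue
        if r.proto != "any" and proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and dport is not None and r.dport != dport:
            continue
        return r.action
    return "block"  # implicit default deny


def reachable_from(src_seg: str) -> set:
    """Segments (plus "internet") a host in src_seg can reach on some port."""
    probes = {name: str(net[10]) for name, net in SEGMENTS.items()}
    probes["internet"] = "203.0.113.1"  # TEST-NET-3 stands in for the outside
    src = str(SEGMENTS[src_seg][10])
    return {dst for dst, ip in probes.items()
            if dst != src_seg and evaluate(src, ip, "any", None) == "pass"}


if __name__ == "__main__":
    for seg in SEGMENTS:
        print(f"{seg:7} -> {sorted(reachable_from(seg))}")
    print("Echo -> Blue Iris:", evaluate("192.168.70.5", "192.168.30.10", "tcp", 81))
    print("Roku -> NAS SMB:  ", evaluate("192.168.60.5", "192.168.80.10", "tcp", 445))
```

In pfSense the "internet" destination is normally expressed with an alias for the three RFC 1918 blocks and the rule's destination set to that alias with "invert match" ticked; a pass rule whose destination is plain "any" on an IoT or guest interface undoes the segmentation, which is exactly the failure the post above describes.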
Posted: 12/12/2018 7:26:47 PM EDT
[#10]
Quoted:
VLANs provide zero security if you are allowing all the networks to be reached from any other network. You need to limit what networks are reachable from others.

For example, there is no reason for your Echo to communicate with Blue Iris, so don't allow it.

Another issue with many networks is limiting the outbound connection to networks outside of North America. Your Chinese camera will try to call home. Don't believe me, run Wireshark and watch. So block the outbound connections.

As for address space, increase the mask size. Switch to 10.0.0.0/8 or 172.16-31.0.0/16.
Agree with everything above except the part in red. Don't do that. If you need more address space, change your mask to a /23 (255.255.254.0). That gives you 510 usable addresses. Unless you're doing something very different from the normal home network use case you don't need that much space. Creating giant networks like a /8 or /12 may cause issues if your ISP decides to use RFC1918 addresses at the edge, the way AT&T does at my home.

I've done networking since 2000 at medium to large companies.

As I see it, here are the use cases for vlans in a home network:
1. security - want to control where hosts on a network can go, and what hosts are allowed to reach the network.
2. size - in practical terms, a /23 network with 500+ hosts will work just fine for most things. Most homes won't get to this point.
3. OCD - If you just have to be organized, and want to be able to easily determine what type of device something is based on IP.
4. Learning - What better way to learn than to play around on your network?

I completely agree with the person who said to block outbound traffic from your cameras to the Internet. Same thing for any IoT devices that don't need Internet access. That may be the most compelling use case for doing VLANs.

In my home network, I have a /24 for all my hosts, and a /24 for client vpn connections. I don't do IoT, but I still have ~26 real and virtual devices on my network. I have a stack of Meraki gear that will let me vlan and create barriers between segments. It just isn't worth it to me. I do watch all of my network traffic via full NetFlow. I can see everything on the network as well as stuff coming and going to the Internet. I get alarms when certain things fire.

If you aren't using OpenDNS for your DNS servers, you're doing yourself a disfavor. It is free, fast, reliable and will help prevent you and your family from connecting to harmful sites. Cisco purchased OpenDNS a few years back, but seems to have pretty much let the people who know what they are doing keep doing it. Same for Meraki.
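Both of the last two posts come back to the same check: watch what the camera and IoT VLANs actually send outbound, whether in Wireshark or in flow records, and block what has no business leaving. The block below is an added example (not code from this thread) that runs that check over exported flow records and aggregates the offenders. The record layout is a constructed, simplified CSV (time,src,dst,proto,dport,bytes), not a real NetFlow export; the subnets, the allowlist and the sample lines are assumptions, with documentation ranges standing in for vendor endpoints.

```python
# Added example, not from the thread: find camera/IoT hosts "calling home".
# Flow format is a constructed simplification of a NetFlow-style export.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Segments whose hosts have no business initiating Internet connections.
NO_INTERNET = {
    "cams": ip_network("192.168.30.0/24"),
    "iot":  ip_network("192.168.70.0/24"),
}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Outbound exceptions you have decided to tolerate: (segment, proto, dport).
ALLOW = {("iot", "udp", 123)}  # assumption: let the IoT gear sync time

# Constructed sample. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for vendor cloud endpoints.
FLOWS = """\
2018-12-07T20:30:01,192.168.30.10,203.0.113.45,tcp,443,18234
2018-12-07T20:30:02,192.168.30.11,192.168.30.5,tcp,554,918244
2018-12-07T20:30:04,192.168.70.21,198.51.100.7,udp,123,76
2018-12-07T20:30:05,192.168.70.22,198.51.100.9,tcp,8883,2211
2018-12-07T20:30:07,192.168.50.3,203.0.113.45,tcp,443,5000
2018-12-07T20:30:09,192.168.30.10,203.0.113.45,tcp,443,20411
"""


def parse_flow(line: str) -> dict:
    ts, src, dst, proto, dport, nbytes = line.strip().split(",")
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "bytes": int(nbytes)}


def monitored_segment(ip: str):
    addr = ip_address(ip)
    return next((n for n, net in NO_INTERNET.items() if addr in net), None)


def is_private(ip: str) -> bool:
    return any(ip_address(ip) in net for net in RFC1918)


def find_callhome(text: str) -> list:
    """Aggregate offending flows per (segment, src, dst, proto, dport)."""
    hits = defaultdict(lambda: {"flows": 0, "bytes": 0, "first": None})
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        seg = monitored_segment(f["src"])
        if seg is None or is_private(f["dst"]):
            continue  # not a monitored segment, or the flow stayed inside
        if (seg, f["proto"], f["dport"]) in ALLOW:
            continue
        key = (seg, f["src"], f["dst"], f["proto"], f["dport"])
        h = hits[key]
        h["flows"] += 1
        h["bytes"] += f["bytes"]
        h["first"] = h["first"] or f["ts"]
    return [{"segment": k[0], "src": k[1], "dst": k[2], "proto": k[3],
             "dport": k[4], **v} for k, v in sorted(hits.items())]


if __name__ == "__main__":
    for a in find_callhome(FLOWS):
        print(f"{a['segment']:5} {a['src']} -> {a['dst']}:{a['dport']}/{a['proto']}  "
              f"{a['flows']} flows, {a['bytes']} bytes, first seen {a['first']}")
```

Each alert line is the input to the firewall work: either the destination goes into the allowlist because the device genuinely needs it, or the segment gets the outbound block the earlier post recommends. Run the same scan again afterwards; a camera that still shows up is finding another path out.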
Posted: 12/12/2018 11:33:10 PM EDT
[#11]
Quoted:
VLANs provide zero security if you are allowing all the networks to be reached from any other network. You need to limit what networks are reachable from others.

For example, there is no reason for your Echo to communicate with Blue Iris, so don't allow it.

Another issue with many networks is limiting the outbound connection to networks outside of North America. Your Chinese camera will try to call home. Don't believe me, run Wireshark and watch. So block the outbound connections.

As for address space, increase the mask size. Switch to 10.0.0.0/8 or 172.16-31.0.0/16.
I guess that I assumed he would be blocking inter-VLAN communication but that was probably a poor assumption on my part.
Posted: 12/13/2018 1:48:56 AM EDT
[#12]
Quoted:
Another thing, for me anyway, since I currently have everything on the same subnet, I'm running out of IP addresses pretty quickly with everything nowadays being connected.
IPv6
Posted: 12/13/2018 1:49:28 AM EDT
[#13]
Quoted:
I guess that I assumed he would be blocking inter-VLAN communication but that was probably a poor assumption on my part.
I thought that was kind of the point...keep the IoT stuff on one VLAN.  Keep servers on another, etc.
Posted: 12/13/2018 1:52:13 AM EDT
[#14]
Quoted:
If you aren't using OpenDNS for your DNS servers, you're doing yourself a disfavor. It is free, fast, reliable and will help prevent you and your family from connecting to harmful sites. Cisco purchased OpenDNS a few years back, but seems to have pretty much let the people who know what they are doing keep doing it. Same for Meraki.
I've been using the built in pfSense DNS Resolver.  What's the difference?
Posted: 12/13/2018 1:56:41 AM EDT
[#15]
Quoted:
The main advantage of VLANs that I see is that one can separate things on the network for organization and security.
Yep.  IoT devices for example, often come with shit security and an "updates? hahahaha" policy.  You don't want that stuff near your junk, so you wrap it.
Posted: 12/13/2018 6:56:16 PM EDT
[#16]
Quoted:
I've been using the built in pfSense DNS Resolver.  What's the difference?
Quick answer: improved security posture.

Longer answer:
OpenDNS Home doesn't resolve known bad websites. If your system can't resolve a hostname/URL to an IP address, you can't connect, and bad things are less likely to happen. You can sign up for a free account, which allows you to do some filtering. Free signup: https://www.opendns.com/home-internet-security/
I work for Cisco, but am not in sales and have no direct ties to the OpenDNS/Umbrella business unit. I use OpenDNS for my home network. At work, we use it too.
Posted: 12/17/2018 5:00:31 AM EDT
[#17]
What's a decent brand of switch to allow vlan config at home? Waaaay back in the day I did all Cisco stuff but it was commercial stuff and very expensive
Posted: 12/17/2018 5:49:13 PM EDT
[#18]
Quoted:
What's a decent brand of switch to allow vlan config at home? Waaaay back in the day I did all Cisco stuff but it was commercial stuff and very expensive
Ubiquiti

Mikrotik (only advisable if you are familiar with Router OS)

I've got a couple of Netonix WISP switches deployed that I like but Ubiquiti supports more PoE modes.