Homelab (Networking)

My current homelab network uses a UDM-Pro SE and Cloudflare tunnels for remote access.

Current networking layout consists of various VLANs:

  • Default VLAN for all wireless and typical devices such as printers

  • Homelab VLAN for my desktop, Proxmox server, and the majority of VMs/servers

  • IoT VLAN for all wireless smart plugs and similar IoT devices, to isolate them from my network and only allow them to access the Internet

  • Guest VLAN for guest Wi-Fi devices, which allows any guests to connect to the Internet but keeps them isolated from my devices/servers

  • DMZ VLAN for all static IP servers that are publicly accessible. It provides some isolation from the other VLANs and is used to host devices that are port-forwarded or used to proxy external connections


Cloudflare tunnels are the primary way I remotely connect to devices and servers behind my firewall/NATs. The Cloudflare tunnel is essentially a reverse proxy where I can configure public subdomains that route to private servers within my homelab. The tunnel is established with redundant connections from a Docker container in my Proxmox cluster and from a bare-metal service running on a Raspberry Pi. I chose Cloudflare tunnels because all public subdomains are protected by Cloudflare Access and proxied through Cloudflare routing instead of resolving to my public IP and requiring a port-forward for each connection. Additionally, I can route connections that use the same port (unlike port-forwarded connections), since I can specify the private IP for each connection and the Cloudflare service will proxy the connection via the Docker container or Raspberry Pi behind my firewall.
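
A locally managed `cloudflared` configuration of the kind described above, as an added example that is not my actual configuration; the hostnames, private IPs, tunnel ID placeholder and file path are assumptions. It shows two public subdomains reaching different private hosts on the same port, with a final catch-all rule that rejects any hostname not explicitly listed.

```yaml
# /etc/cloudflared/config.yml  (path is an assumption)
# The same file can be deployed to both connectors (the Docker container
# and the Raspberry Pi service) so either one can serve every hostname.

tunnel: <TUNNEL-UUID>                                 # placeholder
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json # placeholder

ingress:
  # Two services listening on the SAME port on different private hosts.
  # With port-forwarding only one of them could own port 8080 on the
  # public IP; here the hostname selects the origin instead.
  - hostname: app1.example.com            # constructed hostname
    service: http://192.168.20.10:8080    # constructed private IP
  - hostname: app2.example.com            # constructed hostname
    service: http://192.168.20.11:8080    # constructed private IP

  # Required last rule with no hostname: anything that did not match
  # above gets a 404 instead of being forwarded to an origin.
  - service: http_status:404
```

Rules are evaluated top to bottom, so the catch-all must stay last. Cloudflare Access policies for each hostname are configured separately from this file.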


Current networking hardware consists of a Ubiquiti UDM-Pro-SE as the primary router/firewall, where any important servers or PoE devices are connected. From there, 10Gb DAC links run to a Ubiquiti 10Gb Aggregation switch, which is where I land any fiber or 10Gb RJ45 connections from servers and my desktop. If I need more 1Gb ports down the road, I have a 24-port Netgear switch ready to be connected via one of the DAC cables, which I can daisy-chain with the UDM-Pro and Aggregation switch for redundancy. Additionally, I've added a MikroTik RB1100 that establishes a WireGuard tunnel with a remote hEX PoE RouterBoard that acts as a physical VPN router to my home network when traveling. I have the UDM-SE configured as my primary WireGuard server for virtual VPNs on my devices, but I got the MikroTiks for free and it's been a fun project.
