Advice on network layout for pfSense with roommates
  • I concur with u/Bellegr4ine and will add a little more:

    • If your WAN is PPPoE then another more elegant solution that might fit is to set up 3 ports on the managed switch for use in FRONT of the main router, and have your cable/carrier WAN Ethernet output and the WAN interfaces of both the wifi router and the pfSense all plugged into these ports.
      • This creates a shared carrier WAN VLAN in front of both firewalls.
      • In most cases, both wifi router and pfSense should get their own public IP, basically splitting one internet connection into two separate public IPs. Many carriers can't limit this to support landline phone services.
      • This scenario will also work where the carrier also needs a VLAN tag to connect to PPPoE, just set the VLAN ID of the carrier the same as the carrier requires.
      • The only thing this breaks is the ability to manage QoS on the link because there are two connections, but no central QoS.
      • Both router and pfSense then plug their LAN output into the appropriate VLAN ports on the managed switch.

    I do this and it allows me to run a family LAN network and also to have a completely separate internet environment for my lab.

    Help needed with a publicly hosted dedicated server design! Will this even work?
  • I'm an old datacentre guy, so please take note.

    You should aim for zero public IP exposure to services. It is not good what you've got there.

    If all those hosts are on public IPs and you're not really in control of any upstream device to manage network traffic to them, then if you do this you are at the whim of your provider.

    How are you going to centrally authenticate and manage/monitor all this? You're missing some sort of gateway that YOU control. You've actually drawn up a honeypot for hackers.

    Please run your own virtual firewall at least, and configure the vswitches accordingly in layers and microsegment each service so one compromised system does not give over the whole network. Set up VLANs to allow for this sort of flexibility (and future flexibility).

    Depending on how many public IPs you have, consider putting everything behind NAT or PAT. Make a separate network just to access the VMware kit and secure this (no web mgmt consoles on public IPs!).

    What you've got here is asking for trouble and will be a management mess.

    Create something like 4 tiers of network and separate these with your firewall, or two firewalls.

    1. DMZ (private IPs and nginx go here and pass through to #2 only the required ports)
    2. Main docker and VMs (only allow access between DMZ and data layers, no outgoing/egress).
    3. Your data - the core; only allow layer #2 devices that need access.
    4. VMware management (it's called out-of-band networking) - this is where you use a private way of accessing this network for back-end management. This network can't access 1, 2 or 3.
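One way to sanity-check a candidate ruleset against those four tiers, as an added example that is not part of the original comment; the addressing (one /24 per tier), ports and rules are constructed assumptions, and the probes encode the isolation invariants the tiers describe:

```python
"""Added example: a first-match firewall policy model for the four-tier layout
(DMZ -> app -> data, plus an isolated management net) and a checker that
reports which of the design's isolation invariants a ruleset breaks."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # TCP destination port, None matches any port
    action: str          # "allow" or "deny"


# Constructed addressing (assumption, not from the post): 10.N.0.0/24 is tier N
RULES = [
    Rule("10.1.0.0/24", "10.2.0.0/24", 8080, "allow"),   # nginx in DMZ -> tier 2, required port only
    Rule("10.2.0.10/32", "10.3.0.0/24", 5432, "allow"),  # the one tier 2 host that needs the data store
    Rule("10.2.0.0/24", "0.0.0.0/0", None, "deny"),      # tier 2 has no egress
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),        # default deny, which also isolates tier 4 (mgmt)
]


def decide(rules, src, dst, port):
    """First-match evaluation; anything unmatched is denied."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.port in (None, port):
            return r.action
    return "deny"


# Each probe: (src, dst, port, expected verdict, invariant it checks)
PROBES = [
    ("10.1.0.5", "10.2.0.10", 8080, "allow", "DMZ reaches tier 2 on the published port"),
    ("10.1.0.5", "10.2.0.10", 22, "deny", "DMZ must not reach tier 2 on other ports"),
    ("10.1.0.5", "10.3.0.5", 5432, "deny", "DMZ never touches the data tier directly"),
    ("10.2.0.10", "10.3.0.5", 5432, "allow", "the designated tier 2 host reaches the data store"),
    ("10.2.0.11", "10.3.0.5", 5432, "deny", "other tier 2 hosts do not reach the data store"),
    ("10.2.0.10", "203.0.113.9", 443, "deny", "tier 2 has no egress to the internet"),
    ("10.4.0.5", "10.2.0.10", 443, "deny", "management network cannot reach tiers 1-3"),
    ("203.0.113.9", "10.3.0.5", 5432, "deny", "data tier is not exposed publicly"),
]


def violations(rules):
    """Return the invariants a ruleset breaks (empty list means it matches the design)."""
    return [why for src, dst, port, want, why in PROBES
            if decide(rules, src, dst, port) != want]


if __name__ == "__main__":
    print("violations:", violations(RULES))
```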
    Why is Windows (desktop versions) frowned upon as a home NAS/server OS?
  • Datacentre + 25 years of Linux expertise here:

    Design the system around how you use your data, how important your data is, and where you want to back it up etc. Forget about choosing the platform first.. but..

    Open source gives you WAY more options, Windows will just share files.

    Eg open source NAS will let you sync and aggregate all your cloud storage and backup apps as one single virtual cached storage directory all available in your file explorer. No stupid clients and bloat. Open source will give you snapshots too. All syncs happen in the background with real integrity checking. (For example, look at rclone as a wonderful OneDrive client replacement for a virtual cloud filesystem, just run this on your NAS.)

    Open source also lets you add unlimited Backblaze backup to your NAS without the business subscription (if you've got a few basic Linux skills).

    Open source also allows a wide array of virtual machines or containers for other handy home network utilities (think always-on Pi-hole, DNS ad blockers etc).

    [non self hosted] : Cheap Services You Still Pay For
  • Even though I have a lifetime LastPass subscription I still choose to pay the $10 bucks and stay with Bitwarden, not just because I wanted the YubiKey support, it's also just so simple to use and I love its simplicity. It's also polite and does not bring any extra bloatware. It's really quite good value. It just does its job really nicely.

    How risky would it be to use a NAS that no longer has firmware support to backup my Unraid server?
  • You will be fine with just a few simple things to make sure of:

    • The hardware will probably be just fine.
    • Just don't hang your data out on the internet. If you just need remote access to manage the NAS then a jump server like Guacamole in a DMZ or container somehow will be great. If you want remote access to your actual data over SMB and such then options like Tailscale may be useful to you.
    • Look into other backup methods like Backblaze or similar if the data has any value. You could even set up rsync to another location.