Help With Networking Decisions


Hi guys, I'm starting to get into VLANs and network segregation. I will list my gear below so you can see what I'm working with. In short, I started by setting up VLANs for my guest wifi and "IOT" devices on my network to separate them from my server and other PCs on my LAN. However, doing so presented some obstacles, such as my Harmony Hub taking forever to communicate with my Roku (the Harmony Hub was on IOT while the Roku was on LAN). After switching the Roku to IOT as well, I could not directly access my local Plex server (it switched over to remote access). So, I'm now investigating VLANs in Unraid and potentially running Plex in the same VLAN. I currently run all my dockers in bridge mode. My problem is there are so many apparent ways of segregating things that I'm a bit overwhelmed about what to learn first. I eventually intend on adding POE cams to my network as well, so that will bring new complexity. What I would like to do is have my Unraid server (for management access) on my LAN network, protected from IOT devices (and WAN-exposed dockers), while at the same time allowing IOT devices access to dockers as needed. I also want to keep guest wifi access segregated from everything (I think I've achieved this with my current setup). I serve up a Plex server for family, so I need to keep that accessible from outside. To add complexity, I run Organizr and rev proxy all my services back into the LE container.

So far I've set up a VLAN on my eth1 interface for dockers and tinkered with rev proxying a service back to my LE container from that VLAN. The rev proxy does not work, presumably because it's on a different subnet. So, it seems that if I do go the docker VLAN route, I will need all of my services that are reverse proxied on the same VLAN/subnet. Is this correct?

Given the hardware/software available to me, is there another recommended route? I assume there are others here with a similar setup and goals; would you mind sharing what approach you take?

 

Gear:

ISP - Google Fiber (1Gb)

Firewall - pfSense dedicated box in lieu of the Google Fiber Network Box (4 NICs available, 2 in use now for LAN and WAN; I have created VLANs for IOT, Guest, and Dockers, and am also running Avahi for LAN-to-IOT communication and an OpenVPN server for remote access)

Switch - US-24-250W (Unifi 250W POE+ switch), 8-port Unifi POE switch (currently not in use)

APs - 2 Unifi AP Pros and 1 AP-LR (3 SSIDs corresponding to LAN and the VLANs for Guest and IOT)

Unifi Controller - running as a docker service

4-port 1Gb PCIe NIC card - currently unused (but accessible from Unraid). I had this going when I was running pfSense as a VM before purchasing a dedicated box.

My MOBO also has two 1Gb NICs available. Currently only 1 is in use.
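The inter-VLAN rules this post is wrestling with can be sanity-checked before they go onto the firewall. The Python below is an added example, not the poster's configuration and not pfSense's own rule format: it models the zones named in the post (LAN, IOT, GUEST, DOCKERS, WAN) with constructed placeholder subnets and ports, evaluates a first-match, default-deny policy between them, and audits that policy for any rule that lets IoT, guest or WAN traffic into the LAN or Docker VLAN on every port.

```python
"""Model of the inter-VLAN firewall policy for a segmented home network.

Added example, not the poster's configuration: zone names match the post
(LAN, IOT, GUEST, DOCKERS, WAN) but every subnet, address and port below is
a constructed placeholder. The router (pfSense in the post) routes between
VLANs; whether one zone can reach another is decided by rules like these.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed subnets, one per VLAN; WAN is "anything not in a local zone".
ZONES = {
    "LAN": ip_network("192.168.1.0/24"),
    "IOT": ip_network("192.168.20.0/24"),
    "GUEST": ip_network("192.168.30.0/24"),
    "DOCKERS": ip_network("192.168.40.0/24"),
}
TRUSTED = {"LAN", "DOCKERS"}         # zones that must not be broadly reachable
UNTRUSTED = {"IOT", "GUEST", "WAN"}  # zones that may hold hostile devices


@dataclass(frozen=True)
class Rule:
    src: str             # source zone, or "*" for any
    dst: str             # destination zone, or "*" for any
    port: Optional[int]  # destination TCP port; None means any port
    action: str          # "allow" or "deny"


# First-match policy; anything not matched is denied (default deny).
POLICY = [
    Rule("LAN", "*", None, "allow"),            # management PCs reach everything
    Rule("IOT", "DOCKERS", 32400, "allow"),     # IoT may reach Plex only
    Rule("IOT", "IOT", None, "allow"),          # IoT devices talk to each other
    Rule("IOT", "WAN", None, "allow"),          # IoT gets internet
    Rule("GUEST", "WAN", None, "allow"),        # guest gets internet, nothing else
    Rule("DOCKERS", "DOCKERS", None, "allow"),  # reverse proxy -> upstream containers
    Rule("DOCKERS", "WAN", None, "allow"),
    Rule("WAN", "DOCKERS", 443, "allow"),       # only the reverse proxy port is exposed
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the local subnets is WAN."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


def is_allowed(src_ip: str, dst_ip: str, port: int, policy=POLICY) -> bool:
    """Evaluate first-match rules for a connection; unmatched traffic is denied."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if (rule.src in ("*", src) and rule.dst in ("*", dst)
                and rule.port in (None, port)):
            return rule.action == "allow"
    return False


def audit(policy=POLICY) -> list:
    """Flag allow rules that let an untrusted zone into a trusted one on any port.

    Run this before adding a "just make it work" rule: a port-less allow from
    IOT, GUEST or WAN into LAN/DOCKERS defeats the segmentation entirely.
    """
    flagged = []
    for rule in policy:
        srcs = UNTRUSTED if rule.src == "*" else {rule.src}
        dsts = TRUSTED if rule.dst == "*" else {rule.dst}
        if (rule.action == "allow" and rule.port is None
                and srcs & UNTRUSTED and dsts & TRUSTED):
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    # Constructed checks for the goals stated in the post.
    checks = [
        ("IoT -> Plex", "192.168.20.5", "192.168.40.10", 32400),
        ("IoT -> Unraid mgmt", "192.168.20.5", "192.168.1.10", 443),
        ("Guest -> Plex", "192.168.30.7", "192.168.40.10", 32400),
        ("WAN -> reverse proxy", "203.0.113.9", "192.168.40.10", 443),
        ("WAN -> Plex direct", "203.0.113.9", "192.168.40.10", 32400),
    ]
    for label, s, d, p in checks:
        print(f"{label:22s} {'ALLOW' if is_allowed(s, d, p) else 'DENY'}")
    print("overbroad rules:", audit())
```

Running the script prints ALLOW or DENY for each constructed check. The rule of thumb it encodes is that IoT and WAN reach the Docker VLAN only on specific service ports (Plex, the reverse proxy), while management access to the Unraid box stays LAN-only; `audit()` returns an empty list for that policy and flags any later "allow all" shortcut from an untrusted zone. These rules only describe routed unicast traffic; link-local discovery such as mDNS, which the post handles with Avahi, travels a separate path and is not covered by them.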
