Designing a Home Network for Hostile Devices

Between everyone's PCs (4), Laptops (4), tablets (3), phones (4), servers (3), NAS (3), VM's (15+), managed switches (5), printers (3), security appliances (2, Cujo/Bit Defender Box), Toys (7, ex: Repurposed Barracuda Web Filter 210), VOIP phones (5), IP cameras (6), IOT, etc..I have well over 100+ connected devices on my phone network. I've found that relying on just one (or even two) layers of protecting just leaves you vulnerable (as I haven't found one box that does it all). Based on several functions I do that are impacted (VPN, Voip, etc...) I do not allow a double NAT situation in my network. So far that I at the core of the network is a Dell 6224 L3 switch as my core switch which handles VLAN routing. An HP 1810-48 port L2 switch for home runs back to the server closet. I found a number of devices don't work at all or very well if you have multiple hops. Also anything that handles large files/media I found I get better performance doing a direct run to the patch panel. Here are typically the steps I take on a new (non enterprise) network: 1. Identify and remediate what targets you have on your network. I am a big fan of nmap/zenmap, Nessus Home, NTOPNG and wireshark and yes there is a learning curve to some of these but well worth it I think. I also use NetCrunch Tools, Graphical Network Monitor, NetBeez. 2. Secure the endpoints. I typically have Bitdefender as the EP AV (although the Sophos Home suite is free and VERY nice) and Glasswire as a local firewall. 3. Secure. Deploy your firewall, IDS, IP blocker, Ad-blocker, etc... * 4. Setup reporting/alerts. 5. Test your setup. I'm currently running pfSense with Suricata (IDS) and pfblockerng /with DNSBL as my firewall/router/gateway. This was pretty easy to setup even to a non linux wiz like myself. I am looking to move away from pfSense b/c it's reporting/alerts leave a great deal to be desired. For example I would never have known that one of my Synology NAS boxes had opened up port 5000 and I was getting dozens of remote connection attempts every day. I currently have a Cujo security appliance. This was a bit more of a PITA to setup due to my network topology and I DO NOT recommend running it in DHCP mode (which hinders some features but can mess with a few things on your network). I'm currently using it as a last line of defense and reporting tool. It notifies me whenever it detects anything shady (which is how I got alerted to the port 5000 issue). BUT it is not feature complete yet and you get very little data/information currently so it's not a good primary solution. Additionally my DNS is currently handled on a different VM that is just running Pi-Hole. It was a bit wonky until I restarted the VM but EVERYONE loves how it kills just about 100% (so far) of all craptastic ads on websites. I really like the Sophos/Untangled UTMs for a number of reasons but I really want better AV at the core then available with pfSense. I also want to consolidate to one pane of glass and not have Bitdefender be the website net-nanny (one less place to manage from). I'm also in the process of deploying/playing with a Mikrotik hEX to my parents house as they are retired and non-technical and just need a simple low powered solution (they have been hacked once already). I haven't played with these units yet but based on performance reports they spank the EdgeRouter Lite's that everyone seems to love (and has a nice gui) so I'm excited about that. I also want to check out the netgate SG-1000 and maybe play around with a Beaglebone Black with simple iptables/nftables firewall.