Complex setup - am i doing it right?

Hey all, i've been an openwrt user from somewhat the beginning (kamikaze on Asus WL500gP) but i've complexified my setup quite a bit the last few days and i would like some advice on what i'm doing right/wrong, because... well... it's not easy.
First off: This is my home setup, so nothing corporate/special!
Lets start with the physical layout:

Now, my proxmox system:


and then the OpenWRT VM config itself:
image

And then obviously, i want to have my networks separated from eachother, except my own "internal" lan network, only for the trusted one, that can connect to all subnets. The camera network is also full of "call home" devices that obviously are not allowed to do so :slight_smile: ):

questions/issue that I have:
First and foremost:

  • Does my setup make sense? I know that theoretically putting a router on a VM is not considered best practice, but let's also stay somewhat realistic here.
  • Masquerade on WAN seems "logical"... but is it? shouldn't SNAT make more sense?
  • I have also added a Wireguard interface and put that in my LAN zone, to make my life easier, as i only want trusted people who can access my LAN, to access my VPN). Makes sense?
  • Everything seems to work well, except connecting from my LAN network to my proxmox management console if i put it on the management network (feels like asymmetric routing issue)
  • Maybe not the correct place to ask: Do i need these linux VLANs in proxmox? I don't feel like they serve a purpose, as i configure the interfaces on the VM "per VLAN" on the main bridge anyway.
  • Putting the LAN (my most sacred network) untagged also feels strange, however... i want this to "fail open" if something ever goes wrong and i have to "just plug in another router off the shelf"
  • I didn't configure the USB part where, in case the ISP messes up, I plug in my cellphone that then will be put in the WAN-group and as such provide the house of the required connectivity as a backup.

So there... long post. First post... please advise/tell me where i'm right, where i'm wrong and let us all learn from this! If you need more info/details, i'll obviously let you know.

Less related to OpenWRT: I also have a LXC context with adguard home available in all my subnets