Seconding that Ubiquiti Edgerouter if you want a mostly GUI-guided config. They're solid enough for gigabit internet in the better models, and the built-in firewall and tunneling options are good enough for most purposes -- the recent releases also let you install WireGuard, which is getting to be the preferred low-effort VPN solution for most platforms if you have a limited set of remote clients.
PFSense or OPNSense, which are based on FreeBSD, are also great if you have any remotely modern spare x64 computer lying around with two network ports.
IPv4 is purely outbound NAT; for IPv6 I have several subnets carved off that allow IPsec traffic to certain local hosts for some of my remote office setup, but I've mostly switched to using WireGuard from basically everything; it hits the Edgerouter and drops me onto a private v4 and real v6 space.
Works great for my phone and laptops from basically anywhere and tunnels all my traffic back to my homelab and then out to the internet again. I have WireGuard using UDP port 443 on v4/v6, which, now that QUIC is common enough, can tunnel out of every network I've tried, even normally hyper-anal corporate ones.
Locally I have a MikroTik switch with 10G fiber between my work machines and gigabit ethernet to the rest of the house, then a few Ubiquiti Unifi "semi-pro" APs for the house and back yard.
Primary storage host is running FreeBSD serving iSCSI from local ZFS RAID with consumer NVMe SSDs as cache on top of generic and easily replaceable SATA drives. I still have this IPv6-accessible with IPsec so I can basically treat it like local storage from all over the world, but I'll probably turn that off now that I'm using WireGuard nearly all the time (IPsec is faster since the tiny EdgeRouter processor isn't having to handle it).
It's pretty neat being basically "in your home office" from almost anywhere with decent internet.
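The full-tunnel-over-UDP-443 setup described above, written out as a wg-quick style server/client pair. This is an added example, not configuration from the post or from Ubiquiti; every key, address, prefix and the endpoint hostname is a constructed placeholder.

```ini
# Added example (not from the thread). Keys, addresses, prefixes and the
# endpoint hostname are constructed placeholders; substitute your own.

# ---- server side, e.g. /etc/wireguard/wg0.conf on the router ----
[Interface]
# Private v4 range plus a real (globally routable) v6 prefix for tunnel clients
Address = 10.66.0.1/24, 2001:db8:abcd:66::1/64
# UDP 443 so the tunnel rides through networks that only let HTTPS/QUIC out
ListenPort = 443
PrivateKey = <SERVER_PRIVATE_KEY_PLACEHOLDER>

[Peer]
# Laptop. On the server, AllowedIPs is both the source filter for packets
# arriving from this peer and the route table entry toward it, so keep it to
# the peer's own /32 and /128: one client then cannot claim another's address.
PublicKey = <LAPTOP_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.66.0.2/32, 2001:db8:abcd:66::2/128

[Peer]
# Phone
PublicKey = <PHONE_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.66.0.3/32, 2001:db8:abcd:66::3/128

# ---- client side, e.g. the laptop ----
[Interface]
Address = 10.66.0.2/32, 2001:db8:abcd:66::2/128
PrivateKey = <LAPTOP_PRIVATE_KEY_PLACEHOLDER>
# Resolve through the homelab rather than whatever network you are sitting on
DNS = 10.66.0.1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY_PLACEHOLDER>
Endpoint = vpn.example.net:443
# Full tunnel: all v4 and v6 traffic goes home first, then out to the internet
AllowedIPs = 0.0.0.0/0, ::/0
# Keeps the NAT/state entry open on restrictive networks
PersistentKeepalive = 25
```

Two things to check on the router side. The WAN-facing local ruleset (on an EdgeRouter this is usually the wizard's `WAN_LOCAL`, an assumption about your particular config) must accept UDP 443 to the router itself, and the v4 range needs to be included in the outbound masquerade. Because the clients hold globally routable v6 addresses, packets arriving from the internet toward that /64 must still pass the same inbound ruleset as the LAN (`WAN_IN` on a wizard config) or the phone and laptop end up reachable from anywhere the moment they connect.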
Great write-up and nice setup! I've been running Unraid on a fast box for my local storage host and using NFS and SMB with dismal performance. I'm looking at 10GbE and building up my cache pool, but as it stands it takes 40+ seconds for my laptop to mount and browse even a small share. I'm intrigued by ZFS + iSCSI; do you think it would give me some improvements over SMB?
Probably highly dependent on what you're doing with it and whether or not your SMB implementation supports the direct RDMA extensions.
In my case it's mostly because I tend to run VMs on various older semi-retired machines with limited or slow local storage that I only turn on when I need them, and VMware's VMFS is cluster-aware, so it really doesn't matter which hypervisor is the one I end up spinning it up on.
I haven't dealt with Unraid specifically but there are a lot of caching and network parameters that can wildly affect performance -- VMware for example wants to do synchronous writes on network storage for obvious reasons, and having a safe write-cache and large transfers with enough in-flight commands can make a night and day difference.
If you're primarily just using NFS/SMB as file shares then getting iSCSI working probably isn't going to be a good use of your time versus figuring out why the existing setup behaves that way -- Samba and SMB performance tuning can be a frustrating experience but iSCSI is far more opaque and inscrutable on Windows particularly.
USG and PoE switch are on my short list to increase the functionality of my single Unifi AP AC Lite that covers my apartment very well. I'd like the WireGuard option and to sort out how to redirect my laptop back to my home network for simple management. At the moment I just connect to a VM using Chrome Remote Desktop and remote out to systems from there.