Network architecture (semi-noob) questions/advice, please?


ErniePantuso

New Member
Aug 24, 2022
7
3
3
I apologize in advance for the length of the following. If you take the time to read it, know that I very much appreciate your time and consideration! :)

I'm going from an inexpensive, consumer-grade (mesh WiFi) network to a fully managed home network with pfSense, a managed switch, and managed APs. There's a lot that I don't understand yet, but I want to learn, so I'm not looking to "keep it simple". I want the challenge; I want to do things (that make sense) in my home network that would emulate the things I'd be doing in an enterprise environment. My goals, here, are to build a solid, secure home network while learning some sysadmin skills in the process.

Here are the functional areas of my network...
  • Home segment - primarily my/wife's iPhones and iPads
  • Infrastructure/(network) management/admin
  • Work segment - I'll be getting a remote job. I want to isolate work stuff from everything else, primarily so that a security breach in one of my networks doesn't make it to my employer's network, but also for the sake of my own privacy.
  • Guest segment - internet access for visitors to my house who should have little or no access to anything inside my home. I plan to use the same SSID and password that I've been using for my simple home network so that previous visitors will transparently have access to the internet without needing to ask me for the new SSID and password.
  • Homelab - a variety of servers and clusters (bare metal, VMs, and containers) providing several services (NextCloud, etc.) that are available to me both inside the home and (some, such as Emby, will be shared) outside the home as well as specific network environments for learning various stuff. I'll be playing around with/learning a lot of different things, here, and I don't want some stupid mistake (or getting hacked because I'm exposing some of my servers to the internet) to impact other areas of my network. I will, of course, be implementing plenty of security measures but I may make mistakes that leave my homelab network vulnerable.
  • IoT - Alexa, smart plugs, switches, bulbs, lock, thermostat, etc. - all controlled by Home Assistant, most needing internet access, most having a high risk of being compromised. Over time, I hope to install new firmware on many of these devices so that they don't need internet access. I may, at that point, want to have an IoT-local segment...
  • Security/surveillance - currently just a few Wyze cameras on WiFi. I'd like to move toward a MotionEye or Blue Iris system using wired cameras that don't need internet access, but for now my cameras need internet access.
  • Media - a few Roku devices and an Emby server - I don't think the Rokus have much of a risk profile but since the Emby server will be exposed to the internet, I think I'm going to want to isolate this segment as much as possible.
So, my questions are...
  1. For separating/securing these segments, should I use subnetting, VLANs, both? - are there dis/advantages for each?
  2. Am I overthinking/over-complicating the segmentation? Should I combine (e.g.) the IoT and security/surveillance segments? Or others?
  3. How do I allow nodes on one segment access to nodes on other segments (i.e. nodes that are less secure/higher risk) while minimizing the extra risk introduced? Examples would be allowing Home Assistant on the IoT segment to access camera feeds from the Security/surveillance segment, accessing the Home Assistant dashboard on the IoT segment from my iPad on the home segment, or allowing my iPhone on the home segment to cast to a Roku on the media segment.
  4. Thinking about the above examples, can I allow traffic in one direction (e.g. casting from my iPad to a Roku), while disallowing any traffic in the other direction? Is that even workable since there's an initial handshake required for casting?
  5. To the extent that Home Assistant is going to be really important (providing lots of home automation services that my wife and I will come to depend on), I'll want to protect it, as much as possible, from hacking. Should I move it to my home segment so it's not exposed to the security risks of all that Chinese firmware? If I did, how would HA control (and get information from) all those devices? And if it's not practical to move the HA controller to a different segment, what can I do to give it some extra protection from all those risky IoT devices?
  6. Should containers in my homelab have their own subnet/VLAN? Assuming I want to create a network environment (for learning) - potentially utilizing containers on more than one host, can I put containers on separate/different (maybe even multiple) segments?
  7. Would a lot of the above issues correlate to issues that I'd face in a corporate networking environment or should I just simplify in certain areas since there's no real learning opportunities there?
  8. Are there questions I should be asking that I don't even know to ask yet?
If you've read this far, you're awesome! Again, thank you for your time and consideration
 

altmind

Active Member
Sep 23, 2018
285
102
43
2. I think that yes, like most homelabbers you are overcomplicating things. I would create one extra VLAN for WiFi guest and for untrusted, ad-ridden IoT devices (Alexa, smart TVs) and that's it.
4. Yes, you can control SYN packets (and allow ESTABLISHED) to filter which side initiates the connection.
7. Yes, corporate is VLAN heavy. But corporate has 100x more reasons to segment their network compared to a home user using his own network.

If you are not looking for keep-it-simple advice, I say that you are on your own to make some overcomplicated mess only to redo everything every 2 weeks.
 

ErniePantuso

New Member
Aug 24, 2022
7
3
3
Thanks so much for reading my post, altmind! I really appreciate your time and advice. I’ll take everything you said under consideration.

2. I think that yes, like most homelabbers you are overcomplicating things. I would create one extra VLAN for WiFi guest and for untrusted, ad-ridden IoT devices (Alexa, smart TVs) and that's it.
4. Yes, you can control SYN packets (and allow ESTABLISHED) to filter which side initiates the connection.
7. Yes, corporate is VLAN heavy. But corporate has 100x more reasons to segment their network compared to a home user using his own network.

If you are not looking for keep-it-simple advice, I say that you are on your own to make some overcomplicated mess only to redo everything every 2 weeks.
Yeah, it seems like making an over complicated mess is what I need to do. But each time I have to redo everything, I learn something, right? Maybe several things. And eventually I’ll get it perfect, having learned lots along the way! :)
 

Drewy

Active Member
Apr 23, 2016
208
56
28
54
I confess, I go pretty much with Ernie's first suggestion. Devices I don't trust much go on their own VLAN (even per vendor) and are L3 routed with ACLs. Stuff I really don't trust at all goes on its own VLANs that are also firewalled with OPNsense.
 

ErniePantuso

New Member
Aug 24, 2022
7
3
3
I confess, I go pretty much with Ernie's first suggestion. Devices I don't trust much go on their own VLAN (even per vendor) and are L3 routed with ACLs. Stuff I really don't trust at all goes on its own VLANs that are also firewalled with OPNsense.
Thanks for the input, Drewy! Any thoughts on my segmentation scheme? And why do you use VLANs over just subnetting?
 

Sean Ho

seanho.com
Nov 19, 2019
775
357
63
Vancouver, BC
seanho.com
Separate subnets on the same broadcast domain (VLAN) can still trivially reach each other. Subnetting is to guide routing decisions; VLAN separation is to isolate traffic. But don't rely solely on VLANs for internal security. The host/VM running HA can also have its own software firewall, virtual network rules, etc. And of course ensuring no non-essential services (e.g., exim) are running on hosts or VMs.

Inter-VLAN traffic would go via a router, which you'd probably want to configure as default deny, only allowing specified traffic across. Many IoT services, including Roku, rely on mDNS, so you may want avahi to forward between VLANs. If there is high-bandwidth inter-VLAN traffic (perhaps the cams if there are many), you might consider putting the NVR (BlueIris et al.) on the same VLAN as the cams, or using an L3-capable switch to do the routing in hardware.
 
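As an added illustration of two points made above (altmind's answer 4, that you filter on which side sends the SYN and then allow ESTABLISHED traffic, and Sean Ho's default-deny inter-VLAN router), here is a small Python model of a stateful inter-VLAN filter. It is example code written for this edit, not code from either poster, pfSense or OPNsense; the segment addressing, hosts and ports (Roku ECP on 8060, Home Assistant on 8123, RTSP on 554) are assumed for the illustration. It shows that "iPad may cast to the Roku" can be expressed as "home may initiate to media" while the Roku's replies still flow back, and that a Roku trying to open a connection into the home segment is dropped.

```python
"""Toy stateful inter-VLAN filter: default deny, allow by initiation direction.

Hypothetical example for this thread; addresses, zones and ports are assumed.
"""
import ipaddress
from dataclasses import dataclass

# One /24 per VLAN (assumed addressing); the router sees traffic between them.
ZONES = {
    "home":  ipaddress.ip_network("10.0.10.0/24"),
    "iot":   ipaddress.ip_network("10.0.20.0/24"),
    "cams":  ipaddress.ip_network("10.0.30.0/24"),
    "media": ipaddress.ip_network("10.0.40.0/24"),
}

# Which side may *initiate* a connection: (from_zone, to_zone, proto, dst_port).
# None for dst_port means any port. Anything not listed is denied by default.
# Replies belonging to a tracked connection are accepted automatically
# (the "allow ESTABLISHED" half of the rule).
ALLOW_NEW = [
    ("home", "media", "tcp", None),   # iPad -> Roku (casting / control)
    ("home", "iot",   "tcp", 8123),   # iPad -> Home Assistant dashboard
    ("iot",  "cams",  "tcp", 554),    # Home Assistant -> camera RTSP feeds
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False   # TCP SYN without ACK == attempt to open a new connection
    ack: bool = False


def zone_of(ip):
    """Map an address to its VLAN name, or None (e.g. multicast, unknown)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


class StatefulFilter:
    def __init__(self):
        self.conntrack = set()   # direction-independent keys of accepted flows

    @staticmethod
    def _key(pkt):
        # Sort the two endpoints so a reply maps to the same key as its request.
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (pkt.proto,) + tuple(sorted([a, b]))

    def _new_allowed(self, pkt):
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        for fz, tz, proto, port in ALLOW_NEW:
            if (fz, tz, proto) == (src_zone, dst_zone, pkt.proto) \
                    and port in (None, pkt.dport):
                return True
        return False

    def process(self, pkt):
        key = self._key(pkt)
        if key in self.conntrack:
            return "ACCEPT(established)"
        # For TCP only a bare SYN opens a flow; UDP has no handshake, so any
        # first packet counts as "new" and is judged against the policy.
        is_new = pkt.proto != "tcp" or (pkt.syn and not pkt.ack)
        if not is_new:
            return "DROP(no state)"   # stray ACK/SYN-ACK with no tracked flow
        if self._new_allowed(pkt):
            self.conntrack.add(key)
            return "ACCEPT(new)"
        return "DROP(policy)"         # default deny


def demo():
    """Run a constructed packet trace through the filter; returns the verdicts."""
    fw = StatefulFilter()
    ipad, roku, ha, cam = "10.0.10.5", "10.0.40.7", "10.0.20.2", "10.0.30.9"
    trace = [
        Packet(ipad, roku, "tcp", 50001, 8060, syn=True),            # open cast session
        Packet(roku, ipad, "tcp", 8060, 50001, syn=True, ack=True),  # Roku's SYN-ACK reply
        Packet(roku, ipad, "tcp", 40000, 22, syn=True),              # Roku probing the iPad
        Packet(ha, cam, "tcp", 40123, 554, syn=True),                # HA pulls RTSP feed
        Packet(cam, ha, "tcp", 554, 40123, syn=True, ack=True),      # camera's reply
        Packet(cam, ipad, "tcp", 41000, 8123, syn=True),             # camera -> home segment
        Packet(roku, ipad, "tcp", 8060, 50002, ack=True),            # ACK with no tracked flow
        Packet(ipad, "224.0.0.251", "udp", 5353, 5353),              # mDNS query (link-local multicast)
    ]
    return [fw.process(p) for p in trace]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last packet shows why Sean Ho mentions Avahi: an mDNS query is sent to a multicast address that belongs to no zone, so a router with a default-deny policy never forwards it (and link-local multicast is not routed in any case), which is why Roku and similar discovery only works across VLANs with a reflector. Real firewalls differ in detail (pf and nftables also time out state entries and check sequence numbers), but the allow-SYN-one-way-plus-ESTABLISHED logic is the same.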

ErniePantuso

New Member
Aug 24, 2022
7
3
3
Wow! Thank you, Sean Ho! I’m going to have to read that about 20 more times before I can understand it all but I sure appreciate your time, assistance, and advice!
 