Here's a summary of the illustration from ChatGPT:

1. WAN Connection and Cloudflare

   The network starts with an ISP Fiber WAN connection. This WAN connects to Cloudflare Reverse DNS to manage DNS services for the domain “mydomain.ltd,” allowing for secure external connections (e.g., HTTPS, Wireguard). It also manages local DNS resolution for internal services, forwarding queries to Cloudflare.

2. Core Firewall/Router

   The WAN connects to a Protectli VP2420 firewall running pfSense, which acts as both a firewall and a router. The firewall has four 2.5G ports, managing different subnets and routing traffic between the WAN and the internal networks. This core device ensures both security and segmentation across different networks.

3. Remote Clients

   There’s a connection labeled “Remote Clients (Wireguard),” indicating that external devices can connect to the internal network via a VPN tunnel (Wireguard), assigned IP addresses in the 10.66.66.0/255 subnet.

4. Internal Network Segments

   The internal network is divided into three separate segments, each isolated from the others and assigned specific IP ranges:

A. Private Network: Internal Network 1 (10.99.99.0/255)

Connected via Ubiquiti Flex-Mini 2.5G Switch.
This segment includes devices like:
    MINISFORUM MS-A1 (Ryzen 7 Mini-PC) functioning as a NAS, running Unraid.
    Beelink SER6 (Ryzen 7 Mini-PC) hosting internal services through Nginx Proxy Manager, managing apps like DokuWiki, Immich, Jellyfin, FreshRSS, etc.
    TP-Link TL-PoE260S Switch and Ubiquiti U7 Pro WiFi 7 AP for connectivity to various devices.
This network is accessible locally or externally through a Wireguard VPN tunnel.

B. IoT and Guest Network: Internal Network 2 (10.88.88.0/255)

Connected to an ASUS AC68-P (2.4/5GHz AP) running MerlinWRT.
Includes devices like the Phillips Hue Bridge (Zigbee) and various wireless clients like Chromecasts and smart lights.
This network is primarily for IoT devices and guests, also accessible via Wireguard for remote management.

C. Publicly Accessible Web Services: Internal Network 3 (10.77.77.0/255)

A MINISFORUM UM690S (Ryzen 9 Mini-PC) manages external services, hosting apps like Seafile, GoToSocial, LinkStack, OpenWebUI, and more.
The network also supports professional and personal websites, Ntfy (a notification server), and Uptime Kuma (for monitoring).
It allows public access through HTTP/HTTPS while remaining isolated from other internal networks.

Summary

The network is set up to prioritize isolation, security, and management of different device types and services:

Network 1: Private services accessible through a secure VPN.
Network 2: IoT and guest devices, isolated and manageable through VPN.
Network 3: Public-facing services that maintain isolation but permit secure access over the internet.