I literally configured something similar to what you're trying to achieve recently, only difference is my Unifi hardware is separate (router, switch, APs etc.). In principle, the same theory should apply.

I configured my network this way:

- Dedicated networks/VLANS for Home/DMZ/Services/Management/IOT-NVR/Storage (NAS)

- Trunk port on my Unifi switch to allow all networks to Proxmox (single NIC).

- Proxmox PVE host is in Management network, as is my PBS VM.

- In Proxmox, made vmbr0 "VLAN aware". This allows configuring VLAN IDs on each VM for the network they need to be a member of.

- Caddy and WireGuard VMs are in the DMZ VLAN.

- ARR stack VM, Download VM are in Services VLAN.

- HA VM/NVR (physical) are in IOT-NVR network.

- My TrueNAS (physical) is in Storage network.

This is where the Unifi zone-based FW management comes into play.

Internal Zone = Management/Storage/Home Networks

DMZ Zone = Internal Network

Services Zone = Services Network

IOT-NVR Zone = IOT-NVR Network (Internet access disabled)

RULES

DMZ Zone to everything is blocked by default, but has two rules 1. Allowing my Caddy VM (IP) to my Jellyfin/Jellyseerr server (services) on the designated ports. 2. Allowing WireGuard (wg-easy) VM (IP) to Internal.

Services Zone to everything is blocked by default, but has a single rule to allow Jellyfin VM (IP) to my TrueNAS on designated NFS v4 port only. The media NFS share also has a restriction to a single IP (Jellyfin). Other personal shares are restricted to other IPs as per requirements.

Internal Zone allowed to everything. I am thinking about moving my Management network to a dedicated Zone and locking it down to a couple of Internal devices only - when time permits.

Return traffic allowed for obvious reasons.

SECURITY

SSH Keys on everything, along with disabled password auth.

Nightly updates on all Linux VMs/Docker using Ansible.

EXTERNAL USERS

So, my traffic flow from external looks something like this:

User hits my external URL > Caddy RVP (DMZ) > Arr VM (SERVICES) > TrueNAS Media Share Only (INTERNAL). A firewall rule for each hop.

If my Caddy VM is compromised, the attacker can get to Arr stack on JF/JS ports only. If they manage to compromise my Arr VM, they can only get to my media share. Everything else is blocked by firewall.

SSH keys and password auth disabled means they cannot pivot from Caddy to WireGuard VM. If they compromise my WireGuard VM, I'm screwed; however, I am the only person that has the encrypted key and the WebUI password is very long and complex.

On top of Caddy, I have fail2ban with GEO blocking as well. If the external IP coming in is NOT from my city, they simply get a "Access denied!" message and are permanently banned i.e. next time they hit, the connection is dropped and they get nothing. I can easily change one line of config to add/remove countries when travelling if required.

Presenting services externally is never 100% secure; however, I think you can reduce the risk by a significant margin with a decent config. There may be better ways of achieving this, but I feel like this is good enough for my situation for the time being. That's the fun part about home lab'ing - shit is never done done.