For an actual router, I run OPNsense in a VM (on the same box as HA, funnily enough). My server has dual 10 gig ports, so I pass through one of them to OPNsense and run it as a "router on a stick", where the basic internal network is the untagged VLAN, and the public side is VLAN 99. My switch then strips the VLAN 99 tag from the packet before sending it to the cable modem, and vice-versa. My switch is https://mikrotik.com/product/crs328_24p_4s_rm, which was $379 in 2018. However, you can get similar functionality from MUCH cheaper microtik or unifi/ubiquity switches if you don't need 10 gig support.
If you're starting from scratch I might get something like https://store.ui.com/collections/unifi-network-unifi-os-cons..., and an el cheapo dumb switch, as long as it'd pass through vlan tagged traffic. You want anything that's crossing a vlan boundary to end up on the router anyway, so you can apply firewall rules to it.
Do you feel that using a virtualized router with other things on the box puts you at greater risk? I.e. you're putting an awful lot of eggs in that one basket. I've considered setting that up before but shied away from it.
Availability risk? Sure, but that's 99.9% my own doing (constant experiments, etc)
Security risk? Not in the slightest. I'm running an up to date proxmox which is just KVM+QEMU with some scripting and a website on top, basically. I know how to setup IOMMU groups and such. If it's good enough for the big cloud providers, it's good enough for me.
Yeah primarily I'm concerned with availability. I have a "production" hypervisor now with all of the household services running on it that I've promised my spouse I wouldn't mess around with which cuts off one avenue of experiments.
Yes, the Unifi OS console they talk about is similar to the Unifi controller that you can run standalone on your desktop. It'll handle the adoption, handoff coordination, everything you need.
The Ubiquiti Access Point AC Mesh Pro[0] (~$200) appears to support multiple SSIDs and VLANs. Of course you'd need at least two of them to count as a "mesh", which is $400… was your $500 budget per access point or for the whole system (and if so, for how many APs)?
2 will cover my needs. Do they actually work like a mesh? As in use backhaul radio to communicate between them and allow seamless switch from one to another as you travel around your home?
Yes, this model supports Wireless Uplink with Plug & Play Mesh:
> Wireless Uplink functionality enables wireless connectivity between APs for extended range. One wired UniFi AP uplink supports up to four wireless downlinks on a single operating band, allowing wireless adoption of devices in their default state and real-time changes to network topology. For devices that support Plug & Play Mesh, this functionality is extended to allow multi-hop wireless uplink – so wirelessly uplinked APs can support uplink to other wirelessly uplinked APs.
