Resiliency in place and complete. Zero single point of failure on the network apart from the switch and cable going to the device.
Storage upgraded to TrueNAS: encrypted ZFS file system, loads of solid-state caching, logging read-ahead and write-behind, alongside handling dedupe for spinning rust.
Mail server currently running on the QNAP NAS, moving into a new VLAN. Sensitive data to be removed from the QNAP NAS, living only in TrueNAS and encrypted cloud backup. Copies of data as encrypted archives only are left on the QNAP for DR, with removal of 50% of the disks from it. Boring, non-sensitive stuff only to remain on it. Mail service will be moved from it in time.
Native VLAN is where the internal traffic from us lives. It is in the SOHO security zone and is protected from the other zones inbound. It can talk to them, they may not to it.
102, the IoT network, goes out to the Internet via an intrusion detection and prevention system. It's in a different VRF from everything else, so from its point of view the rest of the LAN doesn't exist.
105, Guest, is also its own VRF. The traffic goes via both local intrusion detection and then a cloud-based Secure Web Gateway. DNS is snooped to assist with identification.
106 will be a management network. Security policy to be confirmed.
107 is a lab network. The only thing on it right now is a router that sits in between the interface and a sinkholed 'dirty' network. I don't want the stuff behind that router trying to chat to devices in the 107 network, so they can't.
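The zone and VRF rules in the list above boil down to two separate controls: a routing view per VRF (an isolated VRF simply has no route to the rest of the LAN) and a stateful, deny-by-default policy on new connections (the native zone may initiate to the others, and only reply traffic comes back). The following is an added example that models exactly that, not configuration from the author's network; the zone names, the "dirty" zone behind the lab router, the sample addresses and the management policy (treated here as deny-by-default because the post says it is still to be confirmed) are all assumptions.

```python
"""Stateful zone/VRF policy model for the VLAN layout described above.

Added example, not the author's configuration: zone and VRF names are taken
from the post, the "mgmt" and "lab" policies are assumptions (deny-by-default),
and all addresses are constructed.
"""
from dataclasses import dataclass

INTERNET = "internet"

# Zone -> VRF. Native (soho), management and lab share the main VRF; IoT and
# Guest each sit in their own VRF. "dirty" is the sinkholed network behind the
# router on VLAN 107 (constructed name).
ZONE_VRF = {
    "soho": "main",     # native VLAN
    "mgmt": "main",     # VLAN 106
    "lab": "main",      # VLAN 107
    "dirty": "main",    # behind the lab router
    "iot": "iot",       # VLAN 102
    "guest": "guest",   # VLAN 105
}

# Routing view per VRF: which zones exist at all from that VRF's point of view.
# The isolated VRFs only know about themselves and the Internet.
VRF_ROUTES = {
    "main": set(ZONE_VRF) | {INTERNET},
    "iot": {"iot", INTERNET},
    "guest": {"guest", INTERNET},
}

# Zone policy for NEW connections; any pair not listed is denied.
NEW_ALLOWED = {
    "soho": set(ZONE_VRF) | {INTERNET},  # native may initiate to every zone
    "iot": {INTERNET},                   # Internet only (via IDS/IPS)
    "guest": {INTERNET},                 # Internet only (IDS, then cloud SWG)
    "mgmt": set(),                       # policy to be confirmed: deny (assumption)
    "lab": set(),                        # nothing stated for lab egress (assumption)
    "dirty": set(),                      # sinkholed: may not reach 107 or anything
}


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    sport: int
    dport: int


class ZoneFirewall:
    """Deny-by-default and stateful: only the initiating side's policy matters."""

    def __init__(self):
        # (src_ip, sport, dst_ip, dport) of every new connection we allowed.
        self._flows = set()

    def process(self, pkt: Packet) -> str:
        # Reply traffic for a flow already allowed passes in either direction,
        # which is what lets IoT answer the native zone without a route of its own.
        if (pkt.dst_ip, pkt.dport, pkt.src_ip, pkt.sport) in self._flows:
            return "allow (established)"
        # No route from the source VRF: the packet never reaches the policy stage.
        if pkt.src_zone != INTERNET:
            if pkt.dst_zone not in VRF_ROUTES[ZONE_VRF[pkt.src_zone]]:
                return "deny (no route in VRF)"
        # Zone policy for a new connection.
        if pkt.dst_zone in NEW_ALLOWED.get(pkt.src_zone, set()):
            self._flows.add((pkt.src_ip, pkt.sport, pkt.dst_ip, pkt.dport))
            return "allow (new)"
        return "deny (policy)"


def run_scenario() -> dict:
    """Push a handful of constructed flows through the model and collect verdicts."""
    fw = ZoneFirewall()
    return {
        # native opens a connection to an IoT device, and the device replies
        "soho->iot new": fw.process(Packet("soho", "iot", "10.0.1.10", "10.0.102.20", 40001, 8443)),
        "iot->soho reply": fw.process(Packet("iot", "soho", "10.0.102.20", "10.0.1.10", 8443, 40001)),
        # an IoT device trying to start a conversation with the native zone
        "iot->soho new": fw.process(Packet("iot", "soho", "10.0.102.20", "10.0.1.10", 5555, 22)),
        "guest->iot new": fw.process(Packet("guest", "iot", "10.0.105.7", "10.0.102.20", 5556, 80)),
        "iot->internet": fw.process(Packet("iot", INTERNET, "10.0.102.20", "203.0.113.5", 5557, 443)),
        "internet->soho new": fw.process(Packet(INTERNET, "soho", "198.51.100.9", "10.0.1.10", 5558, 22)),
        "dirty->lab new": fw.process(Packet("dirty", "lab", "192.0.2.66", "10.0.107.2", 5559, 22)),
        "mgmt->soho new": fw.process(Packet("mgmt", "soho", "10.0.106.3", "10.0.1.10", 5560, 445)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:22s} {verdict}")
```

The point of separating `VRF_ROUTES` from `NEW_ALLOWED` is that the two controls fail differently: a policy rule can be mis-ordered or accidentally widened, but an isolated VRF denies by having no route at all, so a flow from IoT or Guest towards the native zone is dropped before any policy is consulted. Checking established flows first is what makes "it can talk to them, they may not to it" work in practice.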