I've been told that I should put my IoT devices on a separate VLAN from everything else, but what other steps can I take to make sure that my devices don't get hacked? Note: I will be using a dedicated wifi router for my IoT and hooking that up (on it's own VLAN) to a OPNsense firewall server. I'm using a dedicated router for this because 1. I have an extra one and 2. my IoT requires both wifi and ethernet connections. Right now Google is controlling my IoT but I hope to set up my own app for it at some point.

One perk that someone told me about is that you can use your domain to get around not having a static IP (because the DNS will compensate). If I were to get a Cloudflare domain name then what would be some other pros and cons?

I know that this is not the TrueNAS subreddit, but I wanted to get a fresh "outside of the box" opinion that might not be possible to get over there. I don't really know much about networking, but I do know that ideal networks would theoretically have a single server perform a single task (ie web/email/file storage) and that each server would have a firewall server between them. TrueNAS throws this out of the window because you can pretty much host everything together. My question is to ask you guys what best security practices could be implemented (other than keep everything patched/updated frequently) if I were to try to run NextCloud and Navidrome and Jellyfin. What threat mitigation tactics could I use inside and outside of this system to have reasonable security? The apps I listed seem to have pretty good support in TrueNAS Core, but maybe I should consider separate servers? I wanted to add that I have a [Sophos XG 115](https://www.corporatearmor.com/sophos-xg-115/) that I will be putting OPNsense on and learning how to configure, and I have various Linksys routers that I can throw OpenWRT on too.