Best protection setup for encrypted traffic? Best network segmentation?

Started by Default4408, October 17, 2024, 06:08:24 AM

Hello, I'm new to firewalls and have a few questions.

1. I run a commercial VPN locally on my devices and use encrypted DNS (DoH & DoT). Since my traffic is encrypted, what free and open source tools and settings are recommended to fortify my network's security? From my understanding, IDS/IPS and next gen firewall solutions aren't useful with encrypted traffic and getting them to work with a VPN is complicated and prone to issues. Are there any other tools or settings that are recommended?

2. What method is the recommended method to segment the LAN and OPT1 interfaces so that LAN can communicate with OPT1 but OPT1 can't contact LAN? I plan on reserving OPT1 as a guest/untrusted network and assume this is the optimal setup. Please correct me if I'm wrong.

Any input is much appreciated!

I can't answer question 1, but as to question 2 I would say you'd want to use a firewall rule on LAN that lets all LAN net sources reach OPT1 network ports, but on the OPT1 firewall inbound rule you'd only have the OPT1 network source be able to reach an inverted alias for RFC1918 addresses. Or perhaps another method you'd like to have OPT1 reach the internet in the firewall that doesn't let it reach the LAN net.
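The two rules in the reply above, modelled as a first-match policy so their effect can be checked before committing them (an added example; this is not OPNsense configuration nor the poster's own rules, and the 192.168.1.0/24 LAN, 192.168.50.0/24 OPT1 and 203.0.113.5 "internet" addresses are constructed sample values):

```python
"""First-match model of LAN -> OPT1 allowed, OPT1 -> LAN denied.

The interesting part is the OPT1 rule: its destination is the *inverse*
of an RFC1918 alias, so OPT1 hosts may reach public addresses only and
every private network (LAN, the firewall's own addresses, anything else
on 10/8, 172.16/12, 192.168/16) falls through to the default deny.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed sample addressing (assumption, not taken from the thread).
LAN_NET = ip_network("192.168.1.0/24")
OPT1_NET = ip_network("192.168.50.0/24")

# The RFC1918 alias; "inverted" means the rule matches when dst is NOT in it.
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Rule:
    iface: str                  # interface the packet arrives on (inbound rule)
    src: IPv4Network            # permitted source network
    dst: list                   # destination networks making up the alias
    invert_dst: bool = False    # True: match when dst is outside the alias
    action: str = "pass"

    def matches(self, iface: str, src: IPv4Address, dst: IPv4Address) -> bool:
        if iface != self.iface or src not in self.src:
            return False
        in_alias = any(dst in net for net in self.dst)
        return in_alias != self.invert_dst


RULES = [
    # LAN rule: LAN net may initiate to the OPT1 net (replies ride on state).
    Rule("LAN", LAN_NET, [OPT1_NET]),
    # OPT1 rule: OPT1 net may initiate only to non-RFC1918 destinations.
    Rule("OPT1", OPT1_NET, RFC1918, invert_dst=True),
]


def evaluate(iface: str, src: str, dst: str) -> str:
    """Return the action of the first matching rule, or the default deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in RULES:
        if rule.matches(iface, s, d):
            return rule.action
    return "block"


def main() -> None:
    cases = [
        ("LAN", "192.168.1.10", "192.168.50.20"),   # LAN -> guest: pass
        ("OPT1", "192.168.50.20", "192.168.1.10"),  # guest -> LAN: block
        ("OPT1", "192.168.50.20", "203.0.113.5"),   # guest -> internet: pass
        ("OPT1", "192.168.50.20", "10.0.0.5"),      # guest -> other private: block
        ("OPT1", "192.168.50.20", "192.168.50.1"),  # guest -> firewall's OPT1 IP: block
    ]
    for iface, src, dst in cases:
        print(f"{iface:5} {src:15} -> {dst:15} {evaluate(iface, src, dst)}")


if __name__ == "__main__":
    main()
```

The model contains only the two rules the reply describes; LAN's own internet access comes from whatever general LAN rule already exists and is outside this model. The last test case is the practical caveat of the inverted alias: the firewall's own OPT1 address is RFC1918 too, so guests cannot reach a DNS resolver running on the firewall unless a separate rule permitting that specific address and port is placed above the inverted-alias rule.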