Guidance on architecture setup: IoT DMZ with OpenWRT

Hi folks,

I’m essentially a n00b here, having had a crack at HA/HA-OS on a few different platforms, including RasPi & baremetal x86-64, etc, to get more familiar with the stack(s).

I’ve finally managed to lay my hands on a NUC, popped on the Supervisor OS & am setting it up from scratch.

I’m quite familiar with OpenWRT & its ilk. My LAN is pretty basic & presently consists of pfSense & Ubiquiti gear.

I’m planning on treating all my IoT nodes as hostile, planning on setting up an OpenWRT box for a dedicated network for this stuff & running them in isolation mode, and then the NUC/HA-OS as a gateway to control devices & the flow of data to the WAN (probably a separate interface/vLAN on my pf router).

So the back-of-envelope topology may look something like:

WAN <-> pfSense WiFi-AP ((<-vLAN?->)) HA-OS NUC <-GBE-> OpenWRT-AP ((<->)) IoT nodes

So on the HA-OS NUC, my WiFi interface would be my ‘WAN’ & ethernet my ‘LAN’, as I may place the physical box elsewhere on my premises for better node connectivity.

An alternative layout to the above may be to use my OpenWRT-AP as my ‘DMZ’ gateway & have my HASSio-NUC as a client of that:

WAN <-> pfSense WiFi-AP ((<-vLAN?->)) OpenWRT-AP <-GBE-> HA-OS NUC ((<->)) IoT nodes

This is a little round-about, but it means I don’t need to mess around too much with setting up low-level routing on the HA-OS NUC & can let the OpenWRT-AP handle that & other networking tasks. The down-side is that explicitly controlling traffic may be a little trickier, as the HA-OS NUC is no longer my bottleneck for filtering.

So I guess this is more around the question of whether this makes sense?
Just wanna bounce some ideas around before heading too far down a dead-end.