First, thank you very much for all the work you put into this. Everything appears to be nicely researched, and it serves incredibly well as a crash course into the ER line (which I certainly needed).
There's something towards the end I was curious about--is there any particular reason that traffic from the IOT + Guest VLANs needs to be filtered in HOME_OUT? Judging by the diagram, if WIRED_IOT_IN (as an example) had a default accept + rules to drop new packets destined towards secure subnets, you'd eliminate a fair amount of packet pushing. It also seems to answer the question/issue at the bottom of page 68; you could do away with HOME_OUT entirely, and the vast majority of other traffic wouldn't be penalized. I may very well be missing something obvious that creates the need for rules on the _OUT side, though.
Similarly, for the question on page 64, I assume it's because invalid packets are an exception, rather than the norm; they'll never match the accept, and the priority should be getting the other 99% of legitimate traffic to its destination. Granted you're only looking at one extra rule in this particular instance, but an extra check is an extra check.
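The layout the comment proposes (a default-accept ruleset applied in the `in` direction on the IoT VLAN, with explicit drops for new connections toward the secure subnets, so that no `_OUT` ruleset on the home interface is needed) would look roughly like the following EdgeOS configure-mode commands. This is an added illustration, not the guide's or the commenter's own configuration; the interface `eth1` with VLAN `30`, the network-group name `SECURE_NETS`, the subnet `192.168.10.0/24` and the ruleset name `WIRED_IOT_IN` are all assumed values and must be replaced with those of the actual deployment.

```text
configure

# Assumed: every subnet that IoT devices must not reach goes into one network-group,
# so the single drop rule below covers all of them and new subnets only need adding here.
set firewall group network-group SECURE_NETS description "Subnets protected from IoT"
set firewall group network-group SECURE_NETS network 192.168.10.0/24

# Default accept: anything not matched below (e.g. IoT to WAN) is allowed through.
set firewall name WIRED_IOT_IN description "IoT VLAN to everything else"
set firewall name WIRED_IOT_IN default-action accept

# Rule 10 first: the bulk of packets belong to existing flows and stop evaluating here.
set firewall name WIRED_IOT_IN rule 10 action accept
set firewall name WIRED_IOT_IN rule 10 description "Allow established/related"
set firewall name WIRED_IOT_IN rule 10 state established enable
set firewall name WIRED_IOT_IN rule 10 state related enable

# Rule 20 after the accept: only the rare invalid packet is checked against it.
set firewall name WIRED_IOT_IN rule 20 action drop
set firewall name WIRED_IOT_IN rule 20 description "Drop invalid"
set firewall name WIRED_IOT_IN rule 20 state invalid enable

# Rule 30: block IoT-initiated connections into the protected subnets.
set firewall name WIRED_IOT_IN rule 30 action drop
set firewall name WIRED_IOT_IN rule 30 description "Drop new connections to secure subnets"
set firewall name WIRED_IOT_IN rule 30 state new enable
set firewall name WIRED_IOT_IN rule 30 destination group network-group SECURE_NETS

# Attach in the "in" direction on the IoT VLAN sub-interface (assumed eth1.30),
# i.e. traffic is filtered as it enters the router from IoT, before any routing decision.
set interfaces ethernet eth1 vif 30 firewall in name WIRED_IOT_IN

commit
save
```

Two things worth checking when adopting this shape: because the default action is accept, the network-group has to list every subnet that should be unreachable from IoT (an omitted subnet is silently reachable), and replies from secure hosts to IoT devices are only passed by rule 10 when the connection was opened from the secure side, which is the behaviour the comment describes.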