My network has evolved continuously and looks like this at the moment:
1gbps ISP (Single mode fibre)
|
Route10
|
3 x Switch S8
|
2 x AP6 Pro (on separate switches)
wireless & wired devices like PC, NAS, SBCs, IPTV box, LG SmartTV, IoT devices, Multiroom HiFi, etc.
Hardware controller is offline at the moment, and I haven’t gotten it up and running properly again after some experimenting and a major network breakdown.
WiFi SSIDs:
- Main (VLAN 2 & 4, WPA2, Standard/Internet, multi-pwd multi VLAN)
- Guest (VLAN 10, Internet, ditto)
- IoT (VLANs 20, 21, 30 & 31, IoT/Internet/Standard/Internet, ditto)
VLANs:
- 1: Network devices: Route10, SwitchS8, AP6Pro
- 2: Main WiFi: Android devices, Win PC
- 3: Main Wired: Win PC
- 4: Kids WiFi (isolated): Tablets
- 10: Guest WiFi (isolated)
- 20: IoT: AC
- 21: IoT (isolated): Roborock, Shelly IoT devices, etc.
- 30: Multimedia: Multiroom HiFi, SmartTV with Chromecast
- 31: Multimedia (isolated): IPTV, XBox
- 40: SBCs: Raspberry Pis for Home automation and utility
- 50: NAS: Synology NAS
Ports for wired devices/clients set to Native VLAN X and Allowed VLAN X.
Firewall with:
- Allow Main traffic to some of the other VLANs
- Allow some specific Multimedia to NAS and SBC
- Allow specific return traffic from other VLANs back to Main+more
- Drop inter-VLAN traffic to and from isolated VLANs (to still have them fully isolated if I experiment and disable the final drop rule)
- Final drop all inter-VLAN (otherwise all inter-VLAN-traffic would be allowed)
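As an added example (my own, not from the post and not the Route10's rule format), here is a small first-match evaluator of the rule order listed above, run against a few constructed VLAN pairs. The VLAN numbers are the post's; which VLANs "some" means (NAS, SBCs, Multimedia), the treatment of VLANs 2 and 3 as Main, and the ignoring of protocols and ports are assumptions. It shows why the explicit isolated drops are worth having: with the final drop rule disabled, a non-isolated flow such as IoT VLAN 20 to the NAS falls through to the router's allow-all default, while Guest VLAN 10 is still dropped by the earlier rule.

```python
# Added example: a first-match evaluator for the inter-VLAN rule order
# described in the post. This is not the Route10's rule syntax; the VLAN
# numbers come from the post, but which VLANs "some" means is assumed.
from typing import FrozenSet, List, NamedTuple, Optional, Tuple

MAIN = frozenset({2, 3})               # Main WiFi + Main Wired (assumption)
ISOLATED = frozenset({4, 10, 21, 31})  # the VLANs marked "(isolated)"
NAS, SBC, MULTIMEDIA = 50, 40, 30
ANY: Optional[FrozenSet[int]] = None   # wildcard source/destination


class Rule(NamedTuple):
    name: str
    action: str                    # "allow" or "drop"
    src: Optional[FrozenSet[int]]  # None matches any VLAN
    dst: Optional[FrozenSet[int]]
    enabled: bool = True


def build_rules(final_drop_enabled: bool = True) -> List[Rule]:
    """Rule order as the post lists it; the last rule can be switched off
    to model the 'I experiment and disable the final drop rule' case."""
    return [
        Rule("main-to-services", "allow", MAIN, frozenset({NAS, SBC, MULTIMEDIA})),
        Rule("multimedia-to-nas-sbc", "allow", frozenset({MULTIMEDIA}), frozenset({NAS, SBC})),
        Rule("return-to-main", "allow", frozenset({NAS, SBC, MULTIMEDIA}), MAIN),
        Rule("isolated-out", "drop", ISOLATED, ANY),
        Rule("isolated-in", "drop", ANY, ISOLATED),
        Rule("final-drop", "drop", ANY, ANY, enabled=final_drop_enabled),
    ]


def _matches(rule: Rule, src: int, dst: int) -> bool:
    return (rule.src is None or src in rule.src) and (rule.dst is None or dst in rule.dst)


def decide(rules: List[Rule], src_vlan: int, dst_vlan: int) -> Tuple[str, str]:
    """Return (action, rule name) for the first enabled rule that matches.
    Same-VLAN traffic is switched, not routed, so it never hits the rules."""
    if src_vlan == dst_vlan:
        return "allow", "intra-vlan"
    for rule in rules:
        if rule.enabled and _matches(rule, src_vlan, dst_vlan):
            return rule.action, rule.name
    # Without the final drop rule the router's default applies, which the
    # post notes is "allow all inter-VLAN".
    return "allow", "router-default"


def compare(src_vlan: int, dst_vlan: int) -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Decision with the final drop enabled vs. disabled, side by side."""
    return (decide(build_rules(True), src_vlan, dst_vlan),
            decide(build_rules(False), src_vlan, dst_vlan))


if __name__ == "__main__":
    # Constructed sample flows: (source VLAN, destination VLAN)
    for src, dst in [(2, 50), (50, 2), (30, 50), (20, 50), (10, 50), (2, 10)]:
        with_drop, without_drop = compare(src, dst)
        print(f"VLAN {src:>2} -> {dst:>2}: final drop on: {with_drop}, off: {without_drop}")
```

The evaluator is stateless, matching the post's explicit "return traffic" allow rules rather than connection tracking; adding a port or protocol field to `Rule` would be the next refinement if you wanted to model per-service rules.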
Now a lot of customization with fail2ban integration, and integration of abuseipdb lookup and reporting. Also, bogon, geo and abuse IP blocking, more for experimenting than anything else.
Furthermore, LED and link status lights control and scheduling. Tied it all together with a couple of management scripts for symlinking, path setup and cron scheduling. Also, some customization of the AP brackets and using standoffs to get slightly better cooling for the