1U Firewall/router. This depends on how much you want to spend and how secure you want it. For 1G internet, the fastest and cheapest you can get with full security features enabled is probably a Watchguard Firebox M370.

I got a home lab I like to set up to use the key for easy login and learning how to set that up. While I didn build with the latest and greatest Xeon D I did built out a NAS using the Xeon D 1521 and it works well for a virtualization host, I have FreeNAS virtualized as well as several linux VM My biggest hit is if I accidentally stumble on media that Plex is unable to direct play to my device and needs to transcode, that is my biggest issue, but I simply just replace that media file when I come across it. believe the newer gen Xeon D stuff will have a place in labs where individuals want something small and compact as well as low power, but of course you pay for that luxury. Why would wireless require a pentest while their current configuration wouldn would additional firewalls be needed? Only internal users are using it, the same firewalls used for wired access should apply here. Lockouts can be configured to the auditor specifications on the Radius device or in AD/their authentication solution. Monitoring/SIEM tons of open source solutions exist but you should be running one already. I get it not going to be an overnight thing but this seems like a mostly solved problem that should be free or very cheap to implement, mostly reusing existing infrastructure. You may want to just save your config and then do a fresh install and import your old config that will preserve your jails etc. Do note that 11.2 u3 should be released in the next few days. It fixes a possible data loss bug that can happen during an upgrade. May want to let that version get released and then wait a couple of days and go from there. A bunch of changes to jails have been made resulting in issues and having to use the new or old UI for certain actions or old jails not working in new versions

