One that could be served similarly with an older computer you already own, or a router that supports custom firmware like Merlin, Tomato or DD-WRT. You will not really have a requirement for it: the hardware for the Pi is not exceptional, and it has decent software support, poor hardware interfaces, and a higher cost than comparable SBCs. Check this out: https://advancedtomato.com/ I have hosts blocking, VPN, prioritization, and used it with USB 3.0 as NAS, and it was $40 (Asus AC68U; I think it's called 1900 as well).
The kind of home routing that involves running your own Linux distro and firewall configuration.
That may not be for everyone; it's more for tinkering. You can also run other things like VPN services, DNS, DHCP and all that shit, fully configured to your liking / needs.
Someone mentioned above, and so I ask: have you given Banana Pi R1 with OpenWrt a try? Would that setup be simpler than the current one with VLAN and netplan?
Speaking of netplan: I couldn't quite make head or tail of it.
What does it do and why is it required (in the context of the setup)?
For example:
    ethernets:
      enp2s0f0:
        dhcp4: no               # only dhcp6 allowed?
                                # or, is dhcp now handled by wifi-ap?
    vlans:
      enp2s0f0.10:
        id: 10
        link: enp2s0f0          # down-link?
        addresses:
          - 68.69.70.71/24      # is this modem's public-ip subnet?
                                # or, could be anything?
        gateway4: 68.69.70.1    # modem's public-ip?
      enp2s0f0.20:
        id: 20
        link: enp2s0f0          # up-link?
        addresses:
          - 192.168.0.1/24      # subnet for the internal network?
                                # what does dhcp for this one?
> So all the routing and NAT that needs to happen, just happens on those two virtual interfaces instead.
The managed switch NATs traffic? Or do you mean to say that the RPi 4 does? Or am I misunderstanding how all of this actually works?