Cluster-Wide Virtual Firewall using SDN

[snowturtle]

Hi all, I've been reading up on the PVE docs, reading some articles and watching some YouTube videos on how proxmox's SDN works. This gave me an idea of a setup for my homelab, which I think should work, but I'm not too sure how to configure it in the SDN zones/vnets.

My home network has abysmal DNS for local devices (curse you Google WiFi), out of 50 devices on the network (including my homelab), only 4 devices can actually be found by their hostname / DNS name; this makes it a pain for certificates and Kubernetes because I'd have to bind the certificates and DNS to specific reserved ips.
My idea was to run a virtual firewall (something like *sense or sophos home) on my 4 node pve cluster and have it configured in such a way that any vm/ct on any of the 4 nodes can talk to the virtual firewall and be on it's LANnetwork. I'm just not sure what type of zone(s) I'd need for that.

• I'd need one that's able to talk to my home LAN to act as my WAN connection
• I'd need one that's not able to talk to my home LAN to act as my virtual LAN
• I need it to be cluster-wide, so any of the ct's/vm's can talk to the virtual firewall over the virtual LAN, regardless of which node the ct's/vm's are on and regardless of which node the virtual firewall is on.

Does anyone have any idea's? let me know if I need to provide more information.
I did find this thread which seems to be similar to what I want to do: https://forum.proxmox.com/threads/vxlan-sense-with-a-cluster.146400/