Thanks for the tip about the EdgeRouter upgrade. I had a quick skim of the release notes and may get mine out of the box to have a look at it in the coming weeks after a few more people have tested the new release. I’ve not regularly used Ubiquiti gear in several years, but when I did I always found that waiting for something ending in .0.1 or hotfix was a less frustrating approach overall!
Agreed. I think that the slightly different terminology and configuration methods with every vendor don’t help. It’s the type of thing where it’s helpful to understand the high level theory, then once that makes sense, figure out how the theory maps to your preferred vendor(s) terminology.
Also agree with this, but at home I’ll admit to frequent configuration changes using the below approach too. It’s a bad habit but the stakes are a lot lower on the home network, so.

Something like draw.io can be helpful to do rough sketching out, although I’ll normally use scrap paper and a pen because I find that easier than trying to fight with Visio, draw.io, et al. I think you’ve got a good plan there to get started with your “big piece of paper” idea too.
Looking at the rest of your post - a few places that might be fun to start:
- Set up a separate VLAN in OPNsense/your switch/etc. and spin up 1-2 VMs in Proxmox with that VLAN tag on their virtual NICs. Route between that VLAN and the rest of your network using OPNsense.
- Move a single or spare camera over to a separate SSID/VLAN and get that working in motioneye either via OPNsense routing between those VLANs/subnets or by setting docker up to tag traffic with that VLAN (here be dragons - I’m not familiar with docker and assume it can tag traffic but have no idea?).
Once you’ve set up a few test configurations and get the rough gist of the implementation, that’ll give you an idea of what your gear can do, and how to work with it. There’s probably no point in setting goals and mapping things out until the theory makes sense and capabilities of your equipment are known. I’m sure others in the group will have different views. I’m a big fan of the “just screw around with it and try to solve a real world problem in a low stakes environment” approach.
Finally, if you have the gear/physical space/inclination, setting up a test & eval environment can help keep your “production” stuff online (i.e., keep your family happy) and give you somewhere where you can tinker freely. In this instance, plug the WAN of your new OPNsense router into the DrayTek’s LAN, and have the “public” IP of the OPNsense be a private IP assigned by the DrayTek. Experiment all you want with OPNsense and on the network past the OPNsense box with the knowledge that you’re behind the DrayTek’s firewall and aren’t tinkering with the DrayTek’s config either. This sort of config gives you a special LAN to ruin, it’s over there.