I currently host several services on my docker swarm, all of which are exposed to the internet but protected by Authelia and routed through Traefik.

I’d like to improve security and split my network into several vlans, one of which would be a DMZ for services exposed to the internet (Foundry VTT, Matrix, Searx, maybe some others), and another vlan for services that are only accessible while on a vpn (*arrs, Jellyfin, Nextcloud, etc.).

I’m not sure what is the safest and easiest way to do this. Some ideas I have:

1. Setup a specfic server for my external services and connect it to a DMZ tagged vlan port.
2. Run all of my services in the same docker swarm on the internal VLAN, and only have my Traefik service running in the DMZ (I don’t know if this is possible with physical vlan ports)
3. Run all of my services in the DMZ, but with an IP whitelist to control access for services I only want accesible from the VPN
4. Something else I haven’t thought of?

Thanks, and I appreciate the help.