Then use WireGuard to get into your local network. Simple as. All security risks that don’t need to be accessed by the public (document servers, ssh, internal tools, etc…) can be accessed via VPN while the port forwarded servers are behind a reverse proxy, TLS, and an authentication layer like Authelia/authentik for things that only a small group needs to access.
Sorry, but there is 1 case in 10000 where a home user would have to have publicly exposed SSH and 9999 cases of 10000 where it is not needed at all and would only be done out of laziness or lack of knowledge of options.
But to be fair, even 2 ASUS WiFi 6E on their ZenWiFi like for example are like >300€. A Cloud Gateway Ultra + U7 Pro + PoE injector is around that too. For me the router/AP entrance is in a place that barely gives a signal so it makes no sense to have an access point there.
So I would get more or less the same signal with 1 access point + a wired router as with 2 access points.
Depends on your situation of course.