@R3dH00d Not at all. Border router is a Ubiquiti ER-POE with the only purpose of running NAT. Subsequently: OpenBSD routers in a failover configuration (will also be running OpenVPN, but not yet); Ubiquiti switchgear (all up to date). Network segmented on VLANs, with all management functions on their own VLAN. Also, a Security Onion IDS on the main egress.

@R3dH00d Among the things I'm thinking about doing: running host intrusion on all computers (right now, all user machines are Windows machines running Malwarebytes and Windows Defender); tuning Security Onion rules further (the professional Emerging Threats database is too expensive, though); maybe taking management off of a VLAN and running it truly out-of-band with a separate internet connection.


@R3dH00d I'm unsure as to whether other IDS databases (such as Snort rules) can be used with Suricata in Security Onion.
