I’ll have to check out Visio, sure did make a nice diagram. Lot of hours, that’s just par for the course, isn’t it… lol
Putting Vonage directly on the Netgate lets you shove it in its own subnet and isolate it, plus lets you QoS more effectively imo.
The media players, Roku/Chromecast/etc., in an ideal world, work best if they’re on the same subnet as the controllers are (e.g. phones, tablets, etc). This isn’t always something someone is willing to do though in the name of securing things. It’s a choice you’ll have to make, given the pros and cons. Try it with them on separate vlans and see how it works, if there’s no issues, consider yourself lucky and congrats. If a device isn’t playing nice, then you’ll choose either to move it or kill it, as those are your basic options. Moving them, I would run strict fw rules and let it fly. Killing them, well, may end you up in the doghouse with someone. As always, ymmv…
Device trusting is subjective, some choose to trust, others do not. Generally, there is no right or wrong answer and everyone is free to choose how big their tinfoil hat is. Personally, mine is fairly large, but most people don’t know what it even is, which is tragic, but I digress.
Why would there be a reason to move the Vonage device to the Netgate, yet keep it vlan’d? This doesn’t make sense to me as you’re giving the device a dedicated port on the firewall itself.