Well yes, it is one hop, because you’ve got the router doing TLS termination. Inside your network you point to the server that has the TLS certs. Outside of the network you do port forwarding, or use a tunnel with cloudflare agents.

Why is the router involved at all? It’s all local traffic. The external traffic comes through the cloud flare tunnel, right? Maybe I’m not understanding the architecture you’ve got.

It’s possible but it’s an extra pain in the butt.

Internally, have you tried pointing the DNS directly to the ngnix server, not the router? There’s no reason to have that extra hop (I don’t think).

If you are establishing a TLS connection to a server, the server will need a certificate. It sounds like you’re trying to have two instances of a reverse proxy - one on the server, and one on the router. It may be my ignorance of the particulars, but my immediate thought is that you should select one point in the network to do reverse proxying.

The amplifi line is the plug and play line closest to the google/eero/etc. experience. It is specifically the one I was referring to which has less than enthusiastic feedback.

I neglected to mention Mikrotik. They’re a Latvian company that is also in the space. I think they’d be farther to the professional/complex end of the spectrum. Omada is in the middle, and Ubiquiti leans toward the easier to use side. They’re all going to need more work than google wifi, unfortunately.

The “other” site has a wealth of information; evanmccann.net is a good source for demystifying their product line as well.

Google‘s (and Facebook, and all the social media ad companies’) business model is predicated on the notion they have a better profile of their victims than the other ad network. They’ll never tell your uncle about what you search for at 2am, but they’ll indirectly sell it.

The best thing to do is to run a wired backhaul, if it’s remotely possible. MoCa or power line adapters are possible options but do your research and assess your own situation. Wifi is more complex that it can seem on the surface, and wireless backhaul adds its own nuance.

With higher end products you may find that you don’t need a mesh network - just one AP may solve the problem. All my neighbours have f’ing extenders which take up a ton of airspace and the houses are 30sqm footprint.

Ubiquiti makes the UniFi line which is prosumer. You’ll need several components; unless you’ve got more than 1gbps service, the UDM is a good starting point. They also make the amplifi line; I don’t think there’s a lot of positive feedback on those products.

Tplink is a Chinese company and therefore immediately suspect in some eyes, but their Omada line is pretty reliable. They also make the Deco line for more home-focused solutions. They’ve been in the news a bit lately, more so because people don’t change passwords from what I recall, but I wanted to mention it.

And it’s getting harder to find powder. Try finding powder dishwasher detergent… locally, nothing.

What brand are those power strips? Last time I went shopping for power strips, they were all the rage and I could hardly find one WITHOUT that feature. Today, several years later, I can’t find any. Except, perhaps, some Chinese ones without safety approvals. I need one for my tv.