Nice journey, keep digging!

Just one suggestion, I would put the lab network on a separate vlan and access it through a VPN (or tailscale, netbird, etc.) that way you don’t bother with any security risk and only you can access it once you are authenticated to the network, and even if you want to expose a service to the public, you can do so by reverse proxy or service-specific features like funnel from tailscale, so you replace ddns and portforwarding and keeping things secure.