Keep it simple. Have an “inside” network and an “outside”

Use a vpn access stuff inside your network. Split tunneling is fine for mobile devices.

Secure services that are exposed from outside to inside. Requiring mfa for all accounts goes a long way here. You can use some sort of proxy service.

Your should manage the firewall, so watch out for Upnp services that try to set up inbound ports automatically.