Pretty simple simple ‘castle & moat’ setup. Lots of firewall, IPS, dynamic threat, etc around it with separate subnets and all the usual biz. My ISP doesn’t use CGNAT so I’m lucky that way, though they did question WTF I was doing last I made a service call to them based on the bandwidth usage.