I was just wondering what a good step-by-step setup would be? I have ProtonVPN WireGuard to set up, and I think I'm going to use NextDNS. Should I have many devices on the guest network or not? Should I use AP isolation and binding in the DNS? Should I configure anything else for a basic router behind my Telus modem, which will be bridged? I guess I'm just looking for some help, as I'll also be setting up another router to use as an AP upstairs.
Hmm, are you asking whether you need to apply extra security when your ISP modem is set to bridge mode?
In that case, no.
It does not mean all your devices are suddenly exposed to the internet, because the Flint 2 still uses a firewall, although a misconfiguration can be, like SSH on WAN with a weak password, allowing a DMZ, or allowing HTTPS remotely; these are wrong options.
Any unsolicited traffic not started by your devices first will be dropped; any traffic started from the devices in your local network allows the other side to communicate back on the same connection.
So... Your router and firewall are not the security issue, but what could pose a risk is when a device was already infected/hacked and starts communicating first with strange traffic.
^ NextDNS could definitely help, acting as a sinkhole.
But there are also IP block lists which you could use with a LuCI plugin called banIP.
About IPv6:
There is a known misconception about this, and even I, when I was forced to learn how IPv6 works, had it wrong: the majority thinks that all devices are exposed to the public internet because IPv6 has no NAT.
Let me tell you that NAT does not equal a firewall; it equals what it says, network address translation. So port forwarding does not normally exist, but there is still a firewall blocking unsolicited inbound traffic to these devices. This means nothing actually changed in security in principle between IPv4 and IPv6, except that the translation from a port forward no longer exists and for IPv6 it just opens the port.
Actually the benefit is that your CPU needs fewer cycles because it does not need to translate addresses, which means faster internet (kinda).
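The reply above names the misconfigurations that actually matter on an OpenWrt-based router like the Flint 2: a WAN zone that does not reject unsolicited traffic, SSH or HTTPS accepted from the WAN, a DMZ redirect, and (for IPv6) a rule that simply opens a port to a LAN host instead of translating it. The script below is an added example, not code from the thread or from GL.iNet: it parses a `/etc/config/firewall` file in UCI syntax and reports those cases. The sample config, the host addresses and the rule names in it are constructed for illustration.

```python
"""Added example (not from the forum thread): audit an OpenWrt/UCI firewall
config for WAN-facing misconfigurations. All sample data is constructed."""
import shlex

# Constructed /etc/config/firewall fragment: a default-style wan zone with
# three deliberate mistakes (input ACCEPT instead of REJECT, SSH accepted
# from WAN, DMZ redirect) plus one intentional IPv6 "open port" rule and
# one harmless default rule (DHCPv6) that must not be flagged.
SAMPLE_CONFIG = """\
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-SSH-WAN'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	option name 'NAS-HTTPS-v6'
	option src 'wan'
	option dest 'lan'
	option dest_ip '2001:db8::10'
	option dest_port '443'
	option family 'ipv6'
	option target 'ACCEPT'

config redirect
	option name 'DMZ-Host'
	option src 'wan'
	option dest 'lan'
	option proto 'all'
	option dest_ip '192.168.8.100'
	option target 'DNAT'
"""

# Services that should never be reachable on the router itself from the WAN.
SENSITIVE_PORTS = {"22": "SSH", "80": "HTTP", "443": "HTTPS"}


def parse_uci(text):
    """Parse UCI 'config/option/list' syntax into a list of section dicts."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "config":
            current = {".type": parts[1]}
            sections.append(current)
        elif parts[0] == "option" and current is not None:
            current[parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and current is not None:
            current.setdefault(parts[1], []).append(parts[2])
    return sections


def audit_firewall(text):
    """Return human-readable findings for the WAN-facing risks the reply names."""
    findings = []
    for s in parse_uci(text):
        kind, name = s[".type"], s.get("name", "<unnamed>")
        if kind == "zone" and name == "wan":
            # The zone policy is what drops unsolicited inbound traffic.
            for direction in ("input", "forward"):
                policy = s.get(direction, "ACCEPT").upper()
                if policy not in ("REJECT", "DROP"):
                    findings.append(f"wan zone {direction} is {policy}: unsolicited inbound traffic is not blocked")
        elif kind == "rule" and s.get("src") == "wan" and s.get("target", "").upper() == "ACCEPT":
            port = s.get("dest_port")
            if s.get("dest") is None and port in SENSITIVE_PORTS:
                # No dest zone means the traffic is for the router itself.
                findings.append(f"rule '{name}' exposes {SENSITIVE_PORTS[port]} (port {port}) on the router to the WAN")
            elif s.get("dest") == "lan":
                # IPv6 has no DNAT: an inbound allow rule is the port forward.
                findings.append(f"rule '{name}' opens port {port or 'any'} to {s.get('dest_ip', 'a LAN host')} "
                                f"(family {s.get('family', 'any')}); confirm this exposure is intended")
        elif kind == "redirect" and s.get("src") == "wan" and s.get("target", "DNAT").upper() == "DNAT":
            if not s.get("src_dport"):
                # No external port restriction: every WAN port lands on one host.
                findings.append(f"redirect '{name}' forwards every WAN port to {s.get('dest_ip')} (DMZ): "
                                "all services on that host are reachable")
    return findings


if __name__ == "__main__":
    for finding in audit_firewall(SAMPLE_CONFIG):
        print("-", finding)
```

On a real router, feed it the output of `cat /etc/config/firewall`. The Allow-DHCPv6 rule is left alone on purpose: OpenWrt's default WAN allow rules (DHCP renew, ping, ICMPv6, DHCPv6) are what a stateless protocol needs to work, and they are not the kind of exposure the reply warns about.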
Yeah, thank you for the reply. I had it running OK one time, but my DNS was screwing up because I had it double NATed. I shoot you my filesystem I was looking at one time through SSH, and then I ran it through ChatGPT and it said some of my folders shouldn't be in there, so I'll post that.