The secure, upscale network in the single-family house

You should remove the RAM

In the sense of upgrading, right? Otherwise, that seems counterproductive, but with Windows, you never know...

Yes, just put in a few more bars.

Why don’t you put the Fritzbox into bridge mode or replace it with a pure modem? Then you won’t have double NAT. DHCP in the VLAN can actually be done by any router that supports VLANs. What do you want to run on the Synology? You should remove RAM. Then Windows runs somewhat okay. But nothing for compute-intensive tasks. Radius and DNS can be neglected. Anyway, in my home network. There aren’t many devices, so no big load.

As for the Fritzbox, honestly laziness and uncertainty. Laziness because I have no clue about telephony, SIP, and such, and the Fritzbox provides the telephone system. Uncertainty because I don’t know how Magenta-TV handles it when another router has to take over. On the Synology, I would run a Domain Controller, file server, probably DNS, all Windows Servers. Possibly a WSUS. Then monitoring (Zabbix or something similar).

As for the Fritzbox, honestly laziness and uncertainty. Laziness because I have no clue about telephony, SIP, and the like, and the Fritzbox provides the telephone system. Uncertainty because I don't know how Magenta-TV handles it if another router has to take over. With the Synology, I would run a domain controller, file server, probably DNS, all Windows servers. Possibly a WSUS. Then monitoring (Zabbix or something similar).

I would, in your place, also let these parts be handled by the Fritzbox and only separate the network behind it where necessary. Otherwise, depending on the router/firewall, you'll invest a lot of time and nerves to get SIP and Magenta TV running smoothly. This does create more individual network segments but significantly less effort. I agree with Rick about the servers; there isn’t much load in the home network. You just need to keep in mind with the DNS server that the browsing experience suffers enormously if, for example, it shows 150ms response time because the Synology is struggling. You usually don't notice this with AD, Radius, or file server, but with DNS it becomes immediately apparent.

If I were you, I would also have these parts done by the fritzbox and only separate the network behind it where necessary. Otherwise, depending on the router/firewall, you will invest a lot of time and nerves to get SIP and Magenta TV running smoothly.
It results in more individual network segments, but significantly less effort.

I agree with Rick about the servers; there is not much load on the home network. You should only keep in mind with the DNS server that the browsing experience suffers enormously if it, for example, shows 150ms response time because the Synology is struggling. You don't really notice that with AD, Radius, or file servers. With DNS, it is immediately noticeable.

Then we’re back to double NAT...
Is it really as problematic as often "advertised"?
Pushing DNS to something else shouldn't be a problem. Although I wonder whether, say, 30 clients really generate a large load on the DNS service.

Then we are back to double NAT... Is it really as problematic as it is often "advertised"? Pushing DNS to something else shouldn't be a problem. Although I wonder if, say, 30 clients really generate a heavy load on the DNS service.

It's not the performance of the DNS that can become a problem, but the overall performance of your VM environment. With the other servers, you just don't notice it, but you do with the DNS.

Double NAT can simply be switched off with a proper router/firewall behind the Fritz. The Fritz does the NAT; in return, it gets a static route or several for the traffic behind the router/firewall. But only one NAT towards the internet.

Though I have also been running a Fritz behind a Speedport Hybrid for 3 years now. Problems with double NAT so far: 0.