The configuration of internal and external packet filters and a single-homed bastion host provides very good security.
Inside the firewall, the only permitted destination for traffic from the interior or exterior router is the bastion host.
The topology is defined by the bastion host or hosts and the packet-filtering routers used.
IP forwarding must be turned off on the bastion host.
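The rule that the bastion host is the only permitted destination can be checked mechanically against each router's filter table. The following is an added example, not part of the original text: the addresses, the rule-tuple layout and the function name audit_filter are assumptions made for illustration, and it assumes first-match rule lists that should end in a deny-all entry.

```python
import ipaddress

# Constructed sample data: the bastion address and both rule sets are
# illustrative (documentation/private ranges), not taken from the original text.
BASTION = ipaddress.ip_address("192.0.2.10")

# Each rule: (action, source network, destination network), evaluated in order.
EXTERIOR_RULES = [
    ("permit", "0.0.0.0/0", "192.0.2.10/32"),
    ("deny", "0.0.0.0/0", "0.0.0.0/0"),
]
INTERIOR_RULES = [
    ("permit", "10.0.0.0/8", "192.0.2.10/32"),
    ("permit", "10.0.0.0/8", "192.0.2.0/24"),  # too broad: reaches hosts other than the bastion
    ("deny", "0.0.0.0/0", "0.0.0.0/0"),
]


def audit_filter(name, rules, bastion=BASTION):
    """Return findings for one packet filter; an empty list means it conforms."""
    findings = []
    for index, (action, _src, dst) in enumerate(rules, start=1):
        dst_net = ipaddress.ip_network(dst)
        if action == "permit":
            # A permit rule conforms only if it names exactly the bastion host.
            only_bastion = (dst_net.num_addresses == 1
                            and dst_net.network_address == bastion)
            if not only_bastion:
                findings.append(
                    f"{name} rule {index}: permits destination {dst}, "
                    "not only the bastion host")
    # Assumption: the table must end by denying everything not permitted above.
    last = rules[-1] if rules else None
    if (last is None or last[0] != "deny"
            or ipaddress.ip_network(last[1]).prefixlen != 0
            or ipaddress.ip_network(last[2]).prefixlen != 0):
        findings.append(f"{name}: no final deny-all rule")
    return findings


if __name__ == "__main__":
    for filter_name, table in (("exterior", EXTERIOR_RULES),
                               ("interior", INTERIOR_RULES)):
        for finding in audit_filter(filter_name, table) or [f"{filter_name}: OK"]:
            print(finding)
```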