Thanks for the input.  I'll read some more of your pieces on an OPNsense router.

I completed an experiment just before the weekend and prior to your reply and set my Buffalo AirStation to a different subnet, and now when I'm on it, I can print.  But I lost wifi admin access so I need to sort that out to plug in to directly.
Note,  I'm a networking noob ....

1. I may misuse terms (access point vs modem vs wireless router vs ...)
1. I have been told by a coworker to look into "expanding my subnet", but I'm not sure what to read about first.
1. I'm willing to install a new OS on either segment 2 or segment 3 modem/router/wifi tools if necessary

Let's start with the end in mind.
Overview of what I'm trying to solve/answer/improve:

  • I want to be able to safely / securely host web apps on Ubuntu Server that's accessible from the public internet
  • intermediate step would be to just allow segment 1 to access segment 2
  • I want to be able to contribute to an open-source blockchain consensus on an Ubuntu server
  • future segment 3 has a Kubernetes Pi cluster with control plane and applications web accessible

My first time making a networking diagram and this is my attempt.

This is both a current and future state.  Questions below about what needs to be modified.

How did I get to this diagram?

1.  Segment 1 was quick and simple.
     1. a  When I'm on the Segment 1 wifi broadcast, the Pi-Hole handles DNS.
2.  Working from home, I found video calls sucked so I built Segment 2
     2. a    For Segment 2, I attempted to just use the AirStation as an Access Point (? may have misused the term) but I couldn't figure out how to make it successful, so I now just switch to a different broadcast network.  I get the lower latency and it works fine.
     2. b  I deployed a Docker container on the Segment 2 running Nginx web server ...
         2.b.1  I understand that I can only access localhost from the wifi connection on the AC1750 modem
         2.b.2  I don't understand: why, when I'm on Segment 1, can't I access the Nginx app via port address?