APC Symmetra LX 16kVa wired to a secondary panel. That panel feeds both the rack and computer receptacles in my office.
For extended outages I have a natural gas powered permanently installed backup generator. Generator start and transfer switch is fully automatic
As far as the rack and my office machines are concerned the power never goes out, even though my area experiences frequent brownouts and winter has a pretty good chance of seeing an extended blackout
You'll need to keep the pfSense, as that will remain your default router, as well as firewall and vpn if youre using it. You would then trunk your VLANs to a managed switch.
A Cisco WS-C3850-12X48U-L is a 48 port gigabit switch that includes 12 100Mbps/1/2.5/5/10 Gbps Base-T UPOE Ethernet ports, but you would need to bump your budget to about $600. It has a network module slot that can accommodate 10 and 40 gig SFP+ If you wanted to run a fiber uplink
If you dont wanna blow the budget on the switch, something like a WS-C3750X-48P would be perfectly usable, its a 48 port 1G Base-T PoE+ switch with modular and redundant PSUs, and it has the option for a 2 port 10g SFP+ network module and you can usually find switches with the C3KX-NM-10G module installed for $100 or less.
Paessler PRTG is among my favorites outside of LogicMonitor, and has a freeware version https://www.paessler.com/howto-free-network-monitoring
I'd also look into Nagios Core, Prometheus, Zabbix, and Zenoss - All capable monitoring solutions, just dig into to see what it can do and if the feature set and layout works for you
If self hosting, I'd virtualize the workstations and utilize GPUs designed for virtualized engineering workstations, like a Nvidia A100
As for access, you could go through the trouble and expense of exposing something like VMware Horizon VDI to the internet through a reverse proxy if using virtualized workstations.
A better option would be to go with Cloudflare Zero Trust. You run a small agent on your side, and people outside needing access sign in through Cloudflare, and you can grant very specific access to what they need. It's kind of like a VPN but with much greater control over where someone can go while connected
You'll want to segment the workstations off into their own VLAN, and you should be using a good firewall on its own hardware to lock down access between outside and the workstation VLAN (ie only allow connection from Cloudflare service endpoint urls to IP range of your workstations)