Citing @StorageNinja: "...Do not use CrystalDiskMark for testing a hypervisor or server workload. It was designed for sanity tests on desktop systems. Virtual environments involve multiple disks on different controllers, on different VMs and parallel IO can either yield higher results or far worse (IO blender effect). Test something realistic with what you are running.
VMware HCIbench isn't bad for spinning up a bunch of workers and running different profiles or DiskSPD and Intel IOmeter. If you are going to run SQL, HammerDB might be worth running (or SLOB if you will be running Oracle). Given people using CrystalDiskMark and stuff tend to either test unrealistically small or large working sets (and therefore test Cache, or what the storage layer looks like with a full file system)..."

Whatever device does the local routing for you, it needs to be aware of the Eth 4 LAN and have
a static route pointing to it as @Dashrender already advised. ICMP needs to be allowed on Windows Firewall of the host to test this. You should only have a single default gateway per host. Create a persistent route in CMD on the host for your 10.200.1.0 network traffic to exit out of its own interface or next-hop address instead.

Looks like it really boils down to the lack of following the 3-2-1 rule or its revised version - 3-2-2 where you have both cloud-based and local external backups of your NAS' important data in your case.

@openit Not sure whether the same way would work with QNAP RAID but Synology has a KB on it: https://www.synology.com/en-global/knowledgebase/DSM/tutorial/Storage/How_can_I_recover_data_from_my_DiskStation_using_a_PC

On a side note, why on Earth are you using SMB1 protocol? Turn it off everywhere, It's insanely insecure. Ransomware loves SMB1. Also, turn on SMB support on the Synology all the way up to SMB3.

These are the current Australian government cybersecurity guidelines on recommended cryptographic algorithms. Can be a good reference point to start from.

EDIT: link - https://www.cyber.gov.au/ism/guidelines-for-using-cryptography

Are you sure, you were actually getting 1.6 GB/s, not 1.6 Gbit/sec with iPerf or similar? 1.6 GB/s is more than the theoretical maximum bandwidth of a 10 Gbit link unless it's a sum of results for each of two vNICs or something. Copypasting the file across remote desktops won't give you an accurate figure, btw. With coping large files over 10 Gbit links or above you'd need Jumbo Frames enabled on all devices along the path. Otherwise, you won't be able to fully utilise the available bandwidth. Your storage config should not be a bottleneck. On the other hand, file copy is not a real measuring tool for VM storage performance. You should be using something like diskSPD or IOmeter to get more accurate results inside VMs for typical virtual workloads (random in nature). Storage latency and IOPS are more accurate metrics for them IMO.

From my experience, most docking stations work seamlessly plug and play, even cheaper ones. There used to be a need for a manual DisplayLink driver update for Win 10 but not anymore.

I have to deal with this from time to time. Usually, some crappy legacy client-server LOB apps. The workloads are normally so tiny and simple that suggesting server hardware for them is a waste of money. Some of their vendors don't even add server O/Ses in the technical requirements. Most small shops don't even have enough physical space to run server hardware properly let alone willing to spend a few grand on a server, MS licencing and the labour to set it all up for them.

I remember the advice @Obsolesce gave the other day, just buy the least expensive Server Essentials licence and stick it on a Win 10 box where the app runs. This won't help anyone with more than 25 users or devices, though

HA doesn't come cheap most of times.