At this point in my adventure I have Pfsense behind the cable modem and the DMZ assigned as a VLAN.
I have a 24 Port Switch that I can split by VLANs/Trunks and seem to be headed down that road...
I find myself asking....
- I have 9 physical interfaces on my Pfsense box (ports to spare).
Does it make better sense to assign a physical Interface to my DMZ rather than a Virtual one (Will this reduce the risk of VLAN hopping or is this just silly thinking?)
- In non-SOHO (corporate) configurations what I see is
Internet <--> Firewall <--> DMZ <--> Firewall
Internet <-- Pfsense <--> LAN1/LAN2/DMZ/etc.
Does it make sense to
put a light weight router up in front of my DMZ
add another switch for those devices
then move my overkill Pfsense router back to protect the LANs?
Does it make sense to use virtual routers as opposed to another hardware device on the shelf?
In practice, most of the servers will be virtualized with test clients on the LAN being hardware.
It looks like I'm going down the Nagios path for monitoring.
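On the VLAN-hopping point raised above: whichever way the DMZ is attached (its own NIC or a tagged VLAN on a trunk), the frames arriving on the DMZ side should carry exactly the tag you expect and never a second, nested tag. Below is an added example, not code from the original post or from pfSense, that parses the 802.1Q header stack of raw Ethernet frames and classifies each one for a monitoring check (the kind of thing that could feed a Nagios plugin). The frame bytes, MAC addresses and the allowed VLAN ID are constructed for the demonstration.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # standard 802.1Q VLAN tag
ETHERTYPE_8021AD = 0x88A8  # 802.1ad (QinQ) outer service tag


def parse_vlan_tags(frame: bytes):
    """Walk the tag stack of a raw Ethernet frame.

    Returns (list_of_vids, inner_ethertype). A plain untagged frame yields
    ([], ethertype); a single-tagged frame yields ([vid], ethertype); a
    double-tagged frame yields both VIDs, outermost first.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset = 12  # skip destination and source MAC
    vids = []
    while True:
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
            if len(frame) < offset + 6:
                raise ValueError("truncated VLAN tag")
            tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
            vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VID
            offset += 4
        else:
            return vids, ethertype


def classify(frame: bytes, allowed_vid: int) -> str:
    """Verdict for a frame seen on the DMZ side of the firewall.

    'double-tagged'   - more than one VLAN tag stacked (should never appear here)
    'unexpected-vlan' - one tag, but not the DMZ VLAN
    'ok'              - untagged, or tagged with the allowed DMZ VLAN
    """
    vids, _ = parse_vlan_tags(frame)
    if len(vids) > 1:
        return "double-tagged"
    if len(vids) == 1 and vids[0] != allowed_vid:
        return "unexpected-vlan"
    return "ok"


def build_frame(vids, ethertype=0x0800, payload=b"\x00" * 46) -> bytes:
    """Construct a test frame (constructed sample data, not captured traffic)."""
    dst = bytes.fromhex("001122334455")  # constructed MAC
    src = bytes.fromhex("66778899aabb")  # constructed MAC
    # Each tag is TPID (0x8100) followed by a TCI with PCP=0, DEI=0, VID=vid
    tags = b"".join(struct.pack("!HH", ETHERTYPE_8021Q, vid) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def summarize(frames, allowed_vid: int) -> dict:
    """Count verdicts over a batch of frames, e.g. one polling interval."""
    counts = {"ok": 0, "unexpected-vlan": 0, "double-tagged": 0}
    for f in frames:
        counts[classify(f, allowed_vid)] += 1
    return counts


if __name__ == "__main__":
    DMZ_VID = 10  # assumed DMZ VLAN ID for the example
    sample = [
        build_frame([]),          # untagged host traffic
        build_frame([DMZ_VID]),   # correctly tagged DMZ traffic
        build_frame([20]),        # tag from some other VLAN
        build_frame([DMZ_VID, 20]),  # nested tags: should be alerted on
    ]
    print(summarize(sample, DMZ_VID))
```

In a live check you would feed `classify` frames captured on the DMZ interface and raise an alert on any `double-tagged` or `unexpected-vlan` verdict; on a dedicated physical NIC with no trunking, every frame should come back `ok`.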