DMZ - Network Topology and Pfsense - Home/Work Lab

At this point in my adventure I have Pfsense behind the cable modem and the DMZ assigned as a VLAN.

I have a 24 Port Switch that I can split by VLANs/Trunks and seem to be headed down that road...

I find myself asking....

  1. I have 9 physical interfaces on my Pfsense box (ports to spare).

Does it make better sense to assign a physical Interface to my DMZ rather than a Virtual one (Will this reduce the risk of VLAN hopping or is this just silly thinking?)

  1. In non-SOHO (corporate) configurations what I see is

Internet <--> Firewall <--> DMZ <--> Firewall


Internet <-- Pfsense <--> LAN1/LAN2/DMZ/etc.

Does it makes sense to
put a light weight router up in front of my DMZ
add another switch for those devices
then move my overkill Pfsense router back to protect the LANs?

Does it make sense to use virtual routers as opposed to another hardware device on the shelf?

In practice, most of the servers will be virtualized with test clients on the LAN being hardware.

It looks like I'm going down the Nagios path for monitoring.

You'll get better performance using physical NICs for each network rather than sharing a single one and using VLANs. If it's all set up correctly then it shouldn't be any more or less secure. Same for the firewall, there's a firewall on each interface so you essentially have a firewall between each network without having to physically have a separate firewall between each one. So assuming it's configured correctly it would be just as secure.