pfSense & hosting public services at home

Hi there!

I’m running pfSense for my firewall and I want to make sure I’ve configured a separate network that is properly secured. I have some publicly available services (Minecraft/Plex) that I want to confirm can’t see the rest of my internal network.

I have a T620 Plus with a quad-port NIC: one of the ports goes to the cable modem (WAN), one goes to a physical switch with all my network devices (“SwitchLan”), and one goes directly to an ESXi virtualization server with a vSwitch holding the VMs that I want to be publicly accessible (“PublicLan”).

Below is a diagram of the network. Is it sufficient to have the physical switch & devices be on the 192.168.3.X network, and the vSwitch be on the 192.168.5.X network, and just create firewall rules to block traffic between the networks, or should I really be doing more?
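Since the firewall rules are the part of the question that decides whether PublicLan can actually see SwitchLan, here is what such a ruleset looks like written out as pf rules (the packet filter that pfSense drives under the hood). This is an added example, not from the original thread or from the pfSense project; the interface names igb0 to igb2, the VM addresses and the service ports are assumed for illustration, and the real rules are entered per interface in the pfSense GUI rather than in a pf.conf.

```pf
# Added illustration, not pfSense's generated ruleset. Interface names,
# subnets, VM addresses and service ports are assumptions for the example.
ext_if    = "igb0"               # WAN, to the cable modem
lan_if    = "igb1"               # SwitchLan, 192.168.3.0/24
pub_if    = "igb2"               # PublicLan, 192.168.5.0/24 (ESXi vSwitch)
lan_net   = "192.168.3.0/24"
pub_net   = "192.168.5.0/24"
minecraft = "192.168.5.10"       # assumed Minecraft VM address
plex      = "192.168.5.11"       # assumed Plex VM address
mgmt      = "{ 22 443 }"         # pfSense SSH and web UI ports

set skip on lo0

# Translation: outbound NAT for both subnets, port forwards for the two
# published services only.
nat on $ext_if from { $lan_net $pub_net } to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 25565 -> $minecraft port 25565
rdr on $ext_if proto tcp from any to ($ext_if) port 32400 -> $plex port 32400

# Default deny on every interface; everything below is an explicit exception.
block log all

# WAN: only the forwarded service ports are allowed in.
pass in on $ext_if proto tcp from any to $minecraft port 25565 keep state
pass in on $ext_if proto tcp from any to $plex port 32400 keep state

# PublicLan: the two block rules must sit ABOVE the pass rule. "self" is
# every firewall address, so the VMs cannot reach the management UI on any
# interface, and the logged block records any attempt to reach SwitchLan.
block in quick on $pub_if proto tcp from $pub_net to self port $mgmt
block in log quick on $pub_if from $pub_net to $lan_net
pass in on $pub_if inet from $pub_net to any keep state

# SwitchLan: trusted side. Reaching the public VMs (e.g. Plex from a TV)
# is allowed; replies from PublicLan come back only through the state table.
pass in on $lan_if inet from $lan_net to any keep state

pass out on { $ext_if $lan_if $pub_if } keep state
```

The point that is easy to miss in the GUI is that pfSense gives a new interface no pass rules at all, while the default LAN interface gets an "allow any" rule; if PublicLan is set up by copying that default, a block rule for the SwitchLan subnet and for "This Firewall" must be placed above it, because pf evaluates the `quick` block before the broader pass. Logging that block is worth keeping on: a compromised VM that starts probing 192.168.3.0/24 shows up in the firewall log immediately.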

Yeah that should work fine. You may want to add a software firewall to the VM server depending on how your network is configured so the VMs can’t talk to the host, but as far as isolating the two networks in pfsense that will work fine.

The networks are physically separate except for the ESXi host and pfSense. As long as you secure the two (don’t route or bridge unnecessarily and do the firewalling you mentioned) you should be good.

If you want to be a little more secure, get a switch that handles VLANs and set your Minecraft server on its own VLAN with its own IP subnet, and yes, do not bridge the subnet to your existing LAN.

The switch he has supports VLANs, but separate physical cable is just as good.