Hi,
pfSense has a built-in VPN server for remote management and, why not, to give access to your LAN-based devices (if these accept remote connections).
VPN lately became a total buzzword ... I advise you to look at the VPN-related videos from Netgate (they have a YouTube channel with every subject explained step by step).
IDS: to reduce a long story to two words: forget it.
If you insist, first, use your favourite info source, make yourself very comfortable (because this one will last for days) and get to know what 'SSL' (TLS) really is.
Now you know that IDS was fun, in the past, when all traffic was travelling 'in clear' - these days it's all encrypted: only most DNS traffic is still visible, and even that changes these days. Mails, web access, SSH, whatever: it's encrypted in a way the Mossad, NSA and KGB - or whatever these guys are called these days - can't access it - not without throwing a multi-billion installation at it.
And you want to IDS/IPS?
Still, please, I'm just trying to make you understand what needs to be done. Do not believe my words, again: look up the (some) details.
DMZ: that was - one of - my boys dream: hosting my web/teamspeak/mail server.
It took a moment or two to understand that I would be needing something called a DMZ.
A couple of clicks later I understood that the off-the-shelf basic ISP router wasn't up to the task. Today, ISP routers let you set a ... DMZ ... IP (?!!?).
Now, a DMZ is a separated ... isolated ... network like 192.168.10.0/24, NOT 192.168.10.20 (an IP), although 192.168.10.20 could be the IP of a web server that operates in the network 192.168.10.0/24.
pfSense lets you create more than one LAN-type interface, and they will be called OPT1, OPT etc. Rename them to "Pincky" or "DMZ" and you're done.
The rest of the setup is: create firewall rules that enforce a typical DMZ type of operation.
See https://docs.netgate.com/pfsense/en/latest/book/intro/interface-naming-terminology.html#dmz
Or a good Netgate YouTube video about the subject.
A DMZ network has one or more NAT rules (IPv4 still exists these days) that let global Internet users actually visit - contact - connect to - your server-type devices, situated on your DMZ.
Finally: I decided to create my own DMZ in the middle of the world's biggest "MZ": the Internet itself. Like everybody else. A motivation was also that hosting servers behind an ISP line normally just plain s*cks ("big" download, but small "upload").
I rented dedicated servers on the Internet to host my servers. The most incredible thing is: you won't be bothered with firewall rules any more. Just the server apps like apache2, nginx, postfix, bind, teamspeak, etc. Mastering these will eat up a part of your actual life time (be warned).
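
The "typical DMZ type of operation" described above (an isolated 192.168.10.0/24 network with a web server at 192.168.10.20), modelled as first-match rule evaluation. This is an added example, not part of the original post and not pfSense code; the LAN subnet, the firewall's DMZ address, the forwarded port 443 and all function and variable names are assumptions.

```python
import ipaddress as ip

# From the post: DMZ network and web server IP.
DMZ = ip.ip_network("192.168.10.0/24")
WEB = ip.ip_network("192.168.10.20/32")
# Assumptions for illustration: LAN subnet and the firewall's own DMZ address.
LAN = ip.ip_network("192.168.1.0/24")
FW_DMZ = ip.ip_network("192.168.10.1/32")
ANY = ip.ip_network("0.0.0.0/0")

# Rules are checked top-down on the interface where traffic enters;
# the first match decides. Tuple: (action, source, destination, dst port).
# A port of None means "any port".
DMZ_RULES = [
    ("pass",  DMZ, FW_DMZ, 53),    # servers may use the firewall as resolver
    ("block", DMZ, FW_DMZ, None),  # but not reach its admin GUI or SSH
    ("block", DMZ, LAN,    None),  # a compromised server cannot reach the LAN
    ("pass",  DMZ, ANY,    None),  # everything else (Internet) is allowed
]

# The NAT port forward is applied before the WAN rules are checked, so the
# matching WAN rule names the internal web server as destination.
WAN_RULES = [
    ("pass", ANY, WEB, 443),
]


def evaluate(rules, src, dst, port):
    """Return 'pass' or 'block' for one new connection (default deny)."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for action, src_net, dst_net, rule_port in rules:
        if src in src_net and dst in dst_net and rule_port in (None, port):
            return action
    return "block"  # nothing matched: implicit deny


if __name__ == "__main__":
    # Constructed sample connections (203.0.113.10 is a documentation address).
    samples = [
        ("WAN", WAN_RULES, "203.0.113.10", "192.168.10.20", 443),
        ("WAN", WAN_RULES, "203.0.113.10", "192.168.10.20", 22),
        ("DMZ", DMZ_RULES, "192.168.10.20", "192.168.1.50", 445),
        ("DMZ", DMZ_RULES, "192.168.10.20", "203.0.113.10", 443),
    ]
    for iface, rules, src, dst, port in samples:
        print(iface, src, "->", dst, port, evaluate(rules, src, dst, port))
```

Rule order matters: moving the final pass rule above the LAN block would let the DMZ servers reach the LAN.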