Best way to protect one host with a DMZ

I'm new to the pfSense world and need help deciding the best way to configure the software. This pfSense firewall IS NOT protecting us from the internet; we have a different firewall doing that on the LAN.

I have one host that is behind a hardware firewall, and this firewall is EOL, so I need to replace it. This host has an MPLS connection (WAN) from a vendor that needs access to the data. We NAT the vendor traffic at the firewall and only allow certain ports to the host in the DMZ from the vendor. My internal users (LAN) also have access to the data on this one host as well.

So if I want to restrict traffic from the vendor, would they still be considered a WAN interface, or would I put them in an Option Interface and just not use a WAN interface?

I'm also unable to check for version updates because I think it is trying to send internet traffic to the WAN, but that is the vendor interface and there is no internet access on it. Can this be changed to route the traffic to the LAN?

Any suggestions on how to best achieve this would be appreciated.
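The policy described in the post (vendor MPLS link treated as a separate interface, NAT to the one DMZ host, only the needed ports open, LAN allowed in, everything else blocked) written out as a plain pf(4) ruleset. This is an added illustration, not pfSense-generated output or anything from the original post; interface names, addresses, and the port number are constructed placeholders.

```pf
# Constructed example: FreeBSD/pf syntax (the pf version pfSense builds on).
# pfSense writes its own rules from the GUI; this only shows the intended policy.
vendor_if  = "em0"              # MPLS link from the vendor, assigned as an OPT interface
lan_if     = "em1"
dmz_if     = "em2"
lan_net    = "192.168.10.0/24"  # placeholder LAN range
dmz_host   = "192.168.20.5"     # the single DMZ host
vendor_src = "10.50.0.0/16"     # placeholder: addresses the vendor sends from
vendor_dst = "203.0.113.10"     # placeholder: address the vendor has been given for the host
vendor_ports = "{ 1433 }"       # placeholder: only the service the vendor actually needs

set skip on lo0

# Default deny on every interface; anything not listed below is dropped and logged.
block log all

# Vendor traffic arrives for vendor_dst and is translated to the DMZ host.
# rdr runs before filtering, so the pass rule matches the translated address.
rdr on $vendor_if proto tcp from $vendor_src to $vendor_dst port $vendor_ports -> $dmz_host
pass in on $vendor_if proto tcp from $vendor_src to $dmz_host port $vendor_ports \
    flags S/SA keep state

# Internal users reach the host freely; the DMZ host cannot initiate toward the LAN.
pass in on $lan_if from $lan_net to $dmz_host keep state
block in log on $dmz_if from $dmz_host to $lan_net

# Firewall-originated traffic (update checks included) is allowed out; which
# interface it leaves on is decided by the default route, not by these rules.
pass out keep state
```

The update-check question is a routing matter rather than a filtering one: the firewall's own outbound traffic follows the system default gateway, so the LAN side needs to be the default route for updates to reach the internet.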