Concept questions (VLAN and DMZ) on virtual Pfsense (esxi v.6.5)

  • Hi my pfsense friends,

    Warning: It's getting complex and long... ;=).... don't read if you don't have time.

    I'm a pfsense user since a couple years now. So I think that I have a good general understanding of networking and pfsense. Unfortunately I'm kind of a noob concerning VLAN's. My home network is growing and growing and now it's time to create VLAN's (also for security reasons).

    I'm running pfsense on a esxi 6.5. I also have other VM's running on Esxi as well as nested HYP-V. So probably around 20 VM's. I also have connected 2 OpenVPN connection <- (I let them be as they are at the moment.)

    DL380 G6 with Esxi
    1 Port = WAN
    2 Port = LAN (192.168.0.X) <- My private Network with all VM's and Notebooks and stuff...
    3 PORT = OPT1 (192.168.20.X) <- Planned
    4 PORT = Management Esxi (192.168.0.X)

    I have now connected PORT 3 (physically) to a Netgear GS110TP Switch on Port 6. I added there VLAN Tag 4 on this port.

    Virtual Machine:
    Then I added this as a new virtual switch on esxi with a new portgroup. I also tagged everything with 4. <- I didn't create a new TCP/IP Stack on the esxi <- I have to read into that ^^.
    I added this new Portgroup to the virtual machine which should be part of this new VLAN (Gateway

    Then I added this new portgroup to my pfsense as OPT1. I created the VLAN and mapped it to OPT1.
    I can see the interface is "up" on in the pfsense. I created a rule on the pfsense on OPT1 and allowed any to any <- (Test)

    I don't know somewhere I miss something because I can't reach the internet from the VM and I can't get into my Lan network.
    The part I don't understand is: where to I say on the pfsense that I allow traffic from VLAN 4 to my private network?

    Concept question:
    When I create this setup like I described and I unplugg now OPT1 (physically) all my machines which are connected to this VLAN on this hypervisor are going offline?
    This means all the traffic which is "internal on the esxi server" because everything is virtual is going out and makes a turnaround on the GS110TP?

    Can I solve that easier? Is it stupid what I'm trying to do, if yes why?

    How can I create a "save" DMZ Zone in my Network?

    I hope someone can help, any ideas are welcome.


