How to set up my network with VLANs, DMZ and servers?

I’m a homelabber just wanting to learn how to set up networking.

I would very much appreciate some advice on how to structure and secure my network and servers.

I have a home network consisting of:

  • A pfSense firewall + VPN server (Dell R210 II)
  • EdgeSwitch 48 port
  • 3x UniFi nanoHD AP
  • XCP-ng (Dell R630) running different VMs
  • TrueNAS/FreeNAS (Dell R720xd)
  • Variety of PCs/Macs/game consoles
  • IoT devices

So far I have moved my IoT devices to VLAN 50, segregated from my default VLAN.

I have a Minecraft server that I would like to open up for my kids and their friends, but what I understand is that I should put it in a DMZ. I have watched this guide:

The guide advises having dedicated NICs for the DMZ and for the rest of the network. In my current setup the servers are hosted on my XCP-ng, which also hosts VMs that should not be in the DMZ, my UniFi controller and my Plex media server for example. Is there a smart way of doing this, or is it not possible?

I’m sorry if this is a basic question, but I really would like to learn more about networking and servers, so any help and advice is highly appreciated.

Thanks in advance.

I have a video here on how to set up VLANs in pfSense, which covers the UniFi switch, so you will have to modify the setup to apply to your EdgeSwitch. This video describes how to use VLANs with XCP-ng.

Thanks for the quick reply.

I have actually watched your fantastic video on how to set up VLANs on pfSense and UniFi. That actually helped me a lot in setting up my VLAN 50 for my IoT Wi-Fi devices. So thanks a lot for that video. It really helped very much.

I would definitely watch the one on VLANs with XCP-ng. This might be a stupid question, but should I understand it such that a VLAN is the same as a DMZ? Or should a DMZ be on a separate NIC in order to be a DMZ? Or could I run a server on a separate VLAN?

Once again, thank you very much for so much great, rich content.

A VLAN and a DMZ are separate things. A VLAN helps you segment your network without having to add a new physical NIC. It is basically a virtual NIC. A DMZ is basically a network that is segmented from your main LAN. It is usually used in PROD for servers that serve content outside the LAN. You can create a VLAN on your router, pass it to XCP-ng, and then pass it to whatever virtual machine you want to. Whatever VM it is passed to sits on the DMZ. If the DMZ is segmented correctly, then the VM is segmented as well. Think of a scenario where the PROD web server is hacked: the hacker has no access to the local network, or the database network, or any other network. It basically limits the damage that the hacker can cause. Hopefully this helped explain things a little bit. Plus I am no expert, so feel free to correct whatever is wrong.
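As an added illustration of the reply above (this is not code from the thread, from pfSense or from XCP-ng), the Python below models the layout being described: one tagged VLAN per network over the single trunk NIC, the Minecraft VM attached only to the DMZ VLAN, and pfSense rules evaluated on the interface the traffic arrives on, first match wins, with everything else denied. It also emits the `xe` commands that put a VM on a tagged VLAN in XCP-ng. VLAN 50 for IoT is the poster's; the DMZ VLAN number (60), the subnets, the addresses, the UUID placeholders and the VIF device index are assumptions made for the example.

```python
"""Model of 'VLAN per network, Minecraft VM alone in the DMZ VLAN, pfSense
rules per interface'. Added example; VLAN 60, subnets, addresses and UUIDs
are assumptions, not values from the thread."""

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing plan. VLAN 50 (IoT) is the poster's; the rest is invented.
INTERFACES = {
    "WAN": ipaddress.ip_network("0.0.0.0/0"),
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "IOT": ipaddress.ip_network("192.168.50.0/24"),   # VLAN 50
    "DMZ": ipaddress.ip_network("192.168.60.0/24"),   # assumed VLAN 60
}
MINECRAFT_PORT = 25565                                # Minecraft Java default port
MINECRAFT_VM = "192.168.60.10"                        # assumed DMZ address of the VM


@dataclass
class Rule:
    iface: str            # pfSense interface the packet arrives on
    action: str           # "pass" or "block"
    proto: str            # "tcp", "udp" or "any"
    src: str              # interface name (meaning its subnet) or "any"
    dst: str              # interface name or "any"
    dport: Optional[int]  # None means any port


# Rules in pfSense order: first match on the ingress interface wins,
# and a packet matching no rule is dropped (pfSense's implicit default deny).
RULES = [
    # WAN: only the port-forwarded Minecraft port may reach the DMZ host.
    Rule("WAN", "pass", "tcp", "any", "DMZ", MINECRAFT_PORT),
    # DMZ: may talk to the internet, but never into LAN or IoT.
    Rule("DMZ", "block", "any", "DMZ", "LAN", None),
    Rule("DMZ", "block", "any", "DMZ", "IOT", None),
    Rule("DMZ", "pass", "any", "DMZ", "any", None),
    # LAN: trusted clients may reach everything (including the DMZ for admin).
    Rule("LAN", "pass", "any", "LAN", "any", None),
    # IOT: no rules at all, so IoT devices can reach nothing (matches VLAN 50 today).
]


def ingress_iface(src: ipaddress.IPv4Address) -> str:
    """Pick the interface a packet with this source enters on; WAN is the catch-all."""
    for name, net in INTERFACES.items():
        if name != "WAN" and src in net:
            return name
    return "WAN"


def _matches(rule: Rule, proto: str, src, dst, dport: int) -> bool:
    if rule.proto not in ("any", proto):
        return False
    if rule.src != "any" and src not in INTERFACES[rule.src]:
        return False
    if rule.dst != "any" and dst not in INTERFACES[rule.dst]:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def allowed(proto: str, src: str, dst: str, dport: int) -> bool:
    """True if pfSense would pass the flow under RULES (first match, default deny)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = ingress_iface(src_ip)
    for rule in RULES:
        if rule.iface == iface and _matches(rule, proto, src_ip, dst_ip, dport):
            return rule.action == "pass"
    return False


def compromised_dmz_host_reach() -> dict:
    """The reply's scenario: the Minecraft VM is hacked. What can the attacker reach?"""
    targets = {"LAN NAS": "192.168.1.20", "IoT cam": "192.168.50.7", "internet": "8.8.8.8"}
    return {name: allowed("tcp", MINECRAFT_VM, ip, 445) for name, ip in targets.items()}


def xcpng_vlan_commands(vlan_id: int, trunk_pif_uuid: str, vm_uuid: str, label: str) -> list:
    """xe CLI steps that attach a VM to a tagged VLAN carried on the host's trunk NIC.
    Returned as strings to run on the XCP-ng host; device=0 is an assumed free VIF slot."""
    return [
        f"NET=$(xe network-create name-label={label})",
        f"xe vlan-create pif-uuid={trunk_pif_uuid} vlan={vlan_id} network-uuid=$NET",
        f"xe vif-create vm-uuid={vm_uuid} network-uuid=$NET device=0",
    ]


if __name__ == "__main__":
    print("internet -> minecraft:", allowed("tcp", "203.0.113.5", MINECRAFT_VM, MINECRAFT_PORT))
    print("hacked DMZ host reach:", compromised_dmz_host_reach())
    for cmd in xcpng_vlan_commands(60, "<trunk-pif-uuid>", "<minecraft-vm-uuid>", "DMZ"):
        print(cmd)
```

The point this makes concrete is the one the reply states: the DMZ VM and the UniFi controller or Plex VM can share the same physical trunk NIC on the XCP-ng host, because each gets its VIF on a different tagged network, and the isolation comes from the pfSense rules on the DMZ interface rather than from separate cabling. The same `xe` steps with the LAN VLAN number put the management VMs on the LAN network.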