Quick background. I built a pfSense box from an old desktop tower: i3 8100, 16 GB RAM, 125 GB SSD, and it has 8 physical gigabit interface ports to use. It has Suricata, pfBlocker, and OpenVPN/PIA set up and running smoothly thanks to Tom's fantastic YouTube videos. My question is related to segmentation.
My used physical ports are WAN, LAN, and Sec (security cams). The OpenVPN is set up logically.
I have 8 security cams on their own Sec LAN network, and everything else via the LAN. One wifi AP. One managed D-Link 24-port switch (which has been a PIA).
WAN: 68. etc. etc.
LAN: 192.168.1.0/24
Sec: 192.168.2.0/24
My end goal would be to add a guest wifi AP on its own physical LAN port separate from the LAN port, an IoT wifi AP on its own physical port, a NAS (with local network access only), and a single management LAN for a few computers for pfSense box management, in addition to the already created networks. My question is related to the proper segmentation of them through the switch. Is this accomplished by creating access ports on the switch to block other network traffic, or via VLANs, since I have enough physical interfaces to start from on the pfSense box? I've already made rules to only allow access to the security cams via a few LAN devices, and blocked the cams from the internet and other networks. I can remote view them via OpenVPN, or at home via the interface rules I created. Are the rules all I need, or are there additional things needed via the switch to better the segmentation? I hope this all doesn't sound too garbled, and thank you in advance!
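As an added illustration (not the poster's configuration or any pfSense code), this Python model evaluates the per-interface, first-match, default-deny rule logic the post describes against the posted LAN and Sec subnets; the GUEST, IOT and MGMT subnets, the two "viewer" addresses and every test flow are assumed sample values.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Subnets: LAN and SEC are from the post; GUEST, IOT and MGMT are assumed
# placeholders for the planned guest, IoT and management segments.
NETS = {
    "LAN": ip_network("192.168.1.0/24"),
    "SEC": ip_network("192.168.2.0/24"),
    "GUEST": ip_network("192.168.3.0/24"),  # assumed
    "IOT": ip_network("192.168.4.0/24"),    # assumed
    "MGMT": ip_network("192.168.5.0/24"),   # assumed
}
# The "few LAN devices" allowed to view the cameras (constructed addresses).
CAM_VIEWERS = {ip_address("192.168.1.10"), ip_address("192.168.1.11")}
# src: subnet name, "viewers" or "any"; dst: subnet name, "local", "internet" or "any"
Rule = namedtuple("Rule", "action src dst")

# Rules belong to the interface the traffic ENTERS, are read top to bottom,
# first match wins, and anything unmatched is dropped (implicit default deny).
RULES = {
    "LAN":   [Rule("pass", "viewers", "SEC"), Rule("block", "LAN", "SEC"),
              Rule("pass", "LAN", "any")],
    "SEC":   [Rule("block", "SEC", "any")],  # cams may not initiate to anything
    "GUEST": [Rule("block", "GUEST", "local"), Rule("pass", "GUEST", "internet")],
    "IOT":   [Rule("block", "IOT", "local"), Rule("pass", "IOT", "internet")],
    "MGMT":  [Rule("pass", "MGMT", "any")],
}

def _matches(selector, ip):
    local = any(ip in net for net in NETS.values())  # "local" = any subnet above
    if selector == "any":
        return True
    if selector == "viewers":
        return ip in CAM_VIEWERS
    if selector in ("local", "internet"):
        return local if selector == "local" else not local
    return ip in NETS[selector]

def ingress_interface(ip):
    # Interface a packet from this source enters on, or None if unknown.
    return next((name for name, net in NETS.items() if ip in net), None)

def allowed(src, dst):
    """True if a NEW connection src -> dst passes the ingress interface's rules.
    Replies to an allowed connection return via state and are not modelled."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for rule in RULES.get(ingress_interface(src_ip), []):
        if _matches(rule.src, src_ip) and _matches(rule.dst, dst_ip):
            return rule.action == "pass"
    return False  # nothing matched: default deny
```

The model only covers traffic that actually crosses pfSense: two hosts sitting in the same switch VLAN (or the same untagged port group) reach each other without ever touching these rules, which is why each segment also needs its own VLAN or its own physical interface on the switch side.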