Prox host network isolation assistance

[paddyirishman]

Hello,

I am struggling to get my head around this as networking isn't my strong point. I think I might be overdoing this in my mind, looking for a little assistance please and thanks. This is a home setup, I use prox to host a portainer host for multimedia purposes/containers, and using a plex lxc container and a separate NAS that is mapped to prox and shared to all the above where applicable.

Setup:

• prox host (vmbr0 192.168.1.11)
  • dual port 2.5gbe nics (bridged to vmbr1 and vmbr2)
  • 1 USB c nic for management purposes (vmbr0)
    
    
• pfsense VM (vmbr2 192.168.1.2)
  • WAN vmbr1
  • LAN vmbr2
  • VLANS100+200 are for VPN and have VPN gateways setup and are fine
  • VLAN300+400 are just setup as interfaces on pfsense 10.242.30 10.242.40
    
• Pfsense DHCP LAN clients are all on 192.168.1.0/24
  
  
• QNAP NAS 192.168.1.5

PROBLEM TO SOLVE: I would like to improve my network security and move prox and pfsense onto a different network or vlan and be able to access from LAN/WIFI. Its not safe to have these all under one roof. Perhaps having the NAS on the infra VLAN makes sense too then just define rules in pfsense. The prox host should always be reachable regardless of if the pfsense VM is up or down.

I'm struggling to understand how to get vmbr0 to be able to communicate with the pfsense / be reachable from WIFI/LAN to accommodate this.

vmbr0 (management nic) isn't visible to pfsense as its only vmbr1 and vmbr2 that are assigned to WAN LAN in the pfense VM.

If vmbr2 is VLAN aware do I need to create a VLAN on the vmbr0 that matches the pfsense one I would like it to live on?
I've tried assigning VLAN300 IP to the bridge and setting vmbr0 to IP on this VLAN and allowing LAN net access to VLAN300 but still cant ping (allowed all traffic on VLAN300 also to test)

Any help is appreciated.. Feeling like a retard right now.

Danke danke,