I am planning to set up a dedicated hardware firewall like Protectli and run pfSense on it. I already know that:
- it is a good practice NOT to have a wireless adapter on the firewall unit
- it is ok to run two independent LANs from the same server (one for the intranet, one for internet-facing servers)
Will it be secure to run local DHCP, DNS and VPN services on that very same hardware box as well?
This is a small office environment with just a couple of desktops and a couple of servers running basic things like CUPS, KVM, file systems, so if possible I would want to keep the number of hardware nodes to the minimum. That is, without compromising the security of the entire LAN.
EDITED: Two classes of threats are considered:
- a motivated attacker seeking to gain access to sensitive data on the LAN file server
- automated ransomware attacks on the entire LAN architecture