I can explain to you how my network is set up. I think it is not far from your setup.
The only difference is that I use Proxmox as the virtualization layer instead of ESXi.
I have 2 instances of NethServer running:
- gateway with firewall IDS/IPS etc having 2 (virt) interfaces: RED and GREEN
- DC + all other services having 1 interface: GREEN
First the layout:
Internet - ISP Router - Red interface of NS7GW - Green Interface of NS7GW - switch - Internal LAN
The internal LAN consists of 2 access points, 1 printer and several wifi clients (laptops and Android phones), and of course the NethServer instance that serves AD + fileserver + networking services for the LAN.
The easiest way would be if you can put your ISP router in transparent mode. Then your RED interface for your NS GW instance will get an external IP address. If that is not possible, you need to ‘double-NAT’ your network.
I would advise against condensing storage and services together with the GW/firewall. Better would be to use 2 instances of NethServer instead of 1.
Apart from the use of a virtualization layer, this is all quite basic networking. Since you have 3 interfaces, you can use the 3rd interface as a blue ‘lab’ interface. That way your blue lab environment cannot reach your green LAN environment.
I have used Unifi access points for a long time. Instead of installing the controller on NethServer, I opted for a small container (Proxmox can do containers too) with Debian 8 server and installed the controller on that instance. Instead of a container, you can choose to install a (small) VM.