network design to segregate public and staff

Posted by barb on Server Fault See other posts from Server Fault or by barb
Published on 2010-12-24T00:29:02Z Indexed on 2010/12/24 0:56 UTC

My current setup has:

  • a pfSense firewall with 4 NICs and potential for a 5th
  • one 48-port 3Com switch, one 24-port HP switch, willing to purchase more
  • subnet 1) edge (Windows Server 2003 for VPN through Routing and Remote Access) and
  • subnet 2) LAN with one WS2003 domain controller/DNS/WINS etc., one WS2008 file server, one WS2003 running Vipre anti-virus and Time Limit Manager which controls client computer use, and about 50 PCs

I am looking for a network design for separating clients and staff. I could do two totally isolated subnets, but I'm wondering if there is anything in between so that staff and clients could share some resources such as printers and anti-virus servers, staff could access client resources, but not vice versa. I guess what I'm asking is: can you configure subnets and/or VLANs like this:

  • 1) edge for VPN
  • 2) services available to all other internal networks
  • 3) clients which can access services but not staff
  • 4) staff which can access services and clients

By access/non-access, I mean stronger separation than domain usernames and passwords.
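The four-zone layout asked for above, written as a raw pf ruleset of the kind pfSense generates from its GUI; this is an added example, not part of the original question. Interface names, the 10.0.x.0/24 addressing, and the choice to let the edge (VPN) zone reach only the services zone are assumptions.

```pf
# Assumed interface names: on pfSense these could be four NICs or 802.1Q VLAN
# sub-interfaces on one trunk port to the managed switch.
edge_if   = "em0"   # 1) edge: RRAS VPN server
svc_if    = "em1"   # 2) services: DC/DNS/WINS, file server, AV server, printers
client_if = "em2"   # 3) clients: public PCs under Time Limit Manager
staff_if  = "em3"   # 4) staff PCs

edge_net   = "10.0.1.0/24"   # assumed addressing
svc_net    = "10.0.2.0/24"
client_net = "10.0.3.0/24"
staff_net  = "10.0.4.0/24"

table <private> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Stateful filtering: only the zone that INITIATES a connection needs a pass
# rule; replies ride the state entry, so "staff -> clients" does not imply
# "clients -> staff".
set skip on lo0
block in log all          # default deny on every zone; log for monitoring

# 2) services are reachable from every other internal zone
pass in quick on $staff_if  from $staff_net  to $svc_net keep state
pass in quick on $client_if from $client_net to $svc_net keep state
pass in quick on $edge_if   from $edge_net   to $svc_net keep state

# 3) clients must never reach staff: explicit, logged, before any other pass
block in log quick on $client_if from $client_net to $staff_net

# 4) staff may reach client PCs (support, TLM console); replies are stateful
pass in quick on $staff_if from $staff_net to $client_net keep state

# Servers in the services zone answer connections but do not initiate them;
# this keeps a compromised shared host (e.g. a printer reachable by the
# public) from pivoting into the staff zone. If the AV console must push to
# agents, add ONE narrow rule here from the AV server to the agent port
# (the port is not given in the question).
block in log quick on $svc_if from $svc_net to { $staff_net, $client_net }

# Internet access for staff and clients, but not to any other private range
pass in quick on $staff_if  from $staff_net  to ! <private> keep state
pass in quick on $client_if from $client_net to ! <private> keep state
```

Because pf evaluates rules per ingress interface, the client-to-staff block holds even if a client PC learns the staff subnet; the same policy can be entered rule-for-rule in pfSense's Firewall > Rules tab for each interface.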

© Server Fault or respective owner
