So here’s the diagram:

Double line with a chevron means wired and single line means wireless. Legend is also in the image.

What I would like to do is use a pfSense VM (can’t make it a hardware unit for reasons outside of this thread) for routing, the firewall and DHCP, because the wireless things like my HomePod and other things need to be visible to other wired items like my Apple TV, which sits wired to the wall.
Another wrinkle to figure out is if/how I can turn off NAT on the ASUS router I’ll be using for Wi-Fi, and can I just tell it that the pfSense machine will give it DHCP? Hope this all makes sense.


Well, the usual way is all the internal LAN wired stuff comes to a switch. The switch has a connection to the pfSense box, which has another connection for the WAN side, which goes to the cable modem or whatever. pfSense being a VM or metal doesn't matter; the basics are the same. The ASUS router should be able to be put into AP mode. No connection to the WAN port, LAN port to the switch. Tell it to use DHCP for LAN, or assign it a static address; both should work.

The switch can be the Wi-Fi AP if you like. It has one built in for the LAN ports. If that's enough wired ports, you're good to go there.

Your pfSense VM needs 2 interfaces. One for LAN, one for WAN. Those can be virtual interfaces, but the hypervisor will need two NICs or you need to get into VLANs and such.
