@metu: Is a manageable switch alone enough to create a VLAN? I'm talking about hardware requirements. So: my pfSense box - manageable switch - different VLANs?
Yes, a small VLAN capable switch is sufficient for your needs. I'm not sure that all manageable switches are VLAN capable.
@stephen: Sorry, but I don't understand what you are saying. If I have a VLAN-capable client, can I separate this client from the others in my LAN directly? And is this client the one who can control/manage the VLAN, and not me? What if I have 3 VLAN-capable clients, how are they going to communicate? Thinking about VLANs alone makes my head ache.
Notice also that Stephen said it would not provide much by way of security, so I think that rules his idea out for your circumstances.
My current situation: I have one LAN composed of Group A (staff) and Group B (guests). My LAN has a file server which Group B should not have access to, for confidentiality reasons. I read that I cannot filter traffic coming in and going out on the same interface. But I need to restrict Group B from accessing the file server. The question is how?
You need to be able to configure separate interfaces for group A and group B so you can create distinct firewall rules for each group. You can use separate physical interfaces for each group (but your slots are all in use so you might need to replace a single port card by a dual port card to get the additional interface) or you can use VLANs to get distinct "virtual" interfaces over a single physical interface. If you use VLANs you will need at least a small VLAN capable switch. Where I live small VLAN capable switches are available for under the local equivalent of US$100.
Given that you aren't allowing significant traffic between group A and group B, you shouldn't see any significant performance difference between the two options.
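To make the reasoning in the two replies above concrete, here is a small added model (not code from the forum, pfSense, or any of the posters) of why a firewall cannot separate two groups that share one segment, and how giving each group its own VLAN interface makes per-interface rules effective. Hosts, addresses, interface names (LAN, GUEST, WAN) and the rules are all constructed for the illustration; the first-match, default-deny behaviour per entry interface mirrors how pfSense rule sets are usually written but is a simplification.

```python
"""Toy model: flat LAN vs. per-group VLAN interfaces in front of a file server.

Constructed example. Addresses, host names, interface names and rules are
made up; the only real behaviour modelled is that frames between two hosts
on the same segment are switched directly and never reach the firewall.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    segment: str  # firewall interface / VLAN the host sits on (assumed name)


@dataclass
class Rule:
    action: str  # "pass" or "block"
    dst: str     # destination network in CIDR form, or "any"

    def matches(self, dst_ip: str) -> bool:
        return self.dst == "any" or ip_address(dst_ip) in ip_network(self.dst)


@dataclass
class Firewall:
    """Rules keyed by the interface traffic enters on; first match wins,
    unmatched traffic is dropped (default deny)."""
    rules: Dict[str, List[Rule]] = field(default_factory=dict)

    def decide(self, iface: str, dst_ip: str) -> str:
        for rule in self.rules.get(iface, []):
            if rule.matches(dst_ip):
                return rule.action
        return "block"


def can_reach(src: Host, dst: Host, fw: Firewall) -> bool:
    """True if src can talk to dst in this topology."""
    # Same segment: the switch forwards the frame directly and the
    # firewall never sees it, so no rule on that interface can apply.
    if src.segment == dst.segment:
        return True
    # Different segments: the frame is routed, so the rules on the
    # interface it entered on decide.
    return fw.decide(src.segment, dst.ip) == "pass"


FILESERVER_IP = "192.168.10.5"  # constructed
INTERNET = Host("internet", "203.0.113.10", "WAN")  # constructed


def flat_lan() -> Dict[str, bool]:
    """Everyone on one segment: even a block rule for the file server
    cannot take effect for hosts on the same LAN."""
    staff = Host("staff-pc", "192.168.10.20", "LAN")
    guest = Host("guest-laptop", "192.168.10.30", "LAN")
    fs = Host("fileserver", FILESERVER_IP, "LAN")
    fw = Firewall({"LAN": [Rule("block", FILESERVER_IP + "/32"), Rule("pass", "any")]})
    return {
        "staff->fs": can_reach(staff, fs, fw),
        "guest->fs": can_reach(guest, fs, fw),
        "guest->internet": can_reach(guest, INTERNET, fw),
    }


def vlan_lan() -> Dict[str, bool]:
    """Guests moved to their own VLAN interface (GUEST): the GUEST rules
    now see guest traffic and can deny the staff network."""
    staff = Host("staff-pc", "192.168.10.20", "LAN")      # VLAN 10 (assumed)
    fs = Host("fileserver", FILESERVER_IP, "LAN")
    guest = Host("guest-laptop", "192.168.20.30", "GUEST")  # VLAN 20 (assumed)
    fw = Firewall({
        "LAN": [Rule("pass", "any")],
        "GUEST": [Rule("block", "192.168.10.0/24"), Rule("pass", "any")],
    })
    return {
        "staff->fs": can_reach(staff, fs, fw),
        "guest->fs": can_reach(guest, fs, fw),
        "guest->staff": can_reach(guest, staff, fw),
        "guest->internet": can_reach(guest, INTERNET, fw),
    }


if __name__ == "__main__":
    print("flat LAN :", flat_lan())
    print("VLAN LAN :", vlan_lan())
```

Running it shows the guest laptop reaching the file server in the flat layout regardless of the block rule, while in the VLAN layout guests still get out to the internet but are denied the whole staff network; staff traffic to the file server stays on the LAN segment and is unaffected. The same split can be done with a second physical interface instead of a VLAN, as the reply above notes.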
Actually, money is not the factor, it is our office location. We are currently situated in the middle of nowhere. Buying gadgets like this will require at least a 3-hour trip or, at worst, waiting 30-45 days for our supplier to get the hardware from their manufacturer/distributor.
If your superiors are not prepared to fund someone for the three hour trip, are not prepared to wait 30-45 days for your current supplier to provide, are not prepared to authorise an "exception" to get suitable equipment sooner, and want the solution "now", then they are not serious about the security.
To get the security you appear to need you require either an additional port or the VLAN capable switch.
On thinking through this a bit more, I notice it's not clear how groups A and B currently connect to pfSense: possibly both groups connect to a single switch, maybe there is a wireless access point or two, etc. What you will need will actually depend somewhat on the mix of devices in the different groups. For example, if every device in group B is WiFi capable then you could get away with configuring a USB Wireless NIC that can act as an access point in your pfSense box. Group B devices would then come in over WiFi and would have their own separate firewall rules. (I'm presuming your existing pfSense box has at least one spare USB slot.)