In a sample scenario you could have three vSwitches. vSwitch0 for Management of the host on your LAN, vSwitch1 connected to the Internet and vSwitch2 (without uplinks) used for a DMZ. With these vSwitches, create a pfSense firewall with 3 virtual NICs, each one connected to another vSwitche. Make sure the "LAN" port is connected to vSwitch0 (your internal network). The web servers will only be connected to the DMZ vSwitch with private IP addresses. With this setup you can now configure firewall rules to be able to access the web servers from your internal network and also create NAT rules to forward external traffic to the web servers. E.g. 213.x.x.10 Port 80 (external) to web server 192.168.x.10, and 213.x.x.11 Port 80 (external) to web server 192.168.x.11, ...
André