Server Configuration

There are several potential configurations for the Firewall and the Webmail / Web Proxy Server functionality. The Firewall is a PC with at least two Ethernet ports running the Ubuntu Server LTS operating system.

The Firewall Server uses the iptables system to manage network packet routing. One of the Ethernet ports is connected to the Internet (i.e., directly to your Internet Modem) and the other is used for the Private Network and goes to the Private Network Switch to which the other systems on the Private Network are connected.

The Firewall Server also runs other server software: the Dynamic Host Configuration Protocol (DHCP) server, which assigns IP addresses to the systems on the Private Network; the Domain Name System (DNS) server, which lets systems on the Private Network resolve the IP addresses of outside systems; and the Network Time Protocol (NTP) server, which keeps all of the computers’ clocks synchronized. Hosting these services internally not only reduces unnecessary traffic over your Internet Modem but also improves the performance of the systems on the Private Network.

The other functionality which can also be located on the Firewall Server is the Webmail Server and/or the Web Proxy Server.

The Webmail server allows systems on the Private Network to access email safely without having access to email attachments, which are the vector most commonly used by hacking attacks on small office servers.

The Web Proxy Server allows systems on the Private Network to browse to certain whitelisted websites, without being able to access websites which are not whitelisted.

If the Webmail server and Web Proxy server software are hosted on the Firewall Server, iptables on that machine must be configured carefully so that these services are reachable only from the Private Network and never from the Internet. This can be done, but it is a little tricky, and there is a real chance of getting it wrong. Also, if the Webmail server and/or Web Proxy server are installed as Docker containers, which I recommend, the Docker Compose system must be allowed to modify the iptables rules so that the containers are reachable; the rules Docker adds, however, open the containers to both the Private Network and the Internet. An additional iptables script must then be run to revoke access from the Internet. These problems can be avoided, and the configuration simplified, by running the Webmail Server and Web Proxy Server on a separate PC with the Ubuntu Server LTS operating system.
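The following script is an added example, not part of the original article and not a script supplied by Ubuntu or Docker. It implements the two-port firewall described above (routing the Private Network out through the Internet port, and exposing DHCP, DNS, NTP, the Webmail server and the Web Proxy only on the private port) and, for the Docker case, places the "revoke access from the Internet" rules in Docker's DOCKER-USER chain, which Docker consults before its own forwarding rules, so they are not undone when Docker Compose rewrites its rules. Interface names, the private subnet, the service ports and the optional separate proxy host are assumptions set at the top; the script prints the iptables commands by default and only applies them when run as root with `--apply`.

```shell
#!/bin/sh
# Added example (not from the original article). All values below are assumptions.
WAN_IF="${WAN_IF:-enp1s0}"               # assumed: Ethernet port cabled to the Internet modem
LAN_IF="${LAN_IF:-enp2s0}"               # assumed: Ethernet port cabled to the Private Network switch
LAN_NET="${LAN_NET:-192.168.10.0/24}"    # assumed: subnet handed out by the firewall's DHCP server
WEBMAIL_PORT="${WEBMAIL_PORT:-443}"      # assumed: Webmail served over HTTPS
PROXY_PORT="${PROXY_PORT:-3128}"         # assumed: Web Proxy listener port
PROXY_HOST="${PROXY_HOST:-}"             # assumed: set only if the proxy runs on a separate PC

# Emit the base rule set as iptables commands, one per line. Emitting rather than
# executing lets the policy be reviewed (and unit-tested) before it touches the kernel.
firewall_rules() {
    cat <<EOF
iptables -F INPUT
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 123 -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $WEBMAIL_PORT -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -j ACCEPT
EOF
    # DHCP discovery above is accepted without a source filter because clients send it
    # from 0.0.0.0. DNS, NTP, Webmail and the proxy accept only private-port traffic,
    # so nothing arriving on $WAN_IF ever matches; the INPUT default policy drops it.
    if [ -n "$PROXY_HOST" ]; then
        # A proxy on a separate PC needs direct web access before the block below.
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $PROXY_HOST -j ACCEPT"
    fi
    cat <<EOF
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp -m multiport --dports 80,443 -j DROP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
    # The multiport DROP forces browsing through the Web Proxy: private hosts cannot
    # reach web sites directly, only the whitelisted ones the proxy permits. A proxy
    # running on the firewall itself leaves via OUTPUT, so it is unaffected.
}

# Docker publishes container ports with its own FORWARD rules, which accept traffic
# from every interface. Docker jumps to DOCKER-USER before those rules and does not
# flush it, so dropping new Internet-side connections here revokes outside access
# to the containers while leaving the Private Network's access intact.
docker_user_rules() {
    cat <<EOF
iptables -N DOCKER-USER 2>/dev/null || true
iptables -F DOCKER-USER
iptables -A DOCKER-USER -i $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
iptables -A DOCKER-USER -i $WAN_IF -j DROP
iptables -A DOCKER-USER -j RETURN
EOF
}

apply_rules() {
    { firewall_rules; docker_user_rules; } | sh -e
}

case "${1:-}" in
    --apply) apply_rules ;;           # run as root to load the rules
    *) firewall_rules; docker_user_rules ;;   # dry run: print the rules for review
esac
```

Run it without arguments first and read the output; `sudo sh firewall.sh --apply` loads the rules. Because the rules are not persisted across reboots by this script alone, install it as a boot-time service (or use a package such as iptables-persistent) so the revocation in DOCKER-USER is in place before Docker Compose brings the containers up.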