If all hosts are in one big subnet, then traffic between them never needs to go to your firewall, therefore the firewall's zone configuration and policies are irrelevant. VLANs and subinterfaces are indeed what you'd need here.

I tried with vlan's and subinterfaces for a couple of hours this afternoon but seemed to be unable to get anywhere, could not even ping the ip of the subinterfaces let alone get out to the internet and this was even being connected straight to the interface with a client.

I believe using secondary ip's on the interface should be able to get me to hide the different networks from each other, but would still like to have a go at vlan's and subinterfaces if anyone can give step by step at all that would be most helpful.

 

Thanks in advance

Connecting a client machine directly to the firewall won't work, and isn't supposed to work.

 

Please advise what switch(es) you are using.

It is an SSG-320 and a Cisco Catalyst 3550 I was using. I had created 3 subinterfaces on the firewall with 3 vlan tags 100, 200 and 300. Did I need to create these same vlan's with identical tags on the switch as well, was that were I was going wrong?

Yes, you need to configure VLANs with the same tags on the switch, and configure the switch port connecting to the firewall in trunk mode. Then you need to set aside switch ports for each of the three networks, put them in access mode and assign them to the appropriate VLAN.