Additional VLAN/Interface

Apple Support Communities,


Hello,


I am running OSX Server on my Mac Mini and need to create a separate subnet in addition to my vlan 10.0.0.0/24. I need to assign this new subnet range to a group of VM Based devices loaded in Parallels in the Mini Server and I also need this subnet to be routable to my other existing subnet 10.0.0.0/24 which is my NAT enabled. The only interfaces I have currently running are the ethernet and virtual for VPN.


I am familiar with how to create VNICs in ESXi but not on a Mac, so I am requesting assistance.


Thanks


V/R

Mac mini, OS X El Capitan (10.11.3)

Posted on Mar 19, 2016 6:15 PM

3 replies

Jun 13, 2018 2:22 PM in response to John Lockwood

John Lockwood,


Hi, thank you for your response. In this situation I will go with option 1. Question: I followed this guide, Section II, when I created a VLAN for VPN. How can I add a second statement to this NAT rule for the LAN portion? I want to make sure I do not make any mistakes.


And off subject, do you know the easiest way on a Mac to run NTP Strat 2, and for Linux-based clients that need an NTP source?


Thanks.

Mar 21, 2016 4:36 AM in response to Community User

It sounds like you want to end up with a total of three networks, two of which are VLANs and one is the main Mac LAN. It also sounds like you already have one VLAN added to the Mac and used for VPN server purposes.


There is undoubtedly more than one means to do this; here are two possibilities.


Option 1

  • Add another VLAN to the Mac to match what you want to use for the Parallels VM machines
  • Add another rule on the Mac server to forward packets to/from that VLAN just the same as you have done for the existing VPN VLAN


(You are probably already aware of how to create VLAN interfaces on a Mac since you seem to have already done so for the VPN services, but see "OS X Yosemite: Use a virtual local area network"; this applies to El Capitan as well.)

Option 2

  • Fit an additional network adapter to the Mac mini, either a USB or Thunderbolt adapter
  • Connect this additional Ethernet adapter to a second port on a network switch which is configured for this additional VLAN
  • Have the switch do the routing between this additional VLAN and the main network


Note: If you have a hardware router and/or firewall between this Mac and the Internet you are almost certainly going to need to add static IP routes to it to tell it where to route traffic to, to get to the VLANs.


For what it's worth it is possible to run ESXi on a Mac mini and even to have OS X running as a guest in ESXi. There are varying opinions by non-Lawyers about exactly what Apple's software license for OS X specifically means but to some extent running a virtual copy of OS X on a real Mac is allowed. See section 2.B - http://images.apple.com/legal/sla/docs/OSX1011.pdf


Arguably it allows running OS X in a VM specifically to use it as a 'server', which seems to cover your situation, but equally arguably it does not allow using ESXi but only allows using Parallels, VMware or Virtualbox. This latter issue is due to the fact that while Parallels, VMware and Virtualbox all run under OS X, ESXi does not. This is as per 2.B.iii, which says 'that is already running the Apple Software'.


Note: There are two new virtualisation tools for Mac called Veertu and Xhyve which have the potential of becoming options which, like Parallels etc., would based on the above still count as means to legally run OS X VMs, but as yet they do not support OS X guests, only Linux and Windows.

Mar 21, 2016 6:10 AM in response to Community User

With regards to forwarding traffic to the additional VLAN, the settings need to be a little different because I am presuming that while using NAT for the VPN is fine, for the other you probably don't want NAT. You would have to look up details of the same command used for the VPN setup and see what additional options are available.


With regards to NTP, the functionality is built in to OS X Server but needs manually enabling.


See a previous post of mine here, "Re: OS X Server as NTP server", and follow the links in it for more details. To summarise, you make sure the Mac is set to sync to an external NTP server and then 'turn on' the ability to listen for NTP requests from other clients. The Mac will only act as an NTP server if it itself can contact another NTP server; this is why in one of my own cases I need to create a special loopback address.
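
The NAT-for-VPN versus routed-only distinction raised in the reply above, as an added example that is not part of the original thread. It assumes the VPN NAT rule is a pf translation rule loaded with pfctl (the thread does not name the command); the VPN and VM subnets and the interface name are constructed placeholders, and the helper function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed values: VPN_NET, VM_NET, WAN_IF.
LAN_NET="10.0.0.0/24"   # main LAN from the original question
VPN_NET="10.0.10.0/24"  # constructed: subnet of the existing VPN VLAN
VM_NET="10.0.20.0/24"   # constructed: subnet of the new VLAN for the VMs
WAN_IF="en0"            # constructed: the Mac's Ethernet interface

# Convert a dotted quad to an integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Succeed if two CIDR blocks overlap (compare both under the shorter prefix).
overlaps() {
    len=${1#*/}
    if [ "${2#*/}" -lt "$len" ]; then len=${2#*/}; fi
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "${1%/*}") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# Print pf translation rules. Args: wan_if lan_net vpn_net vm_net.
# pf translation rules are first-match, so the "no nat" exemption goes first:
# VM traffic keeps its real source address and is only routed.
pf_rules() {
    if overlaps "$2" "$3" || overlaps "$2" "$4" || overlaps "$3" "$4"; then
        echo "error: LAN, VPN and VM subnets must not overlap" >&2
        return 1
    fi
    cat <<EOF
no nat on $1 from $4 to any
nat on $1 from $3 to any -> ($1)
EOF
}

# Routing between the subnets also needs IP forwarding on the Mac:
#   sudo sysctl -w net.inet.ip.forwarding=1
# Because VM_NET is not translated, the upstream router needs a static route
# to it via the Mac (the note in the first reply). Parse-check the output
# before loading it:  pfctl -nf <file>
pf_rules "$WAN_IF" "$LAN_NET" "$VPN_NET" "$VM_NET"
```
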
