I intend to run a FreePBX distro PLUS an Apache web server to carry my online store. Is it a bad idea to have them both running on the same machine in security terms?
The FreePBX will handle a max of 6 concurrent calls at once and the Apache will handle an online store with a low volume of hits: max of 10 concurrent users. I believe performance is not a question here as I intend to run them inside an Intel® Core™ i5-3427U with 8GB of RAM and 500GB MSATA III HD.
Is it less safe to run them both on the same machine compared to running these services on separate machines but inside the same network in 2 different VLANs?
In your case I would suggest you run two different servers, not that you couldn’t do what you want or that it is a good or bad idea, but more because you haven’t yet got how FreePBX/httpd (Apache)/Asterisk are already working together as defined in the /etc/http* hierarchy (/etc/apache2* for Debian-like systems). A little research into how web servers serve different sites, and where they will be, will benefit you before you go forward.
Enjoy the trip, you will get all your answers on the way.
As my title said, you could use lighttpd instead of Apache to work with FreePBX running on a different port, and Apache could serve your web store on port 80. It is a little bit of reconfiguration to use lighttpd instead of Apache; I am doing it myself as it has a lighter footprint on my machine (which is basically junk with 256MB of memory). I still use it though, since it is passively cooled with flash memory (0 noise) and negligible power consumption.
If I run both services, do you think I’ll face more security risks than running them apart but sharing the same internet and router?
Of course you expose yourself to more risk; a penetration of one server could expose the data of the other and vice versa.
Will this separate setup add more security considering that both servers will be behind the same router?
No, it won’t add any security; that is always up to you and not really to do with how many virtual sites you have and on how many boxes with how many webserver varieties, but it might save your bacon if one of them is compromised.
(well, it might save half your bacon)