Netgate Discussion Forum

    PfSense to serve public IPs to multiple routers

    General pfSense Questions
    4 Posts 2 Posters 380 Views
    fredfred5:

      Hello all,

      I have a customer who is setting up a managed office, and they have asked me to help set up the internet. They have several customers, say 10, each of which will have their own office in the building. Each customer will be using their own router.

      There is a leased line coming into the building which has multiple public IPs assigned. I would like to put a pfSense in front of this and have it distribute the internet to the other customers' routers, where each router gets its own public IP from the block on the leased line. What I have in mind so far is to disable NAT on the pfSense, attach it to a managed switch (Ubiquiti EdgeSwitch) and create a VLAN for each customer.

      This is where I am having trouble: I'm not sure how to ensure each customer router can get its public IP and only that IP; I don't want them to be able to assign one of the other IPs to themselves. I did think of putting a DHCP server on each VLAN and having it assign the public IP that way, but that seems like a very clunky solution and I'm not sure if it would even work.

      Any advice would be very welcome, even if it's to tell me I am going about it completely the wrong way!

      Thanks in advance

      jimp (Rebel Alliance Developer, Netgate):

        The customer WANs can't each be on separate VLANs and all be on the same subnet. Your switch may have a "private VLAN" style isolation option where you designate the pfSense port as an upstream port and all the others as clients, and they can't reach each other at all that way.

        For the IP address problem, you could set up static mappings in DHCP and enable static ARP so that each entry is tied to the specific router MAC address they have. Doing that, however, means you'll also need to know their router MAC ahead of time, and if they change it, you'll have to update it in the firewall.

        Your switch may also have some kind of L2/port security option to limit what they can do.

        If you have a ton of IP addresses to spare you could set up a /30 or /31 for each customer and use separate VLANs, and then there wouldn't be any way they could use a different address. However, to do that you'd need, at a minimum, two IP addresses for each customer.

        And all of that goes out the window if you only have a subnet shared with the WAN interface of pfSense and not a separate routed subnet. If you only have one flat subnet on the WAN of pfSense then your options are either some ugly bridging concoction or giving each customer a separate private network and then doing NAT to their assigned public address.

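The two address-allocation options in the reply above (a /30 or /31 per customer VLAN out of a routed block, or one shared subnet with DHCP static mappings pinned to each router's MAC) are easy to get wrong by hand, so here is an added planning script that is not part of the original thread or of pfSense. It assumes a hypothetical routed block 203.0.113.0/27 (RFC 5737 documentation space, constructed for the example), ten made-up tenant names, VLAN IDs starting at 100, and constructed router MACs; it only computes the plan and does not touch a firewall.

```python
import ipaddress
import re

# Constructed sample input (hypothetical, not from the thread):
# a routed public block and ten tenants in the managed office.
ROUTED_BLOCK = "203.0.113.0/27"
CUSTOMERS = [f"tenant{i:02d}" for i in range(1, 11)]


def links_available(routed_block, prefixlen):
    """Number of per-customer point-to-point links a routed block can hold.

    A /31 link costs two addresses, a /30 link costs four, so a /30 plan
    fits only half as many customers into the same block.
    """
    block = ipaddress.ip_network(routed_block, strict=True)
    return 2 ** (prefixlen - block.prefixlen)


def plan_customer_links(routed_block, customers, prefixlen=31, first_vlan=100):
    """Carve a routed block into one /30 or /31 per customer VLAN.

    Each customer gets its own subnet on its own VLAN, so a router in one
    VLAN cannot claim an address that belongs to another customer.
    Raises ValueError when the block is too small for the customer count.
    """
    if prefixlen not in (30, 31):
        raise ValueError("per-customer links should be /30 or /31")
    block = ipaddress.ip_network(routed_block, strict=True)
    subnets = list(block.subnets(new_prefix=prefixlen))
    if len(customers) > len(subnets):
        raise ValueError(
            f"{block} holds only {len(subnets)} /{prefixlen} links, "
            f"not enough for {len(customers)} customers")
    plan = []
    for offset, (name, subnet) in enumerate(zip(customers, subnets)):
        addrs = list(subnet)  # every address in the subnet, lowest first
        if prefixlen == 31:
            pf_addr, cust_addr = addrs[0], addrs[1]  # both usable (RFC 3021)
        else:
            pf_addr, cust_addr = addrs[1], addrs[2]  # skip network/broadcast
        plan.append({
            "customer": name,
            "vlan": first_vlan + offset,
            "subnet": str(subnet),
            "pfsense_addr": str(pf_addr),
            "customer_addr": str(cust_addr),
        })
    return plan


def normalize_mac(mac):
    """Return a MAC as lowercase colon-separated, or raise if it is not one."""
    hexdigits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def static_mappings(shared_subnet, assignments, reserved=1):
    """Shared-subnet alternative: one public address per customer, pinned to a MAC.

    assignments maps customer -> router MAC. The first `reserved` usable
    addresses are kept for pfSense itself. Duplicate MACs are rejected,
    since two DHCP static mappings on one MAC would make the pin useless.
    """
    net = ipaddress.ip_network(shared_subnet, strict=True)
    pool = list(net.hosts())[reserved:]
    if len(assignments) > len(pool):
        raise ValueError(f"{net} has only {len(pool)} addresses to hand out")
    seen = {}
    rows = []
    for (name, mac), ip in zip(assignments.items(), pool):
        norm = normalize_mac(mac)
        if norm in seen:
            raise ValueError(f"MAC {norm} already assigned to {seen[norm]}")
        seen[norm] = name
        rows.append({"customer": name, "mac": norm, "ipaddr": str(ip)})
    return rows


if __name__ == "__main__":
    for plen in (31, 30):
        print(f"/{plen} links in {ROUTED_BLOCK}: {links_available(ROUTED_BLOCK, plen)}")
    for row in plan_customer_links(ROUTED_BLOCK, CUSTOMERS):
        print(row)
    # Constructed MACs for the shared-subnet variant.
    demo = {"tenant01": "00-11-22-33-44-55", "tenant02": "AA:BB:CC:DD:EE:FF"}
    for row in static_mappings(ROUTED_BLOCK, demo):
        print(row)
```

Running it shows the cost jimp mentions: the /27 yields 16 /31 links but only 8 /30 links, so with /30 the ten tenants do not fit. The static-mapping rows are what you would enter as DHCP static mappings with static ARP enabled on the shared interface; the script deliberately fails on a duplicate or malformed MAC rather than silently handing out an address.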
          fredfred5:

          Hi Jimp,

          Thanks for the reply, I'll check with my customer to see what kind of IPs they are being assigned.

          Thinking about it, it may be that I don't need the pfSense at all; could what I am trying to achieve be accomplished with just a layer 3 switch?

            jimp (Rebel Alliance Developer, Netgate):

            If you don't need to filter anything to/from the customers, only isolate them, then even an L2 switch with private VLANs or a similar feature would be good enough.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.