PfSense to serve public IPs to multiple routers



  • Hello all,

    I have a customer who is setting up a managed office and they have asked me to help setup the internet, they have several customers, say 10, each of which will have their own office in the building. Each customer will be using their own router.

    There is a leased line comming in to the building which has multiple public IPs assigned. I would like to put a pfSense in front of this and have it distribute the internet to the other customers routers where each router gets it own public IP from the block on the leased line. What I have in mind so far is to disable nat on the pfsense, attach it to a managed switch (ubiquiti edgeswitch) and create a vlan for each customer.

    This is where I am having trouble, I'm not sure how to ensure each customer router can get its public IP and only that IP, I dont want them to be able to assign one of the other IPs to themselves. I did think of putting a DHCP server on each VLAN and having it assign the public IP that way but that seems like a very clunky solution and I'm not sure if it would even work.

    Any advice would be very welcome, even if its to tell me I am going about it completely the wrong way!

    Thanks in advance


  • Rebel Alliance Developer Netgate

    The customer WANs can't each be on separate VLANs and all be on the same subnet. Your switch may have a "private VLAN" style isolation option where you designate the pfSense port as an upstream port and all the others as clients, and they can't reach each other at all that way.

    For the IP address problem, you could setup static mappings in DHCP and enable static ARP so that each entry is tied to the specific router MAC address they have. Doing that, however, means you'll also need to know their router MAC ahead of time and if they change it, you'll have to update it in the firewall.

    Your switch may also have some kind of L2/port security option to limit what they can do.

    If you have a ton of IP addresses to spare you could setup a /30 or /31 for each customer and use separate VLANs, and then there wouldn't be any way they could use a different address. However, to do that you'd need, at a minimum, two IP addresses for each customer.

    And all of that goes out the window if you only have a subnet shared with the WAN interface of pfSense and not a separate routed subnet. If you only have one flat subnet on the WAN of pfSense then your options are either some ugly bridging concoction or giving each customer a separate private network and then doing NAT to their assigned public address.



  • Hi Jimp,

    Thanks for the reply, I'll check with my customer to see what kind of IPs they are being assigned.

    Thinking about it it may be that I don't need the pfsense at all, could what I am trying to acheieve be accomplished with just a layer 3 switch?


  • Rebel Alliance Developer Netgate

    If you don't need to filter anything to/from the customers, only isolate them, then even an L2 switch with private VLANs or a similar feature would be good enough.


Log in to reply