Netgate Discussion Forum

    Two Customers Using One Firewall

    General pfSense Questions
    • kgolden

      We have a customer that is subleasing a space and has agreed to provide the tenant with internet. The tenant is requesting that we provide them with a public IP as they want all traffic for them to pass through the pfSense without any interaction with the owner's firewall.

      We have enough static IP addresses. My question is: is there a way to have LAN1 functioning normally for the owner and then LAN2 in bridge mode to connect the tenant's firewall directly to the internet?

      • dotdash

        Why don't you just connect them at the ISP's equipment? Passing it through your firewall just makes everything more complicated.

        • kgolden

          I apologize, I forgot to include the main reason we were trying to use the pfSense for this project. The owner wants us to limit the bandwidth that the tenant can use to 50%.

          • johnpoz LAYER 8 Global Moderator

            Why not just do a 1:1 NAT to this other firewall, vs a "bridge"? I would be more inclined to rate limit at a switch vs running it through pfSense and doing rate limiting that way.

            This takes your firewall completely out of the scenario. Any $40 smart switch should be able to rate limit.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • JKnott

              Lemme get this straight... You have Internet access, which you are sharing with a tenant, who in turn wants to share that shared access with their tenant? Is there some reason why they don't get their own access? Also, does that ISP have any restrictions on sharing connections?

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              • SteveITS Galactic Empire

                See if this thread helps: https://forum.netgate.com/topic/151020/setup-of-multiple-wan-ip-addresses-and-bypass-of-nat-for-a-multi-client-deployment/

                With LAN2 a different interface you can 1:1 NAT to a private IP (the WAN of their router) and they can NAT to their internal LAN subnet. (Otherwise you wouldn't want their WAN IP to be in your LAN subnet... you could do it with one interface and both you and the tenant have their own routers, so 3 total routers.)

                Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                Upvote 👍 helpful posts!

                • stephenw10 Netgate Administrator

                  Yes, you can bridge a 2nd interface to your WAN and allow them to use a single public IP directly.
                  You should also be able to apply Limiters to that traffic.
                  Whether or not you should is a different question.

                  Steve

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.