• We have a customer that is subleasing a space and has agreed to provide the tenant with internet. The tenant is requesting that we provide them with a public IP as they want all traffic for them to pass through the pfSense without any interaction with the owner's firewall.

    We have enough static IP addresses, my question is there a way to have LAN1 functioning normally for the owner and then LAN2 in bridge mode to connect the tenant's firewall directly to the internet?

  • Why don't you just connect them at the ISP's equipment? Passing it through your firewall just makes everything more complicated.

  • I apologize, I forgot to include the main reason we were trying to use the pfSense for this project. The owner wants us to limit the bandwidth that the tenant can use to 50%.

  • LAYER 8 Global Moderator

    Why not just do a 1:1 nat to this other firewall, vs a "bridge" I would be more inclined to rate limit at a switch vs running it through pfsense and doing rate limiting that way.

    This takes your firewall completely out of the scenario.. Any 40$ smart switch should be able to rate limit..

  • Lemme get this straight... You have Internet access, which you are sharing with a tenant, who in turn wants to share that shared access with their tennant? Is there some reason why they don't get there own access? Also, does that ISP have any restrictions on sharing connections?

  • See if this thread helps: https://forum.netgate.com/topic/151020/setup-of-multiple-wan-ip-addresses-and-bypass-of-nat-for-a-multi-client-deployment/

    With LAN2 a different interface you can 1:1 NAT to a private IP (the WAN of their router) and they can NAT to their internal LAN subnet. (otherwise you wouldn't want their WAN IP to be in your LAN subnet...you could do it with one interface and both you and the tenant have their own routers, so 3 total routers)

  • Netgate Administrator

    Yes, you can bridge a 2nd interface to your WAN and allow them to use a single public IP directly.
    You should also be able to apply Limiters to that traffic.
    Whether or not you should is a different question.