Two Customers Using One Firewall

General pfSense Questions
Log in to reply
  • K

    We have a customer that is subleasing a space and has agreed to provide the tenant with internet. The tenant is requesting that we provide them with a public IP as they want all traffic for them to pass through the pfSense without any interaction with the owner's firewall.

    We have enough static IP addresses, my question is there a way to have LAN1 functioning normally for the owner and then LAN2 in bridge mode to connect the tenant's firewall directly to the internet?

    0
  • dotdash

    Why don't you just connect them at the ISP's equipment? Passing it through your firewall just makes everything more complicated.

    0
  • K

    I apologize, I forgot to include the main reason we were trying to use the pfSense for this project. The owner wants us to limit the bandwidth that the tenant can use to 50%.

    0
  • johnpoz
    LAYER 8 Global Moderator

    Why not just do a 1:1 nat to this other firewall, vs a "bridge" I would be more inclined to rate limit at a switch vs running it through pfsense and doing rate limiting that way.

    This takes your firewall completely out of the scenario.. Any 40$ smart switch should be able to rate limit..

    0
  • JKnott

    Lemme get this straight... You have Internet access, which you are sharing with a tenant, who in turn wants to share that shared access with their tennant? Is there some reason why they don't get there own access? Also, does that ISP have any restrictions on sharing connections?

    0
  • T

    See if this thread helps: https://forum.netgate.com/topic/151020/setup-of-multiple-wan-ip-addresses-and-bypass-of-nat-for-a-multi-client-deployment/

    With LAN2 a different interface you can 1:1 NAT to a private IP (the WAN of their router) and they can NAT to their internal LAN subnet. (otherwise you wouldn't want their WAN IP to be in your LAN subnet...you could do it with one interface and both you and the tenant have their own routers, so 3 total routers)

    0
  • stephenw10
    Netgate Administrator

    Yes, you can bridge a 2nd interface to your WAN and allow them to use a single public IP directly.
    You should also be able to apply Limiters to that traffic.
    Whether or not you should is a different question.

    Steve

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy