Netgate Discussion Forum

Setting up small Inner office ISP

Routing and Multi WAN
7 Posts 3 Posters 2.7k Views
completetech

What I have is the following situation…

I want to provide "internet access" to people in my executive office space who do not have internet. I want to be able to use 1-4 of my static IPs provided by Comcast Business class internet and have traffic route to them, lock down possible sites if a customer wants, and of course not let each one of them see what the other is doing on the network side. Also thinking of doing some sort of "free WiFi" but with time limits. Basically only visitors using it for a short amount of time, then limit a time frame before the same MAC can reconnect.

I will be running a direct run to the customer's suite. They will use their own equipment, such as a wireless router and the like, to provide access themselves within their area. I will simply be terminating to an RJ45 jack to allow them to use their own router.

I would like to set up a VPN of sorts for myself to access the pfSense box for remote management and whatnot. I would also like to be able to "bill" for this service and, in cases of the bill not being paid, shut them down.

XIII

You would need a multi-WAN setup for each IP, and I believe that would require a NIC each (the easiest, it's what I do), or some kind of 1:1 NAT or WAN-on-a-stick type thing.

For having the visitor get kicked off and have to reauth you would use captive portal, but it can only be bound to one interface.

Don't need VPN to manage. What you would do is deny all interfaces access to the firewall's management ports except your interface.

Set up a rule that blocks everything outbound, have it at the top and disable it. When they don't pay, enable it. Billing would not be built in though (2.0 has it I believe, with the captive portal, which does support more than one interface).

        -Chris Stutzman
        Sys0:2.0.1: AMD Sempron 140 @2.7 1024M RAM 100GHD
        Sys1:2.0.1: Intel P4 @2.66 1024M RAM 40GHD
        freedns.afraid.org - Free DNS dynamic DNS subdomain and domain hosting.
        Check out the pfSense Wiki

jimp (Rebel Alliance Developer, Netgate)

@XIII:
> For having the visitor get kicked off and have to reauth you would use captive portal, but it can only be bound to one interface.

In 2.0 you can run Captive Portal on multiple interfaces, though in an ISP-type scenario it probably wouldn't be ideal, especially if your "customers" need to run servers; the portal wouldn't allow that without a bypass for an IP, which would defeat the purpose.

If someone doesn't pay, as XIII suggested you could block them with firewall rules, or if everyone will be hardwired, get a nice managed switch and you can shut down their port so they are completely cut off.

          With such a limited number of customers, a manual process would probably suffice, especially since billing would only be an issue once a month.

Alternately, you could run a PPPoE server on pfSense which authenticates against a RADIUS database that would let you control customer access instead. Then set up the interface such that clients must use PPPoE to obtain a connection to the Internet. Pretty much any router they would have should support PPPoE. You could deactivate their account in RADIUS if they don't pay, and there are RADIUS packages out there that also handle the accounting/billing data (though the cost for a full billing system may be prohibitive for such a small setup).

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

completetech

I have 4 more IPs I can use. I was thinking of using one for the WiFi and the other for the actual internet traffic for the "customers".

I have a few older PCs lying around I was thinking of using, or maybe building a new one just for this project depending on what I will need, but either way an old P4 lying around should cut it.

I could try and figure out a RADIUS server for the WiFi thing, as I am being asked about this for another project of ours coming up within the next month or so. But the aspect I am really not sure of is how to "separate" the different "customers" from each other in any case.

XIII

You separate them via firewall rules.

For example, if you only want them to access the Internet, copy the default allow rule to each interface, then modify it to allow access out their designated WAN interface; they can access anything on the net but nothing internally. Also block access to the firewall's management ports as well.

              If you need help with the rules I can post some examples.


completetech

Any help you could give on something like the firewall rules would be great. I am just not sure how to set this up.

I want to take one out of my 4 free IPs left and use it to "provide" internet access to the customers.

I would also like to possibly use the main IP I am using now for our internet, and have our IP or our usage take priority over anything else, as we are using a lot of VoIP traffic as well.

XIII

How soon are you planning on implementing this?
Also make sure you can resell your service (not all business Internet service can be resold or given away).

Here's some sample rules. What you need to do are block and allow rules at the top, then a block-all rule at the bottom. So you block them from accessing the other subnets:

Proto  Source  Port  Destination             Port  Gateway  Schedule  Description
*      *       *     all LAN IPs but theirs  *     *        *

and have it as a block rule, then another so they can't touch (access its management ports) the firewall (there's an interface on each LAN):

Proto  Source  Port  Destination             Port                 Gateway  Schedule  Description
*      *       *     the IP of the firewall  ssh/https and http   *        *

edit (accidentally tabbed to post)

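The two rule tables XIII sketches above, together with the "disabled block-all at the top, enable it when they don't pay" idea from earlier in the thread, all depend on pfSense evaluating an interface's rules top to bottom and stopping at the first match. The following Python model is an added example, not code from the thread, from pfSense or from Netgate: it evaluates a tenant interface's rule list the same way (first match wins, unmatched traffic dropped by default deny) so you can check a rule order before committing it to a firewall. The office/suite subnets, the firewall addresses, the gateway name WAN2_GW and the 198.51.100.10 destination are all constructed for the example.

```python
"""Added example: a small model of pfSense-style per-interface rule evaluation
(first match wins, implicit default deny), used to check the tenant-isolation
rules XIII describes. Subnets, addresses and gateway names are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str                      # "block" or "pass"
    description: str
    proto: str = "*"                 # "*", "tcp" or "udp"
    src: tuple = ("*",)              # CIDRs; ("*",) matches any address
    dst: tuple = ("*",)
    dports: frozenset = frozenset()  # empty = any destination port
    gateway: str = "default"         # gateway a pass rule policy-routes to
    enabled: bool = True


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _in_any(addr, cidrs):
    if cidrs == ("*",):
        return True
    a = ip_address(addr)
    return any(a in ip_network(c) for c in cidrs)


def matches(rule, pkt):
    return (rule.enabled
            and rule.proto in ("*", pkt.proto)
            and _in_any(pkt.src, rule.src)
            and _in_any(pkt.dst, rule.dst)
            and (not rule.dports or pkt.dport in rule.dports))


def evaluate(rules, pkt):
    """Return (action, gateway, description) from the first matching rule.
    Traffic no rule matches is dropped, as by pfSense's default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.gateway, rule.description
    return "block", None, "implicit default deny"


def tenant_rules(tenant_net, other_nets, firewall_addrs, wan_gw, cutoff=False):
    """One tenant interface's rules, in the order the thread describes:
    block rules at the top, the allow-out rule, then block all."""
    return [
        # Left disabled; enabled when the tenant stops paying.
        Rule("block", "cutoff (non-payment)", enabled=cutoff),
        Rule("block", "no access to other subnets", dst=tuple(other_nets)),
        Rule("block", "no access to firewall management", proto="tcp",
             dst=tuple(firewall_addrs), dports=frozenset({22, 80, 443})),
        # Only traffic from the tenant's own subnet goes out, via their WAN.
        Rule("pass", "Internet via tenant WAN", src=(tenant_net,), gateway=wan_gw),
        Rule("block", "block all"),
    ]


def allow_first(rules):
    """The ordering mistake to avoid: the pass rule above the blocks."""
    passes = [r for r in rules if r.action == "pass"]
    return passes + [r for r in rules if r.action != "pass"]


# Constructed topology: office LAN and two tenant suites, the firewall
# holding the .1 address on each segment, each suite on its own WAN IP.
OFFICE, SUITE_A, SUITE_B = "10.0.0.0/24", "10.1.0.0/24", "10.2.0.0/24"
FIREWALL = ("10.0.0.1/32", "10.1.0.1/32", "10.2.0.1/32")
SUITE_A_RULES = tenant_rules(SUITE_A, (OFFICE, SUITE_B), FIREWALL, "WAN2_GW")

if __name__ == "__main__":
    probes = [
        Packet("tcp", "10.1.0.50", "10.2.0.10", 445),      # into suite B
        Packet("tcp", "10.1.0.50", "10.1.0.1", 443),       # firewall GUI
        Packet("udp", "10.1.0.50", "10.1.0.1", 53),        # firewall DNS
        Packet("tcp", "10.1.0.50", "198.51.100.10", 443),  # Internet
        Packet("tcp", "10.9.9.9", "198.51.100.10", 443),   # spoofed source
    ]
    for name, rules in (("ordered", SUITE_A_RULES),
                        ("allow-first", allow_first(SUITE_A_RULES))):
        print(f"--- {name}")
        for p in probes:
            action, gw, why = evaluate(rules, p)
            print(f"{p.proto} {p.src} -> {p.dst}:{p.dport}: {action} ({why})")
```

Three things the model makes visible that the tables alone do not: the management block only covers the listed TCP ports, so DNS from a suite to the firewall still reaches the pass rule (intended if the firewall serves DNS, otherwise add a rule for it); restricting the pass rule's source to the suite's own subnet sends anything with a foreign source address to the block-all rule instead of out the WAN; and moving the pass rule above the blocks, as the `allow_first` variant does, silently lets suite A reach suite B, which is exactly the isolation failure the thread is trying to avoid.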

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.