Shared WAN



  • Hello,

    A question from a pfSense newb to pfSense pro's out there. A client wants to share there fast fibre line with their sub-tenants. I'd really like to provide them with a routable public IP which they can use in their own router/firewall.

    Can pfSense be configured in a Transparent IP mode (Layer 3) so that a single WAN connection can be shared out and providing them a routable public IP?

    If this is possible, can I then use pfSense's traffic shaper to provide a Guaranteed Minimum bandwidth?

    Thank you

    Max



  • If they obtain a range of public facing IP's from the ISP, Yes you can do exactly that (ISPs usually charge for a block of Public IP's to use.)

    Then you could in theory add the extra public IP's to the "Virtual IP's" section of PFSense, and then create 1:1 NAT Routes and Firewall rules to each tenant's router to break the IP down into the more common 192.168 or 10.10 style subnetworks.

    This would be of benefit if the tenants need to do anything that would require communication Back into their private networks (running servers, remote desktop access, etc.)

    You could technically also keep everything in a local network setting using a managed switch that supports VLANs

    Ex:

    Public IP's > PFSense with 1:1 NAT + Routes > Switch > Tenant Routers > Tenant Computers (*More Complex)

    OR

    Single Public IP > PFSense with VLANs > Switch w/ VLANs > Tenant Routers > Tenant Computers (*Less Complex)

    My knowledge is by far basic on this but either way is doable, And it depends on one factor, Do the tenants need to run a server or do they *Need a static IP thats public facing? Because if not, Just get a decent multiport managed switch and do VLAN's to isolate each tenant while still sharing the single public IP the landlord is already assigned from the ISP.

    As for traffic shaping, Yes, across the board… You can use Traffic Shaper to create limits that are applied via Firewall Rules. to throttle clients as much or as little as you would like.

    One last word of caution, Have the client make REAL sure that his ISP contracts allow him to sublease the connection to other parties. Paid or not... Some can be a real stickler about what you do with the connection you pay for. (its lame, but it happens...)