5WAN –> 5 LAN



  • Hey!

    I am a newbie on pfsense.

    We have two solid fiber lines at 100/100, and for these we have bought 25 IP addresses.
    I have installed pfsense on a physical server with five 1 Gb/s Ethernet cards, and we now want to give some customers in our house internet where they get their own fixed IP.

    My idea is that customers get a personal firewall supplied by us, which is configured in advance with one of these 25 addresses that we own.
    What I want to do with pfsense is to control the speed, ensure that they do not download from torrent sites, and shut down those who do not pay.

    I have Googled but cannot find a solution for this setup!



  • I have fixed a neat drawing so that everyone understands what solution I'm looking for  :o ;D

    ![PfSense lösning.png](/public/imported_attachments/1/PfSense lösning.png)



  • So no one can help me with my problem?


  • I do not think you want 5 LANs. You want one LAN with public IP range on it, assigned to the customer routers via DHCP. No idea what you want to do with those WANs (load balancing, failover, policy routing…)



  • @doktornotor:

    I do not think you want 5 LANs. You want one LAN with public IP range on it, assigned to the customer routers via DHCP. No idea what you want to do with those WANs (load balancing, failover, policy routing…)

    I want different LAN addresses depending on the customer.
    Then I want each "Customer" to have its own WAN address, and one of these will be our own.



  • You could set up each customer device on their own VLAN off your pfSense, then port forward everything on 1 of the public IP addresses to the internal address of the customer device. That way the customer device sees whatever comes on that public IP. Or you could even give the customers a whole subnet on a VLAN and just let them use it, if you are happy to receive requests from the customers for you to forward certain ports to certain IP addresses in their VLAN subnet…

    Then use a limiter on that VLAN to restrict the up/down speed to whatever the customer pays for.



  • @phil.davis:

    You could set up each customer device on their own VLAN off your pfSense, then port forward everything on 1 of the public IP addresses to the internal address of the customer device. That way the customer device sees whatever comes on that public IP. Or you could even give the customers a whole subnet on a VLAN and just let them use it, if you are happy to receive requests from the customers for you to forward certain ports to certain IP addresses in their VLAN subnet…

    Then use a limiter on that VLAN to restrict the up/down speed to whatever the customer pays for.

    Hello!

    Thank you for a good answer. How do I do this installation / setup?
    As I said earlier, I am new to the system and know almost nothing about pfsense.



  • If you need to know almost everything from the start, then I suggest you buy the Gold membership and that will get you the draft 2.* book plus access to monthly hangouts - that will help you educate yourself. Since you have customers that pay something, it also seems reasonable to contribute something financial. This way you learn and the project gets funding also.
    Some clues:

    1. VLANs - Interfaces->(assign), VLANs tab, add VLANs to the interface you are using for that.
    2. Put rule/s on each VLAN to pass all traffic (I am assuming you are letting the clients do whatever they want from their end)
    3. Firewall->NAT, 1:1, add an entry for each client external = public IP they get, internal = the internal private IP that will receive the forwarded traffic.
    4. Firewall->Traffic Shaper, Limiter tab - add 2 limiters for each client - 1 to use for Down and 1 to use for Up, give them some naming you understand.
    5. In the rule/s on the client VLAN interface, Advanced section, choose the appropriate limiters.
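
The five steps above, laid out as a per-customer allocation plan with a conflict check. This is an added example, not part of the original post and not pfSense code; the address ranges, customer names, VLAN base, /29 size and limiter names are all constructed assumptions, and the output is only a worksheet of values to enter in the GUI.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: documentation address range, made-up customer names.
PUBLIC_IPS = [f"203.0.113.{n}" for n in range(10, 35)]      # 25 addresses
CUSTOMERS = [("custA", 100), ("custB", 50), ("custC", 10)]  # (name, Mbit/s)

def build_plan(customers, public_ips, vlan_base=100, pool="10.50.0.0/16"):
    """One VLAN, one private /29, one 1:1 NAT pair and two limiters per customer."""
    if len(customers) > len(public_ips):
        raise ValueError("more customers than public IP addresses")
    subnets = ipaddress.ip_network(pool).subnets(new_prefix=29)
    plan = []
    for i, (name, mbit) in enumerate(customers):
        net = next(subnets)
        gw, fw = list(net.hosts())[:2]
        plan.append({
            "customer": name, "vlan": vlan_base + i, "subnet": str(net),
            "gateway": str(gw),        # pfSense address on the VLAN interface
            "nat_internal": str(fw),   # customer firewall behind the 1:1 NAT
            "nat_external": public_ips[i],
            "limiter_down": f"{name}_down", "limiter_up": f"{name}_up",
            "mbit": mbit,
        })
    return plan

def audit_plan(plan):
    """Return a list of conflicts that would mix traffic between customers."""
    problems = []
    for e in plan:
        if not 1 <= e["vlan"] <= 4094:
            problems.append(f"{e['customer']}: VLAN id {e['vlan']} outside 1-4094")
        if ipaddress.ip_address(e["nat_internal"]) not in ipaddress.ip_network(e["subnet"]):
            problems.append(f"{e['customer']}: NAT target outside own subnet")
    for a, b in combinations(plan, 2):
        pair = f"{a['customer']}/{b['customer']}"
        if a["vlan"] == b["vlan"]:
            problems.append(f"{pair}: same VLAN id")
        if a["nat_external"] == b["nat_external"]:
            problems.append(f"{pair}: same public IP")
        if ipaddress.ip_network(a["subnet"]).overlaps(ipaddress.ip_network(b["subnet"])):
            problems.append(f"{pair}: overlapping subnets")
    return problems

if __name__ == "__main__":
    for entry in build_plan(CUSTOMERS, PUBLIC_IPS):
        print(entry)
```

Running `audit_plan` again after any hand edit to the plan catches a reused public IP or VLAN id before it is entered as a 1:1 NAT entry or interface.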


  • hm, this is more an architectural question than a technical one. if you go for one firewall with all 5 networks and alias interfaces and nat-ing, you get it all in one place, but are also creating a single-point-of-failure (that can also fail upon mis-configuration)

    on the other hand, virtualization with vmware or similar has become quite stable, why not run 5 pfsense installations in parallel? just hook all WAN-if's into the fiber, and then lan-patch-up your customer with or without vlan's, that depends on how the cabling can be done on-site. bandwidth-mgmt then becomes a bit tricky, but getting-started is much easier, especially if you're new to these technologies. when you're settled you can still change the architecture later on and implement what you learned.

    going gold is platinum!

