Netgate Discussion Forum

    PfSense to distribute internet to multiple sites

    General pfSense Questions
    • fredfred5

      Hi Guys,

      I have a pfSense running my network with a leased line. All is good :).

      I have someone on the floor above me that would like internet and I have come to the agreement that I could provide this to him. I have a spare interface on my pfSense box and can easily get a cable to his router.

      Here is a brief layout:

      Let's say I have 60mbps of total bandwidth available to me; I would like to keep 30 for me and give 30 to him. I would also like to provide one of my public IP addresses to him.
      The 2 LANs should also not be able to communicate.

      What's the best way to approach this? What I have in my head at the moment is:

      Firewall rule to block traffic between the 2 LANs
      Set outbound NAT for the Customer LAN, set the translation address to 200.123.123.122
      Make a limiter in traffic shaping, for 30mbps and apply it to the "in" rule in the advanced section of the Customer LAN firewall rule

      My confusion revolves around how best to set the Customer LAN interface IP address as he will be connecting his own routing equipment to it. I don't want to set it as a private IP range as this could cause issues with his equipment.
      Also, if he has a router with NAT, this would lead to a double NAT situation, wouldn't it? Would it be best to disable NAT on the customer router? Can I disable NAT per interface on pfSense and still have it route traffic over a certain public IP?

      Thanks in advance for your help.

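The first item in the plan above, blocking traffic between the two LANs, depends on rule order, because pfSense evaluates each interface's rules top-down and stops at the first match. The following Python sketch is an added example, not part of the original posts; the subnets are constructed and the rule tuples are a simplified model, not pfSense's own configuration format.

```python
import ipaddress
from itertools import islice

# Constructed addressing (assumptions; the thread gives no subnets).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
CUSTOMER_NET = ipaddress.ip_network("192.168.50.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

def first_match(rules, src, dst):
    """Action for a new connection src -> dst arriving on an interface.

    Models pfSense interface-tab rules: evaluated top-down, first match
    wins, and traffic that matches no rule is blocked."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "block"

def leaks(rules, src_net, dst_net, samples=3):
    """Sample flows from src_net to dst_net that the ruleset would pass."""
    srcs = list(islice(src_net.hosts(), samples))
    dsts = list(islice(dst_net.hosts(), samples))
    return [(str(s), str(d)) for s in srcs for d in dsts
            if first_match(rules, s, d) == "pass"]

# Customer LAN tab: block to the home LAN first, then allow everything else.
CUSTOMER_RULES = [("block", CUSTOMER_NET, LAN_NET),
                  ("pass", CUSTOMER_NET, ANY)]
# Same two rules in the wrong order: the pass rule matches first.
CUSTOMER_RULES_MISORDERED = list(reversed(CUSTOMER_RULES))
# Home LAN tab needs its own block, since rules apply where traffic enters.
LAN_RULES = [("block", LAN_NET, CUSTOMER_NET),
             ("pass", LAN_NET, ANY)]

if __name__ == "__main__":
    print("correct order  :", leaks(CUSTOMER_RULES, CUSTOMER_NET, LAN_NET))
    print("misordered     :", leaks(CUSTOMER_RULES_MISORDERED, CUSTOMER_NET, LAN_NET))
    print("LAN -> customer:", leaks(LAN_RULES, LAN_NET, CUSTOMER_NET))
    print("customer -> internet:",
          first_match(CUSTOMER_RULES, "192.168.50.10", "198.51.100.7"))
```
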
      • muswellhillbilly

        @fredfred5:

        Also, if he has a router with NAT, this would lead to a double NAT situation, wouldn't it? Would it be best to disable NAT on the customer router? Can I disable NAT per interface on pfSense and still have it route traffic over a certain public IP?

        I would have thought you'd be best getting your neighbour to remove his router and have the PFS connect directly to his internal network via a switch. You avoid double-NATing and managing the whole thing will be a lot simpler. Otherwise, your thinking looks pretty sound to me.

        • fredfred5

          @muswellhillbilly:

          I would have thought you'd be best getting your neighbour to remove his router and have the PFS connect directly to his internal network via a switch. You avoid double-NATing and managing the whole thing will be a lot simpler. Otherwise, your thinking looks pretty sound to me.

          Hmm, that's probably the easiest way to go. I will suggest that to him, thanks!

          Although you have got me thinking now, hypothetically how could pfSense be set up to deliver internet like a local mini ISP? Like the below, giving each router a public IP to use like a 1 to 1 NAT.

          • muswellhillbilly

            In principle, something like this would be possible, but I personally wouldn't go this route as you'd be double-NATing in every instance. In this scenario, you're treating the firewall like an upstream router, which it really isn't. Assuming your clients are all located locally, you'd still be better off having their own networks directly connected to separate NICs (or virtual NICs) on your PFS and routing them out on their own separately assigned external IPs through the firewall. Otherwise, if they decide to use their own routers, assign them their own external IPs and connect them directly through your pipe to your upstream ISP router. This is just my own opinion, of course.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.