PfSense to distribute internet to multiple sites



  • Hi Guys,

I have a pfSense running my network with a leased line. All is good :).

    I have someone on the floor above me that would like internet and I have come to the agreement that I could provide this to him. I have a spare interface on my pfSense box and can easily get a cable to his router.

    Here is a brief layout:

Let's say I have 60 Mbps of total bandwidth available to me. I would like to keep 30 for me and give 30 to him. I would also like to provide one of my public IP addresses to him.
    The 2 LANs should also not be able to communicate.

What's the best way to approach this? What I have in my head at the moment is:

    Firewall rule to block traffic between the 2 LANs
    Set outbound NAT for the Customer LAN, set the translation address to 200.123.123.122
Make a limiter in traffic shaping for 30 Mbps and apply it to the "in" rule in the advanced section of the Customer LAN firewall rule

    My confusion revolves around how best to set the Customer LAN interface IP address as he will be connecting his own routing equipment to it. I don't want to set it as a private IP range as this could cause issues with his equipment.
    Also if he has a router with NAT this would lead to a double NAT situation wouldn't it? Would it be best to disable NAT on the customer router? Can I disable NAT per interface on pfSense and still have it route traffic over a certain public IP?

    Thanks in advance for your help.
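A pf ruleset sketch of the three steps listed in the post above, added here as an illustration; it is not from the original post or pfSense's own generated config, which does the same through the GUI (Firewall > Rules, Firewall > NAT > Outbound, Firewall > Traffic Shaper > Limiters). The interface names, the LAN subnet and the small transfer subnet toward the customer's router are assumed; the public address 200.123.123.122 is the one named in the post.

```pf
# Assumed names: igb0 = WAN, igb1 = my LAN, igb2 = Customer LAN (assumption)
wan_if   = "igb0"
lan_if   = "igb1"
cust_if  = "igb2"
lan_net  = "192.168.1.0/24"   # assumed: my own LAN
cust_net = "10.10.10.0/30"    # assumed: tiny transfer net, pfSense .1, customer router .2
cust_pub = "200.123.123.122"  # public address from the post, dedicated to the customer

# Step 3 prerequisite: dummynet pipes, created outside pf.conf, e.g. on pfSense/FreeBSD:
#   dnctl pipe 1 config bw 30Mbit/s    # customer -> internet
#   dnctl pipe 2 config bw 30Mbit/s    # internet -> customer

# Step 2: outbound NAT. Only the customer's traffic is translated to the
# dedicated public address; my own LAN keeps whatever NAT it has today.
nat on $wan_if inet from $cust_net to any -> $cust_pub

# Step 1: isolate the two LANs. "quick" stops evaluation so no later pass
# rule can accidentally allow cross-LAN traffic; blocking on both inbound
# interfaces covers both directions regardless of which side initiates.
block in quick on $cust_if inet from $cust_net to $lan_net
block in quick on $lan_if  inet from $lan_net  to $cust_net

# Also keep the customer away from the firewall's own LAN-side address.
block in quick on $cust_if inet from $cust_net to ($lan_if)

# Step 3: the customer's "in" rule, with the limiter attached.
# dnpipe(1, 2): pipe 1 shapes traffic in the rule's direction (customer out),
# pipe 2 shapes the return traffic, so each direction is capped at 30 Mbit/s.
pass in quick on $cust_if inet from $cust_net to any keep state dnpipe(1, 2)

# Default: anything else arriving on the customer interface is dropped.
block in on $cust_if
```

Note that the NAT rule makes the whole customer network appear as 200.123.123.122, so a NAT router on the customer side still produces a double-NAT path; the rules above only cover the pfSense half.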



  • @fredfred5:

    Also if he has a router with NAT this would lead to a double NAT situation wouldn't it? Would it be best to disable NAT on the customer router? Can I disable NAT per interface on pfSense and still have it route traffic over a certain public IP?

    I would have thought you'd be best getting your neighbour to remove his router and have the PFS connect directly to his internal network via a switch. You avoid double-NATing and managing the whole thing will be a lot simpler. Otherwise, your thinking looks pretty sound to me.



  • @muswellhillbilly:

    I would have thought you'd be best getting your neighbour to remove his router and have the PFS connect directly to his internal network via a switch. You avoid double-NATing and managing the whole thing will be a lot simpler. Otherwise, your thinking looks pretty sound to me.

    Hmm, that's probably the easiest way to go. I will suggest that to him, thanks!

Although you have got me thinking now, hypothetically how could pfSense be set up to deliver internet like a local mini ISP? Like the below, giving each router a public IP to use like a 1 to 1 NAT.



  • In principle, something like this would be possible, but I personally wouldn't go this route as you'd be double-NATing in every instance. In this scenario, you're treating the firewall like an upstream router, which it really isn't. Assuming your clients are all located locally, you'd still be better off having their own networks directly connected to separate NICs (or virtual NICs) on your PFS and routing them out on their own separately assigned external IPs through the firewall. Otherwise, if they decide to use their own routers, assign them their own external IPs and connect them directly through your pipe to your upstream ISP router. This is just my own opinion, of course.

