Topic: Add interface so tenant can use their own router with public IP and speed limit

willko

Hi all,

First post, please be gentle....  I wasn't sure of the terminology so I've had a hard time searching for answers.

So, I have a pfSense box set up and working with a WAN interface that has a /28 set of public IPs (we use 6 so have a few spare). I have 2 interfaces set up as LANs with DHCP, DNS etc. all working on each ( & 

We have great broadband and some spare office space so we're going to help another business (6 users) for a few months and let them move into a spare office.

I want to let them bring their existing network gear (router, small switch & PCs) and set them up so their router can use one of our public IPs and limit their bandwidth (100Mbps).

On the pfSense box I have 2 unused interfaces. I want to add an interface that they can plug the WAN port of their router into, be able to use a single public IP of our /28 set and set a traffic shaper bandwidth limit on this interface. Their router is a Draytek 2830 and can use a static WAN IP - the rest of the config I want to leave as is so when they leave it's easy for them...

I guess it's sort of like being a proxy ISP in a way.

If anyone can help or point me in the direction of a guide etc., or even just correct my terminology so I can search better. I've been looking for "router behind pfsense", "pfsense as isp" etc...

Many thanks!!

johnkeates

Basically, you'd be bridging WAN to that interface and firewalling everything that doesn't match the static IP you want that tenant to use.

Derelict

Do it right.

Tell your ISP to give you a small WAN interface subnet for your WAN interface, say a /29 or /30, and to route the /28 to that instead of putting so many addresses on the interface.

Then you can do what you want how it should be done without this hacky bridging.