I'm working with a small wireless network with a 3mb connection to the internet. The majority of the wireless clients are behind the LAN interface using DHCP. I have a couple of customers that want static real-world IP addresses. I would like to maintain the ability to monitor and have some control of the network to prevent one of these customers from using all the bandwidth. These customers will add their own firewall to provide their own VPN connections and other firewall-related tasks.
Here are the options that I can see.

Option 1
a. Bypass the pfSense firewall.
Cons: Gives up monitoring and control of the customers that will be given the static IP addresses.

Option 2
a. Add a new network card.
b. Bridge with the WAN.
c. Plug the new card into the switch that connects to the wireless network along with the LAN.
Pros: In theory the traffic might show up on the WAN graph.
Cons: As far as I'm aware this is not compatible with traffic shaping.

Option 3
a. Add a new network card.
b. Create a subnet for the DMZ and use NAT.
c. Set up rules to make the DMZ wide open in both directions.
Pros: This method would work with traffic shaping.
Cons: I'm a little worried about this causing unknown problems with the customers' VPNs. Any advice?

I would appreciate any comments! Which of these options, or other options not mentioned here, would be the best practice?

Thanks in advance.

P.S. I'm working on the freeradius package so that it can be pointed to an external database server from the pfSense freeradius package GUI. I will share the changes if anyone is interested when it is completed and tested.

Best Regards,
Mark