PFsense / UniFi design sanity check

New to PFSense/Netgate and wanted to run this by someone with more experience…

A client of mine is a building owner who wants to offer Internet service to his tenants (a max of about 10-15 tenants), where each tenant would have a private LAN (dedicated VLAN per tenant) but would share the AT&T fiber Internet connection running into the building (currently 200 Mbps up/down, but it might go up to 1 Gbps up/down eventually).

Looking at using a Netgate SG-3100 or 5100 router/firewall at the head-end (behind the AT&T managed router, which I don’t have access to), then downstream from that several UniFi switches and APs with a dedicated VLAN for each tenant, so that each tenant’s traffic is isolated from the others for security. VLANs could potentially span more than one switch/AP.

Since the 3100s and 5100s can’t do port aggregation and don’t support Spanning Tree, I would only have a single uplink from one of the LAN ports on the Netgate FW to a single UniFi “distribution” switch, which would then connect to several other UniFi “access” switches and APs. I have a CloudKey Gen2 Plus in place already, as well as a bunch of UniFi cameras which would be on their own VLAN.

Some of the tenants might need remote VPN client access (via OpenVPN) so I assume I could restrict them to specific VLANs (or networks?) based on user name.

Lastly, I plan to use the traffic shaping capabilities in PFSense to manage bandwidth hogging and create service levels for each tenant (limit tenants to 10, 25, 50Mbps up/down, etc.).

As a PFSense newbie, let me know if I am missing anything or something else I should consider.

Thanks so much!


Everything you said was fine until OpenVPN. I would not get myself into running services for the tenants. If a tenant wants to set something up themselves, I would consider forwarding a port to them, although that obviously becomes a sharing/availability issue. You could recommend the tenants use things like ZeroTier, which do hole punching on their own.

Something to consider is whether or not to allow UPnP on the network. In this situation I would say yes.

Hey, thanks for the reply brwainer, something to consider for sure, as managing VPN users could be a pain.

ZeroTier just provides access to a single host device, right, and not the whole network? It also requires a host to run it on, vs. OpenVPN where I just provision it on pfSense and I’m done.


I don’t think you understood. You don’t want to be running ANY services for the tenants. My recommendation of ZeroTier was for something that you could tell tenants to look into if they ask about remote access to their LAN. You want to purely be a service provider of basic Internet access.

It would be even better if you use CGNAT IPs for the tenants instead of RFC1918 addresses, so that if they choose to run their own router they can with a little less headache (but they still would be double NATed, with no way to run their own public servers).

I’d go similar to @brwainer but not so hard against running a VPN.

If you have or can have a public IP per tenant then give them the option to forward that in so they can run what they want.

If not, then a separate OpenVPN config for each tenant. If you are happy to manage users (and someone is going to pay you to do so) then great. If not, then one user/config per tenant, provided to them when they move in, that they can then put on as many external machines as they want.

On a side note, I didn’t realise that the Netgate stuff didn’t support link agg / Spanning Tree, so that’s good to know!

pfSense does support link aggregation.

And doing a per-tenant VLAN does work well; we have set up a few sites that way. We have never had a request to manage tenant OpenVPN access, but you can create rules to restrict it on a per-network basis.
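The per-tenant isolation discussed in the original post and Tom's per-network rules, plus brwainer's CGNAT addressing suggestion, can be checked before anything is typed into the firewall. The following is an added example, not code from the thread or from pfSense: a small first-match rule evaluator (pfSense interface rules match first-to-last and default to deny) that verifies a constructed tenant plan carved from 100.64.0.0/10 lets each VLAN reach the Internet but not another tenant, and shows how putting the allow-any rule first silently breaks that isolation.

```python
"""Verify tenant-VLAN isolation with a first-match rule model (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import Dict, List, Tuple

# Constructed addressing plan: one /24 per tenant VLAN out of the CGNAT range.
TENANTS: Dict[str, IPv4Network] = {
    f"tenant{i}": ip_network(f"100.64.{i}.0/24") for i in range(1, 11)
}
# Destinations a tenant must never reach: other tenants, RFC1918 (management,
# cameras, UniFi controller), and the whole CGNAT block.
PRIVATE = [ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
ANY = ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str           # "pass" or "block", as in the pfSense rule editor
    dst: IPv4Network      # destination network the rule matches


def tenant_rules(net: IPv4Network, block_first: bool = True) -> List[Rule]:
    """Inbound rules for one tenant interface. Correct order: pass to own
    subnet (gateway, DHCP, DNS), block all private ranges, then pass any."""
    own = [Rule("pass", net)]
    blocks = [Rule("block", n) for n in PRIVATE]
    internet = [Rule("pass", ANY)]
    return own + blocks + internet if block_first else own + internet + blocks


def evaluate(rules: List[Rule], dst: IPv4Address) -> str:
    """First matching rule wins; no match means pfSense's default deny."""
    for r in rules:
        if dst in r.dst:
            return r.action
    return "block"


def find_leaks(tenants: Dict[str, IPv4Network],
               block_first: bool = True) -> List[Tuple[str, str]]:
    """Return (src, dst) tenant pairs where src can reach a host in dst."""
    leaks = []
    for src, snet in tenants.items():
        rules = tenant_rules(snet, block_first)
        for dst, dnet in tenants.items():
            if src != dst and evaluate(rules, dnet[10]) == "pass":
                leaks.append((src, dst))
    return leaks


if __name__ == "__main__":
    print("correct order leaks:", len(find_leaks(TENANTS)))          # 0
    print("allow-any first leaks:", len(find_leaks(TENANTS, False)))  # 90
```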

Thanks everyone for the feedback…

Tom - your YouTube channel rocks… just became a patron.