Routed Subnet - Need Advice
-
This is for supplying internet to a multi-tenant office building. I am not a networking expert by any means, so be gentle!
I have a /30 IP Block from my ISP that's routed to a /27. I'd like to break that /27 into multiple /30's. I am not sure that this is possible, and if it is - I'm not sure my approach is the correct one (let alone best practice).
ISP Provides me with x.x.x.64/30 and y.y.y.128/27 routed to it.
Setup WAN IP Block on pfSense x.x.x.64/30
Create VLAN 101 - Set Static IP y.y.y.128/30
Create VLAN 102 - Set Static IP y.y.y.132/30
etc… y.y.y.156/30
Hybrid NAT - Disable NAT on WAN with source of all newly created /30 subnets.
Setup switch accordingly with these VLANs.
Firewall for each VLAN - Reject all to LAN, Allow all other traffic (all traffic should be behind another connected firewall of the Tenant's responsibility).
So my question is - Can I actually break up the subnet like this, or will it not work as intended?
My first thought was to set the whole /27 block to one internal network, but I'd have no way to regulate who's using what IP without reservations. If a tenant had to replace their gateway, they'd have no internet until I can grant access to their new MAC address - not exactly a good solution. This process kills a bunch of IP addresses, so I'm not too keen on this either. Anyone have any insight into what's the best solution?
Thanks in advance!
-
It looks like you have a pretty good handle on things.
A couple of design choices I might make are using a downstream layer 3 switch to actually connect to the tenants. I would choose one with some good rate limiting so you can apply that easily to each port/tenant. You could also use a downstream pfSense with VLANs as you describe. The reason for this is pfSense (via ALTQ) has some limitations on traffic shaping multiple interfaces. You can't take, say, 250Mbit/s download on your circuit and shape it across multiple interfaces.
If you have just one interface where the shaping is done you can shape (or limit) individual /30s on that to your heart's content.
But as an ISP you have to deliver consistency, which is why I would use limiters in the switch. If your tenants want to do their own shaping, it is best if their bandwidth is consistent and not fluctuating based on what the others are doing.
You might consider doing something like a discount if the customer can support a /31 interface (or a surcharge if they can't - they can always run pfSense). That would only use two addresses per tenant instead of 4. pfSense supports it and I would imagine most L3 switches you would buy these days can handle it.
You are correct that putting them all on the same broadcast domain is not a good choice. Do it right and give them all their own interface subnets.
If the /27 is not enough for all of your tenants I would bite the bullet and get more addresses now. If you have to you can probably get away with using a /29 for each tenant in your justification. Just say they are all going to be HA clusters.
How many units are you talking?
You probably want to do IPv6 at the same time while you can test before going into production.
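The carving the original post plans, together with the /31 option this reply suggests, worked through as an added example (not code from the thread or from pfSense). The routed block and tenant names are constructed stand-ins for the poster's y.y.y.128/27; the capacity helper reproduces the /30-per-tenant sizing argument.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed stand-in (RFC 5737 documentation space) for the poster's
# ISP-routed y.y.y.128/27; tenant names are made up.
ROUTED_BLOCK = "203.0.113.128/27"

def min_block_prefix(n_tenants: int, plen: int) -> int:
    """Shortest prefix whose block holds n_tenants aligned /plen subnets.
    Ten /30s need a /26; ten /31s fit in a /27."""
    return plen - (n_tenants - 1).bit_length()

def carve(block: str, plan: List[Tuple[str, int]]):
    """Allocate one subnet per (tenant, prefix_len) from block, in the
    caller's order (so VLAN IDs stay predictable), mixing /30 and /31.
    Returns ({tenant: {subnet, gateway, tenant}}, [unused pieces]).
    For a /30 the first host is the pfSense VLAN IP and the second the
    tenant's router; a /31 (RFC 3021) uses both addresses, no broadcast."""
    free = [ipaddress.ip_network(block)]
    allocs: Dict[str, Dict[str, str]] = {}
    for tenant, plen in plan:
        for i, net in enumerate(free):
            if net.prefixlen <= plen:          # first free piece large enough
                sub = net if net.prefixlen == plen else next(net.subnets(new_prefix=plen))
                # give back what is left of the piece as aligned networks
                free[i:i + 1] = sorted(net.address_exclude(sub))
                break
        else:
            raise ValueError(f"no room for {tenant} (/{plen}) in {block}")
        hosts = list(sub.hosts())              # 2 hosts for both /30 and /31
        allocs[tenant] = {"subnet": str(sub),
                          "gateway": str(hosts[0]),
                          "tenant": str(hosts[1])}
    return allocs, [str(n) for n in free]

if __name__ == "__main__":
    plan = [("tenant-a", 30), ("tenant-b", 31), ("tenant-c", 30)]
    allocs, unused = carve(ROUTED_BLOCK, plan)
    for name, a in allocs.items():
        print(f"{name}: {a['subnet']} gw={a['gateway']} tenant={a['tenant']}")
    print("unused:", unused)
    print("10 tenants at /30 need a /%d" % min_block_prefix(10, 30))
```

A /27 yields exactly eight /30s, so a ninth /30 request raises; switching tenants to /31 doubles what the same block holds.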
-
For switches - I'm using Ubiquiti Unifi 48 port switches. It seems they do not have bandwidth limiting available. My connection is a symmetrical gig. I'd like to limit each tenant to 100 Mbps (10 total in the building) and deny P2P. Are you saying that pfSense is not capable of doing that (or at least not efficiently) across 10 VLANs?
I'll talk with my boss and my ISP about increasing our subnet size. I really only see this working if I'm supplying at least /30's to each tenant. As you said - do it right the first time. Is there anything stopping me from breaking up a subnet into mixed sizes, or is that just poor form?
The way I'm planning on setting up the firewall - does that expose anything for me? Is there a better configuration for that? I need to make sure there are no security vulnerabilities as the LAN on that pfSense has the building's access control on it. I also don't want to expose access to pfSense itself.
I really appreciate your help. Thanks for your time
-
For switches - I'm using Ubiquiti Unifi 48 port switches. It seems they do not have bandwidth limiting available. My connection is a symmetrical gig. I'd like to limit each tenant to 100 Mbps (10 total in the building) and deny P2P. Are you saying that pfSense is not capable of doing that (or at least not efficiently) across 10 VLANs?
No, not at all. For that scenario I would use limiters on VLAN interfaces. That will be fine.
I'll talk with my boss and my ISP about increasing our subnet size. I really only see this working if I'm supplying at least /30's to each tenant. As you said - do it right the first time. Is there anything stopping me from breaking up a subnet into mixed sizes, or is that just poor form?
For 10 customers you need at least a /26 to give them each a /30.
No, making different size subnets is fine. /31s are your friend here. You might want to leave
The way I'm planning on setting up the firewall - does that expose anything for me? Is there a better configuration for that? I need to make sure there are no security vulnerabilities as the LAN on that pfSense has the building's access control on it. I also don't want to expose access to pfSense itself.
On the customer interfaces, pass anything on the firewall they need access to like DNS, then block any any any to This firewall and any management or private LANs, then pass all traffic.
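The rule order given above (pass DNS to the firewall, block the rest to the firewall and to management/private LANs, then pass all), checked as an added example that is not pfSense code: it mimics pfSense's first-match evaluation of one interface's rule list and audits a ruleset against the outcomes the poster needs. All addresses are constructed (RFC 5737 and RFC 1918 ranges); the VLAN gateway, LAN IP and access-control host are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    dst: List[str]               # destination networks (an alias, expanded)
    port: Optional[int] = None   # None matches any destination port

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        ip = ipaddress.ip_address(dst_ip)
        hit = any(ip in ipaddress.ip_network(n) for n in self.dst)
        return hit and (self.port is None or self.port == dst_port)

# Constructed: "This Firewall" = pfSense's tenant-VLAN gateway plus its LAN IP.
FIREWALL_SELF = ["203.0.113.129/32", "192.168.10.1/32"]
# Building access-control LAN plus all RFC 1918 space.
MGMT_LANS = ["192.168.10.0/24", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
ANY = ["0.0.0.0/0"]

TENANT_VLAN_RULES = [
    Rule("pass", FIREWALL_SELF, 53),  # resolver on pfSense only
    Rule("block", FIREWALL_SELF),     # no GUI/SSH/other access to pfSense itself
    Rule("block", MGMT_LANS),         # no reaching access-control or private LANs
    Rule("pass", ANY),                # everything else: the tenant's internet
]
# Same rules with "pass any" at the top, the ordering mistake that exposes the LANs.
MISORDERED = [TENANT_VLAN_RULES[3]] + TENANT_VLAN_RULES[:3]

def evaluate(rules: List[Rule], dst_ip: str, dst_port: int) -> str:
    """First match wins; pfSense's implicit default blocks anything unmatched."""
    for rule in rules:
        if rule.matches(dst_ip, dst_port):
            return rule.action
    return "block"

def audit(rules, cases):
    """Return (dst, port, expected, got) for every case the ruleset gets wrong."""
    results = [(ip, port, exp, evaluate(rules, ip, port)) for ip, port, exp in cases]
    return [r for r in results if r[2] != r[3]]

POLICY_CASES = [
    ("203.0.113.129", 53, "pass"),    # tenant may use pfSense DNS
    ("203.0.113.129", 443, "block"),  # but not the web GUI
    ("192.168.10.1", 22, "block"),    # nor SSH via the LAN address
    ("192.168.10.50", 80, "block"),   # access-control controller on the LAN
    ("198.51.100.7", 443, "pass"),    # an ordinary internet destination
]
```

`audit(TENANT_VLAN_RULES, POLICY_CASES)` returns an empty list, while `audit(MISORDERED, POLICY_CASES)` lists the three destinations the misplaced pass rule would expose.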