Routing Public Subnet to Multiple Tenants

  • Hi Everyone

    Hopefully someone can help me with something I am working on.

    I have a PfSense 2.1.5 system in place that has 2 existing WAN links and our local LAN. This part of the network is not changing.
    We have had a 50Mbit fibre service with a /28 IPv4 block installed that is to become WAN3. The purpose of this connection is so we can provide internet services to 5 tenants in the premises. The tenants are other businesses not affiliated.

    If we were to NAT this then I would be done already, however, I want to do something different here. I want to provide each tenant with their own true public IP [from the /28 block], this way they can NAT their own networks and can still run VPN services and control their own port forwarding. I do not want to get involved in that side of things.

    I was previously successful in implementing public IPs through pfsense, but outside NAT here, so I believe I could make it work with that method.

    The difference here is that I had intended to implement this with each tenant on their own unique VLAN. I would also like to, if possible, supply the IP via DHCP server rather than have them statically configure it.

    In my lab, I can make this work perfectly if I assign each VLAN a separate non-publicly-routable subnet; all clients can connect and data flows in all directions that I allow via firewall rules. However, when I set this up using the public IP block, only the first tenant to be set up can make data flow. In fact, the second and subsequent tenants cannot even ping the pfSense box.

    I do not want to use 1:1 NAT [or any NAT] due to wanting each client to have their own ability to fully manage their inbound services [like an ISP].

    Where I am up to is thinking that maybe my wanting to use VLANs is the issue. Do I really need them if the IPs are already public space anyway?

    Am I missing something really simple about how to set this up, and can anyone share any experience with a set up like this?

    I know I have not supplied a great deal of technical info about the current config, I am happy to give more details if anyone thinks it may help.


  • Why not just put a small managed (or unmanaged?) 8 port switch on the public facing side of the /28 and then take one (or however many you need) for yourself and hand off a cable to your tenants and let them take their own public IPs off the /28.  Yes you won't be able to use DHCP to hand out their IPs as you mentioned but that isn't a very common scenario from what I've seen.  The only downside to that setup is that you wouldn't be able to use limiters or shaping on the subtenants. You didn't mention if that was a requirement.

  • If I am understanding your suggestion, [assuming a little here] then you are suggesting to do away with the VLANs for each tenant, and just provide the client with an IP, netmask and gateway.
    Ultimately, I can see that this would work as it is essentially what I did with the cpanel servers in the past [as referenced]

    To be honest, I am questioning whether the VLANs really accomplish anything here anyway. If the client has a publicly routable IP on the WAN side of their router, then technically, the VLAN is not segregating them from anything is it?

    I was not really concerned about traffic shaping, I was of the belief that it was only possible if the tenants were NAT'd.

    Is there any better way to accomplish this? Is there a way to actually provide the tenants with an IP like an ISP would, or is that simply not possible using a set up like this one?


  • LAYER 8 Netgate

    If it were me, I would:

    1. Not be using pfSense 2.1.5, but 2.3.1_5

    2. Order the WAN3 ISP to give you a /29 (or a /30 if they're stingy but a /29 interface network is easily-justifiable because you are going to do high-availability ;) ) with the /28 routed to an address on that.

    3. Put the /28 on a LAN side interface and let your customers connect to that. Just put them on a switch port.

    If you're going to provide internet, then provide internet. I would actually go one step further and if the tenants are fixed, obtain enough addresses to assign every tenant a /30 and put them on layer 3 switch ports. pfSense/VLANs might suffice if the number of tenants is reasonable. Since you're talking about a /28 that's likely the case. Change the /28 to a /26 and put each tenant on their own VLAN with a /30.

  • Thanks.

    1. I know the 2.1.5 is on the older side, but it has been in place for a while. It also runs about 8 IPsec VPNs to other sites of ours. I had issues with 2.2.0 with IPsec dropping and could not get it back without a reboot. That may be fixed now, but I have not revisited. Is there something specifically in 2.3.x that would assist me here, or are you just suggesting that 'newer is better'?

    2. I should have stated that I actually have a separate single IP [provided via PPPoE] that the /28 is routed to.

    3. If I do it this way, am I correct that the tenants can fully manage their own incoming services such as VPN and port forwarding? I want to stay away from that part of the service. The provider says they cannot allocate anything larger than a /28 due to limited available addresses in their network. It is just internet being provided; I just want it to be transparent to the tenants that it runs through our equipment.

    So to confirm, I should drop the idea of using VLANs in the above scenario, correct?


  • LAYER 8 Netgate

    If you use VLANs on pfSense you can do that by just passing all traffic and disabling NAT. You will need a /30 for every VLAN unless the end user device supports /31.

    With the subnet routed, you can use that network (or a portion of it) on inside interfaces. You can serve the addresses using DHCP if you want, etc. Put that into a switch and patch to the tenants. The problem with this is that misconfigurations on the customer side can take your network down (like if they configure their WAN with the same IP address as pfSense). Some of this can be mitigated in the switch, depending on capabilities there.

    You could route it to a layer 3 switch and let it talk directly to the customers. That's probably how I would do it. Simplifies traffic shaping since there's only one interface as far as pfSense is concerned and you don't need to filter between their WAN IPs.
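
The two address plans discussed in this thread, worked out in Python: one shared LAN-side subnet carrying the routed block with DHCP static mappings (the "use that network on inside interfaces" option above), versus one point-to-point /30, or /31 where the tenant's device supports it, per tenant VLAN (the earlier suggestion to grow the /28 to a /26). This is an added example, not code from the thread or from pfSense; the 203.0.113.0/24 prefix (documentation space), the tenant names and the VLAN IDs are constructed for illustration.

```python
"""Address planning for handing routed public space to tenants without NAT.

Added example, not from the original thread. All prefixes, tenant names
and VLAN IDs below are constructed (203.0.113.0/24 is documentation space).
"""
from ipaddress import IPv4Address, IPv4Network

# Constructed tenant list: tenant name -> VLAN ID on the tenant's switch port.
TENANTS = {"tenant-a": 101, "tenant-b": 102, "tenant-c": 103,
           "tenant-d": 104, "tenant-e": 105}


def shared_plan(block: str, tenants: dict) -> dict:
    """One LAN-side interface carrying the whole routed block (e.g. the /28).

    The first usable address is the pfSense interface, which is every
    tenant's default gateway; each remaining usable address is handed to
    one tenant, e.g. as a DHCP static mapping keyed on its router's WAN MAC.
    """
    net = IPv4Network(block)
    hosts = list(net.hosts())
    gateway, pool = hosts[0], hosts[1:]
    if len(tenants) > len(pool):
        raise ValueError(f"{block} has {len(pool)} assignable addresses, "
                         f"but {len(tenants)} tenants were requested")
    mappings = {name: pool[i] for i, name in enumerate(tenants)}
    return {"gateway": gateway, "netmask": net.netmask, "mappings": mappings}


def per_tenant_plan(block: str, tenants: dict, use_31: bool = False) -> dict:
    """One VLAN interface per tenant, each carrying its own /30.

    With use_31=True a /31 (RFC 3021 point-to-point) is used instead, which
    halves the address cost but requires the tenant's device to support it.
    Returns VLAN ID -> addresses; raises if the block is too small.
    """
    net = IPv4Network(block)
    plen = 31 if use_31 else 30
    subnets = list(net.subnets(new_prefix=plen))
    if len(tenants) > len(subnets):
        raise ValueError(f"{block} only holds {len(subnets)} /{plen} subnets, "
                         f"but {len(tenants)} tenants were requested")
    plan = {}
    for (name, vlan), sub in zip(tenants.items(), subnets):
        if use_31:
            ours, theirs = sub[0], sub[1]   # /31: both addresses are hosts
        else:
            ours, theirs = sub[1], sub[2]   # /30: skip network and broadcast
        plan[vlan] = {
            "tenant": name,
            "interface": f"{ours}/{plen}",      # pfSense VLAN interface address
            "tenant_wan": f"{theirs}/{plen}",   # what the tenant configures
            "tenant_gateway": ours,
        }
    return plan


def smallest_block(n_tenants: int, use_31: bool = False) -> int:
    """Prefix length of the smallest aggregate holding one p2p subnet per tenant.

    A /28 holds exactly four /30s, so five tenants already need a /27 with
    /30s (or still fit in the /28 with /31s).
    """
    need = n_tenants * (2 if use_31 else 4)
    size, plen = 1, 32
    while size < need:
        size *= 2
        plen -= 1
    return plen


def claims_our_address(plan: dict, claimed: str):
    """The misconfiguration warned about above: a tenant sets its WAN address
    to the pfSense interface address. Returns the colliding VLAN ID, or None."""
    wanted = IPv4Address(claimed)
    for vlan, entry in plan.items():
        if IPv4Address(entry["interface"].split("/")[0]) == wanted:
            return vlan
    return None


if __name__ == "__main__":
    shared = shared_plan("203.0.113.0/28", TENANTS)
    print("shared gateway:", shared["gateway"], "mask:", shared["netmask"])
    for name, addr in shared["mappings"].items():
        print(f"  {name}: {addr}")
    print("smallest block for 5 tenants with /30s: /%d" % smallest_block(5))
    for vlan, entry in per_tenant_plan("203.0.113.0/26", TENANTS).items():
        print(f"  VLAN {vlan}: pfSense {entry['interface']}, tenant {entry['tenant_wan']}")
```

Run it as a script to print both plans. The per-tenant plan is what makes per-VLAN filtering and shaping straightforward on pfSense, at the cost of a larger block from the provider; the shared plan fits the existing /28 but leaves all tenants in one broadcast domain where a duplicate address takes everyone down.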

  • Thanks for your help.

    I have now set this up in the lab and I have dropped the VLAN component. Still using DHCP with a static MAC address mapping.

    This is all working well from what I can see.

    I have found a possible future issue though.

    From a client on the LAN side of pfSense, I cannot access the IP of a tenant. I thought I might need a static mapping for this, but I couldn't seem to make that work either.

    It might not be a major issue, but I would like to know what I need to setup to make this work.

    INTERNET > PFSENSE > --|-------- LAN [10.1.1.X/24]
                           |-------- TENANT ROUTER [123.321.123.321/28]

    It is not a blocking issue from the tenant endpoint, as I have a non-firewalled Windows PC connected there currently. Not pingable.

    I am thinking that pfSense needs to somehow know that the 123.321.123.321/28 addresses are internal to it.

    I have no Virtual IPs configured currently. It cannot be that simple can it?


  • LAYER 8 Netgate

    How many pfSense interfaces is that?

    Post what you've actually done.

  • Only 3 interfaces.

    WAN - PPPoE - IP address 123.321.123.320 [Routed subnet of 123.321.123.321/28 is here]
    LAN -
    LAN2 - 123.321.123.322/28 [DHCP runs here serving the remainder of the /28]

    Any IP in LAN2 can connect to the main WAN IP [port forwarding to the LAN works]

    Any machine in the LAN cannot connect to any of the /28 IPs.

    As for what I have done, the above is the interface config, I have not setup any virtual IPs.
    I have created a rule on LAN2 to allow all traffic to pass.

    As I write this, I have answered my own question. I created a rule on LAN to allow all traffic from LAN destined for the LAN2 subnet via the default gateway, and that seems to have solved it.
    My outbound LAN rules are not allow-all, so that must be where the block was.

    Asked and answered. Thanks for all your help so far.
