Least intrusive rules for Tenants



  • I have a /27 block routed to a /30 from my ISP.  I've broken up that /27 into 4x /29 blocks.  From there, I've assigned these to 4 tenants in my building.  (Hybrid NAT, no NAT on these subnets)

    On each of these vlans, I've created a rule set that follows this mold:

    X.X.X.136/29

    Pass DNS
    Pass ICMP echoreq to X.X.X.137
    Reject all traffic to X.X.X.137
    Pass all traffic to X.X.X.136/29
    Reject all traffic to This Firewall
    Reject all traffic LAN net
    Reject all traffic to /27 block and /30 via alias.
    Pass all traffic

    I think these rules are okay - not sure if this is too Tin Foil Hat.  Maybe someone with more experience than me can review those.  This assumes the tenant is going to have their own router/firewall behind pfSense.

    The big question I have is my WAN side.  What kind of rules should I have in place so I don't impact any services they may be running?  Are rules on WAN even necessary for this setup?  I'd hate for them to be attempting an openVPN connection and have my WAN block that from working.

    Thanks so much for any advice.  If critical information is missing, I'll be glad to provide it.

    Dan



  • What kind of rules should I have in place so I don't impact any services they may be running?

    None.  Unless your tenants are running servers that need to be forwarded from WAN, you don't need anything.

    Are rules on WAN even necessary for this setup?

    No.  You only need rules on WAN to handle unsolicited inbound traffic.

    I'd hate for them to be attempting an openVPN connection and have my WAN block that from working.

    pf is a stateful firewall that automatically allows replies from traffic you initiate.


Log in to reply