Routing a /26 to Multiple /32



  • Hi everyone,

    I've been trying to wrap my mind around this for a couple of days now and can't quite figure out the best way to do this and I'm pretty sure I'm missing something so please bear with me.

    We have a fiber line coming in and our ISP provides us with a /30 and a /26 routed to us. What we are trying to do is take the /26 and hand out one IP (/32) to every tenant in a 50 tenant building via DHCP, preferably without any NAT.

    We also want to have complete isolation between each tenant and each tenant will have their own CPE router so what they get should be direct internet access without any NAT, etc.

    My initial gut reaction was to put every tenant on a separate VLAN and create one interface with its own DHCP server with a range of only one IP to hand out only a single /32 address per user and set the client's gateway address to the router's IP address that we got from the /30 block. Each port on a managed switch would be assigned one untagged VLAN.

    Last thing may be to create firewall rules to block access between the VLAN interfaces to ensure total isolation.

    Does this make even the slightest bit of sense? Is there a better way to do it? We are trying to be efficient with the IP space and I'm not familiar at all working with larger blocks of WAN addresses.

    Thanks!


  • Rebel Alliance Global Moderator

    "nd hand out one IP (/32) to every tenant in a 50 tenant building"

    /27 does not equal 50 IPs so how exactly are going to do this??

    Did you mean a /26?

    If you want isolation between tenants just use a private vlan on the switch you connect between pfsense and their routers.  What switch(es) are you working with?

    But you would create pfsense lan as this /27 routed to you but that is NOT 50 ips.. And then hand out IPs to the tenants routers via dhcp.. You could set reservations so they always get the same IP, etc.

    But unless you had a typo /27 is only 30 IPs you can actually use.



  • Yes sorry they will be providing a /26. I updated the original post to correct that.


  • Rebel Alliance Global Moderator

    Ok with a /26 its easy - see my edit..  What switch are you using to connect pfsense to these routers.

    https://en.wikipedia.org/wiki/Private_VLAN



  • Thanks very much for the link, I'll do some research into private VLANs.

    The specific switch isn't defined until I figure out how we are going to do this, but I'm quite familiar with the Ubiquiti EdgeSwitch series and will check to see if they meet all the requirements.

    On the pfSense side, what would the configuration look like to do this? From what I have read, I would want to disable outbound NAT under Firewall > NAT > Outbound.

    Otherwise would I just have a single LAN interface on pfSense tagged on all the VLANs and set the DHCP pool to match our /26?

    Is there anything that can be done in case somebody tries to manually configure their router's IP for whatever reason and creates an IP conflict? This would be a fairly secondary concern but I'm just trying to understand how this all fits together.


  • Netgate

    That will all be in your Layer 2 gear. Nothing in pfSense can prevent someone from creating an IP address conflict on the network outside of its control.

    I am not sure why you care if they are isolated from each other.

    Some switches have features for things like disallowing traffic from an IP address if that address was not obtained via DHCP from upstream and other assorted gimmickery that might work for you. Some wi-fi gear can do this sort of thing too.

    In a perfect world you would use a layer 3 switch and a /30 to each customer.

    In pfSense yeah you would disable NAT and place rules so they can't access the webgui, other private networks off that firewall, etc.

    pfSense is a firewall not an ISP subscriber management system. Can it do something at this scale? Probably.

    Is the physical topology such that they will all be connected to one switch or switch stack? True private VLANs get a LOT more complicated when multiple switches / devices are in play. It sounds like you can probably make do with nothing but basic port isolation called "Private VLAN Edge" by Cisco. Still not sure why you care if they can communicate with each other. Shouldn't they be installing their own firewalls? I don't want my ISP blocking any of my traffic.


  • Rebel Alliance Global Moderator

    As Derelict says pfsense has really nothing to do with this - it would all be at your switch setup.  Layer 3 switch with /30 would be way to go - but your /26 is not going to allow for that.

    Why would your users be setting static IPs on their routers that could conflict when your just going to hand them their IP via dhcp..

    If you do not have a single switch that can handle all the ports, prob want to break your /26 into say 2 /27 and use 2 48 port switches for each half, etc.  or a 48 and 24…

    There are much better switches than the unifi ones with much better feature sets at same sort of price point.. But if your worried about isolation of the customers you would have to check to see if it does private vlans, etc.