Netgate Discussion Forum

    Routing a /26 to Multiple /32

    Routing and Multi WAN
    • c0re

      Hi everyone,

      I've been trying to wrap my mind around this for a couple of days now and can't quite figure out the best way to do this, and I'm pretty sure I'm missing something, so please bear with me.

      We have a fiber line coming in and our ISP provides us with a /30 and a /26 routed to us. What we are trying to do is take the /26 and hand out one IP (/32) to every tenant in a 50 tenant building via DHCP, preferably without any NAT.

      We also want to have complete isolation between each tenant and each tenant will have their own CPE router so what they get should be direct internet access without any NAT, etc.

      My initial gut reaction was to put every tenant on a separate VLAN and create one interface with its own DHCP server with a range of only one IP to hand out only a single /32 address per user and set the client's gateway address to the router's IP address that we got from the /30 block. Each port on a managed switch would be assigned one untagged VLAN.

      Last thing may be to create firewall rules to block access between the VLAN interfaces to ensure total isolation.

      Does this make even the slightest bit of sense? Is there a better way to do it? We are trying to be efficient with the IP space and I'm not familiar at all working with larger blocks of WAN addresses.

      Thanks!

      • johnpoz (LAYER 8 Global Moderator)

        "and hand out one IP (/32) to every tenant in a 50 tenant building"

        /27 does not equal 50 IPs so how exactly are you going to do this??

        Did you mean a /26?

        If you want isolation between tenants just use a private vlan on the switch you connect between pfsense and their routers.  What switch(es) are you working with?

        But you would create the pfSense LAN as this /27 routed to you, but that is NOT 50 IPs.. And then hand out IPs to the tenants' routers via DHCP.. You could set reservations so they always get the same IP, etc.

        But unless you had a typo /27 is only 30 IPs you can actually use.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • c0re

          Yes sorry they will be providing a /26. I updated the original post to correct that.

          • johnpoz (LAYER 8 Global Moderator)

            Ok, with a /26 it's easy - see my edit.. What switch are you using to connect pfSense to these routers?

            https://en.wikipedia.org/wiki/Private_VLAN


            • c0re

              Thanks very much for the link, I'll do some research into private VLANs.

              The specific switch isn't defined until I figure out how we are going to do this, but I'm quite familiar with the Ubiquiti EdgeSwitch series and will check to see if they meet all the requirements.

              On the pfSense side, what would the configuration look like to do this? From what I have read, I would want to disable outbound NAT under Firewall > NAT > Outbound.

              Otherwise would I just have a single LAN interface on pfSense tagged on all the VLANs and set the DHCP pool to match our /26?

              Is there anything that can be done in case somebody tries to manually configure their router's IP for whatever reason and creates an IP conflict? This would be a fairly secondary concern but I'm just trying to understand how this all fits together.

              • Derelict (LAYER 8 Netgate)

                That will all be in your Layer 2 gear. Nothing in pfSense can prevent someone from creating an IP address conflict on the network outside of its control.

                I am not sure why you care if they are isolated from each other.

                Some switches have features for things like disallowing traffic from an IP address if that address was not obtained via DHCP from upstream and other assorted gimmickery that might work for you. Some wi-fi gear can do this sort of thing too.

                In a perfect world you would use a layer 3 switch and a /30 to each customer.

                In pfSense yeah you would disable NAT and place rules so they can't access the webgui, other private networks off that firewall, etc.

                pfSense is a firewall not an ISP subscriber management system. Can it do something at this scale? Probably.

                Is the physical topology such that they will all be connected to one switch or switch stack? True private VLANs get a LOT more complicated when multiple switches / devices are in play. It sounds like you can probably make do with nothing but basic port isolation called "Private VLAN Edge" by Cisco. Still not sure why you care if they can communicate with each other. Shouldn't they be installing their own firewalls? I don't want my ISP blocking any of my traffic.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                • johnpoz (LAYER 8 Global Moderator)

                  As Derelict says, pfSense has really nothing to do with this - it would all be at your switch setup.  A layer 3 switch with a /30 would be the way to go - but your /26 is not going to allow for that.

                  Why would your users be setting static IPs on their routers that could conflict when you're just going to hand them their IP via DHCP..

                  If you do not have a single switch that can handle all the ports, you prob want to break your /26 into say 2 /27s and use 2 48 port switches, one for each half, etc.  or a 48 and a 24…

                  There are much better switches than the unifi ones with much better feature sets at the same sort of price point.. But if you're worried about isolation of the customers you would have to check to see if it does private vlans, etc.

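A small address-plan check for the arithmetic that runs through this thread: the /27 vs /26 usable-host count, one fixed DHCP mapping per tenant CPE so each router always gets the same /32, and why a /30 per tenant (the layer 3 switch design) does not fit in a /26. This is an added example, not code from the thread or from pfSense; the block 203.0.113.0/26 and the locally administered tenant MAC addresses are constructed sample values.

```python
"""Address-plan checks for handing one routed /32 per tenant out of a /26.

Added example (not from the forum thread). The block 203.0.113.0/26 and the
tenant MAC addresses are constructed sample values.
"""
import ipaddress

SAMPLE_BLOCK = "203.0.113.0/26"          # constructed: the ISP-routed /26
# constructed: one locally administered MAC per tenant CPE, 50 tenants
SAMPLE_MACS = [f"02:00:00:00:00:{i:02x}" for i in range(1, 51)]


def usable_hosts(block: str) -> int:
    """Host addresses in the block, excluding network and broadcast."""
    net = ipaddress.ip_network(block, strict=False)
    return max(net.num_addresses - 2, 0)


def fits_flat(block: str, tenants: int) -> bool:
    """One /32 per tenant on a single routed LAN: one usable address is the
    pfSense gateway, the rest can be handed out as DHCP reservations."""
    return usable_hosts(block) - 1 >= tenants


def per_tenant_subnets(block: str, new_prefix: int) -> int:
    """How many /new_prefix subnets (e.g. a /30 per tenant) fit in the block."""
    net = ipaddress.ip_network(block, strict=False)
    return 2 ** (new_prefix - net.prefixlen) if new_prefix >= net.prefixlen else 0


def reservation_plan(block: str, macs: list[str]) -> dict[str, str]:
    """Static DHCP mappings: first usable address is the gateway, then one
    fixed address per tenant MAC, so a CPE always receives the same /32."""
    hosts = list(ipaddress.ip_network(block, strict=False).hosts())
    assignable = hosts[1:]                 # hosts[0] is the pfSense gateway
    if len(assignable) < len(macs):
        raise ValueError(f"{block}: {len(assignable)} assignable addresses "
                         f"for {len(macs)} tenants")
    return {mac: str(ip) for mac, ip in zip(macs, assignable)}


if __name__ == "__main__":
    for blk in ("203.0.113.0/27", SAMPLE_BLOCK):
        print(blk, "usable:", usable_hosts(blk), "fits 50 tenants:", fits_flat(blk, 50))
    print(SAMPLE_BLOCK, "/30 per tenant subnets:", per_tenant_subnets(SAMPLE_BLOCK, 30))
    plan = reservation_plan(SAMPLE_BLOCK, SAMPLE_MACS)
    print("first tenant:", SAMPLE_MACS[0], "->", plan[SAMPLE_MACS[0]])
```

Splitting the /26 into two /27s across two switches, as suggested above, still fits 50 tenants (29 assignable per half after each gateway), which `fits_flat` confirms when called per /27 with 25 tenants.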

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.