Netgate Discussion Forum

    Pass Public IPs to Tenants

    General pfSense Questions
    4 Posts 2 Posters 1.4k Views
    DanC

      Hello pfsense community; I hope there's some light at the end of this dark tunnel.  Here's my scenario:

      Our company owns a 12 story building with a gigabit fiber connection.  We want to function as the building's ISP, essentially just reselling our connection.  We have a /27 CIDR block:

      x.x.x.128 subnet
      x.x.x.129 gateway
      x.x.x.130 pfsense
      x.x.x.131-157 usable (to assign in smaller blocks)

      I have a server for pfSense (that's likely overkill) and several Ubiquiti UniFi switches.

      My initial thought was to set up 12 VLANs and 1:1 NAT public IPs (VIPs) to each VLAN.

      Public        Private (VLAN)   Tag
      x.x.x.131     172.x.101.1      101  (Floor 1)
      x.x.x.132     172.x.101.2      101  (Floor 1)
      x.x.x.133     172.x.102.1      102  (Floor 2)
      x.x.x.134     172.x.102.2      102  (Floor 2)
      etc.

      The issue I'm going to run into is if the tenants have their own router and VoIP or hosting behind it.  Our company is also in the building, and this scenario affects us too.

      I'd rather route these Public IPs on the VLANs with no NAT.  I've read plenty of forum posts about this being the correct solution, but very little substance about how to execute this task.  If there's another approach to solving this issue, I'm eager to learn even if my whole approach is incorrect.

      Thanks in advance

      Derelict (LAYER 8, Netgate)

        How many units/subscriptions?

        To do what you want you will need at least one IP address for every unit plus some for your router interfaces, etc. Better would be a /30 for every unit with layer 3 switches handling the per-unit interfaces.

        You will also need a "routed subnet."  That means your ISP WAN interface is, say, a /29 and they route the /27 to an address on that. You can then put the /27 on an OPT interface and dole it out to your units.

        Unless your ISP is completely out of addresses, you shouldn't have a problem justifying enough addresses for a /30 for everyone. You could go with /31s but all your customers' firewalls (and your switches) will have to support it. You could maybe offer a discount for a /31 or something and mix/match but it's generally easier to have the same config all around.

        Also, depending on the volume of adds/moves/changes/past-dues/etc. you would probably want some way for the switch to hit a RADIUS server when the switch interface comes up and get the config of the port (VLAN, Layer 3 config, etc.) from it.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        DanC
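To make the sizing advice above concrete (one /30 per unit, /31 only if every tenant firewall and switch supports it, and the whole block routed to an OPT interface), here is an added planning script that is not part of the thread or of pfSense. It uses the RFC 5737 range 203.0.113.128/27 as a constructed stand-in for the poster's x.x.x.128/27 and assumes the full /27 becomes the routed block, with the ISP transit moved to a separate /29 as Derelict describes.

```python
import ipaddress

# Constructed placeholder standing in for the thread's x.x.x.128/27 (RFC 5737 TEST-NET-3).
BUILDING_BLOCK = "203.0.113.128/27"


def minimum_prefix(tenants, per_tenant_prefix):
    """Smallest routed block (as a prefix length) holding one /per_tenant_prefix per tenant."""
    needed = tenants * 2 ** (32 - per_tenant_prefix)
    return 32 - (needed - 1).bit_length()


def carve(block, tenants, per_tenant_prefix):
    """Split the routed block into one subnet per tenant, in address order.

    Raises ValueError instead of silently returning fewer subnets, so the
    shortfall shows up at planning time rather than on a tenant's switch port.
    """
    net = ipaddress.ip_network(block)
    subnets = list(net.subnets(new_prefix=per_tenant_prefix))
    if len(subnets) < tenants:
        raise ValueError(
            f"{net} holds {len(subnets)} x /{per_tenant_prefix} but {tenants} tenants "
            f"need at least a /{minimum_prefix(tenants, per_tenant_prefix)}"
        )
    return subnets[:tenants]


def tenant_addresses(subnet):
    """Address roles inside one tenant subnet: our router side and the tenant's side.

    /30: network, router, tenant, broadcast.  /31 (RFC 3021): only router and
    tenant, with no network or broadcast address, which is why the tenant's
    equipment has to support it explicitly.
    """
    net = ipaddress.ip_network(subnet)
    addrs = list(net)
    if net.prefixlen == 31:
        return {"router": addrs[0], "tenant": addrs[1]}
    return {"network": addrs[0], "router": addrs[1],
            "tenant": addrs[-2], "broadcast": addrs[-1]}


if __name__ == "__main__":
    # 11 tenants: /30 each does not fit in a /27, /31 each does.
    for prefix in (30, 31):
        try:
            for sub in carve(BUILDING_BLOCK, 11, prefix):
                print(sub, tenant_addresses(sub))
        except ValueError as err:
            print(err)
```

Running it shows why the poster's current /27 only works for 11 units with /31s (22 addresses) and why /30s for everyone (44 addresses) require asking the ISP for at least a /26.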

          It's a commercial building, so we'll only have one tenant per floor (max possible of 11 tenants).  Currently, our company is the only one occupying the building as it's still under construction.

          From the /27 pool that we have now, I'd think we'd have enough to make this work until we fill out the building and increase as needed.  Our ISP has plenty to hand out.

          I guess my question should be more broad: What's the best practice in pfSense to hand out public IP addresses without NAT?

          Derelict (LAYER 8, Netgate)

            Routed subnet as I said before.
