Distribute Internet to Multiple Tenants

I need to provide internet connectivity for multiple tenants (about 70) of a building that will be sharing one large internet connection.  Every tenant needs to have their own public IP address, which we will assign from the block given by the ISP.  The ISP is providing a copper layer 2 handoff.

Due to wiring constraints (distance, cost), we have to use coax cable to each unit.  The coax goes to an endpoint device in each unit, which then converts back to CAT5 ethernet.  The coax cables get aggregated back to master units, which would then go to an ethernet switch (haven't purchased one yet).

I am trying to figure out how to isolate the tenants from each other.  I don't see what prevents a tenant from misconfiguring their router, possibly using the IP address given to a different tenant.  Even worse, I don't see what stops someone from connecting a laptop and ARP spoofing the gateway and sniffing everyone's traffic.  In reality, this probably won't happen, but the fact that it could gives me pause.

What can I do to prevent this possibility?  I was thinking of a layer 3 switch and VLANs, but I'm not entirely sure how I would apply it.  The coax endpoint units (in the tenants' offices) can supposedly handle VLANs.

Any suggestions regarding either design or equipment? Thanks.

Fred Marshall (Principal) commented:
If the tenants all have public IP addresses as you say then they would generally not be separable.  After all, that's the purpose of a public address.  Anyone can reach/see them.  If not then it's a waste of public addresses and probably money.
That means they can reach each other just as well as Yahoo!

Is there something I don't understand about this?
Kyle Abrahams (Senior .Net Developer) commented:
ds1010 (Author) commented:
What I mean is that all of the tenants would be sharing the same layer 2 broadcast domain in the switch.

For instance, if the public IP block given by the ISP was, I would have 126 usable IP addresses, minus one for the gateway.  If the gateway was and I started giving out the addresses as follows:

Tenant 1:
Tenant 2:
Tenant 3:
Tenant 4:

The potential problem that I see is that I cannot prevent Tenant 1 from configuring their router with Tenant 4's IP address.  This could cause problems.  While it isn't guaranteed to happen, it could.

The other problem is that Tenant 4 could connect a laptop and would then be directly connected to the broadcast domain.  He could then ARP spoof the gateway, redirecting everyone's traffic through him.  Again, while this probably won't happen, it could.

How can I limit certain endpoints to only be able use public IPs assigned to them? Also, how can I eliminate the possibility of ARP spoofing and/or other shenanigans?

I'm curious how other people would handle this type of deployment.  Am I just being paranoid?

Fred Marshall (Principal) commented:
Those addresses are private addresses.  So there is no public address waste and likely no cost involved beyond the pipe.  
It's a little odd but not unheard of for the ISP to provide you with a private subnet.
It's more common for the ISP's *modem* or *router* on your site to do that.

Since they are all private addresses you may be able to deal with the situation like shown in the paper.  That will require 70 routers plus one.

So, you have
I will assume you have a router with address
So, at each tenant site set up a router with NAT using: on the LAN side.
So there's no confusion and so that you can implement communication between tenants when needed, use different subnets on the LANs:
Fred Marshall (Principal) commented:
And, of course, you'll need 80 switch ports or so at the central connection point to distribute to the tenants.  
You could put the 70 routers right there also.
That will depend on who will be responsible for them.
If it's you then I'd put them in one room.
If it's them then I'd have them provide or maintain and certainly house them.
ds1010 (Author) commented:

The network I used in my earlier comment was just for illustration purposes as an example.  Assume that it is a public IP range.

Sorry for the confusion.
Fred Marshall (Principal) commented:
Well, either way.
You might do this then:

Bring in the internet connection according to the ISP requirements.  Either a router or a switch.  If a router, follow it with a switch.  Still 80 ports.
No need that I can see for separation with them being public.
But each tenant will want to have their own firewall.  That could be a router, which is very typical on a public address to NAT and provide private addresses.
So it really isn't much different except their publicly-addressed devices will be accessible as they no doubt want.  But routers need not be all that accessible except as a port into the rest of the network .. as in an internet gateway.

Khandakar Ashfaqur Rahman (Expert/Consultant) commented:
You could go for VLAN.
You need Layer3 switch but what are you thinking? For each user separate VLAN?
Which router are you using?

Well, ARP spoofing is really annoying and could mess up the network. My easiest suggestion would be to block ICMP only into the gateway address.
Another way is making each client's ARP entry static in your router. But it's not applicable if the client has multiple computers and they connect directly to the cable.
Yup, looks like you'll need firewalls/router for each tenant.

Private VLANs is what you are looking for. I think this is similar to what ISPs use.

ds1010 (Author) commented:
@fmarshall: Every tenant would have their own router, that's a given.  The issue I am trying to resolve is how to make sure that a tenant is only able to use the public IP address that is given to them.  Otherwise someone could accidentally misconfigure their router and end up using another tenant's IP address. This would create connection issues for both tenants.

@rigan123: We haven't purchased any equipment yet, this is still in the planning phase.  I am thinking about a separate VLAN for each user.  If I do that, does that mean that I have to chop up the address space into /30 subnets?  If so, that seems like it would be a huge waste of IPs.

@agonza07: Thanks for the link. I'm going to read through that now.
Khandakar Ashfaqur Rahman (Expert/Consultant) commented:

That's why I asked you the question.

The way I mentioned (blocking ICMP into the gateway) could protect you from ARP spoofing.
There may be some manageable switches (like Cisco, HP ProCurve, 3Com, etc.) that have a Port Isolation option which could isolate users within the same address range. That also could help you to resolve the issue. Just find out the suitable one.

For buying a router I could suggest you buy Mikrotik (RouterBoard OS). It's cheap and has wonderful performance too.
Fred Marshall (Principal) commented:
Maybe the routers should be centrally located and managed then..... ??

Or maybe the routers should be set up for DHCP and fed by MAC address reserved IP addresses.  That will take care of any "mistakes".  You just need to have a master router that will do DHCP with public addresses.  Some commodity routers won't.  And you will want to make sure that the reserved pool can be large enough to meet your needs.  Likely that won't be an issue but I can imagine such pools being of size "32" or "64" just because.
Khandakar Ashfaqur Rahman (Expert/Consultant) commented:

The author wants security for his clients. Maybe the most important thing is: each client should be separated from the others so that none can ping each other. Otherwise, anyone could attempt to access others' computers or do spoofing. For that case, it needs switchport isolation or VLANs. But VLANs need more IPs and it'd take time to completely configure for all clients.
Fred Marshall (Principal) commented:
If a device is accessible on the internet then it's accessible.  I don't see the difference between having a public address on the same switch as having a public address in Bangladesh.  They are all interconnected by design.

Security of the clients depends on the individual firewalls and that's all there is to it.  So, reserved public IP addresses by DHCP seems a good way to go.  How do you prevent someone in Bangladesh from using one of your public IP addresses?  Usually by virtue of ISP subnets but that's all isn't it?
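The enforcement the thread circles around (a tenant port allowed to source only the public IP assigned to it, and an ARP reply for the gateway accepted only from the gateway side) can be modelled as a per-port binding table. The following is an added example written for this page, not code from the thread or from any switch vendor; all port names, MACs and the 203.0.113.0/25 block are constructed stand-ins for the ISP block, and the bindings stand in for the MAC-reserved DHCP leases suggested above. The `audit_bindings` check also catches the duplicate-address mistake from the original question before it reaches the wire.

```python
"""
Per-port address enforcement on a shared Layer 2 segment (added illustration).

Models what a managed switch does with a per-port binding table: each tenant
port is bound to exactly one (MAC, IP) pair, fed here from the MAC-reserved
DHCP idea in the thread. A frame is dropped when its source MAC or source IP
does not match the binding of the port it arrived on, and an ARP reply is
dropped when it advertises an address the port is not bound to. A tenant
claiming another tenant's IP, or claiming the gateway IP in ARP, is caught.

All port names, MACs and addresses are constructed sample values
(203.0.113.0/25 is a documentation range, not the ISP block from the thread).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

Binding = Tuple[str, IPv4Address]          # (mac, ip) bound to one switch port

ISP_BLOCK = IPv4Network("203.0.113.0/25")   # constructed stand-in for the ISP block
GATEWAY_IP = IPv4Address("203.0.113.1")

# Constructed binding table. A real switch builds it from DHCP snooping
# (one reservation per MAC) or from static per-port configuration.
BINDINGS: Dict[str, Binding] = {
    "uplink":  ("00:00:5e:00:01:01", GATEWAY_IP),
    "tenant1": ("02:00:00:00:00:01", IPv4Address("203.0.113.10")),
    "tenant2": ("02:00:00:00:00:02", IPv4Address("203.0.113.11")),
    "tenant3": ("02:00:00:00:00:03", IPv4Address("203.0.113.12")),
}


@dataclass(frozen=True)
class Frame:
    in_port: str
    src_mac: str
    ip_src: Optional[IPv4Address] = None            # IP packet: source address
    arp: Optional[Tuple[IPv4Address, str]] = None   # ARP reply: (sender IP, sender MAC)


def check_frame(frame: Frame, bindings: Dict[str, Binding]) -> Tuple[bool, str]:
    """Return (forwarded?, reason) for one frame arriving on a switch port."""
    binding = bindings.get(frame.in_port)
    if binding is None:
        return False, "no binding for ingress port"
    bound_mac, bound_ip = binding
    if frame.src_mac.lower() != bound_mac.lower():          # port security
        return False, "source MAC is not bound to this port"
    if frame.arp is not None:                               # ARP inspection
        sender_ip, sender_mac = frame.arp
        if sender_ip != bound_ip or sender_mac.lower() != bound_mac.lower():
            return False, f"ARP reply claims {sender_ip} is at {sender_mac}, not bound here"
        return True, "forwarded"
    if frame.ip_src != bound_ip:                            # IP source check
        return False, f"source IP {frame.ip_src} is not assigned to this port"
    return True, "forwarded"


def audit_bindings(bindings: Dict[str, Binding], block: IPv4Network) -> List[str]:
    """Catch assignment mistakes before the wire: out-of-block or duplicate IPs."""
    problems: List[str] = []
    seen: Dict[IPv4Address, str] = {}
    for port, (_, ip) in bindings.items():
        if ip not in block:
            problems.append(f"{port}: {ip} is outside {block}")
        if ip in seen:
            problems.append(f"{port}: {ip} already assigned to {seen[ip]}")
        seen.setdefault(ip, port)
    return problems


def run_sample() -> Dict[str, Tuple[bool, str]]:
    """Constructed frames covering the cases raised in the thread."""
    frames = {
        # Tenant 1 router sending with its own address: normal traffic.
        "tenant1_ok": Frame("tenant1", "02:00:00:00:00:01", ip_src=IPv4Address("203.0.113.10")),
        # Tenant 1 router misconfigured with tenant 2's address.
        "tenant1_uses_tenant2_ip": Frame("tenant1", "02:00:00:00:00:01", ip_src=IPv4Address("203.0.113.11")),
        # Device on tenant 3's port answering ARP for the gateway with its own MAC.
        "tenant3_arp_for_gateway": Frame("tenant3", "02:00:00:00:00:03", arp=(GATEWAY_IP, "02:00:00:00:00:03")),
        # The real gateway answering ARP on the uplink.
        "gateway_arp_ok": Frame("uplink", "00:00:5e:00:01:01", arp=(GATEWAY_IP, "00:00:5e:00:01:01")),
        # An unknown laptop plugged into tenant 2's port instead of the tenant's router.
        "laptop_on_tenant2": Frame("tenant2", "02:00:00:00:00:ff", ip_src=IPv4Address("203.0.113.11")),
    }
    return {name: check_frame(f, BINDINGS) for name, f in frames.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_sample().items():
        print(f"{name:26s} {'FORWARD' if ok else 'DROP   '} {why}")
    print("binding audit:", audit_bindings(BINDINGS, ISP_BLOCK) or "clean")
```

Managed switches implement the same three checks under feature names such as port security, DHCP snooping with IP source guard, and dynamic ARP inspection. Because the rule is tied to the port rather than to a subnet, one shared block stays usable, which is what the port-isolation suggestion above gets at, instead of carving the address space into /30s. With a router in each unit, only that router's MAC appears on the tenant port, so the per-port MAC binding is workable even when a tenant has many computers behind it.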