New to PFSense/Netgate and wanted to run this by someone with more experience…
A client of mine, a building owner, wants to offer Internet services to his tenants (a max of about 10-15 tenants), where each tenant would have a private LAN (dedicated VLAN per tenant) but would share the AT&T fiber internet connection running into the building (currently 200 Mbps up/down, but it might go up to 1 Gbps up/down eventually).
Looking at using a Netgate SG-3100 or 5100 router/firewall at the head-end (behind the AT&T managed router which I don’t have access to), then downstream from that several UniFi switches and APs with a dedicated VLAN for each tenant so the traffic for each tenant is isolated from each other for security. VLANs could potentially span across more than one switch/AP.
Since the 3100s and 5100s can’t do port aggregation, and don’t support Spanning Tree, I would only have a single uplink from one of the LAN ports on the Netgate FW to a single UniFi “distribution” switch, which would then connect to several other UniFi “access” switches and APs. I have a CloudKey Gen2 Plus in place already as well as a bunch of UniFi Cameras which would be on their own VLAN.
Some of the tenants might need remote VPN client access (via OpenVPN) so I assume I could restrict them to specific VLANs (or networks?) based on user name.
Lastly, I plan to use the traffic shaping capabilities in PFSense to manage bandwidth hogging and create service levels for each tenant (limit tenants to 10, 25, 50Mbps up/down, etc.).
As a PFSense newbie, let me know if I am missing anything or something else I should consider.
Thanks so much!
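As an added planning example (not from the post, and not Netgate or pfSense code), here is the per-tenant isolation and service-tier design the post describes, modelled as ordered first-match rules with pfSense-style limiter pairs; the tenant names, VLAN tags, subnets and limiter names are assumptions.

```python
"""Added example: per-tenant VLAN isolation and bandwidth tiers behind a shared uplink.
Tenant names, VLAN tags and subnets are constructed sample data; limiter names
(lim_<tier>_in / lim_<tier>_out) are assumed, not pfSense's own."""
import ipaddress

TIERS_MBPS = {"basic": 10, "standard": 25, "premium": 50}   # service levels named in the post
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

TENANTS = [  # constructed: (name, VLAN tag, subnet, tier); the camera VLAN is just another private net
    ("suite101", 101, "10.10.101.0/24", "standard"),
    ("suite102", 102, "10.10.102.0/24", "premium"),
]

def validate(tenants, uplink_mbps):
    """Return planning problems: duplicate VLAN tags, overlapping subnets, oversubscription."""
    problems, nets, tags = [], {}, set()
    for name, tag, subnet, tier in tenants:
        if tag in tags:
            problems.append(f"{name}: duplicate VLAN tag {tag}")
        tags.add(tag)
        net = ipaddress.ip_network(subnet)
        for other, onet in nets.items():
            if net.overlaps(onet):
                problems.append(f"{name}: subnet overlaps {other}")
        nets[name] = net
    committed = sum(TIERS_MBPS[tier] for *_, tier in tenants)
    if committed > uplink_mbps:
        problems.append(f"oversubscribed: {committed} Mbps committed on a {uplink_mbps} Mbps uplink")
    return problems

def tenant_rules(subnet, tier):
    """Ordered rule list for one tenant VLAN (first match wins, as on a pfSense interface tab).
    Blocking the private ranges *before* the pass-to-any rule is what isolates tenants."""
    net = ipaddress.ip_network(subnet)
    firewall_addr = ipaddress.ip_network(str(next(net.hosts())))   # firewall's own address on this VLAN
    rules = [("pass", net, firewall_addr, "DNS/DHCP to firewall", None)]
    rules += [("block", net, priv, "no tenant-to-tenant or camera VLAN", None) for priv in RFC1918]
    rules.append(("pass", net, ipaddress.ip_network("0.0.0.0/0"), "internet",
                  (f"lim_{tier}_in", f"lim_{tier}_out")))   # limiter pair, TIERS_MBPS[tier] each way
    return rules

def decide(rules, src_ip, dst_ip):
    """First-match evaluation of a flow: returns (action, limiter pair or None)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst, _desc, limiters in rules:
        if s in src and d in dst:
            return action, limiters
    return "block", None   # implicit default deny when nothing matches
```

Running `validate(TENANTS, 200)` against the current 200 Mbps uplink returns no problems, while `decide` shows a suite101 host reaching the firewall and the internet but not suite102.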