Linux router

Alaric Fox plug-discuss@lists.plug.phoenix.az.us
Thu, 08 Aug 2002 09:36:37 -0700


8/8/02 4:44:11 AM, George Toft <george@georgetoft.com> wrote:

>Alaric Fox wrote:
>> 
>> 8/6/02 2:30:26 PM, "Dallas Helquist" <dallas@oldbrownjeep.net> wrote:
>> 
>> <snip>
>> 
>> >Are you going to put all 5 cards on different IP networks, or 
>> >bridge them together?
>> >
>> It's going to look something like this:
>> 
>>        +-------+
>>    E1--|       |--E3
>>        |gateway|
>>    E2--|       |--E4
>>        +-------+
>>            |
>>            |
>>           E0
>> 
>> E0 will be the "real" network, E1 and E2 will be on one 
>> private network, and E3 and E4 will be on another private 
>> network.
>> 
>> --Alaric
>
>Why not set up "E0" (eth0) as your public interface, and "E1" 
>(eth1) as your private interface, and bind one IP from each 
>network onto "E1"?  For example, if your private networks are 
>10.0.0.0/24 and 10.0.1.0/24, you would have this:
>
>      +---------+
>  eth0|         |eth1 - 10.0.0.1    +--------+
>------| gateway |-------------------| Switch |
>  DHCP|         |eth1:0 - 10.0.1.1  +--------+
>      +---------+
>
>then plug in all of your computers to the switch.  The default 
>gateway for each network becomes 10.0.0.1 and 10.0.1.1, 
>respectively, whereas
>your way requires different default gateways depending on your 
>segment.  If you have a specific requirement to keep the 
>segments physically isolated, I would suggest subnetting 
>rather than bridging.
>
I thought this would be quicker for me to implement, as I'm not 
super familiar with the administration side of things.  As I 
intend the system to be expandable, I planned to move to 
switched private networks later.  However, after thinking about 
it, what you suggested is probably simpler.  Let me make sure 
I'm clear on this:

                               N1  N2
      +---------+               |  |
      |         |            +--------+
------| gateway |------------| switch |
 eth0 |         | eth1       +--------+
      +---------+               |  |
                               N3  N4

I bind eth0 whatever way I need to connect to my 'public' 
network, and I bind eth1 to two addresses, say 10.0.0.1 and 
10.0.1.1.  I then set N1 and N2 as 10.0.0.x/y using 10.0.0.1 as 
the default gateway and N3 and N4 as 10.0.1.x/y using 10.0.1.1 
as the default gateway.  I set the netmask of all Nn to 
255.255.255.0.  This means that, even though physically 
connected to the same switch, N1 and N2 can talk to each other 
directly, but not to N3 and N4 (and vice versa).  In order for, 
say, N1 to talk to N3, I'd have my choice of just allowing it 
in the firewall software (which is what, btw?  ipchains?), or 
requiring users to log into applications I create and run on 
the gateway?

If I want all machines to be physically separate, I just expand 
the example and put each node on its own subnet -- 10.0.n.x, with 
a default router for each bound on eth1 (10.0.n.1)?

Of course, it may hinge on the availability of extra NICs vs. 
switches (and a hub just won't do, correct?).  As this is an 
internal experiment, we're looking to use as many (i.e., all) 
in-house parts as possible.

--Alaric
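As an added example (not code from the thread), below is the gateway setup George describes and Alaric restates: two /24s on one private NIC, each host using the gateway address of its own subnet, with cross-subnet traffic forced through the gateway's filter. It assumes a 2.4-era kernel with iproute2 (`ip`) and iptables rather than ipchains; the interface names and subnets come from the thread, while the single permitted ssh flow and the `DRY_RUN` switch are my additions. The `next_hop` helper shows, from a host's point of view, which destinations it delivers to directly on the switch and which it hands to its default gateway.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumptions: Linux 2.4+ with iproute2 ("ip") and iptables.  Interface and
# subnet names are the ones used in the thread.  DRY_RUN=1 (the default)
# prints the privileged commands instead of executing them, so the script
# can be run as an ordinary user to review the plan.

PUB_IF=eth0
PRIV_IF=eth1
NET_A=10.0.0.0/24; GW_A=10.0.0.1     # N1, N2
NET_B=10.0.1.0/24; GW_B=10.0.1.1     # N3, N4

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

configure_addresses() {
    run ip addr add "$GW_A/24" dev "$PRIV_IF"
    # Second address on the same NIC; the label is what ifconfig shows as eth1:0.
    run ip addr add "$GW_B/24" dev "$PRIV_IF" label "$PRIV_IF:0"
    run sysctl -w net.ipv4.ip_forward=1
}

configure_firewall() {
    # Default-deny forwarding.  Packets between the two /24s enter and leave
    # on eth1, so the "-i eth1 -o eth1" rules are the cross-subnet policy.
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$PRIV_IF" -o "$PUB_IF" -s "$NET_A" -j ACCEPT
    run iptables -A FORWARD -i "$PRIV_IF" -o "$PUB_IF" -s "$NET_B" -j ACCEPT
    # One permitted cross-subnet flow (my example): ssh from N1/N2 into N3/N4.
    run iptables -A FORWARD -i "$PRIV_IF" -o "$PRIV_IF" -s "$NET_A" -d "$NET_B" -p tcp --dport 22 -j ACCEPT
    # Everything else that tries to cross subnets is logged, then hits the DROP policy.
    run iptables -A FORWARD -i "$PRIV_IF" -o "$PRIV_IF" -j LOG --log-prefix "cross-subnet drop: "
    # Hide the private addresses behind eth0's DHCP-assigned address.
    run iptables -t nat -A POSTROUTING -o "$PUB_IF" -j MASQUERADE
}

# Host-side view: does a host deliver to a destination directly (ARP on the
# shared switch) or hand it to its default gateway?  Pure arithmetic, no root.
ip2int() {
    saved_ifs=$IFS; IFS=.
    set -- $1
    IFS=$saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# next_hop HOST_IP PREFIX_LEN DEST_IP  ->  "on-link" or "via-gateway"
next_hop() {
    mask=$(( $2 == 0 ? 0 : (0xffffffff << (32 - $2)) & 0xffffffff ))
    if [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$3") & mask )) ]; then
        echo on-link
    else
        echo via-gateway
    fi
}

configure_addresses
configure_firewall
echo "N1 -> N2: $(next_hop 10.0.0.10 24 10.0.0.11)"   # on-link
echo "N1 -> N3: $(next_hop 10.0.0.10 24 10.0.1.10)"   # via-gateway
```

Run it as-is to review the commands, then with `DRY_RUN=0` as root to apply them. One caveat worth keeping in mind with this layout: on an unmanaged switch the two subnets are separated only by how the hosts are configured. A host on the 10.0.1.0/24 side that adds a 10.0.0.x address, or a route for 10.0.0.0/24 out its own NIC, reaches N1 directly without ever passing the FORWARD chain, and a hub would additionally show every frame to every host. Separate NICs or switches (or 802.1Q VLANs on a managed switch) are what actually keep the segments apart; the subnet split only keeps well-behaved hosts apart.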