On 08 Aug 2002, Alaric Fox said:

> I thought this would be quicker for me to implement, as I'm not
> super familiar with the administration side of things. As I
> intend the system to be expandable, I planned to move to
> switched private networks later. However, after thinking about
> it, what you suggested is probably simpler. Let me make sure
> I'm clear on this:
>
>                                N1  N2
>       +---------+              |   |
>       |         |            +--------+
> ------| gateway |------------| switch |
>  eth0 |         | eth1       +--------+
>       +---------+              |   |
>                                N3  N4
>
> I bind eth0 whatever way I need to connect to my 'public'
> network, and I bind eth1 to two addresses, say 10.0.0.1 and
> 10.0.1.1. I then set N1 and N2 as 10.0.0.x/y using 10.0.0.1 as
> the default gateway and N3 and N4 as 10.0.1.x/y using 10.0.1.1
> as the default gateway. I set up the net mask of all Nn as
> 255.255.255.0. This means that, even though physically
> connected to the same switch, N1 and N2 can talk to each other
> directly, but not N3 and N4 (and vice versa). In order for,

You've understood what George was suggesting.

> say, N1 to talk to N3, I'd have my choice of just allowing it
> in the firewall software (which is what, btw? ipchains?), or
> requiring users to log into applications I create and run on
> the gateway?

I'm using rules that I originally created with FireStarter. It doesn't
yet understand more than two networks. It's easy to fix the script that
FireStarter creates, though.

You want to use iptables/netfilter on 2.4.x.

> If I want all machines to be physically separate, I just expand
> the example and put each node on its own subnet -- 10.0.n.x
> bind a default router on eth1 (10.0.n.1)?

Toss each of the internal networks on its own switch/hub.

> Of course, it may hinge on the availability of extra NICs vs.
> switches (and a hub just won't do, correct?). As this is an
> internal experiment, we're looking to use as many (i.e., all)
> in-house parts as possible.

Hubs will work fine.

It would be better to separate the networks if you use a hub, though.

ciao,

der.hans
--
# https://www.LuftHans.com/
# The Internet is the front line of the battle
# to protect our freedom. -- Nathaniel Borenstein
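A worked version of the gateway setup the thread converges on (two subnets on one internal NIC, iptables/netfilter deciding which cross-subnet traffic the gateway forwards), added here as an example and not code from either poster. It assumes eth1 as the internal interface, eth0 as the public one, and constructed addresses 10.0.0.10 for N1 and 10.0.1.10 for N3; it prints the commands, and executes them only when given --apply.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the ip/iptables commands for the
# two-subnets-on-one-switch layout discussed above. Assumed names: eth1 is
# the internal NIC, eth0 the public one, 10.0.0.10 is N1 and 10.0.1.10 is N3
# (constructed). Run with --apply (as root, Linux 2.4+ with iptables) to
# execute the commands instead of printing them.

INT_IF=eth1
PUB_IF=eth0
NET_A=10.0.0.0/24
GW_A=10.0.0.1
NET_B=10.0.1.0/24
GW_B=10.0.1.1
N1=10.0.0.10
N3=10.0.1.10

gateway_rules() {
    # One internal NIC, two addresses: one default gateway per logical subnet.
    echo "ip addr add $GW_A/24 dev $INT_IF"
    echo "ip addr add $GW_B/24 dev $INT_IF"
    # The gateway only routes between subnets with forwarding enabled...
    echo "sysctl -w net.ipv4.ip_forward=1"
    # ...so default-deny FORWARD: 10.0.0.x and 10.0.1.x stay isolated unless a
    # rule below opens a specific path.
    echo "iptables -P FORWARD DROP"
    # Return traffic for connections the gateway already accepted.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The single permitted cross-subnet flow: N1 may open connections to N3.
    echo "iptables -A FORWARD -i $INT_IF -o $INT_IF -s $N1 -d $N3 -m state --state NEW -j ACCEPT"
    # Internal hosts may reach the public side; the public side cannot initiate inwards.
    echo "iptables -A FORWARD -i $INT_IF -o $PUB_IF -s $NET_A -j ACCEPT"
    echo "iptables -A FORWARD -i $INT_IF -o $PUB_IF -s $NET_B -j ACCEPT"
    # Log what the default policy is about to drop, so blocked cross-subnet
    # attempts show up in the kernel log.
    echo "iptables -A FORWARD -j LOG --log-prefix 'FWD-DROP: '"
}

if [ "$1" = "--apply" ]; then
    gateway_rules | while read -r cmd; do sh -c "$cmd"; done
else
    gateway_rules
fi
```

The FORWARD chain only governs traffic that actually passes through the gateway; hosts sharing one switch or hub remain reachable from each other at layer 2, which is why der.hans recommends putting each internal network on its own switch or hub.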