Koozali.org: home of the SME Server

firewall between network users

little bark, BIG BYTE!!

firewall between network users
« on: February 26, 2002, 12:54:35 AM »
Okay,
We have a college dorm with sixty rooms, they are all on the same network of course. We have been asked to replace the existing network, it seems a couple of enterprising young fellows were running Porn servers from their dorm room. :-)
Questions or requirements as follows.

1. I need to make sure the guy in room 3 doesn't get to bang at the doors of room 7's computer, i.e. hack it. We do NOT want them to be able to share files a la Network Neighborhood.

2. I need to be able to monitor bandwidth and print reports. If this can be on the server this is better, but a good linux workstation app would be fine also. Off topic, but I'd appreciate some ideas.

3. Throttle bandwidth.

4. Anything else I've forgotten.

Thanks People

Boris

Re: firewall between network users
« Reply #1 on: February 26, 2002, 06:15:46 AM »
Switch with VLANs separating the ports, so they ONLY can communicate via FW-Router. SME:-) with IP aliases set up (eth1:1, eth1:2 etc..), Network Monitor from contrib. should do the job without costing an arm and a leg.

little bark, BIG BYTE!!

Re: firewall between network users
« Reply #2 on: February 26, 2002, 03:26:59 PM »
Okay Boris,

Could you go into a bit clearer detail please? Sounds like you know what I need, I don't completely understand your explanation though.

Wouldn't it work something like this...

internet ---> router ---> nic{SME}nic ---> VLAN-enabled switch.

My questions to your answer are

1. how to set up the ip aliasing?
2. This will give me my division right?
3. Aren't VLAN-enabled switches limited in how many VLANs they will support?
4. If they are limited, how do I set up a number of them in order to get my 60-plus VLANs?
Again, thank you for your time.

Garret

Boris

Re: firewall between network users
« Reply #3 on: February 27, 2002, 11:19:01 PM »
Garret,
Your drawing is correct.

1. ifconfig eth0:1 192.168.1.1 netmask 255.255.255.0
   ifconfig eth0:2 192.168.2.1 netmask 255.255.255.0 etc.
2. I didn't get your question. This setup creates a number of independent networks and prevents users from communicating directly with each other. VLANs are used to prevent them from changing their networks. Example: if a user changes his/her IP from 192.168.40.5 (connected to VLAN “192_168_40”) to an IP in the “neighbor's network” 192.168.42.5, it will not work, as VLAN “192_168_40” connects to eth0:40 with IP 192.168.40.1 on the router (SME). Further, you use ipchains rules on the SME server to block traffic between the networks 192.168.1.0, 192.168.2.0, … 192.168.40.0, 192.168.42.0 etc.
3. Yes, and the limit is much higher than you need. Even a "small" C2950 supports 64 VLANs per switch. Something like a C3550 will give you more than 1000 VLANs.
4. See above. I am not sure how many IP aliases are supported by Linux (32? 127? 255?).
You can add a third or fourth real NIC in your SME server as well. Search the phorum for the how-to on adding a third NIC.

Sorry, I am not good at writing how-tos, but hopefully you will get the basic idea.
Boris.
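The alias-per-VLAN plus ipchains scheme Boris describes, worked out for all sixty rooms as an added example (not code from the thread). It assumes eth0 as the VLAN-facing NIC, 192.168.N.0/24 per room with the SME router at 192.168.N.1, and an ipchains-era SME kernel; it generalizes the "block traffic between the networks" step into one forward-chain rule per room rather than one per room pair.

```shell
#!/bin/sh
# Added example, not code from the thread: emit the per-room IP alias and
# ipchains isolation commands Boris outlines, for N rooms addressed
# 192.168.N.0/24 with the SME router at 192.168.N.1 on alias eth0:N.
# Assumed: an ipchains-era kernel and eth0 as the VLAN-facing NIC.
IFACE=${IFACE:-eth0}

# One alias per room/VLAN, so every room has its own gateway on the router.
alias_cmds() {
    i=1
    while [ "$i" -le "$1" ]; do
        echo "ifconfig $IFACE:$i 192.168.$i.1 netmask 255.255.255.0 up"
        i=$((i + 1))
    done
}

# Room-to-room isolation on the forward chain. Traffic inside a room never
# reaches the router, and packets to the router's own alias addresses are
# handled by the input chain, so one rule per room (N rules, not N*(N-1)
# pairwise rules) is enough: refuse to forward whatever a room sends to any
# other 192.168.0.0/16 address, leaving its route to the internet untouched.
# -l logs each denied packet, which gives you the evidence for monitoring.
# Any shared 192.168.x server must get an ACCEPT rule inserted before these.
isolation_rules() {
    i=1
    while [ "$i" -le "$1" ]; do
        echo "ipchains -A forward -s 192.168.$i.0/24 -d 192.168.0.0/16 -j DENY -l"
        i=$((i + 1))
    done
}

# sh dorm-rules.sh 60        -> print the commands for review
# sh dorm-rules.sh 60 apply  -> run them (as root on the SME box)
main() {
    rooms=${1:-60}
    if [ "$2" = "apply" ]; then
        { alias_cmds "$rooms"; isolation_rules "$rooms"; } | sh -e
    else
        alias_cmds "$rooms"
        isolation_rules "$rooms"
    fi
}
if [ -n "${1:-}" ]; then main "$@"; fi
```

Review the printed output first; the alias commands do not survive a reboot, so on a real box they belong in an ifup script or the SME configuration rather than in a one-off run.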