Network 1 - My Work PC + 2 'Home Entertainment' PCs for my kids to play on. These are hooked up to a 4-port Network Hub then to my DSL router.
Network 2 - My Gaming PC Rig + 3 Gaming PC Rigs. These are also hooked up to another 4-Port Network Hub then to my DSL router.
*** The Problem ***
Due to some... uhhh... errrr... ummmm... problems with someone who 'I' [Yes! Me!] invite over... I need to change the WAY the networks are setup and I'm unsure of exactly how to do it.
-The 'new' network setup-
Network 1 - My Work PC [Only one ALLOWED to access the DSL connection from Network 1], accessing the 2 'Entertainment PCs' network as well. Note: I do NOT wish my Work PC or the 2 Ent'PCs to have ANY access to the Network 2 PCs at all. The 2 Ent'PCs are NOT to have any DSL/Internet access.
Network 2 - My Gaming Rig [Only one to have access to the DSL connection on Network 2] accessing the other 3 Gaming PC Rigs. Note: I do not wish My Gaming PC Rig or the 3 Gaming PCs to have access to Network 1, nor the 3 Gaming PC Rigs to have access to the DSL/Internet connection.
(-- Potential Solutions??? --)
 Setup Network 1's Work PC with dual NICs with one NIC corresponding subnet mask specific to the DSL [ie. 255.255.255.1] router, and the other NIC's subnet mask specific to the 2 Ent'PCs subnet through the 4-port hub [ie. 255.255.255.2].
Setup Network 2 similarly to Network 1. In this case My Gaming Rig will have 2 NICs with one of them having the subnet of the DSL router [ie. 255.255.255.1] and the other NIC having the subnet of the 3 other Gaming PC Rigs running on their 4-port hub [ie. 255.255.255.3].
I ^think^ this will work to keep the 2 Ent'PCs from accessing the Internet, my Gaming Rig or the 3 Gaming PC Rigs on Network 2. Conversely this should keep the 3 Gaming PC Rigs on Network 2 from accessing the internet, My Work PC or the 2 Ent'PCs.
 Setup a Proxy Server before the hubs head to the DSL router. That'll stop external accesses to the Internet through the DSL router. It'll not block inter-Network 1 & 2 communications though.
 Setup 2 Switches before the Proxy server [which is before the DSL router]. That'll solve the DSL issue and should also solve the cross network comms between Networks 1 & 2. But this solution [unless I'm just missing something here] will be quite costly overall and require a good bit of time to setup compared to Solution .
 [The final option] Leave the networks as is and just setup the DSL router to only 'see' the IP addresses of 'My Work PC' and 'My Gaming Rig'. This only fixes the issue of DSL/Internet access [AFAIK] and would still allow accesses between Network 1 & 2. If it ~would~ block the crossnetwork accesses as is... would it be open to hackerdom from Network 1 OR Network 2 [ie. some scripting or a proggie to 'openup' the DSL router to allow covert Inet and cross-Network 1/2 accesses]?
I think this is prolly better than setting up a Proxy server AFAIK. Also, there aren't any 'decently priced' switches that can do 'private IP' addressing and block cross communications between these networks are there? If so... what setup would any of you advise.
Have I hit the nail on the head with this setup in 'Solution '? Or will there be file-sharing difficulties between My Work PC and the 2 Ent'PCs when I browse the Internet too?
Will the Dual NIC setup in the Work PC and also My Gaming Rig forward packets from Network 1 to Network 2 and consequently to the DSL router for Internet access? If so, is there a 'packet forwarding' feature on NICs themselves that I need to be aware of? [Note: I'm not referring to what used to be called 'Server NICs' for the NICs I intended to install, AFAIK the Proxy Server System does Software-based forwarding of those requests out to the DSL/Internet based on its IP filtering queue]
Can the Proxy Server setup actually block crosstalk between Networks 1 & 2 also instead of just blocking Internet calls out from the 2 Ent'PCs and the 3 Gaming PC Rigs [after their IPs are setup in the Proxy Server correctly]?
Well, any help would be greatly appreciated.
[Posted this in the 'Routers' and in the 'General Network' sections but no one answered there. Hoped more eyes might be abouts the room here also.]
Edited by PCUser on 01/13/04 01:03 PM.
This option depends entirely on how much you are trying to prevent people from accessing the internet assuming that they really want to and will try to circumvent your measures... You could use the 10.1.1.x range for some but not all your PCs. Set the IP addresses for the ethernet ports as follows:
internal network = 192.168.1.x
internal router IP = 192.168.1.1
Your gaming PC:
one port on 10.1.1.x, another on 192.168.1.x
Your work PC:
one port on 10.1.2.x, another on 192.168.1.x
Your two "home entertainment PCs":
both on 10.1.2.x
Your three other Gaming PCs:
all three on 10.1.1.x
Give all ports on all computers the subnet 255.255.255.0
Plug all ethernet ports to the same switch and it should keep the separation while still preserving the separation you want in the actual ability to communicate.
Of course, you must use static IP addresses, and if your users are savvy and have access to change network settings, they can easily cause their computers to access the internet or access any other segment by changing their IP address. And if your DNS server addresses ever change, you will have to reset those settings manually.
Another option is to still use the different IP addresses, but use actual separate segments and multiple pieces of hardware (more expensive) like you said in option 1. Put all four gaming PCs on a hub/switch with IP range 10.1.1.x. Plug your gaming PC's second ethernet port to the router, and ensure it is not bridged or it will end up being the same situation as my other suggestion. Do the same thing with your work PC and two Home Entertainment PCs, but use IP range 10.1.2.x just to keep them separate (who knows, the work PC and game PC might notice that each had the same subnet address on the other side and get confused - stranger things have happened in networking). That will physically separate the segments, and users will not be able to change their IP addresses and gain access to any other segment in the network.
In either of these scenarios, the three gaming PCs will be able to print to Your Gaming PC, the two 'home entertainment' PCs will be able to print to Your Work PC, and Your Work PC will be able to print to Your Gaming PC and vice versa. However, the Home Entertainment PCs cannot print to Your Gaming PC (that's what you wanted I think), and Your Work PC cannot access any of the three hidden gaming PCs at all.
One advantage of the first option:
If you ever need to have one of the kids' home entertainment PCs access the internet, you can change its IP address temporarily and do some quick downloads or Windows updates, same with the three gaming PCs. Same if you have a big file you downloaded to the work PC that has the latest big 500MB game demo in it, and you want to put it on the gaming PCs - you can change your network layout in software. (but so can your users if they know how and you haven't denied them access to the settings.)
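As an added example (not part of the original posts), the address plan in the reply above can be checked with Python's `ipaddress` module: it computes which machines share a subnet and which can see the router, and then shows the shared-switch caveat the reply mentions. The host names and host numbers (.10, .21, ...) are constructed, and the model assumes no forwarding, bridging or Internet Connection Sharing on the dual-NIC PCs.

```python
import ipaddress

# Address plan from the reply; names and host numbers are constructed samples.
MASK = "255.255.255.0"
ROUTER = ipaddress.ip_address("192.168.1.1")
HOSTS = {
    "work_pc":   ["10.1.2.10", "192.168.1.10"],
    "gaming_pc": ["10.1.1.10", "192.168.1.11"],
    "ent_pc_1":  ["10.1.2.21"],
    "ent_pc_2":  ["10.1.2.22"],
    "guest_1":   ["10.1.1.21"],
    "guest_2":   ["10.1.1.22"],
    "guest_3":   ["10.1.1.23"],
}

def interfaces(addrs):
    return [ipaddress.ip_interface(f"{a}/{MASK}") for a in addrs]

def can_talk(plan, a, b):
    """True if a and b each have an interface in a common subnet (on-link)."""
    nets_a = {i.network for i in interfaces(plan[a])}
    return any(i.network in nets_a for i in interfaces(plan[b]))

def has_internet(plan, host):
    """True if the host has an interface on the router's subnet."""
    return any(ROUTER in i.network for i in interfaces(plan[host]))

def reachability(plan):
    """Map each host to the sorted list of peers it can reach directly."""
    return {a: sorted(b for b in plan if b != a and can_talk(plan, a, b))
            for a in plan}

def with_changed_ip(plan, host, new_addr):
    """Copy of the plan after a user re-addresses their own machine."""
    changed = dict(plan)
    changed[host] = [new_addr]
    return changed

if __name__ == "__main__":
    for host, peers in reachability(HOSTS).items():
        print(f"{host:10} internet={has_internet(HOSTS, host)!s:5} peers={peers}")
    # On one shared switch the separation is only a convention: a machine
    # that re-addresses itself lands on the router's subnet.
    moved = with_changed_ip(HOSTS, "ent_pc_1", "192.168.1.50")
    print("ent_pc_1 re-addressed -> internet:", has_internet(moved, "ent_pc_1"))
```

The last check only applies to the single-switch layout; with physically separate segments the re-addressed machine still has no wire to the router.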
I'm a complete noob with networking so if I'm way off just tell me to take a flying leap, but it just seems you are making this way more complicated than it needs to be.
Couldn't you use two NICs in your gaming rig? Connect one directly to the DSL router. Connect the other to a dumb hub. Connect the guest gaming rigs to that same hub. DO NOT connect the hub to the DSL router.
As long as you don't turn on Internet Connection Sharing on YOUR game PC then the other gaming PCs have no access to the Internet nor the other network.
56K, slow and steady does not win the race on internet!