I'm not sure which is the best approach...
1. Use the layer 3 managed switch (port based) for each server/workstation,
eth0 for LAN only, eth1 for Internet only?
2. Use a dedicated Firewall 'before' the router and assign the
wireless a 10.0.0.0 network to keep them off the LAN 192.168.100.0
3. Use another router
The issue I'm concerned with most is using one of the servers for a Samba file share
(LAN access only), but the server needs updating from the Internet as well. My understanding
is that it's best to separate the LAN/Internet traffic with an entirely different subnet.
I wish to prevent a setup where a server/workstation could be accidentally misconfigured
to use Internet traffic on the wrong eth0/eth1 interface.
All server/workstations are Debian amd64 Testing.
Can someone please recommend an approach to properly isolate LAN/Internet traffic for
the proposed network layouts at the above links?
Sorry, I'm not 100 percent clear. Do you mean use all eth1 NICs (Internet access) and
connect directly to the Firewall or a separate proxy server on 10.0.0.0?
>"...Option 2 just have the firewall added. Routing is the key here."
? Do you mean 'static routing'? If so, which source/destinations?
>"...Set your ADSL gateway as the default gateway on clients or proxy server and then only set default gateway of the wan link for other clients that you want to go over the wan"
? In the diagrams above, where are you assigning the gateways?