Re: [LARTC] HTB shaping different subnets...

Linux Advanced Routing and Traffic Control

Rokas,

 : ADSL modem-----ppp0[LINUX box]eth0 (192.168.1.254)---HUB---LAN

Got it.

 : I use HTB to shape download and upload traffic. I use HTB shape on eth0
 : interface for download traffic, and shape on ppp0 interface for upload
 : traffic.

Perfect.

 : I want to connect some other computers to the LAN, but I want to give
 : them IP addresses from the 192.168.2.1-254 range so that these new PCs
 : couldn't "see" the old PCs in the LAN.

If you are indeed using a hub, then each of the machines on the internal
network will be able to see the others, and all of the traffic, but only
under two potential conditions:

  - a user puts the NIC into promiscuous mode
  - a user adds a route to the other IP network via the NIC

But, these are security considerations, and probably not a problem for
you.

 : But I want these new PCs to be able to get to the Internet through my
 : LINUX box. I think I have to use IP aliasing on my LINUX box's eth0
 : interface to do this.

Yes, you can do this.  There'd be no problem here.

 : Am I right, or is there any other means to do it? (I don't want to install
 : a new ethernet interface for the new subnet on my LINUX box).

This will bring up a new address on eth0, cause the kernel to respond for
ARP, and add a route to the 192.168.2.0/24 network:

  ip address add 192.168.2.254/24 dev eth0

I'd recommend, additionally, that you block all traffic to/from each of the
192.168.x.0/24 networks:

  iptables -A FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -j DROP
  iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -j DROP

Note, that still doesn't prevent users on each segment from potentially
seeing each other (see above)--it just means that the IP networks will not
be able to forward packets through your Linux box to each other.

 : But if I used IP aliasing on eth0 interface, would I be able to shape
 : download traffic, because I have to shape eth0 interface for download
 : traffic ??? Please give me some comments about this question.

You may need to alter your traffic control configuration to include
references to the new IP range, but there is no problem with this
solution.

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@xxxxxxxxxxxxxx
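The setup Martin describes, as an added example that is not part of the original thread: one script that prints the alias command, the two FORWARD drops between the subnets, and an HTB layout on eth0 with a u32 filter per destination subnet, so the new 192.168.2.0/24 range is shaped alongside the old one. Interface and subnet names come from the thread; the rate figures, the class numbering and the function names (alias_cmds, isolation_cmds, shaping_cmds, all_cmds) are assumptions made for this example. The script prints the commands rather than executing them, so it can be reviewed first and then piped into a root shell.

```shell
#!/bin/sh
# Added example, not from the thread: emit the ip/iptables/tc commands for
# an aliased second subnet on eth0 that is isolated from the first subnet
# and shaped by its own HTB class. Nothing here runs a privileged command.

LAN_IF=eth0                     # LAN side, shapes download traffic (from thread)
OLD_NET=192.168.1.0/24          # existing LAN (from thread)
NEW_NET=192.168.2.0/24          # new, isolated range (from thread)
NEW_ALIAS=192.168.2.254/24      # alias address Martin suggests (from thread)
DOWN_RATE=512kbit               # assumed total ADSL downstream budget
OLD_SHARE=256kbit               # assumed guaranteed share for the old LAN
NEW_SHARE=192kbit               # assumed guaranteed share for the new LAN
REST_SHARE=64kbit               # assumed share for anything unmatched

# The kernel answers ARP for the alias and gains a route to NEW_NET.
alias_cmds() {
    printf 'ip address add %s dev %s\n' "$NEW_ALIAS" "$LAN_IF"
}

# Drop forwarded packets between the two subnets in both directions. The
# Internet path via ppp0 is untouched, so both subnets still reach it.
isolation_cmds() {
    printf 'iptables -A FORWARD -s %s -d %s -j DROP\n' "$NEW_NET" "$OLD_NET"
    printf 'iptables -A FORWARD -s %s -d %s -j DROP\n' "$OLD_NET" "$NEW_NET"
}

# HTB on eth0: a root class with the downstream budget, one leaf per subnet
# keyed on destination address, and a default leaf (1:30) for the rest.
shaping_cmds() {
    printf 'tc qdisc add dev %s root handle 1: htb default 30\n' "$LAN_IF"
    printf 'tc class add dev %s parent 1: classid 1:1 htb rate %s\n' \
        "$LAN_IF" "$DOWN_RATE"
    printf 'tc class add dev %s parent 1:1 classid 1:10 htb rate %s ceil %s\n' \
        "$LAN_IF" "$OLD_SHARE" "$DOWN_RATE"
    printf 'tc class add dev %s parent 1:1 classid 1:20 htb rate %s ceil %s\n' \
        "$LAN_IF" "$NEW_SHARE" "$DOWN_RATE"
    printf 'tc class add dev %s parent 1:1 classid 1:30 htb rate %s ceil %s\n' \
        "$LAN_IF" "$REST_SHARE" "$DOWN_RATE"
    printf 'tc filter add dev %s parent 1: protocol ip prio 1 u32 match ip dst %s flowid 1:10\n' \
        "$LAN_IF" "$OLD_NET"
    printf 'tc filter add dev %s parent 1: protocol ip prio 1 u32 match ip dst %s flowid 1:20\n' \
        "$LAN_IF" "$NEW_NET"
}

# Full plan in apply order: address first, then isolation, then shaping.
all_cmds() {
    alias_cmds
    isolation_cmds
    shaping_cmds
}

# Print the plan when invoked directly; review it, then `sh plan.sh | sh`
# as root to apply it.
if [ "${PRINT_PLAN:-1}" = 1 ]; then
    all_cmds
fi
```

Each subnet gets a guaranteed rate and may borrow up to the full downstream budget, which is the point of putting both subnets under one parent class; if the new range were left out of the filters, its download traffic would silently fall into the default class and compete with everything else unmatched.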
