Main Page/Network infrastructure
Some thoughts I had based on some of the discussion on the mailing list. I thought I should write down what I had seen thus far. This is editable by anyone, so feel free to change/fix/modify however you see fit. The Google Doc at the bottom of the page has this all roughly drawn out, and can also be edited.
The basic logic is this: a 1U server acting as the main firewall (running PFSense, since it offers flexibility with an easy to use web interface), with a single connection to a managed switch (this implies the switch supports VLANs; something like a Cisco would be perfect). The managed switch has numerous ports, with at least one port assigned to each VLAN:
VLAN1 - Default LAN, unsecured Wifi, unfettered access to internet
VLAN10 - WAN1, attached to internet
VLAN11 - WAN2, attached to backup internet if available
VLAN20 - 'Bordertown' lawless unsecured network for testing security/vulnerable machines, limited access to web
VLAN30 - LVL1 Infrastructure, where the internal LVL1 servers, routers, equipment will be. Secured from both LAN and Bordertown networks, and has inbound services from WAN
The port connected to the firewall has VLAN trunking (802.1Q tagging) enabled, so that the router can create a virtual interface for each VLAN and do its firewalling thing.
Servers can either be physically plugged into ports assigned to VLAN30, or be virtual on a single host, with trunking enabled so servers can be placed on any available network.
This will get around having to figure out how to cram 5+ NICs into a single router box, plus having 4+ separate switches (although the diagram shows a separate switch for each VLAN, this is not needed). Let the switch handle most of the traffic! Plus this will be an awesome demonstration of what VLANs can do.
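To make the trunk/access port layout above concrete, here is an added, constructed IOS-style config for the managed switch (not from this page or the LVL1 network; port numbers and names are assumptions). It puts the five VLANs on one tagged trunk to the PFSense box and gives each VLAN its own access ports, and disables trunk auto-negotiation on access ports so a device plugged into the LAN cannot talk the switch into trunking.

```cisco
! Constructed example config for the managed switch (assumed Catalyst-style IOS).
! VLAN 1 already exists by default and carries the LAN / unsecured wifi.
vlan 10
 name WAN1
vlan 11
 name WAN2
vlan 20
 name Bordertown
vlan 30
 name LVL1-Infra
!
! Single cable to the PFSense firewall: every VLAN rides this port, tagged.
interface GigabitEthernet0/1
 description PFSense trunk
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,10,11,20,30
 switchport nonegotiate
!
! ISP modems plug into plain access ports on the WAN VLANs.
interface GigabitEthernet0/2
 description WAN1 uplink (primary ISP modem)
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet0/3
 description WAN2 uplink (backup ISP modem)
 switchport mode access
 switchport access vlan 11
!
! Bordertown test box and an LVL1 infrastructure server.
interface GigabitEthernet0/4
 description Bordertown test machine
 switchport mode access
 switchport access vlan 20
interface GigabitEthernet0/5
 description LVL1 server
 switchport mode access
 switchport access vlan 30
!
! Everything else is the default LAN; nonegotiate stops DTP from
! turning a LAN port into a trunk if a rogue switch is plugged in.
interface range GigabitEthernet0/6 - 24
 description LAN / unsecured wifi APs
 switchport mode access
 switchport access vlan 1
 switchport nonegotiate
```

On the PFSense side the matching step is to add VLAN interfaces with tags 10, 11, 20 and 30 on the NIC that faces Gi0/1; VLAN 1 arrives untagged and shows up as the parent interface itself. The `switchport trunk encapsulation dot1q` line is only needed on models that also support ISL; switches that are 802.1Q-only reject it and can simply omit it.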