Not at all. The hardware architecture of the Firebrick isn’t like that, or isn’t set up like that at any rate; I’m not sure whether or not it could be set up to have a h/w configuration more like what you could possibly be thinking about, if I’m even understanding you, that is. My apologies if not. The FB2900 manual is downloadable on the Firebrick website at https://www.firebrick.co.uk/support/manuals/ if you’re interested.
I simply forced the routing by having explicit, exceptional-‘firewall’ rules telling it to take traffic that hit RFC1918 addresses and redirect it to the modem in the appropriate interface, which would be a 2-node ‘LAN’ with RFC1918 src and dest addresses by NATing. If I had made the ports into a big switch then I would have confused everything, as I need a ‘physical’ port+VLAN tag num pair to act as the target to map the PPPoEoE to WAN object to. The WAN is in any event inside a PPPoEoE object and on the far side of a VLAN mux/demux because there are not enough free ports for four modems, so they are MUXed using VLAN tags by a small 8-port VLAN-speaking switch.
It’s discussed more fully in an older thread somewhere. If it helps I can post up the config that I used.
Another reason why it’s secure is that there are special ACLs allowing only whitelisted machines to access the modems’ admin i/fs through the Firebrick; these ACLs are set up by whitelisted MAC addresses of sysadmins’ machines only. The machines in the main LAN have IPv4 addresses which are global/routable, not RFC1918, and each modem’s admin i/f is 192.168.n.1, is not in the same LAN according to addressing, and is not in the same LAN by definition, i.e. not in the same broadcast domain; traffic from the main LAN to a modem admin i/f is routed through the Firebrick, as default gateway, to the modem, as its address is outside the LAN address range. Anyway, random users on the main LAN have a firewall rule blocking their attempts to ping a modem’s admin i/f.
[Typo corrected as requested - roseway]