Originally the idea to put the spaceBridge on a dedicated network was decided upon as a matter of performance. That is, if we want the PC's running the bridge to have minimal software, services, and configuration as they have dedicated roles, not having to install anti-virus software, check for Windows Updates, or fend for themselves with a local firewall would help them to that end.
Secondarily, there was hope that this could reduce pop-ups about updates. However, it can result in more pop-ups if not configured properly as such pop-ups would be warning of no anti-virus, firewall or updates were present. Additional considerations include added security via such isolation, and not being subjected to broadcast traffic on the upstream network.
Currently all six bridge machines, both brainboxes (old and new) and the maintenance laptop, are on a private LAN behind a LinkSys WRT320n router, modified with DD-WRT firmware.
A connection to the router's web admin interface can only be made from the PTC subnet. Adding the ability to connect from the CMU VPN is planned as soon as I figure out how to do iptables chains.
As of January 2012, the six bridge machines and both brainboxes now have a presence on the upstream network via StaticNAT, but still firewalled by the router itself. DynamicNAT was interfering with the use of Windows File Sharing, so funneling all traffic to Randon via one IP address on the upstream network was not working.
StaticNAT cannot be set up within the web admin GUI directly, but rather must be confiured as text commands added to the Commands page in the interface. This was acheived using this guide...