Running 2+ isolated workstations on a single gateway

So I have the Whonix configuration as follows:

Gateway
10.152.152.10 (eth1)
Internal Network: whonix

Workstation 1
10.152.152.11 (eth1)
Internal Network: whonix

Workstation 2
10.152.152.12 (eth1)
Internal Network: whonix

So the two workstations are using the same gateway in a pretty standard setup. But the problem is: let’s say Workstation 1 has been hijacked and an attacker now has root control of Workstation 1. How would I be able to defend Workstation 2?

Now one solution is of course things like iptables and firewalls, but these are a half measure. Preferably, for the sake of anonymity and proper safety, I would prefer that they not even be able to communicate at all in the first place and thus be immune to application exploits etc. So I changed the settings to as follows:

Gateway
10.152.152.10 (eth1)
Internal Network: whonix
10.152.153.10 (eth2)
Internal Network: whonix-1

Workstation 1
10.152.152.11 (eth1)
Internal Network: whonix

Workstation 2
10.152.153.11 (eth1)
Internal Network: whonix-1

I also went to /etc/network/interfaces on the gateway and added the following to try and enable workstation 2:

auto eth2
iface eth2 inet static
address 10.152.153.10
netmask 255.255.192.0

This is basically a clone of eth1 except notching up the IP addresses. However, this configuration does not work. Workstation 2 is unable to get any connection despite me double-checking that all the IPs and networks match up correctly. In the interest of full disclosure, I also followed up on a suggestion to look into how the gateways and workstations interact, and it appears they can still communicate when the gateway is completely offline, so to my knowledge there is nothing in the gateway software that can be done to help this (i.e. iptables on the gateway won’t help).

What more do I need to do or is there a better way to implement entirely separate internal networks so workstations cannot talk to each other?

To those saying I should just start a second gateway, that sure is possible, but when scaled to many workstations (30-40 per server) it becomes too onerous on the hardware. My full intent with this is to set up an .onion VPS hosting service based on the Whonix model (I don’t use the Whonix gateway or workstation, but I use the same idea/model to do it), so keeping clients separate is quite important so they cannot attack each other.
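An added check, written for this thread and not part of the poster's setup or of Whonix itself, that parses the two gateway stanzas from the post and reports whether the networks they configure overlap. With the 255.255.192.0 (/18) mask carried over from eth1, 10.152.152.10 and 10.152.153.10 both fall inside 10.152.128.0/18, so the gateway ends up with one network attached to two interfaces; the second fragment, a hypothetical alternative with one /24 per internal network, keeps them distinct. The interface text below is constructed from the post. Note that this only fixes the gateway's own routing: as the post observes, two VMs on the same hypervisor internal network reach each other at layer 2 without the gateway, so a separate internal network per workstation is still what prevents them from talking.

```python
import ipaddress

# Constructed /etc/network/interfaces fragment mirroring the post:
# eth1 is the stock /18, eth2 is the clone with the address notched up.
INTERFACES_FROM_POST = """
auto eth1
iface eth1 inet static
address 10.152.152.10
netmask 255.255.192.0

auto eth2
iface eth2 inet static
address 10.152.153.10
netmask 255.255.192.0
"""

# Hypothetical alternative: one /24 per internal network, no overlap.
INTERFACES_SEPARATED = """
auto eth1
iface eth1 inet static
address 10.152.152.10
netmask 255.255.255.0

auto eth2
iface eth2 inet static
address 10.152.153.10
netmask 255.255.255.0
"""


def parse_interfaces(text):
    """Return {iface_name: IPv4Interface} for each static stanza in text."""
    result = {}
    current = addr = mask = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "iface" and len(parts) >= 2:
            # A new stanza starts: record the previous one if complete.
            if current and addr and mask:
                result[current] = ipaddress.ip_interface(f"{addr}/{mask}")
            current, addr, mask = parts[1], None, None
        elif parts[0] == "address" and len(parts) == 2:
            addr = parts[1]
        elif parts[0] == "netmask" and len(parts) == 2:
            mask = parts[1]
    if current and addr and mask:
        result[current] = ipaddress.ip_interface(f"{addr}/{mask}")
    return result


def overlapping_pairs(ifaces):
    """Return [(name_a, name_b), ...] for interfaces whose connected
    networks overlap; such pairs cannot be routed as distinct segments."""
    names = sorted(ifaces)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    for label, text in (("post", INTERFACES_FROM_POST),
                        ("separated", INTERFACES_SEPARATED)):
        ifaces = parse_interfaces(text)
        for name, itf in sorted(ifaces.items()):
            print(f"[{label}] {name}: {itf} -> network {itf.network}")
        print(f"[{label}] overlapping pairs: {overlapping_pairs(ifaces)}")
```

Running it shows both eth1 and eth2 from the post resolving to 10.152.128.0/18 and being flagged as an overlapping pair, while the /24 variant reports none. The same check can be run against any number of per-client interfaces before adding them to the gateway.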

Just now cooked something up.

Worked for me. See this chapter:

Documentation is very chaotic. Needs more work. Hope that helps. Will clean up and retest instructions later.