If it can help, here is the scheme of our network. There are of course three NICs on the packet filter.
Network 193.x.x.0/30 (= 193.x.x.0/24 for the internet, static routing table set up by our ISP: the rest of the world knows that the traffic must pass through x.x.x.2 to reach our network)

   gateway ----x.x.x.1 (don't know the other IP of the router)
                  |
     +---------------------------------+
     |            x.x.x.2              |
     |          Packet filter          |
     |=================================|
     |   x.x.x.9      |   x.x.x.33     |
     |  (Gateway)     |   (Gateway)    |
     +---------------------------------+
            /                  |
  Subnet 1: x.x.x.8/29         |   Subnet 2: x.x.x.32/27
          /                    |
  +-----------------------------+   |
  | Bastion Host:               |   |
  |   x.x.x.10 (BH out)         |   |   +-------------------+
  |   x.x.x.11 (BH in)          |   |--| Server1 (x.x.x.34)|
  +-----------------------------+   |   +-------------------+
                                    |
                                    |   +-------------------+
                                    |--| server2 (x.x.x.43)|
                                    |   +-------------------+
                                    |
                                    |   +-------------------+
                                    |--| server3 (x.x.x.44)|
                                    |   +-------------------+
                                    |
                                    |
  +-----------------------------------------+
  | x.x.x.42 (gateway to private net)       |
  |=========================================|
  | 192.168.x.1 (Private Gateways)          |
  | 172.16.x.1 (Private Gateways)           |
  +-----------------------------------------+

Of course, every machine in subnet x.x.x.0/30 has a netmask of 255.255.255.252; every machine in subnet x.x.x.8/29 has a netmask of 255.255.255.248; every machine in subnet x.x.x.32/27 has a netmask of 255.255.255.224. There are no possible contacts through hubs or cables except the packet filter.
The packet filter is configured to route the IP packets (of course :-). The routing table of the packet filter is (it's OpenBSD, but the principle is the same):

Destination   Gateway     Flags  Refs  Use      Mtu    Interface
default       x.x.x.1     UGS    0     9300794  1500   de0
127/8         127.0.0.1   UGRS   0     0        32972  lo0
127.0.0.1     127.0.0.1   UH     2     97       32972  lo0
172.16/16     x.x.x.51    UGS    0     80       1500   de2
192.168/16    x.x.x.51    UGS    0     124529   1500   de2
x.x.x.0/30    link#1      UC     0     0        1500   de0
x.x.x.8/29    link#2      UC     0     0        1500   de1
x.x.x.32/27   link#3      UC     0     0        1500   de2

I'm not sure that arp could manage to proxy three different subnets, but with two, there are no problems at all: let's say subnet 2 (x.x.x.8) is still in x.x.x.0/24 for the net: all I have to do is to publish the MAC address of the router for all IPs inside x.x.x.8. All the machines in subnet x.x.x.8 would know they are in that subnet, and their gateway would be x.x.x.9. (In fact, I think Linux's arp can manage to proxy complete subnets, which OBSD can't: it needs to be checked.)

By the way, asking your ISP to change his routing tables once the design of your network is made would be a better solution.

Marc Dubrowski
Kind of a Network Administrator
K.B.I.N.I.R.Sc.N.B.
29 rue Vautier
B-1040 Brussels, Belgium
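As an added illustration (not part of Marc's post or his OpenBSD configuration), the following Python script models the packet filter's routing table above and the proxy-ARP idea from the last paragraph: longest-prefix lookup decides the interface and next hop for a destination, and the list of host addresses a carved-out subnet occupies is what the filter would have to answer ARP for on the ISP-facing link if the router still believed the whole /24 was one segment. 192.0.2.0/24 (RFC 5737 TEST-NET-1) stands in for the post's 193.x.x.0/24; the interface names and the .1/.51 gateways are taken from the post.

```python
import ipaddress

# Constructed stand-in for the post's 193.x.x.0/24 (the real prefix is masked as x.x.x).
SUBNETS = {
    "de0": ipaddress.ip_network("192.0.2.0/30"),   # link to the ISP router (.1), filter is .2
    "de1": ipaddress.ip_network("192.0.2.8/29"),   # subnet 1, filter is gateway .9
    "de2": ipaddress.ip_network("192.0.2.32/27"),  # subnet 2, filter is gateway .33
}

# Routing table of the packet filter as posted: (destination, next hop or None if
# directly connected, outgoing interface). Loopback entries are left out.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("192.0.2.1"), "de0"),
    (ipaddress.ip_network("172.16.0.0/16"), ipaddress.ip_address("192.0.2.51"), "de2"),
    (ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_address("192.0.2.51"), "de2"),
    (SUBNETS["de0"], None, "de0"),
    (SUBNETS["de1"], None, "de1"),
    (SUBNETS["de2"], None, "de2"),
]


def lookup(dst):
    """Longest-prefix match over ROUTES; returns (next_hop, interface) as strings."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, ifname in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifname)
    net, gw, ifname = best
    # Directly connected network: the next hop is the destination itself.
    return (str(gw) if gw is not None else str(dst), ifname)


def proxy_arp_targets(ifname):
    """Host addresses of a subnet (network and broadcast excluded). These are the
    IPs the filter would publish its own MAC for on the ISP-facing link if the
    router still treated the whole /24 as one segment (proxy ARP, as in the post)."""
    return [str(h) for h in SUBNETS[ifname].hosts()]


def netmask(ifname):
    """Dotted netmask each host on that subnet must be configured with."""
    return str(SUBNETS[ifname].netmask)


if __name__ == "__main__":
    for dst in ("192.0.2.10", "172.16.4.4", "203.0.113.7"):
        print(dst, "->", lookup(dst))
    print("proxy ARP for de1:", proxy_arp_targets("de1"))
```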