Hi, I'm seeking advice for the following setup. Shorewall 2.2.2, debian/sarge on Soekris net4501 boards.

We have two ISP feeds (let's call them ISP-1 and ISP-2) and get 8 static IPs with each feed. The plan is to have the publicly accessible servers sitting in the DMZ connected to ISP-1. Our local intranet (LOC) will be connected to ISP-2. There will be 3 firewall/routers: fw1 between DMZ and ISP-1, fw2 between LOC and ISP-2 and fw3 between LOC and DMZ.

Since a picture is worth a 1000 words, here's the picture (hoping that gmail won't mangle it):

                       +----------------+     +-------+
  DMZ -------------+---+ if1        if0 +-----+ ISP-1 +-------\
                   |   |                |     +-------+        \
                   |   |  Linux Router  |                       \
                   |   |      fw1       |                        \
                   |   +----------------+                         \
                   |                                               \
            +------+-------+                                        |
            |     if1      |                                        |
            | Linux Router |  fw3                                Internet
            |     if0      |                                        |
            +------+-------+                                        |
                   |                                               /
                   |   +----------------+     +-------+           /
  Local network ---+---+ if1        if0 +-----+ ISP-2 +----------/
                       |                |     +-------+
                       |  Linux Router  |
                       |      fw2       |
                       +----------------+

So, the advice I need concerns proxyarp versus one-to-one NAT for the DMZ. I would like to allow connections from LOC to DMZ but not the other way. It would seem to me that having LOC be 192.168.8.0 and DMZ be 192.168.6.0 would make it easier for routing and DNS from the LOC computers accessing the DMZ (all the DMZ systems would have DNS entries in the intranet DNS server). All of the public servers in the DMZ would then be one-to-one NATed and accessible via the external static IP addresses. The intranet would be strictly standard NAT to ISP-2 and we don't care about the extra 7 IP addresses right now.

Is this a sane solution? Anyone have some thoughts to share as to possible issues with this setup? Possible improvements? How would this work with proxyarp (if at all)?

Thanks for your time.

Ted Roth
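As an added illustration (an editor's example, not part of Ted's message and not configuration shipped by the Shorewall project), here is what the one-to-one NAT variant of this design looks like as Shorewall 2.x configuration fragments for fw1 and fw3, with the proxy ARP alternative for fw1 beside it. Everything concrete in it is an assumption: zone names net/dmz/loc, eth0 for if0 and eth1 for if1 on each box, 192.168.6.0/24 for DMZ and 192.168.8.0/24 for LOC as in the message, 192.168.6.1 as fw3's DMZ-side address, and 203.0.113.0/29 as a placeholder for the ISP-1 static block.

```shorewall
########## fw1 (DMZ <-> ISP-1), one-to-one NAT variant ##########

# /etc/shorewall/zones   (assumed zone names)
#ZONE   DISPLAY     COMMENTS
net     Net         ISP-1 feed
dmz     DMZ         Public servers, private side 192.168.6.0/24

# /etc/shorewall/interfaces   (eth0 = if0 toward ISP-1, eth1 = if1 toward DMZ; assumed)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918,routefilter
dmz     eth1        detect

# /etc/shorewall/policy   (deny by default; only the listed flows are opened)
#SOURCE DEST    POLICY  LOG LEVEL
dmz     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/nat   (placeholder public block 203.0.113.0/29; ADD_IP_ALIASES in
# shorewall.conf controls whether Shorewall adds each EXTERNAL address to eth0)
#EXTERNAL       INTERFACE   INTERNAL        ALL INTERFACES  LOCAL
203.0.113.10    eth0        192.168.6.10    No              No
203.0.113.11    eth0        192.168.6.11    No              No

# /etc/shorewall/rules   (rules name the INTERNAL address of a one-to-one NATed host;
# only the published services reach it)
#ACTION SOURCE  DEST                PROTO   DEST PORT(S)
ACCEPT  net     dmz:192.168.6.10    tcp     80,443
ACCEPT  net     dmz:192.168.6.11    tcp     25

########## fw3 (LOC <-> DMZ) ##########
# The DMZ hosts' default route points at fw1, so a reply to a 192.168.8.x source
# would leave through fw1 unless every DMZ host carries a route for 192.168.8.0/24
# via fw3.  Masquerading LOC->DMZ traffic to fw3's DMZ-side address (assumed
# 192.168.6.1) sidesteps that: the DMZ hosts only ever talk to fw3.

# /etc/shorewall/zones
#ZONE   DISPLAY     COMMENTS
loc     Local       192.168.8.0/24 intranet
dmz     DMZ         192.168.6.0/24

# /etc/shorewall/interfaces   (eth0 = if0 toward LOC, eth1 = if1 toward DMZ; assumed)
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth0        detect
dmz     eth1        detect

# /etc/shorewall/policy   (LOC may open connections to DMZ; DMZ never to LOC)
#SOURCE DEST    POLICY  LOG LEVEL
loc     dmz     ACCEPT
dmz     loc     DROP    info
all     all     REJECT  info

# /etc/shorewall/masq   (SNAT LOC sources to eth1's own address on the way into the DMZ)
#INTERFACE  SUBNET          ADDRESS
eth1        192.168.8.0/24

########## fw1, proxy ARP variant (replaces /etc/shorewall/nat above) ##########
# The DMZ hosts carry the public addresses themselves; fw1 answers ARP for them
# on eth0 and (HAVEROUTE=No) adds a host route to each one via eth1.

# /etc/shorewall/proxyarp
#ADDRESS        INTERFACE   EXTERNAL    HAVEROUTE
203.0.113.10    eth1        eth0        No
203.0.113.11    eth1        eth0        No
```

The LOC-to-DMZ-only policy on fw3 is the same in both variants; what changes with proxy ARP is that the DMZ segment has no 192.168.6.0/24 at all, so fw3's dmz zone, the intranet DNS records and any host-specific rules would name 203.0.113.x addresses instead, and the return-path question in the fw3 comment still applies (the DMZ hosts' default route is fw1 either way).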