This is the setup:
Internet <-> Router <-> Firewall <- DNAT -> DMZ
The DMZ can browse the network via a proxy on the firewall. The internet cannot browse the DMZ (this is what I'm trying to fix).
It seems that the router is sending ARP requests to the firewall network, but does not get any responses. These would be ARP requests for the DNATed DMZ servers. For example: I want to access a machine in the DMZ with a private IP of 192.168.1.5 and a public IP of 196.34.3.130 from the internet. I can see (using tcpdump) that the router is sending ARP requests for the public IP onto the firewall network, but doesn't get any responses.
Ahhhh, different game altogether. The firewall and the router get along just fine, it's just that the router doesn't know how to get to the DMZ. Your router's IP configuration doesn't seem to be correct after all if it's sending ARP requests for 196.34.3.130 to the firewall network, which is confined to 196.34.3.160..175. You can do either of two things to remedy the situation:
1. Configure the firewall to perform proxy-arp on behalf of the public servers. You do this on the firewall.
2. Configure the firewall to be the router for the official subnet of the public servers. This is performed on the router.
HTH
Tobias
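A check for the symptom diagnosed in this thread, as an added example that is not from either poster: it parses tcpdump ARP lines captured on the firewall-side segment, lists requests that never got a reply, and flags targets that lie outside that segment's own subnet (196.34.3.160/28 here, derived from the .160..175 range given above; the capture lines and the router address 196.34.3.161 are constructed).

```python
import ipaddress
import re
from collections import Counter

# Constructed tcpdump ARP output from the firewall-side wire (not a real capture).
# Assumed: the router sits at 196.34.3.161; a host .162 exists on the wire.
SAMPLE_TCPDUMP = """\
12:00:01.000001 ARP, Request who-has 196.34.3.130 tell 196.34.3.161, length 46
12:00:01.000500 ARP, Request who-has 196.34.3.162 tell 196.34.3.161, length 46
12:00:01.000800 ARP, Reply 196.34.3.162 is-at 00:11:22:33:44:55, length 28
12:00:02.000001 ARP, Request who-has 196.34.3.130 tell 196.34.3.161, length 46
12:00:03.000001 ARP, Request who-has 196.34.3.130 tell 196.34.3.161, length 46
"""

REQUEST_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+)")
REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at (\S+)")


def unanswered_arp(capture: str, segment: str) -> dict:
    """Map target IP -> (request_count, on_segment) for ARP requests with no reply.

    `segment` is the subnet the wire actually carries. A target with
    on_segment == False belongs to no host on that wire, so only proxy ARP
    on the firewall, or a route on the router, can ever make it answerable.
    """
    net = ipaddress.ip_network(segment)
    requests = Counter()
    answered = set()
    for line in capture.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            requests[m.group(1)] += 1
            continue
        m = REPLY_RE.search(line)
        if m:
            answered.add(m.group(1))
    return {
        ip: (count, ipaddress.ip_address(ip) in net)
        for ip, count in requests.items()
        if ip not in answered
    }


if __name__ == "__main__":
    for ip, (count, on_segment) in unanswered_arp(SAMPLE_TCPDUMP, "196.34.3.160/28").items():
        where = "on-segment" if on_segment else "OFF-SEGMENT (proxy ARP or a route is needed)"
        print(f"{ip}: {count} unanswered request(s), {where}")
```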