Hi all,
One possible solution is to activate proxy-ARP on your firewall machine for the internal and external interfaces, and give both interfaces the same IP number, in your case x.x.x.50.

             router                firewall
           ----------            ------------
    ISP ----|.2   .49|----------|.50     .50|-----DMZ
           ----------            ------------
                                  eth1    eth0

The router will now "see" the hardware address of eth1 for all machines in the DMZ, and these will see the hardware address of eth0 both for x.x.x.50 and x.x.x.49. The firewall machine should route packets to x.x.x.49 over eth1 and all the rest over eth0. No changes are needed on the DMZ machines; they will only see one more hop in a traceroute.
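As an added example (not part of the original reply), the Linux commands that implement the layout just described: proxy ARP on both firewall interfaces, one shared address, a host route to the router over eth1 and the DMZ subnet over eth0. Assumptions: Linux with iproute2 and sysctl, eth1 facing the router and eth0 facing the DMZ as in the diagram, and the documentation range 192.0.2.0/24 standing in for the thread's x.x.x prefix. The script prints the commands rather than running them, so they can be reviewed and then applied as root by piping the output into sh.

```shell
#!/bin/sh
# Added example, not from the original reply: generate the Linux commands for the
# proxy-ARP firewall layout. Assumed: Linux with iproute2 and sysctl; eth1 faces
# the router, eth0 faces the DMZ; 192.0.2.0/24 (a documentation range) is a
# constructed stand-in for the thread's x.x.x prefix.

# Usage: proxy_arp_commands <ext_if> <dmz_if> <net_prefix>
# Prints the commands instead of executing them so they can be reviewed first
# and applied deliberately with root privileges (e.g. piped into sh).
proxy_arp_commands() {
    ext_if="$1"; dmz_if="$2"; net="$3"
    router_ip="$net.49"   # router's DMZ-side address (the thread's x.x.x.49)
    fw_ip="$net.50"       # single firewall address used on both interfaces
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.$ext_if.proxy_arp=1
sysctl -w net.ipv4.conf.$dmz_if.proxy_arp=1
ip addr add $fw_ip/32 dev $ext_if
ip addr add $fw_ip/32 dev $dmz_if
ip route add $router_ip/32 dev $ext_if
ip route add $net.0/24 dev $dmz_if
ip route add default via $router_ip dev $ext_if
EOF
}

# Sanity check on the generated plan: Linux proxy ARP only answers for an
# address that is routed out a *different* interface than the one the ARP
# request arrived on, so the router route and the DMZ route must not share an
# interface. Returns 0 when the plan is consistent, 1 otherwise.
check_plan() {
    plan=$(proxy_arp_commands "$1" "$2" "$3")
    ext_route=$(printf '%s\n' "$plan" | grep "route add $3.49/32" | awk '{print $NF}')
    dmz_route=$(printf '%s\n' "$plan" | grep "route add $3.0/24" | awk '{print $NF}')
    [ -n "$ext_route" ] && [ -n "$dmz_route" ] && [ "$ext_route" != "$dmz_route" ]
}

# Example run with the constructed values; prints the plan for review.
proxy_arp_commands eth1 eth0 192.0.2
```

The addresses are added as /32 on purpose: adding the same /24 on both interfaces would create two connected routes for the subnet and the kernel would use whichever was installed first, defeating the explicit "router via eth1, everything else via eth0" split the reply describes.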
OK, this is a solution; I also received a NAT solution off-list, which would eliminate the need for using public IPs in the DMZ, and thanks for both of these. I guess what I am really asking is not whether there is a solution to avoid routing, but how is it done in the real world? What is the proper way to do it? If I do one of the above, am I implementing a hack to get around an ISP restriction, or should it be done using routing, or is this the way everyone does it?

TIA,
Tom
tom@songfield.com