OK, now I am not doing this exactly every day, so I may be wrong, but iirc:
How about host routes?
> I am interested in all your suggestions because I had a similar design problem to that of the OP. How can this work if the NIC that connects to the ISP has to have one of the IP addresses which are part of the whole subnet linked with another NIC on the same machine? (My ISP gave me a separate IP for this purpose.)
This is ugly, but it should work. (If I am wrong, shout at me :)

  o.X: official, p.X: private

            p.64---p.Y: private LAN
                      /
  ISP----router o.1----o.2:firewall:p.1----o.3:DMZ

  on router:
    default:                  ISP
    host o.2/32               via o.1
    host o.3/32               via o.2
    host o.4/32               via o.2
    etc.
    host o.Proxy (for LAN)    via o.2
    ...
    The last three lines could be replaced by a normal subnet route,
      net o.0/28              via o.1
    since host routes take precedence, so the subnet route is not active for o.2.

  on firewall:
    [LAN: normal configuration]
    default:                  o.1
    host o.1                  via o.2
    host o.3 (DMZ)            via p.1

  on DMZ:
    default:                  p.1
    host p.1                  via o.3
If you have control over the router yourself, or can talk someone at your ISP into reconfiguring it, my preferred config would be host routes.
> This is difficult if the ISP won't commit itself to a particular gateway at its end (mine has n routers, where n increases with time).
Maybe I did not understand this question. It is the router's job to cope with this, isn't it? Regardless of the routing at your site, the ISP side is their problem.
If that fails, you can do ARP bridging on the firewall.
> This sounds like a good idea; is it difficult if the firewall is also acting as a router for 2 different subnets and the ISP, though? (As in the OP, and my setup!)

You can turn this on/off per interface.
Or use aliases on your firewall's outside interface, and use private IPs in the DMZ.
> If you do this, are all packets transparently routed between the aliases, or do you have to use masquerading, with all the potential protocol problems, and port forwarding?

Of course you have to NAT in this case. May or may not be easy...
cheers, lge
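An added example (not part of lge's mail or the OP's setup): a small Python model of the three routing tables sketched above, with the kernel's longest-prefix-match lookup and the iproute2 commands each table corresponds to. It shows why the /32 host routes win over the /28 connected route on the router and the firewall, and why the DMZ host needs a host route to p.1 before its default route can point at a gateway outside its own subnet. Everything concrete here is assumed: the official o.0/28 block is written as 192.0.2.0/28 (TEST-NET-1), the private p.X numbers as 192.168.1.0/24, the ISP next hop as 198.51.100.1, and the interface names as eth0/eth1. The sketch's "via o.3" on the DMZ host is read as "out of the interface that holds o.3" (an on-link route), modelled as `via=None`.

```python
# Added example, not from the original mail: longest-prefix-match walk-through
# of the host-route layout above, plus the Linux `ip route` commands it implies.
# All addresses are constructed: o.0/28 -> 192.0.2.0/28 (TEST-NET-1),
# p.X -> 192.168.1.0/24, ISP next hop 198.51.100.1; eth0/eth1 names are assumed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

O = ipaddress.ip_network("192.0.2.0/28")     # o.X: official /28 from the ISP
P = ipaddress.ip_network("192.168.1.0/24")   # p.X: private numbering inside
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
ISP_NEXT_HOP = ipaddress.ip_address("198.51.100.1")  # assumed upstream gateway


def o(n: int) -> ipaddress.IPv4Address:
    return O.network_address + n


def p(n: int) -> ipaddress.IPv4Address:
    return P.network_address + n


def host(addr: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str                                     # interface the packet leaves on
    via: Optional[ipaddress.IPv4Address] = None  # None: destination is on-link

    def cmd(self) -> str:
        dst = "default" if self.prefix.prefixlen == 0 else str(self.prefix)
        gw = f" via {self.via}" if self.via is not None else ""
        return f"ip route add {dst}{gw} dev {self.dev}"


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel does it: the most specific route
    wins, so a /32 host route overrides the /28 connected route for the one
    address it names and leaves the /28 in charge of everything else."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen) if candidates else None


def commands(table: List[Route]) -> List[str]:
    """Emit routes in table order; on the DMZ host the /32 to the gateway has
    to exist before the default route that names it, or the kernel rejects it."""
    return [r.cmd() for r in table]


# Router: uplink on eth0, o.1 on eth1 facing the firewall's o.2.
ROUTER = [
    Route(DEFAULT, "eth0", via=ISP_NEXT_HOP),
    Route(O, "eth1"),                     # the /28 looks on-link on eth1 ...
    Route(host(o(3)), "eth1", via=o(2)),  # ... except o.3, which sits behind the firewall
]

# Firewall: o.2 on eth0 (router side), p.1 on eth1 (LAN and DMZ side).
FIREWALL = [
    Route(DEFAULT, "eth0", via=o(1)),
    Route(O, "eth0"),
    Route(P, "eth1"),
    Route(host(o(3)), "eth1"),            # host route beats the /28: o.3 is inside
]

# DMZ host: official o.3/32 on eth0; its gateway p.1 is not in its own subnet.
DMZ = [
    Route(host(p(1)), "eth0"),            # make the gateway reachable on-link first
    Route(DEFAULT, "eth0", via=p(1)),     # then point the default route at it
]

if __name__ == "__main__":
    for name, table in (("router", ROUTER), ("firewall", FIREWALL), ("dmz", DMZ)):
        print(f"# on {name}")
        for line in commands(table):
            print(line)
```

Running it prints the `ip route add` lines per box; `lookup(FIREWALL, "192.0.2.3")` returns the eth1 host route while `lookup(FIREWALL, "192.0.2.1")` still falls to the /28 on eth0, which is the precedence the sketch relies on. Whether o.3 is also answered for on the router's segment (proxy ARP) is a separate question from this table and is not modelled here.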