Building a "reasonable secure" network
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Building a "reasonable secure" network
- From: Frank K Dahl <frank_(_at_)_inout_(_dot_)_no>
- Date: Wed, 21 May 2003 07:48:26 +0200
Hi all,
Got a network at work which I want to sharpen up. As this network also
includes servers, I want a DMZ. The internal computers I
want behind a NAT, mainly because of available IP space, so we are
talking a 1-to-many NAT. Just for the record, inside the NAT there are
no servers that will be needed from the outside, so PAT should not be
needed, I guess. The bridge will also be used to filter administration by MAC
address. Yes, I know MAC can be faked, but at least it's better than
nothing.. ;)
Thus,
{WAN}--[Router1]--[Bridge]--[Router/NAT]--{Internal LAN}
[Bridge]--{DMZ}
Note: "Both" bridges are the same box, I just wanted to prevent
misunderstanding because of incorrectly formatted ASCII..
I only got three questions:
1.) Will this work? I mean, I read WAN--Bridge--NAT does not work,
but it seems WAN--Router--Bridge--NAT does. Please correct me if I am
wrong. And if anyone feels like it, a short explanation would be most
appreciated.
2.) Is there a smarter way of doing it? Something I might have missed? As I would rather
have an OpenBSD box for the router instead of a hardware one, this means 3
boxes.. any way I might shorten it down without losing functionality,
assuming this setup really is valid?
3.) I also want to set up a VPN between our two offices. So, again
assuming the setup is valid and I need these three boxes, which will be the
best to use for the VPN? I assume "Router1", thinking that I might mess up
the bridge by adding this to it? Again, please correct me if I am wrong.
Thanks in advance for any help or guidance.
- Frank