> vr0 and vr1 are bridged together as bridge0.
>
> I was puzzled as to how it was working until you said this...
I have a similar setup as you. I have a public interface with my public IP attached to the cable modem, then I have two other interfaces, one for internal hosts and another for DMZ hosts. In order to give a good amount of separation, logical and physical, I've set up two unique subnets, one for the private side and the other for the DMZ. I simply point the DMZ hosts to the DMZ gateway address and then handle it through pf, and do the same with internal/private hosts. I understand you don't want to use the fourth port, but it would make for clean separation and wouldn't require another public IP if you used a private subnet. An added benefit of such a setup is port redirects from the public IP to the other hosts, or using some sort of proxy to proxy connections to the DMZ hosts.
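An added example (not from the thread) of a FreeBSD pf.conf sketching the three-interface layout described above: one public interface, one internal subnet, one DMZ subnet, outbound NAT from a single public IP, a port redirect into the DMZ, and DMZ hosts blocked from the internal network. The interface names (vr0 public, vr1 internal, vr2 DMZ), the subnets and the web server address are constructed assumptions.

```pf
# Interface names and addresses are assumptions for this example
ext_if = "vr0"
int_if = "vr1"
dmz_if = "vr2"
int_net = "192.168.10.0/24"
dmz_net = "192.168.20.0/24"
dmz_web = "192.168.20.10"

set skip on lo0
scrub in all

# Outbound NAT: both private subnets share the one public IP
nat on $ext_if from { $int_net, $dmz_net } to any -> ($ext_if)

# Port redirect: tcp/80 and tcp/443 on the public IP go to the DMZ web host
rdr on $ext_if proto tcp from any to ($ext_if) port { 80, 443 } -> $dmz_web

# Default deny inbound on every interface, log what is dropped
block in log all
pass out quick keep state

# Internal hosts may reach the Internet and the DMZ
pass in on $int_if from $int_net to any keep state

# DMZ hosts may reach the Internet but never the internal subnet
block in quick on $dmz_if from $dmz_net to $int_net
pass in on $dmz_if from $dmz_net to any keep state

# Filter rules see the translated address, so pass the redirected traffic
pass in on $ext_if proto tcp from any to $dmz_web port { 80, 443 } keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` and `pfctl -sn` show the loaded filter and translation rules.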