What do you mean by "separate"? If you're using a bridge, that suggests you're *bridging* them together. Routing denotes some level of separation. The purpose of a DMZ is to isolate hostile traffic. If you're going to bridge this traffic with your LAN, you don't really have a DMZ.
All right, I'll try to make myself more clear :)
Let's assume that for now, I only have one LAN NATed behind an OpenBSD firewall. Some servers on the LAN are accessible from the Internet thanks to port forwarding.
Now, I would like to put those servers in another network segment so that I could filter what's coming from the Internet (since they will be behind the firewall, just like they are now) and in the meantime, I could also filter traffic from/to this new segment (which I incorrectly called DMZ) from/to the LAN, without changing their original private IPs. So, the firewall would have an external IP and 2 internal IP-less NICs.
Does this make more sense? I hope so, I'm trying my best English here :)
Thanks.
Antoine

