What do you mean by "separate"? If you're using a bridge, that suggests you're *bridging* them together. Routing denotes some level of separation. The purpose of a DMZ is to isolate hostile traffic. If you're going to bridge this traffic with your LAN, you don't really have a DMZ.

All right, I'll try to make myself more clear :)
Let's assume that for now, I only have one LAN NATed behind an OpenBSD firewall. Some servers on the LAN are accessible from the Internet thanks to port forwarding.
Now, I would like to put those servers in another network segment so that I could filter what's coming from the Internet (since they will be behind the firewall, just like they are now) and in the meanwhile, I could also filter traffic from/to this new segment (which I incorrectly called DMZ) from/to the LAN, without changing their original private IPs. So, the firewall would have an external IP and 2 internal IP-less NICs.
Does this make more sense? I hope so, I'm trying my best English here :)

So, now what you have looks something like this

(internet) <-[x]obsd firewall[i]-> (private address range LAN with some port forwarding)

and what you are wanting to do is something like this

(internet) <-[x]obsd firewall[i0][i1]
[x]obsd firewall[i0]-> (private address range{A} LAN with no port forwarding)
[x]obsd firewall[i1]-> (private address range{B} LAN with port forwarding)


but without assigning IP addresses to i0 and i1.

And you need bridging rules for the firewall to route from i0 to i1. Is that right?

And you don't want to change the private range addresses assigned to the boxes that are being port forwarded.

(Not that I can suggest rules, I'm just trying to understand the question.)
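One way the topology sketched above could be written down on OpenBSD, as an added example that is not part of this thread: em1 and em2 are bridged so the hosts keep their existing addresses, and pf filters between the two member interfaces (pf sees bridged packets on the members, not on bridge0). The interface names, the 203.0.113.0/24 and 192.168.1.0/24 ranges, the server address, and the choice to keep one inside address on em1 (NAT and port forwarding need a routable inside address, so only em2 is truly IP-less) are assumptions; the pf syntax is that of OpenBSD 4.7 and later.

```conf
# /etc/sysctl.conf   (routing between em0 and the inside is needed for NAT)
net.inet.ip.forwarding=1

# /etc/hostname.em0   (external; constructed address from the documentation range)
inet 203.0.113.2 255.255.255.0

# /etc/hostname.em1   (i0: LAN side; the firewall keeps its inside address here)
inet 192.168.1.1 255.255.255.0

# /etc/hostname.em2   (i1: server segment; link only, no address)
up

# /etc/hostname.bridge0   (em1 and em2 become one L2 segment)
add em1
add em2
up

# /etc/pf.conf
ext_if  = "em0"
lan_if  = "em1"
srv_if  = "em2"
lan_net = "192.168.1.0/24"
web_srv = "192.168.1.10"      # assumed server address, unchanged by the move

set skip on lo

# NAT everything leaving the external interface
match out on $ext_if from $lan_net to any nat-to ($ext_if)

# Port forward: Internet -> web server sitting behind em2
match in on $ext_if proto tcp to ($ext_if) port 80 rdr-to $web_srv

block log all

# Internet reaches only the forwarded service (rule sees the translated address)
pass in on $ext_if proto tcp to $web_srv port 80

# LAN hosts may open connections anywhere, including to the server segment
pass in on $lan_if from $lan_net

# The server segment may not open connections towards the LAN; replies
# to LAN- or Internet-initiated sessions are matched by floating state
pass in on $srv_if from $web_srv to ! $lan_net

pass out on { $ext_if $lan_if $srv_if }
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -ss` to confirm that a LAN-to-server session shows a single state regardless of which member interface the packets traverse.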
