Subject: Replacing oddly networked NT machine
To: None <tech-net@netbsd.org>
From: Stephen Borrill <netbsd@precedence.co.uk>
List: tech-net
Date: 02/17/2003 11:06:51
Later this week, I am going to be installing a NetBSD box running Squid
(amongst other things). The machine it will be replacing is an aged NT
box. The network IP structure is (say) 10.0.0.x and the router is
10.0.0.1. However, the NT box has two network cards which are 10.0.0.2 and
10.0.0.3. 10.0.0.2 is directly connected to the router and 10.0.0.3 is
connected to the rest of the network (there is no other link). NT allows
you to set up a default gateway on a per-interface basis and so 10.0.0.1
has 10.0.0.1 as its gateway and thus internal machines can access 10.0.0.3
as a proxy and everything seems to work.

Unsurprisingly, NetBSD routing doesn't work like this (thank god). The
site would like to keep the internal machines separate from the outside
world (and ignore the fact that I've used 10.x.y.z addresses, these are
part of a private WAN). As far as I can see I have multiple options:

a) bridge the networks with bridge - but this does not allow ipf rules
(currently), so I might as well just join everything together.
b) Use some userland bridging software (e.g. bridged) - how
does this fit in with ipf?
c) Use fastroute with ipf - help appreciated on this; my attempts were
unsuccessful.
d) Do some mad routing tricks (e.g. tell it that 10.0.0.1 is on one
interface and 10.0.0.0/16 is on the other) - this won't forward packets,
but this probably isn't so crucial. man 8 route doesn't give many clues on
usage of the interface, ifa or ifb options.

Ideas?

-- 
Stephen
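As an added example that is not part of the post above or of NetBSD, the following Python models the route table that option (d) describes and runs it through a longest-prefix-match lookup of the kind the kernel performs: a /32 host route pins the router to the outside interface, the /16 covers the internal machines on the inside interface, and the default route's next hop is resolved recursively through the host route. The interface names fxp0 (router side) and fxp1 (inside) and the second, "naive" table with both NICs on the same /24 are assumptions made for illustration; the code shows why the naive layout cannot pick the right NIC for the router and why the host route fixes it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    """One entry of a kernel-style routing table (constructed model)."""
    prefix: ipaddress.IPv4Network
    iface: Optional[str]                      # None for 'via gateway' routes
    gateway: Optional[ipaddress.IPv4Address]  # None means directly connected


def route(prefix: str, iface: Optional[str], gateway: Optional[str] = None) -> Route:
    """Helper to build a Route from strings (assumed names, not NetBSD API)."""
    return Route(ipaddress.IPv4Network(prefix), iface,
                 ipaddress.IPv4Address(gateway) if gateway else None)


# Option (d) from the post: host route for the router on the outside NIC,
# the wider 10.0.0.0/16 on the inside NIC, default route via the router.
# Interface names fxp0/fxp1 are assumptions.
TRICK_TABLE: List[Route] = [
    route("10.0.0.1/32", "fxp0"),         # router, directly connected
    route("10.0.0.0/16", "fxp1"),         # internal machines
    route("0.0.0.0/0", None, "10.0.0.1"),  # default via the router
]

# Constructed counter-example: both NICs claim the same /24 (the layout the
# NT box tolerates).  A plain lookup has no way to tell them apart, so the
# first matching entry wins regardless of where the router actually is.
NAIVE_TABLE: List[Route] = [
    route("10.0.0.0/24", "fxp1"),         # inside NIC, listed first
    route("10.0.0.0/24", "fxp0"),         # outside NIC, identical prefix
    route("0.0.0.0/0", None, "10.0.0.1"),
]


def lookup(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match; on equal lengths the earlier entry wins."""
    matches = [r for r in table if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def resolve(table: List[Route], dst: str) -> Tuple[str, str]:
    """Return (outgoing interface, next hop address) for dst.

    Directly connected routes send to dst itself; gateway routes are
    resolved one level further, as the kernel does for 'via' routes.
    """
    addr = ipaddress.IPv4Address(dst)
    r = lookup(table, addr)
    if r is None:
        raise LookupError(f"no route to {dst}")
    if r.gateway is None:
        assert r.iface is not None
        return r.iface, str(addr)           # on-link: ARP for dst itself
    via = lookup(table, r.gateway)
    if via is None or via.gateway is not None or via.iface is None:
        raise LookupError(f"gateway {r.gateway} is not directly reachable")
    return via.iface, str(r.gateway)        # off-link: ARP for the gateway


if __name__ == "__main__":
    for dst in ("10.0.0.1", "10.0.0.50", "192.168.1.1"):
        print(f"{dst:>12}: trick -> {resolve(TRICK_TABLE, dst)}, "
              f"naive -> {resolve(NAIVE_TABLE, dst)}")
```

With the host route in place, traffic for the router and for any default-routed destination leaves on fxp0 while the rest of 10.0.0.0/16 stays on fxp1; with the naive table every packet, including those for the router, goes out the inside NIC. This is only the lookup half of option (d); whether the box will forward between the two interfaces, and what ipf sees, is a separate matter the post leaves open.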