> First, a question:
> 
> Do you assign IP addresses on your LAN yourself, or does your cable
> modem act as a DHCP server?
>
> If the former, all you have to do is divide your LAN into two subnets
> and set up a static IP routing table on your "router" NetBSD box.  By
> *not* routing the AppleTalk traffic, you can isolate your cable modem
> and keep it happy.  If you don't set up an atalk routing table on the
> router box, atalk traffic won't be forwarded over the router box.
>
> If the latter, you have two choices:
>
>  a) Forward DHCP requests from your Macs to the cable modem.
>  b) Run NAT on your router box.

I've wanted to do this for a while now, and the only way I've been able to pull
it off is (b) running IP NAT.  For whatever reason forwarding DHCP is a
disaster.  I can get the requests to forward out, but the replies don't get
forwarded back through.  Maybe there is a HOWTO I missed but I've been wholly
unable to get dhcrelay to work properly under Net/68k or Linux/PPC.

IP NAT works great though and provides a layer of protection against evil
outside packets. :)

You might check the configuration on your cable modem to see if you can shutoff
it's AppleTalk support.  The DSL modem I have can be setup to explicitly _not_
bridge AppleTalk, which I've done.  I'd also recommend IP NAT, or IP aliasing
because (at least with my DSL service) I'm often assigned IP's on different
subnets.  This forces traffic out across the DSL line to the router and then it
has to come back again, needless to say this is slower than a 10 Mb LAN.

My $0.02 -- Andy