My problem is very similar to gr8razorx's with a couple of differences.

Given:
(fictitious #s)
Domain Name: EXAMPLE.com
Static IP, say 65.111.201.160
subnet: 255.255.255.128
assigned gateway: 65.111.201.129
dmz: 10.07.07.0-24

Synopsis:
DSL modem/bridge into router/firewall (OpenBSD3.4) with 3 NICs;
eth0 to bridge, eth1 to HTTP Server and eth2 to 24-node Hub.
Propose to utilize 10.0.0.0 DHCP on Server node of dmz Hub/network.

Problem: Where do the #s go?

###.###.###.###__eth0_______[192.168.0.0-DSL_Bridge]__{ISP-internet}
__________
L_R_|
I_O_|
N_U_|_###.###.###.###-eth1______________###.###.###.###-HTTP_Srvr
U_T_|
X_E_|
_R_|
___|_###.###.###.###eth2______________24node_Hub___###.###.###.###-DHCP_Srvr

The other nodes comming off the Hub get their 10.x.x.x #s from the DHCP Srvr.

Note: Not that it is important but the nodes are a mixture of RH 9, Lindows 4, OpenBSD 3.4, then experimental linux boxes from time to time. I do have (1) each dual boot M$WinDo$3.11WFW, M$WinDo$95, M$WinDo$98, but we won't worry about Samba, I don't have use for M$ very often! I'm DAMN sure NOT going to work in M$. Life is too short and linux is too solid!

Any help with my little problem is much appreciated.

What you're doing is quite normal, separate interfaces for separate functions...

With only 1 external number, you need to create separate ip ranges (subnets) off eth1 & eth2.
If your dhcp is issuing 10.07.07.x/24 numbers, that's a whole subnet taken for eth2.
So you have a free choice for eth1... eg 10.08.08.x/29... depends on how many pc's are going to live in the dmz zone.
It's good practice to keep the dmz subnet mask very tight to avoid having unused numbers and the possibility of someone/something pumping packets down there to explore the subnet.

Port forward (DNAT) the http server's ports on the router.

To provide the http server's local eth1 ip number in response to url name queries from the eth2 lan, you will need to have a dns in the eth2 lan or you will need to run a dns masquerade on the router only listening on eth2. The eth2 lan can't use the http server's external ip number coz it will reply directly using it's eth1 number, and the eth2 lan pc's will ignore the packets, wrong source ip number. They are expecting only the external ip number to reply.

You would also need to have some dmz rules in the router to protect the local lan from the http server, if it was ever compromised/abused. Basically, it should only originate NEW requests to the Internet, never back into the LAN, and only certain types of NEW requests, eg dns, time, update traffic, ssh/scp...

Thanks Peter for the response. I was about to give up! 8>)

Not really, just kidding.

You do good work! I wasn't sure I described the problem properly.

Please check the following to see if I am reading you correctly.

Do I have the #s correctly placed for what we want?

Especially the gateway?

Is this the way it's supposed to work?

Inbound traffic is only to Http_Srvr.

I/O from any node on Hub would masquerade 65.111.201.160.

Good idea on dmz router rules.

Many thanks again!

NOTE: I've edited the "quote."

*"DO WE HAVE THESE RIGHT?"*