Ok, I need a reality check here... I've been setting up pf-based firewalls
and the occasional bridge for about two years now, so I should by now know a
few things, but I cannot get my head around this.

Normally when I set up a firewall, I will have two IP ranges on the respective
sides of the firewall, with the internal range more often than not a NAT'd
invalid range. The few cases where I have had a range of valid IPs that I
had to protect, I usually end up putting a bridge in with an IP address on one
of the interfaces so I can get into the box remotely. However I now need a
combination of the two but I am not even sure what to call it. Let me

I have a situation where the (existing) network has a bridge on it which
protects a 32 IP range of valid IP addresses. Most of these addresses are
given to an internal DHCP pool for the clients but a small handful are
reserved for servers, including those with a need for external access, such
as web and email. Via the bridge the rules in PF allow for these ports to
be accessible without any problems. However the user base is increasing
past the point of not having enough IPs for the number of clients, so I
would like to convert this site to an internal invalid range. Easy enough,
I could drop a second firewall in, this one acting as a NAT'd range to the
internal users leaving the current real IP area as a DMZ. Problem is the
client in question has very little funds and space and does not want to put
a second computer in - so I have to make this work with my one existing

So, how do I both bridge a network and firewall it at the same time using a
single server? In other words, if I put in a third NIC, how can I have
a bridge from the WAN to the DMZ NIC and a NAT'd firewall from the LAN to
the rest of the world?