Advice on net setup.

[ZioNemo]

Hi,
I *did* read the manual, but I'm a bit confused nonetheless.

I have a fairly up-to-date ubuntu 8.4 host.
I have two real NICs on my host.

One is connected to a small home net (eth0:192.168.0.x) and the other is connected to my ISP (eth1:192.168.120.x; I need to use an OpenVPN tunnel to get to the Internet).

What I would like to implement is the following:

A)Install a dedicated firewall distribution (pfsense) with three logical NICs:
1) connected to the Internet
2) connected to the home LAN
3) connected to a private DMZ LAN

B)Install a dedicated Web server (Apache+FTPd,+...) with just:
1) logical NIC connected to the DMZ private net.

I understand I should build three bridges (WAN, LAN and DMZ) in the host and four virtual NICs (three for the router/firewall and one for the WebServer), but here I got a few doubts:

a) should I run OpenVPN on the host, creating /dev/tap device and then I should bridge it to the virtual device A1? or can I just attach A1 to the tap device created with OpenVPN? Can this be done? or should I just bridge the ISP NIC (eth1) to the router/firewall VBox and run OpenVPN there?

b) is there a way to prevent the host from using the created tap device? I would like to avoid bypassing the firewall!

c) DMZ should be clear: create one bridge (brDMZ) and two host interfaces (DMZ0 & DMZ1) and then bind them together.
in /etc/network/interfaces:
auto brDMZ
iface brDMZ inet dhcp
bridge_ports
then:
VBoxAddIF DMZ0 mauro brDMZ
VBoxAddIF DMZ1 mauro brDMZ

d) The LAN interface should also be clear:
in /etc/network/interfaces:
auto brLAN
iface brLAN inet dhcp
bridge_ports eth0
then:
VBoxAddIF LAN0 mauro brLAN

e) how do I make sure the ISP interface (192.168.120.x) is used only by OpenVPN? can I do this?

f) Is this correct? Will any of this work?

Thanks in Advance
ZioNemo