Let's say I have a perimeter network on a firewall segment that I want to protect with PVLAN. We would use the PVLAN to force all communication between machines within that perimeter to go through the firewall. The problem I am seeing with this configuration is that the firewall would normally just ignore communications between computers on the same segment, figuring that such communication is direct between the computers.
To make this work, are we supposed to configure proxy ARP on the firewall segment, to fake out machines on the network into thinking that all the target IPs on that network go to the firewall's port? Do we need to configure the network on the firewall to be a single IP (mask 255.255.255.255)? Obviously the answer may be firewall dependent, but how would you make the firewall work with a PVLAN perimeter network for the case of Checkpoint Firewall-1, Microsoft ISA Server, and Cisco PIX?
It looks like the only "easy" way to make this work is to be sure that all machines in one PVLAN don't need to ever talk to each other....
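For reference, the switch side of the setup being asked about, written here as an added Cisco IOS example (not from the original post; VLAN numbers, interface names and the 10.1.1.0/24 subnet are assumptions). Hosts sit on isolated ports of the secondary VLAN, so their frames, ARP included, can only reach the promiscuous port where the firewall is; the firewall must therefore answer ARP for every address in the subnet and be allowed to forward traffic back out the interface it arrived on, which is the firewall-specific part of the question:

```cisco
! Primary VLAN carries the firewall; isolated secondary VLAN carries the hosts
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
!
! Firewall uplink: promiscuous port, sees both primary and isolated traffic
interface GigabitEthernet1/0/1
 description Firewall inside interface (10.1.1.1/24, assumed)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Perimeter hosts: isolated host ports, cannot reach each other at layer 2
interface range GigabitEthernet1/0/2 - 12
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! With this in place, 10.1.1.10 ARPing for 10.1.1.11 never reaches 10.1.1.11.
! The firewall on Gi1/0/1 has to proxy-ARP for 10.1.1.0/24 and route the
! packet back out the same interface, subject to its policy, for the
! host-to-host flow to work at all.
```

If the gateway is the switch's own SVI rather than an external firewall, Cisco IOS offers `ip local-proxy-arp` on that SVI for exactly this purpose. On a Linux-based firewall the equivalent knob is the `proxy_arp_pvlan` sysctl on the inside interface.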