I am in the process of setting up some firewalls to segment different parts of my network. I'm curious how some of you configure the external interface in this case. These firewalls will be internal only, no direct connection to an ISP, and no public IPs. Just use a private IP space then NAT it at the edge gateway? Then define as external in topology for address spoofing? Seems like it should be easier than this. Let me know how you solve this.