MAC,

Glad to see you've got it working

For completeness, as they say, the reason you couldn't get DHCP working from M3 to M2 is that (to oversimplify somewhat) DHCP requires broadcasts to work between client and server, since the client (a) doesn't know the server's IP, and (b) doesn't have an IP address yet for the server to send to -- that's why you are DHCPing in the first place . In your original setup, M1 was acting as sort of very basic router -- well, an IP forwarder really -- and broadcasts do not cross routed-network boundaries (that's one of the many reasons that you have routing in the first place.) So the original DHCP broadcast requests were not crossing the "router" that was M1. By putting M2 onto a network that can "see" M3 directly (into the same broadcast domain), you enable M2's DHCP broadcasts to get to M3 and the replies to get back again, if you see what I mean

I'm not quite sure why (on a quick reading) you need the differing levels of protection for the two systems, but from a quick browse of the FreeSCO site it appears to support multiple interfaces: therefore, as somebody else suggested, put multiple ethernet cards into the freesco box and set up policies to give you the level of access control that you need. This is a sort-of DMZ (de-militarised zone) setup; you'll see many references to DMZs in the security literature. If freescso's worth having at all (and I haven't taken a good look yet -- will try and get a play in over Xmas) then it ought to be able to setup policies to give you the protection you need, without having to resort to running IPX/SPX or other tricks...

Please ask further if this was as clear as mud...

RTFM