A more common structure nowadays uses a de-militarised
zone (DMZ) between the internal LAN and the Internet,
thus:
Both of the routers in this diagram are configured as packet
filtering firewalls.
The DMZ is also called a "stub network". Note that the DMZ is, of
necessity, a separate subnet.
There are many options for the level of filtering in the routers,
and for the functionality of the bastion host. These are examined
in the next slides.
