Your post is very interesting, but you don't cover the case of an external firewall/router, which is the standard for any company seriously involved in security.