We have some very fragile vendor supplied systems.
Crash all the time.
They blame our network, ie: we are sending them unexpected traffic.
So we decided to segment them as much as possible.
Except we are not allowed to change any IP addresses.
So we reconfigured the switches that they are on, and made sure that no non-vendor equipment were on them.
I then constructed a bridging firewall using OpenBSD and pf. I had originally tried using Debian and iptables. Pain in the ass. Threw it away.
The OpenBSD was EASY, and the pf language is very easy to use and explain. Auditing the rules is a breeze.
Heartily recommended if you want to setup an invisible firewall.