Well, I've done some more testing and am still having trouble. I added another IP to eth0:

    ip addr add 10.4.44.12/24 brd 10.4.44.255 dev eth0

It pings fine from either router. I changed the 10.4.44.1 router to forward port 80 to 10.4.44.11, and changed 10.4.44.2 to forward to 10.4.44.12. When I execute the commands below, I get the same old thing -- connections to the 10.4.44.1 router work fine, but connections to 10.4.44.2 are never established. I also tried changing the 'from' keyword below to 'to', with the same result.

Here's a tcpdump snippet of a request I made externally to the (external ip of) the 10.4.44.2 router:

23:15:33.694184 eth0 < 199.182.120.202.33921 > 10.4.44.12.http: S 1955898960:1955898960(0) win 8760 <mss 1460> (DF)
23:15:33.694281 eth0 > 10.4.44.12.http > 199.182.120.202.33921: S 2999353690:2999353690(0) ack 1955898961 win 32120 <mss 1460> (DF)
23:15:33.724810 eth0 < 199.182.120.202.33921 > 10.4.44.12.http: . 1:1(0) ack 1 win 8760 (DF)
23:15:35.347623 eth0 < 199.182.120.202.33921 > 10.4.44.12.http: P 1:8(7) ack 1 win 8760 (DF)
23:15:35.347696 eth0 > 10.4.44.12.http > 199.182.120.202.33921: . 1:1(0) ack 8 win 32120 (DF)
23:15:35.355858 eth0 > 10.4.44.12.http > 199.182.120.202.33921: P 1:1461(1460) ack 8 win 32120 (DF)
23:15:35.355913 eth0 > 10.4.44.12.http > 199.182.120.202.33921: P 1461:2921(1460) ack 8 win 32120 (DF)
23:15:35.571995 eth0 < 199.182.120.202.33921 > 10.4.44.12.http: . 8:8(0) ack 1461 win 8760 (DF)
23:15:35.572119 eth0 > 10.4.44.12.http > 199.182.120.202.33921: P 2921:4381(1460) ack 8 win 32120 (DF)
23:15:35.572144 eth0 > 10.4.44.12.http > 199.182.120.202.33921: P 4381:5841(1460) ack 8 win 32120 (DF)
23:15:35.572157 eth0 > 10.4.44.12.http > 199.182.120.202.33921: FP 5841:7223(1382) ack 8 win 32120 (DF)
23:15:35.984004 eth0 < 199.182.120.202.33921 > 10.4.44.12.http: . 8:8(0) ack 2921 win 8760 (DF)
23:15:36.203976 eth0 < 199.182.120.202.33921 > 10.4.44.12.http: . 8:8(0) ack 4381 win 8760 (DF)
23:15:36.210403 eth0 < 199.182.120.202.33921 > 10.4.44.12.http: . 8:8(0) ack 5841 win 8760 (DF)
23:15:36.330731 eth0 < 199.182.120.202.33921 > 10.4.44.12.http: . 8:8(0) ack 7224 win 8760 (DF)
23:15:36.336468 eth0 < 199.182.120.202.33921 > 10.4.44.12.http: F 8:8(0) ack 7224 win 8760 (DF)
23:15:36.336519 eth0 > 10.4.44.12.http > 199.182.120.202.33921: . 7224:7224(0) ack 9 win 32120 (DF)

The packets seem to hit the correct ip on the webserver, but I can't tell what happens next. I'm assuming that the packets are routed back through the system default gw (10.4.44.1), and therefore never received by the client.

One thing that I've noticed is strange -- when I issue an 'ip route' command after setting up the two rules and routes, I get:

10.4.44.0/24 dev eth0 proto kernel scope link src 10.4.44.11
127.0.0.0/8 dev lo scope link
default via 10.4.44.1 dev eth0

It looks like I'm missing one of the routes I've added, but I can only ever get one route to appear there.

Last point: I'm currently using a 2.2.16-22 kernel, with the iproute2 tools installed. Here's the appropriate section of my .config:

#
# Networking options
#
CONFIG_PACKET=y
CONFIG_NETLINK=y
CONFIG_RTNETLINK=y
CONFIG_NETLINK_DEV=y
CONFIG_FIREWALL=y
CONFIG_FILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_ROUTE_LARGE_TABLES=y
CONFIG_IP_ROUTE_NAT=y
# CONFIG_IP_PNP is not set
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_NETLINK=y
CONFIG_NETLINK_DEV=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_TRANSPARENT_PROXY=y
CONFIG_IP_MASQUERADE=y

Any further ideas? I seem to be close, but missing some crucial step ;)

Thanks for the help,
Ross

-----Original Message-----
From: lartc-admin@xxxxxxxxxxxxxxx [mailto:lartc-admin@xxxxxxxxxxxxxxx]On Behalf Of Kristian Hoffmann
Sent: Tuesday, December 04, 2001 11:15 PM
To: lartc@xxxxxxxxxxxxxxx
Subject: Re: [LARTC] multiple gateway problem

I think the second address on the inner-most machine would be necessary. The inner machine could even have two private addresses and have your two routers do NAT. Then set up multiple routing tables with different default gateways (one 10.4.44.1, the other 10.4.44.2) and policy routing rules on your inner machine. Then outgoing traffic can be sent through either internet connection.

Ex.

    ip rule add from 10.4.44.11 table 100
    ip route add default table 100 via 10.4.44.1
    ip rule add from 10.4.44.12 table 101
    ip route add default table 101 via 10.4.44.2

It also helps sometimes to add the contents of your main routing table to any others you set up that have default routes, since nothing will get past the default route in that table.

-Kristian
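
As an added illustration (not part of the original thread and not code from either poster), this Python sketch models the rule-then-table lookup that the `ip rule` / `ip route ... table` commands above configure, and shows which next hop a packet sourced from 10.4.44.12 gets in each setup. It is a simplified model: the rule priorities and the LAN host 10.4.44.50 are constructed, only the `from` selector is modelled, and the kernel's local table is left out.

```python
import ipaddress

def rpdb_lookup(rules, tables, src, dst):
    """Walk rules in priority order; the first selected table holding a route
    that matches dst wins (longest prefix). Returns (table, next_hop)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, from_net, table in sorted(rules, key=lambda r: r[0]):
        if from_net and src_ip not in ipaddress.ip_network(from_net):
            continue  # rule selector does not match this source address
        hits = [(ipaddress.ip_network(prefix), via)
                for prefix, via in tables.get(table, [])
                if dst_ip in ipaddress.ip_network(prefix)]
        if hits:
            _net, via = max(hits, key=lambda h: h[0].prefixlen)
            return table, via or "direct"
        # no matching route in this table: fall through to the next rule
    return None, None

DEFAULT = "0.0.0.0/0"
# Main table as shown in the 'ip route' output in the message above.
MAIN = [("10.4.44.0/24", None), (DEFAULT, "10.4.44.1")]
RULES = [(32764, "10.4.44.12", "101"),   # priorities are constructed
         (32765, "10.4.44.11", "100"),
         (32766, None, "main")]
CLIENT = "199.182.120.202"   # external client seen in the tcpdump
LAN_HOST = "10.4.44.50"      # constructed neighbour on the local subnet

def scenarios():
    only_main = {"main": MAIN}                    # rules exist, tables 100/101 empty
    policy = {"main": MAIN,
              "100": [(DEFAULT, "10.4.44.1")],
              "101": [(DEFAULT, "10.4.44.2")]}    # the four commands in the reply
    mirrored = {**policy, "101": [MAIN[0], (DEFAULT, "10.4.44.2")]}
    return {
        # Empty table 101: the reply falls through to main and leaves via .1
        "reply_empty_101": rpdb_lookup(RULES, only_main, "10.4.44.12", CLIENT),
        # Default route present in table 101: the reply leaves via .2
        "reply_policy": rpdb_lookup(RULES, policy, "10.4.44.12", CLIENT),
        "reply_from_11": rpdb_lookup(RULES, policy, "10.4.44.11", CLIENT),
        # Only a default in table 101: even LAN traffic is sent to the router
        "lan_default_only": rpdb_lookup(RULES, policy, "10.4.44.12", LAN_HOST),
        # Connected route copied from main into table 101: LAN stays direct
        "lan_mirrored": rpdb_lookup(RULES, mirrored, "10.4.44.12", LAN_HOST),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:18} -> table {result[0]}, next hop {result[1]}")
```

On a live system, `ip rule show` and `ip route show table 101` display the rules and the per-table routes; plain `ip route` lists only the main table.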