On Thu, Dec 06, 2001 at 05:54:36PM -0600, Bill Williamson wrote:

Bill, please do not silently move discussions away from the mailinglist! I am
not a free consulting firm!

> > Run 'tcpdump -e -s 1500 -n -i eth0' while you try to connect to yourself and
> > supply us with the IP addresses. Replace eth0 with the right interface.
>

Sanitized output of the tcpdump you provided:

5.4 a8:d7 1b:94 192.168.0.3.53395 > x.y.z.w.80: S 912730624:912730624(0) win 5840 <mss 1460,sackOK,timestamp 43698736 0,nop,wscale 0> (DF)
5.4 1b:94 a8:d7 x.y.z.w.53395 > 192.168.0.3.80: S 912730624:912730624(0) win 5840 <mss 1432,sackOK,timestamp 43698736 0,nop,wscale 0> (DF)

This part is good, your .0.3 host tries to connect to the external address,
your router immediately sends a reply back, properly NATted.

5.4 a8:d7 1b:94 192.168.0.3.53395 > x.y.z.w.80: . ack 1 win 5840 <nop,nop,timestamp 43698736 43698736> (DF)

Linux doesn't go for it. It basically says 'I know this session already'!

This trace is all very very broken, and I think parts of it are missing. I
suspect that your router gets confused by timestamp and SACK options, but
I'm not sure.

Regards,

bert

-- 
http://www.PowerDNS.com          Versatile DNS Software & Services
Trilab                                 The Technology People
Netherlabs BV / Rent-a-Nerd.nl           - Nerd Available -
'SYN! .. SYN|ACK! .. ACK!' - the mating call of the internet