hi all, i have this situation: isp1 | dmz ----- FW linux ----- isp2 |----------------------------------- vpn concentrator ----- various ipsec lan-2-lan | LAN In lan i have "pc zone" and "server zone", same network. Dmz and server zone browse internet through isp1, lan use isp2, and remote lan too (connected with vpn concentrator) using squid proxy installed on linux firewall. My problem: server zone and firewall are unreachable by remote lan, but a pc in a remote lan can ping/rdp/smb/vnc/ecc all the other pc in local lan. Firewall linux is the default gw, and it have a routing rules to route connections from lan to remote lan to vpn concentrator. If i use only one isp, all works fine, so the problem was in my iproute setup. If i set a static route in servers bypassing the default gw (firewall linux) that point directly vpn concentrator, the remote lan can connect the server. Some details. cat /etc/iproute2/rt_tables # # reserved values # 255 local 254 main 253 default 0 unspec 100 isp2 101 isp1 # # local # #1 inr.ruhep This is the iproute script: ISP1_NET="x.x.x.192/29" ISP1_IP="x.x.x.195" ISP1_GW="x.x.x.193" ISP1_IF="bad0" ISP2_NET="x.x.x.96/29" ISP2_IP="x.x.x.98" ISP2_GW="x.x.x.97" ISP2_IF="bad1" DMZ_NET="192.168.0.0/24" DMZ_IF="dmz0" LAN_NET="10.0.0.0/24" LAN_IF="lan0" SERVER_MAIL="10.0.0.50" SERVER_1="10.0.0.10" SERVER_2="10.0.0.2" SERVER_3="10.0.0.3" /sbin/ip rule add fwmark 100 table ISP2 /sbin/ip rule add fwmark 101 table ISP1 /sbin/ip route add $ISP1_NET dev $ISP1_IF src $ISP1_IP table 1 /sbin/ip route add default via $ISP1_GW table 101 /sbin/ip route add $ISP2_NET dev $ISP2_IF src $ISP2_IP table 2 /sbin/ip route add default via $ISP2_GW table 100 /usr/sbin/iptables -t mangle -A PREROUTING -i $LAN_IF -s $SERVER_1 -j MARK --set-mark 101 /usr/sbin/iptables -t mangle -A PREROUTING -i $LAN_IF -s $SERVER_2 -j MARK --set-mark 101 /usr/sbin/iptables -t mangle -A PREROUTING -i $LAN_IF -s $SERVER_3 -j MARK --set-mark 101 /usr/sbin/iptables -t mangle -A PREROUTING -i $LAN_IF -s $SERVER_MAIL -j MARK --set-mark 101 /usr/sbin/iptables -t mangle -A PREROUTING -i $DMZ_IF -s $DMZ_NET -j MARK --set-mark 101 /sbin/ip route add default dev bad1 table ISP2 /sbin/ip route add default dev bad0 table ISP1 for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f; done /bin/echo 1 > /proc/sys/net/ipv4/route/flush /sbin/ifconfig dummy0 1.2.3.4 /sbin/ip route add default dev dummy0 Can somebody help me? best regards bizza _______________________________________________ LARTC mailing list LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc