So I figured out part of the problem. The masquerading on 198.168.1.5 was being done incorrectly---it was doing it for /all/ 198.168.1.0/24 at the POSTROUTING level (SNAT), so it was mangling more packets than I wanted. A couple changes to the firewalling rules, and 198.168.1.0/24 and 198.168.2.0/24 can see 192.168.1.1 now.

It also turned out that I misread the output of who -R on my test machine on 198.168.1.0/24. 198.168.1.5 wasn't making connections from 192.168.1.1 appear to be from 68.x.y.z after all.

Now the only trick is why this damn IRIX box sends *every* packet from 128.d.e.f, regardless of which network it's sending them to.... grrrr.... (ping 192.168.1.1 from shows packets to/from 128.d.e.f in tcpdump and not 192.168.1.50 how it should be!)

Oh, btw, if anybody has any AIX experience, drop me a line ;)

--os (the orange squid)
a.k.a. Matt Williams
os@udel.edu
os@os.us.eu.org