Ok, gotcha now...

Still do

    ip rule add from $WAN_IP table $WAN_TABLE
    ip rule add from $WLAN_IP table $WLAN_TABLE

and

    ip route add default via $WAN_PEER_IP dev $WAN_IF table $WAN_TABLE
    ip route add default via $WLAN_PEER_IP dev $WLAN_IF table $WLAN_TABLE

Add iptables rules approximately as follows:

    $IPTABLES -t nat -A PREROUTING -i $WAN_IF -j DNAT --to-destination $DMZ_IP_0-16
    $IPTABLES -t nat -A PREROUTING -i $WLAN_IF -j DNAT --to-destination $DMZ_IP_17-32
    $IPTABLES -t nat -A POSTROUTING -o $WAN_IF -j SNAT --to-source $WAN_IP
    $IPTABLES -t nat -A POSTROUTING -o $WLAN_IF -j SNAT --to-source $WLAN_IP
    $IPTABLES -t filter -A FORWARD -i $WAN_IF -o $DMZ_IF -j ACCEPT
    $IPTABLES -t filter -A FORWARD -i $WLAN_IF -o $DMZ_IF -j ACCEPT

That takes care of the initial connection, i.e. SYN packets. The IPTables nat table is only used on the initial packet on each connection.

For the actual routing, the only thing that I can think of is assigning two IPs (aliases) to each server in the DMZ, say .0-16 for WAN and 17-32 for WLAN, then using

    $IPTABLES -t mangle -A PREROUTING -s $DMZ_IP_0-16 -j MARK --set-mark 1

and

    $IPTABLES -t mangle -A PREROUTING -s $DMZ_IP_17-32 -j MARK --set-mark 2

then add

    ip rule add fwmark 1 table $WAN_TABLE

and

    ip rule add fwmark 2 table $WLAN_TABLE

Sorry, but that is all I can come up with at the moment.

PJ
--
Quitters never win, and winners never quit, but those who never quit AND never win are idiots.
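
The setup described in the post above, as an added example that is not part of the original post: a dry-run generator that prints the per-uplink commands from one argument set each and rejects a plan in which two uplinks share an interface, table or mark. It assumes a single DMZ server with one alias address per uplink; all interface names, addresses, table ids and marks are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original post). Prints commands only;
# nothing is applied. All values below are constructed samples.

DMZ_IF=eth2   # assumed name of the DMZ-facing interface

# emit_uplink NAME IF IP PEER TABLE MARK DMZ_ALIAS
# Every command for one uplink takes its interface, table and mark from
# the same argument set, so the two uplinks cannot be cross-wired.
emit_uplink() {
    name=$1 ifc=$2 addr=$3 peer=$4 table=$5 mark=$6 dmz=$7
    echo "# uplink $name"
    echo "ip rule add from $addr table $table"
    echo "ip route add default via $peer dev $ifc table $table"
    echo "iptables -t nat -A PREROUTING -i $ifc -j DNAT --to-destination $dmz"
    echo "iptables -t nat -A POSTROUTING -o $ifc -j SNAT --to-source $addr"
    echo "iptables -t filter -A FORWARD -i $ifc -o $DMZ_IF -j ACCEPT"
    # Replies leave the DMZ server from the alias the connection was
    # DNATed to, so the source address selects the mark and the table.
    echo "iptables -t mangle -A PREROUTING -s $dmz -j MARK --set-mark $mark"
    echo "ip rule add fwmark $mark table $table"
}

emit_all() {
    emit_uplink wan  eth0  192.0.2.2    192.0.2.1    101 1 10.0.0.10
    emit_uplink wlan wlan0 198.51.100.2 198.51.100.1 102 2 10.0.0.20
}

# check_plan: reads a plan on stdin and fails if two default routes share
# an interface or table, or two fwmark rules share a mark or table.
check_plan() {
    awk '
        BEGIN { bad = 0 }
        $1 == "ip" && $2 == "route" {
            if (dev[$8]++ || rtab[$10]++) bad = 1
        }
        $1 == "ip" && $2 == "rule" && $4 == "fwmark" {
            if (mk[$5]++ || mtab[$7]++) bad = 1
        }
        END { exit bad }
    '
}

if emit_all | check_plan; then
    emit_all
else
    echo "plan reuses an interface, table or mark across uplinks" >&2
fi
```

Review the printed plan before applying it, for example by piping it to `sh` as root on the router.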