Hi,

> To get packets NATed as you want them to, they have to reach PREROUTING
> chain on the firewall. That means when access router wants to forward
> these packets, it must get an ARP reply for their destination IP. If
> NATed IPs were not aliased on firewall, then nobody would answer access
> router's ARP requests, and connections would not get established.

I don't totally agree on this. How about POST ROUTING?

> The only thing you have to keep in mind is that packets you want to NAT
> have to reach the firewall. As they're not destined to, you have to
> force them a bit ;)

Can anyone explain why we don't have to do the same for POSTROUTING?

- Jet