> Except if it's being dropped by conntrack... And remember, tcpdump sees stuff
> before the stack does its thing to the packets.

is there a logical reason (besides some bug in the code) why it should drop something? i thought (but ain't sure) that the "demasquerading" happens right in the prerouting, before the routing process, so that no routing rule in the world could disturb it?

> An ICMP is not being sent for another ICMP. But I guess an ICMP for ping
> can be sent, though.

.. you made me think with that.. ;) but i've just tested it with http requests. no icmp errors either.

> You got me there. Try to reduce the complexity of your setup (just bring
> up one ppp, remove the unnecessary tables and so forth) and retest again.
> If the test passes then add little by little to your setup. I'm sure you'll
> find/locate the problem that way.

i just did it. killed all other ppp connections, there was just eth4 (the local lan interface), ppp0 and a bunch of non-ip ethernet interfaces. but the result was the same, and no mis-guided packages in either direction.

i've really no clue what to do now. i will try to reproduce the configuration on another server here.