Hi Grant,

Thanks very much for your reply. Really kind of you to take so much time to explain things nice and clearly for me.

I had implemented exactly what you described, along with some SNAT rules to make the packets look like they were coming from the VC unit on the way back to the provider, but due to complications (H323 & NAT over two Linux firewalls are *not* cooperative) we had to abandon the whole idea of NATing.

Instead we opted to bypass the IPsec connection for the VC traffic (which is encrypted anyway) using some policy routing and a couple of extra aliases on either side of the connection. I was fortunate enough to stumble onto an alternative kernel for the Smoothwalls which has the stuff required for source-based policy routing using iproute2.

This approach was successful, and the implications of not using the IPsec for the H323 traffic aren't too severe, as the traffic is encrypted at any rate, and our wireless is highly directional and would be difficult to sniff anyway.

Thanks again for staying up late mulling over my predicament. It's always great to find people like yourself who are so generous with their time.

Regards,
Paul