Hallo Jorge! > I'm guessing a routing problem here. If you see the log you can see that the > packet marked as invalid have the same incoming/outgoing interface. Yes, it's the same interface but that is intention. > Your diagram, as you said is: > > eth2 > | > | > +--- gtw 194.95.188.25 --- LAN 194.95.188.192/26 > | > | > LAN 194.95.188.0/26 You'r right that's the situation. We know the problem could be solved by setting appropriate routes to the gateways in all servers in the 194.95.188.0/26 network. But we don't like that. Is the routing the reason for the kernel to mark this packet as invalid? The firewall is our default gateway and also a gateway to some more networks. We don't want to put detailed routes in all servers in the 194.95.188.0/26 network. They all only know the default gateway (and firewall) 194.95.188.7. They all get the information about the better next hop by the fireall via icmp redirects automatically we think. But why is the packet invalid? Regards Lars
