>>>>> "BW" == Bryan Wright <bryan@xxxxxxxxxxxx> writes:

BW> Unfortunately, it doesn't. Watching with Wireshark, it
BW> appears that the hosts fail to set up a TCP session because of
BW> confusion about addresses. Traffic arriving at "B" appears to come
BW> from "A.internal", so "B" answers directly to this, causing the
BW> reply arriving at "A" to appear to be from "B.internal", which
BW> isn't what "A" was looking for.

I believe the solution is referred to as "hairpinning". Basically, you add

    iptables -t nat -A POSTROUTING -s $LAN_NET -o $LAN -j SNAT ...

(or MASQUERADE). All the traffic then goes to the firewall and back, even
for internal traffic. It's a waste of firewall capacity and network
bandwidth, of course.

/Benny
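A complete hairpin NAT rule set for the situation Benny describes, added here as an illustration and not taken from the thread or from either poster: the DNAT that sends LAN clients aiming at the public address to the internal server, the SNAT on POSTROUTING that forces the server's reply back through the firewall (so "A" sees the reply coming from the address it connected to), and the FORWARD accept that a default-DROP firewall needs. Interface, network and address values (`eth1`, `192.168.1.0/24`, `203.0.113.10`, `192.168.1.20`, port 443) are constructed placeholders; override them through the environment. The script only emits the rules unless run with `apply`, so the set can be reviewed before it touches a live firewall. Note that POSTROUTING cannot match on `-i`; the LAN origin is selected with `-s` instead.

```shell
#!/bin/sh
# Added example (not from the original thread): hairpin NAT for a Linux
# firewall where LAN hosts reach an internal server via its public address.
# All values below are constructed placeholders; override via the environment.
LAN_IF="${LAN_IF:-eth1}"                 # LAN-facing interface of the firewall
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # internal network
LAN_GW="${LAN_GW:-192.168.1.1}"          # firewall's own LAN address
PUB_IP="${PUB_IP:-203.0.113.10}"         # public address clients connect to
SRV_IP="${SRV_IP:-192.168.1.20}"         # internal server behind the DNAT
SRV_PORT="${SRV_PORT:-443}"

# Emit the rules as text so they can be inspected or tested without root.
hairpin_rules() {
  # 1. LAN client -> public IP: rewrite the destination to the internal server.
  printf '%s\n' "iptables -t nat -A PREROUTING -i $LAN_IF -d $PUB_IP -p tcp --dport $SRV_PORT -j DNAT --to-destination $SRV_IP:$SRV_PORT"
  # 2. Same flow leaving toward the server: rewrite the source to the firewall
  #    so the server replies via the firewall, which un-NATs it for the client.
  #    POSTROUTING has no input interface, hence -s $LAN_NET rather than -i.
  printf '%s\n' "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $SRV_IP -p tcp --dport $SRV_PORT -j SNAT --to-source $LAN_GW"
  # 3. Let the hairpinned traffic through a default-DROP FORWARD chain.
  printf '%s\n' "iptables -A FORWARD -i $LAN_IF -o $LAN_IF -d $SRV_IP -p tcp --dport $SRV_PORT -j ACCEPT"
}

# Number of rules in the set; handy as a sanity check before applying.
hairpin_rule_count() {
  hairpin_rules | wc -l | tr -d ' '
}

# Apply the emitted rules (requires root and iptables on the host).
apply_hairpin_rules() {
  hairpin_rules | sh
}

case "${1:-}" in
  apply) apply_hairpin_rules ;;
  *)     hairpin_rules ;;
esac
```

Run without arguments to print the three rules and review them; run with `apply` as root to install them. The cost Benny mentions is visible in rule 2: every LAN-to-server packet on this flow is rewritten and forwarded by the firewall, and the server's logs will show the firewall's LAN address as the client, not the real one.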