>then can you not just mark on the vlan interface rather than eth1?

Andrew is right. That's the best option. Ethy, just change eth1 to vlan+ in
the following rules:

/usr/sbin/iptables -t mangle -A POSTROUTING -o eth1 -m mark ! --mark 2 \
    -j IPMARK --addr src --and-mask 0xffff --or-mask 0x0
/usr/sbin/iptables -t mangle -A POSTROUTING -o eth1 -m mark --mark 2 \
    -j IPMARK --addr src --and-mask 0xffff --or-mask 0x40000

Best regards,
Marek Kierdelewicz