On Sunday 10 August 2008 08:36, Dirk H. Schulz wrote:
> That works as expected. If e.g. I ping from an inside server to somewhere
> outside, ICMP request leaves via router2, the answer comes back via
> router1. conntrack -e on router1 shows this session (as unreplied), BUT
> the firewall blocks it as new connection - that means iptables does not
> recognize conntrackd's addition to the session table.

First off, if you have traffic leaving one router and coming back on another router, that is Asynchronous routing and is not a good thing, as you are seeing. Firewall 1 doesn't know what firewall 2 is doing, so firewall 1 is going to block this traffic as it was set up to do. Firewall 1 is thinking this is a new connection.

Since I don't know your setup, my questions are:

1. How many Internet connections do you have?
2. Does router 2 have a valid public IP on the interface connecting to the Internet?

--
Regards
Robert

Smile... it increases your face value!
Linux User #296285 http://counter.li.org
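The following is an added illustration, not code from the thread or from the conntrackd project: a small Python model of two stateful firewalls, each with its own connection-tracking table, run against the scenario Dirk describes (request leaves via router2, reply returns via router1). The addresses, ports and the simplified NEW/ESTABLISHED rules are constructed assumptions; the model follows the Linux convention that packets in the original direction stay NEW until a reply is seen ("unreplied"), while a packet in the reply direction of a known entry is ESTABLISHED. It shows why router1 drops the reply when the tables are independent, and what changes when both routers consult one shared (synchronised) table.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """Constructed 5-tuple; for ICMP echo we reuse the port fields as id/type."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Conntrack:
    """Toy conntrack table: original-direction tuple -> 'replied' flag."""
    entries: dict = field(default_factory=dict)

    def classify(self, flow):
        # Original direction of a known entry: NEW until a reply was seen,
        # which mirrors the "unreplied" entries shown by the conntrack tool.
        if flow in self.entries:
            return "ESTABLISHED" if self.entries[flow] else "NEW"
        # Reply direction of a known entry is always ESTABLISHED.
        if flow.reverse() in self.entries:
            return "ESTABLISHED"
        return "NEW"

    def see(self, flow):
        """Record the packet and return the state it was classified as."""
        state = self.classify(flow)
        if flow.reverse() in self.entries:
            self.entries[flow.reverse()] = True   # mark the entry as replied
        elif flow not in self.entries:
            self.entries[flow] = False            # new, unreplied entry
        return state


class Router:
    """Stateful filter with a policy like the thread's: inside hosts may open
    connections outward; from the outside only ESTABLISHED traffic is accepted."""

    def __init__(self, name, table=None):
        self.name = name
        self.table = table if table is not None else Conntrack()

    def filter(self, flow, direction):
        state = self.table.classify(flow)
        if direction == "out" or state == "ESTABLISHED":
            self.table.see(flow)
            return "ACCEPT", state
        return "DROP", state


def simulate(shared_table):
    """Return router1's verdict on the reply, for independent or shared tables.

    Assumed topology: an inside host pings an outside address; the request
    leaves via router2 and the reply comes back via router1 (asymmetric path).
    """
    if shared_table:
        table = Conntrack()                # one table consulted by both routers,
        r1 = Router("router1", table)      # standing in for a synchronised state table
        r2 = Router("router2", table)
    else:
        r1 = Router("router1")
        r2 = Router("router2")

    request = Flow("icmp", "10.0.0.5", 1234, "203.0.113.9", 8)   # constructed
    assert r2.filter(request, "out") == ("ACCEPT", "NEW")

    reply = request.reverse()
    return r1.filter(reply, "in")


if __name__ == "__main__":
    print("independent tables:", simulate(shared_table=False))   # ('DROP', 'NEW')
    print("shared table:      ", simulate(shared_table=True))    # ('ACCEPT', 'ESTABLISHED')
```

With independent tables router1 never saw the request, so the reply matches nothing and is classified NEW and dropped exactly as Robert describes; with a shared table the reply is the reverse of a known entry and is accepted as ESTABLISHED. The model deliberately leaves out everything else the real kernel does (timeouts, helpers, the distinction between conntrackd's caches and the kernel table), which is where the original question would have to be pursued.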