Hi Robert,

--On 10. August 2008 10:04:37 -0400 Robert Spangler <mlists at zoominternet.net> wrote:

> On Sunday 10 August 2008 08:36, Dirk H. Schulz wrote:
>
>> That works as expected. If e.g. I ping from an inside server to
>> somewhere outside, the ICMP request leaves via router2 and the answer comes
>> back via router1. conntrack -e on router1 shows this session (as
>> unreplied), BUT the firewall blocks it as a new connection - that means
>> iptables does not recognize conntrackd's addition to the session table.
>
> First off, if you have traffic leaving one router and coming back on
> another router that is Asynchronous routing and is not a good thing, as
> you are seeing.
>
> Firewall 1 doesn't know what firewall 2 is doing, so firewall 1 is going
> to block this traffic as it was set up to do. Firewall 1 is thinking
> this is a new connection.

That is why I used conntrack-tools to synchronize the session tables of both firewalls. According to "conntrackd -e" it works - it shows (e.g. on router 1) the sessions that have been synchronized over (e.g. from router 2). But the sync'd sessions seem not to bother netfilter.

> Since I don't know your setup, my questions are:
>
> 1. how many Internet connections do you have?

This is still in the setup phase, but they will be very many.

> 2. does router 2 have a valid public IP on the interface connecting to
> the Internet?

Yes. Both routers have public IPs, as they both are connected to upstream routers.

Dirk