> > > > Long time here too... But MASQUERADE on both interfaces feels wrong given what it does... Shouldn't this only be on the 'outside' of a router... Or did this change at some point in the last few years? That's what I get for checking mailing lists when I first wake up... The OP has eth+ lines in his iptables but the interfaces are em+ OP was this iptables generated from some sort of tool or hand crafted? I'd go back to basics personally and flush it all starting from scratch and do it properly for the system at hand...