Dears, my problem: (I hope the ascii art arives you in the correct shape) Internet | | Router from providers 194.123.123.49/25.255.255.248 | | |-----------------third computer for testing 194.123.123.53 | | | | | | I have two physical Interfaces 194.123.123.51 und .52 | | on the external side of the firewall | | Firewall--192.168.10.1----------------DMZ with two IP numbers | | | 192.168.10.11 und 12 | | | | | | | | | Internal networks with private adresses 192.168.0.0 192.168.230.0 and such My Aim is to forward 194.123.123.51:80 to 192.168.10.11:80 and 194.123.123.52:80 to 192.168.10.12:80 Now I recognize the following behavior: A request from the third computer on 194.123.123.52:80 is forwarded to 192.168.10.11:80 independet from the firewall-config of SusEfirewall2 (vers 5.0 on SuSE 7.3). Next step: I disconnectet the Kabel of the Interface 194.123.123.52. But the request from the third computer on 194.123.123.52 is also replayed until I disconnect the the cable from the Interface 194.123.123.51 too. I have verified, that the ip of the interfaces are correct! (I do a retry on 194.123.123.51 with the same behavior). Parts of my firewall config (Ip addresses changed): FW_DEV_EXT="eth3 eth6" #with IPs 194.123.123.51 und .52 FW_DEV_INT="eth0 eth1 eth4" FW_DEV_DMZ="eth2" FW_ROUTE="yes" FW_MASQUERADE="yes" FW_MASQ_DEV="$FW_DEV_EXT" FW_MASQ_NETS=" 192.168.10.0/24" FW_FORWARD_MASQ=" 0/0,192.168.10.11,tcp,80" and I try in the custom config fw_custom_before_port_handling() { # could also be named "after_antispoofing()" ....... iptables -A PREROUTING -j DNAT -t nat -p tcp -s 0.0/24 -d 194.123.217.52 --dport 80 --to-destination 192.168.10.12:80 -i eth6 ... Thanks for hints Harald Wallus