Hi Jon,

It was a huge hassle to configure this way!! I almost killed somebody. Eventually I managed to get it working with a mishmash of static host routes and ARP entries. BTW when I posted re: this problem it was dismissed as an OT routing issue. However I think this config is somewhat commonly desired for FWs and as such is worthy.

***For me, it only worked with /etc/route.conf entries and a restart of routing... Specifying the routes at the command line didn't work! I know this makes no sense.

For the firewall (assuming eth0 is external and eth1 is internal):

- declare the subnet on the external interface

    my.subnet.add.ress 0.0.0.0 my.net.mas.k eth0

- host routes to each internal host with interface specified

    default my.routers.ip.addr
    int.ernal.host.ip1 0.0.0.0 255.255.255.255 eth1
    int.ernal.host.ip2 0.0.0.0 255.255.255.255 eth1

- published ARP entries for every internal host (in a boot script ideally)

    arp -vn -i eth1 -s int.ernal.host.ip1 int:ernal:host:mac:addr:ess1 pub
    arp -vn -i eth1 -s int.ernal.host.ip2 int:ernal:host:mac:addr:ess2 pub

For the internal machines:

- only the obvious in route.conf

    my.subnet.add.ress 0.0.0.0 my.net.mas.k eth0

The router seems to get the necessary ARP info from the firewall, as no published ARP entries were necessary.

There should definitely be a HOWTO of some sort, besides http://www.linuxdoc.org/HOWTO/mini/Proxy-ARP-Subnet/ which is a decent resource.

I think Marc's firewall scripts are awesome; 2.4 has matured into a sturdy FW. But for this particular application ipf for BSD is probably less of a headache as a firewall host... saves real IPs too.

HTH
-gabriel