Re: [suse-security] Connecting firewall directly to router ...
Ray Leach wrote:
Yes.
example:
Router has LAN iface 196.38.2.161/28 and firewall connected via xover cable has 196.38.2.162/28.
That's your problem. The kernel can't work out what to do with the packets. AFAIK, the only way is to have separate subnets.

Given the addresses above (which don't fall on a subnet boundary), your subnet allocation has to be 196.38.2.160/28, which gives you usable addresses of .161 to .174, which is 14 hosts. Depending on what you want to do in the DMZ you could use a /29 internally, which would be usable addresses of .169 to .174 (6 hosts). That way, the firewall box is in a different subnet. If you need all 14 addresses, then you need to ask the ISP to change the subnet at the router.

No doubt, if I'm wrong, someone will enlighten me!

Cheers, Laurie.

--
---------------------------------------------------------------------
Laurie Brown laurie@brownowl.com
PGP key at http://pgpkeys.mit.edu:11371
---------------------------------------------------------------------
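Worked illustration of the subnet arithmetic in the reply above, as an added example that is not part of the original list post: it derives the boundary-aligned /28 from the router's interface address, lists the usable host range, splits the /28 into the two /29s the reply mentions, and flags the situation the reply calls the problem, where two interfaces give the kernel a connected route to the same network. It assumes only the Python standard library `ipaddress` module; the device names `eth0`/`eth1` are constructed for the example.

```python
import ipaddress


def containing_network(iface):
    """Boundary-aligned network holding an interface address such as '196.38.2.161/28'.

    ip_interface keeps the host bits; .network drops them, giving 196.38.2.160/28.
    """
    return str(ipaddress.ip_interface(iface).network)


def usable_range(net):
    """(first, last, count) of host addresses in net, excluding network and broadcast."""
    hosts = list(ipaddress.ip_network(net).hosts())
    return str(hosts[0]), str(hosts[-1]), len(hosts)


def share_subnet(iface_a, iface_b):
    """True when two interface addresses fall inside the same connected network."""
    return containing_network(iface_a) == containing_network(iface_b)


def split(net, new_prefix):
    """Carve net into equal smaller networks, e.g. a /28 into two /29s."""
    return [str(s) for s in ipaddress.ip_network(net).subnets(new_prefix=new_prefix)]


def ambiguous_connected_routes(interfaces):
    """interfaces maps device name -> 'address/prefix' (constructed input).

    Every interface address gives the kernel a connected route for its network. If the
    same network is reachable via more than one device, the forwarding decision for that
    network is ambiguous, which is the case the reply describes. Returns those networks.
    """
    seen = {}
    for dev, iface in interfaces.items():
        seen.setdefault(containing_network(iface), []).append(dev)
    return sorted(net for net, devs in seen.items() if len(devs) > 1)


if __name__ == "__main__":
    router = "196.38.2.161/28"      # router LAN interface from the post
    fw_external = "196.38.2.162/28"  # firewall interface on the crossover cable

    block = containing_network(router)
    print("allocation:", block, "usable:", usable_range(block))
    print("router and firewall share a subnet:", share_subnet(router, fw_external))

    # The reply's suggestion: keep a /29 inside, so the DMZ is a different subnet.
    halves = split(block, 29)
    print("split into /29s:", halves, "inner usable:", usable_range(halves[1]))

    # Both firewall interfaces inside the same /28: ambiguous connected routes.
    broken = {"eth0": "196.38.2.162/28", "eth1": "196.38.2.163/28"}
    fixed = {"eth0": "196.38.2.162/29", "eth1": "196.38.2.169/29"}
    print("ambiguous (same /28 on both):", ambiguous_connected_routes(broken))
    print("ambiguous (/29 each side):", ambiguous_connected_routes(fixed))
```

Running it reproduces the reply's numbers: 196.38.2.160/28 with 14 usable hosts .161 to .174, and 196.38.2.168/29 with 6 usable hosts .169 to .174; the "broken" layout reports one ambiguous network and the "fixed" layout none.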