The setup involved in this issue was working perfectly fine with oss 10.X and 11.1. The problem arose after an in-place upgrade to oss 11.2. Basically the machine (call it machine A with internal IP address 192.168.10.10) is configured to do masquerade via iptables (with a custom script). The relevant lines are:

    $IPTABLES -t mangle -A PREROUTING -m iprange --src-range 192.168.10.50-192.168.10.200 -j MARK --set-mark 2
    $IPTABLES -t mangle -A FORWARD -m iprange --src-range 192.168.10.50-192.168.10.200 -j MARK --set-mark 2
    $IPTABLES -t nat -A POSTROUTING -m mark --mark 2 -o comcast1 -j MASQUERADE

Once this is in place, initiating (for example) ping www.yahoo.com from a machine with IP address 192.168.10.52 shows that traffic is making its way to machine A on A's internal interface, then the traffic is getting "masqueraded" (the packet's source IP gets changed to the valid public address of machine A) and sent out the interface called comcast1, the reply comes back from www.yahoo.com and enters machine A properly on interface comcast1 and that's it ... the packet never gets mapped back to the inside host that sent it. I see this sequence of events in a packet capture btw (Wireshark with capture on pseudo-interface to capture all interfaces).

This exact same script worked fine with oss11.1 and earlier versions - is anyone here aware of any changes in oss11.2 that could prevent something like this from working?

Thanks in advance for any help,

--
--Moby

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin
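
Added example, not part of the original post: one way to check from the connection-tracking table whether machine A ever matched the returning packet to the masqueraded flow described above. The sample lines are constructed in /proc/net/nf_conntrack layout; 198.51.100.7 (standing in for A's public address) and 203.0.113.80 (the remote host) are assumed placeholders.

```python
import ipaddress

# Constructed sample in /proc/net/nf_conntrack layout (not real capture data).
SAMPLE = """\
ipv4     2 icmp     1 29 src=192.168.10.52 dst=203.0.113.80 type=8 code=0 id=4711 [UNREPLIED] src=203.0.113.80 dst=198.51.100.7 type=0 code=0 id=4711 mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.10.60 dst=203.0.113.80 sport=40000 dport=80 src=203.0.113.80 dst=198.51.100.7 sport=80 dport=40000 [ASSURED] mark=0 use=2
ipv4     2 udp      17 20 src=192.168.10.10 dst=192.168.10.1 sport=5353 dport=53 src=192.168.10.1 dst=192.168.10.10 sport=53 dport=5353 mark=0 use=2
"""

def parse_entry(line):
    """Split one conntrack line into its original and reply tuples plus flags."""
    tokens = line.split()
    if not tokens or tokens[0] != "ipv4":
        return None  # blank or non-IPv4 line
    srcs = [t[4:] for t in tokens if t.startswith("src=")]
    dsts = [t[4:] for t in tokens if t.startswith("dst=")]
    if len(srcs) != 2 or len(dsts) != 2:
        return None  # both directions must be present
    return {
        "proto": tokens[2],
        "inside": srcs[0],        # original source (inside host)
        "remote": dsts[0],        # original destination
        "reply_dst": dsts[1],     # where replies are addressed (post-NAT source)
        "masqueraded": dsts[1] != srcs[0],
        "replied": "[UNREPLIED]" not in tokens,
    }

def flows_from_range(text, first="192.168.10.50", last="192.168.10.200"):
    """Entries whose original source lies in the range the script marks."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    found = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry and lo <= ipaddress.ip_address(entry["inside"]) <= hi:
            found.append(entry)
    return found

def stuck_flows(text):
    """Masqueraded flows for which conntrack never saw a returning packet."""
    return [e for e in flows_from_range(text)
            if e["masqueraded"] and not e["replied"]]

if __name__ == "__main__":
    for e in flows_from_range(SAMPLE):
        state = "reply seen" if e["replied"] else "no reply matched"
        print(f'{e["proto"]:4} {e["inside"]} -> {e["remote"]} '
              f'via {e["reply_dst"]}: {state}')
```

An entry that stays [UNREPLIED] while the capture shows the reply arriving means conntrack never matched that packet to the flow; an entry without the flag means the reply was matched and the loss happens later in the path (routing or the filter table).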