Hi,

> from hostINT back to extIP, gets routed to gw1 through eth1

Looks like the default route for 'any' source has too much priority; without looking at the code, it seems that the assumption is that there's no point checking the other routes, if there is an 'any' route.

I suggest removing the 'any' route and relying on SNAT for 'hidden' clients. Add more routing rules if necessary.

sunny