I've been trying to make this work but don't know how yet. The problem is that I have a Linux box doing the routing and NAT for several private subnets, and we want to limit the bandwidth for each subnet to different amounts of the bandwidth. For the upload it was pretty easy, but for the download of each one of them it's been a PITA. The major problem is that the same Linux box is a squid-proxy server, and we don't want to lose the speed boost they get when the object they want is already in cache, so I can't just set some tbf on the download side for each network because they won't get the files from the cache fast. So my big question is how to make a filter that can get all the packets going to network X that are not originated from the router-squid-NAT box. Can anyone give me a hand with this? Ingress works fine but for the whole system; I can't set an ingress filter for each subnet because ingress sits on the outgoing interface and the packets are already NATed. Any ideas will be great. TIA.