Hi All! I've no hit the same problem I hit quite some time back in trying to replace a rather limited script based iptables rule generator. Now I have no option really. The customer now has add a nice new 5M fibre connection to supplement the existing 1< leased line as well as an adsl link that is only for emergencies! Okay! The Problem! There are a few staff members the need to use a standard M$ PPiP vpn to connect to their biggest and almost only customers tracking system. I know the ideal is to set it up on the firewall but that will be a future project! Right now I need to get it working! I ran a tcpdump on the old script based system and the tcp 1723 and GRE packets just hapily fly back and forth! Stopped the old service and started shorewall. Another tcpdump showed no GRE packets being masq'd out. I can rule out anything with the kernel as that is the same for both firewall generators! Maybe it's just me misreading or misunderstanding the docs! Or maybe I just need my bum kicked! I have bziped up the shorewall dump and it is attached as ross.dump.bz2/ Ang -- Angela Williams angierfw at gmail dot com Linux/Networking Hacker Blog http://angierfw.wordpress.com Smile! Yeshua Loves You! ------------------------------------------------------------------------------