Hello,

Got an issue that seems to be related to a few technologies at the same time.

My setup: one eth0 iface, connected to bridge br0. The server runs strongSwan, with NAT rules to NAT user connections.

Problem: Clients connect via IPsec and can't ping anything on the internet, but can ping the gateway. If I set promisc mode on br0, traffic goes fine.

Test1: Disable bridge, use eth0 as main iface - everything works fine, eth0 not in promisc mode.

Test2: Bridged setup, using tcpdump (-p for non-promisc mode), checking 2 ifaces - eth0 and br0, two modes - promisc/non-promisc. In all cases IPs and MACs in packets are all the same, flags too. The only difference is:
In br0 non-promisc mode I can see the response (response to ping) arrived on eth0, but I can't see it on br0.
In promisc mode I see this response on br0.

Any ideas where to dig?

Thanks in advance.
--
Denis