Hi list,

Does anybody here use shorewall and vtun (http://vtun.sourceforge.net/) together for firewall and VPN?

I have the effect that when I connect two sites running shorewall with vtun, I cannot establish a connection between the VPN endpoints, and there is no masquerading between them. vtun runs in ether mode, so it uses tap devices, which are configured just like any other NIC: they are configured in interfaces, have their own zones, and all masq and rule entries are correct.

When the other endpoint has no shorewall, it is enough to add the following after setting the route to the other end:

    /sbin/iptables -t nat -A POSTROUTING -j MASQUERADE
    /sbin/iptables -A FORWARD -s 195.127.121.0/24 -d 192.168.0.0/24 -j ACCEPT

That just works, but what has to be done in shorewall?

Cheers
Michael