Hello list,
I have two ISP connections (different providers), both with dynamic IP
addresses.
I have three interfaces, two external and one internal, and am trying to balance
traffic over the two ppp connections.
Shorewall Version: Shorewall-3.2.4
The Problem:
Using a browser on the firewall (braveheart), traffic is balanced over both
links, but clients (geronimo) behind the server are unable to connect to
external hosts, e.g. to connect to an external POP3 server.
I have gone through the Shorewall MultiISP document a number of times, but am
unable to make things work correctly.
Please see configs/logs below for more detail - is there a glaring omission or
misconception on my part?
Many thanks for any assistance.
Gero.
..............................................................................................................................................
/etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net ppp0 detect dhcp,routefilter,norfc1918,tcpflags
net ppp1 detect dhcp,routefilter,norfc1918,tcpflags
loc eth2 detect tcpflags
mob tun0 detect tcpflags
.............................................................................................................................................
/etc/shorewall/masq
#INTERFACE  SUBNET  ADDRESS  PROTO  PORT(S)
#eth0       eth2
#eth1       eth2
ppp0        $PPP1   $PPP0
ppp1        $PPP0   $PPP1
ppp0        eth2    $PPP0
ppp1        eth2    $PPP1
.............................................................................................................................................
/etc/shorewall/providers
#NAME    NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY  OPTIONS        COPY
ADSL     1       1     -          ppp0       detect   track,balance  eth2
IBURST   2       2     -          ppp1       detect   track,balance  eth2
.............................................................................................................................................
braveheart shorewall # ip route ls
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
196.2.112.1 dev ppp1 proto kernel scope link src 196.2.113.182
41.242.64.1 dev ppp0 proto kernel scope link src 41.242.68.98
10.8.0.0/24 via 10.8.0.2 dev tun0
10.100.10.0/24 dev eth2 proto kernel scope link src 10.100.10.1
127.0.0.0/8 dev lo scope link
default
nexthop via 41.242.64.1 dev ppp0 weight 1
nexthop via 196.2.112.1 dev ppp1 weight 1
.............................................................................................................................................
braveheart shorewall # ip rule ls
0: from all lookup local
10001: from all fwmark 0x1 lookup ADSL
10002: from all fwmark 0x2 lookup IBURST
20000: from 165.145.127.86 lookup ADSL
20000: from 165.145.124.131 lookup ADSL
20000: from 41.242.68.98 lookup ADSL
20256: from 196.2.104.214 lookup IBURST
20256: from 41.208.195.204 lookup IBURST
20256: from 196.2.126.97 lookup IBURST
20256: from 196.2.113.182 lookup IBURST
32766: from all lookup main
32767: from all lookup default
.............................................................................................................................................
braveheart shorewall # netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
196.2.112.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp1
41.242.64.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.100.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 41.242.64.1 0.0.0.0 UG 0 0 0 ppp0
.............................................................................................................................................
Pinging from a client behind the firewall results in the below - packets are
rejected for some reason.
geronimo # ping 196.4.160.2
PING 196.4.160.2 (196.4.160.2) 56(84) bytes of data.
/var/log/messages:
Nov 19 08:18:52 braveheart kernel: Shorewall:FORWARD:REJECT:IN=ppp1 OUT=ppp1
SRC=196.4.160.2 DST=10.100.10.50 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=38403 DF
PROTO=ICMP TYPE=0 CODE=0 ID=47879 SEQ=8
.............................................................................................................................................
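The kernel log line quoted at the end of the post is the one piece of evidence that can be checked mechanically. As an added example (not from the post, and not Shorewall's own code), here is a small parser for Shorewall's netfilter log prefix that flags forwarded packets whose IN and OUT interface are the same, and packets addressed to an internal network that the routing decision nevertheless sent out a provider interface. The first sample line, the 10.100.10.0/24 network and the ppp0/ppp1 provider names are taken from the post; the other two sample lines and the 198.51.100.7 address are constructed.

```python
"""Parse netfilter log lines written by Shorewall and flag forwarding anomalies.

Added example, not part of the original post or of Shorewall.  The log format
is the one visible in the post: a "Shorewall:<chain>:<disposition>:" prefix
followed by the kernel's key=value fields (flag-only tokens such as DF or SYN
carry no '=').
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample log.  Only the first line mirrors the REJECT in the post;
# the second is an ordinary client->Internet drop entering on the inside
# interface, the third is an unrelated syslog line the parser must ignore.
SAMPLE_LOG = [
    "Nov 19 08:18:52 braveheart kernel: Shorewall:FORWARD:REJECT:IN=ppp1 OUT=ppp1 "
    "SRC=196.4.160.2 DST=10.100.10.50 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=38403 DF "
    "PROTO=ICMP TYPE=0 CODE=0 ID=47879 SEQ=8",
    "Nov 19 08:19:01 braveheart kernel: Shorewall:loc2net:DROP:IN=eth2 OUT=ppp0 "
    "SRC=10.100.10.50 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF "
    "PROTO=TCP SPT=40001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov 19 08:19:02 braveheart pppd[1234]: local  IP address 41.242.68.98",
]

# Topology from the post: eth2 network behind the firewall, two provider links.
INTERNAL_NETS = [ipaddress.ip_network("10.100.10.0/24")]
EXTERNAL_IFACES = {"ppp0", "ppp1"}

_PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):")
_FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

ICMP_TYPES = {"0": "echo reply", "3": "destination unreachable",
              "8": "echo request", "11": "time exceeded"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of a Shorewall log line, or None for other lines.

    Note: ID appears twice for ICMP (IP header id, then ICMP id); the later one wins.
    """
    m = _PREFIX.search(line)
    if not m:
        return None
    rec = {"CHAIN": m.group("chain"), "DISPOSITION": m.group("disp")}
    rec.update(_FIELD.findall(line[m.end():]))
    return rec


def proto_label(rec: Dict[str, str]) -> str:
    """Human-readable protocol label, naming common ICMP types."""
    proto = rec.get("PROTO", "?")
    if proto == "ICMP":
        return "ICMP " + ICMP_TYPES.get(rec.get("TYPE", ""), "type " + rec.get("TYPE", "?"))
    return proto


def findings(rec: Dict[str, str],
             internal_nets=INTERNAL_NETS,
             external_ifaces=EXTERNAL_IFACES) -> List[str]:
    """Anomalies in the routing decision recorded for one logged packet."""
    notes: List[str] = []
    inif, outif = rec.get("IN", ""), rec.get("OUT", "")
    try:
        dst = ipaddress.ip_address(rec.get("DST", ""))
    except ValueError:
        dst = None
    # Same interface in and out: the packet is being turned around on one link.
    if inif and inif == outif:
        notes.append(f"hairpin: IN and OUT are both {inif} ({proto_label(rec)})")
    # An internal destination routed out a provider link means the routing table
    # consulted for this packet (see `ip rule ls`) has no route for that network
    # and fell through to a default route.
    if dst is not None and outif in external_ifaces and any(dst in n for n in internal_nets):
        notes.append(f"internal DST {dst} routed out provider interface {outif}: "
                     "the table selected for this packet lacks a route to that network")
    return notes


def report(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Parse every line and keep only records that produced a finding."""
    out: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        notes = findings(rec)
        if notes:
            out.append({"line": line, "record": rec, "findings": notes})
    return out


if __name__ == "__main__":
    for entry in report(SAMPLE_LOG):
        r = entry["record"]
        print(f"{r['CHAIN']}:{r['DISPOSITION']} {r.get('SRC')} -> {r.get('DST')}")
        for note in entry["findings"]:
            print("   ", note)
```

Run it against a real /var/log/messages by replacing SAMPLE_LOG with the file's lines. When the second finding fires for a provider table, the next thing to compare is the output of `ip route show table <provider>` against the main table: the post's ADSL and IBURST tables are selected by fwmark 0x1 and 0x2 before the main table is ever consulted, so each must carry its own route to the eth2 network.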