List,

I currently have a three-interface Shorewall box running version 4.5.11.2 on openSUSE 13.1. Given my limited knowledge of networking, it is a testimony to the docs that such a firewall is functioning without problems.

In the DMZ there is a web server, an email server, and a wireless router. They all have private IPs in the 192.168.2.x range and the appropriate ports are forwarded from the public IPs. The router is basically to provide internet access to guests and smartphones.

The wireless router is a Buffalo WZR-600DHP. It is simultaneous dual band and runs the DD-WRT firmware. The wireless router has a DHCP server (uses DNSMasq) and hands out addresses in the 192.168.12.x range. The wireless router is in Gateway mode, which, according to the DD-WRT docs, means it does NAT/MASQ and all the devices on the 192.168.11.x range appear as the static WAN of the wireless router. Everyone has internet access and all is well.

I would like to treat the 5 GHz and the 2.4 GHz bands separately and for that reason put them on separate subnets. The DD-WRT docs explain various ways to do that. I have chosen one way and it is mostly successful.

ath0 is the 2.4 GHz wireless band
ath0.1 is a virtual interface
ath1 is the 5 GHz wireless band

By putting ath0.1 in unbridged mode you can assign it an IP address in a different subnet. I gave it 192.168.13.1. You can also set up dnsmasq to do DHCP on that subnet.

Here is what I have. Connect wirelessly to ath0 or ath1 and you get an address in the 192.168.12.x range and you can connect to the internet just fine. Connect wirelessly to ath0.1 and you get an address in the 19.168.13.x range and you cannot connect to the internet. I can ping the WAN of the wireless router but not the DMZ NIC of the Shorewall box. I can ping the DMZ NIC of the Shorewall box from the other subnet just fine.
I suspect that the virtual interface does not get NATed, retains its IP address in the 192.168.13.x range, and the wireless router and/or Shorewall don't know what to do with the packets. I have read a lot today about adding routes. That is actually a good result, because then I can use Squid on the Shorewall box to treat that subnet differently.

I have several questions.

How do I tell where the 192.168.13.x packets get stopped? Traceroute, Wireshark, Shorewall logs? I have seen lots of references to these in the list, but haven't used them. The Shorewall firewall logs don't seem to be applicable.

Do I need to add a static route to both Shorewall and the wireless router, or to just one?

The third question is whether there is a better way to do what I am doing. The DD-WRT docs did add the possibility of adding a bridge and then assigning ath0.1 to that bridge.

Sorry for the long question that partly involves DD-WRT. I have spent hours fiddling with this and this list is the most knowledgeable and responsive I have ever followed.

Mike

--
Michael A. Coan
Woodlawn Foundation
56 Harrison Street, Suite 401
New Rochelle, NY 10801-6560
Tel: 914-632-3778
Fax: 914-632-5502