I think your basic setup for testing is flawed. You are trying to test going through a firewall by going from a local network, out to the internet, back in through the WAN side of your firewall, and on to your second box (on the same LAN).
If this is not what you're trying to do, ignore most of what follows, as I clearly misunderstood what you're trying :-)

[SNIP to second trace]

>
> 15:33:09.30 > ss00.44378 > m31-mp1.cvx3-a.pop.dial.ntli.net.5800: S 1000303348:1000303348(0) win 5840 <mss 1460,sackOK,timestamp 260101419 0,nop,wscale 0> (DF)

====> try to connect to port on firewall

> 15:33:09.30 B arp who-has qgw tell ss02fw /* firewall determining where to send the inbound traffic I guess? */

====> firewall forwards the request to local 'qgw'

> 15:33:09.30 P arp reply qgw is-at 0:c0:9f:7:92:93 (0:80:c8:e0:e5:72)
> 15:33:09.30 P ss00.44378 > qgw.5800: S 1000303348:1000303348(0) win 5840 <mss 1460,sackOK,timestamp 260101419 0,nop,wscale 0> (DF)

====> packet is forwarded. Note that source address would be 'ss00'; dest address has likely been changed by firewall to 'qgw'

> 15:33:09.30 B arp who-has ss00 tell qgw /* wtf?? */

====> 'ss0' sees that 'qgw' is on local LAN, so will send directly back to 'qgw'. So it does an ARP request

> 15:33:09.30 > arp reply ss00 (0:a0:cc:52:96:36) is-at 0:a0:cc:52:96:36 (0:c0:9f:7:92:93)
> 15:33:09.30 < qgw.5800 > ss00.44378: S 284564:284564(0) ack 1000303349 win 8760 <mss 1460> (DF)

====> sso tries to ACK the connection. Note that its source address is 'SS0', not 'm31......'

> 15:33:09.30 > ss00.44378 > qgw.5800: R 1000303349:1000303349(0) win 0 (DF)

====> 'qgw' doesn't accept the ACK (cause he's trying to talk to 'M31....', not 'QGW')

[SNIP rest of mail]

Basically, everything is working as it should. I presume that the firewall is running NAT, in which case it would normally translate addresses originating from the inside. Except, in this case, since the traffic is destined for an internal address, it appears to your firewall that the connection is one initiated from an external address ===> in this case it will not translate the source address. Clear as mud.

To test your setup, you're going to have to move the second system off the local LAN.
Regards,
-EricZ

_______________________________________________
VNC-List mailing list
[EMAIL PROTECTED]
http://www.realvnc.com/mailman/listinfo/vnc-list
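An added illustration of the exchange EricZ walks through above; this is example code written for this page, not part of the original mail or anything the poster's firewall runs. It is a toy model in which the firewall applies destination NAT to its WAN address but leaves the source address of a LAN-originated SYN untouched, so the server's SYN/ACK goes straight back across the LAN and the client, which expected a reply from the public address, answers with a RST. The host names, the VNC port 5800 and the client port 44378 are taken from the trace; the packet model, the `snat_hairpin` option and the use of ss02fw as the firewall's LAN-side address are assumptions. The second run goes beyond the mail: it shows the usual remedy for this symptom (source-NAT the hairpinned flow so the reply is forced back through the firewall), which is a standard technique rather than something the mail proposes.

```python
"""Toy model of the hairpin-NAT failure shown in the tcpdump trace above.
Added example: names/ports come from the trace, the packet model and the
snat_hairpin option are assumptions, not the original poster's setup."""
from dataclasses import dataclass, replace

FW_WAN = "m31-mp1.cvx3-a.pop.dial.ntli.net"  # firewall's public side (from the trace)
FW_LAN = "ss02fw"                            # firewall's LAN side (assumed from the ARP line)
CLIENT, SERVER = "ss00", "qgw"               # the two LAN boxes (from the trace)
VNC_PORT, CLIENT_PORT = 5800, 44378          # ports seen in the trace
LAN = {CLIENT, SERVER, FW_LAN}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # tcpdump style: "S" SYN, "S." SYN/ACK, "." ACK, "R" RST


class Firewall:
    """DNAT traffic for FW_WAN:VNC_PORT to SERVER. With snat_hairpin=True it also
    rewrites the source of LAN-originated (hairpinned) flows to its own LAN address
    so the server's reply is forced back through it (assumed remedy, not in the mail)."""

    def __init__(self, snat_hairpin: bool):
        self.snat_hairpin = snat_hairpin
        self.state = {}  # (translated src, sport) -> original (src, sport)

    def inbound(self, pkt: Packet) -> Packet:
        if pkt.dst != FW_WAN or pkt.dport != VNC_PORT:
            return pkt
        out = replace(pkt, dst=SERVER)  # destination NAT, as the mail infers
        if self.snat_hairpin and pkt.src in LAN:
            self.state[(FW_LAN, pkt.sport)] = (pkt.src, pkt.sport)
            out = replace(out, src=FW_LAN)  # source NAT only for hairpinned flows
        return out

    def reply(self, pkt: Packet):
        """Reverse both translations for a reply that came back to the LAN address."""
        orig = self.state.get((pkt.dst, pkt.dport))
        if orig is None:
            return None  # no state for this flow: drop
        return replace(pkt, src=FW_WAN, dst=orig[0], dport=orig[1])


def simulate(snat_hairpin: bool):
    """Return (outcome, wire): wire lists packets in the order a sniffer on the
    LAN would see them, mirroring the trace in the mail (ARP omitted)."""
    fw = Firewall(snat_hairpin)
    wire = []
    syn = Packet(CLIENT, FW_WAN, CLIENT_PORT, VNC_PORT, "S")
    wire.append(syn)                     # client -> firewall's public address
    fwd = fw.inbound(syn)
    wire.append(fwd)                     # firewall -> server, dst rewritten to qgw
    synack = Packet(SERVER, fwd.src, VNC_PORT, fwd.sport, "S.")
    wire.append(synack)                  # server answers whoever the SYN claims to be from
    if synack.dst == FW_LAN:
        delivered = fw.reply(synack)     # reply goes back through the firewall
        wire.append(delivered)
    else:
        delivered = synack               # dst is on the LAN: ARP, then direct delivery
    if delivered.src == FW_WAN and delivered.sport == VNC_PORT:
        wire.append(Packet(CLIENT, FW_WAN, CLIENT_PORT, VNC_PORT, "."))
        return "established", wire
    # client expected a SYN/ACK from m31...:5800 but got one from qgw: reset it
    wire.append(Packet(CLIENT, delivered.src, CLIENT_PORT, delivered.sport, "R"))
    return "reset", wire


def render(wire):
    """Format packets roughly the way tcpdump prints them."""
    return [f"{p.src}.{p.sport} > {p.dst}.{p.dport}: {p.flags}" for p in wire]


if __name__ == "__main__":
    for mode in (False, True):
        outcome, wire = simulate(mode)
        print(f"snat_hairpin={mode}: {outcome}")
        for line in render(wire):
            print("   ", line)
```

Running it prints the failing exchange first (SYN to the public name, forwarded SYN with the client's own source, SYN/ACK straight from qgw, RST from ss00) and then the same connection completing once the hairpinned flow is source-translated. The first run is the sequence in the trace; the second is what a sniffer would see after the assumed remedy, where moving the client off the LAN, as the mail suggests, is the other way to get the reply routed through the firewall.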
