Thanks all for the helpful suggestions. It looks like I solved the problem by adjusting my forward chain. I have the local network on eth0 and the external network on eth1, and my forward chain looked like:

    -I FORWARD -i eth0 -o eth1 -s 2001:db8::/64 -j ACCEPT
    -I FORWARD -i eth1 -o eth0 -d 2001:db8::/64 -j ACCEPT

Changing it to the following made it work:

    -I FORWARD -s 2001:470:85cd::/64 -j ACCEPT
    -I FORWARD -d 2001:470:85cd::/64 -j ACCEPT

I am not sure if it'd be less secure to not make it specific to the interfaces. How would I change the first set of rules, using the -i parameter, and still make it work? I also have a 6in4 interface for the IPv6 tunnel.

--
http://goldmark.org/jeff/stupid-disclaimers/
http://linuxmafia.com/~rick/faq/plural-of-virus.html