Hi,

after reading extensively about TCP/IP and routing and firewall rules, trying out NAT and static routes and many more, I'm still having problems accessing the DMZ from the WAN. After digging into the firewall protocol I found out what seems to be the problem:

14:23:56.103360 xl2 @200:5 p 213.y.y.108,58439 -> 212.x.x.123,80 PR tcp len 20 48 -S K-S IN
14:23:56.103384 xl1 @200:5 p 213.y.y.108,58439 -> 212.x.x.123,80 PR tcp len 20 48 -S K-S OUT
14:23:56.103519 xl1 @200:5 p 212.x.x.123,80 -> 213.y.y.108,58439 PR tcp len 20 44 -AS K-S IN
14:23:56.103554 xl2 @200:5 p 212.x.x.98,45456 -> 213.y.y.108,58439 PR tcp len 20 44 -AS K-S OUT

xl1 = DMZ interface, xl2 = WAN interface

When accessing the web server on 212.x.x.123, the response from it is sent back under a wrong IP, i.e. 212.x.x.98.

What can be the cause of this problem? Here is my configuration.

My interfaces are as follows:

xl0: LAN: IP address: 198.168.0.1 / 24
xl1: DMZ: IP address: 212.x.x.113 / 28, no bridge
xl2: WAN: static IP address: 212.x.x.98 / 30, Gateway: 212.x.x.97

I have no NAT configured, and I have no static routes either.

For testing reasons the firewall rules allow everything at the moment:

interface LAN: prot: any, source: LAN, dest: any
interface DMZ: prot: any, source: any, dest: any
interface WAN: prot: any, source: any, dest: any

Everything else works fine, i.e. accessing DMZ or WAN from LAN and accessing LAN or WAN from DMZ.

Any ideas? Or could there be a bug somewhere? I'm hoping it is not too simple and obvious for you guys to answer ;-)

Dietmar
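An added example, not part of the original post: a small Python check that pairs each inbound SYN in log lines of this format with the SYN-ACK leaving the same interface, and reports replies whose source address or port differs from what the client contacted. The function and variable names are hypothetical; the sample input is the four log lines quoted in the post.

```python
import re

# The four log lines quoted in the post (addresses masked as in the original).
SAMPLE_LOG = """\
14:23:56.103360 xl2 @200:5 p 213.y.y.108,58439 -> 212.x.x.123,80 PR tcp len 20 48 -S K-S IN
14:23:56.103384 xl1 @200:5 p 213.y.y.108,58439 -> 212.x.x.123,80 PR tcp len 20 48 -S K-S OUT
14:23:56.103519 xl1 @200:5 p 212.x.x.123,80 -> 213.y.y.108,58439 PR tcp len 20 44 -AS K-S IN
14:23:56.103554 xl2 @200:5 p 212.x.x.98,45456 -> 213.y.y.108,58439 PR tcp len 20 44 -AS K-S OUT
"""

# time, interface, rule, action, src,port -> dst,port, TCP flags, direction
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<iface>\S+)\s+@\S+\s+\w\s+"
    r"(?P<src>[^,\s]+),(?P<sport>\d+)\s+->\s+(?P<dst>[^,\s]+),(?P<dport>\d+)\s+"
    r"PR\s+tcp\s+len\s+\d+\s+\d+\s+-(?P<flags>[A-Z]+)\s+.*\b(?P<dir>IN|OUT)$"
)

def find_rewritten_replies(log_text):
    """Return SYN-ACKs whose source differs from the endpoint the SYN targeted."""
    pending = {}   # (iface, client_ip, client_port) -> (server_ip, server_port)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not a TCP log line in the expected format
        rec = m.groupdict()
        if rec["flags"] == "S" and rec["dir"] == "IN":
            # Client SYN arriving on this interface: remember who it asked for.
            pending[(rec["iface"], rec["src"], rec["sport"])] = (rec["dst"], rec["dport"])
        elif rec["flags"] == "AS" and rec["dir"] == "OUT":
            # SYN-ACK leaving towards a client: must come from the asked endpoint.
            expected = pending.get((rec["iface"], rec["dst"], rec["dport"]))
            actual = (rec["src"], rec["sport"])
            if expected and actual != expected:
                findings.append({"time": rec["time"], "iface": rec["iface"],
                                 "expected": expected, "actual": actual})
    return findings

if __name__ == "__main__":
    for finding in find_rewritten_replies(SAMPLE_LOG):
        print(finding)
```
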