diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml
index 90d088914..bcbc329bf 100644
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -648,6 +648,19 @@ Feb 9 17:23:45 gw.ilinx kernel: ll header: 00:a0:24:2a:1f:72:00:13:5f:07:97:05:
application to use). See below.
+
+ If all else fails, remove the routefilter option from your external interfaces.
+ If you do this, you may wish to add rules to log and drop packets from
+ the Internet that have source addresses in your local networks. For
+ example, if the local LAN in the above diagram is 192.168.1.0/24, then
+ you would add this rule:
+
+ #ACTION SOURCE DEST
+DROP:info net:192.168.1.0/24 all
+
+ Be sure the above rule is added before any other rules with
+ net in the SOURCE column.
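Review bot: The paragraph ending at "net in the SOURCE column" tells the reader to add a rule but never names the file it belongs in, and the example covers only 192.168.1.0/24 although the text speaks of "source addresses in your local networks". Suggest naming the file (the "#ACTION SOURCE DEST" header implies the rules file) and stating that one DROP:info line is needed for each local network, since the text presents these rules as the substitute for what routefilter was doing on the external interfaces. It would also help to spell out what "If all else fails" refers to, so readers try the earlier remedies before removing routefilter.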
diff --git a/docs/netmap.xml b/docs/netmap.xml
index e55c165b3..92f0363da 100644
--- a/docs/netmap.xml
+++ b/docs/netmap.xml
@@ -303,14 +303,11 @@ SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B
Can't I do this with one router? Why do I need two?
- The single router would have to be able to route to two different
- 192.168.1.0/24 networks. In Netfilter parlance, that would mean that the
- destination IP address would have to be rewritten after the packet had
- been routed; Netfilter doesn't have that capability.
-
- Note that if you do it with two routers, then adding a third is
- easy. There's no reason why you can't have yet another network that is
- 192.168.1.0/24 on the inside, but you can allocated it 10.10.12.0/24 for
- everybody else.
+ I wrote this article before Shorewall included multiple provider support. You should be able
+ to accomplish the same thing with just one router through careful use of
+ /etc/shorewall/netmap and multiple
+ providers. If you try it and get it working, please contribute an
+ update to this article.
\ No newline at end of file
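Review bot: The replacement answer under "Can't I do this with one router?" drops the technical reason the old text gave (the destination address would have to be rewritten after the packet had been routed) and substitutes a claim the new text itself marks as untried ("If you try it and get it working"). Suggest keeping the old explanation as background and saying which part of it multiple provider support changes, or labelling the single-router approach explicitly as untested. The removed note about adding a third router with 10.10.12.0/24 appears to remain applicable to the two-router design and could stay. The file also now ends without a trailing newline.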