I have the following scenario:

Verizon APs are configured to run associated devices through a GRE tunnel between Verizon and our network, using a 10.99.0.0/16 subnet which is mangled to 10.10.1.1 (local network). Policy-based routing sends all port 80 and 443 traffic originating from 10.99.0.0/16 to the qlproxy IP (10.10.1.85) (squid proxy). iptables on the qlproxy box port-forwards all 80 and 443 traffic to 3126 & 3127. Qlproxy (4.0) has the appropriate transparent and ssl_bump rules to process incoming traffic.

Squid logs show the request for web pages is made via the policy-based routing (Mikrotik firewall/router), but nothing is returned to the requesting device. It just simply times out after a long wait.

However, if I configure a tunnelled device to use port 3128 in the proxy settings of the browser, or if a tunnelled device requests the proxy URL via port 80, web requests start working, as expected for the configured device, as well as for all devices that are hitting the proxy transparently from the tunnel. This will work as long as some form of traffic from the tunnelled devices is generated. If things are left dormant for 3-5 minutes, traffic will stop working again, until a device requests the proxy URL via port 80.

As a workaround to minimize complaints I created a cron job, using wget of the proxy URL, which runs every couple of minutes. As long as the wget command runs, Internet works fine for all tunnelled devices.

On a side note, policy routing of local 10.10.0.0/16 devices works just fine running through the proxy transparently, without interruptions, even when the tunnelled devices cease working. Internet works fine if we send tunnelled traffic through and NAT the same as the 10.10.0.0/16 network.

Any ideas?

--
Raymond Norton
LCTN
952.955.7766