Hi We have the following situation: A hypervisor using KVM-Qemu/libvirt with a single VM. The VM has the internal IP 192.168.122.151 on the default network pool using virbr0 on the hypervisor. We've set up netfilter rules to DNAT requests on one IP of the hypervisor to the VM. So, first of all, forwarding to the internal IP range is allowed: Then we're forwarding a few ports from the hypervisor's public IP to the VM, imaps being one of them: Since the VM is also doing SMTP, we need it to send out mail via a dedicated IPv4, which we achieve through the following SNAT rule: Now, on this mailserver, we're also running a roundcube instance. For authentication, roundcube connects to the imaps port of the local dovecot instance. In order for the SSL certificate check to succeed, it needs to do so using the actual domain name, and cannot use "localhost" or the loopback IP address. The problem is that, given the above iptables rules, connecting from inside the VM to itself via the hypervisor's external interface doesn't work. The connection simply times out, logging reveals they're not getting forwarded. We've added logging to iptables and testing in promisc mode vs. not-promisc: This is what gets logged when virbr0 is not in promisc mode: And this when the device is in promisc mode: Another workaround we found is to disable iptables on the bridge interface. But I do not consider this a solution, merely a workaround. I do not understand why the forward rule mentioned above does not apply to the situation where IN and OUT are both virbr0? Thank you for any advice, David -- TenTwentyFour S.à r.l. W: www.tentwentyfour.lu T: +352 20 211 1024 F: +352 20 211 1023 9, avenue des Hauts-Fourneaux L-4362 Esch/Alzette