I have a Debian Linux based router that is working good. We now have to add a second router for a VPN connection back to a vendor. The eth1 interface of the Debian router is at 192.168.1.254. The LAN interface for the new router is set to 192.168.1.253. I added a static route for the network on the Debian router and I can ping hosts on the VPN connected network. I cannot ping any host on the VPN connected network from any LAN computers (all of which have 192.168.1.254 as the default gateway). I tried adding a DNAT rule to the POSTROUTING chain but that didn't seem to help. I am guessing I am missing something glaring here but am tired of beating my head against the keyboard. I can post examples if that would help. I just typed this quick while drinking a um coffee, yea that's it.