I have two private networks, we'll say 192.168.254.0/24 and 192.168.251.0/24. And I have a Linux box in the middle with addresses 192.168.254.17 and 192.168.251.10:
+---------------+   +----------------+
| 192.168.251.1 +---+ 192.168.251.10 |   +----------------+
+---------------+   | 192.168.254.17 +---+ 192.168.254.16 |
                    +----------------+   +----------------+
- IP Forwarding has been enabled on the router via "echo 1 > /proc/sys/net/ipv4/ip_forward"
- A route has been configured on 192.168.251.1 to point all traffic for 192.168.254.0/24 to 192.168.251.10.
- A route has been configured on 192.168.254.16 to point all traffic for 192.168.251.0/24 to 192.168.254.17.
- The command "iptables -I FORWARD -j ACCEPT" has been executed.
Now.. here's what happens. 192.168.251.10 can ping both interfaces on the router. 192.168.254.16 can also ping both interfaces on the router. However, 192.168.251.1 cannot ping 192.168.254.16, and likewise, 192.168.254.16 cannot ping 192.168.251.1.
What have I forgotten?
Then have a look at the arp cache to see if it's got any stale data. And double check the routing table on ALL the boxes to see if there is anything odd.
Also try allowing the iptables forward rule with logging, so you can easily see the packets passing by. Might give you some more info.
<It sounds like the default gateway (or routing) entries are not set correctly. It sounds like 192.168.251.1 does not have 192.168.251.10 as its default gateway (or gw to 192.168.254/24). I'd double check things first.>
That's correct.. it does not have that address as its default gateway, because that is not this device's default gateway. 192.168.251.1 has another interface that connects it to the internet, and has the default gateway set there. That's why I've created the static route to route traffic destined for 192.168.254.0/24 to 192.168.251.10.
<Then have a look at the arp cache to see if it's got any stale data. And double check the routing table on ALL the boxes to see if there is anything odd.>
Nothing strange here.
<Also try allowing the iptables forward rule with logging, so you can easily see the packets passing by. Might give you some more info.>
After clearing out iptables, I tried the following:
iptables -I FORWARD -j LOG --log-level DEBUG
iptables -I FORWARD -j ACCEPT
Here is what's entered into my debug log file when I try to ping across the router:
May 29 14:59:54 host kernel: IN=eth1 OUT=br0 SRC=192.168.254.16 DST=192.168.251.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=30246 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=20994
eth1 and br0 are the correct interface names.
jam13,
<Does it work if you switch off iptables/ipchains entirely?>
Nope.. that's how I started, and then tried using iptables because that didn't work.
<Also when you do the ping, are you getting a timeout or a specific error message either from the local machine or the firewall?>
I am just getting a timeout, no error message.. and to clarify, there is no firewall.
May 29 14:59:54 host kernel: IN=eth1 OUT=br0 SRC=192.168.254.16 DST=192.168.251.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=30246 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=20994
This happens when 192.168.254.16 tried to ping 192.168.251.1. Everything looks good, but it times out.
When I go the other way and have 192.168.251.1 try to ping 192.168.254.16, it does not log anything, though I would expect it to.
iptables -L looks like this:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             LOG level debug
ACCEPT     all  --  anywhere             anywhere
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
<When I go the other way and have 192.168.251.1 try to ping 192.168.254.16, it does not log anything, though I would expect it to.>
This suggests that it's the routing on 192.168.251.1 that is at fault. Maybe a subnet mask error? If the subnet mask on 192.168.251.1 was set to /16 rather than /24 it would produce this result.
<This suggests that it's the routing on 192.168.251.1 that is at fault. Maybe a subnet mask error? If the subnet mask on 192.168.251.1 was set to /16 rather than /24 it would produce this result.>
That's what I thought too.. though a double-, triple-, and quadruple-check reveals that it is set to /24.
Of course, while checking that.. I did find the problem, and I knew it was something stupid, something simple.. and even though I knew that it would be, I still can't believe I actually did this.
On 192.168.251.1, the route was specified to go through a particular interface for its gateway, but the gateway address itself (of 192.168.254.17) was not specified.
I appreciate everyone's effort.. thank you!
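A small audit script for the mistake found in the last post, added here as an example that is not part of the thread. It reads `ip route show` text (the two sample tables are constructed, using the thread's addresses plus a made-up 203.0.113.1 upstream gateway) and flags any route to a remote subnet that names an interface but no next-hop gateway, which makes the host ARP for the remote address on its own link instead of handing packets to the router; it also checks the ip_forward sysctl from whatever file path you pass it.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a host's static routes for a
# route that has "dev <iface>" but no "via <gateway>". With such a route the
# host never sends the packets to the router, so the router logs nothing,
# which is exactly the symptom seen above.

# Print each non-default, non-connected route that lacks a "via" clause.
# $1 is the text of `ip route show`, one route per line.
# Exit status: 0 if every remote route has a gateway, 1 otherwise.
find_gatewayless_routes() {
    printf '%s\n' "$1" | awk '
        # skip the default route and directly connected subnets
        $1 == "default" || /proto kernel/ { next }
        # a remote prefix with an interface but no next hop is the bug
        /dev / && !/via / { print $1; bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# True when the file named by $1 (normally /proc/sys/net/ipv4/ip_forward)
# contains "1"; taking the path as an argument lets it run against a test file.
ip_forward_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Constructed sample: the broken table on 192.168.251.1, where the route to
# 192.168.254.0/24 names the interface only ...
BROKEN_TABLE='default via 203.0.113.1 dev eth0
192.168.251.0/24 dev eth1 proto kernel scope link src 192.168.251.1
192.168.254.0/24 dev eth1 scope link'

# ... and the corrected table, with the router (192.168.251.10) as next hop.
FIXED_TABLE='default via 203.0.113.1 dev eth0
192.168.251.0/24 dev eth1 proto kernel scope link src 192.168.251.1
192.168.254.0/24 via 192.168.251.10 dev eth1'

echo "broken table:"
find_gatewayless_routes "$BROKEN_TABLE" || echo "-> route(s) above have no gateway"
echo "fixed table:"
find_gatewayless_routes "$FIXED_TABLE" && echo "-> ok"
```

On a live host run `find_gatewayless_routes "$(ip route show)"` and `ip_forward_enabled /proc/sys/net/ipv4/ip_forward` on each box in the path.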