-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Zitat von Lui <batman(a)schmudde.com>om>: Hi, independet of the kind of the solution for the internet gateway, each node that offers can do some vandalism. It only needs to use its own firmware or compiled batmand version. So we should trust each node client that it is not modified in such a bad way. If a tunnel is used or other parts of the firmware run some tests and setup default routes doesn't matter. As you know dresden freifunk is very in the beginning and therefore I like to take the opportunity to use badmand because of its clear usage and functionality. but for our tests I have used policy routing and a similar technic to check for all possible gateways a node may have. this eliminates the following problem: A------B(HNA: allinet)-----C(HNA:one Inet ip) Node C only has a HNA for a specific internet server but does not offer a verified internet gateway. If A access this ip than Node B did not use its verified offered gateway and forwards the request to C. The problem is, that the HNA of C may be brocken or missconfigured. Policy routing allows to filter for all Internet addresses on Node B and redirects the packets to the proofed gateway. Please let me know if I didn't got anything right. For the first glace I would prever standard routing without tunnel, which let me see where the packet go to the internet and which way they use (inc.timings traceroute). I now I can traceroute the gateway and the internet in two step to get the same info. Bye Stephan