Masquerading over a Link using Dynamic Addresses ------------------------------------------------ 1. Your initial set up must allow packets to forwarded with *no* masquerading to diald's proxy. At this stage you do not know what to masquerade as... 2. Diald receives an unmasqueraded packet on its proxy and brings the link up. 3. You now allow packets to be forwarded on the real interface *with* masquerading. You can do this in your diald addroute script, or your ip-up script. [N.B. ip-up is non-blocking so your masq setup may not be completed before diald forwards buffered packets.] [Hint: do not use the defaultroute option. Use addroute to set the masq rules, then add a default route. That way there is no window where unmasqueraded packets may be sent over the real link.] 4. Diald forwards the buffered packets it received on the proxy link. Remember, these have not yet been masqueraded. If the dynamic option has been used diald sends the buffered packets *back* to the kernel via the proxy interface rather than sending them direct to the real interface. The kernel now handles them as any other incoming packet, routing them to the real interface and applying the masquerade rules. 5. When the real link goes down you should delete the masquerade rules. You can do this in your diald delroute script or ip-down script.