> Couldn't one just put the m0n0 box in the DMZ zone and everyone behind
> the m0n0?
this is sort of like the best situation I'm thinking of.
m0n0wall has to have two interfaces on distinct subnets, making this a
bit more difficult. Due to a lack of better options...I think I'd put
a DMZ interface on the IPcop box, put m0n0wall's WAN on that DMZ, and
put m0n0wall's LAN on the LAN. Leave IPcop as the default gateway,
keep m0n0wall's LAN on the same LAN subnet as IPcop, and use a PPTP
subnet on the LAN.
Then for DHCP use the hidden config.xml gateway option to assign
IPcopy as the default gateway.
and that should do it. pass GRE and TCP 1723 to m0n0wall's WAN, and
you're set. Passing GRE might be a problem though, unless IPcop has a
PPTP forwarder like m0n0wall does, or unless it supports NAT'ing GRE
in situations other than 1:1 NAT (m0n0wall doesn't, though the PPTP
forwarder makes that unnecessary).
This isn't pretty any way you do it. Good luck!