diff --git a/docs/package/gluon-alt-esc-client.rst b/docs/package/gluon-alt-esc-client.rst
new file mode 100644
index 00000000..449988bc
--- /dev/null
+++ b/docs/package/gluon-alt-esc-client.rst
@@ -0,0 +1,41 @@
+gluon-alt-esc-client
+====================
+
+The *gluon-alt-esc-client* package allows to create an additional wifi interface
+with an alternative default gateway.
+
+Accessibility
+-------------
+
+The alternative default gateway is configured by its MAC address in the config
+mode. This host with its MAC needs to be a accessible directly within the mesh
+network (client zone).
+
+An easy way is to use the *gluon-alt-esc-provider* package and copy the
+MAC address it presents in the config mode and paste it into the client
+side configuration. However, the provider package is not mandatory - in fact
+any host in the mesh network can potentially be chosen as an alternative default
+gateway (as long as it allows routing, of course).
+
+Only Off-link subnets are rerouted to the alternative exit. On-link subnets are
+excluded. They are currently determined via *prefix4*, *prefix6*, *extra_prefixes4*
+and *extra_prefixes6* from the site.conf.
+
+Naming / ESSID
+--------------
+
+The name (so called ESSID) for the newly created wifi interface can be
+freely chosen. However the author suggests to not use the word "Freifunk"
+in it (for quite a while the internet is not a free/libre network anymore).
+
+The following two hash tags are automatically appended:
+
+*Zone-ID*: It prevents potential roaming conflicts. (Technically, it is generated
+by taking the first four bytes of the hexadecimal form of an md5sum over
+"<ipv4-gw-MAC>,<ipv6-gw-MAC>,<essid>")
+
+*Site Code*: The communities site code is appended. To Freifunk enthusiasts it
+signalizes:
+
+- free and unaltered access to the Freifunk intranet of the local community
+- that this node contributes to the local Freifunk community as a mesh node
diff --git a/docs/package/gluon-alt-esc-provider.rst b/docs/package/gluon-alt-esc-provider.rst
new file mode 100644
index 00000000..b144764c
--- /dev/null
+++ b/docs/package/gluon-alt-esc-provider.rst
@@ -0,0 +1,17 @@
+gluon-alt-esc-provider
+======================
+
+The *gluon-alt-esc-provider* package is the counterpart to the *gluon-alt-esc-client*
+package. It configures the firewall of the according Gluon node to grant permission
+to route packets between the client (mesh clients) and wan zone (private network
+behind the WAN port).
+
+Packets from the client to the wan zone are NAT'ed both for IPv4 and IPv6.
+
+Two notes: Beware of the security implications for routers and hosts in your wan
+zone (yes, your 192.168.x.x devices will be accessible from the mesh).
+
+Secondly, note that the Gluon Alt-ESC provider package is not mandatory for the
+Gluon Alt-ESC client package. In fact, any client device in the mesh network
+can be chosen and configured to provide internet access for the Alt-ESC
+client package.
diff --git a/package/gluon-alt-esc-client/Makefile b/package/gluon-alt-esc-client/Makefile
new file mode 100644
index 00000000..dd4191e1
--- /dev/null
+++ b/package/gluon-alt-esc-client/Makefile
@@ -0,0 +1,16 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-alt-esc-client
+PKG_VERSION:=1
+PKG_RELEASE:=1
+
+include ../gluon.mk
+
+define Package/gluon-alt-esc-client
+  DEPENDS:=+gluon-web-admin \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_BRIDGE_EBT_DNAT \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_BRIDGE_EBT_REDIRECT
+  TITLE:=Gluon Alternative Exit Service Collaborator - Client
+endef
+
+$(eval $(call BuildPackageGluon,gluon-alt-esc-client))
diff --git a/package/gluon-alt-esc-client/files/etc/config/gluon-alt-esc-client b/package/gluon-alt-esc-client/files/etc/config/gluon-alt-esc-client
new file mode 100644
index 00000000..018b018c
--- /dev/null
+++ b/package/gluon-alt-esc-client/files/etc/config/gluon-alt-esc-client
@@ -0,0 +1,5 @@
+config client
+	option disabled '1'
+	option exit4 ''
+	option exit6 ''
+	option altesc_on_lan '0'
diff --git a/package/gluon-alt-esc-client/files/etc/init.d/gluon-alt-esc-client b/package/gluon-alt-esc-client/files/etc/init.d/gluon-alt-esc-client
new file mode 100755
index 00000000..078737d5
--- /dev/null
+++ b/package/gluon-alt-esc-client/files/etc/init.d/gluon-alt-esc-client
@@ -0,0 +1,86 @@
+#!/bin/sh /etc/rc.common
+
+. $IPKG_INSTROOT/usr/share/libubox/jshn.sh
+
+START=60
+sitejson="/lib/gluon/site.json"
+
+
+__get_ifnames() {
+	local lanif
+	local altesc_on_lan=`uci get gluon-alt-esc-client.@client[0].altesc_on_lan`
+
+	for wifi in `uci show wireless | grep "wireless.altesc_radio.*\.ifname" | sed "s/\.ifname=.*//"`; do
+		[ "`uci get $wifi.disabled`" = 0 ] && \
+			uci get $wifi.ifname
+	done
+
+	[ "$altesc_on_lan" = "1" ] && cat /lib/gluon/core/sysconfig/lan_ifname
+}
+
+get_ifnames() {
+	ifnames=`__get_ifnames | sort`
+}
+
+setup_onlink_prefixes() {
+	json_load "$(cat /lib/gluon/site.json)"
+	json_get_var prefix4 prefix4
+	json_get_var prefix6 prefix6
+	json_get_values extra_prefixes4 extra_prefixes4
+	json_get_values extra_prefixes6 extra_prefixes6
+
+	if [ -n "$1" ]; then
+		M="$1"
+		OUT="2> /dev/null"
+	else
+		M="-I"
+		OUT=""
+	fi
+
+	for p4 in $prefix4 $extra_prefixes4; do
+		eval ebtables-tiny -t nat "$M" ALT_ESC_OFFLINK -p IPv4 --ip-dst $p4 -j RETURN $OUT
+	done
+	for p6 in $prefix6 $extra_prefixes6; do
+		eval ebtables-tiny -t nat "$M" ALT_ESC_OFFLINK -p IPv6 --ip6-dst $p6 -j RETURN $OUT
+	done
+}
+
+start() {
+	local exit4="`uci get gluon-alt-esc-client.@client[0].exit4 2> /dev/null | tr 'A-Z' 'a-z'`"
+	local exit6="`uci get gluon-alt-esc-client.@client[0].exit6 2> /dev/null | tr 'A-Z' 'a-z'`"
+	local ownmac="`uci get network.client.macaddr 2> /dev/null | tr 'A-Z' 'a-z'`"
+	local disabled="`uci get gluon-alt-esc-client.@client[0].disabled 2> /dev/null`"
+
+	get_ifnames
+	stop
+	[ ! "$disabled" = "0" ] && exit 0
+
+	for i in $ifnames; do
+		ebtables-tiny -t nat -A ALT_ESC -i $i --logical-in br-client -j ALT_ESC_OFFLINK
+	done
+
+	setup_onlink_prefixes
+
+
+	[ -n "$exit4" ] && {
+		if [ "$ownmac" = "$exit4" ]; then
+			ebtables-tiny -t nat -A ALT_ESC_DNAT -p IPv4 -j redirect --redirect-target ACCEPT
+		else
+			ebtables-tiny -t nat -A ALT_ESC_DNAT -p IPv4 -j dnat --to-dst "$exit4" --dnat-target ACCEPT
+		fi
+	}
+
+	[ -n "$exit6" ] && {
+		if [ "$ownmac" = "$exit6" ]; then
+			ebtables-tiny -t nat -A ALT_ESC_DNAT -p IPv6 -j redirect --redirect-target ACCEPT
+		else
+			ebtables-tiny -t nat -A ALT_ESC_DNAT -p IPv6 -j dnat --to-dst "$exit6" --dnat-target ACCEPT
+		fi
+	}
+}
+
+stop() {
+	ebtables-tiny -t nat -F ALT_ESC_DNAT
+	ebtables-tiny -t nat -F ALT_ESC
+	setup_onlink_prefixes "-D"
+}
diff --git a/package/gluon-alt-esc-client/files/lib/gluon/ebtables/100-alt-esc-chains b/package/gluon-alt-esc-client/files/lib/gluon/ebtables/100-alt-esc-chains
new file mode 100644
index 00000000..861b76d9
--- /dev/null
+++ b/package/gluon-alt-esc-client/files/lib/gluon/ebtables/100-alt-esc-chains
@@ -0,0 +1,4 @@
+chain('ALT_ESC', 'ACCEPT', 'nat')
+chain('ALT_ESC_OFFLINK', 'ACCEPT', 'nat')
+chain('ALT_ESC_STDGW', 'RETURN', 'nat')
+chain('ALT_ESC_DNAT', 'RETURN', 'nat')
diff --git a/package/gluon-alt-esc-client/files/lib/gluon/ebtables/120-alt-esc-rules b/package/gluon-alt-esc-client/files/lib/gluon/ebtables/120-alt-esc-rules
new file mode 100644
index 00000000..dac2cf21
--- /dev/null
+++ b/package/gluon-alt-esc-client/files/lib/gluon/ebtables/120-alt-esc-rules
@@ -0,0 +1,5 @@
+rule ('PREROUTING -d Unicast -j ALT_ESC', 'nat')
+
+rule ('ALT_ESC_OFFLINK -p IPv6 --ip6-src fe80::/ffc0:: -j RETURN', 'nat')
+rule ('ALT_ESC_OFFLINK -p IPv4 --ip-dst 0.0.0.0 -j RETURN', 'nat')
+rule ('ALT_ESC_OFFLINK -j ALT_ESC_STDGW', 'nat')
diff --git a/package/gluon-alt-esc-client/files/usr/lib/micron.d/gluon-alt-esc b/package/gluon-alt-esc-client/files/usr/lib/micron.d/gluon-alt-esc
new file mode 100644
index 00000000..5e7b1d83
--- /dev/null
+++ b/package/gluon-alt-esc-client/files/usr/lib/micron.d/gluon-alt-esc
@@ -0,0 +1 @@
+* * * * * nice /usr/sbin/altesc-update
diff --git a/package/gluon-alt-esc-client/files/usr/sbin/altesc-update b/package/gluon-alt-esc-client/files/usr/sbin/altesc-update
new file mode 100755
index 00000000..400f9b84
--- /dev/null
+++ b/package/gluon-alt-esc-client/files/usr/sbin/altesc-update
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+disabled=`uci get gluon-alt-esc-client.@client[0].disabled`
+
+if [ ! "$disabled" = "0" ]; then
+	ebtables-tiny -t nat -F ALT_ESC_STDGW
+	exit 0
+fi
+
+
+get_gw_hosts() {
+	for gw in `batctl gwl -n -H | sed "s/.* \(..:..:..:..:..:..\) (.*/\1/"`; do
+		batctl tg -n -H | grep ".* ..:..:..:..:..:.. .* $gw"
+	done | sed "s/^.* \(..:..:..:..:..:..\) .* ..:..:..:..:..:.. .*/\1/" | sort
+}
+
+gwhosts="`get_gw_hosts`"
+gwhostssum="`echo "$gwhosts" | md5sum`"
+oldgwhosts="`cat /var/run/gluon-alt-esc.hosts 2> /dev/null`"
+oldgwhostssum="`cat /var/run/gluon-alt-esc.hosts.md5sum 2> /dev/null`"
+
+if [ "$gwhostssum" = "$oldgwhostssum" ]; then
+	echo "Stayed the same"
+	exit 0
+fi
+
+ebtables-tiny -t nat -F ALT_ESC_STDGW
+
+for host in $gwhosts; do
+	ebtables-tiny -t nat -A ALT_ESC_STDGW -d "$host" -j ALT_ESC_DNAT
+done
+
+echo "$gwhosts" > /var/run/gluon-alt-esc.hosts
+echo "$gwhostssum" > /var/run/gluon-alt-esc.hosts.md5sum
diff --git a/package/gluon-alt-esc-client/i18n/de.po b/package/gluon-alt-esc-client/i18n/de.po
new file mode 100644
index 00000000..d056e362
--- /dev/null
+++ b/package/gluon-alt-esc-client/i18n/de.po
@@ -0,0 +1,58 @@
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"PO-Revision-Date: 2017-11-13 08:00+0200\n"
+"Last-Translator:  Linus Lüssing <linus.luessing@c0d3.blue>\n"
+"Language-Team: German\n"
+"Language: de\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+msgid ""
+"Here you can add a WiFi interface with an alternative gateway for its "
+"Internet connectivity. Usually, you connect to a node which has the "
+"Alt-ESC-Provider package activated (although other systems can "
+"provide access too)."
+msgstr ""
+"Hier kannst du ein WiFi Interface mit einem alternativen Gateway für "
+"dessen Internetzugang hinzufügen. Normalerweise verbindest du dich mit "
+"einem Knoten, welcher das Alt-ESC-Provider Paket aktiviert hat (wobei "
+"auch andere Systeme Zugang bieten können)."
+
+msgid "Name (SSID)"
+msgstr "Name (SSID)"
+
+msgid "Example: \"Lisa's Garden Gate\""
+msgstr "Beispiel: \"Lisas Gartentor\""
+
+msgid "Enable IPv4 redirection"
+msgstr "Umleitung für IPv4 aktivieren"
+
+msgid "Exit ID for IPv4"
+msgstr "Exit ID für IPv4"
+
+msgid "E.g. MAC address of the node serving as Alt-ESC-Provider for the IPv4 internet"
+msgstr "Z.B. die MAC-Adresse eines Knoten, der als Alt-ESC-Provider für das IPv4 Internet dient"
+
+msgid "Enable IPv6 redirection"
+msgstr "Umleitung für IPv6 aktivieren"
+
+msgid "Exit ID for IPv6"
+msgstr "Exit ID für IPv6"
+
+msgid "E.g. MAC address of the node serving as Alt-ESC-Provider for the IPv6 internet"
+msgstr "Z.B. die MAC-Adresse eines Knoten, der als Alt-ESC-Provider für das IPv6 Internet dient"
+
+msgid "Enable redirection on LAN ports"
+msgstr "Umleitung auf LAN-Ports aktivieren"
+
+msgid "Enable Password"
+msgstr "Passwort aktivieren"
+
+msgid "Password"
+msgstr "Passwort"
+
+msgid "8-63 characters. Note: No strict enforcement (yet)"
+msgstr "8-63 Zeichen. Hinweis: (Bisweilen) keine strikte Durchsetzung"
diff --git a/package/gluon-alt-esc-client/i18n/gluon-alt-esc-client.pot b/package/gluon-alt-esc-client/i18n/gluon-alt-esc-client.pot
new file mode 100644
index 00000000..2acd6ea5
--- /dev/null
+++ b/package/gluon-alt-esc-client/i18n/gluon-alt-esc-client.pot
@@ -0,0 +1,45 @@
+msgid ""
+msgstr "Content-Type: text/plain; charset=UTF-8"
+
+msgid ""
+"Here you can add a WiFi interface with an alternative gateway for its "
+"Internet connectivity. Usually, you connect to a node which has the "
+"Alt-ESC-Provider package activated (although other systems can "
+"provide access too)."
+msgstr ""
+
+msgid "Name (SSID)"
+msgstr ""
+
+msgid "Example: \"Lisa's Garden Gate\""
+msgstr ""
+
+msgid "Enable IPv4 redirection"
+msgstr ""
+
+msgid "Exit ID for IPv4"
+msgstr ""
+
+msgid "E.g. MAC address of the node serving as Alt-ESC-Provider for the IPv4 internet"
+msgstr ""
+
+msgid "Enable IPv6 redirection"
+msgstr ""
+
+msgid "Exit ID for IPv6"
+msgstr ""
+
+msgid "E.g. MAC address of the node serving as Alt-ESC-Provider for the IPv6 internet"
+msgstr ""
+
+msgid "Enable redirection on LAN ports"
+msgstr ""
+
+msgid "Enable Password"
+msgstr ""
+
+msgid "Password"
+msgstr ""
+
+msgid "8-63 characters. Note: No strict enforcement (yet)"
+msgstr ""
diff --git a/package/gluon-alt-esc-client/luasrc/lib/gluon/config-mode/controller/admin/altesc-client.lua b/package/gluon-alt-esc-client/luasrc/lib/gluon/config-mode/controller/admin/altesc-client.lua
new file mode 100644
index 00000000..7e99a909
--- /dev/null
+++ b/package/gluon-alt-esc-client/luasrc/lib/gluon/config-mode/controller/admin/altesc-client.lua
@@ -0,0 +1 @@
+entry({"admin", "altesc-client"}, model("admin/altesc-client"), _("Alt-ESC Client"), 61)
diff --git a/package/gluon-alt-esc-client/luasrc/lib/gluon/config-mode/model/admin/altesc-client.lua b/package/gluon-alt-esc-client/luasrc/lib/gluon/config-mode/model/admin/altesc-client.lua
new file mode 100644
index 00000000..bf6ab016
--- /dev/null
+++ b/package/gluon-alt-esc-client/luasrc/lib/gluon/config-mode/model/admin/altesc-client.lua
@@ -0,0 +1,160 @@
+local uci = require("simple-uci").cursor()
+local util = require 'gluon.util'
+local site = require 'gluon.site'
+local hash = require 'hash'
+
+local function get_client(uci)
+  local client
+  uci:foreach('gluon-alt-esc-client', 'client',
+              function(s)
+                 client = s
+                 return false
+              end
+  )
+  return client
+end
+
+local client = get_client(uci)['.name']
+local disabled = uci:get_first('gluon-alt-esc-client', 'client', "disabled")
+
+local site_code
+
+if site.site_code then
+  sitecode = site.site_code()
+else
+  sitecode = "ff"
+end
+
+-- reserve space for suffixes, SSID limited to 32 characters by standard
+local ssidlen = 32 - string.len(" #abcd #" .. sitecode)
+local ssiddata = uci:get('wireless', 'altesc_radio0', "ssid")
+
+-- Remove sitecode suffix
+if ssiddata and string.match(ssiddata, " #" .. sitecode .. "$") then
+  ssiddata = string.match(ssiddata, "^(.*) #" .. sitecode .. "$")
+end
+
+-- Remove zone suffix
+if ssiddata and string.match(ssiddata, " #%x%x%x%x$") then
+  ssiddata = string.match(ssiddata, "^(.*) #%x%x%x%x$")
+end
+
+local f = Form(translate("Alternative Exit Service Collaborator - Client"))
+local s = f:section(Section, nil, translate(
+		'Here you can add a WiFi interface with an alternative gateway for its '
+		.. 'Internet connectivity. Usually, you connect to a node which has the '
+		.. 'Alt-ESC-Provider package activated (although other systems can '
+		.. 'provide access too).'
+))
+
+local enabled = s:option(Flag, "enabled", translate("Enable"))
+enabled.default = ssiddata and disabled and disabled == "0"
+
+local ssid = s:option(Value, "ssid", translate("Name (SSID)"), translate('Example: "Lisa\'s Garden Gate"'))
+ssid:depends(enabled, true)
+ssid.datatype = "maxlength(" .. ssidlen .. ")"
+ssid.default = ssiddata
+
+local exit4data = uci:get_first('gluon-alt-esc-client', 'client', "exit4")
+local exit4flag = s:option(Flag, "exit4flag", translate("Enable IPv4 redirection"))
+exit4flag:depends(enabled, true)
+exit4flag.default = (exit4data and exit4data ~= "")
+
+local exit4 = s:option(Value, "exit4", translate("Exit ID for IPv4"), translate("E.g. MAC address of the node serving as Alt-ESC-Provider for the IPv4 internet"))
+exit4:depends(exit4flag, true)
+--exit4.datatype = "macaddr"
+exit4.default = exit4data
+
+local exit6data = uci:get_first('gluon-alt-esc-client', 'client', "exit6")
+local exit6flag = s:option(Flag, "exit6flag", translate("Enable IPv6 redirection"))
+exit6flag:depends(enabled, true)
+exit6flag.default = (exit6data and exit6data ~= "")
+
+local exit6 = s:option(Value, "exit6", translate("Exit ID for IPv6"), translate("E.g. MAC address of the node serving as Alt-ESC-Provider for the IPv6 internet"))
+exit6:depends(exit6flag, true)
+--exit6.datatype = "macaddr"
+exit6.default = exit6data
+
+local landata = uci:get_first('gluon-alt-esc-client', 'client', "altesc_on_lan")
+local altesc_on_lan = s:option(Flag, "altesc_on_lan", translate("Enable redirection on LAN ports"))
+altesc_on_lan:depends(enabled, true)
+altesc_on_lan.default = landata and landata == '1'
+
+local keydata = uci:get_first('gluon-alt-esc-client', 'client', "encryption")
+local keyflag = s:option(Flag, "keyflag", translate("Enable Password"))
+keyflag:depends(enabled, true)
+keyflag.default = (keydata and keydata ~= "" and keydata ~= "none")
+
+local key = s:option(Value, "key", translate("Password"), translate("8-63 characters. Note: No strict enforcement (yet)"))
+key:depends(keyflag, true)
+key.datatype = "wpakey"
+key.default = uci:get_first('gluon-alt-esc-client', 'client', "key")
+
+function f:write(self, state, data)
+  local client = get_client(uci)['.name']
+
+  uci:set('gluon-alt-esc-client', client, 'disabled', enabled.data and '0' or '1')
+  uci:set('gluon-alt-esc-client', client, 'exit4', exit4.data or '')
+  uci:set('gluon-alt-esc-client', client, 'exit6', exit6.data or '')
+  uci:set('gluon-alt-esc-client', client, 'altesc_on_lan', altesc_on_lan.data and '1' or '0')
+
+  uci:commit('gluon-alt-esc-client')
+
+  i=0
+  util.foreach_radio(uci,
+    function(radio, index, config)
+      local name = "altesc_" .. radio['.name']
+
+      if enabled.data then
+        local macaddr = util.get_wlan_mac(uci, radio, index, 4)
+        local exit4data = exit4.data or ""
+        local exit6data = exit4.data or ""
+        local sitecode
+        local zone = string.sub(hash.md5(exit4data .. "," .. exit6data .. "," .. ssid.data), 0, 4)
+
+        if site.site_code then
+          sitecode = site.site_code()
+        else
+          sitecode = "ff"
+        end
+
+        if keyflag.data and key.data then
+          uci:section('wireless', "wifi-iface", name,
+                      {
+                        ifname = "altesc" .. i,
+                        device = radio['.name'],
+                        network = "client",
+                        mode = "ap",
+                        macaddr = macaddr,
+                        ssid = ssid.data .. " #" .. zone .. " #" .. sitecode,
+                        encryption = "psk2",
+                        key = key.data,
+                        disabled = '0',
+                      }
+          )
+        else
+          uci:section('wireless', "wifi-iface", name,
+                      {
+                        ifname = "altesc" .. i,
+                        device = radio['.name'],
+                        network = "client",
+                        mode = "ap",
+                        macaddr = macaddr,
+                        ssid = ssid.data .. " #" .. zone .. " #" .. sitecode,
+                        encryption = "",
+                        key = "",
+                        disabled = '0',
+                      }
+          )
+        end
+      else
+        uci:set('wireless', name, "disabled", 1)
+      end
+
+      i=i+1
+    end
+  )
+  uci:commit('wireless')
+end
+
+return f
diff --git a/package/gluon-alt-esc-provider/Makefile b/package/gluon-alt-esc-provider/Makefile
new file mode 100644
index 00000000..3ebf58ad
--- /dev/null
+++ b/package/gluon-alt-esc-provider/Makefile
@@ -0,0 +1,14 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-alt-esc-provider
+PKG_VERSION:=1
+PKG_RELEASE:=1
+
+include ../gluon.mk
+
+define Package/gluon-alt-esc-provider
+  DEPENDS:=+gluon-web-admin +ip6tables-mod-nat
+  TITLE:=Gluon Alternative Exit Service Collaborator - Provider
+endef
+
+$(eval $(call BuildPackageGluon,gluon-alt-esc-provider))
diff --git a/package/gluon-alt-esc-provider/files/etc/config/gluon-alt-esc-provider b/package/gluon-alt-esc-provider/files/etc/config/gluon-alt-esc-provider
new file mode 100644
index 00000000..49ad86e8
--- /dev/null
+++ b/package/gluon-alt-esc-provider/files/etc/config/gluon-alt-esc-provider
@@ -0,0 +1,2 @@
+config provider
+	option disabled '1'
diff --git a/package/gluon-alt-esc-provider/files/lib/gluon/alt-esc-provider/iptables.rules b/package/gluon-alt-esc-provider/files/lib/gluon/alt-esc-provider/iptables.rules
new file mode 100644
index 00000000..0de1ac19
--- /dev/null
+++ b/package/gluon-alt-esc-provider/files/lib/gluon/alt-esc-provider/iptables.rules
@@ -0,0 +1,3 @@
+*nat
+-I POSTROUTING -o br-wan -j MASQUERADE
+COMMIT
diff --git a/package/gluon-alt-esc-provider/i18n/de.po b/package/gluon-alt-esc-provider/i18n/de.po
new file mode 100644
index 00000000..a9a12ac6
--- /dev/null
+++ b/package/gluon-alt-esc-provider/i18n/de.po
@@ -0,0 +1,42 @@
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"PO-Revision-Date: 2017-11-13 08:00+0200\n"
+"Last-Translator:  Linus Lüssing <linus.luessing@c0d3.blue>\n"
+"Language-Team: German\n"
+"Language: de\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+msgid ""
+"<p>Here you can share your Internet connection from the WAN port directly "
+"(bypassing the community gateways), so this same or other nodes can "
+"get Internet access via this node via the Alt-ESC-Client, for instance.</p>"
+"<p><strong>- Be aware of the legal obligations your jurisdiction might "
+"require you to follow. -</strong></p>"
+"<p><strong>USE AT YOUR OWN RISK!</strong></p>"
+msgstr ""
+"<p>Hier kannst deine Internetverbindung vom WAN-Port direkt teilen "
+"(dies umgeht den Community-Gateway), sodass dieser oder andere "
+"Knoten einen Internetzugang über diesen Knoten zum Beispiel durch den "
+"Alt-ESC-Client bekommen können.</p>"
+"<p><strong>- Sei dir über die gesetzlichen Verpflichtungen bewusst, deren "
+"Befolgung dein Rechtssystem möglichrweise vorschreibt. -</strong></p>"
+"<p><strong>BENUTZUNG AUF EIGENE GEFAHR!</strong></p>"
+
+msgid "Enable"
+msgstr "Aktivieren"
+
+msgid "Note: When enabling this you will probably want to enable the Mesh-VPN in the wizard, too."
+msgstr "Anmerkung: Wenn du dies aktivierst, willst du vermutlich auch das Mesh-VPN im Wizard aktivieren."
+
+msgid "I am brave and I know what I am doing."
+msgstr "Ich bin mutig und weiß was ich tue."
+
+msgid "Your Exit ID is:"
+msgstr "Deine Exit ID ist:"
+
+msgid "(unchangeable, your nodes MAC address)"
+msgstr "(unveränderlich, die MAC Adresse deines Knotens)"
diff --git a/package/gluon-alt-esc-provider/i18n/gluon-alt-esc-provider.pot b/package/gluon-alt-esc-provider/i18n/gluon-alt-esc-provider.pot
new file mode 100644
index 00000000..684e5197
--- /dev/null
+++ b/package/gluon-alt-esc-provider/i18n/gluon-alt-esc-provider.pot
@@ -0,0 +1,26 @@
+msgid ""
+msgstr "Content-Type: text/plain; charset=UTF-8"
+
+msgid ""
+"<p>Here you can share your Internet connection from the WAN port directly "
+"(bypassing the community gateways), so this same or other nodes can "
+"get Internet access via this node via the Alt-ESC-Client, for instance.</p>"
+"<p><strong>- Be aware of the legal obligations your jurisdiction might "
+"require you to follow. -</strong></p>"
+"<p><strong>USE AT YOUR OWN RISK!</strong></p>"
+msgstr ""
+
+msgid "Enable"
+msgstr ""
+
+msgid "Note: When enabling this you will probably want to enable the Mesh-VPN in the wizard, too."
+msgstr ""
+
+msgid "I am brave and I know what I am doing."
+msgstr ""
+
+msgid "Your Exit ID is:"
+msgstr ""
+
+msgid "(unchangeable, your nodes MAC address)"
+msgstr ""
diff --git a/package/gluon-alt-esc-provider/luasrc/lib/gluon/config-mode/controller/admin/altesc-provider.lua b/package/gluon-alt-esc-provider/luasrc/lib/gluon/config-mode/controller/admin/altesc-provider.lua
new file mode 100644
index 00000000..a6f1c5af
--- /dev/null
+++ b/package/gluon-alt-esc-provider/luasrc/lib/gluon/config-mode/controller/admin/altesc-provider.lua
@@ -0,0 +1 @@
+entry({"admin", "altesc-provider"}, model("admin/altesc-provider"), _("Alt-ESC Provider"), 60)
diff --git a/package/gluon-alt-esc-provider/luasrc/lib/gluon/config-mode/model/admin/altesc-provider.lua b/package/gluon-alt-esc-provider/luasrc/lib/gluon/config-mode/model/admin/altesc-provider.lua
new file mode 100644
index 00000000..11632cf9
--- /dev/null
+++ b/package/gluon-alt-esc-provider/luasrc/lib/gluon/config-mode/model/admin/altesc-provider.lua
@@ -0,0 +1,87 @@
+local uci = require("simple-uci").cursor()
+local util = require 'gluon.util'
+local site = require 'gluon.site'
+
+local function get_provider(uci)
+  local provider
+  uci:foreach('gluon-alt-esc-provider', 'provider',
+              function(s)
+                 provider = s
+                 return false
+              end
+  )
+  return provider
+end
+
+local mac = uci:get('network', 'client', 'macaddr')
+local disabled = uci:get_first('gluon-alt-esc-provider', 'provider', "disabled")
+
+local f = Form(translate("Alternative Exit Service Collaborator - Provider"))
+local s = f:section(Section, nil, translate(
+		'<p>Here you can share your Internet connection from the WAN port directly '
+		.. '(bypassing the community gateways), so this same or other nodes can '
+		.. 'get Internet access via this node via the Alt-ESC-Client, for instance.</p>'
+		.. '<p><strong>- Be aware of the legal obligations your jurisdiction might '
+		.. 'require you to follow. -</strong></p>'
+		.. '<p><strong>USE AT YOUR OWN RISK!</strong></p>'
+))
+
+local enabled = s:option(Flag, "enabled", translate("Enable"), translate("Note: When enabling this you will probably want to enable the Mesh-VPN in the wizard, too."))
+enabled.default = disabled and disabled == "0"
+
+local brave = s:option(Flag, "brave", translate("I am brave and I know what I am doing."))
+brave:depends(enabled, true)
+brave.default = disabled and disabled == "0"
+
+local id = s:option(Value, "id", translate("Your Exit ID is:"), translate("(unchangeable, your nodes MAC address)"))
+id:depends(brave, true)
+id.default = mac
+
+function f:write(self, state, data)
+  local disabled
+  local provider = get_provider(uci)['.name']
+
+  if not(enabled.data and brave.data) then
+    disabled = "1"
+
+    uci:delete('firewall', 'client2wan')
+    uci:delete('firewall', 'wan2client')
+    uci:delete('firewall', 'wan_nat6')
+    uci:delete('network', 'wan6client_lookup')
+  else
+    disabled = "0"
+
+    uci:section('firewall', 'forwarding', 'client2wan',
+                {
+                  src = 'mesh',
+                  dest = 'wan',
+                }
+    )
+    uci:section('firewall', 'forwarding', 'wan2client',
+                {
+                  src = 'wan',
+                  dest = 'mesh',
+                }
+    )
+    uci:section('firewall', 'include', 'wan_nat6',
+                {
+                  family = 'ipv6',
+                  type = 'restore',
+                  path = '/lib/gluon/alt-esc-provider/iptables.rules',
+                }
+    )
+    uci:section('network', 'rule6', 'wan6client_lookup',
+                {
+                  lookup = '1',
+                }
+    )
+    uci:set('network', 'wan6client_lookup', 'in', 'client')
+  end
+
+  uci:set('gluon-alt-esc-provider', provider, 'disabled', disabled)
+  uci:commit('gluon-alt-esc-provider')
+  uci:commit('firewall')
+  uci:commit('network')
+end
+
+return f