diff --git a/.gitignore b/.gitignore
index 16d183efad0bfb34f030f87e0f46c86c316c39d4..a2b61aed062e235874d03d5c5fec8de93b8af8aa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
 /.vagrant
 /playbook.retry
+secret*
+/artifacts
diff --git a/host_vars/burgtor.yml b/host_vars/burgtor.yml
deleted file mode 100644
index 949e137acea14848e624a3342f2cd0807f837071..0000000000000000000000000000000000000000
--- a/host_vars/burgtor.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-ip4: 10.130.0.255
-ip6: 2001:67c:2d50::e01
-ip6_ula: fdef:ffc0:3dd7::e01
-fastd_mac: 52:54:00:f3:62:d9
-fastd_mac_2: ea:af:13:66:6d:71
-fastd_gw_mac: 52:54:00:f3:62:da
-freifunk_mac: 52:54:00:ee:5c:d7
-dhcpd_start: 10.130.12.63
-dhcpd_end: 10.130.15.254
-snat_dev: ffrhein-+
-snat_ip4: 185.66.193.32
-icvpn_name: luebeck2
-icvpn_ip4: 10.207.0.131
-icvpn_ip6: fec0::a:cf:0:83
-units_enable:
-  - "'fastd@dn42\\x2dchaos.service'"
diff --git a/host_vars/holstentor.yml b/host_vars/holstentor.yml
index 669c093b11e3e429ae442667e6d70c552a6ea46b..547d4ea4e9332ea81e5c14e3cfec61f28050a37d 100644
--- a/host_vars/holstentor.yml
+++ b/host_vars/holstentor.yml
@@ -1,16 +1,17 @@
 ip4: 10.130.0.253
 ip6: 2001:67c:2d50::c01
 ip6_ula: fdef:ffc0:3dd7::c01
-fastd_mac: d6:89:49:08:f6:9d
-fastd_mac_2: ce:69:95:f0:a9:53
+fastd_mesh_mac: d6:89:49:08:f6:9d
 fastd_gw_mac: d6:89:49:08:f6:9e
 freifunk_mac: 52:54:00:0c:bb:eb
 dhcpd_start: 10.130.4.191
 dhcpd_end: 10.130.8.126
+
+# additional config
 snat_dev: ffrhein-+
 snat_ip4: 185.66.193.33
 icvpn_name: luebeck1
 icvpn_ip4: 10.207.0.130
 icvpn_ip6: fec0::a:cf:0:82
 units_enable:
-  - "'fastd@dn42\\x2dchaos.service'"
+  - "'fastd@dn42-chaos.service'"
diff --git a/host_vars/huextertor.yml b/host_vars/huextertor.yml
index 1dedb9f8187fe9f0b31d1bf9f196adac9092d82f..88e55077a0a20696469874178a69f048899d5bd6 100644
--- a/host_vars/huextertor.yml
+++ b/host_vars/huextertor.yml
@@ -1,9 +1,8 @@
 ip4: 10.130.0.252
-ip6: 2001:67c:2d50::801
-ip6_ula: fdef:ffc0:3dd7::801
-fastd_mac: d2:d0:93:63:f7:da
-fastd_mac_2: 66:3a:16:58:af:5c
-fastd_gw_mac: d2:d0:93:63:f7:db
-freifunk_mac: 6e:e4:d2:8a:3b:63
-dhcpd_start: 10.130.1.0
-dhcpd_end: 10.130.4.190
+ip6: 2001:67c:2d50::d01
+ip6_ula: fdef:ffc0:3dd7::d01
+fastd_mesh_mac: de:ad:ca:fe:aa:bb
+fastd_gw_mac: de:ad:ca:fe:bb:dd
+freifunk_mac: de:ad:ca:fe:cc:dd
+dhcpd_start: 10.130.12.63
+dhcpd_end: 10.130.15.255
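Review bot: `dhcpd_end: 10.130.15.255` extends this pool one address past the `10.130.15.254` that the removed host_vars/burgtor.yml used for the same range. The client subnet mask is not visible here, but if the segment ends at 10.130.15.255 the last lease would be the broadcast address, so `dhcpd_end: 10.130.15.254` looks safer. This is also the pool burgtor served, and host_vars/kaisertor.yml takes over huextertor's old pool together with burgtor's `ip4: 10.130.0.255` while burgtor is still listed in `hosts`, so two gateways could answer for the same addresses if the old host keeps running. The `de:ad:ca:fe:…` MAC values here and in kaisertor.yml read like placeholders; a comment saying whether they are final would help.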
diff --git a/host_vars/kaisertor.yml b/host_vars/kaisertor.yml
new file mode 100644
index 0000000000000000000000000000000000000000..98e37c249da37da07a042f27dc2a9adb584bb335
--- /dev/null
+++ b/host_vars/kaisertor.yml
@@ -0,0 +1,8 @@
+ip4: 10.130.0.255
+ip6: 2001:67c:2d50::b01
+ip6_ula: fdef:ffc0:3dd7::b01
+fastd_mesh_mac: de:ad:ca:fe:aa:aa
+fastd_gw_mac: de:ad:ca:fe:bb:bb
+freifunk_mac: de:ad:ca:fe:cc:bb
+dhcpd_start: 10.130.1.0
+dhcpd_end: 10.130.4.190
diff --git a/host_vars/muehlentor.yml b/host_vars/muehlentor.yml
index a6ae397f4299e406fb7505c8c90045de41ebf0ce..b0db1fb3ded08e237f7e4a727ea3cb951f871c75 100644
--- a/host_vars/muehlentor.yml
+++ b/host_vars/muehlentor.yml
@@ -1,8 +1,7 @@
 ip4: 10.130.0.254
 ip6: 2001:67c:2d50::a01
 ip6_ula: fdef:ffc0:3dd7::a01
-fastd_mac: 26:9c:57:9b:5c:b2
-fastd_mac_2: 6a:0a:8d:97:50:69
+fastd_mesh_mac: 26:9c:57:9b:5c:b2
 fastd_gw_mac: 26:9c:57:9b:5c:b3
 freifunk_mac: de:ad:ca:fe:46:1d
 dhcpd_start: 10.130.8.127
diff --git a/hosts b/hosts
index 491e0d393e332f5c5a8a9cd8c40f821bb7d28baa..b740cbab9cb1c9ed1c8d82233c19634deabe9da5 100644
--- a/hosts
+++ b/hosts
@@ -1,5 +1,8 @@
 [gateways]
-ffhl-gateway ansible_ssh_host=10.10.1.100 ansible_ssh_user=root
+burgtor ansible_ssh_host=burgtor.luebeck.freifunk.net
+holstentor ansible_ssh_host=holstentor.luebeck.freifunk.net
+muehlentor ansible_ssh_host=muehlentor.luebeck.freifunk.net
+huextertor ansible_ssh_host=huextertor.luebeck.freifunk.net
 
 [gateways:vars]
 ansible_python_interpreter=/usr/bin/env python2
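Review bot: `burgtor` is added to `[gateways]` in the same commit that deletes host_vars/burgtor.yml, so any task or template that reads `ip4`, `dhcpd_start` or the MAC variables will presumably hit an undefined variable on that host. `kaisertor`, which does get host_vars, appears only in `hosts_new`. Dropping `ansible_ssh_user=root` also makes the login user depend on each operator's local SSH and Ansible configuration; if root is still intended, keep it explicit, for example `ansible_ssh_user=root` under `[gateways:vars]`.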
diff --git a/hosts_new b/hosts_new
new file mode 100644
index 0000000000000000000000000000000000000000..03eaa0b80d3e71e7547a2d5541027547e747bd3c
--- /dev/null
+++ b/hosts_new
@@ -0,0 +1,5 @@
+[gateways]
+kaisertor ansible_ssh_host=10.8.1.50 ansible_ssh_user=root
+
+[gateways:vars]
+ansible_python_interpreter=/usr/bin/env python2
diff --git a/revert_and_setup.sh b/revert_and_setup.sh
new file mode 100755
index 0000000000000000000000000000000000000000..ac9813c20aabb872d1b0f39598338f408c621609
--- /dev/null
+++ b/revert_and_setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -e
+
+# virsh snapshot-revert --domain ffhl-test-gateway --current
+virsh snapshot-revert --domain ffhl-test-gateway 1579128050
+echo "restarting timesyncd and ntp"
+ssh -q root@10.8.1.50 systemctl restart systemd-timesyncd
+ssh -q root@10.8.1.50 systemctl restart ntp
+echo "waiting..."
+sleep 7
+
+echo "removing artifacts"
+rm -rf artifacts
+
+echo "run the playbook"
+ansible-playbook -vvvv -i hosts debian_setup.yml
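Review bot: The last line runs the playbook with `-i hosts`, which after this commit lists the four production gateways, although everything above it prepares the test VM at 10.8.1.50 that is only in `hosts_new`; `ansible-playbook -vvvv -i hosts_new debian_setup.yml` looks like what was meant. `rm -rf artifacts` is relative to the caller's working directory, so a `cd "$(dirname "$0")"` near the top would pin it to the repository. `-vvvv` prints module arguments, which can include the fastd and bird secrets unless the tasks concerned set `no_log: true`; those tasks are outside this view.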
diff --git a/roles/debian_base/files/etc/bird.conf b/roles/debian_base/files/etc/bird.conf
deleted file mode 100644
index a44d2a5d7cfadee4a7cb4637af4fdce4bc959465..0000000000000000000000000000000000000000
--- a/roles/debian_base/files/etc/bird.conf
+++ /dev/null
@@ -1 +0,0 @@
-include "bird/bird.conf";
diff --git a/roles/debian_base/files/bird/base/bird.conf b/roles/debian_base/files/etc/bird/bird.conf
similarity index 97%
rename from roles/debian_base/files/bird/base/bird.conf
rename to roles/debian_base/files/etc/bird/bird.conf
index 610391d0c7bb4869b72010d07653fd3573ca6a77..78507ac8503d3f34991cf1f4ee7621f43454a715 100644
--- a/roles/debian_base/files/bird/base/bird.conf
+++ b/roles/debian_base/files/etc/bird/bird.conf
@@ -53,13 +53,6 @@ protocol static mesh_freifunk {
   route 10.0.0.0/8 reject;
 };
 
-# 464XLAT
-##########
-
-protocol static static_464xlat {
-  route 10.130.64.0/18 via "nat64";
-}
-
 # Mesh-internal routing
 ########################
 
diff --git a/roles/debian_base/files/bird/base/bird6.conf b/roles/debian_base/files/etc/bird/bird6.conf
similarity index 95%
rename from roles/debian_base/files/bird/base/bird6.conf
rename to roles/debian_base/files/etc/bird/bird6.conf
index 0f7d3fbbecc74bc3fa07f6f1ddcbad0bc08fc65c..c69b49996a5741a00ed7319430a469318c61d184 100644
--- a/roles/debian_base/files/bird/base/bird6.conf
+++ b/roles/debian_base/files/etc/bird/bird6.conf
@@ -22,9 +22,10 @@ define KERNEL_TABLE = ipt_freifunk;
 # ROA table
 ############
 
-roa table roa_icvpn {
-  include "roa.ip6";
-}
+# roa table roa_icvpn {
+#   include "roa.ip6";
+# }
+
 
 # filter helpers
 #################
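Review bot: Commenting out `roa table roa_icvpn` here goes together with the next hunk, where `bgp_import_filter` now ends in an unconditional `accept;` instead of `reject;`, so every prefix that is neither the own net nor ULA is imported without origin validation and a peer can announce prefixes it does not own. If the only reason is that `roa.ip6` is missing on the test host, shipping a generated or empty `roa.ip6` there keeps the check in place; otherwise add a comment saying why validation is off and when it comes back. The removed `print "ROA check failed for ", net, " ASN ", bgp_path.last;` was also the only log line for rejected announcements. Which BGP sessions use this filter is not visible in these hunks.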
@@ -49,14 +50,15 @@ function is_self_mgmt()   { return net ~ [ 2001:67c:2d50:1::a82:7fe0/123+ ]; }
 filter bgp_import_filter {
   if is_self_net() then reject;
   if is_ula() then accept;
-  if roa_check(roa_icvpn) = ROA_VALID then {
-    accept;
-  } else {
-    print "ROA check failed for ", net, " ASN ", bgp_path.last;
-  }
-  reject;
+  # if roa_check(roa_icvpn) = ROA_VALID then {
+  #   accept;
+  # } else {
+  #   print "ROA check failed for ", net, " ASN ", bgp_path.last;
+  # }
+  accept;
 }
 
+
 # static routes
 ################
 
diff --git a/roles/debian_base/files/bird/base/bird6_ibgp.conf b/roles/debian_base/files/etc/bird/bird6_ibgp.conf
similarity index 100%
rename from roles/debian_base/files/bird/base/bird6_ibgp.conf
rename to roles/debian_base/files/etc/bird/bird6_ibgp.conf
diff --git a/roles/debian_base/files/bird/base/bird_ibgp.conf b/roles/debian_base/files/etc/bird/bird_ibgp.conf
similarity index 100%
rename from roles/debian_base/files/bird/base/bird_ibgp.conf
rename to roles/debian_base/files/etc/bird/bird_ibgp.conf
diff --git a/roles/debian_base/files/etc/bird/password.conf b/roles/debian_base/files/etc/bird/password.conf
new file mode 100644
index 0000000000000000000000000000000000000000..efc2d5e75489057774e0179f6d739cdb55655983
--- /dev/null
+++ b/roles/debian_base/files/etc/bird/password.conf
@@ -0,0 +1 @@
+password "dummy";
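Review bot: `password "dummy";` is committed as a static file under files/etc/bird/, so unless a later task overwrites it every gateway would be deployed with the same publicly known session password. The `secret*` pattern added to .gitignore does not match `password.conf`, so a real value edited into this path would be tracked by git as well. Rendering the file from a vaulted variable through a template, or making the playbook fail while the value is still `dummy`, would avoid both. How the file is included by the bird configuration is not visible in this diff.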
diff --git a/roles/debian_base/files/etc/bird6.conf b/roles/debian_base/files/etc/bird6.conf
deleted file mode 100644
index 2c9b7eddeca079109ac7b7e24c69ebf500d6823f..0000000000000000000000000000000000000000
--- a/roles/debian_base/files/etc/bird6.conf
+++ /dev/null
@@ -1 +0,0 @@
-include "bird/bird6.conf";
diff --git a/roles/debian_base/files/etc/fastd/ffhl-gw-vpn/fastd.conf b/roles/debian_base/files/etc/fastd/ffhl-gw-vpn/fastd.conf
deleted file mode 100644
index 0b1fdd29ccfafbea2ea3301718fa83f20f80834f..0000000000000000000000000000000000000000
--- a/roles/debian_base/files/etc/fastd/ffhl-gw-vpn/fastd.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-log to syslog level debug;
-user "fastd";
-interface "ffhl-gw-vpn";
-method "salsa2012+umac";
-bind any:10001;
-include "secret.conf";
-mtu 1280;
-status socket "/run/fastd/gw-vpn.sock";
-
-include peers from "gateways";
-
-on up "
-        ip link set address $(cat mac) dev $INTERFACE
-        ip link set up $INTERFACE
-";
diff --git a/roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/burgtor b/roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/burgtor
deleted file mode 100644
index 63f3adbce70d66b21f76a0aa788c83f24b879650..0000000000000000000000000000000000000000
--- a/roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/burgtor
+++ /dev/null
@@ -1,3 +0,0 @@
-key "5a15ffbef06ba2f887a17a60bf1feeae56fa6a9a94f3ea7f84390291406b0b4e";
-remote "burgtor.mesh.ffhl.chaotikum.org" port 10001;
-float yes;
diff --git a/roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/huextertor b/roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/huextertor
deleted file mode 100644
index 8d70194b0c53f2b42c367f4f1de83c8853560c85..0000000000000000000000000000000000000000
--- a/roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/huextertor
+++ /dev/null
@@ -1,3 +0,0 @@
-key "eb2ef5487527ec1643448943dd9427d9965870bc1a5db37f8edc8aea84005f9f";
-remote "huextertor.mesh.ffhl.chaotikum.org" port 10001;
-float yes;
diff --git a/roles/debian_base/files/etc/fastd/ffhl-mesh-vpn-2/fastd.conf b/roles/debian_base/files/etc/fastd/ffhl-mesh-vpn-2/fastd.conf
deleted file mode 100644
index e640465a6884ed85b3b1369a0907d528964cf87d..0000000000000000000000000000000000000000
--- a/roles/debian_base/files/etc/fastd/ffhl-mesh-vpn-2/fastd.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-log to syslog level debug;
-user "fastd";
-interface "ffhl-mesh-vpn-2";
-method "null";
-method "salsa2012+umac";
-bind any:10002;
-include "../ffhl-mesh-vpn/secret.conf";
-mtu 1280;
-hide ip addresses yes;
-status socket "/run/fastd/mesh-vpn-2.sock";
-
-include peers from "../ffhl-mesh-vpn/peers";
-
-on up "
-        ip link set address $(cat mac) dev $INTERFACE
-        ip link set up $INTERFACE
-";
diff --git a/roles/debian_base/files/etc/fastd/ffhl-mesh-vpn/fastd.conf b/roles/debian_base/files/etc/fastd/ffhl-mesh-vpn/fastd.conf
deleted file mode 100644
index 338dd95bf6ddf325fe5e38e91381b20e4b1f8fa6..0000000000000000000000000000000000000000
--- a/roles/debian_base/files/etc/fastd/ffhl-mesh-vpn/fastd.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-log to syslog level debug;
-user "fastd";
-interface "ffhl-mesh-vpn";
-method "salsa2012+umac";
-method "salsa2012+gmac";
-method "xsalsa20-poly1305";
-bind 0.0.0.0:10000;
-include "secret.conf";
-mtu 1426;
-hide ip addresses yes;
-secure handshakes no;
-status socket "/run/fastd/mesh-vpn.sock";
-
-include peers from "peers";
-
-on up "
-        ip link set address $(cat mac) dev $INTERFACE
-        ip link set up $INTERFACE
-";
diff --git a/roles/debian_base/files/etc/fastd/ffhl_mesh_gwvpn/fastd.conf b/roles/debian_base/files/etc/fastd/ffhl_mesh_gwvpn/fastd.conf
new file mode 100644
index 0000000000000000000000000000000000000000..27354e073a277da81ac361e974722e9a17490bba
--- /dev/null
+++ b/roles/debian_base/files/etc/fastd/ffhl_mesh_gwvpn/fastd.conf
@@ -0,0 +1,11 @@
+log to syslog level debug;
+user "fastd";
+interface "ffhl_mesh_gwvpn";
+method "salsa2012+umac";
+bind any:10001;
+include "secret.conf";
+mtu 1280;
+status socket "/run/fastd/ffhl_mesh_gwvpn.sock";
+on up "./fastd-up";
+
+include peers from "gateways";
diff --git a/roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/holstentor b/roles/debian_base/files/etc/fastd/ffhl_mesh_gwvpn/gateways/holstentor
similarity index 100%
rename from roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/holstentor
rename to roles/debian_base/files/etc/fastd/ffhl_mesh_gwvpn/gateways/holstentor
diff --git a/roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/muehlentor b/roles/debian_base/files/etc/fastd/ffhl_mesh_gwvpn/gateways/muehlentor
similarity index 100%
rename from roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/muehlentor
rename to roles/debian_base/files/etc/fastd/ffhl_mesh_gwvpn/gateways/muehlentor
diff --git a/roles/debian_base/files/etc/fastd/ffhl_mesh_vpn/fastd.conf b/roles/debian_base/files/etc/fastd/ffhl_mesh_vpn/fastd.conf
new file mode 100644
index 0000000000000000000000000000000000000000..93b46e4e66a693f317ca49ae0a7c729a86b7982e
--- /dev/null
+++ b/roles/debian_base/files/etc/fastd/ffhl_mesh_vpn/fastd.conf
@@ -0,0 +1,14 @@
+log to syslog level debug;
+user "fastd";
+interface "ffhl_mesh_vpn";
+method "null";
+method "salsa2012+umac";
+bind any:10002;
+include "secret.conf";
+mtu 1280;
+hide ip addresses yes;
+hide mac addresses yes;
+status socket "/run/fastd/fastd-ffhl_mesh_vpn.sock";
+include peers from "peers";
+
+on up "./fastd-up";
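Review bot: `method "null";` is listed before `salsa2012+umac`, and fastd's null method neither encrypts nor authenticates tunnel payload, so peers that negotiate it carry mesh traffic in clear text; the removed ffhl-mesh-vpn config on port 10000 offered only encrypting methods. If this is a deliberate trade-off for low-power routers, say so in the file, for example `# "null": no payload encryption/authentication, kept for router performance`, and consider listing it after `salsa2012+umac`, since fastd as far as I know prefers methods in the order given. `log to syslog level debug;` is also verbose for a production gateway. The `./fastd-up` script that `on up` runs is not part of the visible diff.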
diff --git a/roles/debian_base/files/etc/iptables/ip6tables.rules b/roles/debian_base/files/etc/iptables/ip6tables.rules
index 24b8ff1d26f42a43cc5b4e1333afaa11fb66871b..f9d67a6c56f03f126a6d2e9c6ed94724ed2cbb22 100644
--- a/roles/debian_base/files/etc/iptables/ip6tables.rules
+++ b/roles/debian_base/files/etc/iptables/ip6tables.rules
@@ -4,6 +4,5 @@
 COMMIT
 *mangle
 -A PREROUTING -i freifunk-+ -j MARK --set-xmark 0x1/0xffffffff
--A PREROUTING -i nat64 -j MARK --set-xmark 0x1/0xffffffff
 -A PREROUTING -i icvpn -j MARK --set-xmark 0x1/0xffffffff
 COMMIT
diff --git a/roles/debian_base/files/etc/ntp.conf b/roles/debian_base/files/etc/ntp.conf
deleted file mode 100644
index bbe02813451aae8e45c8b8487d284d469bbf7fe2..0000000000000000000000000000000000000000
--- a/roles/debian_base/files/etc/ntp.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# With the default settings below, ntpd will only synchronize your clock.
-#
-# For details, see:
-# - the ntp.conf man page
-# - http://support.ntp.org/bin/view/Support/GettingStarted
-# - https://wiki.archlinux.org/index.php/Network_Time_Protocol_daemon
-
-# Associate to public NTP pool servers; see http://www.pool.ntp.org/
-server 0.pool.ntp.org
-server 1.pool.ntp.org
-server 2.pool.ntp.org
-
-# Only allow read-only access from localhost
-restrict default noquery nopeer
-restrict 127.0.0.1
-restrict ::1
-
-# ffhl mesh
-restrict fdef:ffc0:3dd7:: mask ffff:ffff:ffff:ffff:: nomodify notrap nopeer
-restrict 2001:67c:2d50:: mask ffff:ffff:ffff:ffff:: nomodify notrap nopeer
-
-# Location of drift file
-driftfile /var/lib/ntp/ntp.drift
diff --git a/roles/debian_base/files/etc/systemd/network/00-nat64.network b/roles/debian_base/files/etc/systemd/network/00-nat64.network
deleted file mode 100644
index cc0e092ff0b10f6020a34559f536bd0a7261c6be..0000000000000000000000000000000000000000
--- a/roles/debian_base/files/etc/systemd/network/00-nat64.network
+++ /dev/null
@@ -1,7 +0,0 @@
-[Match]
-Name=nat64
-
-[Network]
-IPForward=yes
-Address=fe80::1/64
-Address=127.0.0.2/8
diff --git a/roles/debian_base/files/etc/systemd/network/04-anycast-dns.netdev b/roles/debian_base/files/etc/systemd/network/04-anycast-dns.netdev
deleted file mode 100644
index af7baec58d500b3f3a9de3e122e03807b553ef85..0000000000000000000000000000000000000000
--- a/roles/debian_base/files/etc/systemd/network/04-anycast-dns.netdev
+++ /dev/null
@@ -1,3 +0,0 @@
-[NetDev]
-Name=anycast-dns
-Kind=dummy
diff --git a/roles/debian_base/files/etc/systemd/network/04-anycast-dns.network b/roles/debian_base/files/etc/systemd/network/04-anycast-dns.network
deleted file mode 100644
index 47153f1072fe09486ca3b3c8a5f2b6d5cfbabfcd..0000000000000000000000000000000000000000
--- a/roles/debian_base/files/etc/systemd/network/04-anycast-dns.network
+++ /dev/null
@@ -1,5 +0,0 @@
-[Match]
-Name=anycast-dns
-
-[Network]
-Address=2001:67c:2d50:1::10.130.127.224/128
diff --git a/roles/debian_base/files/etc/systemd/network/22-ffhl-bat0.network b/roles/debian_base/files/etc/systemd/network/22-ffhl-bat0.network
new file mode 100644
index 0000000000000000000000000000000000000000..79f1f3e8b47a58ee034ee75c2913569d8ca8fb54
--- /dev/null
+++ b/roles/debian_base/files/etc/systemd/network/22-ffhl-bat0.network
@@ -0,0 +1,5 @@
+[Match]
+Name=ffhl_bat0
+
+[Network]
+Bridge=ffhl
diff --git a/roles/debian_base/files/etc/systemd/network/22-mesh-hl.network b/roles/debian_base/files/etc/systemd/network/22-mesh-hl.network
deleted file mode 100644
index ec1f92d46f50cd2b29cfb689782aa090f2d17c05..0000000000000000000000000000000000000000
--- a/roles/debian_base/files/etc/systemd/network/22-mesh-hl.network
+++ /dev/null
@@ -1,5 +0,0 @@
-[Match]
-Name=mesh-hl
-
-[Network]
-Bridge=freifunk-hl
diff --git a/roles/debian_base/files/etc/systemd/network/25-ffhl-mesh-vpn-2.network b/roles/debian_base/files/etc/systemd/network/25-ffhl-mesh-vpn-2.network
deleted file mode 100644
index a72a6119917a850548907aff8e8744a876057ca7..0000000000000000000000000000000000000000
--- a/roles/debian_base/files/etc/systemd/network/25-ffhl-mesh-vpn-2.network
+++ /dev/null
@@ -1,2 +0,0 @@
-[Match]
-Name=ffhl-mesh-vpn-2
diff --git a/roles/debian_base/files/etc/systemd/network/25-ffhl-mesh-vpn.network b/roles/debian_base/files/etc/systemd/network/25-ffhl-mesh-vpn.network
deleted file mode 100644
index 2902fe34fa6aa00040cb02a7533813109d95a94e..0000000000000000000000000000000000000000
--- a/roles/debian_base/files/etc/systemd/network/25-ffhl-mesh-vpn.network
+++ /dev/null
@@ -1,2 +0,0 @@
-[Match]
-Name=ffhl-mesh-vpn
diff --git a/roles/debian_base/files/etc/systemd/network/26-ffhl-gw-vpn.network b/roles/debian_base/files/etc/systemd/network/26-ffhl-gw-vpn.network
deleted file mode 100644
index 846c180f3a6bb025615c9652503663c4645d7154..0000000000000000000000000000000000000000
--- a/roles/debian_base/files/etc/systemd/network/26-ffhl-gw-vpn.network
+++ /dev/null
@@ -1,2 +0,0 @@
-[Match]
-Name=ffhl-gw-vpn
diff --git a/roles/debian_base/files/etc/systemd/network/26-ffhl-mesh.network b/roles/debian_base/files/etc/systemd/network/26-ffhl-mesh.network
new file mode 100644
index 0000000000000000000000000000000000000000..1c1e3cbef8a3330d350f51fb2f373459e7952033
--- /dev/null
+++ b/roles/debian_base/files/etc/systemd/network/26-ffhl-mesh.network
@@ -0,0 +1,5 @@
+[Match]
+Name=ffhl_mesh_*
+
+[Network]
+LinkLocalAddressing = no
diff --git a/roles/debian_base/files/etc/systemd/system/alfred@.service b/roles/debian_base/files/etc/systemd/system/alfred@.service
deleted file mode 100644
index b88012ed4ff61bf63978062c875573e4f750435b..0000000000000000000000000000000000000000
--- a/roles/debian_base/files/etc/systemd/system/alfred@.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=A.L.F.R.E.D.
-Wants=network.target
-BindsTo=sys-subsystem-net-devices-mesh\x2d%i.device
-After=sys-subsystem-net-devices-mesh\x2d%i.device
-
-[Service]
-ExecStart=/usr/bin/alfred -i freifunk-%i -b mesh-%i
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/debian_base/files/etc/systemd/system/batadv-vis@.service b/roles/debian_base/files/etc/systemd/system/batadv-vis@.service
deleted file mode 100644
index 872072bcd60dc455ff26e3d26a628b3a675bc365..0000000000000000000000000000000000000000
--- a/roles/debian_base/files/etc/systemd/system/batadv-vis@.service
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=A.L.F.R.E.D. batadv-vis
-After=alfred@%i.service
-
-[Service]
-ExecStart=/usr/bin/batadv-vis -s -i mesh-%i
-
-[Install]
-WantedBy=multi-user.target
-
diff --git a/roles/debian_base/files/etc/systemd/system/batman-freifunk@.service b/roles/debian_base/files/etc/systemd/system/batman-freifunk@.service
deleted file mode 100644
index 52c66fc0e39bdca79555e9f1412714b430018b33..0000000000000000000000000000000000000000
--- a/roles/debian_base/files/etc/systemd/system/batman-freifunk@.service
+++ /dev/null
@@ -1,17 +0,0 @@
-[Unit]
-Description=batman setup for freifunk
-Wants=network.target
-BindsTo=sys-subsystem-net-devices-ff%i\x2dmesh\x2dvpn.device sys-subsystem-net-devices-ff%i\x2dmesh\x2dvpn\x2d2.device sys-subsystem-net-devices-ff%i\x2dgw\x2dvpn.device
-After=sys-subsystem-net-devices-ff%i\x2dmesh\x2dvpn.device sys-subsystem-net-devices-ff%i\x2dmesh\x2dvpn\x2d2.device sys-subsystem-net-devices-ff%i\x2dgw\x2dvpn.device
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/usr/bin/batctl -m mesh-%i if add ff%i-mesh-vpn
-ExecStart=/usr/bin/batctl -m mesh-%i if add ff%i-mesh-vpn-2
-ExecStart=/usr/bin/batctl -m mesh-%i if add ff%i-gw-vpn
-ExecStart=/usr/bin/batctl -m mesh-%i gw server
-ExecStart=-/usr/bin/batctl -m mesh-%i nc disable
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/debian_base/files/etc/systemd/system/batman@.service b/roles/debian_base/files/etc/systemd/system/batman@.service
new file mode 100644
index 0000000000000000000000000000000000000000..85ab7f0c434186b64da23789780d073a2acc3b60
--- /dev/null
+++ b/roles/debian_base/files/etc/systemd/system/batman@.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=batman setup for freifunk
+Wants=network.target
+# BindsTo=sys-subsystem-net-devices-%i_mesh_vpn.device sys-subsystem-net-devices-%i_mesh_gwvpn.device
+# After=sys-subsystem-net-devices-%i_mesh_vpn.device sys-subsystem-net-devices-%i_mesh_gwvpn.device
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=ip link add %i type batadv
+# ExecStart=batctl -m %i_bat0 if add %i_mesh_vpn
+# ExecStart=batctl -m %i_bat0 if add %i_mesh_gwvpn
+# ExecStart=batctl -m %i_bat0 gw server
+# ExecStart=-batctl -m %i_bat0 nc disable
+
+[Install]
+WantedBy=multi-user.target
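Review bot: `ExecStart=ip link add %i type batadv` uses a bare command name, as do the `ExecStartPre=mkdir`/`chown` lines in fastd@.service.d/override.conf and every `ExecStart=`/`ExecStop=` line in freifunk-ip-rule.service. Older systemd releases reject non-absolute paths and newer ones resolve them against a fixed search path, so spelling out the absolute path of `ip`, `mkdir` and `chown` on the target distribution is more predictable for units that run as root. The unit is also not repeatable: there is no `ExecStop=` that removes the link, so a restart fails because the device already exists; an `ExecStop=` that runs `ip link del %i` would pair with it. With `BindsTo=`/`After=` and the `batctl` lines commented out, nothing here attaches the fastd interfaces or sets `gw server` any more; if that moved elsewhere, a comment pointing to it would help.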
diff --git a/roles/debian_base/files/etc/systemd/system/dhcpd4.service b/roles/debian_base/files/etc/systemd/system/dhcpd4.service
deleted file mode 100644
index c1105f2f434e8ea12b58a1772dd0bea33998b237..0000000000000000000000000000000000000000
--- a/roles/debian_base/files/etc/systemd/system/dhcpd4.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=IPv4 DHCP server
-BindsTo=sys-subsystem-net-devices-freifunk\x2dhl.device
-After=network.target sys-subsystem-net-devices-freifunk\x2dhl.device
-
-[Service]
-Type=forking
-PIDFile=/run/dhcpd4.pid
-ExecStart=/usr/bin/dhcpd -4 -q -pf /run/dhcpd4.pid
-KillSignal=SIGINT
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/debian_base/files/etc/systemd/system/fastd@.service.d/override.conf b/roles/debian_base/files/etc/systemd/system/fastd@.service.d/override.conf
index cd828b90746ab065ce3d4b9b5103fa16d56fa71e..3df0c4fda624abbcba182f65ca8b07dcdd272e18 100644
--- a/roles/debian_base/files/etc/systemd/system/fastd@.service.d/override.conf
+++ b/roles/debian_base/files/etc/systemd/system/fastd@.service.d/override.conf
@@ -1,3 +1,4 @@
 [Service]
-ExecStartPre=-/usr/bin/mkdir /run/fastd
-ExecStartPre=/usr/bin/chown fastd:fastd /run/fastd
+# make sure these dirs exists for fastd dignostics/metrics socket
+ExecStartPre=mkdir -p /run/fastd
+ExecStartPre=chown fastd:fastd /run/fastd
diff --git a/roles/debian_base/files/etc/systemd/system/freifunk-ip-rule.service b/roles/debian_base/files/etc/systemd/system/freifunk-ip-rule.service
index 30fa7462d24dbd5918ec0965093902db1615adec..63c926e7701a15b677e0a0119c9abd0e5ae71d29 100644
--- a/roles/debian_base/files/etc/systemd/system/freifunk-ip-rule.service
+++ b/roles/debian_base/files/etc/systemd/system/freifunk-ip-rule.service
@@ -4,20 +4,20 @@ Before=network.target
 
 [Service]
 Type=oneshot
-ExecStart=/usr/sbin/ip rule add from 10.130.0.0/16 table freifunk
-ExecStart=/usr/sbin/ip rule add from 10.207.0.0/16 table freifunk
-ExecStart=/usr/sbin/ip rule add from all fwmark 0x1 table freifunk
-ExecStart=/usr/sbin/ip rule add from 185.66.193.32/29 table freifunk
-ExecStart=/usr/sbin/ip -6 rule add from 2001:67c:2d50::/48 table freifunk
-ExecStart=/usr/sbin/ip -6 rule add from all fwmark 0x1 table freifunk
-ExecStart=/usr/sbin/ip -6 rule add from all table freifunk priority 32767
-ExecStop=/usr/sbin/ip rule del from 10.130.0.0/16 table freifunk
-ExecStop=/usr/sbin/ip rule del from 10.207.0.0/16 table freifunk
-ExecStop=/usr/sbin/ip rule del from all fwmark 0x1 table freifunk
-ExecStop=/usr/sbin/ip rule del from 185.66.193.32/29 table freifunk
-ExecStop=/usr/sbin/ip -6 rule del from 2001:67c:2d50::/48 table freifunk
-ExecStop=/usr/sbin/ip -6 rule del from all fwmark 0x1 table freifunk
-ExecStop=/usr/sbin/ip -6 rule del from all table freifunk priority 32767
+ExecStart=ip rule add from 10.130.0.0/16 table freifunk
+ExecStart=ip rule add from 10.207.0.0/16 table freifunk
+ExecStart=ip rule add from all fwmark 0x1 table freifunk
+ExecStart=ip rule add from 185.66.193.32/29 table freifunk
+ExecStart=ip -6 rule add from 2001:67c:2d50::/48 table freifunk
+ExecStart=ip -6 rule add from all fwmark 0x1 table freifunk
+ExecStart=ip -6 rule add from all table freifunk priority 32767
+ExecStop=ip rule del from 10.130.0.0/16 table freifunk
+ExecStop=ip rule del from 10.207.0.0/16 table freifunk
+ExecStop=ip rule del from all fwmark 0x1 table freifunk
+ExecStop=ip rule del from 185.66.193.32/29 table freifunk
+ExecStop=ip -6 rule del from 2001:67c:2d50::/48 table freifunk
+ExecStop=ip -6 rule del from all fwmark 0x1 table freifunk
+ExecStop=ip -6 rule del from all table freifunk priority 32767
 RemainAfterExit=yes
 
 [Install]
diff --git a/roles/debian_base/files/etc/systemd/system/iptables-up.service b/roles/debian_base/files/etc/systemd/system/iptables-up.service
new file mode 100644
index 0000000000000000000000000000000000000000..26b57087b67dac2f8f26c5c9ef3f7c287aad421c
--- /dev/null
+++ b/roles/debian_base/files/etc/systemd/system/iptables-up.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Load *.rules from /etc/iptables and apply them
+After=systemd-networkd
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/iptables-up
+
+[Install]
+WantedBy=multi-user.target
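Review bot: `After=systemd-networkd` lacks the unit suffix, and systemd does not complete unit names inside unit files, so this ordering is likely dropped with a warning; it would need to be `After=systemd-networkd.service`. For a firewall loader the more usual ordering is the opposite one, `Wants=network-pre.target` with `Before=network-pre.target`, so that the rules are in place before any interface comes up rather than some time afterwards. `ExecStart=/usr/local/bin/iptables-up` also relies on the install task giving the script an executable mode, since roles/debian_base/files/scripts/iptables-up is added with mode 100644; that task is not part of this view.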
diff --git a/roles/debian_base/files/etc/systemd/system/isc-dhcp-server.service.d/override.service b/roles/debian_base/files/etc/systemd/system/isc-dhcp-server.service.d/override.service
new file mode 100644
index 0000000000000000000000000000000000000000..521366d1a00171e614680264157c979731eb5a3b
--- /dev/null
+++ b/roles/debian_base/files/etc/systemd/system/isc-dhcp-server.service.d/override.service
@@ -0,0 +1,3 @@
+[Unit]
+BindsTo=sys-subsystem-net-devices-ffhl.device
+After=network.target sys-subsystem-net-devices-ffhl.device
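Review bot: systemd only reads drop-in files whose name ends in `.conf`, so `isc-dhcp-server.service.d/override.service` will be ignored and the `BindsTo=`/`After=` on `sys-subsystem-net-devices-ffhl.device` never take effect. The file should be named `override.conf`, like the one under fastd@.service.d. Without it the DHCP server may start before the `ffhl` bridge exists.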
diff --git a/roles/debian_base/files/etc/systemd/system/update-ffhl-mesh-vpn.service b/roles/debian_base/files/etc/systemd/system/update-ffhl-mesh-vpn.service
index 76ddf5305c9a987a2f76048a930c63d73e3b0ca3..304b0aef5afbb64cec1dc036271425e41e27afb2 100644
--- a/roles/debian_base/files/etc/systemd/system/update-ffhl-mesh-vpn.service
+++ b/roles/debian_base/files/etc/systemd/system/update-ffhl-mesh-vpn.service
@@ -1,4 +1,4 @@
 [Service]
 Type=oneshot
-WorkingDirectory=/etc/fastd/ffhl-mesh-vpn/peers
+WorkingDirectory=/etc/fastd/ffhl_mesh_vpn/peers
 ExecStart=/usr/bin/git pull
diff --git a/roles/debian_base/files/etc/tayga.conf b/roles/debian_base/files/etc/tayga.conf
deleted file mode 100644
index 5b441c1a239fb0f75cd9a0dcf728e44d4a507fb1..0000000000000000000000000000000000000000
--- a/roles/debian_base/files/etc/tayga.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-tun-device nat64
-ipv4-addr 10.130.127.225
-prefix 2001:67c:2d50:1::/96
diff --git a/roles/debian_base/files/bird/burgtor/bird6_local.conf b/roles/debian_base/files/host/burgtor/etc/bird/bird6_local.conf
similarity index 100%
rename from roles/debian_base/files/bird/burgtor/bird6_local.conf
rename to roles/debian_base/files/host/burgtor/etc/bird/bird6_local.conf
diff --git a/roles/debian_base/files/bird/burgtor/bird_local.conf b/roles/debian_base/files/host/burgtor/etc/bird/bird_local.conf
similarity index 100%
rename from roles/debian_base/files/bird/burgtor/bird_local.conf
rename to roles/debian_base/files/host/burgtor/etc/bird/bird_local.conf
diff --git a/roles/debian_base/files/netconfig/burgtor/30-he-ipv6.netdev b/roles/debian_base/files/host/burgtor/etc/systemd/network/30-he-ipv6.netdev
similarity index 100%
rename from roles/debian_base/files/netconfig/burgtor/30-he-ipv6.netdev
rename to roles/debian_base/files/host/burgtor/etc/systemd/network/30-he-ipv6.netdev
diff --git a/roles/debian_base/files/netconfig/burgtor/30-he-ipv6.network b/roles/debian_base/files/host/burgtor/etc/systemd/network/30-he-ipv6.network
similarity index 100%
rename from roles/debian_base/files/netconfig/burgtor/30-he-ipv6.network
rename to roles/debian_base/files/host/burgtor/etc/systemd/network/30-he-ipv6.network
diff --git a/roles/debian_base/files/netconfig/burgtor/31-ffrhein-fra3-v4.netdev b/roles/debian_base/files/host/burgtor/etc/systemd/network/31-ffrhein-fra3-v4.netdev
similarity index 100%
rename from roles/debian_base/files/netconfig/burgtor/31-ffrhein-fra3-v4.netdev
rename to roles/debian_base/files/host/burgtor/etc/systemd/network/31-ffrhein-fra3-v4.netdev
diff --git a/roles/debian_base/files/netconfig/burgtor/31-ffrhein-fra3-v4.network b/roles/debian_base/files/host/burgtor/etc/systemd/network/31-ffrhein-fra3-v4.network
similarity index 100%
rename from roles/debian_base/files/netconfig/burgtor/31-ffrhein-fra3-v4.network
rename to roles/debian_base/files/host/burgtor/etc/systemd/network/31-ffrhein-fra3-v4.network
diff --git a/roles/debian_base/files/netconfig/burgtor/32-ffrhein-fra3-v6.netdev b/roles/debian_base/files/host/burgtor/etc/systemd/network/32-ffrhein-fra3-v6.netdev
similarity index 100%
rename from roles/debian_base/files/netconfig/burgtor/32-ffrhein-fra3-v6.netdev
rename to roles/debian_base/files/host/burgtor/etc/systemd/network/32-ffrhein-fra3-v6.netdev
diff --git a/roles/debian_base/files/netconfig/burgtor/32-ffrhein-fra3-v6.network b/roles/debian_base/files/host/burgtor/etc/systemd/network/32-ffrhein-fra3-v6.network
similarity index 100%
rename from roles/debian_base/files/netconfig/burgtor/32-ffrhein-fra3-v6.network
rename to roles/debian_base/files/host/burgtor/etc/systemd/network/32-ffrhein-fra3-v6.network
diff --git a/roles/debian_base/files/netconfig/burgtor/33-ffrhein-dus-v4.netdev b/roles/debian_base/files/host/burgtor/etc/systemd/network/33-ffrhein-dus-v4.netdev
similarity index 100%
rename from roles/debian_base/files/netconfig/burgtor/33-ffrhein-dus-v4.netdev
rename to roles/debian_base/files/host/burgtor/etc/systemd/network/33-ffrhein-dus-v4.netdev
diff --git a/roles/debian_base/files/netconfig/burgtor/33-ffrhein-dus-v4.network b/roles/debian_base/files/host/burgtor/etc/systemd/network/33-ffrhein-dus-v4.network
similarity index 100%
rename from roles/debian_base/files/netconfig/burgtor/33-ffrhein-dus-v4.network
rename to roles/debian_base/files/host/burgtor/etc/systemd/network/33-ffrhein-dus-v4.network
diff --git a/roles/debian_base/files/netconfig/burgtor/34-ffrhein-dus-v6.netdev b/roles/debian_base/files/host/burgtor/etc/systemd/network/34-ffrhein-dus-v6.netdev
similarity index 100%
rename from roles/debian_base/files/netconfig/burgtor/34-ffrhein-dus-v6.netdev
rename to roles/debian_base/files/host/burgtor/etc/systemd/network/34-ffrhein-dus-v6.netdev
diff --git a/roles/debian_base/files/netconfig/burgtor/34-ffrhein-dus-v6.network b/roles/debian_base/files/host/burgtor/etc/systemd/network/34-ffrhein-dus-v6.network
similarity index 100%
rename from roles/debian_base/files/netconfig/burgtor/34-ffrhein-dus-v6.network
rename to roles/debian_base/files/host/burgtor/etc/systemd/network/34-ffrhein-dus-v6.network
diff --git a/roles/debian_base/files/bird/holstentor/bird6_local.conf b/roles/debian_base/files/host/holstentor/etc/bird/bird6_local.conf
similarity index 100%
rename from roles/debian_base/files/bird/holstentor/bird6_local.conf
rename to roles/debian_base/files/host/holstentor/etc/bird/bird6_local.conf
diff --git a/roles/debian_base/files/bird/holstentor/bird_local.conf b/roles/debian_base/files/host/holstentor/etc/bird/bird_local.conf
similarity index 100%
rename from roles/debian_base/files/bird/holstentor/bird_local.conf
rename to roles/debian_base/files/host/holstentor/etc/bird/bird_local.conf
diff --git a/roles/debian_base/files/netconfig/holstentor/00-eth1.network b/roles/debian_base/files/host/holstentor/etc/systemd/network/00-eth1.network
similarity index 100%
rename from roles/debian_base/files/netconfig/holstentor/00-eth1.network
rename to roles/debian_base/files/host/holstentor/etc/systemd/network/00-eth1.network
diff --git a/roles/debian_base/files/netconfig/holstentor/30-he-ipv6.netdev b/roles/debian_base/files/host/holstentor/etc/systemd/network/30-he-ipv6.netdev
similarity index 100%
rename from roles/debian_base/files/netconfig/holstentor/30-he-ipv6.netdev
rename to roles/debian_base/files/host/holstentor/etc/systemd/network/30-he-ipv6.netdev
diff --git a/roles/debian_base/files/netconfig/holstentor/30-he-ipv6.network b/roles/debian_base/files/host/holstentor/etc/systemd/network/30-he-ipv6.network
similarity index 100%
rename from roles/debian_base/files/netconfig/holstentor/30-he-ipv6.network
rename to roles/debian_base/files/host/holstentor/etc/systemd/network/30-he-ipv6.network
diff --git a/roles/debian_base/files/netconfig/holstentor/31-ffrhein-ber.netdev b/roles/debian_base/files/host/holstentor/etc/systemd/network/31-ffrhein-ber.netdev
similarity index 100%
rename from roles/debian_base/files/netconfig/holstentor/31-ffrhein-ber.netdev
rename to roles/debian_base/files/host/holstentor/etc/systemd/network/31-ffrhein-ber.netdev
diff --git a/roles/debian_base/files/netconfig/holstentor/31-ffrhein-ber.network b/roles/debian_base/files/host/holstentor/etc/systemd/network/31-ffrhein-ber.network
similarity index 100%
rename from roles/debian_base/files/netconfig/holstentor/31-ffrhein-ber.network
rename to roles/debian_base/files/host/holstentor/etc/systemd/network/31-ffrhein-ber.network
diff --git a/roles/debian_base/files/netconfig/holstentor/32-ffrhein-fra3.netdev b/roles/debian_base/files/host/holstentor/etc/systemd/network/32-ffrhein-fra3.netdev
similarity index 100%
rename from roles/debian_base/files/netconfig/holstentor/32-ffrhein-fra3.netdev
rename to roles/debian_base/files/host/holstentor/etc/systemd/network/32-ffrhein-fra3.netdev
diff --git a/roles/debian_base/files/netconfig/holstentor/32-ffrhein-fra3.network b/roles/debian_base/files/host/holstentor/etc/systemd/network/32-ffrhein-fra3.network
similarity index 100%
rename from roles/debian_base/files/netconfig/holstentor/32-ffrhein-fra3.network
rename to roles/debian_base/files/host/holstentor/etc/systemd/network/32-ffrhein-fra3.network
diff --git a/roles/debian_base/files/bird/huextertor/bird6_local.conf b/roles/debian_base/files/host/huextertor/etc/bird/bird6_local.conf
similarity index 100%
rename from roles/debian_base/files/bird/huextertor/bird6_local.conf
rename to roles/debian_base/files/host/huextertor/etc/bird/bird6_local.conf
diff --git a/roles/debian_base/files/bird/huextertor/bird_local.conf b/roles/debian_base/files/host/huextertor/etc/bird/bird_local.conf
similarity index 100%
rename from roles/debian_base/files/bird/huextertor/bird_local.conf
rename to roles/debian_base/files/host/huextertor/etc/bird/bird_local.conf
diff --git a/roles/debian_base/files/host/kaisertor/etc/bird/bird6_local.conf b/roles/debian_base/files/host/kaisertor/etc/bird/bird6_local.conf
new file mode 100644
index 0000000000000000000000000000000000000000..6284a73452d8a7e0a571ad54e142efa66895cb79
--- /dev/null
+++ b/roles/debian_base/files/host/kaisertor/etc/bird/bird6_local.conf
@@ -0,0 +1,27 @@
+# public BGP
+#############
+
+protocol bgp ffrhein_ber from bgp_public {
+        neighbor 2a03:2260:0:59::1 as 201701;
+}
+
+protocol bgp ffrhein_fra3 from bgp_public {
+        neighbor 2a03:2260:0:60::1 as 201701;
+}
+
+protocol bgp he from bgp_public {
+        neighbor 2001:470:12:35::1 as 6939;
+}
+
+# dn42
+#######
+
+protocol bgp bgp_dn42_chaos from bgp_dn42 {
+	source address fe80::ac16:fd92;
+	neighbor fe80::ac16:fd91%dn42_chaos as 64784;
+}
+
+protocol bgp bgp_nbsp_router from bgp_dn42 {
+  source address 2001:67c:2d50::c01;
+  neighbor 2001:67c:2d50::2b as 76129;
+}
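Review bot: In `bgp_nbsp_router`, the `source address 2001:67c:2d50::c01;` looks like it was copied from holstentor, whose host_vars use `ip6: 2001:67c:2d50::c01`. If kaisertor has its own address, this session will either fail to bind or compete with holstentor's session to the same neighbor. Replace it with kaisertor's own IPv6 address, and check that the `fe80::ac16:fd92` source in `bgp_dn42_chaos` is not a leftover from the same copy. The three indentation styles in this file (8 spaces, tab, 2 spaces) could be unified while the file is still new.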
diff --git a/roles/debian_base/files/host/kaisertor/etc/bird/bird_local.conf b/roles/debian_base/files/host/kaisertor/etc/bird/bird_local.conf
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/roles/debian_base/files/bird/muehlentor/bird6_local.conf b/roles/debian_base/files/host/muehlentor/etc/bird/bird6_local.conf
similarity index 100%
rename from roles/debian_base/files/bird/muehlentor/bird6_local.conf
rename to roles/debian_base/files/host/muehlentor/etc/bird/bird6_local.conf
diff --git a/roles/debian_base/files/bird/muehlentor/bird_local.conf b/roles/debian_base/files/host/muehlentor/etc/bird/bird_local.conf
similarity index 100%
rename from roles/debian_base/files/bird/muehlentor/bird_local.conf
rename to roles/debian_base/files/host/muehlentor/etc/bird/bird_local.conf
diff --git a/roles/debian_base/files/scripts/iptables-up b/roles/debian_base/files/scripts/iptables-up
new file mode 100644
index 0000000000000000000000000000000000000000..83d6093e7ffaa4f58fbd0206c96e98d2418eaa51
--- /dev/null
+++ b/roles/debian_base/files/scripts/iptables-up
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# this loads all files *.rules in /etc/iptables
+
+
+for i in /etc/iptables/*.rules; do
+	iptables-restore < "$i"
+done
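Review bot: Each `iptables-restore < "$i"` flushes the tables named in that file before loading them, so when two `*.rules` files both define the same table only the last one survives, which contradicts the header comment. The loop also ignores failures, and when the glob matches nothing it tries to read the literal `/etc/iptables/*.rules`. I would add `shopt -s nullglob` before the loop and use `iptables-restore --noflush < "$i" || exit 1`, with one explicit flush up front if re-runs must not duplicate rules. Nothing here loads IPv6 rules; if this gateway is meant to filter IPv6 as well, an `ip6tables-restore` counterpart is needed.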
diff --git a/roles/debian_base/tasks/bird.yml b/roles/debian_base/tasks/bird.yml
index ca6ed3e36bc16b935284fcf83d9efdfdfada7404..3862993f92a1324469dfb0fce1ffd1b98eee61a4 100644
--- a/roles/debian_base/tasks/bird.yml
+++ b/roles/debian_base/tasks/bird.yml
@@ -1,5 +1,3 @@
 ---
-- copy: src=bird/base/ dest=/etc/bird
-- copy: src=bird/{{ inventory_hostname }}/ dest=/etc/bird
 - template: src=bird_host.conf.j2 dest=/etc/bird/bird_host.conf
 - template: src=bird6_host.conf.j2 dest=/etc/bird/bird6_host.conf
diff --git a/roles/debian_base/tasks/dhcpd.yml b/roles/debian_base/tasks/dhcpd.yml
new file mode 100644
index 0000000000000000000000000000000000000000..0c75b93e506537887d24b1e5d186dc0478b9889b
--- /dev/null
+++ b/roles/debian_base/tasks/dhcpd.yml
@@ -0,0 +1,12 @@
+- name: process dhcpd templates
+  tags:
+    - dhcp
+  template: src=dhcpd.conf.j2 dest=/etc/dhcp/dhcpd.conf
+
+- name: tell dhcpd what interfaces it should listen
+  tags:
+    - dhcp
+  lineinfile:
+    path: /etc/default/isc-dhcp-server
+    regexp: '^INTERFACESv4='
+    line: INTERFACESv4="ffhl"
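Review bot: The `process dhcpd templates` task writes `/etc/dhcp/dhcpd.conf` without checking that the rendered file parses, so a bad `dhcpd_start`/`dhcpd_end` value only shows up when the service fails to restart. Adding `validate: 'dhcpd -t -cf %s'` to the template task would reject a broken config before it replaces the working one. The file also lacks the leading `---` that the other task files in this role carry.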
diff --git a/roles/debian_base/tasks/fastd.yml b/roles/debian_base/tasks/fastd.yml
new file mode 100644
index 0000000000000000000000000000000000000000..fa5b21ad15ee8459fdc5982629bc8d91cd4ee372
--- /dev/null
+++ b/roles/debian_base/tasks/fastd.yml
@@ -0,0 +1,43 @@
+---
+- user: name=fastd system=yes home=/etc/fastd
+
+
+- template:
+    src: fastd/{{ item }}/fastd-up
+    dest: /etc/fastd/{{ item }}/fastd-up
+    owner: fastd
+    mode: 0744
+
+- name: generate fastd key
+  shell:
+    cmd: fastd --generate-key | awk '/Secret/ {print "secret \"" $2 "\";" }' > /etc/fastd/{{ item }}/secret.conf
+    creates: /etc/fastd/{{ item }}/secret.conf
+
+- name: generate peer file
+  shell:
+    cmd: fastd --show-key -c /etc/fastd/{{ item }}/fastd.conf | awk '/Public/ {print "key \"" $2 "\";" }' > /etc/fastd/{{ item }}/peer.conf
+
+
+- systemd:
+    enabled: yes
+    name: fastd@{{ item }}
+
+
+- fetch:
+    src: /etc/fastd/{{ item }}/peer.conf
+    dest: artifacts/
+
+
+
+
+        #
+        # - template:
+        #     src: fastd/ffhl_mesh_vpn/fastd-up
+        #     dest: /etc/fastd/ffhl_mesh_vpn/fastd-up
+        #     owner: fastd
+        #     mode: 0744
+        #
+        #     - name: generate fastd key
+        #     command: fastd --generate-key | awk  -e '/Secret/ {print "secret \"" $2 "\";" }' > /etc/fastd/ffhl_mesh_vpn/secret.conf
+        #     args:
+        #         creates: /etc/fastd/ffhl_mesh_vpn/secret.conf
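Review bot: The `generate fastd key` task writes the VPN private key through a shell redirect, so `/etc/fastd/{{ item }}/secret.conf` gets whatever the default umask gives (typically world-readable 0644), and nothing later tightens it. Start the command with `umask 077;` or follow it with a `file:` task setting `mode: '0600'`. The pipeline's exit status is awk's, so a failing `fastd --generate-key` still leaves an empty `secret.conf`, and `creates:` then prevents it from ever being regenerated. Checking that the file is non-empty, or running the command under bash with `set -o pipefail`, would catch that. The commented-out block at the end of the file duplicates these tasks and can be removed.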
diff --git a/roles/debian_base/tasks/ffhl-peers.yml b/roles/debian_base/tasks/ffhl-peers.yml
index e2ab059a45ea62681e6e0aced01e284cb637b977..12af7797211afe7be33b410379d1557f78cbe9b7 100644
--- a/roles/debian_base/tasks/ffhl-peers.yml
+++ b/roles/debian_base/tasks/ffhl-peers.yml
@@ -1,3 +1,3 @@
 ---
-- git: repo=git@srv01.luebeck.freifunk.net:fastd-keys dest=/etc/fastd/ffhl-mesh-vpn/peers accept_hostkey=True
-- copy: src=post-merge/ffhl-mesh-vpn dest=/etc/fastd/ffhl-mesh-vpn/peers/.git/hooks/post-merge mode=a+x
+- git: repo=git@srv01.luebeck.freifunk.net:fastd-keys dest=/etc/fastd/ffhl_mesh_vpn/peers accept_hostkey=True
+- copy: src=post-merge/ffhl-mesh-vpn dest=/etc/fastd/ffhl_mesh_vpn/peers/.git/hooks/post-merge mode=a+x
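Review bot: `accept_hostkey=True` on the `git:` task makes the gateway trust whatever SSH host key `srv01.luebeck.freifunk.net` presents on first contact, and this repository supplies the fastd peer keys that decide who may join the VPN. Pin the server's key beforehand with a `known_hosts:` task and drop `accept_hostkey`. The hook is still copied from `src=post-merge/ffhl-mesh-vpn`; if that script refers to the old `/etc/fastd/ffhl-mesh-vpn` path it needs the same rename, but its content is not part of this diff.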
diff --git a/roles/debian_base/tasks/main.yml b/roles/debian_base/tasks/main.yml
index f03319fe6b1e1b1cb7c4f0bbae42e51f2cd08d7a..2513d6eb1ea1a13ba931eec0dd0aa0b6f6b4c2dc 100644
--- a/roles/debian_base/tasks/main.yml
+++ b/roles/debian_base/tasks/main.yml
@@ -1,25 +1,62 @@
 ---
-- include: update.yml
+-
 - include: software.yml
+
 - name: Disable root login with password
   lineinfile: dest=/etc/ssh/sshd_config regexp="^#?PermitRootLogin" line="PermitRootLogin without-password"
-- user: name=fastd system=yes home=/etc/fastd
-- copy: src=etc/ dest=/etc
-- copy: src=netconfig/{{ inventory_hostname }}/ dest=/etc/systemd/network
-  ignore_errors: True
-- copy: src=host/{{ inventory_hostname }}/etc/ dest=/etc
-  ignore_errors: True
-- file: state=link src=/usr/share/zoneinfo/Europe/Berlin dest=/etc/localtime
-- template: src=fastd-mac.j2 dest=/etc/fastd/ffhl-mesh-vpn/mac
-- template: src=fastd-mac-2.j2 dest=/etc/fastd/ffhl-mesh-vpn-2/mac
-- template: src=fastd-gw-mac.j2 dest=/etc/fastd/ffhl-gw-vpn/mac
-- template: src=dhcpd.conf.j2 dest=/etc/dhcpd.conf
-- template: src=radvd.conf.j2 dest=/etc/radvd.conf
-- template: src=10-freifunk-hl.netdev.j2 dest=/etc/systemd/network/10-freifunk-hl.netdev
-- template: src=12-freifunk-hl.network.j2 dest=/etc/systemd/network/12-freifunk-hl.network
-- command: systemctl daemon-reload
-- copy: content="createUser guest SHA guestffhl AES guestffhl" dest=/var/net-snmp/snmpd.conf
+
+- name: copy base configs
+  copy: src=etc/ dest=/etc
+
+- name: copy host specific configs
+  copy: src=host/{{ inventory_hostname }}/etc/ dest=/etc
+
+- name: copy scripts
+  copy: src=scripts/iptables-up dest=/usr/local/bin/iptables-up mode=755
+
+
+
+# configurations and stuff
+
+- name: set local timezone
+  file: state=link src=/usr/share/zoneinfo/Europe/Berlin dest=/etc/localtime
+
+- name: configure ntp
+  blockinfile:
+    path: /etc/ntp.conf
+    block: |
+      restrict fdef:ffc0:3dd7:: mask ffff:ffff:ffff:ffff:: nomodify notrap nopeer
+      restrict 2001:67c:2d50:: mask ffff:ffff:ffff:ffff:: nomodify notrap nopeer
+
+
+- name: networkd templates
+  block:
+    - template: src=network/10-ffhl.netdev.j2 dest=/etc/systemd/network/10-ffhl.netdev
+    - template: src=network/12-ffhl.network.j2 dest=/etc/systemd/network/12-ffhl.network
+
+# sometimes disabled (dunno why)
+- name: enable systemd-networkd
+  command: systemctl enable systemd-networkd
+
+
+- name: create fastd configs
+  include_tasks: fastd.yml
+  loop:
+    - ffhl_mesh_vpn
+    - ffhl_mesh_gwvpn
+
+
+- include: radvd.yml
+
+- include: dhcpd.yml
+
+
+- name: reload systemd
+  command: systemctl daemon-reload
+
+
 - lineinfile: dest=/etc/iproute2/rt_tables line="42\tfreifunk"
+
 - include: bird.yml
   tags:
     - bird
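Review bot: The bare `-` left where `- include: update.yml` was removed is an empty list entry, which Ansible will most likely reject as a malformed task. Delete that line, or restore the include if the update step is still wanted. Further down, `command: systemctl enable systemd-networkd` and `command: systemctl daemon-reload` report changed on every run; `systemd: name=systemd-networkd enabled=yes` and `systemd: daemon_reload=yes` are the idempotent forms. Dropping `ignore_errors: True` from the host-specific copy is a good change, but it means every host now needs a `host/<name>/etc/` directory in the role.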
diff --git a/roles/debian_base/tasks/radvd.yml b/roles/debian_base/tasks/radvd.yml
new file mode 100644
index 0000000000000000000000000000000000000000..1853b432e52e45f40694562f794edcb13466eb5b
--- /dev/null
+++ b/roles/debian_base/tasks/radvd.yml
@@ -0,0 +1,3 @@
+---
+- name: radvd templates
+  template: src=radvd/radvd.conf.j2 dest=/etc/radvd.conf
diff --git a/roles/debian_base/tasks/software.yml b/roles/debian_base/tasks/software.yml
index c0381bbe92c8cedd96f2dc07d280eb55ac0f3de0..3aef30eb4c7a56f03f050e10490dcd703d4da74f 100644
--- a/roles/debian_base/tasks/software.yml
+++ b/roles/debian_base/tasks/software.yml
@@ -1,6 +1,44 @@
 ---
-- apt: update_cache=yes
+# - lineinfile:
+#     path: /etc/apt/sources.list
+#     regexp: '^deb .* main$'
+#     line: deb http://deb.debian.org/debian stable main
+
+- name: apt python update
+  command: apt-get update
+
+- name: install python-apt
+  command: apt-get install -y python-apt
+
 - name: install tools
-  apt: state=present name=openssh-server,openssh-client,git,wget,curl,zsh,tcpdump,iftop,iputils-ping,htop,bridge-utils,batctl
-- name: install networking stuff
-  apt: state=present name=bird,tinc,bind9,fastd,radvd,dhcpd,ntp,haveged
+  apt:
+    update_cache: yes
+    state: present
+    name:
+      - iptables-persistent
+      - apt-file
+      - batctl
+      - bind9
+      - bird
+      - bridge-utils
+      - curl
+      - isc-dhcp-server
+      - fastd
+      - git
+      - haveged
+      - htop
+      - iftop
+      - iputils-ping
+      - ntp
+      - openssh-client
+      - openssh-server
+      - python-apt
+      - radvd
+      - tcpdump
+      - tinc
+      - vim
+      - wget
+      - iperf3
+
+- name: load batman-adv
+  command: modprobe batman-adv
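Review bot: `command: modprobe batman-adv` loads the module only into the running kernel, and nothing in this hunk makes it persist. After a reboot the fastd-up scripts that call `batctl -m ffhl_bat0 if add` depend on something else loading it. Use `modprobe: name=batman-adv state=present` and add a task that writes `batman-adv` to `/etc/modules-load.d/batman-adv.conf`. The two bootstrap tasks `command: apt-get update` and `command: apt-get install -y python-apt` run and report changed on every play, and `python-apt` is then listed again in the `apt:` task; a `changed_when: false` on the bootstrap pair would keep the play output meaningful.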
diff --git a/roles/debian_base/tasks/units.yml b/roles/debian_base/tasks/units.yml
index d3e92ce28a94bd67fdfe1bb3d48176075720b38d..31cd13da03354058f58a7ef9cf5a10037b3c1ba5 100644
--- a/roles/debian_base/tasks/units.yml
+++ b/roles/debian_base/tasks/units.yml
@@ -1,30 +1,27 @@
 ---
 - command: systemctl mask display-manager.service
-- command: systemctl enable {{ item }}
+
+
+- name: restart services
+  systemd:
+    state: restarted
+    name: "{{ item }}"
   with_items:
-    #    - alfred@hl.service
-    #    - batadv-vis@hl.service
-    - batman-freifunk@hl.service
+    - batman@ffhl_bat0.service
     - bird6.service
     - bird.service
-    - dhcpd4.service
-    - "'fastd@ffhl\\x2dmesh\\x2dvpn.service'"
-    - "'fastd@ffhl\\x2dmesh\\x2dvpn\\x2d2.service'"
-    - "'fastd@ffhl\\x2dgw\\x2dvpn.service'"
+    - systemd-networkd.service
+    - isc-dhcp-server.service
+    - "fastd@ffhl_mesh_vpn.service"
+    - "fastd@ffhl_mesh_gwvpn.service"
     - freifunk-ip-rule.service
     - haveged.service
-    - ip6tables.service
-    - iptables.service
-    - named.service
-    - ntpd.service
+    - bind9.service
+    - ntp.service
     - radvd.service
-    - snmpd.service
     - sshd.service
-    - systemd-networkd.service
-    - tayga.service
     - update-ffhl-dns.timer
     - update-ffhl-mesh-vpn.timer
-    - vnstat.service
+
 - command: systemctl enable {{ item }}
   with_items: "{{ units_enable|default([]) }}"
-
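Review bot: The rewritten loop only sets `state: restarted`, so unlike the `systemctl enable {{ item }}` it replaces, nothing here enables these units at boot. Add `enabled: yes` to the `systemd:` task unless every unit is enabled elsewhere. `iptables.service` and `ip6tables.service` were dropped from the list and no visible task runs `iptables-up` or netfilter-persistent, so it is worth confirming that the firewall and SNAT rules are still loaded after a reboot. Restarting `sshd.service` and `systemd-networkd.service` unconditionally on every run can also interrupt the play's own connection; handlers notified by the config tasks would restart only what changed.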
diff --git a/roles/debian_base/templates/dhcpd.conf.j2 b/roles/debian_base/templates/dhcpd.conf.j2
index 22af242b6402affd71eb597c0b9996e563f21a7c..e8bb6edbb554fbf097b75310839e6b9c6cbd7950 100644
--- a/roles/debian_base/templates/dhcpd.conf.j2
+++ b/roles/debian_base/templates/dhcpd.conf.j2
@@ -5,6 +5,6 @@ max-lease-time 600;
 subnet {{ dhcpd_subnet }} netmask {{ dhcpd_netmask }} {
 	range {{ dhcpd_start }} {{ dhcpd_end }};
 
-	option routers {{ ip4 }};
-	option domain-name-servers {{ ip4 }};
+    option routers {{ ip4 }};
+    option domain-name-servers {{ ip4 }};
 }
diff --git a/roles/debian_base/templates/fastd-gw-mac.j2 b/roles/debian_base/templates/fastd-gw-mac.j2
deleted file mode 100644
index e15d4e1260aeb555c8cbc10a5c81b85a91ca7d59..0000000000000000000000000000000000000000
--- a/roles/debian_base/templates/fastd-gw-mac.j2
+++ /dev/null
@@ -1 +0,0 @@
-{{ fastd_gw_mac }}
diff --git a/roles/debian_base/templates/fastd-mac-2.j2 b/roles/debian_base/templates/fastd-mac-2.j2
deleted file mode 100644
index 1a27d4c9a3c7046c27ebe3f0525427b5d14e4a88..0000000000000000000000000000000000000000
--- a/roles/debian_base/templates/fastd-mac-2.j2
+++ /dev/null
@@ -1 +0,0 @@
-{{ fastd_mac_2 }}
diff --git a/roles/debian_base/templates/fastd-mac.j2 b/roles/debian_base/templates/fastd-mac.j2
deleted file mode 100644
index 6ee50b1941995abbee72c7bcc0fc918cc24e3394..0000000000000000000000000000000000000000
--- a/roles/debian_base/templates/fastd-mac.j2
+++ /dev/null
@@ -1 +0,0 @@
-{{ fastd_mac }}
diff --git a/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/fastd-up b/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/fastd-up
new file mode 100644
index 0000000000000000000000000000000000000000..88480f03db10a7d7c294418ffef7b2f9757b3758
--- /dev/null
+++ b/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/fastd-up
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+ip link set address {{ fastd_gw_mac }} dev $INTERFACE
+ip link set up $INTERFACE
+batctl -m ffhl_bat0 if add $INTERFACE
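Review bot: `$INTERFACE` is unquoted in all three commands and the script continues after a failure, so if `ip link set address` fails the interface is still brought up and added to `ffhl_bat0` with whatever MAC it had. Add `set -e` after the shebang and write `"$INTERFACE"` throughout. The same applies to the `ffhl_mesh_vpn/fastd-up` template later in this diff, which differs only in using `{{ fastd_mesh_mac }}`; a single template taking the MAC variable as a parameter would avoid maintaining two copies.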
diff --git a/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/gateways/holstentor b/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/gateways/holstentor
new file mode 100644
index 0000000000000000000000000000000000000000..4ac8d290fb4f00039c4cd2ebcfcedb8ff3294cea
--- /dev/null
+++ b/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/gateways/holstentor
@@ -0,0 +1,3 @@
+key "07197da0ff4a294f4356b50c567f957334728d8a1a31b2855ddd1f6f4d2fed07";
+remote "holstentor.mesh.ffhl.chaotikum.org" port 10001;
+float yes;
diff --git a/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/gateways/muehlentor b/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/gateways/muehlentor
new file mode 100644
index 0000000000000000000000000000000000000000..d218c3d1adfd472cbc3718424f3f61f1bd737d9d
--- /dev/null
+++ b/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/gateways/muehlentor
@@ -0,0 +1,3 @@
+key "2eba0e70a6b834a8435f7142b06f3ee79849b97f884d961f3dd899861373e54e";
+remote "muehlentor.mesh.ffhl.chaotikum.org" port 10001;
+float yes;
diff --git a/roles/debian_base/templates/fastd/ffhl_mesh_vpn/fastd-up b/roles/debian_base/templates/fastd/ffhl_mesh_vpn/fastd-up
new file mode 100644
index 0000000000000000000000000000000000000000..a105b0a4c4621e8cda07719fbcd318600b66608d
--- /dev/null
+++ b/roles/debian_base/templates/fastd/ffhl_mesh_vpn/fastd-up
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+ip link set address {{ fastd_mesh_mac }} dev $INTERFACE
+ip link set up $INTERFACE
+batctl -m ffhl_bat0 if add $INTERFACE
diff --git a/roles/debian_base/templates/10-freifunk-hl.netdev.j2 b/roles/debian_base/templates/network/10-ffhl.netdev.j2
similarity index 75%
rename from roles/debian_base/templates/10-freifunk-hl.netdev.j2
rename to roles/debian_base/templates/network/10-ffhl.netdev.j2
index c3bee1aea4ceb96c4a42e45e09dbacf4953387f5..943e09dcad2b3105534d9e9a34cb870f0a946c08 100644
--- a/roles/debian_base/templates/10-freifunk-hl.netdev.j2
+++ b/roles/debian_base/templates/network/10-ffhl.netdev.j2
@@ -1,4 +1,4 @@
 [NetDev]
-Name=freifunk-hl
+Name=ffhl
 Kind=bridge
 MACAddress={{ freifunk_mac }}
diff --git a/roles/debian_base/templates/12-freifunk-hl.network.j2 b/roles/debian_base/templates/network/12-ffhl.network.j2
similarity index 74%
rename from roles/debian_base/templates/12-freifunk-hl.network.j2
rename to roles/debian_base/templates/network/12-ffhl.network.j2
index 3f83eaa2a94b26b0b2e018da8011e4b2cbc212fd..e82136fd34a7ba56b4922c6460aa6a752464890a 100644
--- a/roles/debian_base/templates/12-freifunk-hl.network.j2
+++ b/roles/debian_base/templates/network/12-ffhl.network.j2
@@ -1,8 +1,10 @@
 [Match]
-Name=freifunk-hl
+Name=ffhl
 
 [Network]
 IPForward=yes
 Address={{ ip4 }}/20
 Address={{ ip6 }}/64
 Address={{ ip6_ula }}/64
+
+LinkLocalAddressing=no
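Review bot: `LinkLocalAddressing=no` on the `ffhl` bridge removes the fe80:: address that router advertisements are sent from, so radvd will probably refuse to advertise on this interface, or advertise nothing. If the intent is only to stop IPv4 link-local assignment, `LinkLocalAddressing=ipv6` keeps the IPv6 link-local address; otherwise add a static link-local `Address=` line. A short comment above the setting saying why it is there would help, since the hunk gives no reason.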
diff --git a/roles/debian_base/templates/radvd.conf.j2 b/roles/debian_base/templates/radvd.conf.j2
deleted file mode 100644
index b38646f2a982aa40e6b163a413729b965cedfe9c..0000000000000000000000000000000000000000
--- a/roles/debian_base/templates/radvd.conf.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-interface freifunk-hl
-{
-  AdvSendAdvert on;
-  IgnoreIfMissing on;
-  MaxRtrAdvInterval 200;
-
-{% for prefix in radvd_prefixes %}
-  prefix {{ prefix }}
-  {
-  };
-
-{% endfor %}
-  RDNSS 2001:67c:2d50:1::a82:7fe0
-  {
-  };
-};
diff --git a/roles/debian_base/templates/radvd/radvd.conf.j2 b/roles/debian_base/templates/radvd/radvd.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..f7ab35485ce6cce03f8819d9434893db87c3d27b
--- /dev/null
+++ b/roles/debian_base/templates/radvd/radvd.conf.j2
@@ -0,0 +1,14 @@
+interface freifunk-hl
+{
+	AdvSendAdvert on;
+	IgnoreIfMissing on;
+	MaxRtrAdvInterval 200;
+
+{% for prefix in radvd_prefixes %}
+	prefix {{ prefix }} {
+	};
+{% endfor %}
+
+	RDNSS 2001:67c:2d50:1::a82:7fe0 {
+	};
+};
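Review bot: The template still opens with `interface freifunk-hl`, but this commit renames the bridge to `ffhl` in `10-ffhl.netdev.j2` and `12-ffhl.network.j2` and points dhcpd at `INTERFACESv4="ffhl"`. Because `IgnoreIfMissing on` is set, radvd will start without error and send no router advertisements. Change the first line to `interface ffhl`.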
diff --git a/todo.md b/todo.md
new file mode 100644
index 0000000000000000000000000000000000000000..bbb07f075029a471ab2461ccfae846b2e1c9b783
--- /dev/null
+++ b/todo.md
@@ -0,0 +1,8 @@
+Things for a working Gateway:
+
+[x] fastd
+[x] batman
+[ ] DHCP
+[ ] radvd
+[ ] BGP
+[x] prometheus