diff --git a/group_vars/all.yml b/group_vars/all.yml
index 17041d68c1a49862b7facbbf18d1d7276829f4d2..ffbd17507866c099df7bff6c6597fe3811f7a429 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -2,4 +2,4 @@ radvd_prefixes:
   - fdef:ffc0:3dd7::/64
   - 2001:67c:2d50::/64
 dhcpd_subnet: 10.130.0.0
-dhcpd_netmask: 255.255.240.0
+dhcpd_netmask: 255.255.0.0
diff --git a/host_vars/huextertor.yml b/host_vars/huextertor.yml
index 88e55077a0a20696469874178a69f048899d5bd6..d56342fd27a70b8ca1035f436c75072118af5e03 100644
--- a/host_vars/huextertor.yml
+++ b/host_vars/huextertor.yml
@@ -1,8 +1,9 @@
 ip4: 10.130.0.252
-ip6: 2001:67c:2d50::d01
-ip6_ula: fdef:ffc0:3dd7::d01
-fastd_mesh_mac: de:ad:ca:fe:aa:bb
-fastd_gw_mac: de:ad:ca:fe:bb:dd
-freifunk_mac: de:ad:ca:fe:cc:dd
-dhcpd_start: 10.130.12.63
-dhcpd_end: 10.130.15.255
+ip6: 2001:67c:2d50::bb
+ip6_ula: fdef:ffc0:3dd7::bb
+fastd_mesh_mac: de:ad:ca:fe:bb:bb
+fastd_gw_mac: de:ad:ca:fe:bb:cc
+freifunk_mac: de:ad:ca:fe:bb:aa
+dhcpd_start: 10.130.24.1
+dhcpd_end: 10.130.31.254
+internet_iface_mac: 52:54:00:57:84:a3
diff --git a/host_vars/kaisertor.yml b/host_vars/kaisertor.yml
index 98e37c249da37da07a042f27dc2a9adb584bb335..0c54b77bec7fab3b583cedc43c0935e508d20111 100644
--- a/host_vars/kaisertor.yml
+++ b/host_vars/kaisertor.yml
@@ -1,8 +1,9 @@
 ip4: 10.130.0.255
-ip6: 2001:67c:2d50::b01
-ip6_ula: fdef:ffc0:3dd7::b01
-fastd_mesh_mac: de:ad:ca:fe:aa:aa
-fastd_gw_mac: de:ad:ca:fe:bb:bb
-freifunk_mac: de:ad:ca:fe:cc:bb
-dhcpd_start: 10.130.1.0
-dhcpd_end: 10.130.4.190
+ip6: 2001:67c:2d50::aa
+ip6_ula: fdef:ffc0:3dd7::aa
+fastd_mesh_mac: de:ad:ca:fe:aa:bb
+fastd_gw_mac: de:ad:ca:fe:aa:cc
+freifunk_mac: de:ad:ca:fe:aa:aa
+dhcpd_start: 10.130.16.1
+dhcpd_end: 10.130.23.254
+internet_iface_mac: 52:54:00:57:84:a3
diff --git a/revert_and_setup.sh b/revert_and_setup.sh
index ac9813c20aabb872d1b0f39598338f408c621609..d7a7e2a0495ee00ebc33996890f593f224322a5e 100755
--- a/revert_and_setup.sh
+++ b/revert_and_setup.sh
@@ -3,10 +3,10 @@
 set -e
 
 # virsh snapshot-revert --domain ffhl-test-gateway --current
-virsh snapshot-revert --domain ffhl-test-gateway 1579128050
+virsh snapshot-revert --domain ffhl-gw01 --current
 echo "restarting timesyncd and ntp"
 ssh -q root@10.8.1.50 systemctl restart systemd-timesyncd
-ssh -q root@10.8.1.50 systemctl restart ntp
+# ssh -q root@10.8.1.50 systemctl restart ntp
 echo "waiting..."
 sleep 7
 
@@ -14,4 +14,4 @@ echo "removing artifacts"
 rm -rf artifacts
 
 echo "run the playbook"
-ansible-playbook -vvvv -i hosts debian_setup.yml
+ansible-playbook -vvvv -i hosts_new debian_setup.yml
diff --git a/roles/debian_base/files/etc/bind/named.conf.local b/roles/debian_base/files/etc/bind/named.conf.local
new file mode 100644
index 0000000000000000000000000000000000000000..f24c71cb5ebc290200b00cc806f8f3e75f716284
--- /dev/null
+++ b/roles/debian_base/files/etc/bind/named.conf.local
@@ -0,0 +1,17 @@
+zone "ffhl" IN {
+	type master;
+	file "ffhl/ffhl.zone";
+	allow-transfer { any; };
+};
+
+zone "130.10.in-addr.arpa" IN {
+	type master;
+	file "ffhl/10.130.zone";
+	allow-transfer { any; };
+};
+
+zone "7.d.d.3.0.c.f.f.f.e.d.f.ip6.arpa" IN {
+	type master;
+	file "ffhl/fdef:ffc0:3dd7.zone";
+	allow-transfer { any; };
+};
diff --git a/roles/debian_base/files/etc/bind/named.conf.options b/roles/debian_base/files/etc/bind/named.conf.options
new file mode 100644
index 0000000000000000000000000000000000000000..0587a30ba2f4e37aa65f20515a7c155ccc30a354
--- /dev/null
+++ b/roles/debian_base/files/etc/bind/named.conf.options
@@ -0,0 +1,22 @@
+options {
+	directory "/var/cache/bind";
+	auth-nxdomain yes;
+	datasize default;
+	listen-on { any; };
+	listen-on-v6 { any; };
+
+	allow-recursion {
+		::1/128;
+		127.0.0.1/8;
+		2001:67c:2d50::/48;
+		fdef:ffc0:3dd7::/48;
+		10.130.0.0/16;
+	};
+
+	allow-transfer { none; };
+	allow-update { none; };
+	version none;
+	hostname none;
+	server-id none;
+	empty-zones-enable yes;
+};
diff --git a/roles/debian_base/files/etc/bind/named_.conf b/roles/debian_base/files/etc/bind/named_.conf
new file mode 100644
index 0000000000000000000000000000000000000000..61ccbc27c0af51dc9ee1412d63f3040e2bc912c2
--- /dev/null
+++ b/roles/debian_base/files/etc/bind/named_.conf
@@ -0,0 +1,19 @@
+zone "0.0.127.in-addr.arpa" IN {
+	type master;
+	file "127.0.0.zone";
+};
+
+zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
+	type master;
+	file "localhost.ip6.zone";
+};
+
+zone "255.in-addr.arpa" IN {
+	type master;
+	file "empty.zone";
+};
+
+zone "0.in-addr.arpa" IN {
+	type master;
+	file "empty.zone";
+};
diff --git a/roles/debian_base/files/etc/named.conf b/roles/debian_base/files/etc/named.conf
deleted file mode 100644
index a878271bcfb82869826d6fc95aac3675dddaba7c..0000000000000000000000000000000000000000
--- a/roles/debian_base/files/etc/named.conf
+++ /dev/null
@@ -1,73 +0,0 @@
-options {
-	directory "/var/named";
-	pid-file "/var/run/named/named.pid";
-	auth-nxdomain yes;
-	datasize default;
-	listen-on { any; };
-	listen-on-v6 { any; };
-
-	allow-recursion {
-		::1/128;
-		127.0.0.1/8;
-		2001:67c:2d50::/48;
-		fdef:ffc0:3dd7::/48;
-		10.130.0.0/16;
-	};
-
-	allow-transfer { none; };
-	allow-update { none; };
-	version none;
-	hostname none;
-	server-id none;
-	empty-zones-enable yes;
-};
-
-zone "localhost" IN {
-	type master;
-	file "localhost.zone";
-};
-
-zone "0.0.127.in-addr.arpa" IN {
-	type master;
-	file "127.0.0.zone";
-};
-
-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
-	type master;
-	file "localhost.ip6.zone";
-};
-
-zone "255.in-addr.arpa" IN {
-	type master;
-	file "empty.zone";
-};
-
-zone "0.in-addr.arpa" IN {
-	type master;
-	file "empty.zone";
-};
-
-zone "." IN {
-	type hint;
-	file "root.hint";
-};
-
-zone "ffhl" IN {
-	type master;
-	file "ffhl/ffhl.zone";
-	allow-transfer { any; };
-};
-
-zone "130.10.in-addr.arpa" IN {
-	type master;
-	file "ffhl/10.130.zone";
-	allow-transfer { any; };
-};
-
-zone "7.d.d.3.0.c.f.f.f.e.d.f.ip6.arpa" IN {
-	type master;
-	file "ffhl/fdef:ffc0:3dd7.zone";
-	allow-transfer { any; };
-};
-
-include "/etc/named_ffdns.conf";
diff --git a/roles/debian_base/files/etc/systemd/system/update-ffhl-dns.service b/roles/debian_base/files/etc/systemd/system/update-ffhl-dns.service
index 0ab4a9d40b1362dc1bfce972a550f4b53e3bec0a..0f128f7d6ceadc1d2d2521b0f06bfcba4df276fa 100644
--- a/roles/debian_base/files/etc/systemd/system/update-ffhl-dns.service
+++ b/roles/debian_base/files/etc/systemd/system/update-ffhl-dns.service
@@ -1,4 +1,4 @@
 [Service]
 Type=oneshot
-WorkingDirectory=/var/named/ffhl
+WorkingDirectory=/var/cache/bind
 ExecStart=/usr/bin/git pull
diff --git a/roles/debian_base/files/host/huextertor/etc/openvpn/hideio.conf b/roles/debian_base/files/host/huextertor/etc/openvpn/hideio.conf
deleted file mode 100644
index 90ff7b6df34164f92336634c0babcc5fe7e9ced4..0000000000000000000000000000000000000000
--- a/roles/debian_base/files/host/huextertor/etc/openvpn/hideio.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-client
-dev hideio
-dev-type tun
-proto udp
-remote nl.hide.io 3478
-cipher AES-128-CBC
-resolv-retry infinite
-nobind
-persist-key
-persist-tun
-mute-replay-warnings
-ca hideio/TrustedRoot.pem
-verb 3
-auth-user-pass hideio/password.txt
-reneg-sec 0
-
-auth-retry nointeract
-mtu-test
-script-security 2
-route-nopull
diff --git a/roles/debian_base/files/host/huextertor/etc/openvpn/hideio/TrustedRoot.pem b/roles/debian_base/files/host/huextertor/etc/openvpn/hideio/TrustedRoot.pem
deleted file mode 100755
index 9e6810ab70cfa112fe066ec8b2122fbf76586317..0000000000000000000000000000000000000000
--- a/roles/debian_base/files/host/huextertor/etc/openvpn/hideio/TrustedRoot.pem
+++ /dev/null
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
-ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL
-MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
-LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug
-RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm
-+9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW
-PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM
-xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB
-Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3
-hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg
-EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF
-MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA
-FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec
-nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z
-eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF
-hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2
-Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe
-vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep
-+OkuE6N36B9K
------END CERTIFICATE-----
diff --git a/roles/debian_base/files/post-merge/ffhl-dns b/roles/debian_base/files/post-merge/ffhl-dns
index 4a1bd3ed1d001e7cf924ad353930c94ef2e0ffd0..e5419ba4dc6de44a65fdab2d56ce666a4039465a 100755
--- a/roles/debian_base/files/post-merge/ffhl-dns
+++ b/roles/debian_base/files/post-merge/ffhl-dns
@@ -1,5 +1,5 @@
 #!/bin/sh
 
-systemctl reload named.service
+systemctl reload bind9.service
 
 exit 0
diff --git a/roles/debian_base/tasks/ffhl-dns.yml b/roles/debian_base/tasks/ffhl-dns.yml
index 44fa5c5c787ef2d99cfe9a3c5ffacd2d6f0a651f..ca7bdfa9a8d5f2aa809b28307aaf93a674e2fb23 100644
--- a/roles/debian_base/tasks/ffhl-dns.yml
+++ b/roles/debian_base/tasks/ffhl-dns.yml
@@ -1,3 +1,3 @@
 ---
-- git: repo=https://github.com/freifunk-luebeck/ffhl-dns.git dest=/var/named/ffhl
-- copy: src=post-merge/ffhl-dns dest=/var/named/ffhl/.git/hooks/post-merge mode=a+x
+- git: repo=https://gitlab.com/freifunk-luebeck/ffhl-dns.git dest=/var/cache/bind/ffhl
+- copy: src=post-merge/ffhl-dns dest=/var/cache/bind/ffhl/.git/hooks/post-merge mode=a+x
diff --git a/roles/debian_base/tasks/main.yml b/roles/debian_base/tasks/main.yml
index 2513d6eb1ea1a13ba931eec0dd0aa0b6f6b4c2dc..58c8078c7b83c7d864b2d6b7933cd80a6980ee17 100644
--- a/roles/debian_base/tasks/main.yml
+++ b/roles/debian_base/tasks/main.yml
@@ -33,6 +33,7 @@
   block:
     - template: src=network/10-ffhl.netdev.j2 dest=/etc/systemd/network/10-ffhl.netdev
     - template: src=network/12-ffhl.network.j2 dest=/etc/systemd/network/12-ffhl.network
+    - template: src=network/10-internet.link.j2 dest=/etc/systemd/network/12-internet.link
 
 # sometimes disabled (dunno why)
 - name: enable systemd-networkd
diff --git a/roles/debian_base/templates/network/10-internet.link.j2 b/roles/debian_base/templates/network/10-internet.link.j2
new file mode 100644
index 0000000000000000000000000000000000000000..107285759dc478444e56fd2c6576f582d4d5b8b8
--- /dev/null
+++ b/roles/debian_base/templates/network/10-internet.link.j2
@@ -0,0 +1,5 @@
+[Match]
+MACAddress={{ internet_iface_mac }}
+
+[Link]
+Name=internet
diff --git a/roles/debian_base/templates/network/12-ffhl.network.j2 b/roles/debian_base/templates/network/12-ffhl.network.j2
index e82136fd34a7ba56b4922c6460aa6a752464890a..45d85f455c7b82b452c18a00253099617847bdbb 100644
--- a/roles/debian_base/templates/network/12-ffhl.network.j2
+++ b/roles/debian_base/templates/network/12-ffhl.network.j2
@@ -3,7 +3,7 @@ Name=ffhl
 
 [Network]
 IPForward=yes
-Address={{ ip4 }}/20
+Address={{ ip4 }}/16
 Address={{ ip6 }}/64
 Address={{ ip6_ula }}/64
 
diff --git a/todo.md b/todo.md
index b252e8ac19c288dc9f2d1dc8e3acb4cda3979f19..3be118bc3728304ada16af658c1cb384dca81ab5 100644
--- a/todo.md
+++ b/todo.md
@@ -3,6 +3,6 @@ Things for a working Gateway:
 - [x] fastd
 - [x] batman
 - [ ] DHCP
-- [ ] radvd
+- [x] radvd
 - [ ] BGP
 - [x] prometheus