diff --git a/salt-pillar/vlans/init.sls b/salt-pillar/vlans/init.sls
index 977df8b..dd805aa 100644
--- a/salt-pillar/vlans/init.sls
+++ b/salt-pillar/vlans/init.sls
@@ -1,4 +1,4 @@
 vlans:
 core: 1
- server: 2
- public: 3
+ serv: 2
+ pub: 3
diff --git a/salt/forwarding/forwarding.conf b/salt/forwarding/forwarding.conf
new file mode 100644
index 000000000..6e3ae11
--- /dev/null
+++ b/salt/forwarding/forwarding.conf
@@ -0,0 +1,4 @@
+net.ipv4.conf.all.forwarding = 1
+net.ipv4.conf.default.forwarding = 1
+net.ipv6.conf.all.forwarding = 1
+net.ipv6.conf.default.forwarding = 1
diff --git a/salt/forwarding/init.sls b/salt/forwarding/init.sls
new file mode 100644
index 000000000..080c6ce
--- /dev/null
+++ b/salt/forwarding/init.sls
@@ -0,0 +1,9 @@
+/etc/sysctl.d/80-forwarding.conf:
+ file.managed:
+ - source: "salt://forwarding/forwarding.conf"
+
+apply:
+ cmd.run:
+ - name: sysctl -p /etc/sysctl.d/80-forwarding.conf
+ require:
+ - file: /etc/sysctl.d/80-forwarding.conf
diff --git a/salt/lxc-containers-1/config b/salt/lxc-containers-1/config
index 8547ec7..19951b4 100644
--- a/salt/lxc-containers-1/config
+++ b/salt/lxc-containers-1/config
@@ -10,7 +10,7 @@ lxc.kmsg = 0
 {%- for net, conf in container['interfaces'].items() %}
 lxc.network.type={{ conf['type'] }}
 lxc.network.flags=up
-{% if conf['type'] == 'veth' %}
+{%- if conf['type'] == 'veth' %}
 lxc.network.veth.pair={{ id }}-{{ net }}
 {%- endif %}
 {%- set inet_addr = pillar['hosts-inet'][net].get(id) %}
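Review bot: The new sysctl file turns on `net.ipv6.conf.*.forwarding` without also setting `accept_ra`; once forwarding is enabled the kernel ignores router advertisements unless `net.ipv6.conf.all.accept_ra = 2` (and the same for `default`), so any targeted minion that learns its IPv6 default route from RAs loses it when this is applied. If those hosts only get routes from OSPF or static config this is harmless, but a one-line comment in the file saying so would save the next person the surprise. Note also that the file enables forwarding on every interface (`conf.all`) and nothing in this commit adds a filtering policy for the hosts that receive it via top.sls; if that policy lives elsewhere, fine, otherwise it belongs next to this state.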
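Review bot: The `apply` state re-runs `sysctl -p` on every highstate, because `cmd.run` with `require` only orders it after the file; change `require:` to `onchanges:` (same `- file:` target) so the reload happens only when the file actually changes, or replace both states with `sysctl.present` entries, which are idempotent and report a proper diff. `apply` is also a very generic state ID: top.sls applies this SLS together with `ospf` and `unbound`, and any other SLS that reuses the ID produces a conflicting-ID error at render time, so something like `apply-forwarding-sysctl:` is safer.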
@@ -20,11 +20,16 @@ lxc.network.ipv4={{ inet_addr }}/{{ prefix_len }} {%- endif %} {%- if conf['type'] == 'veth' %} lxc.network.link=br-{{ net }} +{%- elif conf['type'] == 'phys' %} +lxc.network.link=bond0.{{ pillar['vlans'].get(net) }} {%- endif %} lxc.network.name={{ net }} -#lxc.network.ipv4.gateway= +{%- if net == 'core' %} +lxc.network.ipv4.gateway=172.20.72.1 +{%- endif %} #lxc.network.ipv6= #lxc.network.ipv6.gateway=fe80::1 {%- endfor %} ## TODO: limits + caps +## TODO: include Debian.common.conf \ No newline at end of file diff --git a/salt/lxc-containers-1/containers.yaml b/salt/lxc-containers-1/containers.yaml index 5d5c84c..1c140b9 100644 --- a/salt/lxc-containers-1/containers.yaml +++ b/salt/lxc-containers-1/containers.yaml @@ -9,6 +9,8 @@ serv-gw: interfaces: core: type: veth + serv: + type: veth priv1-gw: interfaces: diff --git a/salt/lxc-containers-1/init.sls b/salt/lxc-containers-1/init.sls index 5ba6382..d3ed14f 100644 --- a/salt/lxc-containers-1/init.sls +++ b/salt/lxc-containers-1/init.sls @@ -39,5 +39,5 @@ start-{{ id }}: - name: lxc@{{ id }} require: - service: autostart-{{ id }} - + {% endfor %} diff --git a/salt/netmasks.yaml b/salt/netmasks.yaml new file mode 100644 index 000000000..f26707e --- /dev/null +++ b/salt/netmasks.yaml @@ -0,0 +1,33 @@ +'0': 0.0.0.0 +'1': 128.0.0.0 +'2': 192.0.0.0 +'3': 224.0.0.0 +'4': 240.0.0.0 +'5': 248.0.0.0 +'6': 252.0.0.0 +'7': 254.0.0.0 +'8': 255.0.0.0 +'9': 255.128.0.0 +'10': 255.192.0.0 +'11': 255.224.0.0 +'12': 255.240.0.0 +'13': 255.248.0.0 +'14': 255.252.0.0 +'15': 255.254.0.0 +'16': 255.255.0.0 +'17': 255.255.128.0 +'18': 255.255.192.0 +'19': 255.255.224.0 +'20': 255.255.240.0 +'21': 255.255.248.0 +'22': 255.255.252.0 +'23': 255.255.254.0 +'24': 255.255.255.0 +'25': 255.255.255.128 +'26': 255.255.255.192 +'27': 255.255.255.224 +'28': 255.255.255.240 +'29': 255.255.255.248 +'30': 255.255.255.252 +'31': 255.255.255.254 +'32': 255.255.255.255 
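Review bot: `lxc.network.link=bond0.{{ pillar['vlans'].get(net) }}` renders `bond0.None` instead of failing when an interface name has no entry in the `vlans` pillar, and the pillar keys were just renamed to `serv`/`pub` in this same commit, so a stale name is easy to have; use `pillar['vlans'][net]` as server1-network.sls does so the render errors out rather than producing a bogus link. The `core` gateway is hard-coded as `172.20.72.1`; I would read it from pillar (the `hosts-inet` / `subnets-inet` data is already used a few lines up) so it cannot drift from the network definition silently. Since `type == 'phys'` hands the named `bond0.<vlan>` interface to the container and the host stops seeing it, a comment on the `elif` branch stating that this is intended would help. The enclosing `{%- for net, conf ... %}` loop starts outside this hunk.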
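Review bot: The new `serv` interface is `type: veth`, which the container config template links to `br-{{ net }}`, i.e. `br-serv` — but the server1-network.sls hunk in this same commit only builds bridges for `['core']` (`public` was dropped and `serv` was not added), so as far as I can tell no `br-serv` bridge exists on the host and `serv-gw` will fail to start. Either add `'serv'` to that bridge loop or make this interface `type: phys`, which the new `elif` branch in the config template attaches to `bond0.<vlan>` directly. I cannot see the rest of containers.yaml; if other hosts also get a `serv` interface the same applies to them.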
diff --git a/salt/ospf/init.sls b/salt/ospf/init.sls
index 1b87024..32e1e55 100644
--- a/salt/ospf/init.sls
+++ b/salt/ospf/init.sls
@@ -1,2 +1,28 @@
-bird:
+quagga:
 pkg.installed: []
+
+{%- for daemon in ['zebra', 'ospfd'] %}
+/etc/systemd/system/{{ daemon }}.service:
+ file.managed:
+ - source: salt://ospf/{{ daemon }}.service
+
+/etc/quagga/{{ daemon }}.conf:
+ file.managed:
+ - source: salt://ospf/{{ daemon }}.conf
+ - template: 'jinja'
+
+autostart-{{ daemon }}:
+ service.enabled:
+ - name: {{ daemon }}
+ require_in:
+ - file: /etc/systemd/system/{{ daemon }}.service
+ - file: /etc/quagga/{{ daemon }}.conf
+
+start-{{ daemon }}:
+ service.running:
+ - name: {{ daemon }}
+ require:
+ - service: autostart-{{ daemon }}
+
+{%- endfor %}
+
diff --git a/salt/ospf/ospfd.conf b/salt/ospf/ospfd.conf
new file mode 100644
index 000000000..b7b8b2a
--- /dev/null
+++ b/salt/ospf/ospfd.conf
@@ -0,0 +1,22 @@
+{%- set id = salt['grains.get']('id') %}
+{%- set core_ifaces = ['br-core', 'core'] %}
+
+{%- for iface in core_ifaces %}
+interface {{ iface }}
+ ip ospf network multicast
+ ip ospf authentication message-digest
+ ip ospf authentication-key secret
+
+{%- endfor %}
+
+router ospf
+ router-id {{ pillar['hosts-inet']['core'][id] }}
+
+ passive-interface default
+{%- for iface in core_ifaces %}
+ no passive-interface {{ iface }}
+{%- endfor %}
+
+ network {{ pillar['subnets-inet']['core'] }} area 0
+ area 0 authentication message-digest
+ redistribute connected
diff --git a/salt/ospf/ospfd.service b/salt/ospf/ospfd.service
new file mode 100644
index 000000000..a686e4c
--- /dev/null
+++ b/salt/ospf/ospfd.service
@@ -0,0 +1,9 @@
+[Unit]
+Requires = zebra.service
+After = network.target
+
+[Service]
+ExecStart = /usr/lib/quagga/ospfd
+
+[Install]
+WantedBy = default.target
diff --git a/salt/ospf/zebra.conf b/salt/ospf/zebra.conf
new file mode 100644
index 000000000..e69de29
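Review bot: `require_in` on `autostart-{{ daemon }}` points the wrong way: it makes the two `file.managed` states require the `service.enabled` state, so Salt tries to enable `zebra`/`ospfd` before their unit files and configs exist, which fails on a fresh host; that key should be `require:` with the same two `- file:` entries. The unit files are dropped into `/etc/systemd/system` but nothing reloads systemd afterwards, so a new or changed unit is not seen until something runs `systemctl daemon-reload`; a `module.run` calling `service.systemctl_reload` with `onchanges` on the unit file belongs between the file and the service states. `start-{{ daemon }}` also has no `watch` on `/etc/quagga/{{ daemon }}.conf`, so later config changes never restart the daemon.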
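Review bot: The interface block enables `ip ospf authentication message-digest` but only supplies `ip ospf authentication-key secret`, which is the simple-password key; MD5 authentication takes its key from `ip ospf message-digest-key <id> md5 <key>`, so as written I would expect neighbours to fail authentication. The key is also a literal `secret` committed to the repository and written to `/etc/quagga/ospfd.conf` with default ownership and mode (the file state sets neither `user` nor `mode`); move it to pillar (a constructed example: `{{ pillar['ospf']['md5_key'] }}`) so it stays out of git and can be rotated. I don't think `ip ospf network multicast` is an accepted value in Quagga's ospfd (the choices I know are broadcast, non-broadcast, point-to-multipoint and point-to-point), so please confirm it against the running daemon. `redistribute connected` on every router exports all of its connected subnets into area 0; if that is intended, a short comment saying so would help.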
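Review bot: `Requires = zebra.service` without a matching `After = zebra.service` does not order the two units — systemd may start ospfd in parallel with zebra even though ospfd talks to zebra over its socket; add `After = zebra.service` alongside the existing `After = network.target`. Both this unit and zebra.service (next hunk) run the daemons as root with a bare `ExecStart` and no `Restart=`; Quagga's daemons accept `-u`/`-g` to drop to the quagga user, so a `User=`/`Group=` pair (or those flags) plus `Restart=on-failure` would be the minimum here. `WantedBy = default.target` works, but `multi-user.target` is the conventional target for network daemons.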
diff --git a/salt/ospf/zebra.service b/salt/ospf/zebra.service new file mode 100644 index 000000000..bc4983a --- /dev/null +++ b/salt/ospf/zebra.service @@ -0,0 +1,8 @@ +[Unit] +After = network.target + +[Service] +ExecStart = /usr/lib/quagga/zebra + +[Install] +WantedBy = default.target diff --git a/salt/server1-network.sls b/salt/server1-network.sls index fbddb54..7b81ddc 100644 --- a/salt/server1-network.sls +++ b/salt/server1-network.sls @@ -1,3 +1,4 @@ +{%- import_yaml "netmasks.yaml" as netmasks -%} {% set bond_slaves = ['eth1', 'eth2'] %} {% for slave in bond_slaves %} @@ -17,17 +18,18 @@ bond0: slaves: {{ ' '.join(bond_slaves) }} miimon: 100 -{% for vlan in range(1, 15) %} +{% for name, vlan in pillar['vlans'].items() %} bond0.{{ vlan }}: network.managed: - type: vlan + proto: manual use: - network: bond0 require: - network: bond0 {% endfor %} -{%- for net in ['core', 'public'] %} +{%- for net in ['core'] %} {%- set vlan = pillar['vlans'][net] %} br-{{ net }}: network.managed: @@ -36,13 +38,12 @@ br-{{ net }}: {%- set ip_addr = pillar['hosts-inet'][net].get('server1') %} {%- if ip_addr %} {%- set prefix_len = pillar['subnets-inet'][net].split('/')[1] %} - proto: manual - address: {{ ip_addr }}/{{ prefix_len }} -{%- else %} proto: static + address: {{ ip_addr }} + netmask: {{ netmasks[prefix_len] }} +{%- else %} + proto: manual {%- endif %} - address: {{ pillar['subnets-inet']['core'] }} - bypassfirewall: True use: - network: bond0.{{ vlan }} require: diff --git a/salt/top.sls b/salt/top.sls index 816733a..d42bb98 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -6,12 +6,15 @@ base: - ospf '*-gw': - no-ssh + - forwarding - ospf 'upstream*': - no-ssh + - forwarding - ospf - unbound 'anon*': - no-ssh + - forwarding - ospf - unbound
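Review bot: In `{% for name, vlan in pillar['vlans'].items() %}` the `name` variable is never used; `{% for vlan in pillar['vlans'].values() %}` says what is meant. Dropping `'public'` from the bridge loop and VLANs 4–14 from the subinterface loop does not undo what earlier runs created — as far as I know `network.managed` only writes the interfaces it is given — so the old `br-public` and `bond0.N` definitions linger on the host until they are cleaned up by hand, and that is worth a note in the commit or a one-off cleanup state.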