diff --git a/salt/firewall/mgmt-gw.sh b/salt/firewall/mgmt-gw.sh
index 06d8bf6..be3c9f7 100644
--- a/salt/firewall/mgmt-gw.sh
+++ b/salt/firewall/mgmt-gw.sh
@@ -1,25 +1,24 @@
 #!/bin/sh
-if [ "$IFACE" = "{{ interface }}" ]; then
- iptables -F FORWARD
- ip6tables -F FORWARD
- iptables -P FORWARD DROP
- ip6tables -P FORWARD DROP
- iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
- ip6tables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
- # DNS
- iptables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
- ip6tables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
- # NTP
- iptables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
- ip6tables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
- # collectd
- iptables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
- ip6tables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
- # downloads.lede-project.org
- iptables -A FORWARD -i $IFACE --dest 148.251.78.235 -j ACCEPT
- ip6tables -A FORWARD -i $IFACE --dest 2a01:4f8:202:43ea::3 -j ACCEPT
- # Deny by default
- iptables -A FORWARD -j REJECT
- ip6tables -A FORWARD -j REJECT
-fi
+IFACE=mgmt
+iptables -F FORWARD
+ip6tables -F FORWARD
+iptables -P FORWARD DROP
+ip6tables -P FORWARD DROP
+iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
+ip6tables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
+# DNS
+iptables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
+ip6tables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
+# NTP
+iptables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
+ip6tables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
+# collectd
+iptables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
+ip6tables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
+# downloads.lede-project.org
+iptables -A FORWARD -i $IFACE --dest 148.251.78.235 -j ACCEPT
+ip6tables -A FORWARD -i $IFACE --dest 2a01:4f8:202:43ea::3 -j ACCEPT
+# Deny by default
+iptables -A FORWARD -j REJECT
+ip6tables -A FORWARD -j REJECT
 
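Review bot: The new top-level sequence still flushes the FORWARD chain (`iptables -F FORWARD`, `ip6tables -F FORWARD`) before the `-P FORWARD DROP` lines, so if the chain policy happens to be ACCEPT when the script runs, all forwarding is open until the trailing REJECT rules are appended; move the two `-P FORWARD DROP` lines above the two `-F FORWARD` lines so the rebuild fails closed. There is also no `set -e` after `#!/bin/sh`, so a failing command (ip6tables on a host without IPv6 netfilter support, for instance) leaves a partially built ruleset while the script exits successfully — add `set -e` as the second line. `IFACE=mgmt` replaces the former `$IFACE` gate with a constant, which means that when this script is run as the `lxc.network.script.up` hook added in the next file (or by ifupdown, which sets `$IFACE` itself) whatever interface name the caller supplies is silently ignored; a comment such as `# pinned to the mgmt interface; interface names passed by the caller (hook argument or $IFACE) are deliberately ignored` would make that intent visible. Quoting the expansions as `"$IFACE"` is harmless now that the value is a constant but keeps the script clean under shellcheck.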
diff --git a/salt/lxc-containers/config b/salt/lxc-containers/config
index 4309f90..0cb55ed 100644
--- a/salt/lxc-containers/config
+++ b/salt/lxc-containers/config
@@ -55,6 +55,10 @@ lxc.network.name={{ net }}
 {%- set n = n + 1 %}
 {%- endfor %}
+{%- if id == 'mgmt-gw' %}
+lxc.network.script.up=/etc/network/if-pre-up.d/firewall
+{%- endif %}
+
 lxc.cap.drop = sys_module sys_time sys_nice sys_pacct sys_rawio sys_time mknod