diff --git a/salt/firewall/mgmt-gw.sh b/salt/firewall/mgmt-gw.sh
index a0c49ef..743a3c7 100644
--- a/salt/firewall/mgmt-gw.sh
+++ b/salt/firewall/mgmt-gw.sh
@@ -2,27 +2,28 @@ export PATH=/sbin:/bin:/usr/sbin:/usr/bin
-IFACE=mgmt
-iptables -F FORWARD
-ip6tables -F FORWARD
-iptables -P FORWARD DROP
-ip6tables -P FORWARD DROP
-iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
-ip6tables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
-# DNS
-iptables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
-ip6tables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
-# NTP
-iptables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
-ip6tables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
-# collectd
-iptables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
-ip6tables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
-# downloads.lede-project.org
-iptables -A FORWARD -i $IFACE --dest 148.251.78.235 -j ACCEPT
-ip6tables -A FORWARD -i $IFACE --dest 2a01:4f8:202:43ea::3 -j ACCEPT
-# radius.hq.c3d2.de
-iptables -A FORWARD -i $IFACE --dest 172.22.99.22 -j ACCEPT
-# Deny by default
-iptables -A FORWARD -j REJECT
-ip6tables -A FORWARD -j REJECT
+if [ "$IFACE" = "{{ interface }}" ]; then
+ iptables -F FORWARD
+ ip6tables -F FORWARD
+ iptables -P FORWARD DROP
+ ip6tables -P FORWARD DROP
+ iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
+ ip6tables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
+ # DNS
+ iptables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
+ ip6tables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
+ # NTP
+ iptables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
+ ip6tables -A FORWARD -i $IFACE -p udp --dport 123 -j ACCEPT
+ # collectd
+ iptables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
+ ip6tables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
+ # downloads.lede-project.org
+ iptables -A FORWARD -i $IFACE --dest 148.251.78.235 -j ACCEPT
+ ip6tables -A FORWARD -i $IFACE --dest 2a01:4f8:202:43ea::3 -j ACCEPT
+ # radius.hq.c3d2.de
+ iptables -A FORWARD -i $IFACE --dest 172.22.99.22 -j ACCEPT
+ # Deny by default
+ iptables -A FORWARD -j REJECT
+ ip6tables -A FORWARD -j REJECT
+fi
diff --git a/salt/lxc-containers/config b/salt/lxc-containers/config
index 0cb55ed..4309f90 100644
--- a/salt/lxc-containers/config
+++ b/salt/lxc-containers/config
@@ -55,10 +55,6 @@ lxc.network.name={{ net }}
 {%- set n = n + 1 %}
 {%- endfor %}
-{%- if id == 'mgmt-gw' %}
-lxc.network.script.up=/etc/network/if-pre-up.d/firewall
-{%- endif %}
-
 lxc.cap.drop = sys_module sys_time sys_nice sys_pacct sys_rawio sys_time mknod
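Review bot: The guarded block still flushes the FORWARD chains (`iptables -F FORWARD`, `ip6tables -F FORWARD`) before setting their policy to DROP, so on a first run where the kernel default policy is still ACCEPT there is a short window in which forwarding is completely open; move the two `-P FORWARD DROP` lines above the two `-F FORWARD` lines so the chain stays fail-closed while it is rebuilt. With `IFACE=mgmt` removed, the script depends entirely on the caller exporting IFACE (presumably ifupdown, given the new `if [ "$IFACE" = "{{ interface }}" ]` guard), and an invocation without it silently installs nothing; a line such as `: "${IFACE:?IFACE must be set by the caller}"` before the `if` would make that case visible instead of silent. The unquoted `$IFACE` in the `-i $IFACE` rules is only safe because the guard has already pinned it to the rendered `{{ interface }}` value; quoting it, or using `{{ interface }}` directly, would make that dependency explicit. Whether the file enables `set -e` cannot be seen here, since the hunk starts at line 2 of the script.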