diff --git a/fickit-frontend.yml b/fickit-frontend.yml index b98f0533..f8441a77 100644 --- a/fickit-frontend.yml +++ b/fickit-frontend.yml @@ -27,9 +27,6 @@ onboot: command: ["/usr/bin/mountie", "-device", "/dev/md0", "/var/lib/fic" ] # Network -# - name: dhcpcd -# image: linuxkit/dhcpcd:0d59a6cc03412289ef4313f2491ec666c1715cc9 -# command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] # - name: ntp # image: linuxkit/openntpd:536e5947607c9e6a6771957c2ff817230cba0d3c - name: nginx-ip-setup 
@@ -43,26 +40,26 @@ onboot:
 peer: veth-nginx
 bindNS:
 net: /run/netns/nginx
- - name: frontal-ip-setup # without bonding
- image: linuxkit/ip:v0.6
- command: ["/bin/sh", "-c", "ip link set eth1 up; ip a add 172.23.42.1/24 dev eth1; ip a add 163.5.55.58/32 dev eth1;" ]
- net: /run/netns/nginx
- runtime:
- interfaces:
- - name: eth1
- - name: eth2
- - name: eth3
-# - name: frontal-ip-setup # with bonding
+# - name: frontal-ip-setup # without bonding
 # image: linuxkit/ip:v0.6
-# command: ["/bin/sh", "-c", "ip link set bond-frontal up; ifenslave bond-frontal eth1 eth2 eth3; ip a add 172.23.42.1/24 dev bond-frontal; ip a add 163.5.55.58/32 dev bond-frontal;" ]
+# command: ["/bin/sh", "-c", "ip link set eth1 up; ip a add 172.23.42.1/24 dev eth1; ip a add 163.5.55.58/32 dev eth1; ip link add link eth1 name internet type vlan id 1; ip link set internet up;" ]
 # net: /run/netns/nginx
 # runtime:
 # interfaces:
 # - name: eth1
 # - name: eth2
 # - name: eth3
-# - name: bond-frontal
-# add: bond
+ - name: frontal-ip-setup # with bonding
+ image: linuxkit/ip:v0.6
+ command: ["/bin/sh", "-c", "ip link set bond-frontal up; ifenslave bond-frontal eth1 eth2 eth3; ip a add 172.23.42.1/24 dev bond-frontal; ip a add 163.5.55.58/32 dev bond-frontal; ip link add link bond-frontal name internet type vlan id 1; ip link set internet up;" ]
+ net: /run/netns/nginx
+ runtime:
+ interfaces:
+ - name: eth1
+ - name: eth2
+ - name: eth3
+ - name: bond-frontal
+ add: bond
 - name: frontend-ip-setup
 image: linuxkit/ip:v0.6
 command: ["/bin/sh", "-c", "ip a add 172.17.1.3/24 dev vethin-frontend; ip link set vethin-frontend up;" ]
@@ -113,6 +110,11 @@ services:
 # - INSECURE=true
 - name: rngd
 image: linuxkit/rngd:v0.6
+ - name: dhcpcd
+ image: linuxkit/dhcpcd:v0.6
+ net: /run/netns/nginx
+ binds:
+ - /etc/dhcpcd.conf:/dhcpcd.conf:ro
 - name: nginx
 image: nginx:alpine
 capabilities: 
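Review bot: The new `frontal-ip-setup` command string joins its steps with `;`, so when `ifenslave bond-frontal eth1 eth2 eth3` fails the public address 163.5.55.58/32 is still added to a slave-less bond and the `internet` VLAN is still created and brought up, and the container exits 0 as long as the final `ip link set internet up` succeeds. Chaining with `&&`, or running `"/bin/sh", "-ec"`, makes the onboot step fail at the first broken command instead; the same applies to the now-commented `without bonding` variant if it is ever re-enabled. The choice of `vlan id 1` for the uplink also deserves a comment, since VID 1 is the native/untagged VLAN on most switch configurations and tagged VID-1 frames are not always accepted — confirm the upstream port is set to tag it.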
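Review bot: The new `dhcpcd` service has no `command:`, so it relies on the image's default entrypoint both to read the bound `/dhcpcd.conf` and to stay in the foreground; the onboot entry this commit removes spelled that out as `command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf"]` (minus the `-1`, which is right for a long-running service that renews leases). Making it explicit here keeps the service correct across image bumps and documents that the config file is a bind mount rather than baked into the image. A one-line comment that the service sits in `/run/netns/nginx` because the `internet` VLAN link is created in that namespace would also help the next reader.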
@@ -371,6 +373,43 @@ files: source: frontend/static/robots.txt mode: "0644" + - path: etc/dhcpcd.conf + contents: | + # Only configure standard external ethernet + allowinterfaces internet + # Inform the DHCP server of our hostname for DDNS. + hostname + # Use the hardware address of the interface for the Client ID. + clientid + # or + # Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as per RFC4361. + # Some non-RFC compliant DHCP servers do not reply with this set. + # In this case, comment out duid and enable clientid above. + #duid + # Persist interface configuration when dhcpcd exits. + persistent + # Rapid commit support. + # Safe to enable by default because it requires the equivalent option set + # on the server to actually work. + option rapid_commit + # A list of options to request from the DHCP server. + option domain_name_servers, domain_name, domain_search, host_name + option classless_static_routes + # Most distributions have NTP support. + option ntp_servers + # Respect the network MTU. This is applied to DHCP routes. + option interface_mtu + # A ServerID is required by RFC2131. + require dhcp_server_identifier + # Generate Stable Private IPv6 Addresses instead of hardware based ones + slaac private + # Do not wait + nodelay + # Do not arp to check IP + noarp + # wait for ipv4 address + waitip 4 + mode: "0440" - path: etc/iptables/rules.v6 contents: | *filter 
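Review bot: `etc/dhcpcd.conf` requests `domain_name_servers`, `domain_search` and `classless_static_routes` from whatever DHCP server answers on the `internet` VLAN, and the namespace it runs in also carries the public 163.5.55.58/32 and the 172.23.42.1/24 gateway address, so an upstream-supplied route or resolver takes effect there with no filtering. If the uplink DHCP server is trusted that is a legitimate choice, but it should be recorded in the file, e.g. `# Routes and DNS from the uplink DHCP server are trusted; revisit if the uplink changes`, and otherwise `nooption classless_static_routes` and `nohook resolv.conf` stop the lease from installing extra routes or rewriting the namespace's resolver configuration. `noarp` also turns off the IPv4 duplicate-address probe, so an address conflict on the VLAN goes undetected; the reason for it (presumably to keep `waitip 4` fast) belongs in the comment above it instead of the stock `# Do not arp to check IP`. The enclosing `files:` list continues outside the hunk.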
@@ -400,9 +439,18 @@ files:
 mode: "0440"
 - path: etc/iptables/rules-frontal.v4
 contents: |
+ *nat
+ :PREROUTING ACCEPT [0:0]
+ :INPUT ACCEPT [0:0]
+ :OUTPUT ACCEPT [0:0]
+ :POSTROUTING ACCEPT [0:0]
+ [0:0] -A PREROUTING -p tcp -m tcp -i br0 ! -d 172.23.42.254/32 --dport 53 -j DNAT --to-destination 172.23.42.254
+ [0:0] -A PREROUTING -p udp -m udp -i br0 ! -d 172.23.42.254/32 --dport 53 -j DNAT --to-destination 172.23.42.254
+ [0:0] -A POSTROUTING -o internet -j MASQUERADE
+ COMMIT
 *filter
 :INPUT DROP [0:0]
- :FORWARD DROP [0:0]
+ :FORWARD ACCEPT [0:0]
 :OUTPUT DROP [0:0]
 [0:0] -A INPUT -i lo -j ACCEPT
 [0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
@@ -417,7 +465,8 @@ files:
 [0:0] -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
 [0:0] -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
 [0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- [0:0] -A OUTPUT -i vethin-nginx -d 172.17.1.3 -p tcp -m conntrack --ctstate NEW -m tcp --dport 8080 -j ACCEPT
+ [0:0] -A OUTPUT -o vethin-nginx -d 172.17.1.3 -p tcp -m conntrack --ctstate NEW -m tcp --dport 8080 -j ACCEPT
+ [0:0] -A OUTPUT -o internet -j ACCEPT
 [0:0] -A OUTPUT -j LOG
 [0:0] -A OUTPUT -j REJECT
 COMMIT
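Review bot: Flipping `:FORWARD DROP` to `:FORWARD ACCEPT` opens forwarding in both directions between every interface in the namespace this rule file is loaded into, while the new `*nat` table only needs traffic from `br0` to leave through `internet`. Keep the DROP policy and allow just that path: `[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`, `[0:0] -A FORWARD -m conntrack --ctstate INVALID -j DROP`, `[0:0] -A FORWARD -i br0 -o internet -m conntrack --ctstate NEW -j ACCEPT`. The rule lines between this hunk and the next are outside the diff, so this assumes no FORWARD rules already exist there; the rule file continues outside the hunk either way.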
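Review bot: `-A OUTPUT -o internet -j ACCEPT` is a blanket allow for any locally generated traffic toward the uplink, added to a chain that otherwise whitelists by protocol, port and `--ctstate NEW` and then logs and rejects everything else. If it exists for dhcpcd's lease renewals, `-p udp --sport 68 --dport 67` covers that; if nginx or another service needs outbound connections, scope it the way the `vethin-nginx` rule is scoped (`-p tcp -m conntrack --ctstate NEW` plus a destination port) and say what it is for in a comment above it. Replies to inbound connections arriving on `internet` are already handled by the RELATED,ESTABLISHED rule two lines above, so the rule is not needed for serving traffic.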