diff --git a/server.yml b/server.yml
index 88bf4d9..3187d2f 100644
--- a/server.yml
+++ b/server.yml
@@ -37,22 +37,6 @@ onboot:
 bindNS:
 net: /run/netns/login
- # Network: exposed ################################################
-
- # VLAN7, path to internet
- - name: netvlan-iface-setup
- image: linuxkit/ip:v0.6
- command: ["/bin/sh", "-c", "ip link add link eth0 name eth0.7 type vlan id 7; ip a add 172.23.191.254/18 dev eth0.7; ip link set eth0.7 up;" ]
-
- # Bridge between std LAN, PXE LAN services (login-validator) and default route (as it uses the same wire)
- - name: bridge-ext-setup
- image: linuxkit/ip:v0.6
- command: ["/bin/sh", "-c", "ip a add 172.23.255.1/24 dev br-ext; ip a add 172.17.0.16/16 dev br-ext; ip a add 10.224.32.252/24 dev br-ext; ip a add 172.23.0.1/17 dev br-ext; ip link set eth0 master br-ext; ip link set veth-login master br-ext; ip link set br-ext up; ip link set veth-login up; ip link set eth0 up; ip route add default via 10.224.32.1;" ]
- runtime:
- interfaces:
- - name: br-ext
- add: bridge
- # Network: DMZ ####################################################
- # token-validator
@@ -107,20 +91,9 @@ onboot:
 bindNS:
 net: /run/netns/dmz-mail
- # Bridge for DMZ services
- - name: bridge-int-setup
- image: linuxkit/ip:v0.6
- command: ["/bin/sh", "-c", "ip a add 172.23.200.254/24 dev br-int; ip link set veth-validator master br-int; ip link set veth-ns master br-int; ip link set veth-time master br-int; ip link set veth-mail master br-int; ip link set br-int up; ip link set veth-validator up; ip link set veth-ns up; ip link set veth-time up; ip link set veth-mail up" ]
- runtime:
- interfaces:
- - name: br-int
- add: bridge
+ # Network: exposed ################################################
- - name: fw
- image: linuxkit/ip:v0.6
- command: ["/bin/bash", "-c", "/sbin/iptables-restore < /etc/iptables/rules.v4" ]
- binds:
- - /etc/iptables/rules.v4:/etc/iptables/rules.v4:ro
+ # See etc/init.d/011-adlin instead
 services:
 - name: rngd
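Review bot: `# See etc/init.d/011-adlin instead` points at a file that does not exist after this commit — the script added further down is `etc/init.d/011-adlin-net`, and the commented-out `011-adlin` entry is deleted in the same diff — so the pointer should read `# See etc/init.d/011-adlin-net instead`. The `# Network: exposed` banner re-added just above it now heads no entries, since both bridge setups and the `fw` container moved into that script; folding the two comments into a single line saying that network and firewall bring-up happens in `etc/init.d/011-adlin-net` would keep the onboot section accurate. Note also that removing `fw` from onboot means the ruleset is no longer loaded before the services phase starts; where it is loaded now is a concern for the script itself.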
@@ -281,23 +254,39 @@ files:
 echo nameserver 172.23.200.2 > /etc/resolv.conf
 mode: "0755"
-# - path: etc/init.d/011-adlin
-# contents: |
-# #!/bin/sh
-# ip route add default via 172.17.0.1
-# /sbin/sysctl -w net.ipv4.ip_forward=1
-# echo nameserver 8.8.8.8 > /etc/resolv.conf
-# mkdir /tmp/newroot
-# mount -t tmpfs none /tmp/newroot
-# mkdir /tmp/newroot/etc
-# cp -r /etc/apk /tmp/newroot/etc
-# apk add --no-cache --initdb -p /tmp/newroot iptables nftables
-# LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/sbin/iptables-restore < /etc/iptables/rules.v4
-# LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/sbin/ip6tables-restore < /etc/iptables/rules.v6
-# LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/usr/sbin/nft add table nat
-# LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/usr/sbin/nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
-# LD_LIBRARY_PATH=/tmp/newroot/usr/lib /tmp/newroot/usr/sbin/nft add rule nat postrouting oif br-ext masquerade
-# mode: "0755"
+ - path: etc/init.d/011-adlin-net
+ contents: |
+ #!/bin/sh
+ ip l add br-int type bridge
+ ip a add 172.23.200.254/24 dev br-int;
+ ip link set veth-validator master br-int;
+ ip link set veth-ns master br-int;
+ ip link set veth-time master br-int;
+ ip link set veth-mail master br-int;
+ ip link set br-int up;
+ ip link set veth-validator up;
+ ip link set veth-ns up;
+ ip link set veth-time up;
+ ip link set veth-mail up;
+
+ ip l add br-ext type bridge
+ ip a add 172.23.255.1/24 dev br-ext;
+ ip a add 172.17.0.15/16 dev br-ext;
+ ip a add 10.224.32.252/24 dev br-ext;
+ ip a add 172.23.0.1/17 dev br-ext;
+ ip link set eth0 master br-ext;
+ ip link set veth-login master br-ext;
+ ip link set br-ext up;
+ ip link set veth-login up;
+ ip link set eth0 up;
+ grep adlin.network=alt /proc/cmdline > /dev/null &&
+ ip route add default via 10.224.32.254 ||
+ ip route add default via 10.224.32.1
+
+ wg-quick up wg0
+
+ /sbin/iptables-restore < /etc/iptables/rules.v4;
+ mode: "0755"
 - path: etc/sysctl.d/99-ipfwd.conf
 contents: |
@@ -360,15 +349,17 @@ files:
 [0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
 [0:0] -A INPUT -p icmp -j ACCEPT
 [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- [0:0] -A INPUT -i br-ext -m tcp --dport ssh -j ACCEPT
+ [0:0] -A INPUT -i br-ext -p tcp --dport 22 -j ACCEPT
 [0:0] -A INPUT -i br-ext -p udp --sport 68 --dport 67 -j ACCEPT
 [0:0] -A INPUT -i br-ext -p udp --dport 69 -j ACCEPT
 [0:0] -A INPUT -i br-ext -p tcp --dport 80 -j ACCEPT
+ [0:0] -A INPUT -i br-ext -p tcp -s 172.17.0.0/16 -d 172.17.0.15 --dport 81 -j ACCEPT
+ [0:0] -A INPUT -i br-ext -p udp -s 172.17.0.0/16 -d 172.17.0.15 --dport 12912 -j ACCEPT
 [0:0] -A INPUT -p udp --sport 7000 -j DROP
 [0:0] -A INPUT -p udp --dport 7000 -j DROP
 [0:0] -A INPUT -j LOG
- [0:0] -A FORWARD -i eth0.7 -o br-ext -j ACCEPT
- [0:0] -A FORWARD -o eth0.7 -i br-ext -j ACCEPT
+ [0:0] -A FORWARD -i wg0 -o br-ext -j ACCEPT
+ [0:0] -A FORWARD -o wg0 -i br-ext -j ACCEPT
 [0:0] -A FORWARD -i br-int -j ACCEPT
 [0:0] -A FORWARD -o br-int -j ACCEPT
 [0:0] -A FORWARD -i br-ext -d 172.23.200.0/24 -j ACCEPT
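Review bot: `/sbin/iptables-restore < /etc/iptables/rules.v4;` is the last command in `011-adlin-net`, after `ip link set eth0 up`, the default route and `wg-quick up wg0`, so every address on br-ext and the tunnel is reachable with no ruleset loaded until that line runs, and the same commit drops the `fw` onboot container that used to load the rules before services started. Interface matches in rules.v4 do not require the interfaces to exist, so the restore can be the first action of the script: `/sbin/iptables-restore < /etc/iptables/rules.v4 || exit 1` directly after `#!/bin/sh`, which also stops the bring-up if the ruleset fails to load instead of continuing silently as the script does now (no `set -e`, every line's status ignored). Separately, `grep … && ip route add … via 10.224.32.254 || ip route add … via 10.224.32.1` falls through to the second route when the first `ip route add` fails on an alt boot; an `if grep -q adlin.network=alt /proc/cmdline; then … else … fi` expresses the intent without that fall-through.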
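Review bot: `[0:0] -A FORWARD -i wg0 -o br-ext -j ACCEPT` admits any new connection arriving over the tunnel to every network on br-ext (172.17.0.0/16, 10.224.32.0/24, 172.23.0.0/17 and 172.23.255.0/24 per the addresses assigned in `011-adlin-net`), whereas the eth0.7 rule it replaces covered a single VLAN; unless the peer is meant to reach all of them, restrict the tunnel-inbound direction to `[0:0] -A FORWARD -i wg0 -o br-ext -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` and add explicit destination rules for what the peer needs. The INPUT chain gains no rule for WireGuard's UDP port, which is fine if wg0 only initiates (replies match the RELATED,ESTABLISHED rule above) but not if this host is the listening side — a one-line comment in rules.v4 stating which would make that deliberate. The chain policies and the rest of the ruleset are outside the hunk.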