diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 5c121a6..4a29445 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -9,6 +9,7 @@
     - imagemagick
     - keychain
     - libarchive-tools
+    - lsof
     - mg
     - nmap
     - nvi
diff --git a/roles/development/tasks/main.yml b/roles/development/tasks/main.yml
index 62c5086..7f26653 100644
--- a/roles/development/tasks/main.yml
+++ b/roles/development/tasks/main.yml
@@ -10,6 +10,7 @@
     - cmake
     - devscripts
     - gcc
+    - ghc
     - git
     - golang-google-genproto-dev
     - golang-goprotobuf-dev
diff --git a/roles/server/defaults/main.yaml b/roles/server/defaults/main.yaml
index 8487512..4d58ff6 100644
--- a/roles/server/defaults/main.yaml
+++ b/roles/server/defaults/main.yaml
@@ -1,2 +1,2 @@
 router_server: False
-
+router_if: eth0
diff --git a/roles/server/files/20-router.yaml.j2 b/roles/server/files/20-router.yaml.j2
new file mode 100644
index 0000000..dc75bc8
--- /dev/null
+++ b/roles/server/files/20-router.yaml.j2
@@ -0,0 +1,8 @@
+network:
+  version: 2
+  ethernets:
+    "{{ router_if }}":
+      dhcp4: False
+      dhcp6: False
+      addresses:
+        - "192.168.3.254/24"
\ No newline at end of file
diff --git a/roles/server/files/dnsmasq.conf.j2 b/roles/server/files/dnsmasq.conf.j2
new file mode 100644
index 0000000..a650ab5
--- /dev/null
+++ b/roles/server/files/dnsmasq.conf.j2
@@ -0,0 +1,11 @@
+listen-address=::1,127.0.0.1,192.168.3.254
+interface={{ router_if }}
+domain=wntrmute.lan
+expand-hosts
+server=8.8.8.8
+server=8.8.4.4
+
+dhcp-range=192.168.3.1,192.168.3.30,24h
+dhcp-option=option:router,192.168.3.254
+dhcp-option=option:dns-server,8.8.8.8
+dhcp-authoritative
\ No newline at end of file
diff --git a/roles/server/files/hosts b/roles/server/files/hosts
new file mode 100644
index 0000000..0b4ed71
--- /dev/null
+++ b/roles/server/files/hosts
@@ -0,0 +1,4 @@
+127.0.0.1	localhost
+
+192.168.3.1	cdev
+192.168.3.254	orion
\ No newline at end of file
diff --git a/roles/server/files/resolv.conf b/roles/server/files/resolv.conf
new file mode 100644
index 0000000..0bb9939
--- /dev/null
+++ b/roles/server/files/resolv.conf
@@ -0,0 +1,2 @@
+nameserver 8.8.8.8
+nameserver 8.8.4.4
\ No newline at end of file
diff --git a/roles/server/tasks/router.yaml b/roles/server/tasks/router.yaml
index f06958d..db513b1 100644
--- a/roles/server/tasks/router.yaml
+++ b/roles/server/tasks/router.yaml
@@ -1,16 +1,54 @@
-- name: set up netplan
+- name: set up IPv4 forwarding
   become: true
-  ansible.builtin.file:
-    content: |
-      network:
-        version: 2
-        ethernets:
-          eth0:
-            dhcp4: False
-            dhcp6: False
-            addresses:
-              - "192.168.4.254/24"
-    dest: /etc/netplan/20-router-eth0.yaml
+  ansible.posix.sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    sysctl_set: true
+    state: present
+    reload: true
+
+# # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+- name: set up NAT table
+  become: true
+  ansible.builtin.iptables:
+    table: nat
+    chain: POSTROUTING
+    jump: MASQUERADE
+    in_interface: "{{ router_if }}"
+
+# iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+- name: set up forwarding from {{ router_if }} to wlo1
+  become: true
+  ansible.builtin.iptables:
+    chain: FORWARD
+    in_interface: "{{ router_if }}"
+    out_interface: wlo1
+    ctstate: ESTABLISHED,RELATED
+    jump: ACCEPT
+
+# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
+- name: set up forwarding
+  become: true
+  ansible.builtin.iptables:
+    chain: FORWARD
+    in_interface: "{{ router_if }}"
+    out_interface: wlo1
+    jump: ACCEPT
+
+- name: copy hosts
+  become: true
+  ansible.builtin.copy:
+    src: "{{ role_path }}/files/hosts"
+    dest: /etc/hosts
+    mode: 0644
+    owner: root
+    group: root
+
+- name: set up netplan for {{ router_if }}
+  become: true
+  ansible.builtin.template:
+    src: "{{ role_path }}/files/20-router.yaml.j2"
+    dest: /etc/netplan/20-router-{{ router_if }}.yaml
     mode: 0644
     owner: root
     group: root
@@ -22,16 +60,29 @@
 
 - name: copy dnsmasq.conf
   become: true
-  ansible.builtin.copy:
-    src: "{{ role_path }}/files/dnsmasq.conf"
+  ansible.builtin.template:
+    src: "{{ role_path }}/files/dnsmasq.conf.j2"
     dest: /etc/dnsmasq.conf
     mode: 0644
     owner: root
     group: root
 
-- name: install netmasq
+- name: disable systemd-resolved
+  become: true
+  ansible.builtin.service:
+    name: systemd-resolved
+    enabled: false
+    state: stopped
+
+- name: install dnsmasq
   become: true
   ansible.builtin.apt:
     name: dnsmasq
     state: present
 
+- name: enable dnsmasq
+  become: true
+  ansible.builtin.service:
+    name: dnsmasq
+    enabled: true
+    state: restarted
diff --git a/site.yml b/site.yml
index 4e123ce..bee2ca9 100644
--- a/site.yml
+++ b/site.yml
@@ -40,3 +40,5 @@
     dev_virt: True
     dev_embedded: True
     dev_rust: True
+    router_server: true
+    router_if: enp89s0