diff --git a/roles/nodogsplash/defaults/main.yml b/roles/nodogsplash/defaults/main.yml
new file mode 100644
index 000000000..6398ca9d6
--- /dev/null
+++ b/roles/nodogsplash/defaults/main.yml
@@ -0,0 +1,3 @@
+nodogsplash_install : False
+nodogsplash_enabled : False
+nodogsplash_arm_deb : nodogsplash_2.0.0-1_armhf.deb
diff --git a/roles/nodogsplash/tasks/main.yml b/roles/nodogsplash/tasks/main.yml
new file mode 100644
index 000000000..909fca4b1
--- /dev/null
+++ b/roles/nodogsplash/tasks/main.yml
@@ -0,0 +1,3 @@
+- name: Install nodogsplash (Raspbian only)
+ include_tasks: rpi.yml
+ when: is_rpi
diff --git a/roles/nodogsplash/tasks/rpi.yml b/roles/nodogsplash/tasks/rpi.yml
new file mode 100644
index 000000000..0354a708f
--- /dev/null
+++ b/roles/nodogsplash/tasks/rpi.yml
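Review bot: All three keys in defaults/main.yml put a space before the colon (`nodogsplash_install : False`), which yamllint rejects under its `colons` rule, and the two booleans are capitalised `False`, which its `truthy` rule flags because that spelling only parses as a boolean under YAML 1.1; the canonical form is `nodogsplash_install: false` and `nodogsplash_enabled: false`. `nodogsplash_arm_deb` pins a package filename but no digest goes with it, so nothing downstream can verify what is fetched under that name; a companion default such as `nodogsplash_arm_deb_sha256: "<EXPECTED_SHA256>"` would give the download task something to check against.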
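Review bot: The include in tasks/main.yml is conditioned only on `is_rpi`, so the `nodogsplash_install` switch this same commit declares in roles/nodogsplash/defaults/main.yml is never consulted anywhere in the role; unless the playbook that pulls the role in already gates on it, every Raspberry Pi run installs the package. `when: nodogsplash_install and is_rpi` would make the default meaningful. The task name says "Raspbian only" while the condition reads as a hardware flag rather than an OS check, so the wording and the condition should be brought into agreement.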
@@ -0,0 +1,68 @@
+- name: nodogsplash dependencies
+ package:
+ name: libmicrohttpd12
+ state: present
+
+- name: Get the nodogsplash software
+ get_url:
+ url: "{{ iiab_download_url }}/{{ nodogsplash_arm_deb }}"
+ dest: "{{ downloads_dir }}/{{ nodogsplash_arm_deb }}"
+ when: internet_available
+ async: 300
+ poll: 5
+
+- name: Install nodogsplash
+ apt:
+ deb="{{ downloads_dir }}/{{ nodogsplash_arm_deb }}"
+
+#- name: Create nodogsplash.service # deb file has one
+# template:
+# backup: no
+# src: nodogsplash.service.j2
+# dest: "/etc/systemd/system/nodogsplash.service"
+# owner: root
+# group: root
+# mode: 0644
+
+- name: Install custom files
+ template:
+ backup: no
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ owner: root
+ group: root
+ mode: "{{ item.mode }}"
+ with_items:
+ - { src: 'nodogsplash.conf.j2', dest: '/etc/nodogsplash/nodogsplash.conf', mode: '0644'}
+ - { src: 'splash.html.j2', dest: '/etc/nodogsplash/htdocs/splash.html', mode: '0644'}
+
+# We should probably only start this service on next boot
+- name: Enable nodogsplash service
+ service:
+ name: nodogsplash
+ enabled: yes
+ state: started
+ when: nodogsplash_enabled
+
+- name: Disable nodogsplash service
+ service:
+ name: nodogsplash
+ enabled: no
+ state: stopped
+ when: not nodogsplash_enabled
+
+- name: Add 'nodogsplash' to list of services at /etc/iiab/iiab.ini
+ ini_file:
+ dest: "{{ service_filelist }}"
+ section: nodogsplash
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ with_items:
+ - option: name
+ value: nodogsplash
+ - option: description
+ value: '"Nodogsplash is a lightweight Captive Portal."'
+ - option: source
+ value: "{{ nodogsplash_arm_deb }}"
+ - option: enabled
+ value: "{{ nodogsplash_enabled }}"
diff --git a/roles/nodogsplash/templates/nodogsplash.conf.j2 b/roles/nodogsplash/templates/nodogsplash.conf.j2
new file mode 100644
index 000000000..b8be95ab4
--- /dev/null
+++ b/roles/nodogsplash/templates/nodogsplash.conf.j2
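Review bot: The `get_url` task fetches a `.deb` from `{{ iiab_download_url }}` and the task right after it installs that file as root through `apt`, but no `checksum:` argument is given, so a truncated or tampered download is installed without any integrity check; adding `checksum: "sha256:<EXPECTED_SHA256_OF_DEB>"` to the `get_url` arguments (the value taken from wherever the package is built) closes that gap and also makes the download idempotent. The apt task uses the legacy `deb="..."` key=value string while every other task in the file uses native YAML arguments; `apt:` followed by `deb: "{{ downloads_dir }}/{{ nodogsplash_arm_deb }}"` is the consistent form. `enabled: yes`, `enabled: no` and `backup: no` are YAML 1.1 truthy spellings that yamllint flags; `true`/`false` read the same on every parser. The `libmicrohttpd12` install is not gated on `internet_available` whereas the download is, so an offline run stops at the first task instead of skipping cleanly — presumably acceptable because apt may have a local source, but a one-line comment saying so would help.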
@@ -0,0 +1,413 @@
+#
+# Nodogsplash Configuration File
+#
+
+# Parameter: GatewayInterface
+# Default: NONE
+#
+# GatewayInterface is not autodetected, has no default, and must be set here.
+# Set GatewayInterface to the interface on your router
+# that is to be managed by Nodogsplash.
+# Typically br0 for the wired and wireless lan on OpenWrt White Russian.
+# May be br-lan on OpenWrt Kamikaze.
+#
+GatewayInterface br0
+
+# FirewallRuleSet: authenticated-users
+#
+# Control access for users after authentication.
+# These rules are inserted at the beginning of the
+# FORWARD chain of the router's filter table, and
+# apply to packets that have come in to the router
+# over the GatewayInterface from MAC addresses that
+# have authenticated with Nodogsplash, and that are
+# destined to be routed through the router. The rules are
+# considered in order, and the first rule that matches
+# a packet applies to it.
+# If there are any rules in this ruleset, an authenticated
+# packet that does not match any rule is rejected.
+# N.B.: This ruleset is completely independent of
+# the preauthenticated-users ruleset.
+#
+FirewallRuleSet authenticated-users {
+
+ # You may want to open access to a machine on a local
+ # subnet that is otherwise blocked (for example, to
+ # serve a redirect page; see RedirectURL). If so,
+ # allow that explicitly here, e.g:
+ # FirewallRule allow tcp port 80 to 192.168.254.254
+
+ # Your router may have several interfaces, and you
+ # probably want to keep them private from the GatewayInterface.
+ # If so, you should block the entire subnets on those interfaces, e.g.:
+ FirewallRule block to 192.168.0.0/16
+ FirewallRule block to 10.0.0.0/8
+
+ # Typical ports you will probably want to open up include
+ # 53 udp and tcp for DNS,
+ # 80 for http,
+ # 443 for https,
+ # 22 for ssh:
+ FirewallRule allow tcp port 53
+ FirewallRule allow udp port 53
+ FirewallRule allow tcp port 80
+ FirewallRule allow tcp port 443
+ FirewallRule allow tcp port 22
+
+ # You might use ipset to easily allow/block range of ips, e.g.:
+ # FirewallRule allow ipset WHITELISTED_IPS
+ # FirewallRule allow tcp port 80 ipset WHITELISTED_IPS
+}
+# end FirewallRuleSet authenticated-users
+
+
+# FirewallRuleSet: preauthenticated-users
+#
+# Control access for users before authentication.
+# These rules are inserted in the PREROUTING chain
+# of the router's nat table, and in the
+# FORWARD chain of the router's filter table.
+# These rules apply to packets that have come in to the
+# router over the GatewayInterface from MAC addresses that
+# are not on the BlockedMACList or TrustedMACList,
+# are *not* authenticated with Nodogsplash. The rules are
+# considered in order, and the first rule that matches
+# a packet applies to it. A packet that does not match
+# any rule here is rejected.
+# N.B.: This ruleset is completely independent of
+# the authenticated-users and users-to-router rulesets.
+#
+FirewallRuleSet preauthenticated-users {
+ # For preauthenticated users to resolve IP addresses in their initial
+ # request not using the router itself as a DNS server,
+ # you probably want to allow port 53 udp and tcp for DNS.
+ FirewallRule allow tcp port 53
+ FirewallRule allow udp port 53
+ # For splash page content not hosted on the router, you
+ # will want to allow port 80 tcp to the remote host here.
+ # Doing so circumvents the usual capture and redirect of
+ # any port 80 request to this remote host.
+ # Note that the remote host's numerical IP address must be known
+ # and used here.
+ # FirewallRule allow tcp port 80 to 123.321.123.321
+}
+# end FirewallRuleSet preauthenticated-users
+
+
+# FirewallRuleSet: users-to-router
+#
+# Control access to the router itself from the GatewayInterface.
+# These rules are inserted at the beginning of the
+# INPUT chain of the router's filter table, and
+# apply to packets that have come in to the router
+# over the GatewayInterface from MAC addresses that
+# are not on the TrustedMACList, and are destined for
+# the router itself. The rules are
+# considered in order, and the first rule that matches
+# a packet applies to it.
+# If there are any rules in this ruleset, a
+# packet that does not match any rule is rejected.
+#
+FirewallRuleSet users-to-router {
+ # Nodogsplash automatically allows tcp to GatewayPort,
+ # at GatewayAddress, to serve the splash page.
+ # However you may want to open up other ports, e.g.
+ # 53 for DNS and 67 for DHCP if the router itself is
+ # providing these services.
+ FirewallRule allow udp port 53
+ FirewallRule allow tcp port 53
+ FirewallRule allow udp port 67
+ # You may want to allow ssh, http, and https to the router
+ # for administration from the GatewayInterface. If not,
+ # comment these out.
+ FirewallRule allow tcp port 22
+ FirewallRule allow tcp port 80
+ FirewallRule allow tcp port 443
+ # FirewallRule allow tcp port 3000
+}
+# end FirewallRuleSet users-to-router
+
+# EmptyRuleSetPolicy directives
+# The FirewallRuleSets that NoDogSplash permits are:
+#
+# authenticated-users
+# preauthenticated-users
+# users-to-router
+# trusted-users
+# trusted-users-to-router
+#
+# For each of these, an EmptyRuleSetPolicy can be specified.
+# An EmptyRuleSet policy applies to a FirewallRuleSet if the
+# FirewallRuleSet is missing from this configuration file,
+# or if it exists but contains no FirewallRules.
+#
+# The possible values of an EmptyRuleSetPolicy are:
+# allow -- packets are accepted
+# block -- packets are rejected
+# passthrough -- packets are passed through to pre-existing firewall rules
+#
+# Default EmptyRuleSetPolicies are set as follows:
+# EmptyRuleSetPolicy authenticated-users passthrough
+# EmptyRuleSetPolicy preauthenticated-users block
+EmptyRuleSetPolicy users-to-router allow
+# EmptyRuleSetPolicy trusted-users allow
+# EmptyRuleSetPolicy trusted-users-to-router allow
+
+
+# Parameter: GatewayName
+# Default: NoDogSplash
+#
+# Set GatewayName to the name of your gateway. This value
+# will be available as variable $gatewayname in the splash page source
+# and in status output from ndsctl, but otherwise doesn't matter.
+# If none is supplied, the value "NoDogSplash" is used.
+#
+# GatewayName NoDogSplash
+
+# Parameter: GatewayAddress
+# Default: Discovered from GatewayInterface
+#
+# This should be autodetected on an OpenWRT system, but if not:
+# Set GatewayAddress to the IP address of the router on
+# the GatewayInterface. This is the address that the Nodogsplash
+# server listens on.
+#
+# GatewayAddress 192.168.1.1
+
+# Parameter: RedirectURL
+# Default: none
+#
+# After authentication, normally a user is redirected
+# to their initially requested page.
+# If RedirectURL is set, the user is redirected to this URL instead.
+#
+# RedirectURL http://www.ilesansfil.org/
+
+# Parameter: GatewayPort
+# Default: 2050
+#
+# Nodogsplash's own http server uses GatewayAddress as its IP address.
+# The port it listens to at that IP can be set here; default is 2050.
+#
+# GatewayPort 2050
+
+# Parameter: MaxClients
+# Default: 20
+#
+# Set MaxClients to the maximum number of users allowed to
+# connect at any time. (Does not include users on the TrustedMACList,
+# who do not authenticate.)
+#
+# MaxClients 20
+
+# ClientIdleTimeout
+# Parameter: ClientIdleTimeout
+# Default: 10
+#
+# Set ClientIdleTimeout to the desired of number of minutes
+# of inactivity before a user is automatically 'deauthenticated'.
+#
+# ClientIdleTimeout 10
+
+# Parameter: ClientForceTimeout
+# Default: 360
+#
+# Set ClientForceTimeout to the desired number of minutes before
+# a user is automatically 'deauthenticated', whether active or not
+#
+# ClientForceTimeout 360
+
+# Parameter: AuthenticateImmediately
+# Default: no
+#
+# Set to yes (or true or 1), to immediately authenticate users
+# who make a http port 80 request on the GatewayInterface (that is,
+# do not serve a splash page, just redirect to the user's request,
+# or to RedirectURL if set).
+#
+# AuthenticateImmediately no
+
+# Parameter: MACMechanism
+# Default: block
+#
+# Either block or allow.
+# If 'block', MAC addresses on BlockedMACList are blocked from
+# authenticating, and all others are allowed.
+# If 'allow', MAC addresses on AllowedMACList are allowed to
+# authenticate, and all other (non-trusted) MAC's are blocked.
+#
+# MACMechanism block
+
+# Parameter: BlockedMACList
+# Default: none
+#
+# Comma-separated list of MAC addresses who will be completely blocked
+# from the GatewayInterface. Ignored if MACMechanism is allow.
+# N.B.: weak security, since MAC addresses are easy to spoof.
+#
+# BlockedMACList 00:00:DE:AD:BE:EF,00:00:C0:1D:F0:0D
+
+# Parameter: AllowedMACList
+# Default: none
+#
+# Comma-separated list of MAC addresses who will not be completely
+# blocked from the GatewayInterface. Ignored if MACMechanism is block.
+# N.B.: weak security, since MAC addresses are easy to spoof.
+#
+# AllowedMACList 00:00:12:34:56:78
+
+# Parameter: TrustedMACList
+# Default: none
+#
+# Comma-separated list of MAC addresses who are not subject to
+# authentication, and are not restricted by any FirewallRuleSet.
+# N.B.: weak security, since MAC addresses are easy to spoof.
+#
+# TrustedMACList 00:00:CA:FE:BA:BE, 00:00:C0:01:D0:0D
+
+
+# Parameter: PasswordAuthentication
+# Default: no
+# Set to yes (or true or 1), to require a password matching
+# the Password parameter to be supplied when authenticating.
+#
+#
+# PasswordAuthentication no
+
+# Parameter: Password
+# Default: none
+# Whitespace delimited string that is compared to user-supplied
+# password when authenticating.
+#
+#
+# Password nodog
+
+# Parameter: UsernameAuthentication
+# Default: no
+# Set to yes (or true or 1), to require a username matching
+# the Username parameter to be supplied when authenticating.
+#
+#
+# UsernameAuthentication no
+
+# Parameter: Username
+# Default: none
+# Whitespace delimited string that is compared to user-supplied
+# username when authenticating.
+#
+#
+# Username guest
+
+# Parameter: PasswordAttempts
+# Default: 5
+# Integer number of failed password/username entries before
+# a user is forced to reauthenticate.
+#
+#
+# PasswordAttempts 5
+
+# Parameter: TrafficControl
+# Default: no
+#
+# Set to yes (or true or 1), to enable traffic control in Nodogsplash.
+#
+# TrafficControl no
+
+# Parameter: DownloadLimit
+# Default: 0
+#
+# If TrafficControl is enabled, this sets the maximum download
+# speed to the GatewayInterface, in kilobits per second.
+# For example if you have an ADSL connection with 768 kbit
+# download speed, and you want to allow about half of that
+# bandwidth for the GatewayInterface, set this to 384.
+# A value of 0 means no download limiting is done.
+#
+# DownloadLimit 384
+
+# Parameter: UploadLimit
+# Default: 0
+#
+# If TrafficControl is enabled, this sets the maximum upload
+# speed from the GatewayInterface, in kilobits per second.
+# For example if you have an ADSL connection with 128 kbit
+# upload speed, and you want to allow about half of that
+# bandwidth for the GatewayInterface, set this to 64.
+# A value of 0 means no upload limiting is done.
+#
+# UploadLimit 64
+
+# Parameter: GatewayIPRange
+# Default: 0.0.0.0/0
+#
+# By setting this parameter, you can specify a range of IP addresses
+# on the GatewayInterface that will be responded to and managed by
+# Nodogsplash. Addresses outside this range do not have their packets
+# touched by Nodogsplash at all.
+# Defaults to 0.0.0.0/0, that is, all addresses.
+#
+# GatewayIPRange 0.0.0.0/0
+
+# Parameter: ImagesDir
+# Default: images
+#
+# Set the directory from which images are served.
+# Use $imagesdir in HTML files to reference this directory.
+#
+# ImagesDir images
+
+# Parameter: BinVoucher
+# Default: None
+#
+# Enable Voucher Support.
+# If set, an alphanumeric voucher HTTP parameter is accepted
+# and passed to a command line call along with the clients MAC:
+#
+# $ auth_voucher
+#
+# BinVoucher must point to a program that will be called as described above.
+# The call is expected to output the number of seconds the client
+# is to be authenticated. Zero or negative seconds will cause the
+# authentification request to be rejected.
+# The output may contain a user specific download and upload limit in KBit/s:
+#
+#
+# BinVoucher "/bin/myauth"
+
+# Parameter: ForceVoucher
+# Default: no
+#
+# Force the use of a voucher. Authentification is not possible without voucher.
+#
+# ForceVoucher no
+
+# Parameter: EnablePreAuth
+# Default: no
+#
+# Enable pre-authentication support.
+# Pass the MAC of a client to a command line call before the splash page
+# would be send:
+#
+# $ auth_status
+#
+# The call is expected to output the number of seconds the client
+# is to be authenticated. Zero or negative seconds will cause the
+# splash page to be displayed.
+# The output may contain a user specific download and upload limit in KBit/s:
+#
+#
+# EnablePreAuth no
+
+
+# Parameter: FW_MARK_BLOCKED
+# Default: 0x100
+#
+# Parameter: FW_MARK_TRUSTED
+# Default: 0x200
+#
+# Parameter: FW_MARK_AUTHENTICATED
+# Default: 0x400
+#
+# Nodogsplash uses specific values to mark packet using iptables.
+# In rare cases these might conflict with other programs and need
+# to be changed.
diff --git a/roles/nodogsplash/templates/nodogsplash.service.j2 b/roles/nodogsplash/templates/nodogsplash.service.j2
new file mode 100644
index 000000000..0d5b46b08
--- /dev/null
+++ b/roles/nodogsplash/templates/nodogsplash.service.j2
@@ -0,0 +1,12 @@
+[Unit]
+Description=NoDogSplash Captive Portal
+After=network.target
+
+[Service]
+Type=forking
+ExecStart=/usr/bin/nodogsplash -d 5 $OPTIONS
+ExecStop=/usr/bin/ndsctl stop
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/roles/nodogsplash/templates/splash.html.j2 b/roles/nodogsplash/templates/splash.html.j2
new file mode 100644
index 000000000..d82af20a7
--- /dev/null
+++ b/roles/nodogsplash/templates/splash.html.j2
@@ -0,0 +1,91 @@ + + + + + + + + + + + +$gatewayname Entry + + + + + +
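Review bot: In the `users-to-router` block the template keeps `FirewallRule allow tcp port 22` active, and that ruleset applies to every client on the GatewayInterface that is not on TrustedMACList, authenticated or not, so ssh on the server is reachable from anyone who associates with the portal network before they ever see the splash page; the file's own comment says to comment these out if administration from that side is not needed, so `# FirewallRule allow tcp port 22` (or wrapping the line in a Jinja conditional on a role variable) keeps the management port closed by default. `GatewayInterface br0` is hard-coded even though this is a `.j2` template, so on a host whose LAN bridge has another name the portal silently manages the wrong interface; rendering it from the role's interface variable would tie it to the rest of the role. `EmptyRuleSetPolicy users-to-router allow` is the only one of the five EmptyRuleSetPolicy lines left uncommented, but since the users-to-router ruleset above is non-empty the directive has no effect here; a comment saying why it is enabled, or removing it, would save the next reader the question.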
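Review bot: This unit file is added while the task that would install it is commented out in roles/nodogsplash/tasks/rpi.yml with the remark that the `.deb` ships its own, so the template is dead weight that will drift from the packaged unit; either drop it or keep it with a header comment stating when it is meant to replace the packaged one. `ExecStart=/usr/bin/nodogsplash -d 5 $OPTIONS` references `$OPTIONS` without any `EnvironmentFile=` or `Environment=` line in the unit, so it expands to nothing and the variable name suggests a contract that is not there. The file also lacks a trailing newline, as the `\ No newline at end of file` marker in the diff shows.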
+

If not redirected to Internet in a Box,
please click Continue Burron.

+
+
+ +
+ + + +
+ + + +