diff --git a/roles/network/tasks/computed_services.yml b/roles/network/tasks/computed_services.yml
index 5b5bac4da..1ba1283d7 100644
--- a/roles/network/tasks/computed_services.yml
+++ b/roles/network/tasks/computed_services.yml
@@ -2,16 +2,12 @@
   set_fact:
     dansguardian_enabled: False
     squid_enabled: False
-    named_enabled: True
-    dhcpd_enabled: False
     wondershaper_enabled: False
     iiab_network_mode: "Appliance"
   when: iiab_lan_iface == "none" or user_lan_iface == "none"
 
 - name: LAN configured - 'LanController' mode
   set_fact:
-    named_enabled: True
-    dhcpd_enabled: True
     dansguardian_enabled: False
     squid_enabled: False
     wondershaper_enabled: False
@@ -20,11 +16,32 @@
 
 - name: LAN configured - 'Gateway' mode
   set_fact:
-    named_enabled: True
-    dhcpd_enabled: True
     iiab_network_mode: "Gateway"
   when: 'iiab_lan_iface != "none" and iiab_wan_iface != "none"'
 
+- name: No LAN configured - non-dnsmasq
+  set_fact:
+    named_enabled: True
+    dhcpd_enabled: False
+    dns_service2: "{{ dns_service }}"
+  when: iiab_lan_iface == "none" or user_lan_iface == "none" and dns_service!= "dnsmasq"
+#  when: iiab_lan_iface == "none" or user_lan_iface == "none" and not dnsmasq_enabled"
+
+- name: LAN configured - non-dnsmasq
+  set_fact:
+    named_enabled: True
+    dhcpd_enabled: True
+    dns_service2: "{{ dns_service }}"
+    when: dns_service != "dnsmasq" and iiab_network_mode != "Appliance"
+#    when: not dnsmasq_enabled and iiab_network_mode != "Appliance"
+
+#- name: LAN configured - dnsmasq
+#  set_fact:
+#    named_enabled: False
+#    dhcpd_enabled: False
+#    dns_service2: dnsmasq
+#    when: dnsmasq_enabled and iiab_network_mode != "Appliance"
+
 - name: Add location section to config file
   ini_file: dest='{{ iiab_config_file }}'
             section=network
diff --git a/roles/network/tasks/debian.yml b/roles/network/tasks/debian.yml
index 8be1ec8f6..97346ac07 100644
--- a/roles/network/tasks/debian.yml
+++ b/roles/network/tasks/debian.yml
@@ -25,11 +25,6 @@
         state=absent
   when: iiab_lan_iface != "br0" and wan_ip == "dhcp"
 
-- name: Default to 'lan_controller'
-  set_fact:
-      gui_desired_network_role: "lan_controller"
-  when: not gui_desired_network_role is defined
-
 - name: Supply resolvconf.conf
   template: dest=/etc/resolvconf.conf
             src=network/resolvconf.j2
@@ -45,26 +40,33 @@
   register: interface
   when: iiab_lan_iface == "br0" or wan_ip != "dhcp"
 
-- name: Start up the dhcpcd service
-  service: name=dhcpcd
-           enabled=True
-           state=started
-
 - name: If this was a change, things need to shift
   service: name=hostapd state=stopped
   when: interface.changed
 
-- name: dhcpd may be affected
-  service: name=bind9 state=stopped
+#- name: dhcpcd may be affected
+#  service: name=dhcpcd state=stopped
+#  when: interface.changed and dhcpcd_result == "enabled"
+
+- name: dns may be affected
+  service: name={{ dns_service2 }} state=stopped
   when: interface.changed
 
-- name: Restart the networking service
+- name: reload systemd
+  shell: systemctl daemon-reload
+
+# now pick up denyinterfaces
+- name: restart dhcpcd
+  service: name=dhcpcd state=restarted
+  when: interface.changed and dhcpcd_result == "enabled"
+
+- name: restart the networking service
   service: name=networking state=restarted
   when: interface.changed
-
-- name: start up dhcpcd again
-  service: name=dhcpcd state=started
-  when: interface.changed and dhcpcd_result == "enabled"
+  
+- name: dns may be affected
+  service: name={{ dns_service2 }} state=started
+  when: interface.changed
 
 #create lan br0 if lan_controller or gateway
 #create wan br0 if appliance
diff --git a/roles/network/tasks/enable_services.yml b/roles/network/tasks/enable_services.yml
index dd968341a..e6e47cd48 100644
--- a/roles/network/tasks/enable_services.yml
+++ b/roles/network/tasks/enable_services.yml
@@ -39,7 +39,23 @@
            enabled=no
   when: not named_enabled
 
-- name: Enable DansGuardian
+#- name: Enable dnsmasq
+#  service: name=dnsmasq
+#           enabled=no
+#  when: dnsmasq_enabled
+
+# copy config file
+#- name: Supply dnsmasq.conf
+#  template: dest=
+#            src=
+#  when: dnsmasq_enabled
+
+#- name: Enable dnsmasq
+#  service: name=dnsmasq
+#           enabled=yes
+#  when: dnsmasq_enabled
+
+- name: Enable dansguardian
   service: name=dansguardian
            enabled=yes
   when: dansguardian_enabled and dansguardian_install
diff --git a/roles/network/tasks/ifcfg_mods.yml b/roles/network/tasks/ifcfg_mods.yml
index b98c9a019..89b03a922 100644
--- a/roles/network/tasks/ifcfg_mods.yml
+++ b/roles/network/tasks/ifcfg_mods.yml
@@ -67,6 +67,10 @@
 - include: enable_wan.yml
   when: not installing and not iiab_demo_mode
 
+- name: ask systemd to reread the unit files, picks up changes done
+  shell: systemctl daemon-reload
+  when: not installing
+
 # monitor-connection-files defaults to no with F21, F18-F20 defaults to yes
 - name: Re-read network config files
   shell: nmcli con reload
diff --git a/roles/network/tasks/main.yml b/roles/network/tasks/main.yml
index 0d8b2b8cc..9bb1763f2 100644
--- a/roles/network/tasks/main.yml
+++ b/roles/network/tasks/main.yml
@@ -40,7 +40,6 @@
     - network
     - domain
 
-
 ##### Start static ip address info for first run #####
 #- include: static.yml
 #  when: 'iiab_wan_iface != "none" and wan_ip != "dhcp"'
@@ -50,6 +49,9 @@
   tags:
     - network
 
+##### end hostname setup
+##### start install portion
+# only needs to be done once
 - include: named.yml
   tags:
     - named
@@ -80,9 +82,20 @@
   tags:
     - network
 
-- name: Ask systemd to reread the unit files, picks up changes done
-  shell: systemctl daemon-reload
+#### end install portion
+#### start network layout
+# setting installing would skip configuring network
+# but would configure but not start services
+- include: computed_network.yml
   when: not installing
+  tags:
+    - network
+    - network-discover
+
+# templates needed from above install section live here
+- include: enable_services.yml
+  tags:
+    - network
 
 - include: ifcfg_mods.yml
   tags:
@@ -99,6 +112,11 @@
     - network
   when: is_debuntu and is_rpi  and not installing
 
+- include: hostapd.yml
+  when: not installing
+  tags:
+    - network
+
 - name: Create IIAB network flags
   template: src=network/{{ item }}.j2
             dest=/etc/sysconfig/{{ item }}
@@ -109,21 +127,15 @@
   when: not installing
   tags:
     - network
+#### end network layout
+#### start services
 
 - include: computed_services.yml
   tags:
     - network
 
-- include: enable_services.yml
-  tags:
-    - network
-
 - include: restart.yml
   when: not installing
   tags:
     - network
-
-- include: hostapd.yml
-  when: not installing
-  tags:
-    - network
+#### end services
diff --git a/roles/network/tasks/restart.yml b/roles/network/tasks/restart.yml
index 61833144b..4de5c37c4 100644
--- a/roles/network/tasks/restart.yml
+++ b/roles/network/tasks/restart.yml
@@ -15,12 +15,14 @@
            state=stopped
   when: not named_enabled
 
+#- name: Stop dnsmasq service
+#  service: name=dnsmasq
+#           state=stopped
+#  when: not dnsmasq_enabled
+
 - name: Start named service
-  service: name={{ dns_service }}
+  service: name={{ dns_service2 }}
            state=started
-  ignore_errors: True
-  when: named_enabled
-  register: dns_started
 
 - name: Stop DansGuardian
   service: name=dansguardian
diff --git a/roles/network/tasks/rpi_debian.yml b/roles/network/tasks/rpi_debian.yml
index 2f4219aff..b26cd84f4 100644
--- a/roles/network/tasks/rpi_debian.yml
+++ b/roles/network/tasks/rpi_debian.yml
@@ -47,8 +47,8 @@
   service: name=hostapd state=stopped
   when: interface.changed
 
-- name: dhcpd may be affected
-  service: name=bind9 state=stopped
+- name: dhcpcd may be affected
+  service: name=dhcpcd state=stopped
   when: interface.changed
 
 - name: Tear down any bridge and start fresh
@@ -69,6 +69,10 @@
 - name: start up dhcpcd again
   service: name=dhcpcd state=started
 
+# now pick up denyinterfaces
+- name: restart dhcpcd
+  service: name=dhcpcd state=restarted
+
 - name: restart the networking service
   service: name=networking state=restarted
 
diff --git a/roles/network/templates/network/systemd.j2 b/roles/network/templates/network/systemd.j2
index fb2e3a28f..58260354b 100644
--- a/roles/network/templates/network/systemd.j2
+++ b/roles/network/templates/network/systemd.j2
@@ -3,9 +3,9 @@
 
 {% if iiab_network_mode == "Appliance"  %}
 #################   APPLIANCE #########################
-{% if dhcpcd_result != "enabled" or wan_in_interfaces == "false" %}
+{% if dhcpcd_result == "enabled" and wan_in_interfaces == "false" %}
 auto {{ iiab_wan_iface }}
-iface {{ iiab_wan_iface }} inet dhcp
+iface {{ iiab_wan_iface }} inet manual
 {% else %} # gui_static_wan_ip is set 
 iface {{ iiab_wan_iface }} inet manual
 {% endif %} {# end of dhcp_wan #}
@@ -29,9 +29,9 @@ iface br0 inet static
     address {{ lan_ip }}
     netmask {{ lan_netmask }}
     dns-nameservers {{ lan_ip }}
-{% if dhcpcd_result != "enabled" or wan_in_interfaces == "false" %}
+{% if dhcpcd_result == "enabled" and wan_in_interfaces == "false" %}
 auto {{ iiab_wan_iface }}
-iface {{ iiab_wan_iface }} inet dhcp
+iface {{ iiab_wan_iface }} inet manual
 {% else %} # gui_static_wan_ip is set 
 iface {{ iiab_wan_iface }} inet manual
 {% endif %} {# end of dhcp_wan #}