diff --git a/roles/2-common/tasks/iptables.yml b/roles/2-common/tasks/iptables.yml
deleted file mode 100644
index 94c1ff003..000000000
--- a/roles/2-common/tasks/iptables.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-- name: Disable firewalld service (OS's other than debuntu)
- service:
- name: firewalld
- enabled: no
- when: not is_debuntu
-
-# Likely no longer nec as of 2019
-- name: Use larger hammer -- systemctl disable firewalld -- 2 symbolic links involved (OS's other than debuntu)
- shell: systemctl disable firewalld.service
- when: not is_debuntu
-
-- name: Mask firewalld service (OS's other than debuntu)
- shell: systemctl mask firewalld
- ignore_errors: yes
- when: not installing and not is_debuntu
-
-- name: Stop firewalld service (OS's other than debuntu)
- service:
- name: firewalld
- state: stopped
- ignore_errors: yes
- when: not installing and not is_debuntu
-
-- name: Remove /etc/systemd/system/iptables.service
- file:
- path: /etc/systemd/system/iptables.service
- state: absent
-
-- name: Install package iptables-persistent (debuntu)
- package:
- name: iptables-persistent
- state: present
- when: is_debuntu
-
-- name: Install package iptables-services (OS's other than debuntu)
- package:
- name: iptables-services
- state: present
- when: not is_debuntu
-
-- name: Install /etc/sysconfig/iptables-config from template
- template:
- src: iptables-config
- dest: /etc/sysconfig/iptables-config
- # owner: root
- # group: root
- # mode: '0644'
-
-- name: Install /etc/network/if-pre-up.d/iptables from template (debuntu)
- template:
- src: iptables
- dest: /etc/network/if-pre-up.d/iptables
- mode: '0755'
- when: is_debuntu
diff --git a/roles/2-common/tasks/main.yml b/roles/2-common/tasks/main.yml
index 66fedacd4..e55d12c05 100644
--- a/roles/2-common/tasks/main.yml
+++ b/roles/2-common/tasks/main.yml
@@ -19,7 +19,7 @@ when: xo_model != "none" or osbuilder is defined - include_tasks: packages.yml -- include_tasks: iptables.yml +- include_tasks: network.yml # Ongoing rework (e.g. PR #2652) arising from ansible.posix collection changes: - name: Use 'sysctl' to set 5 network/kernel settings, turning off IPv6 if possible diff --git a/roles/2-common/tasks/network.yml b/roles/2-common/tasks/network.yml new file mode 100644 index 000000000..3056e98fb --- /dev/null +++ b/roles/2-common/tasks/network.yml @@ -0,0 +1,23 @@ +- name: Install package networkd-dispatcher (OS's other than RaspOS) + package: + name: networkd-dispatcher + state: present + when: not is_raspbian + +# used in the network role +- name: Install network related packages (debuntu) + package: + name: + - iproute2 + - iptables-persistent + - hostapd + - netmask + state: present + when: is_debuntu + +- name: Install /etc/network/if-pre-up.d/iptables from template (debuntu) + template: + src: iptables + dest: /etc/network/if-pre-up.d/iptables + mode: '0755' + when: is_debuntu diff --git a/roles/2-common/tasks/packages.yml b/roles/2-common/tasks/packages.yml index 474f09d5c..3b76d7beb 100644 --- a/roles/2-common/tasks/packages.yml +++ b/roles/2-common/tasks/packages.yml @@ -27,7 +27,7 @@ state: present when: is_debuntu -- name: "Install 22 common packages: acpid, bridge-utils, bzip2, curl, gawk, hostapd, htop, i2c-tools, logrotate, make, mlocate, netmask, net-tools, ntfs-3g, pandoc, pastebinit, rsync, sqlite3, tar, unzip, usbutils, wget" +- name: "Install 20 common packages: acpid, bridge-utils, bzip2, curl, gawk, hostapd, htop, i2c-tools, logrotate, make, mlocate, netmask, net-tools, ntfs-3g, pandoc, pastebinit, rsync, sqlite3, tar, unzip, usbutils, wget" package: name: - acpid # Daemon for ACPI (power mgmt) events 
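Review bot: The new network.yml carries over only the debuntu half of the deleted iptables.yml: the tasks that disabled, masked and stopped firewalld, the `iptables-services` package and the `/etc/sysconfig/iptables-config` template have no replacement, so on a host where `is_debuntu` is false this role no longer defines which firewall is in charge. If those platforms are out of scope, state it at the top of the file, e.g. `# Firewall setup below is debuntu-only; other OS families are not configured by this role`; otherwise the non-debuntu tasks need to move here too. The if-pre-up.d hook is presumably executed as root when an interface comes up, so I would also pin `owner: root` and `group: root` beside `mode: '0755'` instead of inheriting them from the connection user.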
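Review bot: The new task title says 20 packages but still names `hostapd` and `netmask`, which the later hunks of this file remove from the list, so the title enumerates 22 names and the play output will claim packages this task no longer installs. Drop both names from the string so logs match what is actually installed. `iproute2` stays in this list (visible as context in the next hunk) and is also added to network.yml, so one of the two entries looks redundant. The task body continues outside this hunk.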
@@ -35,7 +35,6 @@ - curl # Used to install roles/nodejs and roles/nodered #- etckeeper # "nobody is really using etckeeper and it's bloating the filesystem every time apt runs" per @jvonau at https://github.com/iiab/iiab/issues/1146 - gawk - - hostapd - htop - i2c-tools # Low-level bus/chip/register/EEPROM tools e.g. for RTC - iproute2 @@ -43,7 +42,6 @@ #- lynx # Installed by 1-prep's roles/iiab-admin/tasks/access.yml - make # 2021-04-26: What roles (if any) truly still use this? - mlocate - - netmask - net-tools # 2021-04-26: @jvonau suggests possibly deleting this...unless oldtimers really want these older commands in iiab-diagnostics output? - ntfs-3g # Possibly no longer nec, similar to exfat packages above? #- openssh-server # ssh (Raspbian) or openssh-server (other OS's) already installed by 1-prep's roles/sshd/tasks/main.yml diff --git a/roles/network/tasks/NM-debian.yml b/roles/network/tasks/NM-debian.yml index ece7fa8cd..8cf977c8a 100644 --- a/roles/network/tasks/NM-debian.yml +++ b/roles/network/tasks/NM-debian.yml @@ -70,9 +70,14 @@ mode: 0600 when: wan_ip != "dhcp" +- name: Use systemd-networkd to handle br0 + include_tasks: sysd-netd-debian.yml + when: iiab_lan_iface == "br0" and not systemd_networkd_active + - name: Reload systemd systemd: daemon_reload: yes + when: not iiab_lan_iface == "br0" - name: Restart the NetworkManager service systemd: diff --git a/roles/network/tasks/netplan.yml b/roles/network/tasks/netplan.yml index b103f3331..afa33c3ce 100644 --- a/roles/network/tasks/netplan.yml +++ b/roles/network/tasks/netplan.yml 
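Review bot: With both new conditions in place, a run where `iiab_lan_iface == "br0"` and `systemd_networkd_active` is already true executes neither the include nor `Reload systemd`, so anything written earlier in this file that needs a daemon reload is not picked up in that case. If the intent is that sysd-netd-debian.yml performs the reload for br0 (not visible in this hunk), the include should not depend on `not systemd_networkd_active`, or the reload guard should mirror the include's full condition. The guard itself reads more clearly as `when: iiab_lan_iface != "br0"`.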
@@ -23,17 +23,19 @@ - systemd-networkd-wait-online when: systemd_networkd_active -- name: Unmask and enable the systemd-networkd service for br0 - systemd: - name: systemd-networkd - enabled: yes - masked: no - when: network_manager_active and iiab_lan_iface == "br0" +# Moved to NM-debian.yml 2020-12-07 +#- name: Unmask and enable the systemd-networkd service for br0 +# systemd: +# name: systemd-networkd +# enabled: yes +# masked: no +# when: network_manager_active and iiab_lan_iface == "br0" -- name: Ensure systemd-networkd gets enabled for br0 - set_fact: - systemd_networkd_active: True - when: network_manager_active and iiab_lan_iface == "br0" +# Moved to NM-debian.yml 2020-12-07 +#- name: Ensure systemd-networkd gets enabled for br0 +# set_fact: +# systemd_networkd_active: True +# when: network_manager_active and iiab_lan_iface == "br0" # ICO will always set gui_static_wan_ip away from the default of 'unset' while # gui_static_wan turns dhcp on/off through wan_ip in computed_network and diff --git a/roles/network/tasks/sysd-netd-debian.yml b/roles/network/tasks/sysd-netd-debian.yml index c334d6688..622663462 100644 --- a/roles/network/tasks/sysd-netd-debian.yml +++ b/roles/network/tasks/sysd-netd-debian.yml @@ -57,10 +57,19 @@ state: started when: wifi_up_down and discovered_wireless_iface != "none" -- name: Restart the systemd-networkd service +- name: Enable & Restart systemd-networkd.service systemd: name: systemd-networkd state: restarted + enabled: yes + masked: no + +- name: Enable & Restart networkd-dispatcher.service + systemd: + name: networkd-dispatcher + state: restarted + enabled: yes + masked: no - name: Restart hostapd when WiFi is present but not when using WiFi as gateway with wifi_up_down False systemd:
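Review bot: The comments say both tasks moved to NM-debian.yml, but the NM-debian.yml hunk in this commit adds only an `include_tasks`, and no visible task sets `systemd_networkd_active` to true any more. The enable/unmask part reappears in sysd-netd-debian.yml, while the `set_fact` has no counterpart in the diff, so tasks guarded by `when: systemd_networkd_active` (one is visible at the top of this hunk) would presumably skip on a NetworkManager host using br0. Either keep the `set_fact` next to the new include or confirm nothing downstream reads the fact. Deleting the two tasks outright, with the explanation in the commit message, would be cleaner than leaving them commented out.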
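Review bot: The added `Enable & Restart networkd-dispatcher.service` task has no `when`, yet network.yml in this same commit installs `networkd-dispatcher` only `when: not is_raspbian`, so on RaspOS the systemd module will fail on a missing unit unless the package is already present from elsewhere. Give the task the same guard, `when: not is_raspbian`, or install the package unconditionally. The systemd-networkd task now also unmasks and enables the service on every pass through this file, which is broader than the old `network_manager_active and iiab_lan_iface == "br0"` condition in netplan.yml, so it is worth confirming that every includer of this file wants that.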