diff --git a/debian/wit-network-config.postinst b/debian/wit-network-config.postinst
index c138e8d..a345366 100755
--- a/debian/wit-network-config.postinst
+++ b/debian/wit-network-config.postinst
@@ -248,7 +248,11 @@ case "$1" in
 FRR_IFS="${FRR_IFS} ipv6 nd other-config-flag\n"
 FRR_IFS="${FRR_IFS} ipv6 nd prefix ${ipv6}\n"
 FRR_IFS="${FRR_IFS} ipv6 nd ra-interval 10\n"
- FRR_IFS="${FRR_IFS} no ipv6 nd suppress-ra\n!\n"
+ FRR_IFS="${FRR_IFS} no ipv6 nd suppress-ra\n!\n\n"
+
+ [[ $ifname = mgmtgw1 ]] && listnum=10
+ [[ $ifname = ipmigw1 ]] && listnum=20
+ FRR_IFS="${FRR_IFS}ipv6 prefix-list MGMT seq $listnum permit ${ipv6}\n"
 fi
@@ -392,13 +396,10 @@ case "$1" in
 ## START configuring services as we need it
- #systemctl disable strongswan # disable ipsec till we have the certs and all ansible will enable it after dropping certs
 systemctl enable firewall
 systemctl restart firewall
- systemctl enable systemd-timesyncd
- systemctl restart systemd-timesyncd || true
 systemctl restart ssh
- systemctl reload strongswan
+ systemctl reload strongswan || true ## in case we kick-start or done have it enabled for some reason
 update-grub
diff --git a/files/frr.conf.wit b/files/frr.conf.wit
index 9edb7f5..6201216 100644
--- a/files/frr.conf.wit
+++ b/files/frr.conf.wit
@@ -157,7 +157,10 @@ route-map LOCALNETSv4 permit 5
 route-map LOCALNETSv6 permit 5
 description "permit ipv6 loopback ips"
 match ipv6 address prefix-list LOOPBACKv6
-!
+
+!!BASTION route-map LOCALNETSv6 permit 10
+!!BASTION description permit bastion mgmt ip
+!!BASTION match ipv6 address prefix-list MGMT
 !!!
 route-map eBGPv4-IN deny 5
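Review bot: In the first postinst hunk (`@@ -248`), `listnum` is assigned only when `$ifname` is `mgmtgw1` or `ipmigw1`, yet the `ipv6 prefix-list MGMT seq $listnum permit ${ipv6}` line is appended for every interface that reaches this branch. For any other interface the variable is empty, or still holds the value from a previous interface if this code runs in a loop (not visible here), so FRR receives either a malformed line or a MGMT entry for a prefix that was never meant to be permitted. Clear it before the two tests with `listnum=` and guard the append: `if [[ -n $listnum ]]; then FRR_IFS="${FRR_IFS}ipv6 prefix-list MGMT seq $listnum permit ${ipv6}\n"; fi`. The `[[` tests also need a bash shebang, which lies outside the hunk, as does the start of the enclosing `if`.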
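Review bot: In the second postinst hunk (`@@ -392`), `systemctl reload strongswan || true` hides every reload failure, not only the "unit not enabled yet" case that the trailing comment describes, so the package can finish configuring while the IPsec daemon still runs old or rejected configuration. Narrow it to the intended case with `systemctl is-active --quiet strongswan && systemctl reload strongswan`, or at least keep a trace with `systemctl reload strongswan || echo "postinst: strongswan reload failed" >&2`. The same hunk drops the `systemd-timesyncd` enable and restart; if no other time source is configured elsewhere (not visible here), clock drift will affect certificate validation for the tunnels and the usefulness of log timestamps, so a short comment naming the replacement would help.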
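Review bot: In `files/frr.conf.wit`, the new `!!BASTION` route-map entry matches `prefix-list MGMT`, but that list exists only when the postinst emits it for `mgmtgw1` or `ipmigw1`, and nothing in this template records the dependency. Add a comment line above the block, for example `!!! MGMT prefix-list is generated by wit-network-config.postinst for mgmtgw1/ipmigw1; enable the BASTION lines only on those hosts`. How the `!!BASTION` marker is activated is not visible here; if it can be enabled on a host without the list, `permit 10` references an undefined prefix-list, and FRR's handling of that case should be confirmed before the entry is relied on to control which management prefixes are advertised. The new `description` is also unquoted, while the neighbouring `permit 5` entry quotes its description.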