diff --git a/debian/wit-network-config.postinst b/debian/wit-network-config.postinst
index 6a426c9..d5ec86c 100755
--- a/debian/wit-network-config.postinst
+++ b/debian/wit-network-config.postinst
@@ -24,13 +24,19 @@ case "$1" in
 IFCONFIG="/etc/network/interfaces"
 UDEVCONFIG="/etc/udev/rules.d/70-persistent-net.rules"
 FRRCONFIG="/etc/frr/frr.conf.wit"
+ IPSECCONFIG="/etc/ipsec.conf.wit"
- HOSTNAME=edge2.usw2.admin.wit.com
+ #HOSTNAME=d21.usw2.admin.wit.com
+ HOSTNAME=bastion.usw2.admin.wit.com
+ #HOSTNAME=edge2.usw2.admin.wit.com
+ IFCONFIG="/tmp/interfaces"
 UDEVCONFIG="/tmp/70-persistent-net.rules"
 FRRCONFIG="/tmp/frr.conf.wit"
+ IPSECCONFIG="/tmp/ipsec.conf.wit"
 cp files/frr.conf.wit /tmp
+ cp files/ipsec.conf.wit /tmp
 ## START gather all the info from the box and generate the variabels
@@ -60,7 +66,7 @@ case "$1" in
 ## START nic config compile
- # wiping existing config in prep for de-deploying it
+ # wiping existing config in prep for re-deploying it
 mv -f ${IFCONFIG} ${IFCONFIG}.dpkg-old || true
 mv -f ${UDEVCONFIG} ${UDEVCONFIG}.dpkg-old || true
@@ -200,6 +206,7 @@ case "$1" in
 ## START compiling frr config
+ ## compile public IP space prefix lists, this is what's going to be advertised out the upstream provider
 i=1
 while true; do
 TEMP="$(dig_txt $i.ipv4.public.prefixlist.usw2.admin.wit.com)" || break
@@ -220,6 +227,8 @@ case "$1" in
 let i+=1
 done
+
+ ## compile customer IP blocks that we accept. this in theory should be a combination of *all* public blocks used accross regions while limiting it a smaller subnet size
 i=1
 while true; do
 TEMP="$(dig_txt $i.ipv4.customers.prefixlist.usw2.admin.wit.com)" || break
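Review bot: The new `IPSECCONFIG="/tmp/ipsec.conf.wit"` and `cp files/ipsec.conf.wit /tmp` lines extend a local-testing override (the `/tmp` reassignments of UDEVCONFIG and FRRCONFIG are context, so it predates this commit) that redirects every generated config away from `/etc`, so the `sed -i` further down edits `$IPSECCONFIG` in `/tmp` and the real `/etc/ipsec.conf.wit` is never updated by the package. Fixed file names under world-writable `/tmp` written by a root-run maintainer script are also a classic pre-creation/symlink hazard: a local user who creates `/tmp/ipsec.conf.wit` (or a symlink there) first decides what `cp` and the later `sed -i` operate on. `cp files/...` is relative to the caller's working directory, which under dpkg is not the source tree, another sign this block is not meant to ship. The per-host `HOSTNAME=` switched by commenting lines in and out has the same smell; `hostname -f` or a debconf value would avoid rebuilding the package per node. I would keep the `/etc` assignments as the default and gate the override behind an explicit variable and a private directory:
```shell
    IPSECCONFIG="/etc/ipsec.conf.wit"
    # Local-testing shim: only with WIT_DEBUG=1, and into a private temp dir, never fixed names in /tmp.
    if [ "${WIT_DEBUG:-0}" = "1" ]; then
        WIT_TMPDIR="$(mktemp -d)" || exit 1
        IFCONFIG="${WIT_TMPDIR}/interfaces"
        UDEVCONFIG="${WIT_TMPDIR}/70-persistent-net.rules"
        FRRCONFIG="${WIT_TMPDIR}/frr.conf.wit"
        IPSECCONFIG="${WIT_TMPDIR}/ipsec.conf.wit"
        cp files/frr.conf.wit files/ipsec.conf.wit "${WIT_TMPDIR}/"
    fi
    # … unchanged: gather all the info from the box and generate the variables …
```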
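Review bot: `TEMP="$(dig_txt $i.ipv4.public.prefixlist...)" || break` uses the first failed lookup as the end-of-list sentinel, so a transient resolver failure on record N silently truncates the public prefix list to N-1 entries, and that shortened list is what the new comment says gets advertised upstream; the loop body continues outside the hunk. Unless `dig_txt` (defined elsewhere) distinguishes NXDOMAIN from SERVFAIL and timeouts, I would publish the expected length, e.g. a `count.ipv4.public.prefixlist.usw2.admin.wit.com` TXT record, and make the postinst fail when fewer records are collected. The added comment could also name the zone that is authoritative for these records, since the advertised prefixes are only as trustworthy as that lookup.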
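Review bot: The added comment has a typo and a dropped word, `accross` and `limiting it a smaller subnet size`; I would write it as `## compile customer IP blocks that we accept. In theory this should be the union of *all* public blocks used across regions, restricted to a smaller maximum subnet size`. It also promises a size restriction that is not visible in this hunk (the while loop continues outside it); if the generated prefix-list enforces an `le` bound, name it in the comment, and if it does not, the comment over-promises.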
@@ -237,11 +246,14 @@ case "$1" in
 done
+ ## compile loopback IP blocks that we wanna accept to be injected into the bgp
 i=1
 while true; do
 TEMP="$(dig_txt $i.ipv4.loopback.prefixlist.usw2.admin.wit.com)" || break
 TEMPSUM="ip prefix-list LOOPBACKv4 seq $((i*5)) permit ${TEMP} ge 32\n"
 FRR_IPV4_LOOPBACK_PFLIST="${FRR_IPV4_LOOPBACK_PFLIST}${TEMPSUM}"
+ [ -z $IPSEC_IPV4_SUBNETS ] || IPSEC_IPV4_SUBNETS="${IPSEC_IPV4_SUBNETS},"
+ IPSEC_IPV4_SUBNETS="${IPSEC_IPV4_SUBNETS}${TEMP}"
 let i+=1
 done
@@ -250,6 +262,8 @@ case "$1" in
 TEMP="$(dig_txt $i.ipv6.loopback.prefixlist.usw2.admin.wit.com)" || break
 TEMPSUM="ipv6 prefix-list LOOPBACKv6 seq $((i*5)) permit ${TEMP} ge 128\n"
 FRR_IPV6_LOOPBACK_PFLIST="${FRR_IPV6_LOOPBACK_PFLIST}${TEMPSUM}"
+ [ -z $IPSEC_IPV6_SUBNETS ] || IPSEC_IPV6_SUBNETS="${IPSEC_IPV6_SUBNETS},"
+ IPSEC_IPV6_SUBNETS="${IPSEC_IPV6_SUBNETS}${TEMP}"
 let i+=1
 done
@@ -275,16 +289,22 @@ case "$1" in
 -e "s/NODEASN/${NODEASN}/" \
 $FRRCONFIG
 [ -z $FRR_EDGE_NEIGH ] || sed -i -e 's/!!! //' $FRRCONFIG
-exit 2
- chown frr.frr $FRRCONFIG /etc/frr/daemons.wit
 # set ipsec config
- sed -i -e "s/FQHOSTNAME/${HOSTNAME}/" /etc/ipsec.conf.wit
+ sed -i \
+ -e "s/FQHOSTNAME/${HOSTNAME}/" \
+ -e "s/IPSEC_IPV4_SUBNETS/$IPSEC_IPV4_SUBNETS/" \
+ -e "s/IPSEC_IPV6_SUBNETS/$IPSEC_IPV6_SUBNETS/" \
+ $IPSECCONFIG
+exit 100
 echo ": RSA ${HOSTNAME}.key" >/etc/ipsec.secrets
+ chown frr.frr $FRRCONFIG /etc/frr/daemons.wit
+
+ # wite grub rules for serial terminal
 sed -i -e '/GRUB_CMDLINE_LINUX_DEFAULT=/d' -e '/GRUB_CMDLINE_LINUX=/d' -e '/GRUB_SERIAL_COMMAND=/d' -e '/GRUB_TERMINAL=/d' /etc/default/grub
diff --git a/files/frr.conf.wit b/files/frr.conf.wit
index 8bb1513..bcbcbda 100644
--- a/files/frr.conf.wit
+++ b/files/frr.conf.wit
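Review bot: The value appended to `IPSEC_IPV4_SUBNETS` is whatever the TXT record returned, unvalidated, and later in this commit it is spliced into a `sed` replacement and into `leftsubnet=`/`rightsubnet=` of the ipsec template, so a stray or spoofed record (whether the resolver validates DNSSEC is not visible here) can break the config or widen the IPsec traffic selectors. A shape check before the append contains that, and since `let` implies bash a pattern test is available: `[[ "$TEMP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$ ]] || { echo "bad loopback prefix: $TEMP" >&2; exit 1; }`. `[ -z $IPSEC_IPV4_SUBNETS ]` only works because a one-argument `[` sees the leftover `-z` as a non-empty string; write it as `[ -z "$IPSEC_IPV4_SUBNETS" ] || IPSEC_IPV4_SUBNETS="${IPSEC_IPV4_SUBNETS},"`.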
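Review bot: This loop is the IPv4 loop repeated with `ipv6`, `LOOPBACKv6` and `ge 128` substituted, and the two new lines carry the same unquoted `[ -z $IPSEC_IPV6_SUBNETS ]` test; a small helper taking the record name and the list variable would keep the v4 and v6 paths from drifting apart as more per-family state like these IPsec lists is added. If a helper is too much for a postinst, at least quote the test: `[ -z "$IPSEC_IPV6_SUBNETS" ] || IPSEC_IPV6_SUBNETS="${IPSEC_IPV6_SUBNETS},"`.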
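Review bot: `exit 100` right after the new `sed -i` is a debug exit (the removed `exit 2` played the same role), and in what is presumably the configure arm it aborts the maintainer script before `/etc/ipsec.secrets`, the frr `chown` and the grub rewrite run, leaving dpkg with a half-configured package. Separately, `-e "s/IPSEC_IPV4_SUBNETS/$IPSEC_IPV4_SUBNETS/"` uses `/` as the delimiter while the values are CIDR prefixes (the loopback loop feeds them to `ip prefix-list ... permit ${TEMP} ge 32`, and the template line they replace held `10.1.0.0/16`), so the first real prefix turns the expression into `s/IPSEC_IPV4_SUBNETS/10.1.0.0/16/` and sed rejects it. Drop the `exit 100` and use a delimiter that cannot appear in a prefix, `-e "s|IPSEC_IPV4_SUBNETS|${IPSEC_IPV4_SUBNETS}|"` and `-e "s|IPSEC_IPV6_SUBNETS|${IPSEC_IPV6_SUBNETS}|"`. An `&` or backslash in a DNS-supplied value would still be interpreted by sed, which is one more reason to validate the records where they are read. The `echo ... >/etc/ipsec.secrets` line is context, but once the debug exit is gone it runs again and inherits the umask; a `umask 077` before it keeps the secrets file private.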
@@ -186,12 +186,8 @@ route-map LOCALNETSv6 permit 5
 !!! match ip address prefix-list DEFAULT
 !!! !
 !!! route-map FABRICv4-OUT permit 10
-!!! description "allow loopback IPs"
-!!! match ip address prefix-list LOOPBACKv4
-!!! !
-!!! route-map FABRICv4-OUT permit 15
-!!! description "allow WIT public IPs"
-!!! match ip address prefix-list WITV4
+!!! description "allow WIT customer IPs"
+!!! match ip address prefix-list WITv4-CUSTOMERS
 !!! !
diff --git a/files/ipsec.conf.wit b/files/ipsec.conf.wit
index fbfdf0c..553ff5a 100644
--- a/files/ipsec.conf.wit
+++ b/files/ipsec.conf.wit
@@ -27,14 +27,14 @@ conn %default
 conn loopback4
 leftsourceip=%config4
- leftsubnet=10.1.0.0/16
- rightsubnet=10.1.0.0/16
+ leftsubnet=IPSEC_IPV4_SUBNETS
+ rightsubnet=IPSEC_IPV4_SUBNETS
 right=%any4
 conn loopback6
 leftsourceip=%config6
- leftsubnet=2604:bbc0:0:100::/56
- rightsubnet=2604:bbc0:0:100::/56
+ leftsubnet=IPSEC_IPV6_SUBNETS
+ rightsubnet=IPSEC_IPV6_SUBNETS
 right=%any6
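Review bot: FABRICv4-OUT is left with a single permit clause matching `WITv4-CUSTOMERS`, and nothing in this commit shows a prefix-list of that exact name being generated (the postinst hunks define LOOPBACKv4/LOOPBACKv6, and the customers loop's list name is outside the shown hunks); as far as I recall FRR treats a match on an undefined prefix-list as no match, so if this route-map is applied outbound as its name suggests, a name mismatch leaves the fabric session advertising nothing. The casing also differs from the removed `WITV4`, which makes such a mismatch easy to miss. I would grep the generator for the exact string and add a comment above the route-map, `!!! ! prefix-list WITv4-CUSTOMERS is generated by the postinst from the N.ipv4.customers.prefixlist TXT records`. Dropping LOOPBACKv4 here while the loopback blocks move into the IPsec selectors looks intentional; if so, say so in the description string rather than leaving the reader to infer it.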
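Review bot: The placeholders are replaced by the postinst with a comma-joined list built from DNS, and when no loopback record exists the substitution yields `leftsubnet=` and `rightsubnet=` with empty values instead of the old fixed blocks; as far as I remember strongSwan then falls back to the host address for leftsubnet, which silently changes what the tunnel carries, so the generator should refuse to write the file with an empty list. A multi-entry `leftsubnet`/`rightsubnet` is only honoured with IKEv2 (IKEv1 uses the first entry), and `conn %default` is outside the hunk, so please confirm `keyexchange=ikev2` is set there. With `right=%any4` and `rightsubnet` equal to the whole loopback aggregate, any peer that authenticates can negotiate selectors for every loopback block rather than just its own address; if narrowing is expected to come from the peers, that assumption belongs in the template, e.g. `# IPSEC_IPV4_SUBNETS / IPSEC_IPV6_SUBNETS are filled in by the postinst from the loopback prefix-list TXT records; more than one subnet requires IKEv2, and peers are trusted to propose narrower selectors`.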