diff --git a/roles/dhcpd/templates/dhcpd.conf.j2 b/roles/dhcpd/templates/dhcpd.conf.j2 index 3a0bc58..3f48b10 100644 --- a/roles/dhcpd/templates/dhcpd.conf.j2 +++ b/roles/dhcpd/templates/dhcpd.conf.j2 @@ -2,6 +2,28 @@ authoritative; ddns-update-style none; +{% if network_interfaces[0].vlan == 30 %} +# failover config +{% for host in groups['dnagw_' + intdomain.split('.')[0]] %} +{% if host != inventory_hostname %} +failover peer "failover-peer" { +{% if inventory_hostname.split('.')[0][-2:] | int % 2 == 0 %} + secondary; +{% else %} + primary; + mclt 3600; + split 128; +{% endif %} + address {{ inventory_hostname }}; + peer address {{ host }}; + max-response-delay 60; + max-unacked-updates 10; + load balance max seconds 3; +} +{% endif %} +{% endfor %} + +{% endif %} # custom options option arch code 93 = unsigned integer 16; @@ -47,7 +69,14 @@ subnet {{ intnet | ansible.utils.ipaddr('network') }} netmask {{ intnet | ansibl use-host-decl-names on; {% if network_interfaces[0].vlan == 30 %} - range {{ intnet | ansible.utils.ipaddr(100) | ansible.utils.ipaddr('address') }} {{ intnet | ansible.utils.ipaddr(200) | ansible.utils.ipaddr('address') }}; + pool { +{% for host in groups['dnagw_' + intdomain.split('.')[0]] %} +{% if host != inventory_hostname %} + failover peer "failover-peer"; +{% endif %} +{% endfor %} + range {{ intnet | ansible.utils.ipaddr(100) | ansible.utils.ipaddr('address') }} {{ intnet | ansible.utils.ipaddr(200) | ansible.utils.ipaddr('address') }}; + } {% endif %} } diff --git a/roles/pf/templates/pf.conf.gw_dna.j2 b/roles/pf/templates/pf.conf.gw_dna.j2 index bae9ee8..b4cc151 100644 --- a/roles/pf/templates/pf.conf.gw_dna.j2 +++ b/roles/pf/templates/pf.conf.gw_dna.j2 
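Review bot: The primary/secondary role in the new `failover peer "failover-peer"` block is taken from the parity of the last two characters of the short hostname, so two gateways whose numbers share parity (or a hostname whose suffix is not numeric, where `| int` yields 0) both render the same role and dhcpd will not form a pair, and because the block is emitted once per other member of `groups['dnagw_...']` a group with more than two hosts produces duplicate `failover peer` declarations with the same name. A role that does not depend on naming would be to order the group, e.g. `{% set peers = groups['dnagw_' + intdomain.split('.')[0]] | sort %}` and `{% if peers[0] == inventory_hostname %} primary; mclt 3600; split 128; {% else %} secondary; {% endif %}`, with an `assert` in the playbook that the group has exactly two members. Also `address {{ inventory_hostname }}` / `peer address {{ host }}` are hostnames that dhcpd resolves at startup, while the pf rule added in this commit admits the peer by `hostvars[host]['network_interfaces'][0].ipaddr`; using that same value here (`peer address {{ hostvars[host]['network_interfaces'][0].ipaddr }};`, `address {{ network_interfaces[0].ipaddr }};`) keeps the firewall and dhcpd's peer-address check on one identity. As far as the ISC implementation goes the failover channel carries no authentication of its own, so the peer address plus the firewall rule are the only access control on TCP 647 and deserve a comment saying so.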
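Review bot: The `failover peer "failover-peer";` statement inside the new `pool` is produced by the same per-host loop as the peer definition in the first hunk, so with one host in the group the pool silently has no failover, and with three or more it carries the statement repeatedly; computing a single flag once, e.g. `{% set has_peer = groups['dnagw_' + intdomain.split('.')[0]] | length > 1 %}`, and using it in both places would keep the two hunks from drifting apart. The enclosing `subnet` declaration begins outside the hunk. A one-line comment above `pool {` such as `# range lives in a pool because dhcpd only binds a failover peer at pool level` would record why the range moved.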
@@ -50,6 +50,11 @@ pass in quick on $ext_if proto tcp from {{ gw_lan_ip }}/32 to self port ssh pass in quick on $int_if proto tcp from $int_net to self port 9100 pass in quick on $int_if proto tcp from $int_net to self port 9167 +# allow dhcpd failover +{% for host in groups['dnagw_' + intdomain.split('.')[0]] %} +pass in quick on $int_if proto tcp from {{ hostvars[host]['network_interfaces'][0].ipaddr }} to self port 647 +{% endfor %} + # allow dns queries from internal net pass in quick on $int_if proto { tcp, udp } from $int_net to self port domain pass in quick on $int_if proto tcp from $int_net to self port domain-s @@ -71,6 +76,11 @@ pass out quick on $int_if from self to any # allow traffic from outside pass out quick on $int_if from any to $int_net +{% if intdomain == 'iot.foo.sh' %} +# block ip's 50-100 from iot network +block in quick on $int_if from 172.20.27.192/26 to !$int_net + +{% endif %} # allow communication from internal to world pass in quick on $int_if from $int_net to !$int_net
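Review bot: The new `pass in quick on $int_if proto tcp ... port 647` loop iterates over every member of `groups['dnagw_...']`, including the rendering host itself, whereas the dhcpd template skips `inventory_hostname`; wrapping the rule in `{% if host != inventory_hostname %}` keeps the opening limited to the actual failover peer. Because the dhcpd failover channel has no authentication of its own (as far as the ISC implementation goes), this source-address rule is the main guard on TCP 647, so the loop deserves a comment saying that and the address should be exactly what the peer connects from. If `network_interfaces[0].ipaddr` is ever stored in CIDR form in the inventory, the rule would widen to the whole prefix; passing it through `| ansible.utils.ipaddr('address')`, as the dhcpd template does for `intnet`, guards against that.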
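Review bot: The comment `# block ip's 50-100 from iot network` does not match the rule under it: `172.20.27.192/26` covers .192–.255, not .50–.100, so either the comment or the prefix is wrong, and it is the only hard-coded address in a template that otherwise derives everything from `$int_net`/`intnet`. Whichever is intended, move the value into inventory, e.g. `block in log quick on $int_if from {{ iot_egress_block_net }} to !$int_net`, and fix the comment to name the real range; the `log` keyword makes blocked egress attempts from IoT devices visible for detection. If `intnet` for this domain is the /24 containing that prefix, note that .192–.200 overlaps the DHCP range (`ipaddr(100)`–`ipaddr(200)`) added in the dhcpd hunk, so some leased devices would be cut off from the outside — worth confirming against the inventory.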