diff --git a/group_vars/dnagw.yml b/group_vars/dnagw.yml
index e533ff6..d6f1446 100644
--- a/group_vars/dnagw.yml
+++ b/group_vars/dnagw.yml
@@ -45,7 +45,10 @@ unbound_zones:
 - home.foo.sh
 
 # use custom firewall config
-firewall_src: pf.conf.gw_home
+firewall_src: pf.conf.gw_home.j2
+
+# unbound config
+unbound_config: unbound.conf.dna.j2
 
 # ifstated config
 ifstated_config: ifstated-dna.conf.j2
diff --git a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2
deleted file mode 100644
index afac857..0000000
--- a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2
+++ /dev/null
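Review bot: The new `unbound_config: unbound.conf.dna.j2` key selects a template that, in the access-control hunk of the renamed `unbound.conf.dna.j2` and in its interface hunk, reads `intnet_prefix` and `intnet_netmask`, yet neither variable is set in this group_vars hunk; unless they are defined elsewhere in group or host vars, every dnagw host will fail at render time with an undefined-variable error. Since this file is where the group's template selection lives, the contract is worth recording next to the key, e.g. `# unbound config (template requires intnet_prefix, e.g. "172.20.20", and intnet_netmask)`. The `firewall_src` value now ends in `.j2`, which presumably means the consuming task switched from copy to template; that task is outside this diff, so I cannot confirm both sides were changed together.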
@@ -1,49 +0,0 @@
-server:
- # https://nlnetlabs.nl/documentation/unbound/howto-optimise/
- num-threads: {{ ansible_processor_cores }}
- msg-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }}
- rrset-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }}
- infra-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }}
- key-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }}
-
- outgoing-range: {{ ( 1024 / ansible_processor_cores | int - 50 ) | int }}
-
- interface: 172.20.20.10@53
- interface: 172.20.20.10@853
- interface: 172.20.20.11@53
- interface: 172.20.20.11@853
- interface: 172.20.20.12@53
- interface: 172.20.20.12@853
- interface: 172.20.21.2@53
-
- tls-service-key: {{ tls_private }}/dns.home.foo.sh.key
- tls-service-pem: {{ tls_certs }}/dns.home.foo.sh.crt
- tls-cert-bundle: {{ tls_bundle }}
-
- access-control: 127.0.0.0/8 allow
- access-control: ::1 allow
- access-control: 172.20.20.0/22 allow
-
- extended-statistics: yes
-
- hide-identity: yes
- hide-version: yes
-
- prefetch: yes
- unblock-lan-zones: yes
-
-remote-control:
- control-enable: yes
- control-interface: /var/run/unbound.sock
-
-forward-zone:
- name: "."
- forward-tls-upstream: yes
- forward-addr: 8.8.8.8@853#dns.google
- forward-addr: 8.8.4.4@853#dns.google
-
-{% for zone in unbound_zones %}
-auth-zone:
- name: "{{ zone }}"
- zonefile: "{{ unbound_zonedir }}/{{ zone }}"
-{% endfor %}
diff --git a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna.j2
similarity index 75%
rename from roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2
rename to roles/unbound/templates/unbound.conf.dna.j2
index 8e3a7b5..335da99 100644
--- a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2
+++ b/roles/unbound/templates/unbound.conf.dna.j2
@@ -8,13 +8,12 @@ server:
 
 outgoing-range: {{ ( 1024 / ansible_processor_cores | int - 50 ) | int }}
 
- interface: 172.20.20.10@53
- interface: 172.20.20.10@853
- interface: 172.20.20.11@53
- interface: 172.20.20.11@853
- interface: 172.20.20.12@53
- interface: 172.20.20.12@853
- interface: 172.20.21.1@53
+ interface: {{ intnet_prefix }}.10@53
+ interface: {{ intnet_prefix }}.10@853
+ interface: {{ intnet_prefix }}.11@53
+ interface: {{ intnet_prefix }}.11@853
+ interface: {{ intnet_prefix }}.12@53
+ interface: {{ intnet_prefix }}.12@853
 
 tls-service-key: {{ tls_private }}/dns.home.foo.sh.key
 tls-service-pem: {{ tls_certs }}/dns.home.foo.sh.crt
@@ -22,9 +21,10 @@ server:
 
 access-control: 127.0.0.0/8 allow
 access-control: ::1 allow
- access-control: 172.20.20.0/22 allow
+ access-control: {{ intnet_prefix }}.0/{{ (intnet_prefix + '.0/' + intnet_netmask) | ansible.utils.ipaddr('prefix') }} allow
 
 extended-statistics: yes
+ verbosity: 1
 
 hide-identity: yes
 hide-version: yes
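Review bot: The unified interface list drops the per-host listener each old file had on the other subnet — `interface: 172.20.21.1@53` is removed in this hunk and `172.20.21.2@53` goes with the deleted gw02 template — and nothing on the new side replaces it, so any client that resolved via those addresses silently loses DNS. If the intent is to stop serving on that network (a smaller listening surface is a reasonable goal), the narrowing should be recorded, e.g. `# listeners: only the shared {{ intnet_prefix }}.10-12 addresses; the 172.20.21.x per-host addresses are intentionally not served`; if not, the address needs a host-specific variable rather than being lost in the merge. Note also that the old `access-control: 172.20.20.0/22` covered 172.20.21.x, so the allow list still admits that network while no listener is bound there — harmless, but worth keeping consistent with whichever decision is made. The `server:` block this hunk sits in starts before the hunk.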
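Review bot: The new access-control line assembles the netblock as `{{ intnet_prefix }}.0/<prefix>`, which is only a valid network address when `intnet_prefix.0` lies on the boundary of `intnet_netmask` — the old literal `172.20.20.0/22` did, but a prefix such as `172.20.21` with a /22 mask would not, and the allow rule would then cover a different range than intended. Letting the filter compute both halves removes that dependency on how the variable is spelled: `access-control: {{ (intnet_prefix + '.0/' + intnet_netmask) | ansible.utils.ipaddr('network/prefix') }} allow`. `ansible.utils.ipaddr` also requires the `ansible.utils` collection and the `netaddr` Python package on the controller, which this diff does not declare; if the project has a requirements file it should list them. The added `verbosity: 1` is an unrelated logging change riding on the templating refactor and is easier to audit as its own commit.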