diff --git a/README b/README
index 7544db7..2c60c4f 100644
--- a/README
+++ b/README
@@ -10,7 +10,7 @@ offers ansible playbooks and instructions for the following machines: - set up as gateway to some external network (WAN) - providing TFTP installation on the LAN interface - automatic installs: preseeding and ansible playbooks - - squid package cache + - package cache use case: orchestration of automatic installs in the LAN • Kiosk:
diff --git a/installbox.yml b/installbox.yml
index fac5ea7..56cc456 100644
--- a/installbox.yml
+++ b/installbox.yml
@@ -6,33 +6,37 @@
   remote_user: ansible
   become: yes
   vars:
-    if_lan: "" # ← interface name here, like: ens3 or enp2s0"
+    ## this interface provides the default route:
     if_wan: "{{ ansible_default_ipv4.interface }}"
-    hostname: "{{ ansible_hostname }}" # change this to not use the DNS-provided name
+    ## use the first remaining interface for the LAN:
+    if_lan: "{{ ansible_interfaces | difference([if_wan, 'lo']) | first}}"
+    ## change this to not use the DNS-provided name:
+    hostname: "{{ ansible_hostname }}"
     ipaddr_lan: 192.168.0.10
     dhcp_range: 192.168.0.50,192.168.0.150,2h
     dhcp_list: "{{ lookup('sequence', 'start=50 end=150 format=192.168.0.%d', wantlist=True) }}"
     tftp_root: "/var/lib/tftpboot"
-    deb_mirror: "cdn-fastly.deb.debian.org" # SRV records ("deb.debian.org") do not work with squid
+    deb_mirror: "deb.debian.org"
     di_dist: "buster"
     di_version: "10"
     di_pkg: "debian-installer-{{ di_version }}-netboot-amd64"
     ansible_user: ansible
     repo_dir: "/home/{{ ansible_user }}/kiosk"
+    ansible_python_interpreter: "/usr/bin/python3" # needed for firewalld module
 
   pre_tasks:
-    - name: validate if interface is available
+    - name: validate if interfaces are available
       fail:
-        msg: "Interface {{ if_lan }} does not exist or is already used."
-      when: if_lan not in ansible_interfaces or if_lan == if_wan
+        msg: "Interfaces {{ ansible_interfaces }} found. WAN: '{{ if_wan }}', LAN: '{{ if_lan }}'. Two NICs needed."
+      when: if_lan not in ansible_interfaces or if_wan not in ansible_interfaces or if_lan == if_wan
 
   roles:
     - up2date-debian
-    - two-interface-shorewall
+    - two-interface-firewalld
     - dhcp-dns-dnsmasq
-    - transparent-squid
     - tftp-netboot-installer
     - preseed-installer
+    - apt-cacher
     - installbox2kiosk
 
   post_tasks:
diff --git a/roles/apt-cacher/files/apt.conf b/roles/apt-cacher/files/apt.conf
new file mode 100644
index 0000000..d5e98b3
--- /dev/null
+++ b/roles/apt-cacher/files/apt.conf
@@ -0,0 +1 @@
+Acquire::http::Proxy "http://localhost:3142";
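Review bot: The new `if_lan` default, `"{{ ansible_interfaces | difference([if_wan, 'lo']) | first}}"`, raises a templating error on a host with a single NIC, because `first` on an empty list fails, so the 'validate if interfaces are available' pre_task written for exactly that case is never reached. Appending a fallback element keeps the validation path working: `if_lan: "{{ (ansible_interfaces | difference([if_wan, 'lo']) + ['']) | first }}"` yields an empty `if_lan`, and the task's `when:` then fails with the intended message. The order of `ansible_interfaces` is also not something the playbook controls, so on a host with more than two interfaces (bridges, tunnels and the like) the interface that receives the static LAN address and the firewalld `internal` zone may not be the intended one; a comment above the line saying that `if_lan` should be set explicitly on such hosts would help.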
diff --git a/roles/apt-cacher/handlers/main.yml b/roles/apt-cacher/handlers/main.yml
new file mode 100644
index 0000000..2d70698
--- /dev/null
+++ b/roles/apt-cacher/handlers/main.yml
@@ -0,0 +1,3 @@
+- name: start apt-cacher-ng
+  service: name=apt-cacher-ng state=started enabled=yes
+  listen: "start apt-cacher-ng"
diff --git a/roles/apt-cacher/tasks/main.yml b/roles/apt-cacher/tasks/main.yml
new file mode 100644
index 0000000..c54a3a9
--- /dev/null
+++ b/roles/apt-cacher/tasks/main.yml
@@ -0,0 +1,13 @@
+- name: install apt-cacher-ng package
+  apt:
+    name: apt-cacher-ng
+    state: latest
+
+- name: enable apt-cacher-ng for localhost
+  copy:
+    src: apt.conf
+    dest: /etc/apt/apt.conf
+    backup: yes
+  notify: "start apt-cacher-ng"
+
+- meta: flush_handlers
diff --git a/roles/dhcp-dns-dnsmasq/tasks/main.yml b/roles/dhcp-dns-dnsmasq/tasks/main.yml
index 9d553f7..0a0997a 100644
--- a/roles/dhcp-dns-dnsmasq/tasks/main.yml
+++ b/roles/dhcp-dns-dnsmasq/tasks/main.yml
@@ -12,6 +12,6 @@
 - name: configure dnsmasq
   template:
-    src: dnsmasq-transparent-proxy.j2
-    dest: /etc/dnsmasq.d/transparent-proxy
+    src: dnsmasq-dhcp.j2
+    dest: /etc/dnsmasq.d/dnsmasq-dhcp
   notify: "restart dnsmasq"
 
diff --git a/roles/dhcp-dns-dnsmasq/templates/dnsmasq-transparent-proxy.j2 b/roles/dhcp-dns-dnsmasq/templates/dnsmasq-dhcp.j2
similarity index 100%
rename from roles/dhcp-dns-dnsmasq/templates/dnsmasq-transparent-proxy.j2
rename to roles/dhcp-dns-dnsmasq/templates/dnsmasq-dhcp.j2
diff --git a/roles/preseed-installer/tasks/main.yml b/roles/preseed-installer/tasks/main.yml
index 3a37138..8435208 100644
--- a/roles/preseed-installer/tasks/main.yml
+++ b/roles/preseed-installer/tasks/main.yml
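Review bot: `dest: /etc/apt/apt.conf` in 'enable apt-cacher-ng for localhost' replaces the host's main apt configuration with the one-line proxy setting, so anything previously configured there is lost (`backup: yes` keeps a copy, but nothing restores it). apt reads fragments from `/etc/apt/apt.conf.d/`, so a drop-in such as `dest: /etc/apt/apt.conf.d/02proxy` (file name is an example) adds the proxy without touching the main file. `state: latest` in the install task also upgrades the package on every run; `state: present` is the usual choice for a role that should be idempotent.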
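Review bot: The 'configure dnsmasq' task now writes `/etc/dnsmasq.d/dnsmasq-dhcp`, but nothing removes the previously deployed `/etc/dnsmasq.d/transparent-proxy`, so a host provisioned by the old playbook keeps both fragments and dnsmasq loads both. A preceding task `- name: remove old transparent-proxy config` with `file:` → `path: /etc/dnsmasq.d/transparent-proxy` / `state: absent` and the same `notify: "restart dnsmasq"` cleans it up; the removed `transparent-squid` role may leave similar remnants, which this diff does not show.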
@@ -9,11 +9,17 @@
     dest: "{{ tftp_root }}/d-i/{{ di_dist }}"
     force: no
 
+- name: enable apt-cacher-ng for install-clients
+  replace:
+    dest: "{{ tftp_root }}/d-i/{{ di_dist }}/preseed.cfg"
+    regexp: '^(d-i mirror/http/proxy string.*)$'
+    replace: 'd-i mirror/http/proxy string http://{{ hostname }}:3142/'
+
 - name: make the hostname resolvable from the LAN
-  lineinfile:
+  replace:
     path: /etc/hosts
-    insertafter: '^127.0.1.1'
-    line: '{{ ipaddr_lan }} {{ hostname }}'
+    regexp: '^(127\.0\.1\.1.*)$'
+    replace: '#\1\n{{ ipaddr_lan }} {{ hostname }}'
 
 - name: add auto pxe boot entry to di-netboot-assistant
   blockinfile:
@@ -22,12 +28,12 @@
     block: |
       TIMEOUT 100
       LABEL autoinstall
-        MENU LABEL Debian {{ di_version }} (amd64) + preseed
+        MENU LABEL Debian {{ di_version }} (amd64) + preseed + kiosk.yml
         kernel ::/d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/linux
         append initrd=::/d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/initrd.gz auto=true priority=critical url=tftp://{{ hostname }} playbook=kiosk.yml ---
 
       #LABEL daily
-        #MENU LABEL Debian daily (amd64) + preseed
+        #MENU LABEL Debian daily (amd64) + preseed + kiosk.yml
         #kernel ::/d-i/n-a/daily/amd64/linux
         #append initrd=::/d-i/n-a/daily/amd64/initrd.gz auto=true priority=critical url=tftp://{{ hostname }} playbook=kiosk.yml ---
   notify: "rebuild di-netboot-assistant menu"
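Review bot: The 'enable apt-cacher-ng for install-clients' task only rewrites an existing `d-i mirror/http/proxy string` line; if the preseed.cfg placed under `{{ tftp_root }}/d-i/{{ di_dist }}` contains no such line (its content is not visible in this diff), `replace` matches nothing, reports ok, and install clients quietly fetch straight from `deb_mirror` instead of through the cache. `lineinfile` with the same `regexp` and `line: 'd-i mirror/http/proxy string http://{{ hostname }}:3142/'` sets the value whether or not the line already exists. The task also addresses the file with the `dest` alias while the /etc/hosts task right below uses `path`; one spelling throughout reads better. The task whose `dest:`/`force:` lines open the hunk begins outside it.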
@@ -37,12 +43,12 @@
     dest: /etc/di-netboot-assistant/grub.cfg.HEAD
     insertbefore: EOF
     block: |
-      menuentry 'Debian {{ di_version }} (amd64) + preseed' {
+      menuentry 'Debian {{ di_version }} (amd64) + preseed + kiosk.yml' {
         linux /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/linux auto=true priority=critical url=tftp://{{ hostname }} playbook=kiosk.yml ---
         initrd /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/initrd.gz
       }
 
-      #menuentry 'Debian daily (amd64) + preseed' {
+      #menuentry 'Debian daily (amd64) + preseed + kiosk.yml' {
       # linux /d-i/n-a/daily/amd64/linux auto=true priority=critical url=tftp://{{ hostname }} playbook=kiosk.yml ---
       # initrd /d-i/n-a/daily/amd64/initrd.gz
       #}
diff --git a/roles/two-interface-firewalld/handlers/main.yml b/roles/two-interface-firewalld/handlers/main.yml
new file mode 100644
index 0000000..51bb215
--- /dev/null
+++ b/roles/two-interface-firewalld/handlers/main.yml
@@ -0,0 +1,9 @@
+- name: restart networking
+  systemd: name=networking state=restarted enabled=yes
+  listen: restart networking
+  when: not run_in_installer|default(false)|bool
+
+- name: start firewalld
+  systemd: name=firewalld state=started enabled=yes
+  listen: "start firewalld"
+  when: not run_in_installer|default(false)|bool
diff --git a/roles/two-interface-firewalld/tasks/main.yml b/roles/two-interface-firewalld/tasks/main.yml
new file mode 100644
index 0000000..4df3564
--- /dev/null
+++ b/roles/two-interface-firewalld/tasks/main.yml
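Review bot: The 'restart networking' handler restarts the whole `networking` unit, which with ifupdown takes every configured interface down and up again, including `if_wan` that carries the Ansible SSH session, so the play can lose its connection at the `flush_handlers` that follows in the tasks file. Since the new `interfaces.d/static` fragment only adds `if_lan`, bringing up just that interface (an `ifdown`/`ifup` of `{{ if_lan }}` in a `command`/`shell` task with the same `listen` and `when`) avoids touching the uplink; whether this is safe depends on how the rest of the host's interfaces are managed, which is not visible here. Both handlers also pass module arguments as `key=value` strings; block YAML (`systemd:` with `name:`, `state:`, `enabled:` keys) is the usual Ansible style and matches the firewalld tasks in the same role.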
@@ -0,0 +1,69 @@
+- name: add if_lan with static address
+  template:
+    src: interfaces-static.j2
+    dest: /etc/network/interfaces.d/static
+  notify: "restart networking"
+
+- name: install firewalld package
+  apt: name=firewalld state=latest
+  notify: "start firewalld"
+
+- meta: flush_handlers
+
+
+## Do not run the following in the installer:
+
+- name: add WAN interface to zone public
+  firewalld:
+    zone: public
+    interface: "{{ if_wan }}"
+    permanent: yes
+    state: enabled
+  when: not run_in_installer|default(false)|bool
+
+- name: enable masquerading
+  firewalld:
+    zone: public
+    masquerade: yes
+    permanent: yes
+    state: enabled
+  when: not run_in_installer|default(false)|bool
+
+- name: add LAN interface to zone intern
+  firewalld:
+    zone: internal
+    interface: "{{ if_lan }}"
+    permanent: yes
+    state: enabled
+  when: not run_in_installer|default(false)|bool
+
+- name: enable services
+  firewalld:
+    zone: internal
+    service: "{{ item }}"
+    permanent: yes
+    state: enabled
+  with_items:
+    - dhcp
+    - dns
+    - tftp
+    - git
+  when: not run_in_installer|default(false)|bool
+
+## Use firewall-offline-cmd when run during installation:
+
+- name: add WAN interface to zone public
+  command: "firewall-offline-cmd --zone=public --add-interface={{ if_wan }}"
+  when: run_in_installer|default(false)|bool
+
+- name: enable masquerading
+  command: "firewall-offline-cmd --zone=public --add-masquerade"
+  when: run_in_installer|default(false)|bool
+
+- name: add LAN interface to zone intern
+  command: "firewall-offline-cmd --zone=internal --add-interface={{ if_lan }}"
+  when: run_in_installer|default(false)|bool
+
+- name: enable services
+  command: "firewall-offline-cmd --zone=internal --add-service=dhcp --add-service=dns --add-service=tftp --add-service=git"
+  when: run_in_installer|default(false)|bool
diff --git a/roles/two-interface-firewalld/templates/interfaces-static.j2 b/roles/two-interface-firewalld/templates/interfaces-static.j2
new file mode 100644
index 0000000..c9fe71c
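Review bot: All four `firewalld:` tasks set `permanent: yes` without `immediate: yes`, so on a host where firewalld is already running (the `flush_handlers` two tasks earlier starts it) the zone assignments, masquerading and service openings land only in the permanent configuration and take effect at the next firewalld reload or reboot, not during this play. Independently, the `internal` zone opens dhcp, dns, tftp and git but not the apt-cacher-ng port 3142/tcp that the preseed role now hands to install clients, so with the firewall active the cache is unreachable from the LAN; the firewall-offline-cmd branch at the end of the file has the same gap. Adding `immediate: yes` to each firewalld task and a port entry in both branches closes both; the sketch below shows one task and the additions.
```yaml
- name: add LAN interface to zone intern
  firewalld:
    zone: internal
    interface: "{{ if_lan }}"
    permanent: yes
    immediate: yes
    state: enabled
  when: not run_in_installer|default(false)|bool

# … unchanged: the other firewalld tasks, each with immediate: yes added …

- name: open apt-cacher-ng port for install clients
  firewalld:
    zone: internal
    port: 3142/tcp
    permanent: yes
    immediate: yes
    state: enabled
  when: not run_in_installer|default(false)|bool

# … unchanged: firewall-offline-cmd tasks …

- name: open apt-cacher-ng port for install clients (installer)
  command: "firewall-offline-cmd --zone=internal --add-port=3142/tcp"
  when: run_in_installer|default(false)|bool
```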
--- /dev/null
+++ b/roles/two-interface-firewalld/templates/interfaces-static.j2
@@ -0,0 +1,4 @@
+auto {{ if_lan }}
+allow-hotplug {{ if_lan }}
+iface {{ if_lan }} inet static
+  address {{ ipaddr_lan }}/24
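Review bot: `address {{ ipaddr_lan }}/24` hard-codes the prefix length while `ipaddr_lan`, `dhcp_range` and `dhcp_list` in installbox.yml are variables that all assume the same 192.168.0.0/24 network; moving `ipaddr_lan` to another subnet without remembering this template leaves the interface configured for the wrong network. A comment in the template such as `# prefix length must match the network used by dhcp_range in installbox.yml`, or a `prefix_lan` variable defined next to `ipaddr_lan` and used here, keeps the values in step.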