diff --git a/hosts b/hosts index 0de1547..f629ee7 100644 --- a/hosts +++ b/hosts @@ -29,7 +29,7 @@ gw-ah.kanzlei-kiel.netz gw-ebs.oopen.de gw-akb.akb.netz gw-ckubu.local.netz -b3.homelinux.org +gw-b3.oopen.de gw-blkr.oopen.de gw-d11.oopen.de gw-flr.oopen.de @@ -201,7 +201,7 @@ gw-123.oopen.de gw-ah.kanzlei-kiel.netz gw-ebs.oopen.de gw-akb.akb.netz -b3.homelinux.org +gw-b3.oopen.de gw-blkr.oopen.de gw-d11.oopen.de gw-flr.oopen.de @@ -993,11 +993,11 @@ b.mx.oopen.de # - GA - Gemeinschaft Altensclirf ga-st-mail.ga.netz + # --- # Warenform # --- - server16.warenform.de helden.warenform.de @@ -1024,6 +1024,10 @@ lists.mx.warenform.de k1371.dyndns.org +[caching_nameserver:children] +gateway_server + + [backup_server] # --- @@ -1459,60 +1463,24 @@ gitea.so36.net bbb.b3-bornim.netz -[gateway_server] - -# --- -# O.OPEN office network -# --- - -gw-ah.oopen.de -gw-ebs.oopen.de -gw-ak.oopen.de -gw-akb.oopen.de -gw-ckubu.local.netz -gw-irights.oopen.de -gw-km.oopen.de -gw-mbr.oopen.de -gw-opp.oopen.de -gw-spr.oopen.de - -gw-kb.oopen.de - -k1371.dyndns.org - -ga-st-gw-ersatz.ga.netz -ga-st-gw.oopen.de -ga-al-gw.oopen.de -ga-nh-gw.oopen.de - -# - readonly gateways -gw-123.oopen.de -b3.homelinux.org -gw-blkr.oopen.de -gw-d11.oopen.de -gw-flr.oopen.de -gw-replacement.local.netz -gw-replacement2.local.netz - - [gateway_server_ro] gw-123.oopen.de gw-blkr.oopen.de gw-flr.oopen.de -gw-replacement.local.netz gw-replacement2.local.netz [gateway_server_rw] gw-ah.oopen.de -b3.homelinux.org +gw-b3.oopen.de gw-d11.oopen.de gw-ebs.oopen.de gw-ak.oopen.de gw-akb.oopen.de gw-ckubu.local.netz +gw-replacement.local.netz gw-irights.oopen.de gw-km.oopen.de gw-mbr.oopen.de @@ -1529,6 +1497,15 @@ ga-al-gw.oopen.de ga-nh-gw.oopen.de +# Gateway/Firewall Server office network +# +[gateway_server:children] + +gateway_server_ro + +gateway_server_rw + + [warenform_server] diff --git a/roles/common/tasks/caching-nameserver.yml b/roles/common/tasks/caching-nameserver.yml index 7ad6b7d..8e53f1d 100644 
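Review bot: Making `gateway_server` the union of `gateway_server_ro` and `gateway_server_rw` silently drops any host that was only in the deleted flat list, and `gw-kb.oopen.de`, `k1371.dyndns.org`, `gw-opp.oopen.de`, `gw-spr.oopen.de`, `ga-st-gw.oopen.de` and `ga-st-gw-ersatz.ga.netz` are removed here without appearing in the part of `gateway_server_rw` this hunk shows (that list continues past the hunk, so they may well be there). A host that falls out of `gateway_server` also falls out of the new `caching_nameserver:children` and of the gateway branch in caching-nameserver.yml, so compare `ansible-inventory --graph gateway_server` before and after this commit. `gw-replacement.local.netz` moves from `_ro` to `_rw`, which changes it from `/ro/etc/ipt-firewall` edits to live `/etc/ipt-firewall` edits; confirm that is intended and not a copy-paste slip. The `[gateway_server:children]` definition that replaces the list is in the next hunk.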
--- a/roles/common/tasks/caching-nameserver.yml +++ b/roles/common/tasks/caching-nameserver.yml @@ -50,7 +50,7 @@ mode: '0755' -- name: (caching-nameserver.yml) update named.conf.options configuration file +- name: (caching-nameserver.yml) update named.conf.options configuration file (normal server) template: src: etc/bind/named.conf.options.j2 dest: /etc/bind/named.conf.options @@ -63,6 +63,36 @@ tags: - apt-caching-nameserver - caching-nameserver + when: + - inventory_hostname not in groups["gateway_server"] + +# -------------------- + +# In case of gateway gateway servers ONLY if bind ption file NOT exists +# +- name: Check if file '/etc/bind/named.conf.options' exists + stat: + path: /etc/bind/named.conf.options + register: file_named_conf_options + +- name: (caching-nameserver.yml) update named.conf.options configuration file (gateway server) + template: + src: etc/bind/named.conf.options.gateway.j2 + dest: /etc/bind/named.conf.options + backup: yes + owner: root + group: bind + mode: 0644 + #validate: visudo -cf %s + notify: Reload bind9 + tags: + - apt-caching-nameserver + - caching-nameserver + when: + - inventory_hostname in groups["gateway_server"] + - not file_named_conf_options.stat.exists + +# -------------------- - name: (caching-nameserver.yml) Add 127.0.0.1 as first nameserver entry to /etc/resolv.conf diff --git a/roles/common/templates/etc/bind/named.conf.options.gateway.j2 b/roles/common/templates/etc/bind/named.conf.options.gateway.j2 new file mode 100644 index 0000000..9d28786 --- /dev/null +++ b/roles/common/templates/etc/bind/named.conf.options.gateway.j2 
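Review bot: The new `stat` task carries no `tags:` while every other task in this hunk is tagged, so a run limited with `--tags caching-nameserver` skips it and the gateway template task then fails on gateway hosts with `file_named_conf_options` undefined when its second `when:` condition is evaluated; give the stat task the same `tags: [apt-caching-nameserver, caching-nameserver]` block. The gateway branch is also create-once: `when: not file_named_conf_options.stat.exists` means a host whose bind package already shipped `/etc/bind/named.conf.options` (Debian's bind9 does, if that is what the earlier install task pulls in) never receives the gateway template, later changes to that template are never pushed, and `backup: yes` can never fire because the task only runs when there is nothing to back up. Replace the commented `#validate: visudo -cf %s` with `validate: named-checkconf %s` so a broken render is never installed on a firewall host. The comment above the stat task should read `# On gateway servers render the options file ONLY if it does not exist yet` (currently "gateway gateway" and "ption").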
@@ -0,0 +1,113 @@
+# {{ ansible_managed }}
+
+acl local-net {
+ 127.0.0.0/8;
+ 172.16.0.0/12;
+ 192.168.0.0/16;
+ 10.0.0.0/8;
+ fc00::/7;
+ fe80::/10;
+ ::1/128;
+};
+
+options {
+ directory "/var/cache/bind";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ // forwarders {
+ // 0.0.0.0;
+ // };
+
+ //========================================================================
+ // If BIND logs error messages about the root key being expired,
+ // you will need to update your keys. See https://www.isc.org/bind-keys
+ //========================================================================
+ dnssec-validation auto;
+
+ auth-nxdomain no; # conform to RFC1035
+
+ // version statement - inhibited for security
+ // (avoids hacking any known weaknesses)
+ version "not currently available";
+
+ // disables all zone transfer requests
+ allow-transfer{"none";};
+
+ listen-on-v6 { none; };
+ listen-on { any; };
+
+ allow-query {
+ local-net;
+ };
+ allow-query-cache {
+ local-net;
+ };
+
+ // caching name services
+ recursion yes;
+
+ allow-recursion {
+ local-net;
+ };
+
+};
+
+logging {
+ channel simple_log {
+ file "/var/log/named/bind.log" versions 3 size 5m;
+ severity warning;
+ print-time yes;
+ print-severity yes;
+ print-category yes;
+ };
+ channel queries_log {
+ file "/var/log/named/query.log" versions 5 size 2m;
+ severity info;
+ print-time yes;
+ print-severity yes;
+ print-category no;
+ };
+ channel log_zone_transfers {
+ file "/var/log/named/axfr.log" versions 5 size 2m;
+ severity info;
+ print-time yes;
+ print-severity yes;
+ print-category yes;
+ };
+ channel dnssec_log {
+ file 
"/var/log/named/dnssec.log" versions 5 size 2m; + severity debug 3; + print-time yes; + print-severity yes; + print-category yes; + }; + category resolver { + queries_log; + }; + category queries { + queries_log; + }; + category xfer-in { + log_zone_transfers; + }; + category xfer-out { + log_zone_transfers; + }; + category notify { + log_zone_transfers; + }; + category dnssec { + dnssec_log; + }; + category default{ + simple_log; + }; +}; diff --git a/roles/firewall/tasks/ipt-gateway.yml b/roles/firewall/tasks/ipt-gateway.yml index ba249c2..8fa723a 100644 --- a/roles/firewall/tasks/ipt-gateway.yml +++ b/roles/firewall/tasks/ipt-gateway.yml @@ -203,6 +203,9 @@ - load_modules_ipv6.conf - logging_ipv4.conf - logging_ipv6.conf + - default_basic_behavior.conf + - default_ipv4.conf + - default_ipv6.conf - default_ports.conf - post_decalrations.conf register: diff_output @@ -215,6 +218,9 @@ - load_modules_ipv6.conf - logging_ipv4.conf - logging_ipv6.conf + - default_basic_behavior.conf + - default_ipv4.conf + - default_ipv6.conf - default_ports.conf - post_decalrations.conf when: diff --git a/roles/modify-ipt-gateway-ro/tasks/main.yml b/roles/modify-ipt-gateway-ro/tasks/main.yml index 4fc3cba..d2b3c5e 100644 --- a/roles/modify-ipt-gateway-ro/tasks/main.yml +++ b/roles/modify-ipt-gateway-ro/tasks/main.yml 
@@ -88,6 +88,26 @@ notify: - Restart IPv6 Firewall +- name: addjust line 'bigbluebutton_udp_ports' (IPv4) + lineinfile: + path: /ro/etc/ipt-firewall/main_ipv4.conf + regexp: '^bigbluebutton_udp_ports=' + line: 'bigbluebutton_udp_ports="$standard_bigbluebutton_udp_ports"' + when: + - main_ipv4_exists.stat.exists + notify: + - Restart IPv4 Firewall + +- name: addjust line 'bigbluebutton_udp_ports' (IPv6) + lineinfile: + path: /ro/etc/ipt-firewall/main_ipv6.conf + regexp: '^bigbluebutton_udp_ports=' + line: 'bigbluebutton_udp_ports="$standard_bigbluebutton_udp_ports"' + when: + - main_ipv6_exists.stat.exists + notify: + - Restart IPv6 Firewall + # --- # Allow local services from ALL extern netwoks diff --git a/roles/modify-ipt-gateway/tasks/main.yml b/roles/modify-ipt-gateway/tasks/main.yml index baa0e3f..c7b1545 100644 --- a/roles/modify-ipt-gateway/tasks/main.yml +++ b/roles/modify-ipt-gateway/tasks/main.yml @@ -54,7 +54,7 @@ lineinfile: path: /etc/ipt-firewall/main_ipv6.conf regexp: '^zoom_udp_ports=' - line: 'zoom_udp_ports="$"standard_zoom_udp_ports' + line: 'zoom_udp_ports="$standard_zoom_udp_ports"' when: - main_ipv6_exists.stat.exists notify: 
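Review bot: `lineinfile` with `regexp: '^bigbluebutton_udp_ports='` appends the line at end of file when no such line exists yet, so on a `/ro/etc/ipt-firewall/main_ipv4.conf` (or `main_ipv6.conf`) that predates the BBB variable the assignment lands after whatever currently ends the file; if that is acceptable say so in a comment, otherwise add `insertafter: '^jitsi_udp_ports='` (if that line is present in these files) so the new variable sits with its siblings. The line references `$standard_bigbluebutton_udp_ports`, which has to be defined in a file the firewall script sources before `main_ipv4.conf`, presumably `default_ports.conf` from roles/firewall; that definition is not part of this diff, so verify it exists on the read-only gateways too. The tasks edit files under `/ro/` but notify the same `Restart IPv4 Firewall`/`Restart IPv6 Firewall` handlers as the live-root role; confirm the restart reads the edited overlay rather than a stale copy. The enclosing task file continues before and after this hunk.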
@@ -74,7 +74,27 @@ lineinfile: path: /etc/ipt-firewall/main_ipv6.conf regexp: '^jitsi_udp_ports=' - line: 'jitsi_udp_ports="$"standard_jitsi_udp_ports' + line: 'jitsi_udp_ports="$standard_jitsi_udp_ports"' + when: + - main_ipv6_exists.stat.exists + notify: + - Restart IPv6 Firewall + +- name: addjust line 'bigbluebutton_udp_ports' (IPv4) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^bigbluebutton_udp_ports=' + line: 'bigbluebutton_udp_ports="$standard_bigbluebutton_udp_ports"' + when: + - main_ipv4_exists.stat.exists + notify: + - Restart IPv4 Firewall + +- name: addjust line 'bigbluebutton_udp_ports' (IPv6) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^bigbluebutton_udp_ports=' + line: 'bigbluebutton_udp_ports="$standard_bigbluebutton_udp_ports"' when: - main_ipv6_exists.stat.exists notify:
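Review bot: The quoting fix `'jitsi_udp_ports="$standard_jitsi_udp_ports"'` here (and the zoom one in the hunk above) is applied only to the IPv6 tasks; the IPv4 zoom and jitsi tasks are outside this diff, and if they still carry the `"$"standard_..._udp_ports` form the shell assigns the literal string `$standard_..._udp_ports` instead of the port list, so please check them. The new bigbluebutton tasks are the fourth copy of an identical `lineinfile` stanza differing only in the variable prefix; one task looping over the service names keeps the quoting right in a single place and makes the next service a one-line addition. The `- name:` header of the jitsi task starts before this hunk.
```yaml
- name: adjust '<service>_udp_ports' lines (IPv6)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    regexp: '^{{ item }}_udp_ports='
    line: '{{ item }}_udp_ports="$standard_{{ item }}_udp_ports"'
  loop:
    - zoom
    - jitsi
    - bigbluebutton
  when:
    - main_ipv6_exists.stat.exists
  notify:
    - Restart IPv6 Firewall
```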