diff --git a/infra/mno-template/openshift/50-restricted-forwarding-control.yaml b/infra/mno-template/openshift/50-restricted-forwarding-control.yaml
deleted file mode 100644
index 4abf732..0000000
--- a/infra/mno-template/openshift/50-restricted-forwarding-control.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
- labels:
- machineconfiguration.openshift.io/role: master
- name: 99-worker-enable-restricted-forwarding-controlplane
-spec:
- config:
- ignition:
- version: 3.2.0
- storage:
- files:
- - contents:
- source: data:text/plain;charset=utf-8;base64,bmV0LmlwdjQuY29uZi5ib25kMC8xMS5mb3J3YXJkaW5nID0gMQpuZXQuaXB2NC5jb25mLmJvbmQwLzEyLmZvcndhcmRpbmcgPSAxCg==
- filesystem: root
- mode: 0420
- path: /etc/sysctl.d/restricted-forwarding.conf
- systemd:
- units:
- - contents: |
- [Unit]
- After=network.target
- [Service]
- Type=oneshot
- ExecStart=iptables -P FORWARD DROP
- [Install]
- WantedBy=multi-user.target
- enabled: true
- name: one-shot-forward-drop.service
diff --git a/infra/mno-template/openshift/50-restricted-forwarding.yaml b/infra/mno-template/openshift/50-restricted-forwarding.yaml
deleted file mode 100644
index 8e99850..0000000
--- a/infra/mno-template/openshift/50-restricted-forwarding.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
- labels:
- machineconfiguration.openshift.io/role: worker
- name: 99-worker-enable-restricted-forwarding
-spec:
- config:
- ignition:
- version: 3.2.0
- storage:
- files:
- - contents:
- source: data:text/plain;charset=utf-8;base64,bmV0LmlwdjQuY29uZi5ib25kMC8xMS5mb3J3YXJkaW5nID0gMQpuZXQuaXB2NC5jb25mLmJvbmQwLzEyLmZvcndhcmRpbmcgPSAxCg==
- filesystem: root
- mode: 0420
- path: /etc/sysctl.d/restricted-forwarding.conf
- systemd:
- units:
- - contents: |
- [Unit]
- After=network.target
- [Service]
- Type=oneshot
- ExecStart=iptables -P FORWARD DROP
- [Install]
- WantedBy=multi-user.target
- enabled: true
- name: one-shot-forward-drop.service
diff --git a/pkg/run-ipforwarding.go b/pkg/run-ipforwarding.go
index 81cff3c..683320b 100644
--- a/pkg/run-ipforwarding.go
+++ b/pkg/run-ipforwarding.go
@@ -37,9 +37,9 @@ tmux send-keys -t Good.1 "tcpdump -i any -nnn port 2311" C-m
 tmux send-keys -t Good.0 "curl http://5.5.5.1:5555/hostname --local-port 2311" C-m
 tmux new-window -n Nodes; tmux split-window -h -t Nodes; tmux split-window -h -t Nodes; tmux select-layout -t Nodes even-vertical;
-tmux send-keys -t Nodes.0 "podman-remote -c lab0 exec -it red-in /bin/bash" C-m
-tmux send-keys -t Nodes.0 "ip route add 203.100.100.0/24 via 12.12.12.119" C-m
-tmux send-keys -t Nodes.0 "ping -c 1 203.100.100.100"
+tmux send-keys -t Nodes.0 "docker exec -it clab-vlab-sidecar-gw1 /bin/bash" C-m
+tmux send-keys -t Nodes.0 "ip route add vrf red 203.100.100.0/24 via 12.12.12.119" C-m
+tmux send-keys -t Nodes.0 "ip vrf exec red ping -c 1 203.100.100.100"
 tmux send-keys -t Nodes.0 "nc -u 5.5.5.5 8888 -p 2424"
 tmux send-keys -t Nodes.1 "oc debug node/w0 --image quay.io/karampok/snife:latest" C-m
 tmux send-keys -t Nodes.1 "chroot /host" C-m C-m C-m
diff --git a/telco-ocp-lab b/telco-ocp-lab
index 2470c65..db58b4d 100755
Binary files a/telco-ocp-lab and b/telco-ocp-lab differ
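Review bot: The rewritten `tmux send-keys -t Nodes.0 "ip vrf exec red ping -c 1 203.100.100.100"` line carries no trailing `C-m`, so unlike the `docker exec` and `ip route add vrf red` lines just above it the command is only typed into pane Nodes.0 and never executed; the unchanged `nc -u 5.5.5.5 8888 -p 2424` line behaves the same way. If that is deliberate (commands staged for the operator to run by hand once the route is in place), a comment such as `# ping/nc are typed but not executed: run them manually` in the script would make it clear; otherwise append `C-m`. The container name `clab-vlab-sidecar-gw1` hard-codes a containerlab lab prefix that presumably has to match the topology's name, so a comment pointing at where that name comes from would help whoever next renames the lab. The definition holding this embedded script starts and ends outside the hunk.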
diff --git a/topo.clab.yml b/topo.clab.yml
index b74dd2f..970b603 100644
--- a/topo.clab.yml
+++ b/topo.clab.yml
@@ -16,14 +16,15 @@ topology:
 r01:
 kind: linux
 image: quay.io/frrouting/frr:9.0.2
+ network-mode: none
 binds:
 - config/frr-zero/daemons:/etc/frr/daemons
 - config/frr-zero/frr.conf:/etc/frr/frr.conf
 - config/frr-zero/vtysh.conf:/etc/frr/vtysh.conf
 exec:
- # - ip addr add 192.168.0.166/24 dev upstream
- # - ip route add default via 192.168.0.254
- - iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
+ - ip addr add 10.1.104.46/23 dev upstream
+ - ip route add default via 10.1.105.254
+ - iptables-nft -t nat -I POSTROUTING -o upstream -j MASQUERADE
 sidecar-r01:
 kind: linux
 network-mode: container:r01
@@ -80,14 +81,17 @@ topology:
 infra:
 kind: linux
 image: quay.io/karampok/infra:latest
+ network-mode: none
 exec:
 - ip addr add 10.10.20.200/24 dev eth1
 - ip addr add 192.168.100.200/24 dev bmc
+ - ip addr add 10.1.104.28/23 dev vpn
+ - ip route add 10.39.192.0/20 via 10.1.105.254
 - ip route add 10.10.10.0/24 via 10.10.20.1
 - sysctl -w "net.ipv4.ip_forward=1"
- - iptables -t nat -A PREROUTING -p udp --dport 51820 -j DNAT --to 10.10.20.200
 - echo "nameserver 10.10.20.10" > /etc/resolv.conf
- # - ip route add default via 10.10.20.254
+ - ip route add default via 10.10.20.254
+ # - iptables -t nat -A PREROUTING -p udp --dport 51820 -j DNAT --to 10.10.20.200
 binds:
 - infra/:/workdir
 - /root/.ssh/authorized_keys:/root/.ssh/authorized_keys:ro
@@ -98,10 +102,11 @@ topology:
 links:
 - endpoints: ["r01:eth1", "ixp-net:ixp-port0"]
- # - endpoints: ["r01:upstream", "host:r01-up"] #"macvlan:bond0"]
+ - endpoints: ["r01:upstream", "macvlan:eno12399"]
 - endpoints: ["dns:eth1", "ixp-net:ixp-port10"]
 - endpoints: ["infra:eth1", "ixp-net:ixp-port200"]
 - endpoints: ["infra:bmc", "bmc:infra"]
+ - endpoints: ["infra:vpn", "macvlan:eno12399"]
 - endpoints: ["sushy:eth1", "bmc:sushy"]
 - endpoints: ["gw1:eth0", "ixp-net:ixp-port1"]
 - endpoints: ["gw1:eth1", "sw1:sw1-port1"]
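Review bot: The new `iptables-nft -t nat -I POSTROUTING -o upstream -j MASQUERADE` rule in r01's `exec` has no source match, so everything r01 forwards towards `upstream` — which the links hunk further down now attaches to the physical NIC via `macvlan:eno12399` — is NATed onto the host LAN, not only the traffic arriving from the lab's ixp-net side. Restricting the rule to the prefixes r01 is meant to forward for keeps the node from becoming a general egress NAT, e.g. `- iptables-nft -t nat -I POSTROUTING -s <LAB_SOURCE_PREFIX> -o upstream -j MASQUERADE` (placeholder for the lab network). The address `10.1.104.46/23` and gateway `10.1.105.254` are site-specific values replacing what were commented-out examples, and the same holds for `10.1.104.28/23` on infra's `vpn` in the next hunk; two deployments of this topology on the same LAN would collide on them, so a comment marking them as site-specific (or lifting them into one clearly named place) is worth adding.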
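Review bot: infra keeps `sysctl -w "net.ipv4.ip_forward=1"` while gaining `vpn` on `10.1.104.28/23` (attached to `macvlan:eno12399` in the links hunk) and a now-active default route via `10.10.20.254`, so the container forwards unfiltered between the ixp-net/bmc segments and the physical LAN in both directions, and nothing in the hunk limits which flows may cross. If only the `10.39.192.0/20` route is meant to traverse `vpn`, an explicit forwarding policy in `exec` (a FORWARD default of DROP plus accept rules for the intended prefixes), or at minimum a comment stating the intended reachability, would document and bound that exposure. The udp/51820 DNAT rule is kept as a commented-out `# - iptables ...` entry rather than removed; if it is retained for a reason, say so in the comment, otherwise drop it so the exec list does not accumulate dead entries.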