diff --git a/group_vars/reverseproxy.yml b/group_vars/reverseproxy.yml
new file mode 100644
index 00000000..cd01d6a3
--- /dev/null
+++ b/group_vars/reverseproxy.yml
@@ -0,0 +1,81 @@ +certbot: + dns_rfc2136_name: certbot_challenge. + dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" + mail: root@crans.org + certname: crans.org + domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu" + +nginx: + contact: contact@crans.org + who: "l'équipe technique du Cr@ns" + ssl: + cert: /etc/letsencrypt/live/crans.org/fullchain.pem + cert_key: /etc/letsencrypt/live/crans.org/privkey.pem + trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem + + redirect_dnames: + - crans.eu + - crans.fr + + reverseproxy_sites: + # Services web Crans + # - {from: lutim.crans.org, to: 10.231.136.69} + # - {from: zero.crans.org, to: 10.231.136.76} + # - {from: pad.crans.org, to: "10.231.136.76:9001"} + # - {from: ethercalc.crans.org, to: "10.231.136.203:8000"} + # - {from: mediadrop.crans.org, to: 10.231.136.106} + # - {from: videos.crans.org, to: 10.231.136.106} + # - {from: video.crans.org, to: 10.231.136.106} + # - {from: roundcube.crans.org, to: 10.231.136.105} + # - {from: phabricator.crans.org, to: 10.231.136.123} + # - {from: trackerusercontent.crans.org, to: 10.231.136.123} + # - {from: cas.crans.org, to: 10.231.136.18} + # - {from: auth.crans.org, to: 10.231.136.18} + # - {from: login.crans.org, to: 10.231.136.18} + # - {from: webmail.crans.org, to: 10.231.136.107} + # - {from: horde.crans.org, to: 10.231.136.107} + # - {from: owncloud.crans.org, to: 10.231.136.26} + # - {from: ftps.crans.org, to: 10.231.136.98} + # - {from: wiki.crans.org, to: 10.231.136.204} + # - {from: www.crans.org, to: 10.231.136.46} + # - {from: doc.crans.org, to: 10.231.136.46} + # - {from: limesurvey.crans.org, to: 10.231.136.253} + # - {from: perso.crans.org, to: 10.231.136.1} + # - {from: webnews.crans.org, to: 10.231.136.63} + # - {from: re2o.crans.org, to: 10.231.136.9} + # - {from: intranet.crans.org, to: 10.231.136.9} + # - {from: autoconfig.crans.org, to: 10.231.136.46} + # - {from: grafana.crans.org, to: "10.231.136.102:3000"} + # - {from: 
webirc.crans.org, to: "10.231.136.1:9000"} + - {from: framadate.crans.org, to: 172.16.10.109} + # - {from: mailman.crans.org, to: 10.231.136.180} + # + # # Zamok + # - {from: install-party.crans.org, to: 10.231.136.1} + # - {from: med.crans.org, to: 10.231.136.1} + # - {from: med-cartons.crans.org, to: 10.231.136.1} + # - {from: amap.crans.org, to: 10.231.136.1} + # - {from: pot-vieux.crans.org, to: 10.231.136.1} + # - {from: bonvivens.crans.org, to: 10.231.136.1} + # + redirect_sites: [] + # - {from: crans.org, to: www.crans.org} + # + # # Aliases or legacy support + # - {from: factures.crans.org, to: intranet.crans.org} + # - {from: accounts.crans.org, to: intranet.crans.org} + # - {from: intranet2.crans.org, to: intranet.crans.org} + # - {from: clubs.crans.org, to: perso.crans.org} + # - {from: task.crans.org, to: phabricator.crans.org} + # - {from: adopteunpingouin.crans.org, to: install-party.crans.org} + # - {from: i-p.crans.org, to: install-party.crans.org} + # + # # To the wiki + # - {from: wikipedia.crans.org, to: wiki.crans.org} + # - {from: wifi.crans.org, to: wiki.crans.org/CransD%C3%A9marrage} + # - {from: television.crans.org, to: wiki.crans.org/CransTv} + # - {from: tv.crans.org, to: wiki.crans.org/CransTv} + # + # # ENS Cachan + # - {from: crans.ens-cachan.fr, to: www.crans.org} + # - {from: install-party.ens-cachan.fr, to: install-party.crans.org} diff --git a/host_vars/re2o-newinfra.adm.crans.org.yml b/host_vars/re2o-newinfra.adm.crans.org.yml index 92db5fa6..19f4c3f6 100644 --- a/host_vars/re2o-newinfra.adm.crans.org.yml +++ b/host_vars/re2o-newinfra.adm.crans.org.yml @@ -1,7 +1,7 @@ --- interfaces: adm: eth0 - srv-nat: eth1 + srv_nat: eth1 loc_re2o: diff --git a/host_vars/routeur-daniel.adm.crans.org.yml b/host_vars/routeur-daniel.adm.crans.org.yml index 555ebd7d..284bf31a 100644 --- a/host_vars/routeur-daniel.adm.crans.org.yml +++ b/host_vars/routeur-daniel.adm.crans.org.yml 
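Review bot: The new group file keeps roughly fifty commented-out `reverseproxy_sites` / `redirect_sites` entries with internal backend addresses and leaves only `framadate.crans.org` live, with nothing saying whether the dead entries are a migration backlog or leftovers; git history already preserves the old mapping, so either prune them or add a one-line comment such as `# Sites still served by the old proxy; uncomment each one as its backend moves`. If the list is meant to be the backlog, `calendrier.crans.org` (present in the vars removed from `plays/reverse-proxy.yml`) is missing from it. The file also lacks the leading `---` document marker that the other YAML files touched by this commit use.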
@@ -2,10 +2,10 @@ interfaces: adm: ens18 srv: ens19 - srv-nat: ens20 + srv_nat: ens20 infra: ens21 adh: ens22 - adh-nat: ens23 + adh_nat: ens23 loc_keepalived: diff --git a/host_vars/routeur-sam.adm.crans.org.yml b/host_vars/routeur-sam.adm.crans.org.yml index bf3d8f77..9c76a958 100644 --- a/host_vars/routeur-sam.adm.crans.org.yml +++ b/host_vars/routeur-sam.adm.crans.org.yml @@ -2,10 +2,11 @@ interfaces: adm: ens18 srv: ens19 - srv-nat: ens20 + srv_nat: ens20 infra: ens21 adh: ens22 - adh-nat: ens23 + adh_nat: ens23 + srv_old: ens1 loc_keepalived: diff --git a/hosts b/hosts index b28a03af..7cd1edd4 100644 --- a/hosts +++ b/hosts @@ -25,6 +25,10 @@ # [test_vm] # re2o-test.adm.crans.org +[reverseproxy] +hodaur.adm.crans.org +frontdaur.adm.crans.org + [radius] routeur-sam.adm.crans.org @@ -67,12 +71,14 @@ daniel.adm.crans.org jack.adm.crans.org [crans_vm] +voyager.adm.crans.org silice.adm.crans.org routeur-sam.adm.crans.org routeur-daniel.adm.crans.org belenios # on changera plus tard re2o-ldap.adm.crans.org gitlab-ci.adm.crans.org +hodaur.adm.crans.org [ovh_physical] sputnik.adm.crans.org diff --git a/lookup_plugins/ldap.py b/lookup_plugins/ldap.py index 87cee458..7810204e 100644 --- a/lookup_plugins/ldap.py +++ b/lookup_plugins/ldap.py 
@@ -52,11 +52,28 @@ class LookupModule(LookupBase): result = [res.decode('utf-8') for res in result['ipHostNumber']] return result + def subnet_ipv4(self, subnet): + """ + Retrive used IP addresses on a subnet + query('ldap', 'subnet_ipv4', SUBNET) + """ + network_query_id = self.base.search(f"cn={subnet},ou=networks,{self.base_dn}", ldap.SCOPE_BASE) + network_result = self.base.result(network_query_id) + network = network_result[1][0][1] + network, hostmask = network['ipNetworkNumber'][0].decode('utf-8'), network['ipNetmaskNumber'][0].decode('utf-8') + subnet = ipaddress.IPv4Network(f"{network}/{hostmask}") + query_id = self.base.search(f"ou=hosts,{self.base_dn}", ldap.SCOPE_SUBTREE, "objectClass=ipHost") + result = self.base.result(query_id) + result = [ip.decode('utf-8') for dn, entry in result[1] for ip in entry['ipHostNumber'] if ipaddress.ip_address(ip.decode('utf-8')) in subnet] + return result + def run(self, terms, variables=None, **kwargs): if terms[0] == 'query': result = self.query(*terms[1:]) elif terms[0] == 'ip': result = self.ip(*terms[1:]) + elif terms[0] == 'subnet_ipv4': + result = self.subnet_ipv4(*terms[1:]) elif terms[0] == 'group': query_id = self.base.search(f"ou=group,{self.base_dn}", ldap.SCOPE_SUBTREE, "objectClass=posixGroup") result = self.base.result(query_id) diff --git a/plays/firewall.yml b/plays/firewall.yml index 61065447..720c2f97 100755 --- a/plays/firewall.yml +++ b/plays/firewall.yml @@ -1,11 +1,14 @@ #!/usr/bin/env ansible-playbook --- -# Deploy iproute2 and sysctl config files +# Deploy sysctl config files - hosts: crans_routeurs roles: - - iproute2 - sysctl-forwarding +- hosts: routeur-sam.adm.crans.org + roles: + - arp-proxy + # Deploy firewall - hosts: crans_routeurs vars: diff --git a/plays/reverse-proxy.yml b/plays/reverse-proxy.yml index 5daf6670..b7a8d3ad 100755 --- a/plays/reverse-proxy.yml +++ b/plays/reverse-proxy.yml 
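Review bot: In `subnet_ipv4` the caller-supplied `subnet` is interpolated straight into the DN `f"cn={subnet},ou=networks,{self.base_dn}"` without DN escaping, and a missing or mistyped network surfaces as a bare `IndexError` from `network_result[1][0][1]` (or an `ldap.NO_SUCH_OBJECT` from the search) rather than a readable message; use `ldap.dn.escape_dn_chars(subnet)` and check `network_result[1]` is non-empty before indexing. The local name `hostmask` holds an `ipNetmaskNumber` value, and both `network` and `subnet` are rebound to a different type halfway through, which makes the function harder to read than it needs to be; `netmask` plus a separate `net = ipaddress.IPv4Network(...)` would fix both. The docstring has a typo (`Retrive`) and should state the contract, e.g. `"""Return the ipHostNumber values (as str) of every ou=hosts entry whose address lies inside the named IPv4 network."""`. This assumes `ipaddress` is imported at module top, which is outside the hunk, and `run` continues past the end of the hunk.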
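Review bot: The new play pins the `arp-proxy` role to the literal host `routeur-sam.adm.crans.org` while every other play in this file targets the `crans_routeurs` group, and nothing in the diff records why only one router gets it. If the reason is that only routeur-sam receives the `srv_old` interface in this commit's host_vars (routeur-daniel does not), say so above the play, e.g. `# arp-proxy only on routeur-sam: it is the sole router with the srv_old (ens1) interface`. The enclosing file continues past the end of the hunk.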
@@ -1,53 +1,6 @@ #!/usr/bin/env ansible-playbook --- -# Deploy reverse proxy -# Frontdaur is the backup of bakdaur (keepalived) -- hosts: bakdaur.adm.crans.org,frontdaur.adm.crans.org - vars: - certbot: - dns_rfc2136_name: certbot_challenge. - dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" - mail: root@crans.org - certname: crans.org - domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu" - bind: - masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}" - nginx: - ssl: - cert: /etc/letsencrypt/live/crans.org/fullchain.pem - cert_key: /etc/letsencrypt/live/crans.org/privkey.pem - trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem - - redirect_dnames: - - crans.eu - - crans.fr - - reverseproxy_sites: - # Services web Crans - - {from: lutim.crans.org, to: 10.231.136.69} - - {from: zero.crans.org, to: 10.231.136.76} - - {from: pad.crans.org, to: "10.231.136.76:9001"} - - {from: ethercalc.crans.org, to: "10.231.136.203:8000"} - - {from: mediadrop.crans.org, to: 10.231.136.106} - - {from: videos.crans.org, to: 10.231.136.106} - - {from: video.crans.org, to: 10.231.136.106} - - {from: roundcube.crans.org, to: 10.231.136.105} - - {from: phabricator.crans.org, to: 10.231.136.123} - - {from: trackerusercontent.crans.org, to: 10.231.136.123} - - {from: cas.crans.org, to: 10.231.136.18} - - {from: auth.crans.org, to: 10.231.136.18} - - {from: login.crans.org, to: 10.231.136.18} - - {from: webmail.crans.org, to: 10.231.136.107} - - {from: horde.crans.org, to: 10.231.136.107} - - {from: owncloud.crans.org, to: 10.231.136.26} - - {from: ftps.crans.org, to: 10.231.136.98} - - {from: wiki.crans.org, to: 10.231.136.204} - - {from: calendrier.crans.org, to: 10.231.136.204} - - {from: www.crans.org, to: 10.231.136.46} - - {from: doc.crans.org, to: 10.231.136.46} - - {from: limesurvey.crans.org, to: 10.231.136.253} - - {from: perso.crans.org, to: 10.231.136.1} - - {from: webnews.crans.org, to: 10.231.136.63} - - {from: 
re2o.crans.org, to: 10.231.136.9} - - {from: intranet.crans.org, to: 10.231.136.9} - - {from: autoconfig.crans.org, to: 10.231.136.46} +- hosts: reverseproxy + roles: + - certbot + - nginx-reverseproxy diff --git a/roles/arp-proxy/tasks/main.yml b/roles/arp-proxy/tasks/main.yml new file mode 100644 index 00000000..8962be05 --- /dev/null +++ b/roles/arp-proxy/tasks/main.yml @@ -0,0 +1,11 @@ +--- +- name: Deploy interfaces config + template: + src: network/interfaces.d/{{ item }}.j2 + dest: /etc/network/interfaces.d/{{ item }} + mode: 0644 + owner: root + group: root + loop: + - 02-srv + - 24-srv-old diff --git a/roles/arp-proxy/templates/network/interfaces.d/02-srv.j2 b/roles/arp-proxy/templates/network/interfaces.d/02-srv.j2 new file mode 100644 index 00000000..18428467 --- /dev/null +++ b/roles/arp-proxy/templates/network/interfaces.d/02-srv.j2 @@ -0,0 +1,6 @@ +auto {{ interfaces.srv }} +iface {{ interfaces.srv }} inet manual + up /sbin/sysctl -w net.ipv4.conf.{{ interfaces.srv }}.proxy_arp=1 +{% for ip in query('ldap', 'subnet_ipv4', 'srv') %} + up /sbin/ip route add {{ ip }}/32 dev {{ interfaces.srv }} +{% endfor %} diff --git a/roles/arp-proxy/templates/network/interfaces.d/24-srv-old.j2 b/roles/arp-proxy/templates/network/interfaces.d/24-srv-old.j2 new file mode 100644 index 00000000..902fae42 --- /dev/null +++ b/roles/arp-proxy/templates/network/interfaces.d/24-srv-old.j2 @@ -0,0 +1,9 @@ +auto {{ interfaces.srv_old }} +iface {{ interfaces.srv_old }} inet static + address 185.230.79.2/24 + gateway 185.230.79.254 + up /sbin/sysctl -w net.ipv4.conf.{{ interfaces.srv_old }}.proxy_arp=1 + up /sbin/ip addr add 185.230.79.204/24 dev {{ interfaces.srv_old }} + up /sbin/ip addr add 185.230.79.205/24 dev {{ interfaces.srv_old }} + up /sbin/ip addr add 185.230.79.206/24 dev {{ interfaces.srv_old }} + up /sbin/ip addr add 185.230.79.207/24 dev {{ interfaces.srv_old }} diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index 2e9c8b26..377a0ad2 100644 
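Review bot: The rewritten play targets the `reverseproxy` group, which the `hosts` hunk defines as hodaur and frontdaur, whereas the removed play targeted bakdaur and frontdaur and documented them as a keepalived pair; neither the replacement of bakdaur by hodaur nor the loss of that pairing note is explained anywhere in the diff. The removed `bind.masters` lookup is not moved to `group_vars/reverseproxy.yml`, which is presumably why `roles/certbot/tasks/main.yml` now hardcodes the DNS master address instead. A short comment restoring the topology note, e.g. `# Deploy reverse proxy; frontdaur is the keepalived backup of hodaur` (if that is still the arrangement), would keep the play self-describing.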
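Review bot: The role writes `/etc/network/interfaces.d/02-srv` and `24-srv-old` but attaches no `notify`, so a changed file is not applied until the interface is re-initialised, and because the `02-srv` template embeds a route list rendered from LDAP that list also goes stale until the play is re-run. Bouncing a router interface from a handler is risky, so leaving it manual may be deliberate; in that case state it in the task, e.g. `# Only stages the files; run ifup on the affected interfaces to apply`.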
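Review bot: Each rendered `up /sbin/ip route add {{ ip }}/32 dev {{ interfaces.srv }}` line aborts `ifup` with "File exists" when that route is already present (for example after `ifup --force`), and one failing `up` command fails the whole interface; `ip route replace` has the same effect and is idempotent, i.e. `up /sbin/ip route replace {{ ip }}/32 dev {{ interfaces.srv }}`. The route list is a snapshot of LDAP at deploy time, so a host added to the `srv` network later gets no route until the playbook runs again, which deserves a comment at the top of the template. Setting `proxy_arp=1` on this interface makes the router answer ARP for any address it can route off that segment, so the intent (apparently a migration of `srv` hosts between the old and new subnets, judging by `24-srv-old`) should be written down in the role as well.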
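Review bot: The template hardcodes the public addresses `185.230.79.2/24`, the gateway `185.230.79.254` and the secondaries `.204` to `.207`, while everything else in the role is driven by `interfaces.*` host_vars, so the address plan for this interface lives only inside a Jinja file; moving them to host_vars and looping over a list (a constructed name such as `srv_old_secondary_ips`) would keep one source of truth. The `gateway` line installs a default route via the old subnet, and if another interface file on routeur-sam also declares a gateway ifupdown will fail adding the second one, which is worth confirming against the host's other interface definitions (not in the diff). As in `02-srv`, `ip addr add` of an address that is already present fails the `up` sequence on a re-run without a prior `ifdown`; `ip addr replace` is the idempotent form.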
--- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml @@ -12,7 +12,9 @@ - name: Lookup DNS masters IPv4 set_fact: - dns_masters_ipv4: "{{ bind.masters | json_query('servers[].interface[?vlan_id==`2`].ipv4[]') }}" + #dns_masters_ipv4: "{{ bind.masters | json_query('servers[].interface[?vlan_id==`2`].ipv4[]') }}" + dns_masters_ipv4: + - "185.230.79.9" cacheable: true - name: Add DNS credentials diff --git a/roles/home-nounous/tasks/main.yml b/roles/home-nounous/tasks/main.yml index 25c533e0..b3ea1062 100644 --- a/roles/home-nounous/tasks/main.yml +++ b/roles/home-nounous/tasks/main.yml @@ -13,7 +13,7 @@ template: src: systemd/system/home.mount.j2 dest: /etc/systemd/system/home.mount - mode: 0755 + mode: 0644 - name: Load and activate nfs systemd mount systemd: diff --git a/roles/nginx-reverseproxy/tasks/main.yml b/roles/nginx-reverseproxy/tasks/main.yml index c021eef7..5a23f992 100644 --- a/roles/nginx-reverseproxy/tasks/main.yml +++ b/roles/nginx-reverseproxy/tasks/main.yml @@ -15,16 +15,10 @@ - options-ssl.conf - options-proxypass.conf -- name: Has dhparam been copied? - stat: - path: /etc/letsencrypt/dhparam - register: stat_result - - name: Copy dhparam template: src: letsencrypt/dhparam.j2 dest: /etc/letsencrypt/dhparam - when: not stat_result.stat.exists - name: Copy reverse proxy sites template: @@ -46,6 +40,7 @@ - reverseproxy_redirect_dname - redirect notify: Reload nginx + ignore_errors: "{{ ansible_check_mode }}" - name: Copy 50x error page template: diff --git a/roles/nginx-reverseproxy/templates/www/html/50x.html.j2 b/roles/nginx-reverseproxy/templates/www/html/50x.html.j2 index b4bde1f9..078e2de2 100644 --- a/roles/nginx-reverseproxy/templates/www/html/50x.html.j2 +++ b/roles/nginx-reverseproxy/templates/www/html/50x.html.j2 @@ -57,7 +57,7 @@
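Review bot: `dns_masters_ipv4` becomes a hardcoded `185.230.79.9` with the old `json_query` line left commented out, and nothing says why; the lookup depended on `bind.masters`, which this commit removes from `plays/reverse-proxy.yml` without re-adding it elsewhere, so presumably it could no longer resolve. A hardcoded master means that when the DNS master moves, the RFC2136 credentials keep pointing at the wrong host and renewal only fails at certificate expiry, so either put the address in `group_vars/reverseproxy.yml` next to the other certbot settings or keep the lookup and supply `bind.masters` there. Replace the commented-out line with a comment giving the reason, e.g. `# Static for now: bind.masters (re2oapi get_role lookup) is no longer set by the play`. The `set_fact` task starts before the hunk.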
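Review bot: Dropping the `stat` guard makes `Copy dhparam` overwrite `/etc/letsencrypt/dhparam` whenever it differs from `letsencrypt/dhparam.j2`, so a parameter set generated locally on a host (e.g. with `openssl dhparam`) is silently replaced by the repository's shared copy; if the repo copy is the intended single source of truth, say so in the task, e.g. `# dhparam is shared from the repo on purpose; do not generate per host`. The `ignore_errors: "{{ ansible_check_mode }}"` added in the second hunk is a common check-mode workaround but masks every failure of the site-template task in that mode, so a `failed_when` limited to the specific condition would be narrower if one can be named. The task carrying that added line starts before the hunk.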
Whoops, le service prend trop de temps à répondre…
Essayez de rafraîchir la page. Si le problème persiste, pensez - à contacter l'équipe technique du Cr@ns.
+ à contacter {{ nginx.who }}.