diff --git a/machines/iana/setup.sh b/machines/iana/setup.sh
index 3a748ef..b69cbab 100755
--- a/machines/iana/setup.sh
+++ b/machines/iana/setup.sh
@@ -26,3 +26,9 @@ ip addr add 2a01:4f8:c0c:36b8:ffe0::1/126 dev homeisp_ve
 ip link set dev homeisp_ve up
 ip route add 100.64.224.0/20 via 100.64.224.2 dev homeisp_ve
 ip route add 2a01:4f8:c0c:36b8:ffe0::/76 via 2a01:4f8:c0c:36b8:ffe0::2 dev homeisp_ve
+
+# Location 1
+ip addr add 100.64.254.1/30 dev loc1
+ip addr add 2a01:4f8:c0c:36b8:fffe::1/126 dev loc1
+ip link set dev loc1 up
+# No other routes, IPv4-only and behind NAT anyway…
diff --git a/machines/iana/start.sh b/machines/iana/start.sh
index ca83210..466a941 100755
--- a/machines/iana/start.sh
+++ b/machines/iana/start.sh
@@ -10,3 +10,5 @@ unshare $namespaces /bin/true # just create the namespaces veth_to_bridge vps_ve vpsuplink veth_to_bridge homeisp_ve homeisp_up
+
+veth_to_bridge loc1 loc1_up ve_loc1up_iana
diff --git a/machines/loc1gw/attach.sh b/machines/loc1gw/attach.sh
new file mode 100755
index 0000000..9d0b686
--- /dev/null
+++ b/machines/loc1gw/attach.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -eu
+. ./lib.shs
+. machines/$mach/opts.shs
+
+nsenter --wdns=$nethorror_root $namespaces "$@"
diff --git a/machines/loc1gw/opts.shs b/machines/loc1gw/opts.shs
new file mode 100644
index 0000000..f0998ef
--- /dev/null
+++ b/machines/loc1gw/opts.shs
@@ -0,0 +1,3 @@
+#!/bin/false
+
+namespaces="--net=./state/$mach/netns --mount=./state/$mach/mntns"
diff --git a/machines/loc1gw/run-shim.sh b/machines/loc1gw/run-shim.sh
new file mode 100755
index 0000000..2f42dd8
--- /dev/null
+++ b/machines/loc1gw/run-shim.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -eu
+. ./lib.shs
+
+ensure_started
+attach machines/$mach/setup.sh
diff --git a/machines/loc1gw/setup.sh b/machines/loc1gw/setup.sh
new file mode 100755
index 0000000..c33a3ea
--- /dev/null
+++ b/machines/loc1gw/setup.sh
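Review bot: The closing comment in the machines/iana/setup.sh hunk, `# No other routes, IPv4-only and behind NAT anyway…`, contradicts the line two above it, which assigns `2a01:4f8:c0c:36b8:fffe::1/126` to `loc1`. Going by machines/loc1gw/setup.sh in this same diff, that /126 is a glue network and only the AP side lacks IPv6, so the gateway itself has an IPv6 address facing iana. I would reword the comment to say so, e.g. `# No routes towards loc1: its clients are NATed for IPv4 and get no IPv6; the /126 is glue to the gateway only`, so nobody later assumes the gateway has no IPv6 exposure.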
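Review bot: In machines/loc1gw/attach.sh, `$mach` and `$nethorror_root` are expanded unquoted in the `.` and `nsenter` lines, so a checkout path containing whitespace or glob characters would split into extra arguments to a command that presumably runs privileged. `$namespaces` has to stay unquoted because it carries two options, but the other two can be quoted: `. "machines/$mach/opts.shs"` and `nsenter "--wdns=$nethorror_root" $namespaces "$@"`. Neither variable is assigned in this file; presumably `lib.shs` sets them, otherwise `set -u` aborts here. The same unquoted `. machines/$mach/opts.shs` appears in machines/loc1gw/start.sh, and both scripts source `./lib.shs` relative to the current directory, so a short header comment stating that they must be run from the repository root would help.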
@@ -0,0 +1,26 @@
+#!/bin/sh
+set -eu
+
+. ./lib.shs
+
+# typically: bring up the networks
+ip link set dev lo up
+
+setup_for_router
+
+# uplink
+# glue networks for both AFs
+ip addr add 100.64.254.2/30 dev up_ve
+ip addr add 2a01:4f8:c0c:36b8:fffe::2/126 dev up_ve
+# (cg)NAT: use 10.0.0.0/24 inside the network and 192.168.0.1/24 for the client network
+nft add table ip nat
+nft add chain ip nat postrouting { type nat hook postrouting priority srcnat \; }
+nft add rule ip nat postrouting oifname \"up_ve\" ip saddr 10.0.0.0/24 masquerade
+ip link set dev up_ve up
+ip route add default via 100.64.254.1 dev up_ve
+ip route add default via 2a01:4f8:c0c:36b8:fffe::1 dev up_ve
+
+# network for APs
+ip addr add 10.0.0.1/24 dev ap_ve
+# No IPv6 at public spaces lol
+ip link set dev ap_ve up
diff --git a/machines/loc1gw/start.sh b/machines/loc1gw/start.sh
new file mode 100755
index 0000000..4fddaf5
--- /dev/null
+++ b/machines/loc1gw/start.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+set -eu
+. ./lib.shs
+. machines/$mach/opts.shs
+
+setup_statedir
+
+unshare $namespaces /bin/true # just create the namespaces
+
+veth_to_bridge up_ve loc1_up ve_loc1up_gw
+veth_to_bridge ap_ve loc1_ap
diff --git a/networks/loc1_ap/up.sh b/networks/loc1_ap/up.sh
new file mode 100755
index 0000000..19c7ca2
--- /dev/null
+++ b/networks/loc1_ap/up.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+set -eu
+
+. ./lib.shs
+make_bridge
diff --git a/networks/loc1_up/up.sh b/networks/loc1_up/up.sh
new file mode 100755
index 0000000..19c7ca2
--- /dev/null
+++ b/networks/loc1_up/up.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+set -eu
+
+. ./lib.shs
+make_bridge
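Review bot: machines/loc1gw/setup.sh installs only a `nat` table, so nothing visible here filters forwarded traffic: masquerading rewrites 10.0.0.0/24 on the way out, but it does not stop packets arriving on `up_ve` and addressed to 10.0.0.0/24 from being forwarded to the AP network, assuming `setup_for_router` (defined outside this diff) enables forwarding. If the gateway is meant to behave like a typical CGNAT box, add a forward chain with a drop policy after the masquerade rule, as sketched below. If the open forward path is deliberate for the lab, a one-line comment saying so would keep the NAT from being read as a firewall. The script is also not re-runnable: under `set -e` a second run stops at the first `ip addr add`, and `nft add rule` would append a duplicate masquerade rule.

```shell
# … unchanged: nat table, postrouting chain, masquerade rule …
nft add table ip filter
nft add chain ip filter forward { type filter hook forward priority filter \; policy drop \; }
nft add rule ip filter forward ct state established,related accept
nft add rule ip filter forward iifname \"ap_ve\" oifname \"up_ve\" ip saddr 10.0.0.0/24 accept
```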