diff --git a/Rakefile b/Rakefile
index dc44a66..a6a2287 100644
--- a/Rakefile
+++ b/Rakefile
@@ -2,40 +2,29 @@
 require 'rake'
 require 'rspec/core/rake_task'
-require 'yaml'
+require_relative 'spec/ansible_inventory'
 require 'pry'
-ansible_inventory = YAML.safe_load(File.read('./inventory.yml'))
-ansible_groups = ansible_inventory.keys
-
-ansible_groups.each do |group|
- ansible_inventory[group]['hosts'] ||= {}
- ansible_inventory[group]['hosts'].tap do |hosts|
- hosts.each_pair do |host, _vars|
- host_vars = File.join('host_vars', "#{host}.yml")
-
- if File.exist? host_vars
- hosts[host] = YAML.safe_load(File.read(host_vars))
- else
- puts "Warning: #{host_vars} doesn't exist"
- end
- end
- end
-end
-
 task spec: 'spec:all'
 task default: :spec
+AnsibleInventory.read
+
 namespace :spec do
 desc 'Run serverspec'
- task all: (ansible_groups.map do |group|
+ task all: (AnsibleInventory.groups.map do |group|
 "#{group}:all"
 end)
- ansible_groups.each do |group|
- short_names = ansible_inventory[group]['hosts'].map do |_, vars|
- [vars['ekumen'], vars['ansible_host']]
- end.to_h
+ AnsibleInventory.groups.each do |group|
+ short_names = AnsibleInventory.inventory[group]['hosts'].map do |host, vars|
+ {
+ vars['ekumen'] => {
+ host: vars['ansible_host'],
+ hostname: host
+ }
+ }
+ end.inject(&:merge) || {}
 namespace group.to_sym do
 desc "Run serverspec on #{group}"
@@ -44,10 +33,11 @@ namespace :spec do
 short_names.each_key do |name|
 desc "Run serverspec on #{group}:#{name}"
 RSpec::Core::RakeTask.new(name) do |t|
- ENV['TARGET_HOST'] = short_names[name]
+ ENV['TARGET_HOST'] = short_names[name][:host]
+ ENV['TARGET_HOSTNAME'] = short_names[name][:hostname]
 puts "Running serverspec on #{group}:#{name}"
- t.pattern = "spec/{base,#{group}}/*_spec.rb"
+ t.pattern = "spec/{base,#{group},#{name}}/*_spec.rb"
 end
 end
 end
diff --git a/spec/ansible_inventory.rb b/spec/ansible_inventory.rb
new file mode 100644
index 0000000..9d5e05b
--- /dev/null
+++ b/spec/ansible_inventory.rb
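Review bot: In Rakefile, the new `short_names` hash is keyed on `vars['ekumen']` without checking it. `AnsibleInventory.host_vars` returns `{}` for a host with no host_vars file, so every such host lands under a `nil` key and `inject(&:merge)` silently keeps only the last one; two hosts sharing an `ekumen` value overwrite each other the same way. The same unchecked value is interpolated into the glob in the second hunk, `t.pattern = "spec/{base,#{group},#{name}}/*_spec.rb"`, where a `,`, `}` or `*` in it would change which spec files are loaded. I would filter before the `map`, for example `.select { |_host, vars| vars['ekumen'].to_s.match?(/\A[\w-]+\z/) }` (adjust the pattern to the naming scheme actually in use), and raise on a duplicate key instead of merging over it. The enclosing `namespace :spec do` block continues outside both hunks.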
@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require 'yaml'
+
+# Represents Ansible inventory
+module AnsibleInventory
+ # @return [Hash]
+ def self.inventory
+ @@inventory ||= YAML.safe_load(File.read('./inventory.yml'))
+ end
+
+ # @return [Array]
+ def self.groups
+ @@groups ||= inventory.keys
+ end
+
+ # @return [nil]
+ def self.read
+ groups.each do |group|
+ inventory[group]['hosts'] ||= {}
+ inventory[group]['hosts'].tap do |hosts|
+ hosts.each_pair do |host, _vars|
+ hosts[host] = host_vars(host)
+ end
+ end
+ end
+
+ nil
+ end
+
+ def self.host_vars(host)
+ file = File.join('host_vars', "#{host}.yml")
+
+ if File.exist? file
+ YAML.safe_load(File.read(file))
+ else
+ puts "Warning: #{file} doesn't exist"
+ {}
+ end
+ end
+end
diff --git a/spec/base/networking_spec.rb b/spec/base/networking_spec.rb
new file mode 100644
index 0000000..95362f2
--- /dev/null
+++ b/spec/base/networking_spec.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'ansible_inventory'
+
+host_name = ENV['TARGET_HOSTNAME']
+host_vars = AnsibleInventory.host_vars host_name
+
+describe default_gateway do
+ its(:ipaddress) { should eq host_vars['gateway'] }
+ its(:interface) { should eq 'eth0' }
+end
diff --git a/spec/base/ekumen_spec.rb b/spec/dockers/docker_spec.rb
similarity index 55%
rename from spec/base/ekumen_spec.rb
rename to spec/dockers/docker_spec.rb
index 1444a71..91333b0 100644
--- a/spec/base/ekumen_spec.rb
+++ b/spec/dockers/docker_spec.rb
@@ -2,15 +2,11 @@
 require 'spec_helper'
-describe package('tinc') do
+describe package('docker') do
 it { should be_installed }
 end
-describe service('tincd') do
+describe service('docker') do
 it { should be_enabled }
 it { should be_running }
 end
-
-describe port(65_000) do
- it { should be_listening }
-end
diff --git a/spec/dockers/ekumen_spec.rb b/spec/dockers/ekumen_spec.rb
new file mode 100644
index 0000000..0033efa
--- /dev/null
+++ b/spec/dockers/ekumen_spec.rb
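Review bot: In spec/ansible_inventory.rb, `host_vars` returns a hash when the file is missing but not necessarily when it exists: `YAML.safe_load` yields `nil` for an empty or comment-only file. `read` stores that in `hosts[host]`, so the Rakefile's `vars['ekumen']` then raises NoMethodError far from the cause; `YAML.safe_load(File.read(file)) || {}` keeps the return type stable. `host` is also joined into the path unchecked, and the spec files pass `ENV['TARGET_HOSTNAME']` into it, so a value containing `/` or `..` reads a YAML file outside host_vars/; `File.basename(host.to_s)` before the join would confine the lookup. Unlike its siblings the method has no YARD tags, so I would add `# @param host [String] inventory host name` and `# @return [Hash] parsed host_vars, or {} when the file is missing`.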
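Review bot: In spec/base/networking_spec.rb, `ENV['TARGET_HOSTNAME']` is read with `[]`, so running the spec outside the rake task passes `nil` to `AnsibleInventory.host_vars`. That call looks for `host_vars/.yml`, prints a warning and returns `{}`, so the gateway expectation compares against `nil` and fails with a message that hides the real cause. `host_name = ENV.fetch('TARGET_HOSTNAME')` and `host_vars.fetch('gateway')` would fail fast with a KeyError naming the missing input. The same two lookup lines are repeated in spec/dockers/firewall_spec.rb.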
@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe package('tinc') do
+ it { should be_installed }
+end
+
+describe service('tincd') do
+ it { should be_enabled }
+ it { should be_running }
+end
+
+describe port(65_000) do
+ it { should be_listening.with('tcp') }
+ it { should be_listening.with('udp') }
+end
+
+describe interface('ekumen') do
+ it { should exist }
+ its(:ipv6_address) { should match /\Afd00:acab::/ }
+end
diff --git a/spec/dockers/firewall_spec.rb b/spec/dockers/firewall_spec.rb
new file mode 100644
index 0000000..c6290d2
--- /dev/null
+++ b/spec/dockers/firewall_spec.rb
@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'ansible_inventory'
+
+host_name = ENV['TARGET_HOSTNAME']
+host_vars = AnsibleInventory.host_vars host_name
+
+describe service('ipset') do
+ it { should be_enabled }
+ it { should be_running }
+end
+
+describe service('iptables') do
+ it { should be_enabled }
+ it { should be_running }
+end
+
+describe service('ip6tables') do
+ it { should be_enabled }
+ it { should be_running }
+end
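Review bot: In spec/dockers/ekumen_spec.rb, `should match /\Afd00:acab::/` passes a regexp literal as an unparenthesized first argument, which Ruby reports as ambiguous under `-w` and RuboCop flags. `its(:ipv6_address) { should match(/\Afd00:acab::/) }` is unambiguous. The `\A` anchor is worth keeping, since it stops the prefix from matching in the middle of the value.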
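Review bot: In spec/dockers/firewall_spec.rb, the three blocks only assert that the ipset, iptables and ip6tables services are enabled and running, which a host with an empty or accept-all ruleset also satisfies, so the spec does not verify any filtering policy. `host_name` and `host_vars` are loaded at the top and never used, presumably as groundwork for per-host rule checks. I would either add rule assertions with serverspec's `iptables`/`ip6tables` resources, e.g. `describe iptables do it { should have_rule('<EXPECTED_RULE>') } end`, or drop the two unused lines until they are needed.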