diff --git a/playbooks/prometheus/prometheus.yml.j2 b/playbooks/prometheus/prometheus.yml.j2
index 9608013..ac7c106 100644
--- a/playbooks/prometheus/prometheus.yml.j2
+++ b/playbooks/prometheus/prometheus.yml.j2
@@ -37,6 +37,14 @@ scrape_configs:
           group: '{{ group }}'
 {% endfor %}
 
+  - job_name: "fastd"
+    scheme: "https"
+    static_configs:
+      - targets:
+{% for host in groups['ffmwu-gateways'] %}
+        - '{{ host }}:9281'
+{% endfor %}
+
   - job_name: "icmp6"
     metrics_path: /probe
     params:
diff --git a/roles/service-fastd-mesh/handlers/main.yml b/roles/service-fastd-mesh/handlers/main.yml
index 3910b0e..be87c15 100644
--- a/roles/service-fastd-mesh/handlers/main.yml
+++ b/roles/service-fastd-mesh/handlers/main.yml
@@ -3,6 +3,16 @@
   systemd:
     daemon_reload: yes
 
+- name: restart fastd-nginx
+  systemd:
+    name: nginx.service
+    state: restarted
+
+- name: restart fastd-exporter
+  systemd:
+    name: fastd-exporter.service
+    state: restarted
+
 - name: restart fastd mesh instances
   systemd:
     name: "fastd@{{ item.0.id }}vpn-{{ item.1.mtu }}"
diff --git a/roles/service-fastd-mesh/meta/main.yml b/roles/service-fastd-mesh/meta/main.yml
index 2f66f75..924e8d3 100644
--- a/roles/service-fastd-mesh/meta/main.yml
+++ b/roles/service-fastd-mesh/meta/main.yml
@@ -1,5 +1,7 @@
 ---
 dependencies:
+  - { role: golang }
   - { role: git-repos }
   - { role: network-fastd }
   - { role: service-fastd }
+  - { role: service-nginx }
diff --git a/roles/service-fastd-mesh/tasks/main.yml b/roles/service-fastd-mesh/tasks/main.yml
index 8ac2938..56a9939 100644
--- a/roles/service-fastd-mesh/tasks/main.yml
+++ b/roles/service-fastd-mesh/tasks/main.yml
@@ -147,3 +147,25 @@
     enabled: yes
     state: started
   loop: "{{ meshes | subelements('fastd.nodes.instances') }}"
+
+- name: build fastd-exporter binary
+  shell: "GOPATH={{ gopath }} go get -v -u github.com/freifunk-darmstadt/fastd-exporter"
+  notify: restart fastd-exporter
+
+- name: copy vhost fastd_exporter.conf
+  template:
+    src: "fastd_exporter_vhost.conf.j2"
+    dest: "/etc/nginx/conf.d/fastd_exporter.conf"
+  notify: restart nginx
+
+- name: create systemd unit for fastd-exporter
+  template:
+    src: "fastd-exporter.service.j2"
+    dest: "/etc/systemd/system/fastd-exporter.service"
+  notify: reload systemd
+
+- name: configure fastd-exporter systemd unit
+  systemd:
+    name: "fastd-exporter.service"
+    enabled: yes
+    state: started
diff --git a/roles/service-fastd-mesh/templates/fastd-exporter.service.j2 b/roles/service-fastd-mesh/templates/fastd-exporter.service.j2
new file mode 100644
index 0000000..844ac26
--- /dev/null
+++ b/roles/service-fastd-mesh/templates/fastd-exporter.service.j2
@@ -0,0 +1,19 @@
+[Unit]
+Description=Fastd Prometheus Exporter
+Documentation=https://github.com/freifunk-darmstadt/fastd-exporter
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=simple
+
+{% if fastd_exporter_opts is defined %}
+ExecStart={{ fastd_exporter_path }} {{ fastd_exporter_default_opts }} {{ fastd_exporter_opts }} --instances="{% for mesh in meshes %}{% for instance in mesh.fastd.nodes.instances %}{{ mesh.id }}vpn-{{ instance.mtu }}{% if not loop.last %},{% endif %}{% endfor %}{% if not loop.last %},{% endif %}{% endfor %}"
+{% else %}
+ExecStart={{ fastd_exporter_path }} {{ fastd_exporter_default_opts }} --instances="{% for mesh in meshes %}{% for instance in mesh.fastd.nodes.instances %}{{ mesh.id }}vpn-{{ instance.mtu }}{% if not loop.last %},{% endif %}{% endfor %}{% if not loop.last %},{% endif %}{% endfor %}"
+{% endif %}
+Restart=always
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/service-fastd-mesh/templates/fastd_exporter_vhost.conf.j2 b/roles/service-fastd-mesh/templates/fastd_exporter_vhost.conf.j2
new file mode 100644
index 0000000..89f1148
--- /dev/null
+++ b/roles/service-fastd-mesh/templates/fastd_exporter_vhost.conf.j2
@@ -0,0 +1,22 @@
+server {
+    listen {{ lookup('dig', inventory_hostname, 'qtype=A') }}:9281 ssl;
+    listen [{{ lookup('dig', inventory_hostname, 'qtype=AAAA') }}]:9281 ssl;
+    server_name {{ inventory_hostname_short }}.{{ http_domain_external }} {{ inventory_hostname_short }}.{{ http_domain_internal }};
+
+    ssl_certificate     /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem;
+
+    include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
+
+    location / {
+      proxy_pass http://127.0.0.1:9281;
+
+      allow 127.0.0.0/8;
+      allow ::1/128;
+{% for host in groups['ffmwu-monitoring'] %}
+      allow {{ lookup('dig', host, 'qtype=A') }};
+      allow {{ lookup('dig', host, 'qtype=AAAA') }};
+      deny all;
+{% endfor %}
+    }
+}
diff --git a/roles/service-fastd-mesh/vars/main.yml b/roles/service-fastd-mesh/vars/main.yml
new file mode 100644
index 0000000..e05bf0a
--- /dev/null
+++ b/roles/service-fastd-mesh/vars/main.yml
@@ -0,0 +1,2 @@
+fastd_exporter_path: "{{ gopath }}/bin/fastd-exporter"
+fastd_exporter_default_opts: "--web.listen-address=localhost:9281"