diff --git a/salt/freifunk/base/ddmesh/var/www_freifunk/04-additional.sh b/salt/freifunk/base/ddmesh/var/www_freifunk/04-additional.sh
index 4fda7240..82ec75f8 100755
--- a/salt/freifunk/base/ddmesh/var/www_freifunk/04-additional.sh
+++ b/salt/freifunk/base/ddmesh/var/www_freifunk/04-additional.sh
@@ -21,7 +21,7 @@ if [ "$?" -eq 0 ] && [ "$IP" != '10.200.0.1' ]; then
 	EOM
 
 	# tools
-	if [ "$(uci -qX get ffdd.sys.apache_ddos_prevent)" -eq '0' ]; then
+	if [ "$(uci -qX get ffdd.sys.apache_ddos_prevent)" -eq '0' ] && [ "$(uci -qX get ffdd.sys.apache_speedtest)" -eq '1' ]; then
 		cat <<-EOM
 			<TR><TD><BIG CLASS="plugin">Tools</BIG></TD></TR>
 			<TR><TD><DIV CLASS="plugin"><A CLASS="plugin" TARGET="_blank" HREF="http://speedtest.$hostname_short.ffdd/">Speedtest</A></DIV></TD></TR>
diff --git a/salt/freifunk/base/uci/etc/config/ffdd b/salt/freifunk/base/uci/etc/config/ffdd
index 2e274f5b..b63d9024 100644
--- a/salt/freifunk/base/uci/etc/config/ffdd
+++ b/salt/freifunk/base/uci/etc/config/ffdd
@@ -46,9 +46,12 @@ config 'ffdd' 'sys'
 	# To disable tunneled clear text passwords and allow only pub-key auth.
 	option 'ssh_pwauth' '1'
 
-	# To disable ddos protection in apache2 (0=off 1=on)
+	# DDOS-protection in apache2 (0=off 1=on)
 	option 'apache_ddos_prevent' '1'
 
+	# speedtest plugin (0=off 1=on) (needs a disabled apache_ddos_prevent)
+	option 'apache_speedtest' '1'
+
 	# DNS-Server
 	list 'default_dns' '194.150.168.168'
 	list 'default_dns' '5.9.164.112'
diff --git a/salt/freifunk/base/uci/usr/local/bin/uci_check_config_options.sh b/salt/freifunk/base/uci/usr/local/bin/uci_check_config_options.sh
index 3eb82fad..0fa125fd 100755
--- a/salt/freifunk/base/uci/usr/local/bin/uci_check_config_options.sh
+++ b/salt/freifunk/base/uci/usr/local/bin/uci_check_config_options.sh
@@ -6,8 +6,6 @@
 ## ffdd.sys
 
 	test -z "$(uci -qX get ffdd.sys.devmode)" && uci -q set ffdd.sys.devmode=0
-	test -z "$(uci -qX get ffdd.sys.apache_ddos_prevent)" && uci -q set ffdd.sys.apache_ddos_prevent=1
-
 	test -z "$(uci -qX get ffdd.sys.network_id)" && uci -q set ffdd.sys.network_id=0
 	test -z "$(uci -qX get ffdd.sys.community_server)" && uci -q set ffdd.sys.community_server=0
 
@@ -16,6 +14,8 @@
 	test -z "$(uci -qX get ffdd.sys.group_id)" && uci -q set ffdd.sys.group_id=0
 	test -z "$(uci -qX get ffdd.sys.firewall_log)" && uci -q set ffdd.sys.firewall_log=0
 
+	test -z "$(uci -qX get ffdd.sys.apache_ddos_prevent)" && uci -q set ffdd.sys.apache_ddos_prevent=1
+	test -z "$(uci -qX get ffdd.sys.apache_speedtest)" && uci -q set ffdd.sys.apache_speedtest=1
 
 ## ffdd.wireguard