diff --git a/main.go b/main.go
index e3dfbd49..9253290f 100644
--- a/main.go
+++ b/main.go
@@ -85,6 +85,12 @@ func initialize() { // Client Mode Prereq Check
 logger.FatalLog("could not inintialize comms network")
 }
 }
+
+ err = serverctl.SetDefaultACLS()
+ if err != nil {
+ logger.FatalLog("error setting default acls: ", err.Error())
+ }
+
 // initialize iptables to ensure gateways work correctly and mq is forwarded if containerized
 if servercfg.ManageIPTables() != "off" {
 if err = serverctl.InitIPTables(); err != nil {
diff --git a/serverctl/serverctl.go b/serverctl/serverctl.go
index 5b96390a..46ec7a45 100644
--- a/serverctl/serverctl.go
+++ b/serverctl/serverctl.go
@@ -10,6 +10,8 @@ import (
 "github.com/gravitl/netmaker/database"
 "github.com/gravitl/netmaker/logger"
 "github.com/gravitl/netmaker/logic"
+ "github.com/gravitl/netmaker/logic/acls"
+ "github.com/gravitl/netmaker/logic/acls/nodeacls"
 "github.com/gravitl/netmaker/models"
 "github.com/gravitl/netmaker/netclient/ncutils"
 "github.com/gravitl/netmaker/servercfg"
@@ -144,3 +146,31 @@ func SyncServerNetwork(network string) error {
 */
 return nil
 }
+
+// SetDefaultACLS - runs through each network to see if ACL's are set. If not, goes through each node in network and adds the default ACL
+func SetDefaultACLS() error {
+ // upgraded systems will not have ACL's set, which is why we need this function
+ var err error
+ networks, err := logic.GetNetworks()
+ if err != nil {
+ return err
+ }
+ for i, _ := range networks {
+ _, err := nodeacls.FetchAllACLs(nodeacls.NetworkID(networks[i].NetID))
+ if err != nil {
+ if database.IsEmptyRecord(err) {
+ nodes, err := logic.GetNetworkNodes(networks[i].NetID)
+ if err != nil {
+ return err
+ }
+ for j, _ := range nodes {
+ _, err = nodeacls.CreateNodeACL(nodeacls.NetworkID(networks[i].NetID), nodeacls.NodeID(nodes[j].ID), acls.Allowed)
+ if err != nil {
+ return err
+ }
+ }
+ }
+ }
+ }
+ return err
+}
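Review bot: The new `serverctl.SetDefaultACLS()` call in initialize() carries no comment explaining why its failure aborts the whole server, whereas the iptables block directly below it is commented; a one-liner such as `// apply default node ACLs to networks created before ACL support (upgrade path); abort rather than start with ACLs unset` would make the fail-closed intent explicit. Be aware that the fatal check only sees errors SetDefaultACLS actually returns, and as written in the serverctl hunk a non-empty-record lookup failure is not one of them. initialize() starts before this hunk and continues past it.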
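Review bot: In SetDefaultACLS the inner `_, err := nodeacls.FetchAllACLs(...)` and `nodes, err := logic.GetNetworkNodes(...)` declarations shadow the function-level `err`, so a FetchAllACLs failure that is not an empty record is never returned: the loop simply moves to the next network and the final `return err` yields the outer value, which is nil by then, leaving that network without default node ACLs while the caller in main.go believes defaults were applied (what a missing ACL entry means for traffic is not visible on this page, so treat this as a fail-open risk to confirm). The rewrite below returns non-empty-record errors, drops the redundant `var err error`, and replaces `for i, _ := range` with `for i := range` as gofmt/vet expect. Separately, if CreateNodeACL fails part-way through a network, the next start will presumably see a non-empty ACL set and never fill in the remaining nodes; worth checking against FetchAllACLs' semantics. The doc comment should also follow Go convention, e.g. `// SetDefaultACLS creates an Allowed node ACL for every node of each network that has no ACL records yet (upgrade path).`
```go
func SetDefaultACLS() error {
	// … unchanged: GetNetworks call and its error check …
	for i := range networks {
		netID := nodeacls.NetworkID(networks[i].NetID)
		_, err = nodeacls.FetchAllACLs(netID)
		if err == nil {
			continue // this network already has ACL records
		}
		if !database.IsEmptyRecord(err) {
			return err // a lookup failure is not "no ACLs yet"; do not skip the network silently
		}
		nodes, nodesErr := logic.GetNetworkNodes(networks[i].NetID)
		if nodesErr != nil {
			return nodesErr
		}
		for j := range nodes {
			if _, err = nodeacls.CreateNodeACL(netID, nodeacls.NodeID(nodes[j].ID), acls.Allowed); err != nil {
				return err
			}
		}
	}
	return nil
}
```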