diff --git a/ansible/roles/firewall/files/homeserver_pf.conf b/ansible/roles/firewall/files/homeserver_pf.conf
index 84edc5f..3054fea 100644
--- a/ansible/roles/firewall/files/homeserver_pf.conf
+++ b/ansible/roles/firewall/files/homeserver_pf.conf
@@ -64,3 +64,5 @@ pass in on $ext_if proto udp to (wlan0) port $udp_pass_in
 pass in on restricted_nat proto {udp, tcp} from 10.215.2.2 to any port { 53 51820 } tag NATOUT
 # bastion -> cloak
 pass in on jail_nat proto {udp, tcp} from 10.215.1.217 to 10.215.2.2 port 8081 tag NATRESTRICTED
+# Allow outgoing connections from certificate
+pass in on jail_nat proto {udp, tcp} from 10.215.1.220 to any port { 53 80 443 } tag NATOUT