diff --git a/ansible/playbook.yaml b/ansible/playbook.yaml
index 6e7fb63..34a0a74 100644
--- a/ansible/playbook.yaml
+++ b/ansible/playbook.yaml
@@ -10,7 +10,7 @@
 # - network
 # - sshd
 # - base
- # # - firewall
+ - firewall
 # - cpu
 # - ntp
 # - build
diff --git a/ansible/roles/firewall/files/odofreebsd_pf.conf b/ansible/roles/firewall/files/odofreebsd_pf.conf
index fa5f23c..1b942d0 100644
--- a/ansible/roles/firewall/files/odofreebsd_pf.conf
+++ b/ansible/roles/firewall/files/odofreebsd_pf.conf
@@ -1,7 +1,8 @@
 ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }"
+jail_net_v4 = "10.10.11.0/24"
 dhcp = "{ bootpc, bootps }"
-# allow = "{ }"
+allow = "{ nat_uplink0 }"
 tcp_pass_in = "{ 22 }"
 udp_pass_in = "{ 53 51820 }"
@@ -12,9 +13,11 @@ udp_pass_in = "{ 53 51820 }"
 set skip on lo
 # redirections
+nat on $ext_if inet from $jail_net_v4 to { any, !$jail_net_v4 } tag ALLOWED -> (wlan0)
 # filtering
 block log all
+pass quick on $ext_if tagged ALLOWED
 pass out on $ext_if
 # We pass on the interfaces listed in allow rather than skipping on
@@ -22,7 +25,7 @@ pass out on $ext_if
 # `service pf reload` but interfaces that we `skip` will not update (I
 # forget if its from adding, removing, or both. TODO: test to figure
 # it out)
-# pass quick on $allow
+pass quick on $allow
 pass on $ext_if proto icmp all
 pass on $ext_if proto icmp6 all
diff --git a/ansible/roles/jail/tasks/freebsd.yaml b/ansible/roles/jail/tasks/freebsd.yaml
index 2ab0242..e2b7e6e 100644
--- a/ansible/roles/jail/tasks/freebsd.yaml
+++ b/ansible/roles/jail/tasks/freebsd.yaml
@@ -125,3 +125,12 @@
 file:
 path: /etc/rc.conf.d/setup_netgraph
 state: absent
+
+- name: Enable gateway
+ community.general.sysrc:
+ name: "{{ item }}"
+ value: "YES"
+ path: /etc/rc.conf.d/routing
+ loop:
+ - gateway_enable
+ - ipv6_gateway_enable
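Review bot: The destination list `to { any, !$jail_net_v4 }` in the new nat rule does not exclude jail-to-jail traffic: pf expands a list into separate OR'd rules, so the `any` member matches every destination and the negated member never has an effect (pf.conf(5) warns specifically about negation inside lists). A single negated address expresses the intent, `nat on $ext_if inet from $jail_net_v4 to !$jail_net_v4 tag ALLOWED -> (wlan0)`. Separately, `$ext_if` expands to five interfaces while the translation address is pinned to `(wlan0)`, so jail packets leaving igb0/ix0 would be rewritten to wlan0's address; if only the wireless uplink is meant to NAT, `nat on wlan0` is the safer form. Note also that `pass quick on $ext_if tagged ALLOWED` carries no direction or protocol, so every NAT-tagged jail packet bypasses `block log all` unlogged — worth a one-line comment stating that jail egress is intentionally unrestricted, or a `proto`/port qualifier if it is not.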
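Review bot: `pass quick on $allow` has no direction, address or protocol qualifier, so all traffic on nat_uplink0 (presumably the jail-side interface, inferred from the name) passes unlogged ahead of `block log all`, including packets whose source is not in `$jail_net_v4`. If the jail side should not be able to spoof other sources, precede it with `antispoof quick for $allow` or qualify the inbound direction, e.g. `pass in quick on $allow from $jail_net_v4`, keeping the unqualified rule for the outbound side. The comment block above it already explains why `pass` is used instead of `skip`; extend it with a sentence saying the interface is trusted end-to-end so the choice is visibly deliberate.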
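Review bot: The new `Enable gateway` task only writes `/etc/rc.conf.d/routing`; nothing in the hunk applies the setting to the running kernel, so forwarding stays off until reboot or `service routing restart`, and the NAT rules added in this commit will appear not to work on first run. Add a `notify: restart routing` with a matching handler, or a follow-up `ansible.posix.sysctl` task for `net.inet.ip.forwarding` and `net.inet6.ip6.forwarding`. Also, `ipv6_gateway_enable` turns on IPv6 forwarding across all interfaces while the firewall change in this commit adds only an IPv4 (`inet`) NAT rule; if IPv6 routing isn't needed yet, drop that loop item, otherwise document in the task name or a comment which rules are expected to cover it. The enclosing task list starts outside the hunk.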