diff --git a/ansible/roles/bhyve/files/bhyve_netgraph_bridge.bash b/ansible/roles/bhyve/files/bhyve_netgraph_bridge.bash
index a5e0ff8..ca90800 100644
--- a/ansible/roles/bhyve/files/bhyve_netgraph_bridge.bash
+++ b/ansible/roles/bhyve/files/bhyve_netgraph_bridge.bash
@@ -19,29 +19,109 @@ function main {
 
 function create_disk {
     zfs_path="$1"
-    gigabytes="$2"
-    zfs create "-V${gigabytes}G" -o volmode=dev "$zfs_path"
+    mount_path="$2"
+    gigabytes="$3"
+    zfs create -o "mountpoint=$mount_path" "$zfs_path"
+    cp /usr/local/share/edk2-bhyve/BHYVE_UEFI_VARS.fd "${mount_path}/"
+    tee "${mount_path}/settings" <<EOF
+CPU_CORES=1
+MEMORY=1G
+EOF
+    zfs create -s "-V${gigabytes}G" -o volmode=dev "$zfs_path/disk0"
 }
 
 function start_vm {
     name="$1"
     zfs_path="$2"
+    mount_path="$3"
+    host_interface_name="$4"
+    bridge_name="bridge_${host_interface_name}"
+    ip_range="$5"
+
+    assert_bridge "$host_interface_name" "$bridge_name" "$ip_range"
+    bridge_link_name=$(detect_available_link "${bridge_name}")
+
+
     CPU_CORES=1
     MEMORY=1G
+    if [ -e "${mount_path}/settings" ]; then
+        source "${mount_path}/settings"
+    fi
     # -H release the CPU when guest issues HLT instruction. Otherwise 100% of core will be consumed.
-    bhyve \
-         -c $CPU_CORES \
-         -m $MEMORY \
-         -H \
-         -s 0,hostbridge \
-         -s 3,ahci-cd,/vm/.iso/archlinux-2023.04.01-x86_64.iso \
-         -s 4,virtio-blk,/dev/zvol/${zfs_path} \
-         -s 2:0,virtio-net,netgraph,path=bridge_jail_nat:,peerhook=link90 \
-         -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080,wait \
-         -s 30,xhci,tablet \
-         -s 31,lpc -l com1,stdio \
-         -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
-         "$name"
+         # -s 3,ahci-cd,/vm/.iso/archlinux-2023.04.01-x86_64.iso \
+             # -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080,wait \
+    while true; do
+        set -x
+        bhyve \
+            -c $CPU_CORES \
+            -m $MEMORY \
+            -H \
+            -s 0,hostbridge \
+            -s "4,nvme,/dev/zvol/${zfs_path}/disk0" \
+            -s "2:0,virtio-net,netgraph,path=${bridge_name}:,peerhook=${bridge_link_name}" \
+            -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1080 \
+            -s 30,xhci,tablet \
+            -s 31,lpc -l com1,stdio \
+            -l "bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd,${mount_path}/BHYVE_UEFI_VARS.fd" \
+            "$name"
+        exit_code=$?
+        set +x
+        if [ $exit_code -eq 0 ]; then
+            echo "Rebooting."
+        elif [ $exit_code -eq 1 ]; then
+            echo "Powered off."
+            break
+        elif [ $exit_code -eq 2 ]; then
+            echo "Halted."
+            break
+        elif [ $exit_code -eq 3 ]; then
+            echo "Triple fault."
+            break
+        elif [ $exit_code -eq 4 ]; then
+            echo "Exited due to an error."
+            break
+        fi
+    done
 }
 
+function detect_available_link {
+    bridge_name="$1"
+    linknum=1
+    while true; do
+        link_name="link${linknum}"
+        if ! ng_exists "${bridge_name}:${link_name}"; then
+            echo "$link_name"
+            return
+        fi
+        linknum=$((linknum + 1))
+        if [ "$linknum" -gt 90 ]; then
+            (>&2 echo "No available links on bridge $bridge_name")
+            exit 1
+        fi
+    done
+}
+
+function assert_bridge {
+    host_interface_name="$1"
+    bridge_name="$2"
+    ip_range="$3"
+
+    if ! ng_exists "${bridge_name}:"; then
+        ngctl -d -f - <<EOF
+mkpeer . eiface hook ether
+name .:hook $host_interface_name
+EOF
+        ngctl -d -f - <<EOF
+mkpeer ${host_interface_name}: bridge ether link0
+name ${host_interface_name}:ether $bridge_name
+EOF
+        ifconfig $(ngctl msg "${host_interface_name}:" getifname | grep Args | cut -d '"' -f 2) name "${host_interface_name}" "$ip_range" up
+    fi
+}
+
+function ng_exists {
+    ngctl status "${1}" >/dev/null 2>&1
+}
+
+
 main "${@}"
diff --git a/ansible/roles/firewall/files/odofreebsd_pf.conf b/ansible/roles/firewall/files/odofreebsd_pf.conf
index 89f1832..95897f9 100644
--- a/ansible/roles/firewall/files/odofreebsd_pf.conf
+++ b/ansible/roles/firewall/files/odofreebsd_pf.conf
@@ -22,7 +22,10 @@ rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 1.1.1
 # filtering
 block log all
 pass out on $ext_if
+
 pass in on jail_nat
+# Allow traffic from my machine to the jails/virtual machines
+pass out on jail_nat from jail_nat
 
 # We pass on the interfaces listed in allow rather than skipping on
 # them because changes to pass rules will update when running a