diff --git a/ansible/roles/base/tasks/freebsd.yaml b/ansible/roles/base/tasks/freebsd.yaml
index 0b3dbc8..6d3315b 100644
--- a/ansible/roles/base/tasks/freebsd.yaml
+++ b/ansible/roles/base/tasks/freebsd.yaml
@@ -79,7 +79,7 @@
 - name: Delete rc.conf
 file:
 path: /etc/rc.conf
- start: absent
+ state: absent
 when: rc_conf is not defined
 - name: Add fstab entries
diff --git a/ansible/roles/firewall/files/odofreebsd_pf.conf b/ansible/roles/firewall/files/odofreebsd_pf.conf
index f7649ff..a672763 100644
--- a/ansible/roles/firewall/files/odofreebsd_pf.conf
+++ b/ansible/roles/firewall/files/odofreebsd_pf.conf
@@ -1,5 +1,6 @@
 ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }"
 jail_net_v4 = "10.193.223.0/24"
+full_nat_v4 = "10.213.177.0/24"
 dhcp = "{ bootpc, bootps }"
 # allow = "{ host_uplink0 }"
@@ -14,8 +15,10 @@ set skip on lo
 # redirections
 nat on $ext_if inet from $jail_net_v4 to { any, !$jail_net_v4 } tag ALLOWED -> (wlan0)
+nat on $ext_if inet from $full_nat_v4 to { any, !$full_nat_v4 } tag ALLOWED -> (wlan0)
 rdr on host_uplink0 inet proto {tcp, udp} from any to 10.193.223.1 port 53 tag ALLOWED -> 1.1.1.1 port 53
+rdr on host_uplink1 inet proto {tcp, udp} from any to 10.213.177.1 port 53 tag ALLOWED -> 1.1.1.1 port 53
 # filtering
 block log all
@@ -38,3 +41,4 @@ pass in on $ext_if proto udp to any port $udp_pass_in
 pass quick on $ext_if proto udp from any port $dhcp to any port $dhcp
 pass in on host_uplink0 proto udp from any to any port { 53 51820 }
+pass in on host_uplink1
diff --git a/ansible/roles/jail/files/setup_netgraph_odo b/ansible/roles/jail/files/setup_netgraph_odo
index 7ed26c9..1a0cef7 100644
--- a/ansible/roles/jail/files/setup_netgraph_odo
+++ b/ansible/roles/jail/files/setup_netgraph_odo
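Review bot: The corrected `state: absent` makes the "Delete rc.conf" task effective for what is very likely the first time: `start` is not a parameter of the file module, so the old task would have been rejected as unsupported rather than executed. After this fix every host on which `rc_conf` is undefined — including one where the variable is merely misspelled in inventory or group_vars — loses /etc/rc.conf, the file that carries FreeBSD's service and network configuration, and the task gives no hint why that is wanted. Consider a comment above the task naming which hosts are meant to run without an rc.conf, and making the deletion an explicit opt-in instead of the behaviour for an unset variable, e.g. `when: rc_conf is not defined and (purge_rc_conf | default(false))` (the flag name is illustrative).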
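Review bot: `pass in on host_uplink1` carries no source, protocol, port or destination qualifier, so unlike the `host_uplink0` rule directly above it (UDP 53 and 51820 only) it admits every packet arriving on that interface: towards the host's own services, towards the jail network `$jail_net_v4`, and — with pf's default floating state policy — onward through the `full_nat_v4` NAT rule added in the second hunk of this file. If the intent is only unrestricted internet egress for 10.213.177.0/24, at least pin the source and keep the other internal network out of reach, e.g. `pass in on host_uplink1 inet from $full_nat_v4 to !$jail_net_v4`, and decide separately whether this network may reach the host itself (`self`), which the rule as written permits. The `full_nat_v4` macro introduced in the first hunk would also benefit from a one-line comment stating that this network is deliberately unfiltered, so the missing port list here reads as intended rather than unfinished.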
@@ -7,11 +7,15 @@ cleanup() {
 ngctl shutdown wg_link2:
 ngctl shutdown wg_uplink0:
 ngctl shutdown wg_bridge0:
+ ngctl shutdown host_link3:
+ ngctl shutdown host_uplink1:
+ ngctl shutdown host_bridge1:
 }
 setup_netgraph_start() {
 cleanup
+ # Create a bridge for jails that only speak wireguard
 ngctl -d -f - <