diff --git a/ansible/roles/firewall/files/homeserver_pf.conf b/ansible/roles/firewall/files/homeserver_pf.conf
index dee2303..933fea2 100644
--- a/ansible/roles/firewall/files/homeserver_pf.conf
+++ b/ansible/roles/firewall/files/homeserver_pf.conf
@@ -19,12 +19,16 @@ set skip on lo
 nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (wlan0)
 rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 1.1.1.1 port 53
 
-nat pass on host_uplink0 inet proto tcp from any to any port 8081 tag ALLOWED -> (host_uplink0)
-rdr pass on $ext_if inet proto tcp from any to any port 8081 tag ALLOWED -> 10.193.223.20 port 8081
+# cloak
+nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (wlan0)
+rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.2.1 port 53 -> 1.1.1.1 port 53
+
+nat pass on restricted_nat inet proto tcp from any to any port 8081 -> (restricted_nat)
+rdr pass on $ext_if inet proto tcp from any to any port 8081 -> 10.215.2.2 port 8081
 
 # Forward ports for unifi controller
-rdr pass on $ext_if inet proto tcp from any to any port 65022 tag ALLOWED -> 10.213.177.8 port 22
-rdr pass on $ext_if inet proto {udp, tcp} from any to any port $unifi_ports tag ALLOWED -> 10.213.177.8
+rdr pass on $ext_if inet proto tcp from any to any port 65022 -> 10.213.177.8 port 22
+rdr pass on $ext_if inet proto {udp, tcp} from any to any port $unifi_ports -> 10.213.177.8
 
 # filtering
 block log all
@@ -34,6 +38,8 @@ pass in on jail_nat
 # Allow traffic from my machine to the jails/virtual machines
 pass out on jail_nat from $jail_nat_v4
 
+pass in on restricted_nat proto {udp, tcp} from any to any port { 53 51820 }
+
 # We pass on the interfaces listed in allow rather than skipping on
 # them because changes to pass rules will update when running a
 # `service pf reload` but interfaces that we `skip` will not update (I
@@ -46,7 +52,3 @@ pass on $ext_if proto icmp6 all
 
 pass in on $ext_if proto tcp to any port $tcp_pass_in
 pass in on $ext_if proto udp to any port $udp_pass_in
-
-# pass in on host_uplink0 proto udp from any to any port { 53 51820 }
-# pass out on host_uplink0 proto tcp from any to any port 8081
-# pass on host_uplink1
diff --git a/ansible/roles/jail/files/jails/cloak.conf b/ansible/roles/jail/files/jails/cloak.conf
index 181974f..dac8985 100644
--- a/ansible/roles/jail/files/jails/cloak.conf
+++ b/ansible/roles/jail/files/jails/cloak.conf
@@ -1,8 +1,11 @@
 cloak {
-    path = "/jail/main/jails/cloak";
+    path = "/jail/main/jails/${name}";
     vnet;
-    vnet.interface += "host_link2";
-    vnet.interface += "wg_uplink0";
+    exec.prestart += "/usr/local/bin/jail_netgraph_bridge start restricted_nat jail${name} 10.215.2.1/24";
+    exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop restricted_nat jail${name}";
+    vnet.interface += "jail${name}";
+    vnet.interface += "cloak";
+
     devfs_ruleset = 13;
     mount.devfs; # To expose tun device
 
diff --git a/ansible/roles/jail/files/jails/dagger.conf b/ansible/roles/jail/files/jails/dagger.conf
index cab230e..97034c8 100644
--- a/ansible/roles/jail/files/jails/dagger.conf
+++ b/ansible/roles/jail/files/jails/dagger.conf
@@ -1,7 +1,7 @@
 dagger {
-    path = "/jail/main/jails/dagger";
+    path = "/jail/main/jails/${name}";
     vnet;
-    vnet.interface += "wg_link2";
+    vnet.interface += "dagger";
 
     exec.start += "/bin/sh /etc/rc";
     exec.stop = "/bin/sh /etc/rc.shutdown jail";
diff --git a/ansible/roles/jail/files/setup_netgraph_homeserver b/ansible/roles/jail/files/setup_netgraph_homeserver
index 2b2d583..cfa53bf 100644
--- a/ansible/roles/jail/files/setup_netgraph_homeserver
+++ b/ansible/roles/jail/files/setup_netgraph_homeserver
@@ -1,56 +1,13 @@
 #!/usr/local/bin/bash
 
 cleanup() {
-    # ngctl shutdown host_link2:
-    # ngctl shutdown host_uplink0:
-    # ngctl shutdown host_bridge0:
-    # ngctl shutdown wg_link2:
-    # ngctl shutdown wg_uplink0:
-    # ngctl shutdown wg_bridge0:
-    echo ""
+    /usr/local/bin/jail_netgraph_bridge stop cloak dagger
 }
 
 setup_netgraph_start() {
     cleanup
 
-#     # Create a bridge for jails that only speak wireguard
-#     ngctl -d -f - <<EOF
-# mkpeer . eiface hook ether
-# name .:hook host_uplink0
-# EOF
-
-#     ngctl -d -f - <<EOF
-# mkpeer host_uplink0: bridge ether link0
-# name host_uplink0:ether host_bridge0
-# EOF
-
-#     ngctl -d -f - <<EOF
-# mkpeer host_bridge0: eiface link2 ether
-# name host_bridge0:link2 host_link2
-# EOF
-
-#     ifconfig $(ngctl msg 'host_uplink0:' getifname | grep Args | cut -d '"' -f 2) name host_uplink0 10.193.223.1/24 up
-#     ifconfig $(ngctl msg 'host_bridge0:link2' getifname | grep Args | cut -d '"' -f 2) name host_link2
-
-#     # Create internal bridge for jails that are forced through wireguard
-#     ngctl -d -f - <<EOF
-# mkpeer . eiface hook ether
-# name .:hook wg_uplink0
-# EOF
-
-#     ngctl -d -f - <<EOF
-# mkpeer wg_uplink0: bridge ether link0
-# name wg_uplink0:ether wg_bridge0
-# EOF
-
-#     ngctl -d -f - <<EOF
-# mkpeer wg_bridge0: eiface link2 ether
-# name wg_bridge0:link2 wg_link2
-# EOF
-
-#     ifconfig $(ngctl msg 'wg_uplink0:' getifname | grep Args | cut -d '"' -f 2) name wg_uplink0 10.241.199.1/24 up
-#     ifconfig $(ngctl msg 'wg_bridge0:link2' getifname | grep Args | cut -d '"' -f 2) name wg_link2
-
+    /usr/local/bin/jail_netgraph_bridge start cloak dagger 192.168.1.0/24
 }
 
 setup_netgraph_stop() {