diff --git a/machines/kat-manah/configuration.nix b/machines/kat-manah/configuration.nix index 3905e94..cc6d91a 100644 --- a/machines/kat-manah/configuration.nix +++ b/machines/kat-manah/configuration.nix @@ -126,14 +126,48 @@ }; networking = { - nftables.tables.nat = { - family = "ip"; - content = '' - chain postrouting { - type nat hook postrouting priority 100; - ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 masquerade - }; - ''; + nftables.tables = { + nat = { + family = "ip"; + content = '' + chain postrouting { + type nat hook postrouting priority 100; + ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 masquerade + }; + ''; + }; + filter = { + family = "inet"; + content = '' + chain forward { + type filter hook forward priority filter; policy accept; + ct state vmap { + invalid: drop, + established: accept, + related: accept, + new: jump forward_decide, + untracked: jump forward_decide, + }; + } + chain forward_decide { + # Allow samba access + ip saddr 192.168.1.0/24 ip daddr 192.168.1.0/24 accept; + + # Block access to vpn + ip saddr { + 192.168.1.0/24, + 192.168.122.0/24, + } ip daddr { + 100.80.0.0/16, + 192.168.0.0/16, + 10.42.0.0/16, + } jump forward_reject; + } + chain forward_reject { + reject with icmpx type admin-prohibited; + } + ''; + }; }; firewall = { allowedTCPPorts = [ diff --git a/machines/kat-probook/configuration.nix b/machines/kat-probook/configuration.nix index d787d3e..54c5442 100644 --- a/machines/kat-probook/configuration.nix +++ b/machines/kat-probook/configuration.nix @@ -67,6 +67,12 @@ in address = [ "10.42.1.1/16" ]; + networkConfig = { + DNS = [ + "100.80.129.176" + ]; + Domains = "dgnum"; + }; }; "50-wg1" = { name = "wg1"; diff --git a/machines/kat-watcher/configuration.nix b/machines/kat-watcher/configuration.nix index 049cec9..608b880 100644 --- a/machines/kat-watcher/configuration.nix +++ b/machines/kat-watcher/configuration.nix 
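Review bot: In the new `filter` table, `forward_decide` has no terminal verdict, so a forwarded packet that matches neither the samba rule nor the block list returns to `forward` and is accepted by `policy accept;` — the table is a deny-list, and anything not enumerated (including all IPv6 forwarding, since every rule is `ip`-only under `family = "inet"`) passes. If only the documented flows are intended, use `policy drop;` with explicit accepts, or at least record the fallback above the chain: `# unmatched traffic falls back to the forward chain and is accepted`. The comment `# Block access to vpn` also understates the rule: `192.168.0.0/16` in daddr covers the LAN (192.168.1.0/24) and the libvirt bridge (192.168.122.0/24), so guests are cut off from the LAN and vice versa, with only LAN-to-LAN excepted by the samba rule above; `# Block access to vpn ranges and isolate the VM bridge from the LAN` describes it. The enclosing `networking` attribute set starts and ends outside the hunk.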
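Review bot: `Domains = "dgnum"` without a `~` prefix makes `dgnum` a search domain as well as a routing domain, so unqualified names on kat-probook get `.dgnum` appended and are sent to `100.80.129.176` over wg0; if that resolver is only meant to answer for its own zone, `Domains = "~dgnum";` keeps it routing-only. The server is queried in plain DNS through the tunnel (no `DNSOverTLS`/`DNSSEC` here), which is reasonable only if `100.80.0.0/16` is actually routed via wg0 — that is set by peer configuration outside this hunk. The enclosing network block (`address = [ "10.42.1.1/16" ]`) starts outside the hunk.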
@@ -1,6 +1,11 @@ { pkgs, + lib, meta, + kat-path, + ssh-keys, + sources, + self-meta, ... }: { @@ -27,8 +32,53 @@ networking = { useDHCP = false; firewall.allowedUDPPorts = [ 1194 ]; - nftables = { - enable = true; + nftables.tables = { + nat = { + family = "ip"; + content = '' + chain postrouting { + type nat hook postrouting priority 100; + ip saddr 192.168.121.2 masquerade + }; + ''; + }; + filter = { + family = "inet"; + content = '' + set vpn { + type ipv4_addr + flags interval + auto-merge + elements = { + 100.80.0.0/16, + 10.42.0.0/16, + 192.168.1.0/24, + 192.168.122.0/24, + } + }; + chain forward { + type filter hook forward priority filter; policy accept; + ct state vmap { + invalid: drop, + established: accept, + related: accept, + new: jump forward_decide, + untracked: jump forward_decide, + }; + } + chain forward_decide { + # Allow vpn inside + ip saddr @vpn ip daddr @vpn accept; + + ip saddr 192.168.121.2 ip daddr != @vpn accept; + + jump forward_reject; + } + chain forward_reject { + reject with icmpx type admin-prohibited; + } + ''; + }; }; }; systemd.network = { @@ -55,6 +105,15 @@ name = "wg0"; address = [ "10.42.0.2/16" ]; }; + "25-netbird" = { + name = "ve-dgnum-neoKM9"; + routes = [ + { + Destination = "100.80.0.0/16"; + Gateway = "192.168.121.2"; + } + ]; + }; }; netdevs = { "50-wg0" = { 
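Review bot: The second hunk removes `enable = true;` from `networking.nftables` while adding `nftables.tables`; setting `tables` does not by itself enable nftables, so unless a shared module (presumably reached via `kat-path`, as kat-manah seems to rely on) turns it on, neither the `nat` masquerade nor the `filter` allow-list is loaded and forwarding between wg0 and the container veth runs unfiltered. Keep `nftables.enable = true;` next to `tables`, or add a comment naming where it is enabled. The allow-list itself reads correctly: `forward_decide` ends in an unconditional `jump forward_reject`, so non-matching traffic (IPv6 included) is rejected instead of falling through to `policy accept`. The enclosing `networking` set starts outside the hunk.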
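Review bot: In the third hunk the route toward the container is keyed on the hard-coded link name `ve-dgnum-neoKM9`, which looks like the host-side veth name NixOS derives from the container name `dgnum-netbird` (truncated with a hash suffix); renaming the container would silently drop the `100.80.0.0/16` route with no evaluation error, and traffic for that range would take the default route instead. Add a comment tying it to its origin, e.g. `# host veth of containers.dgnum-netbird; derived name (truncated + hash), regenerate if the container is renamed`, or give the link a name you control. The enclosing `networks` set starts and ends outside the hunk.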
@@ -73,6 +132,54 @@ }; }; }; + containers.dgnum-netbird = { + privateNetwork = true; + hostAddress = "192.168.121.1"; + localAddress = "192.168.121.2"; + autoStart = true; + specialArgs = { + inherit + kat-path + ssh-keys + sources + self-meta + ; + }; + config = { + imports = [ kat-path ]; + kat.addArgs = false; + boot.kernel = { + enable = false; + sysctl."net.ipv4.ip_forward" = true; + }; + systemd.network.networks."10-eth0" = { + name = "eth0"; + dns = [ + "8.8.8.8" + "1.1.1.1" + ]; + }; + networking = { + useHostResolvConf = false; + firewall.allowedUDPPorts = [ 53 ]; + nftables.tables.nat = { + family = "ip"; + content = '' + chain postrouting { + type nat hook postrouting priority 100; + ip daddr 100.80.0.0/16 masquerade + }; + ''; + }; + }; + services = { + resolved.enable = lib.mkForce true; + openssh.enable = true; + netbird.enable = true; + }; + system.stateVersion = "24.11"; + }; + }; security.acme = { acceptTerms = true; diff --git a/machines/kat-watcher/default.nix b/machines/kat-watcher/default.nix index 6e0456d..1a690f1 100644 --- a/machines/kat-watcher/default.nix +++ b/machines/kat-watcher/default.nix @@ -3,6 +3,9 @@ version = "unstable"; wg-key = "BgLBrWG7DRj2Gwoyj+vHZTjiB3gPEnwVcDFEQH/BYgg="; fqdn = "watcher.katvayor.net"; + subnets = [ + "100.80.0.0/16" + ]; vpn-ip4 = "10.42.0.2"; vpn-hub = true; };
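Review bot: `firewall.allowedUDPPorts = [ 53 ]` opens DNS on every interface of the container, including the netbird tunnel interface once it is up, not only on `eth0` toward the host; the hunk does not show what listens on 53 (resolved binds `127.0.0.53` by default, netbird's DNS is configured at runtime), so if the purpose is serving peers that arrive via the host, scope it: `firewall.interfaces.eth0.allowedUDPPorts = [ 53 ];`. The container's upstream resolvers are public `8.8.8.8`/`1.1.1.1` over plain UDP — worth a comment, since `resolved.enable` is forced on here and could carry `DNSOverTLS`. As on the host, `nftables.tables.nat` alone does not enable nftables; confirm the imported `kat-path` module does, otherwise the `ip daddr 100.80.0.0/16 masquerade` rule is never installed. The enclosing module attribute set starts and ends outside the hunk.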
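Review bot: `100.80.0.0/16` in the new `subnets` lies inside the RFC 6598 shared address space `100.64.0.0/10`, which netbird allocates from but which ISPs also use for carrier-grade NAT; advertising it from the hub (presumably into peers' `AllowedIPs`, not shown here) can capture a mobile peer's own CGNAT-side traffic. A comment on the entry would save the next reader the lookup: `# netbird overlay (dgnum); shared/CGNAT space, do not widen beyond the /16`. The enclosing attribute set starts outside the hunk.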