diff --git a/modules/networking.nix b/modules/networking.nix
index 2193a19..ab522b0 100644
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -26,11 +26,9 @@
     nssmdns = true;
     publish = {
       enable = true;
-      userServices = true;
+      addresses = true;
       domain = true;
-      workstation = true;
     };
-    reflector = true;
   };
 
   # Firewall configuration
@@ -38,6 +36,7 @@
     allowedTCPPorts = [
       445 # Samba
       139 # Samba
+      2222 # VM SSH
       5000 # Sybase
     ];
     allowedUDPPorts = [
@@ -48,11 +47,21 @@
     allowPing = true;
   };
 
-  # Enable NAT for wireguard
+  # Enable NAT for wireguard and forward ports to sica VM
   networking.nat = {
     enable = true;
     externalInterface = "eth0";
-    internalInterfaces = [ "wg0" ];
+    internalInterfaces = [ "wg0" "br0" ];
+    forwardPorts = [
+      {
+        destination = "192.168.122.100:22";
+        sourcePort = 2222;
+      }
+      {
+        destination = "192.168.122.100:5000";
+        sourcePort = 5000;
+      }
+    ];
   };
 
   # Wireguard setup
@@ -71,4 +80,29 @@
     };
   };
 
+  # QEMU virtual bridge
+  networking.interfaces.br0 = {
+    ipv4.addresses = [{
+      address = "192.168.122.1";
+      prefixLength = 24;
+    }];
+  };
+  networking.bridges.br0.interfaces = [ ];
+
+  services.dhcpd4 = {
+    enable = true;
+    interfaces = [ "br0" ];
+    extraConfig = ''
+      option routers 192.168.122.1;
+      option broadcast-address 192.168.122.255;
+      option subnet-mask 255.255.255.0;
+      option domain-name-servers 1.1.1.1, 8.8.8.8;
+      default-lease-time -1;
+      max-lease-time -1;
+      subnet 192.168.122.0 netmask 255.255.255.0 {
+        range 192.168.122.100 192.168.122.200;
+      }
+    '';
+  };
+
 }
diff --git a/modules/virtualization.nix b/modules/virtualization.nix
index f86fb9f..1fceb42 100644
--- a/modules/virtualization.nix
+++ b/modules/virtualization.nix
@@ -4,9 +4,10 @@
   # Enable virtualisation
   virtualisation.libvirtd = {
     enable = true;
+    qemuRunAsRoot = false;
     onBoot = "ignore";
     onShutdown = "shutdown";
-    qemuPackage = pkgs.qemu_kvm;
+    allowedBridges = [ "br0" ];
   };
 
   # Declarative configuration of the VMs
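Review bot: `2222 # VM SSH` in the firewall hunk goes into the global `allowedTCPPorts`, so the port is opened on every interface, including the external `eth0` that the NAT block in the following hunk DNATs from; nothing in the diff limits the VM's SSH to the WireGuard side. As far as I can tell the `forwardPorts` DNAT rewrites inbound packets before they reach the host's INPUT chain, so this entry mainly affects non-forwarded traffic to the host itself, and if VPN-only reachability is the intent it should be scoped with `networking.firewall.interfaces.wg0.allowedTCPPorts = [ 2222 ];` rather than opened globally. A short comment stating whether 2222 is meant to be reachable from the Internet would settle this for the next reader. The enclosing `networking.firewall` attribute set starts before this hunk.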
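Review bot: Both `forwardPorts` entries in the NAT hunk target `192.168.122.100`, which is the first address of the dynamic `range 192.168.122.100 192.168.122.200` that the dhcpd4 config in the next hunk hands out, so the forwards only work while the VM happens to hold that particular lease. Pin it instead: give the guest a fixed MAC on the QEMU command line in virtualization.nix (`mac=<VM_MAC>` on the `-nic bridge,...` option) and add a reservation such as `host sica { hardware ethernet <VM_MAC>; fixed-address 192.168.122.100; }` to `extraConfig`, with the dynamic range starting above it. The same hunk also forwards 22 and 5000 (Sybase) from `eth0` into the guest, which the comment `# Enable NAT for wireguard and forward ports to sica VM` does not make explicit; stating that these are intentionally reachable on the external interface, or restricting them if not, would help.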
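Review bot: The `services.dhcpd4` block in the last networking.nix hunk declares `default-lease-time -1;` and `max-lease-time -1;`, i.e. infinite leases, so bindings never expire, and the server is not declared `authoritative;`, so clients holding a stale address from elsewhere are never NAKed; consider adding `authoritative;` and a finite lease time once a fixed-address reservation exists for the guest. This module also runs ISC dhcpd, which is end-of-life upstream and, as far as I know, on its way out of NixOS in favour of Kea, so a comment noting the intended migration path is worth adding to new infrastructure. `networking.bridges.br0.interfaces = [ ];` is correct for a bridge that only QEMU taps join, but a comment like `# no host NICs: members are the tap devices qemu-bridge-helper adds` would stop it being mistaken for an incomplete config.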
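Review bot: `qemuRunAsRoot = false;` in the virtualization.nix hunk only governs guests managed by libvirtd, while the `sica` VM in the next hunk is launched from a systemd script and runs as whatever user that unit specifies (outside this diff); if the unit runs as root, the hardening does not cover it. `allowedBridges = [ "br0" ];` appears to be what populates the bridge.conf read by qemu-bridge-helper, so it is load-bearing for the `-nic bridge,br=br0` line in the next hunk even though that VM is not a libvirt domain; a comment such as `# needed by qemu-bridge-helper for the sica service, not only libvirt domains` would keep someone from removing it. Dropping `qemuPackage = pkgs.qemu_kvm` while the script moves to `pkgs.qemu` also switches to the full build; if `qemu_kvm` turned out to be unsuitable for bridge mode, the reason belongs in a comment.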
@@ -16,7 +17,7 @@
     script = ''
       disk=/vault/VMs/sica.qcow2
       sock=/run/qemu-sica.mon.sock
-      ${pkgs.qemu_kvm}/bin/qemu-kvm -m 1G -nic user,hostfwd=tcp::2222-:22,hostfwd=tcp::5000-:5000 -hda $disk -monitor unix:$sock,server,nowait -nographic
+      ${pkgs.qemu}/bin/qemu-kvm -m 1G -nic bridge,br=br0,model=virtio --hda $disk -monitor unix:$sock,server,nowait -nographic
     '';
     preStop = ''
       echo 'system_powerdown' | ${pkgs.socat}/bin/socat - UNIX-CONNECT:/run/qemu-sica.mon.sock
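Review bot: The new command line mixes option styles: `--hda $disk` sits next to `-m`, `-nic` and `-monitor`; QEMU accepts both forms, but keep the single-dash `-hda $disk` used by the removed line for consistency. `-nic bridge,br=br0,model=virtio` relies on qemu-bridge-helper, which needs either root or a setuid/CAP_NET_ADMIN helper plus an `allow br0` entry in bridge.conf; the unit's user and capabilities are set outside this hunk, so confirm the guest is not being run as root merely to satisfy the helper, since the old user-mode `-nic user,hostfwd=...` needed no privileges at all. The `script = ''` block is fully inside the hunk, but the enclosing systemd service definition begins before it.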