diff --git a/nix/os/containers/mailserver.nix b/nix/os/containers/mailserver.nix
index b906d8b..c821bf4 100644
--- a/nix/os/containers/mailserver.nix
+++ b/nix/os/containers/mailserver.nix
@@ -1,5 +1,6 @@
 {
 specialArgs,
+ hostBridge,
 hostAddress,
 localAddress,
 imapsPort ? 993,
@@ -227,5 +228,5 @@
 }
 ];
- inherit hostAddress localAddress;
+ inherit hostBridge hostAddress localAddress;
 }
diff --git a/nix/os/containers/syncthing.nix b/nix/os/containers/syncthing.nix
index 12421c7..8c0ba82 100644
--- a/nix/os/containers/syncthing.nix
+++ b/nix/os/containers/syncthing.nix
@@ -1,5 +1,6 @@
 {
 specialArgs,
+ hostBridge,
 hostAddress,
 localAddress,
 syncthingPort ? 22000,
@@ -56,5 +57,5 @@
 }
 ];
- inherit hostAddress localAddress;
+ inherit hostBridge hostAddress localAddress;
 }
diff --git a/nix/os/containers/webserver.nix b/nix/os/containers/webserver.nix
index c2c166c..0611f60 100644
--- a/nix/os/containers/webserver.nix
+++ b/nix/os/containers/webserver.nix
@@ -1,5 +1,6 @@
 {
 specialArgs,
+ hostBridge,
 hostAddress,
 localAddress,
 httpPort,
@@ -330,5 +331,5 @@ in {
 }
 ];
- inherit hostAddress localAddress;
+ inherit hostBridge hostAddress localAddress;
 }
diff --git a/nix/os/devices/router0-dmz0/configuration.nix b/nix/os/devices/router0-dmz0/configuration.nix
index 4d82178..33a6ed3 100644
--- a/nix/os/devices/router0-dmz0/configuration.nix
+++ b/nix/os/devices/router0-dmz0/configuration.nix
@@ -87,13 +87,16 @@
 then bridgeInterfaceName
 else "${bridgeInterfaceName}.${toString vlanid}";
- dmzExposedHost = "sj-srv1.dmz.internal";
+ dmzExposedHost = "sj-srv1";
+ dmzExposedHostDomain = "dmz.internal";
+ dmzExposedHostFQDN = "${dmzExposedHost}.${dmzExposedHostDomain}";
 dmzExposedHostIpv4 = mkVlanIpv4HostAddr {
 vlanid = vlansByName.dmz.id;
 host = 99;
 cidr = false;
 };
- # "sj-srv1.dmz.internal";
+
+ dmzExposedHostMACaddr = repoFlake.nixosConfigurations.${dmzExposedHost}.config.systemd.network.netdevs."10-dmz0".netdevConfig.MACAddress;
 in {
 imports = [
 nixos-sbc.nixosModules.default
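Review bot: `hostBridge` is added to the argument set at the top of mailserver.nix without a default, so every caller must now pass it even though the NixOS option it feeds (`containers.<name>.hostBridge`) defaults to `null` and the old veth/route mode keeps working when it is null; the identical hunks in syncthing.nix and webserver.nix have the same issue. Declaring it as `hostBridge ? null,` keeps existing call sites valid and lets `inherit hostBridge hostAddress localAddress;` pass the default through unchanged. The argument set and the attrset that ends with the `inherit` both continue outside their hunks.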
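Review bot: `dmzExposedHostMACaddr` at the end of the hunk reaches into `repoFlake.nixosConfigurations.${dmzExposedHost}` to read sj-srv1's netdev MAC, which makes evaluating the router configuration depend on evaluating the entire sj-srv1 configuration and quietly requires `dmzExposedHost` to be both the DHCP hostname and a `nixosConfigurations` attribute name. An evaluation error or a rename of the `"10-dmz0"` netdev on the sj-srv1 side will now fail the router build with an error that points at this line, which is a defensible single-source-of-truth trade-off but should be stated, e.g. `# Read the MAC from sj-srv1's own config so the static DHCP lease cannot drift from the macvlan it targets; note this couples router evaluation to sj-srv1's.` The `let` block this binding sits in starts outside the hunk.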
@@ -1126,8 +1129,11 @@ in {
 ) vlanRangeWith0;
- # TODO: double-check that this works
- dhcp-host = "1c:69:7a:07:08:5f,${dmzExposedHostIpv4},${dmzExposedHost}";
+ dhcp-host = builtins.concatStringsSep "," [
+ dmzExposedHostMACaddr
+ dmzExposedHostIpv4
+ dmzExposedHostFQDN
+ ];
 expand-hosts = true;
diff --git a/nix/os/devices/sj-srv1/system.nix b/nix/os/devices/sj-srv1/system.nix
index bd23a9e..a6498a4 100644
--- a/nix/os/devices/sj-srv1/system.nix
+++ b/nix/os/devices/sj-srv1/system.nix
@@ -25,15 +25,64 @@
 networking.usePredictableInterfaceNames = false;
 networking.useNetworkd = true;
- networking.useDHCP = true;
+ networking.useDHCP = false;
 networking.nat = {
 enable = true;
- internalInterfaces = ["ve-*"];
- externalInterface = "eth0";
+ internalInterfaces = ["br0"];
+ externalInterface = "dmz0";
 };
+
+ networking.bridges = {
+ br0 = {
+ interfaces = [];
+ };
+ };
+ networking.interfaces = {
+ br0 = {
+ ipv4.addresses = [
+ {
+ address = "192.168.101.1";
+ prefixLength = 24;
+ }
+ ];
+ };
+ };
+
+ systemd.network.netdevs."10-dmz0" = {
+ enable = true;
+ netdevConfig = {
+ Name = "dmz0";
+ Kind = "macvlan";
+ MACAddress = "1c:69:7a:07:08:6f";
+ };
+
+ macvlanConfig = {
+ Mode = "bridge";
+ };
+ };
+
+ systemd.network.networks."20-eth0" = {
+ enable = true;
+ matchConfig.Name = "eth0";
+
+ # TODO: i'm not sure if and if so why this is required
+ macvlan = [
+ "dmz0"
+ ];
+
+ DHCP = "no";
+ };
+
+ systemd.network.networks."30-dmz0" = {
+ enable = true;
+ matchConfig.Name = "dmz0";
+ DHCP = "yes";
+ };
+
 boot.kernel.sysctl = {
 "net.ipv4.ip_forward" = 1;
+ "net.ipv6.ip_forward" = 1;
 };
 # virtualization
@@ -84,14 +133,15 @@
 autoStart = true;
- hostAddress = "192.168.100.10";
- localAddress = "192.168.100.11";
+ hostBridge = "br0";
+ hostAddress = "192.168.101.1";
+ localAddress = "192.168.101.10/24";
 imapsPort = 993;
 sievePort = 4190;
 };
- websrv0 =
+ webserver =
 import ../../containers/webserver.nix {
 specialArgs = {
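Review bot: The new `dhcp-host` list silently changes which MAC the static lease is bound to — the removed line hard-coded `1c:69:7a:07:08:5f`, while `dmzExposedHostMACaddr` now resolves to the `10-dmz0` macvlan MAC that sj-srv1 declares in the same commit — and a reader of the dnsmasq config has no way to see that the three bare identifiers are the MAC, address and FQDN fields in dnsmasq's field order. A short comment above the list would carry both facts, e.g. `# dnsmasq dhcp-host fields: <mac>,<ipv4>,<fqdn>; the MAC is sj-srv1's dmz0 macvlan, not its physical NIC, so the lease follows that netdev's config.` The surrounding dnsmasq settings attrset starts and ends outside the hunk, so whether `dhcp-host` needs to be a list to coexist with other static leases cannot be checked here.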
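Review bot: `"net.ipv6.ip_forward" = 1;` added under `boot.kernel.sysctl` is not a Linux sysctl — there is no `net.ipv6.ip_forward` key, so systemd-sysctl will log an error for it and IPv6 forwarding stays off; the IPv6 counterpart of `net.ipv4.ip_forward` is `"net.ipv6.conf.all.forwarding" = 1;`. Be aware that turning on IPv6 forwarding makes the kernel treat the host as a router and, by default, stop honouring router advertisements on its interfaces, so if `30-dmz0` is expected to pick up an IPv6 prefix from the DMZ, confirm that the `30-dmz0` network still accepts RAs once forwarding is enabled. The `# TODO: i'm not sure if and if so why this is required` above `macvlan = [ "dmz0" ]` in `20-eth0` can be resolved: systemd-networkd only instantiates a `Kind = "macvlan"` netdev on a parent link through the parent's `.network` `MACVLAN=` setting, so without that entry `dmz0` would never be created on `eth0` and the `30-dmz0` network would have nothing to match; replace the TODO with `# Required: MACVLAN= on the parent .network is what creates dmz0 on top of eth0.` The enclosing module attrset starts and ends outside the hunk.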
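Review bot: Renaming the container from `websrv0` to `webserver` in this hunk renames its systemd unit (`container@webserver`) and its state directory, so on the next switch the old container is stopped and a fresh `webserver` container starts with an empty root filesystem; any state the web server kept inside the old container (certificates, site data, databases) is not carried over unless it lives in a bind mount from the host, which is worth a sentence in the commit message or a manual move before activating. Separately, all three containers now get `hostAddress = "192.168.101.1"`, which is br0's address from the previous hunk; if I read the NixOS container module correctly, with `hostBridge` set this address is no longer assigned to a host-side veth but the container's init still installs it as the container's default route, so a comment such as `# br0's address: with hostBridge set this only serves as the container's default gateway` would explain why three containers share one hostAddress. The container attrset for the mail server starts outside the hunk and the webserver one continues past it.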
@@ -100,8 +150,9 @@
 autoStart = true;
- hostAddress = "192.168.100.12";
- localAddress = "192.168.100.13";
+ hostBridge = "br0";
+ hostAddress = "192.168.101.1";
+ localAddress = "192.168.101.11/24";
 httpPort = 80;
 httpsPort = 443;
@@ -114,8 +165,9 @@
 };
 autoStart = true;
- hostAddress = "192.168.100.14";
- localAddress = "192.168.100.15";
+ hostBridge = "br0";
+ hostAddress = "192.168.101.1";
+ localAddress = "192.168.101.12/24";
 syncthingPort = 22000;
 };