diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix
index 82f5fdc..6cf5f71 100644
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@@ -98,7 +98,7 @@ in {
  zones = lib.mkForce {
  lan.interfaces = ["lan-self"];
  wan.interfaces = ["wan"];
- "local-vms".interfaces = ["wg-local-vms"];
+ local-vms.interfaces = ["local-vms"];
  };
 
  rules = lib.mkForce {
diff --git a/modules/microvms.nix b/modules/microvms.nix
index 6536ef0..37fee8e 100644
--- a/modules/microvms.nix
+++ b/modules/microvms.nix
@@ -165,7 +165,7 @@
  networking.nftables.firewall = {
  zones = mkForce {
  "${vmCfg.networking.mainLinkName}".interfaces = [vmCfg.networking.mainLinkName];
- "local-vms".interfaces = ["wg-local-vms"];
+ local-vms.interfaces = ["local-vms"];
  };
 
  rules = mkForce {
@@ -175,7 +175,7 @@
  };
 
  local-vms-to-local = {
- from = ["wg-local-vms"];
+ from = ["local-vms"];
  to = ["local"];
  };
  };
@@ -193,6 +193,7 @@
  via = nodeName;
  keepalive = false;
  };
+ linkName = "local-vms";
  ipv4 = net.cidr.host vmCfg.id cfg.networking.wireguard.cidrv4;
  ipv6 = net.cidr.host vmCfg.id cfg.networking.wireguard.cidrv6;
  };
@@ -401,9 +402,25 @@ in {
  inherit (cfg.networking) host;
  inherit (cfg.networking.wireguard) openFirewallRules port;
  };
+ linkName = "local-vms";
  ipv4 = net.cidr.host 1 cfg.networking.wireguard.cidrv4;
  ipv6 = net.cidr.host 1 cfg.networking.wireguard.cidrv6;
  };
+
+ # Create a firewall zone for the secure vm traffic
+ # TODO mkForce nftables
+ networking.nftables.firewall = {
+ zones = mkForce {
+ local-vms.interfaces = ["local-vms"];
+ };
+
+ rules = mkForce {
+ local-vms-to-local = {
+ from = ["local-vms"];
+ to = ["local"];
+ };
+ };
+ };
  }
  // extraLib.mergeToplevelConfigs ["disko" "microvm" "systemd"] (mapAttrsToList microvmConfig vms)
  );
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index 52f33d1..315515f 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
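Review bot: The new `networking.nftables.firewall` block in the microvms.nix hunk at @@ -401 applies `mkForce` to both `zones` and `rules` from inside a shared module, so any zone or rule a host defines at normal priority is silently dropped instead of merged, with no evaluation error to point at the missing firewall rule; the `# TODO mkForce nftables` comment acknowledges this but leaves it in. The same zone and rule are also still defined with `lib.mkForce` in hosts/ward/net.nix (first hunk); if ward imports this module both definitions sit at the same forced priority and, assuming `interfaces` is a list option, merge into a duplicated `["local-vms" "local-vms"]` rather than failing, so one copy is redundant. I would drop `mkForce` here and let the module system merge the definitions, or replace the TODO with a comment stating why forcing is needed: `# mkForce: discards every other nftables zone/rule defined on this host — confirm this is intended`. The header comment could also name the traffic precisely: `# Zone and rule for the host<->microvm wireguard link (interface "local-vms")`. The attribute set this block belongs to begins outside the hunk.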
@@ -87,11 +87,12 @@
  # Adds context information to the assertions for this network
  assertionPrefix = "Wireguard network '${wgName}' on '${nodeName}'";
 
- # Calculates which traffic should be routed to a given server node
+ # Calculates the allowed ips for another server from our perspective.
  # Usually we just want to allow other peers to route traffic
  # for our "children" through us, additional to traffic to us of course.
  # If a server exposes additional network access (global, lan, ...),
- # these can be added aswell. TODO (do that)
+ # these can be added aswell.
+ # TODO (do that)
  serverAllowedIPs = serverNode: let
  snCfg = wgCfgOf serverNode;
  in
@@ -160,7 +161,7 @@
  systemd.network.netdevs."${toString wgCfg.priority}-${wgName}" = {
  netdevConfig = {
  Kind = "wireguard";
- Name = "${wgName}";
+ Name = wgCfg.linkName;
  Description = "Wireguard network ${wgName}";
  };
  wireguardConfig =
@@ -228,7 +229,7 @@
  };
 
  systemd.network.networks."${toString wgCfg.priority}-${wgName}" = {
- matchConfig.Name = wgName;
+ matchConfig.Name = wgCfg.linkName;
  address = map toNetworkAddr wgCfg.addresses;
  };
  };
@@ -315,6 +316,12 @@ in {
  description = mdDoc "The order priority used when creating systemd netdev and network files.";
  };
 
+ linkName = mkOption {
+ default = "wg-${name}";
+ type = types.str;
+ description = mdDoc "The name for the created network interface.";
+ };
+
  ipv4 = mkOption {
  type = net.types.ipv4;
  description = mdDoc "The ipv4 address for this machine.";
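Review bot: `Name = wgCfg.linkName` in the netdev hunk at @@ -160 decouples the kernel interface name from `wgName`, but only the two systemd unit fields are updated; if anything else in this module still derives the interface name from `wgName` (for example whatever honours `openFirewallRules`, which is not visible here), it now refers to an interface that does not exist once a caller overrides `linkName`, as microvms.nix does with `"local-vms"`. Worth checking the rest of wireguard.nix for `wgName` used as an interface name and switching those sites to `wgCfg.linkName`. The `matchConfig.Name` hunk at @@ -228 is the other half of the same rename; both enclosing attribute sets start and end outside their hunks.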
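Review bot: `linkName` in the options hunk at @@ -315 is typed `types.str` with default `"wg-${name}"`, but Linux interface names are limited to 15 bytes (IFNAMSIZ minus the terminator) and may not contain `/` or whitespace, so a network name longer than 12 characters yields a default that systemd-networkd rejects at runtime instead of at evaluation time. A stricter type surfaces this during the build: `type = types.strMatching "[^/[:space:]]{1,15}";`. The description should also state the default and the limit: `description = mdDoc "The name of the created network interface (at most 15 bytes, no '/' or whitespace). Defaults to wg-<network name>.";`.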