diff --git a/hosts/sausebiene/esphome.nix b/hosts/sausebiene/esphome.nix
index 89da3d6..422ee98 100644
--- a/hosts/sausebiene/esphome.nix
+++ b/hosts/sausebiene/esphome.nix
@@ -51,6 +51,9 @@ in
 extraConfig = ''
 allow ${globals.net.home-lan.vlans.home.cidrv4};
 allow ${globals.net.home-lan.vlans.home.cidrv6};
+ # Firezone traffic
+ allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4};
+ allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6};
 deny all;
 '';
 };
diff --git a/hosts/sausebiene/home-assistant.nix b/hosts/sausebiene/home-assistant.nix
index 821bbf3..06beefe 100644
--- a/hosts/sausebiene/home-assistant.nix
+++ b/hosts/sausebiene/home-assistant.nix
@@ -234,8 +234,12 @@ in
 allow ${globals.net.home-lan.vlans.home.cidrv6};
 allow ${globals.net.home-lan.vlans.devices.cidrv4};
 allow ${globals.net.home-lan.vlans.devices.cidrv6};
+ # Self-traffic (needed for media in Voice PE)
 allow ${globals.net.home-lan.vlans.services.hosts.sausebiene.ipv4};
 allow ${globals.net.home-lan.vlans.services.hosts.sausebiene.ipv6};
+ # Firezone traffic
+ allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4};
+ allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6};
 deny all;
 '';
 };
diff --git a/hosts/sentinel/firezone.nix b/hosts/sentinel/firezone.nix
index 249ee6c..41cce45 100644
--- a/hosts/sentinel/firezone.nix
+++ b/hosts/sentinel/firezone.nix
@@ -7,6 +7,9 @@
 }:
 let
 firezoneDomain = "firezone.${globals.domains.me}";
+ # FIXME: dont hardcode, filter global service domains by internal state
+ # FIXME: new entry here? make new adguardhome entry too.
+ # FIXME: new entry here? make new firezone gateway on ward entry too.
 homeDomains = [
 globals.services.grafana.domain
 globals.services.immich.domain
@@ -91,8 +94,6 @@ in
 };
 };
- # FIXME: dont hardcode, filter global service domains by internal state
- # FIXME: new entry here? make new adguardhome entry too.
 resources = lib.genAttrs homeDomains (domain: {
 type = "dns";
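Review bot: The two added `allow` lines for ward's services-VLAN address admit every Firezone client at once, because the gateway on ward masquerades tunnel traffic (`masquerade-firezone` in hosts/ward/net.nix in this same commit), so nginx only ever sees ward's own IP and can no longer distinguish one VPN user from another. That is acceptable if per-user authorization is meant to live in Firezone's resource policies, but the allow-list comment should say so, because a reader will otherwise assume the entry still identifies a single trusted host: `# Firezone clients (masqueraded behind ward's services-VLAN address; per-client access is enforced by Firezone policies, not by this list)`. Note also that if the masquerade is ever removed, these two entries stop matching and VPN clients fall through to `deny all`. The attribute set that closes at `};` starts before the hunk.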
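Review bot: The new ward entries at the end of the allow-list grant access to all Firezone clients collectively, since the gateway on ward masquerades tunnel traffic (`masquerade = true` in hosts/ward/net.nix) and Home Assistant therefore sees every VPN user as ward's services-VLAN address. Beyond the authorization question, any source-IP based protection in Home Assistant itself (its login-attempt IP ban, if it is enabled — the HA config is not in this diff) would lump all VPN clients together, so one misbehaving client could lock the rest out; worth confirming. I would extend the comment to `# Firezone clients, masqueraded by the gateway on ward; nginx cannot tell them apart, per-user access relies on Firezone policies`. The enclosing attribute set starts before the hunk.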
@@ -152,6 +153,8 @@ in
 openFirewall = true;
 };
+ systemd.services.firezone-relay.environment.HEALTH_CHECK_ADDR = "127.0.0.1:17999";
+
 services.nginx = {
 upstreams.firezone = {
 servers."127.0.0.1:${toString config.services.firezone.server.web.port}" = { };
diff --git a/hosts/sentinel/secrets/firezone-relay-token.age b/hosts/sentinel/secrets/firezone-relay-token.age
index f8b6943..2981a85 100644
Binary files a/hosts/sentinel/secrets/firezone-relay-token.age and b/hosts/sentinel/secrets/firezone-relay-token.age differ
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index f5ed3ec..1a14726 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -7,6 +7,21 @@
 nodes,
 ...
 }:
+let
+ # FIXME: dont hardcode, filter global service domains by internal state
+ # FIXME: new entry here? make new adguardhome entry too.
+ # FIXME: new entry here? make new firezone entry too.
+ homeDomains = [
+ globals.services.grafana.domain
+ globals.services.immich.domain
+ globals.services.influxdb.domain
+ globals.services.loki.domain
+ globals.services.paperless.domain
+ globals.services.esphome.domain
+ globals.services.home-assistant.domain
+ "fritzbox.${globals.domains.personal}"
+ ];
+in
 {
 imports = [
 inputs.nixos-hardware.nixosModules.common-cpu-intel
@@ -63,6 +78,9 @@
 rekeyFile = config.node.secretsDir + "/firezone-gateway-token.age";
 };
+ networking.hosts.${globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv6} = homeDomains;
+ networking.hosts.${globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4} = homeDomains;
+ systemd.services.firezone-gateway.environment.HEALTH_CHECK_ADDR = "127.0.0.1:17999";
 services.firezone.gateway = {
 enable = true;
 name = "ward";
diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix
index b7c900c..d5f99ed 100644
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
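Review bot: The added `HEALTH_CHECK_ADDR = "127.0.0.1:17999"` line has no comment explaining why it is set, and the same literal is repeated for the gateway in hosts/ward/default.nix, so the intent is easy to lose. Presumably the relay's health endpoint would otherwise bind a non-loopback address on sentinel, which is internet-facing and has `openFirewall = true` just above (whether that option also opens the health port cannot be seen here); pinning it to loopback is the right call, so state it: `# Keep the relay's unauthenticated health endpoint on loopback only; it is for local monitoring, not for exposure`. If the relay's default bind is in fact already loopback, the comment should instead say the port was chosen to avoid a clash. The `services.nginx` block continues outside the hunk.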
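Review bot: The two `networking.hosts` lines pin every `homeDomains` entry to ward-web-proxy without saying why the gateway needs host-file overrides at all, and that matters because anyone adding a resource to Firezone on sentinel now also has to edit this list (the FIXMEs above acknowledge the triplication with adguardhome.nix). Presumably the Firezone gateway resolves DNS resources with ward's own resolver and forwards to whatever answer it gets, so without the override a tunnelled client could be sent to the public address of one of these names instead of the internal proxy; if that is the reason, record it above the two lines: `# Firezone DNS resources are resolved on the gateway; force the home domains to the internal web proxy so tunnelled clients never get the public address`. `"fritzbox.${globals.domains.personal}"` is in the list too and is therefore also redirected to ward-web-proxy, so confirm the proxy really serves it. The `services.firezone.gateway` block continues outside the hunk.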
@@ -110,6 +110,7 @@ in
 [
 # FIXME: dont hardcode, filter global service domains by internal state
 # FIXME: new entry here? make new firezone entry too.
+ # FIXME: new entry here? make new firezone gateway on ward entry too.
 globals.services.grafana.domain
 globals.services.immich.domain
 globals.services.influxdb.domain
diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix
index a45039b..1f06a95 100644
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@@ -169,6 +169,7 @@
 {
 untrusted.interfaces = [ "wan" ];
 proxy-home.interfaces = [ "proxy-home" ];
+ firezone.interfaces = [ "tun-firezone" ];
 adguardhome.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4 ];
 adguardhome.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6 ];
 web-proxy.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4 ];
@@ -260,6 +261,28 @@
 to = [ "proxy-home" ];
 verdict = "accept";
 };
+
+ # masquerade firezone traffic
+ masquerade-firezone = {
+ from = [ "firezone" ];
+ to = [ "vlan-services" ];
+ masquerade = true;
+ late = true; # Only accept after any rejects have been processed
+ verdict = "accept";
+ };
+
+ # forward firezone traffic
+ forward-incoming-firezone-traffic = {
+ from = [ "firezone" ];
+ to = [ "vlan-services" ];
+ verdict = "accept";
+ };
+
+ forward-outgoing-firezone-traffic = {
+ from = [ "vlan-services" ];
+ to = [ "firezone" ];
+ verdict = "accept";
+ };
 };
 };
diff --git a/hosts/ward/secrets/firezone-gateway-token.age b/hosts/ward/secrets/firezone-gateway-token.age
index cff2ce4..f6cc050 100644
Binary files a/hosts/ward/secrets/firezone-gateway-token.age and b/hosts/ward/secrets/firezone-gateway-token.age differ
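Review bot: `forward-outgoing-firezone-traffic` accepts new connections from the whole services VLAN into the Firezone tunnel, which is broader than the masquerade setup needs: replies to masqueraded flows are matched by conntrack, and if this firewall module accepts established/related traffic by default (it looks like nixos-nftables-firewall, but the conntrack setting is not in this diff), the rule only adds the ability for services-VLAN hosts to reach VPN clients unsolicited. Either drop that rule or document the reverse direction as intentional, e.g. `# Let services-VLAN hosts initiate connections to VPN clients (replies do not need this)`. Separately, the `late = true; # Only accept after any rejects have been processed` comment on `masquerade-firezone` is undercut by `forward-incoming-firezone-traffic`, which accepts the same `firezone` → `vlan-services` pair without `late`, so any reject placed between them never applies; keep one of the two accepts, or mark both late. Since the masquerade also hides the individual client behind ward's address, downstream allow-lists (esphome, home-assistant in this commit) can no longer tell VPN users apart, which is worth a comment on `masquerade-firezone` too. The enclosing `rules` attribute set starts before the hunk.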
diff --git a/secrets/rekeyed/sentinel/7b54639dac73dffe8f9b3ef8f8397aa8-firezone-relay-token.age b/secrets/rekeyed/sentinel/7b54639dac73dffe8f9b3ef8f8397aa8-firezone-relay-token.age
new file mode 100644
index 0000000..084905f
Binary files /dev/null and b/secrets/rekeyed/sentinel/7b54639dac73dffe8f9b3ef8f8397aa8-firezone-relay-token.age differ
diff --git a/secrets/rekeyed/ward/4c7905ddc4c355cd7b02931f73a0b7e9-firezone-gateway-token.age b/secrets/rekeyed/ward/4c7905ddc4c355cd7b02931f73a0b7e9-firezone-gateway-token.age
new file mode 100644
index 0000000..03ae176
Binary files /dev/null and b/secrets/rekeyed/ward/4c7905ddc4c355cd7b02931f73a0b7e9-firezone-gateway-token.age differ