diff --git a/lib.sh b/lib.sh
index 3e9adff..1c24c75 100644
--- a/lib.sh
+++ b/lib.sh
@@ -34,6 +34,7 @@ function _getnet() {
 echo "$net"
 }
+# TODO: -bios /usr/share/OVMF/OVMF_CODE.fd
 function qemu() {
 local maxram; maxram="$(_getmaxram)"
 local net; net="$(_getnet)"
diff --git a/startnat.sh b/startnat.sh
index 252d32c..367ab6d 100755
--- a/startnat.sh
+++ b/startnat.sh
@@ -24,7 +24,6 @@ if [ "$EUID" != 0 ]; then
 fi
 BRIDGE="${1-virbr0}"
-DEV="$(ip route | grep -Po '^default.*dev\s+\K\w+')"
 sysctl net.ipv4.conf.all.forwarding=1
@@ -35,22 +34,21 @@ fi
 ip link set dev "$BRIDGE" up
 ip address flush dev "$BRIDGE"
-ip address add 192.168.122.1/24 dev "$BRIDGE"
+ip address add 192.168.123.1/24 dev "$BRIDGE"
+# TODO: firewalld/nft?
 newtable INPUT
 newtable FORWARD
-newtable OUTPUT
 newtable POSTROUTING -tnat
-_iptables INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-_iptables INPUT -i virbr0 -j ACCEPT
-_iptables FORWARD -i "$BRIDGE" -o "$DEV" -j ACCEPT
-_iptables FORWARD -i "$DEV" -o "$BRIDGE" -m state --state RELATED,ESTABLISHED -j ACCEPT
+_iptables INPUT -i virbr0 -j ACCEPT
+_iptables FORWARD -i virbr0 -j ACCEPT
+_iptables FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-_iptables POSTROUTING -o "$DEV" -j MASQUERADE -tnat
+_iptables POSTROUTING -t nat -i "$BRIDGE" -j MASQUERADE
 pidof dnsmasq | grep -q "$(cat /var/run/dnsmasq-virbr0.pid)" \
- || dnsmasq --bind-dynamic \
+ || dnsmasq -z \
 -i "$BRIDGE" \
- -F 192.168.122.2,192.168.122.254,255.255.255.0 \
+ -F 192.168.123.2,192.168.123.254,255.255.255.0 \
 -x /var/run/dnsmasq-virbr0.pid
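Review bot: The new `_iptables POSTROUTING -t nat -i "$BRIDGE" -j MASQUERADE` rule in the third hunk of startnat.sh matches on an input interface, which iptables only supports in INPUT, FORWARD and PREROUTING, so the rule is likely to be rejected or never match and guest traffic would leave un-NATed. `_iptables` and `newtable` are defined outside this hunk, so confirm which chain the rule actually lands in. Matching on the guest subnet avoids the problem: `_iptables POSTROUTING -t nat -s 192.168.123.0/24 ! -o "$BRIDGE" -j MASQUERADE`. The added INPUT and FORWARD rules also hard-code `virbr0` although the bridge comes from `BRIDGE="${1-virbr0}"`, so with any other bridge argument they accept traffic on the wrong interface; use `-i "$BRIDGE"` in both. With `-o "$DEV"` removed, the FORWARD accept now lets guests reach every network the host can route to rather than only the default uplink, which deserves a comment on the rule or a narrower match.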