diff --git a/playbooks/01-vpn.yml b/playbooks/01-vpn.yml index efb8d50..1315e52 100644 --- a/playbooks/01-vpn.yml +++ b/playbooks/01-vpn.yml @@ -3,5 +3,4 @@ hosts: asgard tasks: - - import_tasks: tasks/vpn/bridge.yml - import_tasks: tasks/vpn/wireguard.yml diff --git a/playbooks/filesystem/valkyrie/etc/network/interfaces.d/br0.j2 b/playbooks/filesystem/valkyrie/etc/network/interfaces.d/br0.j2 deleted file mode 100644 index 57d8276..0000000 --- a/playbooks/filesystem/valkyrie/etc/network/interfaces.d/br0.j2 +++ /dev/null @@ -1,20 +0,0 @@ -auto br0 -iface br0 inet static - pre-up ip link add $IFACE type bridge - - post-up /usr/local/sbin/post-up-$IFACE-inet.nft - post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft - - pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft - pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft - - post-down ip link del dev $IFACE - - bridge_stp off - bridge_waitport 0 - bridge_fd 0 - bridge_ports none - - address {{ vpn_br0_address }} - broadcast {{ vpn_br0_broadcast }} - netmask {{ vpn_br0_netmask }} diff --git a/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-br0-ipv4.nft.j2 b/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-br0-ipv4.nft.j2 deleted file mode 100644 index a60f253..0000000 --- a/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-br0-ipv4.nft.j2 +++ /dev/null @@ -1,13 +0,0 @@ -#!/usr/bin/env -S nft -f - -table ip br0_ipv4 { - chain prerouting { - type nat hook prerouting priority -100; - iif {{ ethx }} tcp dport { 80, 443 } dnat to {{ services['rproxy'].address }}; - } - - chain postrouting { - type nat hook postrouting priority 100; - iif br0 oif {{ ethx }} masquerade; - } -} diff --git a/playbooks/filesystem/yggdrasil/etc/network/interfaces.d/br0.j2 b/playbooks/filesystem/yggdrasil/etc/network/interfaces.d/br0.j2 deleted file mode 100644 index 35e482b..0000000 --- a/playbooks/filesystem/yggdrasil/etc/network/interfaces.d/br0.j2 +++ /dev/null 
@@ -1,24 +0,0 @@ -auto br0 -iface br0 inet static - pre-up ip link add $IFACE type bridge - - post-up /usr/local/sbin/post-up-$IFACE-inet.nft - post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft - post-up ip rule add dev $IFACE table 66 - post-up ip rule add dev $IFACE to {{ subnet }} table main priority 1 - - pre-down ip rule del dev $IFACE to {{ subnet }} table main priority 1 - pre-down ip rule del dev $IFACE table 66 - pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft - pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft - - post-down ip link del dev $IFACE - - bridge_stp off - bridge_waitport 0 - bridge_fd 0 - bridge_ports none - - address {{ vpn_br0_address }} - broadcast {{ vpn_br0_broadcast }} - netmask {{ vpn_br0_netmask }} diff --git a/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-br0-inet.nft.j2 b/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-br0-inet.nft.j2 deleted file mode 100644 index ba234a7..0000000 --- a/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-br0-inet.nft.j2 +++ /dev/null @@ -1,5 +0,0 @@ -#!/usr/bin/env -S nft -f - -table inet br0_inet { - -} diff --git a/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-br0-inet.nft.j2 b/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-br0-inet.nft.j2 deleted file mode 100644 index e7b5064..0000000 --- a/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-br0-inet.nft.j2 +++ /dev/null @@ -1,4 +0,0 @@ -#!/usr/bin/env -S nft -f - -flush table inet br0_inet -delete table inet br0_inet diff --git a/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-br0-ipv4.nft.j2 b/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-br0-ipv4.nft.j2 deleted file mode 100644 index 34d95a9..0000000 --- a/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-br0-ipv4.nft.j2 +++ /dev/null @@ -1,4 +0,0 @@ -#!/usr/bin/env -S nft -f - -flush table ip br0_ipv4 -delete table ip br0_ipv4 diff --git a/plays/system/main.yml b/plays/system/main.yml index a37c354..8599d62 100644 
--- a/plays/system/main.yml +++ b/plays/system/main.yml @@ -1,11 +1,11 @@ --- -- name: "system : group:ups" +- name: "system : ups" hosts: "ups" roles: - role: "ups" tags: "system:ups" -- name: "system : group:smart" +- name: "system : smart" hosts: "smart" roles: - role: "smart" @@ -13,13 +13,13 @@ system_base_smartd_conf_file: "files/smart/smartd.conf" tags: "system:smart" -- name: "system : group:zfs" +- name: "system : zfs" hosts: "zfs" roles: - role: "zfs" tags: "system:zfs" -- name: "system : group:all" +- name: "system : all" hosts: "all" roles: - role: "mail" diff --git a/plays/vpn/main.yml b/plays/vpn/main.yml index 7267bf8..6a0f9d0 100644 --- a/plays/vpn/main.yml +++ b/plays/vpn/main.yml @@ -1,6 +1,18 @@ --- -- name: "vpn : group:all" +- name: "vpn : all" hosts: "all" roles: - role: "base" tags: "vpn:base" + +# - name: "vpn : bifrost" +# hosts: "bifrost" +# roles: +# - role: "gateway" +# tags: "vpn:gateway" + +- name: "vpn : asgard" + hosts: "asgard" + roles: + - role: "bridge" + tags: "vpn:bridge" diff --git a/plays/vpn/roles/base/files/ip-link-add.sh b/plays/vpn/roles/base/files/ip-link-add.sh new file mode 100644 index 0000000..547b866 --- /dev/null +++ b/plays/vpn/roles/base/files/ip-link-add.sh @@ -0,0 +1,8 @@ +#!/usr/bin/env bash + +set -u + +if ! ip link show dev "${1}" > /dev/null 2>&1 +then + ip link add "${@}" +fi diff --git a/plays/vpn/roles/base/tasks/main.yml b/plays/vpn/roles/base/tasks/main.yml index 0d8fdea..21ef04b 100644 --- a/plays/vpn/roles/base/tasks/main.yml +++ b/plays/vpn/roles/base/tasks/main.yml @@ -8,3 +8,9 @@ - name: "install wireguard" ansible.builtin.apt: name: "wireguard" + +- name: "script for creating virtual interfaces" + ansible.builtin.copy: + src: "./ip-link-add.sh" + dest: "/usr/local/sbin/ip-link-add.sh" + mode: 0755 
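Review bot: The `# - name: "vpn : bifrost"` block added to plays/vpn/main.yml is commented-out configuration; it references a `gateway` role that nothing else in this commit touches, will drift from that role unnoticed, and does not say whether it is parked or abandoned. Either delete it (git history keeps it) or keep it live but opt-in, e.g. `tags: ["vpn:gateway", "never"]`, so it is still parsed and stays in sync with the role; at minimum add a one-line comment above it stating why it is disabled.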
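Review bot: The guard `ip link show dev "${1}"` in ip-link-add.sh checks only that an interface named `$1` exists, not that it has the requested type, so a pre-existing interface of another kind keeps the script exiting 0 and `ip link add "${@}"` is skipped; that is acceptable for an idempotent pre-up helper but should be stated, e.g. a header comment `# Idempotent wrapper for 'ip link add': creates $1 only if no interface of that name exists (type is not checked); run as root from ifupdown pre-up.` Since the script is installed into /usr/local/sbin and runs as root, fail early on a missing name instead of relying on the `set -u` unbound-variable message: `[ "$#" -ge 1 ] || { echo "usage: ${0##*/} NAME [ip link add arguments...]" >&2; exit 2; }`.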
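Review bot: `mode: 0755` on the new `script for creating virtual interfaces` task in plays/vpn/roles/base/tasks/main.yml is an unquoted octal literal, which YAML 1.1 loaders turn into the integer 493 before Ansible sees it; Ansible's file-module documentation recommends quoting modes so Ansible receives a string and does the octal conversion itself. Write `mode: "0755"`. The same unquoted `mode: 0755` / `mode: 0644` values sit on the unchanged lines of plays/vpn/roles/bridge/tasks/include/br0.yml in this commit and could be quoted in the same pass.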
diff --git a/playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-br0-inet.nft.j2 b/plays/vpn/roles/bridge/files/br0/pre-down-br0-inet.nft similarity index 100% rename from playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-br0-inet.nft.j2 rename to plays/vpn/roles/bridge/files/br0/pre-down-br0-inet.nft diff --git a/playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-br0-ipv4.nft.j2 b/plays/vpn/roles/bridge/files/br0/pre-down-br0-ipv4.nft similarity index 100% rename from playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-br0-ipv4.nft.j2 rename to plays/vpn/roles/bridge/files/br0/pre-down-br0-ipv4.nft diff --git a/plays/vpn/roles/bridge/meta/argument_specs.yml b/plays/vpn/roles/bridge/meta/argument_specs.yml new file mode 100644 index 0000000..858f9ee --- /dev/null +++ b/plays/vpn/roles/bridge/meta/argument_specs.yml @@ -0,0 +1,26 @@ +argument_specs: + main: + options: + ansible_default_ipv4: + interface: + type: "str" + required: true + local_network: + type: "str" + required: false + vpn_routing_table: + type: "int" + required: true + vpn_bridge_dnat: + type: "list" + elements: "dict" + required: true + vpn_bridge_br0_address: + type: "str" + required: true + vpn_bridge_br0_broadcast: + type: "str" + required: true + vpn_bridge_br0_netmask: + type: "str" + required: true diff --git a/plays/vpn/roles/bridge/tasks/include/br0.yml b/plays/vpn/roles/bridge/tasks/include/br0.yml index 48234e5..d6a8ff8 100644 --- a/plays/vpn/roles/bridge/tasks/include/br0.yml +++ b/plays/vpn/roles/bridge/tasks/include/br0.yml 
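Review bot: `ansible_default_ipv4:` in the new argument_specs.yml has `interface:` nested directly under it, which is not the arg-spec syntax for a sub-option (that is `type: "dict"` plus `options:`); as far as I can tell Ansible ignores unknown spec keys, so neither `ansible_default_ipv4` nor `interface` is actually validated. `vpn_bridge_dnat` is declared as a list of dicts with no sub-options, although post-up-br0-ipv4.nft.j2 in this commit reads `address` and `ports` from each entry, so a missing key only surfaces when the template is rendered. The rewrite below declares both; `ports` as `elements: "int"` is an assumption from the template rendering them as numeric `dport` values — confirm. A `description` per option would also let the spec double as the role's documentation.
```yaml
  main:
    options:
      ansible_default_ipv4:
        type: "dict"
        required: true
        options:
          interface:
            type: "str"
            required: true
      # … unchanged: local_network, vpn_routing_table …
      vpn_bridge_dnat:
        type: "list"
        elements: "dict"
        required: true
        options:
          address:
            type: "str"
            required: true
          ports:
            type: "list"
            elements: "int"  # rendered as numeric dports in post-up-br0-ipv4.nft.j2 — confirm
            required: true
      # … unchanged: vpn_bridge_br0_address, vpn_bridge_br0_broadcast, vpn_bridge_br0_netmask …
```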
@@ -1,21 +1,21 @@ -- name: Bridge interface post-up nftables inet script - template: - src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-br0-inet.nft.j2 - dest: /usr/local/sbin/post-up-br0-inet.nft +- name: "br0 : post-up nftables inet script" + ansible.builtin.template: + src: "./br0/post-up-br0-inet.nft.j2" + dest: "/usr/local/sbin/post-up-br0-inet.nft" mode: 0755 - register: br_intf_post_up_inet + register: vpn_bridge_post_up_br0_inet_nft -- name: Bridge interface post-up nftables ipv4 script - template: - src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-br0-ipv4.nft.j2 - dest: /usr/local/sbin/post-up-br0-ipv4.nft +- name: "br0 : post-up nftables ipv4 script" + ansible.builtin.template: + src: "./br0/post-up-br0-ipv4.nft.j2" + dest: "/usr/local/sbin/post-up-br0-ipv4.nft" mode: 0755 - register: br_intf_post_up_ipv4 + register: vpn_bridge_post_up_br0_ipv4_nft -- name: Create bridge interface - template: - src: ./filesystem/{{ ansible_hostname }}/etc/network/interfaces.d/br0.j2 - dest: /etc/network/interfaces.d/br0 +- name: "br0 : configure interface" + ansible.builtin.template: + src: "./br0/br0.j2" + dest: "/etc/network/interfaces.d/br0" mode: 0644 validate: > bash -c 
@@ -23,32 +23,29 @@ then ifdown br0 ; fi' - register: br_intf - -- block: - - name: Restart bridge interface - shell: if ip link show dev br0 ; then ifdown br0 && ifup br0 ; else ifup br0 ; fi - - - name: Reconnect all services - systemd: - name: connect-pod-service@{{ item }}.service - state: started - with_items: - - "{{ host_services }}" + register: vpn_bridge_br0_conf +- name: "br0 : restart interface" + ansible.builtin.shell: | + if ip link show dev br0 + then + ifdown br0 && ifup br0 + else + ifup br0 + fi when: - br_intf_post_up_inet is changed or - br_intf_post_up_ipv4 is changed or - br_intf is changed + vpn_bridge_post_up_br0_inet_nft.changed or + vpn_bridge_post_up_br0_ipv4_nft.changed or + vpn_bridge_br0_conf.changed -- name: Bridge interface pre-down nftables inet script - template: - src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-br0-inet.nft.j2 - dest: /usr/local/sbin/pre-down-br0-inet.nft +- name: "br0 : pre-down nftables inet script" + ansible.builtin.copy: + src: "./br0/pre-down-br0-inet.nft" + dest: "/usr/local/sbin/pre-down-br0-inet.nft" mode: 0755 -- name: Bridge interface pre-down nftables ipv4 script - template: - src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-br0-ipv4.nft.j2 - dest: /usr/local/sbin/pre-down-br0-ipv4.nft +- name: "br0 : pre-down nftables ipv4 script" + ansible.builtin.copy: + src: "./br0/pre-down-br0-ipv4.nft" + dest: "/usr/local/sbin/pre-down-br0-ipv4.nft" mode: 0755 diff --git a/plays/vpn/roles/bridge/tasks/main.yml b/plays/vpn/roles/bridge/tasks/main.yml new file mode 100644 index 0000000..a8e844f --- /dev/null +++ b/plays/vpn/roles/bridge/tasks/main.yml @@ -0,0 +1,3 @@ +- name: "play:vpn : role:bridge : tasks:br0" + ansible.builtin.import_tasks: "include/br0.yml" + tags: "vpn:bridge:br0" diff --git a/plays/vpn/roles/bridge/templates/br0/br0.j2 b/plays/vpn/roles/bridge/templates/br0/br0.j2 new file mode 100644 index 0000000..4c7c7d5 --- /dev/null 
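Review bot: The `br0 : restart interface` task runs before the two `pre-down` scripts are copied, so on a host where br0 already exists its `ifdown br0` invokes `/usr/local/sbin/pre-down-br0-*.nft` before this play has installed or refreshed them; move the two `ansible.builtin.copy` tasks above the restart and, if a changed teardown script should also trigger a bounce, register them and add them to the `when:` list. The commit also drops the `Reconnect all services` loop over `connect-pod-service@{{ item }}.service` without a replacement; if those units still attach to br0 they will remain broken after an ifdown/ifup cycle — presumably intentional, but worth a sentence in the commit message. The `validate:` of the preceding task starts outside this hunk and ends here with `then ifdown br0 ; fi'`, which suggests the validation itself tears the interface down; a validate step should be side-effect free, so confirm what that command does.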
+++ b/plays/vpn/roles/bridge/templates/br0/br0.j2 @@ -0,0 +1,26 @@ +auto br0 +iface br0 inet static + pre-up /usr/local/sbin/ip-link-add.sh $IFACE type bridge + + post-up /usr/local/sbin/post-up-$IFACE-inet.nft + post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft +{% if local_network is defined %} + post-up ip rule add dev $IFACE table {{ vpn_routing_table }} + post-up ip rule add dev $IFACE to {{ local_network }} table main priority 1 +{% endif %} + +{% if local_network is defined %} + pre-down ip rule del dev $IFACE to {{ local_network }} table main priority 1 + pre-down ip rule del dev $IFACE table {{ vpn_routing_table }} +{% endif %} + pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft + pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft + + bridge_stp off + bridge_waitport 0 + bridge_fd 0 + bridge_ports none + + address {{ vpn_bridge_br0_address }} + broadcast {{ vpn_bridge_br0_broadcast }} + netmask {{ vpn_bridge_br0_netmask }} diff --git a/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-br0-inet.nft.j2 b/plays/vpn/roles/bridge/templates/br0/post-up-br0-inet.nft.j2 similarity index 100% rename from playbooks/filesystem/valkyrie/usr/local/sbin/post-up-br0-inet.nft.j2 rename to plays/vpn/roles/bridge/templates/br0/post-up-br0-inet.nft.j2 diff --git a/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-br0-ipv4.nft.j2 b/plays/vpn/roles/bridge/templates/br0/post-up-br0-ipv4.nft.j2 similarity index 50% rename from playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-br0-ipv4.nft.j2 rename to plays/vpn/roles/bridge/templates/br0/post-up-br0-ipv4.nft.j2 index 7442e62..70484bc 100644 --- a/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-br0-ipv4.nft.j2 +++ b/plays/vpn/roles/bridge/templates/br0/post-up-br0-ipv4.nft.j2 
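Review bot: The line `pre-up /usr/local/sbin/ip-link-add.sh $IFACE type bridge` makes the `bridge` role depend on the `base` role having installed that script on the same host (plays/vpn/roles/base/tasks/main.yml in this commit), but nothing in the bridge role declares it; a host that receives `vpn:bridge` without `vpn:base` (e.g. via `--tags`) gets an interfaces file whose pre-up fails. Declare the dependency in the bridge role's `meta/main.yml` (`dependencies:` / `  - role: "base"`) and say so at the top of the template, e.g. `{# rendered by the vpn/bridge role; ip-link-add.sh is installed by the vpn/base role #}`. The two `{% if local_network is defined %}` blocks would also read better with a short comment explaining that the `vpn_routing_table` policy rules exist only on hosts that have a local network to keep bridge clients away from.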
@@ -3,18 +3,21 @@ table ip br0_ipv4 { chain prerouting { type nat hook prerouting priority -100; - iif {{ ethx }} tcp dport { 80, 443 } dnat to {{ services['lrproxy'].address }}; - iif {{ ethx }} tcp dport {{ services['git'].ssh_port }} dnat to {{ services['git'].address }}; +{% for forward in vpn_bridge_dnat %} + iif {{ ansible_default_ipv4.interface }} tcp dport { {{ forward.ports | join(", ") }} } dnat to {{ forward.address }}; +{% endfor %} } +{% if local_network is defined %} chain input { type filter hook input priority 0; ct state established,related accept; - iif br0 ip daddr {{ subnet }} drop; + iif br0 ip daddr {{ local_network }} drop; } +{% endif %} chain postrouting { type nat hook postrouting priority 100; - iif br0 oif {{ ethx }} masquerade; + iif br0 oif {{ ansible_default_ipv4.interface }} masquerade; } }
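Review bot: `iif {{ ansible_default_ipv4.interface }}` in the DNAT and masquerade rules binds the port forwards to whichever interface carried the default route when facts were gathered; on a VPN host that may be the tunnel rather than the LAN uplink, and the exposure changes silently if the default route moves, whereas the old template used an explicit `ethx`. Make the ingress interface a role variable with the fact as its default (e.g. `vpn_bridge_uplink: "{{ ansible_default_ipv4.interface }}"` in `defaults/main.yml`, declared in argument_specs.yml) and use it in both chains so the forwarded surface is explicit and reviewable. An entry whose `ports` list is empty renders `dport {  }`, which nft rejects and which leaves the bridge up with no NAT table at all, so guard the loop body with `{% if forward.ports %}`. The `iif br0 ip daddr {{ local_network }} drop` rule sits in the `input` hook, which only sees packets addressed to this host — traffic from br0 forwarded toward other hosts in `local_network` is not covered here, presumably left to the policy-routing rules in br0.j2; confirm, or add an equivalent rule in a `forward` chain.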