diff --git a/hw/straylight/default.nix b/hw/straylight/default.nix
index ad36e7b..9172441 100644
--- a/hw/straylight/default.nix
+++ b/hw/straylight/default.nix
@@ -22,6 +22,26 @@
   # Let the mcp user reach /dev/kvm directly as well.
   users.users.mcp.extraGroups = [ "kvm" ];
+  # Isolated host-only bridge for unikernel VMs (Phase 2). Each unikernel
+  # gets a TAP on this bridge and a 10.99.0.0/24 static IP. The bridge has
+  # NO uplink and NO NAT, and the firewall drops any VM traffic leaving the
+  # bridge, so a VM can reach only the host gateway (10.99.0.1) -- mediation
+  # is enforced by network topology, not convention.
+  networking.bridges.mcp-br0.interfaces = [ ];
+  networking.interfaces.mcp-br0.ipv4.addresses = [
+    { address = "10.99.0.1"; prefixLength = 24; }
+  ];
+  # The host accepts traffic from VMs (so mc-proxy on the gateway can serve
+  # them); the FORWARD drop prevents VMs from routing anywhere off-bridge.
+  networking.firewall.trustedInterfaces = [ "mcp-br0" ];
+  networking.firewall.extraCommands = ''
+    iptables -D FORWARD -i mcp-br0 ! -o mcp-br0 -j DROP 2>/dev/null || true
+    iptables -A FORWARD -i mcp-br0 ! -o mcp-br0 -j DROP
+  '';
+  networking.firewall.extraStopCommands = ''
+    iptables -D FORWARD -i mcp-br0 ! -o mcp-br0 -j DROP 2>/dev/null || true
+  '';
+
   # Allow rootless containers (podman) to bind low ports (53 for MCNS,
   # 443/8443/9443 for mc-proxy) as straylight takes over the core role.
   boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 53;
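Review bot: `networking.firewall.trustedInterfaces = [ "mcp-br0" ]` bypasses the INPUT chain for everything arriving from the bridge, so the VMs can reach every host listener bound on 0.0.0.0, not only the mc-proxy/MCNS ports the comment names; a per-interface allow-list (`networking.firewall.interfaces.mcp-br0.allowedTCPPorts`) expresses the intended mediation without that exposure. The FORWARD DROP is appended with `-A`, so any ACCEPT that container networking (podman is configured on this host) or another module places earlier in FORWARD wins; inserting at position 1 and using the firewall script's `ip46tables` helper also closes the IPv6 gap, since the rule is currently iptables-only. The comment's claim that "a VM can reach only the host gateway" also overstates: VM-to-VM frames are switched on the bridge at L2 and never traverse FORWARD, so peer reachability is not prevented by these rules — worth stating in the comment, or isolating the TAP ports on the bridge. Rewritten lines below (UDP 53 is a guess at what MCNS needs — confirm); the enclosing module attrset starts and ends outside the hunk.

```nix
  # Expose only the services the VMs are meant to reach; a trustedInterfaces
  # entry would open every host listener to the bridge.
  networking.firewall.interfaces.mcp-br0.allowedTCPPorts = [ 53 443 8443 9443 ];
  networking.firewall.interfaces.mcp-br0.allowedUDPPorts = [ 53 ];
  networking.firewall.extraCommands = ''
    # Insert at the head of FORWARD so no earlier ACCEPT (container/NAT rules)
    # can short-circuit the drop; cover v4 and v6.
    ip46tables -D FORWARD -i mcp-br0 ! -o mcp-br0 -j DROP 2>/dev/null || true
    ip46tables -I FORWARD 1 -i mcp-br0 ! -o mcp-br0 -j DROP
  '';
  networking.firewall.extraStopCommands = ''
    ip46tables -D FORWARD -i mcp-br0 ! -o mcp-br0 -j DROP 2>/dev/null || true
  '';
```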