diff --git a/apps/rego-tunnel/build/setup-network.sh b/apps/rego-tunnel/build/setup-network.sh
index bba4070..1aa8b12 100755
--- a/apps/rego-tunnel/build/setup-network.sh
+++ b/apps/rego-tunnel/build/setup-network.sh
@@ -16,6 +16,12 @@ VM_NET_IP="${VM_NET_IP:-100.100.0.2}"
 VM_SUBNET="${VM_SUBNET:-100.100.0.0}"
 TARGET_IP="${TARGET_IP:-10.35.33.230}"
+# Optional second bridge/tap for a second VM NIC (pure L2 with the container).
+# This is opt-in: set BRIDGE2_NAME and TAP2_NAME (and optionally BRIDGE2_CIDR).
+BRIDGE2_NAME="${BRIDGE2_NAME:-}"
+TAP2_NAME="${TAP2_NAME:-}"
+BRIDGE2_CIDR="${BRIDGE2_CIDR:-}"
+
 if [[ "$BRIDGE_CIDR" != */* ]]; then
 BRIDGE_CIDR="$BRIDGE_CIDR/24"
 fi
@@ -49,6 +55,31 @@ fi
 ip link set "$TAP_NAME" master "$BRIDGE_NAME" 2>/dev/null || true
 ip link set "$TAP_NAME" up
+# Optional second bridge/tap (no NAT rules are applied here)
+if [ -n "$BRIDGE2_NAME" ] || [ -n "$TAP2_NAME" ]; then
+ if [ -z "$BRIDGE2_NAME" ] || [ -z "$TAP2_NAME" ]; then
+ echo "[rego-tunnel] WARN: BRIDGE2_NAME and TAP2_NAME must both be set to enable the second bridge"
+ else
+ if ! ip link show "$BRIDGE2_NAME" &>/dev/null; then
+ ip link add "$BRIDGE2_NAME" type bridge
+ fi
+ if [ -n "$BRIDGE2_CIDR" ]; then
+ if [[ "$BRIDGE2_CIDR" != */* ]]; then
+ BRIDGE2_CIDR="$BRIDGE2_CIDR/24"
+ fi
+ ip addr show dev "$BRIDGE2_NAME" | grep -qF "$BRIDGE2_CIDR" || ip addr add "$BRIDGE2_CIDR" dev "$BRIDGE2_NAME" 2>/dev/null || true
+ fi
+ ip link set "$BRIDGE2_NAME" up
+
+ if ! ip link show "$TAP2_NAME" &>/dev/null; then
+ ip tuntap add "$TAP2_NAME" mode tap
+ fi
+ ip link set "$TAP2_NAME" master "$BRIDGE2_NAME" 2>/dev/null || true
+ ip link set "$TAP2_NAME" up
+ echo "[rego-tunnel] Second bridge enabled: $BRIDGE2_NAME (tap $TAP2_NAME)"
+ fi
+fi
+
 # Enable IP forwarding
 echo 1 > /proc/sys/net/ipv4/ip_forward
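Review bot: The idempotency check `ip addr show dev "$BRIDGE2_NAME" | grep -qF "$BRIDGE2_CIDR"` is a plain substring match, so an address already on the bridge that merely contains the requested text (a different prefix length, or a longer address ending in the same digits) silently suppresses the `ip addr add`; `grep -qwF -- "$BRIDGE2_CIDR"` anchors the match at token boundaries and also stops a value beginning with `-` from being read as a grep option. Separately, the header comment calls this bridge "pure L2", but once BRIDGE2_CIDR is assigned the container holds an L3 address on it and the `echo 1 > /proc/sys/net/ipv4/ip_forward` that follows is namespace-wide, so whether the VM's second NIC can reach WAN_IF depends on the FORWARD policy configured elsewhere in the script, which is not visible in this hunk; a comment such as `# NOTE: with BRIDGE2_CIDR set this bridge is also L3-reachable from the container and subject to ip_forward; no FORWARD/NAT rules are added for it` would make that explicit for whoever enables it. The WARN echo is written to stdout; `>&2` would keep it out of any captured summary output. The block also mixes `[ ]` and `[[ ]]` tests; the file already uses `[[ ]]`, so using it throughout would be consistent.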
@@ -75,3 +106,8 @@ echo "Bridge: $BRIDGE_NAME = $BRIDGE_CIDR"
 echo "TAP: $TAP_NAME attached to $BRIDGE_NAME"
 echo "Route: $TARGET_IP via $VM_NET_IP (VM)"
 echo "Outbound interface: ${WAN_IF}"
+
+if [ -n "$BRIDGE2_NAME" ] && [ -n "$TAP2_NAME" ]; then
+ echo "Bridge2: $BRIDGE2_NAME${BRIDGE2_CIDR:+ = $BRIDGE2_CIDR}"
+ echo "TAP2: $TAP2_NAME attached to $BRIDGE2_NAME"
+fi
diff --git a/apps/rego-tunnel/build/start-vm.sh b/apps/rego-tunnel/build/start-vm.sh
index 00805c9..6ba3031 100755
--- a/apps/rego-tunnel/build/start-vm.sh
+++ b/apps/rego-tunnel/build/start-vm.sh
@@ -45,6 +45,23 @@ if [ "$AUTO_MOUNT_9P" = "1" ]; then
 qemu-nbd --connect "$NBD_DEV" "$QCOW2_PATH"
 sleep 1
+ # In containers, the kernel may create sysfs partition entries but not
+ # auto-create the corresponding /dev/nbd0p* nodes. Create them if missing.
+ base_dev="$(basename "$NBD_DEV")"
+ for sysfs_dev in /sys/class/block/${base_dev}p*; do
+ [ -e "$sysfs_dev" ] || continue
+ part_name="$(basename "$sysfs_dev")"
+ devnode="/dev/$part_name"
+ [ -e "$devnode" ] && continue
+ if [ -r "$sysfs_dev/dev" ]; then
+ IFS=: read -r major minor < "$sysfs_dev/dev" || true
+ if [ -n "${major:-}" ] && [ -n "${minor:-}" ]; then
+ mknod "$devnode" b "$major" "$minor" 2>/dev/null || true
+ chmod 660 "$devnode" 2>/dev/null || true
+ fi
+ fi
+ done
+
 mkdir -p "$VMROOT_MNT"
 ROOT_PART=""
 for part in "${NBD_DEV}"p*; do
@@ -71,6 +88,8 @@ if [ "$AUTO_MOUNT_9P" = "1" ]; then
 umount "$VMROOT_MNT" >/dev/null 2>&1 || true
 else
 echo "[rego-tunnel] WARN: could not locate guest root partition; skipping auto-mount setup"
+ lsblk -fp "$NBD_DEV" 2>/dev/null || true
+ blkid "$NBD_DEV"* 2>/dev/null || true
 fi
 qemu-nbd --disconnect "$NBD_DEV" >/dev/null 2>&1 || true
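Review bot: `mknod "$devnode" b "$major" "$minor"` creates the partition node with umask-derived permissions and only afterwards tightens it with a separate `chmod 660`, so there is a short window in which the new block device node can be more permissive than intended, and a failed mknod still runs a pointless chmod. Setting the mode at creation removes both: `mknod -m 660 "$devnode" b "$major" "$minor" 2>/dev/null || true` and drop the chmod line. The major/minor pair comes from the kernel's sysfs `dev` file, so it is trustworthy, but since both are passed straight to mknod a one-line guard such as `case "$major$minor" in *[!0-9]*) continue ;; esac` documents that expectation cheaply. The glob `/sys/class/block/${base_dev}p*` leaves the expansion unquoted (ShellCheck SC2231); `"${base_dev}"p*` is the usual form. The enclosing `if [ "$AUTO_MOUNT_9P" = "1" ]` block starts and ends outside this hunk.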
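Review bot: The new `lsblk -fp` and `blkid` diagnostics print to stdout next to a WARN that describes a failure, so their output lands in whatever consumes the script's normal output rather than with the error detail; `lsblk -fp "$NBD_DEV" 2>/dev/null >&2 || true` and the same for blkid keep them on stderr. The enclosing if/else starts outside this hunk, so the WARN line's own stream cannot be checked here.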