diff --git a/bgpwtf/machines/modules/anchorvm.nix b/bgpwtf/machines/modules/anchorvm.nix
index 9c7b17fb..9eddde96 100644
--- a/bgpwtf/machines/modules/anchorvm.nix
+++ b/bgpwtf/machines/modules/anchorvm.nix
@@ -24,6 +24,15 @@ in {
     };
   };
 
+  config.environment = {
+    # qemu-bridge-helper (needed for -nic bridge) requires this file to exist.
+    # We're running as root and don't care about the ACL functionality, so just
+    # make a minimal file that allows the interface.
+    # This snippet stolen from nixpkgs//libvirtd.nix
+    etc."qemu/bridge.conf".text = lib.concatMapStringsSep "\n" (e:
+      "allow ${e}") [cfg.bridge];
+  };
+
   config.systemd.services.anchorvm = {
     wantedBy = [ "multi-user.target" ];
     after = [