diff --git a/debian/control b/debian/control
index 2b188d6a..d6a39ed0 100644
--- a/debian/control
+++ b/debian/control
@@ -50,7 +50,7 @@ Depends: dbus,
 # TODO: make legacy edk2 optional (suggests) for PVE 9 and warn explicitly about it
          pve-edk2-firmware-legacy | pve-edk2-firmware (<< 4~),
          pve-edk2-firmware-ovmf (>= 4.2025.02-3),
-         pve-firewall (>= 5.0.4),
+         pve-firewall (>= 6.0.1),
          pve-ha-manager (>= 3.0-9),
          pve-qemu-kvm (>= 7.1~),
          socat,
diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index 50352e82..92c8fad6 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -36,7 +36,6 @@ use PVE::Mapping::Dir;
 use PVE::Mapping::PCI;
 use PVE::Mapping::USB;
 use PVE::Network::SDN::Vnets;
-use PVE::Network::SDN::Zones;
 use PVE::INotify;
 use PVE::JSONSchema qw(get_standard_option parse_property_string);
 use PVE::ProcFSTools;
@@ -5013,7 +5012,7 @@ sub vmconfig_update_net {
                     );
                 }
 
-                PVE::Network::SDN::Zones::tap_plug(
+                PVE::QemuServer::Network::tap_plug(
                     $iface,
                     $newnet->{bridge},
                     $newnet->{tag},
diff --git a/src/PVE/QemuServer/Network.pm b/src/PVE/QemuServer/Network.pm
index 84d8981a..9ca31435 100644
--- a/src/PVE/QemuServer/Network.pm
+++ b/src/PVE/QemuServer/Network.pm
@@ -4,6 +4,7 @@ use strict;
 use warnings;
 
 use PVE::Cluster;
+use PVE::Firewall::Helpers;
 use PVE::JSONSchema qw(get_standard_option parse_property_string);
 use PVE::Network::SDN::Vnets;
 use PVE::Network::SDN::Zones;
@@ -321,4 +322,11 @@ sub delete_ifaces_ipams_ips {
     }
 }
 
+sub tap_plug {
+    my ($iface, $bridge, $tag, $firewall, $trunks, $rate) = @_;
+
+    $firewall = $firewall && PVE::Firewall::Helpers::needs_fwbr($bridge);
+    PVE::Network::SDN::Zones::tap_plug($iface, $bridge, $tag, $firewall, $trunks, $rate);
+}
+
 1;
diff --git a/src/usr/pve-bridge b/src/usr/pve-bridge
index 7378aaa8..c7260c6b 100755
--- a/src/usr/pve-bridge
+++ b/src/usr/pve-bridge
@@ -40,18 +40,10 @@ die "unable to get network config '$netid'\n"
 my $net = PVE::QemuServer::Network::parse_net($netconf);
 die "unable to parse network config '$netid'\n" if !$net;
 
-# The nftable-based implementation from the newer proxmox-firewall does not requires FW bridges
-my $create_firewall_bridges = $net->{firewall} && !PVE::Firewall::is_nftables();
-
 PVE::Network::SDN::Vnets::add_dhcp_mapping($net->{bridge}, $net->{macaddr}, $vmid, $conf->{name});
 PVE::Network::SDN::Zones::tap_create($iface, $net->{bridge});
-PVE::Network::SDN::Zones::tap_plug(
-    $iface,
-    $net->{bridge},
-    $net->{tag},
-    $create_firewall_bridges,
-    $net->{trunks},
-    $net->{rate},
+PVE::QemuServer::Network::tap_plug(
+    $iface, $net->{bridge}, $net->{tag}, $net->{firewall}, $net->{trunks}, $net->{rate},
 );
 
 exit 0;