diff --git a/machines/orbi/configuration.nix b/machines/orbi/configuration.nix
index 2c84d25..3e30f1c 100644
--- a/machines/orbi/configuration.nix
+++ b/machines/orbi/configuration.nix
@@ -45,6 +45,9 @@
   ];
 
   networking.firewall.enable = true;
+  networking.firewall.extraCommands = ''
+    iptables -P FORWARD DROP
+  '';
   boot.kernel.sysctl."net.ipv4.ip_forwarding" = false;
 
   services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
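Review bot: The new `iptables -P FORWARD DROP` on the added line only sets the IPv4 policy; the ip6tables FORWARD chain keeps whatever policy it had, so the "deny forwarding by default" intent is not enforced for IPv6 traffic, and the NixOS firewall script exposes an `ip46tables` helper for exactly this: `ip46tables -P FORWARD DROP`. Relatedly, the context line this hunk builds on, `boot.kernel.sysctl."net.ipv4.ip_forwarding" = false`, names a key the kernel does not have (the real one is `net.ipv4.ip_forward`), so that global off-switch is silently not applied at boot; it should read `boot.kernel.sysctl."net.ipv4.ip_forward" = false;`. Forwarding is still off on a fresh boot because the kernel default is 0, but the explicit setting is what the comment-free config appears to rely on. Since both files in this commit set `networking.firewall.extraCommands`, note that NixOS concatenates those definitions in an order you do not control; that is harmless here only because `-P` and `-A` are independent, which is worth a one-line comment such as `# FORWARD policy; per-interface ACCEPT rules live in network-wireguard.nix`.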
diff --git a/machines/orbi/network-wireguard.nix b/machines/orbi/network-wireguard.nix
index 2b01481..5f7d0e0 100644
--- a/machines/orbi/network-wireguard.nix
+++ b/machines/orbi/network-wireguard.nix
@@ -20,6 +20,11 @@ let
 in
 {
   networking.firewall.allowedUDPPorts = [ 51820 ];
+  networking.firewall.extraCommands = ''
+    iptables -A FORWARD -i wg0 -j ACCEPT
+  '';
+  boot.kernel.sysctl."net.ipv4.conf.wg0.forwarding" = true;
+
   clan.core.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
   clan.core.facts.services.wireguard_ip = factsGenerator.public {
     "wireguard.wg0.endpoint" = "95.216.66.212:51820";
@@ -31,8 +36,6 @@ in
     ping -c 1 -W 5 ${config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.ip".value}
   '';
 
-  boot.kernel.sysctl."net.ipv4.conf.wg0.forwarding" = true;
-
   # Enable WireGuard
   networking.wg-quick.interfaces = {
     # Hub and Spoke Setup