diff --git a/ansible/router/install.yaml b/ansible/router/install.yaml
index 70b24a0f0ac3c945cce98e0e94cebd755dc1d483..ff8a481b5da9e6a8d8cd8a33477495a1101163e1 100644
--- a/ansible/router/install.yaml
+++ b/ansible/router/install.yaml
@@ -19,4 +19,14 @@
       port: 10022
       permitRootLogin: 'no'
       pubkeyAuthentication: 'yes'
-      passwordAuthentication: 'no'
\ No newline at end of file
+      passwordAuthentication: 'no'
+      allow:
+        users: 'rlacko'
+    nftables:
+      snat_to: 152.66.211.122
+      snat_from: 192.168.96.0/22
+      dnat:
+        - dport: 80
+          to: 192.168.96.101:80
+        - dport: 443
+          to: 192.168.96.101:443
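Review bot: `snat_to: 152.66.211.122` repeats the address that the inventory hunk in this same commit now uses as the host entry, so the WAN address lives in two files that must be edited together. If the role already has the host's address, the template could take it from `ansible_host` (or the eth0 interface fact) and keep only `snat_from` and `dnat` here; otherwise a comment such as `# Public address of eth0 - must match inventory.yaml` above the key would at least tie the two copies together. `allow.users` is a single quoted string; if the sshd role that consumes it iterates a list, that is worth checking against the role's expectations (the role is outside this hunk).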
diff --git a/ansible/router/inventory.yaml b/ansible/router/inventory.yaml
index 47671573d9ef04b34c76b1a7d62688ac3a8e2245..80257bbb788557bf498f408b38b4c68b8848c383 100644
--- a/ansible/router/inventory.yaml
+++ b/ansible/router/inventory.yaml
@@ -1,4 +1,5 @@
 all:
   hosts:
     # Use OpenSSH config to make it confortable
-    router.maze:
+    152.66.211.122:
+      ansible_port: 10022
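Review bot: The context comment `# Use OpenSSH config to make it confortable` now describes the approach this hunk abandons: the host entry is a bare public address with an explicit `ansible_port`, so nothing here relies on an OpenSSH config any more. Either keep the stable name and attach the address to it — `router.maze:` / `ansible_host: 152.66.211.122` / `ansible_port: 10022` — so play output and `limit` patterns keep a meaningful name, or replace the comment with one that says the address and port are set directly here.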
diff --git a/ansible/router/tasks/firewall.yaml b/ansible/router/tasks/firewall.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..f8e91f0c4b7c7106788c88498a8ecf31c4a7f949
--- /dev/null
+++ b/ansible/router/tasks/firewall.yaml
@@ -0,0 +1,16 @@
+---
+
+- name: Ensure nftables runs and enabled
+  service:
+    name: nftables
+    state: started
+    enabled: yes
+
+- name: Place nftables configuration file.
+  template:
+    src: etc/nftables.conf.j2
+    dest: /etc/nftables.conf
+    mode: 0755
+
+- name: Load config
+  command: nft -f /etc/nftables.conf
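Review bot: `Load config` runs `nft -f /etc/nftables.conf` on every play, regardless of whether the template task changed anything, so the task always reports changed and the ruleset is flushed and re-applied on each run. Registering the template result and gating the command on it, and giving the template task `validate: nft -c -f %s` so a rendered file that fails nft's syntax check never replaces /etc/nftables.conf, makes the step idempotent and keeps a broken render from being installed. While here, `enabled: yes` is a YAML 1.1 truthy value and `mode: 0755` an unquoted octal; `enabled: true` and `mode: "0755"` are the portable spellings.
```yaml
# … unchanged: "Ensure nftables runs and enabled" task …

- name: Place nftables configuration file.
  template:
    src: etc/nftables.conf.j2
    dest: /etc/nftables.conf
    mode: "0755"
    validate: nft -c -f %s
  register: nftables_conf

- name: Load config
  command: nft -f /etc/nftables.conf
  when: nftables_conf.changed
```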
diff --git a/ansible/router/tasks/iptables.yaml b/ansible/router/tasks/iptables.yaml
deleted file mode 100644
index cd21505a47e530a967e3c44bd2a772d1b8d08bd7..0000000000000000000000000000000000000000
--- a/ansible/router/tasks/iptables.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-
diff --git a/ansible/router/tasks/main.yaml b/ansible/router/tasks/main.yaml
index 05bc45c30b8a7e1594b2bee6aaeff9ef2ba66f42..454b163b01a6bf1ffb4b4b3814365e6f94fa5317 100644
--- a/ansible/router/tasks/main.yaml
+++ b/ansible/router/tasks/main.yaml
@@ -28,5 +28,6 @@
     state: restarted
     enabled: yes
 
-- name: Setup iptables
-  include_tasks: iptables.yaml
+- name: Setup firewall
+  include_tasks: firewall.yaml
+  tags: [firewall]
diff --git a/ansible/router/tasks/packages.yaml b/ansible/router/tasks/packages.yaml
index 9ec7c5d7a0892faa3bca726703be99568588ec03..7477db35ac86ae1d17c38b461048f7ecfc0c693a 100644
--- a/ansible/router/tasks/packages.yaml
+++ b/ansible/router/tasks/packages.yaml
@@ -31,5 +31,5 @@
       - jq
       - git
 
-      # Router
-      - iptables
+      # Firewall
+      - nftables
diff --git a/ansible/router/templates/etc/nftables.conf.j2 b/ansible/router/templates/etc/nftables.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..5dd25198a056dc2e9bdbcfaeb2fb9bc937af15c7
--- /dev/null
+++ b/ansible/router/templates/etc/nftables.conf.j2
@@ -0,0 +1,64 @@
+#!/usr/bin/nft -f
+
+# !!!
+# {{ ansible_managed }}
+# !!!
+
+flush ruleset
+
+table inet filter {
+  chain input {
+    type filter hook input priority 0; policy drop;
+
+    ct state {established, related} accept
+    ct state invalid drop
+
+    iif lo accept
+
+    # Allow from internal network
+    iif eth1 accept
+
+    ip protocol icmp accept
+
+    tcp dport 10022 accept comment "SSH in"
+  }
+
+  chain forward {
+    type filter hook forward priority 0;
+
+    # Allow outgoing via wan
+    oif eth0 accept
+    # Allow dnat
+    ct status dnat accept
+    # Allow incoming on wan for related & established connections
+    iif eth0 ct state related, established accept
+
+    # Drop any other incoming traffic on wan
+    iif eth0 drop
+  }
+
+  # Allow all packets sent by the firewall
+  chain output {
+    type filter hook output priority 100; policy accept;
+  }
+}
+
+table ip nat {
+  chain prerouting {
+    type nat hook prerouting priority -100;
+
+    # Port forwarding
+{% if nftables.dnat is defined %}
+{% for dnat in nftables.dnat %}
+    iif eth0 tcp dport {{ dnat.dport }} dnat {{ dnat.to }}
+{% endfor %}
+{% endif %}
+  }
+
+  chain postrouting {
+    type nat hook postrouting priority 100;
+
+    # SNAT outgoing traffic
+    ip saddr {{ nftables.snat_from }} oif eth0 snat to {{ nftables.snat_to }}
+  }
+}
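Review bot: The `forward` chain declares no policy, so it gets nft's default accept, while `input` states `policy drop` explicitly; any forwarded packet that neither arrives nor leaves on eth0 (a third interface, or hairpin traffic on eth1) therefore passes without matching a rule. `type filter hook forward priority 0; policy drop;` would make the chain's intent explicit and turn the closing `iif eth0 drop` into a redundant line. The prerouting rule writes `dnat {{ dnat.to }}` whereas postrouting writes `snat to …`; current nft documents the `dnat to <addr>:<port>` form, so confirm the `to`-less spelling with `nft -c -f` on the target version. In an `inet` table `ip protocol icmp accept` covers IPv4 only, so if IPv6 is in use on this router a matching `meta l4proto icmpv6 accept` is needed for neighbour discovery to survive the drop policy.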