diff --git a/ansible/router/templates/etc/nftables.conf.j2 b/ansible/router/templates/etc/nftables.conf.j2
index 5dd25198a056dc2e9bdbcfaeb2fb9bc937af15c7..6c88617348765fe824a06514374bdc1b2417d343 100644
--- a/ansible/router/templates/etc/nftables.conf.j2
+++ b/ansible/router/templates/etc/nftables.conf.j2
@@ -6,6 +6,9 @@
 
 flush ruleset
 
+define wan = eth0
+define lan = eth1
+
 table inet filter {
   chain input {
     type filter hook input priority 0; policy drop;
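Review bot: The two new `define` lines pin the interface roles to `eth0`/`eth1` inside the template, while everything else host-specific in this file (`nftables.dnat`, `nftables.snat_from`, `nftables.snat_to`) comes from inventory, so a router whose WAN is not `eth0` now needs a template edit rather than a variable. Consider rendering the defines from inventory with a default, e.g. `define wan = {{ nftables.wan_interface | default('eth0') }}` (the `wan_interface` key is a placeholder name to be chosen), or at least adding `# Interface roles for this router; all rules below refer to these` above the defines. The `filter` table whose header begins here continues past the end of this hunk.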
@@ -15,8 +18,7 @@ table inet filter {
 
     iif lo accept
 
-    # Allow from internal network
-    iif eth1 accept
+    iif $lan accept
 
     ip protocol icmp accept
 
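Review bot: The comment `# Allow from internal network` was dropped along with the old rule, leaving `iif $lan accept` without the intent note that the neighbouring `iif lo accept` and `ip protocol icmp accept` lines also lack; the define makes the interface clearer but not why traffic from it is trusted unconditionally on a `policy drop` chain. Keep the comment on the new line: `# Allow from internal network` immediately above `iif $lan accept`. The `input` chain this hunk belongs to starts and ends outside the hunk.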
@@ -26,15 +28,11 @@ table inet filter {
   chain forward {
     type filter hook forward priority 0;
 
-    # Allow outgoing via wan
-    oif eth0 accept
-    # Allow dnat
-    ct status dnat accept
-    # Allow incoming on wan for related & established connections
-    iif eth0 ct state related, established accept
+    oif $wan accept
+    iif $wan drop
 
-    # Drop any other incoming traffic on wan
-    iif eth0 drop
+    ct status dnat accept
+    iif $wan ct state related, established accept
   }
 
   # Allow all packets sent by the firewall
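Review bot: In the rebuilt `forward` chain, `iif $wan drop` now precedes `ct status dnat accept` and `iif $wan ct state related, established accept`; nftables evaluates a chain's rules in order and `drop` is terminal, so every packet entering on `$wan` is dropped before those two rules are reached and they can never match, which would appear to break port forwarding and the return path of LAN-originated connections. Move `iif $wan drop` to be the last rule of the chain, after `iif $wan ct state related, established accept`, which is the order the removed lines had. The removed comments (`# Allow outgoing via wan`, `# Allow dnat`, `# Allow incoming on wan for related & established connections`, `# Drop any other incoming traffic on wan`) documented exactly this ordering and are worth keeping on the new lines. Separately, the chain header `type filter hook forward priority 0;` has no explicit policy, so unmatched packets fall through to the default accept; an explicit `policy drop;` there would make the intended default visible, though that is pre-existing rather than introduced by this change.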
@@ -50,7 +48,7 @@ table ip nat {
     # Port forwarding
 {% if nftables.dnat is defined %}
 {% for dnat in nftables.dnat %}
-    iif eth0 tcp dport {{ dnat.dport }} dnat {{ dnat.to }}
+    iif $wan tcp dport {{ dnat.dport }} dnat {{ dnat.to }}
 {% endfor %}
 {% endif %}
   }
@@ -59,6 +57,6 @@ table ip nat {
     type nat hook postrouting priority 100;
 
     # SNAT outgoing traffic
-    ip saddr {{ nftables.snat_from }} oif eth0 snat to {{ nftables.snat_to }}
+    ip saddr {{ nftables.snat_from }} oif $wan snat to {{ nftables.snat_to }}
   }
 }