diff --git a/hosts/fw.cloonar.com/modules/firewall.nix b/hosts/fw.cloonar.com/modules/firewall.nix index 5e90866..12d0f7c 100644 --- a/hosts/fw.cloonar.com/modules/firewall.nix +++ b/hosts/fw.cloonar.com/modules/firewall.nix @@ -19,13 +19,25 @@ chain input { type filter hook input priority filter; policy drop; + # accept any localhost traffic + iif lo accept + # Allow trusted networks to access the router iifname { - "wan" # disable when final + "wan", # disable when final "lan", "wg_cloonar" } counter accept + # Allow networks to access the dns + iifname { + "lan", + "server", + "wg_cloonar", + "smart", + "multimedia" + } udp dport { 53, 67, 68 } tcp dport { 80, 443, 853 } counter accept + # Accept mDNS for avahi reflection # iifname "multimedia" ip saddr tcp dport { llmnr } counter accept # iifname "multimedia" ip saddr udp dport { mdns, llmnr } counter accept diff --git a/hosts/fw.cloonar.com/modules/unbound.nix b/hosts/fw.cloonar.com/modules/unbound.nix index 40b1113..199d01c 100644 --- a/hosts/fw.cloonar.com/modules/unbound.nix +++ b/hosts/fw.cloonar.com/modules/unbound.nix 
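Review bot: The new rule under `# Allow networks to access the dns` puts `udp dport { 53, 67, 68 }` and `tcp dport { 80, 443, 853 }` in the same rule, and a single nftables rule cannot match both transport protocols at once (nft normally refuses to load it as conflicting protocols, and if it did load it would never match), so the intended traffic is not actually accepted; split it into one rule per protocol: `iifname { "lan", "server", "wg_cloonar", "smart", "multimedia" } udp dport { 53, 67, 68 } counter accept` and `iifname { "lan", "server", "wg_cloonar", "smart", "multimedia" } tcp dport { 53, 80, 443, 853 } counter accept`. The comment understates what is opened: 67/68 is DHCP and 80/443 is plain HTTP(S), which has nothing to do with DNS, so reword it, e.g. `# Allow internal networks to reach DNS (53/853), DHCP (67/68) and HTTP(S) (80/443) on the router`, and confirm that the smart and multimedia segments really need 80/443. TCP 53 is absent, which breaks truncated or large answers (DNSSEC, TCP fallback), while 853 is accepted although nothing in this diff shows unbound serving DNS-over-TLS — verify that or drop the port. The enclosing `chain input` block starts and ends outside the hunk.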
@@ -4,78 +4,79 @@ settings = { server = { interface = [ "10.42.96.1" "10.42.97.1" "10.42.99.1" "10.42.254.1" ]; - tls-cert-bundle = "/var/lib/acme/fw.cloonar.com/fullchain.pem"; + # tls-cert-bundle = "/var/lib/acme/fw.cloonar.com/fullchain.pem"; }; - local-data = [ - "localhost A 127.0.0.1" - "localhost.cloonar.com A 127.0.0.1" - "localhost AAAA ::1" - "localhost.cloonar.com AAAA ::1" - "fw.cloonar.com A 10.42.97.1" - "fw A 10.42.97.1" - - "switch.cloonar.com IN A 10.42.97.10" - "drone.cloonar.com IN A 10.42.97.118" - "hv-02.cloonar.com IN A 10.42.97.3" - "home-assistant.cloonar.com IN A 10.42.97.20" - "deconz.cloonar.com IN A 10.42.97.20" - "mopidy.cloonar.com IN A 10.42.97.20" - "snapcast.cloonar.com IN A 10.42.97.20" - "cl-storage-01.cloonar.com IN A 10.42.97.9" - "git.cloonar.com IN A 10.42.97.118" - - "stage.wsw.at IN A 10.254.235.22" - "prod.wsw.at IN A 10.254.217.23" - "piwik.wohnservice-wien.at IN A 10.254.240.109" - "wohnservice-wien.at IN A 10.254.240.109" - "mieterhilfe.at IN A 10.254.240.109" - "wohnpartner-wien.at IN A 10.254.240.109" - "wohnberatung-wien.at IN A 10.254.240.109" - "wienbautvor.at IN A 10.254.240.109" - "a.wohnservice-wien.at IN A 10.254.240.109" - "a.wohnpartner-wien.at IN A 10.254.240.109" - "a.stage.wohnservice-wien.at IN A 10.254.240.110" - "a.stage.mieterhilfe.at IN A 10.254.240.110" - "a.stage.wohnpartner-wien.at IN A 10.254.240.110" - "a.stage.wohnberatung-wien.at IN A 10.254.240.110" - "a.stage.wienbautvor.at IN A 10.254.240.110" - "a.stage.wienwohntbesser.at IN A 10.254.240.110" - "upgrade-staging.wohnservice-wien.at IN A 10.254.240.110" - "upgrade-staging.mieterhilfe.at IN A 10.254.240.110" - "upgrade-staging.wohnpartner-wien.at IN A 10.254.240.110" - "upgrade-staging.wohnberatung-wien.at IN A 10.254.240.110" - "upgrade-staging.wienbautvor.at IN A 10.254.240.110" - "upgrade-staging.wienwohntbesser.at IN A 10.254.240.110" - - "testing.ebs.amz.at IN A 80.120.142.235" - "api.testing-ebs.amz.at IN A 80.120.142.235" - - 
"metz.cloonar.com IN A 10.42.96.167" - "firetv-living.cloonar.com IN A 10.42.96.175" - "ps5-living.cloonar.com IN A 10.42.96.176" - - "ddl-warez.to IN A 172.67.184.30" - ]; - local-data-ptr = [ - "127.0.0.1 localhost" - "::1 localhost" - "10.42.97.10 switch.cloonar.com" - "10.42.97.1 fw.cloonar.com" - "10.42.97.118 drone.cloonar.com" - "10.42.97.3 hv-02.cloonar.com" - "10.42.97.20 home-assistant.cloonar.com" - "10.42.97.9 cl-storage-01.cloonar.com" - "10.42.97.118 git.cloonar.com" - - "10.254.235.22 stage.wsw.at" - "10.254.217.23 prod.wsw.at" - "10.254.240.109 wohnservice-wien.at" - "10.254.240.110 a.stage.wohnservice-wien.at" - - "80.120.142.235 testing.ebs.amz.at" - - "172.67.184.30 ddl-warez.to" - ]; + # local-zone = "cloonar.com transparent"; + # local-data = [ + # "\"localhost A 127.0.0.1\"" + # "localhost.cloonar.com A 127.0.0.1" + # "localhost AAAA ::1" + # "localhost.cloonar.com AAAA ::1" + # "fw.cloonar.com A 10.42.97.1" + # "fw A 10.42.97.1" + # + # "switch.cloonar.com IN A 10.42.97.10" + # "drone.cloonar.com IN A 10.42.97.118" + # "hv-02.cloonar.com IN A 10.42.97.3" + # "home-assistant.cloonar.com IN A 10.42.97.20" + # "deconz.cloonar.com IN A 10.42.97.20" + # "mopidy.cloonar.com IN A 10.42.97.20" + # "snapcast.cloonar.com IN A 10.42.97.20" + # "cl-storage-01.cloonar.com IN A 10.42.97.9" + # "git.cloonar.com IN A 10.42.97.118" + # + # "stage.wsw.at IN A 10.254.235.22" + # "prod.wsw.at IN A 10.254.217.23" + # "piwik.wohnservice-wien.at IN A 10.254.240.109" + # "wohnservice-wien.at IN A 10.254.240.109" + # "mieterhilfe.at IN A 10.254.240.109" + # "wohnpartner-wien.at IN A 10.254.240.109" + # "wohnberatung-wien.at IN A 10.254.240.109" + # "wienbautvor.at IN A 10.254.240.109" + # "a.wohnservice-wien.at IN A 10.254.240.109" + # "a.wohnpartner-wien.at IN A 10.254.240.109" + # "a.stage.wohnservice-wien.at IN A 10.254.240.110" + # "a.stage.mieterhilfe.at IN A 10.254.240.110" + # "a.stage.wohnpartner-wien.at IN A 10.254.240.110" + # "a.stage.wohnberatung-wien.at 
IN A 10.254.240.110" + # "a.stage.wienbautvor.at IN A 10.254.240.110" + # "a.stage.wienwohntbesser.at IN A 10.254.240.110" + # "upgrade-staging.wohnservice-wien.at IN A 10.254.240.110" + # "upgrade-staging.mieterhilfe.at IN A 10.254.240.110" + # "upgrade-staging.wohnpartner-wien.at IN A 10.254.240.110" + # "upgrade-staging.wohnberatung-wien.at IN A 10.254.240.110" + # "upgrade-staging.wienbautvor.at IN A 10.254.240.110" + # "upgrade-staging.wienwohntbesser.at IN A 10.254.240.110" + # + # "testing.ebs.amz.at IN A 80.120.142.235" + # "api.testing-ebs.amz.at IN A 80.120.142.235" + # + # "metz.cloonar.com IN A 10.42.96.167" + # "firetv-living.cloonar.com IN A 10.42.96.175" + # "ps5-living.cloonar.com IN A 10.42.96.176" + # + # "ddl-warez.to IN A 172.67.184.30" + # ]; + # local-data-ptr = [ + # "127.0.0.1 localhost" + # "::1 localhost" + # "10.42.97.10 switch.cloonar.com" + # "10.42.97.1 fw.cloonar.com" + # "10.42.97.118 drone.cloonar.com" + # "10.42.97.3 hv-02.cloonar.com" + # "10.42.97.20 home-assistant.cloonar.com" + # "10.42.97.9 cl-storage-01.cloonar.com" + # "10.42.97.118 git.cloonar.com" + # + # "10.254.235.22 stage.wsw.at" + # "10.254.217.23 prod.wsw.at" + # "10.254.240.109 wohnservice-wien.at" + # "10.254.240.110 a.stage.wohnservice-wien.at" + # + # "80.120.142.235 testing.ebs.amz.at" + # + # "172.67.184.30 ddl-warez.to" + # ]; forward-zone = [ { name = ".";