diff --git a/hosts/fw.cloonar.com/modules/firewall.nix b/hosts/fw.cloonar.com/modules/firewall.nix
index 040bc73..7cf7681 100644
--- a/hosts/fw.cloonar.com/modules/firewall.nix
+++ b/hosts/fw.cloonar.com/modules/firewall.nix
@@ -193,6 +193,9 @@
             iifname { "lan", "wg_cloonar" } oifname { "wrwks", "wg_epicenter", "wg_ghetto_at" } counter accept
             iifname { "infrastructure" } oifname { "server", "vserver" } counter accept
 
+            # allow all established, related
+            ct state { established, related } accept comment "Allow established traffic"
+
             # Allow trusted network WAN access
             iifname {
               "lan",