{ ... }:
{
  # Router firewall/NAT configuration.  The active rules are raw iptables
  # commands in `firewall.extraCommands`; an nftables port of the same policy
  # is kept further down as a commented-out draft.
  networking = {
    # NOTE(review): no externalInterface/internalInterfaces are set, so
    # presumably nat.enable is relied on for IP forwarding only and all
    # masquerading is done by hand in extraCommands below — confirm.
    nat.enable = true;
    firewall = {
      enable = true;
      # Rule summary (iptables evaluates in order, first match wins):
      #   INPUT
      #     - lo, wan, lan and wg_cloonar may reach the router unconditionally.
      #       `-i wan -j ACCEPT` lets anything arriving on the wan interface
      #       reach every listening service; the nftables draft annotates the
      #       same entry with "disable when final", so this looks like a
      #       temporary rule that should be dropped (or reduced to
      #       ESTABLISHED,RELATED plus the selected ICMP types the draft
      #       allows) before the host is considered finished.
      #     - smart and multimedia may reach udp 53,67,68 and tcp 80,443,453.
      #       The draft lists tcp 853 where this lists 453 — one of the two is
      #       probably a typo; verify which port the resolver listens on.
      #     - "server" is absent from the INPUT allow-list although the draft
      #       includes it for the udp/tcp service rules — confirm this is
      #       intended.
      #     - ESTABLISHED,RELATED handles return traffic for the interfaces
      #       that are not accepted wholesale.
      #   FORWARD
      #     - `-i wan -d 10.42.0.0/16 -j ACCEPT` forwards unsolicited traffic
      #       from wan into the whole internal /16, not just replies; the
      #       draft carries the matching "TODO: disable wan when finished".
      #     - lan, server, multimedia, smart and wg_cloonar may reach wan;
      #       ESTABLISHED,RELATED covers the return path.
      #   nat/POSTROUTING
      #     - masquerade on wan, wrwks, wg_epicenter and wg_ghetto_at.
      # Only `iptables` (IPv4) is used here; IPv6 is not addressed by these
      # commands.
      # NOTE(review): rules are appended straight to INPUT/FORWARD, after
      # whatever the NixOS firewall module has already installed — check the
      # effective ruleset (`iptables -S`) on the host to confirm they are
      # reached and not shadowed by the managed nixos-fw chain.
      extraCommands = ''
        iptables -A INPUT -i lo -j ACCEPT
        iptables -A INPUT -i wan -j ACCEPT
        iptables -A INPUT -i lan -j ACCEPT
        iptables -A INPUT -i wg_cloonar -j ACCEPT
        iptables -A INPUT -p udp -i smart -m multiport --dports 53,67,68 -j ACCEPT
        iptables -A INPUT -p udp -i multimedia -m multiport --dports 53,67,68 -j ACCEPT
        iptables -A INPUT -p tcp -i smart -m multiport --dports 80,443,453 -j ACCEPT
        iptables -A INPUT -p tcp -i multimedia -m multiport --dports 80,443,453 -j ACCEPT
        iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

        iptables -A FORWARD -i wan -d 10.42.0.0/16 -j ACCEPT
        iptables -A FORWARD -i lan -d 10.42.0.0/16 -j ACCEPT
        iptables -A FORWARD -i wg_cloonar -d 10.42.0.0/16 -j ACCEPT
        iptables -A FORWARD -i lan -o wan -j ACCEPT
        iptables -A FORWARD -i server -o wan -j ACCEPT
        iptables -A FORWARD -i multimedia -o wan -j ACCEPT
        iptables -A FORWARD -i smart -o wan -j ACCEPT
        iptables -A FORWARD -i wg_cloonar -o wan -j ACCEPT
        iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

        iptables -t nat -A POSTROUTING -o wan -j MASQUERADE
        iptables -t nat -A POSTROUTING -o wrwks -j MASQUERADE
        iptables -t nat -A POSTROUTING -o wg_epicenter -j MASQUERADE
        iptables -t nat -A POSTROUTING -o wg_ghetto_at -j MASQUERADE
      '';
    };

    # Commented-out nftables draft of the policy above (not active).  It
    # differs from the live iptables rules in a few places (tcp 853 vs 453,
    # "server" and "podman0" in the allow-lists, wan restricted to
    # established/related + ICMP) — keep the two in sync if either changes.
    # nftables = {
    #   enable = true;
    #   ruleset = ''
    #     table inet filter {
    #       # enable flow offloading for better throughput
    #       # flowtable f {
    #       #   hook ingress priority 0;
    #       #   devices = { lan, server, wg_cloonar, smart, multimedia, guest };
    #       # }
    #
    #       chain output {
    #         type filter hook output priority 100; policy accept;
    #       }
    #
    #       chain input {
    #         type filter hook input priority filter; policy drop;
    #
    #         # accept any localhost traffic
    #         iifname lo accept
    #
    #         # Allow trusted networks to access the router
    #         iifname {
    #           "wan", # disable when final
    #           "lan",
    #           "wg_cloonar"
    #         } counter accept
    #
    #         # Allow networks to access the dns and dhcp
    #         iifname {
    #           "lan",
    #           "server",
    #           "wg_cloonar",
    #           "smart",
    #           "multimedia"
    #         } udp dport { 53, 67, 68 } counter accept
    #         iifname {
    #           "lan",
    #           "server",
    #           "wg_cloonar",
    #           "smart",
    #           "multimedia"
    #         } tcp dport { 80, 443, 853 } counter accept
    #
    #         # Accept mDNS for avahi reflection
    #         # iifname "multimedia" ip saddr tcp dport { llmnr } counter accept
    #         # iifname "multimedia" ip saddr udp dport { mdns, llmnr } counter accept
    #
    #         # Allow returning traffic from wg_cloonar and drop everything else
    #         iifname "wg_cloonar" ct state { established, related } counter accept
    #         iifname "wg_cloonar" drop
    #
    #         iifname "wan" ct state { established, related } accept comment "Allow established traffic"
    #         iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
    #         iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan"
    #       }
    #
    #       chain forward {
    #         type filter hook forward priority filter; policy drop;
    #
    #         # enable flow offloading for better throughput
    #         # ip protocol { tcp, udp } flow offload @f
    #
    #         # multimedia airplay
    #         iifname "multimedia" oifname { "lan" } counter accept
    #
    #         # lan and vpn to any
    #         # TODO: disable wan when finished
    #         iifname { "wan", "lan", "wg_cloonar" } oifname { "lan", "server", "podman0", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept
    #
    #         # Allow trusted network WAN access
    #         iifname {
    #           "lan",
    #           "server",
    #           "podman0",
    #           "multimedia",
    #           "smart",
    #           "wg_cloonar",
    #         } oifname {
    #           "wan",
    #         } counter accept comment "Allow trusted LAN to WAN"
    #
    #         # Allow established WAN to return
    #         iifname {
    #           "wan",
    #         } oifname {
    #           "lan",
    #           "server",
    #           "podman0",
    #           "multimedia",
    #           "smart",
    #           "wg_cloonar",
    #         } ct state { established, related } counter accept comment "Allow established back to LANs"
    #       }
    #     }
    #
    #     table ip nat {
    #       chain prerouting {
    #         type nat hook prerouting priority filter; policy accept;
    #       }
    #
    #       # Setup NAT masquerading on the ppp0 interface
    #       chain postrouting {
    #         type nat hook postrouting priority filter; policy accept;
    #
    #         oifname { "wan", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
    #         oifname { "wan" } masquerade
    #       }
    #     }
    #   '';
    # };
  };
}