diff --git a/nas/configuration.nix b/nas/configuration.nix
index e09c38b..1aef7b2 100644
--- a/nas/configuration.nix
+++ b/nas/configuration.nix
@@ -55,10 +55,61 @@
 prefixLength = 24;
 }];
- firewall.enable = false;
-
 hostName = "nas";
 hostId = "c9e40f42";
+
+ nat = {
+ enable = true;
+ externalInterface = "enp1s0";
+ internalInterfaces = [ "wg0" ];
+ };
+
+ firewall = {
+ enable = true;
+
+ allowedTCPPorts = [
+ 22 # ssh
+ 80 # http
+ 139 # smb
+ 443 # https
+ 445 # smb
+ 8096 # jellyfin
+ 9091 # transmission webui
+ 19999 # netdata
+ 22000 # syncthing sync
+ 51415 # transmission
+ 51820 # wireguard
+ ];
+
+ allowedUDPPorts = [
+ 21027 # syncthing discovery
+ 22000 # syncthing sync
+ 51415 # transmission
+ 51820 # wireguard
+ ];
+ };
+
+ wireguard.interfaces.wg0 = {
+ ips = [ "10.100.0.1/32" ];
+ listenPort = 51820;
+ privateKeyFile = "/home/sijmen/wireguard-keys/private";
+
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+
+ peers = [
+ {
+ # thinkpad
+ publicKey = "Y2X8mT+LCXkjLjzRBcdglIKLYu68kvf5K0nKTEOWdGE=";
+ allowedIPs = [ "10.100.0.2/32" ];
+ }
+ ];
+ };
 };
 i18n.defaultLocale = "en_US.UTF-8";
@@ -215,7 +266,7 @@
 server string = nas
 netbios name = nas
 security = user
- hosts allow = 192.168.1.0/24, 10.2.0.0/24
+ hosts allow = 192.168.1.0/24, 10.2.0.0/24, 10.100.0.0/24
 guest account = nobody
 client min protocol = SMB3
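Review bot: The `postSetup`/`postShutdown` iptables rules in the wg0 block masquerade on `-o eth0`, while `nat.externalInterface` in the same hunk names the uplink `enp1s0`, so on a host using predictable interface names that MASQUERADE rule will never match and the hook is dead (or, if an `eth0` ever exists, it NATs out the wrong interface). The `networking.nat` block with `internalInterfaces = [ "wg0" ]` should already masquerade wg0 traffic out of enp1s0, so the two hooks can be dropped; if they are kept, change both to `-o enp1s0` so the two halves of the config agree. Separately, `allowedTCPPorts` opens SMB (139/445), the Transmission web UI (9091) and netdata (19999) on every interface including enp1s0; restricting them per interface with `networking.firewall.interfaces.<name>.allowedTCPPorts` keeps those services off the uplink, and TCP 51820 can go entirely since WireGuard only uses UDP. The WireGuard private key is read from a user's home directory (`/home/sijmen/wireguard-keys/private`); it should be root-owned with mode 0400 or moved out of the home tree so an unprivileged login cannot read the tunnel key.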