diff --git a/hosts/wob-vpn-gw/default.nix b/hosts/wob-vpn-gw/default.nix
index adb5e9d..7008f4d 100644
--- a/hosts/wob-vpn-gw/default.nix
+++ b/hosts/wob-vpn-gw/default.nix
@@ -86,6 +86,11 @@
     }) (lib.genList lib.id 12));
   };
 
+  networking.nftables.enable = true;
+  networking.firewall.extraInputRules = ''
+    iifname { "bmc*" } meta nfproto ipv4 udp dport 67 accept comment "DHCP server"
+  '';
+
   networking.vlans = lib.listToAttrs (map (x: lib.nameValuePair "bmc${toString x}" {
     interface = "oob";
     id = 101 + x;