diff --git a/nixbld-etc-nixos/configuration.nix b/nixbld-etc-nixos/configuration.nix
index d3ddade..64912ba 100644
--- a/nixbld-etc-nixos/configuration.nix
+++ b/nixbld-etc-nixos/configuration.nix
@@ -94,6 +94,14 @@ in
 allowedUDPPorts = [ 53 67 500 4500 ];
 trustedInterfaces = [ netifLan ];
 logRefusedConnections = false;
+ extraCommands = ''
+ iptables -A INPUT -s 5.78.86.156 -p gre -j ACCEPT
+ iptables -A INPUT -s 5.78.86.156 -p ah -j ACCEPT
+ '';
+ extraStopCommands = ''
+ iptables -D INPUT -s 5.78.86.156 -p gre -j ACCEPT
+ iptables -D INPUT -s 5.78.86.156 -p ah -j ACCEPT
+ '';
 };
 useDHCP = false;
 interfaces."${netifWan}".useDHCP = true; # PCCW - always wants active DHCP lease or cuts you off
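Review bot: The two ACCEPT rules in `extraCommands` match only on source address and protocol, on every interface, and GRE carries no authentication of its own, so the `-p gre` rule admits any GRE packet that merely bears that source address. If the tunnel is meant to run inside the IPsec association that the open UDP 500/4500 ports suggest, the GRE rule should be bound to the WAN interface and to IPsec-protected traffic, for example `iptables -A INPUT -i ${netifWan} -s 5.78.86.156 -p gre -m policy --dir in --pol ipsec -j ACCEPT`, with the matching `-D` line in `extraStopCommands` updated to the same rule specification. The rules are also appended to `INPUT` rather than to the module's own `nixos-fw` chain, so they may accumulate if the start commands are re-run without the stop commands; ending each `-D` line with `|| true` would keep the stop script from failing when a rule is already absent. A short comment naming what the peer address is would help the next reader. The enclosing firewall attribute set begins outside this hunk, so any interface or policy restriction applied elsewhere is not visible here.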