diff --git a/hosts/sausebiene/mosquitto.nix b/hosts/sausebiene/mosquitto.nix
index aa02959..7368466 100644
--- a/hosts/sausebiene/mosquitto.nix
+++ b/hosts/sausebiene/mosquitto.nix
@@ -27,16 +27,4 @@
 }
 ];
 };
-
- networking.nftables.firewall.rules = {
- # Allow devices and iot VLANs to access the MQTT server
- access-mqtt = {
- from = [
- "vlan-devices"
- "vlan-iot"
- ];
- to = [ "local" ];
- allowedTCPPorts = [ 1883 ];
- };
- };
 }
diff --git a/hosts/sausebiene/net.nix b/hosts/sausebiene/net.nix
index d14e0ff..53f50fa 100644
--- a/hosts/sausebiene/net.nix
+++ b/hosts/sausebiene/net.nix
@@ -104,6 +104,44 @@ in
 "vlan-${vlanName}".interfaces = [ "vlan-${vlanName}" ];
 }
 );
+
+ rules = {
+ # Allow devices to be discovered through various protocols
+ discovery-protocols = {
+ from = [
+ "vlan-home"
+ "vlan-devices"
+ "vlan-iot"
+ ];
+ to = [ "local" ];
+ allowedUDPPorts = [
+ 1900 # Simple Service Discovery Protocol, UPnP
+ ];
+ allowedTCPPorts = [
+ 40000 # UPnP HTTP
+ ];
+ # HomeKit etc. may use random high-numbered ports.
+ # There's probably a better way to handle this
+ allowedUDPPortRanges = [
+ {
+ from = 30000;
+ to = 65535;
+ }
+ ];
+ };
+
+ # Allow devices to access some local services
+ access-services = {
+ from = [
+ "vlan-devices"
+ "vlan-iot"
+ ];
+ to = [ "local" ];
+ allowedTCPPorts = [
+ 1883 # MQTT
+ ];
+ };
+ };
 };
 
 wireguard.proxy-home.client.via = "ward";
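Review bot: The `allowedUDPPortRanges` entry in the new `discovery-protocols` rule in net.nix admits UDP 30000–65535 to `local` from all three VLANs in its `from` list, which is most of the ephemeral port range, so any service on the host that happens to bind a high UDP port becomes reachable from vlan-devices and vlan-iot as well as vlan-home, not only the HomeKit traffic the comment names. The comment already flags this as provisional, so at minimum the rule should say what depends on the range and from where, e.g. replace the second comment line with `# TODO(firewall): scoped to all three VLANs for now; narrow to the VLAN/ports the HomeKit bridge actually needs once confirmed`. If only one VLAN needs the wide range (I can't tell from the hunk which one hosts the HomeKit devices), splitting the range into its own rule with a narrower `from` keeps the SSDP/UPnP ports on 1900/40000 unchanged while shrinking the exposed surface. The attribute set that `rules` is added to begins before this hunk, so I am assuming it is the same nftables firewall set the removed mosquitto.nix rule lived in.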