diff --git a/hardware-configuration.nix b/hardware-configuration.nix index 0a0d26c..a64bf68 100644 --- a/hardware-configuration.nix +++ b/hardware-configuration.nix @@ -39,7 +39,9 @@ RUN+="/bin/sh -c 'modprobe ahci; echo 0000:08:00.0 > /sys/bus/pci/drivers_probe'" ''; - boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true; + boot.kernel.sysctl = { + "net.ipv4.conf.all.forwarding" = true; + }; swapDevices = [ { device = "/dev/disk/by-uuid/7e34cdc3-bd48-435a-8ea2-e1fe43926262"; } diff --git a/incus.nix b/incus.nix index 244f4d9..1a75979 100644 --- a/incus.nix +++ b/incus.nix @@ -5,7 +5,7 @@ networking = { nftables.enable = true; firewall = { - trustedInterfaces = [ "incusbr1" ]; + trustedInterfaces = [ "incusbr1" "incusbr2" ]; filterForward = true; extraForwardRules = '' @@ -23,6 +23,10 @@ allowedTCPPorts = [ 53 ]; allowedUDPPorts = [ 53 67 68 ]; }; + incusbr2 = { + allowedTCPPorts = [ 53 ]; + allowedUDPPorts = [ 53 67 68 ]; + }; }; diff --git a/networking.nix b/networking.nix index ae7760f..3560a80 100644 --- a/networking.nix +++ b/networking.nix @@ -9,9 +9,8 @@ firewall = { enable = true; - allowedTCPPorts = [ 80 443 8123 1883 8883 9001 20 21 50000 50001 50002 50003 50004 50005 22 2222 2223 990 989 445 111 2049 32765 32768 20048 ]; - allowedUDPPorts = [ 111 2049 20048 32765 32768 ]; - trustedInterfaces = [ "incusbr0" "incusbr2" ]; + allowedTCPPorts = [ 53 80 443 8123 1883 8883 9001 20 21 50000 50001 50002 50003 50004 50005 22 2222 2223 990 989 445 111 2049 32765 32768 20048 ]; + allowedUDPPorts = [ 53 67 68 111 2049 20048 32765 32768 ]; }; nftables.ruleset = '' 
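Review bot: Adding "incusbr2" to `trustedInterfaces` in the incus.nix hunk at -5,7 accepts all inbound traffic on that interface before any port rule is consulted (that is what NixOS does for trusted interfaces, as far as I know), so the `incusbr2 = { allowedTCPPorts = [ 53 ]; allowedUDPPorts = [ 53 67 68 ]; };` block added in the following hunk (-23,6) never narrows anything. Pick one model: if the guests on incusbr2 should only reach the host's DNS and DHCP, drop "incusbr2" from `trustedInterfaces` and keep the per-interface allowances; if the bridge is genuinely trusted, the per-interface block is dead and should go, with a comment on the `trustedInterfaces` line saying why the bridge is trusted. As written, a reader will assume the host is filtering incusbr2 to ports 53/67/68 when it is not.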
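Review bot: In the networking.nix hunk at -9,9, port 53 (TCP and UDP) and ports 67/68 (UDP) are added to the global `allowedTCPPorts`/`allowedUDPPorts`, which opens the host's DNS and DHCP listeners on every interface, including the LAN-facing one, rather than only on the guest bridge. The same commit removes "incusbr0" from `trustedInterfaces` here, so this presumably compensates for that bridge losing unconditional acceptance; if so, scope it per interface the way incus.nix already does for incusbr1, e.g. `networking.firewall.interfaces."incusbr0".allowedUDPPorts = [ 53 67 68 ];` together with the matching `allowedTCPPorts = [ 53 ];`, and leave the global lists as they were. If the global exposure is intentional, a comment on those two lines naming which interface the listeners are actually bound to would spare the next reader the same question.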
@@ -28,6 +27,12 @@ # allow vm to vm communication iifname "tap*" oifname "tap*" accept + # allow vm dns + ether saddr 10:66:6a:06:f9:5e udp dport 53 accept + + # allow vms on incusbr2 to go into lan + iifname "incusbr2" accept + # allow natted replies iifname "incusbr2" oifname "incusbr0" tcp dport 8123 ct state new,established accept iifname "incusbr2" oifname "incusbr0" tcp dport 80 ct state new,established accept @@ -90,7 +95,6 @@ { address = "192.168.0.19"; prefixLength = 24; } ]; macAddress = "2c:fd:a1:c1:13:b0"; - mtu = 1280; }; };
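Review bot: The new `iifname "incusbr2" accept` in the hunk at -28,6 accepts any forwarded traffic arriving on incusbr2 regardless of egress interface, so it also covers incusbr2 → incusbr0/incusbr1/tap* forwarding, not only the "into lan" case the comment describes, and it makes the `# allow natted replies` rules below it unreachable for incusbr2 traffic. Narrow it to the stated intent with an `oifname`, e.g. `iifname "incusbr2" oifname "<lan-iface>" accept` (placeholder — substitute the LAN-facing interface), or, if the broad accept is what is wanted, move it below the reply rules and say so in the comment. The `ether saddr 10:66:6a:06:f9:5e udp dport 53 accept` rule keys on a guest-controlled source MAC, which any guest on the same bridge can set, so treat it as a convenience match rather than an access control and at least pair it with an `iifname` so it is confined to one bridge. The enclosing nftables ruleset string starts and ends outside the hunk.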