diff --git a/nix/kubernetes/README.org b/nix/kubernetes/README.org
index 70f8a687..fbeeb074 100644
--- a/nix/kubernetes/README.org
+++ b/nix/kubernetes/README.org
@@ -10,6 +10,12 @@
 { domain = "@users"; item = "rtprio"; type = "-"; value = 1; }
 ];
 #+end_src
+* IP Ranges
+| | IPv4 | IPv6 |
+|---------+---------------+-----------------------------------------|
+| Pod | 10.200.0.0/16 | 2620:11f:7001:7:ffff:eeee::/96 |
+| Service | 10.197.0.0/16 | fd00:3e42:e349::/112 |
+| Node | 10.215.1.0/24 | 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 |
 * Healthcheck
 ** Check cilium status
 #+begin_src bash
diff --git a/nix/kubernetes/keys/scope.nix b/nix/kubernetes/keys/scope.nix
index b75bb804..5c7382e0 100644
--- a/nix/kubernetes/keys/scope.nix
+++ b/nix/kubernetes/keys/scope.nix
@@ -246,6 +246,8 @@ makeScope newScope (
 "ipv4NativeRoutingCIDR" = "10.200.0.0/16";
 "ipv6NativeRoutingCIDR" = "2620:11f:7001:7:ffff::/80";
+ # TODO: Read and maybe apply https://docs.cilium.io/en/stable/operations/performance/tuning/
+ # --set hostFirewall.enabled=true
 # --set 'ipam.operator.clusterPoolIPv4PodCIDRList=["10.0.0.0/8"]' \
diff --git a/nix/kubernetes/roles/debugging/default.nix b/nix/kubernetes/roles/debugging/default.nix
index 14bcb75b..35b9cd14 100644
--- a/nix/kubernetes/roles/debugging/default.nix
+++ b/nix/kubernetes/roles/debugging/default.nix
@@ -27,7 +27,9 @@
 ldns # for drill
 ];
- networking.firewall.enable = false; # TODO: This is just here for debugging / initial development.
- # TODO: Maybe use networking.nftables.enable to switch to nftables?
+ # This can make debugging easier by rejecting packets instead of dropping them:
+ networking.firewall.rejectPackets = true;
+ # Log each rejected packet instead of just each connection.
+ networking.firewall.logRefusedPackets = true;
 };
 }
diff --git a/nix/kubernetes/roles/firewall/default.nix b/nix/kubernetes/roles/firewall/default.nix
index 9dedd294..771aa1d9 100644
--- a/nix/kubernetes/roles/firewall/default.nix
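Review bot: The two options added here, `networking.firewall.rejectPackets = true;` and `networking.firewall.logRefusedPackets = true;`, only have an effect while the NixOS firewall module is enabled, as far as I recall from that module, and the firewall role hunk later in this same diff adds `networking.firewall.enable = false;` right next to its new `extraInputRules`/`extraForwardRules`, so when both roles are composed all of those settings look like dead configuration. If the NixOS nftables firewall is meant to stay on (which the new extra rules suggest), the line to change is the `networking.firewall.enable = false;` in the firewall role; if Cilium's host firewall is meant to replace it, these two options should go instead and a comment should say which component owns host filtering. Per-packet logging is also noisy on a node with an Internet-facing interface, so it is worth marking its scope, e.g. `# Per-packet logging: debugging role only, too noisy for exposed nodes.`. The enclosing attribute set starts before this hunk.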
+++ b/nix/kubernetes/roles/firewall/default.nix
@@ -26,15 +26,29 @@
 "net.bridge.bridge-nf-call-iptables" = 1;
 "net.bridge.bridge-nf-call-ip6tables" = 1;
 "net.ipv4.ip_forward" = 1;
+
+ # Enable forwarding on all interfaces.
+ # "net.ipv4.conf.all.forwarding" = 1;
+ # "net.ipv6.conf.all.forwarding" = 1;
 };
+ networking.firewall.enable = false;
 networking.nftables.enable = true;
 # We want to filter forwarded traffic.
 # Also needed for `networking.firewall.extraForwardRules` to do anything.
 networking.firewall.filterForward = true;
- # This can make debugging easier by rejecting packets instead of dropping them:
- # networking.firewall.rejectPackets = true;
+ networking.firewall.extraInputRules = ''
+ ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
+ ip6 saddr fd00:3e42:e349::/112 accept
+ ip6 saddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
+ '';
+
+ networking.firewall.extraForwardRules = ''
+ ip6 daddr 2620:11f:7001:7:ffff:eeee::/96 accept
+ ip6 daddr fd00:3e42:e349::/112 accept
+ ip6 daddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
+ '';
 # Check logs for blocked connections:
 # journalctl -k or dmesg
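Review bot: The three `ip6 saddr … accept` rules in the new `extraInputRules` admit any packet whose source address merely claims to be in the pod, service or node range, and nothing in the rule keys on the ingress interface, so on a node with a public interface these become an unauthenticated bypass of the input chain for anyone who can spoof a source address in 2620:11f:7001:7:ffff:eeee::/96 or the other two prefixes (the pod range at least is in globally routed space per the README hunk). Pair each rule with the interface the cluster traffic actually arrives on, e.g. `iifname "<cluster-iface>" ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept`, or add a reverse-path check before them; the same applies to the `daddr` rules in `extraForwardRules` to a lesser degree, since forwarding is also opened to those ranges regardless of origin. Separately, the accept rules are written for IPv6 only while the README table documents IPv4 ranges for the same roles, so either the IPv4 side is handled elsewhere (worth a comment) or it is missing. The enclosing attribute set starts before and ends after this hunk.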