diff --git a/hosts/carbon/configuration.nix b/hosts/carbon/configuration.nix
index 5aa260a..86b7586 100644
--- a/hosts/carbon/configuration.nix
+++ b/hosts/carbon/configuration.nix
@@ -243,11 +243,15 @@
 networking.firewall.allowedUDPPorts = [ 53 ];
 networking.firewall.allowedTCPPorts = [ 53 ];
- networking.firewall.extraCommands = ''
- ip46tables -A FORWARD -i enp1s0.202 -o ppp-ntvdsl -j ACCEPT
- ip46tables -A FORWARD -i enp1s0.202 -j DROP
- ip46tables -A FORWARD -i ppp-ntvdsl -o enp1s0.202 -j ACCEPT
- ip46tables -A FORWARD -o enp1s0.202 -j DROP
+ clerie.firewall.enable = true;
+ clerie.firewall.extraForwardFilterCommands = ''
+ ip46tables -A forward-filter -i enp1s0.202 -o ppp-ntvdsl -j ACCEPT
+ ip46tables -A forward-filter -i enp1s0.202 -j DROP
+ ip46tables -A forward-filter -i ppp-ntvdsl -o enp1s0.202 -j ACCEPT
+ ip46tables -A forward-filter -o enp1s0.202 -j DROP
+ '';
+ clerie.firewall.extraForwardMangleCommands = ''
+ ip46tables -t mangle -A forward-mangle -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1452
 '';
 services.pppd = {
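Review bot: The third forward-filter rule, `-i ppp-ntvdsl -o enp1s0.202 -j ACCEPT`, accepts every packet arriving from the PPP uplink for that VLAN without a connection-state match. ip46tables presumably installs it for IPv6 as well, so hosts on enp1s0.202 with global addresses would be reachable unsolicited unless the clerie.firewall module, which is not part of this hunk, filters earlier in the chain. If only return traffic is intended, tighten it to `ip46tables -A forward-filter -i ppp-ntvdsl -o enp1s0.202 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`. Separately, the mangle rule applies `--set-mss 1452` to both address families and to every forwarded interface pair; assuming a 1492-byte PPPoE MTU, that value fits IPv4 but is 20 bytes too large for IPv6, so IPv6 flows would depend on path-MTU discovery. Using `-j TCPMSS --clamp-mss-to-pmtu` or separate per-family rules, and a short comment explaining where 1452 comes from, would avoid that.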