diff --git a/roles/hass-dhcp/defaults/main.yml b/roles/hass-dhcp/defaults/main.yml index 3f30a2e..bd7ee4e 100644 --- a/roles/hass-dhcp/defaults/main.yml +++ b/roles/hass-dhcp/defaults/main.yml @@ -1,5 +1,5 @@ hass_dhcp_range: start: 192.168.1.100 end: 192.168.1.250 -hass_dhcp_lease_time: 1h +hass_dhcp_lease_time: 24h hass_dns_domain: homeassistant.io diff --git a/roles/hass-dhcp/handlers/main.yml b/roles/hass-dhcp/handlers/main.yml index bf3bfdc..b3d091a 100644 --- a/roles/hass-dhcp/handlers/main.yml +++ b/roles/hass-dhcp/handlers/main.yml @@ -2,3 +2,7 @@ service: name: dnsmasq state: restarted +- name: reload firewalld + command: firewall-cmd --reload +- name: save firewalld configuration + command: firewall-cmd --runtime-to-permanent diff --git a/roles/hass-dhcp/tasks/main.yml b/roles/hass-dhcp/tasks/main.yml index 8a0a651..0c042c0 100644 --- a/roles/hass-dhcp/tasks/main.yml +++ b/roles/hass-dhcp/tasks/main.yml @@ -12,3 +12,43 @@ mode: '0644' notify: - restart dnsmasq + +- meta: flush_handlers +- name: ensure homeassistant firewall zone exists + firewalld: + zone: homeassistant + permanent: true + state: present + tags: + - firewall + notify: + - reload firewalld +- name: ensure homeassistant firewalld zone is configured + firewalld: + zone: homeassistant + interface: '{{ hass_interface }}' + permanent: true + state: enabled + notify: + - reload firewalld + tags: + - firewall +- meta: flush_handlers +- name: ensure firewall is configured for home assistant services + firewalld: + zone: homeassistant + service: '{{ item }}' + immediate: yes + permanent: no + state: enabled + loop: + - dhcp + - dns + - http + - https + - mdns + - mqtt-tls + notify: + - save firewalld configuration + tags: + - firewall diff --git a/roles/hass-dhcp/templates/homeassistant.dnsmasq.conf.j2 b/roles/hass-dhcp/templates/homeassistant.dnsmasq.conf.j2 index ee854de..858d870 100644 --- a/roles/hass-dhcp/templates/homeassistant.dnsmasq.conf.j2 
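Review bot: The `save firewalld configuration` handler runs `firewall-cmd --runtime-to-permanent`, which persists the whole runtime configuration, not only the services this role enabled, so any temporary runtime rule present on the host at that moment becomes permanent as a side effect. The only task that notifies it (the service loop in tasks/main.yml) sets `immediate: yes` and `permanent: no`; setting `permanent: true` together with `immediate: true` there would let the firewalld module write both configurations itself, and this handler could be dropped. `reload firewalld` could also use the `service` module with `state: reloaded`, matching the dnsmasq handler above it, rather than `command`.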
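Review bot: The service loop opens `http` next to `https` in the `homeassistant` zone; if the Home Assistant front end is only meant to be reached over TLS, the cleartext entry widens the zone for no benefit and should be dropped, or a comment should say which consumer needs it. The same task writes `immediate: yes` / `permanent: no` while the two zone tasks above it use `true`; `immediate: true` and `permanent: false` would keep the boolean style consistent and satisfy yamllint's `truthy` rule. A short comment before the second `meta: flush_handlers`, such as `# reload so the new zone exists at runtime before runtime-only service changes target it`, would document why the ordering matters.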
+++ b/roles/hass-dhcp/templates/homeassistant.dnsmasq.conf.j2 @@ -1,5 +1,9 @@ +no-resolv +no-hosts interface={{ hass_interface }} -dhcp-range={{ hass_dhcp_range.start }},{{ hass_dhcp_range.end }},{{ hass_dhcp_lease_time }} -domain={{ hass_dns_domain }} - -log-queries=extra +dhcp-range=set:homeassistant,{{ hass_dhcp_range.start }},{{ hass_dhcp_range.end }},{{ hass_dhcp_lease_time }} +domain={{ hass_dns_domain }},{{ hass_net_cidr }} +interface-name={{ homeassistant_server_name }},{{ hass_interface }} +{% if hass_net_gateway|d %} +dhcp-option=option:router,{{ hass_net_gateway }} +{% endif %} diff --git a/roles/hass-dhcp/vars/main.yml b/roles/hass-dhcp/vars/main.yml new file mode 100644 index 0000000..7bef48f --- /dev/null +++ b/roles/hass-dhcp/vars/main.yml @@ -0,0 +1,9 @@ +hass_net_cidr: >- + {{ + ( + ansible_facts[hass_interface].ipv4.network + + '/' + + ansible_facts[hass_interface].ipv4.netmask + ) + | ipaddr('net') + }}
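Review bot: `interface-name={{ homeassistant_server_name }},{{ hass_interface }}` uses a variable that no role file in this commit defines (defaults/main.yml appears in full in its hunk and the new vars/main.yml only sets `hass_net_cidr`), so rendering fails unless inventory supplies it; a default or an `assert` task would make the requirement explicit. `no-resolv` is added without any `server=` line in this template, so unless another dnsmasq configuration file provides upstream servers, clients on this network will only resolve local names; that deserves a comment if the isolation is intended. Dropping `log-queries=extra` also removes the per-query DNS log for this network, which may be the only record of what its devices look up; consider keeping it behind a role variable (for example a new boolean such as `hass_dns_log_queries`) instead of deleting it.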
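Review bot: `ansible_facts[hass_interface]` is indexed with the raw interface name, but as far as I know Ansible normalises fact keys by replacing `-` with `_`, so an interface named, for example, `br-lan` would be undefined here; `ansible_facts[hass_interface | replace('-', '_')]` avoids that. The expression also depends on facts having been gathered, on the interface having an IPv4 address, and on the `ipaddr` filter being available (it needs netaddr on the controller and in current Ansible lives in the `ansible.utils` collection), none of which the role checks. Because this sits in vars/main.yml rather than defaults/main.yml, inventory cannot override the computed CIDR; if overriding should be possible, move it to defaults.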