diff --git a/roles/dch-gw/templates/forward.nft.j2 b/roles/dch-gw/templates/forward.nft.j2
index c5f386e..f74faba 100644
--- a/roles/dch-gw/templates/forward.nft.j2
+++ b/roles/dch-gw/templates/forward.nft.j2
@@ -1,5 +1,13 @@
 {#- vim: set sw=4 ts=4 sts=4 et : #}
 table inet filter {
+    set domain_controllers {
+        type ipv4_addr
+        elements = {
+            dc0.pyrocufflink.blue,
+            dc1.pyrocufflink.blue,
+        }
+    }
+
     set vpn_subnets {
         type ipv4_addr
         flags interval
@@ -15,6 +23,8 @@ table inet filter {
         ct state established,related accept
         iifname {{ dch_networks.guest.router_iface }} oif != {{ internet_iface }} drop
         iif != {{ internet_iface }} oifname {{ dch_networks.guest.router_iface }} drop
+        iifname {{ dch_networks.mgmt.router_iface }} ip daddr @domain_controllers udp dport { ntp, radius } counter accept
+        iifname {{ dch_networks.mgmt.router_iface }} counter drop
         iif != {{ internet_iface }} oif != {{ internet_iface }} counter accept
         iif {{ internet_iface }} ip saddr @vpn_subnets counter accept
         iif != {{ internet_iface }} ip daddr @vpn_subnets counter accept
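Review bot: The `domain_controllers` set lists hostnames (`dc0.pyrocufflink.blue`, `dc1.pyrocufflink.blue`) in an `ipv4_addr` set, which nft resolves once when the ruleset is loaded, so loading the forward chain now depends on name resolution working at that moment and a later address change on either DC is silently not picked up until the next reload. On a gateway this is worth a second look, because if the DCs are the resolvers for this host the firewall may fail to load at boot precisely when those hosts are unreachable. Consider rendering literal addresses from inventory instead (e.g. `{{ DC_IPV4_ADDRESS_PLACEHOLDER }}` per host), or at least add `# hostnames are resolved by nft at ruleset load; reload after a DC address change` above the set so the dependency is visible. If the names ever resolve to more than one address, nft rejects the element, which is another reason to prefer literals.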
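Review bot: The new accept rule for the management network only admits `udp dport { ntp, radius }`, and the service name `radius` maps to UDP 1812 (authentication) only; if RADIUS accounting is in use toward the DCs, port 1813 will hit the catch-all `iifname {{ dch_networks.mgmt.router_iface }} counter drop` on the next line. If that is intended, a short comment saying so would help; otherwise extend the set: `udp dport { ntp, radius, radius-acct }`. The unconditional drop that follows also has no `log`, so denied management traffic leaves only a counter behind; a rate-limited `limit rate 5/minute log prefix "forward-mgmt-drop: "` rule in front of it would make misconfigurations (and unexpected probes from the management segment) visible without flooding the journal.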