diff --git a/hosts/architect/firewall.nix b/hosts/architect/firewall.nix
index d51ee5d..072548c 100644
--- a/hosts/architect/firewall.nix
+++ b/hosts/architect/firewall.nix
@@ -13,9 +13,19 @@ let
 ];
 open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
 1194 # wireguard
- 3478 # turn
 51413 # transmission
 ];
+ open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
+ 22
+ 80
+ 443
+ 8848
+ 32400 # plex
+ ];
+ open_udp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
+ 53 # dns
+ ];
+
 in {
 networking = {
 # needed to use nftables
@@ -125,9 +135,8 @@ in {
 iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
 iifname ${wan-if} udp dport {${open_udp_ports}} accept
- iifname ${vpn-if} tcp dport {${open_tcp_ports}} accept
- iifname ${vpn-if} udp dport {${open_udp_ports}} accept
- iifname ${vpn-if} udp dport 53 accept
+ iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept
+ iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept
 iifname ${vpn-if} icmp type echo-request accept
 jump filter_drop
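Review bot: `8848` in the new `open_tcp_ports_vpn` list is the only entry without a comment naming the service behind it, while `32400 # plex` and `53 # dns` follow the file's convention; a VPN-facing allow-list is a policy document, and an unlabelled port cannot be audited when the service is later moved or retired. I cannot tell from the hunk what listens on 8848, so I would add `8848 # <service name — TODO confirm>` (or the real name) before merging. As a point of style, the three `lib.concatMapStringsSep "," (x: toString x) [...]` calls could share one helper such as `portList = lib.concatMapStringsSep "," toString;` bound in the same `let`, which would also make `open_tcp_ports` and `open_udp_ports` (whose wan-facing entries are partly outside this hunk) read the same way. The second hunk only swaps the vpn-if rules to the new lists and keeps the former `udp dport 53` rule via `open_udp_ports_vpn`, so the runtime effect is unchanged apart from the port sets themselves.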