diff --git a/modules/core/network.nix b/modules/core/network.nix
index 1d6d830..7fe584a 100644
--- a/modules/core/network.nix
+++ b/modules/core/network.nix
@@ -53,6 +53,23 @@ in
 description = "Interfaces grouped by type (lan, wan, vpn) for easy access.";
 internal = true;
 };
+
+ interfaceTypes = mkOption {
+ type = types.attrsOf types.str;
+ default = {
+ lan = "lan";
+ wan = "wan";
+ vpn = "vpn";
+ };
+ description = "Interface type identifiers for easy reference.";
+ };
+
+ groups = mkOption {
+ type = types.attrsOf types.str;
+ default = {};
+ description = "Network groups for access control (CIDR ranges).";
+ internal = true;
+ };
 };
 config = {
@@ -62,5 +79,14 @@ in
 wan = lib.filterAttrs (_: iface: iface.type == "wan") cfg.interfaces;
 vpn = lib.filterAttrs (_: iface: iface.type == "vpn") cfg.interfaces;
 };
+
+ # Create network groups from interfaces
+ pepe.core.network.groups = let
+ lanInterfaces = lib.filterAttrs (_: iface: iface.type == "lan") cfg.interfaces;
+ vpnInterfaces = lib.filterAttrs (_: iface: iface.type == "vpn") cfg.interfaces;
+ in {
+ lan = lib.concatStringsSep " " (lib.mapAttrsToList (_: iface: iface.net) lanInterfaces);
+ vpn = lib.concatStringsSep " " (lib.mapAttrsToList (_: iface: iface.net) vpnInterfaces);
+ };
 };
 }
diff --git a/modules/core/vhost.nix b/modules/core/vhost.nix
index 9d26a23..f6412ce 100644
--- a/modules/core/vhost.nix
+++ b/modules/core/vhost.nix
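Review bot: `interfaceTypes` is declared as a user-settable option, but the `groups` definition added further down in this file still compares `iface.type` against the literal strings `"lan"` and `"vpn"`, so overriding `interfaceTypes` would not change which interfaces land in a group. Either mark the option `readOnly = true;` (or `internal = true;`) or use `cfg.interfaceTypes.lan` / `cfg.interfaceTypes.vpn` in the filters. The `groups` description should also state the value format, since it feeds an access-control list: `description = "Space-separated CIDR ranges per interface type, used for access control.";`.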
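Review bot: `groups.lan` and `groups.vpn` join every matching interface's `net` with a space, but the vhost.nix hunk in this commit interpolates that string into a single `allow …;` directive, and nginx's `allow` takes one address or CIDR per directive. With two or more interfaces of a type the generated configuration would be rejected, and with none the line becomes `allow ;`. Keeping the groups as lists avoids both cases: declare `type = types.attrsOf (types.listOf types.str);`, set `lan = lib.mapAttrsToList (_: iface: iface.net) lanInterfaces;`, and have vhost.nix emit one directive per entry with `concatMapStringsSep "\n" (n: "allow ${n};")`. The two `filterAttrs` calls also repeat the grouping computed just above in the same `config` block and could reuse it.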
@@ -99,8 +99,8 @@ in
 recommendedProxySettings = location.recommendedProxySettings;
 extraConfig = ''
 ${concatMapStringsSep "\n" (allowCIDR: "allow ${allowCIDR};") location.allow}
- ${optionalString location.allowLAN ''allow ${config.pepe.core.network.interfaces.${config.pepe.core.network.interfaceTypes.lan}.net};''}
- ${optionalString location.allowVPN ''allow ${config.pepe.core.network.interfaces.${config.pepe.core.network.interfaceTypes.vpn}.net};''}
+ ${optionalString location.allowLAN ''allow ${config.pepe.core.network.groups.lan};''}
+ ${optionalString location.allowVPN ''allow ${config.pepe.core.network.groups.vpn};''}
 ${optionalString (!location.allowWAN) "deny all;"}
 '' + location.extraConfig;
 })
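Review bot: The `allowLAN` and `allowVPN` lines now admit every interface whose `type` is `lan` or `vpn`, where the removed lines admitted only the single interface keyed by `interfaceTypes.lan` / `interfaceTypes.vpn`. An existing location's allow-list can therefore widen without any change to that location when another interface of the same type is declared elsewhere. If the wider scope is intended, say so above the two lines, e.g. `# allowLAN/allowVPN cover all interfaces of that type, not one named interface`, and mention it in the option descriptions for `allowLAN` and `allowVPN`, which are outside this hunk. The enclosing location definition starts and ends outside the hunk.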