diff --git a/hosts/architect/firewall.nix b/hosts/architect/firewall.nix
index fbb0465..a6992d7 100644
--- a/hosts/architect/firewall.nix
+++ b/hosts/architect/firewall.nix
@@ -54,7 +54,6 @@ in
 chain POSTROUTING {
 type nat hook postrouting priority srcnat; policy accept;
- oifname ${lan.interface} ip saddr ${docker.net} masquerade
 oifname ${lan.interface} ip saddr ${tailscale.net} masquerade
 }
 }
@@ -67,7 +66,6 @@ in
 ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
 iifname ${lan.interface} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${lan.interface}"
 iifname ${lan.interface} accept comment "bind any ip to intf ${lan.interface}"
- iifname ${docker.interface} ip saddr ${docker.net} accept comment "bind ip ${docker.net} to intf ${docker.interface}"
 iifname ${tailscale.interface} ip saddr ${tailscale.net} accept
 iifname ${tailscale.interface} ip saddr 100.100.100.100/32 accept
 iifname "lo" accept comment "bind any ip to intf lo"
@@ -123,7 +121,6 @@ in
 ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
 ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
 ip saddr ${lan.net} accept comment "lan > local"
- iifname ${docker.interface} accept
 ip saddr ${tailscale.net} accept comment "tailscale > local"
 ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
@@ -136,7 +133,6 @@ in
 type filter hook forward priority filter; policy drop;
 ct state established,related accept
- oifname ${lan.interface} ip saddr ${docker.net} accept
 oifname ${lan.interface} ip saddr ${tailscale.net} accept
 jump filter_drop