diff --git a/nftables.conf b/nftables.conf
index ce4e51f..7ef2a0c 100644
--- a/nftables.conf
+++ b/nftables.conf
@@ -40,6 +40,7 @@ table ip nat {
 		type nat hook prerouting priority -100; policy accept;
 
 		# ip daddr 10.0.0.1 tcp dport { 80, 443 } dnat to 10.0.0.210
+		iifname $LAN accept
 
 		# faceless
 		# allow HTTP, HTTPS, gitea's SSH, and host ssh to faceless