diff --git a/roles/firewall/templates/sysctl.conf.j2 b/roles/firewall/templates/sysctl.conf.j2
index 6bc0545..1c40f43 100644
--- a/roles/firewall/templates/sysctl.conf.j2
+++ b/roles/firewall/templates/sysctl.conf.j2
@@ -11,3 +11,6 @@ net.ipv6.route.skip_notify_on_dev_down = 1
 # firewall is routing packets between them.
 net.ipv4.conf.all.send_redirects = 0
 net.ipv4.conf.default.send_redirects = 0
+
+# Increase max connections for netfilter.
+net.netfilter.nf_conntrack_max = 1048576
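Review bot: The added `net.netfilter.nf_conntrack_max = 1048576` raises the entry limit without sizing the hash table, so unless `net.netfilter.nf_conntrack_buckets` (or the module's `hashsize` parameter) is raised elsewhere in the role, lookups get slower as the table fills on a busy firewall. The key also exists only once the nf_conntrack module is loaded, so if this file is applied at boot before the module loads, the setting may be skipped; it is worth confirming the load order or loading the module explicitly. The comment should say what the limit guards against and what it costs, for example `# Raise the conntrack table limit: when the table is full the kernel drops new connections; a full table uses kernel memory per entry, so size this against host RAM.` Since this is a template, the value would likely be better as a role variable with this number as its default, so smaller hosts can lower it.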