diff --git a/roles/firewall/templates/nftables.nft.j2 b/roles/firewall/templates/nftables.nft.j2
index 9f8679c..baae902 100644
--- a/roles/firewall/templates/nftables.nft.j2
+++ b/roles/firewall/templates/nftables.nft.j2
@@ -123,6 +123,18 @@ table inet filter {
         ct status dnat accept \
         comment "Forward DNAT traffic for servers and suchlike"
 
+        ip protocol icmp icmp type {
+            echo-request, echo-reply, destination-unreachable,
+            parameter-problem, time-exceeded,
+        } accept \
+        comment "Accept ICMPv4"
+
+        ip6 nexthdr icmpv6 icmpv6 type {
+            echo-request, echo-reply, destination-unreachable,
+            packet-too-big, parameter-problem, time-exceeded,
+        } accept \
+        comment "Accept ICMPv6"
+
         include "/etc/nftables.d/forward.nft*"
     }