diff --git a/roles/exit/templates/frr.conf.j2 b/roles/exit/templates/frr.conf.j2
index e9107a3..13723a6 100644
--- a/roles/exit/templates/frr.conf.j2
+++ b/roles/exit/templates/frr.conf.j2
@@ -392,10 +392,12 @@ route-map firewall->outside permit 41
 route-map firewall-{{ loop.index }}->inside permit 1
 set tag {{ loop.index }}
 set weight {{ 100 * loop.index }}
+ set as-path exclude {{ asn.asn }} {{ hostvars[peer].asn.asn }}
 call firewall->inside
 route-map firewall-{{ loop.index }}->outside permit 1
 set tag {{ loop.index }}
 set weight {{ 100 * loop.index }}
+ set as-path exclude {{ asn.asn }} {{ hostvars[peer].asn.asn }}
 call firewall->outside
 {% endfor %}
@@ -448,11 +450,15 @@ route-map me->peer.4 permit 110
 route-map me->peer.4 permit 111
 match ipv6 address prefix-list default
 route-map me->peer.4 permit 120
- match ip address prefix-list nat
+ match ip address prefix-list office
 route-map me->peer.4 permit 121
- match ipv6 address prefix-list vpn
-route-map me->peer.4 permit 131
 match ipv6 address prefix-list office
+route-map me->peer.4 permit 130
+ match ip address prefix-list nat
+route-map me->peer.4 permit 140
+ match ip address prefix-list vpn
+route-map me->peer.4 permit 141
+ match ipv6 address prefix-list vpn
 # Received backup routes (same as above).
 route-map peer.4->me permit 110
@@ -460,8 +466,12 @@ route-map peer.4->me permit 110
 route-map peer.4->me permit 111
 match ipv6 address prefix-list default
 route-map peer.4->me permit 120
- match ip address prefix-list nat
+ match ip address prefix-list office
 route-map peer.4->me permit 121
- match ipv6 address prefix-list vpn
-route-map peer.4->me permit 131
 match ipv6 address prefix-list office
+route-map peer.4->me permit 130
+ match ip address prefix-list nat
+route-map peer.4->me permit 140
+ match ip address prefix-list vpn
+route-map peer.4->me permit 141
+ match ipv6 address prefix-list vpn
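Review bot: `set as-path exclude {{ asn.asn }} {{ hostvars[peer].asn.asn }}` strips exactly the two ASNs that BGP's AS-path check would use to detect a loop between this exit and the firewall peer, so a prefix that finds its way back across another firewall-N session could be accepted instead of being rejected as a loop; whatever keeps those routes apart (the tag, the weight, the called firewall->inside/outside maps) is the only remaining protection and its contents are not visible here. If the point is to hide the private ASNs from downstream peers, keep it, but record the trade-off next to the line, e.g. `! hide our ASN and the firewall's ASN; this also disables AS-path loop detection on this pair, so the tag/weight above must keep the routes apart`. The same comment belongs in the ->outside map just below. The `{% for %}` that defines `peer` and `loop.index` starts outside the hunk.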
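Review bot: Entry 140 `match ip address prefix-list vpn` is the first reference to an IPv4 `vpn` prefix-list; the old map only ever matched `vpn` under `match ipv6`, and entry 120 now likewise needs an IPv4 `office` list. In the FRR releases I know, a match against a prefix-list that does not exist is a no-match, so if `ip prefix-list vpn` (or `ip prefix-list office`) is not defined elsewhere in the template those entries permit nothing and the IPv4 prefixes fall through to the implicit deny at the end of me->peer.4 — worth confirming both lists exist in the IPv4 family. A one-line comment on the numbering would also save the next editor a read-through: `! 12x office, 13x nat (v4 only), 14x vpn`.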
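Review bot: The peer.4->me entries 120–141 are a line-for-line copy of me->peer.4 and, as `# Received backup routes (same as above).` admits, must be kept in sync by hand; this commit already had to make the identical edit twice. Rendering both maps from one Jinja loop over the two map names (`{% for rm in ['me->peer.4', 'peer.4->me'] %}` around a single body) or a macro taking the name would turn the next prefix-list change into one edit and make a drift between the sent and received filters impossible.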
diff --git a/roles/firewall/templates/nftables.nft.j2 b/roles/firewall/templates/nftables.nft.j2 index 14baf08..baae902 100644 --- a/roles/firewall/templates/nftables.nft.j2 +++ b/roles/firewall/templates/nftables.nft.j2 @@ -18,8 +18,10 @@ table inet filter { type inet_proto . inet_service flags interval elements = { + tcp . 53, tcp . 88, tcp . 135, + tcp . 139, tcp . 389, tcp . 445, tcp . 464, @@ -29,14 +31,31 @@ table inet filter { tcp . 9389, tcp . 22222-22224, tcp . 49152-65535, + udp . 53, udp . 88, udp . 135, + udp . 137, # netbios, maybe can do without + udp . 138, # netbios, maybe can do without udp . 389, udp . 464, udp . 3269 } } + set ldap-ports { + type inet_proto . inet_service + flags interval + elements = { + tcp . 88, + tcp . 389, + tcp . 636, + tcp . 3268, + tcp . 3269, + udp . 88, + udp . 389 + } + } + chain input { type filter hook input priority 0; policy drop @@ -104,6 +123,18 @@ table inet filter { ct status dnat accept \ comment "Forward DNAT traffic for servers and suchlike" + ip protocol icmp icmp type { + echo-request, echo-reply, destination-unreachable, + parameter-problem, time-exceeded, + } accept \ + comment "Accept ICMPv4" + + ip6 nexthdr icmpv6 icmpv6 type { + echo-request, echo-reply, destination-unreachable, + packet-too-big, parameter-problem, time-exceeded, + } accept \ + comment "Accept ICMPv6" + include "/etc/nftables.d/forward.nft*" }
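Review bot: `tcp . 139` (NetBIOS session service, i.e. SMB carried over NetBIOS) is added without the "maybe can do without" caveat that udp/137-138 get further down, yet it is in the same legacy family: current Windows and Samba clients speak SMB on 445, which the set already contains, so 139 mostly widens what this allow-list exposes. If a specific legacy client needs it, say so inline, otherwise drop it: `tcp . 139, # netbios session; only for pre-SMB2 clients`. The `set NAME {` header is above the hunk, so I cannot see which chain consumes this set or in which direction.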
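Review bot: `set ldap-ports` mixes Kerberos (88) and LDAP/GC on 389/3268 — which are only encrypted if the clients negotiate STARTTLS or signing — with the TLS-only ports 636/3269, so a rule built on it neither restricts hosts to directory access nor to encrypted directory access; if the aim is a narrower allow-list than the set above, drop 88 and state in a comment whether 389/3268 are required, otherwise the name over-promises. `flags interval` is unnecessary here since no element is a range, and dropping it keeps the set to a plain hash lookup. No rule in this diff references the set; presumably one of the included `/etc/nftables.d/*` files does, which is worth noting next to the declaration, e.g. `# used by rules in /etc/nftables.d/`.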
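Review bot: `ip6 nexthdr icmpv6` only matches when ICMPv6 is the header immediately after the fixed IPv6 header, so ICMPv6 behind an extension header (a fragment or hop-by-hop header, for instance) is not accepted by this rule; the idiomatic `icmpv6 type { ... } accept` sets `meta l4proto icmpv6` implicitly and handles that, and `icmp type { ... } accept` likewise replaces `ip protocol icmp icmp type`. Separately, forwarding `echo-request` unconditionally lets an outside host ping-sweep every routed internal IPv6 address, which IPv4 behind NAT does not suffer; a `limit rate` on echo-request (e.g. `icmpv6 type echo-request limit rate 10/second accept` placed before the set rule) or an `iifname` constraint would bound that. The chain these rules belong to starts above the hunk, so its policy and the interfaces it applies to are not visible.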