diff --git a/roles/debian/tasks/firewall.yml b/roles/debian/tasks/firewall.yml
new file mode 100644
index 0000000..5247171
--- /dev/null
+++ b/roles/debian/tasks/firewall.yml
@@ -0,0 +1,26 @@
+- name: Install nftables
+  package:
+    name: nftables
+
+- name: Set up generic firewall rules
+  copy:
+    dest: /etc/nftables.conf
+    src: nftables.conf
+  notify: reload nftables
+
+- name: Create nftables include directory
+  file:
+    path: /etc/nftables.d
+    state: directory
+
+- name: Set up local firewall rules
+  template:
+    dest: /etc/nftables.d/services.nft
+    src: services.nft.j2
+  notify: reload nftables
+
+- name: Enable firewall
+  service:
+    name: nftables
+    enabled: yes
+    state: started
diff --git a/roles/debian/tasks/main.yml b/roles/debian/tasks/main.yml
index d4cf87d..70f3e7d 100644
--- a/roles/debian/tasks/main.yml
+++ b/roles/debian/tasks/main.yml
@@ -30,7 +30,6 @@
     name:
       - git
      - ifupdown2
-      - nftables
      - rsync
      - vim
      - tmux
@@ -76,28 +75,9 @@
     value: 'prohibit-password'
   notify: reload sshd
 
-- name: Set up generic firewall rules
-  copy:
-    dest: /etc/nftables.conf
-    src: nftables.conf
-  notify: reload nftables
-
-- name: Create nftables include directory
-  file:
-    path: /etc/nftables.d
-    state: directory
-
-- name: Set up local firewall rules
-  template:
-    dest: /etc/nftables.d/services.nft
-    src: services.nft.j2
-  notify: reload nftables
-
-- name: Enable firewall
-  service:
-    name: nftables
-    enabled: yes
-    state: started
+- name: Set up firewall
+  include_tasks: firewall.yml
+  when: is_virtual or cluster_type != 'proxmox' # proxmox has its own firewall configuration
 
 - name: Install automatic upgrade package
   package:
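Review bot: The `copy` and `template` tasks that write `/etc/nftables.conf` and `/etc/nftables.d/services.nft` replace the on-disk ruleset without any syntax check, so a mistake in `services.nft.j2` is only noticed when the `reload nftables` handler runs at the end of the play, and the broken file then stays in place — on the next boot `nftables.service` would fail to load it and the host comes up with no ruleset at all. Adding `validate: 'nft -c -f %s'` to both tasks rejects a file that does not parse before it overwrites the live one (this assumes any `include` lines in `nftables.conf` use absolute paths, since validation runs on a temporary copy — worth confirming against that file). The last task's `enabled: yes` should be the canonical boolean `enabled: true`; `yes` is a YAML 1.1 truthy value that yamllint flags. Consider also setting `owner: root`, `group: root` and `mode: '0644'` on the two file tasks so the permissions of the firewall configuration do not depend on the controller's umask.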
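Review bot: The `when: is_virtual or cluster_type != 'proxmox'` on the new include task in the last hunk fails with an undefined-variable error on any host that does not define both `is_virtual` and `cluster_type`, unless the role declares them in its defaults (not visible in this diff). If that is not guaranteed, `when: (is_virtual | default(false)) or (cluster_type | default('')) != 'proxmox'` keeps the fail-safe direction: a host with no `cluster_type` still gets the firewall. Note also that because the `nftables` package moved from the list in the first main.yml hunk into `firewall.yml`, physical Proxmox hosts no longer get the package installed at all; that looks intended given the comment, but a task comment would make it explicit, e.g. `# physical proxmox hosts skip both the nftables package and our rules; proxmox manages its own firewall`. The surrounding task list continues before and after this hunk.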