diff --git a/roles/firewall/templates/firewall.j2 b/roles/firewall/templates/firewall.j2
index a0acb32..e10f12c 100644
--- a/roles/firewall/templates/firewall.j2
+++ b/roles/firewall/templates/firewall.j2
@@ -440,6 +440,65 @@ config rule
 	option target 'ACCEPT'
 	option family 'ipv4'
 
+### IoT Rules
+## General Rules
+# ICMP
+config rule
+	option name 'Allow-ICMP'
+	option dest 'iot'
+	list proto 'icmp'
+	option target 'ACCEPT'
+
+config rule
+	option name 'Allow-ICMP'
+	option src 'iot'
+	list proto 'icmp'
+	option target 'ACCEPT'
+
+config rule
+	option name 'Allow-ICMP'
+	option src 'iot'
+	list proto 'icmp'
+	option dest '*'
+	option target 'ACCEPT'
+
+# DHCP rules
+config rule
+	option name 'Allow-DMZ-DHCP'
+	option dest 'iot'
+	list proto 'tcp'
+	list proto 'udp'
+	option dest_port '67-68'
+	option target 'ACCEPT'
+	option family 'ipv4'
+
+config rule
+	option name 'Allow-DMZ-DHCP'
+	option src 'iot'
+	list proto 'tcp'
+	list proto 'udp'
+	option dest_port '67-68'
+	option target 'ACCEPT'
+	option family 'ipv4'
+
+# DNS Resolution
+config rule
+	option name 'Allow-INPUT-DNS'
+	option src 'iot'
+	list proto 'tcp'
+	list proto 'udp'
+	option dest_port '53'
+	option target 'ACCEPT'
+	option family 'ipv4'
+
+# NTP
+config rule
+	option name 'Allow-OUTPUT-NTP'
+	option src 'iot'
+	list proto 'udp'
+	option dest_port '123'
+	option target 'ACCEPT'
+
 ## Default configuration
 config defaults
 	option syn_flood '1'
@@ -462,6 +521,13 @@ config zone
 	option forward 'REJECT'
 	option network 'dmz'
 
+config zone
+	option name 'iot'
+	option input 'REJECT'
+	option output 'REJECT'
+	option forward 'REJECT'
+	option network 'iot'
+
 config zone
 	option name 'wan'
 	option input 'REJECT'
@@ -488,6 +554,10 @@ config forwarding
 	option src 'lan'
 	option dest 'dmz'
 
+config forwarding
+	option src 'lan'
+	option dest 'iot'
+
 config forwarding
 	option src 'lan'
 	option dest 'orig'
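Review bot: The third Allow-ICMP rule in the first hunk (`option src 'iot'` together with `option dest '*'`) is a forward rule that accepts ICMP from the iot zone into every other zone, lan and wan included, which undercuts the new zone's `option forward 'REJECT'` and the deliberately one-way lan→iot forwarding added in the last hunk; if ping to and from the router is all that is wanted, the first two Allow-ICMP rules already cover that and the third can be dropped, otherwise narrow it to the intended zone, e.g. `option dest 'wan'`. The two DHCP rules appear to be copied from the dmz section: they keep the name 'Allow-DMZ-DHCP' although they apply to iot, and they list `tcp` although DHCP is UDP only, so `option name 'Allow-IoT-DHCP'` with just `list proto 'udp'` would be both clearer and tighter. 'Allow-OUTPUT-NTP' has only `option src 'iot'` and no `dest`, so it is an input rule admitting NTP to the router itself rather than an output rule; rename it to `option name 'Allow-INPUT-NTP'`, or add a destination zone if reaching an upstream NTP server is the intent (no iot→wan forwarding is added in this diff, so presumably IoT hosts are meant to sync against the router). That NTP rule is also the only one in the section without `option family 'ipv4'`, which is fine if IPv6 NTP is intended but reads like an omission.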