diff --git a/hosts/rackserv/profiles/nebula.nix b/hosts/rackserv/profiles/nebula.nix
index b6d3a75..24fa5d7 100644
--- a/hosts/rackserv/profiles/nebula.nix
+++ b/hosts/rackserv/profiles/nebula.nix
@@ -1,5 +1,5 @@
 {config, ...}: {
-  networking.firewall.allowedTCPPorts = [4343];
+  networking.firewall.allowedTCPPorts = [3131];
   services.nebula.networks.xunmesh = {
     enable = true;
     isLighthouse = true;
diff --git a/sys/profiles/network/nebula.nix b/sys/profiles/network/nebula.nix
index 72a0c71..9119428 100644
--- a/sys/profiles/network/nebula.nix
+++ b/sys/profiles/network/nebula.nix
@@ -30,4 +30,6 @@
       punchy.punch = true;
     };
   };
+
+  networking.firewall.trustedInterfaces = ["nebula.xunmesh"]; # bypass nixos firewall
 }