diff --git a/flake.lock b/flake.lock index f97b35d..1c36cca 100644 --- a/flake.lock +++ b/flake.lock @@ -58,11 +58,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1719506693, - "narHash": "sha256-C8e9S7RzshSdHB7L+v9I51af1gDM5unhJ2xO1ywxNH8=", + "lastModified": 1719848872, + "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b2852eb9365c6de48ffb0dc2c9562591f652242a", + "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8", "type": "github" }, "original": { @@ -187,11 +187,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1719716556, - "narHash": "sha256-KA9gy2Wkv76s4A8eLnOcdKVTygewbw3xsB8+awNMyqs=", + "lastModified": 1719873517, + "narHash": "sha256-D1dxZmXf6M2h5lNE1m6orojuUawVPjogbGRsqSBX+1g=", "owner": "Mic92", "repo": "sops-nix", - "rev": "b5974d4331fb6c893e808977a2e1a6d34b3162d6", + "rev": "a11224af8d824935f363928074b4717ca2e280db", "type": "github" }, "original": { diff --git a/modules/router/default.nix b/modules/router/default.nix index 4479b30..4718115 100644 --- a/modules/router/default.nix +++ b/modules/router/default.nix @@ -6,6 +6,8 @@ let wan = "end0"; lan = "enp1s0"; bridge = "br-lan"; + devices = "devices-vlan"; + wifi = "wifi-vlan"; in { boot.kernel = { @@ -21,6 +23,20 @@ in systemd.network = { wait-online.anyInterface = true; netdevs = { + "00-${devices}" = { + netdevConfig = { + Name = devices; + Kind = "vlan"; + }; + vlanConfig.Id = 30; + }; + "00-${wifi}" = { + netdevConfig = { + Name = wifi; + Kind = "vlan"; + }; + vlanConfig.Id = 40; + }; "20-${bridge}" = { netdevConfig = { Kind = "bridge"; 
@@ -57,9 +73,28 @@ in ]; networkConfig = { ConfigureWithoutCarrier = true; + VLAN = [ devices wifi ]; }; linkConfig.RequiredForOnline = "no"; }; + "50-${devices}" = { + matchConfig = { + Name = devices; + Type = "vlan"; + }; + address = [ + "192.168.30.1/24" + ]; + }; + "50-${wifi}" = { + matchConfig = { + Name = wifi; + Type = "vlan"; + }; + address = [ + "192.168.40.1/24" + ]; + }; }; }; @@ -78,6 +113,8 @@ in define WAN=${wan} define LAN=${lan} define BRIDGE=${bridge} + define DEVICES=${devices} + define WIFI=${wifi} table inet filter { @@ -87,7 +124,7 @@ in iifname $BRIDGE accept comment "Allow local network to access the router" iifname $WAN ct state { established, related } accept comment "Allow established traffic" iifname $WAN icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "icmp stuff" - iifname $WAN tcp dport 3128 accept comment "Allow SSH in" + iifname { $WAN, $WIFI } tcp dport 3128 accept comment "Allow SSH in" iifname $WAN counter drop comment "Drop all other traffic from wan" iifname "lo" accept comment "Accept everything from loopback" } @@ -95,9 +132,9 @@ in type filter hook forward priority filter; policy drop; iifname $BRIDGE oifname $BRIDGE accept comment "Allow forwarding internal traffic" - iifname $WAN oifname $BRIDGE tcp dport { 22, 80, 443, 27750 } accept comment "Allow forwarding external traffic to services" - iifname $BRIDGE oifname $WAN accept comment "Allow trusted LAN to WAN" - iifname $WAN oifname $BRIDGE ct state { established, related } accept comment "Allow established traffic" + iifname { $WAN, $WIFI } oifname $BRIDGE tcp dport { 22, 80, 443, 27750 } accept comment "Allow forwarding external traffic to services" + iifname { $BRIDGE, $DEVICES, $WIFI } oifname $WAN accept comment "Allow trusted LAN to WAN" + iifname $WAN oifname { $BRIDGE, $DEVICES, $WIFI } ct state { established, related } accept comment "Allow established traffic" } } 
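Review bot: The only input-chain rule added for the new VLANs is SSH from $WIFI on 3128; nothing admits DHCP or DNS from $DEVICES or $WIFI, even though the same commit binds dnsmasq to both interfaces and hands out the router's VLAN address as the dns-server. If the chain's policy is drop (its header is outside this hunk), clients on 192.168.30.0/24 and 192.168.40.0/24 will get neither a lease nor name resolution, since only $BRIDGE has a blanket accept. Add `iifname { $DEVICES, $WIFI } udp dport { 53, 67 } accept comment "DHCP and DNS for VLAN clients"` and, if TCP fallback for DNS matters, `iifname { $DEVICES, $WIFI } tcp dport 53 accept`. Opening the router's SSH port to the wifi VLAN is a deliberate widening of the management surface, so the comment should say so, e.g. `comment "Allow SSH in from WAN and the wifi VLAN"`.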
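Review bot: The new `iifname { $WAN, $WIFI } oifname $BRIDGE tcp dport { 22, 80, 443, 27750 } accept` rule has no return path: replies from the LAN host traverse the chain as iifname $BRIDGE oifname $WIFI, and the only established-state rule is still pinned to `iifname $WAN`, so under policy drop a wifi client's TCP handshake to those services cannot complete unless a rule outside this hunk accepts established traffic. Replace the WAN-only rule with `ct state { established, related } accept comment "Allow return traffic for accepted connections"` placed before the per-interface rules, or add `iifname $BRIDGE oifname $WIFI ct state { established, related } accept`. The rule set also leaves $DEVICES unreachable from $BRIDGE in both directions; if that isolation is intended it deserves a comment such as `# devices VLAN is untrusted: no path to br-lan on purpose`, and if the trusted LAN is meant to manage those devices you need `iifname $BRIDGE oifname { $DEVICES, $WIFI } accept`. The chain's opening lines are outside the hunk.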
@@ -113,6 +150,7 @@ in type nat hook postrouting priority 100; policy accept; oifname $WAN masquerade iifname $BRIDGE oifname $BRIDGE masquerade + iifname $WIFI oifname $BRIDGE masquerade } } ''; @@ -133,9 +171,27 @@ in cache-size = 1000; - dhcp-range = [ "br-lan,192.168.20.50,192.168.20.90,24h" ]; - interface = "br-lan"; - dhcp-host = "192.168.20.1"; + dhcp-range = [ + "set:${bridge},192.168.20.50,192.168.20.90,24h" + "set:${devices},192.168.30.10,192.168.30.240,24h" + "set:${wifi},192.168.40.10,192.168.40.240,24h" + ]; + interface = [ bridge devices wifi ]; + dhcp-host = [ + "192.168.20.1,set:${bridge}" + "192.168.30.1,set:${devices}" + "192.168.40.1,set:${wifi}" + ]; + dhcp-option = [ + "tag:${bridge},option:router,192.168.20.1" + "tag:${bridge},option:dns-server,192.168.20.1" + + "tag:${devices},option:router,192.168.30.1" + "tag:${devices},option:dns-server,192.168.30.1" + + "tag:${wifi},option:router,192.168.40.1" + "tag:${wifi},option:dns-server,192.168.40.1" + ]; local = "/lan/"; domain = "lan";
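Review bot: `iifname $WIFI oifname $BRIDGE masquerade` rewrites every wifi-to-LAN connection to source 192.168.20.1, so the LAN services reachable on 22/80/443/27750 see the router instead of the 192.168.40.x client, and per-client logging, brute-force lockouts and host-level allowlists on those servers lose attribution. Unlike the existing bridge-to-bridge hairpin rule, NAT is not required here: this commit also hands out 192.168.20.1 as `option:router` to DHCP clients on the bridge, so their replies already route back through the router to the wifi VLAN (hosts with a static gateway elsewhere would be the exception). Drop the line, or if it is kept on purpose document why: `iifname $WIFI oifname $BRIDGE masquerade comment "Intentional: hide wifi client addresses from LAN hosts"`.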