diff --git a/modules/firewall/default-rules.nix b/modules/firewall/default-rules.nix index dcb62aa..e8ee4d0 100644 --- a/modules/firewall/default-rules.nix +++ b/modules/firewall/default-rules.nix @@ -3,6 +3,13 @@ let accept = expr : "${expr} accept"; mcast-scope = 8; allow-incoming = false; + + ifname-set = family : name : ifnames : { + kind = "set"; + inherit family name; + type = "ifname"; + elements = ifnames; + }; in { bogons-ip6 = { type = "filter"; @@ -241,4 +248,13 @@ in { ]; }; + lan-set-ip = ifname-set "ip" "lan" [ "int" ]; + wan-set-ip = ifname-set "ip" "wan" [ "ppp0" ]; + dmz-set-ip = ifname-set "ip" "dmz" [ ]; + guest-set-ip = ifname-set "ip" "guest" [ ]; + + lan-set-ip6 = ifname-set "ip6" "lan" [ "int" ]; + wan-set-ip6 = ifname-set "ip6" "wan" [ "ppp0" ]; + dmz-set-ip6 = ifname-set "ip6" "dmz" [ ]; + guest-set-ip6 = ifname-set "ip6" "guest" [ ]; } diff --git a/pkgs/firewallgen/default.nix b/pkgs/firewallgen/default.nix index 51ade67..dc7b907 100644 --- a/pkgs/firewallgen/default.nix +++ b/pkgs/firewallgen/default.nix @@ -43,15 +43,33 @@ let ${concatStringsSep "\n" rules} } ''; + + doset = { name, type, elements ? [], ... } : '' + set ${name} { + type ${type} + ${if elements != [] + then "elements = { ${concatStringsSep ", " elements } }" + else "" + } + } + ''; + + dochainorset = + { kind ? "chain", ... } @ params : + { + chain = dochain; + set = doset; + }.${kind} params; + dotable = family : chains : '' table ${family} table-${family} { - ${concatStringsSep "\n" (map dochain chains)} + ${concatStringsSep "\n" (map dochainorset chains)} } ''; categorise = chains : groupBy ({ family, ... } : family) - (mapAttrsToList (n : v : v // { name = n; }) chains); + (mapAttrsToList (n : v : { name = n; } // v ) chains); in writeScript name '' #!${nftables}/sbin/nft -f diff --git a/pkgs/firewallgen/test-rules-min.nix b/pkgs/firewallgen/test-rules-min.nix index d5fe5de..f4cb160 100644 --- a/pkgs/firewallgen/test-rules-min.nix 
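Review bot: The new `ifname-set` helper carries no comment, and nothing in the hunk says what an empty element list (used for `dmz`/`guest` further down this file) produces: `doset` in pkgs/firewallgen emits the set with no `elements` line, so a rule matching `@dmz` or `@guest` matches no packet until interfaces are added. Whether that fails open or closed depends on the policy of the chain using the set, which is outside this hunk. I'd add above the helper: `# Named nftables set of interface names, one per address family. An empty list declares the set with no members, so rules matching it never fire until elements are added.`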
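Review bot: The `ip` and `ip6` set definitions repeat the interface lists (`[ "int" ]`, `[ "ppp0" ]`) verbatim, so a later edit to one family's LAN or WAN membership can silently diverge from the other and leave one address family filtered against the wrong interfaces. Binding the lists once in the `let` block — `lan-ifs = [ "int" ]; wan-ifs = [ "ppp0" ];` — and writing `wan-set-ip = ifname-set "ip" "wan" wan-ifs;` and `wan-set-ip6 = ifname-set "ip6" "wan" wan-ifs;` keeps both families in lockstep. The enclosing attrset begins outside the hunk.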
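Review bot: `doset` accepts any extra attributes through `...` but emits only `type` and `elements`, so a set declared with `flags`, `timeout`, `size` or `policy` is generated without them and the config author gets a set that does not behave as written (a range set without `flags interval`, for instance, may be rejected by nft at load or, if accepted, match differently than intended). Because `dochainorset` forwards the whole attrset, unknown options can be turned into an evaluation error by tightening the pattern to `doset = { name, type, elements ? [], kind, family } : ''` (assuming `categorise` adds only `name`) and growing it as options are implemented. The `categorise` change to `{ name = n; } // v` lets an entry's own `name` override its attribute key — which is what makes `lan-set-ip` emit `set lan` — but it also means two keys in the same family can now declare the same nftables name, which the old order ruled out; a comment such as `# an explicit name wins over the attr key so sets can share a name across families` would record the intent. The surrounding `let` and `writeScript` body extend beyond the hunk.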
+++ b/pkgs/firewallgen/test-rules-min.nix
@@ -121,4 +121,23 @@ let
 };
 in {
 inherit input-ip6 forward-ip6 bogons-ip6 incoming-allowed-ip6;
+ lan-set-ip = {
+ kind = "set";
+ family = "ip";
+ type = "ifname";
+ elements = [
+ "eth0" "eth1"
+ ];
+
+ };
+ # honours timeout flags gc-interval size policy counter auto-merge
+ lan-set-ip6 = {
+ kind = "set";
+ family = "ip6";
+ type = "ifname";
+ elements = [
+ "eth0" "eth1"
+ ];
+
+ };
 }
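Review bot: The comment `# honours timeout flags gc-interval size policy counter auto-merge` between the two fixtures describes behaviour that neither fixture exercises and that `doset` in pkgs/firewallgen/default.nix does not implement — it emits only `type` and `elements` — so a reader will take the fixture as evidence those options are supported. Either add one of them to a fixture (e.g. `flags = [ "interval" ];`) together with the expected nft output, or reword it as `# TODO: timeout, flags, gc-interval, size, policy, counter and auto-merge are not yet emitted by doset`. The blank line left inside each set literal before `};` looks accidental.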