diff --git a/pkg/init/build b/pkg/init/build
index d64cf77..aa17164 100755
--- a/pkg/init/build
+++ b/pkg/init/build
@@ -60,6 +60,12 @@ deploy() {
 SERVICES="$SERVICES nft"
 fi
 
+ svc=$(file_path_override "sysctl.conf")
+ if [ ! -z "$svc" ]; then
+ cp "$svc" "$DEPLOY/etc/sysctl.conf"
+ echo "etc/sysctl.conf m 644 0 0" >> "$DEPLOY/rootfs_files.txt"
+ fi
+
 svc=$(file_path_override "interfaces")
 if [ ! -z "$svc" ]; then
 echo "etc/init.d/ifcfg m 777 0 0" >> "$DEPLOY/rootfs_files.txt"
diff --git a/product/router/alix/nftables.rules b/product/router/alix/nftables.rules
new file mode 100644
index 0000000..85b3c7b
--- /dev/null
+++ b/product/router/alix/nftables.rules
@@ -0,0 +1,54 @@
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+
+ ip protocol icmp accept
+
+ ct state {established, related} accept
+ ct state invalid drop
+
+ iifname lo accept
+ iifname port0 accept
+ iifname port1 accept
+
+ reject
+ }
+
+ chain forward {
+ type filter hook forward priority 0;
+
+ iifname port0 jump forward_port0
+ iifname port1 jump forward_port1
+ iifname port2 jump forward_port2
+ }
+ chain forward_port0 {
+ oifname port2 accept
+ reject
+ }
+ chain forward_port1 {
+ oifname port2 accept
+ reject
+ }
+ chain forward_port2 {
+ ct state related, established accept
+ drop
+ }
+
+ chain output {
+ type filter hook output priority 0; policy accept;
+ }
+}
+
+table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority 0;
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority 0;
+
+ oifname port2 masquerade
+ }
+}
diff --git a/product/router/rpi3/nftables.rules b/product/router/rpi3/nftables.rules
new file mode 100644
index 0000000..008b051
--- /dev/null
+++ b/product/router/rpi3/nftables.rules
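Review bot: The manifest entry for etc/sysctl.conf is appended even when the preceding `cp` fails, because nothing in the new block checks its status (whether `set -e` is active is not visible here), so a missing override file or a non-existent `$DEPLOY/etc` would leave rootfs_files.txt listing a file that was never deployed; `cp "$svc" "$DEPLOY/etc/sysctl.conf" || exit 1` makes that failure visible instead. If `$DEPLOY/etc` is not created elsewhere in deploy(), a `mkdir -p "$DEPLOY/etc"` before the copy is also needed — I cannot confirm that from the hunk. deploy() begins before this hunk and continues after it.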
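Review bot: The `forward` base chain declares no policy, so it defaults to accept, and any packet whose ingress interface is not port0, port1 or port2 bypasses every `jump` and is forwarded; the three sub-chains are written default-deny, so the base chain should be too: `type filter hook forward priority 0; policy drop;`. The same applies to the `forward` chain in product/router/rpi3/nftables.rules, where anything not matched by its three rules is likewise accepted by default. Separately, `ip protocol icmp accept` is placed before `ct state invalid drop` in the input chain, so invalid ICMP is accepted here; putting the two `ct state` rules first matches the ordering the rpi3 file already uses.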
@@ -0,0 +1,41 @@
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+
+ ct state {established, related} accept
+ ct state invalid drop
+
+ iifname lo accept
+ iifname wlan0 accept
+
+ ip protocol icmp accept
+
+ reject
+ }
+
+ chain forward {
+ type filter hook forward priority 0;
+
+ oifname port0 accept
+ iifname port0 ct state related, established accept
+ iifname port0 drop
+ }
+
+ chain output {
+ type filter hook output priority 0; policy accept;
+ }
+}
+
+table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority 0;
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority 0;
+
+ oifname port0 masquerade
+ }
+}
diff --git a/product/router/sysctl.conf b/product/router/sysctl.conf
new file mode 100644
index 0000000..119d730
--- /dev/null
+++ b/product/router/sysctl.conf
@@ -0,0 +1 @@
+net.ipv4.ip_forward=1
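Review bot: `ip protocol icmp accept` in the input chain matches only IPv4 ICMP, yet this is an `inet` table with `policy drop`, so ICMPv6 — including neighbour discovery — is dropped on every interface should IPv6 ever be enabled on this device. If IPv4-only is intentional (this commit sets only `net.ipv4.ip_forward`), a comment stating that would help the next maintainer; otherwise add `meta l4proto icmpv6 accept` beside the existing line. The alix rule set carries the same `ip protocol icmp` line and the same gap.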
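Review bot: `net.ipv4.ip_forward=1` turns the device into a router without the settings that usually accompany it; `net.ipv4.conf.all.rp_filter=1`, `net.ipv4.conf.all.accept_redirects=0` and `net.ipv4.conf.all.send_redirects=0` are the customary companions so the WAN side cannot present LAN source addresses or alter routing through ICMP redirects. Whether the base image already sets these defaults is not visible from this diff.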