diff --git a/modules/services/mkMesh.nix b/modules/services/mkMesh.nix
index 1ea7e98..287511f 100644
--- a/modules/services/mkMesh.nix
+++ b/modules/services/mkMesh.nix
@@ -52,17 +52,26 @@ in {
 };
 config = rec {
 networking.firewall = {
- allowedUDPPorts =
- [
- currentHost.wg.port_v4
- currentHost.wg.port_v6
- ]
- # UPnP broadcast responses
- ++ (
- if cfg.enable_upnp_portforward
- then [1900]
- else []
- );
+ allowedUDPPorts = [
+ currentHost.wg.port_v4
+ currentHost.wg.port_v6
+ ];
+ # UPnP broadcast responses
+ # credits: https://github.com/NixOS/nixpkgs/issues/161328
+ extraPackages =
+ if enableUPnP
+ then [pkgs.ipset]
+ else [];
+ extraCommands =
+ if enableUPnP
+ then ''
+ if ! ipset --quiet list upnp; then
+ ipset create upnp hash:ip,port timeout 3
+ fi
+ iptables -A OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist
+ iptables -A nixos-fw -p udp -m set --match-set upnp dst,dst -j nixos-fw-accept
+ ''
+ else "";
 };
 networking.wireguard.interfaces.wg0 = {
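Review bot: The `iptables -A OUTPUT ...` line in the new `extraCommands` is appended unconditionally on every run of the firewall script and nothing ever removes it, so each firewall restart or reload will stack another identical OUTPUT rule, and the rule (and the `upnp` ipset) survive if `enableUPnP` is later turned off; the `nixos-fw` chain is managed by NixOS, but OUTPUT is not. Guarding the append with `iptables -C ... || iptables -A ...` and adding a matching `extraStopCommands` that deletes the rule and destroys the set keeps the state idempotent. The switch from `cfg.enable_upnp_portforward` to a bare `enableUPnP` only evaluates if that name is bound in the enclosing `let` above the hunk, which is not visible here — worth confirming, since the ipset approach is the right replacement for blanket-opening UDP 1900 and it would be a shame for it to fail at eval time. The `config = rec {` attrset and `networking.firewall` block continue past the end of the hunk.
```nix
        extraCommands =
          if enableUPnP
          then ''
            if ! ipset --quiet list upnp; then
              ipset create upnp hash:ip,port timeout 3
            fi
            # -C guard: extraCommands re-runs on every firewall (re)start, and OUTPUT is not flushed by NixOS
            iptables -C OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist 2>/dev/null \
              || iptables -A OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist
            iptables -A nixos-fw -p udp -m set --match-set upnp dst,dst -j nixos-fw-accept
          ''
          else "";
        extraStopCommands =
          if enableUPnP
          then ''
            iptables -D OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist 2>/dev/null || true
            ipset destroy upnp 2>/dev/null || true
          ''
          else "";
```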