diff --git a/ops/nixos/bvm-radius/default.nix b/ops/nixos/bvm-radius/default.nix
index 2615a9a4c8..468fb35f05 100644
--- a/ops/nixos/bvm-radius/default.nix
+++ b/ops/nixos/bvm-radius/default.nix
@@ -24,8 +24,25 @@ in {
 };
 defaultGateway = { address = "92.118.28.1"; interface = "enp2s0"; };
 defaultGateway6 = { address = "2a09:a441::1"; interface = "enp2s0"; };
+
+ firewall = {
+ extraCommands = ''
+ # Allow JANET inbound RADIUS traffic.
+ ip46tables -A nixos-fw -p udp --dport 1812 --src roaming0.ja.net -j nixos-fw-accept
+ ip46tables -A nixos-fw -p udp --dport 1812 --src roaming1.ja.net -j nixos-fw-accept
+ ip46tables -A nixos-fw -p udp --dport 1812 --src roaming2.ja.net -j nixos-fw-accept
+
+ # Allow inbound RADIUS from authenticators.
+ ip6tables -A nixos-fw -p udp --dport 1812 --src 2a09:a443::/64 -j nixos-fw-accept
+ iptables -A nixos-fw -p udp --dport 1812 --src 92.118.30.0/24 -j nixos-fw-accept
+ '';
+ };
 };
 my.ip.tailscale = "100.120.98.116";
+ environment.systemPackages = with pkgs; [
+ freeradius
+ ];
+
 system.stateVersion = "21.05";
 }
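Review bot: The three `ip46tables ... --src roamingN.ja.net` lines in the new `firewall.extraCommands` block make the firewall's correctness depend on DNS at rule-load time: iptables resolves the name once when the rule is inserted, so the accept rule is pinned to whatever the resolver returned at that moment (and to whoever controlled that answer), is not refreshed if JANET renumbers, and will fail outright if the resolver is not reachable when the firewall unit starts at boot — presumably aborting the whole extraCommands script and leaving RADIUS unreachable. A further likely failure is that `ip46tables` runs the rule through ip6tables as well, which errors if the name has no AAAA record. The authenticator rules just below already use literal prefixes; the JANET rules should do the same, with the upstream addresses recorded in a comment, e.g. `ip46tables -A nixos-fw -p udp --dport 1812 --src <roaming0.ja.net address> -j nixos-fw-accept` (addresses to be filled in from JANET's published roaming server list). If name-based rules are kept deliberately, a comment stating that the firewall must start after name resolution is available, and that a resolver outage at boot breaks these rules, would save the next operator a debugging session.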