diff --git a/plays/firewall.yml b/plays/firewall.yml
index 75a2f071..c2976feb 100755
--- a/plays/firewall.yml
+++ b/plays/firewall.yml
@@ -4,13 +4,14 @@
 - hosts: crans_routeurs
 roles:
 - sysctl-forwarding
+ - nftables
 - hosts: routeur-sam.adm.crans.org
 roles:
 - arp-proxy
 # Deploy firewall
-- hosts: crans_routeurs,gulp.adm.crans.org
+- hosts: crans_routeurs
 vars:
 re2o:
 server: re2o.adm.crans.org
@@ -20,7 +21,7 @@
 - firewall
 # Deploy BGP server configuration on IPv4 routers
-- hosts: crans_routeurs,gulp.adm.crans.org
+- hosts: crans_routeurs
 vars:
 zebra:
 password: "{{ vault_zebra_password }}"
diff --git a/roles/nftables/tasks/main.yml b/roles/nftables/tasks/main.yml
new file mode 100644
index 00000000..8a5506a5
--- /dev/null
+++ b/roles/nftables/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- name: Install nftables
+ apt:
+ name: nftables
+ state: present
+ update_cache: true
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+- name: Enable and start nftables
+ systemd:
+ name: nftables
+ enabled: true
+ state: started
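Review bot: Narrowing `hosts:` to `crans_routeurs` on the firewall play here, and on the BGP play in the second hunk of this file, stops Ansible from managing `gulp.adm.crans.org` but does not undo what earlier runs deployed there. Nothing in this diff shows whether gulp is being retired or moved to another play, so if it still forwards traffic its ruleset and zebra configuration would stay frozen at the last applied state. I would record the reason next to the play, for example `# gulp.adm.crans.org is no longer a router: <where its filtering is managed now>`, and confirm the host is covered elsewhere before merging. Both plays continue past the end of their hunks.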
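Review bot: `Enable and start nftables` in roles/nftables/tasks/main.yml starts the unit while the role deploys no ruleset of its own, so the first run loads whatever `/etc/nftables.conf` the package installed. On Debian that stock file normally begins with `flush ruleset` and defines empty chains, which on a router would presumably clear filtering that is already active until the later firewall play re-applies it. The `firewall` role is not visible in this diff, so this needs checking against how it loads its rules. Either leave the start to the role that writes the rules (keep `enabled: true`, drop `state: started`) or make the dependency explicit with a comment such as `# ruleset is written by <role that owns the rules>; the stock config is loaded until then`.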