diff --git a/roles/secure/defaults/main.yml b/roles/secure/defaults/main.yml
index 18b2af4..ba10ec0 100644
--- a/roles/secure/defaults/main.yml
+++ b/roles/secure/defaults/main.yml
@@ -6,6 +6,10 @@
 common_allow_restart: false # allow restarting after update
 common_firewall_enabled: true
 common_firewall_reject: false # reject all connections by default
+# Allow incoming on internal subnet
+common_firewall_allow_internal_incoming: true # allow or not?
+common_firewall_internal_subnet: 10.0.0.0/24 # internal subnet
+
 # Default Firewall Rules
 common_firewall:
 - port: 22
diff --git a/roles/secure/tasks/main.yml b/roles/secure/tasks/main.yml
index 90a4cde..a56278b 100644
--- a/roles/secure/tasks/main.yml
+++ b/roles/secure/tasks/main.yml
@@ -26,6 +26,13 @@
     state: absent
   when: not common_firewall_enabled
+- name: Allow all incoming connections from LAN by default
+  community.general.ufw:
+    default: allow
+    direction: incoming
+    src: "{{ common_firewall_internal_subnet }}"
+  when: "{{ common_firewall_allow_internal_incoming }}"
+
 - name: Reject incoming connections on WAN interface by default
   community.general.ufw:
     default: reject
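Review bot: `common_firewall_allow_internal_incoming: true` opens every port to hosts in `common_firewall_internal_subnet` on any machine that merely applies the role, which inverts the secure-by-default posture the rest of this file keeps (`common_allow_restart` and `common_firewall_reject` both default to false). Defaulting it to `false` and letting a playbook opt in for a known-trusted LAN would be safer, since 10.0.0.0/24 is a very common range that may hold untrusted peers. The trailing `# allow or not?` reads as an open question rather than documentation; something like `# open all ports to common_firewall_internal_subnet; enable only on a trusted LAN` states the consequence a consumer needs to know.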
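Review bot: `src` appears to have no effect alongside `default: allow` in `community.general.ufw` — as far as I can tell, source/destination filters belong to `rule:` entries, and `ufw default allow incoming` takes no source — so this task would set the host-wide incoming default to allow rather than scoping it to the LAN. The following task then sets the incoming default to reject (its `when` is outside the hunk), so whichever runs last wins and the subnet is never consulted. If a scoped allow is the intent, express it as a rule: `rule: allow`, `direction: in`, `src: "{{ common_firewall_internal_subnet }}"`. Separately, `when: "{{ common_firewall_allow_internal_incoming }}"` wraps the condition in Jinja delimiters, which Ansible warns about or rejects; the sibling task uses the bare form `when: not common_firewall_enabled`, so this should be `when: common_firewall_allow_internal_incoming`.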