diff --git a/modules/adguard.nix b/modules/adguard.nix
index add1199..56c5052 100644
--- a/modules/adguard.nix
+++ b/modules/adguard.nix
@@ -179,6 +179,7 @@ in
 networking.firewall.extraCommands = ''
 iptables -t nat -A PREROUTING -i tailscale0 -p udp --dport 53 -j REDIRECT --to-ports 5353
 iptables -t nat -A PREROUTING -i tailscale0 -p tcp --dport 53 -j REDIRECT --to-ports 5353
+ iptables -I ts-input 3 -p tcp --dport ${toString cfg.port} -s 100.64.0.0/10 -j ACCEPT
 '';
 networking.firewall.extraStopCommands = ''
 iptables -t nat -D PREROUTING -i tailscale0 -p udp --dport 53 -j REDIRECT --to-ports 5353 || true
@@ -192,11 +193,6 @@ in
 contentSecurityPolicy = null; # AdGuard Home handles its own CSP
 };
 
- # Allow direct Tailscale access to AdGuard Home dashboard
- networking.firewall.extraCommands = lib.mkAfter ''
- iptables -I ts-input 3 -p tcp --dport ${toString cfg.port} -s 100.64.0.0/10 -j ACCEPT
- '';
-
 # Ensure nginx user can access ACME certs
 users.users.nginx.extraGroups = [ "acme" ];
 };
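Review bot: The added `ts-input` rule in `extraCommands` matches on source address only (`-s 100.64.0.0/10`) and not on the ingress interface, unlike the two `-i tailscale0` NAT rules above it, so it accepts TCP to the dashboard port from any interface that presents a source in that range. 100.64.0.0/10 is the shared CGNAT block that ISPs also use, and inserting at position 3 may place the ACCEPT ahead of Tailscale's own filtering of that range; the chain layout is not visible here, so confirm it with `iptables -S ts-input`. Binding the rule to the interface keeps the intent: `iptables -I ts-input 3 -i tailscale0 -p tcp --dport ${toString cfg.port} -s 100.64.0.0/10 -j ACCEPT`. The visible part of `extraStopCommands` shows no matching `iptables -D ts-input ... || true`, so if none exists further down, the rule may be duplicated on each firewall reload; that block continues outside the hunk.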