diff --git a/services/router.nix b/services/router.nix
index abfa20e..9f4a9bb 100644
--- a/services/router.nix
+++ b/services/router.nix
@@ -112,10 +112,12 @@ in
 # LAN is trusted
 iifname "eth0" accept
 # Docker containers reaching host services (e.g. Profilarr → Radarr
- # on 10.0.0.1:7878). The forward chain already trusts docker0 for
- # outbound; this is the matching INPUT rule for traffic landing on
- # the host's own LAN/bridge IPs from a container.
- iifname "docker0" accept
+ # on 10.0.0.1:7878). The forward chain already trusts docker bridges
+ # for outbound; this is the matching INPUT rule for traffic landing
+ # on the host's own LAN/bridge IPs from a container. The br-* glob
+ # covers user-defined networks (the Forgejo runner creates one per
+ # workflow), so it doesn't fall through to the default-deny policy.
+ iifname { "docker0", "br-*" } accept
 # Phase 1: also trust the existing eero subnet on eno1 so SSH
 # and AdGuard DNS keep working during the transition.
 ${legacyTrustRules}
@@ -131,8 +133,10 @@ in
 ct state invalid drop
 # LAN → anywhere
 iifname "eth0" accept
- # Docker containers → anywhere (needed for image pulls, LinuxGSM bootstrap, etc.)
- iifname "docker0" accept
+ # Docker containers → anywhere (needed for image pulls, LinuxGSM
+ # bootstrap, Forgejo runner workflows, etc.). br-* matches the
+ # user-defined bridges Docker creates for custom networks.
+ iifname { "docker0", "br-*" } accept
 # WAN → any port-forward target (LAN host or docker container)
 iifname "eno1" ct status dnat accept
 }
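Review bot: The new `iifname { "docker0", "br-*" } accept` in the input chain grants every container on any user-defined bridge unrestricted access to all host listeners, and the comment itself says these bridges include the per-workflow networks the Forgejo runner creates, which run job-supplied code; the rule is justified by the Radarr example but is much wider than it. If the runner bridges only need specific host services, narrow them to destination and port, e.g. `iifname "br-*" ip daddr 10.0.0.1 tcp dport { 7878 } accept` with the real port list substituted, and keep the blanket accept for `docker0` only. Wildcard interface names inside an anonymous set depend on nftables/kernel support, so this should be checked with `nft -c -f` on the target before it is rolled out, otherwise the ruleset fails to load rather than the containers falling through to the default-deny the comment mentions. The `br-*` glob also matches any non-Docker bridge that happens to use that prefix, which is worth a note in the comment. The input chain's definition starts before this hunk.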
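Review bot: The forward-chain `iifname { "docker0", "br-*" } accept` lets workflow containers on the runner bridges initiate connections to LAN hosts via eth0 and to other bridges, not only to the WAN that image pulls and the LinuxGSM bootstrap need; the comment says "anywhere" but does not say whether LAN reachability from CI jobs is intended. If it is not, restricting the runner bridges to egress, `iifname "br-*" oifname "eno1" accept`, keeps the docker0 behaviour unchanged while confining job containers to the internet. Either way the comment should state the decision, e.g. `# br-* (runner workflow networks) may also reach LAN hosts — intentional`, so the next reader does not have to infer it. The forward chain's opening is outside this hunk.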