diff --git a/machines/shinobu/services/router/common.nix b/machines/shinobu/services/router/common.nix
index 0c28330..fde0e68 100644
--- a/machines/shinobu/services/router/common.nix
+++ b/machines/shinobu/services/router/common.nix
@@ -60,7 +60,7 @@ in
 # default
 {
 minor = 2;
- rate = "1000kbit";
+ rate = "800kbit";
 prio = 50;
 }
 # DNS, small packets (e.g., TCP ACK)
@@ -110,6 +110,13 @@ in
 ceil = "3000kbit";
 prio = 90;
 }
+ # guest
+ {
+ minor = 10;
+ rate = "200kbit";
+ ceil = "2000kbit";
+ prio = 99;
+ }
 ];
 };
 }
diff --git a/machines/shinobu/services/router/rules.nft b/machines/shinobu/services/router/rules.nft
index 3272aeb..5a86b08 100644
--- a/machines/shinobu/services/router/rules.nft
+++ b/machines/shinobu/services/router/rules.nft
@@ -76,6 +76,8 @@ table inet tc { } chain common { + iifname "br-guest" meta priority set 1:a counter return comment "guest network" + meta l4proto tcp meta length 1-64 meta priority set 1:3 counter return comment "small tcp packets" tcp dport 22 ip dscp af21 meta priority set 1:4 counter return comment "interactive SSH (4)"
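Review bot: The guest class in the second common.nix hunk is declared with `minor = 10;`, while the rule added in rules.nft marks guest traffic with `meta priority set 1:a`; tc and nftables both read class minors as hexadecimal, so the two only refer to the same class if the code that renders this list converts the integer to hex. That rendering code and the start of the class list are outside the hunk, and this appears to be the first entry where the decimal and hex spellings differ. If the module emits `1:10`, the class created is 0x10 and packets marked 1:a would match no class, so the guest network would not be held to the 200kbit/2000kbit limits. Once confirmed, a comment on the entry such as `# guest (classid 1:a, minor rendered as hex)` would record the dependency, and `tc -s class show dev <wan-interface>` on the router should show a 1:a class with a non-zero packet counter.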