diff --git a/README.md b/README.md index 871b093..3de8dcd 100644 --- a/README.md +++ b/README.md @@ -33,6 +33,22 @@ You can read more about Nebula [on the official repo](https://github.com/slackhq nebula_outbound_rules: - { port: "any", proto: "any", host: "any" } + # Example lighthouse remote_allow_list configuration + # Controls IP ranges that this node will consider when handshaking + nebula_lighthouse_remote_allow_list: + '172.16.0.0/12': false # Block this subnet + '0.0.0.0/0': true # Allow all other IPs + '10.0.0.0/8': false # Block private range + '10.42.42.0/24': true # Allow specific subnet + + # Example lighthouse local_allow_list configuration + # Filters which local IP addresses are advertised to the lighthouses + nebula_lighthouse_local_allow_list: + interfaces: + tun0: false # Block tun0 interface + 'docker.*': false # Block all docker interfaces + '10.0.0.0/8': true # Only advertise this subnet + roles: - role: nebula ``` diff --git a/defaults/main.yml b/defaults/main.yml index 492bb8d..6f9fdcd 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -17,6 +17,19 @@ nebula_lighthouse_public_port: 4242 nebula_lighthouse_is_relay: true nebula_lighthouse_extra_config: {} +# Lighthouse remote_allow_list configuration +# Controls IP ranges that this node will consider when handshaking to another node +# Format: CIDR: boolean (true to allow, false to deny) +# If all rules are "allow", default will be "deny", and vice-versa +# If both "allow" and "deny" rules are present, you MUST set a rule for "0.0.0.0/0" as default +nebula_lighthouse_remote_allow_list: {} + +# Lighthouse local_allow_list configuration +# Filters which local IP addresses are advertised to the lighthouses +# Can specify interfaces map of regular expressions to match against interface names +# Format: CIDR: boolean or interfaces: { interface_regex: boolean } +nebula_lighthouse_local_allow_list: {} + nebula_metrics_prometheus_enabled: false nebula_metrics_prometheus_listen: "127.0.0.1:4244" nebula_metrics_prometheus_path: "/metrics" diff --git a/templates/lighthouse_config.yml.j2 b/templates/lighthouse_config.yml.j2 index 5b04f9c..1899cde 100644 --- a/templates/lighthouse_config.yml.j2 +++ b/templates/lighthouse_config.yml.j2 
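Review bot: The comment block above `nebula_lighthouse_remote_allow_list` does not say what the empty default means; the template in this commit only emits the key when the map is non-empty, so `{}` leaves the option out of the rendered config and Nebula's built-in behaviour applies. Consider adding `# Leave empty to omit the key from the rendered config (Nebula's built-in default then applies)` above both new variables. The `0.0.0.0/0` requirement for mixed allow/deny lists is documented here but not checked anywhere in the role, which is worth stating in the same comment so a missing default rule is not mistaken for a template bug.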
@@ -28,9 +28,34 @@ lighthouse: # format: # # - "192.168.77.1" - {% if nebula_lighthouse_extra_config|length > 0 %} - {{- nebula_lighthouse_extra_config | to_nice_yaml | indent(2) }} + +{% if nebula_lighthouse_remote_allow_list|length > 0 %} + # remote_allow_list controls IP ranges that this node will consider when handshaking + remote_allow_list: + {% for cidr, allow in nebula_lighthouse_remote_allow_list.items() %} + '{{ cidr }}': {{ allow | lower }} + {% endfor %} +{% endif %} + +{% if nebula_lighthouse_local_allow_list|length > 0 %} + # local_allow_list filters which local IP addresses we advertise to the lighthouses + local_allow_list: + {% if nebula_lighthouse_local_allow_list.interfaces is defined %} + interfaces: + {% for interface, allow in nebula_lighthouse_local_allow_list.interfaces.items() %} + '{{ interface }}': {{ allow | lower }} + {% endfor %} {% endif %} + {% for key, value in nebula_lighthouse_local_allow_list.items() %} + {% if key != 'interfaces' %} + '{{ key }}': {{ value | lower }} + {% endif %} + {% endfor %} +{% endif %} + +{% if nebula_lighthouse_extra_config|length > 0 %} + {{- nebula_lighthouse_extra_config | to_nice_yaml | indent(2) }} +{% endif %} listen: # 0.0.0.0 means "all interfaces," which is probably what you want
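Review bot: The indented `{% for %}`, `{% if %}` and `{% endif %}` lines inside the new `local_allow_list` block leave their leading spaces in the rendered output whenever the role renders with Ansible's template defaults (`trim_blocks: true`, `lstrip_blocks: false`), because only the newline after a block tag is removed and the spaces before each tag accumulate onto the next emitted line. With both `interfaces` and a CIDR key set, which is exactly the README example in this commit, the CIDR line then lands several columns deeper than the `interfaces` entries and the generated `lighthouse:` block is no longer valid YAML (the `remote_allow_list` loop picks up extra indent too, but consistently, so it still parses). The same mechanism is why moving `{% if nebula_lighthouse_extra_config|length > 0 %}` to column 0 while keeping `{{-` now places the first key of `nebula_lighthouse_extra_config` at column 0, outside `lighthouse:`, whereas the removed two-space indent before that tag previously supplied the first line's indent. Unless the task sets `lstrip_blocks: true`, put every control tag at column 0 and give the value lines their final indent, and render the extra config with `  {{ nebula_lighthouse_extra_config | to_nice_yaml | indent(2) }}` (no dash). Since `nebula_lighthouse_extra_config` is now emitted last, a `remote_allow_list` or `local_allow_list` key that a user already carries there becomes a duplicate key that most YAML parsers resolve silently in favour of the last occurrence, which deserves a one-line comment at that spot.
```jinja
{# … unchanged apart from the same column-0 tag layout: remote_allow_list block … #}
  local_allow_list:
{% if nebula_lighthouse_local_allow_list.interfaces is defined %}
    interfaces:
{% for interface, allow in nebula_lighthouse_local_allow_list.interfaces.items() %}
      '{{ interface }}': {{ allow | lower }}
{% endfor %}
{% endif %}
{% for key, value in nebula_lighthouse_local_allow_list.items() %}
{% if key != 'interfaces' %}
    '{{ key }}': {{ value | lower }}
{% endif %}
{% endfor %}
{% endif %}

{% if nebula_lighthouse_extra_config|length > 0 %}
{# rendered last: a key repeated here overrides the generated allow lists above #}
  {{ nebula_lighthouse_extra_config | to_nice_yaml | indent(2) }}
{% endif %}
```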