diff --git a/hosts/containers/freifunk/default.nix b/hosts/containers/freifunk/default.nix
index 360f2444..1323e993 100644
--- a/hosts/containers/freifunk/default.nix
+++ b/hosts/containers/freifunk/default.nix
@@ -86,10 +86,6 @@ in {
 # Setup routing into Freifunk,
 # masquerading anything that isn't already their IP range
 extraCommands = ''
- ${pkgs.iproute}/bin/ip rule del priority 300 || true
- ${pkgs.iproute}/bin/ip rule add to 10.200.0.0/16 table bmx_hosts priority 300
- ${pkgs.iproute}/bin/ip rule del priority 33000 || true
- ${pkgs.iproute}/bin/ip rule add table bmx_tuns priority 33000
 ${pkgs.iptables}/bin/iptables -t nat -F POSTROUTING
 ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING \
 \! --source 10.200.0.0/15 -o ${meshInterface} -j SNAT --to 10.200.${ddmeshAddrPart}
@@ -191,14 +187,27 @@ in {
 Broadcast = ddmeshBroadcast;
 };
 }];
+ routingPolicyRules = [ {
+ routingPolicyRuleConfig = {
+ Priority = 300;
+ To = "10.200.0.0/16";
+ Table = "bmx_hosts";
+ };
+ } ];
 };
 # Dummy interface for primary (10.200) address
- "11-bmx-loopback" = {
+ "11-bmx-prime" = {
 enable = true;
 matchConfig = { Name = meshLoopback; };
 addresses = [{
 addressConfig.Address = "10.200.${ddmeshAddrPart}/32";
 }];
+ routingPolicyRules = [ {
+ routingPolicyRuleConfig = {
+ Priority = 33000;
+ Table = "bmx_tuns";
+ };
+ } ];
 };
 "31-wg-vpn6" = {
 enable = true;
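Review bot: Both added `routingPolicyRules` entries name their table symbolically (`Table = "bmx_hosts";`, `Table = "bmx_tuns";`), but systemd-networkd does not read the iproute2 `rt_tables` file that the removed `ip rule` commands relied on; it accepts a number, the predefined names, or (in newer releases) names declared through `RouteTable=` in networkd.conf. If the two names are declared only for iproute2 (the declaration is not visible in this diff), networkd will most likely log a warning and skip the rule, so traffic for 10.200.0.0/16 would silently follow the main table instead of the mesh tables while the SNAT rule stays in place. I would use the numeric ids, e.g. `Table = <bmx_hosts table id>;`, or declare the names for networkd as well, and confirm the result with `ip rule show` after activation. The selector-less rule at priority 33000 is now bound to the `meshLoopback` link rather than to the firewall script, which deserves a comment such as `# bmx_tuns fallback rule: installed by networkd only once meshLoopback is configured`. The network block that receives the first rule starts outside the hunk.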