diff --git a/hosts/public-access-proxy/default.nix b/hosts/public-access-proxy/default.nix
index 17625398..fa559f0c 100644
--- a/hosts/public-access-proxy/default.nix
+++ b/hosts/public-access-proxy/default.nix
@@ -6,6 +6,12 @@
 ./stats.nix
 ];
+ boot.kernel.sysctl = {
+ # table overflow causing packets from nginx to the service to drop
+ # nf_conntrack: nf_conntrack: table full, dropping packet
+ "net.netfilter.nf_conntrack_max" = toString (4096*32);
+ };
+
 c3d2.deployment.server = "server10";
 networking.hostName = "public-access-proxy";
diff --git a/modules/microvm-defaults.nix b/modules/microvm-defaults.nix
index 948f524b..172d18fb 100644
--- a/modules/microvm-defaults.nix
+++ b/modules/microvm-defaults.nix
@@ -9,6 +9,10 @@
 boot = {
 loader.grub.enable = false;
+ initrd.kernelModules = [
+ # required for net.netfilter.nf_conntrack_max appearing in sysfs early at boot
+ "nf_conntrack"
+ ];
 kernel.sysctl = let
 mem = if (config?microvm) then config.microvm.mem else config.deployment.mem;
@@ -16,12 +20,8 @@
 lib.optionalAttrs (mem <= 2*1024) {
 # table overflow causing packets from nginx to the service to drop
 # nf_conntrack: nf_conntrack: table full, dropping packet
- "net.netfilter.nf_conntrack_max" = "65536";
+ "net.netfilter.nf_conntrack_max" = lib.mkDefault "65536";
 };
- kernelModules = [
- # required for net.netfilter.nf_conntrack_max appearing in sysfs early at boot
- "nf_conntrack"
- ];
 kernelParams = [
 "preempt=none" # No server/router runs any untrusted user code
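Review bot: The host raises the conntrack entry ceiling to 131072 but leaves the hash table at its boot-time size, so the extra entries are spread over the same bucket count and every lookup on a busy proxy walks a longer chain; where the running kernel exposes `net.netfilter.nf_conntrack_buckets` as writable it should be sized together with `nf_conntrack_max` (older kernels only take it as the module's `hashsize` parameter at load time), or the comment should say why the default bucket count is acceptable. The copied comment describes the symptom but not the number; if this host has 4 GiB, as the `4096*` factor suggests, a comment such as `# 32 conntrack entries per MiB on a 4 GiB host, twice the microvm default in modules/microvm-defaults.nix` would let the next reader see where `4096*32` comes from. On an internet-facing proxy the `table full, dropping packet` message is also what an unbounded flood of stale or half-open flows produces, so the kernel message should stay visible in monitoring after the limit is raised, and the established and time-wait conntrack timeouts deserve a look before the table is grown further.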
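Review bot: The moved comment says the key appears `in sysfs`, but `net.netfilter.nf_conntrack_max` is a sysctl under `/proc/sys`, and since this comment is the only record of why a netfilter module is loaded from stage 1 it should state the real dependency: `# loaded from the initrd so the net.netfilter.nf_conntrack_* sysctls exist under /proc/sys when boot.kernel.sysctl is applied`. Because the stage-2 `boot.kernelModules` entry is dropped in the following hunk, every host importing this module now depends on an initrd being built and on stage 1 loading the module; a host booting without an initrd would have no loader left and the sysctl would fail at apply time, though whether any such host exists is not visible here. The enclosing `boot = {` attribute set continues outside the hunk.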
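Review bot: `lib.mkDefault` makes the 65536 value overridable, but the override in hosts/public-access-proxy/default.nix then duplicates both the comment and the sizing rule, with the module saying 65536 for `mem <= 2048` and the host saying `4096*32`; both work out to 32 entries per MiB, so if that is the intended rule the module could compute it once, for example `"net.netfilter.nf_conntrack_max" = lib.mkDefault (toString (mem * 32));`, and the host override could go away. Whether the 2 GiB cap was meant to keep larger VMs on the kernel's RAM-derived default is not stated, so this is a question for the author rather than a defect, but the answer belongs in the comment either way. The `let` binding of `mem` and the `in` of this `kernel.sysctl` expression lie outside the hunk.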