diff --git a/modules/microvm-defaults.nix b/modules/microvm-defaults.nix
index 439f9e9a..948f524b 100644
--- a/modules/microvm-defaults.nix
+++ b/modules/microvm-defaults.nix
@@ -18,6 +18,10 @@
         # nf_conntrack: nf_conntrack: table full, dropping packet
         "net.netfilter.nf_conntrack_max" = "65536";
       };
+    kernelModules = [
+      # required for net.netfilter.nf_conntrack_max appearing in sysfs early at boot
+      "nf_conntrack"
+    ];
     kernelParams = [
       "preempt=none"
       # No server/router runs any untrusted user code