diff --git a/nix/lib/config/legacy.nix b/nix/lib/config/legacy.nix
index 2a54e29..775d806 100644
--- a/nix/lib/config/legacy.nix
+++ b/nix/lib/config/legacy.nix
@@ -76,6 +76,12 @@ in
 services.dnscache.enable = true;
 };
+ upstream1.interfaces.up1.upstream.noNat.subnets6 = [
+ "2a02:8106:208:5200::/56"
+ ];
+ upstream2.interfaces.up2.upstream.noNat.subnets6 = [
+ "2a02:8106:208:e900::/56"
+ ];
 upstream1.ospf.upstreamInstance = 3;
 upstream2.ospf.upstreamInstance = 4;
 anon1.ospf.upstreamInstance = 5;
diff --git a/nix/lib/config/options.nix b/nix/lib/config/options.nix
index 40f9ae5..ba95160 100644
--- a/nix/lib/config/options.nix
+++ b/nix/lib/config/options.nix
@@ -101,6 +101,11 @@ let
 upBandwidth = mkOption {
 type = with types; nullOr int;
 };
+ noNat.subnets6 = mkOption {
+ type = with types; listOf str;
+ default = [];
+ description = "Do not NAT66 traffic from these public static subnets";
+ };
 };
 interfaceOpts = { name, ... }: {
 options = {
diff --git a/nix/nixos-module/container/upstream.nix b/nix/nixos-module/container/upstream.nix
index 6e86dd8..8461e70 100644
--- a/nix/nixos-module/container/upstream.nix
+++ b/nix/nixos-module/container/upstream.nix
@@ -1,9 +1,11 @@
 { hostName, config, lib, ... }:
 let
+ hostConf = config.site.hosts.${hostName};
+
 upstreamInterfaces = lib.filterAttrs (_: { upstream, ... }: upstream != null)
- config.site.hosts.${hostName}.interfaces;
+ hostConf.interfaces;
 firstUpstreamInterface =
 if builtins.length (builtins.attrNames upstreamInterfaces) > 0
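Review bot: The new `noNat.subnets6` option in options.nix is typed `listOf str`, which accepts any string, while the same commit splices each entry unquoted into an `ip6tables ... -s ${subnet}` line in container/upstream.nix, so a typo or stray whitespace only shows up as a failing nat script at activation instead of an evaluation error. A stricter element type catches it early, for example (constructed, deliberately loose pattern) `type = with types; listOf (strMatching "^[0-9a-fA-F:]+/[0-9]+$");`. The description could also state the expected format, e.g. `description = "IPv6 prefixes in CIDR notation (public static subnets) whose traffic is not NAT66'd";`. The option set these lines extend opens before the hunk.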
@@ -46,6 +48,27 @@ in
 enable = true;
 internalInterfaces = [ "core" ];
 externalInterface = firstUpstreamInterface;
- inherit (config.site.hosts.${hostName}) forwardPorts;
+ # Provide IPv6 upstream for everyone, using NAT66 when not from
+ # our static prefixes
+ extraCommands =
+ builtins.concatStringsSep "\n" (
+ map (net: ''
+ ip6tables -t nat -X ${net}_nat || true
+ ip6tables -t nat -N ${net}_nat
+ ${builtins.concatStringsSep "\n" (
+ map (subnet: ''
+ ip6tables -t nat -A ${net}_nat \
+ -s ${subnet} \
+ -j RETURN
+ '') upstreamInterfaces.${net}.upstream.noNat.subnets6
+ )}
+ ip6tables -t nat -A ${net}_nat -j MASQUERADE
+
+ ip6tables -t nat -A POSTROUTING \
+ -o ${net} \
+ -j ${net}_nat
+ '') (builtins.attrNames upstreamInterfaces)
+ );
+ inherit (hostConf) forwardPorts;
 };
 }
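Review bot: The `extraCommands` setup is not safely re-runnable: `ip6tables -t nat -X ${net}_nat || true` fails (silently) while the chain still holds rules or is still referenced from POSTROUTING, so on every reload the following `-N` errors and another `-A POSTROUTING -o ${net} -j ${net}_nat` jump is appended, and stale RETURN rules from a previous `subnets6` value stay in effect. Delete the jump and flush the chain before removing it: `ip6tables -t nat -D POSTROUTING -o ${net} -j ${net}_nat 2>/dev/null || true`, `ip6tables -t nat -F ${net}_nat 2>/dev/null || true`, then `ip6tables -t nat -X ${net}_nat 2>/dev/null || true` in place of the current `-X` line. Whether a failing `-N` aborts the rest of the generated nat script depends on how that script is assembled, which is not visible here; the matching teardown belongs in `extraStopCommands`. The attribute set these keys live in (apparently `networking.nat`) opens before this hunk.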