diff --git a/nix/lib/config/legacy.nix b/nix/lib/config/legacy.nix
index 7c0f01e..ada7f9b 100644
--- a/nix/lib/config/legacy.nix
+++ b/nix/lib/config/legacy.nix
@@ -149,6 +149,7 @@ in
 upstream1.interfaces.up1.upstream = {
 provider = "vodafone";
+ staticIpv4Address = "24.134.104.53";
 noNat.subnets6 = [
 "2a02:8106:208:5200::/56"
 ];
@@ -165,6 +166,7 @@ in
 upstream = {
 provider = "dsi";
 link = "up4";
+ staticIpv4Address = "81.201.149.152";
 upBandwidth = 98000;
 noNat.subnets6 = [
 "2a00:8180:2000:37::1/128"
diff --git a/nix/lib/config/options.nix b/nix/lib/config/options.nix
index 53f064d..8332cdc 100644
--- a/nix/lib/config/options.nix
+++ b/nix/lib/config/options.nix
@@ -111,6 +111,9 @@ let
 default = null;
 description = "Underlying interface name for eg. PPPoE";
 };
+ staticIpv4Address = mkOption {
+ type = with types; nullOr str;
+ };
 upBandwidth = mkOption {
 type = with types; nullOr int;
 default = null;
diff --git a/nix/nixos-module/container/upstream.nix b/nix/nixos-module/container/upstream.nix
index 662a84f..679f3da 100644
--- a/nix/nixos-module/container/upstream.nix
+++ b/nix/nixos-module/container/upstream.nix
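Review bot: The new `staticIpv4Address` option in the options.nix hunk declares `nullOr str` but, unlike the sibling `upBandwidth` option directly below it, sets no `default = null;`, so every upstream interface that does not set it (all of them except the two patched in legacy.nix) will fail evaluation with an undefined-option error as soon as upstream.nix reads `upstreamInterfaces.${net}.upstream.staticIpv4Address` to compare it with `null`. The option also has no `description`, which every neighbouring option carries. Since the value is interpolated verbatim into an iptables command line, I would additionally narrow the type so a stray string can never reach the shell: `type = with types; nullOr (strMatching "^([0-9]{1,3}\\.){3}[0-9]{1,3}$");`, `default = null;`, `description = "Public IPv4 address of this upstream; used to hairpin-SNAT forwarded ports reached from internal networks";`. The enclosing options attribute set starts and ends outside the hunk.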
@@ -77,32 +77,37 @@ in -j ${net}_nat '') (builtins.attrNames upstreamInterfaces) ) + - # Do SNAT on connection attempts so that the actual return path - # won't matter. Forwarded ports will work from internal networks - # and on services that have Internet through another upstream routers. - builtins.concatStringsSep "\n" ( - map ({ proto, destination, sourcePort, ... }: + # Do SNAT on connection attempts so that forwarded ports will + # work from internal networks. + '' + iptables -w -t nat -N nixos-nat-post-forward 2>/dev/null || \ + iptables -w -t nat -F nixos-nat-post-forward + + ${lib.concatMapStringsSep "\n" (net: let - ds = builtins.split ":" destination; - ds' = - if builtins.length ds == 3 - then { - dest = lib.elemAt ds 0; - port = lib.elemAt ds 2; - } - else if builtins.length ds == 1 - then { - dest = lib.elemAt ds 0; - port = toString sourcePort; - } - else throw "Too many colons in a forwardPorts destination"; - inherit (ds') dest port; - in '' - iptables -t nat -A nixos-nat-post \ - -p ${proto} --dest ${dest} --dport ${port} \ - -j SNAT --to-source ${config.site.net.core.hosts4.${hostName}} - '') hostConf.forwardPorts - ); + inherit (upstreamInterfaces.${net}.upstream) staticIpv4Address; + in lib.optionalString (staticIpv4Address != null) '' + iptables -w -t nat -A nixos-nat-post \ + --source 172.20.0.0/14 \ + --dest ${staticIpv4Address}/32 \ + -j nixos-nat-post-forward + '') (builtins.attrNames upstreamInterfaces)} + + ${lib.concatMapStringsSep "\n" ({ proto, destination, sourcePort, ... 
}: + let + ds = builtins.split ":" destination; + port = + if builtins.length ds == 3 + then lib.elemAt ds 2 + else if builtins.length ds == 1 + then toString sourcePort + else throw "Too many colons in a forwardPorts destination"; + in '' + iptables -t nat -A nixos-nat-post-forward \ + -p ${proto} --dport ${port} \ + -j SNAT --to-source ${config.site.net.core.hosts4.${hostName}} + '') hostConf.forwardPorts} + ''; extraStopCommands = builtins.concatStringsSep "\n" ( map (net: ''
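Review bot: The `--dest ${staticIpv4Address}/32` match on the new jump into `nixos-nat-post-forward` is unlikely to hit the connections it is written for: if `nixos-nat-post` is the POSTROUTING hook as in NixOS' `networking.nat`, the PREROUTING DNAT for the forwarded port has already rewritten the destination to the internal host by then, which is exactly why the removed rule matched `--dest ${dest}` (the internal target) rather than the public address. Hairpin traffic from 172.20.0.0/14 to the public address would then bypass the SNAT and the internal server would answer the client directly, reintroducing the asymmetric-return problem the comment says this block solves. Matching the pre-NAT destination from conntrack preserves the intent, `-m conntrack --ctorigdst ${staticIpv4Address} \` in place of the `--dest` line, and `--source 172.20.0.0/14` would be better taken from the site's network definitions (as `config.site.net.core.hosts4` already is) than hard-coded here. The two `iptables -t nat -A nixos-nat-post-forward` rules also drop the `-w` that every other rule in this hunk passes; since these run alongside the `networking.nat` rules, they should keep it to avoid xtables-lock failures. The enclosing shell-string attribute starts before the hunk and the surrounding attribute set continues past it.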