diff --git a/config/net/upstream.nix b/config/net/upstream.nix
index 5e30fdc..eedb53a 100644
--- a/config/net/upstream.nix
+++ b/config/net/upstream.nix
@@ -34,11 +34,15 @@ in
           destination = servHosts.public-access-proxy;
           proto = "tcp";
           sourcePort = 80;
+          # this is the default but written here explicitly because we do ip based filtering
+          reflect = false;
         }
         { # https
           destination = servHosts.public-access-proxy;
           proto = "tcp";
           sourcePort = 443;
+          # this is the default but written here explicitly because we do ip based filtering
+          reflect = false;
         }
         { # gemini
           destination = "${c3d2-web}:1965";
@@ -49,11 +53,15 @@ in
           destination = servHosts.knot;
           proto = "tcp";
           sourcePort = 53;
+          # this is the default but written here explicitly because we do ip based filtering
+          reflect = false;
         }
         {
           destination = servHosts.knot;
           proto = "udp";
           sourcePort = 53;
+          # this is the default but written here explicitly because we do ip based filtering
+          reflect = false;
         }
         {
           destination = dn42;