diff --git a/nix/nixos-module/container/upstream.nix b/nix/nixos-module/container/upstream.nix
index fa3607c..2add9f7 100644
--- a/nix/nixos-module/container/upstream.nix
+++ b/nix/nixos-module/container/upstream.nix
@@ -87,11 +87,13 @@ in
 ''}
 # Do not NAT our public IPv4 addresses
- ${lib.concatMapStringsSep "\n" (subnet: ''
- ip6tables -t nat -I nixos-nat-post \
- -s ${subnet} \
- -j RETURN
- '') upstreamInterfaces.${net}.upstream.noNat.subnets4}
+ ${lib.concatMapStringsSep "\n" (net:
+ lib.concatMapStrings (subnet: ''
+ ip6tables -t nat -I nixos-nat-post \
+ -s ${subnet} \
+ -j RETURN
+ '') upstreamInterfaces.${net}.upstream.noNat.subnets4 or []
+ ) (builtins.attrNames hostConf.interfaces)}
 # Provide IPv6 upstream for everyone, using NAT66 when not from
 # our static prefixes
diff --git a/nix/nixos-module/default.nix b/nix/nixos-module/default.nix
index cfc59d0..e6c3799 100644
--- a/nix/nixos-module/default.nix
+++ b/nix/nixos-module/default.nix
@@ -30,7 +30,10 @@ in {
 optionals lib.config.site.hosts.${hostName}.isRouter [
 ./container/bird.nix
 ] ++
- optionals (
+ optionals (builtins.match "upstream.*" hostName != null) [
+ optionals (
+ builtins.match "upstream.*" hostName != null ||
+ hostName == "flpk-gw"
+ ) [
 ./container/upstream.nix
 ./container/upstream/pppoe.nix
 ] ++
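Review bot: The rewritten loop in container/upstream.nix still emits `ip6tables -t nat -I nixos-nat-post` for every entry of `noNat.subnets4`, under the comment "Do not NAT our public IPv4 addresses". If `subnets4` holds IPv4 prefixes, as the name suggests, ip6tables will reject them and the RETURN exemption never reaches the IPv4 nat table, so those public addresses would presumably still be masqueraded. The rule line should read `iptables -t nat -I nixos-nat-post \`. After activation, `iptables -t nat -S nixos-nat-post` should list one RETURN rule per subnet. The surrounding script string starts and ends outside the hunk, so how a failing command is handled there is not visible.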
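Review bot: The literal `hostName == "flpk-gw"` in nixos-module/default.nix makes the import of the NAT and PPPoE modules depend on a hard-coded host name alongside the `upstream.*` pattern. A renamed or newly added gateway would silently lose or gain these firewall rules with nothing in the site config saying so. A per-host attribute, used the way `isRouter` is a few lines above, would make the role explicit and reviewable. At minimum, add a comment on that line stating why this host needs the upstream modules. The enclosing imports list starts and ends outside the hunk.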