diff --git a/nix/nixos-module/container/bird.nix b/nix/nixos-module/container/bird.nix
index 68fd940..d3ad5ce 100644
--- a/nix/nixos-module/container/bird.nix
+++ b/nix/nixos-module/container/bird.nix
@@ -4,9 +4,9 @@ let
 hostConf = config.site.hosts.${hostName};
- isUpstream = builtins.any (net:
- hostConf.interfaces.${net}.upstream != null
- ) (builtins.attrNames hostConf.interfaces);
+ isUpstream =
+ builtins.match "upstream.*" hostName != null ||
+ builtins.match "anon.*" hostName != null;
 # Configuring a gateway? If so, this is the associated net.
 gatewayNet =
@@ -35,11 +35,20 @@ in
 protocol kernel K4 {
 learn;
 ipv4 {
- export all;
+ ${lib.optionalString (!isUpstream) ''
+ export all;
+ ''}
 ${lib.optionalString isUpstream ''
- # Learn the default route
+ export filter {
+ if net ~ [ 0.0.0.0/0 ] then {
+ # Do not set another default route on upstreams
+ reject;
+ }
+ accept;
+ };
 import filter {
 if net ~ [ 0.0.0.0/0 ] then {
+ # Learn the upstream default route
 accept;
 }
 reject;
@@ -50,9 +59,18 @@ in
 protocol kernel K6 {
 learn;
 ipv6 {
- export all;
+ ${lib.optionalString (!isUpstream) ''
+ export all;
+ ''}
 ${lib.optionalString isUpstream ''
- # Learn the default route
+ export filter {
+ if net ~ [ ::/0 ] then {
+ # Do not set another default route on upstreams
+ reject;
+ }
+ accept;
+ };
+ # Learn the upstream default route
 import filter {
 if net ~ [ ::/0 ] then {
 accept;
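Review bot: `isUpstream` is now decided by the host's name (`builtins.match "upstream.*"` / `"anon.*"`, which `builtins.match` anchors to the whole string, so these are prefix checks) instead of by whether any interface has `upstream` set, so a host named against the convention, or a renamed one, silently flips between `export all` and the filtered kernel export in K4/K6 with no evaluation-time signal. Since the interface-derived check is being deleted rather than replaced by something equivalent, I would keep it alongside the name rule and make the evaluation fail when the two disagree, as below. If the two are known to differ legitimately (for instance if anon hosts carry no `upstream` interface attribute), drop the assert and state that reason in a comment next to the binding instead, because nothing in this hunk records why the interface check was abandoned. The `let` block this binding lives in continues outside the hunk.

```nix
# Role follows the hostname prefix; the interface check guards against a
# host that is named one way and wired the other.
isUpstreamByName = builtins.match "(upstream|anon).*" hostName != null;
isUpstreamByIface = builtins.any (net:
  hostConf.interfaces.${net}.upstream != null
) (builtins.attrNames hostConf.interfaces);
isUpstream =
  assert isUpstreamByName == isUpstreamByIface; isUpstreamByName;
```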
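Review bot: The two `lib.optionalString` calls with complementary conditions (`!isUpstream`, then `isUpstream`) are an if/else written as two string fragments; `${if isUpstream then ''…'' else ''export all;''}` would make it structurally impossible for both or neither branch to render and reads as the single decision it is. The new export filter keeps a default route out of the kernel FIB on upstreams, but as far as this hunk shows the route still lives in BIRD's table, so any other protocol exporting from that table would still carry it; if that is the intended scope, say so where the reject happens, e.g. `# Keep 0.0.0.0/0 out of the kernel FIB only; other protocols may still export it`. `protocol kernel K4` closes outside the hunk.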
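Review bot: The `# Learn the upstream default route` comment sits above `import filter {` here but inside the `then {` branch in the K4 block changed by the same commit; pick one placement so the two kernel protocols stay diffable line for line. Within these hunks K4 and K6 differ only in the protocol name, the `ipv4`/`ipv6` keyword and the default prefix, so one function taking `{ afi = "ipv6"; default = "::/0"; }` (and `"ipv4"`, `"0.0.0.0/0"` for K4) could emit both blocks and keep the export/import policy from drifting between families, though I cannot see the rest of either protocol body to confirm nothing else differs. `protocol kernel K6` closes outside the hunk.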