diff --git a/nix/nixos-module/container/upstream.nix b/nix/nixos-module/container/upstream.nix
index 91b509f..814ff00 100644
--- a/nix/nixos-module/container/upstream.nix
+++ b/nix/nixos-module/container/upstream.nix
@@ -15,6 +15,8 @@ let
 else null;
 enabled = firstUpstreamInterface != null;
+
+ inherit (upstreamInterfaces.${firstUpstreamInterface}.upstream) staticIpv4Address;
 in
 {
 systemd.network.networks = {
@@ -56,7 +58,7 @@ in
 enable = true;
 internalInterfaces = [ "core" ];
 externalInterface = firstUpstreamInterface;
- externalIP = upstreamInterfaces.${firstUpstreamInterface}.upstream.staticIpv4Address;
+ externalIP = staticIpv4Address;
 extraCommands = ''
 # Prohibit SMTP except for servers
 iptables -N fwd_smtp
@@ -72,6 +74,16 @@ in
 ip6tables -A fwd_smtp -j REJECT
 ip6tables -I FORWARD -p tcp --dport 25 -j fwd_smtp
+ ${lib.optionalString (staticIpv4Address != null) ''
+ # Allow connections to ${staticIpv4Address} from other hosts behind NAT
+ ${lib.concatMapStrings (fwd: ''
+ iptables -t nat -t nat -A nixos-nat-pre \
+ -d ${staticIpv4Address} -p ${fwd.proto} \
+ --dport ${builtins.toString fwd.sourcePort} \
+ -j DNAT --to-destination ${fwd.destination}
+ '') config.networking.nat.forwardPorts}
+ ''}
+
 # Provide IPv6 upstream for everyone, using NAT66 when not from
 # our static prefixes
 ${lib.concatMapStringsSep "\n" (net: ''
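Review bot: The new `inherit (upstreamInterfaces.${firstUpstreamInterface}.upstream) staticIpv4Address;` binding is keyed by a name that the line above it explicitly allows to be null, and a dynamic attribute path on null fails at evaluation time; the binding is lazy, so it only throws where `staticIpv4Address` is actually forced, but nothing at the binding site says that forcing it is only safe when `enabled` holds. The two later hunks force it in the same places the old inline expression did, so this is not a regression, yet the next maintainer who uses the name outside an `enabled` guard will get an opaque eval error. A one-line comment would make the contract explicit: `# lazy: only safe to force when enabled (firstUpstreamInterface != null)`. The `let` block this binding belongs to starts outside the hunk.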
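Review bot: The DNAT rule in the added `lib.concatMapStrings` block passes `-t nat` twice (`iptables -t nat -t nat -A nixos-nat-pre`); iptables rejects repeated `-t` flags as far as I recall, which would make the whole NAT setup script fail whenever a static IPv4 address is configured together with at least one forwarded port, so the duplicate should go in any case. Beyond the typo, a hairpin DNAT for clients behind the NAT normally needs a matching SNAT on the reply path: when client and forwarded destination sit on the same internal segment, the destination answers the client directly with its own address and the client resets the connection, which is why NixOS's own `networking.nat.forwardPorts.*.loopbackIPs` handling adds both the `nixos-nat-pre` DNAT and a `nixos-nat-post` SNAT; if every forwarded destination is on a different segment from its clients this may not bite, but the rule as written is incomplete for the general case. The sketch below drops the duplicate flag and adds the SNAT, assuming `fwd.destination` is always in `ip:port` form (the `builtins.match` returns null otherwise, so a guard or a clearer error may be wanted). The `extraCommands` string this block lives in starts and ends outside the hunk.
```nix
${lib.optionalString (staticIpv4Address != null) ''
  # Allow connections to ${staticIpv4Address} from other hosts behind NAT
  ${lib.concatMapStrings (fwd:
    let
      # fwd.destination is "ip:port" (or "ip:port-range"); split it for the SNAT match below
      m = builtins.match "([0-9.]+):([0-9-]+)" fwd.destination;
      destIp = builtins.elemAt m 0;
      destPort = builtins.elemAt m 1;
    in ''
    iptables -t nat -A nixos-nat-pre \
      -d ${staticIpv4Address} -p ${fwd.proto} \
      --dport ${builtins.toString fwd.sourcePort} \
      -j DNAT --to-destination ${fwd.destination}
    # Hairpin: rewrite the source so replies return via this host, not directly to the client
    iptables -t nat -A nixos-nat-post \
      -d ${destIp} -p ${fwd.proto} \
      --dport ${destPort} \
      -j SNAT --to-source ${staticIpv4Address}
  '') config.networking.nat.forwardPorts}
''}
```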