diff --git a/config/net/flpk.nix b/config/net/flpk.nix
index 6b7a3c2..c6a5117 100644
--- a/config/net/flpk.nix
+++ b/config/net/flpk.nix
@@ -51,8 +51,10 @@
 };
 };
 bgp = {
- allowedUpstreams = [ "upstream4" "upstream3" "freifunk" ];
 upstreamTable = "vpn_table";
+ allowedUpstreams = [ "upstream4" "upstream3" "freifunk" ];
+ # IPv6 ::/0 via wireguard tunnel
+ allowedUpstreams6 = [];
 peers.${config.site.net.core.subnets6.dn42} = {
 type = "upstream";
 name = "up";
diff --git a/config/net/upstream.nix b/config/net/upstream.nix
index 1541ce5..7c31eb1 100644
--- a/config/net/upstream.nix
+++ b/config/net/upstream.nix
@@ -353,8 +353,10 @@ in
 };
 };
 bgp = {
- allowedUpstreams = [ "upstream3" "upstream4" "freifunk" ];
 upstreamTable = "vpn_table";
+ allowedUpstreams = [ "upstream3" "upstream4" "freifunk" ];
+ # IPv6 ::/0 via wireguard tunnel
+ allowedUpstreams6 = [];
 peers.${config.site.net.core.subnets6.dn42} = {
 asn = config.site.hosts.upstream3.bgp.asn;
 type = "upstream";
diff --git a/nix/nixos-module/container/bird.nix b/nix/nixos-module/container/bird.nix
index bd50912..d27858d 100644
--- a/nix/nixos-module/container/bird.nix
+++ b/nix/nixos-module/container/bird.nix
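Review bot: The comment `# IPv6 ::/0 via wireguard tunnel` in the upstream.nix hunk says where the IPv6 default route comes from but not that this is the reason `allowedUpstreams6` is left empty, and the move of `allowedUpstreams` below `upstreamTable` is unrelated churn that makes the real change harder to see. A comment that states the decision would read better: `# no IPv6 BGP upstreams here: ::/0 is carried over the wireguard tunnel instead`. The identical hunk in flpk.nix has the same wording. The enclosing `bgp = { ... }` attribute set continues past the end of the hunk.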
@@ -166,23 +166,43 @@ in preference = preference + 200; accept; }; - ${lib.optionalString (nets4 != []) '' - export where net ~ [ ${lib.concatMapStringsSep ", " (n: "${n}") nets4} ]; - ''} + export filter { + if net ~ [ ${config.site.net.core.subnet4} ] then { + reject; + } + ${lib.optionalString (nets4 != []) '' + if net ~ [ ${lib.concatMapStringsSep ", " (n: "${n}+") nets4} ] then { + accept; + } + ''} + reject; + }; }; ipv6 { import filter { preference = preference + 200; accept; }; - ${lib.optionalString (nets6 != []) '' - export where net ~ [ ${lib.concatMapStringsSep ", " (n: "${n}") nets6} ]; - ''} + export filter { + if net ~ [ ${lib.concatStringsSep ", " (builtins.attrValues config.site.net.core.subnets6)} ] then { + reject; + } + ${lib.optionalString (nets6 != []) '' + if net ~ [ ${lib.concatMapStringsSep ", " (n: "${n}+") nets6} ] then { + accept; + } + ''} + reject; + }; }; } template bgp bgp_rr_client { local as ${toString hostConf.bgp.asn}; direct; + connect delay time 1; + connect retry time 3; + error wait time 1 5; + error forget time 5; ipv4 { next hop self on; @@ -260,6 +280,10 @@ in local as ${toString hostConf.bgp.asn}; neighbor ${config.site.net.core.hosts6.dn42.${upstream}} as ${toString hostConf.bgp.asn}; direct; + connect delay time 1; + connect retry time 3; + error wait time 1 5; + error forget time 5; ipv4 { ${if (upstream4Order ? ${upstream}) @@ -329,8 +353,7 @@ in ]; }; instance = { - ipv4 = "ZW4_${hostNameEscaped}"; - ipv6 = "ZW6_${hostNameEscaped}"; + ipv4 = "bgp_up"; }; checkService = addressFamily: { description = "Check connectivity for ${addressFamily}"; @@ -369,6 +392,6 @@ in }; in lib.mkIf isUpstream { check-upstream-ipv4 = checkService "ipv4"; - check-upstream-ipv6 = checkService "ipv6"; + #check-upstream-ipv6 = checkService "ipv6"; }; }
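Review bot: The new reject clauses match the core subnets exactly (`if net ~ [ ${config.site.net.core.subnet4} ] then`), while the accept clauses that follow use `+` and therefore admit every more-specific of nets4/nets6; if a core subnet lies inside one of those aggregates, which the hunk does not show, a more-specific of the core range (a host route, say) would slip past the reject and be exported to the peer. The guard should be at least as wide as the permit: `if net ~ [ ${config.site.net.core.subnet4}+ ] then {` and, for IPv6, `if net ~ [ ${lib.concatMapStringsSep ", " (s: "${s}+") (builtins.attrValues config.site.net.core.subnets6)} ] then {`. A one-line comment above each `export filter` stating the intent would also help, e.g. `# never announce core ranges or their more-specifics; only our own aggregates and what lies within them`. The protocol block that holds these ipv4/ipv6 sections starts before the hunk, and the hunk ends inside `template bgp bgp_rr_client`, whose body continues past it.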
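Review bot: The four timer lines added to this upstream `protocol bgp` block repeat verbatim the ones added to `bgp_rr_client` in the previous hunk, so the two sets will drift apart the next time one is tuned; a single Nix string such as `sessionTimers = ''connect delay time 1; connect retry time 3; error wait time 1 5; error forget time 5;'';` interpolated in both places would keep them aligned. `error wait time 1 5` appears to retry a persistently failing upstream every few seconds, which is aggressive for an external session; a comment saying why fast recovery is wanted here, e.g. `# short backoff: upstream sessions must come back quickly after a tunnel flap`, would make the choice reviewable. The `protocol bgp` block these lines sit in starts before the hunk and continues after it.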
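Review bot: The IPv6 connectivity check is commented out (`#check-upstream-ipv6 = checkService "ipv6";`) rather than removed or replaced, so loss of the IPv6 default path, which the config hunks say is now carried by the wireguard tunnel, is no longer detected on upstream hosts, and the dead line gives no hint whether that is deliberate. Either delete the line and record the decision in a comment, `# no IPv6 BGP upstream (::/0 comes via the wireguard tunnel), so only the ipv4 check is enabled`, or keep an IPv6 check that exercises the tunnel path instead of the removed `instance.ipv6`. The `lib.mkIf isUpstream { ... }` set is fully inside the hunk, but the `let` it closes starts earlier in the file.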