diff --git a/hosts/phoenix.lewd.wtf/networking.nix b/hosts/phoenix.lewd.wtf/networking.nix
index 85c62fa..553c687 100644
--- a/hosts/phoenix.lewd.wtf/networking.nix
+++ b/hosts/phoenix.lewd.wtf/networking.nix
@@ -20,13 +20,6 @@
 networking.defaultGateway = "192.168.0.1";
 networking.nameservers = [ "192.168.0.1" ];
- networking.nat = {
- enable = true;
- internalInterfaces = ["ve-+"];
- externalInterface = "wg0";
- enableIPv6 = true;
- };
-
 networking.firewall.enable = false;
 networking.wireguard.interfaces = {
@@ -44,6 +37,26 @@
 persistentKeepalive = 25;
 }
 ];
+ postSetup = [
+ # Force traffic from container networks through wg0
+ "ip route add table 2 default dev wg0"
+ "ip rule add from 192.168.100.0/24 table 2"
+ "ip rule add from 192.168.5.0/24 table 2"
+ # NAT
+ "iptables -I POSTROUTING -t nat -o wg0 -j MASQUERADE"
+ # Port forwarding
+ "iptables -A PREROUTING -t nat -p tcp -i wg0 --dport 51506 -j DNAT --to-destination 192.168.100.11:51506"
+ ];
+ postShutdown = [
+ # Force traffic from container networks through wg0
+ "ip rule del from 192.168.100.0/24 table 2"
+ "ip rule del from 192.168.5.0/24 table 2"
+ "ip route del table 2 default dev wg0"
+ # NAT
+ "iptables -D POSTROUTING -t nat -o wg0 -j MASQUERADE"
+ # Port forwarding
+ "iptables -D PREROUTING -t nat -p tcp -i wg0 --dport 51506 -j DNAT --to-destination 192.168.100.11:51506"
+ ];
 };
 };
}
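Review bot: The `ip rule add from 192.168.100.0/24 table 2` and `192.168.5.0/24` rules in postSetup only pin container traffic to wg0 while table 2 holds a route; if the `default dev wg0` route disappears (interface down or torn down before postShutdown runs), the table-2 lookup fails, rule processing falls through to the main table, and container traffic leaves via the 192.168.0.1 gateway instead. If the wg0-only path is meant as a kill switch, add a lower-priority fallback in postSetup, `"ip route add unreachable default metric 100 table 2"`, with the matching `"ip route del unreachable default metric 100 table 2"` in postShutdown. Two narrower points: these rules are IPv4-only, so any IPv6 the containers have is no longer steered at all now that the `enableIPv6 = true` NAT block removed in the first hunk is gone, and `iptables -I POSTROUTING -t nat -o wg0 -j MASQUERADE` is broader than the removed `internalInterfaces = ["ve-+"]` scoping (a `-s 192.168.100.0/24` / `-s 192.168.5.0/24` match would keep it equivalent). It is also worth confirming that IPv4 forwarding is still enabled elsewhere, since the removed networking.nat block was presumably what turned it on; the enclosing wireguard interface definition begins before this hunk.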