diff --git a/hosts/fw.cloonar.com/modules/firewall.nix b/hosts/fw.cloonar.com/modules/firewall.nix
index 9ae0c4c..628e76f 100644
--- a/hosts/fw.cloonar.com/modules/firewall.nix
+++ b/hosts/fw.cloonar.com/modules/firewall.nix
@@ -130,9 +130,6 @@
         }
 
         table ip nat {
-          chain post {
-            iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces"
-          }
           chain prerouting {
             type nat hook prerouting priority filter; policy accept;
           }
@@ -141,6 +138,7 @@
           chain postrouting {
             type nat hook postrouting priority filter; policy accept;
             oifname { "wan", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
+            iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces"
           }
         }
       '';