diff --git a/roles/dch-gw/templates/forward.nft.j2 b/roles/dch-gw/templates/forward.nft.j2
index 792864e..ef49d78 100644
--- a/roles/dch-gw/templates/forward.nft.j2
+++ b/roles/dch-gw/templates/forward.nft.j2
@@ -16,7 +16,6 @@ table inet filter {
         iif != {{ internet_iface }} oifname {{ dch_networks.guest.router_iface }} drop
         iif != {{ internet_iface }} oif != {{ internet_iface }} counter accept
         ip daddr @firemon counter accept
-        mark 323 counter accept
         tcp dport smtp counter reject with icmpx type host-unreachable
         oif {{ internet_iface }} accept
     }
diff --git a/roles/dch-gw/templates/port-forwards.nft.j2 b/roles/dch-gw/templates/port-forwards.nft.j2
index afc0ff3..58ee61c 100644
--- a/roles/dch-gw/templates/port-forwards.nft.j2
+++ b/roles/dch-gw/templates/port-forwards.nft.j2
@@ -33,13 +33,21 @@ table ip nat {
     }
 
     chain prerouting {
-        ip daddr $outside_address meta mark set 323 dnat tcp dport map @tcp_forward
-        ip daddr $outside_address meta mark set 323 dnat udp dport map @udp_forward
+        ip daddr $outside_address dnat tcp dport map @tcp_forward
+        ip daddr $outside_address dnat udp dport map @udp_forward
     }
 
     chain postrouting {
 {% for item in nat_port_forwards %}
-        ip saddr @inside_networks ip daddr {{ item.destination }} {{ item.protocol|d('tcp') }} dport {{ item.port }} meta mark set 323 masquerade
+        ip saddr @inside_networks ip daddr {{ item.destination }} {{ item.protocol|d('tcp') }} dport {{ item.port }} masquerade
+{% endfor %}
+    }
+}
+
+table inet filter {
+    chain forward {
+{% for item in nat_port_forwards %}
+        ip daddr {{ item.destination }} {{ item.protocol|d('tcp') }} dport {{ item.port }} counter accept
 {% endfor %}
     }
 }
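Review bot: The new `forward` accept rules in port-forwards.nft.j2 match only on destination address and port, so they admit any packet that reaches the forward chain for that destination:port, not just packets that were actually DNAT'd by the `prerouting` map entries; the removed `mark 323` rule only matched traffic that had passed through those DNAT rules. Tying the accept to conntrack's NAT status restores that narrowing without the mark, e.g. `ct status dnat ip daddr {{ item.destination }} {{ item.protocol|d('tcp') }} dport {{ item.port }} counter accept`. Because these rules now live in a second `table inet filter { chain forward { ... } }` declaration rather than in forward.nft.j2, their position relative to that file's `tcp dport smtp counter reject with icmpx type host-unreachable` line depends on the order in which the two templates are loaded, which is not visible here; a forwarded port 25 that the old mark rule accepted before the SMTP reject may now be rejected if this file is appended after it, so the intended precedence should be stated in a comment on the new chain. The base `forward` chain's hook and policy are outside this diff, so whether these appended accepts sit before a final drop cannot be confirmed from the hunk.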