diff --git a/group_vars/dch-gw/dch-network.yml b/group_vars/dch-gw/dch-network.yml
index 4c3da5c..877fc62 100644
--- a/group_vars/dch-gw/dch-network.yml
+++ b/group_vars/dch-gw/dch-network.yml
@@ -74,12 +74,6 @@ nat_port_forwards:
 - protocol: udp
 port: 16881-16999
 destination: 172.31.0.5
-- protocol: udp
- port: isakmp
- destination: 172.31.0.2
-- protocol: udp
- port: ipsec-nat-t
- destination: 172.31.0.2
 allow_incoming:
diff --git a/host_vars/gw0/network.yml b/host_vars/gw0/network.yml
index 1418b81..9327b52 100644
--- a/host_vars/gw0/network.yml
+++ b/host_vars/gw0/network.yml
@@ -31,16 +31,6 @@ network:
 addr: 172.31.0.1
 prefix: 27
 addr6: fd99:8cd7:6528::1
- routes:
- - prefix: 172.31.0.64/28
- nexthop:
- - address: 172.31.0.2
- - prefix: 192.168.0.0/16
- nexthop:
- - address: 172.31.0.2
- - prefix: 172.28.33.0/24
- nexthop:
- - address: 172.31.0.2
 - ifname: vlan100
 enabled: true
 vlan_id: 100
diff --git a/roles/dch-gw/templates/forward.nft.j2 b/roles/dch-gw/templates/forward.nft.j2
index ef49d78..c5f386e 100644
--- a/roles/dch-gw/templates/forward.nft.j2
+++ b/roles/dch-gw/templates/forward.nft.j2
@@ -1,9 +1,10 @@
 {#- vim: set sw=4 ts=4 sts=4 et : #}
 table inet filter {
- set firemon {
+ set vpn_subnets {
 type ipv4_addr
 flags interval
 elements = {
+ 172.31.0.64/28,
 {% for prefix in firemon_networks %}
 {{ prefix }},
 {% endfor %}
@@ -15,7 +16,8 @@ table inet filter {
 iifname {{ dch_networks.guest.router_iface }} oif != {{ internet_iface }} drop
 iif != {{ internet_iface }} oifname {{ dch_networks.guest.router_iface }} drop
 iif != {{ internet_iface }} oif != {{ internet_iface }} counter accept
- ip daddr @firemon counter accept
+ iif {{ internet_iface }} ip saddr @vpn_subnets counter accept
+ iif != {{ internet_iface }} ip daddr @vpn_subnets counter accept
 tcp dport smtp counter reject with icmpx type host-unreachable
 oif {{ internet_iface }} accept
 }
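Review bot: The literal `172.31.0.64/28` added to the `vpn_subnets` set is hard-coded in the template, and the same literal is repeated in the new set in masquerade.nft.j2; the two sets have to stay identical or tunnel-bound traffic gets masqueraded while forward still accepts it (or the reverse). Moving the prefix into the inventory, either as another element of `firemon_networks` or as a dedicated list both templates iterate, leaves one source of truth — it is the same prefix whose static route via 172.31.0.2 is removed in host_vars/gw0/network.yml, so the inventory already knows about it. The set was also renamed to `vpn_subnets` while the loop still reads `firemon_networks`; a header comment such as `# networks reachable only through the gateway's IPsec tunnel` would make that relationship explicit for the next reader.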
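Review bot: The new rule `iif {{ internet_iface }} ip saddr @vpn_subnets counter accept` forwards any packet that arrives on the internet interface with a source address inside the tunnel's private ranges, so keeping non-tunnel packets with such a source out of the internal networks now rests entirely on upstream filtering and on the kernel's reverse-path check rather than on this ruleset. If this is policy-based IPsec, where decrypted packets reappear on the interface the ESP arrived on (which seems to be why the rule exists), the match should be tied to the decapsulation itself: `iif {{ internet_iface }} meta ipsec exists ip saddr @vpn_subnets counter accept`, or `ipsec in` with the SA's reqid — both need nftables/kernel support for the ipsec expression, so confirm on the gateway before relying on it. Following it with an explicit `iif {{ internet_iface }} ip saddr @vpn_subnets counter drop` (or documenting that strict `rp_filter` is enabled on the uplink) would make the anti-spoofing property visible in the ruleset instead of implicit. The enclosing chain starts before this hunk.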
diff --git a/roles/dch-gw/templates/incoming.nft.j2 b/roles/dch-gw/templates/incoming.nft.j2
index e175bdc..eb036a6 100644
--- a/roles/dch-gw/templates/incoming.nft.j2
+++ b/roles/dch-gw/templates/incoming.nft.j2
@@ -24,8 +24,9 @@ table inet filter {
 ct state established,related accept
 iif lo accept
 ip6 nexthdr ipv6-icmp accept
- ip protocol icmp accept
+ ip protocol { icmp, esp } accept
 udp sport dhcpv6-server counter accept
+ udp dport { isakmp, ipsec-nat-t } ct state new counter accept
 iif != {{ internet_iface }} tcp dport @allow_tcp_in ct state new counter accept
 iif != {{ internet_iface }} udp dport @allow_udp_in ct state new counter accept
 iif {{ internet_iface }} drop
diff --git a/roles/dch-gw/templates/masquerade.nft.j2 b/roles/dch-gw/templates/masquerade.nft.j2
index 082f787..2354d42 100644
--- a/roles/dch-gw/templates/masquerade.nft.j2
+++ b/roles/dch-gw/templates/masquerade.nft.j2
@@ -1,5 +1,17 @@
 table ip nat {
+ set vpn_subnets {
+ type ipv4_addr
+ flags interval
+ elements = {
+ 172.31.0.64/28,
+{% for prefix in firemon_networks %}
+ {{ prefix }},
+{% endfor %}
+ }
+ }
+
 chain postrouting {
+ ip daddr @vpn_subnets counter accept
 oif {{ ansible_default_ipv4.interface }} masquerade
 }
 }
diff --git a/roles/dch-gw/templates/outgoing.nft.j2 b/roles/dch-gw/templates/outgoing.nft.j2
index 67c14fe..e1c6bdf 100644
--- a/roles/dch-gw/templates/outgoing.nft.j2
+++ b/roles/dch-gw/templates/outgoing.nft.j2
@@ -24,7 +24,7 @@ table inet filter {
 ct state established,related accept
 oif lo accept
 ip6 nexthdr ipv6-icmp accept
- ip protocol icmp accept
+ ip protocol { icmp, esp } accept
 tcp dport @allow_tcp_out ct state new counter accept
 udp dport @allow_udp_out ct state new counter accept
 }
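Review bot: The added `udp dport { isakmp, ipsec-nat-t } ct state new counter accept` opens the IKE responder on every interface to any source with no rate limit, a wider exposure than the single-host port forwards this change removes from group_vars/dch-gw/dch-network.yml. If the tunnel peer only ever arrives over the uplink, scoping the rule with `iif {{ internet_iface }}` (and `ip saddr <peer-address>` when the remote endpoint is static) keeps IKE off the internal VLANs, and an nft `limit rate` on it bounds the work unauthenticated initiators can cause. Note also that `ip protocol { icmp, esp }` in this `inet` table matches IPv4 only, so ESP from an IPv6 peer would fall through to the later `iif {{ internet_iface }} drop`; if that is intended it deserves a comment, otherwise `meta l4proto esp` covers both families — the same applies to the identical rule in outgoing.nft.j2. The chain's header is outside this hunk.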