diff --git a/ops/nixos/blade-tuvok/default.nix b/ops/nixos/blade-tuvok/default.nix
index c4d0395eae..365a062a23 100644
--- a/ops/nixos/blade-tuvok/default.nix
+++ b/ops/nixos/blade-tuvok/default.nix
@@ -38,6 +38,9 @@ in {
ip netns exec wg-endpoint sysctl net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1 net.ipv6.conf.default.forwarding=1
)
'';
+ nat.extraCommands = ''
+ iptables -w -t nat -A nixos-nat-post -m mark --mark 0x1 -o vl-linx -j SNAT --to-source 92.118.28.1
+ '';
};
my.ip.tailscale = "100.119.123.33";
my.blade.bay = 6;
@@ -225,4 +228,5 @@ in {
route 2a09:a443::/32 via 2a09:a441::f00f;
'';
};
+
}
diff --git a/ops/nixos/lib/blade.nix b/ops/nixos/lib/blade.nix
index 12f5bdcb03..bf01efcedf 100644
--- a/ops/nixos/lib/blade.nix
+++ b/ops/nixos/lib/blade.nix
@@ -114,6 +114,11 @@ in {
firewall.interfaces.en-storage.allowedTCPPorts = lib.mkIf config.services.ceph.enable [ 6789 3300 ];
firewall.interfaces.en-storage.allowedTCPPortRanges = lib.mkIf config.services.ceph.enable [{ from = 6800; to = 7300; }];
+ firewall.extraCommands = ''
+ iptables -A nixos-fw -i en-storage -s 10.100.2.0/23 -j ACCEPT
+ iptables -A nixos-fw -i br-mgmt -s 10.100.0.0/23 -j ACCEPT
+ '';
+ nat = lib.optionalAttrs (config.my.blade.macAddress.internet != null) {
enable = true;
internalInterfaces = [ "br-mgmt" ];
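Review bot: The SNAT rule added in `nat.extraCommands` of blade-tuvok/default.nix matches `-m mark --mark 0x1` with no mask, so it fires only when the packet's entire fwmark equals 0x1; nothing in this hunk shows where that mark is set, and if any other component on the host also writes fwmark bits, marked packets would skip the SNAT and leave `vl-linx` with their unrewritten source address. If 0x1 is meant as a flag bit rather than an exact value, `--mark 0x1/0x1` matches it regardless of other bits. Either way the rule deserves a comment naming the rule that sets the mark, e.g. `# SNAT traffic marked 0x1 (set in <MARK-SETTING-RULE>) when it leaves via vl-linx`. The attribute set this line belongs to opens outside the hunk.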