diff --git a/flake.nix b/flake.nix
index cbf2947..b28f6b1 100644
--- a/flake.nix
+++ b/flake.nix
@@ -789,7 +789,7 @@
 selfIp6 = "2001:db8:20::27";
 macAddress = "02:ff:ce:a9:d3:74";
 keyFile = "whitestormKeyFile";
- primaryIp = "192.168.20.26";
+ # primaryIp = "192.168.20.26";
 };
 build2 = makeBuildConfig system {
diff --git a/modules/k3s/default.nix b/modules/k3s/default.nix
index 0a4c1f7..6fc99d1 100644
--- a/modules/k3s/default.nix
+++ b/modules/k3s/default.nix
@@ -16,7 +16,7 @@
 services.k3s = {
 inherit enable;
 environmentFile = config.sops.secrets.k3s_env.path;
- extraFlags = "--disable traefik --disable servicelb";
+ extraFlags = "--disable traefik --disable servicelb --cluster-cidr=10.42.0.0/16,2001:cafe:42::/56 --service-cidr=10.43.0.0/16,2001:cafe:43::/112";
 role = "server";
 };
 };
diff --git a/modules/router/default.nix b/modules/router/default.nix
index dbf064e..8fdea14 100644
--- a/modules/router/default.nix
+++ b/modules/router/default.nix
@@ -164,9 +164,14 @@ in
 define WIFI=${wifi}
 define HTTP_HOST=192.168.20.200
+ define HTTP_HOST_V6=2001:db8:20::200
+ define FORGEJO_HOST=192.168.20.201
+ define FORGEJO_HOST_V6=2001:db8:20::201
 define FORGEJO_SSH_PORT=2222
+ define DRAWPILE_HOST=192.168.20.202
+ define DRAWPILE_HOST_V6=2001:db8:20::202
 define DRAWPILE_TCP_PORT=27750
 table inet filter {
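Review bot: Commenting out `primaryIp` instead of deleting the line leaves dead configuration in flake.nix; git history already preserves the old value, so either remove the line outright or, if it is kept on purpose, say why in the comment, e.g. `# primaryIp intentionally unset: <reason>`. The attribute is now absent from the set rather than set to null, so any consumer that reads `.primaryIp` unconditionally will fail at evaluation time; the enclosing attribute set and `makeBuildConfig` begin outside this hunk, so that could not be checked here.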
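Review bot: The new `extraFlags` value switches an existing single-stack cluster to dual-stack by changing `--cluster-cidr` and `--service-cidr`; k3s documents that dual-stack has to be configured when the cluster is first created and cannot be enabled on a running single-stack cluster, so if this cluster already exists the new ranges may be rejected or silently unused — confirm whether a cluster reset is part of this rollout. The IPv6 ranges `2001:cafe:42::/56` and `2001:cafe:43::/112` appear to be the literal values from the k3s documentation example rather than a block under this site's own prefix (the page uses `2001:db8:20::`); pod and service addresses in a globally-scoped prefix you do not control depend entirely on masquerading never being bypassed, so a ULA range or a block from your own allocation would be safer. Stylistically the flag string is now long enough to read as a list, e.g. `extraFlags = lib.concatStringsSep " " [ "--disable traefik" "--disable servicelb" "--cluster-cidr=10.42.0.0/16,2001:cafe:42::/56" "--service-cidr=10.43.0.0/16,2001:cafe:43::/112" ];` (only if `lib` is in scope, which the hunk does not show).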
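Review bot: The new `define FORGEJO_HOST=192.168.20.201` and `define DRAWPILE_HOST=192.168.20.202` lines may duplicate existing definitions: the removed bridge_in rules in the following hunk already reference `$FORGEJO_HOST` and `$DRAWPILE_HOST`, so the old ruleset must define those symbols somewhere, and no hunk in this diff removes that definition. nft rejects a second plain `define` of a symbol that is already bound in the same scope, which would make the whole ruleset fail to load on the next rebuild; either delete the old definitions or, if an override is intended, use `redefine`. It is possible the old definitions live in a scope this diff does not show, so confirm with `nft -c -f` against the generated file before deploying.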
@@ -207,9 +212,14 @@ in
 }
 chain bridge_in {
- ip daddr $HTTP_HOST tcp dport { 80, 443 } ct state new accept comment "Allow HTTP/S to http host"
- ip daddr $FORGEJO_HOST tcp dport $FORGEJO_SSH_PORT ct state new accept comment "Allow ssh to forgejo"
- ip daddr $DRAWPILE_HOST tcp dport $DRAWPILE_TCP_PORT ct state new accept comment "Allow drawpile traffic to drawpile"
+ tcp dport { 80, 443 } ip daddr $HTTP_HOST ct state new accept comment "Allow HTTP/S to http host"
+ tcp dport { 80, 443 } ip6 daddr $HTTP_HOST_V6 ct state new accept comment "Allow HTTP/S to http host"
+
+ tcp dport $FORGEJO_SSH_PORT ip daddr $FORGEJO_HOST ct state new accept comment "Allow ssh to forgejo"
+ tcp dport $FORGEJO_SSH_PORT ip6 daddr $FORGEJO_HOST_V6 ct state new accept comment "Allow ssh to forgejo"
+
+ tcp dport $DRAWPILE_TCP_PORT ip daddr $DRAWPILE_HOST ct state new accept comment "Allow drawpile traffic to drawpile"
+ tcp dport $DRAWPILE_TCP_PORT ip6 daddr $DRAWPILE_HOST_V6 ct state new accept comment "Allow drawpile traffic to drawpile"
 }
 chain bridge_out {
 accept
@@ -306,6 +316,9 @@ in
 table ip6 nat {
 chain prerouting {
 type nat hook prerouting priority -100; policy accept;
+ fib daddr type local tcp dport { 80, 443 } dnat to $HTTP_HOST_V6
+ fib daddr type local tcp dport 22 dnat to $FORGEJO_HOST_V6:$FORGEJO_SSH_PORT
+ fib daddr type local tcp dport $DRAWPILE_TCP_PORT dnat to $DRAWPILE_HOST_V6
 }
 chain postrouting {
diff --git a/secrets/k3s.yaml b/secrets/k3s.yaml
index 753466b..f481df3 100644
--- a/secrets/k3s.yaml
+++ b/secrets/k3s.yaml
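Review bot: The IPv4 and IPv6 variants of each bridge_in rule carry the identical `comment` string, so `nft list ruleset` and counters will no longer tell a reader which family a rule matched; give the ip6 lines their own text, e.g. `comment "Allow HTTP/S to http host (v6)"`. Worth a one-line comment above the chain as well, since with the v6 rules the hosts become reachable at their own global addresses rather than only through the router's DNAT — presumably the intent, but the chain itself does not say so.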
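Review bot: The three `dnat` rules match `fib daddr type local` with no incoming-interface qualifier, so they rewrite any connection to any of the router's own IPv6 addresses — bridge-side and link-local included — and on IPv6 tcp/22 to the router itself now always lands on forgejo. If that mirrors the existing IPv4 nat table (outside this diff) it is fine, but an `iifname <UPSTREAM-IF>` match would confine the redirect to traffic that actually arrives from upstream and keep an administrative SSH path to the router from the LAN. The rules also carry no `comment`, unlike the bridge_in rules, and the second one hard-codes `22` where the others use a defined symbol; a `define` for the public SSH port plus a comment on each rule would match the surrounding style.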
@@ -1,4 +1,4 @@
-k3s_token: ENC[AES256_GCM,data:zbRNNqY95zovQ9IMlpUHPYRoyKL56WsmJQf9mmAqegsT+j3OJhRf0IMAv3k2xZsnvkKKcNaiJomLb/filK1Lg4GMrXoA5eQ83K3B0kP9v3zw1Nvs4ySWHmP/vfENeU0v/FuyHWNCtEeBEm8E,iv:6y2hfaxL3VV/HTlOxNc29RTHHfErXD5PMzfuRc/EtQk=,tag:+Pi1u5sKZSYsAOBUUcOlpg==,type:str]
+k3s_token: ENC[AES256_GCM,data:tQuF03fY+qw62/09w63qMDQ5OfRvmh/j5pQMsfahDEHOxaFHIULo74LTHlVMeDkxTJ9IclnCXHLCa8i/TcvHlKARG1NC4BdxZSJ5oEukefN8HNXwnIc93ZyUm0JJvtSqp7PdFAWWNDQj4tDl,iv:G2OqDwYYxrbtFsOfsUB9I9GKw0qMzbFR3+7eYlN+wNI=,tag:2qQnqM6gRBa09b5FzZ9xtw==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -23,8 +23,8 @@ sops:
 NHVtWEdPZjVFdFF0UG4xNEtoU1lBckkKj6Fx2o17lrER5SAIJcqLSlcOmz/qufyE
 P3l8RCxKtzsGoihsGME1jROMiq2hsWe5uFA7vUiOggqzWV9M9mywBQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-01-27T22:50:42Z"
- mac: ENC[AES256_GCM,data:NdTWBlMadq2Znz09J5nbELWKWkDW7wRGE3nZiJmIiWQsTWS000mqSJSg7QdZ75bOWx+jJrLEKHUg7DNrvRzrocUYCcuq6Gc4poGw5wD+CRFo7B3KEVg1q+LP5NnYLWaqOg0NrcXm68hAY4/kbhrtzAdKDSfZaewooLI4hzqjlqE=,iv:3cXHe6An9LTKGznxYru6v3mhR4XvmhKsLOVF278FVgc=,tag:67BDFWppZ/7GizWNU2/Reg==,type:str]
+ lastmodified: "2024-07-04T22:54:44Z"
+ mac: ENC[AES256_GCM,data:mvoYlmiuq4m03m5shdFvM6k36uASZeEXxDXaOLlksBfDAktXGwaFm1sZS2zSbJXIodd2Ln1wfFlKNNLQQu+VKmAQPtUTXoCAzjJu1e0ds3XpdXD7J+dWdEkkgU9MN0f783wBixB2Qm/wJcLwZu+nNbRg9OaFXR7KyS5Qgdtz9Qg=,iv:f3b6vTqddwYJXDKaNZP9e35571u+rU78JtcCXlEITO8=,tag:fsNASW6tiJWhlCln3C5Sdw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
- version: 3.7.3
+ version: 3.8.1
diff --git a/secrets/k3s_env.bin b/secrets/k3s_env.bin
index 82fa2b0..a25babf 100644
--- a/secrets/k3s_env.bin
+++ b/secrets/k3s_env.bin
@@ -1,5 +1,5 @@
 {
- "data": "ENC[AES256_GCM,data:rxMCpdVseLWrSaSu11GlQ7enf2MYOmcmvXgrLqmeYtmgkf2C36fHxpycErh03alnbVH2GHMZGAtGKewbQ5bsljULbB0ASHQgMu2EaaSY5JK6wxu+HSv/+o3522kzChRpl197ohZRZmiF99O2ze6WAECnpG76D3+0BrvVZ1p0ZWIwG4QSLmfAOErcm+qeyQ==,iv:5Otnin3EnkLBDDJ+NnUTYcudJvoC7XHIs5HUybs0m0A=,tag:aaZ+x6v1Oi2L0oOxda4EUQ==,type:str]",
+ "data": "ENC[AES256_GCM,data:B2ggkSHOdi9nKbfkMlBYEMG+sQTnM+Z82Ibb83gXMyMAf7QZq57QLvWf4xKS0R+KA9Mq1CUOzkgpWqopxM8XzkmIbA7tOMfD+2BwQ9HcGc1HeI+nAE23a7IN9AqZ0UJ5hJp/Pu+oTAa2Qm+Ol+CgwTfCdmHKb46fs3CRaWvGZYM8G9OaEnIaioGLXG6OsA==,iv:r17jcY1J0can8ctGOkJI0vL7hfuwrlDmVVcgfMpDZAU=,tag:quj7yYTri2x0Pi/Vun2unA==,type:str]",
 "sops": {
 "kms": null,
 "gcp_kms": null,
@@ -15,8 +15,8 @@
 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBN2RlVXh0cHN0RjVtcHds\nTWxleGZpZHk0Sjl3L3NLSHA0NW1za3dLQlRVCjRCdXJiTjBJb1RoRlZqbUsrUWZE\neXgwRzg4clAyRUxWK1pPU3Z3Znpkb0UKLS0tIHd1Zy9yLysyWnJpNXg3a1FQYURN\nT1FnWXF0QmdGN0NvVm0yM2gzNHRCdm8K993lhwndBDaFKlpCOi5WSdIsTMvhoi83\n5eyiQYjhfILeJWIIzDHOMHcNqE6plei+bhFRY23dZft8IxQWcAQfOg==\n-----END AGE ENCRYPTED FILE-----\n"
 }
 ],
- "lastmodified": "2024-01-31T04:13:39Z",
- "mac": "ENC[AES256_GCM,data:7LZcJloXoV+2xHrZVvHJzMHbiHQbo1ughT2TquvhbHMkP8XMSy97pig4soU+noR7cz6MkV+bOlvieGdgkjCEjkF/PZrZHIleKKJYKou6GzRyWddSts+xTVYvWSryrppKgB/pLZi/Ob8XwoWpyrMu3SltcEA8WRNjRCG7DkkshC0=,iv:+IucoD5OyEFq+NG5bAEOTQyfiL+ndiX2Y/tVurlRHJA=,tag:CbwOv47neJTgQ04HUCN/DQ==,type:str]",
+ "lastmodified": "2024-07-04T22:41:50Z",
+ "mac": "ENC[AES256_GCM,data:QRJ30qsa8oyNYoQJxOdZPpkU/4ULFD2du8sYDKEBdLWssbSuG49h73qSGWGiFCaBNDQiLlR0ZCTZ9de0iogcAf2DGqTLJGDEqZCRVHKc+i07glDCgzNoqz8W0ktSUYA5qgq6wnsrcSMSuSkLGYn+V55BsNxQ0fUY/DSrYSho7IA=,iv:Fuid015VEe3phejWsoKEayQSbxjRQGfD5eKoFNRjXQY=,tag:cN9x9a/HS9sn2/O/nFxxQA==,type:str]",
 "pgp": null,
 "unencrypted_suffix": "_unencrypted",
 "version": "3.8.1"