diff --git a/nixos/boxes/colony/vms/estuary/default.nix b/nixos/boxes/colony/vms/estuary/default.nix
index a85236e..ab055ac 100644
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@@ -384,14 +384,13 @@ in
                     }
 
                     chain forward {
-                      iifname wan oifname base jump filter-routing
-                      iifname ixps oifname base jump filter-routing
-                      oifname ixps jump ixp
+                      iifname { wan, $ixps } oifname base jump filter-routing
+                      oifname $ixps jump ixp
                       oifname as211024 accept
                     }
                     chain output {
                       oifname ifog ether type != vlan reject
-                      oifname ixps jump ixp
+                      oifname $ixps jump ixp
                     }
                   }
                   table inet nat {