diff --git a/systems/LoutreOS/network.nix b/systems/LoutreOS/network.nix
index 9dec1e7..e65303b 100644
--- a/systems/LoutreOS/network.nix
+++ b/systems/LoutreOS/network.nix
@@ -52,18 +52,6 @@ enp0s21u1.useDHCP = true; };
- # NAT bouygues <-> eno2
- nat = {
- enable = true;
- externalInterface = "bouygues";
- internalIPs = [ "10.30.0.0/16" ];
- internalInterfaces = [ "eno2" ];
- forwardPorts = [
- { destination = "10.30.0.1:22"; proto = "tcp"; sourcePort = 8443;}
- { destination = "10.30.135.35:25565"; proto = "tcp"; sourcePort = 25565; loopbackIPs=[ "195.36.180.44" ];}
- ];
- };
-
 firewall = { enable = true; allowedTCPPorts = [ 80 443 ];
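Review bot: Dropping the `nat` block also drops its two `forwardPorts` entries (WAN 8443 → 10.30.0.1:22 and 25565 → 10.30.135.35:25565, the latter hairpinned through `loopbackIPs`) and the explicit `internalIPs = [ "10.30.0.0/16" ]` masquerade scope, and nothing else in this patch recreates them — the `IPMasquerade = "ipv4"` added in the last hunk only masquerades and has no port-forward option. If the forwards are still wanted they need `iptables -w -t nat -A PREROUTING -i bouygues -p tcp --dport 8443 -j DNAT --to 10.30.0.1:22`-style rules in `firewall.extraCommands` (using the delete-then-append pattern the file already follows); if exposing SSH on 8443 is being retired on purpose, a one-line comment next to `firewall = {` such as `# NAT moved to systemd-networkd IPMasquerade; old 8443/25565 port forwards intentionally removed` would stop the next reader from hunting for them. As far as I recall the NixOS NAT module was also what switched on IPv4 forwarding via sysctl, so forwarding now depends on what networkd enables per link — worth confirming wg0→LAN traffic still forwards if that is relied on. The enclosing `networking` attribute set starts outside this hunk.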
@@ -84,21 +72,59 @@ }; extraCommands = '' + + ################ + # MANGLE rules # + ################ + + # Clean and recreate target + ip46tables -w -t mangle -D PREROUTING -j loutreos-mangle-pre 2>/dev/null || true + ip46tables -w -t mangle -F loutreos-mangle-pre 2>/dev/null || true + ip46tables -w -t mangle -X loutreos-mangle-pre 2>/dev/null || true + ip46tables -w -t mangle -N loutreos-mangle-pre + + # Restore the packet's CONNMARK to the MARK for existing connections + ip46tables -w -t mangle -A loutreos-mangle-pre -j CONNMARK --restore-mark + + # If packet MARK is set, then it means that there is already a connection mark + ip46tables -w -t mangle -A loutreos-mangle-pre -m mark ! --mark 0 -j ACCEPT + + # Else, we need to mark the packet. + # If the packet is incoming on bouygues then set MARK to 1, LTE MARK 2 and VPN MARK 3 + ip46tables -w -t mangle -A loutreos-mangle-pre -i bouygues -j MARK --set-mark 1 + ip46tables -w -t mangle -A loutreos-mangle-pre -i enp0s21u1 -j MARK --set-mark 2 + ip46tables -w -t mangle -A loutreos-mangle-pre -i wg0 -j MARK --set-mark 3 + + # Jump to newly created target + ip46tables -w -t mangle -A PREROUTING -j loutreos-mangle-pre + + # Save MARK to CONNMARK. 
+ ip46tables -w -t mangle -D POSTROUTING -j CONNMARK --save-mark 2>/dev/null || true + ip46tables -w -t mangle -A POSTROUTING -j CONNMARK --save-mark + + ###################### + # IPv6 FORWARD rules # + ###################### + # Forward all IPv6 traffic from local network and reject incoming traffic ip6tables -w -D FORWARD -j loutreos-forward 2>/dev/null || true ip6tables -w -F loutreos-forward 2>/dev/null || true ip6tables -w -X loutreos-forward 2>/dev/null || true ip6tables -w -N loutreos-forward - ip6tables -A loutreos-forward -m state --state RELATED,ESTABLISHED -j ACCEPT - ip6tables -A loutreos-forward -j ACCEPT -i eno2 - ip6tables -A loutreos-forward -j nixos-fw-log-refuse + ip6tables -w -A loutreos-forward -m state --state RELATED,ESTABLISHED -j ACCEPT + ip6tables -w -A loutreos-forward -j ACCEPT -i eno2 + ip6tables -w -A loutreos-forward -j nixos-fw-log-refuse ip6tables -w -A FORWARD -j loutreos-forward + ############################################# + # Enable server access when fiber link down # + ############################################# + # Redirect local network request from server external IP to internal IP - # Make the server available even without internet access iptables -t nat -D PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1 || true iptables -t nat -A PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1 ''; + # remove refs to nixos-fw-log-refuse before restarting firewall # prevents "ressource busy" errors extraStopCommands = '' 
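Review bot: The two `iptables -t nat ... -j DNAT --to 10.30.0.1` lines at the end of the hunk are the only rules in `extraCommands` without `-w`, even though this same hunk adds `-w` to the neighbouring ip6tables lines, and their `-D ... || true` has no `2>/dev/null`, so iptables prints an error on every start where the rule does not exist yet; make them `iptables -w -t nat -D PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1 2>/dev/null || true` and `iptables -w -t nat -A PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1`. The `CONNMARK --save-mark` appended to mangle POSTROUTING is unconditional and mask-less, so a fwmark that anything else puts on locally generated packets (a WireGuard `FirewallMark=` on wg0, if one is configured) would be persisted into conntrack and then restored by `loutreos-mangle-pre` on the replies, where it skips the per-interface marking; if that can happen here, confine both the save and the restore to a dedicated bit range with `--nfmask 0x3 --ctmask 0x3`, and document the mark values at the top of the MANGLE section (`# 1 = fiber (bouygues), 2 = lte (enp0s21u1), 3 = vpn (wg0); matched by the ip rules below`). The hairpin DNAT only covers 176.180.172.105 while the `loopbackIPs` removed in the first hunk used 195.36.180.44, so if both addresses are still bound on this box LAN clients reaching the second one have lost their redirect — a comment naming which uplink 176.180.172.105 belongs to would also help. The `extraCommands` string begins in this hunk but the `firewall` attribute set it lives in starts outside it.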
@@ -119,31 +145,14 @@ ################# # 0: from all lookup local - # 60: from all iif lo dport 25 lookup vpn - # 4000: from all fwmark 0x1 lookup fiber + # 60: from all iif lo dport 25 lookup vpn # mails are forced to vpn table + # 4000: from all fwmark 0x1 lookup fiber # fwmark indicate established connection that must go through same interface # 5000: from all fwmark 0x2 lookup lte # 6000: from all fwmark 0x3 lookup vpn - # 32766: from all lookup main + # 32766: from all lookup main # main table should contain no default routes, only local network routes # 32767: from all lookup default - # 40000: from all lookup fiber - # 50000: from all lookup lte - - # TODO - - ################## - # iptables rules # - ################## - - # # Restore the packet's CONNMARK to the MARK. - # iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark - # # If packet MARK is set, then it means that there is already a connection mark - # iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT - # # Else, we need to mark the packet. If the packet is incoming on bouygues then set MARK to 1 - # iptables -A PREROUTING -t mangle -i bouygues -j MARK --set-mark 1 - # iptables -A PREROUTING -t mangle -i enp0s21u1 -j MARK --set-mark 2 - # iptables -A PREROUTING -t mangle -i wg0 -j MARK --set-mark 3 - # # Save MARK to CONNMARK. - # iptables -A PREROUTING -t mangle -j CONNMARK --save-mark + # 40000: from all lookup fiber # first table encountered with a default route if fiber is up + # 50000: from all lookup lte # first table encountered with a default route if fiber is down systemd.network = let routeTables = {
@@ -317,6 +326,7 @@ IPv6SendRA = true; DHCPPrefixDelegation = true; DHCPServer = true; + IPMasquerade = "ipv4"; }; dhcpServerConfig = { EmitRouter = true;
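Review bot: The new annotation on priority 32766, `main table should contain no default routes, only local network routes`, states the invariant the whole fallback order (40000 fiber, then 50000 lte) depends on, but nothing in this hunk enforces it: `enp0s21u1.useDHCP = true` is still present as context in the first hunk, and a lease that installs its default route into main would make every unmarked connection stop at 32766 and never reach the fiber/lte ordering. If the routes are pinned elsewhere (the `routeTables` definition that starts on the last line of this hunk and continues outside it looks like the place), say so in the comment, e.g. `# 32766: from all lookup main # must hold only link routes; default routes are forced into fiber/lte/vpn by the systemd.network units below`. The wording on 4000 also reads oddly; `# fwmark = connection already pinned to an uplink by the mangle rules, keep its replies on the same interface` states what the CONNMARK restore in extraCommands actually guarantees. Note `fwmark 0x1` etc. match the mark exactly with no mask, which is consistent with the mangle rules setting 1/2/3 unmasked — keep the two in sync if a mask is ever introduced on either side.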
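Review bot: `IPMasquerade = "ipv4"` hands NAT to systemd-networkd, which as far as I know implements it with its own nftables table rather than the iptables `nat` table the rest of this file programs in `extraCommands`, so the masquerade scope is now "whatever prefix this link carries" instead of the explicit `internalIPs = [ "10.30.0.0/16" ]` the removed `networking.nat` block had, and there is no networkd equivalent of `forwardPorts`. Both backends can coexist, but a one-line comment saves the next reader a search: `# replaces networking.nat: masquerade handled by networkd (nftables); any port forwards must live in firewall.extraCommands`. The enclosing network unit starts outside this hunk, so I cannot see which link this is — the `DHCPServer = true`/`IPv6SendRA = true` context suggests the LAN side (eno2), and it must be that link and not an uplink, otherwise the wrong source prefix gets masqueraded. Whether this setting also enables IPv4 forwarding on the link depends on the systemd version in use; if it does not, forwarding now has to come from somewhere else, since the NixOS NAT module that used to take care of it (if I remember right) is no longer enabled.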