diff --git a/systems/LoutreOS/network.nix b/systems/LoutreOS/network.nix
index a53f677..d96b7c1 100644
--- a/systems/LoutreOS/network.nix
+++ b/systems/LoutreOS/network.nix
@@ -57,56 +57,6 @@
 enp0s21u1.useDHCP = true;
 };
- nftables = {
- enable = true;
- flushRuleset = false;
- tables = {
- "multi-wan-routing" = {
- family = "inet";
- content = ''
- chain PREROUTING {
- type filter hook prerouting priority mangle; policy accept;
- # Restore the packet's CONNMARK to the MARK for existing incoming connections
- counter meta mark set ct mark
- # If packet MARK is set, then it means that there is already a connection mark
- meta mark != 0x00000000 counter accept
- # Else, we need to mark the packet.
- # If the packet is incoming on bouygues then set MARK to 1, LTE MARK 2 and VPN MARK 3
- iifname "bouygues" counter meta mark set 0x1
- iifname "enp0s21u1" counter meta mark set 0x2
- iifname "wg0" counter meta mark set 0x3
- # Save new mark in CONNMARK
- counter ct mark set mark
- }
-
- chain OUTPUT {
- type route hook output priority mangle; policy accept;
- # Restore CONNMARK to MARK for outgoing packets before final routing decision
- counter meta mark set ct mark
- }
-
- chain POSTROUTING {
- type filter hook postrouting priority mangle; policy accept;
- # Save MARK to CONNMARK
- counter ct mark set mark
- }
- '';
- };
-
- "redirect-external-to-local" = {
- family = "ip";
- content = ''
- chain PREROUTING {
- type nat hook prerouting priority dstnat; policy accept;
- # Redirect local network request from server external IP to internal IP
- # This allow access to server without internet access
- ip saddr 10.30.0.0/16 ip daddr 176.180.172.105 counter dnat to 10.30.0.1
- }
- '';
- };
- };
- };
-
 firewall = {
 enable = true;
 allowedTCPPorts = [ 80 443 ];
@@ -126,11 +76,72 @@
 ];
 };
- # Don't forward incoming IPv6 requests to local network
- filterForward = true;
- extraForwardRules = ''
- # Forward all IPv6 traffic from local network
- iifname "eno2" counter accept
+ extraCommands = ''
+
+ ################
+ # MANGLE rules #
+ ################
+
+ # Clean and recreate target
+ ip46tables -w -t mangle -D PREROUTING -j loutreos-mangle-pre 2>/dev/null || true
+ ip46tables -w -t mangle -F loutreos-mangle-pre 2>/dev/null || true
+ ip46tables -w -t mangle -X loutreos-mangle-pre 2>/dev/null || true
+ ip46tables -w -t mangle -N loutreos-mangle-pre
+
+ # Restore the packet's CONNMARK to the MARK for existing incoming connections
+ ip46tables -w -t mangle -A loutreos-mangle-pre -j CONNMARK --restore-mark
+
+ # Restore CONNMARK to MARK for outgoing packets before final routing decision
+ ip46tables -w -t mangle -D OUTPUT -j CONNMARK --restore-mark 2>/dev/null || true
+ ip46tables -w -t mangle -A OUTPUT -j CONNMARK --restore-mark
+
+
+ # If packet MARK is set, then it means that there is already a connection mark
+ ip46tables -w -t mangle -A loutreos-mangle-pre -m mark ! --mark 0 -j ACCEPT
+
+ # Else, we need to mark the packet.
+ # If the packet is incoming on bouygues then set MARK to 1, LTE MARK 2 and VPN MARK 3
+ ip46tables -w -t mangle -A loutreos-mangle-pre -i bouygues -j MARK --set-mark 1
+ ip46tables -w -t mangle -A loutreos-mangle-pre -i enp0s21u1 -j MARK --set-mark 2
+ ip46tables -w -t mangle -A loutreos-mangle-pre -i wg0 -j MARK --set-mark 3
+
+ # Save new mark in CONNMARK
+ ip46tables -w -t mangle -A loutreos-mangle-pre -j CONNMARK --save-mark
+
+ # Jump to newly created target
+ ip46tables -w -t mangle -I PREROUTING 1 -j loutreos-mangle-pre
+
+ # Save MARK to CONNMARK.
+ ip46tables -w -t mangle -D POSTROUTING -j CONNMARK --save-mark 2>/dev/null || true
+ ip46tables -w -t mangle -A POSTROUTING -j CONNMARK --save-mark
+
+ ######################
+ # IPv6 FORWARD rules #
+ ######################
+
+ # Forward all IPv6 traffic from local network and reject incoming traffic
+ ip6tables -w -D FORWARD -j loutreos-forward 2>/dev/null || true
+ ip6tables -w -F loutreos-forward 2>/dev/null || true
+ ip6tables -w -X loutreos-forward 2>/dev/null || true
+ ip6tables -w -N loutreos-forward
+ ip6tables -w -A loutreos-forward -m state --state RELATED,ESTABLISHED -j ACCEPT
+ ip6tables -w -A loutreos-forward -j ACCEPT -i eno2
+ ip6tables -w -A loutreos-forward -j nixos-fw-log-refuse
+ ip6tables -w -A FORWARD -j loutreos-forward
+
+ #############################################
+ # Enable server access when fiber link down #
+ #############################################
+
+ # Redirect local network request from server external IP to internal IP
+ iptables -t nat -D PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1 2>/dev/null || true
+ iptables -t nat -A PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1
+ '';
+
+ # remove refs to nixos-fw-log-refuse before restarting firewall
+ # prevents "ressource busy" errors
+ extraStopCommands = ''
+ ip6tables -D loutreos-forward -j nixos-fw-log-refuse 2>/dev/null || true
 '';
 };
 };
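Review bot: The early exit for already-marked connections, `ip46tables -w -t mangle -A loutreos-mangle-pre -m mark ! --mark 0 -j ACCEPT`, uses ACCEPT inside a user-defined chain; in iptables that ends traversal of the whole mangle PREROUTING chain rather than just `loutreos-mangle-pre`, so any rule another module adds after the inserted jump is skipped for marked traffic, which the replaced nftables table (whose `accept` only ended its own base chain) did not do. Exiting only the custom chain keeps the previous semantics: `ip46tables -w -t mangle -A loutreos-mangle-pre -m mark ! --mark 0 -j RETURN`. The two `iptables -t nat … DNAT` lines are the only calls here without `-w`, so another process holding the xtables lock during firewall start can make them fail; add `-w` to both for consistency with the rest of the script. `-m state --state RELATED,ESTABLISHED` is the legacy match, and `-m conntrack --ctstate RELATED,ESTABLISHED` is the current equivalent. The `firewall = {` attribute set these options belong to opens in the previous hunk.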