diff --git a/nix/packages/nft-update-addresses/nft-update-addresses.py b/nix/packages/nft-update-addresses/nft-update-addresses.py
index 1052dac..5faade6 100644
--- a/nix/packages/nft-update-addresses/nft-update-addresses.py
+++ b/nix/packages/nft-update-addresses/nft-update-addresses.py
@@ -425,6 +425,16 @@ class InterfaceUpdateHandler(UpdateStackHandler[IpAddressUpdate]):
                     for port in portList
                 ),
             )
+            yield NftUpdate(
+                obj_type="set",
+                obj_name=f"{set_prefix}dnat{proto.protocol}-allow",
+                operation=op,
+                values=tuple(
+                    f"{slaacs[mac].ip.compressed} . {lan}"
+                    for mac, portMap in proto.forwarded.items()
+                    for _, lan in portMap.items()
+                ),
+            )
             yield NftUpdate(
                 obj_type="map",
                 obj_name=f"{set_prefix}dnat{proto.protocol}",
@@ -455,6 +465,13 @@ class InterfaceUpdateHandler(UpdateStackHandler[IpAddressUpdate]):
                         f"{addr_type} . inet_service",
                     )
                 )
+                output.append(
+                    gen_set_def(
+                        "set",
+                        f"{set_prefix}dnat{proto.protocol}-allow",
+                        f"{addr_type} . inet_service",
+                    )
+                )
                 output.append(
                     gen_set_def(
                         "map",