diff --git a/nixos/hosts/kanako-hkg0/networking.nix b/nixos/hosts/kanako-hkg0/networking.nix
index f5c4320..e764f64 100644
--- a/nixos/hosts/kanako-hkg0/networking.nix
+++ b/nixos/hosts/kanako-hkg0/networking.nix
@@ -6,14 +6,30 @@
 }:
 {
   imports = with profiles; [
-    services.enthalpy.customer
+    services.enthalpy.transit-dualstack
   ];
 
   services.enthalpy.ipsec.interfaces = [ "enp1s0" ];
 
+  networking.nftables.tables.nat = {
+    family = "inet";
+    content = ''
+      chain postrouting {
+        type nat hook postrouting priority srcnat; policy accept;
+        oifname enp1s0 counter masquerade
+      }
+    '';
+  };
+
   systemd.network = {
     enable = true;
     wait-online.anyInterface = true;
+    config = {
+      networkConfig = {
+        IPv4Forwarding = true;
+        IPv6Forwarding = true;
+      };
+    };
     networks = {
       "30-enp1s0" = {
         matchConfig.Name = "enp1s0";
diff --git a/nixos/hosts/marisa-7d76/networking.nix b/nixos/hosts/marisa-7d76/networking.nix
index 9f221a1..7172326 100644
--- a/nixos/hosts/marisa-7d76/networking.nix
+++ b/nixos/hosts/marisa-7d76/networking.nix
@@ -11,7 +11,7 @@
 
   services.enthalpy = {
     ipsec.interfaces = [ "enp14s0" ];
-    clat.segment = lib.singleton "fde3:3be3:a244:2676::2";
+    clat.segment = lib.singleton "fde3:3be3:a244:f876::2";
   };
 
   systemd.network = {
diff --git a/nixos/hosts/marisa-a7s/networking.nix b/nixos/hosts/marisa-a7s/networking.nix
index d1fddea..5207a1d 100644
--- a/nixos/hosts/marisa-a7s/networking.nix
+++ b/nixos/hosts/marisa-a7s/networking.nix
@@ -14,7 +14,7 @@
       interfaces = [ "wlan0" ];
       whitelist = [ "rebmit's edge network" ];
     };
-    clat.segment = lib.singleton "fde3:3be3:a244:2676::2";
+    clat.segment = lib.singleton "fde3:3be3:a244:f876::2";
   };
 
   systemd.network = {