diff --git a/ferm.conf b/ferm.conf
index 81e88c2..15924c3 100644
--- a/ferm.conf
+++ b/ferm.conf
@@ -1,6 +1,5 @@
 @def $subnet = 192.168.66.0/24;
 @def $bridge = br0;
-@def $evenet = evenet;
 @def $internet = "enp2s0";
 @def $public_ipv4 = `ip a s enp2s0 | awk '$0 ~ "inet " { split($2,a,"/"); print a[1] }'`;
 @def $public_ipv6 = `ip a s enp2s0 | awk '$0 ~ "inet6 " && !($2 ~ /^fe80/) { split($2,a,"/"); print a[1] }'`;
@@ -20,7 +19,7 @@ domain (ip ip6) {
 interface $bridge protocol tcp dport smtp REJECT reject-with tcp-reset;
 # dn42 -> is filtered in dn42 container
- interface $evenet outerface $evenet ACCEPT;
+ interface $bridge mod physdev physdev-out lxc_dn42 ACCEPT;
 interface $bridge outerface $internet ACCEPT;
 }
diff --git a/functions b/functions
index 844f93a..57c9cfa 100644
--- a/functions
+++ b/functions
@@ -6,11 +6,12 @@
 # Defines a service residing in a given container
 @def &def_service($service, $container, $proto, $port) = {
 # look up IP addresses of the container
- @def $ip4 = @resolve($container, A);
- @def $ip6 = @resolve($container, AAAA);
+ @def $ip4 = @resolve("$container", A);
+ @def $ip6 = @resolve("ipv6.$container", AAAA);
+ @def $ula = @resolve("ula.$container", AAAA);
 # chain to allow forwarding to the service
- domain (ip ip6) table filter chain @cat("allow_", $service) daddr @ipfilter(($ip4 $ip6)) protocol $proto dport $port ACCEPT;
+ domain (ip ip6) table filter chain @cat("allow_", $service) daddr @ipfilter(($ip4 $ip6 $ula)) protocol $proto dport $port ACCEPT;
 # chain to do the DNAT to change the address / port to the one of the container / service
 domain ip table nat chain @cat("fwd_to_", $service) protocol $proto DNAT to "$ip4:$port";
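Review bot: The replacement rule `interface $bridge mod physdev physdev-out lxc_dn42 ACCEPT;` only matches when br_netfilter is loaded and net.bridge.bridge-nf-call-iptables (and bridge-nf-call-ip6tables for the ip6 domain) is enabled; without that the physdev match never fires and bridge traffic towards the dn42 container falls through to whatever rules follow, so the dependency should be recorded next to the rule. It also drops the `outerface $evenet` constraint of the old line, so any bridge port can now reach the container's veth, which looks intended given the comment above it but is worth stating. I'd put `# needs br_netfilter + bridge-nf-call-ip(6)tables=1; accepts any bridge source towards the dn42 veth` above the rule. The enclosing `domain (ip ip6) {` block opens outside the hunk.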
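Review bot: The new `@resolve("ipv6.$container", AAAA)` and `@resolve("ula.$container", AAAA)` lookups make every container passed to `&def_service` depend on three DNS records being resolvable at ferm load time; as far as I know ferm treats a failed lookup as a fatal error rather than an empty list, so one missing `ula.` record aborts the whole ruleset rather than just that address — worth confirming against the ferm version in use. The same contract applies to the `&allow_service_for` and `&forward_to` hunks below. I'd document it on the function header: `# each container needs A, ipv6.<name> AAAA and ula.<name> AAAA records; a failed lookup aborts the ferm run`. The hunk header counts 11/12 lines but fewer are visible, so its closing lines appear to be cut off.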
@@ -34,8 +35,9 @@
 # Allows connection from the given container to the specified service (which resides in another container)
 @def &allow_service_for($service, $container) = {
 @def $ip4 = @resolve($container, A);
- @def $ip6 = @resolve($container, AAAA);
- domain (ip ip6) table filter chain FORWARD saddr @ipfilter(($ip4 $ip6)) jump @cat("allow_", $service);
+ @def $ip6 = @resolve("ipv6.$container", AAAA);
+ @def $ula = @resolve("ula.$container", AAAA);
+ domain (ip ip6) table filter chain FORWARD saddr @ipfilter(($ip4 $ip6 $ula)) jump @cat("allow_", $service);
 }
 # Allows connection a specific service to all containers
@@ -49,13 +51,14 @@
 @def &forward_to($container, $proto, $port) = {
 # look up IP addresses of the container
 @def $ip4 = @resolve($container, A);
- @def $ip6 = @resolve($container, AAAA);
+ @def $ip6 = @resolve("ipv6.$container", AAAA);
+ @def $ula = @resolve("ula.$container", AAAA);
 domain (ip ip6) {
 # allow forwarding to container
- table filter chain FORWARD daddr @ipfilter(($ip4 $ip6)) protocol $proto dport $port ACCEPT;
+ table filter chain FORWARD daddr @ipfilter(($ip4 $ip6 $ula)) protocol $proto dport $port ACCEPT;
 # change destination address to the containers one
- table nat chain PREROUTING interface $internet protocol $proto dport $port DNAT to @ipfilter($ip4 $ip6);
+ table nat chain PREROUTING interface $internet protocol $proto dport $port DNAT to @ipfilter($ip4 $ip6 $ula);
 }
 }
diff --git a/services/00-local b/services/00-local
index da1e820..6ccf35f 100644
--- a/services/00-local
+++ b/services/00-local
@@ -1,4 +1,4 @@
 &allow_local(tcp, 22022); # SSH
 &allow_local(udp, 60000:60010); # Mosh
-&allow_local(tcp, 655); # tinc
-&allow_local(udp, 655); # tinc
+&allow_local(tcp, 655); # tinc
+&allow_local(udp, 655); # tinc
diff --git a/services/45-dn42 b/services/45-dn42
index 02ea567..c9f8ac2 100644
--- a/services/45-dn42
+++ b/services/45-dn42
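Review bot: `@def $ip4 = @resolve($container, A);` is left unquoted in `&allow_service_for` (and again in `&forward_to` below) while the rewritten `&def_service` now spells the same lookup as `@resolve("$container", A)`; the result is identical, but the three helpers should read the same way so a later edit to the naming scheme is not applied to only some of them. I'd change both remaining lines to `@def $ip4 = @resolve("$container", A);`.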
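Review bot: In the ip6 domain the nat line `DNAT to @ipfilter($ip4 $ip6 $ula)` now yields two addresses; ferm expands a list-valued parameter into one rule per value, so PREROUTING gets two DNAT rules with identical match conditions and the one pointing at `$ula` is shadowed by the `$ip6` one and never used (assuming @ipfilter returns a plain list here, as the filter rule's double-paren form suggests). If the ULA is only meant to be an accepted destination on the filter side, the nat line should stay at `DNAT to @ipfilter($ip4 $ip6);`; if it is meant to be the DNAT target, choose one address explicitly rather than emitting a dead rule. Note the filter rule wraps the list as `(($ip4 $ip6 $ula))` while the nat rule uses `($ip4 $ip6 $ula)`; a comment on which form is intended where would prevent the next editor from "fixing" one to match the other.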
@@ -3,8 +3,8 @@
 domain (ip ip6) table filter chain FORWARD proto udp dport 5001:5020 daddr @ipfilter(($dn42_ip4 $dn42_ip6)) interface $bridge ACCEPT;
 domain (ip ip6) table nat chain PREROUTING interface $internet proto udp dport 5001:5020 DNAT to @ipfilter(($dn42_ip4 $dn42_ip6));
-# tinc
-&def_service(evenet, dn42, udp, 666);
-&forward_to_service(evenet, udp, 666);
-&def_service(evenet, dn42, tcp, 666);
-&forward_to_service(evenet, tcp, 666);
+# openvpn client server
+&def_service(evenet, dn42, udp, 123);
+&forward_to_service(evenet, udp, 123);
+&def_service(evenet, dn42, tcp, 993);
+&forward_to_service(evenet, tcp, 993);
diff --git a/services/45-dns b/services/45-dns
index eaaa1d9..0b7ff15 100644
--- a/services/45-dns
+++ b/services/45-dns
@@ -6,13 +6,9 @@
 &allow_service_for_all(dns);
 &allow_service_for_all(dns2);
-chain FORWARD interface $evenet mod pkttype pkt-type (broadcast multicast) ACCEPT;
-
 # chain to allow forwarding to the service
 domain ip table filter chain FORWARD {
- @def $dns1_ip4 = @resolve(dns1.evenet.dn42, A);
- @def $dns2_ip4 = @resolve(dns2.evenet.dn42, A);
 @def $ns1_ip4 = @resolve(ns1.evenet.dn42, A);
 @def $ns2_ip4 = @resolve(ns2.evenet.dn42, A);
- daddr ($dns1_ip4 $dns2_ip4 $ns1_ip4 $ns2_ip4) protocol udp dport 53 ACCEPT;
+ daddr ($ns1_ip4 $ns2_ip4) protocol udp dport 53 ACCEPT;
 }
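Review bot: The comment `# openvpn client server` does not say why the OpenVPN listeners are exposed on udp/123 and tcp/993, which are the well-known NTP and IMAPS ports; anyone reading this ruleset, or host or network alerts keyed on port, will classify that traffic as NTP/IMAPS unless the file states otherwise. I'd replace the comment with one that records the intent and the coupling, e.g. `# openvpn for dn42 peers, deliberately on udp/123 and tcp/993 (the NTP/IMAPS ports) — not NTP or IMAPS; must match the listener config inside the dn42 container`. Unlike the old tinc entries the two protocols now use different ports, so the comment should also make clear that both belong to the same `evenet` service and share its `allow_evenet`/`fwd_to_evenet` chains.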
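Review bot: The rewritten `daddr ($ns1_ip4 $ns2_ip4) protocol udp dport 53 ACCEPT;` still permits only UDP; if ns1/ns2 are authoritative servers reachable from outside, truncated answers (large or DNSSEC-signed responses) and zone transfers retry over TCP/53 and will be dropped here. The restriction predates this commit, but since the line is being rewritten it is the place to decide: either `daddr ($ns1_ip4 $ns2_ip4) protocol (udp tcp) dport 53 ACCEPT;` if TCP fallback is wanted, or a comment such as `# UDP only on purpose: TCP/53 is handled elsewhere / not offered` if it is not. The removed `chain FORWARD interface $evenet ... ACCEPT;` is consistent with dropping `$evenet` in ferm.conf; I cannot see whether other files still reference it.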