diff --git a/nixos/network/config.nix b/nixos/network/config.nix index bc6f9e0..4306762 100644 --- a/nixos/network/config.nix +++ b/nixos/network/config.nix @@ -17,6 +17,7 @@ let serviceConfig = { Type = "oneshot"; RemainAfterExit = true; + PrivateMounts = false; PrivateNetwork = true; ExecStart = (pkgs.writeShellScript "ns.net.vmix-start" '' NAMESPACE="$1.vmix" @@ -32,7 +33,7 @@ let mkLanDomainName = networkName: lanName: lanCfg: if (lanCfg.domain != null) then lanCfg.domain else "${lanName}.${networkName}.vmix"; - mkLan = networkName: lanName: cfg: + mkLan = networkName: staticRoutes: lanName: cfg: let lanCfg = cfg // { name = lanName; namespace = "${networkName}"; }; lanInterfaceName = "brx-${lanCfg.name}"; @@ -63,8 +64,10 @@ let lanDomainName = mkLanDomainName networkName lanName lanCfg; lanDnsmasqConf = '' + # lan ${lanName} dhcp-range=${lanInterfaceName},${dhcpStartAddress},${dhcpEndAddress},${netmask},12h domain=${lanDomainName},${lanInterfaceName} + dhcp-option=${lanInterfaceName},option:classless-static-route,${lib.concatStringsSep "," (builtins.map (route: "${route},${lanInterfaceIPAddress}") (builtins.filter (route: route != lanCfg.ipv4.range) staticRoutes))} '' + (lib.optionalString (lanCfg.ipv4.dns.upstream != []) ("dhcp-option=${lanInterfaceName},option:dns-server,${(lib.concatStringsSep "," lanCfg.ipv4.dns.upstream)}\n")); in lanCfg // { @@ -74,10 +77,11 @@ let domain = lanDomainName; }; - mkLansService = networkName: lansCfg: + mkLansService = networkName: wanIPv4Range: lansCfg: let dhcpLeaseFile="/tmp/vmix/lans.${networkName}.dhcp.leases"; - lansList = lib.attrValues(lib.mapAttrs (mkLan networkName) lansCfg); + staticRoutes = [ wanIPv4Range ] ++ (builtins.map (lanCfg: lanCfg.ipv4.range) (lib.attrValues lansCfg)); + lansList = lib.attrValues(lib.mapAttrs (mkLan networkName staticRoutes) lansCfg); dnsmasqConf = pkgs.writeText "dnsmasq-${networkName}.conf" ('' except-interface=lo dhcp-authoritative 
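Review bot: `PrivateMounts = false;` in the `@@ -17,6 +17,7 @@` hunk switches off a sandboxing default without a comment saying why. With `PrivateNetwork = true`, recent systemd releases enable a private mount namespace unless it is explicitly disabled, so this line is a deliberate opt-out. Presumably the start script creates mounts that must stay visible on the host, but that script is mostly outside the hunk. I would add a comment above the line, e.g. `# PrivateNetwork implies PrivateMounts; keep mounts shared because <reason>`, so a later hardening pass neither reverts it nor assumes the unit is mount-isolated. The `serviceConfig` set starts and ends outside the hunk.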
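Review bot: The added `dhcp-option=${lanInterfaceName},option:classless-static-route,...` line in the `@@ -63,8 +64,10 @@` hunk carries no default route, and clients that follow RFC 3442 ignore the router option once option 121 is present. If these LANs are meant to hand out a default gateway, clients may lose it after this change, and the list would also need `0.0.0.0/0,${lanInterfaceIPAddress}`; whether that is intended is not visible here. The line also renders with an empty value after the last comma when the filter leaves no routes, which looks possible only if the WAN range equals the LAN's own range. Wrapping it in `lib.optionalString`, as the dns-server line below does, would keep the generated config valid in that case. `lanDnsmasqConf` sits inside `mkLan`, which starts outside the hunk.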
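Review bot: `staticRoutes` in the `@@ -74,10 +77,11 @@` hunk makes every LAN's DHCP server advertise routes to every sibling LAN and to the WAN veth range via the LAN gateway. If any of these LANs is meant to be a separate trust zone, the separation then rests entirely on forwarding rules inside the namespace, and none are visible in this diff. I would document that on the binding, e.g. `# every LAN learns routes to all sibling LANs and the WAN veth range; inter-LAN filtering lives in <firewall location>`, and confirm that such filtering exists. `mkLansService` continues outside the hunk.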
@@ -183,9 +187,10 @@ let mkNetworkServices = networkName: cfg: let netCfg = cfg // { name = networkName; }; + vethIPv4RangeForWan = mkVethIPv4Range netCfg.index vmixCfg.global.net.wan.ipv4.range; in - (mkLansService netCfg.name netCfg.lans) - // (mkWanService netCfg.name (netCfg.wan // { ipv4.range = (mkVethIPv4Range netCfg.index vmixCfg.global.net.wan.ipv4.range); lanRanges = builtins.map (lan: lan.ipv4.range) (lib.attrValues netCfg.lans); })) + (mkLansService netCfg.name vethIPv4RangeForWan netCfg.lans) + // (mkWanService netCfg.name (netCfg.wan // { ipv4.range = vethIPv4RangeForWan; lanRanges = builtins.map (lan: lan.ipv4.range) (lib.attrValues netCfg.lans); })) // (lib.concatMapAttrs (mkMacvlanService netCfg.name) netCfg.bridges.macvlans); networkNames = builtins.attrNames vmixCfg.networks;
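Review bot: The list of LAN ranges is still built inline here for `lanRanges`, and the same `builtins.map` over `lib.attrValues` is now repeated inside `mkLansService` for `staticRoutes`. These two lists feed the WAN side and the DHCP-advertised routes, so they should not be able to drift apart. Consider binding it once next to `vethIPv4RangeForWan`, e.g. `lanIPv4Ranges = builtins.map (lan: lan.ipv4.range) (lib.attrValues netCfg.lans);`, and passing that to both services. The enclosing `let` block starts and ends outside the hunk.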