diff --git a/roles/firewall/handlers/main.yml b/roles/firewall/handlers/main.yml
index d2beb3b..47d1eec 100644
--- a/roles/firewall/handlers/main.yml
+++ b/roles/firewall/handlers/main.yml
@@ -2,10 +2,6 @@
     command: ifup --auto
     when: "'handler' not in ansible_skip_tags"
 
-- name: mkinitfs
-  command: mkinitfs
-  when: "'handler' not in ansible_skip_tags"
-
 - name: reboot
   reboot:
   when: "'handler' not in ansible_skip_tags"
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
index 83e748f..5220db0 100644
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@@ -7,13 +7,6 @@
     name: bash,bonding,iproute2
     state: latest
 
-- name: Tell mdev to rename network interfaces
-  lineinfile:
-    path: /etc/mdev.conf
-    line: '-net/.* root:root 600 @/sbin/nameif -s'
-    insertafter: '^# net devices'
-  notify: mkinitfs
-
 - name: Tell ifupdown to also rename network interfaces
   copy:
     dest: /etc/network/if-pre-up.d/nameif
diff --git a/roles/firewall/templates/interfaces.j2 b/roles/firewall/templates/interfaces.j2
index fae0f3d..75980f2 100644
--- a/roles/firewall/templates/interfaces.j2
+++ b/roles/firewall/templates/interfaces.j2
@@ -1,10 +1,9 @@
 {% set addrs = interfaces | selectattr('name', '==', 'lo') | map(attribute='ip_addresses') | first -%}
-source-directory /etc/network/interfaces.d
-
 auto lo
-iface lo inet loopback
-    address {{ wg_ip }}
+iface lo
 {% for address in addrs %}
     address {{ address.address }}
 {% endfor %}
+
+source-directory /etc/network/interfaces.d
 
diff --git a/roles/firewall/templates/nftables.nft.j2 b/roles/firewall/templates/nftables.nft.j2
index 5afa559..bc45c0b 100644
--- a/roles/firewall/templates/nftables.nft.j2
+++ b/roles/firewall/templates/nftables.nft.j2
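Review bot: The new `iface lo` stanza drops the address family and method, and the loopback address `{{ wg_ip }}` is now expected to come from the second `iface lo` stanza that wg.intf.j2 adds, presumably installed under the `/etc/network/interfaces.d` that is now sourced after the lo stanza; this relies on the ifupdown flavour in use (ifupdown-ng, judging by `use wireguard`) merging duplicate `iface lo` stanzas rather than letting the last one win, which is worth confirming on the target. A comment on the moved `source-directory` line would make the ordering dependency explicit, e.g. `# sourced after lo so interfaces.d/wg.intf can extend the lo stanza with wg_ip`. The unchanged `| first` on the `set addrs` line raises at render time when no interface named `lo` exists in `interfaces`; if that hard failure is intended, say so in a comment, otherwise a `default` guard is needed.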
@@ -146,6 +146,19 @@ table inet filter {
     }
 }
 
+table inet wireguard {
+    chain input {
+        type filter hook prerouting priority raw; policy accept
+        udp dport 51820 notrack \
+            comment "Disable connection tracking for wireguard"
+    }
+    chain output {
+        type route hook output priority raw; policy accept
+        meta mark 51820 meta nfproto ipv4 ip saddr set {{ wg_ip | ipaddr('address') }} notrack \
+            comment "Disable connection tracking and set anycast source IP for wireguard"
+    }
+}
+
 table ip nat {
     include "/etc/nftables.d/interfaces.nft"
     include "/etc/nftables.d/networks.nft"
diff --git a/roles/firewall/templates/wg.intf.j2 b/roles/firewall/templates/wg.intf.j2
index 266eef8..f66ff27 100644
--- a/roles/firewall/templates/wg.intf.j2
+++ b/roles/firewall/templates/wg.intf.j2
@@ -1,5 +1,8 @@
+iface lo
+    address {{ wg_ip }}
+
 auto wg
-iface wg inet static
+iface wg use wireguard
 {% if wg_net is defined %}
     address {{ wg_net }}
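Review bot: The new `chain output` rule only untracks IPv4, because `meta nfproto ipv4` gates both the `ip saddr set` and the `notrack`, while `chain input` untracks `udp dport 51820` for both families, so WireGuard over IPv6 would be tracked on egress but not on ingress. Splitting the rule keeps the two chains symmetric: `meta mark 51820 meta nfproto ipv4 ip saddr set {{ wg_ip | ipaddr('address') }} comment "Set anycast source IP for wireguard"` followed by `meta mark 51820 notrack comment "Disable connection tracking for wireguard"`. Untracked packets carry `ct state untracked` and will not match an `established,related` accept in `table inet filter`, so that table's input chain (outside this hunk) needs an explicit accept for `udp dport 51820` for the tunnel to keep working. The `meta mark 51820` match presumes the wg interface's fwmark is set to that value elsewhere; a comment naming where would help the next reader. If `wg_ip` is undefined or not an address, `ipaddr('address')` renders an empty operand and `nft -f` rejects the whole file, so guarding the table with `{% if wg_ip is defined %}` or validating the variable beforehand avoids a failed ruleset load.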