diff --git a/nix/homelab/kustomize/kustomization.yaml b/nix/homelab/kustomize/kustomization.yaml
index bc36645..4001a9c 100644
--- a/nix/homelab/kustomize/kustomization.yaml
+++ b/nix/homelab/kustomize/kustomization.yaml
@@ -4,6 +4,8 @@ kind: Kustomization
 resources:
   - ./metallb/pool.yaml
   - ./traefik/config.yaml
+  - ./traefik/private-networks.yaml
+  - ./traefik/chains.yaml
   - ./cert-manager/config.yaml
   - ./routes/minecraft.yaml
   - ./routes/gitea/ssh.yaml
diff --git a/nix/homelab/kustomize/routes/home-assistant.yaml b/nix/homelab/kustomize/routes/home-assistant.yaml
index cd42fd2..201cc5b 100644
--- a/nix/homelab/kustomize/routes/home-assistant.yaml
+++ b/nix/homelab/kustomize/routes/home-assistant.yaml
@@ -10,6 +10,12 @@ spec:
   hostnames:
     - "home-assistant.lucalise.ca"
   rules:
-    - backendRefs:
+    - filters:
+        - type: ExtensionRef
+          extensionRef:
+            group: traefik.io
+            kind: Middleware
+            name: private-networks
+      backendRefs:
         - name: home-assistant
           port: 8080
diff --git a/nix/homelab/kustomize/routes/longhorn.yaml b/nix/homelab/kustomize/routes/longhorn.yaml
index 4dc79a4..b984455 100644
--- a/nix/homelab/kustomize/routes/longhorn.yaml
+++ b/nix/homelab/kustomize/routes/longhorn.yaml
@@ -10,6 +10,12 @@ spec:
   hostnames:
     - "storage.lucalise.ca"
   rules:
-    - backendRefs:
+    - filters:
+        - type: ExtensionRef
+          extensionRef:
+            group: traefik.io
+            kind: Middleware
+            name: private-networks
+      backendRefs:
         - name: longhorn-frontend
           port: 80
diff --git a/nix/homelab/kustomize/routes/pihole.yaml b/nix/homelab/kustomize/routes/pihole.yaml
index aaa2fbe..67505f2 100644
--- a/nix/homelab/kustomize/routes/pihole.yaml
+++ b/nix/homelab/kustomize/routes/pihole.yaml
@@ -1,7 +1,7 @@
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
-  name: longhorn
+  name: pihole
   namespace: pihole-system
 spec:
   parentRefs:
@@ -10,6 +10,12 @@ spec:
   hostnames:
     - "pihole.lucalise.ca"
   rules:
-    - backendRefs:
+    - filters:
+        - type: ExtensionRef
+          extensionRef:
+            group: traefik.io
+            kind: Middleware
+            name: private-networks
+      backendRefs:
         - name: pihole-web
           port: 80
diff --git a/nix/homelab/kustomize/traefik/chains.yaml b/nix/homelab/kustomize/traefik/chains.yaml
new file mode 100644
index 0000000..e2e1621
--- /dev/null
+++ b/nix/homelab/kustomize/traefik/chains.yaml
@@ -0,0 +1,32 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: private-networks 
+  namespace: home
+spec:
+  chain:
+    middlewares:
+      - name: private-networks
+        namespace: kube-system
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: private-networks 
+  namespace: longhorn-system
+spec:
+  chain:
+    middlewares:
+      - name: private-networks
+        namespace: kube-system
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: private-networks 
+  namespace: pihole-system
+spec:
+  chain:
+    middlewares:
+      - name: private-networks
+        namespace: kube-system
diff --git a/nix/homelab/kustomize/traefik/config.yaml b/nix/homelab/kustomize/traefik/config.yaml
index 65db8fe..47ff0a2 100644
--- a/nix/homelab/kustomize/traefik/config.yaml
+++ b/nix/homelab/kustomize/traefik/config.yaml
@@ -11,6 +11,8 @@ spec:
     service:
       annotations:
         metallb.universe.tf/address-pool: rufus-pool
+      spec:
+        externalTrafficPolicy: Local
 
     ports:
       web:
diff --git a/nix/homelab/kustomize/traefik/private-networks.yaml b/nix/homelab/kustomize/traefik/private-networks.yaml
new file mode 100644
index 0000000..56cfaad
--- /dev/null
+++ b/nix/homelab/kustomize/traefik/private-networks.yaml
@@ -0,0 +1,13 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: private-networks
+  namespace: kube-system
+spec:
+  ipAllowList:
+    sourceRange:
+      # RFC1918 private address ranges
+      - 10.0.0.0/8
+      - 172.16.0.0/12
+      - 192.168.0.0/16
+      - 100.64.0.0/10
diff --git a/nix/homelab/scripts/generate-chains.sh b/nix/homelab/scripts/generate-chains.sh
new file mode 100755
index 0000000..a3a5fa6
--- /dev/null
+++ b/nix/homelab/scripts/generate-chains.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+set -e
+
+NAMESPACES=(
+  "home"
+  "longhorn-system"
+  "pihole-system"
+)
+
+OUTPUT_FILE="kustomize/traefik/chains.yaml"
+
+> "$OUTPUT_FILE"
+
+for i in "${!NAMESPACES[@]}"; do
+  ns="${NAMESPACES[$i]}"
+  
+  if [[ $i -gt 0 ]]; then
+    echo "---" >> "$OUTPUT_FILE"
+  fi
+  
+  cat >> "$OUTPUT_FILE" <<EOF
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: private-networks 
+  namespace: ${ns}
+spec:
+  chain:
+    middlewares:
+      - name: private-networks
+        namespace: kube-system
+EOF
+done
+
+echo "Generated $OUTPUT_FILE with ${#NAMESPACES[@]} namespace chains"
diff --git a/nix/homelab/kustomize/generate-restore-job.sh b/nix/homelab/scripts/generate-restore-job.sh
similarity index 94%
rename from nix/homelab/kustomize/generate-restore-job.sh
rename to nix/homelab/scripts/generate-restore-job.sh
index dc97604..d7e1dc0 100755
--- a/nix/homelab/kustomize/generate-restore-job.sh
+++ b/nix/homelab/scripts/generate-restore-job.sh
@@ -9,8 +9,12 @@ fi
 SERVER_NAME="$1"
 BACKUP_FILE="$2"
 
+cd kustomize
+
 kubectl scale deployment minecraft-$SERVER_NAME --replicas 0
 
 sed -e "s/{{SERVER_NAME}}/$SERVER_NAME/g" \
     -e "s/{{BACKUP_FILE}}/$BACKUP_FILE/g" \
     restore-job.yaml | kubectl apply -f -
+
+cd -
diff --git a/nix/homelab/update-node.sh b/nix/homelab/scripts/update-node.sh
similarity index 100%
rename from nix/homelab/update-node.sh
rename to nix/homelab/scripts/update-node.sh
diff --git a/nix/modules/dns.nix b/nix/modules/dns.nix
index 35b0445..de98930 100644
--- a/nix/modules/dns.nix
+++ b/nix/modules/dns.nix
@@ -17,13 +17,13 @@
       enable = true;
       dns = "systemd-resolved";
     };
-    networking.extraHosts = ''
-      192.168.27.10 traefik.lucalise.ca 
-      192.168.27.10 media.lucalise.ca 
-      192.168.27.10 git.lucalise.ca 
-      192.168.27.10 storage.lucalise.ca 
-      192.168.27.10 home-assistant.lucalise.ca 
-    '';
+    # networking.extraHosts = ''
+    #   75.157.238.86 traefik.lucalise.ca
+    #   75.157.238.86 media.lucalise.ca
+    #   75.157.238.86 git.lucalise.ca
+    #   75.157.238.86 storage.lucalise.ca
+    #   75.157.238.86 home-assistant.lucalise.ca
+    # '';
 
     services.resolved = {
       enable = true;