diff --git a/hosts/pre-router/configuration.nix b/hosts/pre-router/configuration.nix
index adf69f9..6d894fe 100644
--- a/hosts/pre-router/configuration.nix
+++ b/hosts/pre-router/configuration.nix
@@ -55,34 +55,6 @@
 { address = "10.42.0.0"; prefixLength = 16; via = "10.42.10.1"; }
 ];
 
- networking.wireguard = {
- enable = true;
- interfaces = {
- wg0 = {
- ips = [ "fe80::42:10:1/64" ];
- privateKeyFile = "/var/src/secrets/wireguard/wg0";
- allowedIPsAsRoutes = false;
- peers = [{
- publicKey = "Y++eB9SfU17zB4mJ/6AaN761tngXAyTNoVaPNKmuvls=";
- allowedIPs = [ "::/0" ];
- endpoint = "78.47.183.82:51876";
- #endpoint = "gatekeeper.net.clerie.de:51876";
- persistentKeepalive = 25;
- }];
- };
- };
- };
-
- networking.localCommands = ''
- ip -6 route add default dev wg0 table 100
- '';
-
- clerie.policyrouting.enable = true;
- clerie.policyrouting.rules6 = [
- { rule = "lookup main suppress_prefixlength 0"; prio = 10000; }
- { rule = "from 2a01:4f8:1c0c:8221::/64 lookup 100"; prio = 19000; }
- ];
-
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
 # on your system were taken. It‘s perfectly fine and recommended to leave
diff --git a/hosts/router/10-net-services.nix b/hosts/router/10-net-services.nix
index f229d1b..dd16c2f 100644
--- a/hosts/router/10-net-services.nix
+++ b/hosts/router/10-net-services.nix
@@ -6,6 +6,32 @@
 interface = "ens18";
 };
 
+ networking.wireguard = {
+ enable = true;
+ interfaces = {
+ wg-services = {
+ ips = [ "fe80::42:10:1/64" ];
+ privateKeyFile = "/var/src/secrets/wireguard/wg-services";
+ allowedIPsAsRoutes = false;
+ peers = [{
+ publicKey = "Y++eB9SfU17zB4mJ/6AaN761tngXAyTNoVaPNKmuvls=";
+ allowedIPs = [ "::/0" ];
+ endpoint = "78.47.183.82:51876";
+ #endpoint = "gatekeeper.net.clerie.de:51876";
+ persistentKeepalive = 25;
+ }];
+ };
+ };
+ };
+
+ networking.localCommands = ''
+ ip -6 route add default dev wg-services table 20003
+ '';
+
+ clerie.policyrouting.rules6 = [
+ { rule = "from 2a01:4f8:1c0c:8221::/64 lookup 20003"; prio = 19000; }
+ ];
+
 networking.interfaces.net-services.ipv4.addresses = [
 { address = "10.42.10.1"; prefixLength = 24; }
 { address = "10.42.10.2"; prefixLength = 24; }
diff --git a/hosts/router/configuration.nix b/hosts/router/configuration.nix
index fe9a264..dfc867c 100644
--- a/hosts/router/configuration.nix
+++ b/hosts/router/configuration.nix
@@ -34,9 +34,6 @@
 
 networking.hostName = "router";
 
- networking.defaultGateway = { address = "10.42.10.25"; interface = "net-services"; };
- networking.defaultGateway6 = { address = "2a01:4f8:1c0c:8221::25"; interface = "net-services"; };
-
 networking.firewall.checkReversePath = false;
 
 services.prometheus.exporters.node = {
diff --git a/hosts/router/ppp.nix b/hosts/router/ppp.nix
index 8e13475..cdd5102 100644
--- a/hosts/router/ppp.nix
+++ b/hosts/router/ppp.nix
@@ -14,10 +14,12 @@
 ppp-uplink-a)
 ${pkgs.iproute2}/bin/ip route flush table 20001 || true
 ${pkgs.iproute2}/bin/ip route add default dev ppp-uplink-a table 20001
+ ${pkgs.iproute2}/bin/ip route replace default dev ppp-uplink-a metric 2000
 ;;
 ppp-uplink-b)
 ${pkgs.iproute2}/bin/ip route flush table 20002 || true
 ${pkgs.iproute2}/bin/ip route add default dev ppp-uplink-b table 20002
+ ${pkgs.iproute2}/bin/ip route replace default dev ppp-uplink-b metric 1000
 ;;
 esac
 '';
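Review bot: The `rules6` entry added here steers every packet sourced from `2a01:4f8:1c0c:8221::/64` into table 20003, whose only route is the default over `wg-services`, so traffic from that prefix to on-link or other main-table destinations is also pushed into the tunnel unless `clerie.policyrouting` installs a main-table lookup with `suppress_prefixlength 0` on its own — the pre-router config retired in this commit set that rule explicitly (`{ rule = "lookup main suppress_prefixlength 0"; prio = 10000; }`) and it is not carried over. Add that entry to `rules6` here, or confirm the module provides it. Separately, with `allowedIPs = [ "::/0" ]` the peer may inject packets with any IPv6 source and router/configuration.nix keeps `networking.firewall.checkReversePath = false`, so nothing on this host drops spoofed sources arriving from the tunnel; a comment such as `# upstream default-route peer: any source is accepted (rp_filter is off), peer is fully trusted` would make that explicit. The hard-coded `endpoint` IP with the DNS name commented out also deserves a one-line note on why the literal is used, so it is not mistaken for a stale value.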
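Review bot: The two `ip route replace default dev ppp-uplink-… metric …` lines encode the uplink preference (b at 1000 wins over a at 2000) as bare numbers with no explanation, and the IPv6 ip-up script repeats the same pair. Add a comment above the `case` (which starts outside the hunk) such as `# main-table defaults: uplink-b preferred (metric 1000), uplink-a fallback (metric 2000); tables 20001/20002 remain per-uplink for the policy rules`. Note that `ip route replace` matches on the metric, so if pppd's own `defaultroute` option is still active its metric-0 default route survives alongside these and wins — the pppd options are not in this diff, so confirm it is disabled. The `ip route add … table 2000x` lines still run without the `|| true` the flush has; if the script runs under `set -e` (not visible here) a failed add would skip the new replace line.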
@@ -30,9 +32,11 @@
 case $1 in
 ppp-uplink-a)
 ${pkgs.iproute2}/bin/ip route flush table 20001 || true
+ ${pkgs.iproute2}/bin/ip route delete default dev ppp-uplink-a || true
 ;;
 ppp-uplink-b)
 ${pkgs.iproute2}/bin/ip route flush table 20002 || true
+ ${pkgs.iproute2}/bin/ip route delete default dev ppp-uplink-b || true
 ;;
 esac
 '';
@@ -46,10 +50,12 @@
 ppp-uplink-a)
 ${pkgs.iproute2}/bin/ip -6 route flush table 20001 || true
 ${pkgs.iproute2}/bin/ip -6 route add default dev ppp-uplink-a table 20001
+ ${pkgs.iproute2}/bin/ip -6 route replace default dev ppp-uplink-a metric 2000
 ;;
 ppp-uplink-b)
 ${pkgs.iproute2}/bin/ip -6 route flush table 20002 || true
 ${pkgs.iproute2}/bin/ip -6 route add default dev ppp-uplink-b table 20002
+ ${pkgs.iproute2}/bin/ip -6 route replace default dev ppp-uplink-b metric 1000
 ;;
 esac
 '';
@@ -62,9 +68,11 @@
 case $1 in
 ppp-uplink-a)
 ${pkgs.iproute2}/bin/ip -6 route flush table 20001 || true
+ ${pkgs.iproute2}/bin/ip -6 route delete default dev ppp-uplink-a || true
 ;;
 ppp-uplink-b)
 ${pkgs.iproute2}/bin/ip -6 route flush table 20002 || true
+ ${pkgs.iproute2}/bin/ip -6 route delete default dev ppp-uplink-b || true
 ;;
 esac
 '';
diff --git a/hosts/router/uplink-selector.nix b/hosts/router/uplink-selector.nix
index 0f54dd5..2312002 100644
--- a/hosts/router/uplink-selector.nix
+++ b/hosts/router/uplink-selector.nix
@@ -1,14 +1,7 @@
 { config, pkgs, ... }:
 {
 
- networking.localCommands = ''
- ip -6 route add default via 2a01:4f8:1c0c:8221::25 dev net-services table 20003
- '';
-
 clerie.policyrouting.enable = true;
- clerie.policyrouting.rules6 = [
- { rule = "from 2a01:4f8:1c0c:8221::/64 lookup 20003"; prio = 19000; }
- ];
 
 clerie.uplink-selector.enable = true;
 clerie.uplink-selector.uplinks = {
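Review bot: The IPv6 ip-up script now duplicates the 1000/2000 metric pair from the IPv4 script, and the matching `delete` lines in both ip-down hunks repeat the device names again, so a future change of uplink preference has to be made in four places and IPv4/IPv6 can silently drift apart. Consider binding the values once in a `let … in` wrapping the module body, e.g. `let uplinkMetric = { ppp-uplink-a = "2000"; ppp-uplink-b = "1000"; }; in`, and interpolating `${uplinkMetric.ppp-uplink-b}` into each `replace` line. The `case` and the enclosing `''` string start outside this hunk. A one-line comment that `default dev ppp-uplink-x` without `via` is intentional for the point-to-point PPP link would also help, since the route this replaces (`default via 2a01:4f8:1c0c:8221::25 dev net-services` in uplink-selector.nix) used a gateway.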