diff --git a/resources/chaosknoten/router/nftables/nftables.conf b/resources/chaosknoten/router/nftables/nftables.conf
index 6bc6cbe..8d30852 100644
--- a/resources/chaosknoten/router/nftables/nftables.conf
+++ b/resources/chaosknoten/router/nftables/nftables.conf
@@ -7,12 +7,20 @@ define if_net1_v4_wan = "net1"
 define if_net2_v6_wan = "net2"
 define if_net0_2_v4_nat = "net0.2"
 define if_net0_3_ci_runner = "net0.3"
+define if_net0_4_v4_nat_legacy = "net0.4"
+define if_net0_5_public = "net0.5"
 
 # Interface Groups
 define wan_ifs = { $if_net1_v4_wan,
                    $if_net2_v6_wan }
 define lan_ifs = { $if_net0_2_v4_nat,
-                   $if_net0_3_ci_runner }
+                   $if_net0_3_ci_runner,
+                   $if_net0_4_v4_nat_legacy,
+                   $if_net0_5_public }
+define v4_exposed_ifs = { $if_net0_5_public }
+define v6_exposed_ifs = { $if_net0_2_v4_nat,
+                          $if_net0_4_v4_nat_legacy,
+                          $if_net0_5_public }
 
 
 ## Rules
@@ -67,7 +75,10 @@ table inet forward {
         ct state established,related accept
 
         # Allow internet access.
-		meta nfproto ipv6 iifname $lan_ifs oifname $if_net2_v6_wan accept comment "allow v6 internet access"
-		meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access"
+        iifname $lan_ifs oifname $wan_ifs accept comment "allow internet access"
+
+        # Allow access to exposed networks from internet.
+        meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
+        meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access"
     }
 }
diff --git a/resources/chaosknoten/router/systemd_networkd/00-net1.link b/resources/chaosknoten/router/systemd_networkd/00-net1.link
index ef04d04..9489f17 100644
--- a/resources/chaosknoten/router/systemd_networkd/00-net1.link
+++ b/resources/chaosknoten/router/systemd_networkd/00-net1.link
@@ -1,5 +1,6 @@
 [Match]
-MACAddress=BC:24:11:9A:FB:34
+# Stolen from turing to make 212.12.48.122 work.
+MACAddress=0E:A4:E3:97:16:92
 Type=ether
 
 [Link]
diff --git a/resources/chaosknoten/router/systemd_networkd/10-net0.4-v4_nat_legacy.netdev b/resources/chaosknoten/router/systemd_networkd/10-net0.4-v4_nat_legacy.netdev
new file mode 100644
index 0000000..5cb68ed
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/10-net0.4-v4_nat_legacy.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=net0.4
+Kind=vlan
+
+[VLAN]
+Id=4
diff --git a/resources/chaosknoten/router/systemd_networkd/10-net0.5-public.netdev b/resources/chaosknoten/router/systemd_networkd/10-net0.5-public.netdev
new file mode 100644
index 0000000..be3c9d9
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/10-net0.5-public.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=net0.5
+Kind=vlan
+
+[VLAN]
+Id=5
diff --git a/resources/chaosknoten/router/systemd_networkd/20-net0.network b/resources/chaosknoten/router/systemd_networkd/20-net0.network
index a32d75e..59897cf 100644
--- a/resources/chaosknoten/router/systemd_networkd/20-net0.network
+++ b/resources/chaosknoten/router/systemd_networkd/20-net0.network
@@ -7,6 +7,7 @@ RequiredForOnline=no
 [Network]
 VLAN=net0.2
 VLAN=net0.3
+VLAN=net0.4
+VLAN=net0.5
 
 LinkLocalAddressing=no
-
diff --git a/resources/chaosknoten/router/systemd_networkd/20-net1.network b/resources/chaosknoten/router/systemd_networkd/20-net1.network
index c8bffc1..5789ef6 100644
--- a/resources/chaosknoten/router/systemd_networkd/20-net1.network
+++ b/resources/chaosknoten/router/systemd_networkd/20-net1.network
@@ -5,10 +5,11 @@ Name=net1
 DNS=212.12.50.158
 IPForward=ipv4
 IPv6AcceptRA=no
-
-[Address]
+# v4 taken from turing for routing public v4 range and turing-compat for v4-NAT-legacy network.
+# Also just the v4 for other purposes as well.
+Address=212.12.48.122/24
 Address=212.12.48.123/24
-
-[Route]
+# v6 for turing-compat for v4-NAT-legacy network routed v6.
+Address=2a00:14b0:4200:3000:122::1
 Gateway=212.12.48.55
-
+Gateway=2a00:14b0:4200:3000::1
diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.4-v4_nat_legacy.network b/resources/chaosknoten/router/systemd_networkd/21-net0.4-v4_nat_legacy.network
new file mode 100644
index 0000000..dd63a73
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/21-net0.4-v4_nat_legacy.network
@@ -0,0 +1,23 @@
+[Match]
+Name=net0.4
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=v4-NAT-legacy
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+[Address]
+Address=172.31.17.129/25
+
+[IPv6SendRA]
+UplinkInterface=net1
+
+[IPv6Prefix]
+Prefix=2a00:14b0:f000:23::/64
+Assign=true
+Token=static:::1
diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.5-public.network b/resources/chaosknoten/router/systemd_networkd/21-net0.5-public.network
new file mode 100644
index 0000000..d49eb60
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/21-net0.5-public.network
@@ -0,0 +1,22 @@
+[Match]
+Name=net0.5
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=public
+
+IPv6SendRA=yes
+
+[Address]
+Address=212.12.50.209/29
+
+[IPv6SendRA]
+UplinkInterface=net2
+
+[IPv6Prefix]
+Prefix=2a00:14b0:42:105::/64
+Assign=true
+Token=static:::1