diff --git a/collect/sentinel/sentinel-firewall/Makefile b/collect/sentinel/sentinel-firewall/Makefile
index 6f522285a..b5da8be46 100644
--- a/collect/sentinel/sentinel-firewall/Makefile
+++ b/collect/sentinel/sentinel-firewall/Makefile
@@ -68,6 +68,8 @@ define Package/sentinel-firewall-nftables/install
 $(INSTALL_DATA) ./files/common_nftables.sh $(1)/usr/libexec/sentinel/firewall.d/common.sh
 $(INSTALL_DIR) $(1)/etc/uci-defaults
 $(INSTALL_BIN) ./files/uci-defaults $(1)/etc/uci-defaults/99-sentinel-firewall
+ $(INSTALL_DIR) $(1)/etc/hotplug.d/iface
+ $(INSTALL_BIN) ./files/90-wan-ip $(1)/etc/hotplug.d/iface/90-wan-ip
 $(INSTALL_DIR) $(1)/lib/functions
 $(INSTALL_DATA) ./files/functions.sh $(1)/lib/functions/sentinel-firewall.sh
 endef
diff --git a/collect/sentinel/sentinel-firewall/files/90-wan-ip b/collect/sentinel/sentinel-firewall/files/90-wan-ip
new file mode 100755
index 000000000..d27f35dc1
--- /dev/null
+++ b/collect/sentinel/sentinel-firewall/files/90-wan-ip
@@ -0,0 +1,17 @@
+if [ "$INTERFACE" = "wan" ]; then
+ zone="wan"
+ nft add set inet turris-sentinel "${zone}_ips_6" "{ type ipv6_addr; comment \"IPv4 addresses in zone $zone\" ; }"
+ nft flush set inet turris-sentinel "${zone}_ips_6"
+ for dev in $(ifstatus wan | jsonfilter -e '@.device'); do
+ for ip in $(ip a s dev "$dev" | sed -n 's|.*inet6 \([0-9a-f:]*\)/.*|\1|p'); do
+ nft add element inet turris-sentinel "${zone}_ips_6" "{ $ip }"
+ done
+ done
+ nft add set inet turris-sentinel "${zone}_ips_4" "{ type ipv4_addr; comment \"IPv4 addresses in zone $zone\" ; }"
+ nft flush set inet turris-sentinel "${zone}_ips_4"
+ for dev in $(ifstatus wan | jsonfilter -e '@.device'); do
+ for ip in $(ip a s dev "$dev" | sed -n 's|.*inet \([0-9.]*\)/.*|\1|p'); do
+ nft add element inet turris-sentinel "${zone}_ips_4" "{ $ip }"
+ done
+ done
+fi
diff --git a/collect/sentinel/sentinel-firewall/files/common_nftables.sh b/collect/sentinel/sentinel-firewall/files/common_nftables.sh
index 47f359d45..c878cd78a 100644
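Review bot: Every `nft` invocation in this script is its own transaction, so from `nft flush set inet turris-sentinel "${zone}_ips_6"` until the last `nft add element` the set is empty and the `ip6 daddr @wan_ips_6` / `ip daddr @wan_ips_4` jumps added in common_nftables.sh match nothing; the IPv6 set is also created with the comment `IPv4 addresses in zone $zone` (copy-pasted from the IPv4 block, and the same text appears in the common_nftables.sh hunk). Feeding all changes to a single `nft -f -` batch makes the refill atomic and folds the two near-identical loops into one, as below. The script also ignores `$ACTION` and fires only for `INTERFACE=wan`, so an IPv6 address that arrives later on a separate interface sharing the same device (a `wan6` interface, if one exists) would presumably not refresh the set — hedged, since the interface layout is not visible here, but a header comment naming the hotplug events this file relies on would help. Likewise `jsonfilter -e '@.device'` yields the lower device; for a PPPoE WAN the addresses sit on `l3_device`, which this would miss.
```shell
if [ "$INTERFACE" = "wan" ]; then
	zone="wan"
	devs="$(ifstatus wan | jsonfilter -e '@.device')"
	# One nft transaction: the sets are never observed empty between the flush and the refill.
	{
		echo "add set inet turris-sentinel ${zone}_ips_6 { type ipv6_addr; comment \"IPv6 addresses in zone $zone\"; }"
		echo "flush set inet turris-sentinel ${zone}_ips_6"
		echo "add set inet turris-sentinel ${zone}_ips_4 { type ipv4_addr; comment \"IPv4 addresses in zone $zone\"; }"
		echo "flush set inet turris-sentinel ${zone}_ips_4"
		for dev in $devs; do
			ip a s dev "$dev" | sed -n \
				-e "s|.*inet6 \([0-9a-f:]*\)/.*|add element inet turris-sentinel ${zone}_ips_6 { \1 }|p" \
				-e "s|.*inet \([0-9.]*\)/.*|add element inet turris-sentinel ${zone}_ips_4 { \1 }|p"
		done
	} | nft -f -
fi
```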
--- a/collect/sentinel/sentinel-firewall/files/common_nftables.sh
+++ b/collect/sentinel/sentinel-firewall/files/common_nftables.sh
@@ -30,7 +30,11 @@ setup_zone() {
 # Setup port-forwarding infrastructure for minipots in turris-sentinel table
 nft delete chain inet turris-sentinel minipots_dstnat_"$zone" 2> /dev/null || :
 nft add chain inet turris-sentinel minipots_dstnat_"$zone"
- nft add rule inet turris-sentinel minipots_dstnat iifname $wan_if jump minipots_dstnat_"$zone" \
+ nft add set inet turris-sentinel "${zone}_ips_6" "{ type ipv6_addr; comment \"IPv4 addresses in zone $zone\" ; }"
+ nft add rule inet turris-sentinel minipots_dstnat iifname $wan_if ip6 daddr @${zone}_ips_6 jump minipots_dstnat_"$zone" \
+ comment "\"!sentinel: port redirection for minipots\""
+ nft add set inet turris-sentinel "${zone}_ips_4" "{ type ipv4_addr; comment \"IPv4 addresses in zone $zone\" ; }"
+ nft add rule inet turris-sentinel minipots_dstnat iifname $wan_if ip daddr @${zone}_ips_4 jump minipots_dstnat_"$zone" \
 comment "\"!sentinel: port redirection for minipots\""
 
 # Setup blocking infrastructure
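Review bot: The new `ip6 daddr @${zone}_ips_6` and `ip daddr @${zone}_ips_4` matches make the minipot redirection depend on sets that nothing in this file fills; they are only populated by the new hotplug script, which handles the single interface `wan`, so for any other `$zone` passed to setup_zone — and, until the next wan hotplug event, right after this function has run — the jump matches nothing and redirection is silently off. A comment on the two `nft add set` lines should state that contract, e.g. `# populated by /etc/hotplug.d/iface/90-wan-ip on wan events; an empty set disables the redirect`. Consider triggering the refill from here (or from the firewall reload hook) so a reload does not wait for the next interface event — whether the turris-sentinel table is flushed on reload is not visible in this hunk. setup_zone begins before the hunk and its remainder runs past it.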