diff --git a/hosts/ni/default.nix b/hosts/ni/default.nix index 4f6637fb..917a93a9 100644 --- a/hosts/ni/default.nix +++ b/hosts/ni/default.nix @@ -9,8 +9,8 @@ let wireguardPeers; wireguardAllowedIPs = [ - "${interfaces.internal.IPv4}/16" - "${interfaces.internal.IPv6}/64" + "${interfaces.internal.IPv4.address}/16" + "${interfaces.internal.IPv6.address}/64" ]; wireguardIFName = "wireguard0"; in @@ -229,7 +229,7 @@ in PublicKey = lib.readFile ../plover/files/wireguard/wireguard-public-key-plover; PresharedKeyFile = config.sops.secrets."ni/wireguard/preshared-keys/plover".path; AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs; - Endpoint = "${interfaces.main'.IPv4}:51820"; + Endpoint = "${interfaces.main'.IPv4.address}:${toString wireguardPort}"; }; } ]; diff --git a/hosts/plover/default.nix b/hosts/plover/default.nix index 9835d4b6..69c18390 100644 --- a/hosts/plover/default.nix +++ b/hosts/plover/default.nix @@ -2,6 +2,7 @@ let inherit (builtins) toString; + inherit (import ./modules/hardware/networks.nix) interfaces; # The head of the Borgbase hostname. hetzner-boxes-user = "u332477"; @@ -56,6 +57,10 @@ in services.fail2ban.ignoreIP = [ "172.16.0.0/12" "fc00::/7" + + # Those from the tunneling services. + "${interfaces.wireguard0.IPv4.address}/16" + "${interfaces.wireguard0.IPv6.address}/64" ]; # TODO: Put the secrets to the respective service module. diff --git a/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix b/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix index 537e053f..511fe030 100644 --- a/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix +++ b/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix 
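Review bot: `Endpoint = "${interfaces.main'.IPv4.address}:${toString wireguardPort}"` references `wireguardPort`, but nothing visible in hosts/ni/default.nix brings it into scope; the first hunk shows only `wireguardPeers` being inherited around line 9, so unless `wireguardPort` is part of that same inherit (outside the hunk) evaluation fails with an undefined variable. If it is meant to come from networks.nix, presumably `inherit (import ../plover/modules/hardware/networks.nix) wireguardPort;` next to the existing inherit makes the dependency explicit and keeps the port in one place. The enclosing peer attribute set of the netdev starts and ends outside the hunk.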
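Review bot: The two new `ignoreIP` entries exempt the whole tunnel ranges (`10.210.0.1/16` and the wireguard0 `/64`) from fail2ban, while networks.nix assigns the peers single fixed addresses (`desktop` and `phone` under `wireguardIPHostPart`), so a compromised or misbehaving peer gets no brute-force protection at all. Narrowing to the peers is easy because the same import provides them: `inherit (import ./modules/hardware/networks.nix) interfaces wireguardPeers;` and then `wireguardPeers.desktop.IPv4 wireguardPeers.phone.IPv4` (plus their `.IPv6` counterparts) in place of the two wildcard ranges. The entries also carry host bits (`.1/16`); writing the network address avoids relying on fail2ban to mask them. The `services.fail2ban.ignoreIP` list is complete within the hunk.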
@@ -4,12 +4,12 @@ # settings of whatever image format configuration this host system will import # from nixos-generators. let - network = import ./networks.nix; inherit (builtins) toString; - inherit (network) privateIPv6Prefix interfaces; + inherit (import ./networks.nix) interfaces; # This is just referring to the same interface just with alternative names. - mainEthernetInterfaceNames = [ "ens3" "enp0s3" ]; + mainEthernetInterfaceNames = [ "ens10" "enp0s10" ]; + internalEthernetInterfaceNames = [ "ens11" "enp0s11" ]; in { imports = [ 
@@ -58,61 +58,68 @@ in # For more information, you can look at Hetzner documentation from # https://docs.hetzner.com/robot/dedicated-server/ip/additional-ip-adresses/ networks = { - "60-wan" = { + "20-wan" = { matchConfig.Name = lib.concatStringsSep " " mainEthernetInterfaceNames; # Setting the primary static IPs. address = with interfaces; [ # The public IPs. - "${main'.IPv4}/32" - "${main'.IPv6}/128" - - # IPs in the LAN. - "${main.IPv4}/16" - "${main.IPv6}/64" + "${main'.IPv4.address}/32" + "${main'.IPv6.address}/128" ]; - networkConfig = { - IPForward = true; - IPMasquerade = "both"; - }; + networkConfig.IPForward = true; + + gateway = [ + interfaces.main'.IPv4.gateway + interfaces.main'.IPv6.gateway + ]; routes = [ - { routeConfig.Gateway = "fe80::1"; } - { routeConfig.Destination = "${interfaces.main'.IPv4}/32"; } + { routeConfig.Gateway = interfaces.main'.IPv6.gateway; } + { routeConfig.Destination = interfaces.main'.IPv4.address; } { routeConfig = { - Gateway = "${interfaces.main'.IPv4}/32"; + Gateway = interfaces.main'.IPv4.gateway; GatewayOnLink = true; }; } ]; }; - "60-lan" = { - matchConfig.Name = "ens11"; - address = with interfaces.internal; [ - "${IPv4}/16" - "${IPv6}/64" + "20-lan" = with interfaces.internal; { + matchConfig.Name = lib.concatStringsSep " " internalEthernetInterfaceNames; + address = [ + "${IPv4.address}/16" + "${IPv6.address}/64" + ]; + gateway = [ + IPv4.gateway + IPv6.gateway + ]; + + routes = [ + { routeConfig.Gateway = IPv6.gateway; } + { routeConfig.Destination = IPv4.address; } + + { + routeConfig = { + Gateway = IPv4.gateway; + GatewayOnLink = true; + }; + } ]; - networkConfig.DHCP = "yes"; }; - # This is to make use of the remaining ethernet interfaces as we can - # build a local network. 
- "60-dhcpv6-pd-downstreams" = { - matchConfig.Name = "en*"; + "60-internal" = { + matchConfig.Name = "ens*"; networkConfig.DHCP = "yes"; - - # Even if there's one, it would have the interface with subnets and a - # guaranteed network interface for the internal services. - dhcpV6Config.PrefixDelegationHint = "${privateIPv6Prefix}:43ff::/64"; }; }; }; # This is to look out for any errors that will occur for my networking setup # which is always a possibility. - systemd.services.systemd-networkd.serviceConfig.Environment = "SYSTEMD_LOG_LEVEL=debug"; + systemd.services.systemd-networkd.serviceConfig.Environment = "SYSTEMD_LOG_LEVEL=info"; } diff --git a/hosts/plover/modules/hardware/networks.nix b/hosts/plover/modules/hardware/networks.nix index 503b8a36..06df31a6 100644 --- a/hosts/plover/modules/hardware/networks.nix +++ b/hosts/plover/modules/hardware/networks.nix 
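Review bot: `20-wan` and `20-lan` each now set both `gateway = [ IPv4.gateway IPv6.gateway ]` and explicit `routeConfig.Gateway` routes, so the host gets duplicate default routes per family on the WAN and a second set on the private LAN (`172.16.0.1` and `fe80::1` via the internal interface), and which interface carries internet-bound traffic becomes a metric tie rather than a choice. The explicit routes with `GatewayOnLink = true` already handle the off-subnet IPv4 gateways; dropping the two `gateway = [ ... ];` lists (at minimum the one in `20-lan`) removes the duplicates, and a plain `Gateway=` in [Network] for a gateway outside a /32 address presumably fails without on-link anyway. `IPMasquerade = "both"` is removed while `IPForward = true` stays; if the WireGuard peers still rely on plover for outbound NAT this silently breaks them, and a comment stating the intended forwarding/NAT policy would help the next reader. The enclosing `systemd.network` attribute set starts outside the hunk.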
@@ -6,30 +6,58 @@ let in rec { privateIPv6Prefix = "fdee:b0de:5685"; - interfaces = { + interfaces = let + ploverInternalNetworkGateway = "172.16.0.1"; + widdeerLan = "10.0.0.1"; + ipv6Gateway = "fe80::1"; + in + { # This is the public-facing interface. Any interface name with a prime # symbol means it's a public-facing interface. main' = { - IPv4 = "95.217.212.19"; - IPv6 = "2a01:4f9:c011:a448::1"; + # The gateways for the public addresses are retrieved from the following + # pages: + # + # * https://docs.hetzner.com/cloud/networks/faq/#are-any-ip-addresses-reserved + # * https://docs.hetzner.com/robot/dedicated-server/ip/additional-ip-adresses/#gateway + IPv4 = { + address = "95.217.212.19"; + gateway = "172.31.1.1"; + }; + IPv6 = { + address = "2a01:4f9:c011:a448::1"; + gateway = ipv6Gateway; + }; }; # /16 block for IPv4, /64 for IPv6. main = { - IPv4 = "172.25.0.1"; - IPv6 = "${privateIPv6Prefix}:1::"; + IPv4 = { + address = "172.27.0.1"; + gateway = ploverInternalNetworkGateway; + }; + IPv6 = { + address = "${privateIPv6Prefix}:1::"; + gateway = ipv6Gateway; + }; }; # /16 block for IPv4, /64 for IPv6. internal = { - IPv4 = "172.24.0.1"; - IPv6 = "${privateIPv6Prefix}:2::"; + IPv4 = { + address = "172.27.0.2"; + gateway = ploverInternalNetworkGateway; + }; + IPv6 = { + address = "${privateIPv6Prefix}:2::"; + gateway = ipv6Gateway; + }; }; # /16 BLOCK for IPv4, /64 for IPv6. wireguard0 = { - IPv4 = "10.210.0.1"; - IPv6 = "${privateIPv6Prefix}:12ae::"; + IPv4.address = "10.210.0.1"; + IPv6.address = "${privateIPv6Prefix}:12ae::"; }; }; 
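Review bot: `widdeerLan = "10.0.0.1"` is bound in the new `let` but never referenced anywhere in the hunk; drop it or use it, since an unused binding in an address table reads as forgotten configuration. `main` and `internal` now both sit in `172.27.0.0/16` (`.1` and `.2`) yet keep separate "/16 block for IPv4" comments inherited from the old distinct `172.25`/`172.24` blocks; the comments should say they are two hosts of the same subnet. `ploverInternalNetworkGateway = "172.16.0.1"` lies outside that /16 and the shared `ipv6Gateway = "fe80::1"` is reused for the private network, so a note such as `# Gateway is the first address of the enclosing Hetzner private network, not of this subnet; reach it via an on-link route.` next to the binding would stop a future reader from "fixing" it, assuming that is indeed the intended layout. The `rec { ... }` set is opened before the hunk.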
@@ -39,19 +67,22 @@ rec { # Wireguard-related things. wireguardPort = 51820; wireguardIPHostPart = "10.210.0"; - wireguardIPv6Prefix = interfaces.wireguard0.IPv6; + wireguardIPv6Prefix = interfaces.wireguard0.IPv6.address; # These are all fixed IP addresses. They should be /32 IPv4 block and /128 # IPv6 block. wireguardPeers = { - server = with interfaces.wireguard0; { inherit IPv4 IPv6; }; + server = with interfaces.wireguard0; { + IPv4 = IPv4.address; + IPv6 = IPv6.address; + }; desktop = { IPv4 = "${wireguardIPHostPart}.2"; - IPv6 = "${wireguardIPv6Prefix}:12ae::2"; + IPv6 = "${wireguardIPv6Prefix}2"; }; phone = { IPv4 = "${wireguardIPHostPart}.3"; - IPv6 = "${wireguardIPv6Prefix}:12ae::3"; + IPv6 = "${wireguardIPv6Prefix}3"; }; }; } diff --git a/hosts/plover/modules/services/atuin.nix b/hosts/plover/modules/services/atuin.nix index 3a2c3679..3ee80bbf 100644 --- a/hosts/plover/modules/services/atuin.nix +++ b/hosts/plover/modules/services/atuin.nix @@ -7,7 +7,7 @@ let inherit (import ../hardware/networks.nix) preferredInternalTLD interfaces; atuinDomain = "atuin.${config.networking.domain}.${preferredInternalTLD}"; - host = interfaces.internal.IPv4; + host = interfaces.internal.IPv4.address; in { # Atuin sync server because why not. diff --git a/hosts/plover/modules/services/keycloak.nix b/hosts/plover/modules/services/keycloak.nix index c59789bf..9caaa429 100644 --- a/hosts/plover/modules/services/keycloak.nix +++ b/hosts/plover/modules/services/keycloak.nix @@ -11,7 +11,7 @@ let keycloakDbName = if config.services.keycloak.database.createLocally then keycloakUser else config.services.keycloak.database.username; certs = config.security.acme.certs; - host = interfaces.internal.IPv4; + host = interfaces.internal.IPv4.address; in { # Hey, the hub for your application sign-in. diff --git a/hosts/plover/modules/services/wireguard.nix b/hosts/plover/modules/services/wireguard.nix index d58c1e06..69210cff 100644 --- a/hosts/plover/modules/services/wireguard.nix 
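Review bot: `IPv6 = "${wireguardIPv6Prefix}2"` only yields `fdee:b0de:5685:12ae::2` because `interfaces.wireguard0.IPv6.address` happens to end in `::`; if that server address is ever given a host part (say `::1`) the peers silently become `::12` and `::13`. Define the prefix as its own value instead of aliasing the server address, e.g. `wireguardIPv6Prefix = "${privateIPv6Prefix}:12ae::";`, and add `# Must end in "::"; peer addresses are built by appending the host part.` above it so the contract is visible. The `rec` set is opened outside the hunk.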
+++ b/hosts/plover/modules/services/wireguard.nix @@ -53,8 +53,8 @@ in networks."99-${wireguardIFName}" = { matchConfig.Name = wireguardIFName; address = with interfaces.wireguard0; [ - "${IPv4}/32" - "${IPv6}/128" + "${IPv4.address}/32" + "${IPv6.address}/128" ]; routes = [