diff --git a/package/gluon-mesh-vpn-core/Makefile b/package/gluon-mesh-vpn-core/Makefile
index 64f0e65b..c183c542 100644
--- a/package/gluon-mesh-vpn-core/Makefile
+++ b/package/gluon-mesh-vpn-core/Makefile
@@ -6,7 +6,7 @@ include ../gluon.mk
 
 define Package/gluon-mesh-vpn-core
   TITLE:=Basic support for connecting meshes via VPN tunnels
-  DEPENDS:=+gluon-core +gluon-wan-dnsmasq +simple-tc
+  DEPENDS:=+gluon-core +gluon-nftables +gluon-wan-dnsmasq +simple-tc
   USERID:=:gluon-mesh-vpn=800
 endef
 
diff --git a/package/gluon-mesh-vpn-core/files/lib/gluon/mesh-vpn/nftables.rules b/package/gluon-mesh-vpn-core/files/lib/gluon/nftables/mesh_vpn_dns.nft
similarity index 100%
rename from package/gluon-mesh-vpn-core/files/lib/gluon/mesh-vpn/nftables.rules
rename to package/gluon-mesh-vpn-core/files/lib/gluon/nftables/mesh_vpn_dns.nft
diff --git a/package/gluon-mesh-vpn-core/luasrc/lib/gluon/nftables/mesh_vpn.lua b/package/gluon-mesh-vpn-core/luasrc/lib/gluon/nftables/mesh_vpn.lua
new file mode 100644
index 00000000..88dba355
--- /dev/null
+++ b/package/gluon-mesh-vpn-core/luasrc/lib/gluon/nftables/mesh_vpn.lua
@@ -0,0 +1,4 @@
+include('mesh_vpn_dns', {
+	position = 'chain-prepend',
+	chain = 'dstnat',
+})
diff --git a/package/gluon-mesh-vpn-core/luasrc/lib/gluon/upgrade/500-mesh-vpn b/package/gluon-mesh-vpn-core/luasrc/lib/gluon/upgrade/500-mesh-vpn
index 0cf971a0..61f88217 100755
--- a/package/gluon-mesh-vpn-core/luasrc/lib/gluon/upgrade/500-mesh-vpn
+++ b/package/gluon-mesh-vpn-core/luasrc/lib/gluon/upgrade/500-mesh-vpn
@@ -25,15 +25,6 @@ uci:save('network')
 users.remove_user('gluon-fastd')
 users.remove_group('gluon-fastd')
 
-uci:section('firewall', 'include', 'mesh_vpn_dns', {
-	type = 'nftables',
-	path = '/lib/gluon/mesh-vpn/nftables.rules',
-	position = 'chain-prepend',
-	chain = 'dstnat',
-})
-
-uci:save('firewall')
-
 
 -- VPN migration
 if not uci:get('gluon', 'mesh_vpn') then