diff --git a/common/network/default.nix b/common/network/default.nix
index 942cd51..c2d6fb6 100644
--- a/common/network/default.nix
+++ b/common/network/default.nix
@@ -14,8 +14,25 @@ in
 options.networking.ip_forward = mkEnableOption "Enable ip forwarding";
- config = mkIf cfg.ip_forward {
- boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
- boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
- };
+ config = mkMerge [
+ (mkIf cfg.ip_forward {
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+ boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
+ })
+ # Keep dhcpcd away from container/virtual interfaces. dhcpcd runs as a single
+ # daemon over every interface not on its deny list, and the nixpkgs default
+ # omits these. When containers create/tear down podman0/veth*, dhcpcd reacts
+ # to the link events with a full reconfigure and can drop the primary
+ # interface's DHCP default route, leaving the host unreachable.
+ {
+ networking.dhcpcd.denyInterfaces = [
+ "podman*"
+ "veth*"
+ "cni*"
+ "docker*"
+ "br-*"
+ ];
+ }
+ ];
 }
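Review bot: The `"br-*"` entry in the new `networking.dhcpcd.denyInterfaces` list is broader than the container case it is meant for and will also match a host's own uplink bridge (a `br-lan`/`br0`-style bridge with the physical NIC enslaved is a common NixOS layout), silently disabling DHCP on it and causing exactly the unreachable-host outage the comment is guarding against. If the target is Docker's user-defined networks, whose bridges are named `br-` followed by a 12-hex-character id, the pattern can be tightened to `"br-????????????"  # docker user-defined networks (br-<12 hex>)` without losing coverage; the other globs (`podman*`, `veth*`, `cni*`, `docker*`) do not have that ambiguity. The comment is also missing the security half of the rationale, worth one line next to the stability one: `# Also a hardening measure: a container on podman0/docker0 could answer DHCP there and have dhcpcd install routes/DNS on the host.` Note too that this second `mkMerge` element is unconditional, so the deny list now applies whether or not `networking.ip_forward` is set; that looks intended, but a short comment saying so (`# Unconditional: applies even when ip_forward is off`) would stop a later reader from gating it. The surrounding module body continues outside the hunk.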