diff --git a/hosts/fra1-a/configuration.nix b/hosts/fra1-a/configuration.nix
index ec12485..093df51 100644
--- a/hosts/fra1-a/configuration.nix
+++ b/hosts/fra1-a/configuration.nix
@@ -91,7 +91,6 @@
     firewall = {
       allowedUDPPorts = [53];
       allowedTCPPorts = [22 53];
-      checkReversePath = "loose"; # for tailscale
     };
   };
 
diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix
index c377131..e98818d 100644
--- a/hosts/vno1-oh2/configuration.nix
+++ b/hosts/vno1-oh2/configuration.nix
@@ -603,7 +603,6 @@
     firewall = {
       allowedUDPPorts = [53 80 443];
       allowedTCPPorts = [53 80 443];
-      checkReversePath = "loose"; # for tailscale
     };
   };
 }
diff --git a/hosts/vno1-rp3b/configuration.nix b/hosts/vno1-rp3b/configuration.nix
index b3f91c1..bcfd458 100644
--- a/hosts/vno1-rp3b/configuration.nix
+++ b/hosts/vno1-rp3b/configuration.nix
@@ -108,7 +108,6 @@
       }
     ];
     firewall = {
-      checkReversePath = "loose"; # for tailscale
     };
   };
 
diff --git a/modules/base/default.nix b/modules/base/default.nix
index 7fcea33..748e52a 100644
--- a/modules/base/default.nix
+++ b/modules/base/default.nix
@@ -144,6 +144,7 @@
     };
 
     networking.firewall.logRefusedConnections = false;
+    networking.firewall.checkReversePath = "loose"; # for tailscale
 
     services = {
       chrony = {