diff --git a/README.md b/README.md index 4808897..9eda744 100644 --- a/README.md +++ b/README.md @@ -42,6 +42,7 @@ You **MUST** specify these options, or Lixonet will not work. * `tinc_peer_address` - The *router* address to use. This is your Lixonet routing layer address: 172.xxx.0.xxx * `network_address` - The *network* address to use. This is your Lixonet routing layer address: 172.xxx.0.0 (especially take note of the last two 0's: `0.0` -- it _MUST_ end with zeros corresponding to the network size) * `bgp_asn` - The BGP ASN to use. We usually follow the format `4206969XXX` where _XXX_ is the last octet of your `address`, zero-padded (i.e. 008 or 212) + * `internal_address` - The internal address to use. MUST be unique to this Lixonet EE instance; if the address of the host is 172.31.16.2, you should _NOT_ use that IP address, and instead pick another static address. * `internal_gateway` - The internal gateway to use. This is the IP address, directly upstream from the Lixonet EE router, that can be used as a next hop to reach your own subnets. #### Configuration example 
@@ -117,11 +118,12 @@ default 172.31.8.1 0.0.0.0 UG 202 0 0 eth0 * `router_prefix`: router network prefix: defaults to `24`. If you change this you _SHOULD_ change `netmask` too. * `netmask`: router netmask: defaults to `255.255.255.0` (`/24`); _SHOULD_ be the bitmask that corresponds to the `router_prefix` * `internal_interface`: the interface to route your _OWN_ networks to. This should be the interface where your personal Lixonet subnets are reachable at, or in other words the interface at which the Lixonet EE router can send packets destined to networks you own. Defaults to `eth0`. + * `internal_subnet`: the internal subnet that your Lixonet EE router is connected to, defaults to "`internal_gateway`/24". * `vip`: virtual IP: a virtual IP address to assign to the Lixonet EE router directly, aside from 172.31.0.8. #### Tinc options * `network_name` - The name of the interface that Tinc should create when it's started. Defaults to `lixonet`. Set this for multiple networks. - * `tinc_bind_address` - The address that Tinc should bind to to _listen_ for incoming WAN-sided connections (i.e. 10.0.0.1). This is _not_ the Lixonet router IP (i.e. 172.31.0.8). Use this if you have an `eth1` that you _don't_ want to use for binding tinc to, and would prefer to bind tinc exclusivley to `eth0` instead. + * `tinc_bind_address` - The address that Tinc should bind to to _listen_ for incoming public Internet connections (i.e. 10.0.0.1). This is _not_ the Lixonet router IP (i.e. 172.31.0.8). Use this if you have an `eth1` that you _don't_ want to use for binding tinc to, and would prefer to bind tinc exclusivley to `eth0` instead. Defaults to `internal_address`. * `tinc_bind_port` - The Tinc server port to listen on. Defaults to `9994`. * `tinc_connect_to` - A comma-separated list of well-known/pre-defined hosts to connect to (i.e. `denco_mane_lixo`). If not supplied, this is automatically set to all core routers that aren't yourself (`name`). 
diff --git a/build.sh b/build.sh index 13517a1..2939d85 100644 --- a/build.sh +++ b/build.sh @@ -28,6 +28,7 @@ do source $dir/lixonet.conf if [ -z "$git" ]; then echo "Missing 'git' variable in $dir/lixonet.conf"; exit 1; fi sigil_vars=$(cat /etc/lixonet/${netname}/lixonet.conf | tr "\\n" " ") + sigil_vars=$(echo "$sigil_vars netname=$netname") # Parse subnets into a collection of IP reverse zones root_reverse_zones=$(echo '${network_address}/${global_prefix:-16}' | sigil -p $sigil_vars | xargs -I '{}' netcalc split {} 24 | sed 's/.0\/24$//' | awk 'BEGIN{FS="."}{print $3"."$2"."$1".in-addr.arpa"}' | sed -e ':a;N;$!ba;s/\n/,/g') @@ -90,7 +91,7 @@ do # Fill out templates and remove them after process_templates "/etc/bind/$netname/" "$sigil_vars" - printf "COMPOSE_PROJECT_NAME=$netname\nBIND_ADDRESS=$tinc_peer_address" > .env + echo $sigil_vars | tr ' ' '\n' > .env docker-compose -p $netname up -d --build --remove-orphans rm .env diff --git a/docker-compose.yml b/docker-compose.yml index 882bd41..1ac2cdb 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,15 +1,12 @@ version: "3.7" services: tinc: - network_mode: host build: context: . dockerfile: Dockerfile.tinc - ports: - - "${BIND_ADDRESS}:655:655/tcp" - - "${BIND_ADDRESS}:655:655/udp" volumes: - /etc/tinc/${COMPOSE_PROJECT_NAME}:/etc/tinc/${COMPOSE_PROJECT_NAME} + - /usr/bin/docker-proxy:/usr/bin/docker-proxy environment: - RUNMODE=server - NETNAME=${COMPOSE_PROJECT_NAME} 
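Review bot: `sigil_vars=$(echo "$sigil_vars netname=$netname")` in build.sh's first hunk forks a subshell and runs `echo` to do a plain string concatenation; `sigil_vars="$sigil_vars netname=$netname"` is equivalent and avoids the extra process. Because `sigil_vars` is one space-separated string, the appended pair inherits the existing limitation that any value containing a space is split into separate words when it is passed unquoted to `sigil -p $sigil_vars` on the last context line; a comment such as `# space-separated KEY=VALUE list consumed by sigil -p; values must not contain spaces` would make that constraint visible. The `do` loop body this belongs to starts outside the hunk.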
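Review bot: `echo $sigil_vars | tr ' ' '\n' > .env` drops the `COMPOSE_PROJECT_NAME=` line the replaced `printf` used to write, but the tinc service in docker-compose.yml (context lines of its first hunk, further along this line) still interpolates `${COMPOSE_PROJECT_NAME}` for its `/etc/tinc/…` volume and for `NETNAME=`; unless that variable is exported somewhere outside the hunk, those expand to empty, so either write it again or switch those two references to `${netname}` as this commit does for the other services. `$sigil_vars` is unquoted, so a value containing a glob character is expanded against the working directory before `echo` sees it, and the whole of lixonet.conf is now copied into a file created under the default umask; I would write `printf 'COMPOSE_PROJECT_NAME=%s\n' "$netname" > .env` followed by `printf '%s\n' "$sigil_vars" | tr ' ' '\n' >> .env`, inside a `( umask 077; … )` subshell. If the script aborts on a failing `docker-compose up` (whether it does depends on a `set -e` or `trap` outside this hunk), the `rm .env` two lines later never runs and the full configuration stays on disk; a `trap 'rm -f .env' EXIT` covers both paths.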
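Review bot: The new `- /usr/bin/docker-proxy:/usr/bin/docker-proxy` volume bind-mounts a host executable into the tinc container read-write, so a root process inside that container could overwrite a binary the host's Docker daemon itself executes; add the read-only flag, `- /usr/bin/docker-proxy:/usr/bin/docker-proxy:ro`. Nothing in the diff says what inside the tinc image invokes docker-proxy now that `network_mode: host` and the published `${BIND_ADDRESS}` ports are gone; a one-line `#` comment above the mount stating that would help the next reader, and if nothing in the image calls it the mount should be dropped rather than kept.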
@@ -18,53 +15,56 @@ services: devices: - /dev/net/tun:/dev/net/tun restart: always + networks: + internal: + ipv4_address: ${internal_address} bird: - network_mode: host + network_mode: 'service:tinc' depends_on: - tinc build: context: . dockerfile: Dockerfile.bird - ports: - - "${BIND_ADDRESS}:179:179/tcp" volumes: - - /etc/bird/${COMPOSE_PROJECT_NAME}/:/etc/bird/ + - /etc/bird/${netname}/:/etc/bird/ - bird-run:/var/run/bird/ cap_add: - NET_ADMIN restart: always bind: - depends_on: - - tinc + network_mode: 'service:tinc' build: context: . dockerfile: Dockerfile.bind - ports: - - "${BIND_ADDRESS}:53:53/udp" - - "${BIND_ADDRESS}:53:53/tcp" volumes: - - /etc/bind/${COMPOSE_PROJECT_NAME}/:/etc/bind/ + - /etc/bind/${netname}/:/etc/bind/ restart: always bird_exporter: + network_mode: 'service:tinc' image: czerwonk/bird_exporter command: '-bird.v2=true -bird.socket=/var/run/bird/bird.ctl' depends_on: - bird - ports: - - "${BIND_ADDRESS}:9324:9324/tcp" volumes: - bird-run:/var/run/bird/ restart: always ping_exporter: + network_mode: 'service:tinc' image: czerwonk/ping_exporter command: './ping_exporter --config.path /pinger.yml' depends_on: - tinc - ports: - - "${BIND_ADDRESS}:9427:9427/tcp" volumes: - - /etc/tinc/${COMPOSE_PROJECT_NAME}/pinger.yml:/pinger.yml + - /etc/tinc/${netname}/pinger.yml:/pinger.yml restart: always volumes: bird-run: +networks: + internal: + driver: macvlan + driver_opts: + parent: eth0 + ipam: + config: + - subnet: ${internal_subnet:-$internal_gateway/24} diff --git a/tinc/tinc.conf.tmpl b/tinc/tinc.conf.tmpl index 6e59856..e9a5aac 100644 --- a/tinc/tinc.conf.tmpl +++ b/tinc/tinc.conf.tmpl 
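Review bot: With `network_mode: 'service:tinc'` on bird, bind, bird_exporter and ping_exporter, every listener in those containers (BGP 179, DNS 53, and the 9324 and 9427 metrics ports that the removed `ports:` entries used to pin to `${BIND_ADDRESS}`) is now reachable on the macvlan `ipv4_address: ${internal_address}` from the whole `internal_subnet`, and nothing in the compose file narrows that; the two exporters in particular should be bound to loopback or filtered, and the exposure written down in the README next to `internal_address`. `parent: eth0` under `networks.internal.driver_opts` is hard-coded while the README documents `internal_interface` (default `eth0`) as the interface the router's own networks sit on; if that is the same NIC, `parent: ${internal_interface:-eth0}` keeps the two in step. `subnet: ${internal_subnet:-$internal_gateway/24}` relies on compose expanding a `$internal_gateway` reference nested inside a `:-` default, which not every docker-compose release does, and even when it does the fallback is a host address with a prefix attached rather than a network address, which Docker's IPAM may normalise or reject; worth verifying against the compose version in use, or computing the default in build.sh instead. The tinc service whose `devices:` block opens this hunk starts outside it.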
@@ -11,9 +11,8 @@ Name = ${tinc_peer_name} # Do not change these. Lixonet runs over port 9993 by standard. {{ if len "${tinc_bind_interface:-}" }} BindToInterface ${tinc_bind_interface} -{{ end }} -{{ if len "${tinc_bind_address:-}" }} -BindToAddress ${tinc_bind_address} +{{ else }} +BindToAddress ${tinc_bind_address:-$internal_address} {{ end }} Port = ${tinc_bind_port:-9994}
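Review bot: The new `{{ else }}` branch always emits a `BindToAddress` line, so when neither `tinc_bind_address` nor `internal_address` is set the rendered tinc.conf contains `BindToAddress ` with no value, where the old template simply omitted the directive; keeping a length guard, e.g. `{{ else if len "${tinc_bind_address:-$internal_address}" }}` (if sigil's template syntax accepts `else if`), or checking `internal_address` in build.sh before rendering, preserves the old behaviour. The fallback also depends on sigil expanding a `$internal_address` reference nested inside a `:-` default, and the existing `${tinc_bind_port:-9994}` only shows that literal defaults work, so it is worth rendering once with `tinc_bind_address` unset to confirm the address rather than the literal text ends up in the file. A comment above the directive such as `# Falls back to the container's internal (macvlan) address; see docker-compose.yml networks.internal` would record why the default changed. The hunk's trailing context line appears to be cut off in this view.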