diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 0dd1c9024..9d280045a 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -55,6 +55,9 @@ my @PRIVATE_NETWORKS = (
 	"100.64.0.0/10",
 );
 
+# MARK masks
+my $NAT_MASK = 0x0f000000;
+
 my %fwdfwsettings=();
 my %fwoptions = ();
 my %defaultNetworks=();
@@ -829,10 +832,8 @@ sub add_dnat_mangle_rules {
 	my $interface = shift;
 	my @options = @_;
 
-	my $mark = 0;
+	my $mark = 0x01000000;
 	foreach my $zone ("GREEN", "BLUE", "ORANGE") {
-		$mark++;
-
 		# Skip rule if not all required information exists.
 		next unless (exists $defaultNetworks{$zone . "_NETADDRESS"});
 		next unless (exists $defaultNetworks{$zone . "_NETMASK"});
@@ -845,9 +846,11 @@ sub add_dnat_mangle_rules {
 		$netaddress .= "/" . $defaultNetworks{$zone . "_NETMASK"};
 
 		push(@mangle_options, ("-s", $netaddress, "-d", $nat_address));
-		push(@mangle_options, ("-j", "MARK", "--set-mark", $mark));
+		push(@mangle_options, ("-j", "MARK", "--set-xmark", "$mark/$NAT_MASK"));
 
 		run("$IPTABLES -t mangle -A $CHAIN_MANGLE_NAT_DESTINATION_FIX @mangle_options");
+
+		$mark <<= 1;
 	}
 }
 
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index baa39abe1..9d023a349 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -12,6 +12,8 @@ if [ -f /var/ipfire/red/device ]; then
 	DEVICE=`/bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d '\012'`
 fi
 
+NAT_MASK="0x0f000000"
+
 function iptables() {
 	/sbin/iptables --wait "$@"
 }
@@ -282,17 +284,17 @@ iptables_init() {
 
 	if [ -n "${GREEN_ADDRESS}" ]; then
 		iptables -t nat -A NAT_DESTINATION_FIX \
-			-m mark --mark 1 -j SNAT --to-source "${GREEN_ADDRESS}"
+			-m mark --mark "0x01000000/${NAT_MASK}" -j SNAT --to-source "${GREEN_ADDRESS}"
 	fi
 
 	if [ -n "${BLUE_ADDRESS}" ]; then
 		iptables -t nat -A NAT_DESTINATION_FIX \
-			-m mark --mark 2 -j SNAT --to-source "${BLUE_ADDRESS}"
+			-m mark --mark "0x02000000/${NAT_MASK}" -j SNAT --to-source "${BLUE_ADDRESS}"
 	fi
 
 	if [ -n "${ORANGE_ADDRESS}" ]; then
 		iptables -t nat -A NAT_DESTINATION_FIX \
-			-m mark --mark 3 -j SNAT --to-source "${ORANGE_ADDRESS}"
+			-m mark --mark "0x04000000/${NAT_MASK}" -j SNAT --to-source "${ORANGE_ADDRESS}"
 	fi
 
 	# RED chain, used for the red interface