diff --git a/scripts/first-boot-containers.sh b/scripts/first-boot-containers.sh
index 74b34889..a604b6c8 100644
--- a/scripts/first-boot-containers.sh
+++ b/scripts/first-boot-containers.sh
@@ -168,11 +168,14 @@ fi
 TARGET_IP=$(hostname -I 2>/dev/null | awk '{print $1}')
 [ -z "$TARGET_IP" ] && TARGET_IP="127.0.0.1"
-# Resolve host-gateway for --add-host (podman 4.3.x doesn't support "host-gateway")
-# Use the default gateway IP from the podman network, falling back to host LAN IP
-HOST_GATEWAY=$(ip route show default 2>/dev/null | awk '/default/ {print $3}' | head -1)
-[ -z "$HOST_GATEWAY" ] && HOST_GATEWAY="$TARGET_IP"
-ADD_HOST_FLAG="--add-host=host.containers.internal:${HOST_GATEWAY}"
+# Map host.containers.internal to the rootless-podman host gateway.
+# Podman 4.4+ supports the magic string "host-gateway" which resolves to
+# the correct in-container-network gateway IP at container start. We used
+# to compute a value from `ip route` here, but that returned the LAN
+# router (e.g. 192.168.1.254 or 192.168.1.1) — the gateway out to the
+# internet, not the gateway to the host — which broke every container
+# trying to reach bitcoin-core's RPC on the host (LND, ElectrumX, etc).
+ADD_HOST_FLAG="--add-host=host.containers.internal:host-gateway"
 log() { echo "$(date '+%Y-%m-%d %H:%M:%S') $*" | tee -a "$LOG"; }
@@ -641,7 +644,7 @@ if [ -f "$BOOTSTRAP_CONF" ]; then
 "http://127.0.0.1:18332/" >/dev/null 2>&1; then
 USE_BOOTSTRAP=true
 # Containers reach host via host.containers.internal (set by $ADD_HOST_FLAG)
- BTC_HOST="${HOST_GATEWAY:-$TARGET_IP}"
+ BTC_HOST="$TARGET_IP"
 BTC_HOST_PORT=18332
 BTC_RPC_USER="$BOOT_USER"
 BTC_RPC_PASS="$BOOTSTRAP_RPC_PASS"
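Review bot: Nothing in this hunk checks that the installed podman accepts `host-gateway` before `ADD_HOST_FLAG` is set unconditionally; the new comment says the value needs Podman 4.4+, and the removed comment recorded that 4.3.x does not support it. On an older host every `podman run` carrying the flag would presumably fail at first boot, with the cause buried in container start errors. A guard next to the assignment makes that explicit, e.g. `pv=$(podman --version | awk '{print $3}')` followed by `case "$pv" in [0-3].*|4.[0-3].*) echo "podman $pv lacks host-gateway" >&2; exit 1 ;; esac`. The comment could also state that this mapping makes host services reachable from every container that gets the flag, so the RPC listener's bind address and allow-list are what bound that access.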
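Review bot: `BTC_HOST="$TARGET_IP"` hands out the host's first LAN address (or `127.0.0.1` when `hostname -I` returned nothing, per the fallback in the first hunk), while the comment kept directly above still says containers reach the host via `host.containers.internal`. If BTC_HOST is consumed inside containers, the loopback fallback points at the container itself, and the LAN address only works if bitcoind's RPC listens on that interface, which exposes the RPC port more widely than the container gateway would; neither the consumers nor the bitcoind config are visible here. Using the name this commit just repaired looks like the intent: `BTC_HOST="host.containers.internal"`. The enclosing `if [ -f "$BOOTSTRAP_CONF" ]` block starts and ends outside the hunk.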