diff --git a/charts/t8s-cluster/templates/workload-cluster/cni-cilium.yaml b/charts/t8s-cluster/templates/workload-cluster/cni-cilium.yaml
index 73c56c5966..dad11624c9 100644
--- a/charts/t8s-cluster/templates/workload-cluster/cni-cilium.yaml
+++ b/charts/t8s-cluster/templates/workload-cluster/cni-cilium.yaml
@@ -25,6 +25,15 @@ spec:
   targetNamespace: kube-system
   releaseName: cni
   values:
+    # enable eBPF based routing instead of iptables
+    nodePort:
+      enabled: true
+    bpf:
+      masquerade: true
+    # enable eBPF bases host routing
+    # currently not really possible with CAPI, as they don't support disabling the built-in kube-proxy
+    # kubeProxyReplacement: strict
+
     rollOutCiliumPods: true
     encryption:
       enabled: false