From 1651cb54ddbb66cd3c1af7498e3bafc59020e972 Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Sun, 26 Apr 2026 12:44:24 -0400
Subject: [PATCH] Allow node-to-node communication.
---
 nix/kubernetes/roles/firewall/default.nix | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/nix/kubernetes/roles/firewall/default.nix b/nix/kubernetes/roles/firewall/default.nix
index 984fed03..d69f1c83 100644
--- a/nix/kubernetes/roles/firewall/default.nix
+++ b/nix/kubernetes/roles/firewall/default.nix
@@ -49,6 +49,13 @@
 ''
 ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
 ''
+ # Allow node-to-node communication
+ # Needed for:
+ # - metallb port 7946
+ ''
+ iifname "enp*" ip saddr 10.215.1.0/24 ip daddr 10.215.1.0/24 accept
+ iifname "enp*" ip6 saddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 ip6 daddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
+ ''
 ];
 # networking.firewall.extraInputRules = ''
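Review bot: The two added `accept` rules admit every protocol and port between hosts in 10.215.1.0/24 (and the matching IPv6 /120), while the comment gives only metallb port 7946 as the reason. If this list feeds the input chain, any machine on that subnet, or one that can present a source address from it on an `enp*` interface, reaches every service listening on the node, so the match should be scoped to what is needed, e.g. `iifname "enp*" ip saddr 10.215.1.0/24 ip daddr 10.215.1.0/24 meta l4proto { tcp, udp } th dport 7946 accept`, with the same `th dport` match added to the `ip6` line. Further ports can join the set as the "Needed for" list grows, which keeps the comment and the rule in agreement. The list these strings belong to opens outside the hunk, so the chain and its default policy are not visible here.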