diff --git a/roles/nftables_infra/templates/nftables.d/10-vars.conf.j2 b/roles/nftables_infra/templates/nftables.d/10-vars.conf.j2 index 1ac86f2..3757bd4 100644 --- a/roles/nftables_infra/templates/nftables.d/10-vars.conf.j2 +++ b/roles/nftables_infra/templates/nftables.d/10-vars.conf.j2 @@ -21,6 +21,9 @@ define pve_ipv4 = 10.134.0.0/16 define router_ipv6 = 2a09:6840:135::/48 define router_ipv4 = 10.135.0.0/16 +define bastion_ipv6 = 2a09:6840:136::/48 +define bastion_ipv4 = 10.136.0.0/16 + define infra_ipv6 = { $public_server_ipv6, $server_ipv6, @@ -29,6 +32,7 @@ define infra_ipv6 = { $bmc_ipv6, $pve_ipv6, $router_ipv6, + $bastion_ipv6, } define infra_ipv4 = { $public_server_ipv4, @@ -38,6 +42,7 @@ define infra_ipv4 = { $bmc_ipv4, $pve_ipv4, $router_ipv4, + $bastion_ipv4, } # FIXME: temporary @@ -45,11 +50,13 @@ define egress_internet_ipv6 = { $server_ipv6, $pve_ipv6, $router_ipv6, + $bastion_ipv6, } define egress_internet_ipv4 = { $server_ipv4, $pve_ipv4, $router_ipv4, + $bastion_ipv4, } # FIXME: bad ipv6 address diff --git a/roles/nftables_infra/templates/nftables.d/40-input.conf.j2 b/roles/nftables_infra/templates/nftables.d/40-input.conf.j2 index 813ea11..3297c63 100644 --- a/roles/nftables_infra/templates/nftables.d/40-input.conf.j2 +++ b/roles/nftables_infra/templates/nftables.d/40-input.conf.j2 @@ -10,6 +10,13 @@ table inet input { } } + chain input_from_server { + jump conntrack + + ip6 saddr $prom_infra_ipv6 dport 9100 accept + ip saddr $prom_infra_ipv4 dport 9100 accept + } + chain input_from_backbone { ip6 nexthdr { ospf, vrrp } accept ip protocol { ospf, vrrp } accept @@ -22,6 +29,12 @@ table inet input { tcp dport ssh counter accept } + chain input_from_bastion { + jump conntrack + + tcp dport ssh counter accept + } + chain input_from_anywhere { jump conntrack diff --git a/roles/nftables_infra/templates/nftables.d/60-forward.conf.j2 b/roles/nftables_infra/templates/nftables.d/60-forward.conf.j2 index c2b79f3..9cb3e10 100644 
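Review bot: The new bastion_ipv6/bastion_ipv4 defines cover a whole /48 and /16, and the forward rules in this commit key SSH access into every infra segment on `saddr $bastion_*`, so any host that lands in that prefix gets SSH reach everywhere, not just the bastion itself. If the prefix is allocated to the bastion segment alone this is presumably intended, but a bastion allow-list is usually a handful of host addresses rather than a subnet. Either narrow these to the bastion hosts (host-length elements in a set) or add a comment such as `# whole prefix is trusted as SSH source into all infra segments; keep it to bastion hosts only` so the scope is deliberate rather than accidental.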
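Review bot: Adding bastion_* to egress_internet_ipv6/ipv4 gives the bastion, the most exposed pivot in this layout, unrestricted outbound internet, in a set the file itself marks `# FIXME: temporary`. A compromised bastion with open egress can exfiltrate and fetch tooling freely; restricting its egress to what it actually needs (package mirror, NTP, DNS) is the usual mitigation. How egress_internet_* is consumed is outside this hunk, so if a narrower egress chain for the bastion already exists this is moot; otherwise consider leaving bastion out of this set and adding a dedicated allow rule, or at minimum a comment stating why full egress is required.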
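Review bot: The two accept rules in the new input_from_server chain use a bare `dport 9100`; nft's grammar only takes dport after a transport qualifier (`tcp`, `udp`, `sctp`, `th`), so as far as I can tell the file will fail to parse and, because nft -f applies atomically, the whole ruleset load aborts, leaving the host on stale rules or none depending on how the role applies it. The existing rules in this file use `tcp dport`, and 9100 is presumably node_exporter over TCP, so `ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept` / `ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept` fixes the parse and keeps the `counter` the sibling chains carry. Nothing in this hunk jumps to input_from_server; the dispatch in the hook chain is outside the hunk, so confirm it exists or the chain is dead.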
--- a/roles/nftables_infra/templates/nftables.d/60-forward.conf.j2 +++ b/roles/nftables_infra/templates/nftables.d/60-forward.conf.j2 @@ -29,6 +29,9 @@ table inet forward { ip6 saddr $prom_infra_v6 tcp dport 9100 counter accept ip saddr $prom_infra_v4 udp dport 161 counter accept + + ip6 saddr $bastion_ipv6 dport ssh accept + ip saddr $bastion_ipv4 dport ssh accept } chain forward_to_backbone { @@ -39,6 +42,9 @@ table inet forward { ip6 saddr $prom_infra_v6 udp dport 161 counter accept ip saddr $prom_infra_v4 udp dport 161 counter accept + + ip6 saddr $bastion_ipv6 dport ssh accept + ip saddr $bastion_ipv4 dport ssh accept } chain forward_to_bmc { @@ -46,6 +52,9 @@ table inet forward { ip6 saddr $prom_infra_v6 udp dport 161 counter accept ip saddr $prom_infra_v4 udp dport 161 counter accept + + ip6 saddr $bastion_ipv6 dport ssh accept + ip saddr $bastion_ipv4 dport ssh accept } chain forward_to_pve { @@ -53,6 +62,9 @@ table inet forward { ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept + + ip6 saddr $bastion_ipv6 dport ssh accept + ip saddr $bastion_ipv4 dport ssh accept } chain forward_to_router { @@ -60,6 +72,9 @@ table inet forward { ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept + + ip6 saddr $bastion_ipv6 dport ssh accept + ip saddr $bastion_ipv4 dport ssh accept } chain forward_to_internet {
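Review bot: The bastion SSH rules added to forward_to_server (and repeated verbatim in the four chains that follow) use `dport ssh` with no transport qualifier, while every neighbouring rule is `tcp dport` or `udp dport`; nft only accepts dport after tcp/udp/sctp/th, so I expect these lines to fail to load and take the whole forward table with them. They also omit the `counter` the sibling rules carry, which loses the per-rule hit counts that are useful when auditing who pivots through the bastion. `ip6 saddr $bastion_ipv6 tcp dport ssh counter accept` / `ip saddr $bastion_ipv4 tcp dport ssh counter accept` in each chain addresses both; since the pair is copied five times, a single `forward_from_bastion` chain jumped to from each `forward_to_*` chain would keep them from drifting.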
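Review bot: forward_to_bmc now accepts SSH from the entire $bastion_ipv6 /48 and $bastion_ipv4 /16 into the BMC segment, which is the segment where a foothold is hardest to recover from (out-of-band console and power over the whole fleet). Even if the other chains keep the prefix match, this chain is worth narrowing to the bastion hosts themselves, e.g. `ip6 saddr { <bastion host>/128 } tcp dport ssh counter accept` with a matching IPv4 line, and it is worth asking whether BMC access should traverse the general bastion at all rather than a dedicated out-of-band jump host. The conntrack jump and the default handling for this chain sit outside the hunk, so I cannot tell from here what happens to non-SSH traffic from the bastion.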