diff --git a/ops/nixos/lib/blade.nix b/ops/nixos/lib/blade.nix
index baef3b29d6..fbedc93176 100644
--- a/ops/nixos/lib/blade.nix
+++ b/ops/nixos/lib/blade.nix
@@ -98,8 +98,8 @@ in {
       firewall.allowedUDPPorts = [
         41641 # Tailscale
       ];
-      firewall.allowedTCPPorts = lib.mkIf config.services.ceph.enable [ 6789 3300 ];
-      firewall.allowedTCPPortRanges = lib.mkIf config.services.ceph.enable [{ from = 6800; to = 7300; }];
+      firewall.interfaces.en-storage.allowedTCPPorts = lib.mkIf config.services.ceph.enable [ 6789 3300 ];
+      firewall.interfaces.en-storage.allowedTCPPortRanges = lib.mkIf config.services.ceph.enable [{ from = 6800; to = 7300; }];
 
       nat = lib.optionalAttrs (config.my.blade.macAddress.internet != null) {
         enable = true;