diff --git a/globals.nix b/globals.nix index 5fc7706..57e1b83 100644 --- a/globals.nix +++ b/globals.nix @@ -62,10 +62,15 @@ in cidrv6 = "fd20::/64"; hosts.ward.id = 1; hosts.sire.id = 2; + hosts.scanner-ads-4300n = { + id = 23; + mac = globals.macs.scanner-ads-4300n; + }; hosts.wallbox = { id = 40; mac = globals.macs.wallbox; }; + # TODO remove once new home-assistant machine is up hosts.home-assistant-temp = { id = 85; mac = globals.macs.home-assistant; diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix index b983c6b..96ff4bc 100644 --- a/hosts/ward/net.nix +++ b/hosts/ward/net.nix @@ -173,11 +173,15 @@ { untrusted.interfaces = [ "wan" ]; proxy-home.interfaces = [ "proxy-home" ]; - adguardhome.ipv4Addresses = [ - globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4 + adguardhome.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4 ]; + adguardhome.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6 ]; + samba.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.sire-samba.ipv4 ]; + samba.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.sire-samba.ipv6 ]; + scanner-ads-4300n.ipv4Addresses = [ + globals.net.home-lan.vlans.devices.hosts.scanner-ads-4300n.ipv4 ]; - adguardhome.ipv6Addresses = [ - globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6 + scanner-ads-4300n.ipv6Addresses = [ + globals.net.home-lan.vlans.devices.hosts.scanner-ads-4300n.ipv6 ]; } // lib.flip lib.concatMapAttrs globals.net.home-lan.vlans ( @@ -194,9 +198,7 @@ "vlan-devices" "vlan-guests" ]; - to = [ - "untrusted" - ]; + to = [ "untrusted" ]; masquerade = true; late = true; # Only accept after any rejects have been processed verdict = "accept"; 
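Review bot: The new `scanner-ads-4300n` zone in the `@@ -173` hunk of hosts/ward/net.nix is defined only by source address, so any device on the devices VLAN that uses the scanner's IPv4 or IPv6 address matches it and inherits every rule written for that zone. Whether ward binds that address to the MAC added in globals.nix beyond a DHCP reservation is not visible in this diff. I would record the limitation above the zone, e.g. `# Address-only zone: membership is not authenticated, keep rules from it narrow`. The attribute set this hunk edits starts and ends outside the hunk.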
@@ -214,11 +216,16 @@ verdict = "accept"; }; + # Allow the scanner to access samba via SFTP + access-samba-sftp = { + from = [ "scanner-ads-4300n" ]; + to = [ "samba" ]; + allowedTCPPorts = [ 22 ]; + }; + # Allow devices in the home VLAN to talk to any of the services or home devices. access-services = { - from = [ - "vlan-home" - ]; + from = [ "vlan-home" ]; to = [ "vlan-services" "vlan-devices" diff --git a/secrets/global.nix.age b/secrets/global.nix.age index 2c67dcb..65fa807 100644 Binary files a/secrets/global.nix.age and b/secrets/global.nix.age differ
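Review bot: `allowedTCPPorts = [ 22 ];` in `access-samba-sftp` opens the whole SSH service on the samba host to the scanner, while the comment promises SFTP only; a port rule cannot tell an SFTP session from a shell or a port forward. That restriction has to be enforced by sshd on sire-samba (an SFTP-only, chrooted account with forwarding disabled, e.g. `ForceCommand internal-sftp`), and its configuration is not part of this diff. I would make the comment say where the guarantee lives: `# Allow the scanner to reach sshd on samba (TCP 22); SFTP-only is enforced by sshd on sire-samba, not by this rule`. The enclosing rules set starts and ends outside the hunk.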