diff --git a/hosts/sire/guests/grafana.nix b/hosts/sire/guests/grafana.nix
index 437b19e..91a0cc7 100644
--- a/hosts/sire/guests/grafana.nix
+++ b/hosts/sire/guests/grafana.nix
@@ -134,6 +134,9 @@ in
         extraConfig = ''
           allow ${globals.net.home-lan.vlans.home.cidrv4};
           allow ${globals.net.home-lan.vlans.home.cidrv6};
+          # Firezone traffic
+          allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4};
+          allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6};
           deny all;
         '';
       };
diff --git a/hosts/sire/guests/immich.nix b/hosts/sire/guests/immich.nix
index 8eec40f..d7caa7d 100644
--- a/hosts/sire/guests/immich.nix
+++ b/hosts/sire/guests/immich.nix
@@ -250,6 +250,9 @@ in
           send_timeout       600s;
           allow ${globals.net.home-lan.vlans.home.cidrv4};
           allow ${globals.net.home-lan.vlans.home.cidrv6};
+          # Firezone traffic
+          allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4};
+          allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6};
           deny all;
         '';
       };
diff --git a/hosts/sire/guests/paperless.nix b/hosts/sire/guests/paperless.nix
index 02c180e..9cb16cb 100644
--- a/hosts/sire/guests/paperless.nix
+++ b/hosts/sire/guests/paperless.nix
@@ -81,6 +81,9 @@ in
           client_max_body_size 512M;
           allow ${globals.net.home-lan.vlans.home.cidrv4};
           allow ${globals.net.home-lan.vlans.home.cidrv6};
+          # Firezone traffic
+          allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4};
+          allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6};
           deny all;
         '';
         locations."/" = {