diff --git a/group_vars/adm.yml b/group_vars/adm.yml
index 1c7de95..dce7311 100644
--- a/group_vars/adm.yml
+++ b/group_vars/adm.yml
@@ -6,3 +6,4 @@ datadisks:
 firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
   - {proto: tcp, port: 443, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
diff --git a/group_vars/collab.yml b/group_vars/collab.yml
index e745826..8f92dbb 100644
--- a/group_vars/collab.yml
+++ b/group_vars/collab.yml
@@ -5,3 +5,4 @@ datadisks:
 firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
   - {proto: tcp, port: 443, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
diff --git a/group_vars/git.yml b/group_vars/git.yml
index 1c7de95..dce7311 100644
--- a/group_vars/git.yml
+++ b/group_vars/git.yml
@@ -6,3 +6,4 @@ datadisks:
 firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
   - {proto: tcp, port: 443, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
diff --git a/group_vars/ldap.yml b/group_vars/ldap.yml
index cd8bc6c..660bcb5 100644
--- a/group_vars/ldap.yml
+++ b/group_vars/ldap.yml
@@ -5,3 +5,4 @@ firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
   - {proto: tcp, port: 443, from: [172.20.20.0/22]}
   - {proto: tcp, port: 636, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
diff --git a/group_vars/log.yml b/group_vars/log.yml
index 09e73c2..b25b970 100644
--- a/group_vars/log.yml
+++ b/group_vars/log.yml
@@ -4,4 +4,5 @@ datadisks:
 
 firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
   - {proto: tcp, port: 6514}
diff --git a/group_vars/mail.yml b/group_vars/mail.yml
index 365afc5..d6a68c7 100644
--- a/group_vars/mail.yml
+++ b/group_vars/mail.yml
@@ -10,3 +10,4 @@ firewall_in:
   - {proto: tcp, port: 465}
   - {proto: tcp, port: 587}
   - {proto: tcp, port: 993}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
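Review bot: The added `port: 4949` entries give no indication of which service they open; the pf.conf hunks in this same commit label the port munin, so this is presumably munin-node, and the YAML should say so too, e.g. `  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}  # munin-node`. The same applies to every group_vars hunk on this line (adm, collab, git, ldap, log, mail) and to the mirror, nas, ns, proxy, shell, static and vmhost hunks that follow. Because the `from:` filter is the only thing deciding who may poll the node, it is worth keeping munin-node's own `cidr_allow` list in munin-node.conf in step with these source ranges, so that the host-side allowlist and the firewall still agree if one of them is edited alone later.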
diff --git a/group_vars/mirror.yml b/group_vars/mirror.yml
index 3784714..deaae99 100644
--- a/group_vars/mirror.yml
+++ b/group_vars/mirror.yml
@@ -7,3 +7,4 @@ firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
   - {proto: tcp, port: 443, from: [172.20.20.0/22]}
   - {proto: tcp, port: 873, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
diff --git a/group_vars/nas.yml b/group_vars/nas.yml
index 61922a5..44ec14a 100644
--- a/group_vars/nas.yml
+++ b/group_vars/nas.yml
@@ -9,3 +9,4 @@ firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
   - {proto: tcp, port: 2049, from: [172.20.20.0/22]}
   - {proto: tcp, port: 2049, from: [172.20.30.0/24]}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
diff --git a/group_vars/ns.yml b/group_vars/ns.yml
index 944a455..f1436a9 100644
--- a/group_vars/ns.yml
+++ b/group_vars/ns.yml
@@ -6,6 +6,7 @@ firewall_in:
   - {proto: tcp, port: 80}
   - {proto: tcp, port: 443}
   - {proto: tcp, port: 853}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22, 81.175.130.44/32]}
 
 ifstated_config: ifstated-ns.conf
 network_carp_interfaces:
diff --git a/group_vars/proxy.yml b/group_vars/proxy.yml
index 303f415..cb37c52 100644
--- a/group_vars/proxy.yml
+++ b/group_vars/proxy.yml
@@ -49,4 +49,5 @@ firewall_in:
   - {proto: tcp, port: 80}
   - {proto: tcp, port: 443}
   - {proto: tcp, port: 636}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
   - {proto: tcp, port: 6514}
diff --git a/group_vars/shell.yml b/group_vars/shell.yml
index 6abe4d2..55b6bab 100644
--- a/group_vars/shell.yml
+++ b/group_vars/shell.yml
@@ -7,3 +7,4 @@ num_cpus: 4
 
 firewall_in:
   - {proto: tcp, port: 22}
+  - {proto: tcp, port: 4949, from: [81.175.130.44/32]}
diff --git a/group_vars/static.yml b/group_vars/static.yml
index 07d697b..24c3e3a 100644
--- a/group_vars/static.yml
+++ b/group_vars/static.yml
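Review bot: The ns.yml and shell.yml rules are the only ones that admit `81.175.130.44/32`, an address outside the `172.20.20.0/22` range every other group uses, and shell.yml admits only that address; nothing in either hunk records what that host is. A comment on both lines, e.g. `# munin master, external address` (adjust to whatever the host actually is), would capture the intent, and defining the address once as a variable (say `munin_master_ext`, name suggested) referenced from both files would stop the two literal copies drifting apart. Munin-node traffic is not encrypted unless TLS is configured on both node and master, so if polling from this external address crosses an untrusted network that is worth noting next to the rule, and the node-side allowlist should be restricted to the same two sources.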
@@ -2,3 +2,4 @@
 firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
   - {proto: tcp, port: 443, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
diff --git a/group_vars/vmhost.yml b/group_vars/vmhost.yml
index ec4ea73..c611eea 100644
--- a/group_vars/vmhost.yml
+++ b/group_vars/vmhost.yml
@@ -1,3 +1,4 @@
 ---
 firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 4949, from: [172.20.20.0/22]}
diff --git a/roles/pf/files/pf.conf.gw_fsol b/roles/pf/files/pf.conf.gw_fsol
index 98378d3..5f3a715 100644
--- a/roles/pf/files/pf.conf.gw_fsol
+++ b/roles/pf/files/pf.conf.gw_fsol
@@ -30,8 +30,9 @@ pass quick inet6 proto icmp6
 antispoof for lo0
 antispoof for vio0
 
-# admin connection (internal)
+# admin connection and munin (internal)
 pass in quick on $int_if proto tcp from $int_net to self port ssh keep state (no-sync)
+pass in quick on $int_if proto tcp from $int_net to self port 4949 keep state (no-sync)
 
 # internal network
 block in quick from any to self
diff --git a/roles/pf/files/pf.conf.gw_home b/roles/pf/files/pf.conf.gw_home
index ccead9b..21a4824 100644
--- a/roles/pf/files/pf.conf.gw_home
+++ b/roles/pf/files/pf.conf.gw_home
@@ -45,6 +45,9 @@ pass in quick on $ext_if proto tcp from 37.35.86.64/29 to self port ssh
 pass in quick on $ext_if proto tcp from 37.16.96.144/28 to self port ssh
 pass in quick on $ext_if proto tcp from 81.175.155.142/32 to self port ssh
 
+# munin from internal network
+pass in quick on $int_if proto tcp from $int_net to self port 4949
+
 # allow dns queries from internal net
 pass in quick on $int_if proto { tcp, udp } from $int_net to self port domain
 
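Review bot: In the pf.conf.gw_fsol hunk the reworded comment `# admin connection and munin (internal)` now covers two rules for unrelated services, whereas the pf.conf.gw_home hunk gives munin its own comment line; splitting it the same way, with `# munin (internal)` directly above the port 4949 rule, keeps the two gateway configs consistent and grep-friendly. The `keep state (no-sync)` qualifier is present on the new gw_fsol rule and absent on the new gw_home rule, which matches each file's existing ssh rules and so looks deliberate; if gw_home has a pfsync peer, confirm that omitting it there is intended.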