diff --git a/ansible/group_vars/nimbus.mainnet.yml b/ansible/group_vars/nimbus.mainnet.yml
index 05ba46d..03757b5 100644
--- a/ansible/group_vars/nimbus.mainnet.yml
+++ b/ansible/group_vars/nimbus.mainnet.yml
@@ -85,6 +85,13 @@ nimbus_era_files_node_service_path: '/data/beacon-node-{{ beacon_node_network }}
 nimbus_era_files_nclidb_path: '{{ nimbus_era_files_node_service_path }}/repo/build/ncli_db'
 nimbus_era_files_db_path: '{{ nimbus_era_files_node_service_path }}/data/db'
 
+# Open Ports
+open_ports_default_comment: 'Nimbus REST API'
+open_ports_default_chain: 'VPN'
+open_ports_list:
+  - { port: '9300:9310', ipset: '{{ env }}.{{ stage }}' }
+  - { port: '9400',      ipset: 'metrics.hq', comment: 'Geth Exporter' }
+
 # Split by hostname for more central location
 nodes_layout:
   'stable-small-01.aws-eu-central-1a.nimbus.mainnet':
diff --git a/ansible/mainnet.yml b/ansible/mainnet.yml
index c8fc57a..519a9c0 100644
--- a/ansible/mainnet.yml
+++ b/ansible/mainnet.yml
@@ -33,6 +33,7 @@
   serial: '{{ serial|default(1) }}'
   hosts: nimbus-mainnet-metal
   roles:
+    - { role: open-ports,                   tags: [ open-ports ] }
     - { role: redirect-ports,               tags: [ redirect-ports ] }
     - { role: infra-role-geth,              tags: [ infra-role-geth ] }
     - { role: infra-role-geth-exporter,     tags: [ infra-role-geth-exporter ] }