diff --git a/roles/ceph/templates/nftables.conf.j2 b/roles/ceph/templates/nftables.conf.j2
index bf1da05..b7e0e25 100644
--- a/roles/ceph/templates/nftables.conf.j2
+++ b/roles/ceph/templates/nftables.conf.j2
@@ -32,6 +32,16 @@ table inet filter {
 ct state vmap { invalid : drop, established : accept, related : accept }
 iif lo accept
+ ip protocol icmp icmp type {
+ echo-request, echo-reply, destination-unreachable,
+ parameter-problem, time-exceeded,
+ } accept comment "accept some ICMPv4"
+
+ ip6 nexthdr icmpv6 icmpv6 type {
+ echo-request, echo-reply, destination-unreachable,
+ packet-too-big, parameter-problem, time-exceeded,
+ } accept comment "accept some ICMPv6"
+
 # BGP / BFD sessions
 iif lan0 ip6 saddr fe80::/64 accept
 iif lan1 ip6 saddr fe80::/64 accept