diff --git a/roles/ceph/templates/nftables.conf.j2 b/roles/ceph/templates/nftables.conf.j2 index d686cfd..327fbae 100644 --- a/roles/ceph/templates/nftables.conf.j2 +++ b/roles/ceph/templates/nftables.conf.j2 @@ -46,8 +46,6 @@ table inet filter { iif lan0 ip6 saddr fe80::/64 accept iif lan1 ip6 saddr fe80::/64 accept - iif mgmt accept comment "management access" - ip saddr @cluster accept comment "accept connections from other nodes" ip6 saddr @cluster/6 accept comment "accept connections from other nodes" @@ -66,6 +64,8 @@ table inet filter { {% endfor %} + iifname mgmt accept comment "management access" + ip saddr @allowed accept ip6 saddr @allowed/6 accept }
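Review bot: The re-added `iifname mgmt accept` in the second hunk accepts every packet arriving on an interface named mgmt, with no limit on source, protocol or port, and it now sits after the templated loop instead of ahead of the @cluster rules. Because `iifname` compares the name per packet rather than an index resolved when the ruleset loads, the rule also covers any interface later created or renamed to mgmt; a comment above it should record the reason for the switch, e.g. `# iifname: mgmt may not exist yet when the ruleset is loaded`, if that is the motivation. If management needs only specific services, narrowing the rule, for instance `iifname mgmt tcp dport 22 accept comment "management access"`, would make the exposure explicit. The `iif lan0` and `iif lan1` context lines in the first hunk still use the index match, so they presumably share the same load-time dependency and should be handled consistently. The chain starts outside both hunks, so it cannot be checked from here whether a rule in the loop drops or rejects management traffic before this line is reached.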