diff --git a/modules/k3s/default.nix b/modules/k3s/default.nix
index 4e37c91..8bce7d6 100644
--- a/modules/k3s/default.nix
+++ b/modules/k3s/default.nix
@@ -16,12 +16,16 @@ in
 config = mkIf cfg.enable {
 networking.firewall.allowedTCPPorts = [
- 6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
- 2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
- 2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
+ 6443 # k3s, api server
+ 2379 # k3s, etcd clients
+ 2380 # k3s, etcd peers
+ 10250 # k3s, kubelet
 ];
 networking.firewall.allowedUDPPorts = [
- 8472 # k3s, flannel: required if using multi-node for inter-node networking
+ 8472 # k3s, flannel
+ ];
+ networking.firewall.allowedTCPPortRanges = [
+ { from = 30000; to = 32767; } # k3s, nodeport
 ];
 environment.systemPackages = with pkgs; [
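Review bot: The new `10250 # k3s, kubelet` entry and the `allowedTCPPortRanges` 30000-32767 block go into the global `networking.firewall.*` lists, which open the ports on every interface, alongside 2379/2380 and UDP 8472. The kubelet API, the etcd client/peer ports and the flannel VXLAN port carry node-to-node traffic only, so on a host with a public interface they become reachable from outside the cluster. Consider scoping them to the cluster-facing interface, e.g. `networking.firewall.interfaces.<cluster-iface>.allowedTCPPorts = [ 2379 2380 10250 ];` and `networking.firewall.interfaces.<cluster-iface>.allowedUDPPorts = [ 8472 ];` (`<cluster-iface>` is a placeholder), and opening the NodePort range only where NodePort services are actually used. The shortened comments also drop the "required if using ..." conditions; keeping them would tell the next reader which ports can stay closed on a single-node setup. The `config = mkIf cfg.enable { ... }` block continues past the end of the hunk.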