diff --git a/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp b/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp
index c34b323..8e7498f 100644
--- a/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp
+++ b/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp
@@ -1,7 +1,7 @@
 # Configure a SUNET CDN mqtt server
 class cdn::mqtt(
 String $dc = '',
- Array[String] $clients = [],
+ Array[String] $mqtt_client_ips = [],
 Hash[String, Hash] $bridges = {},
 Hash[String, String] $acme_url = {
 test => 'https://internal-sto3-test-ca-1.cdn.sunet.se:9000/acme/acme/directory'
@@ -35,6 +35,14 @@ class cdn::mqtt(
 proto => 'tcp',
 }
 
+ $mqtt_client_ips.each | String $mqtt_client_ip | {
+ sunet::nftables::allow { "allow-acme-client-${mqtt_client_ip}":
+ from => $mqtt_client_ip,
+ port => 8883,
+ proto => 'tcp',
+ }
+ }
+
 # From https://wiki.sunet.se/display/sunetops/Platform+naming+standards
 $my_fqdn = $facts['networking']['fqdn']
 $dot_split = split($my_fqdn, '[.]')
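Review bot: The new firewall rules are titled `allow-acme-client-${mqtt_client_ip}` even though they open port 8883 to MQTT clients, so the title misdescribes the rule. If a resource elsewhere in the class (not visible in this hunk) already uses that title for the same address, the catalog will fail on a duplicate declaration; `sunet::nftables::allow { "allow-mqtt-client-${mqtt_client_ip}":` avoids both problems. Separately, `$mqtt_client_ips` is still typed `Array[String]` in the first hunk, so an empty string, a hostname or an overly wide prefix reaches `from` unchecked and a repeated entry produces a duplicate resource title. If puppetlabs-stdlib is available in this tree, `Array[Stdlib::IP::Address] $mqtt_client_ips = [],` would reject non-address values at compile time, and iterating over `unique($mqtt_client_ips)` would tolerate repeats. The class body starts before and continues after the visible hunks.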