diff --git a/roles/podman_link/defaults/main.yml b/roles/podman_link/defaults/main.yml
index 7b64500..2692592 100644
--- a/roles/podman_link/defaults/main.yml
+++ b/roles/podman_link/defaults/main.yml
@@ -26,3 +26,5 @@ podman_link_zammad_api_token: ""
 podman_link_postgres_zammad_postgresql_host: zammad-postgresql
 podman_link_postgres_zammad_es_host: opensearch
 podman_link_postgres_zammad_memcached_server: zammad-memcached:11211
+# podman_link_opensearch_hub_ip:
+# podman_link_opensearch_spoke_ip:
diff --git a/roles/podman_link/tasks/main.yml b/roles/podman_link/tasks/main.yml
index 4b42cdd..c30b28b 100644
--- a/roles/podman_link/tasks/main.yml
+++ b/roles/podman_link/tasks/main.yml
@@ -8,6 +8,23 @@
 mode: "0444"
 become: true
+- name: Allow access from hub to spoke to Opensearch using firewalld rich rule
+ ansible.posix.firewalld:
+ rich_rule: >-
+ rule family="ipv4"
+ source address="{{ podman_link_opensearch_hub_ip }}"
+ destination address="{{ podman_link_opensearch_spoke_ip }}"
+ port protocol="tcp" port="{{ item }}" accept
+ permanent: yes
+ state: enabled
+ with_items:
+ - 9200
+ - 9300
+ when:
+ - podman_link_opensearch_hub_ip is defined
+ - podman_link_opensearch_spoke_ip is defined
+ become: true
+
 - name: Podman CDR Link | PATCH | Install podman and verify rootless podman user
 ansible.builtin.include_role:
 role: sr2c.core.podman_host
diff --git a/roles/podman_link/templates/home/config/containers/systemd/zammad-opensearch.container b/roles/podman_link/templates/home/config/containers/systemd/zammad-opensearch.container
index 3f45ea1..9b56e01 100644
--- a/roles/podman_link/templates/home/config/containers/systemd/zammad-opensearch.container
+++ b/roles/podman_link/templates/home/config/containers/systemd/zammad-opensearch.container
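Review bot: The new firewalld task sets `permanent: yes` but no `immediate:`, so on a host where firewalld is already running the rich rule is only written to the permanent configuration and is not active until the next reload; add `immediate: true` beside `permanent: true` (lowercase booleans rather than `yes`, per yamllint truthy). The `when` guards only test `is defined`, so a variable set to an empty string still renders `source address=""` into the rule and the module fails at apply time; `podman_link_opensearch_hub_ip | length > 0` (and the same for the spoke IP) would reject that case before it reaches firewalld. No `zone:` is given, so the rule lands in firewalld's default zone, which is worth stating in a comment above the task if the spoke interface is ever moved to a non-default zone. `with_items` could become `loop` to match current Ansible style.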
@@ -18,6 +18,10 @@ Environment=compatibility.override_main_response_version=true
 Image=registry.gitlab.com/digiresilience/link/link-stack/opensearch:{{ podman_link_stack_version }}
 PublishPort=127.0.0.1:9200:9200
 PublishPort=127.0.0.1:9600:9600
+{% if podman_link_opensearch_spoke_ip is defined %}
+PublishPort={{ podman_link_opensearch_spoke_ip }}:9200:9200
+PublishPort={{ podman_link_opensearch_spoke_ip }}:9300:9300
+{% endif %}
 Volume=/home/{{ podman_link_podman_rootless_user }}/opensearch-data:/usr/share/opensearch/data:rw,Z
 Volume=/home/{{ podman_link_podman_rootless_user }}/opensearch-config.yml:/usr/share/opensearch/config/opensearch-security/config.yml:rw,Z
 Network=zammad.network
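Review bot: The template binds 9200 and 9300 to the spoke IP whenever `podman_link_opensearch_spoke_ip` is defined, while the firewalld accept rule in tasks/main.yml additionally requires `podman_link_opensearch_hub_ip`, so with only the spoke IP set OpenSearch listens on a routable address with no matching rule and reachability then depends on the default zone's policy rather than on this role. Using the same condition in both places, `{% if podman_link_opensearch_hub_ip is defined and podman_link_opensearch_spoke_ip is defined %}`, keeps the bind and the allow rule in step. Before this change only 9200 and 9600 were published, and on loopback; 9300 is now exposed beyond localhost for the first time, and whether the mounted opensearch-security config enforces authentication and TLS on that transport port is not visible here, so it should be confirmed and recorded in a comment above the new block.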