diff --git a/inventory/group_vars/bastion b/inventory/group_vars/bastion
index 986722eb45..031a10f034 100644
--- a/inventory/group_vars/bastion
+++ b/inventory/group_vars/bastion
@@ -12,9 +12,11 @@ udp_ports: [ 1194 ]
 #
 # drop incoming traffic from less trusted vpn hosts
+# allow ntp from internal phx2 10 nets
 #
 custom_rules: [
 '-A INPUT -s 192.168.100/24 -j REJECT --reject-with icmp-host-prohibited',
+ '-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 123 -j ACCEPT',
 ]
 #
 # allow a bunch of sysadmin groups here so they can access internal stuff
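Review bot: The added `custom_rules` entry accepts UDP/123 from all of 10.0.0.0/8 on any interface, which is wider than the "internal phx2 10 nets" its comment describes; this host also appears to carry VPN traffic (udp 1194, the 192.168.100/24 reject), so that gap matters here. If the phx2 ranges are known, list them instead of the /8, or at least pin the rule to the internal interface, e.g. `'-A INPUT -i <internal-iface> -s 10.0.0.0/8 -p udp -m udp --dport 123 -j ACCEPT',` (the interface name is a placeholder). UDP source addresses can be spoofed, so the NTP daemon's own access restrictions should still limit who may query it; that configuration is not visible in this hunk. Where `custom_rules` lands in the INPUT chain is decided by a template outside this diff, so confirm the ACCEPT is evaluated before any general reject.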