diff --git a/hieradata/roles/infra/nomad/agent.yaml b/hieradata/roles/infra/nomad/agent.yaml
index 3c9d1c3..bbce070 100644
--- a/hieradata/roles/infra/nomad/agent.yaml
+++ b/hieradata/roles/infra/nomad/agent.yaml
@@ -39,6 +39,7 @@ profiles::ceph::client::keyrings:
 profiles::packages::include:
 nomad: {}
 cni-plugins: {}
+ consul-cni: {}
 profiles::nomad::node::client: true
diff --git a/hieradata/roles/infra/nomad/agentv2.yaml b/hieradata/roles/infra/nomad/agentv2.yaml
index 629a9be..e478e40 100644
--- a/hieradata/roles/infra/nomad/agentv2.yaml
+++ b/hieradata/roles/infra/nomad/agentv2.yaml
@@ -22,6 +22,7 @@ networking::interfaces:
 profiles::packages::include:
 nomad: {}
 cni-plugins: {}
+ consul-cni: {}
 profiles::nomad::node::client: true
@@ -34,6 +35,10 @@ profiles::pki::vault::alt_names:
 - "nomad-client.service.%{facts.country}-%{facts.region}.consul"
 # configure consul service
+profiles::consul::client::ports:
+ grpc: 8502
+ dns: 8600
+ http: 8500
 profiles::consul::client::node_rules:
 - resource: service
 segment: nomad-client
diff --git a/hieradata/roles/infra/storage/consul.yaml b/hieradata/roles/infra/storage/consul.yaml
index 148d2f0..3df5db8 100644
--- a/hieradata/roles/infra/storage/consul.yaml
+++ b/hieradata/roles/infra/storage/consul.yaml
@@ -8,6 +8,7 @@ profiles::consul::server::addresses:
 grpc: "%{::networking.ip}"
 grpc_tls: "%{::networking.ip}"
 profiles::consul::server::ports:
+ grpc: 8502
 dns: 8600
 http: 8500
 https: -1
diff --git a/site/profiles/manifests/consul/client.pp b/site/profiles/manifests/consul/client.pp
index fa229c8..2fc80ec 100644
--- a/site/profiles/manifests/consul/client.pp
+++ b/site/profiles/manifests/consul/client.pp
@@ -10,6 +10,7 @@ class profiles::consul::client (
 Array $consul_servers = [],
 Stdlib::Absolutepath $data_dir = '/opt/consul',
 Array[Hash] $node_rules = [],
+ Hash $ports = {},
 ) {
 if $facts['enc_role'] != $members_role {
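Review bot: `grpc: 8502` under `profiles::consul::client::ports` opens Consul's plaintext gRPC listener; the `grpc_tls` address key visible in storage/consul.yaml suggests a Consul version where `ports.grpc` never carries TLS. The same applies to the `grpc: 8502` line added to `profiles::consul::server::ports`, where the surrounding context binds `grpc` to `%{::networking.ip}` and sets `https: -1`, so xDS traffic (which carries Connect leaf keys and ACL tokens) would cross the network unencrypted. The client's listen address is not visible in this hunk; if sidecars only talk to the local agent, keep that listener on loopback, and for anything off-host prefer `grpc_tls: 8503` with `grpc: -1`. `dns: 8600` and `http: 8500` restate Consul's defaults, so a short comment saying they are pinned on purpose would help.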
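Review bot: `Hash $ports = {}` in the `profiles::consul::client` parameter list accepts any keys and values, and the following hunk hands it to the agent config unchanged as `'ports' => $ports`, so a Hiera typo or a quoted port number only surfaces when Consul rejects its configuration. A tighter type documents the contract and fails at catalog compile time instead: `Hash[String[1], Integer[-1, 65535]] $ports = {},` (-1 being Consul's "disabled" value). The class header starts above this hunk, so if it carries parameter documentation, a `@param ports` line should be added there as well.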
@@ -44,6 +45,7 @@ class profiles::consul::client (
 'bind_addr' => $::facts['networking']['ip'],
 'advertise_addr' => $::facts['networking']['ip'],
 'enable_script_checks' => true,
+ 'ports' => $ports,
 'acl' => {
 tokens => {
 default => fqdn_uuid("${facts['networking']['fqdn']}-${secret_id_salt}")
diff --git a/site/profiles/manifests/consul/server.pp b/site/profiles/manifests/consul/server.pp
index 9a57ae7..c2107a4 100644
--- a/site/profiles/manifests/consul/server.pp
+++ b/site/profiles/manifests/consul/server.pp
@@ -119,6 +119,8 @@ class profiles::consul::server (
 'advertise_addr' => $advertise_addr,
 'retry_join' => $servers_array,
 'retry_join_wan' => $remote_servers_array,
+ 'connect' => { 'enabled' => true },
+ 'recursors' => ['198.18.19.16'],
 },
 }
 }
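Review bot: `'recursors' => ['198.18.19.16']` in the `profiles::consul::server` hunk hard-codes a site-specific resolver inside the profile, while the neighbouring values in this hash come from variables; it should be a class parameter fed from Hiera, e.g. `Array[Stdlib::IP::Address] $recursors = [],` with `'recursors' => $recursors,`. With a recursor set, the agent's DNS listener forwards non-Consul names upstream, so if DNS is bound to the network address the way the gRPC addresses in storage/consul.yaml are, it will answer recursive queries for anyone who can reach port 8600; worth confirming that the port is firewalled to intended clients. `'connect' => { 'enabled' => true }` is also unconditional and, with no `ca_provider` in view, would presumably fall back to Consul's built-in CA; a comment stating whether that is intended alongside the Vault PKI referenced in the Hiera data would help. The class parameter list lies outside this hunk.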