diff --git a/firewall/initfwvars.pl.in b/firewall/initfwvars.pl.in
index f4cabbb93591aa1d77ee7918bb28af06ad5b7392..15bb112c3b64adb9870008a4cdc8421aa7ba6e8f 100755
--- a/firewall/initfwvars.pl.in
+++ b/firewall/initfwvars.pl.in
@@ -174,6 +174,21 @@ if ($VIRTNODE_NETWORK =~ /^(\d+\.\d+\.\d+)\.0$/) {
 if ($doit);
 }
 
+#
+# Sorry these are hardwired.
+#
+my $EMULAB_VCNET_BOSS = "172.17.254.254";
+my $EMULAB_VCNET_OPS = "172.17.253.254";
+
+$str = "replace into default_firewall_vars values ".
+ "('EMULAB_VCNET_BOSS', '$EMULAB_VCNET_BOSS'), ".
+ "('EMULAB_VCNET_OPS', '$EMULAB_VCNET_OPS')";
+
+print "$str\n"
+ if (!$doit);
+DBQueryFatal($str)
+ if ($doit);
+
 #
 # Create EMULAB_MCADDR and EMULAB_MCPORT variables
 #
diff --git a/firewall/iptables-fw-domU-rules b/firewall/iptables-fw-domU-rules
index a73d4c49d200595e91ac2ef5523171bb0bb9cdad..13fb35416ad744e368e7c7f238a2cf5a9a487448 100644
--- a/firewall/iptables-fw-domU-rules
+++ b/firewall/iptables-fw-domU-rules
@@ -81,6 +81,10 @@
 # Allow everything from the gateway, since the gateway may be part of the node control net
 iptables -A OUTSIDE -s EMULAB_GWIP,EMULAB_VGWIP -j ACCEPT # BASIC,CLOSED,ELABINELAB
 
+# On a non-segmented control network (like an IG rack), boss/ops
+# have aliases on the virtual node network. Allows these though.
+iptables -A OUTSIDE -s EMULAB_VCNET_BOSS,EMULAB_VCNET_OPS -j ACCEPT # BASIC,CLOSED,ELABINELAB
+
 #
 # No one on the inside can talk to other experiments' nodes and visa-versa.
 #
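Review bot: The two addresses assigned to `my $EMULAB_VCNET_BOSS` and `my $EMULAB_VCNET_OPS` are literal constants in a `.in` template whose other firewall inputs (the hunk header's `$VIRTNODE_NETWORK`, for instance) appear to come from site configuration, so a site whose virtual-node network is not the one these literals assume will silently publish firewall variables naming addresses it does not own. The comment admits they are hardwired but not what they are or when they apply; something like `# boss/ops aliases on the virtual node network; only meaningful on a non-segmented control net (e.g. an IG rack), and must be kept in step with VIRTNODE_NETWORK` would let a maintainer judge whether a given deployment should carry them at all. They are interpolated straight into the `replace into default_firewall_vars` statement, which is harmless while they are literals but will need quoting if they are ever sourced from configuration. `$str` is assigned without `my`, so it is presumably declared earlier in the file, outside this hunk.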
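Review bot: The new `iptables -A OUTSIDE -s EMULAB_VCNET_BOSS,EMULAB_VCNET_OPS -j ACCEPT` is tagged for every class (BASIC, CLOSED, ELABINELAB) and applies whether or not the deployment actually has a non-segmented control network, so on a segmented deployment it widens the OUTSIDE allow list with two source addresses that nothing legitimate uses there; either gate the rule or the values behind that deployment type, or state the trade-off in the comment so the widening is a deliberate choice. The names are presumably substituted from the `default_firewall_vars` rows the first hunk adds, which is where any per-deployment gating would naturally live. The comment also has a wording slip: `# have aliases on the virtual node network. Allows these though.` reads better as `# have aliases on the virtual node network, so allow those addresses too.`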