diff --git a/clan.nix b/clan.nix
index eed0182..e7ccb27 100644
--- a/clan.nix
+++ b/clan.nix
@@ -1,3 +1,17 @@
+let
+ # This clan-core pins the zerotier `allowedIps` interface (admit by network
+ # IPv6), but node IDs are the stable per-device handle (what `zerotier-cli
+ # info` prints). Derive a member's IP on THIS network from the controller's
+ # network id so external members can be listed by node id, as below.
+ ztNetworkId = builtins.readFile ./vars/per-machine/control/zerotier/zerotier-network-id/value;
+ ztMemberIp =
+ nodeId:
+ let
+ full = "fd" + ztNetworkId + "9993" + nodeId;
+ h = i: builtins.substring (i * 4) 4 full;
+ in
+ "${h 0}:${h 1}:${h 2}:${h 3}:${h 4}:${h 5}:${h 6}:${h 7}";
+in
 {
 # Ensure this is unique among all clans you want to use.
 meta.name = "cnx-network-clan";
@@ -23,6 +37,14 @@
 zerotier = {
 roles.controller.machines."control" = { };
 roles.peer.tags.all = { };
+ # External members admitted by ZeroTier node id (stable per device).
+ # Inventory machines are auto-accepted; this is only for peers outside the
+ # clan. Node id comes from `zerotier-cli info` on the joining device.
+ roles.controller.settings.allowedIps = map ztMemberIp [
+ "dbe44c0287" # Alex-gateway
+ "b0e0b84fd3" # Alex
+ "2bd36db8cc" # kurogeek-thinkpad
+ ];
 };
 tor = {
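Review bot: `ztMemberIp` slices `full` purely by position, so any length deviation in its inputs silently yields a wrong address rather than an evaluation error: `builtins.readFile` keeps a trailing newline if the `zerotier-network-id/value` file has one, which would shift every 4-char group by one, and a mistyped or uppercase node id in the `allowedIps` list (second hunk) would produce an entry that matches no device. Since this list is the admission control for peers outside the clan, the derivation should fail loudly instead; for example `ztNetworkId = builtins.replaceStrings [ "\n" ] [ "" ] (builtins.readFile ./vars/per-machine/control/zerotier/zerotier-network-id/value);` and `nodeId: assert builtins.stringLength ztNetworkId == 16 && builtins.stringLength nodeId == 10;` before the inner `let`. The header comment would also read better if it named the scheme being reproduced (the `fd` + network id + `9993` + node id layout) so a later maintainer can check it against ZeroTier's documentation rather than trusting the slicing. Whether the vars file actually carries a newline cannot be seen from this hunk; the check makes that irrelevant either way.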