diff --git a/infrastructure/longhorn/values.yaml b/infrastructure/longhorn/values.yaml
index f946cba..04154cd 100644
--- a/infrastructure/longhorn/values.yaml
+++ b/infrastructure/longhorn/values.yaml
@@ -16,5 +16,6 @@ longhorn:
 host: longhorn.apps.internal.k3s.stabify.de
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-prod
+ traefik.ingress.kubernetes.io/router.middlewares: traefik-system-ipwhitelist-internal@kubernetescrd
 tls: true
 tlsSecret: longhorn-tls
diff --git a/infrastructure/seaweedfs-app.yaml b/infrastructure/seaweedfs-app.yaml
index b8e6ab8..82af43e 100644
--- a/infrastructure/seaweedfs-app.yaml
+++ b/infrastructure/seaweedfs-app.yaml
@@ -38,6 +38,7 @@ spec:
 className: traefik
 annotations: |
 cert-manager.io/cluster-issuer: letsencrypt-prod
+ traefik.ingress.kubernetes.io/router.middlewares: traefik-system-ipwhitelist-internal@kubernetescrd
 host: filer.seaweedfs.apps.internal.k3s.stabify.de
 tls:
 - secretName: seaweedfs-filer-tls
@@ -53,6 +54,7 @@ spec:
 className: traefik
 annotations: |
 cert-manager.io/cluster-issuer: letsencrypt-prod
+ traefik.ingress.kubernetes.io/router.middlewares: traefik-system-ipwhitelist-internal@kubernetescrd
 host: s3.apps.internal.k3s.stabify.de
 tls:
 - secretName: seaweedfs-s3-tls
diff --git a/infrastructure/traefik-middleware-app.yaml b/infrastructure/traefik-middleware-app.yaml
new file mode 100644
index 0000000..f74ffce
--- /dev/null
+++ b/infrastructure/traefik-middleware-app.yaml
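Review bot: Nothing in this values file guarantees that the Middleware referenced by the added `router.middlewares` annotation (`traefik-system-ipwhitelist-internal@kubernetescrd`) exists when the Longhorn Ingress is synced, because the commit delivers that Middleware through a separate Argo CD Application; as far as I recall Traefik refuses to create a router whose middleware is missing, which fails closed (no unprotected exposure) but leaves the UI unreachable until the other Application has synced. A one-line comment above the annotation would save the next operator a debugging session, e.g. `# Traefik disables this router until Middleware traefik-system/ipwhitelist-internal exists (deployed by traefik-middleware-app.yaml)`. The same annotation is added in both seaweedfs-app.yaml hunks (filer and s3); there it lands inside an `annotations: |` block scalar, so the new line must carry exactly the indentation of the `cert-manager.io` line above it or the chart receives a malformed annotation string, which the collapsed diff does not let me verify. The enclosing `longhorn:` mapping starts before the hunk.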
@@ -0,0 +1,26 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: traefik-middleware-ipwhitelist
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "0" # Nach Traefik, aber vor Apps
+spec:
+ project: default
+ source:
+ repoURL: https://git.cloud-infra.prod.openmailserver.de/stabify/gitops.git
+ targetRevision: HEAD
+ path: infrastructure
+ directory:
+ recurse: false
+ include: traefik-middleware-ipwhitelist.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: traefik-system
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
diff --git a/infrastructure/traefik-middleware-ipwhitelist.yaml b/infrastructure/traefik-middleware-ipwhitelist.yaml
new file mode 100644
index 0000000..f13a045
--- /dev/null
+++ b/infrastructure/traefik-middleware-ipwhitelist.yaml
@@ -0,0 +1,19 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: ipwhitelist-internal
+ namespace: traefik-system
+ labels:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/component: middleware
+spec:
+ ipWhiteList:
+ # VPN IP-Range: Anpassen je nach VPN-Konfiguration
+ # Standard: 10.100.0.0/16 (komplettes internes Netzwerk)
+ # Für spezifische VPN-Range: z.B. 10.100.200.0/24
+ sourceRange:
+ - "10.100.0.0/16"
+ - "10.200.0.0/24" # Internes Netzwerk (VLAN 30, 40, 90, etc.)
+ # Weitere VPN-Ranges hier hinzufügen:
+ # - "10.100.200.0/24" # Beispiel: Dediziertes VPN-Subnetz
+ # - "192.168.1.0/24" # Beispiel: Externes VPN-Netzwerk
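Review bot: The `sync-wave: "0"` comment (`Nach Traefik, aber vor Apps`) claims an ordering that a sync-wave on an Application object does not provide by itself: waves order resources within the Application that manages this manifest (presumably a parent app-of-apps), while the Longhorn and SeaweedFS Ingresses that reference the Middleware are synced by their own Applications, so nothing here guarantees the Middleware is applied before them. If strict ordering matters, the referencing Applications need a later wave in the same parent, or the Middleware could be folded into the Traefik Application; at minimum the comment should state what it actually controls, e.g. `# Sync wave within the parent app-of-apps; does not order against the child Applications' own syncs`. `directory.include` with `recurse: false` also pins this Application to one file in `infrastructure/`, so any future middleware manifest placed there is silently not deployed unless the include pattern is widened, which deserves a comment on the `include:` line.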
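Review bot: `ipWhiteList` is configured without an `ipStrategy`, so Traefik evaluates the TCP peer address it sees; on k3s, where the Traefik Service is commonly exposed through ServiceLB/NodePort with the default cluster-wide external traffic policy, that peer is often a node or pod address after SNAT rather than the real client, and if those addresses fall inside `10.100.0.0/16` the allowlist admits every caller, while if they do not it blocks everyone. Confirm from the Traefik access log which address reaches the middleware and make the strategy explicit: keep RemoteAddr together with `externalTrafficPolicy: Local` (or PROXY protocol) on the Traefik Service, or, when exactly one trusted proxy hop sits in front, set `ipStrategy:` / `depth: 1` under `ipWhiteList` so the client address is taken from the entry that hop appended to X-Forwarded-For rather than from a header the client can supply. Traefik v3 deprecates `ipWhiteList` in favour of `ipAllowList` with the same fields, so if the cluster's Traefik chart is on v3 the key should be renamed before the old name is removed; a comment recording the intended strategy and the reason each `sourceRange` entry is trusted would make the allowlist auditable.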