diff --git a/tasks/fail2ban.yml b/tasks/fail2ban.yml
index e832288..8381c45 100644
--- a/tasks/fail2ban.yml
+++ b/tasks/fail2ban.yml
@@ -21,9 +21,8 @@
#################################################
- name: fail2ban | Get Proxmox node name
- ansible.builtin.command: hostname
- register: pve_node
- changed_when: false
+ ansible.builtin.set_fact:
+ pve_node: "{{ ansible_hostname }}"
- name: fail2ban | Set firewall config path
ansible.builtin.set_fact:
@@ -89,7 +88,7 @@
ansible.builtin.command: pve-firewall compile
register: compiled_fw
changed_when: false
- failed_when: false
+ failed_when: fw_compile_check.rc != 0
when: cluster_status.stat.exists
- name: fail2ban | Fail if corosync ports are being dropped
@@ -140,15 +139,33 @@
notify: Reload pve firewall # noqa risky-file-permissions
-- name: fail2ban | Extract corosync ring0 address
+- name: fail2ban | Extract all corosync ring addresses
ansible.builtin.shell: |
set -o pipefail
- grep ring0_addr /etc/pve/corosync.conf | awk '{print $2}'
+ awk '/ring[0-9]+_addr/ {print $2}' /etc/pve/corosync.conf
args:
executable: /bin/bash
- register: corosync_ip
+ register: corosync_ips
changed_when: false
- when: cluster_status.stat.exists
+ when: pve_clustered
+
+- name: fail2ban | Determine CIDR for each corosync IP
+ ansible.builtin.command: ip route get {{ item }}
+ register: corosync_routes
+ changed_when: false
+ loop: "{{ corosync_ips.stdout_lines }}"
+ when: pve_clustered
+
+- name: fail2ban | Extract network CIDRs
+ ansible.builtin.set_fact:
+ corosync_networks: >-
+ {{
+ corosync_routes.results
+ | map(attribute='stdout')
+ | map('regex_search', 'src ([0-9.]+)/([0-9]+)', '\\1/\\2')
+ | list
+ }}
+ when: pve_clustered
- name: fail2ban | Validate Proxmox firewall configuration
ansible.builtin.command: pve-firewall compile
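Review bot: The new `set_fact` in `Get Proxmox node name` depends on `ansible_hostname`, which only exists after fact gathering, so a play that includes this role with `gather_facts: false` now fails with an undefined variable where the previous `hostname` command did not. Either state the requirement on the task, `# requires gathered facts (ansible_hostname); run setup with gather_subset min first`, or precede it with a guarded `ansible.builtin.setup` limited to `gather_subset: ['!all', 'min']`. `ansible_hostname` is the short name, which is presumably what the consuming `Set firewall config path` task expects, but that task is cut off at the hunk edge so I cannot confirm it.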
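Review bot: The new `failed_when: fw_compile_check.rc != 0` references a variable this task does not register — the line just above it registers `compiled_fw` — so unless `fw_compile_check` is set by an earlier task outside the hunk, the conditional itself raises an undefined-variable error on every clustered run. Since a non-zero `rc` is already the command module's default failure rule, the equivalent fix is either `failed_when: compiled_fw.rc != 0` or simply deleting the `failed_when` line. The old `failed_when: false` presumably existed so the following `Fail if corosync ports are being dropped` task could inspect the compile output; that task starts past the hunk edge, so check that aborting on a compile failure before it runs is the intended behaviour.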
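Review bot: The `Extract network CIDRs` task cannot produce a network prefix: `ip route get` prints `src <address>` with no prefix length, so `src ([0-9.]+)/([0-9]+)` never matches and `corosync_networks` becomes a list of empty values, and even on a match Ansible's `regex_search` treats a `\\N` argument as a group selector rather than a substitution template, so `'\\1/\\2'` would return just the address. Exempting whole subnets from fail2ban is also a wider bypass than the old per-address `ignoreip`: every host on the corosync networks could brute-force SSH unbanned, not just the cluster peers, so since the new awk already yields every ring address the tighter fix is to drop the two route tasks and feed `corosync_ips.stdout_lines | join(' ')` to the jail's `ignoreip` instead. Independently, the `loop` over `corosync_ips.stdout_lines` needs `| default([])`, because on an unclustered node the gather task is skipped and its registered result has no `stdout_lines` while Ansible still evaluates `loop` before `when`. If a subnet exemption is genuinely wanted, derive it from the connected route rather than from `ip route get`, for example as below. `pve_clustered` is not defined anywhere in this hunk; presumably it is set by an earlier task.

```yaml
- name: fail2ban | Determine CIDR for each corosync IP
  ansible.builtin.command: ip -o -4 route show match {{ item }} scope link
  register: corosync_routes
  changed_when: false
  loop: "{{ corosync_ips.stdout_lines | default([]) }}"
  when: pve_clustered

- name: fail2ban | Extract network CIDRs
  ansible.builtin.set_fact:
    # first field of a connected (scope link) route is the network prefix; select drops non-matches
    corosync_networks: >-
      {{ corosync_routes.results | map(attribute='stdout') | map('regex_search', '^[0-9.]+/[0-9]+') | select | list }}
  when: pve_clustered
```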
@@ -200,7 +217,7 @@
bantime.max = {{ f2b_bantime_max }}
backend = systemd
banaction = proxmox-fw
- ignoreip = 127.0.0.1/8{% if pve_clustered %} {{ corosync_ip.stdout }}{% endif %} 192.168.2.0/24
+ ignoreip = 127.0.0.1/8{% if pve_clustered %} {{ corosync_networks | join(' ') }}{% endif %} 192.168.2.0/24
#################################################
# SSH
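Review bot: `{{ corosync_networks | join(' ') }}` renders every element as-is, so any element for which the upstream `regex_search` found no match (it yields an empty value rather than failing the task) lands in `ignoreip` as the literal token `None`, which fail2ban will reject or log as an invalid address; guard it with `{{ corosync_networks | select | join(' ') }}` so only non-empty entries are written. The hard-coded `192.168.2.0/24` is a site-specific blanket exemption from banning that every deployment of this role inherits; it would be safer and more reusable as a role variable, e.g. `f2b_ignoreip_extra` defaulting to empty, so installs that do not own that range are not silently exempting it. The jail template this line belongs to starts and ends outside the hunk.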