diff --git a/hosts/architect/firewall.nix b/hosts/architect/firewall.nix
index 3194b36..255f46f 100644
--- a/hosts/architect/firewall.nix
+++ b/hosts/architect/firewall.nix
@@ -54,6 +54,9 @@ in
       }
       table ip nat {
+        chain DOCKER {
+          type nat hook prerouting priority dstnat; policy accept;
+        }
         chain PREROUTING {
           type nat hook prerouting priority dstnat; policy accept;
         }
@@ -142,6 +145,7 @@ in
           ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
           ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
           ip saddr ${lan.net} accept comment "lan > local"
+          iifname ${docker.interface} accept
           ip saddr ${tailscale.net} accept comment "tailscale > local"
           ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
@@ -151,7 +155,6 @@ in
           iifname ${wireguard.interface} udp dport {${openUDPVPN}} accept
           iifname ${wireguard.interface} icmp type echo-request accept
-          iifname ${docker.interface} udp dport 53 accept
           jump filter_drop
         }
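Review bot: The new `chain DOCKER` is a second base chain with exactly the same `type nat hook prerouting priority dstnat` as the `PREROUTING` chain directly below it, and it carries no rules; two base chains registered on the same hook at the same priority have no defined relative order, so any dnat rules later placed in DOCKER would run before or after PREROUTING's unpredictably. If the intent is to pre-declare the chain that Docker's own iptables-nft integration fills, that integration — as far as I recall — creates `DOCKER` as a regular (hookless) chain reached by a jump from PREROUTING, so declaring it as a base chain here may collide with Docker's rule loading; this is worth verifying on the host. A one-line comment stating the purpose, e.g. `# DOCKER: pre-declared so docker's nat rules land in a chain this ruleset owns`, would make the intent reviewable. The enclosing `table ip nat` block continues outside the hunk.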
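Review bot: `iifname ${docker.interface} accept` admits every protocol and port from the docker bridge into the host's input path, whereas the rule it replaces (removed in the third hunk) allowed only `udp dport 53`; any host service bound to all addresses is now reachable from every container, and this is the only rule in the run without a `comment`. Unless the containers genuinely need unrestricted host access, keeping the previous scope, e.g. `iifname ${docker.interface} udp dport 53 accept comment "docker > local dns"` (plus a matching `tcp dport 53` line if needed), preserves the earlier exposure; if full access is intended, the rule should at minimum carry a comment naming which host services the containers depend on. The enclosing chain starts and ends outside the hunk.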