diff --git a/config/services/netbird.nix b/config/services/netbird.nix
index 110d83a..144d884 100644
--- a/config/services/netbird.nix
+++ b/config/services/netbird.nix
@@ -3,9 +3,10 @@
   wireguard.elisabeth = {
     client.via = "elisabeth";
     firewallRuleForNode.elisabeth.allowedTCPPorts = [
-      80
-      3000
-      3001
+      80 # dashboard
+      3000 # management
+      8012 # signal
+      33080 # relay
     ];
   };
 
@@ -28,12 +29,7 @@
     group = "netbird";
   };
 
-  networking.firewall.allowedTCPPorts = [
-    80
-    3000
-    3001
-  ];
-  networking.firewall.allowedUDPPorts = [ 3478 ];
+  networking.firewall.allowedUDPPorts = [ 3478 ]; # STUN/TURN server
   services.netbird = {
     server = {
       enable = true;
diff --git a/hosts/elisabeth/guests.nix b/hosts/elisabeth/guests.nix
index 02568bb..ca62bfd 100644
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@@ -153,7 +153,7 @@ in
               X-Frame-Options = "SAMEORIGIN";
             };
             "/signalexchange.SignalExchange/".extraConfig = ''
-              grpc_pass grpc://${ipOf "netbird"}:3001;
+              grpc_pass grpc://${ipOf "netbird"}:8012;
               grpc_read_timeout 1d;
               grpc_send_timeout 1d;
               grpc_socket_keepalive on;