diff --git a/services/adguard/service.toml b/services/adguard/service.toml
index ad5c44f..29e7cd3 100644
--- a/services/adguard/service.toml
+++ b/services/adguard/service.toml
@@ -1,4 +1,4 @@
-capabilities = ["NET_RAW", "NET_ADMIN"]
+capabilities = ["NET_RAW", "NET_ADMIN", "NET_BIND_SERVICE"]
 [service]
 name = "adguard"
diff --git a/services/firewall/rules.nft b/services/firewall/rules.nft
index 2fe3583..0f6886e 100644
--- a/services/firewall/rules.nft
+++ b/services/firewall/rules.nft
@@ -68,15 +68,19 @@ table inet firewall {
 ip saddr $lan_net tcp dport 22 accept # Allow SSH from LAN network
- # AdGuard admin access (8888) only from LAN and VPN
+ # AdGuard admin access (8888) accept for LAN and VPN
 ip saddr { $lan_net, $vpn_net } tcp dport 8888 accept
 ip6 saddr $lan_net6 tcp dport 8888 accept
- # Adguard DNS, DHCP, DoT, DoQ ports only from LAN and VPN
- ip saddr { $lan_net, $vpn_net} udp dport { 53, 67, 68, 784 } accept
- ip saddr { $lan_net, $vpn_net} tcp dport { 53, 853 } accept
- ip6 saddr $lan_net6 udp dport { 53, 67, 68, 784 } accept
- ip6 saddr $lan_net6 tcp dport { 53, 853 } accept
+ # Adguard DHCP, DoT, DoQ ports
+ udp dport { 67, 68, 784 } accept
+ tcp dport { 853 } accept
+
+ # Allow DNS from LAN and VPN
+ ip saddr { $lan_net, $vpn_net } udp dport 53 accept
+ ip6 saddr $lan_net6 udp dport 53 accept
+ ip saddr { $lan_net, $vpn_net } tcp dport 53 accept
+ ip6 saddr $lan_net6 tcp dport 53 accept
 # Rules for WAN interface only
 iifname $wan udp dport 51820 accept # Allow Wireguard incoming from WAN
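Review bot: The new `NET_BIND_SERVICE` entry carries no comment saying which listeners it is for, and nothing in the hunk shows whether the service runs as a non-root user, which is the only situation in which the capability does anything. A one-line comment keeps the grant reviewable next to the two broader ones already present, e.g. `# NET_BIND_SERVICE: bind the DNS/DHCP/DoT/DoQ listeners (ports below 1024) without running as root`. If the service does run as root, the entry is redundant and it would be clearer to drop it than to leave it implying a privilege reduction that has not happened.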
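Review bot: The two new rules `udp dport { 67, 68, 784 } accept` and `tcp dport { 853 } accept` carry no `saddr` or `iifname` qualifier, so unlike the five lines they replace they also match packets arriving on `$wan`, which exposes the DoT and DoQ listeners to the internet while plain DNS on 53 keeps its LAN/VPN restriction. The chain these rules sit in opens and closes outside the hunk, so a chain-level interface filter cannot be ruled out from here, but the `# Rules for WAN interface only` / `iifname $wan` lines further down suggest the chain is not interface-scoped. If the source restriction was dropped because DHCP DISCOVER/REQUEST packets arrive with source 0.0.0.0 and never match `$lan_net`, scope DHCP by interface instead and keep the address restriction on 784 and 853. The header comment should also state where the ports are meant to be reachable from, e.g. `# AdGuard DHCP (non-WAN interfaces) and DoT/DoQ (LAN and VPN only)`.
```nftables
# AdGuard DHCP: clients send DISCOVER/REQUEST from 0.0.0.0, so match on interface rather than source address
iifname != $wan udp dport { 67, 68 } accept

# AdGuard DoT / DoQ: same source restriction as plain DNS
ip saddr { $lan_net, $vpn_net } udp dport 784 accept
ip6 saddr $lan_net6 udp dport 784 accept
ip saddr { $lan_net, $vpn_net } tcp dport 853 accept
ip6 saddr $lan_net6 tcp dport 853 accept

# … unchanged: DNS (53) rules from LAN and VPN …
```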