diff --git a/system/services/docker/ollama/default.nix b/system/services/docker/ollama/default.nix
index cdfbb02..f4b57b5 100644
--- a/system/services/docker/ollama/default.nix
+++ b/system/services/docker/ollama/default.nix
@@ -11,6 +11,16 @@
             ollama
         ];
 
+        networking.firewall.interfaces = {
+            "ve-traefik" = {
+                allowedTCPPorts = [ 11434 ];
+            };
+
+            "ve-openwebui" = {
+                allowedTCPPorts = [ 11434 ];
+            };
+        };
+
         virtualisation.oci-containers.containers.ollama = {
             image = "ollama/ollama:latest";
 
diff --git a/system/services/docker/pihole/default.nix b/system/services/docker/pihole/default.nix
index 9d53f03..16e3107 100644
--- a/system/services/docker/pihole/default.nix
+++ b/system/services/docker/pihole/default.nix
@@ -19,7 +19,13 @@
             user = "root";
             mode = "0664";
         };
-        
+ 
+        networking.firewall.interfaces = {
+            "ve-traefik" = {
+                allowedTCPPorts = [ 9001 ];
+            };
+        };
+
         virtualisation.oci-containers.containers.pihole = {
             image = "pihole/pihole:latest";
 
diff --git a/system/services/docker/portainer/default.nix b/system/services/docker/portainer/default.nix
index 6b09aaf..f5172d9 100644
--- a/system/services/docker/portainer/default.nix
+++ b/system/services/docker/portainer/default.nix
@@ -7,6 +7,12 @@
 
     config = lib.mkIf (config.sysconfig.docker.portainer.enable && config.sysconfig.docker.enable) {
 
+        networking.firewall.interfaces = {
+            "ve-traefik" = {
+                allowedTCPPorts = [ 9000 ];
+            };
+        };
+
         virtualisation.oci-containers.containers.portainer = {
             image = "portainer/portainer-ce:latest";