diff --git a/ansible/roles/routeros/tasks/firewall.yml b/ansible/roles/routeros/tasks/firewall.yml
index 10aa909..33255b5 100644
--- a/ansible/roles/routeros/tasks/firewall.yml
+++ b/ansible/roles/routeros/tasks/firewall.yml
@@ -256,6 +256,11 @@
         dst-port: 30033
         out-interface: vlan4
         protocol: tcp
+      - action: accept
+        chain: allow-ports
+        dst-port: 10011
+        out-interface: vlan4
+        protocol: tcp
       - action: accept
         chain: allow-ports
         comment: Allow HTTP
@@ -315,6 +320,12 @@
         dst-port: 30033
         protocol: tcp
         to-addresses: 10.44.0.0
+      - action: dst-nat
+        chain: dstnat
+        dst-address: 139.28.40.212
+        dst-port: 10011
+        protocol: tcp
+        to-addresses: 10.44.0.0
       - action: src-nat
         chain: srcnat
         comment: src-nat from LAN to TS3 to some Greenland address
diff --git a/apps/ispeak3/service.yaml b/apps/ispeak3/service.yaml
index 9418d51..e2bf18c 100644
--- a/apps/ispeak3/service.yaml
+++ b/apps/ispeak3/service.yaml
@@ -15,6 +15,10 @@ spec:
     protocol: TCP
     port: 30033
     targetPort: 30033
+  - name: rawquery
+    protocol: TCP
+    port: 10011
+    targetPort: 10011
   type: LoadBalancer
   externalTrafficPolicy: Local
   ipFamilyPolicy: PreferDualStack