diff --git a/home.admin/_provision_.sh b/home.admin/_provision_.sh
index e396d6a07..35b54868c 100755
--- a/home.admin/_provision_.sh
+++ b/home.admin/_provision_.sh
@@ -164,10 +164,15 @@ echo "allow: local web admin HTTPS"
 ufw allow from 10.0.0.0/8 to any port 443 comment 'allow local LAN HTTPS'
 ufw allow from 172.16.0.0/12 to any port 443 comment 'allow local LAN HTTPS'
 ufw allow from 192.168.0.0/16 to any port 443 comment 'allow local LAN HTTPS'
-echo "open firewall for auto nat discover (see issue #129)"
+echo "open firewall for auto nat discover (see issue #129 & #3144)"
 ufw allow proto udp from 10.0.0.0/8 port 1900 to any comment 'allow local LAN SSDP for UPnP discovery'
 ufw allow proto udp from 172.16.0.0/12 port 1900 to any comment 'allow local LAN SSDP for UPnP discovery'
 ufw allow proto udp from 192.168.0.0/16 port 1900 to any comment 'allow local LAN SSDP for UPnP discovery'
+ufw allow proto udp from 192.168.0.0/16 port 5350 to any comment 'Bonjour NAT'
+ufw allow proto udp from 172.16.0.0/12 port 5350 to any comment 'Bonjour NAT'
+ufw allow proto udp from 192.168.0.0/16 port 5351 to any comment 'Bonjour NAT'
+ufw allow proto udp from 172.16.0.0/12 port 5351 to any comment 'Bonjour NAT'
+
 echo "enable lazy firewall"
 ufw --force enable
 echo ""
diff --git a/home.admin/assets/lnd.bitcoin.conf b/home.admin/assets/lnd.bitcoin.conf
index 129b47ef4..ca5cf575f 100755
--- a/home.admin/assets/lnd.bitcoin.conf
+++ b/home.admin/assets/lnd.bitcoin.conf
@@ -9,8 +9,6 @@ nat=false
 
 # Avoid historical graph data sync
 ignore-historical-gossip-filters=1
-# Avoid slow startup time
-sync-freelist=1
 # Avoid high startup overhead
 stagger-initial-reconnect=1
 
diff --git a/home.admin/config.scripts/lnd.check.sh b/home.admin/config.scripts/lnd.check.sh
index 199de1d75..126fde020 100755
--- a/home.admin/config.scripts/lnd.check.sh
+++ b/home.admin/config.scripts/lnd.check.sh
@@ -63,6 +63,11 @@ if [ "$1" == "prestart" ]; then
 
   ##### APPLICATION OPTIONS SECTION #####
 
+  # remove sync-freelist=1 (use =true is you want to overrule raspiblitz)
+  # https://github.com/rootzoll/raspiblitz/issues/3251
+  sed -i "/^# Avoid slow startup time/d" ${lndConfFile}
+  sed -i "/^sync-freelist=1/d" ${lndConfFile}
+
   # delete autounlock if passwordFile not present
   passwordFile="/mnt/hdd/lnd/data/chain/${network}/${CHAIN}/password.info"
   if ! ls ${passwordFile} &>/dev/null; then