I have the following setup:

Raspi with Docker and multiple Containers connected to my Router. Some containers are on a MACVLAN network and receive regular IP Address in my LAN (e.g. Pihole, Unbound, etc.), some are on bridged networks and expose certain ports (Portainer, nginx, etc.)

Router LAN (192.x.y.0/24)
    |Raspi (192.x.y.5)
    |Pihole  (192.x.y.11)
    |Webserver (192.x.y.20)
    |Wireguard (192.x.y.13) - (VPN: 10.x.y.0/32, DNS 192.x.y.11) - (Allowed IPs: 192.x.y.0/24)
    |
    |Portainer (bridged - exposing 8000, 9000, 9443)
    |NGINX (bridged - exposing 81, 80, 443)

When I connect a client through Wireguard,

• I can access the internet (Pihole on 192.x.y.11 works as DNS - adblocking works)
• I can access Piholes webUI on 192.x.y.11
• I can access my webserver on 192.x.y.20

NOT working:

I cannot access the Portainer UI or NGINX UI on their respective forwarded IP:ports e.g. 192.x.y.5:81 for NGINX

What is missing in any config? I found nothing solving this issue - please help!