diff --git a/build-tools/docker/example-mainnet/.env b/build-tools/docker/example-mainnet/.env index be434d0f2c..016ee9f598 100644 --- a/build-tools/docker/example-mainnet/.env +++ b/build-tools/docker/example-mainnet/.env @@ -22,15 +22,25 @@ API_SERVER_POSTGRES_DB=postgres # The password for the postgres dbms. API_SERVER_POSTGRES_PASSWORD=use-strong-password -# The node's rpc and p2p ports will be mapped to these ports on the host machine. +# The node's rpc port will be mapped to this port on the host machine. +# Note that it will only be reachable from localhost and not from other network interfaces. NODE_RPC_HOST_PORT=3030 -NODE_P2P_HOST_PORT=3031 - # Username and password for node rpc calls. NODE_RPC_USERNAME=username NODE_RPC_PASSWORD=use-another-strong-password +# The node's p2p port will be mapped to this port on the host machine. +# IMPORTANT: changing this port alone won't be enough to make your node discoverable by other nodes +# (or, if it was already discoverable, it may make it not discoverable anymore). +# The reason is that the node will advertise itself to the peers as "your_global_ip_address:the_port_you_specify_here". +# So, if you are behind NAT, you have to also make sure that "the_port_you_specify_here" is open to +# the outside world and mapped to "the_port_you_specify_here" on your host machine. +# On the other hand if you don't care about incoming connections from other nodes, just leave +# this variable as is. +NODE_P2P_HOST_PORT=3031 + # Wallet rpc daemon's port will be mapped to this port on the host machine. +# This is reachable only from localhost. WALLET_RPC_DAEMON_HOST_PORT=3034 # Username and password for wallet rpc calls. WALLET_RPC_DAEMON_USERNAME=username 
@@ -38,6 +48,7 @@ WALLET_RPC_DAEMON_PASSWORD=use-yet-another-strong-password # Host machine's port to which api server's postgres port will be mapped. # This is only useful if you want to examine the contents of the db yourself, e.g. via PgAdmin. +# Reachable only from localhost. API_SERVER_POSTGRES_HOST_PORT=5434 # The API web server's port will be mapped to this port on the host machine. diff --git a/build-tools/docker/example-mainnet/docker-compose.yml b/build-tools/docker/example-mainnet/docker-compose.yml index 7d61b1884e..2de8f13b90 100644 --- a/build-tools/docker/example-mainnet/docker-compose.yml +++ b/build-tools/docker/example-mainnet/docker-compose.yml @@ -16,9 +16,10 @@ services: command: node-daemon mainnet environment: <<: *ml-common-env - # Note: - # The default rpc bind address is '127.0.0.1', so it'll only be reachable from the same - # container; to make it reachable from other containers, we need to set it to '0.0.0.0'. + # For rpc, the default rpc bind address is '127.0.0.1', so it'll only be reachable from the + # same container; to make it reachable from other containers or from the host machine, we + # have to set it to '0.0.0.0'. + ML_MAINNET_NODE_RPC_BIND_ADDRESS: 0.0.0.0:3030 # For p2p, the default address is already '0.0.0.0'. But it's better to use the same port # as the one exposed on the host system, otherwise other nodes won't be able to establish # outbound connections to this node. 
@@ -26,14 +27,16 @@ services: # as it is seen by a peer with the port that it is listening on; this address is then # advertised to other peers and propagated through the network. So, if the listening port # differs from the one exposed on the host, the advertised address will be incorrect. - ML_MAINNET_NODE_RPC_BIND_ADDRESS: 0.0.0.0:3030 ML_MAINNET_NODE_P2P_BIND_ADDRESSES: 0.0.0.0:$NODE_P2P_HOST_PORT # Rpc username and password. ML_MAINNET_NODE_RPC_USERNAME: $NODE_RPC_USERNAME ML_MAINNET_NODE_RPC_PASSWORD: $NODE_RPC_PASSWORD ports: # This is only needed if you want to access the node's rpc interface from the host system. - - "$NODE_RPC_HOST_PORT:3030" + # Note that here we also set the ip address to bind to on the host to 127.0.0.1; because of + # this, rpc connections will only be allowed from the host machine and not from the "outside + # world". + - "127.0.0.1:$NODE_RPC_HOST_PORT:3030" # This is only needed if you want the node to be able to accept incoming p2p connections # from other nodes. - "$NODE_P2P_HOST_PORT:$NODE_P2P_HOST_PORT" @@ -49,7 +52,7 @@ services: ports: # This is only needed if you want to examine the contents of the db from the host system, # e.g. via PgAdmin. - - "$API_SERVER_POSTGRES_HOST_PORT:5432" + - "127.0.0.1:$API_SERVER_POSTGRES_HOST_PORT:5432" volumes: # Explicitly mount postgres docker image's mount point to a named volume (without this, # docker will create an anonymous volume instead). 
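Review bot: The new comment above `"127.0.0.1:$NODE_RPC_HOST_PORT:3030"` says rpc connections are only allowed from the host machine, but a loopback publish still lets every local user and process on that host reach the port. The service also keeps listening on `0.0.0.0:3030` inside the compose network. The rpc username and password therefore remain the actual access control, and the example `.env` still ships placeholder values such as `use-another-strong-password`. I would extend the comment with a line like `# Any local user or process on the host can still connect, so keep the rpc credentials strong.` The same caveat applies to the postgres mapping in the next hunk (`127.0.0.1:$API_SERVER_POSTGRES_HOST_PORT:5432`) and to the wallet-rpc-daemon mapping in the hunk after it.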
@@ -102,28 +105,30 @@ services: - node-daemon environment: <<: *ml-common-env - ML_WALLET_RPC_DAEMON_NODE_RPC_ADDRESS: node-daemon:3030 - ML_WALLET_RPC_DAEMON_NODE_RPC_USERNAME: $NODE_RPC_USERNAME - ML_WALLET_RPC_DAEMON_NODE_RPC_PASSWORD: $NODE_RPC_PASSWORD - ML_WALLET_RPC_DAEMON_RPC_BIND_ADDRESS: 0.0.0.0:3034 - ML_WALLET_RPC_DAEMON_RPC_USERNAME: $WALLET_RPC_DAEMON_USERNAME - ML_WALLET_RPC_DAEMON_RPC_PASSWORD: $WALLET_RPC_DAEMON_PASSWORD + ML_MAINNET_WALLET_RPC_DAEMON_NODE_RPC_ADDRESS: node-daemon:3030 + ML_MAINNET_WALLET_RPC_DAEMON_NODE_RPC_USERNAME: $NODE_RPC_USERNAME + ML_MAINNET_WALLET_RPC_DAEMON_NODE_RPC_PASSWORD: $NODE_RPC_PASSWORD + # Same as for the node, the default rpc bind address is '127.0.0.1' here; we need to set it + # to '0.0.0.0' to make it reachable from other containers/host machine. + ML_MAINNET_WALLET_RPC_DAEMON_RPC_BIND_ADDRESS: 0.0.0.0:3034 + ML_MAINNET_WALLET_RPC_DAEMON_RPC_USERNAME: $WALLET_RPC_DAEMON_USERNAME + ML_MAINNET_WALLET_RPC_DAEMON_RPC_PASSWORD: $WALLET_RPC_DAEMON_PASSWORD ports: - - "$WALLET_RPC_DAEMON_HOST_PORT:3034" + - "127.0.0.1:$WALLET_RPC_DAEMON_HOST_PORT:3034" # wallet-cli is not a real service; we just need a service definition for it in order to be able # to run it via "docker compose run" wallet-cli: <<: *ml-common image: $DOCKERHUB_USERNAME/wallet-cli:$ML_SOFTWARE_VERSION - command: wallet-cli + command: wallet-cli mainnet depends_on: - node-daemon environment: <<: *ml-common-env - ML_WALLET_NODE_RPC_ADDRESS: node-daemon:3030 - ML_WALLET_NODE_RPC_USERNAME: $NODE_RPC_USERNAME - ML_WALLET_NODE_RPC_PASSWORD: $NODE_RPC_PASSWORD + ML_MAINNET_WALLET_NODE_RPC_ADDRESS: node-daemon:3030 + ML_MAINNET_WALLET_NODE_RPC_USERNAME: $NODE_RPC_USERNAME + ML_MAINNET_WALLET_NODE_RPC_PASSWORD: $NODE_RPC_PASSWORD profiles: # Put it in a separate profile, so that it's not started automatically by "docker compose up". - wallet_cli diff --git a/p2p/src/peer_manager/mod.rs b/p2p/src/peer_manager/mod.rs index 0be2416bf5..3cff1b5cb8 100644 
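Review bot: The renamed variables (`ML_MAINNET_WALLET_RPC_DAEMON_*`, `ML_MAINNET_WALLET_NODE_RPC_*`) and the new `command: wallet-cli mainnet` only work with images built from this change, while the image tag still comes from `$ML_SOFTWARE_VERSION`. If the file and the image versions are mismatched, the username, password and bind-address variables would presumably be ignored without an error, so the daemon could start with settings the operator did not intend. A comment above the wallet-rpc-daemon `environment:` block such as `# Requires an image that reads the ML_MAINNET_* names; the older ML_WALLET_RPC_DAEMON_* names are no longer read.` would make the coupling explicit. The matching source change is the `env_adder` move onto the `WalletRpcDaemonCommand` variants in `wallet/wallet-rpc-lib/src/cmdline.rs`; the wallet-cli side of the rename is not visible in this diff.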
--- a/p2p/src/peer_manager/mod.rs +++ b/p2p/src/peer_manager/mod.rs @@ -317,6 +317,7 @@ where /// This won't work for majority of nodes but that should be accepted. fn discover_own_address( &mut self, + peer_id: PeerId, peer_role: PeerRole, common_services: Services, node_address_as_seen_by_peer: Option, @@ -366,7 +367,16 @@ where // Send only one address because of the rate limiter (see `ADDR_RATE_INITIAL_SIZE`). // Select a random address to give all addresses a chance to be discovered by the network. - discovered_own_addresses.into_iter().choose(&mut make_pseudo_rng()) + let chosen_discovered_address = + discovered_own_addresses.iter().choose(&mut make_pseudo_rng()).cloned(); + + log::debug!( + "Own addresses discovered for peer {peer_id}: {:?}, chosen address: {:?}", + discovered_own_addresses, + chosen_discovered_address + ); + + chosen_discovered_address } /// Send address announcement to the selected peer (if the address is new) @@ -947,6 +957,7 @@ where ); let discovered_own_address = self.discover_own_address( + peer_id, peer_role, info.common_services, node_address_as_seen_by_peer, diff --git a/wallet/wallet-rpc-lib/src/cmdline.rs b/wallet/wallet-rpc-lib/src/cmdline.rs index 5d53c58519..6738f9801d 100644 --- a/wallet/wallet-rpc-lib/src/cmdline.rs +++ b/wallet/wallet-rpc-lib/src/cmdline.rs @@ -45,12 +45,15 @@ impl WalletRpcDaemonArgs { #[derive(clap::Subcommand)] pub enum WalletRpcDaemonCommand { /// Run the mainnet wallet. + #[clap(mut_args(clap_utils::env_adder("MAINNET_WALLET_RPC_DAEMON")))] Mainnet(WalletRpcDaemonChainArgs), /// Run the testnet wallet. + #[clap(mut_args(clap_utils::env_adder("TESTNET_WALLET_RPC_DAEMON")))] Testnet(WalletRpcDaemonChainArgs), /// Run the regtest wallet. + #[clap(mut_args(clap_utils::env_adder("REGTEST_WALLET_RPC_DAEMON")))] Regtest { #[command(flatten)] args: WalletRpcDaemonChainArgs, 
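Review bot: The added `log::debug!` at the end of `discover_own_address` mixes an inline capture (`{peer_id}`) with two positional `{:?}` arguments; using captures throughout reads more easily: `"Own addresses discovered for peer {peer_id}: {discovered_own_addresses:?}, chosen address: {chosen_discovered_address:?}"`. The doc comment above the function could also state that `peer_id` is used only for this log line, which is the only use visible here. The function body starts outside this hunk, so whether the message is also emitted when no address was discovered cannot be told from these lines.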
@@ -76,7 +79,6 @@ impl WalletRpcDaemonCommand { } #[derive(clap::Args)] -#[clap(mut_args(clap_utils::env_adder("WALLET_RPC_DAEMON")))] #[command( version, about, @@ -215,7 +217,7 @@ pub fn make_wallet_config( rpc_username: Option, rpc_password: Option, rpc_no_authentication: bool, - wallet_rpc_address: Option, + wallet_rpc_bind_address: Option, chain_type: ChainType, ) -> Result { let rpc_config = { @@ -230,7 +232,7 @@ pub fn make_wallet_config( _ => panic!("Should not happen due to arg constraints"), }; - let bind_addr = match wallet_rpc_address { + let bind_addr = match wallet_rpc_bind_address { None => { let port = WalletRpcConfig::default_port(chain_type); std::net::SocketAddr::new(std::net::Ipv4Addr::LOCALHOST.into(), port)