[client] Fix inbound tracking in userspace firewall (#3111 )

* Don't create state for inbound SYN * Allow final ack in some cases * Relax state machine test a little
[client] Don't fail debug if log file is console (#3103 )
2026-04-17 07:46:38 +00:00 · 2024-12-26 00:51:27 +01:00 · 2024-12-24 15:05:23 +01:00 · 2024-12-23 18:22:17 +01:00 · 2024-12-23 15:57:15 +01:00 · 2024-12-23 14:37:09 +01:00
219 changed files with 21846 additions and 5801 deletions
--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -21,6 +21,7 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: "1.23.x"
+          cache: false
      - name: Checkout code
        uses: actions/checkout@v4

@@ -28,8 +29,9 @@ jobs:
        uses: actions/cache@v4
        with:
          path: ~/go/pkg/mod
-          key: macos-go-${{ hashFiles('**/go.sum') }}
+          key: macos-gotest-${{ hashFiles('**/go.sum') }}
          restore-keys: |
+            macos-gotest-
            macos-go-

      - name: Install libpcap
@@ -42,4 +44,4 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 ./...
+        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v /management)
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -11,31 +11,115 @@ concurrency:
  cancel-in-progress: true

 jobs:
+  build-cache:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.23.x"
+          cache: false
+
+      - name: Get Go environment
+        run: |
+          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+
+      - name: Cache Go modules
+        uses: actions/cache@v4
+        id: cache
+        with:
+          path: |
+            ${{ env.cache }}
+            ${{ env.modcache }}
+          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
+            
+
+      - name: Install dependencies
+        if: steps.cache.outputs.cache-hit != 'true'
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+
+      - name: Install 32-bit libpcap
+        if: steps.cache.outputs.cache-hit != 'true'
+        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
+
+      - name: Build client
+        if: steps.cache.outputs.cache-hit != 'true'
+        working-directory: client
+        run: CGO_ENABLED=1 go build .
+
+      - name: Build client 386
+        if: steps.cache.outputs.cache-hit != 'true'
+        working-directory: client
+        run: CGO_ENABLED=1 GOARCH=386 go build -o client-386 .
+
+      - name: Build management
+        if: steps.cache.outputs.cache-hit != 'true'
+        working-directory: management
+        run: CGO_ENABLED=1 go build .
+
+      - name: Build management 386
+        if: steps.cache.outputs.cache-hit != 'true'
+        working-directory: management
+        run: CGO_ENABLED=1 GOARCH=386 go build -o management-386 .
+
+      - name: Build signal
+        if: steps.cache.outputs.cache-hit != 'true'
+        working-directory: signal
+        run: CGO_ENABLED=1 go build .
+
+      - name: Build signal 386
+        if: steps.cache.outputs.cache-hit != 'true'
+        working-directory: signal
+        run: CGO_ENABLED=1 GOARCH=386 go build -o signal-386 .
+
+      - name: Build relay
+        if: steps.cache.outputs.cache-hit != 'true'
+        working-directory: relay
+        run: CGO_ENABLED=1 go build .
+
+      - name: Build relay 386
+        if: steps.cache.outputs.cache-hit != 'true'
+        working-directory: relay
+        run: CGO_ENABLED=1 GOARCH=386 go build -o relay-386 .
+
  test:
+    needs: [build-cache]
    strategy:
      fail-fast: false
      matrix:
        arch: [ '386','amd64' ]
-        store: [ 'sqlite', 'postgres']
    runs-on: ubuntu-22.04
    steps:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
          go-version: "1.23.x"
-
-
-      - name: Cache Go modules
-        uses: actions/cache@v4
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
+          cache: false

      - name: Checkout code
        uses: actions/checkout@v4

+      - name: Get Go environment
+        run: |
+          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+
+      - name: Cache Go modules
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ${{ env.cache }}
+            ${{ env.modcache }}
+          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-gotest-cache-
+
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev

@@ -50,9 +134,59 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 10m -p 1 ./...
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v /management)
+
+  test_management:
+    needs: [ build-cache ]
+    strategy:
+      fail-fast: false
+      matrix:
+        arch: [ '386','amd64' ]
+        store: [ 'sqlite', 'postgres']
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.23.x"
+          cache: false
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Get Go environment
+        run: |
+          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+
+      - name: Cache Go modules
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ${{ env.cache }}
+            ${{ env.modcache }}
+          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-gotest-cache-
+
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+
+      - name: Install 32-bit libpcap
+        if: matrix.arch == '386'
+        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
+
+      - name: Install modules
+        run: go mod tidy
+
+      - name: check git status
+        run: git --no-pager diff --exit-code
+
+      - name: Test
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -p 1 -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 10m $(go list ./... | grep /management)

  benchmark:
+    needs: [ build-cache ]
    strategy:
      fail-fast: false
      matrix:
@@ -64,19 +198,26 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: "1.23.x"
-
-
-      - name: Cache Go modules
-        uses: actions/cache@v4
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
+          cache: false

      - name: Checkout code
        uses: actions/checkout@v4

+      - name: Get Go environment
+        run: |
+          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+
+      - name: Cache Go modules
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ${{ env.cache }}
+            ${{ env.modcache }}
+          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-gotest-cache-
+
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev

@@ -94,24 +235,33 @@ jobs:
        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -run=^$ -bench=. -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 10m -p 1 ./...

  test_client_on_docker:
+    needs: [ build-cache ]
    runs-on: ubuntu-20.04
    steps:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
          go-version: "1.23.x"
-
-      - name: Cache Go modules
-        uses: actions/cache@v4
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
+          cache: false

      - name: Checkout code
        uses: actions/checkout@v4

+      - name: Get Go environment
+        run: |
+          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+
+      - name: Cache Go modules
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ${{ env.cache }}
+            ${{ env.modcache }}
+          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-gotest-cache-
+
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev

--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -24,6 +24,23 @@ jobs:
        id: go
        with:
          go-version: "1.23.x"
+          cache: false
+
+      - name: Get Go environment
+        run: |
+          echo "cache=$(go env GOCACHE)" >> $env:GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $env:GITHUB_ENV
+
+      - name: Cache Go modules
+        uses: actions/cache@v4
+        with:
+          path: |
+            ${{ env.cache }}
+            ${{ env.modcache }}
+          key: ${{ runner.os }}-gotest-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-gotest-
+            ${{ runner.os }}-go-

      - name: Download wintun
        uses: carlosperate/download-file-action@v2
@@ -42,11 +59,13 @@ jobs:
      - run: choco install -y sysinternals --ignore-checksums
      - run: choco install -y mingw

-      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=C:\Users\runneradmin\go\pkg\mod
-      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=C:\Users\runneradmin\AppData\Local\go-build
+      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=${{ env.cache }}
+      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=${{ env.modcache }}
+      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe mod tidy
+      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' })" >> $env:GITHUB_ENV

      - name: test
-        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -timeout 10m -p 1 ./... > test-out.txt 2>&1"
+        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -timeout 10m -p 1 ${{ env.files }} > test-out.txt 2>&1"
      - name: test output
        if: ${{ always() }}
        run: Get-Content test-out.txt
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -46,7 +46,7 @@ jobs:
        if: matrix.os == 'ubuntu-latest'
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v4
        with:
          version: latest
-          args: --timeout=12m
+          args: --timeout=12m --out-format colored-line-number
--- a/client/Dockerfile
+++ b/client/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.20
+FROM alpine:3.21.0
 RUN apk add --no-cache ca-certificates iptables ip6tables
 ENV NB_FOREGROUND_MODE=true
 ENTRYPOINT [ "/usr/local/bin/netbird","up"]
--- a/client/anonymize/anonymize.go
+++ b/client/anonymize/anonymize.go
@@ -12,6 +12,8 @@ import (
 	"strings"
 )

+const anonTLD = ".domain"
+
 type Anonymizer struct {
 	ipAnonymizer     map[netip.Addr]netip.Addr
 	domainAnonymizer map[string]string
@@ -19,6 +21,8 @@ type Anonymizer struct {
 	currentAnonIPv6  netip.Addr
 	startAnonIPv4    netip.Addr
 	startAnonIPv6    netip.Addr
+
+	domainKeyRegex *regexp.Regexp
 }

 func DefaultAddresses() (netip.Addr, netip.Addr) {
@@ -34,6 +38,8 @@ func NewAnonymizer(startIPv4, startIPv6 netip.Addr) *Anonymizer {
 		currentAnonIPv6:  startIPv6,
 		startAnonIPv4:    startIPv4,
 		startAnonIPv6:    startIPv6,
+
+		domainKeyRegex: regexp.MustCompile(`\bdomain=([^\s,:"]+)`),
 	}
 }

@@ -83,29 +89,39 @@ func (a *Anonymizer) AnonymizeIPString(ip string) string {
 }

 func (a *Anonymizer) AnonymizeDomain(domain string) string {
-	if strings.HasSuffix(domain, "netbird.io") ||
-		strings.HasSuffix(domain, "netbird.selfhosted") ||
-		strings.HasSuffix(domain, "netbird.cloud") ||
-		strings.HasSuffix(domain, "netbird.stage") ||
-		strings.HasSuffix(domain, ".domain") {
+	baseDomain := domain
+	hasDot := strings.HasSuffix(domain, ".")
+	if hasDot {
+		baseDomain = domain[:len(domain)-1]
+	}
+
+	if strings.HasSuffix(baseDomain, "netbird.io") ||
+		strings.HasSuffix(baseDomain, "netbird.selfhosted") ||
+		strings.HasSuffix(baseDomain, "netbird.cloud") ||
+		strings.HasSuffix(baseDomain, "netbird.stage") ||
+		strings.HasSuffix(baseDomain, anonTLD) {
 		return domain
 	}

-	parts := strings.Split(domain, ".")
+	parts := strings.Split(baseDomain, ".")
 	if len(parts) < 2 {
 		return domain
 	}

-	baseDomain := parts[len(parts)-2] + "." + parts[len(parts)-1]
+	baseForLookup := parts[len(parts)-2] + "." + parts[len(parts)-1]

-	anonymized, ok := a.domainAnonymizer[baseDomain]
+	anonymized, ok := a.domainAnonymizer[baseForLookup]
 	if !ok {
-		anonymizedBase := "anon-" + generateRandomString(5) + ".domain"
-		a.domainAnonymizer[baseDomain] = anonymizedBase
+		anonymizedBase := "anon-" + generateRandomString(5) + anonTLD
+		a.domainAnonymizer[baseForLookup] = anonymizedBase
 		anonymized = anonymizedBase
 	}

-	return strings.Replace(domain, baseDomain, anonymized, 1)
+	result := strings.Replace(baseDomain, baseForLookup, anonymized, 1)
+	if hasDot {
+		result += "."
+	}
+	return result
 }

 func (a *Anonymizer) AnonymizeURI(uri string) string {
@@ -152,27 +168,22 @@ func (a *Anonymizer) AnonymizeString(str string) string {
 	return str
 }

-// AnonymizeSchemeURI finds and anonymizes URIs with stun, stuns, turn, and turns schemes.
+// AnonymizeSchemeURI finds and anonymizes URIs with ws, wss, rel, rels, stun, stuns, turn, and turns schemes.
 func (a *Anonymizer) AnonymizeSchemeURI(text string) string {
-	re := regexp.MustCompile(`(?i)\b(stuns?:|turns?:|https?://)\S+\b`)
+	re := regexp.MustCompile(`(?i)\b(wss?://|rels?://|stuns?:|turns?:|https?://)\S+\b`)

 	return re.ReplaceAllStringFunc(text, a.AnonymizeURI)
 }

-// AnonymizeDNSLogLine anonymizes domain names in DNS log entries by replacing them with a random string.
 func (a *Anonymizer) AnonymizeDNSLogLine(logEntry string) string {
-	domainPattern := `dns\.Question{Name:"([^"]+)",`
-	domainRegex := regexp.MustCompile(domainPattern)
-
-	return domainRegex.ReplaceAllStringFunc(logEntry, func(match string) string {
-		parts := strings.Split(match, `"`)
+	return a.domainKeyRegex.ReplaceAllStringFunc(logEntry, func(match string) string {
+		parts := strings.SplitN(match, "=", 2)
 		if len(parts) >= 2 {
 			domain := parts[1]
-			if strings.HasSuffix(domain, ".domain") {
+			if strings.HasSuffix(domain, anonTLD) {
 				return match
 			}
-			randomDomain := generateRandomString(10) + ".domain"
-			return strings.Replace(match, domain, randomDomain, 1)
+			return "domain=" + a.AnonymizeDomain(domain)
 		}
 		return match
 	})
--- a/client/anonymize/anonymize_test.go
+++ b/client/anonymize/anonymize_test.go
@@ -46,11 +46,59 @@ func TestAnonymizeIP(t *testing.T) {

 func TestAnonymizeDNSLogLine(t *testing.T) {
 	anonymizer := anonymize.NewAnonymizer(netip.Addr{}, netip.Addr{})
-	testLog := `2024-04-23T20:01:11+02:00 TRAC client/internal/dns/local.go:25: received question: dns.Question{Name:"example.com", Qtype:0x1c, Qclass:0x1}`
+	tests := []struct {
+		name     string
+		input    string
+		original string
+		expect   string
+	}{
+		{
+			name:     "Basic domain with trailing content",
+			input:    "received DNS request for DNS forwarder: domain=example.com: something happened with code=123",
+			original: "example.com",
+			expect:   `received DNS request for DNS forwarder: domain=anon-[a-zA-Z0-9]+\.domain: something happened with code=123`,
+		},
+		{
+			name:     "Domain with trailing dot",
+			input:    "domain=example.com. processing request with status=pending",
+			original: "example.com",
+			expect:   `domain=anon-[a-zA-Z0-9]+\.domain\. processing request with status=pending`,
+		},
+		{
+			name:     "Multiple domains in log",
+			input:    "forward domain=first.com status=ok, redirect to domain=second.com port=443",
+			original: "first.com", // testing just one is sufficient as AnonymizeDomain is tested separately
+			expect:   `forward domain=anon-[a-zA-Z0-9]+\.domain status=ok, redirect to domain=anon-[a-zA-Z0-9]+\.domain port=443`,
+		},
+		{
+			name:     "Already anonymized domain",
+			input:    "got request domain=anon-xyz123.domain from=client1 to=server2",
+			original: "", // nothing should be anonymized
+			expect:   `got request domain=anon-xyz123\.domain from=client1 to=server2`,
+		},
+		{
+			name:     "Subdomain with trailing dot",
+			input:    "domain=sub.example.com. next_hop=10.0.0.1 proto=udp",
+			original: "example.com",
+			expect:   `domain=sub\.anon-[a-zA-Z0-9]+\.domain\. next_hop=10\.0\.0\.1 proto=udp`,
+		},
+		{
+			name:     "Handler chain pattern log",
+			input:    "pattern: domain=example.com. original: domain=*.example.com. wildcard=true priority=100",
+			original: "example.com",
+			expect:   `pattern: domain=anon-[a-zA-Z0-9]+\.domain\. original: domain=\*\.anon-[a-zA-Z0-9]+\.domain\. wildcard=true priority=100`,
+		},
+	}

-	result := anonymizer.AnonymizeDNSLogLine(testLog)
-	require.NotEqual(t, testLog, result)
-	assert.NotContains(t, result, "example.com")
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			result := anonymizer.AnonymizeDNSLogLine(tc.input)
+			if tc.original != "" {
+				assert.NotContains(t, result, tc.original)
+			}
+			assert.Regexp(t, tc.expect, result)
+		})
+	}
 }

 func TestAnonymizeDomain(t *testing.T) {
@@ -67,18 +115,36 @@ func TestAnonymizeDomain(t *testing.T) {
 			`^anon-[a-zA-Z0-9]+\.domain$`,
 			true,
 		},
+		{
+			"Domain with Trailing Dot",
+			"example.com.",
+			`^anon-[a-zA-Z0-9]+\.domain.$`,
+			true,
+		},
 		{
 			"Subdomain",
 			"sub.example.com",
 			`^sub\.anon-[a-zA-Z0-9]+\.domain$`,
 			true,
 		},
+		{
+			"Subdomain with Trailing Dot",
+			"sub.example.com.",
+			`^sub\.anon-[a-zA-Z0-9]+\.domain.$`,
+			true,
+		},
 		{
 			"Protected Domain",
 			"netbird.io",
 			`^netbird\.io$`,
 			false,
 		},
+		{
+			"Protected Domain with Trailing Dot",
+			"netbird.io.",
+			`^netbird\.io.$`,
+			false,
+		},
 	}

 	for _, tc := range tests {
@@ -140,8 +206,16 @@ func TestAnonymizeSchemeURI(t *testing.T) {
 		expect string
 	}{
 		{"STUN URI in text", "Connection made via stun:example.com", `Connection made via stun:anon-[a-zA-Z0-9]+\.domain`},
+		{"STUNS URI in message", "Secure connection to stuns:example.com:443", `Secure connection to stuns:anon-[a-zA-Z0-9]+\.domain:443`},
 		{"TURN URI in log", "Failed attempt turn:some.example.com:3478?transport=tcp: retrying", `Failed attempt turn:some.anon-[a-zA-Z0-9]+\.domain:3478\?transport=tcp: retrying`},
+		{"TURNS URI in message", "Secure connection to turns:example.com:5349", `Secure connection to turns:anon-[a-zA-Z0-9]+\.domain:5349`},
+		{"HTTP URI in text", "Visit http://example.com for more", `Visit http://anon-[a-zA-Z0-9]+\.domain for more`},
+		{"HTTPS URI in CAPS", "Visit HTTPS://example.com for more", `Visit https://anon-[a-zA-Z0-9]+\.domain for more`},
 		{"HTTPS URI in message", "Visit https://example.com for more", `Visit https://anon-[a-zA-Z0-9]+\.domain for more`},
+		{"WS URI in log", "Connection established to ws://example.com:8080", `Connection established to ws://anon-[a-zA-Z0-9]+\.domain:8080`},
+		{"WSS URI in message", "Secure connection to wss://example.com", `Secure connection to wss://anon-[a-zA-Z0-9]+\.domain`},
+		{"Rel URI in text", "Relaying to rel://example.com", `Relaying to rel://anon-[a-zA-Z0-9]+\.domain`},
+		{"Rels URI in message", "Relaying to rels://example.com", `Relaying to rels://anon-[a-zA-Z0-9]+\.domain`},
 	}

 	for _, tc := range tests {
--- a/client/cmd/debug.go
+++ b/client/cmd/debug.go
@@ -3,6 +3,7 @@ package cmd
 import (
 	"context"
 	"fmt"
+	"strings"
 	"time"

 	log "github.com/sirupsen/logrus"
@@ -61,6 +62,15 @@ var forCmd = &cobra.Command{
 	RunE:    runForDuration,
 }

+var persistenceCmd = &cobra.Command{
+	Use:     "persistence [on|off]",
+	Short:   "Set network map memory persistence",
+	Long:    `Configure whether the latest network map should persist in memory. When enabled, the last known network map will be kept in memory.`,
+	Example: "  netbird debug persistence on",
+	Args:    cobra.ExactArgs(1),
+	RunE:    setNetworkMapPersistence,
+}
+
 func debugBundle(cmd *cobra.Command, _ []string) error {
 	conn, err := getClient(cmd)
 	if err != nil {
@@ -171,6 +181,13 @@ func runForDuration(cmd *cobra.Command, args []string) error {

 	time.Sleep(1 * time.Second)

+	// Enable network map persistence before bringing the service up
+	if _, err := client.SetNetworkMapPersistence(cmd.Context(), &proto.SetNetworkMapPersistenceRequest{
+		Enabled: true,
+	}); err != nil {
+		return fmt.Errorf("failed to enable network map persistence: %v", status.Convert(err).Message())
+	}
+
 	if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
 		return fmt.Errorf("failed to up: %v", status.Convert(err).Message())
 	}
@@ -200,6 +217,13 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to bundle debug: %v", status.Convert(err).Message())
 	}

+	// Disable network map persistence after creating the debug bundle
+	if _, err := client.SetNetworkMapPersistence(cmd.Context(), &proto.SetNetworkMapPersistenceRequest{
+		Enabled: false,
+	}); err != nil {
+		return fmt.Errorf("failed to disable network map persistence: %v", status.Convert(err).Message())
+	}
+
 	if stateWasDown {
 		if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
 			return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
@@ -219,6 +243,34 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 	return nil
 }

+func setNetworkMapPersistence(cmd *cobra.Command, args []string) error {
+	conn, err := getClient(cmd)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if err := conn.Close(); err != nil {
+			log.Errorf(errCloseConnection, err)
+		}
+	}()
+
+	persistence := strings.ToLower(args[0])
+	if persistence != "on" && persistence != "off" {
+		return fmt.Errorf("invalid persistence value: %s. Use 'on' or 'off'", args[0])
+	}
+
+	client := proto.NewDaemonServiceClient(conn)
+	_, err = client.SetNetworkMapPersistence(cmd.Context(), &proto.SetNetworkMapPersistenceRequest{
+		Enabled: persistence == "on",
+	})
+	if err != nil {
+		return fmt.Errorf("failed to set network map persistence: %v", status.Convert(err).Message())
+	}
+
+	cmd.Printf("Network map persistence set to: %s\n", persistence)
+	return nil
+}
+
 func getStatusOutput(cmd *cobra.Command) string {
 	var statusOutputString string
 	statusResp, err := getStatus(cmd.Context())
--- a/client/cmd/networks.go
+++ b/client/cmd/networks.go
@@ -0,0 +1,173 @@
+package cmd
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc/status"
+
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+var appendFlag bool
+
+var networksCMD = &cobra.Command{
+	Use:     "networks",
+	Aliases: []string{"routes"},
+	Short:   "Manage networks",
+	Long:    `Commands to list, select, or deselect networks. Replaces the "routes" command.`,
+}
+
+var routesListCmd = &cobra.Command{
+	Use:     "list",
+	Aliases: []string{"ls"},
+	Short:   "List networks",
+	Example: "  netbird networks list",
+	Long:    "List all available network routes.",
+	RunE:    networksList,
+}
+
+var routesSelectCmd = &cobra.Command{
+	Use:     "select network...|all",
+	Short:   "Select network",
+	Long:    "Select a list of networks by identifiers or 'all' to clear all selections and to accept all (including new) networks.\nDefault mode is replace, use -a to append to already selected networks.",
+	Example: "  netbird networks select all\n  netbird networks select route1 route2\n  netbird routes select -a route3",
+	Args:    cobra.MinimumNArgs(1),
+	RunE:    networksSelect,
+}
+
+var routesDeselectCmd = &cobra.Command{
+	Use:     "deselect network...|all",
+	Short:   "Deselect networks",
+	Long:    "Deselect previously selected networks by identifiers or 'all' to disable accepting any networks.",
+	Example: "  netbird networks deselect all\n  netbird networks deselect route1 route2",
+	Args:    cobra.MinimumNArgs(1),
+	RunE:    networksDeselect,
+}
+
+func init() {
+	routesSelectCmd.PersistentFlags().BoolVarP(&appendFlag, "append", "a", false, "Append to current network selection instead of replacing")
+}
+
+func networksList(cmd *cobra.Command, _ []string) error {
+	conn, err := getClient(cmd)
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	client := proto.NewDaemonServiceClient(conn)
+	resp, err := client.ListNetworks(cmd.Context(), &proto.ListNetworksRequest{})
+	if err != nil {
+		return fmt.Errorf("failed to list network: %v", status.Convert(err).Message())
+	}
+
+	if len(resp.Routes) == 0 {
+		cmd.Println("No networks available.")
+		return nil
+	}
+
+	printNetworks(cmd, resp)
+
+	return nil
+}
+
+func printNetworks(cmd *cobra.Command, resp *proto.ListNetworksResponse) {
+	cmd.Println("Available Networks:")
+	for _, route := range resp.Routes {
+		printNetwork(cmd, route)
+	}
+}
+
+func printNetwork(cmd *cobra.Command, route *proto.Network) {
+	selectedStatus := getSelectedStatus(route)
+	domains := route.GetDomains()
+
+	if len(domains) > 0 {
+		printDomainRoute(cmd, route, domains, selectedStatus)
+	} else {
+		printNetworkRoute(cmd, route, selectedStatus)
+	}
+}
+
+func getSelectedStatus(route *proto.Network) string {
+	if route.GetSelected() {
+		return "Selected"
+	}
+	return "Not Selected"
+}
+
+func printDomainRoute(cmd *cobra.Command, route *proto.Network, domains []string, selectedStatus string) {
+	cmd.Printf("\n  - ID: %s\n    Domains: %s\n    Status: %s\n", route.GetID(), strings.Join(domains, ", "), selectedStatus)
+	resolvedIPs := route.GetResolvedIPs()
+
+	if len(resolvedIPs) > 0 {
+		printResolvedIPs(cmd, domains, resolvedIPs)
+	} else {
+		cmd.Printf("    Resolved IPs: -\n")
+	}
+}
+
+func printNetworkRoute(cmd *cobra.Command, route *proto.Network, selectedStatus string) {
+	cmd.Printf("\n  - ID: %s\n    Network: %s\n    Status: %s\n", route.GetID(), route.GetRange(), selectedStatus)
+}
+
+func printResolvedIPs(cmd *cobra.Command, _ []string, resolvedIPs map[string]*proto.IPList) {
+	cmd.Printf("    Resolved IPs:\n")
+	for resolvedDomain, ipList := range resolvedIPs {
+		cmd.Printf("      [%s]: %s\n", resolvedDomain, strings.Join(ipList.GetIps(), ", "))
+	}
+}
+
+func networksSelect(cmd *cobra.Command, args []string) error {
+	conn, err := getClient(cmd)
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	client := proto.NewDaemonServiceClient(conn)
+	req := &proto.SelectNetworksRequest{
+		NetworkIDs: args,
+	}
+
+	if len(args) == 1 && args[0] == "all" {
+		req.All = true
+	} else if appendFlag {
+		req.Append = true
+	}
+
+	if _, err := client.SelectNetworks(cmd.Context(), req); err != nil {
+		return fmt.Errorf("failed to select networks: %v", status.Convert(err).Message())
+	}
+
+	cmd.Println("Networks selected successfully.")
+
+	return nil
+}
+
+func networksDeselect(cmd *cobra.Command, args []string) error {
+	conn, err := getClient(cmd)
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	client := proto.NewDaemonServiceClient(conn)
+	req := &proto.SelectNetworksRequest{
+		NetworkIDs: args,
+	}
+
+	if len(args) == 1 && args[0] == "all" {
+		req.All = true
+	}
+
+	if _, err := client.DeselectNetworks(cmd.Context(), req); err != nil {
+		return fmt.Errorf("failed to deselect networks: %v", status.Convert(err).Message())
+	}
+
+	cmd.Println("Networks deselected successfully.")
+
+	return nil
+}
--- a/client/cmd/pprof.go
+++ b/client/cmd/pprof.go
@@ -0,0 +1,33 @@
+//go:build pprof
+// +build pprof
+
+package cmd
+
+import (
+	"net/http"
+	_ "net/http/pprof"
+	"os"
+
+	log "github.com/sirupsen/logrus"
+)
+
+func init() {
+	addr := pprofAddr()
+	go pprof(addr)
+}
+
+func pprofAddr() string {
+	listenAddr := os.Getenv("NB_PPROF_ADDR")
+	if listenAddr == "" {
+		return "localhost:6969"
+	}
+
+	return listenAddr
+}
+
+func pprof(listenAddr string) {
+	log.Infof("listening pprof on: %s\n", listenAddr)
+	if err := http.ListenAndServe(listenAddr, nil); err != nil {
+		log.Fatalf("Failed to start pprof: %v", err)
+	}
+}
--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -142,19 +142,20 @@ func init() {
 	rootCmd.AddCommand(loginCmd)
 	rootCmd.AddCommand(versionCmd)
 	rootCmd.AddCommand(sshCmd)
-	rootCmd.AddCommand(routesCmd)
+	rootCmd.AddCommand(networksCMD)
 	rootCmd.AddCommand(debugCmd)

 	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd) // service control commands are subcommands of service
 	serviceCmd.AddCommand(installCmd, uninstallCmd)              // service installer commands are subcommands of service

-	routesCmd.AddCommand(routesListCmd)
-	routesCmd.AddCommand(routesSelectCmd, routesDeselectCmd)
+	networksCMD.AddCommand(routesListCmd)
+	networksCMD.AddCommand(routesSelectCmd, routesDeselectCmd)

 	debugCmd.AddCommand(debugBundleCmd)
 	debugCmd.AddCommand(logCmd)
 	logCmd.AddCommand(logLevelCmd)
 	debugCmd.AddCommand(forCmd)
+	debugCmd.AddCommand(persistenceCmd)

 	upCmd.PersistentFlags().StringSliceVar(&natExternalIPs, externalIPMapFlag, nil,
 		`Sets external IPs maps between local addresses and interfaces.`+
--- a/client/cmd/route.go
+++ b/client/cmd/route.go
@@ -1,174 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/spf13/cobra"
-	"google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/client/proto"
-)
-
-var appendFlag bool
-
-var routesCmd = &cobra.Command{
-	Use:   "routes",
-	Short: "Manage network routes",
-	Long:  `Commands to list, select, or deselect network routes.`,
-}
-
-var routesListCmd = &cobra.Command{
-	Use:     "list",
-	Aliases: []string{"ls"},
-	Short:   "List routes",
-	Example: "  netbird routes list",
-	Long:    "List all available network routes.",
-	RunE:    routesList,
-}
-
-var routesSelectCmd = &cobra.Command{
-	Use:     "select route...|all",
-	Short:   "Select routes",
-	Long:    "Select a list of routes by identifiers or 'all' to clear all selections and to accept all (including new) routes.\nDefault mode is replace, use -a to append to already selected routes.",
-	Example: "  netbird routes select all\n  netbird routes select route1 route2\n  netbird routes select -a route3",
-	Args:    cobra.MinimumNArgs(1),
-	RunE:    routesSelect,
-}
-
-var routesDeselectCmd = &cobra.Command{
-	Use:     "deselect route...|all",
-	Short:   "Deselect routes",
-	Long:    "Deselect previously selected routes by identifiers or 'all' to disable accepting any routes.",
-	Example: "  netbird routes deselect all\n  netbird routes deselect route1 route2",
-	Args:    cobra.MinimumNArgs(1),
-	RunE:    routesDeselect,
-}
-
-func init() {
-	routesSelectCmd.PersistentFlags().BoolVarP(&appendFlag, "append", "a", false, "Append to current route selection instead of replacing")
-}
-
-func routesList(cmd *cobra.Command, _ []string) error {
-	conn, err := getClient(cmd)
-	if err != nil {
-		return err
-	}
-	defer conn.Close()
-
-	client := proto.NewDaemonServiceClient(conn)
-	resp, err := client.ListRoutes(cmd.Context(), &proto.ListRoutesRequest{})
-	if err != nil {
-		return fmt.Errorf("failed to list routes: %v", status.Convert(err).Message())
-	}
-
-	if len(resp.Routes) == 0 {
-		cmd.Println("No routes available.")
-		return nil
-	}
-
-	printRoutes(cmd, resp)
-
-	return nil
-}
-
-func printRoutes(cmd *cobra.Command, resp *proto.ListRoutesResponse) {
-	cmd.Println("Available Routes:")
-	for _, route := range resp.Routes {
-		printRoute(cmd, route)
-	}
-}
-
-func printRoute(cmd *cobra.Command, route *proto.Route) {
-	selectedStatus := getSelectedStatus(route)
-	domains := route.GetDomains()
-
-	if len(domains) > 0 {
-		printDomainRoute(cmd, route, domains, selectedStatus)
-	} else {
-		printNetworkRoute(cmd, route, selectedStatus)
-	}
-}
-
-func getSelectedStatus(route *proto.Route) string {
-	if route.GetSelected() {
-		return "Selected"
-	}
-	return "Not Selected"
-}
-
-func printDomainRoute(cmd *cobra.Command, route *proto.Route, domains []string, selectedStatus string) {
-	cmd.Printf("\n  - ID: %s\n    Domains: %s\n    Status: %s\n", route.GetID(), strings.Join(domains, ", "), selectedStatus)
-	resolvedIPs := route.GetResolvedIPs()
-
-	if len(resolvedIPs) > 0 {
-		printResolvedIPs(cmd, domains, resolvedIPs)
-	} else {
-		cmd.Printf("    Resolved IPs: -\n")
-	}
-}
-
-func printNetworkRoute(cmd *cobra.Command, route *proto.Route, selectedStatus string) {
-	cmd.Printf("\n  - ID: %s\n    Network: %s\n    Status: %s\n", route.GetID(), route.GetNetwork(), selectedStatus)
-}
-
-func printResolvedIPs(cmd *cobra.Command, domains []string, resolvedIPs map[string]*proto.IPList) {
-	cmd.Printf("    Resolved IPs:\n")
-	for _, domain := range domains {
-		if ipList, exists := resolvedIPs[domain]; exists {
-			cmd.Printf("      [%s]: %s\n", domain, strings.Join(ipList.GetIps(), ", "))
-		}
-	}
-}
-
-func routesSelect(cmd *cobra.Command, args []string) error {
-	conn, err := getClient(cmd)
-	if err != nil {
-		return err
-	}
-	defer conn.Close()
-
-	client := proto.NewDaemonServiceClient(conn)
-	req := &proto.SelectRoutesRequest{
-		RouteIDs: args,
-	}
-
-	if len(args) == 1 && args[0] == "all" {
-		req.All = true
-	} else if appendFlag {
-		req.Append = true
-	}
-
-	if _, err := client.SelectRoutes(cmd.Context(), req); err != nil {
-		return fmt.Errorf("failed to select routes: %v", status.Convert(err).Message())
-	}
-
-	cmd.Println("Routes selected successfully.")
-
-	return nil
-}
-
-func routesDeselect(cmd *cobra.Command, args []string) error {
-	conn, err := getClient(cmd)
-	if err != nil {
-		return err
-	}
-	defer conn.Close()
-
-	client := proto.NewDaemonServiceClient(conn)
-	req := &proto.SelectRoutesRequest{
-		RouteIDs: args,
-	}
-
-	if len(args) == 1 && args[0] == "all" {
-		req.All = true
-	}
-
-	if _, err := client.DeselectRoutes(cmd.Context(), req); err != nil {
-		return fmt.Errorf("failed to deselect routes: %v", status.Convert(err).Message())
-	}
-
-	cmd.Println("Routes deselected successfully.")
-
-	return nil
-}
--- a/client/cmd/state.go
+++ b/client/cmd/state.go
@@ -0,0 +1,181 @@
+package cmd
+
+import (
+	"fmt"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc/status"
+
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+var (
+	allFlag bool
+)
+
+var stateCmd = &cobra.Command{
+	Use:   "state",
+	Short: "Manage daemon state",
+	Long:  "Provides commands for managing and inspecting the Netbird daemon state.",
+}
+
+var stateListCmd = &cobra.Command{
+	Use:     "list",
+	Aliases: []string{"ls"},
+	Short:   "List all stored states",
+	Long:    "Lists all registered states with their status and basic information.",
+	Example: "  netbird state list",
+	RunE:    stateList,
+}
+
+var stateCleanCmd = &cobra.Command{
+	Use:   "clean [state-name]",
+	Short: "Clean stored states",
+	Long: `Clean specific state or all states. The daemon must not be running.
+This will perform cleanup operations and remove the state.`,
+	Example: `  netbird state clean dns_state
+  netbird state clean --all`,
+	RunE: stateClean,
+	PreRunE: func(cmd *cobra.Command, args []string) error {
+		// Check mutual exclusivity between --all flag and state-name argument
+		if allFlag && len(args) > 0 {
+			return fmt.Errorf("cannot specify both --all flag and state name")
+		}
+		if !allFlag && len(args) != 1 {
+			return fmt.Errorf("requires a state name argument or --all flag")
+		}
+		return nil
+	},
+}
+
+var stateDeleteCmd = &cobra.Command{
+	Use:   "delete [state-name]",
+	Short: "Delete stored states",
+	Long: `Delete specific state or all states from storage. The daemon must not be running.
+This will remove the state without performing any cleanup operations.`,
+	Example: `  netbird state delete dns_state
+  netbird state delete --all`,
+	RunE: stateDelete,
+	PreRunE: func(cmd *cobra.Command, args []string) error {
+		// Check mutual exclusivity between --all flag and state-name argument
+		if allFlag && len(args) > 0 {
+			return fmt.Errorf("cannot specify both --all flag and state name")
+		}
+		if !allFlag && len(args) != 1 {
+			return fmt.Errorf("requires a state name argument or --all flag")
+		}
+		return nil
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(stateCmd)
+	stateCmd.AddCommand(stateListCmd, stateCleanCmd, stateDeleteCmd)
+
+	stateCleanCmd.Flags().BoolVarP(&allFlag, "all", "a", false, "Clean all states")
+	stateDeleteCmd.Flags().BoolVarP(&allFlag, "all", "a", false, "Delete all states")
+}
+
+func stateList(cmd *cobra.Command, _ []string) error {
+	conn, err := getClient(cmd)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if err := conn.Close(); err != nil {
+			log.Errorf(errCloseConnection, err)
+		}
+	}()
+
+	client := proto.NewDaemonServiceClient(conn)
+	resp, err := client.ListStates(cmd.Context(), &proto.ListStatesRequest{})
+	if err != nil {
+		return fmt.Errorf("failed to list states: %v", status.Convert(err).Message())
+	}
+
+	cmd.Printf("\nStored states:\n\n")
+	for _, state := range resp.States {
+		cmd.Printf("- %s\n", state.Name)
+	}
+
+	return nil
+}
+
+func stateClean(cmd *cobra.Command, args []string) error {
+	var stateName string
+	if !allFlag {
+		stateName = args[0]
+	}
+
+	conn, err := getClient(cmd)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if err := conn.Close(); err != nil {
+			log.Errorf(errCloseConnection, err)
+		}
+	}()
+
+	client := proto.NewDaemonServiceClient(conn)
+	resp, err := client.CleanState(cmd.Context(), &proto.CleanStateRequest{
+		StateName: stateName,
+		All:       allFlag,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to clean state: %v", status.Convert(err).Message())
+	}
+
+	if resp.CleanedStates == 0 {
+		cmd.Println("No states were cleaned")
+		return nil
+	}
+
+	if allFlag {
+		cmd.Printf("Successfully cleaned %d states\n", resp.CleanedStates)
+	} else {
+		cmd.Printf("Successfully cleaned state %q\n", stateName)
+	}
+
+	return nil
+}
+
+func stateDelete(cmd *cobra.Command, args []string) error {
+	var stateName string
+	if !allFlag {
+		stateName = args[0]
+	}
+
+	conn, err := getClient(cmd)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if err := conn.Close(); err != nil {
+			log.Errorf(errCloseConnection, err)
+		}
+	}()
+
+	client := proto.NewDaemonServiceClient(conn)
+	resp, err := client.DeleteState(cmd.Context(), &proto.DeleteStateRequest{
+		StateName: stateName,
+		All:       allFlag,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to delete state: %v", status.Convert(err).Message())
+	}
+
+	if resp.DeletedStates == 0 {
+		cmd.Println("No states were deleted")
+		return nil
+	}
+
+	if allFlag {
+		cmd.Printf("Successfully deleted %d states\n", resp.DeletedStates)
+	} else {
+		cmd.Printf("Successfully deleted state %q\n", stateName)
+	}
+
+	return nil
+}
--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -40,6 +40,7 @@ type peerStateDetailOutput struct {
 	Latency                time.Duration    `json:"latency" yaml:"latency"`
 	RosenpassEnabled       bool             `json:"quantumResistance" yaml:"quantumResistance"`
 	Routes                 []string         `json:"routes" yaml:"routes"`
+	Networks               []string         `json:"networks" yaml:"networks"`
 }

 type peersStateOutput struct {
@@ -98,6 +99,7 @@ type statusOutputOverview struct {
 	RosenpassEnabled    bool                       `json:"quantumResistance" yaml:"quantumResistance"`
 	RosenpassPermissive bool                       `json:"quantumResistancePermissive" yaml:"quantumResistancePermissive"`
 	Routes              []string                   `json:"routes" yaml:"routes"`
+	Networks            []string                   `json:"networks" yaml:"networks"`
 	NSServerGroups      []nsServerGroupStateOutput `json:"dnsServers" yaml:"dnsServers"`
 }

@@ -282,7 +284,8 @@ func convertToStatusOutputOverview(resp *proto.StatusResponse) statusOutputOverv
 		FQDN:                pbFullStatus.GetLocalPeerState().GetFqdn(),
 		RosenpassEnabled:    pbFullStatus.GetLocalPeerState().GetRosenpassEnabled(),
 		RosenpassPermissive: pbFullStatus.GetLocalPeerState().GetRosenpassPermissive(),
-		Routes:              pbFullStatus.GetLocalPeerState().GetRoutes(),
+		Routes:              pbFullStatus.GetLocalPeerState().GetNetworks(),
+		Networks:            pbFullStatus.GetLocalPeerState().GetNetworks(),
 		NSServerGroups:      mapNSGroups(pbFullStatus.GetDnsServers()),
 	}

@@ -390,7 +393,8 @@ func mapPeers(peers []*proto.PeerState) peersStateOutput {
 			TransferSent:           transferSent,
 			Latency:                pbPeerState.GetLatency().AsDuration(),
 			RosenpassEnabled:       pbPeerState.GetRosenpassEnabled(),
-			Routes:                 pbPeerState.GetRoutes(),
+			Routes:                 pbPeerState.GetNetworks(),
+			Networks:               pbPeerState.GetNetworks(),
 		}

 		peersStateDetail = append(peersStateDetail, peerState)
@@ -491,10 +495,10 @@ func parseGeneralSummary(overview statusOutputOverview, showURL bool, showRelays
 		relaysString = fmt.Sprintf("%d/%d Available", overview.Relays.Available, overview.Relays.Total)
 	}

-	routes := "-"
-	if len(overview.Routes) > 0 {
-		sort.Strings(overview.Routes)
-		routes = strings.Join(overview.Routes, ", ")
+	networks := "-"
+	if len(overview.Networks) > 0 {
+		sort.Strings(overview.Networks)
+		networks = strings.Join(overview.Networks, ", ")
 	}

 	var dnsServersString string
@@ -556,6 +560,7 @@ func parseGeneralSummary(overview statusOutputOverview, showURL bool, showRelays
 			"Interface type: %s\n"+
 			"Quantum resistance: %s\n"+
 			"Routes: %s\n"+
+			"Networks: %s\n"+
 			"Peers count: %s\n",
 		fmt.Sprintf("%s/%s%s", goos, goarch, goarm),
 		overview.DaemonVersion,
@@ -568,7 +573,8 @@ func parseGeneralSummary(overview statusOutputOverview, showURL bool, showRelays
 		interfaceIP,
 		interfaceTypeString,
 		rosenpassEnabledStatus,
-		routes,
+		networks,
+		networks,
 		peersCountString,
 	)
 	return summary
@@ -631,10 +637,10 @@ func parsePeers(peers peersStateOutput, rosenpassEnabled, rosenpassPermissive bo
 			}
 		}

-		routes := "-"
-		if len(peerState.Routes) > 0 {
-			sort.Strings(peerState.Routes)
-			routes = strings.Join(peerState.Routes, ", ")
+		networks := "-"
+		if len(peerState.Networks) > 0 {
+			sort.Strings(peerState.Networks)
+			networks = strings.Join(peerState.Networks, ", ")
 		}

 		peerString := fmt.Sprintf(
@@ -652,6 +658,7 @@ func parsePeers(peers peersStateOutput, rosenpassEnabled, rosenpassPermissive bo
 				"  Transfer status (received/sent) %s/%s\n"+
 				"  Quantum resistance: %s\n"+
 				"  Routes: %s\n"+
+				"  Networks: %s\n"+
 				"  Latency: %s\n",
 			peerState.FQDN,
 			peerState.IP,
@@ -668,7 +675,8 @@ func parsePeers(peers peersStateOutput, rosenpassEnabled, rosenpassPermissive bo
 			toIEC(peerState.TransferReceived),
 			toIEC(peerState.TransferSent),
 			rosenpassEnabledStatus,
-			routes,
+			networks,
+			networks,
 			peerState.Latency.String(),
 		)

@@ -810,6 +818,14 @@ func anonymizePeerDetail(a *anonymize.Anonymizer, peer *peerStateDetailOutput) {

 	peer.RelayAddress = a.AnonymizeURI(peer.RelayAddress)

+	for i, route := range peer.Networks {
+		peer.Networks[i] = a.AnonymizeIPString(route)
+	}
+
+	for i, route := range peer.Networks {
+		peer.Networks[i] = a.AnonymizeRoute(route)
+	}
+
 	for i, route := range peer.Routes {
 		peer.Routes[i] = a.AnonymizeIPString(route)
 	}
@@ -850,6 +866,10 @@ func anonymizeOverview(a *anonymize.Anonymizer, overview *statusOutputOverview)
 		}
 	}

+	for i, route := range overview.Networks {
+		overview.Networks[i] = a.AnonymizeRoute(route)
+	}
+
 	for i, route := range overview.Routes {
 		overview.Routes[i] = a.AnonymizeRoute(route)
 	}
--- a/client/cmd/status_test.go
+++ b/client/cmd/status_test.go
@@ -44,7 +44,7 @@ var resp = &proto.StatusResponse{
 				LastWireguardHandshake:     timestamppb.New(time.Date(2001, time.Month(1), 1, 1, 1, 2, 0, time.UTC)),
 				BytesRx:                    200,
 				BytesTx:                    100,
-				Routes: []string{
+				Networks: []string{
 					"10.1.0.0/24",
 				},
 				Latency: durationpb.New(time.Duration(10000000)),
@@ -93,7 +93,7 @@ var resp = &proto.StatusResponse{
 			PubKey:          "Some-Pub-Key",
 			KernelInterface: true,
 			Fqdn:            "some-localhost.awesome-domain.com",
-			Routes: []string{
+			Networks: []string{
 				"10.10.0.0/24",
 			},
 		},
@@ -149,6 +149,9 @@ var overview = statusOutputOverview{
 				Routes: []string{
 					"10.1.0.0/24",
 				},
+				Networks: []string{
+					"10.1.0.0/24",
+				},
 				Latency: time.Duration(10000000),
 			},
 			{
@@ -230,6 +233,9 @@ var overview = statusOutputOverview{
 	Routes: []string{
 		"10.10.0.0/24",
 	},
+	Networks: []string{
+		"10.10.0.0/24",
+	},
 }

 func TestConversionFromFullStatusToOutputOverview(t *testing.T) {
@@ -295,6 +301,9 @@ func TestParsingToJSON(t *testing.T) {
                "quantumResistance": false,
                "routes": [
                  "10.1.0.0/24"
+                ],
+                "networks": [
+                  "10.1.0.0/24"
                ]
              },
              {
@@ -318,7 +327,8 @@ func TestParsingToJSON(t *testing.T) {
                "transferSent": 1000,
 				"latency": 10000000,
                "quantumResistance": false,
-                "routes": null
+                "routes": null,
+                "networks": null
              }
            ]
          },
@@ -359,6 +369,9 @@ func TestParsingToJSON(t *testing.T) {
          "routes": [
            "10.10.0.0/24"
          ],
+          "networks": [
+            "10.10.0.0/24"
+          ],
          "dnsServers": [
            {
              "servers": [
@@ -418,6 +431,8 @@ func TestParsingToYAML(t *testing.T) {
          quantumResistance: false
          routes:
            - 10.1.0.0/24
+          networks:
+            - 10.1.0.0/24
        - fqdn: peer-2.awesome-domain.com
          netbirdIp: 192.168.178.102
          publicKey: Pubkey2
@@ -437,6 +452,7 @@ func TestParsingToYAML(t *testing.T) {
          latency: 10ms
          quantumResistance: false
          routes: []
+          networks: []
 cliVersion: development
 daemonVersion: 0.14.1
 management:
@@ -465,6 +481,8 @@ quantumResistance: false
 quantumResistancePermissive: false
 routes:
    - 10.10.0.0/24
+networks:
+    - 10.10.0.0/24
 dnsServers:
    - servers:
        - 8.8.8.8:53
@@ -509,6 +527,7 @@ func TestParsingToDetail(t *testing.T) {
  Transfer status (received/sent) 200 B/100 B
  Quantum resistance: false
  Routes: 10.1.0.0/24
+  Networks: 10.1.0.0/24
  Latency: 10ms

 peer-2.awesome-domain.com:
@@ -525,6 +544,7 @@ func TestParsingToDetail(t *testing.T) {
  Transfer status (received/sent) 2.0 KiB/1000 B
  Quantum resistance: false
  Routes: -
+  Networks: -
  Latency: 10ms

 OS: %s/%s
@@ -543,6 +563,7 @@ NetBird IP: 192.168.178.100/16
 Interface type: Kernel
 Quantum resistance: false
 Routes: 10.10.0.0/24
+Networks: 10.10.0.0/24
 Peers count: 2/2 Connected
 `, lastConnectionUpdate1, lastHandshake1, lastConnectionUpdate2, lastHandshake2, runtime.GOOS, runtime.GOARCH, overview.CliVersion)

@@ -564,6 +585,7 @@ NetBird IP: 192.168.178.100/16
 Interface type: Kernel
 Quantum resistance: false
 Routes: 10.10.0.0/24
+Networks: 10.10.0.0/24
 Peers count: 2/2 Connected
 `

--- a/client/cmd/testutil_test.go
+++ b/client/cmd/testutil_test.go
@@ -10,6 +10,8 @@ import (
 	"go.opentelemetry.io/otel"

 	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/settings"
+	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/telemetry"

 	"github.com/netbirdio/netbird/util"
@@ -71,7 +73,7 @@ func startManagement(t *testing.T, config *mgmt.Config, testFile string) (*grpc.
 		t.Fatal(err)
 	}
 	s := grpc.NewServer()
-	store, cleanUp, err := mgmt.NewTestStoreFromSQL(context.Background(), testFile, t.TempDir())
+	store, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), testFile, t.TempDir())
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -93,7 +95,7 @@ func startManagement(t *testing.T, config *mgmt.Config, testFile string) (*grpc.
 	}

 	secretsManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay)
-	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, peersUpdateManager, secretsManager, nil, nil)
+	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, settings.NewManager(store), peersUpdateManager, secretsManager, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/client/firewall/iptables/acl_linux.go
+++ b/client/firewall/iptables/acl_linux.go
@@ -332,18 +332,12 @@ func (m *aclManager) createDefaultChains() error {

 // The OUTPUT chain gets an extra rule to allow traffic to any set up routes, the return traffic is handled by the INPUT related/established rule.
 func (m *aclManager) seedInitialEntries() {
-
 	established := getConntrackEstablished()

 	m.appendToEntries("INPUT", []string{"-i", m.wgIface.Name(), "-j", "DROP"})
 	m.appendToEntries("INPUT", []string{"-i", m.wgIface.Name(), "-j", chainNameInputRules})
 	m.appendToEntries("INPUT", append([]string{"-i", m.wgIface.Name()}, established...))

-	m.appendToEntries("OUTPUT", []string{"-o", m.wgIface.Name(), "-j", "DROP"})
-	m.appendToEntries("OUTPUT", []string{"-o", m.wgIface.Name(), "-j", chainNameOutputRules})
-	m.appendToEntries("OUTPUT", []string{"-o", m.wgIface.Name(), "!", "-d", m.wgIface.Address().String(), "-j", "ACCEPT"})
-	m.appendToEntries("OUTPUT", append([]string{"-o", m.wgIface.Name()}, established...))
-
 	m.appendToEntries("FORWARD", []string{"-i", m.wgIface.Name(), "-j", "DROP"})
 	m.appendToEntries("FORWARD", []string{"-i", m.wgIface.Name(), "-j", m.routingFwChainName})
 	m.appendToEntries("FORWARD", append([]string{"-o", m.wgIface.Name()}, established...))
--- a/client/firewall/iptables/manager_linux.go
+++ b/client/firewall/iptables/manager_linux.go
@@ -207,19 +207,9 @@ func (m *Manager) AllowNetbird() error {
 		"",
 	)
 	if err != nil {
-		return fmt.Errorf("failed to allow netbird interface traffic: %w", err)
+		return fmt.Errorf("allow netbird interface traffic: %w", err)
 	}
-	_, err = m.AddPeerFiltering(
-		net.ParseIP("0.0.0.0"),
-		"all",
-		nil,
-		nil,
-		firewall.RuleDirectionOUT,
-		firewall.ActionAccept,
-		"",
-		"",
-	)
-	return err
+	return nil
 }

 // Flush doesn't need to be implemented for this manager
--- a/client/firewall/iptables/rulestore_linux.go
+++ b/client/firewall/iptables/rulestore_linux.go
@@ -37,6 +37,11 @@ func (s *ipList) UnmarshalJSON(data []byte) error {
 		return err
 	}
 	s.ips = temp.IPs
+
+	if temp.IPs == nil {
+		temp.IPs = make(map[string]struct{})
+	}
+
 	return nil
 }

@@ -89,5 +94,10 @@ func (s *ipsetStore) UnmarshalJSON(data []byte) error {
 		return err
 	}
 	s.ipsets = temp.IPSets
+
+	if temp.IPSets == nil {
+		temp.IPSets = make(map[string]*ipList)
+	}
+
 	return nil
 }
--- a/client/firewall/nftables/acl_linux.go
+++ b/client/firewall/nftables/acl_linux.go
@@ -5,7 +5,6 @@ import (
 	"encoding/binary"
 	"fmt"
 	"net"
-	"net/netip"
 	"strconv"
 	"strings"
 	"time"
@@ -28,7 +27,6 @@ const (

 	// filter chains contains the rules that jump to the rules chains
 	chainNameInputFilter   = "netbird-acl-input-filter"
-	chainNameOutputFilter  = "netbird-acl-output-filter"
 	chainNameForwardFilter = "netbird-acl-forward-filter"
 	chainNamePrerouting    = "netbird-rt-prerouting"

@@ -441,18 +439,6 @@ func (m *AclManager) createDefaultChains() (err error) {
 		return err
 	}

-	// netbird-acl-output-filter
-	// type filter hook output priority filter; policy accept;
-	chain = m.createFilterChainWithHook(chainNameOutputFilter, nftables.ChainHookOutput)
-	m.addFwdAllow(chain, expr.MetaKeyOIFNAME)
-	m.addJumpRule(chain, m.chainOutputRules.Name, expr.MetaKeyOIFNAME) // to netbird-acl-output-rules
-	m.addDropExpressions(chain, expr.MetaKeyOIFNAME)
-	err = m.rConn.Flush()
-	if err != nil {
-		log.Debugf("failed to create chain (%s): %s", chainNameOutputFilter, err)
-		return err
-	}
-
 	// netbird-acl-forward-filter
 	chainFwFilter := m.createFilterChainWithHook(chainNameForwardFilter, nftables.ChainHookForward)
 	m.addJumpRulesToRtForward(chainFwFilter) // to netbird-rt-fwd
@@ -619,45 +605,6 @@ func (m *AclManager) addDropExpressions(chain *nftables.Chain, ifaceKey expr.Met
 	return nil
 }

-func (m *AclManager) addFwdAllow(chain *nftables.Chain, iifname expr.MetaKey) {
-	ip, _ := netip.AddrFromSlice(m.wgIface.Address().Network.IP.To4())
-	dstOp := expr.CmpOpNeq
-	expressions := []expr.Any{
-		&expr.Meta{Key: iifname, Register: 1},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     ifname(m.wgIface.Name()),
-		},
-		&expr.Payload{
-			DestRegister: 2,
-			Base:         expr.PayloadBaseNetworkHeader,
-			Offset:       16,
-			Len:          4,
-		},
-		&expr.Bitwise{
-			SourceRegister: 2,
-			DestRegister:   2,
-			Len:            4,
-			Xor:            []byte{0x0, 0x0, 0x0, 0x0},
-			Mask:           m.wgIface.Address().Network.Mask,
-		},
-		&expr.Cmp{
-			Op:       dstOp,
-			Register: 2,
-			Data:     ip.Unmap().AsSlice(),
-		},
-		&expr.Verdict{
-			Kind: expr.VerdictAccept,
-		},
-	}
-	_ = m.rConn.AddRule(&nftables.Rule{
-		Table: chain.Table,
-		Chain: chain,
-		Exprs: expressions,
-	})
-}
-
 func (m *AclManager) addJumpRule(chain *nftables.Chain, to string, ifaceKey expr.MetaKey) {
 	expressions := []expr.Any{
 		&expr.Meta{Key: ifaceKey, Register: 1},
--- a/client/firewall/nftables/state.go
+++ b/client/firewall/nftables/state.go
@@ -1 +0,0 @@
-package nftables
--- a/client/firewall/uspfilter/allow_netbird.go
+++ b/client/firewall/uspfilter/allow_netbird.go
@@ -2,7 +2,10 @@

 package uspfilter

-import "github.com/netbirdio/netbird/client/internal/statemanager"
+import (
+	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
+	"github.com/netbirdio/netbird/client/internal/statemanager"
+)

 // Reset firewall to the default state
 func (m *Manager) Reset(stateManager *statemanager.Manager) error {
@@ -12,6 +15,21 @@ func (m *Manager) Reset(stateManager *statemanager.Manager) error {
 	m.outgoingRules = make(map[string]RuleSet)
 	m.incomingRules = make(map[string]RuleSet)

+	if m.udpTracker != nil {
+		m.udpTracker.Close()
+		m.udpTracker = conntrack.NewUDPTracker(conntrack.DefaultUDPTimeout)
+	}
+
+	if m.icmpTracker != nil {
+		m.icmpTracker.Close()
+		m.icmpTracker = conntrack.NewICMPTracker(conntrack.DefaultICMPTimeout)
+	}
+
+	if m.tcpTracker != nil {
+		m.tcpTracker.Close()
+		m.tcpTracker = conntrack.NewTCPTracker(conntrack.DefaultTCPTimeout)
+	}
+
 	if m.nativeFirewall != nil {
 		return m.nativeFirewall.Reset(stateManager)
 	}
--- a/client/firewall/uspfilter/allow_netbird_windows.go
+++ b/client/firewall/uspfilter/allow_netbird_windows.go
@@ -7,6 +7,7 @@ import (

 	log "github.com/sirupsen/logrus"

+	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )

@@ -26,6 +27,21 @@ func (m *Manager) Reset(*statemanager.Manager) error {
 	m.outgoingRules = make(map[string]RuleSet)
 	m.incomingRules = make(map[string]RuleSet)

+	if m.udpTracker != nil {
+		m.udpTracker.Close()
+		m.udpTracker = conntrack.NewUDPTracker(conntrack.DefaultUDPTimeout)
+	}
+
+	if m.icmpTracker != nil {
+		m.icmpTracker.Close()
+		m.icmpTracker = conntrack.NewICMPTracker(conntrack.DefaultICMPTimeout)
+	}
+
+	if m.tcpTracker != nil {
+		m.tcpTracker.Close()
+		m.tcpTracker = conntrack.NewTCPTracker(conntrack.DefaultTCPTimeout)
+	}
+
 	if !isWindowsFirewallReachable() {
 		return nil
 	}
--- a/client/firewall/uspfilter/conntrack/common.go
+++ b/client/firewall/uspfilter/conntrack/common.go
@@ -0,0 +1,137 @@
+// common.go
+package conntrack
+
+import (
+	"net"
+	"sync"
+	"sync/atomic"
+	"time"
+)
+
+// BaseConnTrack provides common fields and locking for all connection types
+type BaseConnTrack struct {
+	SourceIP    net.IP
+	DestIP      net.IP
+	SourcePort  uint16
+	DestPort    uint16
+	lastSeen    atomic.Int64 // Unix nano for atomic access
+	established atomic.Bool
+}
+
+// these small methods will be inlined by the compiler
+
+// UpdateLastSeen safely updates the last seen timestamp
+func (b *BaseConnTrack) UpdateLastSeen() {
+	b.lastSeen.Store(time.Now().UnixNano())
+}
+
+// IsEstablished safely checks if connection is established
+func (b *BaseConnTrack) IsEstablished() bool {
+	return b.established.Load()
+}
+
+// SetEstablished safely sets the established state
+func (b *BaseConnTrack) SetEstablished(state bool) {
+	b.established.Store(state)
+}
+
+// GetLastSeen safely gets the last seen timestamp
+func (b *BaseConnTrack) GetLastSeen() time.Time {
+	return time.Unix(0, b.lastSeen.Load())
+}
+
+// timeoutExceeded checks if the connection has exceeded the given timeout
+func (b *BaseConnTrack) timeoutExceeded(timeout time.Duration) bool {
+	lastSeen := time.Unix(0, b.lastSeen.Load())
+	return time.Since(lastSeen) > timeout
+}
+
+// IPAddr is a fixed-size IP address to avoid allocations
+type IPAddr [16]byte
+
+// MakeIPAddr creates an IPAddr from net.IP
+func MakeIPAddr(ip net.IP) (addr IPAddr) {
+	// Optimization: check for v4 first as it's more common
+	if ip4 := ip.To4(); ip4 != nil {
+		copy(addr[12:], ip4)
+	} else {
+		copy(addr[:], ip.To16())
+	}
+	return addr
+}
+
+// ConnKey uniquely identifies a connection
+type ConnKey struct {
+	SrcIP   IPAddr
+	DstIP   IPAddr
+	SrcPort uint16
+	DstPort uint16
+}
+
+// makeConnKey creates a connection key
+func makeConnKey(srcIP net.IP, dstIP net.IP, srcPort uint16, dstPort uint16) ConnKey {
+	return ConnKey{
+		SrcIP:   MakeIPAddr(srcIP),
+		DstIP:   MakeIPAddr(dstIP),
+		SrcPort: srcPort,
+		DstPort: dstPort,
+	}
+}
+
+// ValidateIPs checks if IPs match without allocation
+func ValidateIPs(connIP IPAddr, pktIP net.IP) bool {
+	if ip4 := pktIP.To4(); ip4 != nil {
+		// Compare IPv4 addresses (last 4 bytes)
+		for i := 0; i < 4; i++ {
+			if connIP[12+i] != ip4[i] {
+				return false
+			}
+		}
+		return true
+	}
+	// Compare full IPv6 addresses
+	ip6 := pktIP.To16()
+	for i := 0; i < 16; i++ {
+		if connIP[i] != ip6[i] {
+			return false
+		}
+	}
+	return true
+}
+
+// PreallocatedIPs is a pool of IP byte slices to reduce allocations
+type PreallocatedIPs struct {
+	sync.Pool
+}
+
+// NewPreallocatedIPs creates a new IP pool
+func NewPreallocatedIPs() *PreallocatedIPs {
+	return &PreallocatedIPs{
+		Pool: sync.Pool{
+			New: func() interface{} {
+				ip := make(net.IP, 16)
+				return &ip
+			},
+		},
+	}
+}
+
+// Get retrieves an IP from the pool
+func (p *PreallocatedIPs) Get() net.IP {
+	return *p.Pool.Get().(*net.IP)
+}
+
+// Put returns an IP to the pool
+func (p *PreallocatedIPs) Put(ip net.IP) {
+	p.Pool.Put(&ip)
+}
+
+// copyIP copies an IP address efficiently
+func copyIP(dst, src net.IP) {
+	if len(src) == 16 {
+		copy(dst, src)
+	} else {
+		// Handle IPv4
+		copy(dst[12:], src.To4())
+	}
+}
--- a/client/firewall/uspfilter/conntrack/common_test.go
+++ b/client/firewall/uspfilter/conntrack/common_test.go
@@ -0,0 +1,115 @@
+package conntrack
+
+import (
+	"net"
+	"testing"
+)
+
+func BenchmarkIPOperations(b *testing.B) {
+	b.Run("MakeIPAddr", func(b *testing.B) {
+		ip := net.ParseIP("192.168.1.1")
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			_ = MakeIPAddr(ip)
+		}
+	})
+
+	b.Run("ValidateIPs", func(b *testing.B) {
+		ip1 := net.ParseIP("192.168.1.1")
+		ip2 := net.ParseIP("192.168.1.1")
+		addr := MakeIPAddr(ip1)
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			_ = ValidateIPs(addr, ip2)
+		}
+	})
+
+	b.Run("IPPool", func(b *testing.B) {
+		pool := NewPreallocatedIPs()
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			ip := pool.Get()
+			pool.Put(ip)
+		}
+	})
+
+}
+func BenchmarkAtomicOperations(b *testing.B) {
+	conn := &BaseConnTrack{}
+	b.Run("UpdateLastSeen", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			conn.UpdateLastSeen()
+		}
+	})
+
+	b.Run("IsEstablished", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			_ = conn.IsEstablished()
+		}
+	})
+
+	b.Run("SetEstablished", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			conn.SetEstablished(i%2 == 0)
+		}
+	})
+
+	b.Run("GetLastSeen", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			_ = conn.GetLastSeen()
+		}
+	})
+}
+
+// Memory pressure tests
+func BenchmarkMemoryPressure(b *testing.B) {
+	b.Run("TCPHighLoad", func(b *testing.B) {
+		tracker := NewTCPTracker(DefaultTCPTimeout)
+		defer tracker.Close()
+
+		// Generate different IPs
+		srcIPs := make([]net.IP, 100)
+		dstIPs := make([]net.IP, 100)
+		for i := 0; i < 100; i++ {
+			srcIPs[i] = net.IPv4(192, 168, byte(i/256), byte(i%256))
+			dstIPs[i] = net.IPv4(10, 0, byte(i/256), byte(i%256))
+		}
+
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			srcIdx := i % len(srcIPs)
+			dstIdx := (i + 1) % len(dstIPs)
+			tracker.TrackOutbound(srcIPs[srcIdx], dstIPs[dstIdx], uint16(i%65535), 80, TCPSyn)
+
+			// Simulate some valid inbound packets
+			if i%3 == 0 {
+				tracker.IsValidInbound(dstIPs[dstIdx], srcIPs[srcIdx], 80, uint16(i%65535), TCPAck)
+			}
+		}
+	})
+
+	b.Run("UDPHighLoad", func(b *testing.B) {
+		tracker := NewUDPTracker(DefaultUDPTimeout)
+		defer tracker.Close()
+
+		// Generate different IPs
+		srcIPs := make([]net.IP, 100)
+		dstIPs := make([]net.IP, 100)
+		for i := 0; i < 100; i++ {
+			srcIPs[i] = net.IPv4(192, 168, byte(i/256), byte(i%256))
+			dstIPs[i] = net.IPv4(10, 0, byte(i/256), byte(i%256))
+		}
+
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			srcIdx := i % len(srcIPs)
+			dstIdx := (i + 1) % len(dstIPs)
+			tracker.TrackOutbound(srcIPs[srcIdx], dstIPs[dstIdx], uint16(i%65535), 80)
+
+			// Simulate some valid inbound packets
+			if i%3 == 0 {
+				tracker.IsValidInbound(dstIPs[dstIdx], srcIPs[srcIdx], 80, uint16(i%65535))
+			}
+		}
+	})
+}
--- a/client/firewall/uspfilter/conntrack/icmp.go
+++ b/client/firewall/uspfilter/conntrack/icmp.go
@@ -0,0 +1,170 @@
+package conntrack
+
+import (
+	"net"
+	"sync"
+	"time"
+
+	"github.com/google/gopacket/layers"
+)
+
+const (
+	// DefaultICMPTimeout is the default timeout for ICMP connections
+	DefaultICMPTimeout = 30 * time.Second
+	// ICMPCleanupInterval is how often we check for stale ICMP connections
+	ICMPCleanupInterval = 15 * time.Second
+)
+
+// ICMPConnKey uniquely identifies an ICMP connection
+type ICMPConnKey struct {
+	// Supports both IPv4 and IPv6
+	SrcIP    [16]byte
+	DstIP    [16]byte
+	Sequence uint16 // ICMP sequence number
+	ID       uint16 // ICMP identifier
+}
+
+// ICMPConnTrack represents an ICMP connection state
+type ICMPConnTrack struct {
+	BaseConnTrack
+	Sequence uint16
+	ID       uint16
+}
+
+// ICMPTracker manages ICMP connection states
+type ICMPTracker struct {
+	connections   map[ICMPConnKey]*ICMPConnTrack
+	timeout       time.Duration
+	cleanupTicker *time.Ticker
+	mutex         sync.RWMutex
+	done          chan struct{}
+	ipPool        *PreallocatedIPs
+}
+
+// NewICMPTracker creates a new ICMP connection tracker
+func NewICMPTracker(timeout time.Duration) *ICMPTracker {
+	if timeout == 0 {
+		timeout = DefaultICMPTimeout
+	}
+
+	tracker := &ICMPTracker{
+		connections:   make(map[ICMPConnKey]*ICMPConnTrack),
+		timeout:       timeout,
+		cleanupTicker: time.NewTicker(ICMPCleanupInterval),
+		done:          make(chan struct{}),
+		ipPool:        NewPreallocatedIPs(),
+	}
+
+	go tracker.cleanupRoutine()
+	return tracker
+}
+
+// TrackOutbound records an outbound ICMP Echo Request
+func (t *ICMPTracker) TrackOutbound(srcIP net.IP, dstIP net.IP, id uint16, seq uint16) {
+	key := makeICMPKey(srcIP, dstIP, id, seq)
+	now := time.Now().UnixNano()
+
+	t.mutex.Lock()
+	conn, exists := t.connections[key]
+	if !exists {
+		srcIPCopy := t.ipPool.Get()
+		dstIPCopy := t.ipPool.Get()
+		copyIP(srcIPCopy, srcIP)
+		copyIP(dstIPCopy, dstIP)
+
+		conn = &ICMPConnTrack{
+			BaseConnTrack: BaseConnTrack{
+				SourceIP: srcIPCopy,
+				DestIP:   dstIPCopy,
+			},
+			ID:       id,
+			Sequence: seq,
+		}
+		conn.lastSeen.Store(now)
+		conn.established.Store(true)
+		t.connections[key] = conn
+	}
+	t.mutex.Unlock()
+
+	conn.lastSeen.Store(now)
+}
+
+// IsValidInbound checks if an inbound ICMP Echo Reply matches a tracked request
+func (t *ICMPTracker) IsValidInbound(srcIP net.IP, dstIP net.IP, id uint16, seq uint16, icmpType uint8) bool {
+	switch icmpType {
+	case uint8(layers.ICMPv4TypeDestinationUnreachable),
+		uint8(layers.ICMPv4TypeTimeExceeded):
+		return true
+	case uint8(layers.ICMPv4TypeEchoReply):
+		// continue processing
+	default:
+		return false
+	}
+
+	key := makeICMPKey(dstIP, srcIP, id, seq)
+
+	t.mutex.RLock()
+	conn, exists := t.connections[key]
+	t.mutex.RUnlock()
+
+	if !exists {
+		return false
+	}
+
+	if conn.timeoutExceeded(t.timeout) {
+		return false
+	}
+
+	return conn.IsEstablished() &&
+		ValidateIPs(MakeIPAddr(srcIP), conn.DestIP) &&
+		ValidateIPs(MakeIPAddr(dstIP), conn.SourceIP) &&
+		conn.ID == id &&
+		conn.Sequence == seq
+}
+
+func (t *ICMPTracker) cleanupRoutine() {
+	for {
+		select {
+		case <-t.cleanupTicker.C:
+			t.cleanup()
+		case <-t.done:
+			return
+		}
+	}
+}
+func (t *ICMPTracker) cleanup() {
+	t.mutex.Lock()
+	defer t.mutex.Unlock()
+
+	for key, conn := range t.connections {
+		if conn.timeoutExceeded(t.timeout) {
+			t.ipPool.Put(conn.SourceIP)
+			t.ipPool.Put(conn.DestIP)
+			delete(t.connections, key)
+		}
+	}
+}
+
+// Close stops the cleanup routine and releases resources
+func (t *ICMPTracker) Close() {
+	t.cleanupTicker.Stop()
+	close(t.done)
+
+	t.mutex.Lock()
+	for _, conn := range t.connections {
+		t.ipPool.Put(conn.SourceIP)
+		t.ipPool.Put(conn.DestIP)
+	}
+	t.connections = nil
+	t.mutex.Unlock()
+}
+
+// makeICMPKey creates an ICMP connection key
+func makeICMPKey(srcIP net.IP, dstIP net.IP, id uint16, seq uint16) ICMPConnKey {
+	return ICMPConnKey{
+		SrcIP:    MakeIPAddr(srcIP),
+		DstIP:    MakeIPAddr(dstIP),
+		ID:       id,
+		Sequence: seq,
+	}
+}
--- a/client/firewall/uspfilter/conntrack/icmp_test.go
+++ b/client/firewall/uspfilter/conntrack/icmp_test.go
@@ -0,0 +1,39 @@
+package conntrack
+
+import (
+	"net"
+	"testing"
+)
+
+func BenchmarkICMPTracker(b *testing.B) {
+	b.Run("TrackOutbound", func(b *testing.B) {
+		tracker := NewICMPTracker(DefaultICMPTimeout)
+		defer tracker.Close()
+
+		srcIP := net.ParseIP("192.168.1.1")
+		dstIP := net.ParseIP("192.168.1.2")
+
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			tracker.TrackOutbound(srcIP, dstIP, uint16(i%65535), uint16(i%65535))
+		}
+	})
+
+	b.Run("IsValidInbound", func(b *testing.B) {
+		tracker := NewICMPTracker(DefaultICMPTimeout)
+		defer tracker.Close()
+
+		srcIP := net.ParseIP("192.168.1.1")
+		dstIP := net.ParseIP("192.168.1.2")
+
+		// Pre-populate some connections
+		for i := 0; i < 1000; i++ {
+			tracker.TrackOutbound(srcIP, dstIP, uint16(i), uint16(i))
+		}
+
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			tracker.IsValidInbound(dstIP, srcIP, uint16(i%1000), uint16(i%1000), 0)
+		}
+	})
+}
--- a/client/firewall/uspfilter/conntrack/tcp.go
+++ b/client/firewall/uspfilter/conntrack/tcp.go
@@ -0,0 +1,352 @@
+package conntrack
+
+// TODO: Send RST packets for invalid/timed-out connections
+
+import (
+	"net"
+	"sync"
+	"time"
+)
+
+const (
+	// MSL (Maximum Segment Lifetime) is typically 2 minutes
+	MSL = 2 * time.Minute
+	// TimeWaitTimeout (TIME-WAIT) should last 2*MSL
+	TimeWaitTimeout = 2 * MSL
+)
+
+const (
+	TCPSyn  uint8 = 0x02
+	TCPAck  uint8 = 0x10
+	TCPFin  uint8 = 0x01
+	TCPRst  uint8 = 0x04
+	TCPPush uint8 = 0x08
+	TCPUrg  uint8 = 0x20
+)
+
+const (
+	// DefaultTCPTimeout is the default timeout for established TCP connections
+	DefaultTCPTimeout = 3 * time.Hour
+	// TCPHandshakeTimeout is timeout for TCP handshake completion
+	TCPHandshakeTimeout = 60 * time.Second
+	// TCPCleanupInterval is how often we check for stale connections
+	TCPCleanupInterval = 5 * time.Minute
+)
+
+// TCPState represents the state of a TCP connection
+type TCPState int
+
+const (
+	TCPStateNew TCPState = iota
+	TCPStateSynSent
+	TCPStateSynReceived
+	TCPStateEstablished
+	TCPStateFinWait1
+	TCPStateFinWait2
+	TCPStateClosing
+	TCPStateTimeWait
+	TCPStateCloseWait
+	TCPStateLastAck
+	TCPStateClosed
+)
+
+// TCPConnKey uniquely identifies a TCP connection
+type TCPConnKey struct {
+	SrcIP   [16]byte
+	DstIP   [16]byte
+	SrcPort uint16
+	DstPort uint16
+}
+
+// TCPConnTrack represents a TCP connection state
+type TCPConnTrack struct {
+	BaseConnTrack
+	State TCPState
+	sync.RWMutex
+}
+
+// TCPTracker manages TCP connection states
+type TCPTracker struct {
+	connections   map[ConnKey]*TCPConnTrack
+	mutex         sync.RWMutex
+	cleanupTicker *time.Ticker
+	done          chan struct{}
+	timeout       time.Duration
+	ipPool        *PreallocatedIPs
+}
+
+// NewTCPTracker creates a new TCP connection tracker
+func NewTCPTracker(timeout time.Duration) *TCPTracker {
+	tracker := &TCPTracker{
+		connections:   make(map[ConnKey]*TCPConnTrack),
+		cleanupTicker: time.NewTicker(TCPCleanupInterval),
+		done:          make(chan struct{}),
+		timeout:       timeout,
+		ipPool:        NewPreallocatedIPs(),
+	}
+
+	go tracker.cleanupRoutine()
+	return tracker
+}
+
+// TrackOutbound processes an outbound TCP packet and updates connection state
+func (t *TCPTracker) TrackOutbound(srcIP net.IP, dstIP net.IP, srcPort uint16, dstPort uint16, flags uint8) {
+	// Create key before lock
+	key := makeConnKey(srcIP, dstIP, srcPort, dstPort)
+	now := time.Now().UnixNano()
+
+	t.mutex.Lock()
+	conn, exists := t.connections[key]
+	if !exists {
+		// Use preallocated IPs
+		srcIPCopy := t.ipPool.Get()
+		dstIPCopy := t.ipPool.Get()
+		copyIP(srcIPCopy, srcIP)
+		copyIP(dstIPCopy, dstIP)
+
+		conn = &TCPConnTrack{
+			BaseConnTrack: BaseConnTrack{
+				SourceIP:   srcIPCopy,
+				DestIP:     dstIPCopy,
+				SourcePort: srcPort,
+				DestPort:   dstPort,
+			},
+			State: TCPStateNew,
+		}
+		conn.lastSeen.Store(now)
+		conn.established.Store(false)
+		t.connections[key] = conn
+	}
+	t.mutex.Unlock()
+
+	// Lock individual connection for state update
+	conn.Lock()
+	t.updateState(conn, flags, true)
+	conn.Unlock()
+	conn.lastSeen.Store(now)
+}
+
+// IsValidInbound checks if an inbound TCP packet matches a tracked connection
+func (t *TCPTracker) IsValidInbound(srcIP net.IP, dstIP net.IP, srcPort uint16, dstPort uint16, flags uint8) bool {
+	if !isValidFlagCombination(flags) {
+		return false
+	}
+
+	key := makeConnKey(dstIP, srcIP, dstPort, srcPort)
+
+	t.mutex.RLock()
+	conn, exists := t.connections[key]
+	t.mutex.RUnlock()
+
+	if !exists {
+		return false
+	}
+
+	// Handle RST packets
+	if flags&TCPRst != 0 {
+		conn.Lock()
+		if conn.IsEstablished() || conn.State == TCPStateSynSent || conn.State == TCPStateSynReceived {
+			conn.State = TCPStateClosed
+			conn.SetEstablished(false)
+			conn.Unlock()
+			return true
+		}
+		conn.Unlock()
+		return false
+	}
+
+	conn.Lock()
+	t.updateState(conn, flags, false)
+	conn.UpdateLastSeen()
+	isEstablished := conn.IsEstablished()
+	isValidState := t.isValidStateForFlags(conn.State, flags)
+	conn.Unlock()
+
+	return isEstablished || isValidState
+}
+
+// updateState updates the TCP connection state based on flags
+func (t *TCPTracker) updateState(conn *TCPConnTrack, flags uint8, isOutbound bool) {
+	// Handle RST flag specially - it always causes transition to closed
+	if flags&TCPRst != 0 {
+		conn.State = TCPStateClosed
+		conn.SetEstablished(false)
+		return
+	}
+
+	switch conn.State {
+	case TCPStateNew:
+		if flags&TCPSyn != 0 && flags&TCPAck == 0 {
+			conn.State = TCPStateSynSent
+		}
+
+	case TCPStateSynSent:
+		if flags&TCPSyn != 0 && flags&TCPAck != 0 {
+			if isOutbound {
+				conn.State = TCPStateSynReceived
+			} else {
+				// Simultaneous open
+				conn.State = TCPStateEstablished
+				conn.SetEstablished(true)
+			}
+		}
+
+	case TCPStateSynReceived:
+		if flags&TCPAck != 0 && flags&TCPSyn == 0 {
+			conn.State = TCPStateEstablished
+			conn.SetEstablished(true)
+		}
+
+	case TCPStateEstablished:
+		if flags&TCPFin != 0 {
+			if isOutbound {
+				conn.State = TCPStateFinWait1
+			} else {
+				conn.State = TCPStateCloseWait
+			}
+			conn.SetEstablished(false)
+		}
+
+	case TCPStateFinWait1:
+		switch {
+		case flags&TCPFin != 0 && flags&TCPAck != 0:
+			// Simultaneous close - both sides sent FIN
+			conn.State = TCPStateClosing
+		case flags&TCPFin != 0:
+			conn.State = TCPStateFinWait2
+		case flags&TCPAck != 0:
+			conn.State = TCPStateFinWait2
+		}
+
+	case TCPStateFinWait2:
+		if flags&TCPFin != 0 {
+			conn.State = TCPStateTimeWait
+		}
+
+	case TCPStateClosing:
+		if flags&TCPAck != 0 {
+			conn.State = TCPStateTimeWait
+			// Keep established = false from previous state
+		}
+
+	case TCPStateCloseWait:
+		if flags&TCPFin != 0 {
+			conn.State = TCPStateLastAck
+		}
+
+	case TCPStateLastAck:
+		if flags&TCPAck != 0 {
+			conn.State = TCPStateClosed
+		}
+
+	case TCPStateTimeWait:
+		// Stay in TIME-WAIT for 2MSL before transitioning to closed
+		// This is handled by the cleanup routine
+	}
+}
+
+// isValidStateForFlags checks if the TCP flags are valid for the current connection state
+func (t *TCPTracker) isValidStateForFlags(state TCPState, flags uint8) bool {
+	if !isValidFlagCombination(flags) {
+		return false
+	}
+
+	switch state {
+	case TCPStateNew:
+		return flags&TCPSyn != 0 && flags&TCPAck == 0
+	case TCPStateSynSent:
+		return flags&TCPSyn != 0 && flags&TCPAck != 0
+	case TCPStateSynReceived:
+		return flags&TCPAck != 0
+	case TCPStateEstablished:
+		if flags&TCPRst != 0 {
+			return true
+		}
+		return flags&TCPAck != 0
+	case TCPStateFinWait1:
+		return flags&TCPFin != 0 || flags&TCPAck != 0
+	case TCPStateFinWait2:
+		return flags&TCPFin != 0 || flags&TCPAck != 0
+	case TCPStateClosing:
+		// In CLOSING state, we should accept the final ACK
+		return flags&TCPAck != 0
+	case TCPStateTimeWait:
+		// In TIME_WAIT, we might see retransmissions
+		return flags&TCPAck != 0
+	case TCPStateCloseWait:
+		return flags&TCPFin != 0 || flags&TCPAck != 0
+	case TCPStateLastAck:
+		return flags&TCPAck != 0
+	case TCPStateClosed:
+		// Accept retransmitted ACKs in closed state
+		// This is important because the final ACK might be lost
+		// and the peer will retransmit their FIN-ACK
+		return flags&TCPAck != 0
+	}
+	return false
+}
+
+func (t *TCPTracker) cleanupRoutine() {
+	for {
+		select {
+		case <-t.cleanupTicker.C:
+			t.cleanup()
+		case <-t.done:
+			return
+		}
+	}
+}
+
+func (t *TCPTracker) cleanup() {
+	t.mutex.Lock()
+	defer t.mutex.Unlock()
+
+	for key, conn := range t.connections {
+		var timeout time.Duration
+		switch {
+		case conn.State == TCPStateTimeWait:
+			timeout = TimeWaitTimeout
+		case conn.IsEstablished():
+			timeout = t.timeout
+		default:
+			timeout = TCPHandshakeTimeout
+		}
+
+		lastSeen := conn.GetLastSeen()
+		if time.Since(lastSeen) > timeout {
+			// Return IPs to pool
+			t.ipPool.Put(conn.SourceIP)
+			t.ipPool.Put(conn.DestIP)
+			delete(t.connections, key)
+		}
+	}
+}
+
+// Close stops the cleanup routine and releases resources
+func (t *TCPTracker) Close() {
+	t.cleanupTicker.Stop()
+	close(t.done)
+
+	// Clean up all remaining IPs
+	t.mutex.Lock()
+	for _, conn := range t.connections {
+		t.ipPool.Put(conn.SourceIP)
+		t.ipPool.Put(conn.DestIP)
+	}
+	t.connections = nil
+	t.mutex.Unlock()
+}
+
+func isValidFlagCombination(flags uint8) bool {
+	// Invalid: SYN+FIN
+	if flags&TCPSyn != 0 && flags&TCPFin != 0 {
+		return false
+	}
+
+	// Invalid: RST with SYN or FIN
+	if flags&TCPRst != 0 && (flags&TCPSyn != 0 || flags&TCPFin != 0) {
+		return false
+	}
+
+	return true
+}
--- a/client/firewall/uspfilter/conntrack/tcp_test.go
+++ b/client/firewall/uspfilter/conntrack/tcp_test.go
@@ -0,0 +1,308 @@
+package conntrack
+
+import (
+	"net"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestTCPStateMachine(t *testing.T) {
+	tracker := NewTCPTracker(DefaultTCPTimeout)
+	defer tracker.Close()
+
+	srcIP := net.ParseIP("100.64.0.1")
+	dstIP := net.ParseIP("100.64.0.2")
+	srcPort := uint16(12345)
+	dstPort := uint16(80)
+
+	t.Run("Security Tests", func(t *testing.T) {
+		tests := []struct {
+			name     string
+			flags    uint8
+			wantDrop bool
+			desc     string
+		}{
+			{
+				name:     "Block unsolicited SYN-ACK",
+				flags:    TCPSyn | TCPAck,
+				wantDrop: true,
+				desc:     "Should block SYN-ACK without prior SYN",
+			},
+			{
+				name:     "Block invalid SYN-FIN",
+				flags:    TCPSyn | TCPFin,
+				wantDrop: true,
+				desc:     "Should block invalid SYN-FIN combination",
+			},
+			{
+				name:     "Block unsolicited RST",
+				flags:    TCPRst,
+				wantDrop: true,
+				desc:     "Should block RST without connection",
+			},
+			{
+				name:     "Block unsolicited ACK",
+				flags:    TCPAck,
+				wantDrop: true,
+				desc:     "Should block ACK without connection",
+			},
+			{
+				name:     "Block data without connection",
+				flags:    TCPAck | TCPPush,
+				wantDrop: true,
+				desc:     "Should block data without established connection",
+			},
+		}
+
+		for _, tt := range tests {
+			t.Run(tt.name, func(t *testing.T) {
+				isValid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, tt.flags)
+				require.Equal(t, !tt.wantDrop, isValid, tt.desc)
+			})
+		}
+	})
+
+	t.Run("Connection Flow Tests", func(t *testing.T) {
+		tests := []struct {
+			name string
+			test func(*testing.T)
+			desc string
+		}{
+			{
+				name: "Normal Handshake",
+				test: func(t *testing.T) {
+					t.Helper()
+
+					// Send initial SYN
+					tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn)
+
+					// Receive SYN-ACK
+					valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck)
+					require.True(t, valid, "SYN-ACK should be allowed")
+
+					// Send ACK
+					tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck)
+
+					// Test data transfer
+					valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPPush|TCPAck)
+					require.True(t, valid, "Data should be allowed after handshake")
+				},
+			},
+			{
+				name: "Normal Close",
+				test: func(t *testing.T) {
+					t.Helper()
+
+					// First establish connection
+					establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+
+					// Send FIN
+					tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck)
+
+					// Receive ACK for FIN
+					valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck)
+					require.True(t, valid, "ACK for FIN should be allowed")
+
+					// Receive FIN from other side
+					valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck)
+					require.True(t, valid, "FIN should be allowed")
+
+					// Send final ACK
+					tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck)
+				},
+			},
+			{
+				name: "RST During Connection",
+				test: func(t *testing.T) {
+					t.Helper()
+
+					// First establish connection
+					establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+
+					// Receive RST
+					valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPRst)
+					require.True(t, valid, "RST should be allowed for established connection")
+
+					// Connection is logically dead but we don't enforce blocking subsequent packets
+					// The connection will be cleaned up by timeout
+				},
+			},
+			{
+				name: "Simultaneous Close",
+				test: func(t *testing.T) {
+					t.Helper()
+
+					// First establish connection
+					establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+
+					// Both sides send FIN+ACK
+					tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck)
+					valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck)
+					require.True(t, valid, "Simultaneous FIN should be allowed")
+
+					// Both sides send final ACK
+					tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck)
+					valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck)
+					require.True(t, valid, "Final ACKs should be allowed")
+				},
+			},
+		}
+
+		for _, tt := range tests {
+			t.Run(tt.name, func(t *testing.T) {
+				t.Helper()
+
+				tracker = NewTCPTracker(DefaultTCPTimeout)
+				tt.test(t)
+			})
+		}
+	})
+}
+
+func TestRSTHandling(t *testing.T) {
+	tracker := NewTCPTracker(DefaultTCPTimeout)
+	defer tracker.Close()
+
+	srcIP := net.ParseIP("100.64.0.1")
+	dstIP := net.ParseIP("100.64.0.2")
+	srcPort := uint16(12345)
+	dstPort := uint16(80)
+
+	tests := []struct {
+		name       string
+		setupState func()
+		sendRST    func()
+		wantValid  bool
+		desc       string
+	}{
+		{
+			name: "RST in established",
+			setupState: func() {
+				// Establish connection first
+				tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn)
+				tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck)
+				tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck)
+			},
+			sendRST: func() {
+				tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPRst)
+			},
+			wantValid: true,
+			desc:      "Should accept RST for established connection",
+		},
+		{
+			name:       "RST without connection",
+			setupState: func() {},
+			sendRST: func() {
+				tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPRst)
+			},
+			wantValid: false,
+			desc:      "Should reject RST without connection",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tt.setupState()
+			tt.sendRST()
+
+			// Verify connection state is as expected
+			key := makeConnKey(srcIP, dstIP, srcPort, dstPort)
+			conn := tracker.connections[key]
+			if tt.wantValid {
+				require.NotNil(t, conn)
+				require.Equal(t, TCPStateClosed, conn.State)
+				require.False(t, conn.IsEstablished())
+			}
+		})
+	}
+}
+
+// Helper to establish a TCP connection
+func establishConnection(t *testing.T, tracker *TCPTracker, srcIP, dstIP net.IP, srcPort, dstPort uint16) {
+	t.Helper()
+
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn)
+
+	valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck)
+	require.True(t, valid, "SYN-ACK should be allowed")
+
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck)
+}
+
+func BenchmarkTCPTracker(b *testing.B) {
+	b.Run("TrackOutbound", func(b *testing.B) {
+		tracker := NewTCPTracker(DefaultTCPTimeout)
+		defer tracker.Close()
+
+		srcIP := net.ParseIP("192.168.1.1")
+		dstIP := net.ParseIP("192.168.1.2")
+
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			tracker.TrackOutbound(srcIP, dstIP, uint16(i%65535), 80, TCPSyn)
+		}
+	})
+
+	b.Run("IsValidInbound", func(b *testing.B) {
+		tracker := NewTCPTracker(DefaultTCPTimeout)
+		defer tracker.Close()
+
+		srcIP := net.ParseIP("192.168.1.1")
+		dstIP := net.ParseIP("192.168.1.2")
+
+		// Pre-populate some connections
+		for i := 0; i < 1000; i++ {
+			tracker.TrackOutbound(srcIP, dstIP, uint16(i), 80, TCPSyn)
+		}
+
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			tracker.IsValidInbound(dstIP, srcIP, 80, uint16(i%1000), TCPAck)
+		}
+	})
+
+	b.Run("ConcurrentAccess", func(b *testing.B) {
+		tracker := NewTCPTracker(DefaultTCPTimeout)
+		defer tracker.Close()
+
+		srcIP := net.ParseIP("192.168.1.1")
+		dstIP := net.ParseIP("192.168.1.2")
+
+		b.RunParallel(func(pb *testing.PB) {
+			i := 0
+			for pb.Next() {
+				if i%2 == 0 {
+					tracker.TrackOutbound(srcIP, dstIP, uint16(i%65535), 80, TCPSyn)
+				} else {
+					tracker.IsValidInbound(dstIP, srcIP, 80, uint16(i%65535), TCPAck)
+				}
+				i++
+			}
+		})
+	})
+}
+
+// Benchmark connection cleanup
+func BenchmarkCleanup(b *testing.B) {
+	b.Run("TCPCleanup", func(b *testing.B) {
+		tracker := NewTCPTracker(100 * time.Millisecond) // Short timeout for testing
+		defer tracker.Close()
+
+		// Pre-populate with expired connections
+		srcIP := net.ParseIP("192.168.1.1")
+		dstIP := net.ParseIP("192.168.1.2")
+		for i := 0; i < 10000; i++ {
+			tracker.TrackOutbound(srcIP, dstIP, uint16(i), 80, TCPSyn)
+		}
+
+		// Wait for connections to expire
+		time.Sleep(200 * time.Millisecond)
+
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			tracker.cleanup()
+		}
+	})
+}
--- a/client/firewall/uspfilter/conntrack/udp.go
+++ b/client/firewall/uspfilter/conntrack/udp.go
@@ -0,0 +1,158 @@
+package conntrack
+
+import (
+	"net"
+	"sync"
+	"time"
+)
+
+const (
+	// DefaultUDPTimeout is the default timeout for UDP connections
+	DefaultUDPTimeout = 30 * time.Second
+	// UDPCleanupInterval is how often we check for stale connections
+	UDPCleanupInterval = 15 * time.Second
+)
+
+// UDPConnTrack represents a UDP connection state
+type UDPConnTrack struct {
+	BaseConnTrack
+}
+
+// UDPTracker manages UDP connection states
+type UDPTracker struct {
+	connections   map[ConnKey]*UDPConnTrack
+	timeout       time.Duration
+	cleanupTicker *time.Ticker
+	mutex         sync.RWMutex
+	done          chan struct{}
+	ipPool        *PreallocatedIPs
+}
+
+// NewUDPTracker creates a new UDP connection tracker
+func NewUDPTracker(timeout time.Duration) *UDPTracker {
+	if timeout == 0 {
+		timeout = DefaultUDPTimeout
+	}
+
+	tracker := &UDPTracker{
+		connections:   make(map[ConnKey]*UDPConnTrack),
+		timeout:       timeout,
+		cleanupTicker: time.NewTicker(UDPCleanupInterval),
+		done:          make(chan struct{}),
+		ipPool:        NewPreallocatedIPs(),
+	}
+
+	go tracker.cleanupRoutine()
+	return tracker
+}
+
+// TrackOutbound records an outbound UDP connection
+func (t *UDPTracker) TrackOutbound(srcIP net.IP, dstIP net.IP, srcPort uint16, dstPort uint16) {
+	key := makeConnKey(srcIP, dstIP, srcPort, dstPort)
+	now := time.Now().UnixNano()
+
+	t.mutex.Lock()
+	conn, exists := t.connections[key]
+	if !exists {
+		srcIPCopy := t.ipPool.Get()
+		dstIPCopy := t.ipPool.Get()
+		copyIP(srcIPCopy, srcIP)
+		copyIP(dstIPCopy, dstIP)
+
+		conn = &UDPConnTrack{
+			BaseConnTrack: BaseConnTrack{
+				SourceIP:   srcIPCopy,
+				DestIP:     dstIPCopy,
+				SourcePort: srcPort,
+				DestPort:   dstPort,
+			},
+		}
+		conn.lastSeen.Store(now)
+		conn.established.Store(true)
+		t.connections[key] = conn
+	}
+	t.mutex.Unlock()
+
+	conn.lastSeen.Store(now)
+}
+
+// IsValidInbound checks if an inbound packet matches a tracked connection
+func (t *UDPTracker) IsValidInbound(srcIP net.IP, dstIP net.IP, srcPort uint16, dstPort uint16) bool {
+	key := makeConnKey(dstIP, srcIP, dstPort, srcPort)
+
+	t.mutex.RLock()
+	conn, exists := t.connections[key]
+	t.mutex.RUnlock()
+
+	if !exists {
+		return false
+	}
+
+	if conn.timeoutExceeded(t.timeout) {
+		return false
+	}
+
+	return conn.IsEstablished() &&
+		ValidateIPs(MakeIPAddr(srcIP), conn.DestIP) &&
+		ValidateIPs(MakeIPAddr(dstIP), conn.SourceIP) &&
+		conn.DestPort == srcPort &&
+		conn.SourcePort == dstPort
+}
+
+// cleanupRoutine periodically removes stale connections
+func (t *UDPTracker) cleanupRoutine() {
+	for {
+		select {
+		case <-t.cleanupTicker.C:
+			t.cleanup()
+		case <-t.done:
+			return
+		}
+	}
+}
+
+func (t *UDPTracker) cleanup() {
+	t.mutex.Lock()
+	defer t.mutex.Unlock()
+
+	for key, conn := range t.connections {
+		if conn.timeoutExceeded(t.timeout) {
+			t.ipPool.Put(conn.SourceIP)
+			t.ipPool.Put(conn.DestIP)
+			delete(t.connections, key)
+		}
+	}
+}
+
+// Close stops the cleanup routine and releases resources
+func (t *UDPTracker) Close() {
+	t.cleanupTicker.Stop()
+	close(t.done)
+
+	t.mutex.Lock()
+	for _, conn := range t.connections {
+		t.ipPool.Put(conn.SourceIP)
+		t.ipPool.Put(conn.DestIP)
+	}
+	t.connections = nil
+	t.mutex.Unlock()
+}
+
+// GetConnection safely retrieves a connection state
+func (t *UDPTracker) GetConnection(srcIP net.IP, srcPort uint16, dstIP net.IP, dstPort uint16) (*UDPConnTrack, bool) {
+	t.mutex.RLock()
+	defer t.mutex.RUnlock()
+
+	key := makeConnKey(srcIP, dstIP, srcPort, dstPort)
+	conn, exists := t.connections[key]
+	if !exists {
+		return nil, false
+	}
+
+	return conn, true
+}
+
+// Timeout returns the configured timeout duration for the tracker
+func (t *UDPTracker) Timeout() time.Duration {
+	return t.timeout
+}
--- a/client/firewall/uspfilter/conntrack/udp_test.go
+++ b/client/firewall/uspfilter/conntrack/udp_test.go
@@ -0,0 +1,243 @@
+package conntrack
+
+import (
+	"net"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewUDPTracker(t *testing.T) {
+	tests := []struct {
+		name        string
+		timeout     time.Duration
+		wantTimeout time.Duration
+	}{
+		{
+			name:        "with custom timeout",
+			timeout:     1 * time.Minute,
+			wantTimeout: 1 * time.Minute,
+		},
+		{
+			name:        "with zero timeout uses default",
+			timeout:     0,
+			wantTimeout: DefaultUDPTimeout,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tracker := NewUDPTracker(tt.timeout)
+			assert.NotNil(t, tracker)
+			assert.Equal(t, tt.wantTimeout, tracker.timeout)
+			assert.NotNil(t, tracker.connections)
+			assert.NotNil(t, tracker.cleanupTicker)
+			assert.NotNil(t, tracker.done)
+		})
+	}
+}
+
+func TestUDPTracker_TrackOutbound(t *testing.T) {
+	tracker := NewUDPTracker(DefaultUDPTimeout)
+	defer tracker.Close()
+
+	srcIP := net.ParseIP("192.168.1.2")
+	dstIP := net.ParseIP("192.168.1.3")
+	srcPort := uint16(12345)
+	dstPort := uint16(53)
+
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort)
+
+	// Verify connection was tracked
+	key := makeConnKey(srcIP, dstIP, srcPort, dstPort)
+	conn, exists := tracker.connections[key]
+	require.True(t, exists)
+	assert.True(t, conn.SourceIP.Equal(srcIP))
+	assert.True(t, conn.DestIP.Equal(dstIP))
+	assert.Equal(t, srcPort, conn.SourcePort)
+	assert.Equal(t, dstPort, conn.DestPort)
+	assert.True(t, conn.IsEstablished())
+	assert.WithinDuration(t, time.Now(), conn.GetLastSeen(), 1*time.Second)
+}
+
+func TestUDPTracker_IsValidInbound(t *testing.T) {
+	tracker := NewUDPTracker(1 * time.Second)
+	defer tracker.Close()
+
+	srcIP := net.ParseIP("192.168.1.2")
+	dstIP := net.ParseIP("192.168.1.3")
+	srcPort := uint16(12345)
+	dstPort := uint16(53)
+
+	// Track outbound connection
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort)
+
+	tests := []struct {
+		name    string
+		srcIP   net.IP
+		dstIP   net.IP
+		srcPort uint16
+		dstPort uint16
+		sleep   time.Duration
+		want    bool
+	}{
+		{
+			name:    "valid inbound response",
+			srcIP:   dstIP,   // Original destination is now source
+			dstIP:   srcIP,   // Original source is now destination
+			srcPort: dstPort, // Original destination port is now source
+			dstPort: srcPort, // Original source port is now destination
+			sleep:   0,
+			want:    true,
+		},
+		{
+			name:    "invalid source IP",
+			srcIP:   net.ParseIP("192.168.1.4"),
+			dstIP:   srcIP,
+			srcPort: dstPort,
+			dstPort: srcPort,
+			sleep:   0,
+			want:    false,
+		},
+		{
+			name:    "invalid destination IP",
+			srcIP:   dstIP,
+			dstIP:   net.ParseIP("192.168.1.4"),
+			srcPort: dstPort,
+			dstPort: srcPort,
+			sleep:   0,
+			want:    false,
+		},
+		{
+			name:    "invalid source port",
+			srcIP:   dstIP,
+			dstIP:   srcIP,
+			srcPort: 54321,
+			dstPort: srcPort,
+			sleep:   0,
+			want:    false,
+		},
+		{
+			name:    "invalid destination port",
+			srcIP:   dstIP,
+			dstIP:   srcIP,
+			srcPort: dstPort,
+			dstPort: 54321,
+			sleep:   0,
+			want:    false,
+		},
+		{
+			name:    "expired connection",
+			srcIP:   dstIP,
+			dstIP:   srcIP,
+			srcPort: dstPort,
+			dstPort: srcPort,
+			sleep:   2 * time.Second, // Longer than tracker timeout
+			want:    false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.sleep > 0 {
+				time.Sleep(tt.sleep)
+			}
+			got := tracker.IsValidInbound(tt.srcIP, tt.dstIP, tt.srcPort, tt.dstPort)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestUDPTracker_Cleanup(t *testing.T) {
+	// Use shorter intervals for testing
+	timeout := 50 * time.Millisecond
+	cleanupInterval := 25 * time.Millisecond
+
+	// Create tracker with custom cleanup interval
+	tracker := &UDPTracker{
+		connections:   make(map[ConnKey]*UDPConnTrack),
+		timeout:       timeout,
+		cleanupTicker: time.NewTicker(cleanupInterval),
+		done:          make(chan struct{}),
+		ipPool:        NewPreallocatedIPs(),
+	}
+
+	// Start cleanup routine
+	go tracker.cleanupRoutine()
+
+	// Add some connections
+	connections := []struct {
+		srcIP   net.IP
+		dstIP   net.IP
+		srcPort uint16
+		dstPort uint16
+	}{
+		{
+			srcIP:   net.ParseIP("192.168.1.2"),
+			dstIP:   net.ParseIP("192.168.1.3"),
+			srcPort: 12345,
+			dstPort: 53,
+		},
+		{
+			srcIP:   net.ParseIP("192.168.1.4"),
+			dstIP:   net.ParseIP("192.168.1.5"),
+			srcPort: 12346,
+			dstPort: 53,
+		},
+	}
+
+	for _, conn := range connections {
+		tracker.TrackOutbound(conn.srcIP, conn.dstIP, conn.srcPort, conn.dstPort)
+	}
+
+	// Verify initial connections
+	assert.Len(t, tracker.connections, 2)
+
+	// Wait for connection timeout and cleanup interval
+	time.Sleep(timeout + 2*cleanupInterval)
+
+	tracker.mutex.RLock()
+	connCount := len(tracker.connections)
+	tracker.mutex.RUnlock()
+
+	// Verify connections were cleaned up
+	assert.Equal(t, 0, connCount, "Expected all connections to be cleaned up")
+
+	// Properly close the tracker
+	tracker.Close()
+}
+
+func BenchmarkUDPTracker(b *testing.B) {
+	b.Run("TrackOutbound", func(b *testing.B) {
+		tracker := NewUDPTracker(DefaultUDPTimeout)
+		defer tracker.Close()
+
+		srcIP := net.ParseIP("192.168.1.1")
+		dstIP := net.ParseIP("192.168.1.2")
+
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			tracker.TrackOutbound(srcIP, dstIP, uint16(i%65535), 80)
+		}
+	})
+
+	b.Run("IsValidInbound", func(b *testing.B) {
+		tracker := NewUDPTracker(DefaultUDPTimeout)
+		defer tracker.Close()
+
+		srcIP := net.ParseIP("192.168.1.1")
+		dstIP := net.ParseIP("192.168.1.2")
+
+		// Pre-populate some connections
+		for i := 0; i < 1000; i++ {
+			tracker.TrackOutbound(srcIP, dstIP, uint16(i), 80)
+		}
+
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			tracker.IsValidInbound(dstIP, srcIP, 80, uint16(i%1000))
+		}
+	})
+}
--- a/client/firewall/uspfilter/uspfilter.go
+++ b/client/firewall/uspfilter/uspfilter.go
@@ -4,6 +4,8 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
+	"os"
+	"strconv"
 	"sync"

 	"github.com/google/gopacket"
@@ -12,6 +14,7 @@ import (
 	log "github.com/sirupsen/logrus"

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
@@ -19,6 +22,8 @@ import (

 const layerTypeAll = 0

+const EnvDisableConntrack = "NB_DISABLE_CONNTRACK"
+
 var (
 	errRouteNotSupported = fmt.Errorf("route not supported with userspace firewall")
 )
@@ -42,6 +47,11 @@ type Manager struct {
 	nativeFirewall firewall.Manager

 	mutex sync.RWMutex
+
+	stateful    bool
+	udpTracker  *conntrack.UDPTracker
+	icmpTracker *conntrack.ICMPTracker
+	tcpTracker  *conntrack.TCPTracker
 }

 // decoder for packages
@@ -73,6 +83,8 @@ func CreateWithNativeFirewall(iface IFaceMapper, nativeFirewall firewall.Manager
 }

 func create(iface IFaceMapper) (*Manager, error) {
+	disableConntrack, _ := strconv.ParseBool(os.Getenv(EnvDisableConntrack))
+
 	m := &Manager{
 		decoders: sync.Pool{
 			New: func() any {
@@ -90,6 +102,16 @@ func create(iface IFaceMapper) (*Manager, error) {
 		outgoingRules: make(map[string]RuleSet),
 		incomingRules: make(map[string]RuleSet),
 		wgIface:       iface,
+		stateful:      !disableConntrack,
+	}
+
+	// Only initialize trackers if stateful mode is enabled
+	if disableConntrack {
+		log.Info("conntrack is disabled")
+	} else {
+		m.udpTracker = conntrack.NewUDPTracker(conntrack.DefaultUDPTimeout)
+		m.icmpTracker = conntrack.NewICMPTracker(conntrack.DefaultICMPTimeout)
+		m.tcpTracker = conntrack.NewTCPTracker(conntrack.DefaultTCPTimeout)
 	}

 	if err := iface.SetFilter(m); err != nil {
@@ -249,16 +271,16 @@ func (m *Manager) Flush() error { return nil }

 // DropOutgoing filter outgoing packets
 func (m *Manager) DropOutgoing(packetData []byte) bool {
-	return m.dropFilter(packetData, m.outgoingRules, false)
+	return m.processOutgoingHooks(packetData)
 }

 // DropIncoming filter incoming packets
 func (m *Manager) DropIncoming(packetData []byte) bool {
-	return m.dropFilter(packetData, m.incomingRules, true)
+	return m.dropFilter(packetData, m.incomingRules)
 }

-// dropFilter implements same logic for booth direction of the traffic
-func (m *Manager) dropFilter(packetData []byte, rules map[string]RuleSet, isIncomingPacket bool) bool {
+// processOutgoingHooks processes UDP hooks for outgoing packets and tracks TCP/UDP/ICMP
+func (m *Manager) processOutgoingHooks(packetData []byte) bool {
 	m.mutex.RLock()
 	defer m.mutex.RUnlock()

@@ -266,61 +288,213 @@ func (m *Manager) dropFilter(packetData []byte, rules map[string]RuleSet, isInco
 	defer m.decoders.Put(d)

 	if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
-		log.Tracef("couldn't decode layer, err: %s", err)
-		return true
+		return false
 	}

 	if len(d.decoded) < 2 {
-		log.Tracef("not enough levels in network packet")
+		return false
+	}
+
+	srcIP, dstIP := m.extractIPs(d)
+	if srcIP == nil {
+		return false
+	}
+
+	// Always process UDP hooks
+	if d.decoded[1] == layers.LayerTypeUDP {
+		// Track UDP state only if enabled
+		if m.stateful {
+			m.trackUDPOutbound(d, srcIP, dstIP)
+		}
+		return m.checkUDPHooks(d, dstIP, packetData)
+	}
+
+	// Track other protocols only if stateful mode is enabled
+	if m.stateful {
+		switch d.decoded[1] {
+		case layers.LayerTypeTCP:
+			m.trackTCPOutbound(d, srcIP, dstIP)
+		case layers.LayerTypeICMPv4:
+			m.trackICMPOutbound(d, srcIP, dstIP)
+		}
+	}
+
+	return false
+}
+
+func (m *Manager) extractIPs(d *decoder) (srcIP, dstIP net.IP) {
+	switch d.decoded[0] {
+	case layers.LayerTypeIPv4:
+		return d.ip4.SrcIP, d.ip4.DstIP
+	case layers.LayerTypeIPv6:
+		return d.ip6.SrcIP, d.ip6.DstIP
+	default:
+		return nil, nil
+	}
+}
+
+func (m *Manager) trackTCPOutbound(d *decoder, srcIP, dstIP net.IP) {
+	flags := getTCPFlags(&d.tcp)
+	m.tcpTracker.TrackOutbound(
+		srcIP,
+		dstIP,
+		uint16(d.tcp.SrcPort),
+		uint16(d.tcp.DstPort),
+		flags,
+	)
+}
+
+func getTCPFlags(tcp *layers.TCP) uint8 {
+	var flags uint8
+	if tcp.SYN {
+		flags |= conntrack.TCPSyn
+	}
+	if tcp.ACK {
+		flags |= conntrack.TCPAck
+	}
+	if tcp.FIN {
+		flags |= conntrack.TCPFin
+	}
+	if tcp.RST {
+		flags |= conntrack.TCPRst
+	}
+	if tcp.PSH {
+		flags |= conntrack.TCPPush
+	}
+	if tcp.URG {
+		flags |= conntrack.TCPUrg
+	}
+	return flags
+}
+
+func (m *Manager) trackUDPOutbound(d *decoder, srcIP, dstIP net.IP) {
+	m.udpTracker.TrackOutbound(
+		srcIP,
+		dstIP,
+		uint16(d.udp.SrcPort),
+		uint16(d.udp.DstPort),
+	)
+}
+
+func (m *Manager) checkUDPHooks(d *decoder, dstIP net.IP, packetData []byte) bool {
+	for _, ipKey := range []string{dstIP.String(), "0.0.0.0", "::"} {
+		if rules, exists := m.outgoingRules[ipKey]; exists {
+			for _, rule := range rules {
+				if rule.udpHook != nil && (rule.dPort == 0 || rule.dPort == uint16(d.udp.DstPort)) {
+					return rule.udpHook(packetData)
+				}
+			}
+		}
+	}
+	return false
+}
+
+func (m *Manager) trackICMPOutbound(d *decoder, srcIP, dstIP net.IP) {
+	if d.icmp4.TypeCode.Type() == layers.ICMPv4TypeEchoRequest {
+		m.icmpTracker.TrackOutbound(
+			srcIP,
+			dstIP,
+			d.icmp4.Id,
+			d.icmp4.Seq,
+		)
+	}
+}
+
+// dropFilter implements filtering logic for incoming packets
+func (m *Manager) dropFilter(packetData []byte, rules map[string]RuleSet) bool {
+	m.mutex.RLock()
+	defer m.mutex.RUnlock()
+
+	d := m.decoders.Get().(*decoder)
+	defer m.decoders.Put(d)
+
+	if !m.isValidPacket(d, packetData) {
 		return true
 	}

-	ipLayer := d.decoded[0]
-
-	switch ipLayer {
-	case layers.LayerTypeIPv4:
-		if !m.wgNetwork.Contains(d.ip4.SrcIP) || !m.wgNetwork.Contains(d.ip4.DstIP) {
-			return false
-		}
-	case layers.LayerTypeIPv6:
-		if !m.wgNetwork.Contains(d.ip6.SrcIP) || !m.wgNetwork.Contains(d.ip6.DstIP) {
-			return false
-		}
-	default:
+	srcIP, dstIP := m.extractIPs(d)
+	if srcIP == nil {
 		log.Errorf("unknown layer: %v", d.decoded[0])
 		return true
 	}

-	var ip net.IP
-	switch ipLayer {
-	case layers.LayerTypeIPv4:
-		if isIncomingPacket {
-			ip = d.ip4.SrcIP
-		} else {
-			ip = d.ip4.DstIP
-		}
-	case layers.LayerTypeIPv6:
-		if isIncomingPacket {
-			ip = d.ip6.SrcIP
-		} else {
-			ip = d.ip6.DstIP
-		}
+	if !m.isWireguardTraffic(srcIP, dstIP) {
+		return false
 	}

-	filter, ok := validateRule(ip, packetData, rules[ip.String()], d)
-	if ok {
-		return filter
+	// Check connection state only if enabled
+	if m.stateful && m.isValidTrackedConnection(d, srcIP, dstIP) {
+		return false
 	}
-	filter, ok = validateRule(ip, packetData, rules["0.0.0.0"], d)
-	if ok {
-		return filter
+
+	return m.applyRules(srcIP, packetData, rules, d)
+}
+
+func (m *Manager) isValidPacket(d *decoder, packetData []byte) bool {
+	if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
+		log.Tracef("couldn't decode layer, err: %s", err)
+		return false
 	}
-	filter, ok = validateRule(ip, packetData, rules["::"], d)
-	if ok {
+
+	if len(d.decoded) < 2 {
+		log.Tracef("not enough levels in network packet")
+		return false
+	}
+	return true
+}
+
+func (m *Manager) isWireguardTraffic(srcIP, dstIP net.IP) bool {
+	return m.wgNetwork.Contains(srcIP) && m.wgNetwork.Contains(dstIP)
+}
+
+func (m *Manager) isValidTrackedConnection(d *decoder, srcIP, dstIP net.IP) bool {
+	switch d.decoded[1] {
+	case layers.LayerTypeTCP:
+		return m.tcpTracker.IsValidInbound(
+			srcIP,
+			dstIP,
+			uint16(d.tcp.SrcPort),
+			uint16(d.tcp.DstPort),
+			getTCPFlags(&d.tcp),
+		)
+
+	case layers.LayerTypeUDP:
+		return m.udpTracker.IsValidInbound(
+			srcIP,
+			dstIP,
+			uint16(d.udp.SrcPort),
+			uint16(d.udp.DstPort),
+		)
+
+	case layers.LayerTypeICMPv4:
+		return m.icmpTracker.IsValidInbound(
+			srcIP,
+			dstIP,
+			d.icmp4.Id,
+			d.icmp4.Seq,
+			d.icmp4.TypeCode.Type(),
+		)
+
+		// TODO: ICMPv6
+	}
+
+	return false
+}
+
+func (m *Manager) applyRules(srcIP net.IP, packetData []byte, rules map[string]RuleSet, d *decoder) bool {
+	if filter, ok := validateRule(srcIP, packetData, rules[srcIP.String()], d); ok {
 		return filter
 	}

-	// default policy is DROP ALL
+	if filter, ok := validateRule(srcIP, packetData, rules["0.0.0.0"], d); ok {
+		return filter
+	}
+
+	if filter, ok := validateRule(srcIP, packetData, rules["::"], d); ok {
+		return filter
+	}
+
+	// Default policy: DROP ALL
 	return true
 }

--- a/client/firewall/uspfilter/uspfilter_bench_test.go
+++ b/client/firewall/uspfilter/uspfilter_bench_test.go
@@ -0,0 +1,998 @@
+package uspfilter
+
+import (
+	"fmt"
+	"math/rand"
+	"net"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/google/gopacket"
+	"github.com/google/gopacket/layers"
+	"github.com/stretchr/testify/require"
+
+	fw "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
+	"github.com/netbirdio/netbird/client/iface/device"
+)
+
+// generateRandomIPs generates n different random IPs in the 100.64.0.0/10 range
+func generateRandomIPs(n int) []net.IP {
+	ips := make([]net.IP, n)
+	seen := make(map[string]bool)
+
+	for i := 0; i < n; {
+		ip := make(net.IP, 4)
+		ip[0] = 100
+		ip[1] = byte(64 + rand.Intn(63)) // 64-126
+		ip[2] = byte(rand.Intn(256))
+		ip[3] = byte(1 + rand.Intn(254)) // avoid .0 and .255
+
+		key := ip.String()
+		if !seen[key] {
+			ips[i] = ip
+			seen[key] = true
+			i++
+		}
+	}
+	return ips
+}
+
+func generatePacket(b *testing.B, srcIP, dstIP net.IP, srcPort, dstPort uint16, protocol layers.IPProtocol) []byte {
+	b.Helper()
+
+	ipv4 := &layers.IPv4{
+		TTL:      64,
+		Version:  4,
+		SrcIP:    srcIP,
+		DstIP:    dstIP,
+		Protocol: protocol,
+	}
+
+	var transportLayer gopacket.SerializableLayer
+	switch protocol {
+	case layers.IPProtocolTCP:
+		tcp := &layers.TCP{
+			SrcPort: layers.TCPPort(srcPort),
+			DstPort: layers.TCPPort(dstPort),
+			SYN:     true,
+		}
+		require.NoError(b, tcp.SetNetworkLayerForChecksum(ipv4))
+		transportLayer = tcp
+	case layers.IPProtocolUDP:
+		udp := &layers.UDP{
+			SrcPort: layers.UDPPort(srcPort),
+			DstPort: layers.UDPPort(dstPort),
+		}
+		require.NoError(b, udp.SetNetworkLayerForChecksum(ipv4))
+		transportLayer = udp
+	}
+
+	buf := gopacket.NewSerializeBuffer()
+	opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
+	err := gopacket.SerializeLayers(buf, opts, ipv4, transportLayer, gopacket.Payload("test"))
+	require.NoError(b, err)
+	return buf.Bytes()
+}
+
+// BenchmarkCoreFiltering focuses on the essential performance comparisons between
+// stateful and stateless filtering approaches
+func BenchmarkCoreFiltering(b *testing.B) {
+	scenarios := []struct {
+		name      string
+		stateful  bool
+		setupFunc func(*Manager)
+		desc      string
+	}{
+		{
+			name:     "stateless_single_allow_all",
+			stateful: false,
+			setupFunc: func(m *Manager) {
+				// Single rule allowing all traffic
+				_, err := m.AddPeerFiltering(net.ParseIP("0.0.0.0"), fw.ProtocolALL, nil, nil,
+					fw.RuleDirectionIN, fw.ActionAccept, "", "allow all")
+				require.NoError(b, err)
+			},
+			desc: "Baseline: Single 'allow all' rule without connection tracking",
+		},
+		{
+			name:     "stateful_no_rules",
+			stateful: true,
+			setupFunc: func(m *Manager) {
+				// No explicit rules - rely purely on connection tracking
+			},
+			desc: "Pure connection tracking without any rules",
+		},
+		{
+			name:     "stateless_explicit_return",
+			stateful: false,
+			setupFunc: func(m *Manager) {
+				// Add explicit rules matching return traffic pattern
+				for i := 0; i < 1000; i++ { // Simulate realistic ruleset size
+					ip := generateRandomIPs(1)[0]
+					_, err := m.AddPeerFiltering(ip, fw.ProtocolTCP,
+						&fw.Port{Values: []int{1024 + i}},
+						&fw.Port{Values: []int{80}},
+						fw.RuleDirectionIN, fw.ActionAccept, "", "explicit return")
+					require.NoError(b, err)
+				}
+			},
+			desc: "Explicit rules matching return traffic patterns without state",
+		},
+		{
+			name:     "stateful_with_established",
+			stateful: true,
+			setupFunc: func(m *Manager) {
+				// Add some basic rules but rely on state for established connections
+				_, err := m.AddPeerFiltering(net.ParseIP("0.0.0.0"), fw.ProtocolTCP, nil, nil,
+					fw.RuleDirectionIN, fw.ActionDrop, "", "default drop")
+				require.NoError(b, err)
+			},
+			desc: "Connection tracking with established connections",
+		},
+	}
+
+	// Test both TCP and UDP
+	protocols := []struct {
+		name  string
+		proto layers.IPProtocol
+	}{
+		{"TCP", layers.IPProtocolTCP},
+		{"UDP", layers.IPProtocolUDP},
+	}
+
+	for _, sc := range scenarios {
+		for _, proto := range protocols {
+			b.Run(fmt.Sprintf("%s_%s", sc.name, proto.name), func(b *testing.B) {
+				// Configure stateful/stateless mode
+				if !sc.stateful {
+					require.NoError(b, os.Setenv("NB_DISABLE_CONNTRACK", "1"))
+				} else {
+					require.NoError(b, os.Setenv("NB_CONNTRACK_TIMEOUT", "1m"))
+				}
+
+				// Create manager and basic setup
+				manager, _ := Create(&IFaceMock{
+					SetFilterFunc: func(device.PacketFilter) error { return nil },
+				})
+				defer b.Cleanup(func() {
+					require.NoError(b, manager.Reset(nil))
+				})
+
+				manager.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("100.64.0.0"),
+					Mask: net.CIDRMask(10, 32),
+				}
+
+				// Apply scenario-specific setup
+				sc.setupFunc(manager)
+
+				// Generate test packets
+				srcIP := generateRandomIPs(1)[0]
+				dstIP := generateRandomIPs(1)[0]
+				srcPort := uint16(1024 + b.N%60000)
+				dstPort := uint16(80)
+
+				outbound := generatePacket(b, srcIP, dstIP, srcPort, dstPort, proto.proto)
+				inbound := generatePacket(b, dstIP, srcIP, dstPort, srcPort, proto.proto)
+
+				// For stateful scenarios, establish the connection
+				if sc.stateful {
+					manager.processOutgoingHooks(outbound)
+				}
+
+				// Measure inbound packet processing
+				b.ResetTimer()
+				for i := 0; i < b.N; i++ {
+					manager.dropFilter(inbound, manager.incomingRules)
+				}
+			})
+		}
+	}
+}
+
+// BenchmarkStateScaling measures how performance scales with connection table size
+func BenchmarkStateScaling(b *testing.B) {
+	connCounts := []int{100, 1000, 10000, 100000}
+
+	for _, count := range connCounts {
+		b.Run(fmt.Sprintf("conns_%d", count), func(b *testing.B) {
+			manager, _ := Create(&IFaceMock{
+				SetFilterFunc: func(device.PacketFilter) error { return nil },
+			})
+			b.Cleanup(func() {
+				require.NoError(b, manager.Reset(nil))
+			})
+
+			manager.wgNetwork = &net.IPNet{
+				IP:   net.ParseIP("100.64.0.0"),
+				Mask: net.CIDRMask(10, 32),
+			}
+
+			// Pre-populate connection table
+			srcIPs := generateRandomIPs(count)
+			dstIPs := generateRandomIPs(count)
+			for i := 0; i < count; i++ {
+				outbound := generatePacket(b, srcIPs[i], dstIPs[i],
+					uint16(1024+i), 80, layers.IPProtocolTCP)
+				manager.processOutgoingHooks(outbound)
+			}
+
+			// Test packet
+			testOut := generatePacket(b, srcIPs[0], dstIPs[0], 1024, 80, layers.IPProtocolTCP)
+			testIn := generatePacket(b, dstIPs[0], srcIPs[0], 80, 1024, layers.IPProtocolTCP)
+
+			// First establish our test connection
+			manager.processOutgoingHooks(testOut)
+
+			b.ResetTimer()
+			for i := 0; i < b.N; i++ {
+				manager.dropFilter(testIn, manager.incomingRules)
+			}
+		})
+	}
+}
+
+// BenchmarkEstablishmentOverhead measures the overhead of connection establishment
+func BenchmarkEstablishmentOverhead(b *testing.B) {
+	scenarios := []struct {
+		name        string
+		established bool
+	}{
+		{"established", true},
+		{"new", false},
+	}
+
+	for _, sc := range scenarios {
+		b.Run(sc.name, func(b *testing.B) {
+			manager, _ := Create(&IFaceMock{
+				SetFilterFunc: func(device.PacketFilter) error { return nil },
+			})
+			b.Cleanup(func() {
+				require.NoError(b, manager.Reset(nil))
+			})
+
+			manager.wgNetwork = &net.IPNet{
+				IP:   net.ParseIP("100.64.0.0"),
+				Mask: net.CIDRMask(10, 32),
+			}
+
+			srcIP := generateRandomIPs(1)[0]
+			dstIP := generateRandomIPs(1)[0]
+			outbound := generatePacket(b, srcIP, dstIP, 1024, 80, layers.IPProtocolTCP)
+			inbound := generatePacket(b, dstIP, srcIP, 80, 1024, layers.IPProtocolTCP)
+
+			if sc.established {
+				manager.processOutgoingHooks(outbound)
+			}
+
+			b.ResetTimer()
+			for i := 0; i < b.N; i++ {
+				manager.dropFilter(inbound, manager.incomingRules)
+			}
+		})
+	}
+}
+
+// BenchmarkRoutedNetworkReturn compares approaches for handling routed network return traffic
+func BenchmarkRoutedNetworkReturn(b *testing.B) {
+	scenarios := []struct {
+		name       string
+		proto      layers.IPProtocol
+		state      string // "new", "established", "post_handshake" (TCP only)
+		setupFunc  func(*Manager)
+		genPackets func(net.IP, net.IP) ([]byte, []byte) // generates appropriate packets for the scenario
+		desc       string
+	}{
+		{
+			name:  "allow_non_wg_tcp_new",
+			proto: layers.IPProtocolTCP,
+			state: "new",
+			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("100.64.0.0"),
+					Mask: net.CIDRMask(10, 32),
+				}
+				b.Setenv("NB_DISABLE_CONNTRACK", "1")
+			},
+			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
+				return generatePacket(b, srcIP, dstIP, 1024, 80, layers.IPProtocolTCP),
+					generatePacket(b, dstIP, srcIP, 80, 1024, layers.IPProtocolTCP)
+			},
+			desc: "Allow non-WG: TCP new connection",
+		},
+		{
+			name:  "allow_non_wg_tcp_established",
+			proto: layers.IPProtocolTCP,
+			state: "established",
+			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("100.64.0.0"),
+					Mask: net.CIDRMask(10, 32),
+				}
+				b.Setenv("NB_DISABLE_CONNTRACK", "1")
+			},
+			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
+				// Generate packets with ACK flag for established connection
+				return generateTCPPacketWithFlags(b, srcIP, dstIP, 1024, 80, uint16(conntrack.TCPAck)),
+					generateTCPPacketWithFlags(b, dstIP, srcIP, 80, 1024, uint16(conntrack.TCPAck))
+			},
+			desc: "Allow non-WG: TCP established connection",
+		},
+		{
+			name:  "allow_non_wg_udp_new",
+			proto: layers.IPProtocolUDP,
+			state: "new",
+			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("100.64.0.0"),
+					Mask: net.CIDRMask(10, 32),
+				}
+				b.Setenv("NB_DISABLE_CONNTRACK", "1")
+			},
+			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
+				return generatePacket(b, srcIP, dstIP, 1024, 80, layers.IPProtocolUDP),
+					generatePacket(b, dstIP, srcIP, 80, 1024, layers.IPProtocolUDP)
+			},
+			desc: "Allow non-WG: UDP new connection",
+		},
+		{
+			name:  "allow_non_wg_udp_established",
+			proto: layers.IPProtocolUDP,
+			state: "established",
+			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("100.64.0.0"),
+					Mask: net.CIDRMask(10, 32),
+				}
+				b.Setenv("NB_DISABLE_CONNTRACK", "1")
+			},
+			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
+				return generatePacket(b, srcIP, dstIP, 1024, 80, layers.IPProtocolUDP),
+					generatePacket(b, dstIP, srcIP, 80, 1024, layers.IPProtocolUDP)
+			},
+			desc: "Allow non-WG: UDP established connection",
+		},
+		{
+			name:  "stateful_tcp_new",
+			proto: layers.IPProtocolTCP,
+			state: "new",
+			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("0.0.0.0"),
+					Mask: net.CIDRMask(0, 32),
+				}
+				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
+			},
+			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
+				return generatePacket(b, srcIP, dstIP, 1024, 80, layers.IPProtocolTCP),
+					generatePacket(b, dstIP, srcIP, 80, 1024, layers.IPProtocolTCP)
+			},
+			desc: "Stateful: TCP new connection",
+		},
+		{
+			name:  "stateful_tcp_established",
+			proto: layers.IPProtocolTCP,
+			state: "established",
+			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("0.0.0.0"),
+					Mask: net.CIDRMask(0, 32),
+				}
+				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
+			},
+			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
+				// Generate established TCP packets (ACK flag)
+				return generateTCPPacketWithFlags(b, srcIP, dstIP, 1024, 80, uint16(conntrack.TCPAck)),
+					generateTCPPacketWithFlags(b, dstIP, srcIP, 80, 1024, uint16(conntrack.TCPAck))
+			},
+			desc: "Stateful: TCP established connection",
+		},
+		{
+			name:  "stateful_tcp_post_handshake",
+			proto: layers.IPProtocolTCP,
+			state: "post_handshake",
+			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("0.0.0.0"),
+					Mask: net.CIDRMask(0, 32),
+				}
+				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
+			},
+			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
+				// Generate packets with PSH+ACK flags for data transfer
+				return generateTCPPacketWithFlags(b, srcIP, dstIP, 1024, 80, uint16(conntrack.TCPPush|conntrack.TCPAck)),
+					generateTCPPacketWithFlags(b, dstIP, srcIP, 80, 1024, uint16(conntrack.TCPPush|conntrack.TCPAck))
+			},
+			desc: "Stateful: TCP post-handshake data transfer",
+		},
+		{
+			name:  "stateful_udp_new",
+			proto: layers.IPProtocolUDP,
+			state: "new",
+			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("0.0.0.0"),
+					Mask: net.CIDRMask(0, 32),
+				}
+				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
+			},
+			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
+				return generatePacket(b, srcIP, dstIP, 1024, 80, layers.IPProtocolUDP),
+					generatePacket(b, dstIP, srcIP, 80, 1024, layers.IPProtocolUDP)
+			},
+			desc: "Stateful: UDP new connection",
+		},
+		{
+			name:  "stateful_udp_established",
+			proto: layers.IPProtocolUDP,
+			state: "established",
+			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("0.0.0.0"),
+					Mask: net.CIDRMask(0, 32),
+				}
+				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
+			},
+			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
+				return generatePacket(b, srcIP, dstIP, 1024, 80, layers.IPProtocolUDP),
+					generatePacket(b, dstIP, srcIP, 80, 1024, layers.IPProtocolUDP)
+			},
+			desc: "Stateful: UDP established connection",
+		},
+	}
+
+	for _, sc := range scenarios {
+		b.Run(sc.name, func(b *testing.B) {
+			manager, _ := Create(&IFaceMock{
+				SetFilterFunc: func(device.PacketFilter) error { return nil },
+			})
+			b.Cleanup(func() {
+				require.NoError(b, manager.Reset(nil))
+			})
+
+			// Setup scenario
+			sc.setupFunc(manager)
+
+			// Use IPs outside WG range for routed network simulation
+			srcIP := net.ParseIP("192.168.1.2")
+			dstIP := net.ParseIP("8.8.8.8")
+			outbound, inbound := sc.genPackets(srcIP, dstIP)
+
+			// For stateful cases and established connections
+			if !strings.Contains(sc.name, "allow_non_wg") ||
+				(strings.Contains(sc.state, "established") || sc.state == "post_handshake") {
+				manager.processOutgoingHooks(outbound)
+
+				// For TCP post-handshake, simulate full handshake
+				if sc.state == "post_handshake" {
+					// SYN
+					syn := generateTCPPacketWithFlags(b, srcIP, dstIP, 1024, 80, uint16(conntrack.TCPSyn))
+					manager.processOutgoingHooks(syn)
+					// SYN-ACK
+					synack := generateTCPPacketWithFlags(b, dstIP, srcIP, 80, 1024, uint16(conntrack.TCPSyn|conntrack.TCPAck))
+					manager.dropFilter(synack, manager.incomingRules)
+					// ACK
+					ack := generateTCPPacketWithFlags(b, srcIP, dstIP, 1024, 80, uint16(conntrack.TCPAck))
+					manager.processOutgoingHooks(ack)
+				}
+			}
+
+			b.ResetTimer()
+			for i := 0; i < b.N; i++ {
+				manager.dropFilter(inbound, manager.incomingRules)
+			}
+		})
+	}
+}
+
+var scenarios = []struct {
+	name      string
+	stateful  bool // Whether conntrack is enabled
+	rules     bool // Whether to add return traffic rules
+	routed    bool // Whether to test routed network traffic
+	connCount int  // Number of concurrent connections
+	desc      string
+}{
+	{
+		name:      "stateless_with_rules_100conns",
+		stateful:  false,
+		rules:     true,
+		routed:    false,
+		connCount: 100,
+		desc:      "Pure stateless with return traffic rules, 100 conns",
+	},
+	{
+		name:      "stateless_with_rules_1000conns",
+		stateful:  false,
+		rules:     true,
+		routed:    false,
+		connCount: 1000,
+		desc:      "Pure stateless with return traffic rules, 1000 conns",
+	},
+	{
+		name:      "stateful_no_rules_100conns",
+		stateful:  true,
+		rules:     false,
+		routed:    false,
+		connCount: 100,
+		desc:      "Pure stateful tracking without rules, 100 conns",
+	},
+	{
+		name:      "stateful_no_rules_1000conns",
+		stateful:  true,
+		rules:     false,
+		routed:    false,
+		connCount: 1000,
+		desc:      "Pure stateful tracking without rules, 1000 conns",
+	},
+	{
+		name:      "stateful_with_rules_100conns",
+		stateful:  true,
+		rules:     true,
+		routed:    false,
+		connCount: 100,
+		desc:      "Combined stateful + rules (current implementation), 100 conns",
+	},
+	{
+		name:      "stateful_with_rules_1000conns",
+		stateful:  true,
+		rules:     true,
+		routed:    false,
+		connCount: 1000,
+		desc:      "Combined stateful + rules (current implementation), 1000 conns",
+	},
+	{
+		name:      "routed_network_100conns",
+		stateful:  true,
+		rules:     false,
+		routed:    true,
+		connCount: 100,
+		desc:      "Routed network traffic (non-WG), 100 conns",
+	},
+	{
+		name:      "routed_network_1000conns",
+		stateful:  true,
+		rules:     false,
+		routed:    true,
+		connCount: 1000,
+		desc:      "Routed network traffic (non-WG), 1000 conns",
+	},
+}
+
+// BenchmarkLongLivedConnections tests performance with realistic TCP traffic patterns
+func BenchmarkLongLivedConnections(b *testing.B) {
+	for _, sc := range scenarios {
+		b.Run(sc.name, func(b *testing.B) {
+			// Configure stateful/stateless mode
+			if !sc.stateful {
+				b.Setenv("NB_DISABLE_CONNTRACK", "1")
+			} else {
+				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
+			}
+
+			manager, _ := Create(&IFaceMock{
+				SetFilterFunc: func(device.PacketFilter) error { return nil },
+			})
+			defer b.Cleanup(func() {
+				require.NoError(b, manager.Reset(nil))
+			})
+
+			manager.SetNetwork(&net.IPNet{
+				IP:   net.ParseIP("100.64.0.0"),
+				Mask: net.CIDRMask(10, 32),
+			})
+
+			// Setup initial state based on scenario
+			if sc.rules {
+				// Single rule to allow all return traffic from port 80
+				_, err := manager.AddPeerFiltering(net.ParseIP("0.0.0.0"), fw.ProtocolTCP,
+					&fw.Port{Values: []int{80}},
+					nil,
+					fw.RuleDirectionIN, fw.ActionAccept, "", "return traffic")
+				require.NoError(b, err)
+			}
+
+			// Generate IPs for connections
+			srcIPs := make([]net.IP, sc.connCount)
+			dstIPs := make([]net.IP, sc.connCount)
+
+			for i := 0; i < sc.connCount; i++ {
+				if sc.routed {
+					srcIPs[i] = net.IPv4(192, 168, 1, byte(2+(i%250))).To4()
+					dstIPs[i] = net.IPv4(8, 8, byte((i/250)%255), byte(2+(i%250))).To4()
+				} else {
+					srcIPs[i] = generateRandomIPs(1)[0]
+					dstIPs[i] = generateRandomIPs(1)[0]
+				}
+			}
+
+			// Create established connections
+			for i := 0; i < sc.connCount; i++ {
+				// Initial SYN
+				syn := generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
+					uint16(1024+i), 80, uint16(conntrack.TCPSyn))
+				manager.processOutgoingHooks(syn)
+
+				// SYN-ACK
+				synack := generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
+					80, uint16(1024+i), uint16(conntrack.TCPSyn|conntrack.TCPAck))
+				manager.dropFilter(synack, manager.incomingRules)
+
+				// ACK
+				ack := generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
+					uint16(1024+i), 80, uint16(conntrack.TCPAck))
+				manager.processOutgoingHooks(ack)
+			}
+
+			// Prepare test packets simulating bidirectional traffic
+			inPackets := make([][]byte, sc.connCount)
+			outPackets := make([][]byte, sc.connCount)
+			for i := 0; i < sc.connCount; i++ {
+				// Server -> Client (inbound)
+				inPackets[i] = generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
+					80, uint16(1024+i), uint16(conntrack.TCPPush|conntrack.TCPAck))
+				// Client -> Server (outbound)
+				outPackets[i] = generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
+					uint16(1024+i), 80, uint16(conntrack.TCPPush|conntrack.TCPAck))
+			}
+
+			b.ResetTimer()
+			for i := 0; i < b.N; i++ {
+				connIdx := i % sc.connCount
+
+				// Simulate bidirectional traffic
+				// First outbound data
+				manager.processOutgoingHooks(outPackets[connIdx])
+				// Then inbound response - this is what we're actually measuring
+				manager.dropFilter(inPackets[connIdx], manager.incomingRules)
+			}
+		})
+	}
+}
+
+// BenchmarkShortLivedConnections tests performance with many short-lived connections
+func BenchmarkShortLivedConnections(b *testing.B) {
+	for _, sc := range scenarios {
+		b.Run(sc.name, func(b *testing.B) {
+			// Configure stateful/stateless mode
+			if !sc.stateful {
+				b.Setenv("NB_DISABLE_CONNTRACK", "1")
+			} else {
+				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
+			}
+
+			manager, _ := Create(&IFaceMock{
+				SetFilterFunc: func(device.PacketFilter) error { return nil },
+			})
+			defer b.Cleanup(func() {
+				require.NoError(b, manager.Reset(nil))
+			})
+
+			manager.SetNetwork(&net.IPNet{
+				IP:   net.ParseIP("100.64.0.0"),
+				Mask: net.CIDRMask(10, 32),
+			})
+
+			// Setup initial state based on scenario
+			if sc.rules {
+				// Single rule to allow all return traffic from port 80
+				_, err := manager.AddPeerFiltering(net.ParseIP("0.0.0.0"), fw.ProtocolTCP,
+					&fw.Port{Values: []int{80}},
+					nil,
+					fw.RuleDirectionIN, fw.ActionAccept, "", "return traffic")
+				require.NoError(b, err)
+			}
+
+			// Generate IPs for connections
+			srcIPs := make([]net.IP, sc.connCount)
+			dstIPs := make([]net.IP, sc.connCount)
+
+			for i := 0; i < sc.connCount; i++ {
+				if sc.routed {
+					srcIPs[i] = net.IPv4(192, 168, 1, byte(2+(i%250))).To4()
+					dstIPs[i] = net.IPv4(8, 8, byte((i/250)%255), byte(2+(i%250))).To4()
+				} else {
+					srcIPs[i] = generateRandomIPs(1)[0]
+					dstIPs[i] = generateRandomIPs(1)[0]
+				}
+			}
+
+			// Create packet patterns for a complete HTTP-like short connection:
+			// 1. Initial handshake (SYN, SYN-ACK, ACK)
+			// 2. HTTP Request (PSH+ACK from client)
+			// 3. HTTP Response (PSH+ACK from server)
+			// 4. Connection teardown (FIN+ACK, ACK, FIN+ACK, ACK)
+			type connPackets struct {
+				syn       []byte
+				synAck    []byte
+				ack       []byte
+				request   []byte
+				response  []byte
+				finClient []byte
+				ackServer []byte
+				finServer []byte
+				ackClient []byte
+			}
+
+			// Generate all possible connection patterns
+			patterns := make([]connPackets, sc.connCount)
+			for i := 0; i < sc.connCount; i++ {
+				patterns[i] = connPackets{
+					// Handshake
+					syn: generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
+						uint16(1024+i), 80, uint16(conntrack.TCPSyn)),
+					synAck: generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
+						80, uint16(1024+i), uint16(conntrack.TCPSyn|conntrack.TCPAck)),
+					ack: generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
+						uint16(1024+i), 80, uint16(conntrack.TCPAck)),
+
+					// Data transfer
+					request: generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
+						uint16(1024+i), 80, uint16(conntrack.TCPPush|conntrack.TCPAck)),
+					response: generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
+						80, uint16(1024+i), uint16(conntrack.TCPPush|conntrack.TCPAck)),
+
+					// Connection teardown
+					finClient: generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
+						uint16(1024+i), 80, uint16(conntrack.TCPFin|conntrack.TCPAck)),
+					ackServer: generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
+						80, uint16(1024+i), uint16(conntrack.TCPAck)),
+					finServer: generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
+						80, uint16(1024+i), uint16(conntrack.TCPFin|conntrack.TCPAck)),
+					ackClient: generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
+						uint16(1024+i), 80, uint16(conntrack.TCPAck)),
+				}
+			}
+
+			b.ResetTimer()
+			for i := 0; i < b.N; i++ {
+				// Each iteration creates a new short-lived connection
+				connIdx := i % sc.connCount
+				p := patterns[connIdx]
+
+				// Connection establishment
+				manager.processOutgoingHooks(p.syn)
+				manager.dropFilter(p.synAck, manager.incomingRules)
+				manager.processOutgoingHooks(p.ack)
+
+				// Data transfer
+				manager.processOutgoingHooks(p.request)
+				manager.dropFilter(p.response, manager.incomingRules)
+
+				// Connection teardown
+				manager.processOutgoingHooks(p.finClient)
+				manager.dropFilter(p.ackServer, manager.incomingRules)
+				manager.dropFilter(p.finServer, manager.incomingRules)
+				manager.processOutgoingHooks(p.ackClient)
+			}
+		})
+	}
+}
+
+// BenchmarkParallelLongLivedConnections tests performance with realistic TCP traffic patterns in parallel
+func BenchmarkParallelLongLivedConnections(b *testing.B) {
+	for _, sc := range scenarios {
+		b.Run(sc.name, func(b *testing.B) {
+			// Configure stateful/stateless mode
+			if !sc.stateful {
+				b.Setenv("NB_DISABLE_CONNTRACK", "1")
+			} else {
+				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
+			}
+
+			manager, _ := Create(&IFaceMock{
+				SetFilterFunc: func(device.PacketFilter) error { return nil },
+			})
+			defer b.Cleanup(func() {
+				require.NoError(b, manager.Reset(nil))
+			})
+
+			manager.SetNetwork(&net.IPNet{
+				IP:   net.ParseIP("100.64.0.0"),
+				Mask: net.CIDRMask(10, 32),
+			})
+
+			// Setup initial state based on scenario
+			if sc.rules {
+				_, err := manager.AddPeerFiltering(net.ParseIP("0.0.0.0"), fw.ProtocolTCP,
+					&fw.Port{Values: []int{80}},
+					nil,
+					fw.RuleDirectionIN, fw.ActionAccept, "", "return traffic")
+				require.NoError(b, err)
+			}
+
+			// Generate IPs for connections
+			srcIPs := make([]net.IP, sc.connCount)
+			dstIPs := make([]net.IP, sc.connCount)
+
+			for i := 0; i < sc.connCount; i++ {
+				if sc.routed {
+					srcIPs[i] = net.IPv4(192, 168, 1, byte(2+(i%250))).To4()
+					dstIPs[i] = net.IPv4(8, 8, byte((i/250)%255), byte(2+(i%250))).To4()
+				} else {
+					srcIPs[i] = generateRandomIPs(1)[0]
+					dstIPs[i] = generateRandomIPs(1)[0]
+				}
+			}
+
+			// Create established connections
+			for i := 0; i < sc.connCount; i++ {
+				syn := generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
+					uint16(1024+i), 80, uint16(conntrack.TCPSyn))
+				manager.processOutgoingHooks(syn)
+
+				synack := generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
+					80, uint16(1024+i), uint16(conntrack.TCPSyn|conntrack.TCPAck))
+				manager.dropFilter(synack, manager.incomingRules)
+
+				ack := generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
+					uint16(1024+i), 80, uint16(conntrack.TCPAck))
+				manager.processOutgoingHooks(ack)
+			}
+
+			// Pre-generate test packets
+			inPackets := make([][]byte, sc.connCount)
+			outPackets := make([][]byte, sc.connCount)
+			for i := 0; i < sc.connCount; i++ {
+				inPackets[i] = generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
+					80, uint16(1024+i), uint16(conntrack.TCPPush|conntrack.TCPAck))
+				outPackets[i] = generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
+					uint16(1024+i), 80, uint16(conntrack.TCPPush|conntrack.TCPAck))
+			}
+
+			b.ResetTimer()
+			b.RunParallel(func(pb *testing.PB) {
+				// Each goroutine gets its own counter to distribute load
+				counter := 0
+				for pb.Next() {
+					connIdx := counter % sc.connCount
+					counter++
+
+					// Simulate bidirectional traffic
+					manager.processOutgoingHooks(outPackets[connIdx])
+					manager.dropFilter(inPackets[connIdx], manager.incomingRules)
+				}
+			})
+		})
+	}
+}
+
+// BenchmarkParallelShortLivedConnections tests performance with many short-lived connections in parallel
+func BenchmarkParallelShortLivedConnections(b *testing.B) {
+	for _, sc := range scenarios {
+		b.Run(sc.name, func(b *testing.B) {
+			// Configure stateful/stateless mode
+			if !sc.stateful {
+				b.Setenv("NB_DISABLE_CONNTRACK", "1")
+			} else {
+				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
+			}
+
+			manager, _ := Create(&IFaceMock{
+				SetFilterFunc: func(device.PacketFilter) error { return nil },
+			})
+			defer b.Cleanup(func() {
+				require.NoError(b, manager.Reset(nil))
+			})
+
+			manager.SetNetwork(&net.IPNet{
+				IP:   net.ParseIP("100.64.0.0"),
+				Mask: net.CIDRMask(10, 32),
+			})
+
+			if sc.rules {
+				_, err := manager.AddPeerFiltering(net.ParseIP("0.0.0.0"), fw.ProtocolTCP,
+					&fw.Port{Values: []int{80}},
+					nil,
+					fw.RuleDirectionIN, fw.ActionAccept, "", "return traffic")
+				require.NoError(b, err)
+			}
+
+			// Generate IPs and pre-generate all packet patterns
+			srcIPs := make([]net.IP, sc.connCount)
+			dstIPs := make([]net.IP, sc.connCount)
+			for i := 0; i < sc.connCount; i++ {
+				if sc.routed {
+					srcIPs[i] = net.IPv4(192, 168, 1, byte(2+(i%250))).To4()
+					dstIPs[i] = net.IPv4(8, 8, byte((i/250)%255), byte(2+(i%250))).To4()
+				} else {
+					srcIPs[i] = generateRandomIPs(1)[0]
+					dstIPs[i] = generateRandomIPs(1)[0]
+				}
+			}
+
+			type connPackets struct {
+				syn       []byte
+				synAck    []byte
+				ack       []byte
+				request   []byte
+				response  []byte
+				finClient []byte
+				ackServer []byte
+				finServer []byte
+				ackClient []byte
+			}
+
+			patterns := make([]connPackets, sc.connCount)
+			for i := 0; i < sc.connCount; i++ {
+				patterns[i] = connPackets{
+					syn: generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
+						uint16(1024+i), 80, uint16(conntrack.TCPSyn)),
+					synAck: generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
+						80, uint16(1024+i), uint16(conntrack.TCPSyn|conntrack.TCPAck)),
+					ack: generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
+						uint16(1024+i), 80, uint16(conntrack.TCPAck)),
+					request: generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
+						uint16(1024+i), 80, uint16(conntrack.TCPPush|conntrack.TCPAck)),
+					response: generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
+						80, uint16(1024+i), uint16(conntrack.TCPPush|conntrack.TCPAck)),
+					finClient: generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
+						uint16(1024+i), 80, uint16(conntrack.TCPFin|conntrack.TCPAck)),
+					ackServer: generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
+						80, uint16(1024+i), uint16(conntrack.TCPAck)),
+					finServer: generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
+						80, uint16(1024+i), uint16(conntrack.TCPFin|conntrack.TCPAck)),
+					ackClient: generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
+						uint16(1024+i), 80, uint16(conntrack.TCPAck)),
+				}
+			}
+
+			b.ResetTimer()
+			b.RunParallel(func(pb *testing.PB) {
+				counter := 0
+				for pb.Next() {
+					connIdx := counter % sc.connCount
+					counter++
+					p := patterns[connIdx]
+
+					// Full connection lifecycle
+					manager.processOutgoingHooks(p.syn)
+					manager.dropFilter(p.synAck, manager.incomingRules)
+					manager.processOutgoingHooks(p.ack)
+
+					manager.processOutgoingHooks(p.request)
+					manager.dropFilter(p.response, manager.incomingRules)
+
+					manager.processOutgoingHooks(p.finClient)
+					manager.dropFilter(p.ackServer, manager.incomingRules)
+					manager.dropFilter(p.finServer, manager.incomingRules)
+					manager.processOutgoingHooks(p.ackClient)
+				}
+			})
+		})
+	}
+}
+
+// generateTCPPacketWithFlags creates a TCP packet with specific flags
+func generateTCPPacketWithFlags(b *testing.B, srcIP, dstIP net.IP, srcPort, dstPort, flags uint16) []byte {
+	b.Helper()
+
+	ipv4 := &layers.IPv4{
+		TTL:      64,
+		Version:  4,
+		SrcIP:    srcIP,
+		DstIP:    dstIP,
+		Protocol: layers.IPProtocolTCP,
+	}
+
+	tcp := &layers.TCP{
+		SrcPort: layers.TCPPort(srcPort),
+		DstPort: layers.TCPPort(dstPort),
+	}
+
+	// Set TCP flags
+	tcp.SYN = (flags & uint16(conntrack.TCPSyn)) != 0
+	tcp.ACK = (flags & uint16(conntrack.TCPAck)) != 0
+	tcp.PSH = (flags & uint16(conntrack.TCPPush)) != 0
+	tcp.RST = (flags & uint16(conntrack.TCPRst)) != 0
+	tcp.FIN = (flags & uint16(conntrack.TCPFin)) != 0
+
+	require.NoError(b, tcp.SetNetworkLayerForChecksum(ipv4))
+
+	buf := gopacket.NewSerializeBuffer()
+	opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
+	require.NoError(b, gopacket.SerializeLayers(buf, opts, ipv4, tcp, gopacket.Payload("test")))
+	return buf.Bytes()
+}
--- a/client/firewall/uspfilter/uspfilter_test.go
+++ b/client/firewall/uspfilter/uspfilter_test.go
@@ -3,6 +3,7 @@ package uspfilter
 import (
 	"fmt"
 	"net"
+	"sync"
 	"testing"
 	"time"

@@ -11,6 +12,7 @@ import (
 	"github.com/stretchr/testify/require"

 	fw "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 )
@@ -185,10 +187,10 @@ func TestAddUDPPacketHook(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			manager := &Manager{
-				incomingRules: map[string]RuleSet{},
-				outgoingRules: map[string]RuleSet{},
-			}
+			manager, err := Create(&IFaceMock{
+				SetFilterFunc: func(device.PacketFilter) error { return nil },
+			})
+			require.NoError(t, err)

 			manager.AddUDPPacketHook(tt.in, tt.ip, tt.dPort, tt.hook)

@@ -313,7 +315,7 @@ func TestNotMatchByIP(t *testing.T) {
 		t.Errorf("failed to set network layer for checksum: %v", err)
 		return
 	}
-	payload := gopacket.Payload([]byte("test"))
+	payload := gopacket.Payload("test")

 	buf := gopacket.NewSerializeBuffer()
 	opts := gopacket.SerializeOptions{
@@ -325,7 +327,7 @@ func TestNotMatchByIP(t *testing.T) {
 		return
 	}

-	if m.dropFilter(buf.Bytes(), m.outgoingRules, false) {
+	if m.dropFilter(buf.Bytes(), m.outgoingRules) {
 		t.Errorf("expected packet to be accepted")
 		return
 	}
@@ -348,6 +350,9 @@ func TestRemovePacketHook(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Failed to create Manager: %s", err)
 	}
+	defer func() {
+		require.NoError(t, manager.Reset(nil))
+	}()

 	// Add a UDP packet hook
 	hookFunc := func(data []byte) bool { return true }
@@ -384,6 +389,88 @@ func TestRemovePacketHook(t *testing.T) {
 	}
 }

+func TestProcessOutgoingHooks(t *testing.T) {
+	manager, err := Create(&IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+	})
+	require.NoError(t, err)
+
+	manager.wgNetwork = &net.IPNet{
+		IP:   net.ParseIP("100.10.0.0"),
+		Mask: net.CIDRMask(16, 32),
+	}
+	manager.udpTracker.Close()
+	manager.udpTracker = conntrack.NewUDPTracker(100 * time.Millisecond)
+	defer func() {
+		require.NoError(t, manager.Reset(nil))
+	}()
+
+	manager.decoders = sync.Pool{
+		New: func() any {
+			d := &decoder{
+				decoded: []gopacket.LayerType{},
+			}
+			d.parser = gopacket.NewDecodingLayerParser(
+				layers.LayerTypeIPv4,
+				&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
+			)
+			d.parser.IgnoreUnsupported = true
+			return d
+		},
+	}
+
+	hookCalled := false
+	hookID := manager.AddUDPPacketHook(
+		false,
+		net.ParseIP("100.10.0.100"),
+		53,
+		func([]byte) bool {
+			hookCalled = true
+			return true
+		},
+	)
+	require.NotEmpty(t, hookID)
+
+	// Create test UDP packet
+	ipv4 := &layers.IPv4{
+		TTL:      64,
+		Version:  4,
+		SrcIP:    net.ParseIP("100.10.0.1"),
+		DstIP:    net.ParseIP("100.10.0.100"),
+		Protocol: layers.IPProtocolUDP,
+	}
+	udp := &layers.UDP{
+		SrcPort: 51334,
+		DstPort: 53,
+	}
+
+	err = udp.SetNetworkLayerForChecksum(ipv4)
+	require.NoError(t, err)
+	payload := gopacket.Payload("test")
+
+	buf := gopacket.NewSerializeBuffer()
+	opts := gopacket.SerializeOptions{
+		ComputeChecksums: true,
+		FixLengths:       true,
+	}
+	err = gopacket.SerializeLayers(buf, opts, ipv4, udp, payload)
+	require.NoError(t, err)
+
+	// Test hook gets called
+	result := manager.processOutgoingHooks(buf.Bytes())
+	require.True(t, result)
+	require.True(t, hookCalled)
+
+	// Test non-UDP packet is ignored
+	ipv4.Protocol = layers.IPProtocolTCP
+	buf = gopacket.NewSerializeBuffer()
+	err = gopacket.SerializeLayers(buf, opts, ipv4)
+	require.NoError(t, err)
+
+	result = manager.processOutgoingHooks(buf.Bytes())
+	require.False(t, result)
+}
+
 func TestUSPFilterCreatePerformance(t *testing.T) {
 	for _, testMax := range []int{10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000} {
 		t.Run(fmt.Sprintf("Testing %d rules", testMax), func(t *testing.T) {
@@ -418,3 +505,213 @@ func TestUSPFilterCreatePerformance(t *testing.T) {
 		})
 	}
 }
+
+func TestStatefulFirewall_UDPTracking(t *testing.T) {
+	manager, err := Create(&IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+	})
+	require.NoError(t, err)
+
+	manager.wgNetwork = &net.IPNet{
+		IP:   net.ParseIP("100.10.0.0"),
+		Mask: net.CIDRMask(16, 32),
+	}
+
+	manager.udpTracker.Close() // Close the existing tracker
+	manager.udpTracker = conntrack.NewUDPTracker(200 * time.Millisecond)
+	manager.decoders = sync.Pool{
+		New: func() any {
+			d := &decoder{
+				decoded: []gopacket.LayerType{},
+			}
+			d.parser = gopacket.NewDecodingLayerParser(
+				layers.LayerTypeIPv4,
+				&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
+			)
+			d.parser.IgnoreUnsupported = true
+			return d
+		},
+	}
+	defer func() {
+		require.NoError(t, manager.Reset(nil))
+	}()
+
+	// Set up packet parameters
+	srcIP := net.ParseIP("100.10.0.1")
+	dstIP := net.ParseIP("100.10.0.100")
+	srcPort := uint16(51334)
+	dstPort := uint16(53)
+
+	// Create outbound packet
+	outboundIPv4 := &layers.IPv4{
+		TTL:      64,
+		Version:  4,
+		SrcIP:    srcIP,
+		DstIP:    dstIP,
+		Protocol: layers.IPProtocolUDP,
+	}
+	outboundUDP := &layers.UDP{
+		SrcPort: layers.UDPPort(srcPort),
+		DstPort: layers.UDPPort(dstPort),
+	}
+
+	err = outboundUDP.SetNetworkLayerForChecksum(outboundIPv4)
+	require.NoError(t, err)
+
+	outboundBuf := gopacket.NewSerializeBuffer()
+	opts := gopacket.SerializeOptions{
+		ComputeChecksums: true,
+		FixLengths:       true,
+	}
+
+	err = gopacket.SerializeLayers(outboundBuf, opts,
+		outboundIPv4,
+		outboundUDP,
+		gopacket.Payload("test"),
+	)
+	require.NoError(t, err)
+
+	// Process outbound packet and verify connection tracking
+	drop := manager.DropOutgoing(outboundBuf.Bytes())
+	require.False(t, drop, "Initial outbound packet should not be dropped")
+
+	// Verify connection was tracked
+	conn, exists := manager.udpTracker.GetConnection(srcIP, srcPort, dstIP, dstPort)
+
+	require.True(t, exists, "Connection should be tracked after outbound packet")
+	require.True(t, conntrack.ValidateIPs(conntrack.MakeIPAddr(srcIP), conn.SourceIP), "Source IP should match")
+	require.True(t, conntrack.ValidateIPs(conntrack.MakeIPAddr(dstIP), conn.DestIP), "Destination IP should match")
+	require.Equal(t, srcPort, conn.SourcePort, "Source port should match")
+	require.Equal(t, dstPort, conn.DestPort, "Destination port should match")
+
+	// Create valid inbound response packet
+	inboundIPv4 := &layers.IPv4{
+		TTL:      64,
+		Version:  4,
+		SrcIP:    dstIP, // Original destination is now source
+		DstIP:    srcIP, // Original source is now destination
+		Protocol: layers.IPProtocolUDP,
+	}
+	inboundUDP := &layers.UDP{
+		SrcPort: layers.UDPPort(dstPort), // Original destination port is now source
+		DstPort: layers.UDPPort(srcPort), // Original source port is now destination
+	}
+
+	err = inboundUDP.SetNetworkLayerForChecksum(inboundIPv4)
+	require.NoError(t, err)
+
+	inboundBuf := gopacket.NewSerializeBuffer()
+	err = gopacket.SerializeLayers(inboundBuf, opts,
+		inboundIPv4,
+		inboundUDP,
+		gopacket.Payload("response"),
+	)
+	require.NoError(t, err)
+	// Test roundtrip response handling over time
+	checkPoints := []struct {
+		sleep       time.Duration
+		shouldAllow bool
+		description string
+	}{
+		{
+			sleep:       0,
+			shouldAllow: true,
+			description: "Immediate response should be allowed",
+		},
+		{
+			sleep:       50 * time.Millisecond,
+			shouldAllow: true,
+			description: "Response within timeout should be allowed",
+		},
+		{
+			sleep:       100 * time.Millisecond,
+			shouldAllow: true,
+			description: "Response at half timeout should be allowed",
+		},
+		{
+			// tracker hasn't updated conn for 250ms -> greater than 200ms timeout
+			sleep:       250 * time.Millisecond,
+			shouldAllow: false,
+			description: "Response after timeout should be dropped",
+		},
+	}
+
+	for _, cp := range checkPoints {
+		time.Sleep(cp.sleep)
+
+		drop = manager.dropFilter(inboundBuf.Bytes(), manager.incomingRules)
+		require.Equal(t, cp.shouldAllow, !drop, cp.description)
+
+		// If the connection should still be valid, verify it exists
+		if cp.shouldAllow {
+			conn, exists := manager.udpTracker.GetConnection(srcIP, srcPort, dstIP, dstPort)
+			require.True(t, exists, "Connection should still exist during valid window")
+			require.True(t, time.Since(conn.GetLastSeen()) < manager.udpTracker.Timeout(),
+				"LastSeen should be updated for valid responses")
+		}
+	}
+
+	// Test invalid response packets (while connection is expired)
+	invalidCases := []struct {
+		name        string
+		modifyFunc  func(*layers.IPv4, *layers.UDP)
+		description string
+	}{
+		{
+			name: "wrong source IP",
+			modifyFunc: func(ip *layers.IPv4, udp *layers.UDP) {
+				ip.SrcIP = net.ParseIP("100.10.0.101")
+			},
+			description: "Response from wrong IP should be dropped",
+		},
+		{
+			name: "wrong destination IP",
+			modifyFunc: func(ip *layers.IPv4, udp *layers.UDP) {
+				ip.DstIP = net.ParseIP("100.10.0.2")
+			},
+			description: "Response to wrong IP should be dropped",
+		},
+		{
+			name: "wrong source port",
+			modifyFunc: func(ip *layers.IPv4, udp *layers.UDP) {
+				udp.SrcPort = 54
+			},
+			description: "Response from wrong port should be dropped",
+		},
+		{
+			name: "wrong destination port",
+			modifyFunc: func(ip *layers.IPv4, udp *layers.UDP) {
+				udp.DstPort = 51335
+			},
+			description: "Response to wrong port should be dropped",
+		},
+	}
+
+	// Create a new outbound connection for invalid tests
+	drop = manager.processOutgoingHooks(outboundBuf.Bytes())
+	require.False(t, drop, "Second outbound packet should not be dropped")
+
+	for _, tc := range invalidCases {
+		t.Run(tc.name, func(t *testing.T) {
+			testIPv4 := *inboundIPv4
+			testUDP := *inboundUDP
+
+			tc.modifyFunc(&testIPv4, &testUDP)
+
+			err = testUDP.SetNetworkLayerForChecksum(&testIPv4)
+			require.NoError(t, err)
+
+			testBuf := gopacket.NewSerializeBuffer()
+			err = gopacket.SerializeLayers(testBuf, opts,
+				&testIPv4,
+				&testUDP,
+				gopacket.Payload("response"),
+			)
+			require.NoError(t, err)
+
+			// Verify the invalid packet is dropped
+			drop = manager.dropFilter(testBuf.Bytes(), manager.incomingRules)
+			require.True(t, drop, tc.description)
+		})
+	}
+}
--- a/client/iface/bind/udp_mux.go
+++ b/client/iface/bind/udp_mux.go
@@ -162,12 +162,13 @@ func NewUDPMuxDefault(params UDPMuxParams) *UDPMuxDefault {
 		params.Logger.Warn("UDPMuxDefault should not listening on unspecified address, use NewMultiUDPMuxFromPort instead")
 		var networks []ice.NetworkType
 		switch {
-		case addr.IP.To4() != nil:
-			networks = []ice.NetworkType{ice.NetworkTypeUDP4}

 		case addr.IP.To16() != nil:
 			networks = []ice.NetworkType{ice.NetworkTypeUDP4, ice.NetworkTypeUDP6}

+		case addr.IP.To4() != nil:
+			networks = []ice.NetworkType{ice.NetworkTypeUDP4}
+
 		default:
 			params.Logger.Errorf("LocalAddr expected IPV4 or IPV6, got %T", params.UDPConn.LocalAddr())
 		}
--- a/client/iface/device/kernel_module_linux.go
+++ b/client/iface/device/kernel_module_linux.go
@@ -27,14 +27,14 @@ import (
 type status int

 const (
-	defaultModuleDir        = "/lib/modules"
-	unknown          status = iota
-	unloaded
-	unloading
-	loading
-	live
-	inuse
-	envDisableWireGuardKernel = "NB_WG_KERNEL_DISABLED"
+	unknown                   status = 1
+	unloaded                  status = 2
+	unloading                 status = 3
+	loading                   status = 4
+	live                      status = 5
+	inuse                     status = 6
+	defaultModuleDir                 = "/lib/modules"
+	envDisableWireGuardKernel        = "NB_WG_KERNEL_DISABLED"
 )

 type module struct {
--- a/client/internal/config.go
+++ b/client/internal/config.go
@@ -46,6 +46,7 @@ type ConfigInput struct {
 	ManagementURL       string
 	AdminURL            string
 	ConfigPath          string
+	StateFilePath       string
 	PreSharedKey        *string
 	ServerSSHAllowed    *bool
 	NATExternalIPs      []string
@@ -105,10 +106,10 @@ type Config struct {

 	// DNSRouteInterval is the interval in which the DNS routes are updated
 	DNSRouteInterval time.Duration
-	//Path to a certificate used for mTLS authentication
+	// Path to a certificate used for mTLS authentication
 	ClientCertPath string

-	//Path to corresponding private key of ClientCertPath
+	// Path to corresponding private key of ClientCertPath
 	ClientCertKeyPath string

 	ClientCertKeyPair *tls.Certificate `json:"-"`
@@ -116,7 +117,7 @@ type Config struct {

 // ReadConfig read config file and return with Config. If it is not exists create a new with default values
 func ReadConfig(configPath string) (*Config, error) {
-	if configFileIsExists(configPath) {
+	if fileExists(configPath) {
 		err := util.EnforcePermission(configPath)
 		if err != nil {
 			log.Errorf("failed to enforce permission on config dir: %v", err)
@@ -149,7 +150,7 @@ func ReadConfig(configPath string) (*Config, error) {

 // UpdateConfig update existing configuration according to input configuration and return with the configuration
 func UpdateConfig(input ConfigInput) (*Config, error) {
-	if !configFileIsExists(input.ConfigPath) {
+	if !fileExists(input.ConfigPath) {
 		return nil, status.Errorf(codes.NotFound, "config file doesn't exist")
 	}

@@ -158,7 +159,7 @@ func UpdateConfig(input ConfigInput) (*Config, error) {

 // UpdateOrCreateConfig reads existing config or generates a new one
 func UpdateOrCreateConfig(input ConfigInput) (*Config, error) {
-	if !configFileIsExists(input.ConfigPath) {
+	if !fileExists(input.ConfigPath) {
 		log.Infof("generating new config %s", input.ConfigPath)
 		cfg, err := createNewConfig(input)
 		if err != nil {
@@ -472,11 +473,19 @@ func isPreSharedKeyHidden(preSharedKey *string) bool {
 	return false
 }

-func configFileIsExists(path string) bool {
+func fileExists(path string) bool {
 	_, err := os.Stat(path)
 	return !os.IsNotExist(err)
 }

+func createFile(path string) error {
+	file, err := os.Create(path)
+	if err != nil {
+		return err
+	}
+	return file.Close()
+}
+
 // UpdateOldManagementURL checks whether client can switch to the new Management URL with port 443 and the management domain.
 // If it can switch, then it updates the config and returns a new one. Otherwise, it returns the provided config.
 // The check is performed only for the NetBird's managed version.
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -40,6 +40,8 @@ type ConnectClient struct {
 	statusRecorder *peer.Status
 	engine         *Engine
 	engineMutex    sync.Mutex
+
+	persistNetworkMap bool
 }

 func NewConnectClient(
@@ -89,6 +91,7 @@ func (c *ConnectClient) RunOniOS(
 	fileDescriptor int32,
 	networkChangeListener listener.NetworkChangeListener,
 	dnsManager dns.IosDnsManager,
+	stateFilePath string,
 ) error {
 	// Set GC percent to 5% to reduce memory usage as iOS only allows 50MB of memory for the extension.
 	debug.SetGCPercent(5)
@@ -97,6 +100,7 @@ func (c *ConnectClient) RunOniOS(
 		FileDescriptor:        fileDescriptor,
 		NetworkChangeListener: networkChangeListener,
 		DnsManager:            dnsManager,
+		StateFilePath:         stateFilePath,
 	}
 	return c.run(mobileDependency, nil, nil)
 }
@@ -258,7 +262,7 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, probes *ProbeHold

 		c.engineMutex.Lock()
 		c.engine = NewEngineWithProbes(engineCtx, cancel, signalClient, mgmClient, relayManager, engineConfig, mobileDependency, c.statusRecorder, probes, checks)
-
+		c.engine.SetNetworkMapPersistence(c.persistNetworkMap)
 		c.engineMutex.Unlock()

 		if err := c.engine.Start(); err != nil {
@@ -336,6 +340,19 @@ func (c *ConnectClient) Engine() *Engine {
 	return e
 }

+// Status returns the current client status
+func (c *ConnectClient) Status() StatusType {
+	if c == nil {
+		return StatusIdle
+	}
+	status, err := CtxGetState(c.ctx).Status()
+	if err != nil {
+		return StatusIdle
+	}
+
+	return status
+}
+
 func (c *ConnectClient) Stop() error {
 	if c == nil {
 		return nil
@@ -362,6 +379,22 @@ func (c *ConnectClient) isContextCancelled() bool {
 	}
 }

+// SetNetworkMapPersistence enables or disables network map persistence.
+// When enabled, the last received network map will be stored and can be retrieved
+// through the Engine's getLatestNetworkMap method. When disabled, any stored
+// network map will be cleared. This functionality is primarily used for debugging
+// and should not be enabled during normal operation.
+func (c *ConnectClient) SetNetworkMapPersistence(enabled bool) {
+	c.engineMutex.Lock()
+	c.persistNetworkMap = enabled
+	c.engineMutex.Unlock()
+
+	engine := c.Engine()
+	if engine != nil {
+		engine.SetNetworkMapPersistence(enabled)
+	}
+}
+
 // createEngineConfig converts configuration received from Management Service to EngineConfig
 func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.PeerConfig) (*EngineConfig, error) {
 	nm := false
--- a/client/internal/dns/handler_chain.go
+++ b/client/internal/dns/handler_chain.go
@@ -0,0 +1,226 @@
+package dns
+
+import (
+	"slices"
+	"strings"
+	"sync"
+
+	"github.com/miekg/dns"
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	PriorityDNSRoute    = 100
+	PriorityMatchDomain = 50
+	PriorityDefault     = 0
+)
+
+type SubdomainMatcher interface {
+	dns.Handler
+	MatchSubdomains() bool
+}
+
+type HandlerEntry struct {
+	Handler         dns.Handler
+	Priority        int
+	Pattern         string
+	OrigPattern     string
+	IsWildcard      bool
+	StopHandler     handlerWithStop
+	MatchSubdomains bool
+}
+
+// HandlerChain represents a prioritized chain of DNS handlers
+type HandlerChain struct {
+	mu       sync.RWMutex
+	handlers []HandlerEntry
+}
+
+// ResponseWriterChain wraps a dns.ResponseWriter to track if handler wants to continue chain
+type ResponseWriterChain struct {
+	dns.ResponseWriter
+	origPattern    string
+	shouldContinue bool
+}
+
+func (w *ResponseWriterChain) WriteMsg(m *dns.Msg) error {
+	// Check if this is a continue signal (NXDOMAIN with Zero bit set)
+	if m.Rcode == dns.RcodeNameError && m.MsgHdr.Zero {
+		w.shouldContinue = true
+		return nil
+	}
+	return w.ResponseWriter.WriteMsg(m)
+}
+
+func NewHandlerChain() *HandlerChain {
+	return &HandlerChain{
+		handlers: make([]HandlerEntry, 0),
+	}
+}
+
+// GetOrigPattern returns the original pattern of the handler that wrote the response
+func (w *ResponseWriterChain) GetOrigPattern() string {
+	return w.origPattern
+}
+
+// AddHandler adds a new handler to the chain, replacing any existing handler with the same pattern and priority
+func (c *HandlerChain) AddHandler(pattern string, handler dns.Handler, priority int, stopHandler handlerWithStop) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	origPattern := pattern
+	isWildcard := strings.HasPrefix(pattern, "*.")
+	if isWildcard {
+		pattern = pattern[2:]
+	}
+	pattern = dns.Fqdn(pattern)
+	origPattern = dns.Fqdn(origPattern)
+
+	// First remove any existing handler with same original pattern and priority
+	for i := len(c.handlers) - 1; i >= 0; i-- {
+		if c.handlers[i].OrigPattern == origPattern && c.handlers[i].Priority == priority {
+			if c.handlers[i].StopHandler != nil {
+				c.handlers[i].StopHandler.stop()
+			}
+			c.handlers = append(c.handlers[:i], c.handlers[i+1:]...)
+			break
+		}
+	}
+
+	// Check if handler implements SubdomainMatcher interface
+	matchSubdomains := false
+	if matcher, ok := handler.(SubdomainMatcher); ok {
+		matchSubdomains = matcher.MatchSubdomains()
+	}
+
+	log.Debugf("adding handler pattern: domain=%s original: domain=%s wildcard=%v match_subdomain=%v priority=%d",
+		pattern, origPattern, isWildcard, matchSubdomains, priority)
+
+	entry := HandlerEntry{
+		Handler:         handler,
+		Priority:        priority,
+		Pattern:         pattern,
+		OrigPattern:     origPattern,
+		IsWildcard:      isWildcard,
+		StopHandler:     stopHandler,
+		MatchSubdomains: matchSubdomains,
+	}
+
+	// Insert handler in priority order
+	pos := 0
+	for i, h := range c.handlers {
+		if h.Priority < priority {
+			pos = i
+			break
+		}
+		pos = i + 1
+	}
+
+	c.handlers = append(c.handlers[:pos], append([]HandlerEntry{entry}, c.handlers[pos:]...)...)
+}
+
+// RemoveHandler removes a handler for the given pattern and priority
+func (c *HandlerChain) RemoveHandler(pattern string, priority int) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	pattern = dns.Fqdn(pattern)
+
+	// Find and remove handlers matching both original pattern and priority
+	for i := len(c.handlers) - 1; i >= 0; i-- {
+		entry := c.handlers[i]
+		if entry.OrigPattern == pattern && entry.Priority == priority {
+			if entry.StopHandler != nil {
+				entry.StopHandler.stop()
+			}
+			c.handlers = append(c.handlers[:i], c.handlers[i+1:]...)
+			return
+		}
+	}
+}
+
+// HasHandlers returns true if there are any handlers remaining for the given pattern
+func (c *HandlerChain) HasHandlers(pattern string) bool {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+
+	pattern = dns.Fqdn(pattern)
+	for _, entry := range c.handlers {
+		if entry.Pattern == pattern {
+			return true
+		}
+	}
+	return false
+}
+
+func (c *HandlerChain) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
+	if len(r.Question) == 0 {
+		return
+	}
+
+	qname := r.Question[0].Name
+	log.Tracef("handling DNS request for domain=%s", qname)
+
+	c.mu.RLock()
+	handlers := slices.Clone(c.handlers)
+	c.mu.RUnlock()
+
+	if log.IsLevelEnabled(log.TraceLevel) {
+		log.Tracef("current handlers (%d):", len(handlers))
+		for _, h := range handlers {
+			log.Tracef("  - pattern: domain=%s original: domain=%s wildcard=%v priority=%d",
+				h.Pattern, h.OrigPattern, h.IsWildcard, h.Priority)
+		}
+	}
+
+	// Try handlers in priority order
+	for _, entry := range handlers {
+		var matched bool
+		switch {
+		case entry.Pattern == ".":
+			matched = true
+		case entry.IsWildcard:
+			parts := strings.Split(strings.TrimSuffix(qname, entry.Pattern), ".")
+			matched = len(parts) >= 2 && strings.HasSuffix(qname, entry.Pattern)
+		default:
+			// For non-wildcard patterns:
+			// If handler wants subdomain matching, allow suffix match
+			// Otherwise require exact match
+			if entry.MatchSubdomains {
+				matched = qname == entry.Pattern || strings.HasSuffix(qname, "."+entry.Pattern)
+			} else {
+				matched = qname == entry.Pattern
+			}
+		}
+
+		if !matched {
+			log.Tracef("trying domain match: request: domain=%s pattern: domain=%s wildcard=%v match_subdomain=%v matched=false",
+				qname, entry.OrigPattern, entry.MatchSubdomains, entry.IsWildcard)
+			continue
+		}
+
+		log.Tracef("handler matched: request: domain=%s pattern: domain=%s wildcard=%v match_subdomain=%v",
+			qname, entry.OrigPattern, entry.IsWildcard, entry.MatchSubdomains)
+
+		chainWriter := &ResponseWriterChain{
+			ResponseWriter: w,
+			origPattern:    entry.OrigPattern,
+		}
+		entry.Handler.ServeDNS(chainWriter, r)
+
+		// If handler wants to continue, try next handler
+		if chainWriter.shouldContinue {
+			log.Tracef("handler requested continue to next handler")
+			continue
+		}
+		return
+	}
+
+	// No handler matched or all handlers passed
+	log.Tracef("no handler found for domain=%s", qname)
+	resp := &dns.Msg{}
+	resp.SetRcode(r, dns.RcodeNameError)
+	if err := w.WriteMsg(resp); err != nil {
+		log.Errorf("failed to write DNS response: %v", err)
+	}
+}
--- a/client/internal/dns/handler_chain_test.go
+++ b/client/internal/dns/handler_chain_test.go
@@ -0,0 +1,511 @@
+package dns_test
+
+import (
+	"net"
+	"testing"
+
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+
+	nbdns "github.com/netbirdio/netbird/client/internal/dns"
+)
+
+// TestHandlerChain_ServeDNS_Priorities tests that handlers are executed in priority order
+func TestHandlerChain_ServeDNS_Priorities(t *testing.T) {
+	chain := nbdns.NewHandlerChain()
+
+	// Create mock handlers for different priorities
+	defaultHandler := &nbdns.MockHandler{}
+	matchDomainHandler := &nbdns.MockHandler{}
+	dnsRouteHandler := &nbdns.MockHandler{}
+
+	// Setup handlers with different priorities
+	chain.AddHandler("example.com.", defaultHandler, nbdns.PriorityDefault, nil)
+	chain.AddHandler("example.com.", matchDomainHandler, nbdns.PriorityMatchDomain, nil)
+	chain.AddHandler("example.com.", dnsRouteHandler, nbdns.PriorityDNSRoute, nil)
+
+	// Create test request
+	r := new(dns.Msg)
+	r.SetQuestion("example.com.", dns.TypeA)
+
+	// Create test writer
+	w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+
+	// Setup expectations - only highest priority handler should be called
+	dnsRouteHandler.On("ServeDNS", mock.Anything, r).Once()
+	matchDomainHandler.On("ServeDNS", mock.Anything, r).Maybe()
+	defaultHandler.On("ServeDNS", mock.Anything, r).Maybe()
+
+	// Execute
+	chain.ServeDNS(w, r)
+
+	// Verify all expectations were met
+	dnsRouteHandler.AssertExpectations(t)
+	matchDomainHandler.AssertExpectations(t)
+	defaultHandler.AssertExpectations(t)
+}
+
+// TestHandlerChain_ServeDNS_DomainMatching tests various domain matching scenarios
+func TestHandlerChain_ServeDNS_DomainMatching(t *testing.T) {
+	tests := []struct {
+		name            string
+		handlerDomain   string
+		queryDomain     string
+		isWildcard      bool
+		matchSubdomains bool
+		shouldMatch     bool
+	}{
+		{
+			name:            "exact match",
+			handlerDomain:   "example.com.",
+			queryDomain:     "example.com.",
+			isWildcard:      false,
+			matchSubdomains: false,
+			shouldMatch:     true,
+		},
+		{
+			name:            "subdomain with non-wildcard and MatchSubdomains true",
+			handlerDomain:   "example.com.",
+			queryDomain:     "sub.example.com.",
+			isWildcard:      false,
+			matchSubdomains: true,
+			shouldMatch:     true,
+		},
+		{
+			name:            "subdomain with non-wildcard and MatchSubdomains false",
+			handlerDomain:   "example.com.",
+			queryDomain:     "sub.example.com.",
+			isWildcard:      false,
+			matchSubdomains: false,
+			shouldMatch:     false,
+		},
+		{
+			name:            "wildcard match",
+			handlerDomain:   "*.example.com.",
+			queryDomain:     "sub.example.com.",
+			isWildcard:      true,
+			matchSubdomains: false,
+			shouldMatch:     true,
+		},
+		{
+			name:            "wildcard no match on apex",
+			handlerDomain:   "*.example.com.",
+			queryDomain:     "example.com.",
+			isWildcard:      true,
+			matchSubdomains: false,
+			shouldMatch:     false,
+		},
+		{
+			name:            "root zone match",
+			handlerDomain:   ".",
+			queryDomain:     "anything.com.",
+			isWildcard:      false,
+			matchSubdomains: false,
+			shouldMatch:     true,
+		},
+		{
+			name:            "no match different domain",
+			handlerDomain:   "example.com.",
+			queryDomain:     "example.org.",
+			isWildcard:      false,
+			matchSubdomains: false,
+			shouldMatch:     false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			chain := nbdns.NewHandlerChain()
+			var handler dns.Handler
+
+			if tt.matchSubdomains {
+				mockSubHandler := &nbdns.MockSubdomainHandler{Subdomains: true}
+				handler = mockSubHandler
+				if tt.shouldMatch {
+					mockSubHandler.On("ServeDNS", mock.Anything, mock.Anything).Once()
+				}
+			} else {
+				mockHandler := &nbdns.MockHandler{}
+				handler = mockHandler
+				if tt.shouldMatch {
+					mockHandler.On("ServeDNS", mock.Anything, mock.Anything).Once()
+				}
+			}
+
+			pattern := tt.handlerDomain
+			if tt.isWildcard {
+				pattern = "*." + tt.handlerDomain[2:]
+			}
+
+			chain.AddHandler(pattern, handler, nbdns.PriorityDefault, nil)
+
+			r := new(dns.Msg)
+			r.SetQuestion(tt.queryDomain, dns.TypeA)
+			w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+
+			chain.ServeDNS(w, r)
+
+			if h, ok := handler.(*nbdns.MockHandler); ok {
+				h.AssertExpectations(t)
+			} else if h, ok := handler.(*nbdns.MockSubdomainHandler); ok {
+				h.AssertExpectations(t)
+			}
+		})
+	}
+}
+
+// TestHandlerChain_ServeDNS_OverlappingDomains tests behavior with overlapping domain patterns
+func TestHandlerChain_ServeDNS_OverlappingDomains(t *testing.T) {
+	tests := []struct {
+		name     string
+		handlers []struct {
+			pattern  string
+			priority int
+		}
+		queryDomain     string
+		expectedCalls   int
+		expectedHandler int // index of the handler that should be called
+	}{
+		{
+			name: "wildcard and exact same priority - exact should win",
+			handlers: []struct {
+				pattern  string
+				priority int
+			}{
+				{pattern: "*.example.com.", priority: nbdns.PriorityDefault},
+				{pattern: "example.com.", priority: nbdns.PriorityDefault},
+			},
+			queryDomain:     "example.com.",
+			expectedCalls:   1,
+			expectedHandler: 1, // exact match handler should be called
+		},
+		{
+			name: "higher priority wildcard over lower priority exact",
+			handlers: []struct {
+				pattern  string
+				priority int
+			}{
+				{pattern: "example.com.", priority: nbdns.PriorityDefault},
+				{pattern: "*.example.com.", priority: nbdns.PriorityDNSRoute},
+			},
+			queryDomain:     "test.example.com.",
+			expectedCalls:   1,
+			expectedHandler: 1, // higher priority wildcard handler should be called
+		},
+		{
+			name: "multiple wildcards different priorities",
+			handlers: []struct {
+				pattern  string
+				priority int
+			}{
+				{pattern: "*.example.com.", priority: nbdns.PriorityDefault},
+				{pattern: "*.example.com.", priority: nbdns.PriorityMatchDomain},
+				{pattern: "*.example.com.", priority: nbdns.PriorityDNSRoute},
+			},
+			queryDomain:     "test.example.com.",
+			expectedCalls:   1,
+			expectedHandler: 2, // highest priority handler should be called
+		},
+		{
+			name: "subdomain with mix of patterns",
+			handlers: []struct {
+				pattern  string
+				priority int
+			}{
+				{pattern: "*.example.com.", priority: nbdns.PriorityDefault},
+				{pattern: "test.example.com.", priority: nbdns.PriorityMatchDomain},
+				{pattern: "*.test.example.com.", priority: nbdns.PriorityDNSRoute},
+			},
+			queryDomain:     "sub.test.example.com.",
+			expectedCalls:   1,
+			expectedHandler: 2, // highest priority matching handler should be called
+		},
+		{
+			name: "root zone with specific domain",
+			handlers: []struct {
+				pattern  string
+				priority int
+			}{
+				{pattern: ".", priority: nbdns.PriorityDefault},
+				{pattern: "example.com.", priority: nbdns.PriorityDNSRoute},
+			},
+			queryDomain:     "example.com.",
+			expectedCalls:   1,
+			expectedHandler: 1, // higher priority specific domain should win over root
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			chain := nbdns.NewHandlerChain()
+			var handlers []*nbdns.MockHandler
+
+			// Setup handlers and expectations
+			for i := range tt.handlers {
+				handler := &nbdns.MockHandler{}
+				handlers = append(handlers, handler)
+
+				// Set expectation based on whether this handler should be called
+				if i == tt.expectedHandler {
+					handler.On("ServeDNS", mock.Anything, mock.Anything).Once()
+				} else {
+					handler.On("ServeDNS", mock.Anything, mock.Anything).Maybe()
+				}
+
+				chain.AddHandler(tt.handlers[i].pattern, handler, tt.handlers[i].priority, nil)
+			}
+
+			// Create and execute request
+			r := new(dns.Msg)
+			r.SetQuestion(tt.queryDomain, dns.TypeA)
+			w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+			chain.ServeDNS(w, r)
+
+			// Verify expectations
+			for _, handler := range handlers {
+				handler.AssertExpectations(t)
+			}
+		})
+	}
+}
+
+// TestHandlerChain_ServeDNS_ChainContinuation tests the chain continuation functionality
+func TestHandlerChain_ServeDNS_ChainContinuation(t *testing.T) {
+	chain := nbdns.NewHandlerChain()
+
+	// Create handlers
+	handler1 := &nbdns.MockHandler{}
+	handler2 := &nbdns.MockHandler{}
+	handler3 := &nbdns.MockHandler{}
+
+	// Add handlers in priority order
+	chain.AddHandler("example.com.", handler1, nbdns.PriorityDNSRoute, nil)
+	chain.AddHandler("example.com.", handler2, nbdns.PriorityMatchDomain, nil)
+	chain.AddHandler("example.com.", handler3, nbdns.PriorityDefault, nil)
+
+	// Create test request
+	r := new(dns.Msg)
+	r.SetQuestion("example.com.", dns.TypeA)
+
+	// Setup mock responses to simulate chain continuation
+	handler1.On("ServeDNS", mock.Anything, r).Run(func(args mock.Arguments) {
+		// First handler signals continue
+		w := args.Get(0).(*nbdns.ResponseWriterChain)
+		resp := new(dns.Msg)
+		resp.SetRcode(r, dns.RcodeNameError)
+		resp.MsgHdr.Zero = true // Signal to continue
+		assert.NoError(t, w.WriteMsg(resp))
+	}).Once()
+
+	handler2.On("ServeDNS", mock.Anything, r).Run(func(args mock.Arguments) {
+		// Second handler signals continue
+		w := args.Get(0).(*nbdns.ResponseWriterChain)
+		resp := new(dns.Msg)
+		resp.SetRcode(r, dns.RcodeNameError)
+		resp.MsgHdr.Zero = true
+		assert.NoError(t, w.WriteMsg(resp))
+	}).Once()
+
+	handler3.On("ServeDNS", mock.Anything, r).Run(func(args mock.Arguments) {
+		// Last handler responds normally
+		w := args.Get(0).(*nbdns.ResponseWriterChain)
+		resp := new(dns.Msg)
+		resp.SetRcode(r, dns.RcodeSuccess)
+		assert.NoError(t, w.WriteMsg(resp))
+	}).Once()
+
+	// Execute
+	w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+	chain.ServeDNS(w, r)
+
+	// Verify all handlers were called in order
+	handler1.AssertExpectations(t)
+	handler2.AssertExpectations(t)
+	handler3.AssertExpectations(t)
+}
+
+// mockResponseWriter implements dns.ResponseWriter for testing
+type mockResponseWriter struct {
+	mock.Mock
+}
+
+func (m *mockResponseWriter) LocalAddr() net.Addr       { return nil }
+func (m *mockResponseWriter) RemoteAddr() net.Addr      { return nil }
+func (m *mockResponseWriter) WriteMsg(*dns.Msg) error   { return nil }
+func (m *mockResponseWriter) Write([]byte) (int, error) { return 0, nil }
+func (m *mockResponseWriter) Close() error              { return nil }
+func (m *mockResponseWriter) TsigStatus() error         { return nil }
+func (m *mockResponseWriter) TsigTimersOnly(bool)       {}
+func (m *mockResponseWriter) Hijack()                   {}
+
+func TestHandlerChain_PriorityDeregistration(t *testing.T) {
+	tests := []struct {
+		name string
+		ops  []struct {
+			action   string // "add" or "remove"
+			pattern  string
+			priority int
+		}
+		query         string
+		expectedCalls map[int]bool // map[priority]shouldBeCalled
+	}{
+		{
+			name: "remove high priority keeps lower priority handler",
+			ops: []struct {
+				action   string
+				pattern  string
+				priority int
+			}{
+				{"add", "example.com.", nbdns.PriorityDNSRoute},
+				{"add", "example.com.", nbdns.PriorityMatchDomain},
+				{"remove", "example.com.", nbdns.PriorityDNSRoute},
+			},
+			query: "example.com.",
+			expectedCalls: map[int]bool{
+				nbdns.PriorityDNSRoute:    false,
+				nbdns.PriorityMatchDomain: true,
+			},
+		},
+		{
+			name: "remove lower priority keeps high priority handler",
+			ops: []struct {
+				action   string
+				pattern  string
+				priority int
+			}{
+				{"add", "example.com.", nbdns.PriorityDNSRoute},
+				{"add", "example.com.", nbdns.PriorityMatchDomain},
+				{"remove", "example.com.", nbdns.PriorityMatchDomain},
+			},
+			query: "example.com.",
+			expectedCalls: map[int]bool{
+				nbdns.PriorityDNSRoute:    true,
+				nbdns.PriorityMatchDomain: false,
+			},
+		},
+		{
+			name: "remove all handlers in order",
+			ops: []struct {
+				action   string
+				pattern  string
+				priority int
+			}{
+				{"add", "example.com.", nbdns.PriorityDNSRoute},
+				{"add", "example.com.", nbdns.PriorityMatchDomain},
+				{"add", "example.com.", nbdns.PriorityDefault},
+				{"remove", "example.com.", nbdns.PriorityDNSRoute},
+				{"remove", "example.com.", nbdns.PriorityMatchDomain},
+			},
+			query: "example.com.",
+			expectedCalls: map[int]bool{
+				nbdns.PriorityDNSRoute:    false,
+				nbdns.PriorityMatchDomain: false,
+				nbdns.PriorityDefault:     true,
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			chain := nbdns.NewHandlerChain()
+			handlers := make(map[int]*nbdns.MockHandler)
+
+			// Execute operations
+			for _, op := range tt.ops {
+				if op.action == "add" {
+					handler := &nbdns.MockHandler{}
+					handlers[op.priority] = handler
+					chain.AddHandler(op.pattern, handler, op.priority, nil)
+				} else {
+					chain.RemoveHandler(op.pattern, op.priority)
+				}
+			}
+
+			// Create test request
+			r := new(dns.Msg)
+			r.SetQuestion(tt.query, dns.TypeA)
+			w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+
+			// Setup expectations
+			for priority, handler := range handlers {
+				if shouldCall, exists := tt.expectedCalls[priority]; exists && shouldCall {
+					handler.On("ServeDNS", mock.Anything, r).Once()
+				} else {
+					handler.On("ServeDNS", mock.Anything, r).Maybe()
+				}
+			}
+
+			// Execute request
+			chain.ServeDNS(w, r)
+
+			// Verify expectations
+			for _, handler := range handlers {
+				handler.AssertExpectations(t)
+			}
+
+			// Verify handler exists check
+			for priority, shouldExist := range tt.expectedCalls {
+				if shouldExist {
+					assert.True(t, chain.HasHandlers(tt.ops[0].pattern),
+						"Handler chain should have handlers for pattern after removing priority %d", priority)
+				}
+			}
+		})
+	}
+}
+
+func TestHandlerChain_MultiPriorityHandling(t *testing.T) {
+	chain := nbdns.NewHandlerChain()
+
+	testDomain := "example.com."
+	testQuery := "test.example.com."
+
+	// Create handlers with MatchSubdomains enabled
+	routeHandler := &nbdns.MockSubdomainHandler{Subdomains: true}
+	matchHandler := &nbdns.MockSubdomainHandler{Subdomains: true}
+	defaultHandler := &nbdns.MockSubdomainHandler{Subdomains: true}
+
+	// Create test request that will be reused
+	r := new(dns.Msg)
+	r.SetQuestion(testQuery, dns.TypeA)
+
+	// Add handlers in mixed order
+	chain.AddHandler(testDomain, defaultHandler, nbdns.PriorityDefault, nil)
+	chain.AddHandler(testDomain, routeHandler, nbdns.PriorityDNSRoute, nil)
+	chain.AddHandler(testDomain, matchHandler, nbdns.PriorityMatchDomain, nil)
+
+	// Test 1: Initial state with all three handlers
+	w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+	// Highest priority handler (routeHandler) should be called
+	routeHandler.On("ServeDNS", mock.Anything, r).Return().Once()
+
+	chain.ServeDNS(w, r)
+	routeHandler.AssertExpectations(t)
+
+	// Test 2: Remove highest priority handler
+	chain.RemoveHandler(testDomain, nbdns.PriorityDNSRoute)
+	assert.True(t, chain.HasHandlers(testDomain))
+
+	w = &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+	// Now middle priority handler (matchHandler) should be called
+	matchHandler.On("ServeDNS", mock.Anything, r).Return().Once()
+
+	chain.ServeDNS(w, r)
+	matchHandler.AssertExpectations(t)
+
+	// Test 3: Remove middle priority handler
+	chain.RemoveHandler(testDomain, nbdns.PriorityMatchDomain)
+	assert.True(t, chain.HasHandlers(testDomain))
+
+	w = &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+	// Now lowest priority handler (defaultHandler) should be called
+	defaultHandler.On("ServeDNS", mock.Anything, r).Return().Once()
+
+	chain.ServeDNS(w, r)
+	defaultHandler.AssertExpectations(t)
+
+	// Test 4: Remove last handler
+	chain.RemoveHandler(testDomain, nbdns.PriorityDefault)
+	assert.False(t, chain.HasHandlers(testDomain))
+}
--- a/client/internal/dns/local.go
+++ b/client/internal/dns/local.go
@@ -17,12 +17,24 @@ type localResolver struct {
 	records       sync.Map
 }

+func (d *localResolver) MatchSubdomains() bool {
+	return true
+}
+
 func (d *localResolver) stop() {
 }

+// String returns a string representation of the local resolver
+func (d *localResolver) String() string {
+	return fmt.Sprintf("local resolver [%d records]", len(d.registeredMap))
+}
+
 // ServeDNS handles a DNS request
 func (d *localResolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
-	log.Tracef("received question: %#v", r.Question[0])
+	if len(r.Question) > 0 {
+		log.Tracef("received question: domain=%s type=%v class=%v", r.Question[0].Name, r.Question[0].Qtype, r.Question[0].Qclass)
+	}
+
 	replyMessage := &dns.Msg{}
 	replyMessage.SetReply(r)
 	replyMessage.RecursionAvailable = true
--- a/client/internal/dns/mock_server.go
+++ b/client/internal/dns/mock_server.go
@@ -3,14 +3,30 @@ package dns
 import (
 	"fmt"

+	"github.com/miekg/dns"
+
 	nbdns "github.com/netbirdio/netbird/dns"
 )

 // MockServer is the mock instance of a dns server
 type MockServer struct {
-	InitializeFunc      func() error
-	StopFunc            func()
-	UpdateDNSServerFunc func(serial uint64, update nbdns.Config) error
+	InitializeFunc        func() error
+	StopFunc              func()
+	UpdateDNSServerFunc   func(serial uint64, update nbdns.Config) error
+	RegisterHandlerFunc   func([]string, dns.Handler, int)
+	DeregisterHandlerFunc func([]string, int)
+}
+
+func (m *MockServer) RegisterHandler(domains []string, handler dns.Handler, priority int) {
+	if m.RegisterHandlerFunc != nil {
+		m.RegisterHandlerFunc(domains, handler, priority)
+	}
+}
+
+func (m *MockServer) DeregisterHandler(domains []string, priority int) {
+	if m.DeregisterHandlerFunc != nil {
+		m.DeregisterHandlerFunc(domains, priority)
+	}
 }

 // Initialize mock implementation of Initialize from Server interface
--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -30,6 +30,8 @@ type IosDnsManager interface {

 // Server is a dns server interface
 type Server interface {
+	RegisterHandler(domains []string, handler dns.Handler, priority int)
+	DeregisterHandler(domains []string, priority int)
 	Initialize() error
 	Stop()
 	DnsIP() string
@@ -48,12 +50,14 @@ type DefaultServer struct {
 	mux                sync.Mutex
 	service            service
 	dnsMuxMap          registeredHandlerMap
+	handlerPriorities  map[string]int
 	localResolver      *localResolver
 	wgInterface        WGIface
 	hostManager        hostManager
 	updateSerial       uint64
 	previousConfigHash uint64
 	currentConfig      HostDNSConfig
+	handlerChain       *HandlerChain

 	// permanent related properties
 	permanent      bool
@@ -74,8 +78,9 @@ type handlerWithStop interface {
 }

 type muxUpdate struct {
-	domain  string
-	handler handlerWithStop
+	domain   string
+	handler  handlerWithStop
+	priority int
 }

 // NewDefaultServer returns a new dns server
@@ -135,10 +140,12 @@ func NewDefaultServerIos(
 func newDefaultServer(ctx context.Context, wgInterface WGIface, dnsService service, statusRecorder *peer.Status, stateManager *statemanager.Manager) *DefaultServer {
 	ctx, stop := context.WithCancel(ctx)
 	defaultServer := &DefaultServer{
-		ctx:       ctx,
-		ctxCancel: stop,
-		service:   dnsService,
-		dnsMuxMap: make(registeredHandlerMap),
+		ctx:               ctx,
+		ctxCancel:         stop,
+		service:           dnsService,
+		handlerChain:      NewHandlerChain(),
+		dnsMuxMap:         make(registeredHandlerMap),
+		handlerPriorities: make(map[string]int),
 		localResolver: &localResolver{
 			registeredMap: make(registrationMap),
 		},
@@ -151,6 +158,51 @@ func newDefaultServer(ctx context.Context, wgInterface WGIface, dnsService servi
 	return defaultServer
 }

+func (s *DefaultServer) RegisterHandler(domains []string, handler dns.Handler, priority int) {
+	s.mux.Lock()
+	defer s.mux.Unlock()
+
+	s.registerHandler(domains, handler, priority)
+}
+
+func (s *DefaultServer) registerHandler(domains []string, handler dns.Handler, priority int) {
+	log.Debugf("registering handler %s with priority %d", handler, priority)
+
+	for _, domain := range domains {
+		if domain == "" {
+			log.Warn("skipping empty domain")
+			continue
+		}
+		s.handlerChain.AddHandler(domain, handler, priority, nil)
+		s.handlerPriorities[domain] = priority
+		s.service.RegisterMux(nbdns.NormalizeZone(domain), s.handlerChain)
+	}
+}
+
+func (s *DefaultServer) DeregisterHandler(domains []string, priority int) {
+	s.mux.Lock()
+	defer s.mux.Unlock()
+
+	s.deregisterHandler(domains, priority)
+}
+
+func (s *DefaultServer) deregisterHandler(domains []string, priority int) {
+	log.Debugf("deregistering handler %v with priority %d", domains, priority)
+
+	for _, domain := range domains {
+		s.handlerChain.RemoveHandler(domain, priority)
+
+		// Only deregister from service if no handlers remain
+		if !s.handlerChain.HasHandlers(domain) {
+			if domain == "" {
+				log.Warn("skipping empty domain")
+				continue
+			}
+			s.service.DeregisterMux(nbdns.NormalizeZone(domain))
+		}
+	}
+}
+
 // Initialize instantiate host manager and the dns service
 func (s *DefaultServer) Initialize() (err error) {
 	s.mux.Lock()
@@ -343,14 +395,14 @@ func (s *DefaultServer) buildLocalHandlerUpdate(customZones []nbdns.CustomZone)
 	localRecords := make(map[string]nbdns.SimpleRecord, 0)

 	for _, customZone := range customZones {
-
 		if len(customZone.Records) == 0 {
 			return nil, nil, fmt.Errorf("received an empty list of records")
 		}

 		muxUpdates = append(muxUpdates, muxUpdate{
-			domain:  customZone.Domain,
-			handler: s.localResolver,
+			domain:   customZone.Domain,
+			handler:  s.localResolver,
+			priority: PriorityMatchDomain,
 		})

 		for _, record := range customZone.Records {
@@ -412,8 +464,9 @@ func (s *DefaultServer) buildUpstreamHandlerUpdate(nameServerGroups []*nbdns.Nam

 		if nsGroup.Primary {
 			muxUpdates = append(muxUpdates, muxUpdate{
-				domain:  nbdns.RootZone,
-				handler: handler,
+				domain:   nbdns.RootZone,
+				handler:  handler,
+				priority: PriorityDefault,
 			})
 			continue
 		}
@@ -429,8 +482,9 @@ func (s *DefaultServer) buildUpstreamHandlerUpdate(nameServerGroups []*nbdns.Nam
 				return nil, fmt.Errorf("received a nameserver group with an empty domain element")
 			}
 			muxUpdates = append(muxUpdates, muxUpdate{
-				domain:  domain,
-				handler: handler,
+				domain:   domain,
+				handler:  handler,
+				priority: PriorityMatchDomain,
 			})
 		}
 	}
@@ -440,12 +494,16 @@ func (s *DefaultServer) buildUpstreamHandlerUpdate(nameServerGroups []*nbdns.Nam

 func (s *DefaultServer) updateMux(muxUpdates []muxUpdate) {
 	muxUpdateMap := make(registeredHandlerMap)
+	handlersByPriority := make(map[string]int)

 	var isContainRootUpdate bool

+	// First register new handlers
 	for _, update := range muxUpdates {
-		s.service.RegisterMux(update.domain, update.handler)
+		s.registerHandler([]string{update.domain}, update.handler, update.priority)
 		muxUpdateMap[update.domain] = update.handler
+		handlersByPriority[update.domain] = update.priority
+
 		if existingHandler, ok := s.dnsMuxMap[update.domain]; ok {
 			existingHandler.stop()
 		}
@@ -455,6 +513,7 @@ func (s *DefaultServer) updateMux(muxUpdates []muxUpdate) {
 		}
 	}

+	// Then deregister old handlers not in the update
 	for key, existingHandler := range s.dnsMuxMap {
 		_, found := muxUpdateMap[key]
 		if !found {
@@ -463,12 +522,16 @@ func (s *DefaultServer) updateMux(muxUpdates []muxUpdate) {
 				existingHandler.stop()
 			} else {
 				existingHandler.stop()
-				s.service.DeregisterMux(key)
+				// Deregister with the priority that was used to register
+				if oldPriority, ok := s.handlerPriorities[key]; ok {
+					s.deregisterHandler([]string{key}, oldPriority)
+				}
 			}
 		}
 	}

 	s.dnsMuxMap = muxUpdateMap
+	s.handlerPriorities = handlersByPriority
 }

 func (s *DefaultServer) updateLocalResolver(update map[string]nbdns.SimpleRecord) {
@@ -517,13 +580,13 @@ func (s *DefaultServer) upstreamCallbacks(
 		if nsGroup.Primary {
 			removeIndex[nbdns.RootZone] = -1
 			s.currentConfig.RouteAll = false
-			s.service.DeregisterMux(nbdns.RootZone)
+			s.deregisterHandler([]string{nbdns.RootZone}, PriorityDefault)
 		}

 		for i, item := range s.currentConfig.Domains {
 			if _, found := removeIndex[item.Domain]; found {
 				s.currentConfig.Domains[i].Disabled = true
-				s.service.DeregisterMux(item.Domain)
+				s.deregisterHandler([]string{item.Domain}, PriorityMatchDomain)
 				removeIndex[item.Domain] = i
 			}
 		}
@@ -554,7 +617,7 @@ func (s *DefaultServer) upstreamCallbacks(
 				continue
 			}
 			s.currentConfig.Domains[i].Disabled = false
-			s.service.RegisterMux(domain, handler)
+			s.registerHandler([]string{domain}, handler, PriorityMatchDomain)
 		}

 		l := log.WithField("nameservers", nsGroup.NameServers)
@@ -562,7 +625,7 @@ func (s *DefaultServer) upstreamCallbacks(

 		if nsGroup.Primary {
 			s.currentConfig.RouteAll = true
-			s.service.RegisterMux(nbdns.RootZone, handler)
+			s.registerHandler([]string{nbdns.RootZone}, handler, PriorityDefault)
 		}
 		if err := s.hostManager.applyDNSConfig(s.currentConfig, s.stateManager); err != nil {
 			l.WithError(err).Error("reactivate temporary disabled nameserver group, DNS update apply")
@@ -593,7 +656,8 @@ func (s *DefaultServer) addHostRootZone() {
 	}
 	handler.deactivate = func(error) {}
 	handler.reactivate = func() {}
-	s.service.RegisterMux(nbdns.RootZone, handler)
+
+	s.registerHandler([]string{nbdns.RootZone}, handler, PriorityDefault)
 }

 func (s *DefaultServer) updateNSGroupStates(groups []*nbdns.NameServerGroup) {
--- a/client/internal/dns/server_test.go
+++ b/client/internal/dns/server_test.go
@@ -11,7 +11,9 @@ import (
 	"time"

 	"github.com/golang/mock/gomock"
+	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/mock"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

 	"github.com/netbirdio/netbird/client/firewall/uspfilter"
@@ -512,7 +514,7 @@ func TestDNSServerStartStop(t *testing.T) {
 				t.Error(err)
 			}

-			dnsServer.service.RegisterMux("netbird.cloud", dnsServer.localResolver)
+			dnsServer.registerHandler([]string{"netbird.cloud"}, dnsServer.localResolver, 1)

 			resolver := &net.Resolver{
 				PreferGo: true,
@@ -560,7 +562,9 @@ func TestDNSServerUpstreamDeactivateCallback(t *testing.T) {
 		localResolver: &localResolver{
 			registeredMap: make(registrationMap),
 		},
-		hostManager: hostManager,
+		handlerChain:      NewHandlerChain(),
+		handlerPriorities: make(map[string]int),
+		hostManager:       hostManager,
 		currentConfig: HostDNSConfig{
 			Domains: []DomainConfig{
 				{false, "domain0", false},
@@ -872,3 +876,86 @@ func newDnsResolver(ip string, port int) *net.Resolver {
 		},
 	}
 }
+
+// MockHandler implements dns.Handler interface for testing
+type MockHandler struct {
+	mock.Mock
+}
+
+func (m *MockHandler) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
+	m.Called(w, r)
+}
+
+type MockSubdomainHandler struct {
+	MockHandler
+	Subdomains bool
+}
+
+func (m *MockSubdomainHandler) MatchSubdomains() bool {
+	return m.Subdomains
+}
+
+func TestHandlerChain_DomainPriorities(t *testing.T) {
+	chain := NewHandlerChain()
+
+	dnsRouteHandler := &MockHandler{}
+	upstreamHandler := &MockSubdomainHandler{
+		Subdomains: true,
+	}
+
+	chain.AddHandler("example.com.", dnsRouteHandler, PriorityDNSRoute, nil)
+	chain.AddHandler("example.com.", upstreamHandler, PriorityMatchDomain, nil)
+
+	testCases := []struct {
+		name            string
+		query           string
+		expectedHandler dns.Handler
+	}{
+		{
+			name:            "exact domain with dns route handler",
+			query:           "example.com.",
+			expectedHandler: dnsRouteHandler,
+		},
+		{
+			name:            "subdomain should use upstream handler",
+			query:           "sub.example.com.",
+			expectedHandler: upstreamHandler,
+		},
+		{
+			name:            "deep subdomain should use upstream handler",
+			query:           "deep.sub.example.com.",
+			expectedHandler: upstreamHandler,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			r := new(dns.Msg)
+			r.SetQuestion(tc.query, dns.TypeA)
+			w := &ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+
+			if mh, ok := tc.expectedHandler.(*MockHandler); ok {
+				mh.On("ServeDNS", mock.Anything, r).Once()
+			} else if mh, ok := tc.expectedHandler.(*MockSubdomainHandler); ok {
+				mh.On("ServeDNS", mock.Anything, r).Once()
+			}
+
+			chain.ServeDNS(w, r)
+
+			if mh, ok := tc.expectedHandler.(*MockHandler); ok {
+				mh.AssertExpectations(t)
+			} else if mh, ok := tc.expectedHandler.(*MockSubdomainHandler); ok {
+				mh.AssertExpectations(t)
+			}
+
+			// Reset mocks
+			if mh, ok := tc.expectedHandler.(*MockHandler); ok {
+				mh.ExpectedCalls = nil
+				mh.Calls = nil
+			} else if mh, ok := tc.expectedHandler.(*MockSubdomainHandler); ok {
+				mh.ExpectedCalls = nil
+				mh.Calls = nil
+			}
+		})
+	}
+}
--- a/client/internal/dns/service_listener.go
+++ b/client/internal/dns/service_listener.go
@@ -105,6 +105,7 @@ func (s *serviceViaListener) Stop() {
 }

 func (s *serviceViaListener) RegisterMux(pattern string, handler dns.Handler) {
+	log.Debugf("registering dns handler for pattern: %s", pattern)
 	s.dnsMux.Handle(pattern, handler)
 }

--- a/client/internal/dns/upstream.go
+++ b/client/internal/dns/upstream.go
@@ -66,6 +66,15 @@ func newUpstreamResolverBase(ctx context.Context, statusRecorder *peer.Status) *
 	}
 }

+// String returns a string representation of the upstream resolver
+func (u *upstreamResolverBase) String() string {
+	return fmt.Sprintf("upstream %v", u.upstreamServers)
+}
+
+func (u *upstreamResolverBase) MatchSubdomains() bool {
+	return true
+}
+
 func (u *upstreamResolverBase) stop() {
 	log.Debugf("stopping serving DNS for upstreams %s", u.upstreamServers)
 	u.cancel()
--- a/client/internal/dnsfwd/forwarder.go
+++ b/client/internal/dnsfwd/forwarder.go
@@ -0,0 +1,157 @@
+package dnsfwd
+
+import (
+	"context"
+	"errors"
+	"net"
+
+	"github.com/miekg/dns"
+	log "github.com/sirupsen/logrus"
+
+	nbdns "github.com/netbirdio/netbird/dns"
+)
+
+const errResolveFailed = "failed to resolve query for domain=%s: %v"
+
+type DNSForwarder struct {
+	listenAddress string
+	ttl           uint32
+	domains       []string
+
+	dnsServer *dns.Server
+	mux       *dns.ServeMux
+}
+
+func NewDNSForwarder(listenAddress string, ttl uint32) *DNSForwarder {
+	log.Debugf("creating DNS forwarder with listen_address=%s ttl=%d", listenAddress, ttl)
+	return &DNSForwarder{
+		listenAddress: listenAddress,
+		ttl:           ttl,
+	}
+}
+
+func (f *DNSForwarder) Listen(domains []string) error {
+	log.Infof("listen DNS forwarder on address=%s", f.listenAddress)
+	mux := dns.NewServeMux()
+
+	dnsServer := &dns.Server{
+		Addr:    f.listenAddress,
+		Net:     "udp",
+		Handler: mux,
+	}
+	f.dnsServer = dnsServer
+	f.mux = mux
+
+	f.UpdateDomains(domains)
+
+	return dnsServer.ListenAndServe()
+}
+
+func (f *DNSForwarder) UpdateDomains(domains []string) {
+	log.Debugf("Updating domains from %v to %v", f.domains, domains)
+
+	for _, d := range f.domains {
+		f.mux.HandleRemove(d)
+	}
+
+	newDomains := filterDomains(domains)
+	for _, d := range newDomains {
+		f.mux.HandleFunc(d, f.handleDNSQuery)
+	}
+	f.domains = newDomains
+}
+
+func (f *DNSForwarder) Close(ctx context.Context) error {
+	if f.dnsServer == nil {
+		return nil
+	}
+	return f.dnsServer.ShutdownContext(ctx)
+}
+
+func (f *DNSForwarder) handleDNSQuery(w dns.ResponseWriter, query *dns.Msg) {
+	if len(query.Question) == 0 {
+		return
+	}
+	log.Tracef("received DNS request for DNS forwarder: domain=%v type=%v class=%v",
+		query.Question[0].Name, query.Question[0].Qtype, query.Question[0].Qclass)
+
+	question := query.Question[0]
+	domain := question.Name
+
+	resp := query.SetReply(query)
+
+	ips, err := net.LookupIP(domain)
+	if err != nil {
+		var dnsErr *net.DNSError
+
+		switch {
+		case errors.As(err, &dnsErr):
+			resp.Rcode = dns.RcodeServerFailure
+			if dnsErr.IsNotFound {
+				// Pass through NXDOMAIN
+				resp.Rcode = dns.RcodeNameError
+			}
+
+			if dnsErr.Server != "" {
+				log.Warnf("failed to resolve query for domain=%s server=%s: %v", domain, dnsErr.Server, err)
+			} else {
+				log.Warnf(errResolveFailed, domain, err)
+			}
+		default:
+			resp.Rcode = dns.RcodeServerFailure
+			log.Warnf(errResolveFailed, domain, err)
+		}
+
+		if err := w.WriteMsg(resp); err != nil {
+			log.Errorf("failed to write failure DNS response: %v", err)
+		}
+		return
+	}
+
+	for _, ip := range ips {
+		var respRecord dns.RR
+		if ip.To4() == nil {
+			log.Tracef("resolved domain=%s to IPv6=%s", domain, ip)
+			rr := dns.AAAA{
+				AAAA: ip,
+				Hdr: dns.RR_Header{
+					Name:   domain,
+					Rrtype: dns.TypeAAAA,
+					Class:  dns.ClassINET,
+					Ttl:    f.ttl,
+				},
+			}
+			respRecord = &rr
+		} else {
+			log.Tracef("resolved domain=%s to IPv4=%s", domain, ip)
+			rr := dns.A{
+				A: ip,
+				Hdr: dns.RR_Header{
+					Name:   domain,
+					Rrtype: dns.TypeA,
+					Class:  dns.ClassINET,
+					Ttl:    f.ttl,
+				},
+			}
+			respRecord = &rr
+		}
+		resp.Answer = append(resp.Answer, respRecord)
+	}
+
+	if err := w.WriteMsg(resp); err != nil {
+		log.Errorf("failed to write DNS response: %v", err)
+	}
+}
+
+// filterDomains returns a list of normalized domains
+func filterDomains(domains []string) []string {
+	newDomains := make([]string, 0, len(domains))
+	for _, d := range domains {
+		if d == "" {
+			log.Warn("empty domain in DNS forwarder")
+			continue
+		}
+		newDomains = append(newDomains, nbdns.NormalizeZone(d))
+	}
+	return newDomains
+}
--- a/client/internal/dnsfwd/manager.go
+++ b/client/internal/dnsfwd/manager.go
@@ -0,0 +1,106 @@
+package dnsfwd
+
+import (
+	"context"
+	"fmt"
+	"net"
+
+	"github.com/hashicorp/go-multierror"
+	log "github.com/sirupsen/logrus"
+
+	nberrors "github.com/netbirdio/netbird/client/errors"
+	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+)
+
+const (
+	// ListenPort is the port that the DNS forwarder listens on. It has been used by the client peers also
+	ListenPort = 5353
+	dnsTTL     = 60 //seconds
+)
+
+type Manager struct {
+	firewall firewall.Manager
+
+	fwRules      []firewall.Rule
+	dnsForwarder *DNSForwarder
+}
+
+func NewManager(fw firewall.Manager) *Manager {
+	return &Manager{
+		firewall: fw,
+	}
+}
+
+func (m *Manager) Start(domains []string) error {
+	log.Infof("starting DNS forwarder")
+	if m.dnsForwarder != nil {
+		return nil
+	}
+
+	if err := m.allowDNSFirewall(); err != nil {
+		return err
+	}
+
+	m.dnsForwarder = NewDNSForwarder(fmt.Sprintf(":%d", ListenPort), dnsTTL)
+	go func() {
+		if err := m.dnsForwarder.Listen(domains); err != nil {
+			// todo handle close error if it is exists
+			log.Errorf("failed to start DNS forwarder, err: %v", err)
+		}
+	}()
+
+	return nil
+}
+
+func (m *Manager) UpdateDomains(domains []string) {
+	if m.dnsForwarder == nil {
+		return
+	}
+
+	m.dnsForwarder.UpdateDomains(domains)
+}
+
+func (m *Manager) Stop(ctx context.Context) error {
+	if m.dnsForwarder == nil {
+		return nil
+	}
+
+	var mErr *multierror.Error
+	if err := m.dropDNSFirewall(); err != nil {
+		mErr = multierror.Append(mErr, err)
+	}
+
+	if err := m.dnsForwarder.Close(ctx); err != nil {
+		mErr = multierror.Append(mErr, err)
+	}
+
+	m.dnsForwarder = nil
+	return nberrors.FormatErrorOrNil(mErr)
+}
+
+func (h *Manager) allowDNSFirewall() error {
+	dport := &firewall.Port{
+		IsRange: false,
+		Values:  []int{ListenPort},
+	}
+	dnsRules, err := h.firewall.AddPeerFiltering(net.ParseIP("0.0.0.0"), firewall.ProtocolUDP, nil, dport, firewall.RuleDirectionIN, firewall.ActionAccept, "", "")
+	if err != nil {
+		log.Errorf("failed to add allow DNS router rules, err: %v", err)
+		return err
+	}
+	h.fwRules = dnsRules
+
+	return nil
+}
+
+func (h *Manager) dropDNSFirewall() error {
+	var mErr *multierror.Error
+	for _, rule := range h.fwRules {
+		if err := h.firewall.DeletePeerRule(rule); err != nil {
+			mErr = multierror.Append(mErr, fmt.Errorf("failed to delete DNS router rules, err: %v", err))
+		}
+	}
+
+	h.fwRules = nil
+	return nberrors.FormatErrorOrNil(mErr)
+}
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"maps"
 	"math/rand"
 	"net"
 	"net/netip"
@@ -21,6 +20,7 @@ import (
 	"github.com/pion/stun/v2"
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/protobuf/proto"

 	"github.com/netbirdio/netbird/client/firewall"
 	"github.com/netbirdio/netbird/client/firewall/manager"
@@ -29,15 +29,18 @@ import (
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/internal/acl"
 	"github.com/netbirdio/netbird/client/internal/dns"
+	"github.com/netbirdio/netbird/client/internal/dnsfwd"
 	"github.com/netbirdio/netbird/client/internal/networkmonitor"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/peer/guard"
 	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"
+	"github.com/netbirdio/netbird/client/internal/peerstore"
 	"github.com/netbirdio/netbird/client/internal/relay"
 	"github.com/netbirdio/netbird/client/internal/rosenpass"
 	"github.com/netbirdio/netbird/client/internal/routemanager"
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
+	semaphoregroup "github.com/netbirdio/netbird/util/semaphore-group"

 	nbssh "github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
@@ -61,6 +64,7 @@ import (
 const (
 	PeerConnectionTimeoutMax = 45000 // ms
 	PeerConnectionTimeoutMin = 30000 // ms
+	connInitLimit            = 200
 )

 var ErrResetConnection = fmt.Errorf("reset connection")
@@ -114,7 +118,7 @@ type Engine struct {
 	// mgmClient is a Management Service client
 	mgmClient mgm.Client
 	// peerConns is a map that holds all the peers that are known to this peer
-	peerConns map[string]*peer.Conn
+	peerStore *peerstore.Store

 	beforePeerHook nbnet.AddHookFunc
 	afterPeerHook  nbnet.RemoveHookFunc
@@ -134,10 +138,6 @@ type Engine struct {
 	TURNs    []*stun.URI
 	stunTurn atomic.Value

-	// clientRoutes is the most recent list of clientRoutes received from the Management Service
-	clientRoutes   route.HAMap
-	clientRoutesMu sync.RWMutex
-
 	clientCtx    context.Context
 	clientCancel context.CancelFunc

@@ -158,9 +158,10 @@ type Engine struct {

 	statusRecorder *peer.Status

-	firewall     manager.Manager
-	routeManager routemanager.Manager
-	acl          acl.Manager
+	firewall      manager.Manager
+	routeManager  routemanager.Manager
+	acl           acl.Manager
+	dnsForwardMgr *dnsfwd.Manager

 	dnsServer dns.Server

@@ -172,6 +173,11 @@ type Engine struct {
 	relayManager *relayClient.Manager
 	stateManager *statemanager.Manager
 	srWatcher    *guard.SRWatcher
+
+	// Network map persistence
+	persistNetworkMap bool
+	latestNetworkMap  *mgmProto.NetworkMap
+	connSemaphore     *semaphoregroup.SemaphoreGroup
 }

 // Peer is an instance of the Connection Peer
@@ -226,7 +232,7 @@ func NewEngineWithProbes(
 		signaler:       peer.NewSignaler(signalClient, config.WgPrivateKey),
 		mgmClient:      mgmClient,
 		relayManager:   relayManager,
-		peerConns:      make(map[string]*peer.Conn),
+		peerStore:      peerstore.NewConnStore(),
 		syncMsgMux:     &sync.Mutex{},
 		config:         config,
 		mobileDep:      mobileDep,
@@ -237,6 +243,18 @@ func NewEngineWithProbes(
 		statusRecorder: statusRecorder,
 		probes:         probes,
 		checks:         checks,
+		connSemaphore:  semaphoregroup.NewSemaphoreGroup(connInitLimit),
+	}
+	if runtime.GOOS == "ios" {
+		if !fileExists(mobileDep.StateFilePath) {
+			err := createFile(mobileDep.StateFilePath)
+			if err != nil {
+				log.Errorf("failed to create state file: %v", err)
+				// we are not exiting as we can run without the state manager
+			}
+		}
+
+		engine.stateManager = statemanager.New(mobileDep.StateFilePath)
 	}
 	if path := statemanager.GetDefaultStatePath(); path != "" {
 		engine.stateManager = statemanager.New(path)
@@ -267,19 +285,26 @@ func (e *Engine) Stop() error {
 		e.routeManager.Stop(e.stateManager)
 	}

+	if e.dnsForwardMgr != nil {
+		if err := e.dnsForwardMgr.Stop(context.Background()); err != nil {
+			log.Errorf("failed to stop DNS forward: %v", err)
+		}
+		e.dnsForwardMgr = nil
+	}
+
 	if e.srWatcher != nil {
 		e.srWatcher.Close()
 	}

+	e.statusRecorder.ReplaceOfflinePeers([]peer.State{})
+	e.statusRecorder.UpdateDNSStates([]peer.NSGroupState{})
+	e.statusRecorder.UpdateRelayStates([]relay.ProbeResult{})
+
 	err := e.removeAllPeers()
 	if err != nil {
 		return fmt.Errorf("failed to remove all peers: %s", err)
 	}

-	e.clientRoutesMu.Lock()
-	e.clientRoutes = nil
-	e.clientRoutesMu.Unlock()
-
 	if e.cancel != nil {
 		e.cancel()
 	}
@@ -349,8 +374,19 @@ func (e *Engine) Start() error {
 	}
 	e.dnsServer = dnsServer

-	e.routeManager = routemanager.NewManager(e.ctx, e.config.WgPrivateKey.PublicKey().String(), e.config.DNSRouteInterval, e.wgInterface, e.statusRecorder, e.relayManager, initialRoutes)
-	beforePeerHook, afterPeerHook, err := e.routeManager.Init(e.stateManager)
+	e.routeManager = routemanager.NewManager(
+		e.ctx,
+		e.config.WgPrivateKey.PublicKey().String(),
+		e.config.DNSRouteInterval,
+		e.wgInterface,
+		e.statusRecorder,
+		e.relayManager,
+		initialRoutes,
+		e.stateManager,
+		dnsServer,
+		e.peerStore,
+	)
+	beforePeerHook, afterPeerHook, err := e.routeManager.Init()
 	if err != nil {
 		log.Errorf("Failed to initialize route manager: %s", err)
 	} else {
@@ -427,8 +463,8 @@ func (e *Engine) modifyPeers(peersUpdate []*mgmProto.RemotePeerConfig) error {
 	var modified []*mgmProto.RemotePeerConfig
 	for _, p := range peersUpdate {
 		peerPubKey := p.GetWgPubKey()
-		if peerConn, ok := e.peerConns[peerPubKey]; ok {
-			if peerConn.WgConfig().AllowedIps != strings.Join(p.AllowedIps, ",") {
+		if allowedIPs, ok := e.peerStore.AllowedIPs(peerPubKey); ok {
+			if allowedIPs != strings.Join(p.AllowedIps, ",") {
 				modified = append(modified, p)
 				continue
 			}
@@ -459,17 +495,12 @@ func (e *Engine) modifyPeers(peersUpdate []*mgmProto.RemotePeerConfig) error {
 // removePeers finds and removes peers that do not exist anymore in the network map received from the Management Service.
 // It also removes peers that have been modified (e.g. change of IP address). They will be added again in addPeers method.
 func (e *Engine) removePeers(peersUpdate []*mgmProto.RemotePeerConfig) error {
-	currentPeers := make([]string, 0, len(e.peerConns))
-	for p := range e.peerConns {
-		currentPeers = append(currentPeers, p)
-	}
-
 	newPeers := make([]string, 0, len(peersUpdate))
 	for _, p := range peersUpdate {
 		newPeers = append(newPeers, p.GetWgPubKey())
 	}

-	toRemove := util.SliceDiff(currentPeers, newPeers)
+	toRemove := util.SliceDiff(e.peerStore.PeersPubKey(), newPeers)

 	for _, p := range toRemove {
 		err := e.removePeer(p)
@@ -483,7 +514,7 @@ func (e *Engine) removePeers(peersUpdate []*mgmProto.RemotePeerConfig) error {

 func (e *Engine) removeAllPeers() error {
 	log.Debugf("removing all peer connections")
-	for p := range e.peerConns {
+	for _, p := range e.peerStore.PeersPubKey() {
 		err := e.removePeer(p)
 		if err != nil {
 			return err
@@ -507,9 +538,8 @@ func (e *Engine) removePeer(peerKey string) error {
 		}
 	}()

-	conn, exists := e.peerConns[peerKey]
+	conn, exists := e.peerStore.Remove(peerKey)
 	if exists {
-		delete(e.peerConns, peerKey)
 		conn.Close()
 	}
 	return nil
@@ -564,13 +594,22 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 		return err
 	}

-	if update.GetNetworkMap() != nil {
-		// only apply new changes and ignore old ones
-		err := e.updateNetworkMap(update.GetNetworkMap())
-		if err != nil {
-			return err
-		}
+	nm := update.GetNetworkMap()
+	if nm == nil {
+		return nil
 	}
+
+	// Store network map if persistence is enabled
+	if e.persistNetworkMap {
+		e.latestNetworkMap = nm
+		log.Debugf("network map persisted with serial %d", nm.GetSerial())
+	}
+
+	// only apply new changes and ignore old ones
+	if err := e.updateNetworkMap(nm); err != nil {
+		return err
+	}
+
 	return nil
 }

@@ -744,7 +783,6 @@ func (e *Engine) updateTURNs(turns []*mgmProto.ProtectedHostConfig) error {
 }

 func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
-
 	// intentionally leave it before checking serial because for now it can happen that peer IP changed but serial didn't
 	if networkMap.GetPeerConfig() != nil {
 		err := e.updateConfig(networkMap.GetPeerConfig())
@@ -764,20 +802,16 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		e.acl.ApplyFiltering(networkMap)
 	}

-	protoRoutes := networkMap.GetRoutes()
-	if protoRoutes == nil {
-		protoRoutes = []*mgmProto.Route{}
-	}
+	// DNS forwarder
+	dnsRouteFeatureFlag := toDNSFeatureFlag(networkMap)
+	dnsRouteDomains := toRouteDomains(e.config.WgPrivateKey.PublicKey().String(), networkMap.GetRoutes())
+	e.updateDNSForwarder(dnsRouteFeatureFlag, dnsRouteDomains)

-	_, clientRoutes, err := e.routeManager.UpdateRoutes(serial, toRoutes(protoRoutes))
-	if err != nil {
+	routes := toRoutes(networkMap.GetRoutes())
+	if err := e.routeManager.UpdateRoutes(serial, routes, dnsRouteFeatureFlag); err != nil {
 		log.Errorf("failed to update clientRoutes, err: %v", err)
 	}

-	e.clientRoutesMu.Lock()
-	e.clientRoutes = clientRoutes
-	e.clientRoutesMu.Unlock()
-
 	log.Debugf("got peers update from Management Service, total peers to connect to = %d", len(networkMap.GetRemotePeers()))

 	e.updateOfflinePeers(networkMap.GetOfflinePeers())
@@ -825,8 +859,7 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		protoDNSConfig = &mgmProto.DNSConfig{}
 	}

-	err = e.dnsServer.UpdateDNSServer(serial, toDNSConfig(protoDNSConfig))
-	if err != nil {
+	if err := e.dnsServer.UpdateDNSServer(serial, toDNSConfig(protoDNSConfig)); err != nil {
 		log.Errorf("failed to update dns server, err: %v", err)
 	}

@@ -839,7 +872,18 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 	return nil
 }

+func toDNSFeatureFlag(networkMap *mgmProto.NetworkMap) bool {
+	if networkMap.PeerConfig != nil {
+		return networkMap.PeerConfig.RoutingPeerDnsResolutionEnabled
+	}
+	return false
+}
+
 func toRoutes(protoRoutes []*mgmProto.Route) []*route.Route {
+	if protoRoutes == nil {
+		protoRoutes = []*mgmProto.Route{}
+	}
+
 	routes := make([]*route.Route, 0)
 	for _, protoRoute := range protoRoutes {
 		var prefix netip.Prefix
@@ -850,6 +894,7 @@ func toRoutes(protoRoutes []*mgmProto.Route) []*route.Route {
 				continue
 			}
 		}
+
 		convertedRoute := &route.Route{
 			ID:          route.ID(protoRoute.ID),
 			Network:     prefix,
@@ -866,6 +911,23 @@ func toRoutes(protoRoutes []*mgmProto.Route) []*route.Route {
 	return routes
 }

+func toRouteDomains(myPubKey string, protoRoutes []*mgmProto.Route) []string {
+	if protoRoutes == nil {
+		protoRoutes = []*mgmProto.Route{}
+	}
+
+	var dnsRoutes []string
+	for _, protoRoute := range protoRoutes {
+		if len(protoRoute.Domains) == 0 {
+			continue
+		}
+		if protoRoute.Peer == myPubKey {
+			dnsRoutes = append(dnsRoutes, protoRoute.Domains...)
+		}
+	}
+	return dnsRoutes
+}
+
 func toDNSConfig(protoDNSConfig *mgmProto.DNSConfig) nbdns.Config {
 	dnsUpdate := nbdns.Config{
 		ServiceEnable:    protoDNSConfig.GetServiceEnable(),
@@ -940,12 +1002,16 @@ func (e *Engine) addNewPeers(peersUpdate []*mgmProto.RemotePeerConfig) error {
 func (e *Engine) addNewPeer(peerConfig *mgmProto.RemotePeerConfig) error {
 	peerKey := peerConfig.GetWgPubKey()
 	peerIPs := peerConfig.GetAllowedIps()
-	if _, ok := e.peerConns[peerKey]; !ok {
+	if _, ok := e.peerStore.PeerConn(peerKey); !ok {
 		conn, err := e.createPeerConn(peerKey, strings.Join(peerIPs, ","))
 		if err != nil {
 			return fmt.Errorf("create peer connection: %w", err)
 		}
-		e.peerConns[peerKey] = conn
+
+		if ok := e.peerStore.AddPeerConn(peerKey, conn); !ok {
+			conn.Close()
+			return fmt.Errorf("peer already exists: %s", peerKey)
+		}

 		if e.beforePeerHook != nil && e.afterPeerHook != nil {
 			conn.AddBeforeAddPeerHook(e.beforePeerHook)
@@ -1013,7 +1079,7 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, e
 		},
 	}

-	peerConn, err := peer.NewConn(e.ctx, config, e.statusRecorder, e.signaler, e.mobileDep.IFaceDiscover, e.relayManager, e.srWatcher)
+	peerConn, err := peer.NewConn(e.ctx, config, e.statusRecorder, e.signaler, e.mobileDep.IFaceDiscover, e.relayManager, e.srWatcher, e.connSemaphore)
 	if err != nil {
 		return nil, err
 	}
@@ -1034,8 +1100,8 @@ func (e *Engine) receiveSignalEvents() {
 			e.syncMsgMux.Lock()
 			defer e.syncMsgMux.Unlock()

-			conn := e.peerConns[msg.Key]
-			if conn == nil {
+			conn, ok := e.peerStore.PeerConn(msg.Key)
+			if !ok {
 				return fmt.Errorf("wrongly addressed message %s", msg.Key)
 			}

@@ -1093,7 +1159,7 @@ func (e *Engine) receiveSignalEvents() {
 					return err
 				}

-				go conn.OnRemoteCandidate(candidate, e.GetClientRoutes())
+				go conn.OnRemoteCandidate(candidate, e.routeManager.GetClientRoutes())
 			case sProto.Body_MODE:
 			}

@@ -1280,26 +1346,6 @@ func (e *Engine) newDnsServer() ([]*route.Route, dns.Server, error) {
 	}
 }

-// GetClientRoutes returns the current routes from the route map
-func (e *Engine) GetClientRoutes() route.HAMap {
-	e.clientRoutesMu.RLock()
-	defer e.clientRoutesMu.RUnlock()
-
-	return maps.Clone(e.clientRoutes)
-}
-
-// GetClientRoutesWithNetID returns the current routes from the route map, but the keys consist of the network ID only
-func (e *Engine) GetClientRoutesWithNetID() map[route.NetID][]*route.Route {
-	e.clientRoutesMu.RLock()
-	defer e.clientRoutesMu.RUnlock()
-
-	routes := make(map[route.NetID][]*route.Route, len(e.clientRoutes))
-	for id, v := range e.clientRoutes {
-		routes[id.NetID()] = v
-	}
-	return routes
-}
-
 // GetRouteManager returns the route manager
 func (e *Engine) GetRouteManager() routemanager.Manager {
 	return e.routeManager
@@ -1384,9 +1430,8 @@ func (e *Engine) receiveProbeEvents() {
 		go e.probes.WgProbe.Receive(e.ctx, func() bool {
 			log.Debug("received wg probe request")

-			for _, peer := range e.peerConns {
-				key := peer.GetKey()
-				wgStats, err := peer.WgConfig().WgInterface.GetStats(key)
+			for _, key := range e.peerStore.PeersPubKey() {
+				wgStats, err := e.wgInterface.GetStats(key)
 				if err != nil {
 					log.Debugf("failed to get wg stats for peer %s: %s", key, err)
 				}
@@ -1463,7 +1508,7 @@ func (e *Engine) startNetworkMonitor() {

 func (e *Engine) addrViaRoutes(addr netip.Addr) (bool, netip.Prefix, error) {
 	var vpnRoutes []netip.Prefix
-	for _, routes := range e.GetClientRoutes() {
+	for _, routes := range e.routeManager.GetClientRoutes() {
 		if len(routes) > 0 && routes[0] != nil {
 			vpnRoutes = append(vpnRoutes, routes[0].Network)
 		}
@@ -1491,6 +1536,80 @@ func (e *Engine) stopDNSServer() {
 	e.statusRecorder.UpdateDNSStates(nsGroupStates)
 }

+// SetNetworkMapPersistence enables or disables network map persistence
+func (e *Engine) SetNetworkMapPersistence(enabled bool) {
+	e.syncMsgMux.Lock()
+	defer e.syncMsgMux.Unlock()
+
+	if enabled == e.persistNetworkMap {
+		return
+	}
+	e.persistNetworkMap = enabled
+	log.Debugf("Network map persistence is set to %t", enabled)
+
+	if !enabled {
+		e.latestNetworkMap = nil
+	}
+}
+
+// GetLatestNetworkMap returns the stored network map if persistence is enabled
+func (e *Engine) GetLatestNetworkMap() (*mgmProto.NetworkMap, error) {
+	e.syncMsgMux.Lock()
+	defer e.syncMsgMux.Unlock()
+
+	if !e.persistNetworkMap {
+		return nil, errors.New("network map persistence is disabled")
+	}
+
+	if e.latestNetworkMap == nil {
+		//nolint:nilnil
+		return nil, nil
+	}
+
+	// Create a deep copy to avoid external modifications
+	nm, ok := proto.Clone(e.latestNetworkMap).(*mgmProto.NetworkMap)
+	if !ok {
+
+		return nil, fmt.Errorf("failed to clone network map")
+	}
+
+	return nm, nil
+}
+
+// updateDNSForwarder start or stop the DNS forwarder based on the domains and the feature flag
+func (e *Engine) updateDNSForwarder(enabled bool, domains []string) {
+	if !enabled {
+		if e.dnsForwardMgr == nil {
+			return
+		}
+		if err := e.dnsForwardMgr.Stop(context.Background()); err != nil {
+			log.Errorf("failed to stop DNS forward: %v", err)
+		}
+		return
+	}
+
+	if len(domains) > 0 {
+		log.Infof("enable domain router service for domains: %v", domains)
+		if e.dnsForwardMgr == nil {
+			e.dnsForwardMgr = dnsfwd.NewManager(e.firewall)
+
+			if err := e.dnsForwardMgr.Start(domains); err != nil {
+				log.Errorf("failed to start DNS forward: %v", err)
+				e.dnsForwardMgr = nil
+			}
+		} else {
+			log.Infof("update domain router service for domains: %v", domains)
+			e.dnsForwardMgr.UpdateDomains(domains)
+		}
+	} else if e.dnsForwardMgr != nil {
+		log.Infof("disable domain router service")
+		if err := e.dnsForwardMgr.Stop(context.Background()); err != nil {
+			log.Errorf("failed to stop DNS forward: %v", err)
+		}
+		e.dnsForwardMgr = nil
+	}
+}
+
 // isChecksEqual checks if two slices of checks are equal.
 func isChecksEqual(checks []*mgmProto.Checks, oChecks []*mgmProto.Checks) bool {
 	for _, check := range checks {
--- a/client/internal/engine_test.go
+++ b/client/internal/engine_test.go
@@ -39,6 +39,8 @@ import (
 	mgmtProto "github.com/netbirdio/netbird/management/proto"
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/settings"
+	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/telemetry"
 	relayClient "github.com/netbirdio/netbird/relay/client"
 	"github.com/netbirdio/netbird/route"
@@ -245,12 +247,15 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 		nil)

 	wgIface := &iface.MockWGIface{
+		NameFunc: func() string { return "utun102" },
 		RemovePeerFunc: func(peerKey string) error {
 			return nil
 		},
 	}
 	engine.wgInterface = wgIface
-	engine.routeManager = routemanager.NewManager(ctx, key.PublicKey().String(), time.Minute, engine.wgInterface, engine.statusRecorder, relayMgr, nil)
+	engine.routeManager = routemanager.NewManager(ctx, key.PublicKey().String(), time.Minute, engine.wgInterface, engine.statusRecorder, relayMgr, nil, nil, nil, nil)
+	_, _, err = engine.routeManager.Init()
+	require.NoError(t, err)
 	engine.dnsServer = &dns.MockServer{
 		UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil },
 	}
@@ -388,8 +393,8 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 				return
 			}

-			if len(engine.peerConns) != c.expectedLen {
-				t.Errorf("expecting Engine.peerConns to be of size %d, got %d", c.expectedLen, len(engine.peerConns))
+			if len(engine.peerStore.PeersPubKey()) != c.expectedLen {
+				t.Errorf("expecting Engine.peerConns to be of size %d, got %d", c.expectedLen, len(engine.peerStore.PeersPubKey()))
 			}

 			if engine.networkSerial != c.expectedSerial {
@@ -397,7 +402,7 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 			}

 			for _, p := range c.expectedPeers {
-				conn, ok := engine.peerConns[p.GetWgPubKey()]
+				conn, ok := engine.peerStore.PeerConn(p.GetWgPubKey())
 				if !ok {
 					t.Errorf("expecting Engine.peerConns to contain peer %s", p)
 				}
@@ -622,10 +627,10 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 			}{}

 			mockRouteManager := &routemanager.MockManager{
-				UpdateRoutesFunc: func(updateSerial uint64, newRoutes []*route.Route) (map[route.ID]*route.Route, route.HAMap, error) {
+				UpdateRoutesFunc: func(updateSerial uint64, newRoutes []*route.Route) error {
 					input.inputSerial = updateSerial
 					input.inputRoutes = newRoutes
-					return nil, nil, testCase.inputErr
+					return testCase.inputErr
 				},
 			}

@@ -798,8 +803,8 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 			assert.NoError(t, err, "shouldn't return error")

 			mockRouteManager := &routemanager.MockManager{
-				UpdateRoutesFunc: func(updateSerial uint64, newRoutes []*route.Route) (map[route.ID]*route.Route, route.HAMap, error) {
-					return nil, nil, nil
+				UpdateRoutesFunc: func(updateSerial uint64, newRoutes []*route.Route) error {
+					return nil
 				},
 			}

@@ -1193,7 +1198,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 	}
 	s := grpc.NewServer(grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp))

-	store, cleanUp, err := server.NewTestStoreFromSQL(context.Background(), testFile, config.Datadir)
+	store, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), testFile, config.Datadir)
 	if err != nil {
 		return nil, "", err
 	}
@@ -1215,7 +1220,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 	}

 	secretsManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay)
-	mgmtServer, err := server.NewServer(context.Background(), config, accountManager, peersUpdateManager, secretsManager, nil, nil)
+	mgmtServer, err := server.NewServer(context.Background(), config, accountManager, settings.NewManager(store), peersUpdateManager, secretsManager, nil, nil)
 	if err != nil {
 		return nil, "", err
 	}
@@ -1234,7 +1239,8 @@ func getConnectedPeers(e *Engine) int {
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()
 	i := 0
-	for _, conn := range e.peerConns {
+	for _, id := range e.peerStore.PeersPubKey() {
+		conn, _ := e.peerStore.PeerConn(id)
 		if conn.Status() == peer.StatusConnected {
 			i++
 		}
@@ -1246,5 +1252,5 @@ func getPeers(e *Engine) int {
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()

-	return len(e.peerConns)
+	return len(e.peerStore.PeersPubKey())
 }
--- a/client/internal/mobile_dependency.go
+++ b/client/internal/mobile_dependency.go
@@ -19,4 +19,5 @@ type MobileDependency struct {
 	//	iOS only
 	DnsManager     dns.IosDnsManager
 	FileDescriptor int32
+	StateFilePath  string
 }
--- a/client/internal/peer/conn.go
+++ b/client/internal/peer/conn.go
@@ -23,6 +23,7 @@ import (
 	relayClient "github.com/netbirdio/netbird/relay/client"
 	"github.com/netbirdio/netbird/route"
 	nbnet "github.com/netbirdio/netbird/util/net"
+	semaphoregroup "github.com/netbirdio/netbird/util/semaphore-group"
 )

 type ConnPriority int
@@ -83,7 +84,6 @@ type Conn struct {
 	signaler       *Signaler
 	relayManager   *relayClient.Manager
 	allowedIP      net.IP
-	allowedNet     string
 	handshaker     *Handshaker

 	onConnected    func(remoteWireGuardKey string, remoteRosenpassPubKey []byte, wireGuardIP string, remoteRosenpassAddr string)
@@ -105,13 +105,14 @@ type Conn struct {
 	wgProxyICE   wgproxy.Proxy
 	wgProxyRelay wgproxy.Proxy

-	guard *guard.Guard
+	guard     *guard.Guard
+	semaphore *semaphoregroup.SemaphoreGroup
 }

 // NewConn creates a new not opened Conn to the remote peer.
 // To establish a connection run Conn.Open
-func NewConn(engineCtx context.Context, config ConnConfig, statusRecorder *Status, signaler *Signaler, iFaceDiscover stdnet.ExternalIFaceDiscover, relayManager *relayClient.Manager, srWatcher *guard.SRWatcher) (*Conn, error) {
-	allowedIP, allowedNet, err := net.ParseCIDR(config.WgConfig.AllowedIps)
+func NewConn(engineCtx context.Context, config ConnConfig, statusRecorder *Status, signaler *Signaler, iFaceDiscover stdnet.ExternalIFaceDiscover, relayManager *relayClient.Manager, srWatcher *guard.SRWatcher, semaphore *semaphoregroup.SemaphoreGroup) (*Conn, error) {
+	allowedIP, _, err := net.ParseCIDR(config.WgConfig.AllowedIps)
 	if err != nil {
 		log.Errorf("failed to parse allowedIPS: %v", err)
 		return nil, err
@@ -129,9 +130,9 @@ func NewConn(engineCtx context.Context, config ConnConfig, statusRecorder *Statu
 		signaler:       signaler,
 		relayManager:   relayManager,
 		allowedIP:      allowedIP,
-		allowedNet:     allowedNet.String(),
 		statusRelay:    NewAtomicConnStatus(),
 		statusICE:      NewAtomicConnStatus(),
+		semaphore:      semaphore,
 	}

 	rFns := WorkerRelayCallbacks{
@@ -171,6 +172,7 @@ func NewConn(engineCtx context.Context, config ConnConfig, statusRecorder *Statu
 // It will try to establish a connection using ICE and in parallel with relay. The higher priority connection type will
 // be used.
 func (conn *Conn) Open() {
+	conn.semaphore.Add(conn.ctx)
 	conn.log.Debugf("open connection to peer")

 	conn.mu.Lock()
@@ -193,6 +195,7 @@ func (conn *Conn) Open() {
 }

 func (conn *Conn) startHandshakeAndReconnect(ctx context.Context) {
+	defer conn.semaphore.Done(conn.ctx)
 	conn.waitInitialRandomSleepTime(ctx)

 	err := conn.handshaker.sendOffer()
@@ -594,14 +597,13 @@ func (conn *Conn) doOnConnected(remoteRosenpassPubKey []byte, remoteRosenpassAdd
 	}

 	if conn.onConnected != nil {
-		conn.onConnected(conn.config.Key, remoteRosenpassPubKey, conn.allowedNet, remoteRosenpassAddr)
+		conn.onConnected(conn.config.Key, remoteRosenpassPubKey, conn.allowedIP.String(), remoteRosenpassAddr)
 	}
 }

 func (conn *Conn) waitInitialRandomSleepTime(ctx context.Context) {
-	minWait := 100
-	maxWait := 800
-	duration := time.Duration(rand.Intn(maxWait-minWait)+minWait) * time.Millisecond
+	maxWait := 300
+	duration := time.Duration(rand.Intn(maxWait)) * time.Millisecond

 	timeout := time.NewTimer(duration)
 	defer timeout.Stop()
@@ -745,6 +747,11 @@ func (conn *Conn) setRelayedProxy(proxy wgproxy.Proxy) {
 	conn.wgProxyRelay = proxy
 }

+// AllowedIP returns the allowed IP of the remote peer
+func (conn *Conn) AllowedIP() net.IP {
+	return conn.allowedIP
+}
+
 func isController(config ConnConfig) bool {
 	return config.LocalKey > config.Key
 }
--- a/client/internal/peer/conn_test.go
+++ b/client/internal/peer/conn_test.go
@@ -14,6 +14,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer/ice"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/util"
+	semaphoregroup "github.com/netbirdio/netbird/util/semaphore-group"
 )

 var connConf = ConnConfig{
@@ -46,7 +47,7 @@ func TestNewConn_interfaceFilter(t *testing.T) {

 func TestConn_GetKey(t *testing.T) {
 	swWatcher := guard.NewSRWatcher(nil, nil, nil, connConf.ICEConfig)
-	conn, err := NewConn(context.Background(), connConf, nil, nil, nil, nil, swWatcher)
+	conn, err := NewConn(context.Background(), connConf, nil, nil, nil, nil, swWatcher, semaphoregroup.NewSemaphoreGroup(1))
 	if err != nil {
 		return
 	}
@@ -58,7 +59,7 @@ func TestConn_GetKey(t *testing.T) {

 func TestConn_OnRemoteOffer(t *testing.T) {
 	swWatcher := guard.NewSRWatcher(nil, nil, nil, connConf.ICEConfig)
-	conn, err := NewConn(context.Background(), connConf, NewRecorder("https://mgm"), nil, nil, nil, swWatcher)
+	conn, err := NewConn(context.Background(), connConf, NewRecorder("https://mgm"), nil, nil, nil, swWatcher, semaphoregroup.NewSemaphoreGroup(1))
 	if err != nil {
 		return
 	}
@@ -92,7 +93,7 @@ func TestConn_OnRemoteOffer(t *testing.T) {

 func TestConn_OnRemoteAnswer(t *testing.T) {
 	swWatcher := guard.NewSRWatcher(nil, nil, nil, connConf.ICEConfig)
-	conn, err := NewConn(context.Background(), connConf, NewRecorder("https://mgm"), nil, nil, nil, swWatcher)
+	conn, err := NewConn(context.Background(), connConf, NewRecorder("https://mgm"), nil, nil, nil, swWatcher, semaphoregroup.NewSemaphoreGroup(1))
 	if err != nil {
 		return
 	}
@@ -125,7 +126,7 @@ func TestConn_OnRemoteAnswer(t *testing.T) {
 }
 func TestConn_Status(t *testing.T) {
 	swWatcher := guard.NewSRWatcher(nil, nil, nil, connConf.ICEConfig)
-	conn, err := NewConn(context.Background(), connConf, NewRecorder("https://mgm"), nil, nil, nil, swWatcher)
+	conn, err := NewConn(context.Background(), connConf, NewRecorder("https://mgm"), nil, nil, nil, swWatcher, semaphoregroup.NewSemaphoreGroup(1))
 	if err != nil {
 		return
 	}
--- a/client/internal/peer/status.go
+++ b/client/internal/peer/status.go
@@ -17,6 +17,11 @@ import (
 	relayClient "github.com/netbirdio/netbird/relay/client"
 )

+type ResolvedDomainInfo struct {
+	Prefixes     []netip.Prefix
+	ParentDomain domain.Domain
+}
+
 // State contains the latest state of a peer
 type State struct {
 	Mux                        *sync.RWMutex
@@ -138,7 +143,7 @@ type Status struct {
 	rosenpassEnabled      bool
 	rosenpassPermissive   bool
 	nsGroupStates         []NSGroupState
-	resolvedDomainsStates map[domain.Domain][]netip.Prefix
+	resolvedDomainsStates map[domain.Domain]ResolvedDomainInfo

 	// To reduce the number of notification invocation this bool will be true when need to call the notification
 	// Some Peer actions mostly used by in a batch when the network map has been synchronized. In these type of events
@@ -156,7 +161,7 @@ func NewRecorder(mgmAddress string) *Status {
 		offlinePeers:          make([]State, 0),
 		notifier:              newNotifier(),
 		mgmAddress:            mgmAddress,
-		resolvedDomainsStates: make(map[domain.Domain][]netip.Prefix),
+		resolvedDomainsStates: map[domain.Domain]ResolvedDomainInfo{},
 	}
 }

@@ -591,16 +596,27 @@ func (d *Status) UpdateDNSStates(dnsStates []NSGroupState) {
 	d.nsGroupStates = dnsStates
 }

-func (d *Status) UpdateResolvedDomainsStates(domain domain.Domain, prefixes []netip.Prefix) {
+func (d *Status) UpdateResolvedDomainsStates(originalDomain domain.Domain, resolvedDomain domain.Domain, prefixes []netip.Prefix) {
 	d.mux.Lock()
 	defer d.mux.Unlock()
-	d.resolvedDomainsStates[domain] = prefixes
+
+	// Store both the original domain pattern and resolved domain
+	d.resolvedDomainsStates[resolvedDomain] = ResolvedDomainInfo{
+		Prefixes:     prefixes,
+		ParentDomain: originalDomain,
+	}
 }

 func (d *Status) DeleteResolvedDomainsStates(domain domain.Domain) {
 	d.mux.Lock()
 	defer d.mux.Unlock()
-	delete(d.resolvedDomainsStates, domain)
+
+	// Remove all entries that have this domain as their parent
+	for k, v := range d.resolvedDomainsStates {
+		if v.ParentDomain == domain {
+			delete(d.resolvedDomainsStates, k)
+		}
+	}
 }

 func (d *Status) GetRosenpassState() RosenpassState {
@@ -702,7 +718,7 @@ func (d *Status) GetDNSStates() []NSGroupState {
 	return d.nsGroupStates
 }

-func (d *Status) GetResolvedDomainsStates() map[domain.Domain][]netip.Prefix {
+func (d *Status) GetResolvedDomainsStates() map[domain.Domain]ResolvedDomainInfo {
 	d.mux.Lock()
 	defer d.mux.Unlock()
 	return maps.Clone(d.resolvedDomainsStates)
--- a/client/internal/peer/worker_ice.go
+++ b/client/internal/peer/worker_ice.go
@@ -264,7 +264,13 @@ func (w *WorkerICE) closeAgent(cancel context.CancelFunc) {
 func (w *WorkerICE) punchRemoteWGPort(pair *ice.CandidatePair, remoteWgPort int) {
 	// wait local endpoint configuration
 	time.Sleep(time.Second)
-	addr, err := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", pair.Remote.Address(), remoteWgPort))
+	addrString := pair.Remote.Address()
+	parsed, err := netip.ParseAddr(addrString)
+	if (err == nil) && (parsed.Is6()) {
+		addrString = fmt.Sprintf("[%s]", addrString)
+		//IPv6 Literals need to be wrapped in brackets for Resolve*Addr()
+	}
+	addr, err := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", addrString, remoteWgPort))
 	if err != nil {
 		w.log.Warnf("got an error while resolving the udp address, err: %s", err)
 		return
--- a/client/internal/peerstore/store.go
+++ b/client/internal/peerstore/store.go
@@ -0,0 +1,87 @@
+package peerstore
+
+import (
+	"net"
+	"sync"
+
+	"golang.org/x/exp/maps"
+
+	"github.com/netbirdio/netbird/client/internal/peer"
+)
+
+// Store is a thread-safe store for peer connections.
+type Store struct {
+	peerConns   map[string]*peer.Conn
+	peerConnsMu sync.RWMutex
+}
+
+func NewConnStore() *Store {
+	return &Store{
+		peerConns: make(map[string]*peer.Conn),
+	}
+}
+
+func (s *Store) AddPeerConn(pubKey string, conn *peer.Conn) bool {
+	s.peerConnsMu.Lock()
+	defer s.peerConnsMu.Unlock()
+
+	_, ok := s.peerConns[pubKey]
+	if ok {
+		return false
+	}
+
+	s.peerConns[pubKey] = conn
+	return true
+}
+
+func (s *Store) Remove(pubKey string) (*peer.Conn, bool) {
+	s.peerConnsMu.Lock()
+	defer s.peerConnsMu.Unlock()
+
+	p, ok := s.peerConns[pubKey]
+	if !ok {
+		return nil, false
+	}
+	delete(s.peerConns, pubKey)
+	return p, true
+}
+
+func (s *Store) AllowedIPs(pubKey string) (string, bool) {
+	s.peerConnsMu.RLock()
+	defer s.peerConnsMu.RUnlock()
+
+	p, ok := s.peerConns[pubKey]
+	if !ok {
+		return "", false
+	}
+	return p.WgConfig().AllowedIps, true
+}
+
+func (s *Store) AllowedIP(pubKey string) (net.IP, bool) {
+	s.peerConnsMu.RLock()
+	defer s.peerConnsMu.RUnlock()
+
+	p, ok := s.peerConns[pubKey]
+	if !ok {
+		return nil, false
+	}
+	return p.AllowedIP(), true
+}
+
+func (s *Store) PeerConn(pubKey string) (*peer.Conn, bool) {
+	s.peerConnsMu.RLock()
+	defer s.peerConnsMu.RUnlock()
+
+	p, ok := s.peerConns[pubKey]
+	if !ok {
+		return nil, false
+	}
+	return p, true
+}
+
+func (s *Store) PeersPubKey() []string {
+	s.peerConnsMu.RLock()
+	defer s.peerConnsMu.RUnlock()
+
+	return maps.Keys(s.peerConns)
+}
--- a/client/internal/routemanager/client.go
+++ b/client/internal/routemanager/client.go
@@ -13,12 +13,20 @@ import (
 	"github.com/netbirdio/netbird/client/iface"
 	nbdns "github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/peerstore"
+	"github.com/netbirdio/netbird/client/internal/routemanager/dnsinterceptor"
 	"github.com/netbirdio/netbird/client/internal/routemanager/dynamic"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
 	"github.com/netbirdio/netbird/client/internal/routemanager/static"
 	"github.com/netbirdio/netbird/route"
 )

+const (
+	handlerTypeDynamic = iota
+	handlerTypeDomain
+	handlerTypeStatic
+)
+
 type routerPeerStatus struct {
 	connected bool
 	relayed   bool
@@ -53,7 +61,18 @@ type clientNetwork struct {
 	updateSerial        uint64
 }

-func newClientNetworkWatcher(ctx context.Context, dnsRouteInterval time.Duration, wgInterface iface.IWGIface, statusRecorder *peer.Status, rt *route.Route, routeRefCounter *refcounter.RouteRefCounter, allowedIPsRefCounter *refcounter.AllowedIPsRefCounter) *clientNetwork {
+func newClientNetworkWatcher(
+	ctx context.Context,
+	dnsRouteInterval time.Duration,
+	wgInterface iface.IWGIface,
+	statusRecorder *peer.Status,
+	rt *route.Route,
+	routeRefCounter *refcounter.RouteRefCounter,
+	allowedIPsRefCounter *refcounter.AllowedIPsRefCounter,
+	dnsServer nbdns.Server,
+	peerStore *peerstore.Store,
+	useNewDNSRoute bool,
+) *clientNetwork {
 	ctx, cancel := context.WithCancel(ctx)

 	client := &clientNetwork{
@@ -65,7 +84,17 @@ func newClientNetworkWatcher(ctx context.Context, dnsRouteInterval time.Duration
 		routePeersNotifiers: make(map[string]chan struct{}),
 		routeUpdate:         make(chan routesUpdate),
 		peerStateUpdate:     make(chan struct{}),
-		handler:             handlerFromRoute(rt, routeRefCounter, allowedIPsRefCounter, dnsRouteInterval, statusRecorder, wgInterface),
+		handler: handlerFromRoute(
+			rt,
+			routeRefCounter,
+			allowedIPsRefCounter,
+			dnsRouteInterval,
+			statusRecorder,
+			wgInterface,
+			dnsServer,
+			peerStore,
+			useNewDNSRoute,
+		),
 	}
 	return client
 }
@@ -368,10 +397,50 @@ func (c *clientNetwork) peersStateAndUpdateWatcher() {
 	}
 }

-func handlerFromRoute(rt *route.Route, routeRefCounter *refcounter.RouteRefCounter, allowedIPsRefCounter *refcounter.AllowedIPsRefCounter, dnsRouterInteval time.Duration, statusRecorder *peer.Status, wgInterface iface.IWGIface) RouteHandler {
-	if rt.IsDynamic() {
+func handlerFromRoute(
+	rt *route.Route,
+	routeRefCounter *refcounter.RouteRefCounter,
+	allowedIPsRefCounter *refcounter.AllowedIPsRefCounter,
+	dnsRouterInteval time.Duration,
+	statusRecorder *peer.Status,
+	wgInterface iface.IWGIface,
+	dnsServer nbdns.Server,
+	peerStore *peerstore.Store,
+	useNewDNSRoute bool,
+) RouteHandler {
+	switch handlerType(rt, useNewDNSRoute) {
+	case handlerTypeDomain:
+		return dnsinterceptor.New(
+			rt,
+			routeRefCounter,
+			allowedIPsRefCounter,
+			statusRecorder,
+			dnsServer,
+			peerStore,
+		)
+	case handlerTypeDynamic:
 		dns := nbdns.NewServiceViaMemory(wgInterface)
-		return dynamic.NewRoute(rt, routeRefCounter, allowedIPsRefCounter, dnsRouterInteval, statusRecorder, wgInterface, fmt.Sprintf("%s:%d", dns.RuntimeIP(), dns.RuntimePort()))
+		return dynamic.NewRoute(
+			rt,
+			routeRefCounter,
+			allowedIPsRefCounter,
+			dnsRouterInteval,
+			statusRecorder,
+			wgInterface,
+			fmt.Sprintf("%s:%d", dns.RuntimeIP(), dns.RuntimePort()),
+		)
+	default:
+		return static.NewRoute(rt, routeRefCounter, allowedIPsRefCounter)
 	}
-	return static.NewRoute(rt, routeRefCounter, allowedIPsRefCounter)
+}
+
+func handlerType(rt *route.Route, useNewDNSRoute bool) int {
+	if !rt.IsDynamic() {
+		return handlerTypeStatic
+	}
+
+	if useNewDNSRoute {
+		return handlerTypeDomain
+	}
+	return handlerTypeDynamic
 }
--- a/client/internal/routemanager/dnsinterceptor/handler.go
+++ b/client/internal/routemanager/dnsinterceptor/handler.go
@@ -0,0 +1,356 @@
+package dnsinterceptor
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/netip"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/hashicorp/go-multierror"
+	"github.com/miekg/dns"
+	log "github.com/sirupsen/logrus"
+
+	nberrors "github.com/netbirdio/netbird/client/errors"
+	nbdns "github.com/netbirdio/netbird/client/internal/dns"
+	"github.com/netbirdio/netbird/client/internal/dnsfwd"
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/peerstore"
+	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
+	"github.com/netbirdio/netbird/management/domain"
+	"github.com/netbirdio/netbird/route"
+)
+
+type domainMap map[domain.Domain][]netip.Prefix
+
+type DnsInterceptor struct {
+	mu                   sync.RWMutex
+	route                *route.Route
+	routeRefCounter      *refcounter.RouteRefCounter
+	allowedIPsRefcounter *refcounter.AllowedIPsRefCounter
+	statusRecorder       *peer.Status
+	dnsServer            nbdns.Server
+	currentPeerKey       string
+	interceptedDomains   domainMap
+	peerStore            *peerstore.Store
+}
+
+func New(
+	rt *route.Route,
+	routeRefCounter *refcounter.RouteRefCounter,
+	allowedIPsRefCounter *refcounter.AllowedIPsRefCounter,
+	statusRecorder *peer.Status,
+	dnsServer nbdns.Server,
+	peerStore *peerstore.Store,
+) *DnsInterceptor {
+	return &DnsInterceptor{
+		route:                rt,
+		routeRefCounter:      routeRefCounter,
+		allowedIPsRefcounter: allowedIPsRefCounter,
+		statusRecorder:       statusRecorder,
+		dnsServer:            dnsServer,
+		interceptedDomains:   make(domainMap),
+		peerStore:            peerStore,
+	}
+}
+
+func (d *DnsInterceptor) String() string {
+	return d.route.Domains.SafeString()
+}
+
+func (d *DnsInterceptor) AddRoute(context.Context) error {
+	d.dnsServer.RegisterHandler(d.route.Domains.ToPunycodeList(), d, nbdns.PriorityDNSRoute)
+	return nil
+}
+
+func (d *DnsInterceptor) RemoveRoute() error {
+	d.mu.Lock()
+
+	var merr *multierror.Error
+	for domain, prefixes := range d.interceptedDomains {
+		for _, prefix := range prefixes {
+			if _, err := d.routeRefCounter.Decrement(prefix); err != nil {
+				merr = multierror.Append(merr, fmt.Errorf("remove dynamic route for IP %s: %v", prefix, err))
+			}
+			if d.currentPeerKey != "" {
+				if _, err := d.allowedIPsRefcounter.Decrement(prefix); err != nil {
+					merr = multierror.Append(merr, fmt.Errorf("remove allowed IP %s: %v", prefix, err))
+				}
+			}
+		}
+		log.Debugf("removed dynamic route(s) for [%s]: %s", domain.SafeString(), strings.ReplaceAll(fmt.Sprintf("%s", prefixes), " ", ", "))
+
+	}
+	for _, domain := range d.route.Domains {
+		d.statusRecorder.DeleteResolvedDomainsStates(domain)
+	}
+
+	clear(d.interceptedDomains)
+	d.mu.Unlock()
+
+	d.dnsServer.DeregisterHandler(d.route.Domains.ToPunycodeList(), nbdns.PriorityDNSRoute)
+
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (d *DnsInterceptor) AddAllowedIPs(peerKey string) error {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+
+	var merr *multierror.Error
+	for domain, prefixes := range d.interceptedDomains {
+		for _, prefix := range prefixes {
+			if ref, err := d.allowedIPsRefcounter.Increment(prefix, peerKey); err != nil {
+				merr = multierror.Append(merr, fmt.Errorf("add allowed IP %s: %v", prefix, err))
+			} else if ref.Count > 1 && ref.Out != peerKey {
+				log.Warnf("IP [%s] for domain [%s] is already routed by peer [%s]. HA routing disabled",
+					prefix.Addr(),
+					domain.SafeString(),
+					ref.Out,
+				)
+			}
+		}
+	}
+
+	d.currentPeerKey = peerKey
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (d *DnsInterceptor) RemoveAllowedIPs() error {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+
+	var merr *multierror.Error
+	for _, prefixes := range d.interceptedDomains {
+		for _, prefix := range prefixes {
+			if _, err := d.allowedIPsRefcounter.Decrement(prefix); err != nil {
+				merr = multierror.Append(merr, fmt.Errorf("remove allowed IP %s: %v", prefix, err))
+			}
+		}
+	}
+
+	d.currentPeerKey = ""
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+// ServeDNS implements the dns.Handler interface
+func (d *DnsInterceptor) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
+	if len(r.Question) == 0 {
+		return
+	}
+	log.Tracef("received DNS request for domain=%s type=%v class=%v",
+		r.Question[0].Name, r.Question[0].Qtype, r.Question[0].Qclass)
+
+	d.mu.RLock()
+	peerKey := d.currentPeerKey
+	d.mu.RUnlock()
+
+	if peerKey == "" {
+		log.Tracef("no current peer key set, letting next handler try for domain=%s", r.Question[0].Name)
+
+		d.continueToNextHandler(w, r, "no current peer key")
+		return
+	}
+
+	upstreamIP, err := d.getUpstreamIP(peerKey)
+	if err != nil {
+		log.Errorf("failed to get upstream IP: %v", err)
+		d.continueToNextHandler(w, r, fmt.Sprintf("failed to get upstream IP: %v", err))
+		return
+	}
+
+	client := &dns.Client{
+		Timeout: 5 * time.Second,
+		Net:     "udp",
+	}
+	upstream := fmt.Sprintf("%s:%d", upstreamIP, dnsfwd.ListenPort)
+	reply, _, err := client.ExchangeContext(context.Background(), r, upstream)
+
+	var answer []dns.RR
+	if reply != nil {
+		answer = reply.Answer
+	}
+	log.Tracef("upstream %s (%s) DNS response for domain=%s answers=%v", upstreamIP, peerKey, r.Question[0].Name, answer)
+
+	if err != nil {
+		log.Errorf("failed to exchange DNS request with %s: %v", upstream, err)
+		if err := w.WriteMsg(&dns.Msg{MsgHdr: dns.MsgHdr{Rcode: dns.RcodeServerFailure, Id: r.Id}}); err != nil {
+			log.Errorf("failed writing DNS response: %v", err)
+		}
+		return
+	}
+
+	reply.Id = r.Id
+	if err := d.writeMsg(w, reply); err != nil {
+		log.Errorf("failed writing DNS response: %v", err)
+	}
+}
+
+// continueToNextHandler signals the handler chain to try the next handler
+func (d *DnsInterceptor) continueToNextHandler(w dns.ResponseWriter, r *dns.Msg, reason string) {
+	log.Tracef("continuing to next handler for domain=%s reason=%s", r.Question[0].Name, reason)
+
+	resp := new(dns.Msg)
+	resp.SetRcode(r, dns.RcodeNameError)
+	// Set Zero bit to signal handler chain to continue
+	resp.MsgHdr.Zero = true
+	if err := w.WriteMsg(resp); err != nil {
+		log.Errorf("failed writing DNS continue response: %v", err)
+	}
+}
+
+func (d *DnsInterceptor) getUpstreamIP(peerKey string) (net.IP, error) {
+	peerAllowedIP, exists := d.peerStore.AllowedIP(peerKey)
+	if !exists {
+		return nil, fmt.Errorf("peer connection not found for key: %s", peerKey)
+	}
+	return peerAllowedIP, nil
+}
+
+func (d *DnsInterceptor) writeMsg(w dns.ResponseWriter, r *dns.Msg) error {
+	if r == nil {
+		return fmt.Errorf("received nil DNS message")
+	}
+
+	if len(r.Answer) > 0 && len(r.Question) > 0 {
+		origPattern := ""
+		if writer, ok := w.(*nbdns.ResponseWriterChain); ok {
+			origPattern = writer.GetOrigPattern()
+		}
+
+		resolvedDomain := domain.Domain(r.Question[0].Name)
+
+		// already punycode via RegisterHandler()
+		originalDomain := domain.Domain(origPattern)
+		if originalDomain == "" {
+			originalDomain = resolvedDomain
+		}
+
+		var newPrefixes []netip.Prefix
+		for _, answer := range r.Answer {
+			var ip netip.Addr
+			switch rr := answer.(type) {
+			case *dns.A:
+				addr, ok := netip.AddrFromSlice(rr.A)
+				if !ok {
+					log.Tracef("failed to convert A record for domain=%s ip=%v", resolvedDomain, rr.A)
+					continue
+				}
+				ip = addr
+			case *dns.AAAA:
+				addr, ok := netip.AddrFromSlice(rr.AAAA)
+				if !ok {
+					log.Tracef("failed to convert AAAA record for domain=%s ip=%v", resolvedDomain, rr.AAAA)
+					continue
+				}
+				ip = addr
+			default:
+				continue
+			}
+
+			prefix := netip.PrefixFrom(ip, ip.BitLen())
+			newPrefixes = append(newPrefixes, prefix)
+		}
+
+		if len(newPrefixes) > 0 {
+			if err := d.updateDomainPrefixes(resolvedDomain, originalDomain, newPrefixes); err != nil {
+				log.Errorf("failed to update domain prefixes: %v", err)
+			}
+		}
+	}
+
+	if err := w.WriteMsg(r); err != nil {
+		return fmt.Errorf("failed to write DNS response: %v", err)
+	}
+
+	return nil
+}
+
+func (d *DnsInterceptor) updateDomainPrefixes(resolvedDomain, originalDomain domain.Domain, newPrefixes []netip.Prefix) error {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+
+	oldPrefixes := d.interceptedDomains[resolvedDomain]
+	toAdd, toRemove := determinePrefixChanges(oldPrefixes, newPrefixes)
+
+	var merr *multierror.Error
+
+	// Add new prefixes
+	for _, prefix := range toAdd {
+		if _, err := d.routeRefCounter.Increment(prefix, struct{}{}); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("add route for IP %s: %v", prefix, err))
+			continue
+		}
+
+		if d.currentPeerKey == "" {
+			continue
+		}
+		if ref, err := d.allowedIPsRefcounter.Increment(prefix, d.currentPeerKey); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("add allowed IP %s: %v", prefix, err))
+		} else if ref.Count > 1 && ref.Out != d.currentPeerKey {
+			log.Warnf("IP [%s] for domain [%s] is already routed by peer [%s]. HA routing disabled",
+				prefix.Addr(),
+				resolvedDomain.SafeString(),
+				ref.Out,
+			)
+		}
+	}
+
+	if !d.route.KeepRoute {
+		// Remove old prefixes
+		for _, prefix := range toRemove {
+			if _, err := d.routeRefCounter.Decrement(prefix); err != nil {
+				merr = multierror.Append(merr, fmt.Errorf("remove route for IP %s: %v", prefix, err))
+			}
+			if d.currentPeerKey != "" {
+				if _, err := d.allowedIPsRefcounter.Decrement(prefix); err != nil {
+					merr = multierror.Append(merr, fmt.Errorf("remove allowed IP %s: %v", prefix, err))
+				}
+			}
+		}
+	}
+
+	// Update domain prefixes using resolved domain as key
+	if len(toAdd) > 0 || len(toRemove) > 0 {
+		d.interceptedDomains[resolvedDomain] = newPrefixes
+		originalDomain = domain.Domain(strings.TrimSuffix(string(originalDomain), "."))
+		d.statusRecorder.UpdateResolvedDomainsStates(originalDomain, resolvedDomain, newPrefixes)
+
+		if len(toAdd) > 0 {
+			log.Debugf("added dynamic route(s) for domain=%s (pattern: domain=%s): %s",
+				resolvedDomain.SafeString(),
+				originalDomain.SafeString(),
+				toAdd)
+		}
+		if len(toRemove) > 0 {
+			log.Debugf("removed dynamic route(s) for domain=%s (pattern: domain=%s): %s",
+				resolvedDomain.SafeString(),
+				originalDomain.SafeString(),
+				toRemove)
+		}
+	}
+
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func determinePrefixChanges(oldPrefixes, newPrefixes []netip.Prefix) (toAdd, toRemove []netip.Prefix) {
+	prefixSet := make(map[netip.Prefix]bool)
+	for _, prefix := range oldPrefixes {
+		prefixSet[prefix] = false
+	}
+	for _, prefix := range newPrefixes {
+		if _, exists := prefixSet[prefix]; exists {
+			prefixSet[prefix] = true
+		} else {
+			toAdd = append(toAdd, prefix)
+		}
+	}
+	for prefix, inUse := range prefixSet {
+		if !inUse {
+			toRemove = append(toRemove, prefix)
+		}
+	}
+	return
+}
--- a/client/internal/routemanager/dynamic/route.go
+++ b/client/internal/routemanager/dynamic/route.go
@@ -74,11 +74,7 @@ func NewRoute(
 }

 func (r *Route) String() string {
-	s, err := r.route.Domains.String()
-	if err != nil {
-		return r.route.Domains.PunycodeString()
-	}
-	return s
+	return r.route.Domains.SafeString()
 }

 func (r *Route) AddRoute(ctx context.Context) error {
@@ -292,7 +288,7 @@ func (r *Route) updateDynamicRoutes(ctx context.Context, newDomains domainMap) e
 		updatedPrefixes := combinePrefixes(oldPrefixes, removedPrefixes, addedPrefixes)
 		r.dynamicDomains[domain] = updatedPrefixes

-		r.statusRecorder.UpdateResolvedDomainsStates(domain, updatedPrefixes)
+		r.statusRecorder.UpdateResolvedDomainsStates(domain, domain, updatedPrefixes)
 	}

 	return nberrors.FormatErrorOrNil(merr)
--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -12,12 +12,15 @@ import (
 	"time"

 	log "github.com/sirupsen/logrus"
+	"golang.org/x/exp/maps"

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/configurer"
+	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/peerstore"
 	"github.com/netbirdio/netbird/client/internal/routemanager/notifier"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
@@ -32,10 +35,12 @@ import (

 // Manager is a route manager interface
 type Manager interface {
-	Init(*statemanager.Manager) (nbnet.AddHookFunc, nbnet.RemoveHookFunc, error)
-	UpdateRoutes(updateSerial uint64, newRoutes []*route.Route) (map[route.ID]*route.Route, route.HAMap, error)
+	Init() (nbnet.AddHookFunc, nbnet.RemoveHookFunc, error)
+	UpdateRoutes(updateSerial uint64, newRoutes []*route.Route, useNewDNSRoute bool) error
 	TriggerSelection(route.HAMap)
 	GetRouteSelector() *routeselector.RouteSelector
+	GetClientRoutes() route.HAMap
+	GetClientRoutesWithNetID() map[route.NetID][]*route.Route
 	SetRouteChangeListener(listener listener.NetworkChangeListener)
 	InitialRouteRange() []string
 	EnableServerRouter(firewall firewall.Manager) error
@@ -59,6 +64,12 @@ type DefaultManager struct {
 	routeRefCounter      *refcounter.RouteRefCounter
 	allowedIPsRefCounter *refcounter.AllowedIPsRefCounter
 	dnsRouteInterval     time.Duration
+	stateManager         *statemanager.Manager
+	// clientRoutes is the most recent list of clientRoutes received from the Management Service
+	clientRoutes   route.HAMap
+	dnsServer      dns.Server
+	peerStore      *peerstore.Store
+	useNewDNSRoute bool
 }

 func NewManager(
@@ -69,6 +80,9 @@ func NewManager(
 	statusRecorder *peer.Status,
 	relayMgr *relayClient.Manager,
 	initialRoutes []*route.Route,
+	stateManager *statemanager.Manager,
+	dnsServer dns.Server,
+	peerStore *peerstore.Store,
 ) *DefaultManager {
 	mCTX, cancel := context.WithCancel(ctx)
 	notifier := notifier.NewNotifier()
@@ -80,12 +94,14 @@ func NewManager(
 		dnsRouteInterval: dnsRouteInterval,
 		clientNetworks:   make(map[route.HAUniqueID]*clientNetwork),
 		relayMgr:         relayMgr,
-		routeSelector:    routeselector.NewRouteSelector(),
 		sysOps:           sysOps,
 		statusRecorder:   statusRecorder,
 		wgInterface:      wgInterface,
 		pubKey:           pubKey,
 		notifier:         notifier,
+		stateManager:     stateManager,
+		dnsServer:        dnsServer,
+		peerStore:        peerStore,
 	}

 	dm.routeRefCounter = refcounter.New(
@@ -114,14 +130,16 @@ func NewManager(
 	)

 	if runtime.GOOS == "android" {
-		cr := dm.clientRoutes(initialRoutes)
+		cr := dm.initialClientRoutes(initialRoutes)
 		dm.notifier.SetInitialClientRoutes(cr)
 	}
 	return dm
 }

 // Init sets up the routing
-func (m *DefaultManager) Init(stateManager *statemanager.Manager) (nbnet.AddHookFunc, nbnet.RemoveHookFunc, error) {
+func (m *DefaultManager) Init() (nbnet.AddHookFunc, nbnet.RemoveHookFunc, error) {
+	m.routeSelector = m.initSelector()
+
 	if nbnet.CustomRoutingDisabled() {
 		return nil, nil, nil
 	}
@@ -137,14 +155,36 @@ func (m *DefaultManager) Init(stateManager *statemanager.Manager) (nbnet.AddHook

 	ips := resolveURLsToIPs(initialAddresses)

-	beforePeerHook, afterPeerHook, err := m.sysOps.SetupRouting(ips, stateManager)
+	beforePeerHook, afterPeerHook, err := m.sysOps.SetupRouting(ips, m.stateManager)
 	if err != nil {
 		return nil, nil, fmt.Errorf("setup routing: %w", err)
 	}
+
 	log.Info("Routing setup complete")
 	return beforePeerHook, afterPeerHook, nil
 }

+func (m *DefaultManager) initSelector() *routeselector.RouteSelector {
+	var state *SelectorState
+	m.stateManager.RegisterState(state)
+
+	// restore selector state if it exists
+	if err := m.stateManager.LoadState(state); err != nil {
+		log.Warnf("failed to load state: %v", err)
+		return routeselector.NewRouteSelector()
+	}
+
+	if state := m.stateManager.GetState(state); state != nil {
+		if selector, ok := state.(*SelectorState); ok {
+			return (*routeselector.RouteSelector)(selector)
+		}
+
+		log.Warnf("failed to convert state with type %T to SelectorState", state)
+	}
+
+	return routeselector.NewRouteSelector()
+}
+
 func (m *DefaultManager) EnableServerRouter(firewall firewall.Manager) error {
 	var err error
 	m.serverRouter, err = newServerRouter(m.ctx, m.wgInterface, firewall, m.statusRecorder)
@@ -181,33 +221,41 @@ func (m *DefaultManager) Stop(stateManager *statemanager.Manager) {
 	}

 	m.ctx = nil
+
+	m.mux.Lock()
+	defer m.mux.Unlock()
+	m.clientRoutes = nil
 }

 // UpdateRoutes compares received routes with existing routes and removes, updates or adds them to the client and server maps
-func (m *DefaultManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Route) (map[route.ID]*route.Route, route.HAMap, error) {
+func (m *DefaultManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Route, useNewDNSRoute bool) error {
 	select {
 	case <-m.ctx.Done():
 		log.Infof("not updating routes as context is closed")
-		return nil, nil, m.ctx.Err()
+		return nil
 	default:
-		m.mux.Lock()
-		defer m.mux.Unlock()
-
-		newServerRoutesMap, newClientRoutesIDMap := m.classifyRoutes(newRoutes)
-
-		filteredClientRoutes := m.routeSelector.FilterSelected(newClientRoutesIDMap)
-		m.updateClientNetworks(updateSerial, filteredClientRoutes)
-		m.notifier.OnNewRoutes(filteredClientRoutes)
-
-		if m.serverRouter != nil {
-			err := m.serverRouter.updateRoutes(newServerRoutesMap)
-			if err != nil {
-				return nil, nil, fmt.Errorf("update routes: %w", err)
-			}
-		}
-
-		return newServerRoutesMap, newClientRoutesIDMap, nil
 	}
+
+	m.mux.Lock()
+	defer m.mux.Unlock()
+	m.useNewDNSRoute = useNewDNSRoute
+
+	newServerRoutesMap, newClientRoutesIDMap := m.classifyRoutes(newRoutes)
+
+	filteredClientRoutes := m.routeSelector.FilterSelected(newClientRoutesIDMap)
+	m.updateClientNetworks(updateSerial, filteredClientRoutes)
+	m.notifier.OnNewRoutes(filteredClientRoutes)
+
+	if m.serverRouter != nil {
+		err := m.serverRouter.updateRoutes(newServerRoutesMap)
+		if err != nil {
+			return err
+		}
+	}
+
+	m.clientRoutes = newClientRoutesIDMap
+
+	return nil
 }

 // SetRouteChangeListener set RouteListener for route change Notifier
@@ -225,9 +273,24 @@ func (m *DefaultManager) GetRouteSelector() *routeselector.RouteSelector {
 	return m.routeSelector
 }

-// GetClientRoutes returns the client routes
-func (m *DefaultManager) GetClientRoutes() map[route.HAUniqueID]*clientNetwork {
-	return m.clientNetworks
+// GetClientRoutes returns most recent list of clientRoutes received from the Management Service
+func (m *DefaultManager) GetClientRoutes() route.HAMap {
+	m.mux.Lock()
+	defer m.mux.Unlock()
+
+	return maps.Clone(m.clientRoutes)
+}
+
+// GetClientRoutesWithNetID returns the current routes from the route map, but the keys consist of the network ID only
+func (m *DefaultManager) GetClientRoutesWithNetID() map[route.NetID][]*route.Route {
+	m.mux.Lock()
+	defer m.mux.Unlock()
+
+	routes := make(map[route.NetID][]*route.Route, len(m.clientRoutes))
+	for id, v := range m.clientRoutes {
+		routes[id.NetID()] = v
+	}
+	return routes
 }

 // TriggerSelection triggers the selection of routes, stopping deselected watchers and starting newly selected ones
@@ -247,11 +310,26 @@ func (m *DefaultManager) TriggerSelection(networks route.HAMap) {
 			continue
 		}

-		clientNetworkWatcher := newClientNetworkWatcher(m.ctx, m.dnsRouteInterval, m.wgInterface, m.statusRecorder, routes[0], m.routeRefCounter, m.allowedIPsRefCounter)
+		clientNetworkWatcher := newClientNetworkWatcher(
+			m.ctx,
+			m.dnsRouteInterval,
+			m.wgInterface,
+			m.statusRecorder,
+			routes[0],
+			m.routeRefCounter,
+			m.allowedIPsRefCounter,
+			m.dnsServer,
+			m.peerStore,
+			m.useNewDNSRoute,
+		)
 		m.clientNetworks[id] = clientNetworkWatcher
 		go clientNetworkWatcher.peersStateAndUpdateWatcher()
 		clientNetworkWatcher.sendUpdateToClientNetworkWatcher(routesUpdate{routes: routes})
 	}
+
+	if err := m.stateManager.UpdateState((*SelectorState)(m.routeSelector)); err != nil {
+		log.Errorf("failed to update state: %v", err)
+	}
 }

 // stopObsoleteClients stops the client network watcher for the networks that are not in the new list
@@ -272,7 +350,18 @@ func (m *DefaultManager) updateClientNetworks(updateSerial uint64, networks rout
 	for id, routes := range networks {
 		clientNetworkWatcher, found := m.clientNetworks[id]
 		if !found {
-			clientNetworkWatcher = newClientNetworkWatcher(m.ctx, m.dnsRouteInterval, m.wgInterface, m.statusRecorder, routes[0], m.routeRefCounter, m.allowedIPsRefCounter)
+			clientNetworkWatcher = newClientNetworkWatcher(
+				m.ctx,
+				m.dnsRouteInterval,
+				m.wgInterface,
+				m.statusRecorder,
+				routes[0],
+				m.routeRefCounter,
+				m.allowedIPsRefCounter,
+				m.dnsServer,
+				m.peerStore,
+				m.useNewDNSRoute,
+			)
 			m.clientNetworks[id] = clientNetworkWatcher
 			go clientNetworkWatcher.peersStateAndUpdateWatcher()
 		}
@@ -315,7 +404,7 @@ func (m *DefaultManager) classifyRoutes(newRoutes []*route.Route) (map[route.ID]
 	return newServerRoutesMap, newClientRoutesIDMap
 }

-func (m *DefaultManager) clientRoutes(initialRoutes []*route.Route) []*route.Route {
+func (m *DefaultManager) initialClientRoutes(initialRoutes []*route.Route) []*route.Route {
 	_, crMap := m.classifyRoutes(initialRoutes)
 	rs := make([]*route.Route, 0, len(crMap))
 	for _, routes := range crMap {
--- a/client/internal/routemanager/manager_test.go
+++ b/client/internal/routemanager/manager_test.go
@@ -424,9 +424,9 @@ func TestManagerUpdateRoutes(t *testing.T) {

 			statusRecorder := peer.NewRecorder("https://mgm")
 			ctx := context.TODO()
-			routeManager := NewManager(ctx, localPeerKey, 0, wgInterface, statusRecorder, nil, nil)
+			routeManager := NewManager(ctx, localPeerKey, 0, wgInterface, statusRecorder, nil, nil, nil, nil, nil)

-			_, _, err = routeManager.Init(nil)
+			_, _, err = routeManager.Init()

 			require.NoError(t, err, "should init route manager")
 			defer routeManager.Stop(nil)
@@ -436,11 +436,11 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			}

 			if len(testCase.inputInitRoutes) > 0 {
-				_, _, err = routeManager.UpdateRoutes(testCase.inputSerial, testCase.inputRoutes)
+				_ = routeManager.UpdateRoutes(testCase.inputSerial, testCase.inputRoutes, false)
 				require.NoError(t, err, "should update routes with init routes")
 			}

-			_, _, err = routeManager.UpdateRoutes(testCase.inputSerial+uint64(len(testCase.inputInitRoutes)), testCase.inputRoutes)
+			_ = routeManager.UpdateRoutes(testCase.inputSerial+uint64(len(testCase.inputInitRoutes)), testCase.inputRoutes, false)
 			require.NoError(t, err, "should update routes")

 			expectedWatchers := testCase.clientNetworkWatchersExpected
--- a/client/internal/routemanager/mock.go
+++ b/client/internal/routemanager/mock.go
@@ -2,7 +2,6 @@ package routemanager

 import (
 	"context"
-	"fmt"

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
@@ -15,13 +14,15 @@ import (

 // MockManager is the mock instance of a route manager
 type MockManager struct {
-	UpdateRoutesFunc     func(updateSerial uint64, newRoutes []*route.Route) (map[route.ID]*route.Route, route.HAMap, error)
-	TriggerSelectionFunc func(haMap route.HAMap)
-	GetRouteSelectorFunc func() *routeselector.RouteSelector
-	StopFunc             func(manager *statemanager.Manager)
+	UpdateRoutesFunc             func(updateSerial uint64, newRoutes []*route.Route) error
+	TriggerSelectionFunc         func(haMap route.HAMap)
+	GetRouteSelectorFunc         func() *routeselector.RouteSelector
+	GetClientRoutesFunc          func() route.HAMap
+	GetClientRoutesWithNetIDFunc func() map[route.NetID][]*route.Route
+	StopFunc                     func(manager *statemanager.Manager)
 }

-func (m *MockManager) Init(*statemanager.Manager) (net.AddHookFunc, net.RemoveHookFunc, error) {
+func (m *MockManager) Init() (net.AddHookFunc, net.RemoveHookFunc, error) {
 	return nil, nil, nil
 }

@@ -31,11 +32,11 @@ func (m *MockManager) InitialRouteRange() []string {
 }

 // UpdateRoutes mock implementation of UpdateRoutes from Manager interface
-func (m *MockManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Route) (map[route.ID]*route.Route, route.HAMap, error) {
+func (m *MockManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Route, b bool) error {
 	if m.UpdateRoutesFunc != nil {
 		return m.UpdateRoutesFunc(updateSerial, newRoutes)
 	}
-	return nil, nil, fmt.Errorf("method UpdateRoutes is not implemented")
+	return nil
 }

 func (m *MockManager) TriggerSelection(networks route.HAMap) {
@@ -52,6 +53,22 @@ func (m *MockManager) GetRouteSelector() *routeselector.RouteSelector {
 	return nil
 }

+// GetClientRoutes mock implementation of GetClientRoutes from Manager interface
+func (m *MockManager) GetClientRoutes() route.HAMap {
+	if m.GetClientRoutesFunc != nil {
+		return m.GetClientRoutesFunc()
+	}
+	return nil
+}
+
+// GetClientRoutesWithNetID mock implementation of GetClientRoutesWithNetID from Manager interface
+func (m *MockManager) GetClientRoutesWithNetID() map[route.NetID][]*route.Route {
+	if m.GetClientRoutesWithNetIDFunc != nil {
+		return m.GetClientRoutesWithNetIDFunc()
+	}
+	return nil
+}
+
 // Start mock implementation of Start from Manager interface
 func (m *MockManager) Start(ctx context.Context, iface *iface.WGIface) {
 }
--- a/client/internal/routemanager/refcounter/refcounter.go
+++ b/client/internal/routemanager/refcounter/refcounter.go
@@ -71,11 +71,14 @@ func New[Key comparable, I, O any](add AddFunc[Key, I, O], remove RemoveFunc[Key
 }

 // LoadData loads the data from the existing counter
+// The passed counter should not be used any longer after calling this function.
 func (rm *Counter[Key, I, O]) LoadData(
 	existingCounter *Counter[Key, I, O],
 ) {
 	rm.mu.Lock()
 	defer rm.mu.Unlock()
+	existingCounter.mu.Lock()
+	defer existingCounter.mu.Unlock()

 	rm.refCountMap = existingCounter.refCountMap
 	rm.idMap = existingCounter.idMap
@@ -231,6 +234,9 @@ func (rm *Counter[Key, I, O]) MarshalJSON() ([]byte, error) {

 // UnmarshalJSON implements the json.Unmarshaler interface for Counter.
 func (rm *Counter[Key, I, O]) UnmarshalJSON(data []byte) error {
+	rm.mu.Lock()
+	defer rm.mu.Unlock()
+
 	var temp struct {
 		RefCountMap map[Key]Ref[O]   `json:"refCountMap"`
 		IDMap       map[string][]Key `json:"idMap"`
@@ -241,6 +247,13 @@ func (rm *Counter[Key, I, O]) UnmarshalJSON(data []byte) error {
 	rm.refCountMap = temp.RefCountMap
 	rm.idMap = temp.IDMap

+	if temp.RefCountMap == nil {
+		temp.RefCountMap = map[Key]Ref[O]{}
+	}
+	if temp.IDMap == nil {
+		temp.IDMap = map[string][]Key{}
+	}
+
 	return nil
 }

--- a/client/internal/routemanager/state.go
+++ b/client/internal/routemanager/state.go
@@ -0,0 +1,19 @@
+package routemanager
+
+import (
+	"github.com/netbirdio/netbird/client/internal/routeselector"
+)
+
+type SelectorState routeselector.RouteSelector
+
+func (s *SelectorState) Name() string {
+	return "routeselector_state"
+}
+
+func (s *SelectorState) MarshalJSON() ([]byte, error) {
+	return (*routeselector.RouteSelector)(s).MarshalJSON()
+}
+
+func (s *SelectorState) UnmarshalJSON(data []byte) error {
+	return (*routeselector.RouteSelector)(s).UnmarshalJSON(data)
+}
--- a/client/internal/routemanager/systemops/systemops_linux.go
+++ b/client/internal/routemanager/systemops/systemops_linux.go
@@ -450,7 +450,7 @@ func addRule(params ruleParams) error {
 	rule.Invert = params.invert
 	rule.SuppressPrefixlen = params.suppressPrefix

-	if err := netlink.RuleAdd(rule); err != nil && !errors.Is(err, syscall.EEXIST) {
+	if err := netlink.RuleAdd(rule); err != nil && !errors.Is(err, syscall.EEXIST) && !errors.Is(err, syscall.EAFNOSUPPORT) {
 		return fmt.Errorf("add routing rule: %w", err)
 	}

@@ -467,7 +467,7 @@ func removeRule(params ruleParams) error {
 	rule.Priority = params.priority
 	rule.SuppressPrefixlen = params.suppressPrefix

-	if err := netlink.RuleDel(rule); err != nil && !errors.Is(err, syscall.ENOENT) {
+	if err := netlink.RuleDel(rule); err != nil && !errors.Is(err, syscall.ENOENT) && !errors.Is(err, syscall.EAFNOSUPPORT) {
 		return fmt.Errorf("remove routing rule: %w", err)
 	}

--- a/client/internal/routemanager/systemops/systemops_windows.go
+++ b/client/internal/routemanager/systemops/systemops_windows.go
@@ -230,10 +230,13 @@ func (rm *RouteMonitor) parseUpdate(row *MIB_IPFORWARD_ROW2, notificationType MI
 	if idx != 0 {
 		intf, err := net.InterfaceByIndex(idx)
 		if err != nil {
-			return update, fmt.Errorf("get interface name: %w", err)
+			log.Warnf("failed to get interface name for index %d: %v", idx, err)
+			update.Interface = &net.Interface{
+				Index: idx,
+			}
+		} else {
+			update.Interface = intf
 		}
-
-		update.Interface = intf
 	}

 	log.Tracef("Received route update with destination %v, next hop %v, interface %v", row.DestinationPrefix, row.NextHop, update.Interface)
--- a/client/internal/routeselector/routeselector.go
+++ b/client/internal/routeselector/routeselector.go
@@ -1,8 +1,10 @@
 package routeselector

 import (
+	"encoding/json"
 	"fmt"
 	"slices"
+	"sync"

 	"github.com/hashicorp/go-multierror"
 	"golang.org/x/exp/maps"
@@ -12,6 +14,7 @@ import (
 )

 type RouteSelector struct {
+	mu             sync.RWMutex
 	selectedRoutes map[route.NetID]struct{}
 	selectAll      bool
 }
@@ -26,6 +29,9 @@ func NewRouteSelector() *RouteSelector {

 // SelectRoutes updates the selected routes based on the provided route IDs.
 func (rs *RouteSelector) SelectRoutes(routes []route.NetID, appendRoute bool, allRoutes []route.NetID) error {
+	rs.mu.Lock()
+	defer rs.mu.Unlock()
+
 	if !appendRoute {
 		rs.selectedRoutes = map[route.NetID]struct{}{}
 	}
@@ -46,6 +52,9 @@ func (rs *RouteSelector) SelectRoutes(routes []route.NetID, appendRoute bool, al

 // SelectAllRoutes sets the selector to select all routes.
 func (rs *RouteSelector) SelectAllRoutes() {
+	rs.mu.Lock()
+	defer rs.mu.Unlock()
+
 	rs.selectAll = true
 	rs.selectedRoutes = map[route.NetID]struct{}{}
 }
@@ -53,6 +62,9 @@ func (rs *RouteSelector) SelectAllRoutes() {
 // DeselectRoutes removes specific routes from the selection.
 // If the selector is in "select all" mode, it will transition to "select specific" mode.
 func (rs *RouteSelector) DeselectRoutes(routes []route.NetID, allRoutes []route.NetID) error {
+	rs.mu.Lock()
+	defer rs.mu.Unlock()
+
 	if rs.selectAll {
 		rs.selectAll = false
 		rs.selectedRoutes = map[route.NetID]struct{}{}
@@ -76,12 +88,18 @@ func (rs *RouteSelector) DeselectRoutes(routes []route.NetID, allRoutes []route.

 // DeselectAllRoutes deselects all routes, effectively disabling route selection.
 func (rs *RouteSelector) DeselectAllRoutes() {
+	rs.mu.Lock()
+	defer rs.mu.Unlock()
+
 	rs.selectAll = false
 	rs.selectedRoutes = map[route.NetID]struct{}{}
 }

 // IsSelected checks if a specific route is selected.
 func (rs *RouteSelector) IsSelected(routeID route.NetID) bool {
+	rs.mu.RLock()
+	defer rs.mu.RUnlock()
+
 	if rs.selectAll {
 		return true
 	}
@@ -91,6 +109,9 @@ func (rs *RouteSelector) IsSelected(routeID route.NetID) bool {

 // FilterSelected removes unselected routes from the provided map.
 func (rs *RouteSelector) FilterSelected(routes route.HAMap) route.HAMap {
+	rs.mu.RLock()
+	defer rs.mu.RUnlock()
+
 	if rs.selectAll {
 		return maps.Clone(routes)
 	}
@@ -103,3 +124,49 @@ func (rs *RouteSelector) FilterSelected(routes route.HAMap) route.HAMap {
 	}
 	return filtered
 }
+
+// MarshalJSON implements the json.Marshaler interface
+func (rs *RouteSelector) MarshalJSON() ([]byte, error) {
+	rs.mu.RLock()
+	defer rs.mu.RUnlock()
+
+	return json.Marshal(struct {
+		SelectedRoutes map[route.NetID]struct{} `json:"selected_routes"`
+		SelectAll      bool                     `json:"select_all"`
+	}{
+		SelectAll:      rs.selectAll,
+		SelectedRoutes: rs.selectedRoutes,
+	})
+}
+
+// UnmarshalJSON implements the json.Unmarshaler interface
+// If the JSON is empty or null, it will initialize like a NewRouteSelector.
+func (rs *RouteSelector) UnmarshalJSON(data []byte) error {
+	rs.mu.Lock()
+	defer rs.mu.Unlock()
+
+	// Check for null or empty JSON
+	if len(data) == 0 || string(data) == "null" {
+		rs.selectedRoutes = map[route.NetID]struct{}{}
+		rs.selectAll = true
+		return nil
+	}
+
+	var temp struct {
+		SelectedRoutes map[route.NetID]struct{} `json:"selected_routes"`
+		SelectAll      bool                     `json:"select_all"`
+	}
+
+	if err := json.Unmarshal(data, &temp); err != nil {
+		return err
+	}
+
+	rs.selectedRoutes = temp.SelectedRoutes
+	rs.selectAll = temp.SelectAll
+
+	if rs.selectedRoutes == nil {
+		rs.selectedRoutes = map[route.NetID]struct{}{}
+	}
+
+	return nil
+}
--- a/client/internal/routeselector/routeselector_test.go
+++ b/client/internal/routeselector/routeselector_test.go
@@ -273,3 +273,88 @@ func TestRouteSelector_FilterSelected(t *testing.T) {
 		"route2|192.168.0.0/16": {},
 	}, filtered)
 }
+
+func TestRouteSelector_NewRoutesBehavior(t *testing.T) {
+	initialRoutes := []route.NetID{"route1", "route2", "route3"}
+	newRoutes := []route.NetID{"route1", "route2", "route3", "route4", "route5"}
+
+	tests := []struct {
+		name            string
+		initialState    func(rs *routeselector.RouteSelector) error // Setup initial state
+		wantNewSelected []route.NetID                               // Expected selected routes after new routes appear
+	}{
+		{
+			name: "New routes with initial selectAll state",
+			initialState: func(rs *routeselector.RouteSelector) error {
+				rs.SelectAllRoutes()
+				return nil
+			},
+			// When selectAll is true, all routes including new ones should be selected
+			wantNewSelected: []route.NetID{"route1", "route2", "route3", "route4", "route5"},
+		},
+		{
+			name: "New routes after specific selection",
+			initialState: func(rs *routeselector.RouteSelector) error {
+				return rs.SelectRoutes([]route.NetID{"route1", "route2"}, false, initialRoutes)
+			},
+			// When specific routes were selected, new routes should remain unselected
+			wantNewSelected: []route.NetID{"route1", "route2"},
+		},
+		{
+			name: "New routes after deselect all",
+			initialState: func(rs *routeselector.RouteSelector) error {
+				rs.DeselectAllRoutes()
+				return nil
+			},
+			// After deselect all, new routes should remain unselected
+			wantNewSelected: []route.NetID{},
+		},
+		{
+			name: "New routes after deselecting specific routes",
+			initialState: func(rs *routeselector.RouteSelector) error {
+				rs.SelectAllRoutes()
+				return rs.DeselectRoutes([]route.NetID{"route1"}, initialRoutes)
+			},
+			// After deselecting specific routes, new routes should remain unselected
+			wantNewSelected: []route.NetID{"route2", "route3"},
+		},
+		{
+			name: "New routes after selecting with append",
+			initialState: func(rs *routeselector.RouteSelector) error {
+				return rs.SelectRoutes([]route.NetID{"route1"}, true, initialRoutes)
+			},
+			// When routes were appended, new routes should remain unselected
+			wantNewSelected: []route.NetID{"route1"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			rs := routeselector.NewRouteSelector()
+
+			// Setup initial state
+			err := tt.initialState(rs)
+			require.NoError(t, err)
+
+			// Verify selection state with new routes
+			for _, id := range newRoutes {
+				assert.Equal(t, rs.IsSelected(id), slices.Contains(tt.wantNewSelected, id),
+					"Route %s selection state incorrect", id)
+			}
+
+			// Additional verification using FilterSelected
+			routes := route.HAMap{
+				"route1|10.0.0.0/8":     {},
+				"route2|192.168.0.0/16": {},
+				"route3|172.16.0.0/12":  {},
+				"route4|10.10.0.0/16":   {},
+				"route5|192.168.1.0/24": {},
+			}
+
+			filtered := rs.FilterSelected(routes)
+			expectedLen := len(tt.wantNewSelected)
+			assert.Equal(t, expectedLen, len(filtered),
+				"FilterSelected returned wrong number of routes, got %d want %d", len(filtered), expectedLen)
+		})
+	}
+}
--- a/client/internal/statemanager/manager.go
+++ b/client/internal/statemanager/manager.go
@@ -19,12 +19,36 @@ import (
 	"github.com/netbirdio/netbird/util"
 )

+const (
+	errStateNotRegistered = "state %s not registered"
+	errLoadStateFile      = "load state file: %w"
+)
+
 // State interface defines the methods that all state types must implement
 type State interface {
 	Name() string
+}
+
+// CleanableState interface extends State with cleanup capability
+type CleanableState interface {
+	State
 	Cleanup() error
 }

+// RawState wraps raw JSON data for unregistered states
+type RawState struct {
+	data json.RawMessage
+}
+
+func (r *RawState) Name() string {
+	return "" // This is a placeholder implementation
+}
+
+// MarshalJSON implements json.Marshaler to preserve the original JSON
+func (r *RawState) MarshalJSON() ([]byte, error) {
+	return r.data, nil
+}
+
 // Manager handles the persistence and management of various states
 type Manager struct {
 	mu     sync.Mutex
@@ -140,7 +164,7 @@ func (m *Manager) setState(name string, state State) error {
 	defer m.mu.Unlock()

 	if _, exists := m.states[name]; !exists {
-		return fmt.Errorf("state %s not registered", name)
+		return fmt.Errorf(errStateNotRegistered, name)
 	}

 	m.states[name] = state
@@ -149,6 +173,63 @@ func (m *Manager) setState(name string, state State) error {
 	return nil
 }

+// DeleteStateByName handles deletion of states without cleanup.
+// It doesn't require the state to be registered.
+func (m *Manager) DeleteStateByName(stateName string) error {
+	if m == nil {
+		return nil
+	}
+
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	rawStates, err := m.loadStateFile(false)
+	if err != nil {
+		return fmt.Errorf(errLoadStateFile, err)
+	}
+	if rawStates == nil {
+		return nil
+	}
+
+	if _, exists := rawStates[stateName]; !exists {
+		return fmt.Errorf("state %s not found", stateName)
+	}
+
+	// Mark state as deleted by setting it to nil and marking it dirty
+	m.states[stateName] = nil
+	m.dirty[stateName] = struct{}{}
+
+	return nil
+}
+
+// DeleteAllStates removes all states.
+func (m *Manager) DeleteAllStates() (int, error) {
+	if m == nil {
+		return 0, nil
+	}
+
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	rawStates, err := m.loadStateFile(false)
+	if err != nil {
+		return 0, fmt.Errorf(errLoadStateFile, err)
+	}
+	if rawStates == nil {
+		return 0, nil
+	}
+
+	count := len(rawStates)
+
+	// Mark all states as deleted and dirty
+	for name := range rawStates {
+		m.states[name] = nil
+		m.dirty[name] = struct{}{}
+	}
+
+	return count, nil
+}
+
 func (m *Manager) periodicStateSave(ctx context.Context) {
 	ticker := time.NewTicker(10 * time.Second)
 	defer ticker.Stop()
@@ -202,63 +283,175 @@ func (m *Manager) PersistState(ctx context.Context) error {
 		}
 	}

-	log.Debugf("persisted shutdown states: %v, took %v", maps.Keys(m.dirty), time.Since(start))
+	log.Debugf("persisted states: %v, took %v", maps.Keys(m.dirty), time.Since(start))

 	clear(m.dirty)

 	return nil
 }

-// loadState loads the existing state from the state file
-func (m *Manager) loadState() error {
+// loadStateFile reads and unmarshals the state file into a map of raw JSON messages
+func (m *Manager) loadStateFile(deleteCorrupt bool) (map[string]json.RawMessage, error) {
 	data, err := os.ReadFile(m.filePath)
 	if err != nil {
 		if errors.Is(err, fs.ErrNotExist) {
 			log.Debug("state file does not exist")
-			return nil
+			return nil, nil // nolint:nilnil
 		}
-		return fmt.Errorf("read state file: %w", err)
+		return nil, fmt.Errorf("read state file: %w", err)
 	}

 	var rawStates map[string]json.RawMessage
 	if err := json.Unmarshal(data, &rawStates); err != nil {
-		log.Warn("State file appears to be corrupted, attempting to delete it")
-		if err := os.Remove(m.filePath); err != nil {
-			log.Errorf("Failed to delete corrupted state file: %v", err)
-		} else {
-			log.Info("State file deleted")
+		if deleteCorrupt {
+			log.Warn("State file appears to be corrupted, attempting to delete it", err)
+			if err := os.Remove(m.filePath); err != nil {
+				log.Errorf("Failed to delete corrupted state file: %v", err)
+			} else {
+				log.Info("State file deleted")
+			}
 		}
-		return fmt.Errorf("unmarshal states: %w", err)
+		return nil, fmt.Errorf("unmarshal states: %w", err)
 	}

-	var merr *multierror.Error
+	return rawStates, nil
+}

-	for name, rawState := range rawStates {
-		stateType, ok := m.stateTypes[name]
-		if !ok {
-			merr = multierror.Append(merr, fmt.Errorf("unknown state type: %s", name))
-			continue
-		}
+// loadSingleRawState unmarshals a raw state into a concrete state object
+func (m *Manager) loadSingleRawState(name string, rawState json.RawMessage) (State, error) {
+	stateType, ok := m.stateTypes[name]
+	if !ok {
+		return nil, fmt.Errorf(errStateNotRegistered, name)
+	}

-		if string(rawState) == "null" {
-			continue
-		}
+	if string(rawState) == "null" {
+		return nil, nil //nolint:nilnil
+	}

-		statePtr := reflect.New(stateType).Interface().(State)
-		if err := json.Unmarshal(rawState, statePtr); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("unmarshal state %s: %w", name, err))
-			continue
-		}
+	statePtr := reflect.New(stateType).Interface().(State)
+	if err := json.Unmarshal(rawState, statePtr); err != nil {
+		return nil, fmt.Errorf("unmarshal state %s: %w", name, err)
+	}

-		m.states[name] = statePtr
+	return statePtr, nil
+}
+
+// LoadState loads a specific state from the state file
+func (m *Manager) LoadState(state State) error {
+	if m == nil {
+		return nil
+	}
+
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	rawStates, err := m.loadStateFile(false)
+	if err != nil {
+		return err
+	}
+	if rawStates == nil {
+		return nil
+	}
+
+	name := state.Name()
+	rawState, exists := rawStates[name]
+	if !exists {
+		return nil
+	}
+
+	loadedState, err := m.loadSingleRawState(name, rawState)
+	if err != nil {
+		return err
+	}
+
+	m.states[name] = loadedState
+	if loadedState != nil {
 		log.Debugf("loaded state: %s", name)
 	}

-	return nberrors.FormatErrorOrNil(merr)
+	return nil
 }

-// PerformCleanup retrieves all states from the state file for the registered states and calls Cleanup on them.
-// If the cleanup is successful, the state is marked for deletion.
+// cleanupSingleState handles the cleanup of a specific state and returns any error.
+// The caller must hold the mutex.
+func (m *Manager) cleanupSingleState(name string, rawState json.RawMessage) error {
+	// For unregistered states, preserve the raw JSON
+	if _, registered := m.stateTypes[name]; !registered {
+		m.states[name] = &RawState{data: rawState}
+		return nil
+	}
+
+	// Load the state
+	loadedState, err := m.loadSingleRawState(name, rawState)
+	if err != nil {
+		return err
+	}
+
+	if loadedState == nil {
+		return nil
+	}
+
+	// Check if state supports cleanup
+	cleanableState, isCleanable := loadedState.(CleanableState)
+	if !isCleanable {
+		// If it doesn't support cleanup, keep it as-is
+		m.states[name] = loadedState
+		return nil
+	}
+
+	// Perform cleanup
+	log.Infof("cleaning up state %s", name)
+	if err := cleanableState.Cleanup(); err != nil {
+		// On cleanup error, preserve the state
+		m.states[name] = loadedState
+		return fmt.Errorf("cleanup state: %w", err)
+	}
+
+	// Successfully cleaned up - mark for deletion
+	m.states[name] = nil
+	m.dirty[name] = struct{}{}
+	return nil
+}
+
+// CleanupStateByName loads and cleans up a specific state by name if it implements CleanableState.
+// Returns an error if the state doesn't exist, isn't registered, or cleanup fails.
+func (m *Manager) CleanupStateByName(name string) error {
+	if m == nil {
+		return nil
+	}
+
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	// Check if state is registered
+	if _, registered := m.stateTypes[name]; !registered {
+		return fmt.Errorf(errStateNotRegistered, name)
+	}
+
+	// Load raw states from file
+	rawStates, err := m.loadStateFile(false)
+	if err != nil {
+		return err
+	}
+	if rawStates == nil {
+		return nil
+	}
+
+	// Check if state exists in file
+	rawState, exists := rawStates[name]
+	if !exists {
+		return nil
+	}
+
+	if err := m.cleanupSingleState(name, rawState); err != nil {
+		return fmt.Errorf("%s: %w", name, err)
+	}
+
+	return nil
+}
+
+// PerformCleanup retrieves all states from the state file and calls Cleanup on registered states that support it.
+// Unregistered states are preserved in their original state.
 func (m *Manager) PerformCleanup() error {
 	if m == nil {
 		return nil
@@ -267,30 +460,51 @@ func (m *Manager) PerformCleanup() error {
 	m.mu.Lock()
 	defer m.mu.Unlock()

-	if err := m.loadState(); err != nil {
-		log.Warnf("Failed to load state during cleanup: %v", err)
+	// Load raw states from file
+	rawStates, err := m.loadStateFile(true)
+	if err != nil {
+		return fmt.Errorf(errLoadStateFile, err)
+	}
+	if rawStates == nil {
+		return nil
 	}

 	var merr *multierror.Error
-	for name, state := range m.states {
-		if state == nil {
-			// If no state was found in the state file, we don't mark the state dirty nor return an error
-			continue
-		}

-		log.Infof("client was not shut down properly, cleaning up %s", name)
-		if err := state.Cleanup(); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("cleanup state for %s: %w", name, err))
-		} else {
-			// mark for deletion on cleanup success
-			m.states[name] = nil
-			m.dirty[name] = struct{}{}
+	// Process each state in the file
+	for name, rawState := range rawStates {
+		if err := m.cleanupSingleState(name, rawState); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("%s: %w", name, err))
 		}
 	}

 	return nberrors.FormatErrorOrNil(merr)
 }

+// GetSavedStateNames returns all state names that are currently saved in the state file.
+func (m *Manager) GetSavedStateNames() ([]string, error) {
+	if m == nil {
+		return nil, nil
+	}
+
+	rawStates, err := m.loadStateFile(false)
+	if err != nil {
+		return nil, fmt.Errorf(errLoadStateFile, err)
+	}
+	if rawStates == nil {
+		return nil, nil
+	}
+
+	var states []string
+	for name, state := range rawStates {
+		if len(state) != 0 && string(state) != "null" {
+			states = append(states, name)
+		}
+	}
+
+	return states, nil
+}
+
 func marshalWithPanicRecovery(v any) ([]byte, error) {
 	var bs []byte
 	var err error
--- a/client/ios/NetBirdSDK/client.go
+++ b/client/ios/NetBirdSDK/client.go
@@ -59,6 +59,7 @@ func init() {
 // Client struct manage the life circle of background service
 type Client struct {
 	cfgFile               string
+	stateFile             string
 	recorder              *peer.Status
 	ctxCancel             context.CancelFunc
 	ctxCancelLock         *sync.Mutex
@@ -73,9 +74,10 @@ type Client struct {
 }

 // NewClient instantiate a new Client
-func NewClient(cfgFile, deviceName string, osVersion string, osName string, networkChangeListener NetworkChangeListener, dnsManager DnsManager) *Client {
+func NewClient(cfgFile, stateFile, deviceName string, osVersion string, osName string, networkChangeListener NetworkChangeListener, dnsManager DnsManager) *Client {
 	return &Client{
 		cfgFile:               cfgFile,
+		stateFile:             stateFile,
 		deviceName:            deviceName,
 		osName:                osName,
 		osVersion:             osVersion,
@@ -91,7 +93,8 @@ func (c *Client) Run(fd int32, interfaceName string) error {
 	log.Infof("Starting NetBird client")
 	log.Debugf("Tunnel uses interface: %s", interfaceName)
 	cfg, err := internal.UpdateOrCreateConfig(internal.ConfigInput{
-		ConfigPath: c.cfgFile,
+		ConfigPath:    c.cfgFile,
+		StateFilePath: c.stateFile,
 	})
 	if err != nil {
 		return err
@@ -124,7 +127,7 @@ func (c *Client) Run(fd int32, interfaceName string) error {
 	cfg.WgIface = interfaceName

 	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
-	return c.connectClient.RunOniOS(fd, c.networkChangeListener, c.dnsManager)
+	return c.connectClient.RunOniOS(fd, c.networkChangeListener, c.dnsManager, c.stateFile)
 }

 // Stop the internal client and free the resources
@@ -269,8 +272,8 @@ func (c *Client) GetRoutesSelectionDetails() (*RoutesSelectionDetails, error) {
 		return nil, fmt.Errorf("not connected")
 	}

-	routesMap := engine.GetClientRoutesWithNetID()
 	routeManager := engine.GetRouteManager()
+	routesMap := routeManager.GetClientRoutesWithNetID()
 	if routeManager == nil {
 		return nil, fmt.Errorf("could not get route manager")
 	}
@@ -314,7 +317,7 @@ func (c *Client) GetRoutesSelectionDetails() (*RoutesSelectionDetails, error) {

 }

-func prepareRouteSelectionDetails(routes []*selectRoute, resolvedDomains map[domain.Domain][]netip.Prefix) *RoutesSelectionDetails {
+func prepareRouteSelectionDetails(routes []*selectRoute, resolvedDomains map[domain.Domain]peer.ResolvedDomainInfo) *RoutesSelectionDetails {
 	var routeSelection []RoutesSelectionInfo
 	for _, r := range routes {
 		domainList := make([]DomainInfo, 0)
@@ -322,9 +325,10 @@ func prepareRouteSelectionDetails(routes []*selectRoute, resolvedDomains map[dom
 			domainResp := DomainInfo{
 				Domain: d.SafeString(),
 			}
-			if prefixes, exists := resolvedDomains[d]; exists {
+
+			if info, exists := resolvedDomains[d]; exists {
 				var ipStrings []string
-				for _, prefix := range prefixes {
+				for _, prefix := range info.Prefixes {
 					ipStrings = append(ipStrings, prefix.Addr().String())
 				}
 				domainResp.ResolvedIPs = strings.Join(ipStrings, ", ")
@@ -362,12 +366,12 @@ func (c *Client) SelectRoute(id string) error {
 	} else {
 		log.Debugf("select route with id: %s", id)
 		routes := toNetIDs([]string{id})
-		if err := routeSelector.SelectRoutes(routes, true, maps.Keys(engine.GetClientRoutesWithNetID())); err != nil {
+		if err := routeSelector.SelectRoutes(routes, true, maps.Keys(routeManager.GetClientRoutesWithNetID())); err != nil {
 			log.Debugf("error when selecting routes: %s", err)
 			return fmt.Errorf("select routes: %w", err)
 		}
 	}
-	routeManager.TriggerSelection(engine.GetClientRoutes())
+	routeManager.TriggerSelection(routeManager.GetClientRoutes())
 	return nil

 }
@@ -389,12 +393,12 @@ func (c *Client) DeselectRoute(id string) error {
 	} else {
 		log.Debugf("deselect route with id: %s", id)
 		routes := toNetIDs([]string{id})
-		if err := routeSelector.DeselectRoutes(routes, maps.Keys(engine.GetClientRoutesWithNetID())); err != nil {
+		if err := routeSelector.DeselectRoutes(routes, maps.Keys(routeManager.GetClientRoutesWithNetID())); err != nil {
 			log.Debugf("error when deselecting routes: %s", err)
 			return fmt.Errorf("deselect routes: %w", err)
 		}
 	}
-	routeManager.TriggerSelection(engine.GetClientRoutes())
+	routeManager.TriggerSelection(routeManager.GetClientRoutes())
 	return nil
 }

--- a/client/ios/NetBirdSDK/preferences.go
+++ b/client/ios/NetBirdSDK/preferences.go
@@ -10,9 +10,10 @@ type Preferences struct {
 }

 // NewPreferences create new Preferences instance
-func NewPreferences(configPath string) *Preferences {
+func NewPreferences(configPath string, stateFilePath string) *Preferences {
 	ci := internal.ConfigInput{
-		ConfigPath: configPath,
+		ConfigPath:    configPath,
+		StateFilePath: stateFilePath,
 	}
 	return &Preferences{ci}
 }
--- a/client/ios/NetBirdSDK/preferences_test.go
+++ b/client/ios/NetBirdSDK/preferences_test.go
@@ -9,7 +9,8 @@ import (

 func TestPreferences_DefaultValues(t *testing.T) {
 	cfgFile := filepath.Join(t.TempDir(), "netbird.json")
-	p := NewPreferences(cfgFile)
+	stateFile := filepath.Join(t.TempDir(), "state.json")
+	p := NewPreferences(cfgFile, stateFile)
 	defaultVar, err := p.GetAdminURL()
 	if err != nil {
 		t.Fatalf("failed to read default value: %s", err)
@@ -42,7 +43,8 @@ func TestPreferences_DefaultValues(t *testing.T) {
 func TestPreferences_ReadUncommitedValues(t *testing.T) {
 	exampleString := "exampleString"
 	cfgFile := filepath.Join(t.TempDir(), "netbird.json")
-	p := NewPreferences(cfgFile)
+	stateFile := filepath.Join(t.TempDir(), "state.json")
+	p := NewPreferences(cfgFile, stateFile)

 	p.SetAdminURL(exampleString)
 	resp, err := p.GetAdminURL()
@@ -79,7 +81,8 @@ func TestPreferences_Commit(t *testing.T) {
 	exampleURL := "https://myurl.com:443"
 	examplePresharedKey := "topsecret"
 	cfgFile := filepath.Join(t.TempDir(), "netbird.json")
-	p := NewPreferences(cfgFile)
+	stateFile := filepath.Join(t.TempDir(), "state.json")
+	p := NewPreferences(cfgFile, stateFile)

 	p.SetAdminURL(exampleURL)
 	p.SetManagementURL(exampleURL)
@@ -90,7 +93,7 @@ func TestPreferences_Commit(t *testing.T) {
 		t.Fatalf("failed to save changes: %s", err)
 	}

-	p = NewPreferences(cfgFile)
+	p = NewPreferences(cfgFile, stateFile)
 	resp, err := p.GetAdminURL()
 	if err != nil {
 		t.Fatalf("failed to read admin url: %s", err)
--- a/client/proto/daemon.pb.go
+++ b/client/proto/daemon.pb.go
--- a/client/proto/daemon.proto
+++ b/client/proto/daemon.proto
@@ -28,14 +28,14 @@ service DaemonService {
  // GetConfig of the daemon.
  rpc GetConfig(GetConfigRequest) returns (GetConfigResponse) {}

-  // List available network routes
-  rpc ListRoutes(ListRoutesRequest) returns (ListRoutesResponse) {}
+  // List available networks
+  rpc ListNetworks(ListNetworksRequest) returns (ListNetworksResponse) {}

  // Select specific routes
-  rpc SelectRoutes(SelectRoutesRequest) returns (SelectRoutesResponse) {}
+  rpc SelectNetworks(SelectNetworksRequest) returns (SelectNetworksResponse) {}

  // Deselect specific routes
-  rpc DeselectRoutes(SelectRoutesRequest) returns (SelectRoutesResponse) {}
+  rpc DeselectNetworks(SelectNetworksRequest) returns (SelectNetworksResponse) {}

  // DebugBundle creates a debug bundle
  rpc DebugBundle(DebugBundleRequest) returns (DebugBundleResponse) {}
@@ -45,7 +45,20 @@ service DaemonService {

  // SetLogLevel sets the log level of the daemon
  rpc SetLogLevel(SetLogLevelRequest) returns (SetLogLevelResponse) {}
-};
+
+  // List all states
+  rpc ListStates(ListStatesRequest) returns (ListStatesResponse) {}
+
+  // Clean specific state or all states
+  rpc CleanState(CleanStateRequest) returns (CleanStateResponse) {}
+
+  // Delete specific state or all states
+  rpc DeleteState(DeleteStateRequest) returns (DeleteStateResponse) {}
+
+  // SetNetworkMapPersistence enables or disables network map persistence
+  rpc SetNetworkMapPersistence(SetNetworkMapPersistenceRequest) returns (SetNetworkMapPersistenceResponse) {}
+}
+

 message LoginRequest {
  // setupKey wiretrustee setup key.
@@ -177,7 +190,7 @@ message PeerState {
  int64 bytesRx = 13;
  int64 bytesTx = 14;
  bool rosenpassEnabled = 15;
-  repeated string routes = 16;
+  repeated string networks = 16;
  google.protobuf.Duration latency = 17;
  string relayAddress = 18;
 }
@@ -190,7 +203,7 @@ message LocalPeerState {
  string fqdn = 4;
  bool rosenpassEnabled = 5;
  bool rosenpassPermissive = 6;
-  repeated string routes = 7;
+  repeated string networks = 7;
 }

 // SignalState contains the latest state of a signal connection
@@ -231,20 +244,20 @@ message FullStatus {
  repeated NSGroupState dns_servers = 6;
 }

-message ListRoutesRequest {
+message ListNetworksRequest {
 }

-message ListRoutesResponse {
-  repeated Route routes = 1;
+message ListNetworksResponse {
+  repeated Network routes = 1;
 }

-message SelectRoutesRequest {
-  repeated string routeIDs = 1;
+message SelectNetworksRequest {
+  repeated string networkIDs = 1;
  bool append = 2;
  bool all = 3;
 }

-message SelectRoutesResponse {
+message SelectNetworksResponse {
 }

 message IPList {
@@ -252,9 +265,9 @@ message IPList {
 }


-message Route {
+message Network {
  string ID = 1;
-  string network = 2;
+  string range = 2;
  bool selected = 3;
  repeated string domains = 4;
  map<string, IPList> resolvedIPs = 5;
@@ -293,4 +306,46 @@ message SetLogLevelRequest {
 }

 message SetLogLevelResponse {
-}
+}
+
+// State represents a daemon state entry
+message State {
+  string name = 1;
+}
+
+// ListStatesRequest is empty as it requires no parameters
+message ListStatesRequest {}
+
+// ListStatesResponse contains a list of states
+message ListStatesResponse {
+  repeated State states = 1;
+}
+
+// CleanStateRequest for cleaning states
+message CleanStateRequest {
+  string state_name = 1;
+  bool all = 2;
+}
+
+// CleanStateResponse contains the result of the clean operation
+message CleanStateResponse {
+  int32 cleaned_states = 1;
+}
+
+// DeleteStateRequest for deleting states
+message DeleteStateRequest {
+  string state_name = 1;
+  bool all = 2;
+}
+
+// DeleteStateResponse contains the result of the delete operation
+message DeleteStateResponse {
+  int32 deleted_states = 1;
+}
+
+
+message SetNetworkMapPersistenceRequest {
+  bool enabled = 1;
+}
+
+message SetNetworkMapPersistenceResponse {}
--- a/client/proto/daemon_grpc.pb.go
+++ b/client/proto/daemon_grpc.pb.go
@@ -31,18 +31,26 @@ type DaemonServiceClient interface {
 	Down(ctx context.Context, in *DownRequest, opts ...grpc.CallOption) (*DownResponse, error)
 	// GetConfig of the daemon.
 	GetConfig(ctx context.Context, in *GetConfigRequest, opts ...grpc.CallOption) (*GetConfigResponse, error)
-	// List available network routes
-	ListRoutes(ctx context.Context, in *ListRoutesRequest, opts ...grpc.CallOption) (*ListRoutesResponse, error)
+	// List available networks
+	ListNetworks(ctx context.Context, in *ListNetworksRequest, opts ...grpc.CallOption) (*ListNetworksResponse, error)
 	// Select specific routes
-	SelectRoutes(ctx context.Context, in *SelectRoutesRequest, opts ...grpc.CallOption) (*SelectRoutesResponse, error)
+	SelectNetworks(ctx context.Context, in *SelectNetworksRequest, opts ...grpc.CallOption) (*SelectNetworksResponse, error)
 	// Deselect specific routes
-	DeselectRoutes(ctx context.Context, in *SelectRoutesRequest, opts ...grpc.CallOption) (*SelectRoutesResponse, error)
+	DeselectNetworks(ctx context.Context, in *SelectNetworksRequest, opts ...grpc.CallOption) (*SelectNetworksResponse, error)
 	// DebugBundle creates a debug bundle
 	DebugBundle(ctx context.Context, in *DebugBundleRequest, opts ...grpc.CallOption) (*DebugBundleResponse, error)
 	// GetLogLevel gets the log level of the daemon
 	GetLogLevel(ctx context.Context, in *GetLogLevelRequest, opts ...grpc.CallOption) (*GetLogLevelResponse, error)
 	// SetLogLevel sets the log level of the daemon
 	SetLogLevel(ctx context.Context, in *SetLogLevelRequest, opts ...grpc.CallOption) (*SetLogLevelResponse, error)
+	// List all states
+	ListStates(ctx context.Context, in *ListStatesRequest, opts ...grpc.CallOption) (*ListStatesResponse, error)
+	// Clean specific state or all states
+	CleanState(ctx context.Context, in *CleanStateRequest, opts ...grpc.CallOption) (*CleanStateResponse, error)
+	// Delete specific state or all states
+	DeleteState(ctx context.Context, in *DeleteStateRequest, opts ...grpc.CallOption) (*DeleteStateResponse, error)
+	// SetNetworkMapPersistence enables or disables network map persistence
+	SetNetworkMapPersistence(ctx context.Context, in *SetNetworkMapPersistenceRequest, opts ...grpc.CallOption) (*SetNetworkMapPersistenceResponse, error)
 }

 type daemonServiceClient struct {
@@ -107,27 +115,27 @@ func (c *daemonServiceClient) GetConfig(ctx context.Context, in *GetConfigReques
 	return out, nil
 }

-func (c *daemonServiceClient) ListRoutes(ctx context.Context, in *ListRoutesRequest, opts ...grpc.CallOption) (*ListRoutesResponse, error) {
-	out := new(ListRoutesResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/ListRoutes", in, out, opts...)
+func (c *daemonServiceClient) ListNetworks(ctx context.Context, in *ListNetworksRequest, opts ...grpc.CallOption) (*ListNetworksResponse, error) {
+	out := new(ListNetworksResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/ListNetworks", in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }

-func (c *daemonServiceClient) SelectRoutes(ctx context.Context, in *SelectRoutesRequest, opts ...grpc.CallOption) (*SelectRoutesResponse, error) {
-	out := new(SelectRoutesResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/SelectRoutes", in, out, opts...)
+func (c *daemonServiceClient) SelectNetworks(ctx context.Context, in *SelectNetworksRequest, opts ...grpc.CallOption) (*SelectNetworksResponse, error) {
+	out := new(SelectNetworksResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/SelectNetworks", in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }

-func (c *daemonServiceClient) DeselectRoutes(ctx context.Context, in *SelectRoutesRequest, opts ...grpc.CallOption) (*SelectRoutesResponse, error) {
-	out := new(SelectRoutesResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/DeselectRoutes", in, out, opts...)
+func (c *daemonServiceClient) DeselectNetworks(ctx context.Context, in *SelectNetworksRequest, opts ...grpc.CallOption) (*SelectNetworksResponse, error) {
+	out := new(SelectNetworksResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/DeselectNetworks", in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -161,6 +169,42 @@ func (c *daemonServiceClient) SetLogLevel(ctx context.Context, in *SetLogLevelRe
 	return out, nil
 }

+func (c *daemonServiceClient) ListStates(ctx context.Context, in *ListStatesRequest, opts ...grpc.CallOption) (*ListStatesResponse, error) {
+	out := new(ListStatesResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/ListStates", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) CleanState(ctx context.Context, in *CleanStateRequest, opts ...grpc.CallOption) (*CleanStateResponse, error) {
+	out := new(CleanStateResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/CleanState", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) DeleteState(ctx context.Context, in *DeleteStateRequest, opts ...grpc.CallOption) (*DeleteStateResponse, error) {
+	out := new(DeleteStateResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/DeleteState", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) SetNetworkMapPersistence(ctx context.Context, in *SetNetworkMapPersistenceRequest, opts ...grpc.CallOption) (*SetNetworkMapPersistenceResponse, error) {
+	out := new(SetNetworkMapPersistenceResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/SetNetworkMapPersistence", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // DaemonServiceServer is the server API for DaemonService service.
 // All implementations must embed UnimplementedDaemonServiceServer
 // for forward compatibility
@@ -178,18 +222,26 @@ type DaemonServiceServer interface {
 	Down(context.Context, *DownRequest) (*DownResponse, error)
 	// GetConfig of the daemon.
 	GetConfig(context.Context, *GetConfigRequest) (*GetConfigResponse, error)
-	// List available network routes
-	ListRoutes(context.Context, *ListRoutesRequest) (*ListRoutesResponse, error)
+	// List available networks
+	ListNetworks(context.Context, *ListNetworksRequest) (*ListNetworksResponse, error)
 	// Select specific routes
-	SelectRoutes(context.Context, *SelectRoutesRequest) (*SelectRoutesResponse, error)
+	SelectNetworks(context.Context, *SelectNetworksRequest) (*SelectNetworksResponse, error)
 	// Deselect specific routes
-	DeselectRoutes(context.Context, *SelectRoutesRequest) (*SelectRoutesResponse, error)
+	DeselectNetworks(context.Context, *SelectNetworksRequest) (*SelectNetworksResponse, error)
 	// DebugBundle creates a debug bundle
 	DebugBundle(context.Context, *DebugBundleRequest) (*DebugBundleResponse, error)
 	// GetLogLevel gets the log level of the daemon
 	GetLogLevel(context.Context, *GetLogLevelRequest) (*GetLogLevelResponse, error)
 	// SetLogLevel sets the log level of the daemon
 	SetLogLevel(context.Context, *SetLogLevelRequest) (*SetLogLevelResponse, error)
+	// List all states
+	ListStates(context.Context, *ListStatesRequest) (*ListStatesResponse, error)
+	// Clean specific state or all states
+	CleanState(context.Context, *CleanStateRequest) (*CleanStateResponse, error)
+	// Delete specific state or all states
+	DeleteState(context.Context, *DeleteStateRequest) (*DeleteStateResponse, error)
+	// SetNetworkMapPersistence enables or disables network map persistence
+	SetNetworkMapPersistence(context.Context, *SetNetworkMapPersistenceRequest) (*SetNetworkMapPersistenceResponse, error)
 	mustEmbedUnimplementedDaemonServiceServer()
 }

@@ -215,14 +267,14 @@ func (UnimplementedDaemonServiceServer) Down(context.Context, *DownRequest) (*Do
 func (UnimplementedDaemonServiceServer) GetConfig(context.Context, *GetConfigRequest) (*GetConfigResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetConfig not implemented")
 }
-func (UnimplementedDaemonServiceServer) ListRoutes(context.Context, *ListRoutesRequest) (*ListRoutesResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method ListRoutes not implemented")
+func (UnimplementedDaemonServiceServer) ListNetworks(context.Context, *ListNetworksRequest) (*ListNetworksResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ListNetworks not implemented")
 }
-func (UnimplementedDaemonServiceServer) SelectRoutes(context.Context, *SelectRoutesRequest) (*SelectRoutesResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method SelectRoutes not implemented")
+func (UnimplementedDaemonServiceServer) SelectNetworks(context.Context, *SelectNetworksRequest) (*SelectNetworksResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method SelectNetworks not implemented")
 }
-func (UnimplementedDaemonServiceServer) DeselectRoutes(context.Context, *SelectRoutesRequest) (*SelectRoutesResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method DeselectRoutes not implemented")
+func (UnimplementedDaemonServiceServer) DeselectNetworks(context.Context, *SelectNetworksRequest) (*SelectNetworksResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method DeselectNetworks not implemented")
 }
 func (UnimplementedDaemonServiceServer) DebugBundle(context.Context, *DebugBundleRequest) (*DebugBundleResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method DebugBundle not implemented")
@@ -233,6 +285,18 @@ func (UnimplementedDaemonServiceServer) GetLogLevel(context.Context, *GetLogLeve
 func (UnimplementedDaemonServiceServer) SetLogLevel(context.Context, *SetLogLevelRequest) (*SetLogLevelResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method SetLogLevel not implemented")
 }
+func (UnimplementedDaemonServiceServer) ListStates(context.Context, *ListStatesRequest) (*ListStatesResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ListStates not implemented")
+}
+func (UnimplementedDaemonServiceServer) CleanState(context.Context, *CleanStateRequest) (*CleanStateResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method CleanState not implemented")
+}
+func (UnimplementedDaemonServiceServer) DeleteState(context.Context, *DeleteStateRequest) (*DeleteStateResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method DeleteState not implemented")
+}
+func (UnimplementedDaemonServiceServer) SetNetworkMapPersistence(context.Context, *SetNetworkMapPersistenceRequest) (*SetNetworkMapPersistenceResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method SetNetworkMapPersistence not implemented")
+}
 func (UnimplementedDaemonServiceServer) mustEmbedUnimplementedDaemonServiceServer() {}

 // UnsafeDaemonServiceServer may be embedded to opt out of forward compatibility for this service.
@@ -354,56 +418,56 @@ func _DaemonService_GetConfig_Handler(srv interface{}, ctx context.Context, dec
 	return interceptor(ctx, in, info, handler)
 }

-func _DaemonService_ListRoutes_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(ListRoutesRequest)
+func _DaemonService_ListNetworks_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ListNetworksRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
-		return srv.(DaemonServiceServer).ListRoutes(ctx, in)
+		return srv.(DaemonServiceServer).ListNetworks(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/ListRoutes",
+		FullMethod: "/daemon.DaemonService/ListNetworks",
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(DaemonServiceServer).ListRoutes(ctx, req.(*ListRoutesRequest))
+		return srv.(DaemonServiceServer).ListNetworks(ctx, req.(*ListNetworksRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }

-func _DaemonService_SelectRoutes_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(SelectRoutesRequest)
+func _DaemonService_SelectNetworks_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SelectNetworksRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
-		return srv.(DaemonServiceServer).SelectRoutes(ctx, in)
+		return srv.(DaemonServiceServer).SelectNetworks(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/SelectRoutes",
+		FullMethod: "/daemon.DaemonService/SelectNetworks",
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(DaemonServiceServer).SelectRoutes(ctx, req.(*SelectRoutesRequest))
+		return srv.(DaemonServiceServer).SelectNetworks(ctx, req.(*SelectNetworksRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }

-func _DaemonService_DeselectRoutes_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(SelectRoutesRequest)
+func _DaemonService_DeselectNetworks_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SelectNetworksRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
-		return srv.(DaemonServiceServer).DeselectRoutes(ctx, in)
+		return srv.(DaemonServiceServer).DeselectNetworks(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/DeselectRoutes",
+		FullMethod: "/daemon.DaemonService/DeselectNetworks",
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(DaemonServiceServer).DeselectRoutes(ctx, req.(*SelectRoutesRequest))
+		return srv.(DaemonServiceServer).DeselectNetworks(ctx, req.(*SelectNetworksRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }
@@ -462,6 +526,78 @@ func _DaemonService_SetLogLevel_Handler(srv interface{}, ctx context.Context, de
 	return interceptor(ctx, in, info, handler)
 }

+func _DaemonService_ListStates_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ListStatesRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).ListStates(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/ListStates",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).ListStates(ctx, req.(*ListStatesRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_CleanState_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(CleanStateRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).CleanState(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/CleanState",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).CleanState(ctx, req.(*CleanStateRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_DeleteState_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(DeleteStateRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).DeleteState(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/DeleteState",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).DeleteState(ctx, req.(*DeleteStateRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_SetNetworkMapPersistence_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SetNetworkMapPersistenceRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).SetNetworkMapPersistence(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/SetNetworkMapPersistence",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).SetNetworkMapPersistence(ctx, req.(*SetNetworkMapPersistenceRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 // DaemonService_ServiceDesc is the grpc.ServiceDesc for DaemonService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -494,16 +630,16 @@ var DaemonService_ServiceDesc = grpc.ServiceDesc{
 			Handler:    _DaemonService_GetConfig_Handler,
 		},
 		{
-			MethodName: "ListRoutes",
-			Handler:    _DaemonService_ListRoutes_Handler,
+			MethodName: "ListNetworks",
+			Handler:    _DaemonService_ListNetworks_Handler,
 		},
 		{
-			MethodName: "SelectRoutes",
-			Handler:    _DaemonService_SelectRoutes_Handler,
+			MethodName: "SelectNetworks",
+			Handler:    _DaemonService_SelectNetworks_Handler,
 		},
 		{
-			MethodName: "DeselectRoutes",
-			Handler:    _DaemonService_DeselectRoutes_Handler,
+			MethodName: "DeselectNetworks",
+			Handler:    _DaemonService_DeselectNetworks_Handler,
 		},
 		{
 			MethodName: "DebugBundle",
@@ -517,6 +653,22 @@ var DaemonService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "SetLogLevel",
 			Handler:    _DaemonService_SetLogLevel_Handler,
 		},
+		{
+			MethodName: "ListStates",
+			Handler:    _DaemonService_ListStates_Handler,
+		},
+		{
+			MethodName: "CleanState",
+			Handler:    _DaemonService_CleanState_Handler,
+		},
+		{
+			MethodName: "DeleteState",
+			Handler:    _DaemonService_DeleteState_Handler,
+		},
+		{
+			MethodName: "SetNetworkMapPersistence",
+			Handler:    _DaemonService_SetNetworkMapPersistence_Handler,
+		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "daemon.proto",
--- a/client/server/debug.go
+++ b/client/server/debug.go
@@ -5,32 +5,46 @@ package server
 import (
 	"archive/zip"
 	"bufio"
+	"bytes"
 	"context"
+	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
+	"io/fs"
 	"net"
 	"net/netip"
 	"os"
+	"path/filepath"
 	"sort"
 	"strings"
 	"time"

 	log "github.com/sirupsen/logrus"
+	"google.golang.org/protobuf/encoding/protojson"

 	"github.com/netbirdio/netbird/client/anonymize"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
+	"github.com/netbirdio/netbird/client/internal/statemanager"
 	"github.com/netbirdio/netbird/client/proto"
+	mgmProto "github.com/netbirdio/netbird/management/proto"
 )

 const readmeContent = `Netbird debug bundle
 This debug bundle contains the following files:

 status.txt: Anonymized status information of the NetBird client.
-client.log: Most recent, anonymized log file of the NetBird client.
+client.log: Most recent, anonymized client log file of the NetBird client.
+netbird.err: Most recent, anonymized stderr log file of the NetBird client.
+netbird.out: Most recent, anonymized stdout log file of the NetBird client.
 routes.txt: Anonymized system routes, if --system-info flag was provided.
 interfaces.txt: Anonymized network interface information, if --system-info flag was provided.
+iptables.txt: Anonymized iptables rules with packet counters, if --system-info flag was provided.
+nftables.txt: Anonymized nftables rules with packet counters, if --system-info flag was provided.
 config.txt: Anonymized configuration information of the NetBird client.
+network_map.json: Anonymized network map containing peer configurations, routes, DNS settings, and firewall rules.
+state.json: Anonymized client state dump containing netbird states.


 Anonymization Process
@@ -50,8 +64,32 @@ Domains
 All domain names (except for the netbird domains) are replaced with randomly generated strings ending in ".domain". Anonymized domains are consistent across all files in the bundle.
 Reoccuring domain names are replaced with the same anonymized domain.

+Network Map
+The network_map.json file contains the following anonymized information:
+- Peer configurations (addresses, FQDNs, DNS settings)
+- Remote and offline peer information (allowed IPs, FQDNs)
+- Routes (network ranges, associated domains)
+- DNS configuration (nameservers, domains, custom zones)
+- Firewall rules (peer IPs, source/destination ranges)
+
+SSH keys in the network map are replaced with a placeholder value. All IP addresses and domains in the network map follow the same anonymization rules as described above.
+
+State File
+The state.json file contains anonymized internal state information of the NetBird client, including:
+- DNS settings and configuration
+- Firewall rules
+- Exclusion routes
+- Route selection
+- Other internal states that may be present
+
+The state file follows the same anonymization rules as other files:
+- IP addresses (both individual and CIDR ranges) are anonymized while preserving their structure
+- Domain names are consistently anonymized
+- Technical identifiers and non-sensitive data remain unchanged
+
 Routes
 For anonymized routes, the IP addresses are replaced as described above. The prefix length remains unchanged. Note that for prefixes, the anonymized IP might not be a network address, but the prefix length is still correct.
+
 Network Interfaces
 The interfaces.txt file contains information about network interfaces, including:
 - Interface name
@@ -70,17 +108,37 @@ The config.txt file contains anonymized configuration information of the NetBird
 - CustomDNSAddress

 Other non-sensitive configuration options are included without anonymization.
+
+Firewall Rules (Linux only)
+The bundle includes two separate firewall rule files:
+
+iptables.txt:
+- Complete iptables ruleset with packet counters using 'iptables -v -n -L'
+- Includes all tables (filter, nat, mangle, raw, security)
+- Shows packet and byte counters for each rule
+- All IP addresses are anonymized
+- Chain names, table names, and other non-sensitive information remain unchanged
+
+nftables.txt:
+- Complete nftables ruleset obtained via 'nft -a list ruleset'
+- Includes rule handle numbers and packet counters
+- All tables, chains, and rules are included
+- Shows packet and byte counters for each rule
+- All IP addresses are anonymized
+- Chain names, table names, and other non-sensitive information remain unchanged
 `

+const (
+	clientLogFile = "client.log"
+	errorLogFile  = "netbird.err"
+	stdoutLogFile = "netbird.out"
+)
+
 // DebugBundle creates a debug bundle and returns the location.
 func (s *Server) DebugBundle(_ context.Context, req *proto.DebugBundleRequest) (resp *proto.DebugBundleResponse, err error) {
 	s.mutex.Lock()
 	defer s.mutex.Unlock()

-	if s.logFile == "console" {
-		return nil, fmt.Errorf("log file is set to console, cannot create debug bundle")
-	}
-
 	bundlePath, err := os.CreateTemp("", "netbird.debug.*.zip")
 	if err != nil {
 		return nil, fmt.Errorf("create zip file: %w", err)
@@ -119,21 +177,25 @@ func (s *Server) createArchive(bundlePath *os.File, req *proto.DebugBundleReques
 	seedFromStatus(anonymizer, &status)

 	if err := s.addConfig(req, anonymizer, archive); err != nil {
-		return fmt.Errorf("add config: %w", err)
+		log.Errorf("Failed to add config to debug bundle: %v", err)
 	}

 	if req.GetSystemInfo() {
-		if err := s.addRoutes(req, anonymizer, archive); err != nil {
-			return fmt.Errorf("add routes: %w", err)
-		}
-
-		if err := s.addInterfaces(req, anonymizer, archive); err != nil {
-			return fmt.Errorf("add interfaces: %w", err)
-		}
+		s.addSystemInfo(req, anonymizer, archive)
 	}

-	if err := s.addLogfile(req, anonymizer, archive); err != nil {
-		return fmt.Errorf("add log file: %w", err)
+	if err := s.addNetworkMap(req, anonymizer, archive); err != nil {
+		return fmt.Errorf("add network map: %w", err)
+	}
+
+	if err := s.addStateFile(req, anonymizer, archive); err != nil {
+		log.Errorf("Failed to add state file to debug bundle: %v", err)
+	}
+
+	if s.logFile != "console" {
+		if err := s.addLogfile(req, anonymizer, archive); err != nil {
+			return fmt.Errorf("add log file: %w", err)
+		}
 	}

 	if err := archive.Close(); err != nil {
@@ -142,6 +204,20 @@ func (s *Server) createArchive(bundlePath *os.File, req *proto.DebugBundleReques
 	return nil
 }

+func (s *Server) addSystemInfo(req *proto.DebugBundleRequest, anonymizer *anonymize.Anonymizer, archive *zip.Writer) {
+	if err := s.addRoutes(req, anonymizer, archive); err != nil {
+		log.Errorf("Failed to add routes to debug bundle: %v", err)
+	}
+
+	if err := s.addInterfaces(req, anonymizer, archive); err != nil {
+		log.Errorf("Failed to add interfaces to debug bundle: %v", err)
+	}
+
+	if err := s.addFirewallRules(req, anonymizer, archive); err != nil {
+		log.Errorf("Failed to add firewall rules to debug bundle: %v", err)
+	}
+}
+
 func (s *Server) addReadme(req *proto.DebugBundleRequest, archive *zip.Writer) error {
 	if req.GetAnonymize() {
 		readmeReader := strings.NewReader(readmeContent)
@@ -220,15 +296,16 @@ func (s *Server) addCommonConfigFields(configContent *strings.Builder) {
 }

 func (s *Server) addRoutes(req *proto.DebugBundleRequest, anonymizer *anonymize.Anonymizer, archive *zip.Writer) error {
-	if routes, err := systemops.GetRoutesFromTable(); err != nil {
-		log.Errorf("Failed to get routes: %v", err)
-	} else {
-		// TODO: get routes including nexthop
-		routesContent := formatRoutes(routes, req.GetAnonymize(), anonymizer)
-		routesReader := strings.NewReader(routesContent)
-		if err := addFileToZip(archive, routesReader, "routes.txt"); err != nil {
-			return fmt.Errorf("add routes file to zip: %w", err)
-		}
+	routes, err := systemops.GetRoutesFromTable()
+	if err != nil {
+		return fmt.Errorf("get routes: %w", err)
+	}
+
+	// TODO: get routes including nexthop
+	routesContent := formatRoutes(routes, req.GetAnonymize(), anonymizer)
+	routesReader := strings.NewReader(routesContent)
+	if err := addFileToZip(archive, routesReader, "routes.txt"); err != nil {
+		return fmt.Errorf("add routes file to zip: %w", err)
 	}
 	return nil
 }
@@ -248,14 +325,106 @@ func (s *Server) addInterfaces(req *proto.DebugBundleRequest, anonymizer *anonym
 	return nil
 }

-func (s *Server) addLogfile(req *proto.DebugBundleRequest, anonymizer *anonymize.Anonymizer, archive *zip.Writer) (err error) {
-	logFile, err := os.Open(s.logFile)
+func (s *Server) addNetworkMap(req *proto.DebugBundleRequest, anonymizer *anonymize.Anonymizer, archive *zip.Writer) error {
+	networkMap, err := s.getLatestNetworkMap()
 	if err != nil {
-		return fmt.Errorf("open log file: %w", err)
+		// Skip if network map is not available, but log it
+		log.Debugf("skipping empty network map in debug bundle: %v", err)
+		return nil
+	}
+
+	if req.GetAnonymize() {
+		if err := anonymizeNetworkMap(networkMap, anonymizer); err != nil {
+			return fmt.Errorf("anonymize network map: %w", err)
+		}
+	}
+
+	options := protojson.MarshalOptions{
+		EmitUnpopulated: true,
+		UseProtoNames:   true,
+		Indent:          "  ",
+		AllowPartial:    true,
+	}
+
+	jsonBytes, err := options.Marshal(networkMap)
+	if err != nil {
+		return fmt.Errorf("generate json: %w", err)
+	}
+
+	if err := addFileToZip(archive, bytes.NewReader(jsonBytes), "network_map.json"); err != nil {
+		return fmt.Errorf("add network map to zip: %w", err)
+	}
+
+	return nil
+}
+
+func (s *Server) addStateFile(req *proto.DebugBundleRequest, anonymizer *anonymize.Anonymizer, archive *zip.Writer) error {
+	path := statemanager.GetDefaultStatePath()
+	if path == "" {
+		return nil
+	}
+
+	data, err := os.ReadFile(path)
+	if err != nil {
+		if errors.Is(err, fs.ErrNotExist) {
+			return nil
+		}
+		return fmt.Errorf("read state file: %w", err)
+	}
+
+	if req.GetAnonymize() {
+		var rawStates map[string]json.RawMessage
+		if err := json.Unmarshal(data, &rawStates); err != nil {
+			return fmt.Errorf("unmarshal states: %w", err)
+		}
+
+		if err := anonymizeStateFile(&rawStates, anonymizer); err != nil {
+			return fmt.Errorf("anonymize state file: %w", err)
+		}
+
+		bs, err := json.MarshalIndent(rawStates, "", "  ")
+		if err != nil {
+			return fmt.Errorf("marshal states: %w", err)
+		}
+		data = bs
+	}
+
+	if err := addFileToZip(archive, bytes.NewReader(data), "state.json"); err != nil {
+		return fmt.Errorf("add state file to zip: %w", err)
+	}
+
+	return nil
+}
+
+func (s *Server) addLogfile(req *proto.DebugBundleRequest, anonymizer *anonymize.Anonymizer, archive *zip.Writer) error {
+	logDir := filepath.Dir(s.logFile)
+
+	if err := s.addSingleLogfile(s.logFile, clientLogFile, req, anonymizer, archive); err != nil {
+		return fmt.Errorf("add client log file to zip: %w", err)
+	}
+
+	errLogPath := filepath.Join(logDir, errorLogFile)
+	if err := s.addSingleLogfile(errLogPath, errorLogFile, req, anonymizer, archive); err != nil {
+		log.Warnf("Failed to add %s to zip: %v", errorLogFile, err)
+	}
+
+	stdoutLogPath := filepath.Join(logDir, stdoutLogFile)
+	if err := s.addSingleLogfile(stdoutLogPath, stdoutLogFile, req, anonymizer, archive); err != nil {
+		log.Warnf("Failed to add %s to zip: %v", stdoutLogFile, err)
+	}
+
+	return nil
+}
+
+// addSingleLogfile adds a single log file to the archive
+func (s *Server) addSingleLogfile(logPath, targetName string, req *proto.DebugBundleRequest, anonymizer *anonymize.Anonymizer, archive *zip.Writer) error {
+	logFile, err := os.Open(logPath)
+	if err != nil {
+		return fmt.Errorf("open log file %s: %w", targetName, err)
 	}
 	defer func() {
 		if err := logFile.Close(); err != nil {
-			log.Errorf("Failed to close original log file: %v", err)
+			log.Errorf("Failed to close log file %s: %v", targetName, err)
 		}
 	}()

@@ -264,45 +433,55 @@ func (s *Server) addLogfile(req *proto.DebugBundleRequest, anonymizer *anonymize
 		var writer *io.PipeWriter
 		logReader, writer = io.Pipe()

-		go s.anonymize(logFile, writer, anonymizer)
+		go anonymizeLog(logFile, writer, anonymizer)
 	} else {
 		logReader = logFile
 	}
-	if err := addFileToZip(archive, logReader, "client.log"); err != nil {
-		return fmt.Errorf("add log file to zip: %w", err)
+
+	if err := addFileToZip(archive, logReader, targetName); err != nil {
+		return fmt.Errorf("add %s to zip: %w", targetName, err)
 	}

 	return nil
 }

-func (s *Server) anonymize(reader io.Reader, writer *io.PipeWriter, anonymizer *anonymize.Anonymizer) {
-	defer func() {
-		// always nil
-		_ = writer.Close()
-	}()
+// getLatestNetworkMap returns the latest network map from the engine if network map persistence is enabled
+func (s *Server) getLatestNetworkMap() (*mgmProto.NetworkMap, error) {
+	if s.connectClient == nil {
+		return nil, errors.New("connect client is not initialized")
+	}

-	scanner := bufio.NewScanner(reader)
-	for scanner.Scan() {
-		line := anonymizer.AnonymizeString(scanner.Text())
-		if _, err := writer.Write([]byte(line + "\n")); err != nil {
-			writer.CloseWithError(fmt.Errorf("anonymize write: %w", err))
-			return
-		}
+	engine := s.connectClient.Engine()
+	if engine == nil {
+		return nil, errors.New("engine is not initialized")
 	}
-	if err := scanner.Err(); err != nil {
-		writer.CloseWithError(fmt.Errorf("anonymize scan: %w", err))
-		return
+
+	networkMap, err := engine.GetLatestNetworkMap()
+	if err != nil {
+		return nil, fmt.Errorf("get latest network map: %w", err)
 	}
+
+	if networkMap == nil {
+		return nil, errors.New("network map is not available")
+	}
+
+	return networkMap, nil
 }

 // GetLogLevel gets the current logging level for the server.
 func (s *Server) GetLogLevel(_ context.Context, _ *proto.GetLogLevelRequest) (*proto.GetLogLevelResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
 	level := ParseLogLevel(log.GetLevel().String())
 	return &proto.GetLogLevelResponse{Level: level}, nil
 }

 // SetLogLevel sets the logging level for the server.
 func (s *Server) SetLogLevel(_ context.Context, req *proto.SetLogLevelRequest) (*proto.SetLogLevelResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
 	level, err := log.ParseLevel(req.Level.String())
 	if err != nil {
 		return nil, fmt.Errorf("invalid log level: %w", err)
@@ -313,6 +492,20 @@ func (s *Server) SetLogLevel(_ context.Context, req *proto.SetLogLevelRequest) (
 	return &proto.SetLogLevelResponse{}, nil
 }

+// SetNetworkMapPersistence sets the network map persistence for the server.
+func (s *Server) SetNetworkMapPersistence(_ context.Context, req *proto.SetNetworkMapPersistenceRequest) (*proto.SetNetworkMapPersistenceResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	enabled := req.GetEnabled()
+	s.persistNetworkMap = enabled
+	if s.connectClient != nil {
+		s.connectClient.SetNetworkMapPersistence(enabled)
+	}
+
+	return &proto.SetNetworkMapPersistenceResponse{}, nil
+}
+
 func addFileToZip(archive *zip.Writer, reader io.Reader, filename string) error {
 	header := &zip.FileHeader{
 		Name:     filename,
@@ -458,6 +651,26 @@ func formatInterfaces(interfaces []net.Interface, anonymize bool, anonymizer *an
 	return builder.String()
 }

+func anonymizeLog(reader io.Reader, writer *io.PipeWriter, anonymizer *anonymize.Anonymizer) {
+	defer func() {
+		// always nil
+		_ = writer.Close()
+	}()
+
+	scanner := bufio.NewScanner(reader)
+	for scanner.Scan() {
+		line := anonymizer.AnonymizeString(scanner.Text())
+		if _, err := writer.Write([]byte(line + "\n")); err != nil {
+			writer.CloseWithError(fmt.Errorf("anonymize write: %w", err))
+			return
+		}
+	}
+	if err := scanner.Err(); err != nil {
+		writer.CloseWithError(fmt.Errorf("anonymize scan: %w", err))
+		return
+	}
+}
+
 func anonymizeNATExternalIPs(ips []string, anonymizer *anonymize.Anonymizer) []string {
 	anonymizedIPs := make([]string, len(ips))
 	for i, ip := range ips {
@@ -484,3 +697,248 @@ func anonymizeNATExternalIPs(ips []string, anonymizer *anonymize.Anonymizer) []s
 	}
 	return anonymizedIPs
 }
+
+func anonymizeNetworkMap(networkMap *mgmProto.NetworkMap, anonymizer *anonymize.Anonymizer) error {
+	if networkMap.PeerConfig != nil {
+		anonymizePeerConfig(networkMap.PeerConfig, anonymizer)
+	}
+
+	for _, peer := range networkMap.RemotePeers {
+		anonymizeRemotePeer(peer, anonymizer)
+	}
+
+	for _, peer := range networkMap.OfflinePeers {
+		anonymizeRemotePeer(peer, anonymizer)
+	}
+
+	for _, r := range networkMap.Routes {
+		anonymizeRoute(r, anonymizer)
+	}
+
+	if networkMap.DNSConfig != nil {
+		anonymizeDNSConfig(networkMap.DNSConfig, anonymizer)
+	}
+
+	for _, rule := range networkMap.FirewallRules {
+		anonymizeFirewallRule(rule, anonymizer)
+	}
+
+	for _, rule := range networkMap.RoutesFirewallRules {
+		anonymizeRouteFirewallRule(rule, anonymizer)
+	}
+
+	return nil
+}
+
+func anonymizePeerConfig(config *mgmProto.PeerConfig, anonymizer *anonymize.Anonymizer) {
+	if config == nil {
+		return
+	}
+
+	if addr, err := netip.ParseAddr(config.Address); err == nil {
+		config.Address = anonymizer.AnonymizeIP(addr).String()
+	}
+
+	if config.SshConfig != nil && len(config.SshConfig.SshPubKey) > 0 {
+		config.SshConfig.SshPubKey = []byte("ssh-placeholder-key")
+	}
+
+	config.Dns = anonymizer.AnonymizeString(config.Dns)
+	config.Fqdn = anonymizer.AnonymizeDomain(config.Fqdn)
+}
+
+func anonymizeRemotePeer(peer *mgmProto.RemotePeerConfig, anonymizer *anonymize.Anonymizer) {
+	if peer == nil {
+		return
+	}
+
+	for i, ip := range peer.AllowedIps {
+		// Try to parse as prefix first (CIDR)
+		if prefix, err := netip.ParsePrefix(ip); err == nil {
+			anonIP := anonymizer.AnonymizeIP(prefix.Addr())
+			peer.AllowedIps[i] = fmt.Sprintf("%s/%d", anonIP, prefix.Bits())
+		} else if addr, err := netip.ParseAddr(ip); err == nil {
+			peer.AllowedIps[i] = anonymizer.AnonymizeIP(addr).String()
+		}
+	}
+
+	peer.Fqdn = anonymizer.AnonymizeDomain(peer.Fqdn)
+
+	if peer.SshConfig != nil && len(peer.SshConfig.SshPubKey) > 0 {
+		peer.SshConfig.SshPubKey = []byte("ssh-placeholder-key")
+	}
+}
+
+func anonymizeRoute(route *mgmProto.Route, anonymizer *anonymize.Anonymizer) {
+	if route == nil {
+		return
+	}
+
+	if prefix, err := netip.ParsePrefix(route.Network); err == nil {
+		anonIP := anonymizer.AnonymizeIP(prefix.Addr())
+		route.Network = fmt.Sprintf("%s/%d", anonIP, prefix.Bits())
+	}
+
+	for i, domain := range route.Domains {
+		route.Domains[i] = anonymizer.AnonymizeDomain(domain)
+	}
+
+	route.NetID = anonymizer.AnonymizeString(route.NetID)
+}
+
+func anonymizeDNSConfig(config *mgmProto.DNSConfig, anonymizer *anonymize.Anonymizer) {
+	if config == nil {
+		return
+	}
+
+	anonymizeNameServerGroups(config.NameServerGroups, anonymizer)
+	anonymizeCustomZones(config.CustomZones, anonymizer)
+}
+
+func anonymizeNameServerGroups(groups []*mgmProto.NameServerGroup, anonymizer *anonymize.Anonymizer) {
+	for _, group := range groups {
+		anonymizeServers(group.NameServers, anonymizer)
+		anonymizeDomains(group.Domains, anonymizer)
+	}
+}
+
+func anonymizeServers(servers []*mgmProto.NameServer, anonymizer *anonymize.Anonymizer) {
+	for _, server := range servers {
+		if addr, err := netip.ParseAddr(server.IP); err == nil {
+			server.IP = anonymizer.AnonymizeIP(addr).String()
+		}
+	}
+}
+
+func anonymizeDomains(domains []string, anonymizer *anonymize.Anonymizer) {
+	for i, domain := range domains {
+		domains[i] = anonymizer.AnonymizeDomain(domain)
+	}
+}
+
+func anonymizeCustomZones(zones []*mgmProto.CustomZone, anonymizer *anonymize.Anonymizer) {
+	for _, zone := range zones {
+		zone.Domain = anonymizer.AnonymizeDomain(zone.Domain)
+		anonymizeRecords(zone.Records, anonymizer)
+	}
+}
+
+func anonymizeRecords(records []*mgmProto.SimpleRecord, anonymizer *anonymize.Anonymizer) {
+	for _, record := range records {
+		record.Name = anonymizer.AnonymizeDomain(record.Name)
+		anonymizeRData(record, anonymizer)
+	}
+}
+
+func anonymizeRData(record *mgmProto.SimpleRecord, anonymizer *anonymize.Anonymizer) {
+	switch record.Type {
+	case 1, 28: // A or AAAA record
+		if addr, err := netip.ParseAddr(record.RData); err == nil {
+			record.RData = anonymizer.AnonymizeIP(addr).String()
+		}
+	default:
+		record.RData = anonymizer.AnonymizeString(record.RData)
+	}
+}
+
+func anonymizeFirewallRule(rule *mgmProto.FirewallRule, anonymizer *anonymize.Anonymizer) {
+	if rule == nil {
+		return
+	}
+
+	if addr, err := netip.ParseAddr(rule.PeerIP); err == nil {
+		rule.PeerIP = anonymizer.AnonymizeIP(addr).String()
+	}
+}
+
+func anonymizeRouteFirewallRule(rule *mgmProto.RouteFirewallRule, anonymizer *anonymize.Anonymizer) {
+	if rule == nil {
+		return
+	}
+
+	for i, sourceRange := range rule.SourceRanges {
+		if prefix, err := netip.ParsePrefix(sourceRange); err == nil {
+			anonIP := anonymizer.AnonymizeIP(prefix.Addr())
+			rule.SourceRanges[i] = fmt.Sprintf("%s/%d", anonIP, prefix.Bits())
+		}
+	}
+
+	if prefix, err := netip.ParsePrefix(rule.Destination); err == nil {
+		anonIP := anonymizer.AnonymizeIP(prefix.Addr())
+		rule.Destination = fmt.Sprintf("%s/%d", anonIP, prefix.Bits())
+	}
+}
+
+func anonymizeStateFile(rawStates *map[string]json.RawMessage, anonymizer *anonymize.Anonymizer) error {
+	for name, rawState := range *rawStates {
+		if string(rawState) == "null" {
+			continue
+		}
+
+		var state map[string]any
+		if err := json.Unmarshal(rawState, &state); err != nil {
+			return fmt.Errorf("unmarshal state %s: %w", name, err)
+		}
+
+		state = anonymizeValue(state, anonymizer).(map[string]any)
+
+		bs, err := json.Marshal(state)
+		if err != nil {
+			return fmt.Errorf("marshal state %s: %w", name, err)
+		}
+
+		(*rawStates)[name] = bs
+	}
+
+	return nil
+}
+
+func anonymizeValue(value any, anonymizer *anonymize.Anonymizer) any {
+	switch v := value.(type) {
+	case string:
+		return anonymizeString(v, anonymizer)
+	case map[string]any:
+		return anonymizeMap(v, anonymizer)
+	case []any:
+		return anonymizeSlice(v, anonymizer)
+	}
+	return value
+}
+
+func anonymizeString(v string, anonymizer *anonymize.Anonymizer) string {
+	if prefix, err := netip.ParsePrefix(v); err == nil {
+		anonIP := anonymizer.AnonymizeIP(prefix.Addr())
+		return fmt.Sprintf("%s/%d", anonIP, prefix.Bits())
+	}
+	if ip, err := netip.ParseAddr(v); err == nil {
+		return anonymizer.AnonymizeIP(ip).String()
+	}
+	return anonymizer.AnonymizeString(v)
+}
+
+func anonymizeMap(v map[string]any, anonymizer *anonymize.Anonymizer) map[string]any {
+	result := make(map[string]any, len(v))
+	for key, val := range v {
+		newKey := anonymizeMapKey(key, anonymizer)
+		result[newKey] = anonymizeValue(val, anonymizer)
+	}
+	return result
+}
+
+func anonymizeMapKey(key string, anonymizer *anonymize.Anonymizer) string {
+	if prefix, err := netip.ParsePrefix(key); err == nil {
+		anonIP := anonymizer.AnonymizeIP(prefix.Addr())
+		return fmt.Sprintf("%s/%d", anonIP, prefix.Bits())
+	}
+	if ip, err := netip.ParseAddr(key); err == nil {
+		return anonymizer.AnonymizeIP(ip).String()
+	}
+	return key
+}
+
+func anonymizeSlice(v []any, anonymizer *anonymize.Anonymizer) []any {
+	for i, val := range v {
+		v[i] = anonymizeValue(val, anonymizer)
+	}
+	return v
+}
--- a/client/server/debug_linux.go
+++ b/client/server/debug_linux.go
@@ -0,0 +1,693 @@
+//go:build linux && !android
+
+package server
+
+import (
+	"archive/zip"
+	"bytes"
+	"encoding/binary"
+	"fmt"
+	"os/exec"
+	"sort"
+	"strings"
+
+	"github.com/google/nftables"
+	"github.com/google/nftables/expr"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/anonymize"
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+// addFirewallRules collects and adds firewall rules to the archive
+func (s *Server) addFirewallRules(req *proto.DebugBundleRequest, anonymizer *anonymize.Anonymizer, archive *zip.Writer) error {
+	log.Info("Collecting firewall rules")
+	// Collect and add iptables rules
+	iptablesRules, err := collectIPTablesRules()
+	if err != nil {
+		log.Warnf("Failed to collect iptables rules: %v", err)
+	} else {
+		if req.GetAnonymize() {
+			iptablesRules = anonymizer.AnonymizeString(iptablesRules)
+		}
+		if err := addFileToZip(archive, strings.NewReader(iptablesRules), "iptables.txt"); err != nil {
+			log.Warnf("Failed to add iptables rules to bundle: %v", err)
+		}
+	}
+
+	// Collect and add nftables rules
+	nftablesRules, err := collectNFTablesRules()
+	if err != nil {
+		log.Warnf("Failed to collect nftables rules: %v", err)
+	} else {
+		if req.GetAnonymize() {
+			nftablesRules = anonymizer.AnonymizeString(nftablesRules)
+		}
+		if err := addFileToZip(archive, strings.NewReader(nftablesRules), "nftables.txt"); err != nil {
+			log.Warnf("Failed to add nftables rules to bundle: %v", err)
+		}
+	}
+
+	return nil
+}
+
+// collectIPTablesRules collects rules using both iptables-save and verbose listing
+func collectIPTablesRules() (string, error) {
+	var builder strings.Builder
+
+	// First try using iptables-save
+	saveOutput, err := collectIPTablesSave()
+	if err != nil {
+		log.Warnf("Failed to collect iptables rules using iptables-save: %v", err)
+	} else {
+		builder.WriteString("=== iptables-save output ===\n")
+		builder.WriteString(saveOutput)
+		builder.WriteString("\n")
+	}
+
+	// Then get verbose statistics for each table
+	builder.WriteString("=== iptables -v -n -L output ===\n")
+
+	// Get list of tables
+	tables := []string{"filter", "nat", "mangle", "raw", "security"}
+
+	for _, table := range tables {
+		builder.WriteString(fmt.Sprintf("*%s\n", table))
+
+		// Get verbose statistics for the entire table
+		stats, err := getTableStatistics(table)
+		if err != nil {
+			log.Warnf("Failed to get statistics for table %s: %v", table, err)
+			continue
+		}
+		builder.WriteString(stats)
+		builder.WriteString("\n")
+	}
+
+	return builder.String(), nil
+}
+
+// collectIPTablesSave uses iptables-save to get rule definitions
+func collectIPTablesSave() (string, error) {
+	cmd := exec.Command("iptables-save")
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+
+	if err := cmd.Run(); err != nil {
+		return "", fmt.Errorf("execute iptables-save: %w (stderr: %s)", err, stderr.String())
+	}
+
+	rules := stdout.String()
+	if strings.TrimSpace(rules) == "" {
+		return "", fmt.Errorf("no iptables rules found")
+	}
+
+	return rules, nil
+}
+
+// getTableStatistics gets verbose statistics for an entire table using iptables command
+func getTableStatistics(table string) (string, error) {
+	cmd := exec.Command("iptables", "-v", "-n", "-L", "-t", table)
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+
+	if err := cmd.Run(); err != nil {
+		return "", fmt.Errorf("execute iptables -v -n -L: %w (stderr: %s)", err, stderr.String())
+	}
+
+	return stdout.String(), nil
+}
+
+// collectNFTablesRules attempts to collect nftables rules using either nft command or netlink
+func collectNFTablesRules() (string, error) {
+	// First try using nft command
+	rules, err := collectNFTablesFromCommand()
+	if err != nil {
+		log.Debugf("Failed to collect nftables rules using nft command: %v, falling back to netlink", err)
+		// Fall back to netlink
+		rules, err = collectNFTablesFromNetlink()
+		if err != nil {
+			return "", fmt.Errorf("collect nftables rules using both nft and netlink failed: %w", err)
+		}
+	}
+	return rules, nil
+}
+
+// collectNFTablesFromCommand attempts to collect rules using nft command
+func collectNFTablesFromCommand() (string, error) {
+	cmd := exec.Command("nft", "-a", "list", "ruleset")
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+
+	if err := cmd.Run(); err != nil {
+		return "", fmt.Errorf("execute nft list ruleset: %w (stderr: %s)", err, stderr.String())
+	}
+
+	rules := stdout.String()
+	if strings.TrimSpace(rules) == "" {
+		return "", fmt.Errorf("no nftables rules found")
+	}
+
+	return rules, nil
+}
+
+// collectNFTablesFromNetlink collects rules using netlink library
+func collectNFTablesFromNetlink() (string, error) {
+	conn, err := nftables.New()
+	if err != nil {
+		return "", fmt.Errorf("create nftables connection: %w", err)
+	}
+
+	tables, err := conn.ListTables()
+	if err != nil {
+		return "", fmt.Errorf("list tables: %w", err)
+	}
+
+	sortTables(tables)
+	return formatTables(conn, tables), nil
+}
+
+func formatTables(conn *nftables.Conn, tables []*nftables.Table) string {
+	var builder strings.Builder
+
+	for _, table := range tables {
+		builder.WriteString(fmt.Sprintf("table %s %s {\n", formatFamily(table.Family), table.Name))
+
+		chains, err := getAndSortTableChains(conn, table)
+		if err != nil {
+			log.Warnf("Failed to list chains for table %s: %v", table.Name, err)
+			continue
+		}
+
+		// Format chains
+		for _, chain := range chains {
+			formatChain(conn, table, chain, &builder)
+		}
+
+		// Format sets
+		if sets, err := conn.GetSets(table); err != nil {
+			log.Warnf("Failed to get sets for table %s: %v", table.Name, err)
+		} else if len(sets) > 0 {
+			builder.WriteString("\n")
+			for _, set := range sets {
+				builder.WriteString(formatSet(conn, set))
+			}
+		}
+
+		builder.WriteString("}\n")
+	}
+
+	return builder.String()
+}
+
+func getAndSortTableChains(conn *nftables.Conn, table *nftables.Table) ([]*nftables.Chain, error) {
+	chains, err := conn.ListChains()
+	if err != nil {
+		return nil, err
+	}
+
+	var tableChains []*nftables.Chain
+	for _, chain := range chains {
+		if chain.Table.Name == table.Name && chain.Table.Family == table.Family {
+			tableChains = append(tableChains, chain)
+		}
+	}
+
+	sort.Slice(tableChains, func(i, j int) bool {
+		return tableChains[i].Name < tableChains[j].Name
+	})
+
+	return tableChains, nil
+}
+
+func formatChain(conn *nftables.Conn, table *nftables.Table, chain *nftables.Chain, builder *strings.Builder) {
+	builder.WriteString(fmt.Sprintf("\tchain %s {\n", chain.Name))
+
+	if chain.Type != "" {
+		var policy string
+		if chain.Policy != nil {
+			policy = fmt.Sprintf("; policy %s", formatPolicy(*chain.Policy))
+		}
+		builder.WriteString(fmt.Sprintf("\t\ttype %s hook %s priority %d%s\n",
+			formatChainType(chain.Type),
+			formatChainHook(chain.Hooknum),
+			chain.Priority,
+			policy))
+	}
+
+	rules, err := conn.GetRules(table, chain)
+	if err != nil {
+		log.Warnf("Failed to get rules for chain %s: %v", chain.Name, err)
+	} else {
+		sort.Slice(rules, func(i, j int) bool {
+			return rules[i].Position < rules[j].Position
+		})
+		for _, rule := range rules {
+			builder.WriteString(formatRule(rule))
+		}
+	}
+
+	builder.WriteString("\t}\n")
+}
+
+func sortTables(tables []*nftables.Table) {
+	sort.Slice(tables, func(i, j int) bool {
+		if tables[i].Family != tables[j].Family {
+			return tables[i].Family < tables[j].Family
+		}
+		return tables[i].Name < tables[j].Name
+	})
+}
+
+func formatFamily(family nftables.TableFamily) string {
+	switch family {
+	case nftables.TableFamilyIPv4:
+		return "ip"
+	case nftables.TableFamilyIPv6:
+		return "ip6"
+	case nftables.TableFamilyINet:
+		return "inet"
+	case nftables.TableFamilyARP:
+		return "arp"
+	case nftables.TableFamilyBridge:
+		return "bridge"
+	case nftables.TableFamilyNetdev:
+		return "netdev"
+	default:
+		return fmt.Sprintf("family-%d", family)
+	}
+}
+
+func formatChainType(typ nftables.ChainType) string {
+	switch typ {
+	case nftables.ChainTypeFilter:
+		return "filter"
+	case nftables.ChainTypeNAT:
+		return "nat"
+	case nftables.ChainTypeRoute:
+		return "route"
+	default:
+		return fmt.Sprintf("type-%s", typ)
+	}
+}
+
+func formatChainHook(hook *nftables.ChainHook) string {
+	if hook == nil {
+		return "none"
+	}
+	switch *hook {
+	case *nftables.ChainHookPrerouting:
+		return "prerouting"
+	case *nftables.ChainHookInput:
+		return "input"
+	case *nftables.ChainHookForward:
+		return "forward"
+	case *nftables.ChainHookOutput:
+		return "output"
+	case *nftables.ChainHookPostrouting:
+		return "postrouting"
+	default:
+		return fmt.Sprintf("hook-%d", *hook)
+	}
+}
+
+func formatPolicy(policy nftables.ChainPolicy) string {
+	switch policy {
+	case nftables.ChainPolicyDrop:
+		return "drop"
+	case nftables.ChainPolicyAccept:
+		return "accept"
+	default:
+		return fmt.Sprintf("policy-%d", policy)
+	}
+}
+
+func formatRule(rule *nftables.Rule) string {
+	var builder strings.Builder
+	builder.WriteString("\t\t")
+
+	for i := 0; i < len(rule.Exprs); i++ {
+		if i > 0 {
+			builder.WriteString(" ")
+		}
+		i = formatExprSequence(&builder, rule.Exprs, i)
+	}
+
+	builder.WriteString("\n")
+	return builder.String()
+}
+
+func formatExprSequence(builder *strings.Builder, exprs []expr.Any, i int) int {
+	curr := exprs[i]
+
+	// Handle Meta + Cmp sequence
+	if meta, ok := curr.(*expr.Meta); ok && i+1 < len(exprs) {
+		if cmp, ok := exprs[i+1].(*expr.Cmp); ok {
+			if formatted := formatMetaWithCmp(meta, cmp); formatted != "" {
+				builder.WriteString(formatted)
+				return i + 1
+			}
+		}
+	}
+
+	// Handle Payload + Cmp sequence
+	if payload, ok := curr.(*expr.Payload); ok && i+1 < len(exprs) {
+		if cmp, ok := exprs[i+1].(*expr.Cmp); ok {
+			builder.WriteString(formatPayloadWithCmp(payload, cmp))
+			return i + 1
+		}
+	}
+
+	builder.WriteString(formatExpr(curr))
+	return i
+}
+
+func formatMetaWithCmp(meta *expr.Meta, cmp *expr.Cmp) string {
+	switch meta.Key {
+	case expr.MetaKeyIIFNAME:
+		name := strings.TrimRight(string(cmp.Data), "\x00")
+		return fmt.Sprintf("iifname %s %q", formatCmpOp(cmp.Op), name)
+	case expr.MetaKeyOIFNAME:
+		name := strings.TrimRight(string(cmp.Data), "\x00")
+		return fmt.Sprintf("oifname %s %q", formatCmpOp(cmp.Op), name)
+	case expr.MetaKeyMARK:
+		if len(cmp.Data) == 4 {
+			val := binary.BigEndian.Uint32(cmp.Data)
+			return fmt.Sprintf("meta mark %s 0x%x", formatCmpOp(cmp.Op), val)
+		}
+	}
+	return ""
+}
+
+func formatPayloadWithCmp(p *expr.Payload, cmp *expr.Cmp) string {
+	if p.Base == expr.PayloadBaseNetworkHeader {
+		switch p.Offset {
+		case 12: // Source IP
+			if p.Len == 4 {
+				return fmt.Sprintf("ip saddr %s %s", formatCmpOp(cmp.Op), formatIPBytes(cmp.Data))
+			} else if p.Len == 2 {
+				return fmt.Sprintf("ip saddr %s %s", formatCmpOp(cmp.Op), formatIPBytes(cmp.Data))
+			}
+		case 16: // Destination IP
+			if p.Len == 4 {
+				return fmt.Sprintf("ip daddr %s %s", formatCmpOp(cmp.Op), formatIPBytes(cmp.Data))
+			} else if p.Len == 2 {
+				return fmt.Sprintf("ip daddr %s %s", formatCmpOp(cmp.Op), formatIPBytes(cmp.Data))
+			}
+		}
+	}
+	return fmt.Sprintf("%d reg%d [%d:%d] %s %v",
+		p.Base, p.DestRegister, p.Offset, p.Len,
+		formatCmpOp(cmp.Op), cmp.Data)
+}
+
+func formatIPBytes(data []byte) string {
+	if len(data) == 4 {
+		return fmt.Sprintf("%d.%d.%d.%d", data[0], data[1], data[2], data[3])
+	} else if len(data) == 2 {
+		return fmt.Sprintf("%d.%d.0.0/16", data[0], data[1])
+	}
+	return fmt.Sprintf("%v", data)
+}
+
+func formatCmpOp(op expr.CmpOp) string {
+	switch op {
+	case expr.CmpOpEq:
+		return "=="
+	case expr.CmpOpNeq:
+		return "!="
+	case expr.CmpOpLt:
+		return "<"
+	case expr.CmpOpLte:
+		return "<="
+	case expr.CmpOpGt:
+		return ">"
+	case expr.CmpOpGte:
+		return ">="
+	default:
+		return fmt.Sprintf("op-%d", op)
+	}
+}
+
+// formatExpr formats an expression in nft-like syntax
+func formatExpr(exp expr.Any) string {
+	switch e := exp.(type) {
+	case *expr.Meta:
+		return formatMeta(e)
+	case *expr.Cmp:
+		return formatCmp(e)
+	case *expr.Payload:
+		return formatPayload(e)
+	case *expr.Verdict:
+		return formatVerdict(e)
+	case *expr.Counter:
+		return fmt.Sprintf("counter packets %d bytes %d", e.Packets, e.Bytes)
+	case *expr.Masq:
+		return "masquerade"
+	case *expr.NAT:
+		return formatNat(e)
+	case *expr.Match:
+		return formatMatch(e)
+	case *expr.Queue:
+		return fmt.Sprintf("queue num %d", e.Num)
+	case *expr.Lookup:
+		return fmt.Sprintf("@%s", e.SetName)
+	case *expr.Bitwise:
+		return formatBitwise(e)
+	case *expr.Fib:
+		return formatFib(e)
+	case *expr.Target:
+		return fmt.Sprintf("jump %s", e.Name) // Properly format jump targets
+	case *expr.Immediate:
+		if e.Register == 1 {
+			return formatImmediateData(e.Data)
+		}
+		return fmt.Sprintf("immediate %v", e.Data)
+	default:
+		return fmt.Sprintf("<%T>", exp)
+	}
+}
+
+func formatImmediateData(data []byte) string {
+	// For IP addresses (4 bytes)
+	if len(data) == 4 {
+		return fmt.Sprintf("%d.%d.%d.%d", data[0], data[1], data[2], data[3])
+	}
+	return fmt.Sprintf("%v", data)
+}
+
+func formatMeta(e *expr.Meta) string {
+	// Handle source register case first (meta mark set)
+	if e.SourceRegister {
+		return fmt.Sprintf("meta %s set reg %d", formatMetaKey(e.Key), e.Register)
+	}
+
+	// For interface names, handle register load operation
+	switch e.Key {
+	case expr.MetaKeyIIFNAME,
+		expr.MetaKeyOIFNAME,
+		expr.MetaKeyBRIIIFNAME,
+		expr.MetaKeyBRIOIFNAME:
+		// Simply the key name with no register reference
+		return formatMetaKey(e.Key)
+
+	case expr.MetaKeyMARK:
+		// For mark operations, we want just "mark"
+		return "mark"
+	}
+
+	// For other meta keys, show as loading into register
+	return fmt.Sprintf("meta %s => reg %d", formatMetaKey(e.Key), e.Register)
+}
+
+func formatMetaKey(key expr.MetaKey) string {
+	switch key {
+	case expr.MetaKeyLEN:
+		return "length"
+	case expr.MetaKeyPROTOCOL:
+		return "protocol"
+	case expr.MetaKeyPRIORITY:
+		return "priority"
+	case expr.MetaKeyMARK:
+		return "mark"
+	case expr.MetaKeyIIF:
+		return "iif"
+	case expr.MetaKeyOIF:
+		return "oif"
+	case expr.MetaKeyIIFNAME:
+		return "iifname"
+	case expr.MetaKeyOIFNAME:
+		return "oifname"
+	case expr.MetaKeyIIFTYPE:
+		return "iiftype"
+	case expr.MetaKeyOIFTYPE:
+		return "oiftype"
+	case expr.MetaKeySKUID:
+		return "skuid"
+	case expr.MetaKeySKGID:
+		return "skgid"
+	case expr.MetaKeyNFTRACE:
+		return "nftrace"
+	case expr.MetaKeyRTCLASSID:
+		return "rtclassid"
+	case expr.MetaKeySECMARK:
+		return "secmark"
+	case expr.MetaKeyNFPROTO:
+		return "nfproto"
+	case expr.MetaKeyL4PROTO:
+		return "l4proto"
+	case expr.MetaKeyBRIIIFNAME:
+		return "briifname"
+	case expr.MetaKeyBRIOIFNAME:
+		return "broifname"
+	case expr.MetaKeyPKTTYPE:
+		return "pkttype"
+	case expr.MetaKeyCPU:
+		return "cpu"
+	case expr.MetaKeyIIFGROUP:
+		return "iifgroup"
+	case expr.MetaKeyOIFGROUP:
+		return "oifgroup"
+	case expr.MetaKeyCGROUP:
+		return "cgroup"
+	case expr.MetaKeyPRANDOM:
+		return "prandom"
+	default:
+		return fmt.Sprintf("meta-%d", key)
+	}
+}
+
+func formatCmp(e *expr.Cmp) string {
+	ops := map[expr.CmpOp]string{
+		expr.CmpOpEq:  "==",
+		expr.CmpOpNeq: "!=",
+		expr.CmpOpLt:  "<",
+		expr.CmpOpLte: "<=",
+		expr.CmpOpGt:  ">",
+		expr.CmpOpGte: ">=",
+	}
+	return fmt.Sprintf("%s %v", ops[e.Op], e.Data)
+}
+
+func formatPayload(e *expr.Payload) string {
+	var proto string
+	switch e.Base {
+	case expr.PayloadBaseNetworkHeader:
+		proto = "ip"
+	case expr.PayloadBaseTransportHeader:
+		proto = "tcp"
+	default:
+		proto = fmt.Sprintf("payload-%d", e.Base)
+	}
+	return fmt.Sprintf("%s reg%d [%d:%d]", proto, e.DestRegister, e.Offset, e.Len)
+}
+
+func formatVerdict(e *expr.Verdict) string {
+	switch e.Kind {
+	case expr.VerdictAccept:
+		return "accept"
+	case expr.VerdictDrop:
+		return "drop"
+	case expr.VerdictJump:
+		return fmt.Sprintf("jump %s", e.Chain)
+	case expr.VerdictGoto:
+		return fmt.Sprintf("goto %s", e.Chain)
+	case expr.VerdictReturn:
+		return "return"
+	default:
+		return fmt.Sprintf("verdict-%d", e.Kind)
+	}
+}
+
+func formatNat(e *expr.NAT) string {
+	switch e.Type {
+	case expr.NATTypeSourceNAT:
+		return "snat"
+	case expr.NATTypeDestNAT:
+		return "dnat"
+	default:
+		return fmt.Sprintf("nat-%d", e.Type)
+	}
+}
+
+func formatMatch(e *expr.Match) string {
+	return fmt.Sprintf("match %s rev %d", e.Name, e.Rev)
+}
+
+func formatBitwise(e *expr.Bitwise) string {
+	return fmt.Sprintf("bitwise reg%d = reg%d & %v ^ %v",
+		e.DestRegister, e.SourceRegister, e.Mask, e.Xor)
+}
+
+func formatFib(e *expr.Fib) string {
+	var flags []string
+	if e.FlagSADDR {
+		flags = append(flags, "saddr")
+	}
+	if e.FlagDADDR {
+		flags = append(flags, "daddr")
+	}
+	if e.FlagMARK {
+		flags = append(flags, "mark")
+	}
+	if e.FlagIIF {
+		flags = append(flags, "iif")
+	}
+	if e.FlagOIF {
+		flags = append(flags, "oif")
+	}
+	if e.ResultADDRTYPE {
+		flags = append(flags, "type")
+	}
+	return fmt.Sprintf("fib reg%d %s", e.Register, strings.Join(flags, ","))
+}
+
+func formatSet(conn *nftables.Conn, set *nftables.Set) string {
+	var builder strings.Builder
+	builder.WriteString(fmt.Sprintf("\tset %s {\n", set.Name))
+	builder.WriteString(fmt.Sprintf("\t\ttype %s\n", formatSetKeyType(set.KeyType)))
+	if set.ID > 0 {
+		builder.WriteString(fmt.Sprintf("\t\t# handle %d\n", set.ID))
+	}
+
+	elements, err := conn.GetSetElements(set)
+	if err != nil {
+		log.Warnf("Failed to get elements for set %s: %v", set.Name, err)
+	} else if len(elements) > 0 {
+		builder.WriteString("\t\telements = {")
+		for i, elem := range elements {
+			if i > 0 {
+				builder.WriteString(", ")
+			}
+			builder.WriteString(fmt.Sprintf("%v", elem.Key))
+		}
+		builder.WriteString("}\n")
+	}
+
+	builder.WriteString("\t}\n")
+	return builder.String()
+}
+
+func formatSetKeyType(keyType nftables.SetDatatype) string {
+	switch keyType {
+	case nftables.TypeInvalid:
+		return "invalid"
+	case nftables.TypeIPAddr:
+		return "ipv4_addr"
+	case nftables.TypeIP6Addr:
+		return "ipv6_addr"
+	case nftables.TypeEtherAddr:
+		return "ether_addr"
+	case nftables.TypeInetProto:
+		return "inet_proto"
+	case nftables.TypeInetService:
+		return "inet_service"
+	case nftables.TypeMark:
+		return "mark"
+	default:
+		return fmt.Sprintf("type-%v", keyType)
+	}
+}
--- a/client/server/debug_nonlinux.go
+++ b/client/server/debug_nonlinux.go
@@ -0,0 +1,15 @@
+//go:build !linux || android
+
+package server
+
+import (
+	"archive/zip"
+
+	"github.com/netbirdio/netbird/client/anonymize"
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+// collectFirewallRules returns nothing on non-linux systems
+func (s *Server) addFirewallRules(req *proto.DebugBundleRequest, anonymizer *anonymize.Anonymizer, archive *zip.Writer) error {
+	return nil
+}
--- a/client/server/debug_test.go
+++ b/client/server/debug_test.go
@@ -0,0 +1,543 @@
+package server
+
+import (
+	"encoding/json"
+	"net"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/client/anonymize"
+	mgmProto "github.com/netbirdio/netbird/management/proto"
+)
+
+func TestAnonymizeStateFile(t *testing.T) {
+	testState := map[string]json.RawMessage{
+		"null_state": json.RawMessage("null"),
+		"test_state": mustMarshal(map[string]any{
+			// Test simple fields
+			"public_ip":      "203.0.113.1",
+			"private_ip":     "192.168.1.1",
+			"protected_ip":   "100.64.0.1",
+			"well_known_ip":  "8.8.8.8",
+			"ipv6_addr":      "2001:db8::1",
+			"private_ipv6":   "fd00::1",
+			"domain":         "test.example.com",
+			"uri":            "stun:stun.example.com:3478",
+			"uri_with_ip":    "turn:203.0.113.1:3478",
+			"netbird_domain": "device.netbird.cloud",
+
+			// Test CIDR ranges
+			"public_cidr":       "203.0.113.0/24",
+			"private_cidr":      "192.168.0.0/16",
+			"protected_cidr":    "100.64.0.0/10",
+			"ipv6_cidr":         "2001:db8::/32",
+			"private_ipv6_cidr": "fd00::/8",
+
+			// Test nested structures
+			"nested": map[string]any{
+				"ip":     "203.0.113.2",
+				"domain": "nested.example.com",
+				"more_nest": map[string]any{
+					"ip":     "203.0.113.3",
+					"domain": "deep.example.com",
+				},
+			},
+
+			// Test arrays
+			"string_array": []any{
+				"203.0.113.4",
+				"test1.example.com",
+				"test2.example.com",
+			},
+			"object_array": []any{
+				map[string]any{
+					"ip":     "203.0.113.5",
+					"domain": "array1.example.com",
+				},
+				map[string]any{
+					"ip":     "203.0.113.6",
+					"domain": "array2.example.com",
+				},
+			},
+
+			// Test multiple occurrences of same value
+			"duplicate_ip":     "203.0.113.1",      // Same as public_ip
+			"duplicate_domain": "test.example.com", // Same as domain
+
+			// Test URIs with various schemes
+			"stun_uri":  "stun:stun.example.com:3478",
+			"turns_uri": "turns:turns.example.com:5349",
+			"http_uri":  "http://web.example.com:80",
+			"https_uri": "https://secure.example.com:443",
+
+			// Test strings that might look like IPs but aren't
+			"not_ip":         "300.300.300.300",
+			"partial_ip":     "192.168",
+			"ip_like_string": "1234.5678",
+
+			// Test mixed content strings
+			"mixed_content": "Server at 203.0.113.1 (test.example.com) on port 80",
+
+			// Test empty and special values
+			"empty_string":  "",
+			"null_value":    nil,
+			"numeric_value": 42,
+			"boolean_value": true,
+		}),
+		"route_state": mustMarshal(map[string]any{
+			"routes": []any{
+				map[string]any{
+					"network": "203.0.113.0/24",
+					"gateway": "203.0.113.1",
+					"domains": []any{
+						"route1.example.com",
+						"route2.example.com",
+					},
+				},
+				map[string]any{
+					"network": "2001:db8::/32",
+					"gateway": "2001:db8::1",
+					"domains": []any{
+						"route3.example.com",
+						"route4.example.com",
+					},
+				},
+			},
+			// Test map with IP/CIDR keys
+			"refCountMap": map[string]any{
+				"203.0.113.1/32": map[string]any{
+					"Count": 1,
+					"Out": map[string]any{
+						"IP": "192.168.0.1",
+						"Intf": map[string]any{
+							"Name":  "eth0",
+							"Index": 1,
+						},
+					},
+				},
+				"2001:db8::1/128": map[string]any{
+					"Count": 1,
+					"Out": map[string]any{
+						"IP": "fe80::1",
+						"Intf": map[string]any{
+							"Name":  "eth0",
+							"Index": 1,
+						},
+					},
+				},
+				"10.0.0.1/32": map[string]any{ // private IP should remain unchanged
+					"Count": 1,
+					"Out": map[string]any{
+						"IP": "192.168.0.1",
+					},
+				},
+			},
+		}),
+	}
+
+	anonymizer := anonymize.NewAnonymizer(anonymize.DefaultAddresses())
+
+	// Pre-seed the domains we need to verify in the test assertions
+	anonymizer.AnonymizeDomain("test.example.com")
+	anonymizer.AnonymizeDomain("nested.example.com")
+	anonymizer.AnonymizeDomain("deep.example.com")
+	anonymizer.AnonymizeDomain("array1.example.com")
+
+	err := anonymizeStateFile(&testState, anonymizer)
+	require.NoError(t, err)
+
+	// Helper function to unmarshal and get nested values
+	var state map[string]any
+	err = json.Unmarshal(testState["test_state"], &state)
+	require.NoError(t, err)
+
+	// Test null state remains unchanged
+	require.Equal(t, "null", string(testState["null_state"]))
+
+	// Basic assertions
+	assert.NotEqual(t, "203.0.113.1", state["public_ip"])
+	assert.Equal(t, "192.168.1.1", state["private_ip"])  // Private IP unchanged
+	assert.Equal(t, "100.64.0.1", state["protected_ip"]) // Protected IP unchanged
+	assert.Equal(t, "8.8.8.8", state["well_known_ip"])   // Well-known IP unchanged
+	assert.NotEqual(t, "2001:db8::1", state["ipv6_addr"])
+	assert.Equal(t, "fd00::1", state["private_ipv6"]) // Private IPv6 unchanged
+	assert.NotEqual(t, "test.example.com", state["domain"])
+	assert.True(t, strings.HasSuffix(state["domain"].(string), ".domain"))
+	assert.Equal(t, "device.netbird.cloud", state["netbird_domain"]) // Netbird domain unchanged
+
+	// CIDR ranges
+	assert.NotEqual(t, "203.0.113.0/24", state["public_cidr"])
+	assert.Contains(t, state["public_cidr"], "/24")           // Prefix preserved
+	assert.Equal(t, "192.168.0.0/16", state["private_cidr"])  // Private CIDR unchanged
+	assert.Equal(t, "100.64.0.0/10", state["protected_cidr"]) // Protected CIDR unchanged
+	assert.NotEqual(t, "2001:db8::/32", state["ipv6_cidr"])
+	assert.Contains(t, state["ipv6_cidr"], "/32") // IPv6 prefix preserved
+
+	// Nested structures
+	nested := state["nested"].(map[string]any)
+	assert.NotEqual(t, "203.0.113.2", nested["ip"])
+	assert.NotEqual(t, "nested.example.com", nested["domain"])
+	moreNest := nested["more_nest"].(map[string]any)
+	assert.NotEqual(t, "203.0.113.3", moreNest["ip"])
+	assert.NotEqual(t, "deep.example.com", moreNest["domain"])
+
+	// Arrays
+	strArray := state["string_array"].([]any)
+	assert.NotEqual(t, "203.0.113.4", strArray[0])
+	assert.NotEqual(t, "test1.example.com", strArray[1])
+	assert.True(t, strings.HasSuffix(strArray[1].(string), ".domain"))
+
+	objArray := state["object_array"].([]any)
+	firstObj := objArray[0].(map[string]any)
+	assert.NotEqual(t, "203.0.113.5", firstObj["ip"])
+	assert.NotEqual(t, "array1.example.com", firstObj["domain"])
+
+	// Duplicate values should be anonymized consistently
+	assert.Equal(t, state["public_ip"], state["duplicate_ip"])
+	assert.Equal(t, state["domain"], state["duplicate_domain"])
+
+	// URIs
+	assert.NotContains(t, state["stun_uri"], "stun.example.com")
+	assert.NotContains(t, state["turns_uri"], "turns.example.com")
+	assert.NotContains(t, state["http_uri"], "web.example.com")
+	assert.NotContains(t, state["https_uri"], "secure.example.com")
+
+	// Non-IP strings should remain unchanged
+	assert.Equal(t, "300.300.300.300", state["not_ip"])
+	assert.Equal(t, "192.168", state["partial_ip"])
+	assert.Equal(t, "1234.5678", state["ip_like_string"])
+
+	// Mixed content should have IPs and domains replaced
+	mixedContent := state["mixed_content"].(string)
+	assert.NotContains(t, mixedContent, "203.0.113.1")
+	assert.NotContains(t, mixedContent, "test.example.com")
+	assert.Contains(t, mixedContent, "Server at ")
+	assert.Contains(t, mixedContent, " on port 80")
+
+	// Special values should remain unchanged
+	assert.Equal(t, "", state["empty_string"])
+	assert.Nil(t, state["null_value"])
+	assert.Equal(t, float64(42), state["numeric_value"])
+	assert.Equal(t, true, state["boolean_value"])
+
+	// Check route state
+	var routeState map[string]any
+	err = json.Unmarshal(testState["route_state"], &routeState)
+	require.NoError(t, err)
+
+	routes := routeState["routes"].([]any)
+	route1 := routes[0].(map[string]any)
+	assert.NotEqual(t, "203.0.113.0/24", route1["network"])
+	assert.Contains(t, route1["network"], "/24")
+	assert.NotEqual(t, "203.0.113.1", route1["gateway"])
+	domains := route1["domains"].([]any)
+	assert.True(t, strings.HasSuffix(domains[0].(string), ".domain"))
+	assert.True(t, strings.HasSuffix(domains[1].(string), ".domain"))
+
+	// Check map keys are anonymized
+	refCountMap := routeState["refCountMap"].(map[string]any)
+	hasPublicIPKey := false
+	hasIPv6Key := false
+	hasPrivateIPKey := false
+	for key := range refCountMap {
+		if strings.Contains(key, "203.0.113.1") {
+			hasPublicIPKey = true
+		}
+		if strings.Contains(key, "2001:db8::1") {
+			hasIPv6Key = true
+		}
+		if key == "10.0.0.1/32" {
+			hasPrivateIPKey = true
+		}
+	}
+	assert.False(t, hasPublicIPKey, "public IP in key should be anonymized")
+	assert.False(t, hasIPv6Key, "IPv6 in key should be anonymized")
+	assert.True(t, hasPrivateIPKey, "private IP in key should remain unchanged")
+}
+
+func mustMarshal(v any) json.RawMessage {
+	data, err := json.Marshal(v)
+	if err != nil {
+		panic(err)
+	}
+	return data
+}
+
+func TestAnonymizeNetworkMap(t *testing.T) {
+	networkMap := &mgmProto.NetworkMap{
+		PeerConfig: &mgmProto.PeerConfig{
+			Address: "203.0.113.5",
+			Dns:     "1.2.3.4",
+			Fqdn:    "peer1.corp.example.com",
+			SshConfig: &mgmProto.SSHConfig{
+				SshPubKey: []byte("ssh-rsa AAAAB3NzaC1..."),
+			},
+		},
+		RemotePeers: []*mgmProto.RemotePeerConfig{
+			{
+				AllowedIps: []string{
+					"203.0.113.1/32",
+					"2001:db8:1234::1/128",
+					"192.168.1.1/32",
+					"100.64.0.1/32",
+					"10.0.0.1/32",
+				},
+				Fqdn: "peer2.corp.example.com",
+				SshConfig: &mgmProto.SSHConfig{
+					SshPubKey: []byte("ssh-rsa AAAAB3NzaC2..."),
+				},
+			},
+		},
+		Routes: []*mgmProto.Route{
+			{
+				Network: "197.51.100.0/24",
+				Domains: []string{"prod.example.com", "staging.example.com"},
+				NetID:   "net-123abc",
+			},
+		},
+		DNSConfig: &mgmProto.DNSConfig{
+			NameServerGroups: []*mgmProto.NameServerGroup{
+				{
+					NameServers: []*mgmProto.NameServer{
+						{IP: "8.8.8.8"},
+						{IP: "1.1.1.1"},
+						{IP: "203.0.113.53"},
+					},
+					Domains: []string{"example.com", "internal.example.com"},
+				},
+			},
+			CustomZones: []*mgmProto.CustomZone{
+				{
+					Domain: "custom.example.com",
+					Records: []*mgmProto.SimpleRecord{
+						{
+							Name:  "www.custom.example.com",
+							Type:  1,
+							RData: "203.0.113.10",
+						},
+						{
+							Name:  "internal.custom.example.com",
+							Type:  1,
+							RData: "192.168.1.10",
+						},
+					},
+				},
+			},
+		},
+	}
+
+	// Create anonymizer with test addresses
+	anonymizer := anonymize.NewAnonymizer(anonymize.DefaultAddresses())
+
+	// Anonymize the network map
+	err := anonymizeNetworkMap(networkMap, anonymizer)
+	require.NoError(t, err)
+
+	// Test PeerConfig anonymization
+	peerCfg := networkMap.PeerConfig
+	require.NotEqual(t, "203.0.113.5", peerCfg.Address)
+
+	// Verify DNS and FQDN are properly anonymized
+	require.NotEqual(t, "1.2.3.4", peerCfg.Dns)
+	require.NotEqual(t, "peer1.corp.example.com", peerCfg.Fqdn)
+	require.True(t, strings.HasSuffix(peerCfg.Fqdn, ".domain"))
+
+	// Verify SSH key is replaced
+	require.Equal(t, []byte("ssh-placeholder-key"), peerCfg.SshConfig.SshPubKey)
+
+	// Test RemotePeers anonymization
+	remotePeer := networkMap.RemotePeers[0]
+
+	// Verify FQDN is anonymized
+	require.NotEqual(t, "peer2.corp.example.com", remotePeer.Fqdn)
+	require.True(t, strings.HasSuffix(remotePeer.Fqdn, ".domain"))
+
+	// Check that public IPs are anonymized but private IPs are preserved
+	for _, allowedIP := range remotePeer.AllowedIps {
+		ip, _, err := net.ParseCIDR(allowedIP)
+		require.NoError(t, err)
+
+		if ip.IsPrivate() || isInCGNATRange(ip) {
+			require.Contains(t, []string{
+				"192.168.1.1/32",
+				"100.64.0.1/32",
+				"10.0.0.1/32",
+			}, allowedIP)
+		} else {
+			require.NotContains(t, []string{
+				"203.0.113.1/32",
+				"2001:db8:1234::1/128",
+			}, allowedIP)
+		}
+	}
+
+	// Test Routes anonymization
+	route := networkMap.Routes[0]
+	require.NotEqual(t, "197.51.100.0/24", route.Network)
+	for _, domain := range route.Domains {
+		require.True(t, strings.HasSuffix(domain, ".domain"))
+		require.NotContains(t, domain, "example.com")
+	}
+
+	// Test DNS config anonymization
+	dnsConfig := networkMap.DNSConfig
+	nameServerGroup := dnsConfig.NameServerGroups[0]
+
+	// Verify well-known DNS servers are preserved
+	require.Equal(t, "8.8.8.8", nameServerGroup.NameServers[0].IP)
+	require.Equal(t, "1.1.1.1", nameServerGroup.NameServers[1].IP)
+
+	// Verify public DNS server is anonymized
+	require.NotEqual(t, "203.0.113.53", nameServerGroup.NameServers[2].IP)
+
+	// Verify domains are anonymized
+	for _, domain := range nameServerGroup.Domains {
+		require.True(t, strings.HasSuffix(domain, ".domain"))
+		require.NotContains(t, domain, "example.com")
+	}
+
+	// Test CustomZones anonymization
+	customZone := dnsConfig.CustomZones[0]
+	require.True(t, strings.HasSuffix(customZone.Domain, ".domain"))
+	require.NotContains(t, customZone.Domain, "example.com")
+
+	// Verify records are properly anonymized
+	for _, record := range customZone.Records {
+		require.True(t, strings.HasSuffix(record.Name, ".domain"))
+		require.NotContains(t, record.Name, "example.com")
+
+		ip := net.ParseIP(record.RData)
+		if ip != nil {
+			if !ip.IsPrivate() {
+				require.NotEqual(t, "203.0.113.10", record.RData)
+			} else {
+				require.Equal(t, "192.168.1.10", record.RData)
+			}
+		}
+	}
+}
+
+// Helper function to check if IP is in CGNAT range
+func isInCGNATRange(ip net.IP) bool {
+	cgnat := net.IPNet{
+		IP:   net.ParseIP("100.64.0.0"),
+		Mask: net.CIDRMask(10, 32),
+	}
+	return cgnat.Contains(ip)
+}
+
+func TestAnonymizeFirewallRules(t *testing.T) {
+	// TODO: Add ipv6
+
+	// Example iptables-save output
+	iptablesSave := `# Generated by iptables-save v1.8.7 on Thu Dec 19 10:00:00 2024
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -s 192.168.1.0/24 -j ACCEPT
+-A INPUT -s 44.192.140.1/32 -j DROP
+-A FORWARD -s 10.0.0.0/8 -j DROP
+-A FORWARD -s 44.192.140.0/24 -d 52.84.12.34/24 -j ACCEPT
+COMMIT
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A POSTROUTING -s 192.168.100.0/24 -j MASQUERADE
+-A PREROUTING -d 44.192.140.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
+COMMIT`
+
+	// Example iptables -v -n -L output
+	iptablesVerbose := `Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
+    pkts bytes target     prot opt in     out     source               destination         
+       0     0 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0           
+     100  1024 DROP       all  --  *      *       44.192.140.1         0.0.0.0/0
+
+Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
+    pkts bytes target     prot opt in     out     source               destination         
+       0     0 DROP       all  --  *      *       10.0.0.0/8           0.0.0.0/0           
+      25   256 ACCEPT     all  --  *      *       44.192.140.0/24      52.84.12.34/24
+
+Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
+    pkts bytes target     prot opt in     out     source               destination`
+
+	// Example nftables output
+	nftablesRules := `table inet filter {
+        chain input {
+                type filter hook input priority filter; policy accept;
+                ip saddr 192.168.1.1 accept
+                ip saddr 44.192.140.1 drop
+        }
+        chain forward {
+                type filter hook forward priority filter; policy accept;
+                ip saddr 10.0.0.0/8 drop
+                ip saddr 44.192.140.0/24 ip daddr 52.84.12.34/24 accept
+        }
+    }`
+
+	anonymizer := anonymize.NewAnonymizer(anonymize.DefaultAddresses())
+
+	// Test iptables-save anonymization
+	anonIptablesSave := anonymizer.AnonymizeString(iptablesSave)
+
+	// Private IP addresses should remain unchanged
+	assert.Contains(t, anonIptablesSave, "192.168.1.0/24")
+	assert.Contains(t, anonIptablesSave, "10.0.0.0/8")
+	assert.Contains(t, anonIptablesSave, "192.168.100.0/24")
+	assert.Contains(t, anonIptablesSave, "192.168.1.10")
+
+	// Public IP addresses should be anonymized to the default range
+	assert.NotContains(t, anonIptablesSave, "44.192.140.1")
+	assert.NotContains(t, anonIptablesSave, "44.192.140.0/24")
+	assert.NotContains(t, anonIptablesSave, "52.84.12.34")
+	assert.Contains(t, anonIptablesSave, "198.51.100.") // Default anonymous range
+
+	// Structure should be preserved
+	assert.Contains(t, anonIptablesSave, "*filter")
+	assert.Contains(t, anonIptablesSave, ":INPUT ACCEPT [0:0]")
+	assert.Contains(t, anonIptablesSave, "COMMIT")
+	assert.Contains(t, anonIptablesSave, "-j MASQUERADE")
+	assert.Contains(t, anonIptablesSave, "--dport 80")
+
+	// Test iptables verbose output anonymization
+	anonIptablesVerbose := anonymizer.AnonymizeString(iptablesVerbose)
+
+	// Private IP addresses should remain unchanged
+	assert.Contains(t, anonIptablesVerbose, "192.168.1.0/24")
+	assert.Contains(t, anonIptablesVerbose, "10.0.0.0/8")
+
+	// Public IP addresses should be anonymized to the default range
+	assert.NotContains(t, anonIptablesVerbose, "44.192.140.1")
+	assert.NotContains(t, anonIptablesVerbose, "44.192.140.0/24")
+	assert.NotContains(t, anonIptablesVerbose, "52.84.12.34")
+	assert.Contains(t, anonIptablesVerbose, "198.51.100.") // Default anonymous range
+
+	// Structure and counters should be preserved
+	assert.Contains(t, anonIptablesVerbose, "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)")
+	assert.Contains(t, anonIptablesVerbose, "100  1024 DROP")
+	assert.Contains(t, anonIptablesVerbose, "pkts bytes target")
+
+	// Test nftables anonymization
+	anonNftables := anonymizer.AnonymizeString(nftablesRules)
+
+	// Private IP addresses should remain unchanged
+	assert.Contains(t, anonNftables, "192.168.1.1")
+	assert.Contains(t, anonNftables, "10.0.0.0/8")
+
+	// Public IP addresses should be anonymized to the default range
+	assert.NotContains(t, anonNftables, "44.192.140.1")
+	assert.NotContains(t, anonNftables, "44.192.140.0/24")
+	assert.NotContains(t, anonNftables, "52.84.12.34")
+	assert.Contains(t, anonNftables, "198.51.100.") // Default anonymous range
+
+	// Structure should be preserved
+	assert.Contains(t, anonNftables, "table inet filter {")
+	assert.Contains(t, anonNftables, "chain input {")
+	assert.Contains(t, anonNftables, "type filter hook input priority filter; policy accept;")
+}
--- a/client/server/network.go
+++ b/client/server/network.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net/netip"
+	"slices"
 	"sort"

 	"golang.org/x/exp/maps"
@@ -20,8 +21,8 @@ type selectRoute struct {
 	Selected bool
 }

-// ListRoutes returns a list of all available routes.
-func (s *Server) ListRoutes(context.Context, *proto.ListRoutesRequest) (*proto.ListRoutesResponse, error) {
+// ListNetworks returns a list of all available networks.
+func (s *Server) ListNetworks(context.Context, *proto.ListNetworksRequest) (*proto.ListNetworksResponse, error) {
 	s.mutex.Lock()
 	defer s.mutex.Unlock()

@@ -34,7 +35,7 @@ func (s *Server) ListRoutes(context.Context, *proto.ListRoutesRequest) (*proto.L
 		return nil, fmt.Errorf("not connected")
 	}

-	routesMap := engine.GetClientRoutesWithNetID()
+	routesMap := engine.GetRouteManager().GetClientRoutesWithNetID()
 	routeSelector := engine.GetRouteManager().GetRouteSelector()

 	var routes []*selectRoute
@@ -67,37 +68,47 @@ func (s *Server) ListRoutes(context.Context, *proto.ListRoutesRequest) (*proto.L
 	})

 	resolvedDomains := s.statusRecorder.GetResolvedDomainsStates()
-	var pbRoutes []*proto.Route
+	var pbRoutes []*proto.Network
 	for _, route := range routes {
-		pbRoute := &proto.Route{
+		pbRoute := &proto.Network{
 			ID:          string(route.NetID),
-			Network:     route.Network.String(),
+			Range:       route.Network.String(),
 			Domains:     route.Domains.ToSafeStringList(),
 			ResolvedIPs: map[string]*proto.IPList{},
 			Selected:    route.Selected,
 		}

-		for _, domain := range route.Domains {
-			if prefixes, exists := resolvedDomains[domain]; exists {
-				var ipStrings []string
-				for _, prefix := range prefixes {
-					ipStrings = append(ipStrings, prefix.Addr().String())
-				}
-				pbRoute.ResolvedIPs[string(domain)] = &proto.IPList{
-					Ips: ipStrings,
+		// Group resolved IPs by their parent domain
+		domainMap := map[domain.Domain][]string{}
+
+		for resolvedDomain, info := range resolvedDomains {
+			// Check if this resolved domain's parent is in our route's domains
+			if slices.Contains(route.Domains, info.ParentDomain) {
+				ips := make([]string, 0, len(info.Prefixes))
+				for _, prefix := range info.Prefixes {
+					ips = append(ips, prefix.Addr().String())
 				}
+				domainMap[resolvedDomain] = ips
 			}
 		}
+
+		// Convert to proto format
+		for domain, ips := range domainMap {
+			pbRoute.ResolvedIPs[string(domain)] = &proto.IPList{
+				Ips: ips,
+			}
+		}
+
 		pbRoutes = append(pbRoutes, pbRoute)
 	}

-	return &proto.ListRoutesResponse{
+	return &proto.ListNetworksResponse{
 		Routes: pbRoutes,
 	}, nil
 }

-// SelectRoutes selects specific routes based on the client request.
-func (s *Server) SelectRoutes(_ context.Context, req *proto.SelectRoutesRequest) (*proto.SelectRoutesResponse, error) {
+// SelectNetworks selects specific networks based on the client request.
+func (s *Server) SelectNetworks(_ context.Context, req *proto.SelectNetworksRequest) (*proto.SelectNetworksResponse, error) {
 	s.mutex.Lock()
 	defer s.mutex.Unlock()

@@ -115,18 +126,19 @@ func (s *Server) SelectRoutes(_ context.Context, req *proto.SelectRoutesRequest)
 	if req.GetAll() {
 		routeSelector.SelectAllRoutes()
 	} else {
-		routes := toNetIDs(req.GetRouteIDs())
-		if err := routeSelector.SelectRoutes(routes, req.GetAppend(), maps.Keys(engine.GetClientRoutesWithNetID())); err != nil {
+		routes := toNetIDs(req.GetNetworkIDs())
+		netIdRoutes := maps.Keys(routeManager.GetClientRoutesWithNetID())
+		if err := routeSelector.SelectRoutes(routes, req.GetAppend(), netIdRoutes); err != nil {
 			return nil, fmt.Errorf("select routes: %w", err)
 		}
 	}
-	routeManager.TriggerSelection(engine.GetClientRoutes())
+	routeManager.TriggerSelection(routeManager.GetClientRoutes())

-	return &proto.SelectRoutesResponse{}, nil
+	return &proto.SelectNetworksResponse{}, nil
 }

-// DeselectRoutes deselects specific routes based on the client request.
-func (s *Server) DeselectRoutes(_ context.Context, req *proto.SelectRoutesRequest) (*proto.SelectRoutesResponse, error) {
+// DeselectNetworks deselects specific networks based on the client request.
+func (s *Server) DeselectNetworks(_ context.Context, req *proto.SelectNetworksRequest) (*proto.SelectNetworksResponse, error) {
 	s.mutex.Lock()
 	defer s.mutex.Unlock()

@@ -144,14 +156,15 @@ func (s *Server) DeselectRoutes(_ context.Context, req *proto.SelectRoutesReques
 	if req.GetAll() {
 		routeSelector.DeselectAllRoutes()
 	} else {
-		routes := toNetIDs(req.GetRouteIDs())
-		if err := routeSelector.DeselectRoutes(routes, maps.Keys(engine.GetClientRoutesWithNetID())); err != nil {
+		routes := toNetIDs(req.GetNetworkIDs())
+		netIdRoutes := maps.Keys(routeManager.GetClientRoutesWithNetID())
+		if err := routeSelector.DeselectRoutes(routes, netIdRoutes); err != nil {
 			return nil, fmt.Errorf("deselect routes: %w", err)
 		}
 	}
-	routeManager.TriggerSelection(engine.GetClientRoutes())
+	routeManager.TriggerSelection(routeManager.GetClientRoutes())

-	return &proto.SelectRoutesResponse{}, nil
+	return &proto.SelectNetworksResponse{}, nil
 }

 func toNetIDs(routes []string) []route.NetID {
--- a/client/server/server.go
+++ b/client/server/server.go
@@ -68,6 +68,8 @@ type Server struct {
 	relayProbe  *internal.Probe
 	wgProbe     *internal.Probe
 	lastProbe   time.Time
+
+	persistNetworkMap bool
 }

 type oauthAuthFlow struct {
@@ -196,6 +198,7 @@ func (s *Server) connectWithRetryRuns(ctx context.Context, config *internal.Conf
 	runOperation := func() error {
 		log.Tracef("running client connection")
 		s.connectClient = internal.NewConnectClient(ctx, config, statusRecorder)
+		s.connectClient.SetNetworkMapPersistence(s.persistNetworkMap)

 		probes := internal.ProbeHolder{
 			MgmProbe:    s.mgmProbe,
@@ -769,7 +772,7 @@ func toProtoFullStatus(fullStatus peer.FullStatus) *proto.FullStatus {
 	pbFullStatus.LocalPeerState.Fqdn = fullStatus.LocalPeerState.FQDN
 	pbFullStatus.LocalPeerState.RosenpassPermissive = fullStatus.RosenpassState.Permissive
 	pbFullStatus.LocalPeerState.RosenpassEnabled = fullStatus.RosenpassState.Enabled
-	pbFullStatus.LocalPeerState.Routes = maps.Keys(fullStatus.LocalPeerState.Routes)
+	pbFullStatus.LocalPeerState.Networks = maps.Keys(fullStatus.LocalPeerState.Routes)

 	for _, peerState := range fullStatus.Peers {
 		pbPeerState := &proto.PeerState{
@@ -788,7 +791,7 @@ func toProtoFullStatus(fullStatus peer.FullStatus) *proto.FullStatus {
 			BytesRx:                    peerState.BytesRx,
 			BytesTx:                    peerState.BytesTx,
 			RosenpassEnabled:           peerState.RosenpassEnabled,
-			Routes:                     maps.Keys(peerState.GetRoutes()),
+			Networks:                   maps.Keys(peerState.GetRoutes()),
 			Latency:                    durationpb.New(peerState.Latency),
 		}
 		pbFullStatus.Peers = append(pbFullStatus.Peers, pbPeerState)
--- a/client/server/server_test.go
+++ b/client/server/server_test.go
@@ -20,6 +20,8 @@ import (
 	mgmtProto "github.com/netbirdio/netbird/management/proto"
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/settings"
+	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/telemetry"
 	"github.com/netbirdio/netbird/signal/proto"
 	signalServer "github.com/netbirdio/netbird/signal/server"
@@ -110,7 +112,7 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 		return nil, "", err
 	}
 	s := grpc.NewServer(grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp))
-	store, cleanUp, err := server.NewTestStoreFromSQL(context.Background(), "", config.Datadir)
+	store, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "", config.Datadir)
 	if err != nil {
 		return nil, "", err
 	}
@@ -132,7 +134,7 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 	}

 	secretsManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay)
-	mgmtServer, err := server.NewServer(context.Background(), config, accountManager, peersUpdateManager, secretsManager, nil, nil)
+	mgmtServer, err := server.NewServer(context.Background(), config, accountManager, settings.NewManager(store), peersUpdateManager, secretsManager, nil, nil)
 	if err != nil {
 		return nil, "", err
 	}
--- a/client/server/state.go
+++ b/client/server/state.go
@@ -5,12 +5,112 @@ import (
 	"fmt"

 	"github.com/hashicorp/go-multierror"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"

 	nberrors "github.com/netbirdio/netbird/client/errors"
+	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
+	"github.com/netbirdio/netbird/client/proto"
 )

-// restoreResidualConfig checks if the client was not shut down in a clean way and restores residual state if required.
+// ListStates returns a list of all saved states
+func (s *Server) ListStates(_ context.Context, _ *proto.ListStatesRequest) (*proto.ListStatesResponse, error) {
+	mgr := statemanager.New(statemanager.GetDefaultStatePath())
+
+	stateNames, err := mgr.GetSavedStateNames()
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get saved state names: %v", err)
+	}
+
+	states := make([]*proto.State, 0, len(stateNames))
+	for _, name := range stateNames {
+		states = append(states, &proto.State{
+			Name: name,
+		})
+	}
+
+	return &proto.ListStatesResponse{
+		States: states,
+	}, nil
+}
+
+// CleanState handles cleaning of states (performing cleanup operations)
+func (s *Server) CleanState(ctx context.Context, req *proto.CleanStateRequest) (*proto.CleanStateResponse, error) {
+	if s.connectClient.Status() == internal.StatusConnected || s.connectClient.Status() == internal.StatusConnecting {
+		return nil, status.Errorf(codes.FailedPrecondition, "cannot clean state while connecting or connected, run 'netbird down' first.")
+	}
+
+	if req.All {
+		// Reuse existing cleanup logic for all states
+		if err := restoreResidualState(ctx); err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to clean all states: %v", err)
+		}
+
+		// Get count of cleaned states
+		mgr := statemanager.New(statemanager.GetDefaultStatePath())
+		stateNames, err := mgr.GetSavedStateNames()
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to get state count: %v", err)
+		}
+
+		return &proto.CleanStateResponse{
+			CleanedStates: int32(len(stateNames)),
+		}, nil
+	}
+
+	// Handle single state cleanup
+	mgr := statemanager.New(statemanager.GetDefaultStatePath())
+	registerStates(mgr)
+
+	if err := mgr.CleanupStateByName(req.StateName); err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to clean state %s: %v", req.StateName, err)
+	}
+
+	if err := mgr.PersistState(ctx); err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to persist state changes: %v", err)
+	}
+
+	return &proto.CleanStateResponse{
+		CleanedStates: 1,
+	}, nil
+}
+
+// DeleteState handles deletion of states without cleanup
+func (s *Server) DeleteState(ctx context.Context, req *proto.DeleteStateRequest) (*proto.DeleteStateResponse, error) {
+	if s.connectClient.Status() == internal.StatusConnected || s.connectClient.Status() == internal.StatusConnecting {
+		return nil, status.Errorf(codes.FailedPrecondition, "cannot clean state while connecting or connected, run 'netbird down' first.")
+	}
+
+	mgr := statemanager.New(statemanager.GetDefaultStatePath())
+
+	var count int
+	var err error
+
+	if req.All {
+		count, err = mgr.DeleteAllStates()
+	} else {
+		err = mgr.DeleteStateByName(req.StateName)
+		if err == nil {
+			count = 1
+		}
+	}
+
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to delete state: %v", err)
+	}
+
+	// Persist the changes
+	if err := mgr.PersistState(ctx); err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to persist state changes: %v", err)
+	}
+
+	return &proto.DeleteStateResponse{
+		DeletedStates: int32(count),
+	}, nil
+}
+
+// restoreResidualState checks if the client was not shut down in a clean way and restores residual if required.
 // Otherwise, we might not be able to connect to the management server to retrieve new config.
 func restoreResidualState(ctx context.Context) error {
 	path := statemanager.GetDefaultStatePath()
@@ -24,6 +124,7 @@ func restoreResidualState(ctx context.Context) error {
 	registerStates(mgr)

 	var merr *multierror.Error
+
 	if err := mgr.PerformCleanup(); err != nil {
 		merr = multierror.Append(merr, fmt.Errorf("perform cleanup: %w", err))
 	}
--- a/client/system/info.go
+++ b/client/system/info.go
@@ -61,6 +61,14 @@ type Info struct {
 	Files              []File // for posture checks
 }

+// StaticInfo is an object that contains machine information that does not change
+type StaticInfo struct {
+	SystemSerialNumber string
+	SystemProductName  string
+	SystemManufacturer string
+	Environment        Environment
+}
+
 // extractUserAgent extracts Netbird's agent (client) name and version from the outgoing context
 func extractUserAgent(ctx context.Context) string {
 	md, hasMeta := metadata.FromOutgoingContext(ctx)
--- a/client/system/info_darwin.go
+++ b/client/system/info_darwin.go
@@ -10,13 +10,12 @@ import (
 	"os/exec"
 	"runtime"
 	"strings"
+	"time"

 	"golang.org/x/sys/unix"

 	log "github.com/sirupsen/logrus"

-	"github.com/netbirdio/netbird/client/system/detect_cloud"
-	"github.com/netbirdio/netbird/client/system/detect_platform"
 	"github.com/netbirdio/netbird/version"
 )

@@ -41,11 +40,10 @@ func GetInfo(ctx context.Context) *Info {
 		log.Warnf("failed to discover network addresses: %s", err)
 	}

-	serialNum, prodName, manufacturer := sysInfo()
-
-	env := Environment{
-		Cloud:    detect_cloud.Detect(ctx),
-		Platform: detect_platform.Detect(ctx),
+	start := time.Now()
+	si := updateStaticInfo()
+	if time.Since(start) > 1*time.Second {
+		log.Warnf("updateStaticInfo took %s", time.Since(start))
 	}

 	gio := &Info{
@@ -57,10 +55,10 @@ func GetInfo(ctx context.Context) *Info {
 		CPUs:               runtime.NumCPU(),
 		KernelVersion:      release,
 		NetworkAddresses:   addrs,
-		SystemSerialNumber: serialNum,
-		SystemProductName:  prodName,
-		SystemManufacturer: manufacturer,
-		Environment:        env,
+		SystemSerialNumber: si.SystemSerialNumber,
+		SystemProductName:  si.SystemProductName,
+		SystemManufacturer: si.SystemManufacturer,
+		Environment:        si.Environment,
 	}

 	systemHostname, _ := os.Hostname()
--- a/client/system/info_linux.go
+++ b/client/system/info_linux.go
@@ -1,5 +1,4 @@
 //go:build !android
-// +build !android

 package system

@@ -16,30 +15,13 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/zcalusic/sysinfo"

-	"github.com/netbirdio/netbird/client/system/detect_cloud"
-	"github.com/netbirdio/netbird/client/system/detect_platform"
 	"github.com/netbirdio/netbird/version"
 )

-type SysInfoGetter interface {
-	GetSysInfo() SysInfo
-}
-
-type SysInfoWrapper struct {
-	si sysinfo.SysInfo
-}
-
-func (s SysInfoWrapper) GetSysInfo() SysInfo {
-	s.si.GetSysInfo()
-	return SysInfo{
-		ChassisSerial: s.si.Chassis.Serial,
-		ProductSerial: s.si.Product.Serial,
-		BoardSerial:   s.si.Board.Serial,
-		ProductName:   s.si.Product.Name,
-		BoardName:     s.si.Board.Name,
-		ProductVendor: s.si.Product.Vendor,
-	}
-}
+var (
+	// it is override in tests
+	getSystemInfo = defaultSysInfoImplementation
+)

 // GetInfo retrieves and parses the system information
 func GetInfo(ctx context.Context) *Info {
@@ -65,12 +47,10 @@ func GetInfo(ctx context.Context) *Info {
 		log.Warnf("failed to discover network addresses: %s", err)
 	}

-	si := SysInfoWrapper{}
-	serialNum, prodName, manufacturer := sysInfo(si.GetSysInfo())
-
-	env := Environment{
-		Cloud:    detect_cloud.Detect(ctx),
-		Platform: detect_platform.Detect(ctx),
+	start := time.Now()
+	si := updateStaticInfo()
+	if time.Since(start) > 1*time.Second {
+		log.Warnf("updateStaticInfo took %s", time.Since(start))
 	}

 	gio := &Info{
@@ -85,10 +65,10 @@ func GetInfo(ctx context.Context) *Info {
 		UIVersion:          extractUserAgent(ctx),
 		KernelVersion:      osInfo[1],
 		NetworkAddresses:   addrs,
-		SystemSerialNumber: serialNum,
-		SystemProductName:  prodName,
-		SystemManufacturer: manufacturer,
-		Environment:        env,
+		SystemSerialNumber: si.SystemSerialNumber,
+		SystemProductName:  si.SystemProductName,
+		SystemManufacturer: si.SystemManufacturer,
+		Environment:        si.Environment,
 	}

 	return gio
@@ -108,9 +88,9 @@ func _getInfo() string {
 	return out.String()
 }

-func sysInfo(si SysInfo) (string, string, string) {
+func sysInfo() (string, string, string) {
 	isascii := regexp.MustCompile("^[[:ascii:]]+$")
-
+	si := getSystemInfo()
 	serials := []string{si.ChassisSerial, si.ProductSerial}
 	serial := ""

@@ -141,3 +121,16 @@ func sysInfo(si SysInfo) (string, string, string) {
 	}
 	return serial, name, manufacturer
 }
+
+func defaultSysInfoImplementation() SysInfo {
+	si := sysinfo.SysInfo{}
+	si.GetSysInfo()
+	return SysInfo{
+		ChassisSerial: si.Chassis.Serial,
+		ProductSerial: si.Product.Serial,
+		BoardSerial:   si.Board.Serial,
+		ProductName:   si.Product.Name,
+		BoardName:     si.Board.Name,
+		ProductVendor: si.Product.Vendor,
+	}
+}
--- a/client/system/info_windows.go
+++ b/client/system/info_windows.go
@@ -6,13 +6,12 @@ import (
 	"os"
 	"runtime"
 	"strings"
+	"time"

 	log "github.com/sirupsen/logrus"
 	"github.com/yusufpapurcu/wmi"
 	"golang.org/x/sys/windows/registry"

-	"github.com/netbirdio/netbird/client/system/detect_cloud"
-	"github.com/netbirdio/netbird/client/system/detect_platform"
 	"github.com/netbirdio/netbird/version"
 )

@@ -42,24 +41,10 @@ func GetInfo(ctx context.Context) *Info {
 		log.Warnf("failed to discover network addresses: %s", err)
 	}

-	serialNum, err := sysNumber()
-	if err != nil {
-		log.Warnf("failed to get system serial number: %s", err)
-	}
-
-	prodName, err := sysProductName()
-	if err != nil {
-		log.Warnf("failed to get system product name: %s", err)
-	}
-
-	manufacturer, err := sysManufacturer()
-	if err != nil {
-		log.Warnf("failed to get system manufacturer: %s", err)
-	}
-
-	env := Environment{
-		Cloud:    detect_cloud.Detect(ctx),
-		Platform: detect_platform.Detect(ctx),
+	start := time.Now()
+	si := updateStaticInfo()
+	if time.Since(start) > 1*time.Second {
+		log.Warnf("updateStaticInfo took %s", time.Since(start))
 	}

 	gio := &Info{
@@ -71,10 +56,10 @@ func GetInfo(ctx context.Context) *Info {
 		CPUs:               runtime.NumCPU(),
 		KernelVersion:      buildVersion,
 		NetworkAddresses:   addrs,
-		SystemSerialNumber: serialNum,
-		SystemProductName:  prodName,
-		SystemManufacturer: manufacturer,
-		Environment:        env,
+		SystemSerialNumber: si.SystemSerialNumber,
+		SystemProductName:  si.SystemProductName,
+		SystemManufacturer: si.SystemManufacturer,
+		Environment:        si.Environment,
 	}

 	systemHostname, _ := os.Hostname()
@@ -85,6 +70,26 @@ func GetInfo(ctx context.Context) *Info {
 	return gio
 }

+func sysInfo() (serialNumber string, productName string, manufacturer string) {
+	var err error
+	serialNumber, err = sysNumber()
+	if err != nil {
+		log.Warnf("failed to get system serial number: %s", err)
+	}
+
+	productName, err = sysProductName()
+	if err != nil {
+		log.Warnf("failed to get system product name: %s", err)
+	}
+
+	manufacturer, err = sysManufacturer()
+	if err != nil {
+		log.Warnf("failed to get system manufacturer: %s", err)
+	}
+
+	return serialNumber, productName, manufacturer
+}
+
 func getOSNameAndVersion() (string, string) {
 	var dst []Win32_OperatingSystem
 	query := wmi.CreateQuery(&dst, "")
--- a/client/system/static_info.go
+++ b/client/system/static_info.go
@@ -0,0 +1,46 @@
+//go:build (linux && !android) || windows || (darwin && !ios)
+
+package system
+
+import (
+	"context"
+	"sync"
+	"time"
+
+	"github.com/netbirdio/netbird/client/system/detect_cloud"
+	"github.com/netbirdio/netbird/client/system/detect_platform"
+)
+
+var (
+	staticInfo StaticInfo
+	once       sync.Once
+)
+
+func init() {
+	go func() {
+		_ = updateStaticInfo()
+	}()
+}
+
+func updateStaticInfo() StaticInfo {
+	once.Do(func() {
+		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+		wg := sync.WaitGroup{}
+		wg.Add(3)
+		go func() {
+			staticInfo.SystemSerialNumber, staticInfo.SystemProductName, staticInfo.SystemManufacturer = sysInfo()
+			wg.Done()
+		}()
+		go func() {
+			staticInfo.Environment.Cloud = detect_cloud.Detect(ctx)
+			wg.Done()
+		}()
+		go func() {
+			staticInfo.Environment.Platform = detect_platform.Detect(ctx)
+			wg.Done()
+		}()
+		wg.Wait()
+	})
+	return staticInfo
+}
--- a/client/system/sysinfo_linux_test.go
+++ b/client/system/sysinfo_linux_test.go
@@ -183,7 +183,10 @@ func Test_sysInfo(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			gotSerialNum, gotProdName, gotManufacturer := sysInfo(tt.sysInfo)
+			getSystemInfo = func() SysInfo {
+				return tt.sysInfo
+			}
+			gotSerialNum, gotProdName, gotManufacturer := sysInfo()
 			if gotSerialNum != tt.wantSerialNum {
 				t.Errorf("sysInfo() gotSerialNum = %v, want %v", gotSerialNum, tt.wantSerialNum)
 			}
--- a/client/ui/client_ui.go
+++ b/client/ui/client_ui.go
@@ -58,7 +58,7 @@ func main() {
 	var showSettings bool
 	flag.BoolVar(&showSettings, "settings", false, "run settings windows")
 	var showRoutes bool
-	flag.BoolVar(&showRoutes, "routes", false, "run routes windows")
+	flag.BoolVar(&showRoutes, "networks", false, "run networks windows")
 	var errorMSG string
 	flag.StringVar(&errorMSG, "error-msg", "", "displays a error message window")

@@ -233,7 +233,7 @@ func newServiceClient(addr string, a fyne.App, showSettings bool, showRoutes boo
 		s.showSettingsUI()
 		return s
 	} else if showRoutes {
-		s.showRoutesUI()
+		s.showNetworksUI()
 	}

 	return s
@@ -549,7 +549,7 @@ func (s *serviceClient) onTrayReady() {
 	s.mAdvancedSettings = s.mSettings.AddSubMenuItem("Advanced Settings", "Advanced settings of the application")
 	s.loadSettings()

-	s.mRoutes = systray.AddMenuItem("Network Routes", "Open the routes management window")
+	s.mRoutes = systray.AddMenuItem("Networks", "Open the networks management window")
 	s.mRoutes.Disable()
 	systray.AddSeparator()

@@ -572,6 +572,7 @@ func (s *serviceClient) onTrayReady() {
 	s.update.SetOnUpdateListener(s.onUpdateAvailable)
 	go func() {
 		s.getSrvConfig()
+		time.Sleep(100 * time.Millisecond) // To prevent race condition caused by systray not being fully initialized and ignoring setIcon
 		for {
 			err := s.updateStatus()
 			if err != nil {
@@ -656,7 +657,7 @@ func (s *serviceClient) onTrayReady() {
 				s.mRoutes.Disable()
 				go func() {
 					defer s.mRoutes.Enable()
-					s.runSelfCommand("routes", "true")
+					s.runSelfCommand("networks", "true")
 				}()
 			}
 			if err != nil {
--- a/client/ui/network.go
+++ b/client/ui/network.go
@@ -19,32 +19,32 @@ import (
 )

 const (
-	allRoutesText                = "All routes"
-	overlappingRoutesText        = "Overlapping routes"
-	exitNodeRoutesText           = "Exit-node routes"
-	allRoutes             filter = "all"
-	overlappingRoutes     filter = "overlapping"
-	exitNodeRoutes        filter = "exit-node"
-	getClientFMT                 = "get client: %v"
+	allNetworksText                = "All networks"
+	overlappingNetworksText        = "Overlapping networks"
+	exitNodeNetworksText           = "Exit-node networks"
+	allNetworks             filter = "all"
+	overlappingNetworks     filter = "overlapping"
+	exitNodeNetworks        filter = "exit-node"
+	getClientFMT                   = "get client: %v"
 )

 type filter string

-func (s *serviceClient) showRoutesUI() {
-	s.wRoutes = s.app.NewWindow("NetBird Routes")
+func (s *serviceClient) showNetworksUI() {
+	s.wRoutes = s.app.NewWindow("Networks")

 	allGrid := container.New(layout.NewGridLayout(3))
-	go s.updateRoutes(allGrid, allRoutes)
+	go s.updateNetworks(allGrid, allNetworks)
 	overlappingGrid := container.New(layout.NewGridLayout(3))
 	exitNodeGrid := container.New(layout.NewGridLayout(3))
 	routeCheckContainer := container.NewVBox()
 	tabs := container.NewAppTabs(
-		container.NewTabItem(allRoutesText, allGrid),
-		container.NewTabItem(overlappingRoutesText, overlappingGrid),
-		container.NewTabItem(exitNodeRoutesText, exitNodeGrid),
+		container.NewTabItem(allNetworksText, allGrid),
+		container.NewTabItem(overlappingNetworksText, overlappingGrid),
+		container.NewTabItem(exitNodeNetworksText, exitNodeGrid),
 	)
 	tabs.OnSelected = func(item *container.TabItem) {
-		s.updateRoutesBasedOnDisplayTab(tabs, allGrid, overlappingGrid, exitNodeGrid)
+		s.updateNetworksBasedOnDisplayTab(tabs, allGrid, overlappingGrid, exitNodeGrid)
 	}
 	tabs.OnUnselected = func(item *container.TabItem) {
 		grid, _ := getGridAndFilterFromTab(tabs, allGrid, overlappingGrid, exitNodeGrid)
@@ -58,17 +58,17 @@ func (s *serviceClient) showRoutesUI() {
 	buttonBox := container.NewHBox(
 		layout.NewSpacer(),
 		widget.NewButton("Refresh", func() {
-			s.updateRoutesBasedOnDisplayTab(tabs, allGrid, overlappingGrid, exitNodeGrid)
+			s.updateNetworksBasedOnDisplayTab(tabs, allGrid, overlappingGrid, exitNodeGrid)
 		}),
 		widget.NewButton("Select all", func() {
 			_, f := getGridAndFilterFromTab(tabs, allGrid, overlappingGrid, exitNodeGrid)
-			s.selectAllFilteredRoutes(f)
-			s.updateRoutesBasedOnDisplayTab(tabs, allGrid, overlappingGrid, exitNodeGrid)
+			s.selectAllFilteredNetworks(f)
+			s.updateNetworksBasedOnDisplayTab(tabs, allGrid, overlappingGrid, exitNodeGrid)
 		}),
 		widget.NewButton("Deselect All", func() {
 			_, f := getGridAndFilterFromTab(tabs, allGrid, overlappingGrid, exitNodeGrid)
-			s.deselectAllFilteredRoutes(f)
-			s.updateRoutesBasedOnDisplayTab(tabs, allGrid, overlappingGrid, exitNodeGrid)
+			s.deselectAllFilteredNetworks(f)
+			s.updateNetworksBasedOnDisplayTab(tabs, allGrid, overlappingGrid, exitNodeGrid)
 		}),
 		layout.NewSpacer(),
 	)
@@ -81,36 +81,36 @@ func (s *serviceClient) showRoutesUI() {
 	s.startAutoRefresh(10*time.Second, tabs, allGrid, overlappingGrid, exitNodeGrid)
 }

-func (s *serviceClient) updateRoutes(grid *fyne.Container, f filter) {
+func (s *serviceClient) updateNetworks(grid *fyne.Container, f filter) {
 	grid.Objects = nil
 	grid.Refresh()
 	idHeader := widget.NewLabelWithStyle("      ID", fyne.TextAlignLeading, fyne.TextStyle{Bold: true})
-	networkHeader := widget.NewLabelWithStyle("Network/Domains", fyne.TextAlignLeading, fyne.TextStyle{Bold: true})
+	networkHeader := widget.NewLabelWithStyle("Range/Domains", fyne.TextAlignLeading, fyne.TextStyle{Bold: true})
 	resolvedIPsHeader := widget.NewLabelWithStyle("Resolved IPs", fyne.TextAlignLeading, fyne.TextStyle{Bold: true})

 	grid.Add(idHeader)
 	grid.Add(networkHeader)
 	grid.Add(resolvedIPsHeader)

-	filteredRoutes, err := s.getFilteredRoutes(f)
+	filteredRoutes, err := s.getFilteredNetworks(f)
 	if err != nil {
 		return
 	}

-	sortRoutesByIDs(filteredRoutes)
+	sortNetworksByIDs(filteredRoutes)

 	for _, route := range filteredRoutes {
 		r := route

 		checkBox := widget.NewCheck(r.GetID(), func(checked bool) {
-			s.selectRoute(r.ID, checked)
+			s.selectNetwork(r.ID, checked)
 		})
 		checkBox.Checked = route.Selected
 		checkBox.Resize(fyne.NewSize(20, 20))
 		checkBox.Refresh()

 		grid.Add(checkBox)
-		network := r.GetNetwork()
+		network := r.GetRange()
 		domains := r.GetDomains()

 		if len(domains) == 0 {
@@ -129,10 +129,8 @@ func (s *serviceClient) updateRoutes(grid *fyne.Container, f filter) {
 		grid.Add(domainsSelector)

 		var resolvedIPsList []string
-		for _, domain := range domains {
-			if ipList, exists := r.GetResolvedIPs()[domain]; exists {
-				resolvedIPsList = append(resolvedIPsList, fmt.Sprintf("%s: %s", domain, strings.Join(ipList.GetIps(), ", ")))
-			}
+		for domain, ipList := range r.GetResolvedIPs() {
+			resolvedIPsList = append(resolvedIPsList, fmt.Sprintf("%s: %s", domain, strings.Join(ipList.GetIps(), ", ")))
 		}

 		if len(resolvedIPsList) == 0 {
@@ -151,35 +149,35 @@ func (s *serviceClient) updateRoutes(grid *fyne.Container, f filter) {
 	grid.Refresh()
 }

-func (s *serviceClient) getFilteredRoutes(f filter) ([]*proto.Route, error) {
-	routes, err := s.fetchRoutes()
+func (s *serviceClient) getFilteredNetworks(f filter) ([]*proto.Network, error) {
+	routes, err := s.fetchNetworks()
 	if err != nil {
 		log.Errorf(getClientFMT, err)
 		s.showError(fmt.Errorf(getClientFMT, err))
 		return nil, err
 	}
 	switch f {
-	case overlappingRoutes:
-		return getOverlappingRoutes(routes), nil
-	case exitNodeRoutes:
-		return getExitNodeRoutes(routes), nil
+	case overlappingNetworks:
+		return getOverlappingNetworks(routes), nil
+	case exitNodeNetworks:
+		return getExitNodeNetworks(routes), nil
 	default:
 	}
 	return routes, nil
 }

-func getOverlappingRoutes(routes []*proto.Route) []*proto.Route {
-	var filteredRoutes []*proto.Route
-	existingRange := make(map[string][]*proto.Route)
+func getOverlappingNetworks(routes []*proto.Network) []*proto.Network {
+	var filteredRoutes []*proto.Network
+	existingRange := make(map[string][]*proto.Network)
 	for _, route := range routes {
 		if len(route.Domains) > 0 {
 			continue
 		}
-		if r, exists := existingRange[route.GetNetwork()]; exists {
+		if r, exists := existingRange[route.GetRange()]; exists {
 			r = append(r, route)
-			existingRange[route.GetNetwork()] = r
+			existingRange[route.GetRange()] = r
 		} else {
-			existingRange[route.GetNetwork()] = []*proto.Route{route}
+			existingRange[route.GetRange()] = []*proto.Network{route}
 		}
 	}
 	for _, r := range existingRange {
@@ -190,29 +188,29 @@ func getOverlappingRoutes(routes []*proto.Route) []*proto.Route {
 	return filteredRoutes
 }

-func getExitNodeRoutes(routes []*proto.Route) []*proto.Route {
-	var filteredRoutes []*proto.Route
+func getExitNodeNetworks(routes []*proto.Network) []*proto.Network {
+	var filteredRoutes []*proto.Network
 	for _, route := range routes {
-		if route.Network == "0.0.0.0/0" {
+		if route.Range == "0.0.0.0/0" {
 			filteredRoutes = append(filteredRoutes, route)
 		}
 	}
 	return filteredRoutes
 }

-func sortRoutesByIDs(routes []*proto.Route) {
+func sortNetworksByIDs(routes []*proto.Network) {
 	sort.Slice(routes, func(i, j int) bool {
 		return strings.ToLower(routes[i].GetID()) < strings.ToLower(routes[j].GetID())
 	})
 }

-func (s *serviceClient) fetchRoutes() ([]*proto.Route, error) {
+func (s *serviceClient) fetchNetworks() ([]*proto.Network, error) {
 	conn, err := s.getSrvClient(defaultFailTimeout)
 	if err != nil {
 		return nil, fmt.Errorf(getClientFMT, err)
 	}

-	resp, err := conn.ListRoutes(s.ctx, &proto.ListRoutesRequest{})
+	resp, err := conn.ListNetworks(s.ctx, &proto.ListNetworksRequest{})
 	if err != nil {
 		return nil, fmt.Errorf("failed to list routes: %v", err)
 	}
@@ -220,7 +218,7 @@ func (s *serviceClient) fetchRoutes() ([]*proto.Route, error) {
 	return resp.Routes, nil
 }

-func (s *serviceClient) selectRoute(id string, checked bool) {
+func (s *serviceClient) selectNetwork(id string, checked bool) {
 	conn, err := s.getSrvClient(defaultFailTimeout)
 	if err != nil {
 		log.Errorf(getClientFMT, err)
@@ -228,73 +226,73 @@ func (s *serviceClient) selectRoute(id string, checked bool) {
 		return
 	}

-	req := &proto.SelectRoutesRequest{
-		RouteIDs: []string{id},
-		Append:   checked,
+	req := &proto.SelectNetworksRequest{
+		NetworkIDs: []string{id},
+		Append:     checked,
 	}

 	if checked {
-		if _, err := conn.SelectRoutes(s.ctx, req); err != nil {
-			log.Errorf("failed to select route: %v", err)
-			s.showError(fmt.Errorf("failed to select route: %v", err))
+		if _, err := conn.SelectNetworks(s.ctx, req); err != nil {
+			log.Errorf("failed to select network: %v", err)
+			s.showError(fmt.Errorf("failed to select network: %v", err))
 			return
 		}
 		log.Infof("Route %s selected", id)
 	} else {
-		if _, err := conn.DeselectRoutes(s.ctx, req); err != nil {
-			log.Errorf("failed to deselect route: %v", err)
-			s.showError(fmt.Errorf("failed to deselect route: %v", err))
+		if _, err := conn.DeselectNetworks(s.ctx, req); err != nil {
+			log.Errorf("failed to deselect network: %v", err)
+			s.showError(fmt.Errorf("failed to deselect network: %v", err))
 			return
 		}
-		log.Infof("Route %s deselected", id)
+		log.Infof("Network %s deselected", id)
 	}
 }

-func (s *serviceClient) selectAllFilteredRoutes(f filter) {
+func (s *serviceClient) selectAllFilteredNetworks(f filter) {
 	conn, err := s.getSrvClient(defaultFailTimeout)
 	if err != nil {
 		log.Errorf(getClientFMT, err)
 		return
 	}

-	req := s.getRoutesRequest(f, true)
-	if _, err := conn.SelectRoutes(s.ctx, req); err != nil {
-		log.Errorf("failed to select all routes: %v", err)
-		s.showError(fmt.Errorf("failed to select all routes: %v", err))
+	req := s.getNetworksRequest(f, true)
+	if _, err := conn.SelectNetworks(s.ctx, req); err != nil {
+		log.Errorf("failed to select all networks: %v", err)
+		s.showError(fmt.Errorf("failed to select all networks: %v", err))
 		return
 	}

-	log.Debug("All routes selected")
+	log.Debug("All networks selected")
 }

-func (s *serviceClient) deselectAllFilteredRoutes(f filter) {
+func (s *serviceClient) deselectAllFilteredNetworks(f filter) {
 	conn, err := s.getSrvClient(defaultFailTimeout)
 	if err != nil {
 		log.Errorf(getClientFMT, err)
 		return
 	}

-	req := s.getRoutesRequest(f, false)
-	if _, err := conn.DeselectRoutes(s.ctx, req); err != nil {
-		log.Errorf("failed to deselect all routes: %v", err)
-		s.showError(fmt.Errorf("failed to deselect all routes: %v", err))
+	req := s.getNetworksRequest(f, false)
+	if _, err := conn.DeselectNetworks(s.ctx, req); err != nil {
+		log.Errorf("failed to deselect all networks: %v", err)
+		s.showError(fmt.Errorf("failed to deselect all networks: %v", err))
 		return
 	}

-	log.Debug("All routes deselected")
+	log.Debug("All networks deselected")
 }

-func (s *serviceClient) getRoutesRequest(f filter, appendRoute bool) *proto.SelectRoutesRequest {
-	req := &proto.SelectRoutesRequest{}
-	if f == allRoutes {
+func (s *serviceClient) getNetworksRequest(f filter, appendRoute bool) *proto.SelectNetworksRequest {
+	req := &proto.SelectNetworksRequest{}
+	if f == allNetworks {
 		req.All = true
 	} else {
-		routes, err := s.getFilteredRoutes(f)
+		routes, err := s.getFilteredNetworks(f)
 		if err != nil {
 			return nil
 		}
 		for _, route := range routes {
-			req.RouteIDs = append(req.RouteIDs, route.GetID())
+			req.NetworkIDs = append(req.NetworkIDs, route.GetID())
 		}
 		req.Append = appendRoute
 	}
@@ -311,7 +309,7 @@ func (s *serviceClient) startAutoRefresh(interval time.Duration, tabs *container
 	ticker := time.NewTicker(interval)
 	go func() {
 		for range ticker.C {
-			s.updateRoutesBasedOnDisplayTab(tabs, allGrid, overlappingGrid, exitNodesGrid)
+			s.updateNetworksBasedOnDisplayTab(tabs, allGrid, overlappingGrid, exitNodesGrid)
 		}
 	}()

@@ -320,20 +318,20 @@ func (s *serviceClient) startAutoRefresh(interval time.Duration, tabs *container
 	})
 }

-func (s *serviceClient) updateRoutesBasedOnDisplayTab(tabs *container.AppTabs, allGrid, overlappingGrid, exitNodesGrid *fyne.Container) {
+func (s *serviceClient) updateNetworksBasedOnDisplayTab(tabs *container.AppTabs, allGrid, overlappingGrid, exitNodesGrid *fyne.Container) {
 	grid, f := getGridAndFilterFromTab(tabs, allGrid, overlappingGrid, exitNodesGrid)
 	s.wRoutes.Content().Refresh()
-	s.updateRoutes(grid, f)
+	s.updateNetworks(grid, f)
 }

 func getGridAndFilterFromTab(tabs *container.AppTabs, allGrid, overlappingGrid, exitNodesGrid *fyne.Container) (*fyne.Container, filter) {
 	switch tabs.Selected().Text {
-	case overlappingRoutesText:
-		return overlappingGrid, overlappingRoutes
-	case exitNodeRoutesText:
-		return exitNodesGrid, exitNodeRoutes
+	case overlappingNetworksText:
+		return overlappingGrid, overlappingNetworks
+	case exitNodeNetworksText:
+		return exitNodesGrid, exitNodeNetworks
 	default:
-		return allGrid, allRoutes
+		return allGrid, allNetworks
 	}
 }

--- a/dns/dns.go
+++ b/dns/dns.go
@@ -108,3 +108,9 @@ func GetParsedDomainLabel(name string) (string, error) {

 	return validHost, nil
 }
+
+// NormalizeZone returns a normalized domain name without the wildcard prefix
+func NormalizeZone(domain string) string {
+	d, _ := strings.CutPrefix(domain, "*.")
+	return d
+}
--- a/go.mod
+++ b/go.mod
@@ -19,13 +19,13 @@ require (
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
 	github.com/vishvananda/netlink v1.2.1-beta.2
-	golang.org/x/crypto v0.28.0
-	golang.org/x/sys v0.26.0
+	golang.org/x/crypto v0.31.0
+	golang.org/x/sys v0.28.0
 	golang.zx2c4.com/wireguard v0.0.0-20230704135630-469159ecf7d1
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	golang.zx2c4.com/wireguard/windows v0.5.3
 	google.golang.org/grpc v1.64.1
-	google.golang.org/protobuf v1.34.1
+	google.golang.org/protobuf v1.34.2
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
 )

@@ -60,7 +60,7 @@ require (
 	github.com/miekg/dns v1.1.59
 	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/nadoo/ipset v0.5.0
-	github.com/netbirdio/management-integrations/integrations v0.0.0-20241106153857-de8e2beb5254
+	github.com/netbirdio/management-integrations/integrations v0.0.0-20241211172827-ba0a446be480
 	github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20241010133937-e0df50df217d
 	github.com/okta/okta-sdk-golang/v2 v2.18.0
 	github.com/oschwald/maxminddb-golang v1.12.0
@@ -80,7 +80,7 @@ require (
 	github.com/testcontainers/testcontainers-go/modules/postgres v0.31.0
 	github.com/things-go/go-socks5 v0.0.4
 	github.com/yusufpapurcu/wmi v1.2.4
-	github.com/zcalusic/sysinfo v1.0.2
+	github.com/zcalusic/sysinfo v1.1.3
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0
 	go.opentelemetry.io/otel v1.26.0
 	go.opentelemetry.io/otel/exporters/prometheus v0.48.0
@@ -92,8 +92,8 @@ require (
 	golang.org/x/mobile v0.0.0-20231127183840-76ac6878050a
 	golang.org/x/net v0.30.0
 	golang.org/x/oauth2 v0.19.0
-	golang.org/x/sync v0.8.0
-	golang.org/x/term v0.25.0
+	golang.org/x/sync v0.10.0
+	golang.org/x/term v0.27.0
 	google.golang.org/api v0.177.0
 	gopkg.in/yaml.v3 v3.0.1
 	gorm.io/driver/postgres v1.5.7
@@ -207,6 +207,7 @@ require (
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/srwiley/oksvg v0.0.0-20221011165216-be6e8873101c // indirect
 	github.com/srwiley/rasterx v0.0.0-20220730225603-2ab79fcdd4ef // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/tklauser/go-sysconf v0.3.14 // indirect
 	github.com/tklauser/numcpus v0.8.0 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
@@ -219,12 +220,12 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/image v0.18.0 // indirect
 	golang.org/x/mod v0.17.0 // indirect
-	golang.org/x/text v0.19.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240509183442-62759503f434 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240515191416-fc5f0ca64291 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/tomb.v2 v2.0.0-20161208151619-d5d1b5820637 // indirect
--- a/go.sum
+++ b/go.sum
@@ -521,8 +521,8 @@ github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944 h1:TDtJKmM6S
 github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944/go.mod h1:sHA6TRxjQ6RLbnI+3R4DZo2Eseg/iKiPRfNmcuNySVQ=
 github.com/netbirdio/ice/v3 v3.0.0-20240315174635-e72a50fcb64e h1:PURA50S8u4mF6RrkYYCAvvPCixhqqEiEy3Ej6avh04c=
 github.com/netbirdio/ice/v3 v3.0.0-20240315174635-e72a50fcb64e/go.mod h1:YMLU7qbKfVjmEv7EoZPIVEI+kNYxWCdPK3VS0BU+U4Q=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20241106153857-de8e2beb5254 h1:L8mNd3tBxMdnQNxMNJ+/EiwHwizNOMy8/nHLVGNfjpg=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20241106153857-de8e2beb5254/go.mod h1:nykwWZnxb+sJz2Z//CEq45CMRWSHllH8pODKRB8eY7Y=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20241211172827-ba0a446be480 h1:M+UPn/o+plVE7ZehgL6/1dftptsO1tyTPssgImgi+28=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20241211172827-ba0a446be480/go.mod h1:RC0PnyATSBPrRWKQgb+7KcC1tMta9eYyzuA414RG9wQ=
 github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502 h1:3tHlFmhTdX9axERMVN63dqyFqnvuD+EMJHzM7mNGON8=
 github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20241010133937-e0df50df217d h1:bRq5TKgC7Iq20pDiuC54yXaWnAVeS5PdGpSokFTlR28=
@@ -662,6 +662,7 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
@@ -708,8 +709,8 @@ github.com/yuin/goldmark v1.7.1 h1:3bajkSilaCbjdKVsKdZjZCLBNPL9pYzrCakKaf4U49U=
 github.com/yuin/goldmark v1.7.1/go.mod h1:uzxRWxtg69N339t3louHJ7+O03ezfj6PlliRlaOzY1E=
 github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
-github.com/zcalusic/sysinfo v1.0.2 h1:nwTTo2a+WQ0NXwo0BGRojOJvJ/5XKvQih+2RrtWqfxc=
-github.com/zcalusic/sysinfo v1.0.2/go.mod h1:kluzTYflRWo6/tXVMJPdEjShsbPpsFRyy+p1mBQPC30=
+github.com/zcalusic/sysinfo v1.1.3 h1:u/AVENkuoikKuIZ4sUEJ6iibpmQP6YpGD8SSMCrqAF0=
+github.com/zcalusic/sysinfo v1.1.3/go.mod h1:NX+qYnWGtJVPV0yWldff9uppNKU4h40hJIRPf/pGLv4=
 github.com/zeebo/assert v1.1.0 h1:hU1L1vLTHsnO8x8c9KAR5GmM5QscxHg5RNU5z5qbUWY=
 github.com/zeebo/assert v1.1.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
 github.com/zeebo/blake3 v0.2.3 h1:TFoLXsjeXqRNFxSbk35Dk4YtszE/MQQGK10BH4ptoTg=
@@ -774,8 +775,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE=
 golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
 golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
-golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
-golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -901,8 +902,8 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
-golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -974,8 +975,8 @@ golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
-golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -983,8 +984,8 @@ golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
 golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
-golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24=
-golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -999,8 +1000,8 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
-golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1151,8 +1152,8 @@ google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaE
 google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
 google.golang.org/genproto/googleapis/api v0.0.0-20240509183442-62759503f434 h1:OpXbo8JnN8+jZGPrL4SSfaDjSCjupr8lXyBAbexEm/U=
 google.golang.org/genproto/googleapis/api v0.0.0-20240509183442-62759503f434/go.mod h1:FfiGhwUm6CJviekPrc0oJ+7h29e+DmWU6UtjX0ZvI7Y=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240515191416-fc5f0ca64291 h1:AgADTJarZTBqgjiUzRgfaBchgYB3/WFTC80GPwsMcRI=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240515191416-fc5f0ca64291/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@@ -1189,8 +1190,8 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
-google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
+google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
--- a/infrastructure_files/getting-started-with-zitadel.sh
+++ b/infrastructure_files/getting-started-with-zitadel.sh
@@ -530,7 +530,7 @@ renderCaddyfile() {
 {
  debug
 	servers :80,:443 {
-    protocols h1 h2c
+    protocols h1 h2c h2 h3
  }
 }

@@ -788,6 +788,7 @@ services:
    networks: [ netbird ]
    ports:
      - '443:443'
+      - '443:443/udp'
      - '80:80'
      - '8080:8080'
    volumes:
--- a/management/client/client_test.go
+++ b/management/client/client_test.go
@@ -11,6 +11,8 @@ import (
 	"github.com/stretchr/testify/require"

 	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/settings"
+	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/telemetry"

 	"github.com/netbirdio/netbird/client/system"
@@ -57,7 +59,7 @@ func startManagement(t *testing.T) (*grpc.Server, net.Listener) {
 		t.Fatal(err)
 	}
 	s := grpc.NewServer()
-	store, cleanUp, err := mgmt.NewTestStoreFromSQL(context.Background(), "../server/testdata/store.sql", t.TempDir())
+	store, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../server/testdata/store.sql", t.TempDir())
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -76,7 +78,7 @@ func startManagement(t *testing.T) (*grpc.Server, net.Listener) {
 	}

 	secretsManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay)
-	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, peersUpdateManager, secretsManager, nil, nil)
+	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, settings.NewManager(store), peersUpdateManager, secretsManager, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/management/cmd/management.go
+++ b/management/cmd/management.go
@@ -41,11 +41,20 @@ import (
 	"github.com/netbirdio/netbird/management/server"
 	nbContext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/geolocation"
+	"github.com/netbirdio/netbird/management/server/groups"
 	httpapi "github.com/netbirdio/netbird/management/server/http"
+	"github.com/netbirdio/netbird/management/server/http/configs"
 	"github.com/netbirdio/netbird/management/server/idp"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 	"github.com/netbirdio/netbird/management/server/metrics"
+	"github.com/netbirdio/netbird/management/server/networks"
+	"github.com/netbirdio/netbird/management/server/networks/resources"
+	"github.com/netbirdio/netbird/management/server/networks/routers"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/settings"
+	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/telemetry"
+	"github.com/netbirdio/netbird/management/server/users"
 	"github.com/netbirdio/netbird/util"
 	"github.com/netbirdio/netbird/version"
 )
@@ -149,7 +158,7 @@ var (
 			if err != nil {
 				return err
 			}
-			store, err := server.NewStore(ctx, config.StoreConfig.Engine, config.Datadir, appMetrics)
+			store, err := store.NewStore(ctx, config.StoreConfig.Engine, config.Datadir, appMetrics)
 			if err != nil {
 				return fmt.Errorf("failed creating Store: %s: %v", config.Datadir, err)
 			}
@@ -257,14 +266,22 @@ var (
 				return fmt.Errorf("failed creating JWT validator: %v", err)
 			}

-			httpAPIAuthCfg := httpapi.AuthCfg{
+			httpAPIAuthCfg := configs.AuthCfg{
 				Issuer:       config.HttpConfig.AuthIssuer,
 				Audience:     config.HttpConfig.AuthAudience,
 				UserIDClaim:  config.HttpConfig.AuthUserIDClaim,
 				KeysLocation: config.HttpConfig.AuthKeysLocation,
 			}

-			httpAPIHandler, err := httpapi.APIHandler(ctx, accountManager, geo, *jwtValidator, appMetrics, httpAPIAuthCfg, integratedPeerValidator)
+			userManager := users.NewManager(store)
+			settingsManager := settings.NewManager(store)
+			permissionsManager := permissions.NewManager(userManager, settingsManager)
+			groupsManager := groups.NewManager(store, permissionsManager, accountManager)
+			resourcesManager := resources.NewManager(store, permissionsManager, groupsManager, accountManager)
+			routersManager := routers.NewManager(store, permissionsManager, accountManager)
+			networksManager := networks.NewManager(store, permissionsManager, resourcesManager, routersManager, accountManager)
+
+			httpAPIHandler, err := httpapi.APIHandler(ctx, accountManager, networksManager, resourcesManager, routersManager, groupsManager, geo, *jwtValidator, appMetrics, httpAPIAuthCfg, integratedPeerValidator)
 			if err != nil {
 				return fmt.Errorf("failed creating HTTP API handler: %v", err)
 			}
@@ -273,7 +290,7 @@ var (
 			ephemeralManager.LoadInitialPeers(ctx)

 			gRPCAPIHandler := grpc.NewServer(gRPCOpts...)
-			srv, err := server.NewServer(ctx, config, accountManager, peersUpdateManager, secretsManager, appMetrics, ephemeralManager)
+			srv, err := server.NewServer(ctx, config, accountManager, settingsManager, peersUpdateManager, secretsManager, appMetrics, ephemeralManager)
 			if err != nil {
 				return fmt.Errorf("failed creating gRPC API handler: %v", err)
 			}
@@ -399,7 +416,7 @@ func notifyStop(ctx context.Context, msg string) {
 	}
 }

-func getInstallationID(ctx context.Context, store server.Store) (string, error) {
+func getInstallationID(ctx context.Context, store store.Store) (string, error) {
 	installationID := store.GetInstallationID()
 	if installationID != "" {
 		return installationID, nil
--- a/management/cmd/migration_up.go
+++ b/management/cmd/migration_up.go
@@ -9,7 +9,7 @@ import (
 	"github.com/spf13/cobra"

 	"github.com/netbirdio/netbird/formatter"
-	"github.com/netbirdio/netbird/management/server"
+	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/util"
 )

@@ -32,7 +32,7 @@ var upCmd = &cobra.Command{
 		//nolint
 		ctx := context.WithValue(cmd.Context(), formatter.ExecutionContextKey, formatter.SystemSource)

-		if err := server.MigrateFileStoreToSqlite(ctx, mgmtDataDir); err != nil {
+		if err := store.MigrateFileStoreToSqlite(ctx, mgmtDataDir); err != nil {
 			return err
 		}
 		log.WithContext(ctx).Info("Migration finished successfully")
--- a/management/proto/management.pb.go
+++ b/management/proto/management.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.26.0
-// 	protoc        v4.23.4
+// 	protoc        v4.24.3
 // source: management.proto

 package proto
@@ -29,6 +29,7 @@ const (
 	RuleProtocol_TCP     RuleProtocol = 2
 	RuleProtocol_UDP     RuleProtocol = 3
 	RuleProtocol_ICMP    RuleProtocol = 4
+	RuleProtocol_CUSTOM  RuleProtocol = 5
 )

 // Enum value maps for RuleProtocol.
@@ -39,6 +40,7 @@ var (
 		2: "TCP",
 		3: "UDP",
 		4: "ICMP",
+		5: "CUSTOM",
 	}
 	RuleProtocol_value = map[string]int32{
 		"UNKNOWN": 0,
@@ -46,6 +48,7 @@ var (
 		"TCP":     2,
 		"UDP":     3,
 		"ICMP":    4,
+		"CUSTOM":  5,
 	}
 )

@@ -1393,7 +1396,8 @@ type PeerConfig struct {
 	// SSHConfig of the peer.
 	SshConfig *SSHConfig `protobuf:"bytes,3,opt,name=sshConfig,proto3" json:"sshConfig,omitempty"`
 	// Peer fully qualified domain name
-	Fqdn string `protobuf:"bytes,4,opt,name=fqdn,proto3" json:"fqdn,omitempty"`
+	Fqdn                            string `protobuf:"bytes,4,opt,name=fqdn,proto3" json:"fqdn,omitempty"`
+	RoutingPeerDnsResolutionEnabled bool   `protobuf:"varint,5,opt,name=RoutingPeerDnsResolutionEnabled,proto3" json:"RoutingPeerDnsResolutionEnabled,omitempty"`
 }

 func (x *PeerConfig) Reset() {
@@ -1456,6 +1460,13 @@ func (x *PeerConfig) GetFqdn() string {
 	return ""
 }

+func (x *PeerConfig) GetRoutingPeerDnsResolutionEnabled() bool {
+	if x != nil {
+		return x.RoutingPeerDnsResolutionEnabled
+	}
+	return false
+}
+
 // NetworkMap represents a network state of the peer with the corresponding configuration parameters to establish peer-to-peer connections
 type NetworkMap struct {
 	state         protoimpl.MessageState
@@ -2780,6 +2791,10 @@ type RouteFirewallRule struct {
 	PortInfo *PortInfo `protobuf:"bytes,5,opt,name=portInfo,proto3" json:"portInfo,omitempty"`
 	// IsDynamic indicates if the route is a DNS route.
 	IsDynamic bool `protobuf:"varint,6,opt,name=isDynamic,proto3" json:"isDynamic,omitempty"`
+	// Domains is a list of domains for which the rule is applicable.
+	Domains []string `protobuf:"bytes,7,rep,name=domains,proto3" json:"domains,omitempty"`
+	// CustomProtocol is a custom protocol ID.
+	CustomProtocol uint32 `protobuf:"varint,8,opt,name=customProtocol,proto3" json:"customProtocol,omitempty"`
 }

 func (x *RouteFirewallRule) Reset() {
@@ -2856,6 +2871,20 @@ func (x *RouteFirewallRule) GetIsDynamic() bool {
 	return false
 }

+func (x *RouteFirewallRule) GetDomains() []string {
+	if x != nil {
+		return x.Domains
+	}
+	return nil
+}
+
+func (x *RouteFirewallRule) GetCustomProtocol() uint32 {
+	if x != nil {
+		return x.CustomProtocol
+	}
+	return 0
+}
+
 type PortInfo_Range struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -3075,7 +3104,7 @@ var file_management_proto_rawDesc = []byte{
 	0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x12, 0x0a, 0x04, 0x75, 0x73, 0x65, 0x72, 0x18,
 	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x75, 0x73, 0x65, 0x72, 0x12, 0x1a, 0x0a, 0x08, 0x70,
 	0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70,
-	0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x22, 0x81, 0x01, 0x0a, 0x0a, 0x50, 0x65, 0x65, 0x72,
+	0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x22, 0xcb, 0x01, 0x0a, 0x0a, 0x50, 0x65, 0x65, 0x72,
 	0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x18, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73,
 	0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73,
 	0x12, 0x10, 0x0a, 0x03, 0x64, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x64,
@@ -3083,250 +3112,260 @@ var file_management_proto_rawDesc = []byte{
 	0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
 	0x6e, 0x74, 0x2e, 0x53, 0x53, 0x48, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x09, 0x73, 0x73,
 	0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x71, 0x64, 0x6e, 0x18,
-	0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x66, 0x71, 0x64, 0x6e, 0x22, 0xf3, 0x04, 0x0a, 0x0a,
-	0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x4d, 0x61, 0x70, 0x12, 0x16, 0x0a, 0x06, 0x53, 0x65,
-	0x72, 0x69, 0x61, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x06, 0x53, 0x65, 0x72, 0x69,
-	0x61, 0x6c, 0x12, 0x36, 0x0a, 0x0a, 0x70, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
-	0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
-	0x65, 0x6e, 0x74, 0x2e, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0a,
-	0x70, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x3e, 0x0a, 0x0b, 0x72, 0x65,
-	0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32,
-	0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x65, 0x6d,
-	0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0b, 0x72,
-	0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x12, 0x2e, 0x0a, 0x12, 0x72, 0x65,
-	0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x49, 0x73, 0x45, 0x6d, 0x70, 0x74, 0x79,
-	0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x12, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65,
-	0x65, 0x72, 0x73, 0x49, 0x73, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x12, 0x29, 0x0a, 0x06, 0x52, 0x6f,
-	0x75, 0x74, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x6d, 0x61, 0x6e,
-	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x06, 0x52,
-	0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x33, 0x0a, 0x09, 0x44, 0x4e, 0x53, 0x43, 0x6f, 0x6e, 0x66,
-	0x69, 0x67, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
-	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x44, 0x4e, 0x53, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52,
-	0x09, 0x44, 0x4e, 0x53, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x40, 0x0a, 0x0c, 0x6f, 0x66,
-	0x66, 0x6c, 0x69, 0x6e, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x0b,
-	0x32, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x65,
-	0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0c,
-	0x6f, 0x66, 0x66, 0x6c, 0x69, 0x6e, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x12, 0x3e, 0x0a, 0x0d,
-	0x46, 0x69, 0x72, 0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x18, 0x08, 0x20,
-	0x03, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74,
-	0x2e, 0x46, 0x69, 0x72, 0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x52, 0x0d, 0x46,
-	0x69, 0x72, 0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x12, 0x32, 0x0a, 0x14,
-	0x66, 0x69, 0x72, 0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x49, 0x73, 0x45,
-	0x6d, 0x70, 0x74, 0x79, 0x18, 0x09, 0x20, 0x01, 0x28, 0x08, 0x52, 0x14, 0x66, 0x69, 0x72, 0x65,
-	0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x49, 0x73, 0x45, 0x6d, 0x70, 0x74, 0x79,
-	0x12, 0x4f, 0x0a, 0x13, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x46, 0x69, 0x72, 0x65, 0x77, 0x61,
-	0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x18, 0x0a, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1d, 0x2e,
-	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65,
-	0x46, 0x69, 0x72, 0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x52, 0x13, 0x72, 0x6f,
+	0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x66, 0x71, 0x64, 0x6e, 0x12, 0x48, 0x0a, 0x1f, 0x52,
+	0x6f, 0x75, 0x74, 0x69, 0x6e, 0x67, 0x50, 0x65, 0x65, 0x72, 0x44, 0x6e, 0x73, 0x52, 0x65, 0x73,
+	0x6f, 0x6c, 0x75, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x05,
+	0x20, 0x01, 0x28, 0x08, 0x52, 0x1f, 0x52, 0x6f, 0x75, 0x74, 0x69, 0x6e, 0x67, 0x50, 0x65, 0x65,
+	0x72, 0x44, 0x6e, 0x73, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x75, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x6e,
+	0x61, 0x62, 0x6c, 0x65, 0x64, 0x22, 0xf3, 0x04, 0x0a, 0x0a, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72,
+	0x6b, 0x4d, 0x61, 0x70, 0x12, 0x16, 0x0a, 0x06, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x04, 0x52, 0x06, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x36, 0x0a, 0x0a,
+	0x70, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b,
+	0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x65,
+	0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0a, 0x70, 0x65, 0x65, 0x72, 0x43, 0x6f,
+	0x6e, 0x66, 0x69, 0x67, 0x12, 0x3e, 0x0a, 0x0b, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65,
+	0x65, 0x72, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
+	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65,
+	0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0b, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50,
+	0x65, 0x65, 0x72, 0x73, 0x12, 0x2e, 0x0a, 0x12, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65,
+	0x65, 0x72, 0x73, 0x49, 0x73, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08,
+	0x52, 0x12, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x49, 0x73, 0x45,
+	0x6d, 0x70, 0x74, 0x79, 0x12, 0x29, 0x0a, 0x06, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x18, 0x05,
+	0x20, 0x03, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
+	0x74, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x06, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12,
+	0x33, 0x0a, 0x09, 0x44, 0x4e, 0x53, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x06, 0x20, 0x01,
+	0x28, 0x0b, 0x32, 0x15, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
+	0x44, 0x4e, 0x53, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x09, 0x44, 0x4e, 0x53, 0x43, 0x6f,
+	0x6e, 0x66, 0x69, 0x67, 0x12, 0x40, 0x0a, 0x0c, 0x6f, 0x66, 0x66, 0x6c, 0x69, 0x6e, 0x65, 0x50,
+	0x65, 0x65, 0x72, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x6d, 0x61, 0x6e,
+	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65,
+	0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0c, 0x6f, 0x66, 0x66, 0x6c, 0x69, 0x6e,
+	0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x12, 0x3e, 0x0a, 0x0d, 0x46, 0x69, 0x72, 0x65, 0x77, 0x61,
+	0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x18, 0x08, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x18, 0x2e,
+	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x46, 0x69, 0x72, 0x65, 0x77,
+	0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x52, 0x0d, 0x46, 0x69, 0x72, 0x65, 0x77, 0x61, 0x6c,
+	0x6c, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x12, 0x32, 0x0a, 0x14, 0x66, 0x69, 0x72, 0x65, 0x77, 0x61,
+	0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x49, 0x73, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x18, 0x09,
+	0x20, 0x01, 0x28, 0x08, 0x52, 0x14, 0x66, 0x69, 0x72, 0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75,
+	0x6c, 0x65, 0x73, 0x49, 0x73, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x12, 0x4f, 0x0a, 0x13, 0x72, 0x6f,
 	0x75, 0x74, 0x65, 0x73, 0x46, 0x69, 0x72, 0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65,
-	0x73, 0x12, 0x3e, 0x0a, 0x1a, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x46, 0x69, 0x72, 0x65, 0x77,
-	0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x49, 0x73, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x18,
-	0x0b, 0x20, 0x01, 0x28, 0x08, 0x52, 0x1a, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x46, 0x69, 0x72,
-	0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x49, 0x73, 0x45, 0x6d, 0x70, 0x74,
-	0x79, 0x22, 0x97, 0x01, 0x0a, 0x10, 0x52, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72,
-	0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x1a, 0x0a, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62, 0x4b,
-	0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62, 0x4b,
-	0x65, 0x79, 0x12, 0x1e, 0x0a, 0x0a, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x49, 0x70, 0x73,
-	0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x49,
-	0x70, 0x73, 0x12, 0x33, 0x0a, 0x09, 0x73, 0x73, 0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18,
-	0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
-	0x6e, 0x74, 0x2e, 0x53, 0x53, 0x48, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x09, 0x73, 0x73,
-	0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x71, 0x64, 0x6e, 0x18,
-	0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x66, 0x71, 0x64, 0x6e, 0x22, 0x49, 0x0a, 0x09, 0x53,
-	0x53, 0x48, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x1e, 0x0a, 0x0a, 0x73, 0x73, 0x68, 0x45,
-	0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x73, 0x73,
-	0x68, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x1c, 0x0a, 0x09, 0x73, 0x73, 0x68, 0x50,
-	0x75, 0x62, 0x4b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x73, 0x73, 0x68,
-	0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x22, 0x20, 0x0a, 0x1e, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65,
-	0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f,
-	0x77, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0xbf, 0x01, 0x0a, 0x17, 0x44, 0x65, 0x76,
-	0x69, 0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e,
-	0x46, 0x6c, 0x6f, 0x77, 0x12, 0x48, 0x0a, 0x08, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72,
-	0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x2c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
-	0x65, 0x6e, 0x74, 0x2e, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72,
-	0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x2e, 0x70, 0x72, 0x6f, 0x76,
-	0x69, 0x64, 0x65, 0x72, 0x52, 0x08, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x12, 0x42,
-	0x0a, 0x0e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
-	0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
-	0x65, 0x6e, 0x74, 0x2e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66,
-	0x69, 0x67, 0x52, 0x0e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66,
-	0x69, 0x67, 0x22, 0x16, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x12, 0x0a,
-	0x0a, 0x06, 0x48, 0x4f, 0x53, 0x54, 0x45, 0x44, 0x10, 0x00, 0x22, 0x1e, 0x0a, 0x1c, 0x50, 0x4b,
-	0x43, 0x45, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46,
-	0x6c, 0x6f, 0x77, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x5b, 0x0a, 0x15, 0x50, 0x4b,
-	0x43, 0x45, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46,
-	0x6c, 0x6f, 0x77, 0x12, 0x42, 0x0a, 0x0e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43,
-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6d, 0x61,
-	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65,
-	0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65,
-	0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22, 0xea, 0x02, 0x0a, 0x0e, 0x50, 0x72, 0x6f, 0x76,
-	0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x1a, 0x0a, 0x08, 0x43, 0x6c,
-	0x69, 0x65, 0x6e, 0x74, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x43, 0x6c,
-	0x69, 0x65, 0x6e, 0x74, 0x49, 0x44, 0x12, 0x22, 0x0a, 0x0c, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74,
-	0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x43, 0x6c,
-	0x69, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x44, 0x6f,
-	0x6d, 0x61, 0x69, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x44, 0x6f, 0x6d, 0x61,
-	0x69, 0x6e, 0x12, 0x1a, 0x0a, 0x08, 0x41, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x18, 0x04,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x41, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x12, 0x2e,
-	0x0a, 0x12, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x45, 0x6e, 0x64, 0x70,
-	0x6f, 0x69, 0x6e, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x44, 0x65, 0x76, 0x69,
-	0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x24,
-	0x0a, 0x0d, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18,
-	0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x45, 0x6e, 0x64, 0x70,
-	0x6f, 0x69, 0x6e, 0x74, 0x12, 0x14, 0x0a, 0x05, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x18, 0x07, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x05, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x55, 0x73,
-	0x65, 0x49, 0x44, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a,
-	0x55, 0x73, 0x65, 0x49, 0x44, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x34, 0x0a, 0x15, 0x41, 0x75,
-	0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x64, 0x70, 0x6f,
-	0x69, 0x6e, 0x74, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x15, 0x41, 0x75, 0x74, 0x68, 0x6f,
-	0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74,
-	0x12, 0x22, 0x0a, 0x0c, 0x52, 0x65, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x55, 0x52, 0x4c, 0x73,
-	0x18, 0x0a, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x52, 0x65, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74,
-	0x55, 0x52, 0x4c, 0x73, 0x22, 0xed, 0x01, 0x0a, 0x05, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x12, 0x0e,
-	0x0a, 0x02, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x49, 0x44, 0x12, 0x18,
-	0x0a, 0x07, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x07, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x12, 0x20, 0x0a, 0x0b, 0x4e, 0x65, 0x74, 0x77,
-	0x6f, 0x72, 0x6b, 0x54, 0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0b, 0x4e,
-	0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x54, 0x79, 0x70, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x50, 0x65,
-	0x65, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x50, 0x65, 0x65, 0x72, 0x12, 0x16,
-	0x0a, 0x06, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x18, 0x05, 0x20, 0x01, 0x28, 0x03, 0x52, 0x06,
-	0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x12, 0x1e, 0x0a, 0x0a, 0x4d, 0x61, 0x73, 0x71, 0x75, 0x65,
-	0x72, 0x61, 0x64, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x4d, 0x61, 0x73, 0x71,
-	0x75, 0x65, 0x72, 0x61, 0x64, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x4e, 0x65, 0x74, 0x49, 0x44, 0x18,
-	0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x4e, 0x65, 0x74, 0x49, 0x44, 0x12, 0x18, 0x0a, 0x07,
-	0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x18, 0x08, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x44,
-	0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x6b, 0x65, 0x65, 0x70, 0x52, 0x6f,
-	0x75, 0x74, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x6b, 0x65, 0x65, 0x70, 0x52,
-	0x6f, 0x75, 0x74, 0x65, 0x22, 0xb4, 0x01, 0x0a, 0x09, 0x44, 0x4e, 0x53, 0x43, 0x6f, 0x6e, 0x66,
-	0x69, 0x67, 0x12, 0x24, 0x0a, 0x0d, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x45, 0x6e, 0x61,
-	0x62, 0x6c, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x53, 0x65, 0x72, 0x76, 0x69,
-	0x63, 0x65, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x47, 0x0a, 0x10, 0x4e, 0x61, 0x6d, 0x65,
-	0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, 0x02, 0x20, 0x03,
-	0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
-	0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x52,
-	0x10, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x6f, 0x75, 0x70,
-	0x73, 0x12, 0x38, 0x0a, 0x0b, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5a, 0x6f, 0x6e, 0x65, 0x73,
-	0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
-	0x65, 0x6e, 0x74, 0x2e, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5a, 0x6f, 0x6e, 0x65, 0x52, 0x0b,
-	0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5a, 0x6f, 0x6e, 0x65, 0x73, 0x22, 0x58, 0x0a, 0x0a, 0x43,
-	0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5a, 0x6f, 0x6e, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x44, 0x6f, 0x6d,
-	0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x44, 0x6f, 0x6d, 0x61, 0x69,
-	0x6e, 0x12, 0x32, 0x0a, 0x07, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x73, 0x18, 0x02, 0x20, 0x03,
-	0x28, 0x0b, 0x32, 0x18, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
-	0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x52, 0x07, 0x52, 0x65,
-	0x63, 0x6f, 0x72, 0x64, 0x73, 0x22, 0x74, 0x0a, 0x0c, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x52,
-	0x65, 0x63, 0x6f, 0x72, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x04, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x54, 0x79, 0x70,
-	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x14, 0x0a,
-	0x05, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x43, 0x6c,
-	0x61, 0x73, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x54, 0x54, 0x4c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x03,
-	0x52, 0x03, 0x54, 0x54, 0x4c, 0x12, 0x14, 0x0a, 0x05, 0x52, 0x44, 0x61, 0x74, 0x61, 0x18, 0x05,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x52, 0x44, 0x61, 0x74, 0x61, 0x22, 0xb3, 0x01, 0x0a, 0x0f,
-	0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x12,
-	0x38, 0x0a, 0x0b, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x18, 0x01,
-	0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
-	0x74, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x0b, 0x4e, 0x61,
-	0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, 0x18, 0x0a, 0x07, 0x50, 0x72, 0x69,
-	0x6d, 0x61, 0x72, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x50, 0x72, 0x69, 0x6d,
-	0x61, 0x72, 0x79, 0x12, 0x18, 0x0a, 0x07, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x18, 0x03,
-	0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x12, 0x32, 0x0a,
-	0x14, 0x53, 0x65, 0x61, 0x72, 0x63, 0x68, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x45, 0x6e,
-	0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x14, 0x53, 0x65, 0x61,
-	0x72, 0x63, 0x68, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65,
-	0x64, 0x22, 0x48, 0x0a, 0x0a, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12,
-	0x0e, 0x0a, 0x02, 0x49, 0x50, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x49, 0x50, 0x12,
-	0x16, 0x0a, 0x06, 0x4e, 0x53, 0x54, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52,
-	0x06, 0x4e, 0x53, 0x54, 0x79, 0x70, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x50, 0x6f, 0x72, 0x74, 0x18,
-	0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x04, 0x50, 0x6f, 0x72, 0x74, 0x22, 0xd9, 0x01, 0x0a, 0x0c,
-	0x46, 0x69, 0x72, 0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x16, 0x0a, 0x06,
-	0x50, 0x65, 0x65, 0x72, 0x49, 0x50, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x50, 0x65,
-	0x65, 0x72, 0x49, 0x50, 0x12, 0x37, 0x0a, 0x09, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f,
-	0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x19, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
-	0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x75, 0x6c, 0x65, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69,
-	0x6f, 0x6e, 0x52, 0x09, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x2e, 0x0a,
-	0x06, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x16, 0x2e,
-	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x75, 0x6c, 0x65, 0x41,
-	0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x34, 0x0a,
-	0x08, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32,
-	0x18, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x75, 0x6c,
-	0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x08, 0x50, 0x72, 0x6f, 0x74, 0x6f,
-	0x63, 0x6f, 0x6c, 0x12, 0x12, 0x0a, 0x04, 0x50, 0x6f, 0x72, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x04, 0x50, 0x6f, 0x72, 0x74, 0x22, 0x38, 0x0a, 0x0e, 0x4e, 0x65, 0x74, 0x77, 0x6f,
-	0x72, 0x6b, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x6e, 0x65, 0x74,
-	0x49, 0x50, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6e, 0x65, 0x74, 0x49, 0x50, 0x12,
-	0x10, 0x0a, 0x03, 0x6d, 0x61, 0x63, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6d, 0x61,
-	0x63, 0x22, 0x1e, 0x0a, 0x06, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x46,
-	0x69, 0x6c, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x46, 0x69, 0x6c, 0x65,
-	0x73, 0x22, 0x96, 0x01, 0x0a, 0x08, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x14,
-	0x0a, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x48, 0x00, 0x52, 0x04,
-	0x70, 0x6f, 0x72, 0x74, 0x12, 0x32, 0x0a, 0x05, 0x72, 0x61, 0x6e, 0x67, 0x65, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74,
-	0x2e, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x2e, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x48,
-	0x00, 0x52, 0x05, 0x72, 0x61, 0x6e, 0x67, 0x65, 0x1a, 0x2f, 0x0a, 0x05, 0x52, 0x61, 0x6e, 0x67,
-	0x65, 0x12, 0x14, 0x0a, 0x05, 0x73, 0x74, 0x61, 0x72, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d,
-	0x52, 0x05, 0x73, 0x74, 0x61, 0x72, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x65, 0x6e, 0x64, 0x18, 0x02,
-	0x20, 0x01, 0x28, 0x0d, 0x52, 0x03, 0x65, 0x6e, 0x64, 0x42, 0x0f, 0x0a, 0x0d, 0x70, 0x6f, 0x72,
-	0x74, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x8f, 0x02, 0x0a, 0x11, 0x52,
-	0x6f, 0x75, 0x74, 0x65, 0x46, 0x69, 0x72, 0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65,
-	0x12, 0x22, 0x0a, 0x0c, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73,
-	0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x61,
-	0x6e, 0x67, 0x65, 0x73, 0x12, 0x2e, 0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02,
-	0x20, 0x01, 0x28, 0x0e, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
-	0x74, 0x2e, 0x52, 0x75, 0x6c, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, 0x61, 0x63,
-	0x74, 0x69, 0x6f, 0x6e, 0x12, 0x20, 0x0a, 0x0b, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74,
-	0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x64, 0x65, 0x73, 0x74, 0x69,
-	0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x34, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63,
-	0x6f, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x18, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
-	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x75, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63,
-	0x6f, 0x6c, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x30, 0x0a, 0x08,
-	0x70, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14,
-	0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x6f, 0x72, 0x74,
-	0x49, 0x6e, 0x66, 0x6f, 0x52, 0x08, 0x70, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x1c,
-	0x0a, 0x09, 0x69, 0x73, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x18, 0x06, 0x20, 0x01, 0x28,
-	0x08, 0x52, 0x09, 0x69, 0x73, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x2a, 0x40, 0x0a, 0x0c,
-	0x52, 0x75, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x0b, 0x0a, 0x07,
-	0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x4c, 0x4c,
-	0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x54, 0x43, 0x50, 0x10, 0x02, 0x12, 0x07, 0x0a, 0x03, 0x55,
-	0x44, 0x50, 0x10, 0x03, 0x12, 0x08, 0x0a, 0x04, 0x49, 0x43, 0x4d, 0x50, 0x10, 0x04, 0x2a, 0x20,
-	0x0a, 0x0d, 0x52, 0x75, 0x6c, 0x65, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12,
-	0x06, 0x0a, 0x02, 0x49, 0x4e, 0x10, 0x00, 0x12, 0x07, 0x0a, 0x03, 0x4f, 0x55, 0x54, 0x10, 0x01,
-	0x2a, 0x22, 0x0a, 0x0a, 0x52, 0x75, 0x6c, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x0a,
-	0x0a, 0x06, 0x41, 0x43, 0x43, 0x45, 0x50, 0x54, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x44, 0x52,
-	0x4f, 0x50, 0x10, 0x01, 0x32, 0x90, 0x04, 0x0a, 0x11, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
-	0x65, 0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x45, 0x0a, 0x05, 0x4c, 0x6f,
-	0x67, 0x69, 0x6e, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74,
-	0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67,
-	0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45,
-	0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22,
-	0x00, 0x12, 0x46, 0x0a, 0x04, 0x53, 0x79, 0x6e, 0x63, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
+	0x73, 0x18, 0x0a, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
+	0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x46, 0x69, 0x72, 0x65, 0x77, 0x61,
+	0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x52, 0x13, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x46, 0x69,
+	0x72, 0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x12, 0x3e, 0x0a, 0x1a, 0x72,
+	0x6f, 0x75, 0x74, 0x65, 0x73, 0x46, 0x69, 0x72, 0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c,
+	0x65, 0x73, 0x49, 0x73, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x08, 0x52,
+	0x1a, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x46, 0x69, 0x72, 0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52,
+	0x75, 0x6c, 0x65, 0x73, 0x49, 0x73, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x97, 0x01, 0x0a, 0x10,
+	0x52, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
+	0x12, 0x1a, 0x0a, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x12, 0x1e, 0x0a, 0x0a,
+	0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x49, 0x70, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09,
+	0x52, 0x0a, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x49, 0x70, 0x73, 0x12, 0x33, 0x0a, 0x09,
+	0x73, 0x73, 0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32,
+	0x15, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x53, 0x48,
+	0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x09, 0x73, 0x73, 0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69,
+	0x67, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x71, 0x64, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x04, 0x66, 0x71, 0x64, 0x6e, 0x22, 0x49, 0x0a, 0x09, 0x53, 0x53, 0x48, 0x43, 0x6f, 0x6e, 0x66,
+	0x69, 0x67, 0x12, 0x1e, 0x0a, 0x0a, 0x73, 0x73, 0x68, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x73, 0x73, 0x68, 0x45, 0x6e, 0x61, 0x62, 0x6c,
+	0x65, 0x64, 0x12, 0x1c, 0x0a, 0x09, 0x73, 0x73, 0x68, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x18,
+	0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x73, 0x73, 0x68, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79,
+	0x22, 0x20, 0x0a, 0x1e, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72,
+	0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x22, 0xbf, 0x01, 0x0a, 0x17, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74,
+	0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x12, 0x48,
+	0x0a, 0x08, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e,
+	0x32, 0x2c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x44, 0x65,
+	0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f,
+	0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x2e, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x52, 0x08,
+	0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x12, 0x42, 0x0a, 0x0e, 0x50, 0x72, 0x6f, 0x76,
+	0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b,
+	0x32, 0x1a, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x72,
+	0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0e, 0x50, 0x72,
+	0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22, 0x16, 0x0a, 0x08,
+	0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x12, 0x0a, 0x0a, 0x06, 0x48, 0x4f, 0x53, 0x54,
+	0x45, 0x44, 0x10, 0x00, 0x22, 0x1e, 0x0a, 0x1c, 0x50, 0x4b, 0x43, 0x45, 0x41, 0x75, 0x74, 0x68,
+	0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x22, 0x5b, 0x0a, 0x15, 0x50, 0x4b, 0x43, 0x45, 0x41, 0x75, 0x74, 0x68,
+	0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x12, 0x42, 0x0a,
+	0x0e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
+	0x6e, 0x74, 0x2e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69,
+	0x67, 0x52, 0x0e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69,
+	0x67, 0x22, 0xea, 0x02, 0x0a, 0x0e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f,
+	0x6e, 0x66, 0x69, 0x67, 0x12, 0x1a, 0x0a, 0x08, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49, 0x44,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49, 0x44,
+	0x12, 0x22, 0x0a, 0x0c, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74,
+	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x53, 0x65,
+	0x63, 0x72, 0x65, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x03,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x1a, 0x0a, 0x08,
+	0x41, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08,
+	0x41, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x12, 0x2e, 0x0a, 0x12, 0x44, 0x65, 0x76, 0x69,
+	0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x05,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74, 0x68,
+	0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x24, 0x0a, 0x0d, 0x54, 0x6f, 0x6b, 0x65,
+	0x6e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x0d, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x14,
+	0x0a, 0x05, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x53,
+	0x63, 0x6f, 0x70, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x55, 0x73, 0x65, 0x49, 0x44, 0x54, 0x6f, 0x6b,
+	0x65, 0x6e, 0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x55, 0x73, 0x65, 0x49, 0x44, 0x54,
+	0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x34, 0x0a, 0x15, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a,
+	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x09, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x15, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69,
+	0x6f, 0x6e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x22, 0x0a, 0x0c, 0x52, 0x65,
+	0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x55, 0x52, 0x4c, 0x73, 0x18, 0x0a, 0x20, 0x03, 0x28, 0x09,
+	0x52, 0x0c, 0x52, 0x65, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x55, 0x52, 0x4c, 0x73, 0x22, 0xed,
+	0x01, 0x0a, 0x05, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x49, 0x44, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x49, 0x44, 0x12, 0x18, 0x0a, 0x07, 0x4e, 0x65, 0x74, 0x77,
+	0x6f, 0x72, 0x6b, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x4e, 0x65, 0x74, 0x77, 0x6f,
+	0x72, 0x6b, 0x12, 0x20, 0x0a, 0x0b, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x54, 0x79, 0x70,
+	0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0b, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b,
+	0x54, 0x79, 0x70, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x50, 0x65, 0x65, 0x72, 0x18, 0x04, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x04, 0x50, 0x65, 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x4d, 0x65, 0x74, 0x72,
+	0x69, 0x63, 0x18, 0x05, 0x20, 0x01, 0x28, 0x03, 0x52, 0x06, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63,
+	0x12, 0x1e, 0x0a, 0x0a, 0x4d, 0x61, 0x73, 0x71, 0x75, 0x65, 0x72, 0x61, 0x64, 0x65, 0x18, 0x06,
+	0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x4d, 0x61, 0x73, 0x71, 0x75, 0x65, 0x72, 0x61, 0x64, 0x65,
+	0x12, 0x14, 0x0a, 0x05, 0x4e, 0x65, 0x74, 0x49, 0x44, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x05, 0x4e, 0x65, 0x74, 0x49, 0x44, 0x12, 0x18, 0x0a, 0x07, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e,
+	0x73, 0x18, 0x08, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73,
+	0x12, 0x1c, 0x0a, 0x09, 0x6b, 0x65, 0x65, 0x70, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x18, 0x09, 0x20,
+	0x01, 0x28, 0x08, 0x52, 0x09, 0x6b, 0x65, 0x65, 0x70, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x22, 0xb4,
+	0x01, 0x0a, 0x09, 0x44, 0x4e, 0x53, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x24, 0x0a, 0x0d,
+	0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x08, 0x52, 0x0d, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x45, 0x6e, 0x61, 0x62,
+	0x6c, 0x65, 0x12, 0x47, 0x0a, 0x10, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
+	0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x6d,
+	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65,
+	0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x52, 0x10, 0x4e, 0x61, 0x6d, 0x65, 0x53,
+	0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x12, 0x38, 0x0a, 0x0b, 0x43,
+	0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5a, 0x6f, 0x6e, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b,
+	0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x43, 0x75,
+	0x73, 0x74, 0x6f, 0x6d, 0x5a, 0x6f, 0x6e, 0x65, 0x52, 0x0b, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d,
+	0x5a, 0x6f, 0x6e, 0x65, 0x73, 0x22, 0x58, 0x0a, 0x0a, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5a,
+	0x6f, 0x6e, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x06, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x32, 0x0a, 0x07, 0x52,
+	0x65, 0x63, 0x6f, 0x72, 0x64, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x6d,
+	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65,
+	0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x52, 0x07, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x73, 0x22,
+	0x74, 0x0a, 0x0c, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x12,
+	0x12, 0x0a, 0x04, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x4e,
+	0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x54, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x03, 0x52, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x43, 0x6c, 0x61, 0x73, 0x73,
+	0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x12, 0x10, 0x0a,
+	0x03, 0x54, 0x54, 0x4c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x03, 0x52, 0x03, 0x54, 0x54, 0x4c, 0x12,
+	0x14, 0x0a, 0x05, 0x52, 0x44, 0x61, 0x74, 0x61, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05,
+	0x52, 0x44, 0x61, 0x74, 0x61, 0x22, 0xb3, 0x01, 0x0a, 0x0f, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65,
+	0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x12, 0x38, 0x0a, 0x0b, 0x4e, 0x61, 0x6d,
+	0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16,
+	0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x4e, 0x61, 0x6d, 0x65,
+	0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x0b, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76,
+	0x65, 0x72, 0x73, 0x12, 0x18, 0x0a, 0x07, 0x50, 0x72, 0x69, 0x6d, 0x61, 0x72, 0x79, 0x18, 0x02,
+	0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x50, 0x72, 0x69, 0x6d, 0x61, 0x72, 0x79, 0x12, 0x18, 0x0a,
+	0x07, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07,
+	0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x12, 0x32, 0x0a, 0x14, 0x53, 0x65, 0x61, 0x72, 0x63,
+	0x68, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18,
+	0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x14, 0x53, 0x65, 0x61, 0x72, 0x63, 0x68, 0x44, 0x6f, 0x6d,
+	0x61, 0x69, 0x6e, 0x73, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x22, 0x48, 0x0a, 0x0a, 0x4e,
+	0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x0e, 0x0a, 0x02, 0x49, 0x50, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x49, 0x50, 0x12, 0x16, 0x0a, 0x06, 0x4e, 0x53, 0x54,
+	0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x06, 0x4e, 0x53, 0x54, 0x79, 0x70,
+	0x65, 0x12, 0x12, 0x0a, 0x04, 0x50, 0x6f, 0x72, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52,
+	0x04, 0x50, 0x6f, 0x72, 0x74, 0x22, 0xd9, 0x01, 0x0a, 0x0c, 0x46, 0x69, 0x72, 0x65, 0x77, 0x61,
+	0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x50, 0x65, 0x65, 0x72, 0x49, 0x50,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x50, 0x65, 0x65, 0x72, 0x49, 0x50, 0x12, 0x37,
+	0x0a, 0x09, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x0e, 0x32, 0x19, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52,
+	0x75, 0x6c, 0x65, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x09, 0x44, 0x69,
+	0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x2e, 0x0a, 0x06, 0x41, 0x63, 0x74, 0x69, 0x6f,
+	0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
+	0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x75, 0x6c, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52,
+	0x06, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x34, 0x0a, 0x08, 0x50, 0x72, 0x6f, 0x74, 0x6f,
+	0x63, 0x6f, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x18, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
+	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x75, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f,
+	0x63, 0x6f, 0x6c, 0x52, 0x08, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x12, 0x0a,
+	0x04, 0x50, 0x6f, 0x72, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x50, 0x6f, 0x72,
+	0x74, 0x22, 0x38, 0x0a, 0x0e, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x41, 0x64, 0x64, 0x72,
+	0x65, 0x73, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x6e, 0x65, 0x74, 0x49, 0x50, 0x18, 0x01, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x05, 0x6e, 0x65, 0x74, 0x49, 0x50, 0x12, 0x10, 0x0a, 0x03, 0x6d, 0x61, 0x63,
+	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6d, 0x61, 0x63, 0x22, 0x1e, 0x0a, 0x06, 0x43,
+	0x68, 0x65, 0x63, 0x6b, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x18, 0x01,
+	0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x22, 0x96, 0x01, 0x0a, 0x08,
+	0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x14, 0x0a, 0x04, 0x70, 0x6f, 0x72, 0x74,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x48, 0x00, 0x52, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x12, 0x32,
+	0x0a, 0x05, 0x72, 0x61, 0x6e, 0x67, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e,
+	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x49,
+	0x6e, 0x66, 0x6f, 0x2e, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x48, 0x00, 0x52, 0x05, 0x72, 0x61, 0x6e,
+	0x67, 0x65, 0x1a, 0x2f, 0x0a, 0x05, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x73,
+	0x74, 0x61, 0x72, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x05, 0x73, 0x74, 0x61, 0x72,
+	0x74, 0x12, 0x10, 0x0a, 0x03, 0x65, 0x6e, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x03,
+	0x65, 0x6e, 0x64, 0x42, 0x0f, 0x0a, 0x0d, 0x70, 0x6f, 0x72, 0x74, 0x53, 0x65, 0x6c, 0x65, 0x63,
+	0x74, 0x69, 0x6f, 0x6e, 0x22, 0xd1, 0x02, 0x0a, 0x11, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x46, 0x69,
+	0x72, 0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x22, 0x0a, 0x0c, 0x73, 0x6f,
+	0x75, 0x72, 0x63, 0x65, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09,
+	0x52, 0x0c, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x12, 0x2e,
+	0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x16,
+	0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x75, 0x6c, 0x65,
+	0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x20,
+	0x0a, 0x0b, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x0b, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e,
+	0x12, 0x34, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x04, 0x20, 0x01,
+	0x28, 0x0e, 0x32, 0x18, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
+	0x52, 0x75, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x08, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x30, 0x0a, 0x08, 0x70, 0x6f, 0x72, 0x74, 0x49, 0x6e,
+	0x66, 0x6f, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
+	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x08,
+	0x70, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x1c, 0x0a, 0x09, 0x69, 0x73, 0x44, 0x79,
+	0x6e, 0x61, 0x6d, 0x69, 0x63, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x69, 0x73, 0x44,
+	0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e,
+	0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73,
+	0x12, 0x26, 0x0a, 0x0e, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63,
+	0x6f, 0x6c, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0e, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d,
+	0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2a, 0x4c, 0x0a, 0x0c, 0x52, 0x75, 0x6c, 0x65,
+	0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e,
+	0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x4c, 0x4c, 0x10, 0x01, 0x12, 0x07,
+	0x0a, 0x03, 0x54, 0x43, 0x50, 0x10, 0x02, 0x12, 0x07, 0x0a, 0x03, 0x55, 0x44, 0x50, 0x10, 0x03,
+	0x12, 0x08, 0x0a, 0x04, 0x49, 0x43, 0x4d, 0x50, 0x10, 0x04, 0x12, 0x0a, 0x0a, 0x06, 0x43, 0x55,
+	0x53, 0x54, 0x4f, 0x4d, 0x10, 0x05, 0x2a, 0x20, 0x0a, 0x0d, 0x52, 0x75, 0x6c, 0x65, 0x44, 0x69,
+	0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x06, 0x0a, 0x02, 0x49, 0x4e, 0x10, 0x00, 0x12,
+	0x07, 0x0a, 0x03, 0x4f, 0x55, 0x54, 0x10, 0x01, 0x2a, 0x22, 0x0a, 0x0a, 0x52, 0x75, 0x6c, 0x65,
+	0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x0a, 0x0a, 0x06, 0x41, 0x43, 0x43, 0x45, 0x50, 0x54,
+	0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x44, 0x52, 0x4f, 0x50, 0x10, 0x01, 0x32, 0x90, 0x04, 0x0a,
+	0x11, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x69,
+	0x63, 0x65, 0x12, 0x45, 0x0a, 0x05, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12, 0x1c, 0x2e, 0x6d, 0x61,
+	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74,
+	0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
 	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64,
-	0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
-	0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65,
-	0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x30, 0x01, 0x12, 0x42, 0x0a, 0x0c, 0x47, 0x65, 0x74,
-	0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
-	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x1d, 0x2e, 0x6d,
-	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
-	0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x33, 0x0a,
-	0x09, 0x69, 0x73, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x79, 0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e,
-	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x11, 0x2e,
-	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79,
-	0x22, 0x00, 0x12, 0x5a, 0x0a, 0x1a, 0x47, 0x65, 0x74, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41,
-	0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77,
-	0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e,
-	0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c,
-	0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72,
-	0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x58,
-	0x0a, 0x18, 0x47, 0x65, 0x74, 0x50, 0x4b, 0x43, 0x45, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
-	0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e,
-	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65,
-	0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
+	0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x46, 0x0a, 0x04, 0x53, 0x79, 0x6e,
+	0x63, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45,
+	0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a,
+	0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63,
+	0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x30,
+	0x01, 0x12, 0x42, 0x0a, 0x0c, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4b, 0x65,
+	0x79, 0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45,
+	0x6d, 0x70, 0x74, 0x79, 0x1a, 0x1d, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
+	0x74, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f,
+	0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x33, 0x0a, 0x09, 0x69, 0x73, 0x48, 0x65, 0x61, 0x6c, 0x74,
+	0x68, 0x79, 0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
+	0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
+	0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x5a, 0x0a, 0x1a, 0x47, 0x65,
+	0x74, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61,
+	0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
 	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d,
-	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x3d, 0x0a, 0x08, 0x53, 0x79, 0x6e, 0x63,
-	0x4d, 0x65, 0x74, 0x61, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
-	0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61,
-	0x67, 0x65, 0x1a, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
-	0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
+	0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73,
+	0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x58, 0x0a, 0x18, 0x47, 0x65, 0x74, 0x50, 0x4b, 0x43,
+	0x45, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c,
+	0x6f, 0x77, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
+	0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65,
+	0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e,
+	0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00,
+	0x12, 0x3d, 0x0a, 0x08, 0x53, 0x79, 0x6e, 0x63, 0x4d, 0x65, 0x74, 0x61, 0x12, 0x1c, 0x2e, 0x6d,
+	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70,
+	0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x11, 0x2e, 0x6d, 0x61, 0x6e,
+	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x42,
+	0x08, 0x5a, 0x06, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x33,
 }

 var (
--- a/management/proto/management.proto
+++ b/management/proto/management.proto
@@ -222,6 +222,8 @@ message PeerConfig {
  SSHConfig sshConfig = 3;
  // Peer fully qualified domain name
  string fqdn = 4;
+
+  bool RoutingPeerDnsResolutionEnabled = 5;
 }

 // NetworkMap represents a network state of the peer with the corresponding configuration parameters to establish peer-to-peer connections
@@ -396,6 +398,7 @@ enum RuleProtocol {
  TCP = 2;
  UDP = 3;
  ICMP = 4;
+  CUSTOM = 5;
 }

 enum RuleDirection {
@@ -459,5 +462,11 @@ message RouteFirewallRule {

  // IsDynamic indicates if the route is a DNS route.
  bool isDynamic = 6;
+
+  // Domains is a list of domains for which the rule is applicable.
+  repeated string domains = 7;
+
+  // CustomProtocol is a custom protocol ID.
+  uint32 customProtocol = 8;
 }

--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Viktor Liu	b3c87cb5d1	[client] Fix inbound tracking in userspace firewall (#3111 ) * Don't create state for inbound SYN * Allow final ack in some cases * Relax state machine test a little	2024-12-26 00:51:27 +01:00
Viktor Liu	0dbaddc7be	[client] Don't fail debug if log file is console (#3103 )	2024-12-24 15:05:23 +01:00
Viktor Liu	ad9f044aad	[client] Add stateful userspace firewall and remove egress filters (#3093 ) - Add stateful firewall functionality for UDP/TCP/ICMP in userspace firewalll - Removes all egress drop rules/filters, still needs refactoring so we don't add output rules to any chains/filters. - on Linux, if the OUTPUT policy is DROP then we don't do anything about it (no extra allow rules). This is up to the user, if they don't want anything leaving their machine they'll have to manage these rules explicitly.	2024-12-23 18:22:17 +01:00
Viktor Liu	05930ee6b1	[client] Add firewall rules to the debug bundle (#3089 ) Adds the following to the debug bundle: - iptables: `iptables-save`, `iptables -v -n -L` - nftables: `nft list ruleset` or if not available formatted output from netlink (WIP)	2024-12-23 15:57:15 +01:00
Pascal Fischer	e670068cab	[management] Run test sequential (#3101 )	2024-12-23 14:37:09 +01:00
Viktor Liu	b48cf1bf65	[client] Reduce DNS handler chain lock contention (#3099 )	2024-12-21 15:56:52 +01:00
Bethuel Mmbaga	7ee7ada273	[management] Fix duplicate resource routes when routing peer is part of the source group (#3095 ) * Remove duplicate resource routes when routing peer is part of the source group Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Add tests Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> --------- Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>	2024-12-20 21:10:53 +03:00
Zoltan Papp	82b4e58ad0	Do not start DNS forwarder on client side (#3094 )	2024-12-20 16:20:50 +01:00
Viktor Liu	ddc365f7a0	[client, management] Add new network concept (#3047 ) --------- Co-authored-by: Pascal Fischer <32096965+pascal-fischer@users.noreply.github.com> Co-authored-by: bcmmbaga <bethuelmbaga12@gmail.com> Co-authored-by: Maycon Santos <mlsmaycon@gmail.com> Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com>	2024-12-20 11:30:28 +01:00
Maycon Santos	37ad370344	[client] Avoid using iota on mixed const block (#3057 ) Used the values as resolved when the first iota value was the second const in the block.	2024-12-16 18:09:31 +01:00
VYSE V.E.O	703647da1e	fix client unsupported h2 protocol when only 443 activated (#3009 ) When I remove 80 http port in Caddyfile, netbird client cannot connect server:443. Logs show error below: {"level":"debug","ts":1733809631.4012625,"logger":"http.stdlib","msg":"http: TLS handshake error from redacted:41580: tls: client requested unsupported application protocols ([h2])"} I wonder here h2 protocol is absent.	2024-12-16 14:17:46 +01:00
Maycon Santos	9eff58ae62	Upgrade x/crypto package (#3055 ) Mitigates the CVE-2024-45337	2024-12-16 10:30:41 +01:00
Jesse R Codling	3844516aa7	[client] fix: reformat IPv6 ICE addresses when punching (#3050 ) Should fix #2327 and #2606 by checking for IPv6 addresses from ICE	2024-12-16 09:58:54 +01:00
M. Essam	f591e47404	Handle DNF5 install script (#3026 )	2024-12-16 09:41:36 +01:00
Maycon Santos	287ae81195	[misc] split tests with management and rest (#3051 ) optimize go cache for tests	2024-12-14 21:18:46 +01:00
M. Essam	a4a30744ad	Fix race condition with systray ready (#2993 )	2024-12-14 12:17:53 -08:00
Maycon Santos	dcba6a6b7e	fix: client/Dockerfile to reduce vulnerabilities (#3019 ) The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-ALPINE320-OPENSSL-8235201 - https://snyk.io/vuln/SNYK-ALPINE320-OPENSSL-8235201 Co-authored-by: snyk-bot <snyk-bot@snyk.io>	2024-12-11 16:46:51 +01:00
Pascal Fischer	6142828a9c	[management] restructure api files (#3013 )	2024-12-10 15:59:25 +01:00
Bethuel Mmbaga	97bb74f824	Remove peer login log (#3005 ) Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>	2024-12-09 18:40:06 +01:00
Maycon Santos	2147bf75eb	[client] Add peer conn init limit (#3001 ) Limit the peer connection initialization to 200 peers at the same time	2024-12-09 17:10:31 +01:00
Pascal Fischer	e40a29ba17	[client] Add support for state manager on iOS (#2996 )	2024-12-06 16:51:42 +01:00
Edouard Vanbelle	ff330e644e	upgrade zcalusic/sysinfo@v1.1.3 (add serial for ARM arch) (#2954 ) Signed-off-by: Edouard Vanbelle <edouard.vanbelle@shadow.tech>	2024-12-05 15:38:00 +01:00
M. Essam	713e320c4c	Update account peers on login on meta change (#2991 ) * Update account peers on login on meta change * Factor out LoginPeer peer not found handling	2024-12-05 14:15:23 +01:00
Maycon Santos	e67fe89adb	Reduce max wait time to initialize peer connections (#2984 ) * Reduce max wait time to initialize peer connections setting rand time range to 100-300ms instead of 100-800ms * remove min wait time	2024-12-05 13:03:11 +01:00
Viktor Liu	6cfbb1f320	[client] Init route selector early (#2989 )	2024-12-05 12:41:12 +01:00
Viktor Liu	c853011a32	[client] Don't return error in rule removal if protocol is not supported (#2990 )	2024-12-05 12:28:35 +01:00
Maycon Santos	b50b89ba14	[client] Cleanup status resources on engine stop (#2981 ) cleanup leftovers from status recorder when stopping the engine	2024-12-04 14:09:04 +01:00
Pascal Fischer	d063fbb8b9	[management] merge update account peers in sync call (#2978 )	2024-12-03 16:41:19 +01:00
Viktor Liu	e5d42bc963	[client] Add state handling cmdline options (#2821 )	2024-12-03 16:07:18 +01:00
Viktor Liu	8866394eb6	[client] Don't choke on non-existent interface in route updates (#2922 )	2024-12-03 15:33:41 +01:00
Viktor Liu	17c20b45ce	[client] Add network map to debug bundle (#2966 )	2024-12-03 14:50:12 +01:00
Joakim Nohlgård	7dacd9cb23	[management] Add missing parentheses on iphone hostname generation condition (#2977 )	2024-12-03 13:49:02 +01:00
Viktor Liu	6285e0d23e	[client] Add netbird.err and netbird.out to debug bundle (#2971 )	2024-12-03 12:43:17 +01:00
Maycon Santos	a4826cfb5f	[client] Get static system info once (#2965 ) Get static system info once for Windows, Darwin, and Linux nodes This should improve startup and peer authentication times	2024-12-03 10:22:04 +01:00
Zoltan Papp	a0bf0bdcc0	Pass IP instead of net to Rosenpass (#2975 )	2024-12-03 10:13:27 +01:00
Viktor Liu	dffce78a8c	[client] Fix debug bundle state anonymization test (#2976 )	2024-12-02 20:19:34 +01:00
Viktor Liu	c7e7ad5030	[client] Add state file to debug bundle (#2969 )	2024-12-02 18:04:02 +01:00
Viktor Liu	5142dc52c1	[client] Persist route selection (#2810 )	2024-12-02 17:55:02 +01:00
Zoltan Papp	ecb44ff306	[client] Add pprof build tag (#2964 ) * Add pprof build tag * Change env handling	2024-12-01 19:22:52 +01:00
victorserbu2709	e4a5fb3e91	Unspecified address: default NetworkTypeUDP4+NetworkTypeUDP6 (#2804 )	2024-11-30 10:34:52 +01:00
v1rusnl	e52d352a48	Update Caddyfile and Docker Compose to support HTTP3 (#2822 )	2024-11-30 10:26:31 +01:00
Maycon Santos	f9723c9266	[client] Account different policiy rules for routes firewall rules (#2939 ) * Account different policies rules for routes firewall rules This change ensures that route firewall rules will consider source group peers in the rules generation for access control policies. This fixes the behavior where multiple policies with different levels of access was being applied to all peers in a distribution group * split function * avoid unnecessary allocation Co-authored-by: Viktor Liu <17948409+lixmal@users.noreply.github.com> --------- Co-authored-by: Viktor Liu <17948409+lixmal@users.noreply.github.com>	2024-11-29 17:50:35 +01:00
Maycon Santos	8efad1d170	Add guide when signing key is not found (#2942 ) Some users face issues with their IdP due to signing key not being refreshed With this change we advise users to configure key refresh Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * removing leftover --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2024-11-29 10:06:40 +01:00