Merge branch 'main' into userspace-router

Treat the whole localhost range as local IPs
2026-06-02 22:19:54 +00:00 · 2025-02-07 13:32:09 +01:00 · 2025-01-29 22:43:14 +01:00 · 2025-01-29 22:00:41 +01:00 · 2025-01-23 19:29:40 +01:00 · 2025-01-23 19:29:25 +01:00
342 changed files with 8025 additions and 18150 deletions
--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -1,4 +1,4 @@
-name: "Darwin"
+name: Test Code Darwin

 on:
  push:
@@ -12,7 +12,9 @@ concurrency:

 jobs:
  test:
-    name: "Client / Unit"
+    strategy:
+      matrix:
+        store: ['sqlite']
    runs-on: macos-latest
    steps:
      - name: Install Go
--- a/.github/workflows/golang-test-freebsd.yml
+++ b/.github/workflows/golang-test-freebsd.yml
@@ -1,4 +1,5 @@
-name: "FreeBSD"
+
+name: Test Code FreeBSD

 on:
  push:
@@ -12,7 +13,6 @@ concurrency:

 jobs:
  test:
-    name: "Client / Unit"
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -1,4 +1,4 @@
-name: Linux
+name: Test Code Linux

 on:
  push:
@@ -12,21 +12,11 @@ concurrency:

 jobs:
  build-cache:
-    name: "Build Cache"
    runs-on: ubuntu-22.04
-    outputs:
-      management: ${{ steps.filter.outputs.management }}
    steps:        
      - name: Checkout code
        uses: actions/checkout@v4

-      - uses: dorny/paths-filter@v3
-        id: filter
-        with:
-          filters: |
-              management:
-                - 'management/**'
-
      - name: Install Go
        uses: actions/setup-go@v5
        with:
@@ -48,6 +38,7 @@ jobs:
          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
+            

      - name: Install dependencies
        if: steps.cache.outputs.cache-hit != 'true'
@@ -98,7 +89,6 @@ jobs:
        run: CGO_ENABLED=1 GOARCH=386 go build -o relay-386 .

  test:
-    name: "Client / Unit"
    needs: [build-cache]
    strategy:
      fail-fast: false
@@ -144,116 +134,9 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay)
-
-  test_relay:
-    name: "Relay / Unit"
-    needs: [build-cache]
-    strategy:
-      fail-fast: false
-      matrix:
-        arch: [ '386','amd64' ]
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.23.x"
-          cache: false
-
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Get Go environment
-        run: |
-          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
-
-      - name: Cache Go modules
-        uses: actions/cache/restore@v4
-        with:
-          path: |
-            ${{ env.cache }}
-            ${{ env.modcache }}
-          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-gotest-cache-
-
-      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
-
-      - name: Install 32-bit libpcap
-        if: matrix.arch == '386'
-        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
-
-      - name: Install modules
-        run: go mod tidy
-
-      - name: check git status
-        run: git --no-pager diff --exit-code
-
-      - name: Test
-        run: |
-          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
-          go test \
-            -exec 'sudo' \
-            -timeout 10m ./signal/...
-
-  test_signal:
-    name: "Signal / Unit"
-    needs: [build-cache]
-    strategy:
-      fail-fast: false
-      matrix:
-        arch: [ '386','amd64' ]
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.23.x"
-          cache: false
-
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Get Go environment
-        run: |
-          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
-
-      - name: Cache Go modules
-        uses: actions/cache/restore@v4
-        with:
-          path: |
-            ${{ env.cache }}
-            ${{ env.modcache }}
-          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-gotest-cache-
-
-      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
-
-      - name: Install 32-bit libpcap
-        if: matrix.arch == '386'
-        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
-
-      - name: Install modules
-        run: go mod tidy
-
-      - name: check git status
-        run: git --no-pager diff --exit-code
-
-      - name: Test
-        run: |
-          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
-          go test \
-            -exec 'sudo' \
-            -timeout 10m ./signal/...
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v /management)

  test_management:
-    name: "Management / Unit"
    needs: [ build-cache ]
    strategy:
      fail-fast: false
@@ -311,17 +194,10 @@ jobs:
        run: docker pull mlsmaycon/warmed-mysql:8

      - name: Test
-        run: |          
-          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
-          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
-          go test -tags=devcert \
-            -exec "sudo --preserve-env=CI,NETBIRD_STORE_ENGINE" \
-            -timeout 20m ./management/...
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -p 1 -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 10m $(go list ./... | grep /management)

  benchmark:
-    name: "Management / Benchmark"
    needs: [ build-cache ]
-    if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
    strategy:
      fail-fast: false
      matrix:
@@ -378,17 +254,10 @@ jobs:
        run: docker pull mlsmaycon/warmed-mysql:8

      - name: Test
-        run: |
-          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
-          NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true \
-          go test -tags devcert -run=^$ -bench=. \
-          -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
-          -timeout 20m ./...
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags devcert -run=^$ -bench=. -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 20m ./...

  api_benchmark:
-    name: "Management / Benchmark (API)"
    needs: [ build-cache ]
-    if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
    strategy:
      fail-fast: false
      matrix:
@@ -443,21 +312,12 @@ jobs:
      - name: download mysql image
        if: matrix.store == 'mysql'
        run: docker pull mlsmaycon/warmed-mysql:8
-
+        
      - name: Test
-        run: |
-          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
-          NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true \
-          go test -tags=benchmark \
-            -run=^$ \
-            -bench=. \
-            -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
-            -timeout 20m ./management/...
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -run=^$ -tags=benchmark -bench=. -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 30m $(go list -tags=benchmark ./... | grep /management)

  api_integration_test:
-    name: "Management / Integration"
    needs: [ build-cache ]
-    if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
    strategy:
      fail-fast: false
      matrix:
@@ -503,15 +363,9 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        run: |
-          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
-          NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true \
-          go test -tags=integration \
-          -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
-          -timeout 20m ./management/...
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=integration -p 1 -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 30m $(go list -tags=integration ./... | grep /management)

  test_client_on_docker:
-    name: "Client (Docker) / Unit"
    needs: [ build-cache ]
    runs-on: ubuntu-20.04
    steps:
--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -1,4 +1,4 @@
-name: "Windows"
+name: Test Code Windows

 on:
  push:
@@ -14,7 +14,6 @@ concurrency:

 jobs:
  test:
-    name: "Client / Unit"
    runs-on: windows-latest
    steps:
      - name: Checkout code
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -1,4 +1,4 @@
-name: Lint
+name: golangci-lint
 on: [pull_request]

 permissions:
@@ -27,14 +27,7 @@ jobs:
      fail-fast: false
      matrix:
        os: [macos-latest, windows-latest, ubuntu-latest]
-        include:
-          - os: macos-latest
-            display_name: Darwin
-          - os: windows-latest
-            display_name: Windows
-          - os: ubuntu-latest
-            display_name: Linux
-    name: ${{ matrix.display_name }}
+    name: lint
    runs-on: ${{ matrix.os }}
    timeout-minutes: 15
    steps:
--- a/.github/workflows/mobile-build-validation.yml
+++ b/.github/workflows/mobile-build-validation.yml
@@ -1,4 +1,4 @@
-name: Mobile
+name: Mobile build validation

 on:
  push:
@@ -12,7 +12,6 @@ concurrency:

 jobs:
  android_build:
-    name: "Android / Build"
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
@@ -48,7 +47,6 @@ jobs:
          CGO_ENABLED: 0
          ANDROID_NDK_HOME: /usr/local/lib/android/sdk/ndk/23.1.7779620
  ios_build:
-    name: "iOS / Build"
    runs-on: macos-latest
    steps:
      - name: Checkout repository
--- a/.gitignore
+++ b/.gitignore
@@ -29,4 +29,3 @@ infrastructure_files/setup.env
 infrastructure_files/setup-*.env
 .vscode
 .DS_Store
-vendor/
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -103,7 +103,7 @@ linters:
    - predeclared # predeclared finds code that shadows one of Go's predeclared identifiers
    - revive # Fast, configurable, extensible, flexible, and beautiful linter for Go. Drop-in replacement of golint.
    - sqlclosecheck # checks that sql.Rows and sql.Stmt are closed
-    # - thelper # thelper detects Go test helpers without t.Helper() call and checks the consistency of test helpers.
+    - thelper # thelper detects Go test helpers without t.Helper() call and checks the consistency of test helpers.
    - wastedassign # wastedassign finds wasted assignment statements
 issues:
  # Maximum count of issues with the same text.
--- a/.goreleaser_ui.yaml
+++ b/.goreleaser_ui.yaml
@@ -50,12 +50,10 @@ nfpms:
      - netbird-ui
    formats:
      - deb
-    scripts:
-      postinstall: "release_files/ui-post-install.sh"
    contents:
      - src: client/ui/netbird.desktop
        dst: /usr/share/applications/netbird.desktop
-      - src: client/ui/netbird.png
+      - src: client/ui/netbird-systemtray-connected.png
        dst: /usr/share/pixmaps/netbird.png
    dependencies:
      - netbird
@@ -69,12 +67,10 @@ nfpms:
      - netbird-ui
    formats:
      - rpm
-    scripts:
-      postinstall: "release_files/ui-post-install.sh"
    contents:
      - src: client/ui/netbird.desktop
        dst: /usr/share/applications/netbird.desktop
-      - src: client/ui/netbird.png
+      - src: client/ui/netbird-systemtray-connected.png
        dst: /usr/share/pixmaps/netbird.png
    dependencies:
      - netbird
--- a/README.md
+++ b/README.md
@@ -1,6 +1,4 @@
 <div align="center">
-<br/>
-  <br/>
 <p align="center">
  <img width="234" src="docs/media/logo-full.png"/>
 </p>
@@ -33,10 +31,6 @@
  <br/>
 
 </strong>
-<br>
-<a href="https://netbird.io/webinars/achieve-zero-trust-access-to-k8s?utm_source=github&utm_campaign=2502%20-%20webinar%20-%20How%20to%20Achieve%20Zero%20Trust%20Access%20to%20Kubernetes%20-%20Effortlessly&utm_medium=github">
-    Webinar: Securely Access Kubernetes without Port Forwarding and Jump Hosts
-  </a> 
 </p>

 <br>
--- a/client/Dockerfile
+++ b/client/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.21.3
+FROM alpine:3.21.0
 RUN apk add --no-cache ca-certificates iptables ip6tables
 ENV NB_FOREGROUND_MODE=true
 ENTRYPOINT [ "/usr/local/bin/netbird","up"]
--- a/client/cmd/debug.go
+++ b/client/cmd/debug.go
@@ -13,7 +13,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/server"
-	nbstatus "github.com/netbirdio/netbird/client/status"
 )

 const errCloseConnection = "Failed to close connection: %v"
@@ -86,7 +85,7 @@ func debugBundle(cmd *cobra.Command, _ []string) error {
 	client := proto.NewDaemonServiceClient(conn)
 	resp, err := client.DebugBundle(cmd.Context(), &proto.DebugBundleRequest{
 		Anonymize:  anonymizeFlag,
-		Status:     getStatusOutput(cmd, anonymizeFlag),
+		Status:     getStatusOutput(cmd),
 		SystemInfo: debugSystemInfoFlag,
 	})
 	if err != nil {
@@ -197,7 +196,7 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 	time.Sleep(3 * time.Second)

 	headerPostUp := fmt.Sprintf("----- Netbird post-up - Timestamp: %s", time.Now().Format(time.RFC3339))
-	statusOutput := fmt.Sprintf("%s\n%s", headerPostUp, getStatusOutput(cmd, anonymizeFlag))
+	statusOutput := fmt.Sprintf("%s\n%s", headerPostUp, getStatusOutput(cmd))

 	if waitErr := waitForDurationOrCancel(cmd.Context(), duration, cmd); waitErr != nil {
 		return waitErr
@@ -207,7 +206,7 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 	cmd.Println("Creating debug bundle...")

 	headerPreDown := fmt.Sprintf("----- Netbird pre-down - Timestamp: %s - Duration: %s", time.Now().Format(time.RFC3339), duration)
-	statusOutput = fmt.Sprintf("%s\n%s\n%s", statusOutput, headerPreDown, getStatusOutput(cmd, anonymizeFlag))
+	statusOutput = fmt.Sprintf("%s\n%s\n%s", statusOutput, headerPreDown, getStatusOutput(cmd))

 	resp, err := client.DebugBundle(cmd.Context(), &proto.DebugBundleRequest{
 		Anonymize:  anonymizeFlag,
@@ -272,15 +271,13 @@ func setNetworkMapPersistence(cmd *cobra.Command, args []string) error {
 	return nil
 }

-func getStatusOutput(cmd *cobra.Command, anon bool) string {
+func getStatusOutput(cmd *cobra.Command) string {
 	var statusOutputString string
 	statusResp, err := getStatus(cmd.Context())
 	if err != nil {
 		cmd.PrintErrf("Failed to get status: %v\n", err)
 	} else {
-		statusOutputString = nbstatus.ParseToFullDetailSummary(
-			nbstatus.ConvertToStatusOutputOverview(statusResp, anon, "", nil, nil, nil),
-		)
+		statusOutputString = parseToFullDetailSummary(convertToStatusOutputOverview(statusResp))
 	}
 	return statusOutputString
 }
--- a/client/cmd/forwarding_rules.go
+++ b/client/cmd/forwarding_rules.go
@@ -1,98 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"sort"
-
-	"github.com/spf13/cobra"
-	"google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/client/proto"
-)
-
-var forwardingRulesCmd = &cobra.Command{
-	Use:   "forwarding",
-	Short: "List forwarding rules",
-	Long:  `Commands to list forwarding rules.`,
-}
-
-var forwardingRulesListCmd = &cobra.Command{
-	Use:     "list",
-	Aliases: []string{"ls"},
-	Short:   "List forwarding rules",
-	Example: "  netbird forwarding list",
-	Long:    "Commands to list forwarding rules.",
-	RunE:    listForwardingRules,
-}
-
-func listForwardingRules(cmd *cobra.Command, _ []string) error {
-	conn, err := getClient(cmd)
-	if err != nil {
-		return err
-	}
-	defer conn.Close()
-
-	client := proto.NewDaemonServiceClient(conn)
-	resp, err := client.ForwardingRules(cmd.Context(), &proto.EmptyRequest{})
-	if err != nil {
-		return fmt.Errorf("failed to list network: %v", status.Convert(err).Message())
-	}
-
-	if len(resp.GetRules()) == 0 {
-		cmd.Println("No forwarding rules available.")
-		return nil
-	}
-
-	printForwardingRules(cmd, resp.GetRules())
-	return nil
-}
-
-func printForwardingRules(cmd *cobra.Command, rules []*proto.ForwardingRule) {
-	cmd.Println("Available forwarding rules:")
-
-	// Sort rules by translated address
-	sort.Slice(rules, func(i, j int) bool {
-		if rules[i].GetTranslatedAddress() != rules[j].GetTranslatedAddress() {
-			return rules[i].GetTranslatedAddress() < rules[j].GetTranslatedAddress()
-		}
-		if rules[i].GetProtocol() != rules[j].GetProtocol() {
-			return rules[i].GetProtocol() < rules[j].GetProtocol()
-		}
-
-		return getFirstPort(rules[i].GetDestinationPort()) < getFirstPort(rules[j].GetDestinationPort())
-	})
-
-	var lastIP string
-	for _, rule := range rules {
-		dPort := portToString(rule.GetDestinationPort())
-		tPort := portToString(rule.GetTranslatedPort())
-		if lastIP != rule.GetTranslatedAddress() {
-			lastIP = rule.GetTranslatedAddress()
-			cmd.Printf("\nTranslated peer: %s\n", rule.GetTranslatedHostname())
-		}
-
-		cmd.Printf("  Local %s/%s to %s:%s\n", rule.GetProtocol(), dPort, rule.GetTranslatedAddress(), tPort)
-	}
-}
-
-func getFirstPort(portInfo *proto.PortInfo) int {
-	switch v := portInfo.PortSelection.(type) {
-	case *proto.PortInfo_Port:
-		return int(v.Port)
-	case *proto.PortInfo_Range_:
-		return int(v.Range.GetStart())
-	default:
-		return 0
-	}
-}
-
-func portToString(translatedPort *proto.PortInfo) string {
-	switch v := translatedPort.PortSelection.(type) {
-	case *proto.PortInfo_Port:
-		return fmt.Sprintf("%d", v.Port)
-	case *proto.PortInfo_Range_:
-		return fmt.Sprintf("%d-%d", v.Range.GetStart(), v.Range.GetEnd())
-	default:
-		return "No port specified"
-	}
-}
--- a/client/cmd/login.go
+++ b/client/cmd/login.go
@@ -85,17 +85,11 @@ var loginCmd = &cobra.Command{

 		client := proto.NewDaemonServiceClient(conn)

-		var dnsLabelsReq []string
-		if dnsLabelsValidated != nil {
-			dnsLabelsReq = dnsLabelsValidated.ToSafeStringList()
-		}
-
 		loginRequest := proto.LoginRequest{
 			SetupKey:             providedSetupKey,
 			ManagementUrl:        managementURL,
 			IsLinuxDesktopClient: isLinuxRunningDesktop(),
 			Hostname:             hostName,
-			DnsLabels:            dnsLabelsReq,
 		}

 		if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -145,7 +145,6 @@ func init() {
 	rootCmd.AddCommand(versionCmd)
 	rootCmd.AddCommand(sshCmd)
 	rootCmd.AddCommand(networksCMD)
-	rootCmd.AddCommand(forwardingRulesCmd)
 	rootCmd.AddCommand(debugCmd)

 	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd) // service control commands are subcommands of service
@@ -154,8 +153,6 @@ func init() {
 	networksCMD.AddCommand(routesListCmd)
 	networksCMD.AddCommand(routesSelectCmd, routesDeselectCmd)

-	forwardingRulesCmd.AddCommand(forwardingRulesListCmd)
-
 	debugCmd.AddCommand(debugBundleCmd)
 	debugCmd.AddCommand(logCmd)
 	logCmd.AddCommand(logLevelCmd)
--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -2,20 +2,107 @@ package cmd

 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"net"
 	"net/netip"
+	"os"
+	"runtime"
+	"sort"
 	"strings"
+	"time"

 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
+	"gopkg.in/yaml.v3"

+	"github.com/netbirdio/netbird/client/anonymize"
 	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/proto"
-	nbstatus "github.com/netbirdio/netbird/client/status"
 	"github.com/netbirdio/netbird/util"
+	"github.com/netbirdio/netbird/version"
 )

+type peerStateDetailOutput struct {
+	FQDN                   string           `json:"fqdn" yaml:"fqdn"`
+	IP                     string           `json:"netbirdIp" yaml:"netbirdIp"`
+	PubKey                 string           `json:"publicKey" yaml:"publicKey"`
+	Status                 string           `json:"status" yaml:"status"`
+	LastStatusUpdate       time.Time        `json:"lastStatusUpdate" yaml:"lastStatusUpdate"`
+	ConnType               string           `json:"connectionType" yaml:"connectionType"`
+	IceCandidateType       iceCandidateType `json:"iceCandidateType" yaml:"iceCandidateType"`
+	IceCandidateEndpoint   iceCandidateType `json:"iceCandidateEndpoint" yaml:"iceCandidateEndpoint"`
+	RelayAddress           string           `json:"relayAddress" yaml:"relayAddress"`
+	LastWireguardHandshake time.Time        `json:"lastWireguardHandshake" yaml:"lastWireguardHandshake"`
+	TransferReceived       int64            `json:"transferReceived" yaml:"transferReceived"`
+	TransferSent           int64            `json:"transferSent" yaml:"transferSent"`
+	Latency                time.Duration    `json:"latency" yaml:"latency"`
+	RosenpassEnabled       bool             `json:"quantumResistance" yaml:"quantumResistance"`
+	Routes                 []string         `json:"routes" yaml:"routes"`
+	Networks               []string         `json:"networks" yaml:"networks"`
+}
+
+type peersStateOutput struct {
+	Total     int                     `json:"total" yaml:"total"`
+	Connected int                     `json:"connected" yaml:"connected"`
+	Details   []peerStateDetailOutput `json:"details" yaml:"details"`
+}
+
+type signalStateOutput struct {
+	URL       string `json:"url" yaml:"url"`
+	Connected bool   `json:"connected" yaml:"connected"`
+	Error     string `json:"error" yaml:"error"`
+}
+
+type managementStateOutput struct {
+	URL       string `json:"url" yaml:"url"`
+	Connected bool   `json:"connected" yaml:"connected"`
+	Error     string `json:"error" yaml:"error"`
+}
+
+type relayStateOutputDetail struct {
+	URI       string `json:"uri" yaml:"uri"`
+	Available bool   `json:"available" yaml:"available"`
+	Error     string `json:"error" yaml:"error"`
+}
+
+type relayStateOutput struct {
+	Total     int                      `json:"total" yaml:"total"`
+	Available int                      `json:"available" yaml:"available"`
+	Details   []relayStateOutputDetail `json:"details" yaml:"details"`
+}
+
+type iceCandidateType struct {
+	Local  string `json:"local" yaml:"local"`
+	Remote string `json:"remote" yaml:"remote"`
+}
+
+type nsServerGroupStateOutput struct {
+	Servers []string `json:"servers" yaml:"servers"`
+	Domains []string `json:"domains" yaml:"domains"`
+	Enabled bool     `json:"enabled" yaml:"enabled"`
+	Error   string   `json:"error" yaml:"error"`
+}
+
+type statusOutputOverview struct {
+	Peers               peersStateOutput           `json:"peers" yaml:"peers"`
+	CliVersion          string                     `json:"cliVersion" yaml:"cliVersion"`
+	DaemonVersion       string                     `json:"daemonVersion" yaml:"daemonVersion"`
+	ManagementState     managementStateOutput      `json:"management" yaml:"management"`
+	SignalState         signalStateOutput          `json:"signal" yaml:"signal"`
+	Relays              relayStateOutput           `json:"relays" yaml:"relays"`
+	IP                  string                     `json:"netbirdIp" yaml:"netbirdIp"`
+	PubKey              string                     `json:"publicKey" yaml:"publicKey"`
+	KernelInterface     bool                       `json:"usesKernelInterface" yaml:"usesKernelInterface"`
+	FQDN                string                     `json:"fqdn" yaml:"fqdn"`
+	RosenpassEnabled    bool                       `json:"quantumResistance" yaml:"quantumResistance"`
+	RosenpassPermissive bool                       `json:"quantumResistancePermissive" yaml:"quantumResistancePermissive"`
+	Routes              []string                   `json:"routes" yaml:"routes"`
+	Networks            []string                   `json:"networks" yaml:"networks"`
+	NSServerGroups      []nsServerGroupStateOutput `json:"dnsServers" yaml:"dnsServers"`
+}
+
 var (
 	detailFlag           bool
 	ipv4Flag             bool
@@ -86,17 +173,18 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 		return nil
 	}

-	var outputInformationHolder = nbstatus.ConvertToStatusOutputOverview(resp, anonymizeFlag, statusFilter, prefixNamesFilter, prefixNamesFilterMap, ipsFilterMap)
+	outputInformationHolder := convertToStatusOutputOverview(resp)
+
 	var statusOutputString string
 	switch {
 	case detailFlag:
-		statusOutputString = nbstatus.ParseToFullDetailSummary(outputInformationHolder)
+		statusOutputString = parseToFullDetailSummary(outputInformationHolder)
 	case jsonFlag:
-		statusOutputString, err = nbstatus.ParseToJSON(outputInformationHolder)
+		statusOutputString, err = parseToJSON(outputInformationHolder)
 	case yamlFlag:
-		statusOutputString, err = nbstatus.ParseToYAML(outputInformationHolder)
+		statusOutputString, err = parseToYAML(outputInformationHolder)
 	default:
-		statusOutputString = nbstatus.ParseGeneralSummary(outputInformationHolder, false, false, false)
+		statusOutputString = parseGeneralSummary(outputInformationHolder, false, false, false)
 	}

 	if err != nil {
@@ -126,6 +214,7 @@ func getStatus(ctx context.Context) (*proto.StatusResponse, error) {
 }

 func parseFilters() error {
+
 	switch strings.ToLower(statusFilter) {
 	case "", "disconnected", "connected":
 		if strings.ToLower(statusFilter) != "" {
@@ -162,6 +251,175 @@ func enableDetailFlagWhenFilterFlag() {
 	}
 }

+func convertToStatusOutputOverview(resp *proto.StatusResponse) statusOutputOverview {
+	pbFullStatus := resp.GetFullStatus()
+
+	managementState := pbFullStatus.GetManagementState()
+	managementOverview := managementStateOutput{
+		URL:       managementState.GetURL(),
+		Connected: managementState.GetConnected(),
+		Error:     managementState.Error,
+	}
+
+	signalState := pbFullStatus.GetSignalState()
+	signalOverview := signalStateOutput{
+		URL:       signalState.GetURL(),
+		Connected: signalState.GetConnected(),
+		Error:     signalState.Error,
+	}
+
+	relayOverview := mapRelays(pbFullStatus.GetRelays())
+	peersOverview := mapPeers(resp.GetFullStatus().GetPeers())
+
+	overview := statusOutputOverview{
+		Peers:               peersOverview,
+		CliVersion:          version.NetbirdVersion(),
+		DaemonVersion:       resp.GetDaemonVersion(),
+		ManagementState:     managementOverview,
+		SignalState:         signalOverview,
+		Relays:              relayOverview,
+		IP:                  pbFullStatus.GetLocalPeerState().GetIP(),
+		PubKey:              pbFullStatus.GetLocalPeerState().GetPubKey(),
+		KernelInterface:     pbFullStatus.GetLocalPeerState().GetKernelInterface(),
+		FQDN:                pbFullStatus.GetLocalPeerState().GetFqdn(),
+		RosenpassEnabled:    pbFullStatus.GetLocalPeerState().GetRosenpassEnabled(),
+		RosenpassPermissive: pbFullStatus.GetLocalPeerState().GetRosenpassPermissive(),
+		Routes:              pbFullStatus.GetLocalPeerState().GetNetworks(),
+		Networks:            pbFullStatus.GetLocalPeerState().GetNetworks(),
+		NSServerGroups:      mapNSGroups(pbFullStatus.GetDnsServers()),
+	}
+
+	if anonymizeFlag {
+		anonymizer := anonymize.NewAnonymizer(anonymize.DefaultAddresses())
+		anonymizeOverview(anonymizer, &overview)
+	}
+
+	return overview
+}
+
+func mapRelays(relays []*proto.RelayState) relayStateOutput {
+	var relayStateDetail []relayStateOutputDetail
+
+	var relaysAvailable int
+	for _, relay := range relays {
+		available := relay.GetAvailable()
+		relayStateDetail = append(relayStateDetail,
+			relayStateOutputDetail{
+				URI:       relay.URI,
+				Available: available,
+				Error:     relay.GetError(),
+			},
+		)
+
+		if available {
+			relaysAvailable++
+		}
+	}
+
+	return relayStateOutput{
+		Total:     len(relays),
+		Available: relaysAvailable,
+		Details:   relayStateDetail,
+	}
+}
+
+func mapNSGroups(servers []*proto.NSGroupState) []nsServerGroupStateOutput {
+	mappedNSGroups := make([]nsServerGroupStateOutput, 0, len(servers))
+	for _, pbNsGroupServer := range servers {
+		mappedNSGroups = append(mappedNSGroups, nsServerGroupStateOutput{
+			Servers: pbNsGroupServer.GetServers(),
+			Domains: pbNsGroupServer.GetDomains(),
+			Enabled: pbNsGroupServer.GetEnabled(),
+			Error:   pbNsGroupServer.GetError(),
+		})
+	}
+	return mappedNSGroups
+}
+
+func mapPeers(peers []*proto.PeerState) peersStateOutput {
+	var peersStateDetail []peerStateDetailOutput
+	peersConnected := 0
+	for _, pbPeerState := range peers {
+		localICE := ""
+		remoteICE := ""
+		localICEEndpoint := ""
+		remoteICEEndpoint := ""
+		relayServerAddress := ""
+		connType := ""
+		lastHandshake := time.Time{}
+		transferReceived := int64(0)
+		transferSent := int64(0)
+
+		isPeerConnected := pbPeerState.ConnStatus == peer.StatusConnected.String()
+		if skipDetailByFilters(pbPeerState, isPeerConnected) {
+			continue
+		}
+		if isPeerConnected {
+			peersConnected++
+
+			localICE = pbPeerState.GetLocalIceCandidateType()
+			remoteICE = pbPeerState.GetRemoteIceCandidateType()
+			localICEEndpoint = pbPeerState.GetLocalIceCandidateEndpoint()
+			remoteICEEndpoint = pbPeerState.GetRemoteIceCandidateEndpoint()
+			connType = "P2P"
+			if pbPeerState.Relayed {
+				connType = "Relayed"
+			}
+			relayServerAddress = pbPeerState.GetRelayAddress()
+			lastHandshake = pbPeerState.GetLastWireguardHandshake().AsTime().Local()
+			transferReceived = pbPeerState.GetBytesRx()
+			transferSent = pbPeerState.GetBytesTx()
+		}
+
+		timeLocal := pbPeerState.GetConnStatusUpdate().AsTime().Local()
+		peerState := peerStateDetailOutput{
+			IP:               pbPeerState.GetIP(),
+			PubKey:           pbPeerState.GetPubKey(),
+			Status:           pbPeerState.GetConnStatus(),
+			LastStatusUpdate: timeLocal,
+			ConnType:         connType,
+			IceCandidateType: iceCandidateType{
+				Local:  localICE,
+				Remote: remoteICE,
+			},
+			IceCandidateEndpoint: iceCandidateType{
+				Local:  localICEEndpoint,
+				Remote: remoteICEEndpoint,
+			},
+			RelayAddress:           relayServerAddress,
+			FQDN:                   pbPeerState.GetFqdn(),
+			LastWireguardHandshake: lastHandshake,
+			TransferReceived:       transferReceived,
+			TransferSent:           transferSent,
+			Latency:                pbPeerState.GetLatency().AsDuration(),
+			RosenpassEnabled:       pbPeerState.GetRosenpassEnabled(),
+			Routes:                 pbPeerState.GetNetworks(),
+			Networks:               pbPeerState.GetNetworks(),
+		}
+
+		peersStateDetail = append(peersStateDetail, peerState)
+	}
+
+	sortPeersByIP(peersStateDetail)
+
+	peersOverview := peersStateOutput{
+		Total:     len(peersStateDetail),
+		Connected: peersConnected,
+		Details:   peersStateDetail,
+	}
+	return peersOverview
+}
+
+func sortPeersByIP(peersStateDetail []peerStateDetailOutput) {
+	if len(peersStateDetail) > 0 {
+		sort.SliceStable(peersStateDetail, func(i, j int) bool {
+			iAddr, _ := netip.ParseAddr(peersStateDetail[i].IP)
+			jAddr, _ := netip.ParseAddr(peersStateDetail[j].IP)
+			return iAddr.Compare(jAddr) == -1
+		})
+	}
+}
+
 func parseInterfaceIP(interfaceIP string) string {
 	ip, _, err := net.ParseCIDR(interfaceIP)
 	if err != nil {
@@ -169,3 +427,452 @@ func parseInterfaceIP(interfaceIP string) string {
 	}
 	return fmt.Sprintf("%s\n", ip)
 }
+
+func parseToJSON(overview statusOutputOverview) (string, error) {
+	jsonBytes, err := json.Marshal(overview)
+	if err != nil {
+		return "", fmt.Errorf("json marshal failed")
+	}
+	return string(jsonBytes), err
+}
+
+func parseToYAML(overview statusOutputOverview) (string, error) {
+	yamlBytes, err := yaml.Marshal(overview)
+	if err != nil {
+		return "", fmt.Errorf("yaml marshal failed")
+	}
+	return string(yamlBytes), nil
+}
+
+func parseGeneralSummary(overview statusOutputOverview, showURL bool, showRelays bool, showNameServers bool) string {
+	var managementConnString string
+	if overview.ManagementState.Connected {
+		managementConnString = "Connected"
+		if showURL {
+			managementConnString = fmt.Sprintf("%s to %s", managementConnString, overview.ManagementState.URL)
+		}
+	} else {
+		managementConnString = "Disconnected"
+		if overview.ManagementState.Error != "" {
+			managementConnString = fmt.Sprintf("%s, reason: %s", managementConnString, overview.ManagementState.Error)
+		}
+	}
+
+	var signalConnString string
+	if overview.SignalState.Connected {
+		signalConnString = "Connected"
+		if showURL {
+			signalConnString = fmt.Sprintf("%s to %s", signalConnString, overview.SignalState.URL)
+		}
+	} else {
+		signalConnString = "Disconnected"
+		if overview.SignalState.Error != "" {
+			signalConnString = fmt.Sprintf("%s, reason: %s", signalConnString, overview.SignalState.Error)
+		}
+	}
+
+	interfaceTypeString := "Userspace"
+	interfaceIP := overview.IP
+	if overview.KernelInterface {
+		interfaceTypeString = "Kernel"
+	} else if overview.IP == "" {
+		interfaceTypeString = "N/A"
+		interfaceIP = "N/A"
+	}
+
+	var relaysString string
+	if showRelays {
+		for _, relay := range overview.Relays.Details {
+			available := "Available"
+			reason := ""
+			if !relay.Available {
+				available = "Unavailable"
+				reason = fmt.Sprintf(", reason: %s", relay.Error)
+			}
+			relaysString += fmt.Sprintf("\n  [%s] is %s%s", relay.URI, available, reason)
+		}
+	} else {
+		relaysString = fmt.Sprintf("%d/%d Available", overview.Relays.Available, overview.Relays.Total)
+	}
+
+	networks := "-"
+	if len(overview.Networks) > 0 {
+		sort.Strings(overview.Networks)
+		networks = strings.Join(overview.Networks, ", ")
+	}
+
+	var dnsServersString string
+	if showNameServers {
+		for _, nsServerGroup := range overview.NSServerGroups {
+			enabled := "Available"
+			if !nsServerGroup.Enabled {
+				enabled = "Unavailable"
+			}
+			errorString := ""
+			if nsServerGroup.Error != "" {
+				errorString = fmt.Sprintf(", reason: %s", nsServerGroup.Error)
+				errorString = strings.TrimSpace(errorString)
+			}
+
+			domainsString := strings.Join(nsServerGroup.Domains, ", ")
+			if domainsString == "" {
+				domainsString = "." // Show "." for the default zone
+			}
+			dnsServersString += fmt.Sprintf(
+				"\n  [%s] for [%s] is %s%s",
+				strings.Join(nsServerGroup.Servers, ", "),
+				domainsString,
+				enabled,
+				errorString,
+			)
+		}
+	} else {
+		dnsServersString = fmt.Sprintf("%d/%d Available", countEnabled(overview.NSServerGroups), len(overview.NSServerGroups))
+	}
+
+	rosenpassEnabledStatus := "false"
+	if overview.RosenpassEnabled {
+		rosenpassEnabledStatus = "true"
+		if overview.RosenpassPermissive {
+			rosenpassEnabledStatus = "true (permissive)" //nolint:gosec
+		}
+	}
+
+	peersCountString := fmt.Sprintf("%d/%d Connected", overview.Peers.Connected, overview.Peers.Total)
+
+	goos := runtime.GOOS
+	goarch := runtime.GOARCH
+	goarm := ""
+	if goarch == "arm" {
+		goarm = fmt.Sprintf(" (ARMv%s)", os.Getenv("GOARM"))
+	}
+
+	summary := fmt.Sprintf(
+		"OS: %s\n"+
+			"Daemon version: %s\n"+
+			"CLI version: %s\n"+
+			"Management: %s\n"+
+			"Signal: %s\n"+
+			"Relays: %s\n"+
+			"Nameservers: %s\n"+
+			"FQDN: %s\n"+
+			"NetBird IP: %s\n"+
+			"Interface type: %s\n"+
+			"Quantum resistance: %s\n"+
+			"Routes: %s\n"+
+			"Networks: %s\n"+
+			"Peers count: %s\n",
+		fmt.Sprintf("%s/%s%s", goos, goarch, goarm),
+		overview.DaemonVersion,
+		version.NetbirdVersion(),
+		managementConnString,
+		signalConnString,
+		relaysString,
+		dnsServersString,
+		overview.FQDN,
+		interfaceIP,
+		interfaceTypeString,
+		rosenpassEnabledStatus,
+		networks,
+		networks,
+		peersCountString,
+	)
+	return summary
+}
+
+func parseToFullDetailSummary(overview statusOutputOverview) string {
+	parsedPeersString := parsePeers(overview.Peers, overview.RosenpassEnabled, overview.RosenpassPermissive)
+	summary := parseGeneralSummary(overview, true, true, true)
+
+	return fmt.Sprintf(
+		"Peers detail:"+
+			"%s\n"+
+			"%s",
+		parsedPeersString,
+		summary,
+	)
+}
+
+func parsePeers(peers peersStateOutput, rosenpassEnabled, rosenpassPermissive bool) string {
+	var (
+		peersString = ""
+	)
+
+	for _, peerState := range peers.Details {
+
+		localICE := "-"
+		if peerState.IceCandidateType.Local != "" {
+			localICE = peerState.IceCandidateType.Local
+		}
+
+		remoteICE := "-"
+		if peerState.IceCandidateType.Remote != "" {
+			remoteICE = peerState.IceCandidateType.Remote
+		}
+
+		localICEEndpoint := "-"
+		if peerState.IceCandidateEndpoint.Local != "" {
+			localICEEndpoint = peerState.IceCandidateEndpoint.Local
+		}
+
+		remoteICEEndpoint := "-"
+		if peerState.IceCandidateEndpoint.Remote != "" {
+			remoteICEEndpoint = peerState.IceCandidateEndpoint.Remote
+		}
+
+		rosenpassEnabledStatus := "false"
+		if rosenpassEnabled {
+			if peerState.RosenpassEnabled {
+				rosenpassEnabledStatus = "true"
+			} else {
+				if rosenpassPermissive {
+					rosenpassEnabledStatus = "false (remote didn't enable quantum resistance)"
+				} else {
+					rosenpassEnabledStatus = "false (connection won't work without a permissive mode)"
+				}
+			}
+		} else {
+			if peerState.RosenpassEnabled {
+				rosenpassEnabledStatus = "false (connection might not work without a remote permissive mode)"
+			}
+		}
+
+		networks := "-"
+		if len(peerState.Networks) > 0 {
+			sort.Strings(peerState.Networks)
+			networks = strings.Join(peerState.Networks, ", ")
+		}
+
+		peerString := fmt.Sprintf(
+			"\n %s:\n"+
+				"  NetBird IP: %s\n"+
+				"  Public key: %s\n"+
+				"  Status: %s\n"+
+				"  -- detail --\n"+
+				"  Connection type: %s\n"+
+				"  ICE candidate (Local/Remote): %s/%s\n"+
+				"  ICE candidate endpoints (Local/Remote): %s/%s\n"+
+				"  Relay server address: %s\n"+
+				"  Last connection update: %s\n"+
+				"  Last WireGuard handshake: %s\n"+
+				"  Transfer status (received/sent) %s/%s\n"+
+				"  Quantum resistance: %s\n"+
+				"  Routes: %s\n"+
+				"  Networks: %s\n"+
+				"  Latency: %s\n",
+			peerState.FQDN,
+			peerState.IP,
+			peerState.PubKey,
+			peerState.Status,
+			peerState.ConnType,
+			localICE,
+			remoteICE,
+			localICEEndpoint,
+			remoteICEEndpoint,
+			peerState.RelayAddress,
+			timeAgo(peerState.LastStatusUpdate),
+			timeAgo(peerState.LastWireguardHandshake),
+			toIEC(peerState.TransferReceived),
+			toIEC(peerState.TransferSent),
+			rosenpassEnabledStatus,
+			networks,
+			networks,
+			peerState.Latency.String(),
+		)
+
+		peersString += peerString
+	}
+	return peersString
+}
+
+func skipDetailByFilters(peerState *proto.PeerState, isConnected bool) bool {
+	statusEval := false
+	ipEval := false
+	nameEval := true
+
+	if statusFilter != "" {
+		lowerStatusFilter := strings.ToLower(statusFilter)
+		if lowerStatusFilter == "disconnected" && isConnected {
+			statusEval = true
+		} else if lowerStatusFilter == "connected" && !isConnected {
+			statusEval = true
+		}
+	}
+
+	if len(ipsFilter) > 0 {
+		_, ok := ipsFilterMap[peerState.IP]
+		if !ok {
+			ipEval = true
+		}
+	}
+
+	if len(prefixNamesFilter) > 0 {
+		for prefixNameFilter := range prefixNamesFilterMap {
+			if strings.HasPrefix(peerState.Fqdn, prefixNameFilter) {
+				nameEval = false
+				break
+			}
+		}
+	} else {
+		nameEval = false
+	}
+
+	return statusEval || ipEval || nameEval
+}
+
+func toIEC(b int64) string {
+	const unit = 1024
+	if b < unit {
+		return fmt.Sprintf("%d B", b)
+	}
+	div, exp := int64(unit), 0
+	for n := b / unit; n >= unit; n /= unit {
+		div *= unit
+		exp++
+	}
+	return fmt.Sprintf("%.1f %ciB",
+		float64(b)/float64(div), "KMGTPE"[exp])
+}
+
+func countEnabled(dnsServers []nsServerGroupStateOutput) int {
+	count := 0
+	for _, server := range dnsServers {
+		if server.Enabled {
+			count++
+		}
+	}
+	return count
+}
+
+// timeAgo returns a string representing the duration since the provided time in a human-readable format.
+func timeAgo(t time.Time) string {
+	if t.IsZero() || t.Equal(time.Unix(0, 0)) {
+		return "-"
+	}
+	duration := time.Since(t)
+	switch {
+	case duration < time.Second:
+		return "Now"
+	case duration < time.Minute:
+		seconds := int(duration.Seconds())
+		if seconds == 1 {
+			return "1 second ago"
+		}
+		return fmt.Sprintf("%d seconds ago", seconds)
+	case duration < time.Hour:
+		minutes := int(duration.Minutes())
+		seconds := int(duration.Seconds()) % 60
+		if minutes == 1 {
+			if seconds == 1 {
+				return "1 minute, 1 second ago"
+			} else if seconds > 0 {
+				return fmt.Sprintf("1 minute, %d seconds ago", seconds)
+			}
+			return "1 minute ago"
+		}
+		if seconds > 0 {
+			return fmt.Sprintf("%d minutes, %d seconds ago", minutes, seconds)
+		}
+		return fmt.Sprintf("%d minutes ago", minutes)
+	case duration < 24*time.Hour:
+		hours := int(duration.Hours())
+		minutes := int(duration.Minutes()) % 60
+		if hours == 1 {
+			if minutes == 1 {
+				return "1 hour, 1 minute ago"
+			} else if minutes > 0 {
+				return fmt.Sprintf("1 hour, %d minutes ago", minutes)
+			}
+			return "1 hour ago"
+		}
+		if minutes > 0 {
+			return fmt.Sprintf("%d hours, %d minutes ago", hours, minutes)
+		}
+		return fmt.Sprintf("%d hours ago", hours)
+	}
+
+	days := int(duration.Hours()) / 24
+	hours := int(duration.Hours()) % 24
+	if days == 1 {
+		if hours == 1 {
+			return "1 day, 1 hour ago"
+		} else if hours > 0 {
+			return fmt.Sprintf("1 day, %d hours ago", hours)
+		}
+		return "1 day ago"
+	}
+	if hours > 0 {
+		return fmt.Sprintf("%d days, %d hours ago", days, hours)
+	}
+	return fmt.Sprintf("%d days ago", days)
+}
+
+func anonymizePeerDetail(a *anonymize.Anonymizer, peer *peerStateDetailOutput) {
+	peer.FQDN = a.AnonymizeDomain(peer.FQDN)
+	if localIP, port, err := net.SplitHostPort(peer.IceCandidateEndpoint.Local); err == nil {
+		peer.IceCandidateEndpoint.Local = fmt.Sprintf("%s:%s", a.AnonymizeIPString(localIP), port)
+	}
+	if remoteIP, port, err := net.SplitHostPort(peer.IceCandidateEndpoint.Remote); err == nil {
+		peer.IceCandidateEndpoint.Remote = fmt.Sprintf("%s:%s", a.AnonymizeIPString(remoteIP), port)
+	}
+
+	peer.RelayAddress = a.AnonymizeURI(peer.RelayAddress)
+
+	for i, route := range peer.Networks {
+		peer.Networks[i] = a.AnonymizeIPString(route)
+	}
+
+	for i, route := range peer.Networks {
+		peer.Networks[i] = a.AnonymizeRoute(route)
+	}
+
+	for i, route := range peer.Routes {
+		peer.Routes[i] = a.AnonymizeIPString(route)
+	}
+
+	for i, route := range peer.Routes {
+		peer.Routes[i] = a.AnonymizeRoute(route)
+	}
+}
+
+func anonymizeOverview(a *anonymize.Anonymizer, overview *statusOutputOverview) {
+	for i, peer := range overview.Peers.Details {
+		peer := peer
+		anonymizePeerDetail(a, &peer)
+		overview.Peers.Details[i] = peer
+	}
+
+	overview.ManagementState.URL = a.AnonymizeURI(overview.ManagementState.URL)
+	overview.ManagementState.Error = a.AnonymizeString(overview.ManagementState.Error)
+	overview.SignalState.URL = a.AnonymizeURI(overview.SignalState.URL)
+	overview.SignalState.Error = a.AnonymizeString(overview.SignalState.Error)
+
+	overview.IP = a.AnonymizeIPString(overview.IP)
+	for i, detail := range overview.Relays.Details {
+		detail.URI = a.AnonymizeURI(detail.URI)
+		detail.Error = a.AnonymizeString(detail.Error)
+		overview.Relays.Details[i] = detail
+	}
+
+	for i, nsGroup := range overview.NSServerGroups {
+		for j, domain := range nsGroup.Domains {
+			overview.NSServerGroups[i].Domains[j] = a.AnonymizeDomain(domain)
+		}
+		for j, ns := range nsGroup.Servers {
+			host, port, err := net.SplitHostPort(ns)
+			if err == nil {
+				overview.NSServerGroups[i].Servers[j] = fmt.Sprintf("%s:%s", a.AnonymizeIPString(host), port)
+			}
+		}
+	}
+
+	for i, route := range overview.Networks {
+		overview.Networks[i] = a.AnonymizeRoute(route)
+	}
+
+	for i, route := range overview.Routes {
+		overview.Routes[i] = a.AnonymizeRoute(route)
+	}
+
+	overview.FQDN = a.AnonymizeDomain(overview.FQDN)
+}
--- a/client/cmd/status_test.go
+++ b/client/cmd/status_test.go
@@ -1,11 +1,597 @@
 package cmd

 import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"runtime"
 	"testing"
+	"time"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/types/known/durationpb"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/version"
 )

+func init() {
+	loc, err := time.LoadLocation("UTC")
+	if err != nil {
+		panic(err)
+	}
+
+	time.Local = loc
+}
+
+var resp = &proto.StatusResponse{
+	Status: "Connected",
+	FullStatus: &proto.FullStatus{
+		Peers: []*proto.PeerState{
+			{
+				IP:                         "192.168.178.101",
+				PubKey:                     "Pubkey1",
+				Fqdn:                       "peer-1.awesome-domain.com",
+				ConnStatus:                 "Connected",
+				ConnStatusUpdate:           timestamppb.New(time.Date(2001, time.Month(1), 1, 1, 1, 1, 0, time.UTC)),
+				Relayed:                    false,
+				LocalIceCandidateType:      "",
+				RemoteIceCandidateType:     "",
+				LocalIceCandidateEndpoint:  "",
+				RemoteIceCandidateEndpoint: "",
+				LastWireguardHandshake:     timestamppb.New(time.Date(2001, time.Month(1), 1, 1, 1, 2, 0, time.UTC)),
+				BytesRx:                    200,
+				BytesTx:                    100,
+				Networks: []string{
+					"10.1.0.0/24",
+				},
+				Latency: durationpb.New(time.Duration(10000000)),
+			},
+			{
+				IP:                         "192.168.178.102",
+				PubKey:                     "Pubkey2",
+				Fqdn:                       "peer-2.awesome-domain.com",
+				ConnStatus:                 "Connected",
+				ConnStatusUpdate:           timestamppb.New(time.Date(2002, time.Month(2), 2, 2, 2, 2, 0, time.UTC)),
+				Relayed:                    true,
+				LocalIceCandidateType:      "relay",
+				RemoteIceCandidateType:     "prflx",
+				LocalIceCandidateEndpoint:  "10.0.0.1:10001",
+				RemoteIceCandidateEndpoint: "10.0.10.1:10002",
+				LastWireguardHandshake:     timestamppb.New(time.Date(2002, time.Month(2), 2, 2, 2, 3, 0, time.UTC)),
+				BytesRx:                    2000,
+				BytesTx:                    1000,
+				Latency:                    durationpb.New(time.Duration(10000000)),
+			},
+		},
+		ManagementState: &proto.ManagementState{
+			URL:       "my-awesome-management.com:443",
+			Connected: true,
+			Error:     "",
+		},
+		SignalState: &proto.SignalState{
+			URL:       "my-awesome-signal.com:443",
+			Connected: true,
+			Error:     "",
+		},
+		Relays: []*proto.RelayState{
+			{
+				URI:       "stun:my-awesome-stun.com:3478",
+				Available: true,
+				Error:     "",
+			},
+			{
+				URI:       "turns:my-awesome-turn.com:443?transport=tcp",
+				Available: false,
+				Error:     "context: deadline exceeded",
+			},
+		},
+		LocalPeerState: &proto.LocalPeerState{
+			IP:              "192.168.178.100/16",
+			PubKey:          "Some-Pub-Key",
+			KernelInterface: true,
+			Fqdn:            "some-localhost.awesome-domain.com",
+			Networks: []string{
+				"10.10.0.0/24",
+			},
+		},
+		DnsServers: []*proto.NSGroupState{
+			{
+				Servers: []string{
+					"8.8.8.8:53",
+				},
+				Domains: nil,
+				Enabled: true,
+				Error:   "",
+			},
+			{
+				Servers: []string{
+					"1.1.1.1:53",
+					"2.2.2.2:53",
+				},
+				Domains: []string{
+					"example.com",
+					"example.net",
+				},
+				Enabled: false,
+				Error:   "timeout",
+			},
+		},
+	},
+	DaemonVersion: "0.14.1",
+}
+
+var overview = statusOutputOverview{
+	Peers: peersStateOutput{
+		Total:     2,
+		Connected: 2,
+		Details: []peerStateDetailOutput{
+			{
+				IP:               "192.168.178.101",
+				PubKey:           "Pubkey1",
+				FQDN:             "peer-1.awesome-domain.com",
+				Status:           "Connected",
+				LastStatusUpdate: time.Date(2001, 1, 1, 1, 1, 1, 0, time.UTC),
+				ConnType:         "P2P",
+				IceCandidateType: iceCandidateType{
+					Local:  "",
+					Remote: "",
+				},
+				IceCandidateEndpoint: iceCandidateType{
+					Local:  "",
+					Remote: "",
+				},
+				LastWireguardHandshake: time.Date(2001, 1, 1, 1, 1, 2, 0, time.UTC),
+				TransferReceived:       200,
+				TransferSent:           100,
+				Routes: []string{
+					"10.1.0.0/24",
+				},
+				Networks: []string{
+					"10.1.0.0/24",
+				},
+				Latency: time.Duration(10000000),
+			},
+			{
+				IP:               "192.168.178.102",
+				PubKey:           "Pubkey2",
+				FQDN:             "peer-2.awesome-domain.com",
+				Status:           "Connected",
+				LastStatusUpdate: time.Date(2002, 2, 2, 2, 2, 2, 0, time.UTC),
+				ConnType:         "Relayed",
+				IceCandidateType: iceCandidateType{
+					Local:  "relay",
+					Remote: "prflx",
+				},
+				IceCandidateEndpoint: iceCandidateType{
+					Local:  "10.0.0.1:10001",
+					Remote: "10.0.10.1:10002",
+				},
+				LastWireguardHandshake: time.Date(2002, 2, 2, 2, 2, 3, 0, time.UTC),
+				TransferReceived:       2000,
+				TransferSent:           1000,
+				Latency:                time.Duration(10000000),
+			},
+		},
+	},
+	CliVersion:    version.NetbirdVersion(),
+	DaemonVersion: "0.14.1",
+	ManagementState: managementStateOutput{
+		URL:       "my-awesome-management.com:443",
+		Connected: true,
+		Error:     "",
+	},
+	SignalState: signalStateOutput{
+		URL:       "my-awesome-signal.com:443",
+		Connected: true,
+		Error:     "",
+	},
+	Relays: relayStateOutput{
+		Total:     2,
+		Available: 1,
+		Details: []relayStateOutputDetail{
+			{
+				URI:       "stun:my-awesome-stun.com:3478",
+				Available: true,
+				Error:     "",
+			},
+			{
+				URI:       "turns:my-awesome-turn.com:443?transport=tcp",
+				Available: false,
+				Error:     "context: deadline exceeded",
+			},
+		},
+	},
+	IP:              "192.168.178.100/16",
+	PubKey:          "Some-Pub-Key",
+	KernelInterface: true,
+	FQDN:            "some-localhost.awesome-domain.com",
+	NSServerGroups: []nsServerGroupStateOutput{
+		{
+			Servers: []string{
+				"8.8.8.8:53",
+			},
+			Domains: nil,
+			Enabled: true,
+			Error:   "",
+		},
+		{
+			Servers: []string{
+				"1.1.1.1:53",
+				"2.2.2.2:53",
+			},
+			Domains: []string{
+				"example.com",
+				"example.net",
+			},
+			Enabled: false,
+			Error:   "timeout",
+		},
+	},
+	Routes: []string{
+		"10.10.0.0/24",
+	},
+	Networks: []string{
+		"10.10.0.0/24",
+	},
+}
+
+func TestConversionFromFullStatusToOutputOverview(t *testing.T) {
+	convertedResult := convertToStatusOutputOverview(resp)
+
+	assert.Equal(t, overview, convertedResult)
+}
+
+func TestSortingOfPeers(t *testing.T) {
+	peers := []peerStateDetailOutput{
+		{
+			IP: "192.168.178.104",
+		},
+		{
+			IP: "192.168.178.102",
+		},
+		{
+			IP: "192.168.178.101",
+		},
+		{
+			IP: "192.168.178.105",
+		},
+		{
+			IP: "192.168.178.103",
+		},
+	}
+
+	sortPeersByIP(peers)
+
+	assert.Equal(t, peers[3].IP, "192.168.178.104")
+}
+
+func TestParsingToJSON(t *testing.T) {
+	jsonString, _ := parseToJSON(overview)
+
+	//@formatter:off
+	expectedJSONString := `
+        {
+          "peers": {
+            "total": 2,
+            "connected": 2,
+            "details": [
+              {
+                "fqdn": "peer-1.awesome-domain.com",
+                "netbirdIp": "192.168.178.101",
+                "publicKey": "Pubkey1",
+                "status": "Connected",
+                "lastStatusUpdate": "2001-01-01T01:01:01Z",
+                "connectionType": "P2P",
+                "iceCandidateType": {
+                  "local": "",
+                  "remote": ""
+                },
+                "iceCandidateEndpoint": {
+                  "local": "",
+                  "remote": ""
+                },
+				"relayAddress": "",
+                "lastWireguardHandshake": "2001-01-01T01:01:02Z",
+                "transferReceived": 200,
+                "transferSent": 100,
+				"latency": 10000000,
+                "quantumResistance": false,
+                "routes": [
+                  "10.1.0.0/24"
+                ],
+                "networks": [
+                  "10.1.0.0/24"
+                ]
+              },
+              {
+                "fqdn": "peer-2.awesome-domain.com",
+                "netbirdIp": "192.168.178.102",
+                "publicKey": "Pubkey2",
+                "status": "Connected",
+                "lastStatusUpdate": "2002-02-02T02:02:02Z",
+                "connectionType": "Relayed",
+                "iceCandidateType": {
+                  "local": "relay",
+                  "remote": "prflx"
+                },
+                "iceCandidateEndpoint": {
+                  "local": "10.0.0.1:10001",
+                  "remote": "10.0.10.1:10002"
+                },
+				"relayAddress": "",
+                "lastWireguardHandshake": "2002-02-02T02:02:03Z",
+                "transferReceived": 2000,
+                "transferSent": 1000,
+				"latency": 10000000,
+                "quantumResistance": false,
+                "routes": null,
+                "networks": null
+              }
+            ]
+          },
+          "cliVersion": "development",
+          "daemonVersion": "0.14.1",
+          "management": {
+            "url": "my-awesome-management.com:443",
+            "connected": true,
+            "error": ""
+          },
+          "signal": {
+            "url": "my-awesome-signal.com:443",
+            "connected": true,
+            "error": ""
+          },
+          "relays": {
+            "total": 2,
+            "available": 1,
+            "details": [
+              {
+                "uri": "stun:my-awesome-stun.com:3478",
+                "available": true,
+                "error": ""
+              },
+              {
+                "uri": "turns:my-awesome-turn.com:443?transport=tcp",
+                "available": false,
+                "error": "context: deadline exceeded"
+              }
+            ]
+          },
+          "netbirdIp": "192.168.178.100/16",
+          "publicKey": "Some-Pub-Key",
+          "usesKernelInterface": true,
+          "fqdn": "some-localhost.awesome-domain.com",
+          "quantumResistance": false,
+          "quantumResistancePermissive": false,
+          "routes": [
+            "10.10.0.0/24"
+          ],
+          "networks": [
+            "10.10.0.0/24"
+          ],
+          "dnsServers": [
+            {
+              "servers": [
+                "8.8.8.8:53"
+              ],
+              "domains": null,
+              "enabled": true,
+              "error": ""
+            },
+            {
+              "servers": [
+                "1.1.1.1:53",
+                "2.2.2.2:53"
+              ],
+              "domains": [
+                "example.com",
+                "example.net"
+              ],
+              "enabled": false,
+              "error": "timeout"
+            }
+          ]
+        }`
+	// @formatter:on
+
+	var expectedJSON bytes.Buffer
+	require.NoError(t, json.Compact(&expectedJSON, []byte(expectedJSONString)))
+
+	assert.Equal(t, expectedJSON.String(), jsonString)
+}
+
+func TestParsingToYAML(t *testing.T) {
+	yaml, _ := parseToYAML(overview)
+
+	expectedYAML :=
+		`peers:
+    total: 2
+    connected: 2
+    details:
+        - fqdn: peer-1.awesome-domain.com
+          netbirdIp: 192.168.178.101
+          publicKey: Pubkey1
+          status: Connected
+          lastStatusUpdate: 2001-01-01T01:01:01Z
+          connectionType: P2P
+          iceCandidateType:
+            local: ""
+            remote: ""
+          iceCandidateEndpoint:
+            local: ""
+            remote: ""
+          relayAddress: ""
+          lastWireguardHandshake: 2001-01-01T01:01:02Z
+          transferReceived: 200
+          transferSent: 100
+          latency: 10ms
+          quantumResistance: false
+          routes:
+            - 10.1.0.0/24
+          networks:
+            - 10.1.0.0/24
+        - fqdn: peer-2.awesome-domain.com
+          netbirdIp: 192.168.178.102
+          publicKey: Pubkey2
+          status: Connected
+          lastStatusUpdate: 2002-02-02T02:02:02Z
+          connectionType: Relayed
+          iceCandidateType:
+            local: relay
+            remote: prflx
+          iceCandidateEndpoint:
+            local: 10.0.0.1:10001
+            remote: 10.0.10.1:10002
+          relayAddress: ""
+          lastWireguardHandshake: 2002-02-02T02:02:03Z
+          transferReceived: 2000
+          transferSent: 1000
+          latency: 10ms
+          quantumResistance: false
+          routes: []
+          networks: []
+cliVersion: development
+daemonVersion: 0.14.1
+management:
+    url: my-awesome-management.com:443
+    connected: true
+    error: ""
+signal:
+    url: my-awesome-signal.com:443
+    connected: true
+    error: ""
+relays:
+    total: 2
+    available: 1
+    details:
+        - uri: stun:my-awesome-stun.com:3478
+          available: true
+          error: ""
+        - uri: turns:my-awesome-turn.com:443?transport=tcp
+          available: false
+          error: 'context: deadline exceeded'
+netbirdIp: 192.168.178.100/16
+publicKey: Some-Pub-Key
+usesKernelInterface: true
+fqdn: some-localhost.awesome-domain.com
+quantumResistance: false
+quantumResistancePermissive: false
+routes:
+    - 10.10.0.0/24
+networks:
+    - 10.10.0.0/24
+dnsServers:
+    - servers:
+        - 8.8.8.8:53
+      domains: []
+      enabled: true
+      error: ""
+    - servers:
+        - 1.1.1.1:53
+        - 2.2.2.2:53
+      domains:
+        - example.com
+        - example.net
+      enabled: false
+      error: timeout
+`
+
+	assert.Equal(t, expectedYAML, yaml)
+}
+
+func TestParsingToDetail(t *testing.T) {
+	// Calculate time ago based on the fixture dates
+	lastConnectionUpdate1 := timeAgo(overview.Peers.Details[0].LastStatusUpdate)
+	lastHandshake1 := timeAgo(overview.Peers.Details[0].LastWireguardHandshake)
+	lastConnectionUpdate2 := timeAgo(overview.Peers.Details[1].LastStatusUpdate)
+	lastHandshake2 := timeAgo(overview.Peers.Details[1].LastWireguardHandshake)
+
+	detail := parseToFullDetailSummary(overview)
+
+	expectedDetail := fmt.Sprintf(
+		`Peers detail:
+ peer-1.awesome-domain.com:
+  NetBird IP: 192.168.178.101
+  Public key: Pubkey1
+  Status: Connected
+  -- detail --
+  Connection type: P2P
+  ICE candidate (Local/Remote): -/-
+  ICE candidate endpoints (Local/Remote): -/-
+  Relay server address: 
+  Last connection update: %s
+  Last WireGuard handshake: %s
+  Transfer status (received/sent) 200 B/100 B
+  Quantum resistance: false
+  Routes: 10.1.0.0/24
+  Networks: 10.1.0.0/24
+  Latency: 10ms
+
+ peer-2.awesome-domain.com:
+  NetBird IP: 192.168.178.102
+  Public key: Pubkey2
+  Status: Connected
+  -- detail --
+  Connection type: Relayed
+  ICE candidate (Local/Remote): relay/prflx
+  ICE candidate endpoints (Local/Remote): 10.0.0.1:10001/10.0.10.1:10002
+  Relay server address: 
+  Last connection update: %s
+  Last WireGuard handshake: %s
+  Transfer status (received/sent) 2.0 KiB/1000 B
+  Quantum resistance: false
+  Routes: -
+  Networks: -
+  Latency: 10ms
+
+OS: %s/%s
+Daemon version: 0.14.1
+CLI version: %s
+Management: Connected to my-awesome-management.com:443
+Signal: Connected to my-awesome-signal.com:443
+Relays: 
+  [stun:my-awesome-stun.com:3478] is Available
+  [turns:my-awesome-turn.com:443?transport=tcp] is Unavailable, reason: context: deadline exceeded
+Nameservers: 
+  [8.8.8.8:53] for [.] is Available
+  [1.1.1.1:53, 2.2.2.2:53] for [example.com, example.net] is Unavailable, reason: timeout
+FQDN: some-localhost.awesome-domain.com
+NetBird IP: 192.168.178.100/16
+Interface type: Kernel
+Quantum resistance: false
+Routes: 10.10.0.0/24
+Networks: 10.10.0.0/24
+Peers count: 2/2 Connected
+`, lastConnectionUpdate1, lastHandshake1, lastConnectionUpdate2, lastHandshake2, runtime.GOOS, runtime.GOARCH, overview.CliVersion)
+
+	assert.Equal(t, expectedDetail, detail)
+}
+
+func TestParsingToShortVersion(t *testing.T) {
+	shortVersion := parseGeneralSummary(overview, false, false, false)
+
+	expectedString := fmt.Sprintf("OS: %s/%s", runtime.GOOS, runtime.GOARCH) + `
+Daemon version: 0.14.1
+CLI version: development
+Management: Connected
+Signal: Connected
+Relays: 1/2 Available
+Nameservers: 1/2 Available
+FQDN: some-localhost.awesome-domain.com
+NetBird IP: 192.168.178.100/16
+Interface type: Kernel
+Quantum resistance: false
+Routes: 10.10.0.0/24
+Networks: 10.10.0.0/24
+Peers count: 2/2 Connected
+`
+
+	assert.Equal(t, expectedString, shortVersion)
+}
+
 func TestParsingOfIP(t *testing.T) {
 	InterfaceIP := "192.168.178.123/16"

@@ -13,3 +599,31 @@ func TestParsingOfIP(t *testing.T) {

 	assert.Equal(t, "192.168.178.123\n", parsedIP)
 }
+
+func TestTimeAgo(t *testing.T) {
+	now := time.Now()
+
+	cases := []struct {
+		name     string
+		input    time.Time
+		expected string
+	}{
+		{"Now", now, "Now"},
+		{"Seconds ago", now.Add(-10 * time.Second), "10 seconds ago"},
+		{"One minute ago", now.Add(-1 * time.Minute), "1 minute ago"},
+		{"Minutes and seconds ago", now.Add(-(1*time.Minute + 30*time.Second)), "1 minute, 30 seconds ago"},
+		{"One hour ago", now.Add(-1 * time.Hour), "1 hour ago"},
+		{"Hours and minutes ago", now.Add(-(2*time.Hour + 15*time.Minute)), "2 hours, 15 minutes ago"},
+		{"One day ago", now.Add(-24 * time.Hour), "1 day ago"},
+		{"Multiple days ago", now.Add(-(72*time.Hour + 20*time.Minute)), "3 days ago"},
+		{"Zero time", time.Time{}, "-"},
+		{"Unix zero time", time.Unix(0, 0), "-"},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := timeAgo(tc.input)
+			assert.Equal(t, tc.expected, result, "Failed %s", tc.name)
+		})
+	}
+}
--- a/client/cmd/testutil_test.go
+++ b/client/cmd/testutil_test.go
@@ -10,7 +10,6 @@ import (
 	"go.opentelemetry.io/otel"

 	"github.com/netbirdio/netbird/management/server/activity"
-	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	"github.com/netbirdio/netbird/management/server/settings"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/telemetry"
@@ -90,13 +89,13 @@ func startManagement(t *testing.T, config *mgmt.Config, testFile string) (*grpc.
 	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
 	require.NoError(t, err)

-	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settings.NewManagerMock())
+	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics)
 	if err != nil {
 		t.Fatal(err)
 	}

 	secretsManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay)
-	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, settings.NewManagerMock(), peersUpdateManager, secretsManager, nil, nil, nil)
+	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, settings.NewManager(store), peersUpdateManager, secretsManager, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -20,7 +20,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/system"
-	"github.com/netbirdio/netbird/management/domain"
 	"github.com/netbirdio/netbird/util"
 )

@@ -30,16 +29,9 @@ const (
 	interfaceInputType
 )

-const (
-	dnsLabelsFlag = "extra-dns-labels"
-)
-
 var (
-	foregroundMode     bool
-	dnsLabels          []string
-	dnsLabelsValidated domain.List
-
-	upCmd = &cobra.Command{
+	foregroundMode bool
+	upCmd          = &cobra.Command{
 		Use:   "up",
 		Short: "install, login and start Netbird client",
 		RunE:  upFunc,
@@ -57,14 +49,6 @@ func init() {
 	upCmd.PersistentFlags().StringSliceVar(&extraIFaceBlackList, extraIFaceBlackListFlag, nil, "Extra list of default interfaces to ignore for listening")
 	upCmd.PersistentFlags().DurationVar(&dnsRouteInterval, dnsRouteIntervalFlag, time.Minute, "DNS route update interval")
 	upCmd.PersistentFlags().BoolVar(&blockLANAccess, blockLANAccessFlag, false, "Block access to local networks (LAN) when using this peer as a router or exit node")
-
-	upCmd.PersistentFlags().StringSliceVar(&dnsLabels, dnsLabelsFlag, nil,
-		`Sets DNS labels`+
-			`You can specify a comma-separated list of up to 32 labels. `+
-			`An empty string "" clears the previous configuration. `+
-			`E.g. --extra-dns-labels vpc1 or --extra-dns-labels vpc1,mgmt1 `+
-			`or --extra-dns-labels ""`,
-	)
 }

 func upFunc(cmd *cobra.Command, args []string) error {
@@ -83,11 +67,6 @@ func upFunc(cmd *cobra.Command, args []string) error {
 		return err
 	}

-	dnsLabelsValidated, err = validateDnsLabels(dnsLabels)
-	if err != nil {
-		return err
-	}
-
 	ctx := internal.CtxInitState(cmd.Context())

 	if hostName != "" {
@@ -119,7 +98,6 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 		NATExternalIPs:      natExternalIPs,
 		CustomDNSAddress:    customDNSAddressConverted,
 		ExtraIFaceBlackList: extraIFaceBlackList,
-		DNSLabels:           dnsLabelsValidated,
 	}

 	if cmd.Flag(enableRosenpassFlag).Changed {
@@ -262,8 +240,6 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
 		IsLinuxDesktopClient: isLinuxRunningDesktop(),
 		Hostname:             hostName,
 		ExtraIFaceBlacklist:  extraIFaceBlackList,
-		DnsLabels:            dnsLabels,
-		CleanDNSLabels:       dnsLabels != nil && len(dnsLabels) == 0,
 	}

 	if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
@@ -454,24 +430,6 @@ func parseCustomDNSAddress(modified bool) ([]byte, error) {
 	return parsed, nil
 }

-func validateDnsLabels(labels []string) (domain.List, error) {
-	var (
-		domains domain.List
-		err     error
-	)
-
-	if len(labels) == 0 {
-		return domains, nil
-	}
-
-	domains, err = domain.ValidateDomains(labels)
-	if err != nil {
-		return nil, fmt.Errorf("failed to validate dns labels: %v", err)
-	}
-
-	return domains, nil
-}
-
 func isValidAddrPort(input string) bool {
 	if input == "" {
 		return true
--- a/client/embed/doc.go
+++ b/client/embed/doc.go
@@ -1,167 +0,0 @@
-// Package embed provides a way to embed the NetBird client directly
-// into Go programs without requiring a separate NetBird client installation.
-package embed
-
-// Basic Usage:
-//
-//	client, err := embed.New(embed.Options{
-//	    DeviceName:    "my-service",
-//	    SetupKey:      os.Getenv("NB_SETUP_KEY"),
-//	    ManagementURL: os.Getenv("NB_MANAGEMENT_URL"),
-//	})
-//	if err != nil {
-//	    log.Fatal(err)
-//	}
-//
-//	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-//	defer cancel()
-//	if err := client.Start(ctx); err != nil {
-//	    log.Fatal(err)
-//	}
-//
-// Complete HTTP Server Example:
-//
-//	package main
-//
-//	import (
-//	    "context"
-//	    "fmt"
-//	    "log"
-//	    "net/http"
-//	    "os"
-//	    "os/signal"
-//	    "syscall"
-//	    "time"
-//
-//	    netbird "github.com/netbirdio/netbird/client/embed"
-//	)
-//
-//	func main() {
-//	    // Create client with setup key and device name
-//	    client, err := netbird.New(netbird.Options{
-//	        DeviceName:    "http-server",
-//	        SetupKey:      os.Getenv("NB_SETUP_KEY"),
-//	        ManagementURL: os.Getenv("NB_MANAGEMENT_URL"),
-//	        LogOutput:     io.Discard,
-//	    })
-//	    if err != nil {
-//	        log.Fatal(err)
-//	    }
-//
-//	    // Start with timeout
-//	    ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-//	    defer cancel()
-//	    if err := client.Start(ctx); err != nil {
-//	        log.Fatal(err)
-//	    }
-//
-//	    // Create HTTP server
-//	    mux := http.NewServeMux()
-//	    mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
-//	        fmt.Printf("Request from %s: %s %s\n", r.RemoteAddr, r.Method, r.URL.Path)
-//	        fmt.Fprintf(w, "Hello from netbird!")
-//	    })
-//
-//	    // Listen on netbird network
-//	    l, err := client.ListenTCP(":8080")
-//	    if err != nil {
-//	        log.Fatal(err)
-//	    }
-//
-//	    server := &http.Server{Handler: mux}
-//	    go func() {
-//	        if err := server.Serve(l); !errors.Is(err, http.ErrServerClosed) {
-//	            log.Printf("HTTP server error: %v", err)
-//	        }
-//	    }()
-//
-//	    log.Printf("HTTP server listening on netbird network port 8080")
-//
-//	    // Handle shutdown
-//	    stop := make(chan os.Signal, 1)
-//	    signal.Notify(stop, syscall.SIGINT, syscall.SIGTERM)
-//	    <-stop
-//
-//	    shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-//	    defer cancel()
-//
-//	    if err := server.Shutdown(shutdownCtx); err != nil {
-//	        log.Printf("HTTP shutdown error: %v", err)
-//	    }
-//	    if err := client.Stop(shutdownCtx); err != nil {
-//	        log.Printf("Netbird shutdown error: %v", err)
-//	    }
-//	}
-//
-// Complete HTTP Client Example:
-//
-//	package main
-//
-//	import (
-//	    "context"
-//	    "fmt"
-//	    "io"
-//	    "log"
-//	    "os"
-//	    "time"
-//
-//	    netbird "github.com/netbirdio/netbird/client/embed"
-//	)
-//
-//	func main() {
-//	    // Create client with setup key and device name
-//	    client, err := netbird.New(netbird.Options{
-//	        DeviceName:    "http-client",
-//	        SetupKey:      os.Getenv("NB_SETUP_KEY"),
-//	        ManagementURL: os.Getenv("NB_MANAGEMENT_URL"),
-//	        LogOutput:     io.Discard,
-//	    })
-//	    if err != nil {
-//	        log.Fatal(err)
-//	    }
-//
-//	    // Start with timeout
-//	    ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-//	    defer cancel()
-//
-//	    if err := client.Start(ctx); err != nil {
-//	        log.Fatal(err)
-//	    }
-//
-//	    // Create HTTP client that uses netbird network
-//	    httpClient := client.NewHTTPClient()
-//	    httpClient.Timeout = 10 * time.Second
-//
-//	    // Make request to server in netbird network
-//	    target := os.Getenv("NB_TARGET")
-//	    resp, err := httpClient.Get(target)
-//	    if err != nil {
-//	        log.Fatal(err)
-//	    }
-//	    defer resp.Body.Close()
-//
-//	    // Read and print response
-//	    body, err := io.ReadAll(resp.Body)
-//	    if err != nil {
-//	        log.Fatal(err)
-//	    }
-//
-//	    fmt.Printf("Response from server: %s\n", string(body))
-//
-//	    // Clean shutdown
-//	    shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-//	    defer cancel()
-//
-//	    if err := client.Stop(shutdownCtx); err != nil {
-//	        log.Printf("Netbird shutdown error: %v", err)
-//	    }
-//	}
-//
-// The package provides several methods for network operations:
-//   - Dial: Creates outbound connections
-//   - ListenTCP: Creates TCP listeners
-//   - ListenUDP: Creates UDP listeners
-//
-// By default, the embed package uses userspace networking mode, which doesn't
-// require root/admin privileges. For production deployments, consider setting
-// appropriate config and state paths for persistence.
--- a/client/embed/embed.go
+++ b/client/embed/embed.go
@@ -1,296 +0,0 @@
-package embed
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"io"
-	"net"
-	"net/http"
-	"net/netip"
-	"os"
-	"sync"
-
-	"github.com/sirupsen/logrus"
-	wgnetstack "golang.zx2c4.com/wireguard/tun/netstack"
-
-	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/system"
-)
-
-var ErrClientAlreadyStarted = errors.New("client already started")
-var ErrClientNotStarted = errors.New("client not started")
-
-// Client manages a netbird embedded client instance
-type Client struct {
-	deviceName string
-	config     *internal.Config
-	mu         sync.Mutex
-	cancel     context.CancelFunc
-	setupKey   string
-	connect    *internal.ConnectClient
-}
-
-// Options configures a new Client
-type Options struct {
-	// DeviceName is this peer's name in the network
-	DeviceName string
-	// SetupKey is used for authentication
-	SetupKey string
-	// ManagementURL overrides the default management server URL
-	ManagementURL string
-	// PreSharedKey is the pre-shared key for the WireGuard interface
-	PreSharedKey string
-	// LogOutput is the output destination for logs (defaults to os.Stderr if nil)
-	LogOutput io.Writer
-	// LogLevel sets the logging level (defaults to info if empty)
-	LogLevel string
-	// NoUserspace disables the userspace networking mode. Needs admin/root privileges
-	NoUserspace bool
-	// ConfigPath is the path to the netbird config file. If empty, the config will be stored in memory and not persisted.
-	ConfigPath string
-	// StatePath is the path to the netbird state file
-	StatePath string
-	// DisableClientRoutes disables the client routes
-	DisableClientRoutes bool
-}
-
-// New creates a new netbird embedded client
-func New(opts Options) (*Client, error) {
-	if opts.LogOutput != nil {
-		logrus.SetOutput(opts.LogOutput)
-	}
-
-	if opts.LogLevel != "" {
-		level, err := logrus.ParseLevel(opts.LogLevel)
-		if err != nil {
-			return nil, fmt.Errorf("parse log level: %w", err)
-		}
-		logrus.SetLevel(level)
-	}
-
-	if !opts.NoUserspace {
-		if err := os.Setenv(netstack.EnvUseNetstackMode, "true"); err != nil {
-			return nil, fmt.Errorf("setenv: %w", err)
-		}
-		if err := os.Setenv(netstack.EnvSkipProxy, "true"); err != nil {
-			return nil, fmt.Errorf("setenv: %w", err)
-		}
-	}
-
-	if opts.StatePath != "" {
-		// TODO: Disable state if path not provided
-		if err := os.Setenv("NB_DNS_STATE_FILE", opts.StatePath); err != nil {
-			return nil, fmt.Errorf("setenv: %w", err)
-		}
-	}
-
-	t := true
-	var config *internal.Config
-	var err error
-	input := internal.ConfigInput{
-		ConfigPath:          opts.ConfigPath,
-		ManagementURL:       opts.ManagementURL,
-		PreSharedKey:        &opts.PreSharedKey,
-		DisableServerRoutes: &t,
-		DisableClientRoutes: &opts.DisableClientRoutes,
-	}
-	if opts.ConfigPath != "" {
-		config, err = internal.UpdateOrCreateConfig(input)
-	} else {
-		config, err = internal.CreateInMemoryConfig(input)
-	}
-	if err != nil {
-		return nil, fmt.Errorf("create config: %w", err)
-	}
-
-	return &Client{
-		deviceName: opts.DeviceName,
-		setupKey:   opts.SetupKey,
-		config:     config,
-	}, nil
-}
-
-// Start begins client operation and blocks until the engine has been started successfully or a startup error occurs.
-// Pass a context with a deadline to limit the time spent waiting for the engine to start.
-func (c *Client) Start(startCtx context.Context) error {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	if c.cancel != nil {
-		return ErrClientAlreadyStarted
-	}
-
-	ctx := internal.CtxInitState(context.Background())
-	// nolint:staticcheck
-	ctx = context.WithValue(ctx, system.DeviceNameCtxKey, c.deviceName)
-	if err := internal.Login(ctx, c.config, c.setupKey, ""); err != nil {
-		return fmt.Errorf("login: %w", err)
-	}
-
-	recorder := peer.NewRecorder(c.config.ManagementURL.String())
-	client := internal.NewConnectClient(ctx, c.config, recorder)
-
-	// either startup error (permanent backoff err) or nil err (successful engine up)
-	// TODO: make after-startup backoff err available
-	run := make(chan error, 1)
-	go func() {
-		if err := client.Run(run); err != nil {
-			run <- err
-		}
-	}()
-
-	select {
-	case <-startCtx.Done():
-		if stopErr := client.Stop(); stopErr != nil {
-			return fmt.Errorf("stop error after context done. Stop error: %w. Context done: %w", stopErr, startCtx.Err())
-		}
-		return startCtx.Err()
-	case err := <-run:
-		if err != nil {
-			if stopErr := client.Stop(); stopErr != nil {
-				return fmt.Errorf("stop error after failed to startup. Stop error: %w. Start error: %w", stopErr, err)
-			}
-			return fmt.Errorf("startup: %w", err)
-		}
-	}
-
-	c.connect = client
-
-	return nil
-}
-
-// Stop gracefully stops the client.
-// Pass a context with a deadline to limit the time spent waiting for the engine to stop.
-func (c *Client) Stop(ctx context.Context) error {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-
-	if c.connect == nil {
-		return ErrClientNotStarted
-	}
-
-	done := make(chan error, 1)
-	go func() {
-		done <- c.connect.Stop()
-	}()
-
-	select {
-	case <-ctx.Done():
-		c.cancel = nil
-		return ctx.Err()
-	case err := <-done:
-		c.cancel = nil
-		if err != nil {
-			return fmt.Errorf("stop: %w", err)
-		}
-		return nil
-	}
-}
-
-// Dial dials a network address in the netbird network.
-// Not applicable if the userspace networking mode is disabled.
-func (c *Client) Dial(ctx context.Context, network, address string) (net.Conn, error) {
-	c.mu.Lock()
-	connect := c.connect
-	if connect == nil {
-		c.mu.Unlock()
-		return nil, ErrClientNotStarted
-	}
-	c.mu.Unlock()
-
-	engine := connect.Engine()
-	if engine == nil {
-		return nil, errors.New("engine not started")
-	}
-
-	nsnet, err := engine.GetNet()
-	if err != nil {
-		return nil, fmt.Errorf("get net: %w", err)
-	}
-
-	return nsnet.DialContext(ctx, network, address)
-}
-
-// ListenTCP listens on the given address in the netbird network
-// Not applicable if the userspace networking mode is disabled.
-func (c *Client) ListenTCP(address string) (net.Listener, error) {
-	nsnet, addr, err := c.getNet()
-	if err != nil {
-		return nil, err
-	}
-
-	_, port, err := net.SplitHostPort(address)
-	if err != nil {
-		return nil, fmt.Errorf("split host port: %w", err)
-	}
-	listenAddr := fmt.Sprintf("%s:%s", addr, port)
-
-	tcpAddr, err := net.ResolveTCPAddr("tcp", listenAddr)
-	if err != nil {
-		return nil, fmt.Errorf("resolve: %w", err)
-	}
-	return nsnet.ListenTCP(tcpAddr)
-}
-
-// ListenUDP listens on the given address in the netbird network
-// Not applicable if the userspace networking mode is disabled.
-func (c *Client) ListenUDP(address string) (net.PacketConn, error) {
-	nsnet, addr, err := c.getNet()
-	if err != nil {
-		return nil, err
-	}
-
-	_, port, err := net.SplitHostPort(address)
-	if err != nil {
-		return nil, fmt.Errorf("split host port: %w", err)
-	}
-	listenAddr := fmt.Sprintf("%s:%s", addr, port)
-
-	udpAddr, err := net.ResolveUDPAddr("udp", listenAddr)
-	if err != nil {
-		return nil, fmt.Errorf("resolve: %w", err)
-	}
-
-	return nsnet.ListenUDP(udpAddr)
-}
-
-// NewHTTPClient returns a configured http.Client that uses the netbird network for requests.
-// Not applicable if the userspace networking mode is disabled.
-func (c *Client) NewHTTPClient() *http.Client {
-	transport := &http.Transport{
-		DialContext: c.Dial,
-	}
-
-	return &http.Client{
-		Transport: transport,
-	}
-}
-
-func (c *Client) getNet() (*wgnetstack.Net, netip.Addr, error) {
-	c.mu.Lock()
-	connect := c.connect
-	if connect == nil {
-		c.mu.Unlock()
-		return nil, netip.Addr{}, errors.New("client not started")
-	}
-	c.mu.Unlock()
-
-	engine := connect.Engine()
-	if engine == nil {
-		return nil, netip.Addr{}, errors.New("engine not started")
-	}
-
-	addr, err := engine.Address()
-	if err != nil {
-		return nil, netip.Addr{}, fmt.Errorf("engine address: %w", err)
-	}
-
-	nsnet, err := engine.GetNet()
-	if err != nil {
-		return nil, netip.Addr{}, fmt.Errorf("get net: %w", err)
-	}
-
-	return nsnet, addr, nil
-}
--- a/client/firewall/iptables/acl_linux.go
+++ b/client/firewall/iptables/acl_linux.go
@@ -30,8 +30,10 @@ type entry struct {
 }

 type aclManager struct {
-	iptablesClient  *iptables.IPTables
-	wgIface         iFaceMapper
+	iptablesClient     *iptables.IPTables
+	wgIface            iFaceMapper
+	routingFwChainName string
+
 	entries         aclEntries
 	optionalEntries map[string][]entry
 	ipsetStore      *ipsetStore
@@ -39,10 +41,12 @@ type aclManager struct {
 	stateManager *statemanager.Manager
 }

-func newAclManager(iptablesClient *iptables.IPTables, wgIface iFaceMapper) (*aclManager, error) {
+func newAclManager(iptablesClient *iptables.IPTables, wgIface iFaceMapper, routingFwChainName string) (*aclManager, error) {
 	m := &aclManager{
-		iptablesClient:  iptablesClient,
-		wgIface:         wgIface,
+		iptablesClient:     iptablesClient,
+		wgIface:            wgIface,
+		routingFwChainName: routingFwChainName,
+
 		entries:         make(map[string][][]string),
 		optionalEntries: make(map[string][]entry),
 		ipsetStore:      newIpsetStore(),
@@ -310,12 +314,9 @@ func (m *aclManager) seedInitialEntries() {
 	m.appendToEntries("INPUT", []string{"-i", m.wgIface.Name(), "-j", chainNameInputRules})
 	m.appendToEntries("INPUT", append([]string{"-i", m.wgIface.Name()}, established...))

-	// Inbound is handled by our ACLs, the rest is dropped.
-	// For outbound we respect the FORWARD policy. However, we need to allow established/related traffic for inbound rules.
 	m.appendToEntries("FORWARD", []string{"-i", m.wgIface.Name(), "-j", "DROP"})
-
-	m.appendToEntries("FORWARD", []string{"-o", m.wgIface.Name(), "-j", chainRTFWDOUT})
-	m.appendToEntries("FORWARD", []string{"-i", m.wgIface.Name(), "-j", chainRTFWDIN})
+	m.appendToEntries("FORWARD", []string{"-i", m.wgIface.Name(), "-j", m.routingFwChainName})
+	m.appendToEntries("FORWARD", append([]string{"-o", m.wgIface.Name()}, established...))
 }

 func (m *aclManager) seedInitialOptionalEntries() {
--- a/client/firewall/iptables/manager_linux.go
+++ b/client/firewall/iptables/manager_linux.go
@@ -52,7 +52,7 @@ func Create(wgIface iFaceMapper) (*Manager, error) {
 		return nil, fmt.Errorf("create router: %w", err)
 	}

-	m.aclMgr, err = newAclManager(iptablesClient, wgIface)
+	m.aclMgr, err = newAclManager(iptablesClient, wgIface, chainRTFWD)
 	if err != nil {
 		return nil, fmt.Errorf("create acl manager: %w", err)
 	}
@@ -218,30 +218,6 @@ func (m *Manager) SetLogLevel(log.Level) {
 	// not supported
 }

-func (m *Manager) EnableRouting() error {
-	return nil
-}
-
-func (m *Manager) DisableRouting() error {
-	return nil
-}
-
-// AddDNATRule adds a DNAT rule
-func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.AddDNATRule(rule)
-}
-
-// DeleteDNATRule deletes a DNAT rule
-func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.DeleteDNATRule(rule)
-}
-
 func getConntrackEstablished() []string {
 	return []string{"-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
 }
--- a/client/firewall/iptables/router_linux.go
+++ b/client/firewall/iptables/router_linux.go
@@ -16,7 +16,6 @@ import (
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/acl/id"
-	"github.com/netbirdio/netbird/client/internal/routemanager/ipfwdstate"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 	nbnet "github.com/netbirdio/netbird/util/net"
@@ -24,36 +23,22 @@ import (

 // constants needed to manage and create iptable rules
 const (
-	tableFilter = "filter"
-	tableNat    = "nat"
-	tableMangle = "mangle"
-
+	tableFilter             = "filter"
+	tableNat                = "nat"
+	tableMangle             = "mangle"
 	chainPOSTROUTING        = "POSTROUTING"
 	chainPREROUTING         = "PREROUTING"
 	chainRTNAT              = "NETBIRD-RT-NAT"
-	chainRTFWDIN            = "NETBIRD-RT-FWD-IN"
-	chainRTFWDOUT           = "NETBIRD-RT-FWD-OUT"
+	chainRTFWD              = "NETBIRD-RT-FWD"
 	chainRTPRE              = "NETBIRD-RT-PRE"
-	chainRTRDR              = "NETBIRD-RT-RDR"
 	routingFinalForwardJump = "ACCEPT"
 	routingFinalNatJump     = "MASQUERADE"

-	jumpManglePre = "jump-mangle-pre"
-	jumpNatPre    = "jump-nat-pre"
-	jumpNatPost   = "jump-nat-post"
-	matchSet      = "--match-set"
-
-	dnatSuffix = "_dnat"
-	snatSuffix = "_snat"
-	fwdSuffix  = "_fwd"
+	jumpPre  = "jump-pre"
+	jumpNat  = "jump-nat"
+	matchSet = "--match-set"
 )

-type ruleInfo struct {
-	chain string
-	table string
-	rule  []string
-}
-
 type routeFilteringRuleParams struct {
 	Sources     []netip.Prefix
 	Destination netip.Prefix
@@ -77,7 +62,6 @@ type router struct {
 	legacyManagement bool

 	stateManager *statemanager.Manager
-	ipFwdState   *ipfwdstate.IPForwardingState
 }

 func newRouter(iptablesClient *iptables.IPTables, wgIface iFaceMapper) (*router, error) {
@@ -85,7 +69,6 @@ func newRouter(iptablesClient *iptables.IPTables, wgIface iFaceMapper) (*router,
 		iptablesClient: iptablesClient,
 		rules:          make(map[string][]string),
 		wgIface:        wgIface,
-		ipFwdState:     ipfwdstate.NewIPForwardingState(),
 	}

 	r.ipsetCounter = refcounter.New(
@@ -156,9 +139,9 @@ func (r *router) AddRouteFiltering(
 	var err error
 	if action == firewall.ActionDrop {
 		// after the established rule
-		err = r.iptablesClient.Insert(tableFilter, chainRTFWDIN, 2, rule...)
+		err = r.iptablesClient.Insert(tableFilter, chainRTFWD, 2, rule...)
 	} else {
-		err = r.iptablesClient.Append(tableFilter, chainRTFWDIN, rule...)
+		err = r.iptablesClient.Append(tableFilter, chainRTFWD, rule...)
 	}

 	if err != nil {
@@ -173,12 +156,12 @@ func (r *router) AddRouteFiltering(
 }

 func (r *router) DeleteRouteRule(rule firewall.Rule) error {
-	ruleKey := rule.ID()
+	ruleKey := rule.GetRuleID()

 	if rule, exists := r.rules[ruleKey]; exists {
 		setName := r.findSetNameInRule(rule)

-		if err := r.iptablesClient.Delete(tableFilter, chainRTFWDIN, rule...); err != nil {
+		if err := r.iptablesClient.Delete(tableFilter, chainRTFWD, rule...); err != nil {
 			return fmt.Errorf("delete route rule: %v", err)
 		}
 		delete(r.rules, ruleKey)
@@ -229,10 +212,6 @@ func (r *router) deleteIpSet(setName string) error {

 // AddNatRule inserts an iptables rule pair into the nat chain
 func (r *router) AddNatRule(pair firewall.RouterPair) error {
-	if err := r.ipFwdState.RequestForwarding(); err != nil {
-		return err
-	}
-
 	if r.legacyManagement {
 		log.Warnf("This peer is connected to a NetBird Management service with an older version. Allowing all traffic for %s", pair.Destination)
 		if err := r.addLegacyRouteRule(pair); err != nil {
@@ -259,10 +238,6 @@ func (r *router) AddNatRule(pair firewall.RouterPair) error {

 // RemoveNatRule removes an iptables rule pair from forwarding and nat chains
 func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
-	if err := r.ipFwdState.ReleaseForwarding(); err != nil {
-		log.Errorf("%v", err)
-	}
-
 	if err := r.removeNatRule(pair); err != nil {
 		return fmt.Errorf("remove nat rule: %w", err)
 	}
@@ -289,7 +264,7 @@ func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
 	}

 	rule := []string{"-s", pair.Source.String(), "-d", pair.Destination.String(), "-j", routingFinalForwardJump}
-	if err := r.iptablesClient.Append(tableFilter, chainRTFWDIN, rule...); err != nil {
+	if err := r.iptablesClient.Append(tableFilter, chainRTFWD, rule...); err != nil {
 		return fmt.Errorf("add legacy forwarding rule %s -> %s: %v", pair.Source, pair.Destination, err)
 	}

@@ -302,7 +277,7 @@ func (r *router) removeLegacyRouteRule(pair firewall.RouterPair) error {
 	ruleKey := firewall.GenKey(firewall.ForwardingFormat, pair)

 	if rule, exists := r.rules[ruleKey]; exists {
-		if err := r.iptablesClient.DeleteIfExists(tableFilter, chainRTFWDIN, rule...); err != nil {
+		if err := r.iptablesClient.DeleteIfExists(tableFilter, chainRTFWD, rule...); err != nil {
 			return fmt.Errorf("remove legacy forwarding rule %s -> %s: %v", pair.Source, pair.Destination, err)
 		}
 		delete(r.rules, ruleKey)
@@ -330,7 +305,7 @@ func (r *router) RemoveAllLegacyRouteRules() error {
 		if !strings.HasPrefix(k, firewall.ForwardingFormatPrefix) {
 			continue
 		}
-		if err := r.iptablesClient.DeleteIfExists(tableFilter, chainRTFWDIN, rule...); err != nil {
+		if err := r.iptablesClient.DeleteIfExists(tableFilter, chainRTFWD, rule...); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("remove legacy forwarding rule: %v", err))
 		} else {
 			delete(r.rules, k)
@@ -368,11 +343,9 @@ func (r *router) cleanUpDefaultForwardRules() error {
 		chain string
 		table string
 	}{
-		{chainRTFWDIN, tableFilter},
-		{chainRTFWDOUT, tableFilter},
-		{chainRTPRE, tableMangle},
+		{chainRTFWD, tableFilter},
 		{chainRTNAT, tableNat},
-		{chainRTRDR, tableNat},
+		{chainRTPRE, tableMangle},
 	} {
 		ok, err := r.iptablesClient.ChainExists(chainInfo.table, chainInfo.chain)
 		if err != nil {
@@ -392,22 +365,16 @@ func (r *router) createContainers() error {
 		chain string
 		table string
 	}{
-		{chainRTFWDIN, tableFilter},
-		{chainRTFWDOUT, tableFilter},
+		{chainRTFWD, tableFilter},
 		{chainRTPRE, tableMangle},
 		{chainRTNAT, tableNat},
-		{chainRTRDR, tableNat},
 	} {
-		if err := r.iptablesClient.NewChain(chainInfo.table, chainInfo.chain); err != nil {
+		if err := r.createAndSetupChain(chainInfo.chain); err != nil {
 			return fmt.Errorf("create chain %s in table %s: %w", chainInfo.chain, chainInfo.table, err)
 		}
 	}

-	if err := r.insertEstablishedRule(chainRTFWDIN); err != nil {
-		return fmt.Errorf("insert established rule: %w", err)
-	}
-
-	if err := r.insertEstablishedRule(chainRTFWDOUT); err != nil {
+	if err := r.insertEstablishedRule(chainRTFWD); err != nil {
 		return fmt.Errorf("insert established rule: %w", err)
 	}

@@ -448,6 +415,27 @@ func (r *router) addPostroutingRules() error {
 	return nil
 }

+func (r *router) createAndSetupChain(chain string) error {
+	table := r.getTableForChain(chain)
+
+	if err := r.iptablesClient.NewChain(table, chain); err != nil {
+		return fmt.Errorf("failed creating chain %s, error: %v", chain, err)
+	}
+
+	return nil
+}
+
+func (r *router) getTableForChain(chain string) string {
+	switch chain {
+	case chainRTNAT:
+		return tableNat
+	case chainRTPRE:
+		return tableMangle
+	default:
+		return tableFilter
+	}
+}
+
 func (r *router) insertEstablishedRule(chain string) error {
 	establishedRule := getConntrackEstablished()

@@ -466,43 +454,28 @@ func (r *router) addJumpRules() error {
 	// Jump to NAT chain
 	natRule := []string{"-j", chainRTNAT}
 	if err := r.iptablesClient.Insert(tableNat, chainPOSTROUTING, 1, natRule...); err != nil {
-		return fmt.Errorf("add nat postrouting jump rule: %v", err)
+		return fmt.Errorf("add nat jump rule: %v", err)
 	}
-	r.rules[jumpNatPost] = natRule
+	r.rules[jumpNat] = natRule

-	// Jump to mangle prerouting chain
+	// Jump to prerouting chain
 	preRule := []string{"-j", chainRTPRE}
 	if err := r.iptablesClient.Insert(tableMangle, chainPREROUTING, 1, preRule...); err != nil {
-		return fmt.Errorf("add mangle prerouting jump rule: %v", err)
+		return fmt.Errorf("add prerouting jump rule: %v", err)
 	}
-	r.rules[jumpManglePre] = preRule
-
-	// Jump to nat prerouting chain
-	rdrRule := []string{"-j", chainRTRDR}
-	if err := r.iptablesClient.Insert(tableNat, chainPREROUTING, 1, rdrRule...); err != nil {
-		return fmt.Errorf("add nat prerouting jump rule: %v", err)
-	}
-	r.rules[jumpNatPre] = rdrRule
+	r.rules[jumpPre] = preRule

 	return nil
 }

 func (r *router) cleanJumpRules() error {
-	for _, ruleKey := range []string{jumpNatPost, jumpManglePre, jumpNatPre} {
+	for _, ruleKey := range []string{jumpNat, jumpPre} {
 		if rule, exists := r.rules[ruleKey]; exists {
-			var table, chain string
-			switch ruleKey {
-			case jumpNatPost:
-				table = tableNat
-				chain = chainPOSTROUTING
-			case jumpManglePre:
+			table := tableNat
+			chain := chainPOSTROUTING
+			if ruleKey == jumpPre {
 				table = tableMangle
 				chain = chainPREROUTING
-			case jumpNatPre:
-				table = tableNat
-				chain = chainPREROUTING
-			default:
-				return fmt.Errorf("unknown jump rule: %s", ruleKey)
 			}

 			if err := r.iptablesClient.DeleteIfExists(table, chain, rule...); err != nil {
@@ -547,8 +520,6 @@ func (r *router) addNatRule(pair firewall.RouterPair) error {
 	}

 	r.rules[ruleKey] = rule
-
-	r.updateState()
 	return nil
 }

@@ -564,7 +535,6 @@ func (r *router) removeNatRule(pair firewall.RouterPair) error {
 		log.Debugf("marking rule %s not found", ruleKey)
 	}

-	r.updateState()
 	return nil
 }

@@ -594,137 +564,6 @@ func (r *router) updateState() {
 	}
 }

-func (r *router) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
-	if err := r.ipFwdState.RequestForwarding(); err != nil {
-		return nil, err
-	}
-
-	ruleKey := rule.ID()
-	if _, exists := r.rules[ruleKey+dnatSuffix]; exists {
-		return rule, nil
-	}
-
-	toDestination := rule.TranslatedAddress.String()
-	switch {
-	case len(rule.TranslatedPort.Values) == 0:
-		// no translated port, use original port
-	case len(rule.TranslatedPort.Values) == 1:
-		toDestination += fmt.Sprintf(":%d", rule.TranslatedPort.Values[0])
-	case rule.TranslatedPort.IsRange && len(rule.TranslatedPort.Values) == 2:
-		// need the "/originalport" suffix to avoid dnat port randomization
-		toDestination += fmt.Sprintf(":%d-%d/%d", rule.TranslatedPort.Values[0], rule.TranslatedPort.Values[1], rule.DestinationPort.Values[0])
-	default:
-		return nil, fmt.Errorf("invalid translated port: %v", rule.TranslatedPort)
-	}
-
-	proto := strings.ToLower(string(rule.Protocol))
-
-	rules := make(map[string]ruleInfo, 3)
-
-	// DNAT rule
-	dnatRule := []string{
-		"!", "-i", r.wgIface.Name(),
-		"-p", proto,
-		"-j", "DNAT",
-		"--to-destination", toDestination,
-	}
-	dnatRule = append(dnatRule, applyPort("--dport", &rule.DestinationPort)...)
-	rules[ruleKey+dnatSuffix] = ruleInfo{
-		table: tableNat,
-		chain: chainRTRDR,
-		rule:  dnatRule,
-	}
-
-	// SNAT rule
-	snatRule := []string{
-		"-o", r.wgIface.Name(),
-		"-p", proto,
-		"-d", rule.TranslatedAddress.String(),
-		"-j", "MASQUERADE",
-	}
-	snatRule = append(snatRule, applyPort("--dport", &rule.TranslatedPort)...)
-	rules[ruleKey+snatSuffix] = ruleInfo{
-		table: tableNat,
-		chain: chainRTNAT,
-		rule:  snatRule,
-	}
-
-	// Forward filtering rule, if fwd policy is DROP
-	forwardRule := []string{
-		"-o", r.wgIface.Name(),
-		"-p", proto,
-		"-d", rule.TranslatedAddress.String(),
-		"-j", "ACCEPT",
-	}
-	forwardRule = append(forwardRule, applyPort("--dport", &rule.TranslatedPort)...)
-	rules[ruleKey+fwdSuffix] = ruleInfo{
-		table: tableFilter,
-		chain: chainRTFWDOUT,
-		rule:  forwardRule,
-	}
-
-	for key, ruleInfo := range rules {
-		if err := r.iptablesClient.Append(ruleInfo.table, ruleInfo.chain, ruleInfo.rule...); err != nil {
-			if rollbackErr := r.rollbackRules(rules); rollbackErr != nil {
-				log.Errorf("rollback failed: %v", rollbackErr)
-			}
-			return nil, fmt.Errorf("add rule %s: %w", key, err)
-		}
-		r.rules[key] = ruleInfo.rule
-	}
-
-	r.updateState()
-	return rule, nil
-}
-
-func (r *router) rollbackRules(rules map[string]ruleInfo) error {
-	var merr *multierror.Error
-	for key, ruleInfo := range rules {
-		if err := r.iptablesClient.DeleteIfExists(ruleInfo.table, ruleInfo.chain, ruleInfo.rule...); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("rollback rule %s: %w", key, err))
-			// On rollback error, add to rules map for next cleanup
-			r.rules[key] = ruleInfo.rule
-		}
-	}
-	if merr != nil {
-		r.updateState()
-	}
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *router) DeleteDNATRule(rule firewall.Rule) error {
-	if err := r.ipFwdState.ReleaseForwarding(); err != nil {
-		log.Errorf("%v", err)
-	}
-
-	ruleKey := rule.ID()
-
-	var merr *multierror.Error
-	if dnatRule, exists := r.rules[ruleKey+dnatSuffix]; exists {
-		if err := r.iptablesClient.Delete(tableNat, chainRTRDR, dnatRule...); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("delete DNAT rule: %w", err))
-		}
-		delete(r.rules, ruleKey+dnatSuffix)
-	}
-
-	if snatRule, exists := r.rules[ruleKey+snatSuffix]; exists {
-		if err := r.iptablesClient.Delete(tableNat, chainRTNAT, snatRule...); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("delete SNAT rule: %w", err))
-		}
-		delete(r.rules, ruleKey+snatSuffix)
-	}
-
-	if fwdRule, exists := r.rules[ruleKey+fwdSuffix]; exists {
-		if err := r.iptablesClient.Delete(tableFilter, chainRTFWDIN, fwdRule...); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("delete forward rule: %w", err))
-		}
-		delete(r.rules, ruleKey+fwdSuffix)
-	}
-
-	r.updateState()
-	return nberrors.FormatErrorOrNil(merr)
-}
-
 func genRouteFilteringRuleSpec(params routeFilteringRuleParams) []string {
 	var rule []string

--- a/client/firewall/iptables/router_linux_test.go
+++ b/client/firewall/iptables/router_linux_test.go
@@ -39,14 +39,12 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 	}()

 	// Now 5 rules:
-	// 1. established rule forward in
-	// 2. estbalished rule forward out
-	// 3. jump rule to POST nat chain
-	// 4. jump rule to PRE mangle chain
-	// 5. jump rule to PRE nat chain
-	// 6. static outbound masquerade rule
-	// 7. static return masquerade rule
-	require.Len(t, manager.rules, 7, "should have created rules map")
+	// 1. established rule in forward chain
+	// 2. jump rule to NAT chain
+	// 3. jump rule to PRE chain
+	// 4. static outbound masquerade rule
+	// 5. static return masquerade rule
+	require.Len(t, manager.rules, 5, "should have created rules map")

 	exists, err := manager.iptablesClient.Exists(tableNat, chainPOSTROUTING, "-j", chainRTNAT)
 	require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableNat, chainPOSTROUTING)
@@ -334,14 +332,14 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			require.NoError(t, err, "AddRouteFiltering failed")

 			// Check if the rule is in the internal map
-			rule, ok := r.rules[ruleKey.ID()]
+			rule, ok := r.rules[ruleKey.GetRuleID()]
 			assert.True(t, ok, "Rule not found in internal map")

 			// Log the internal rule
 			t.Logf("Internal rule: %v", rule)

 			// Check if the rule exists in iptables
-			exists, err := iptablesClient.Exists(tableFilter, chainRTFWDIN, rule...)
+			exists, err := iptablesClient.Exists(tableFilter, chainRTFWD, rule...)
 			assert.NoError(t, err, "Failed to check rule existence")
 			assert.True(t, exists, "Rule not found in iptables")

--- a/client/firewall/iptables/rule.go
+++ b/client/firewall/iptables/rule.go
@@ -12,6 +12,6 @@ type Rule struct {
 }

 // GetRuleID returns the rule id
-func (r *Rule) ID() string {
+func (r *Rule) GetRuleID() string {
 	return r.ruleID
 }
--- a/client/firewall/manager/firewall.go
+++ b/client/firewall/manager/firewall.go
@@ -26,8 +26,8 @@ const (
 // Each firewall type for different OS can use different type
 // of the properties to hold data of the created rule
 type Rule interface {
-	// ID returns the rule id
-	ID() string
+	// GetRuleID returns the rule id
+	GetRuleID() string
 }

 // RuleDirection is the traffic direction which a rule is applied
@@ -101,16 +101,6 @@ type Manager interface {
 	Flush() error

 	SetLogLevel(log.Level)
-
-	EnableRouting() error
-
-	DisableRouting() error
-
-	// AddDNATRule adds a DNAT rule
-	AddDNATRule(ForwardRule) (Rule, error)
-
-	// DeleteDNATRule deletes a DNAT rule
-	DeleteDNATRule(Rule) error
 }

 func GenKey(format string, pair RouterPair) string {
--- a/client/firewall/manager/forward_rule.go
+++ b/client/firewall/manager/forward_rule.go
@@ -1,27 +0,0 @@
-package manager
-
-import (
-	"fmt"
-	"net/netip"
-)
-
-// ForwardRule todo figure out better place to this to avoid circular imports
-type ForwardRule struct {
-	Protocol          Protocol
-	DestinationPort   Port
-	TranslatedAddress netip.Addr
-	TranslatedPort    Port
-}
-
-func (r ForwardRule) ID() string {
-	id := fmt.Sprintf("%s;%s;%s;%s",
-		r.Protocol,
-		r.DestinationPort.String(),
-		r.TranslatedAddress.String(),
-		r.TranslatedPort.String())
-	return id
-}
-
-func (r ForwardRule) String() string {
-	return fmt.Sprintf("protocol: %s, destinationPort: %s, translatedAddress: %s, translatedPort: %s", r.Protocol, r.DestinationPort.String(), r.TranslatedAddress.String(), r.TranslatedPort.String())
-}
--- a/client/firewall/manager/port.go
+++ b/client/firewall/manager/port.go
@@ -1,12 +1,30 @@
 package manager

 import (
-	"fmt"
 	"strconv"
 )

+// Protocol is the protocol of the port
+type Protocol string
+
+const (
+	// ProtocolTCP is the TCP protocol
+	ProtocolTCP Protocol = "tcp"
+
+	// ProtocolUDP is the UDP protocol
+	ProtocolUDP Protocol = "udp"
+
+	// ProtocolICMP is the ICMP protocol
+	ProtocolICMP Protocol = "icmp"
+
+	// ProtocolALL cover all supported protocols
+	ProtocolALL Protocol = "all"
+
+	// ProtocolUnknown unknown protocol
+	ProtocolUnknown Protocol = "unknown"
+)
+
 // Port of the address for firewall rule
-// todo Move Protocol and Port and RouterPair to the Firwall package or a separate package
 type Port struct {
 	// IsRange is true Values contains two values, the first is the start port, the second is the end port
 	IsRange bool
@@ -15,25 +33,6 @@ type Port struct {
 	Values []uint16
 }

-func NewPort(ports ...int) (*Port, error) {
-	if len(ports) == 0 {
-		return nil, fmt.Errorf("no port provided")
-	}
-
-	ports16 := make([]uint16, len(ports))
-	for i, port := range ports {
-		if port < 1 || port > 65535 {
-			return nil, fmt.Errorf("invalid port number: %d (must be between 1-65535)", port)
-		}
-		ports16[i] = uint16(port)
-	}
-
-	return &Port{
-		IsRange: len(ports) > 1,
-		Values:  ports16,
-	}, nil
-}
-
 // String interface implementation
 func (p *Port) String() string {
 	var ports string
--- a/client/firewall/manager/protocol.go
+++ b/client/firewall/manager/protocol.go
@@ -1,19 +0,0 @@
-package manager
-
-// Protocol is the protocol of the port
-// todo Move Protocol and Port and RouterPair to the Firwall package or a separate package
-type Protocol string
-
-const (
-	// ProtocolTCP is the TCP protocol
-	ProtocolTCP Protocol = "tcp"
-
-	// ProtocolUDP is the UDP protocol
-	ProtocolUDP Protocol = "udp"
-
-	// ProtocolICMP is the ICMP protocol
-	ProtocolICMP Protocol = "icmp"
-
-	// ProtocolALL cover all supported protocols
-	ProtocolALL Protocol = "all"
-)
--- a/client/firewall/nftables/acl_linux.go
+++ b/client/firewall/nftables/acl_linux.go
@@ -127,7 +127,7 @@ func (m *AclManager) DeletePeerRule(rule firewall.Rule) error {
 				log.Errorf("failed to delete mangle rule: %v", err)
 			}
 		}
-		delete(m.rules, r.ID())
+		delete(m.rules, r.GetRuleID())
 		return m.rConn.Flush()
 	}

@@ -141,7 +141,7 @@ func (m *AclManager) DeletePeerRule(rule firewall.Rule) error {
 				log.Errorf("failed to delete mangle rule: %v", err)
 			}
 		}
-		delete(m.rules, r.ID())
+		delete(m.rules, r.GetRuleID())
 		return m.rConn.Flush()
 	}

@@ -176,7 +176,7 @@ func (m *AclManager) DeletePeerRule(rule firewall.Rule) error {
 		return err
 	}

-	delete(m.rules, r.ID())
+	delete(m.rules, r.GetRuleID())
 	m.ipsetStore.DeleteReferenceFromIpSet(r.nftSet.Name)

 	if m.ipsetStore.HasReferenceToSet(r.nftSet.Name) {
--- a/client/firewall/nftables/manager_linux.go
+++ b/client/firewall/nftables/manager_linux.go
@@ -323,14 +323,6 @@ func (m *Manager) SetLogLevel(log.Level) {
 	// not supported
 }

-func (m *Manager) EnableRouting() error {
-	return nil
-}
-
-func (m *Manager) DisableRouting() error {
-	return nil
-}
-
 // Flush rule/chain/set operations from the buffer
 //
 // Method also get all rules after flush and refreshes handle values in the rulesets
@@ -342,22 +334,6 @@ func (m *Manager) Flush() error {
 	return m.aclManager.Flush()
 }

-// AddDNATRule adds a DNAT rule
-func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.AddDNATRule(rule)
-}
-
-// DeleteDNATRule deletes a DNAT rule
-func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.DeleteDNATRule(rule)
-}
-
 func (m *Manager) createWorkTable() (*nftables.Table, error) {
 	tables, err := m.rConn.ListTablesOfFamily(nftables.TableFamilyIPv4)
 	if err != nil {
--- a/client/firewall/nftables/router_linux.go
+++ b/client/firewall/nftables/router_linux.go
@@ -14,31 +14,23 @@ import (
 	"github.com/google/nftables"
 	"github.com/google/nftables/binaryutil"
 	"github.com/google/nftables/expr"
-	"github.com/google/nftables/xt"
 	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"

 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/acl/id"
-	"github.com/netbirdio/netbird/client/internal/routemanager/ipfwdstate"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
 	nbnet "github.com/netbirdio/netbird/util/net"
 )

 const (
-	tableNat               = "nat"
-	chainNameNatPrerouting = "PREROUTING"
-	chainNameRoutingFw     = "netbird-rt-fwd"
-	chainNameRoutingNat    = "netbird-rt-postrouting"
-	chainNameRoutingRdr    = "netbird-rt-redirect"
-	chainNameForward       = "FORWARD"
+	chainNameRoutingFw  = "netbird-rt-fwd"
+	chainNameRoutingNat = "netbird-rt-postrouting"
+	chainNameForward    = "FORWARD"

 	userDataAcceptForwardRuleIif = "frwacceptiif"
 	userDataAcceptForwardRuleOif = "frwacceptoif"
-
-	dnatSuffix = "_dnat"
-	snatSuffix = "_snat"
 )

 const refreshRulesMapError = "refresh rules map: %w"
@@ -57,18 +49,16 @@ type router struct {
 	ipsetCounter *refcounter.Counter[string, []netip.Prefix, *nftables.Set]

 	wgIface          iFaceMapper
-	ipFwdState       *ipfwdstate.IPForwardingState
 	legacyManagement bool
 }

 func newRouter(workTable *nftables.Table, wgIface iFaceMapper) (*router, error) {
 	r := &router{
-		conn:       &nftables.Conn{},
-		workTable:  workTable,
-		chains:     make(map[string]*nftables.Chain),
-		rules:      make(map[string]*nftables.Rule),
-		wgIface:    wgIface,
-		ipFwdState: ipfwdstate.NewIPForwardingState(),
+		conn:      &nftables.Conn{},
+		workTable: workTable,
+		chains:    make(map[string]*nftables.Chain),
+		rules:     make(map[string]*nftables.Rule),
+		wgIface:   wgIface,
 	}

 	r.ipsetCounter = refcounter.New(
@@ -108,52 +98,7 @@ func (r *router) Reset() error {
 	// clear without deleting the ipsets, the nf table will be deleted by the caller
 	r.ipsetCounter.Clear()

-	var merr *multierror.Error
-
-	if err := r.removeAcceptForwardRules(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("remove accept forward rules: %w", err))
-	}
-
-	if err := r.removeNatPreroutingRules(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("remove filter prerouting rules: %w", err))
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *router) removeNatPreroutingRules() error {
-	table := &nftables.Table{
-		Name:   tableNat,
-		Family: nftables.TableFamilyIPv4,
-	}
-	chain := &nftables.Chain{
-		Name:     chainNameNatPrerouting,
-		Table:    table,
-		Hooknum:  nftables.ChainHookPrerouting,
-		Priority: nftables.ChainPriorityNATDest,
-		Type:     nftables.ChainTypeNAT,
-	}
-	rules, err := r.conn.GetRules(table, chain)
-	if err != nil {
-		return fmt.Errorf("get rules from nat table: %w", err)
-	}
-
-	var merr *multierror.Error
-
-	// Delete rules that have our UserData suffix
-	for _, rule := range rules {
-		if len(rule.UserData) == 0 || !strings.HasSuffix(string(rule.UserData), dnatSuffix) {
-			continue
-		}
-		if err := r.conn.DelRule(rule); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("delete rule %s: %w", rule.UserData, err))
-		}
-	}
-
-	if err := r.conn.Flush(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf(flushError, err))
-	}
-	return nberrors.FormatErrorOrNil(merr)
+	return r.removeAcceptForwardRules()
 }

 func (r *router) loadFilterTable() (*nftables.Table, error) {
@@ -188,22 +133,14 @@ func (r *router) createContainers() error {
 		Type:     nftables.ChainTypeNAT,
 	})

-	r.chains[chainNameRoutingRdr] = r.conn.AddChain(&nftables.Chain{
-		Name:     chainNameRoutingRdr,
-		Table:    r.workTable,
-		Hooknum:  nftables.ChainHookPrerouting,
-		Priority: nftables.ChainPriorityNATDest,
-		Type:     nftables.ChainTypeNAT,
-	})
-
 	// Chain is created by acl manager
 	// TODO: move creation to a common place
 	r.chains[chainNamePrerouting] = &nftables.Chain{
 		Name:     chainNamePrerouting,
 		Table:    r.workTable,
+		Type:     nftables.ChainTypeFilter,
 		Hooknum:  nftables.ChainHookPrerouting,
 		Priority: nftables.ChainPriorityMangle,
-		Type:     nftables.ChainTypeFilter,
 	}

 	// Add the single NAT rule that matches on mark
@@ -344,7 +281,7 @@ func (r *router) DeleteRouteRule(rule firewall.Rule) error {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}

-	ruleKey := rule.ID()
+	ruleKey := rule.GetRuleID()
 	nftRule, exists := r.rules[ruleKey]
 	if !exists {
 		log.Debugf("route rule %s not found", ruleKey)
@@ -473,10 +410,6 @@ func (r *router) deleteNftRule(rule *nftables.Rule, ruleKey string) error {

 // AddNatRule appends a nftables rule pair to the nat chain
 func (r *router) AddNatRule(pair firewall.RouterPair) error {
-	if err := r.ipFwdState.RequestForwarding(); err != nil {
-		return err
-	}
-
 	if err := r.refreshRulesMap(); err != nil {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}
@@ -903,10 +836,6 @@ func (r *router) removeAcceptForwardRulesIptables(ipt *iptables.IPTables) error

 // RemoveNatRule removes the prerouting mark rule
 func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
-	if err := r.ipFwdState.ReleaseForwarding(); err != nil {
-		log.Errorf("%v", err)
-	}
-
 	if err := r.refreshRulesMap(); err != nil {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}
@@ -967,269 +896,6 @@ func (r *router) refreshRulesMap() error {
 	return nil
 }

-func (r *router) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
-	if err := r.ipFwdState.RequestForwarding(); err != nil {
-		return nil, err
-	}
-
-	ruleKey := rule.ID()
-	if _, exists := r.rules[ruleKey+dnatSuffix]; exists {
-		return rule, nil
-	}
-
-	protoNum, err := protoToInt(rule.Protocol)
-	if err != nil {
-		return nil, fmt.Errorf("convert protocol to number: %w", err)
-	}
-
-	if err := r.addDnatRedirect(rule, protoNum, ruleKey); err != nil {
-		return nil, err
-	}
-
-	r.addDnatMasq(rule, protoNum, ruleKey)
-
-	// Unlike iptables, there's no point in adding "out" rules in the forward chain here as our policy is ACCEPT.
-	// To overcome DROP policies in other chains, we'd have to add rules to the chains there.
-	// We also cannot just add "oif <iface> accept" there and filter in our own table as we don't know what is supposed to be allowed.
-	// TODO: find chains with drop policies and add rules there
-
-	if err := r.conn.Flush(); err != nil {
-		return nil, fmt.Errorf("flush rules: %w", err)
-	}
-
-	return &rule, nil
-}
-
-func (r *router) addDnatRedirect(rule firewall.ForwardRule, protoNum uint8, ruleKey string) error {
-	dnatExprs := []expr.Any{
-		&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
-		&expr.Cmp{
-			Op:       expr.CmpOpNeq,
-			Register: 1,
-			Data:     ifname(r.wgIface.Name()),
-		},
-		&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     []byte{protoNum},
-		},
-		&expr.Payload{
-			DestRegister: 1,
-			Base:         expr.PayloadBaseTransportHeader,
-			Offset:       2,
-			Len:          2,
-		},
-	}
-	dnatExprs = append(dnatExprs, applyPort(&rule.DestinationPort, false)...)
-
-	// shifted translated port is not supported in nftables, so we hand this over to xtables
-	if rule.TranslatedPort.IsRange && len(rule.TranslatedPort.Values) == 2 {
-		if rule.TranslatedPort.Values[0] != rule.DestinationPort.Values[0] ||
-			rule.TranslatedPort.Values[1] != rule.DestinationPort.Values[1] {
-			return r.addXTablesRedirect(dnatExprs, ruleKey, rule)
-		}
-	}
-
-	additionalExprs, regProtoMin, regProtoMax, err := r.handleTranslatedPort(rule)
-	if err != nil {
-		return err
-	}
-	dnatExprs = append(dnatExprs, additionalExprs...)
-
-	dnatExprs = append(dnatExprs,
-		&expr.NAT{
-			Type:        expr.NATTypeDestNAT,
-			Family:      uint32(nftables.TableFamilyIPv4),
-			RegAddrMin:  1,
-			RegProtoMin: regProtoMin,
-			RegProtoMax: regProtoMax,
-		},
-	)
-
-	dnatRule := &nftables.Rule{
-		Table:    r.workTable,
-		Chain:    r.chains[chainNameRoutingRdr],
-		Exprs:    dnatExprs,
-		UserData: []byte(ruleKey + dnatSuffix),
-	}
-	r.conn.AddRule(dnatRule)
-	r.rules[ruleKey+dnatSuffix] = dnatRule
-
-	return nil
-}
-
-func (r *router) handleTranslatedPort(rule firewall.ForwardRule) ([]expr.Any, uint32, uint32, error) {
-	switch {
-	case rule.TranslatedPort.IsRange && len(rule.TranslatedPort.Values) == 2:
-		return r.handlePortRange(rule)
-	case len(rule.TranslatedPort.Values) == 0:
-		return r.handleAddressOnly(rule)
-	case len(rule.TranslatedPort.Values) == 1:
-		return r.handleSinglePort(rule)
-	default:
-		return nil, 0, 0, fmt.Errorf("invalid translated port: %v", rule.TranslatedPort)
-	}
-}
-
-func (r *router) handlePortRange(rule firewall.ForwardRule) ([]expr.Any, uint32, uint32, error) {
-	exprs := []expr.Any{
-		&expr.Immediate{
-			Register: 1,
-			Data:     rule.TranslatedAddress.AsSlice(),
-		},
-		&expr.Immediate{
-			Register: 2,
-			Data:     binaryutil.BigEndian.PutUint16(rule.TranslatedPort.Values[0]),
-		},
-		&expr.Immediate{
-			Register: 3,
-			Data:     binaryutil.BigEndian.PutUint16(rule.TranslatedPort.Values[1]),
-		},
-	}
-	return exprs, 2, 3, nil
-}
-
-func (r *router) handleAddressOnly(rule firewall.ForwardRule) ([]expr.Any, uint32, uint32, error) {
-	exprs := []expr.Any{
-		&expr.Immediate{
-			Register: 1,
-			Data:     rule.TranslatedAddress.AsSlice(),
-		},
-	}
-	return exprs, 0, 0, nil
-}
-
-func (r *router) handleSinglePort(rule firewall.ForwardRule) ([]expr.Any, uint32, uint32, error) {
-	exprs := []expr.Any{
-		&expr.Immediate{
-			Register: 1,
-			Data:     rule.TranslatedAddress.AsSlice(),
-		},
-		&expr.Immediate{
-			Register: 2,
-			Data:     binaryutil.BigEndian.PutUint16(rule.TranslatedPort.Values[0]),
-		},
-	}
-	return exprs, 2, 0, nil
-}
-
-func (r *router) addXTablesRedirect(dnatExprs []expr.Any, ruleKey string, rule firewall.ForwardRule) error {
-	dnatExprs = append(dnatExprs,
-		&expr.Counter{},
-		&expr.Target{
-			Name: "DNAT",
-			Rev:  2,
-			Info: &xt.NatRange2{
-				NatRange: xt.NatRange{
-					Flags:   uint(xt.NatRangeMapIPs | xt.NatRangeProtoSpecified | xt.NatRangeProtoOffset),
-					MinIP:   rule.TranslatedAddress.AsSlice(),
-					MaxIP:   rule.TranslatedAddress.AsSlice(),
-					MinPort: rule.TranslatedPort.Values[0],
-					MaxPort: rule.TranslatedPort.Values[1],
-				},
-				BasePort: rule.DestinationPort.Values[0],
-			},
-		},
-	)
-
-	dnatRule := &nftables.Rule{
-		Table: &nftables.Table{
-			Name:   tableNat,
-			Family: nftables.TableFamilyIPv4,
-		},
-		Chain: &nftables.Chain{
-			Name:     chainNameNatPrerouting,
-			Table:    r.filterTable,
-			Type:     nftables.ChainTypeNAT,
-			Hooknum:  nftables.ChainHookPrerouting,
-			Priority: nftables.ChainPriorityNATDest,
-		},
-		Exprs:    dnatExprs,
-		UserData: []byte(ruleKey + dnatSuffix),
-	}
-	r.conn.AddRule(dnatRule)
-	r.rules[ruleKey+dnatSuffix] = dnatRule
-
-	return nil
-}
-
-func (r *router) addDnatMasq(rule firewall.ForwardRule, protoNum uint8, ruleKey string) {
-	masqExprs := []expr.Any{
-		&expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     ifname(r.wgIface.Name()),
-		},
-		&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     []byte{protoNum},
-		},
-		&expr.Payload{
-			DestRegister: 1,
-			Base:         expr.PayloadBaseNetworkHeader,
-			Offset:       16,
-			Len:          4,
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     rule.TranslatedAddress.AsSlice(),
-		},
-	}
-
-	masqExprs = append(masqExprs, applyPort(&rule.TranslatedPort, false)...)
-	masqExprs = append(masqExprs, &expr.Masq{})
-
-	masqRule := &nftables.Rule{
-		Table:    r.workTable,
-		Chain:    r.chains[chainNameRoutingNat],
-		Exprs:    masqExprs,
-		UserData: []byte(ruleKey + snatSuffix),
-	}
-	r.conn.AddRule(masqRule)
-	r.rules[ruleKey+snatSuffix] = masqRule
-}
-
-func (r *router) DeleteDNATRule(rule firewall.Rule) error {
-	if err := r.ipFwdState.ReleaseForwarding(); err != nil {
-		log.Errorf("%v", err)
-	}
-
-	ruleKey := rule.ID()
-
-	if err := r.refreshRulesMap(); err != nil {
-		return fmt.Errorf(refreshRulesMapError, err)
-	}
-
-	var merr *multierror.Error
-	if dnatRule, exists := r.rules[ruleKey+dnatSuffix]; exists {
-		if err := r.conn.DelRule(dnatRule); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("delete dnat rule: %w", err))
-		}
-	}
-
-	if masqRule, exists := r.rules[ruleKey+snatSuffix]; exists {
-		if err := r.conn.DelRule(masqRule); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("delete snat rule: %w", err))
-		}
-	}
-
-	if err := r.conn.Flush(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf(flushError, err))
-	}
-
-	if merr == nil {
-		delete(r.rules, ruleKey+dnatSuffix)
-		delete(r.rules, ruleKey+snatSuffix)
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
 // generateCIDRMatcherExpressions generates nftables expressions that matches a CIDR
 func generateCIDRMatcherExpressions(source bool, prefix netip.Prefix) []expr.Any {
 	var offset uint32
@@ -1293,11 +959,15 @@ func applyPort(port *firewall.Port, isSource bool) []expr.Any {
 	if port.IsRange && len(port.Values) == 2 {
 		// Handle port range
 		exprs = append(exprs,
-			&expr.Range{
-				Op:       expr.CmpOpEq,
+			&expr.Cmp{
+				Op:       expr.CmpOpGte,
 				Register: 1,
-				FromData: binaryutil.BigEndian.PutUint16(port.Values[0]),
-				ToData:   binaryutil.BigEndian.PutUint16(port.Values[1]),
+				Data:     binaryutil.BigEndian.PutUint16(port.Values[0]),
+			},
+			&expr.Cmp{
+				Op:       expr.CmpOpLte,
+				Register: 1,
+				Data:     binaryutil.BigEndian.PutUint16(port.Values[1]),
 			},
 		)
 	} else {
--- a/client/firewall/nftables/router_linux_test.go
+++ b/client/firewall/nftables/router_linux_test.go
@@ -319,7 +319,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			})

 			// Check if the rule is in the internal map
-			rule, ok := r.rules[ruleKey.ID()]
+			rule, ok := r.rules[ruleKey.GetRuleID()]
 			assert.True(t, ok, "Rule not found in internal map")

 			t.Log("Internal rule expressions:")
@@ -336,7 +336,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {

 			var nftRule *nftables.Rule
 			for _, rule := range rules {
-				if string(rule.UserData) == ruleKey.ID() {
+				if string(rule.UserData) == ruleKey.GetRuleID() {
 					nftRule = rule
 					break
 				}
@@ -595,20 +595,16 @@ func containsPort(exprs []expr.Any, port *firewall.Port, isSource bool) bool {
 			if ex.Base == expr.PayloadBaseTransportHeader && ex.Offset == offset && ex.Len == 2 {
 				payloadFound = true
 			}
-		case *expr.Range:
-			if port.IsRange && len(port.Values) == 2 {
-				fromPort := binary.BigEndian.Uint16(ex.FromData)
-				toPort := binary.BigEndian.Uint16(ex.ToData)
-				if fromPort == port.Values[0] && toPort == port.Values[1] {
+		case *expr.Cmp:
+			if port.IsRange {
+				if ex.Op == expr.CmpOpGte || ex.Op == expr.CmpOpLte {
 					portMatchFound = true
 				}
-			}
-		case *expr.Cmp:
-			if !port.IsRange {
+			} else {
 				if ex.Op == expr.CmpOpEq && len(ex.Data) == 2 {
 					portValue := binary.BigEndian.Uint16(ex.Data)
 					for _, p := range port.Values {
-						if p == portValue {
+						if uint16(p) == portValue {
 							portMatchFound = true
 							break
 						}
--- a/client/firewall/nftables/rule_linux.go
+++ b/client/firewall/nftables/rule_linux.go
@@ -16,6 +16,6 @@ type Rule struct {
 }

 // GetRuleID returns the rule id
-func (r *Rule) ID() string {
+func (r *Rule) GetRuleID() string {
 	return r.ruleID
 }
--- a/client/firewall/uspfilter/forwarder/udp.go
+++ b/client/firewall/uspfilter/forwarder/udp.go
@@ -245,29 +245,33 @@ func (c *udpPacketConn) copy(ctx context.Context, dst net.Conn, src net.Conn, bu
 	defer bufPool.Put(bufp)
 	buffer := *bufp

+	if err := src.SetReadDeadline(time.Now().Add(udpTimeout)); err != nil {
+		return fmt.Errorf("set read deadline: %w", err)
+	}
+	if err := src.SetWriteDeadline(time.Now().Add(udpTimeout)); err != nil {
+		return fmt.Errorf("set write deadline: %w", err)
+	}
+
 	for {
-		if ctx.Err() != nil {
+		select {
+		case <-ctx.Done():
 			return ctx.Err()
-		}
-
-		if err := src.SetDeadline(time.Now().Add(udpTimeout)); err != nil {
-			return fmt.Errorf("set read deadline: %w", err)
-		}
-
-		n, err := src.Read(buffer)
-		if err != nil {
-			if isTimeout(err) {
-				continue
+		default:
+			n, err := src.Read(buffer)
+			if err != nil {
+				if isTimeout(err) {
+					continue
+				}
+				return fmt.Errorf("read from %s: %w", direction, err)
 			}
-			return fmt.Errorf("read from %s: %w", direction, err)
-		}

-		_, err = dst.Write(buffer[:n])
-		if err != nil {
-			return fmt.Errorf("write to %s: %w", direction, err)
-		}
+			_, err = dst.Write(buffer[:n])
+			if err != nil {
+				return fmt.Errorf("write to %s: %w", direction, err)
+			}

-		c.updateLastSeen()
+			c.updateLastSeen()
+		}
 	}
 }

--- a/client/firewall/uspfilter/rule.go
+++ b/client/firewall/uspfilter/rule.go
@@ -24,8 +24,8 @@ type PeerRule struct {
 	udpHook func([]byte) bool
 }

-// ID returns the rule id
-func (r *PeerRule) ID() string {
+// GetRuleID returns the rule id
+func (r *PeerRule) GetRuleID() string {
 	return r.id
 }

@@ -39,7 +39,7 @@ type RouteRule struct {
 	action      firewall.Action
 }

-// ID returns the rule id
-func (r *RouteRule) ID() string {
+// GetRuleID returns the rule id
+func (r *RouteRule) GetRuleID() string {
 	return r.id
 }
--- a/client/firewall/uspfilter/uspfilter.go
+++ b/client/firewall/uspfilter/uspfilter.go
@@ -42,8 +42,6 @@ const (
 	EnvEnableNetstackLocalForwarding = "NB_ENABLE_NETSTACK_LOCAL_FORWARDING"
 )

-var errNatNotSupported = errors.New("nat not supported with userspace firewall")
-
 // RuleSet is a set of rules grouped by a string key
 type RuleSet map[string]PeerRule

@@ -76,8 +74,6 @@ type Manager struct {

 	mutex sync.RWMutex

-	// indicates whether server routes are disabled
-	disableServerRoutes bool
 	// indicates whether we forward packets not destined for ourselves
 	routingEnabled bool
 	// indicates whether we leave forwarding and filtering to the native firewall
@@ -129,27 +125,15 @@ func CreateWithNativeFirewall(iface common.IFaceMapper, nativeFirewall firewall.
 	return mgr, nil
 }

-func parseCreateEnv() (bool, bool) {
-	var disableConntrack, enableLocalForwarding bool
-	var err error
-	if val := os.Getenv(EnvDisableConntrack); val != "" {
-		disableConntrack, err = strconv.ParseBool(val)
-		if err != nil {
-			log.Warnf("failed to parse %s: %v", EnvDisableConntrack, err)
-		}
-	}
-	if val := os.Getenv(EnvEnableNetstackLocalForwarding); val != "" {
-		enableLocalForwarding, err = strconv.ParseBool(val)
-		if err != nil {
-			log.Warnf("failed to parse %s: %v", EnvEnableNetstackLocalForwarding, err)
-		}
-	}
-
-	return disableConntrack, enableLocalForwarding
-}
-
 func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableServerRoutes bool) (*Manager, error) {
-	disableConntrack, enableLocalForwarding := parseCreateEnv()
+	disableConntrack, err := strconv.ParseBool(os.Getenv(EnvDisableConntrack))
+	if err != nil {
+		log.Warnf("failed to parse %s: %v", EnvDisableConntrack, err)
+	}
+	enableLocalForwarding, err := strconv.ParseBool(os.Getenv(EnvEnableNetstackLocalForwarding))
+	if err != nil {
+		log.Warnf("failed to parse %s: %v", EnvEnableNetstackLocalForwarding, err)
+	}

 	m := &Manager{
 		decoders: sync.Pool{
@@ -165,23 +149,24 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 				return d
 			},
 		},
-		nativeFirewall:      nativeFirewall,
-		outgoingRules:       make(map[string]RuleSet),
-		incomingRules:       make(map[string]RuleSet),
-		wgIface:             iface,
-		localipmanager:      newLocalIPManager(),
-		disableServerRoutes: disableServerRoutes,
-		routingEnabled:      false,
-		stateful:            !disableConntrack,
-		logger:              nblog.NewFromLogrus(log.StandardLogger()),
-		netstack:            netstack.IsEnabled(),
-		localForwarding:     enableLocalForwarding,
+		nativeFirewall: nativeFirewall,
+		outgoingRules:  make(map[string]RuleSet),
+		incomingRules:  make(map[string]RuleSet),
+		wgIface:        iface,
+		localipmanager: newLocalIPManager(),
+		routingEnabled: false,
+		stateful:       !disableConntrack,
+		logger:         nblog.NewFromLogrus(log.StandardLogger()),
+		netstack:       netstack.IsEnabled(),
+		// default true for non-netstack, for netstack only if explicitly enabled
+		localForwarding: !netstack.IsEnabled() || enableLocalForwarding,
 	}

 	if err := m.localipmanager.UpdateLocalIPs(iface); err != nil {
 		return nil, fmt.Errorf("update local IPs: %w", err)
 	}

+	// Only initialize trackers if stateful mode is enabled
 	if disableConntrack {
 		log.Info("conntrack is disabled")
 	} else {
@@ -190,12 +175,7 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		m.tcpTracker = conntrack.NewTCPTracker(conntrack.DefaultTCPTimeout, m.logger)
 	}

-	// netstack needs the forwarder for local traffic
-	if m.netstack && m.localForwarding {
-		if err := m.initForwarder(); err != nil {
-			log.Errorf("failed to initialize forwarder: %v", err)
-		}
-	}
+	m.determineRouting(iface, disableServerRoutes)

 	if err := m.blockInvalidRouted(iface); err != nil {
 		log.Errorf("failed to block invalid routed traffic: %v", err)
@@ -233,21 +213,9 @@ func (m *Manager) blockInvalidRouted(iface common.IFaceMapper) error {
 	return nil
 }

-func (m *Manager) determineRouting() error {
-	var disableUspRouting, forceUserspaceRouter bool
-	var err error
-	if val := os.Getenv(EnvDisableUserspaceRouting); val != "" {
-		disableUspRouting, err = strconv.ParseBool(val)
-		if err != nil {
-			log.Warnf("failed to parse %s: %v", EnvDisableUserspaceRouting, err)
-		}
-	}
-	if val := os.Getenv(EnvForceUserspaceRouter); val != "" {
-		forceUserspaceRouter, err = strconv.ParseBool(val)
-		if err != nil {
-			log.Warnf("failed to parse %s: %v", EnvForceUserspaceRouter, err)
-		}
-	}
+func (m *Manager) determineRouting(iface common.IFaceMapper, disableServerRoutes bool) {
+	disableUspRouting, _ := strconv.ParseBool(os.Getenv(EnvDisableUserspaceRouting))
+	forceUserspaceRouter, _ := strconv.ParseBool(os.Getenv(EnvForceUserspaceRouter))

 	switch {
 	case disableUspRouting:
@@ -255,7 +223,7 @@ func (m *Manager) determineRouting() error {
 		m.nativeRouter = false
 		log.Info("userspace routing is disabled")

-	case m.disableServerRoutes:
+	case disableServerRoutes:
 		//  if server routes are disabled we will let packets pass to the native stack
 		m.routingEnabled = true
 		m.nativeRouter = true
@@ -284,37 +252,32 @@ func (m *Manager) determineRouting() error {
 		log.Info("userspace routing enabled by default")
 	}

-	if m.routingEnabled && !m.nativeRouter {
-		return m.initForwarder()
-	}
+	// netstack needs the forwarder for local traffic
+	if m.netstack && m.localForwarding ||
+		m.routingEnabled && !m.nativeRouter {

-	return nil
+		m.initForwarder(iface)
+	}
 }

 // initForwarder initializes the forwarder, it disables routing on errors
-func (m *Manager) initForwarder() error {
-	if m.forwarder != nil {
-		return nil
-	}
-
+func (m *Manager) initForwarder(iface common.IFaceMapper) {
 	// Only supported in userspace mode as we need to inject packets back into wireguard directly
-	intf := m.wgIface.GetWGDevice()
+	intf := iface.GetWGDevice()
 	if intf == nil {
+		log.Info("forwarding not supported")
 		m.routingEnabled = false
-		return errors.New("forwarding not supported")
+		return
 	}

-	forwarder, err := forwarder.New(m.wgIface, m.logger, m.netstack)
+	forwarder, err := forwarder.New(iface, m.logger, m.netstack)
 	if err != nil {
+		log.Errorf("failed to create forwarder: %v", err)
 		m.routingEnabled = false
-		return fmt.Errorf("create forwarder: %w", err)
+		return
 	}

 	m.forwarder = forwarder
-
-	log.Debug("forwarder initialized")
-
-	return nil
 }

 func (m *Manager) Init(*statemanager.Manager) error {
@@ -322,7 +285,7 @@ func (m *Manager) Init(*statemanager.Manager) error {
 }

 func (m *Manager) IsServerRouteSupported() bool {
-	return true
+	return m.nativeFirewall != nil || m.routingEnabled && m.forwarder != nil
 }

 func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
@@ -439,7 +402,7 @@ func (m *Manager) DeleteRouteRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	ruleID := rule.ID()
+	ruleID := rule.GetRuleID()
 	idx := slices.IndexFunc(m.routeRules, func(r RouteRule) bool {
 		return r.id == ruleID
 	})
@@ -480,22 +443,6 @@ func (m *Manager) SetLegacyManagement(isLegacy bool) error {
 // Flush doesn't need to be implemented for this manager
 func (m *Manager) Flush() error { return nil }

-// AddDNATRule adds a DNAT rule
-func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
-	if m.nativeFirewall == nil {
-		return nil, errNatNotSupported
-	}
-	return m.nativeFirewall.AddDNATRule(rule)
-}
-
-// DeleteDNATRule deletes a DNAT rule
-func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
-	if m.nativeFirewall == nil {
-		return errNatNotSupported
-	}
-	return m.nativeFirewall.DeleteDNATRule(rule)
-}
-
 // DropOutgoing filter outgoing packets
 func (m *Manager) DropOutgoing(packetData []byte) bool {
 	return m.processOutgoingHooks(packetData)
@@ -639,6 +586,7 @@ func (m *Manager) dropFilter(packetData []byte) bool {
 	defer m.decoders.Put(d)

 	if !m.isValidPacket(d, packetData) {
+		m.logger.Trace("Invalid packet structure")
 		return true
 	}

@@ -664,6 +612,11 @@ func (m *Manager) dropFilter(packetData []byte) bool {
 // handleLocalTraffic handles local traffic.
 // If it returns true, the packet should be dropped.
 func (m *Manager) handleLocalTraffic(d *decoder, srcIP, dstIP net.IP, packetData []byte) bool {
+	if !m.localForwarding {
+		m.logger.Trace("Dropping local packet (local forwarding disabled): src=%s dst=%s", srcIP, dstIP)
+		return true
+	}
+
 	if m.peerACLsBlock(srcIP, packetData, m.incomingRules, d) {
 		m.logger.Trace("Dropping local packet (ACL denied): src=%s dst=%s",
 			srcIP, dstIP)
@@ -672,29 +625,22 @@ func (m *Manager) handleLocalTraffic(d *decoder, srcIP, dstIP net.IP, packetData

 	// if running in netstack mode we need to pass this to the forwarder
 	if m.netstack {
-		return m.handleNetstackLocalTraffic(packetData)
+		m.handleNetstackLocalTraffic(packetData)
+
+		// don't process this packet further
+		return true
 	}

 	return false
 }
-
-func (m *Manager) handleNetstackLocalTraffic(packetData []byte) bool {
-	if !m.localForwarding {
-		// pass to virtual tcp/ip stack to be picked up by listeners
-		return false
-	}
-
+func (m *Manager) handleNetstackLocalTraffic(packetData []byte) {
 	if m.forwarder == nil {
-		m.logger.Trace("Dropping local packet (forwarder not initialized)")
-		return true
+		return
 	}

 	if err := m.forwarder.InjectIncomingPacket(packetData); err != nil {
 		m.logger.Error("Failed to inject local packet: %v", err)
 	}
-
-	// don't process this packet further
-	return true
 }

 // handleRoutedTraffic handles routed traffic.
@@ -712,9 +658,11 @@ func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP net.IP, packetDat
 		return false
 	}

+	// Get protocol and ports for route ACL check
 	proto := getProtocolFromPacket(d)
 	srcPort, dstPort := getPortsFromPacket(d)

+	// Check route ACLs
 	if !m.routeACLsPass(srcIP, dstIP, proto, srcPort, dstPort) {
 		m.logger.Trace("Dropping routed packet (ACL denied): src=%s:%d dst=%s:%d proto=%v",
 			srcIP, srcPort, dstIP, dstPort, proto)
@@ -756,12 +704,12 @@ func getPortsFromPacket(d *decoder) (srcPort, dstPort uint16) {

 func (m *Manager) isValidPacket(d *decoder, packetData []byte) bool {
 	if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
-		m.logger.Trace("couldn't decode packet, err: %s", err)
+		log.Tracef("couldn't decode layer, err: %s", err)
 		return false
 	}

 	if len(d.decoded) < 2 {
-		m.logger.Trace("packet doesn't have network and transport layers")
+		log.Tracef("not enough levels in network packet")
 		return false
 	}
 	return true
@@ -1005,34 +953,3 @@ func (m *Manager) SetLogLevel(level log.Level) {
 		m.logger.SetLevel(nblog.Level(level))
 	}
 }
-
-func (m *Manager) EnableRouting() error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.determineRouting()
-}
-
-func (m *Manager) DisableRouting() error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	if m.forwarder == nil {
-		return nil
-	}
-
-	m.routingEnabled = false
-	m.nativeRouter = false
-
-	// don't stop forwarder if in use by netstack
-	if m.netstack && m.localForwarding {
-		return nil
-	}
-
-	m.forwarder.Stop()
-	m.forwarder = nil
-
-	log.Debug("forwarder stopped")
-
-	return nil
-}
--- a/client/firewall/uspfilter/uspfilter_filter_test.go
+++ b/client/firewall/uspfilter/uspfilter_filter_test.go
@@ -303,7 +303,6 @@ func setupRoutedManager(tb testing.TB, network string) *Manager {
 	}

 	manager, err := Create(ifaceMock, false)
-	require.NoError(tb, manager.EnableRouting())
 	require.NoError(tb, err)
 	require.NotNil(tb, manager)
 	require.True(tb, manager.routingEnabled)
--- a/client/firewall/uspfilter/uspfilter_test.go
+++ b/client/firewall/uspfilter/uspfilter_test.go
@@ -135,7 +135,7 @@ func TestManagerDeleteRule(t *testing.T) {
 	}

 	for _, r := range rule2 {
-		if _, ok := m.incomingRules[ip.String()][r.ID()]; !ok {
+		if _, ok := m.incomingRules[ip.String()][r.GetRuleID()]; !ok {
 			t.Errorf("rule2 is not in the incomingRules")
 		}
 	}
@@ -149,7 +149,7 @@ func TestManagerDeleteRule(t *testing.T) {
 	}

 	for _, r := range rule2 {
-		if _, ok := m.incomingRules[ip.String()][r.ID()]; ok {
+		if _, ok := m.incomingRules[ip.String()][r.GetRuleID()]; ok {
 			t.Errorf("rule2 is not in the incomingRules")
 		}
 	}
--- a/client/iface/bind/udp_mux.go
+++ b/client/iface/bind/udp_mux.go
@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"io"
 	"net"
-	"slices"
 	"strings"
 	"sync"

@@ -153,7 +152,46 @@ func NewUDPMuxDefault(params UDPMuxParams) *UDPMuxDefault {
 		params.Logger = logging.NewDefaultLoggerFactory().NewLogger("ice")
 	}

-	mux := &UDPMuxDefault{
+	var localAddrsForUnspecified []net.Addr
+	if addr, ok := params.UDPConn.LocalAddr().(*net.UDPAddr); !ok {
+		params.Logger.Errorf("LocalAddr is not a net.UDPAddr, got %T", params.UDPConn.LocalAddr())
+	} else if ok && addr.IP.IsUnspecified() {
+		// For unspecified addresses, the correct behavior is to return errListenUnspecified, but
+		// it will break the applications that are already using unspecified UDP connection
+		// with UDPMuxDefault, so print a warn log and create a local address list for mux.
+		params.Logger.Warn("UDPMuxDefault should not listening on unspecified address, use NewMultiUDPMuxFromPort instead")
+		var networks []ice.NetworkType
+		switch {
+
+		case addr.IP.To16() != nil:
+			networks = []ice.NetworkType{ice.NetworkTypeUDP4, ice.NetworkTypeUDP6}
+
+		case addr.IP.To4() != nil:
+			networks = []ice.NetworkType{ice.NetworkTypeUDP4}
+
+		default:
+			params.Logger.Errorf("LocalAddr expected IPV4 or IPV6, got %T", params.UDPConn.LocalAddr())
+		}
+		if len(networks) > 0 {
+			if params.Net == nil {
+				var err error
+				if params.Net, err = stdnet.NewNet(); err != nil {
+					params.Logger.Errorf("failed to get create network: %v", err)
+				}
+			}
+
+			ips, err := localInterfaces(params.Net, params.InterfaceFilter, nil, networks, true)
+			if err == nil {
+				for _, ip := range ips {
+					localAddrsForUnspecified = append(localAddrsForUnspecified, &net.UDPAddr{IP: ip, Port: addr.Port})
+				}
+			} else {
+				params.Logger.Errorf("failed to get local interfaces for unspecified addr: %v", err)
+			}
+		}
+	}
+
+	return &UDPMuxDefault{
 		addressMap: map[string][]*udpMuxedConn{},
 		params:     params,
 		connsIPv4:  make(map[string]*udpMuxedConn),
@@ -165,55 +203,8 @@ func NewUDPMuxDefault(params UDPMuxParams) *UDPMuxDefault {
 				return newBufferHolder(receiveMTU + maxAddrSize)
 			},
 		},
+		localAddrsForUnspecified: localAddrsForUnspecified,
 	}
-
-	mux.updateLocalAddresses()
-	return mux
-}
-
-func (m *UDPMuxDefault) updateLocalAddresses() {
-	var localAddrsForUnspecified []net.Addr
-	if addr, ok := m.params.UDPConn.LocalAddr().(*net.UDPAddr); !ok {
-		m.params.Logger.Errorf("LocalAddr is not a net.UDPAddr, got %T", m.params.UDPConn.LocalAddr())
-	} else if ok && addr.IP.IsUnspecified() {
-		// For unspecified addresses, the correct behavior is to return errListenUnspecified, but
-		// it will break the applications that are already using unspecified UDP connection
-		// with UDPMuxDefault, so print a warn log and create a local address list for mux.
-		m.params.Logger.Warn("UDPMuxDefault should not listening on unspecified address, use NewMultiUDPMuxFromPort instead")
-		var networks []ice.NetworkType
-		switch {
-
-		case addr.IP.To16() != nil:
-			networks = []ice.NetworkType{ice.NetworkTypeUDP4, ice.NetworkTypeUDP6}
-
-		case addr.IP.To4() != nil:
-			networks = []ice.NetworkType{ice.NetworkTypeUDP4}
-
-		default:
-			m.params.Logger.Errorf("LocalAddr expected IPV4 or IPV6, got %T", m.params.UDPConn.LocalAddr())
-		}
-		if len(networks) > 0 {
-			if m.params.Net == nil {
-				var err error
-				if m.params.Net, err = stdnet.NewNet(); err != nil {
-					m.params.Logger.Errorf("failed to get create network: %v", err)
-				}
-			}
-
-			ips, err := localInterfaces(m.params.Net, m.params.InterfaceFilter, nil, networks, true)
-			if err == nil {
-				for _, ip := range ips {
-					localAddrsForUnspecified = append(localAddrsForUnspecified, &net.UDPAddr{IP: ip, Port: addr.Port})
-				}
-			} else {
-				m.params.Logger.Errorf("failed to get local interfaces for unspecified addr: %v", err)
-			}
-		}
-	}
-
-	m.mu.Lock()
-	m.localAddrsForUnspecified = localAddrsForUnspecified
-	m.mu.Unlock()
 }

 // LocalAddr returns the listening address of this UDPMuxDefault
@@ -223,12 +214,8 @@ func (m *UDPMuxDefault) LocalAddr() net.Addr {

 // GetListenAddresses returns the list of addresses that this mux is listening on
 func (m *UDPMuxDefault) GetListenAddresses() []net.Addr {
-	m.updateLocalAddresses()
-
-	m.mu.Lock()
-	defer m.mu.Unlock()
 	if len(m.localAddrsForUnspecified) > 0 {
-		return slices.Clone(m.localAddrsForUnspecified)
+		return m.localAddrsForUnspecified
 	}

 	return []net.Addr{m.LocalAddr()}
@@ -238,10 +225,7 @@ func (m *UDPMuxDefault) GetListenAddresses() []net.Addr {
 // creates the connection if an existing one can't be found
 func (m *UDPMuxDefault) GetConn(ufrag string, addr net.Addr) (net.PacketConn, error) {
 	// don't check addr for mux using unspecified address
-	m.mu.Lock()
-	lenLocalAddrs := len(m.localAddrsForUnspecified)
-	m.mu.Unlock()
-	if lenLocalAddrs == 0 && m.params.UDPConn.LocalAddr().String() != addr.String() {
+	if len(m.localAddrsForUnspecified) == 0 && m.params.UDPConn.LocalAddr().String() != addr.String() {
 		return nil, fmt.Errorf("invalid address %s", addr.String())
 	}

--- a/client/iface/configurer/kernel_unix.go
+++ b/client/iface/configurer/kernel_unix.go
@@ -43,7 +43,13 @@ func (c *KernelConfigurer) ConfigureInterface(privateKey string, port int) error
 	return nil
 }

-func (c *KernelConfigurer) UpdatePeer(peerKey string, allowedIps []net.IPNet, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
+func (c *KernelConfigurer) UpdatePeer(peerKey string, allowedIps string, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
+	// parse allowed ips
+	_, ipNet, err := net.ParseCIDR(allowedIps)
+	if err != nil {
+		return err
+	}
+
 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
 	if err != nil {
 		return err
@@ -52,7 +58,7 @@ func (c *KernelConfigurer) UpdatePeer(peerKey string, allowedIps []net.IPNet, ke
 		PublicKey:         peerKeyParsed,
 		ReplaceAllowedIPs: false,
 		// don't replace allowed ips, wg will handle duplicated peer IP
-		AllowedIPs:                  allowedIps,
+		AllowedIPs:                  []net.IPNet{*ipNet},
 		PersistentKeepaliveInterval: &keepAlive,
 		Endpoint:                    endpoint,
 		PresharedKey:                preSharedKey,
--- a/client/iface/configurer/usp.go
+++ b/client/iface/configurer/usp.go
@@ -52,7 +52,13 @@ func (c *WGUSPConfigurer) ConfigureInterface(privateKey string, port int) error
 	return c.device.IpcSet(toWgUserspaceString(config))
 }

-func (c *WGUSPConfigurer) UpdatePeer(peerKey string, allowedIps []net.IPNet, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
+func (c *WGUSPConfigurer) UpdatePeer(peerKey string, allowedIps string, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
+	// parse allowed ips
+	_, ipNet, err := net.ParseCIDR(allowedIps)
+	if err != nil {
+		return err
+	}
+
 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
 	if err != nil {
 		return err
@@ -61,7 +67,7 @@ func (c *WGUSPConfigurer) UpdatePeer(peerKey string, allowedIps []net.IPNet, kee
 		PublicKey:         peerKeyParsed,
 		ReplaceAllowedIPs: false,
 		// don't replace allowed ips, wg will handle duplicated peer IP
-		AllowedIPs:                  allowedIps,
+		AllowedIPs:                  []net.IPNet{*ipNet},
 		PersistentKeepaliveInterval: &keepAlive,
 		PresharedKey:                preSharedKey,
 		Endpoint:                    endpoint,
@@ -356,7 +362,7 @@ func toWgUserspaceString(wgCfg wgtypes.Config) string {
 }

 func getFwmark() int {
-	if nbnet.AdvancedRouting() {
+	if runtime.GOOS == "linux" && !nbnet.CustomRoutingDisabled() {
 		return nbnet.NetbirdFwmark
 	}
 	return 0
--- a/client/iface/device.go
+++ b/client/iface/device.go
@@ -3,8 +3,6 @@
 package iface

 import (
-	"golang.zx2c4.com/wireguard/tun/netstack"
-
 	wgdevice "golang.zx2c4.com/wireguard/device"

 	"github.com/netbirdio/netbird/client/iface/bind"
@@ -20,5 +18,4 @@ type WGTunDevice interface {
 	Close() error
 	FilteredDevice() *device.FilteredDevice
 	Device() *wgdevice.Device
-	GetNet() *netstack.Net
 }
--- a/client/iface/device/device_android.go
+++ b/client/iface/device/device_android.go
@@ -9,7 +9,6 @@ import (
 	"golang.org/x/sys/unix"
 	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/tun"
-	"golang.zx2c4.com/wireguard/tun/netstack"

 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
@@ -131,10 +130,6 @@ func (t *WGTunDevice) FilteredDevice() *FilteredDevice {
 	return t.filteredDevice
 }

-func (t *WGTunDevice) GetNet() *netstack.Net {
-	return nil
-}
-
 func routesToString(routes []string) string {
 	return strings.Join(routes, ";")
 }
--- a/client/iface/device/device_darwin.go
+++ b/client/iface/device/device_darwin.go
@@ -9,7 +9,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/tun"
-	"golang.zx2c4.com/wireguard/tun/netstack"

 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
@@ -144,7 +143,3 @@ func (t *TunDevice) assignAddr() error {
 	}
 	return nil
 }
-
-func (t *TunDevice) GetNet() *netstack.Net {
-	return nil
-}
--- a/client/iface/device/device_ios.go
+++ b/client/iface/device/device_ios.go
@@ -10,7 +10,6 @@ import (
 	"golang.org/x/sys/unix"
 	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/tun"
-	"golang.zx2c4.com/wireguard/tun/netstack"

 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
@@ -132,7 +131,3 @@ func (t *TunDevice) UpdateAddr(addr WGAddress) error {
 func (t *TunDevice) FilteredDevice() *FilteredDevice {
 	return t.filteredDevice
 }
-
-func (t *TunDevice) GetNet() *netstack.Net {
-	return nil
-}
--- a/client/iface/device/device_kernel_unix.go
+++ b/client/iface/device/device_kernel_unix.go
@@ -10,7 +10,6 @@ import (
 	"github.com/pion/transport/v3"
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/device"
-	"golang.zx2c4.com/wireguard/tun/netstack"

 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
@@ -166,7 +165,3 @@ func (t *TunKernelDevice) FilteredDevice() *FilteredDevice {
 func (t *TunKernelDevice) assignAddr() error {
 	return t.link.assignAddr(t.address)
 }
-
-func (t *TunKernelDevice) GetNet() *netstack.Net {
-	return nil
-}
--- a/client/iface/device/device_netstack.go
+++ b/client/iface/device/device_netstack.go
@@ -8,12 +8,10 @@ import (

 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/device"
-	"golang.zx2c4.com/wireguard/tun/netstack"

 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
-	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
-	nbnet "github.com/netbirdio/netbird/util/net"
+	"github.com/netbirdio/netbird/client/iface/netstack"
 )

 type TunNetstackDevice struct {
@@ -27,11 +25,9 @@ type TunNetstackDevice struct {

 	device         *device.Device
 	filteredDevice *FilteredDevice
-	nsTun          *nbnetstack.NetStackTun
+	nsTun          *netstack.NetStackTun
 	udpMux         *bind.UniversalUDPMuxDefault
 	configurer     WGConfigurer
-
-	net *netstack.Net
 }

 func NewNetstackDevice(name string, address WGAddress, wgPort int, key string, mtu int, iceBind *bind.ICEBind, listenAddress string) *TunNetstackDevice {
@@ -47,19 +43,13 @@ func NewNetstackDevice(name string, address WGAddress, wgPort int, key string, m
 }

 func (t *TunNetstackDevice) Create() (WGConfigurer, error) {
-	log.Info("create nbnetstack tun interface")
-
-	// TODO: get from service listener runtime IP
-	dnsAddr := nbnet.GetLastIPFromNetwork(t.address.Network, 1)
-	log.Debugf("netstack using address: %s", t.address.IP)
-	t.nsTun = nbnetstack.NewNetStackTun(t.listenAddress, t.address.IP, dnsAddr, t.mtu)
-	log.Debugf("netstack using dns address: %s", dnsAddr)
-	tunIface, net, err := t.nsTun.Create()
+	log.Info("create netstack tun interface")
+	t.nsTun = netstack.NewNetStackTun(t.listenAddress, t.address.IP.String(), t.mtu)
+	tunIface, err := t.nsTun.Create()
 	if err != nil {
 		return nil, fmt.Errorf("error creating tun device: %s", err)
 	}
 	t.filteredDevice = newDeviceFilter(tunIface)
-	t.net = net

 	t.device = device.NewDevice(
 		t.filteredDevice,
@@ -132,7 +122,3 @@ func (t *TunNetstackDevice) FilteredDevice() *FilteredDevice {
 func (t *TunNetstackDevice) Device() *device.Device {
 	return t.device
 }
-
-func (t *TunNetstackDevice) GetNet() *netstack.Net {
-	return t.net
-}
--- a/client/iface/device/device_usp_unix.go
+++ b/client/iface/device/device_usp_unix.go
@@ -8,7 +8,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/tun"
-	"golang.zx2c4.com/wireguard/tun/netstack"

 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
@@ -136,7 +135,3 @@ func (t *USPDevice) assignAddr() error {

 	return link.assignAddr(t.address)
 }
-
-func (t *USPDevice) GetNet() *netstack.Net {
-	return nil
-}
--- a/client/iface/device/device_windows.go
+++ b/client/iface/device/device_windows.go
@@ -8,7 +8,6 @@ import (
 	"golang.org/x/sys/windows"
 	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/tun"
-	"golang.zx2c4.com/wireguard/tun/netstack"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"

 	"github.com/netbirdio/netbird/client/iface/bind"
@@ -175,7 +174,3 @@ func (t *TunDevice) assignAddr() error {
 	log.Debugf("adding address %s to interface: %s", t.address.IP, t.name)
 	return luid.SetIPAddresses([]netip.Prefix{netip.MustParsePrefix(t.address.String())})
 }
-
-func (t *TunDevice) GetNet() *netstack.Net {
-	return nil
-}
--- a/client/iface/device/interface.go
+++ b/client/iface/device/interface.go
@@ -11,7 +11,7 @@ import (

 type WGConfigurer interface {
 	ConfigureInterface(privateKey string, port int) error
-	UpdatePeer(peerKey string, allowedIps []net.IPNet, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error
+	UpdatePeer(peerKey string, allowedIps string, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error
 	RemovePeer(peerKey string) error
 	AddAllowedIP(peerKey string, allowedIP string) error
 	RemoveAllowedIP(peerKey string, allowedIP string) error
--- a/client/iface/device_android.go
+++ b/client/iface/device_android.go
@@ -3,8 +3,6 @@ package iface
 import (
 	wgdevice "golang.zx2c4.com/wireguard/device"

-	"golang.zx2c4.com/wireguard/tun/netstack"
-
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/device"
 )
@@ -18,5 +16,4 @@ type WGTunDevice interface {
 	Close() error
 	FilteredDevice() *device.FilteredDevice
 	Device() *wgdevice.Device
-	GetNet() *netstack.Net
 }
--- a/client/iface/iface.go
+++ b/client/iface/iface.go
@@ -3,14 +3,12 @@ package iface
 import (
 	"fmt"
 	"net"
-	"net/netip"
 	"sync"
 	"time"

 	"github.com/hashicorp/go-multierror"
 	"github.com/pion/transport/v3"
 	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/tun/netstack"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

 	wgdevice "golang.zx2c4.com/wireguard/device"
@@ -113,13 +111,12 @@ func (w *WGIface) UpdateAddr(newAddr string) error {

 // UpdatePeer updates existing Wireguard Peer or creates a new one if doesn't exist
 // Endpoint is optional
-func (w *WGIface) UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
+func (w *WGIface) UpdatePeer(peerKey string, allowedIps string, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
 	w.mu.Lock()
 	defer w.mu.Unlock()

-	netIPNets := prefixesToIPNets(allowedIps)
 	log.Debugf("updating interface %s peer %s, endpoint %s", w.tun.DeviceName(), peerKey, endpoint)
-	return w.configurer.UpdatePeer(peerKey, netIPNets, keepAlive, endpoint, preSharedKey)
+	return w.configurer.UpdatePeer(peerKey, allowedIps, keepAlive, endpoint, preSharedKey)
 }

 // RemovePeer removes a Wireguard Peer from the interface iface
@@ -244,22 +241,3 @@ func (w *WGIface) waitUntilRemoved() error {
 		}
 	}
 }
-
-// GetNet returns the netstack.Net for the netstack device
-func (w *WGIface) GetNet() *netstack.Net {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-
-	return w.tun.GetNet()
-}
-
-func prefixesToIPNets(prefixes []netip.Prefix) []net.IPNet {
-	ipNets := make([]net.IPNet, len(prefixes))
-	for i, prefix := range prefixes {
-		ipNets[i] = net.IPNet{
-			IP:   net.IP(prefix.Addr().AsSlice()),                     // Convert netip.Addr to net.IP
-			Mask: net.CIDRMask(prefix.Bits(), prefix.Addr().BitLen()), // Create subnet mask
-		}
-	}
-	return ipNets
-}
--- a/client/iface/iface_moc.go
+++ b/client/iface/iface_moc.go
@@ -0,0 +1,117 @@
+package iface
+
+import (
+	"net"
+	"time"
+
+	wgdevice "golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+
+	"github.com/netbirdio/netbird/client/iface/bind"
+	"github.com/netbirdio/netbird/client/iface/configurer"
+	"github.com/netbirdio/netbird/client/iface/device"
+	"github.com/netbirdio/netbird/client/iface/wgproxy"
+)
+
+type MockWGIface struct {
+	CreateFunc                 func() error
+	CreateOnAndroidFunc        func(routeRange []string, ip string, domains []string) error
+	IsUserspaceBindFunc        func() bool
+	NameFunc                   func() string
+	AddressFunc                func() device.WGAddress
+	ToInterfaceFunc            func() *net.Interface
+	UpFunc                     func() (*bind.UniversalUDPMuxDefault, error)
+	UpdateAddrFunc             func(newAddr string) error
+	UpdatePeerFunc             func(peerKey string, allowedIps string, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error
+	RemovePeerFunc             func(peerKey string) error
+	AddAllowedIPFunc           func(peerKey string, allowedIP string) error
+	RemoveAllowedIPFunc        func(peerKey string, allowedIP string) error
+	CloseFunc                  func() error
+	SetFilterFunc              func(filter device.PacketFilter) error
+	GetFilterFunc              func() device.PacketFilter
+	GetDeviceFunc              func() *device.FilteredDevice
+	GetWGDeviceFunc            func() *wgdevice.Device
+	GetStatsFunc               func(peerKey string) (configurer.WGStats, error)
+	GetInterfaceGUIDStringFunc func() (string, error)
+	GetProxyFunc               func() wgproxy.Proxy
+}
+
+func (m *MockWGIface) GetInterfaceGUIDString() (string, error) {
+	return m.GetInterfaceGUIDStringFunc()
+}
+
+func (m *MockWGIface) Create() error {
+	return m.CreateFunc()
+}
+
+func (m *MockWGIface) CreateOnAndroid(routeRange []string, ip string, domains []string) error {
+	return m.CreateOnAndroidFunc(routeRange, ip, domains)
+}
+
+func (m *MockWGIface) IsUserspaceBind() bool {
+	return m.IsUserspaceBindFunc()
+}
+
+func (m *MockWGIface) Name() string {
+	return m.NameFunc()
+}
+
+func (m *MockWGIface) Address() device.WGAddress {
+	return m.AddressFunc()
+}
+
+func (m *MockWGIface) ToInterface() *net.Interface {
+	return m.ToInterfaceFunc()
+}
+
+func (m *MockWGIface) Up() (*bind.UniversalUDPMuxDefault, error) {
+	return m.UpFunc()
+}
+
+func (m *MockWGIface) UpdateAddr(newAddr string) error {
+	return m.UpdateAddrFunc(newAddr)
+}
+
+func (m *MockWGIface) UpdatePeer(peerKey string, allowedIps string, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
+	return m.UpdatePeerFunc(peerKey, allowedIps, keepAlive, endpoint, preSharedKey)
+}
+
+func (m *MockWGIface) RemovePeer(peerKey string) error {
+	return m.RemovePeerFunc(peerKey)
+}
+
+func (m *MockWGIface) AddAllowedIP(peerKey string, allowedIP string) error {
+	return m.AddAllowedIPFunc(peerKey, allowedIP)
+}
+
+func (m *MockWGIface) RemoveAllowedIP(peerKey string, allowedIP string) error {
+	return m.RemoveAllowedIPFunc(peerKey, allowedIP)
+}
+
+func (m *MockWGIface) Close() error {
+	return m.CloseFunc()
+}
+
+func (m *MockWGIface) SetFilter(filter device.PacketFilter) error {
+	return m.SetFilterFunc(filter)
+}
+
+func (m *MockWGIface) GetFilter() device.PacketFilter {
+	return m.GetFilterFunc()
+}
+
+func (m *MockWGIface) GetDevice() *device.FilteredDevice {
+	return m.GetDeviceFunc()
+}
+
+func (m *MockWGIface) GetWGDevice() *wgdevice.Device {
+	return m.GetWGDeviceFunc()
+}
+
+func (m *MockWGIface) GetStats(peerKey string) (configurer.WGStats, error) {
+	return m.GetStatsFunc(peerKey)
+}
+
+func (m *MockWGIface) GetProxy() wgproxy.Proxy {
+	return m.GetProxyFunc()
+}
--- a/client/iface/iface_test.go
+++ b/client/iface/iface_test.go
@@ -373,12 +373,12 @@ func Test_UpdatePeer(t *testing.T) {
 		t.Fatal(err)
 	}
 	keepAlive := 15 * time.Second
-	allowedIP := netip.MustParsePrefix("10.99.99.10/32")
+	allowedIP := "10.99.99.10/32"
 	endpoint, err := net.ResolveUDPAddr("udp", "127.0.0.1:9900")
 	if err != nil {
 		t.Fatal(err)
 	}
-	err = iface.UpdatePeer(peerPubKey, []netip.Prefix{allowedIP}, keepAlive, endpoint, nil)
+	err = iface.UpdatePeer(peerPubKey, allowedIP, keepAlive, endpoint, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -396,7 +396,7 @@ func Test_UpdatePeer(t *testing.T) {

 	var foundAllowedIP bool
 	for _, aip := range peer.AllowedIPs {
-		if aip.String() == allowedIP.String() {
+		if aip.String() == allowedIP {
 			foundAllowedIP = true
 			break
 		}
@@ -443,8 +443,9 @@ func Test_RemovePeer(t *testing.T) {
 		t.Fatal(err)
 	}
 	keepAlive := 15 * time.Second
-	allowedIP := netip.MustParsePrefix("10.99.99.14/32")
-	err = iface.UpdatePeer(peerPubKey, []netip.Prefix{allowedIP}, keepAlive, nil, nil)
+	allowedIP := "10.99.99.14/32"
+
+	err = iface.UpdatePeer(peerPubKey, allowedIP, keepAlive, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -461,12 +462,12 @@ func Test_RemovePeer(t *testing.T) {

 func Test_ConnectPeers(t *testing.T) {
 	peer1ifaceName := fmt.Sprintf("utun%d", WgIntNumber+400)
-	peer1wgIP := netip.MustParsePrefix("10.99.99.17/30")
+	peer1wgIP := "10.99.99.17/30"
 	peer1Key, _ := wgtypes.GeneratePrivateKey()
 	peer1wgPort := 33100

 	peer2ifaceName := "utun500"
-	peer2wgIP := netip.MustParsePrefix("10.99.99.18/30")
+	peer2wgIP := "10.99.99.18/30"
 	peer2Key, _ := wgtypes.GeneratePrivateKey()
 	peer2wgPort := 33200

@@ -481,7 +482,7 @@ func Test_ConnectPeers(t *testing.T) {

 	optsPeer1 := WGIFaceOpts{
 		IFaceName:    peer1ifaceName,
-		Address:      peer1wgIP.String(),
+		Address:      peer1wgIP,
 		WGPort:       peer1wgPort,
 		WGPrivKey:    peer1Key.String(),
 		MTU:          DefaultMTU,
@@ -521,7 +522,7 @@ func Test_ConnectPeers(t *testing.T) {

 	optsPeer2 := WGIFaceOpts{
 		IFaceName:    peer2ifaceName,
-		Address:      peer2wgIP.String(),
+		Address:      peer2wgIP,
 		WGPort:       peer2wgPort,
 		WGPrivKey:    peer2Key.String(),
 		MTU:          DefaultMTU,
@@ -557,11 +558,11 @@ func Test_ConnectPeers(t *testing.T) {
 		}
 	}()

-	err = iface1.UpdatePeer(peer2Key.PublicKey().String(), []netip.Prefix{peer2wgIP}, keepAlive, peer2endpoint, nil)
+	err = iface1.UpdatePeer(peer2Key.PublicKey().String(), peer2wgIP, keepAlive, peer2endpoint, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
-	err = iface2.UpdatePeer(peer1Key.PublicKey().String(), []netip.Prefix{peer1wgIP}, keepAlive, peer1endpoint, nil)
+	err = iface2.UpdatePeer(peer1Key.PublicKey().String(), peer1wgIP, keepAlive, peer1endpoint, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/client/internal/iface_common.go
+++ b/client/internal/iface_common.go
@@ -1,12 +1,12 @@
-package internal
+//go:build !windows
+
+package iface

 import (
 	"net"
-	"net/netip"
 	"time"

 	wgdevice "golang.zx2c4.com/wireguard/device"
-	"golang.zx2c4.com/wireguard/tun/netstack"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

 	"github.com/netbirdio/netbird/client/iface/bind"
@@ -15,7 +15,7 @@ import (
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
 )

-type wgIfaceBase interface {
+type IWGIface interface {
 	Create() error
 	CreateOnAndroid(routeRange []string, ip string, domains []string) error
 	IsUserspaceBind() bool
@@ -25,7 +25,7 @@ type wgIfaceBase interface {
 	Up() (*bind.UniversalUDPMuxDefault, error)
 	UpdateAddr(newAddr string) error
 	GetProxy() wgproxy.Proxy
-	UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error
+	UpdatePeer(peerKey string, allowedIps string, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error
 	RemovePeer(peerKey string) error
 	AddAllowedIP(peerKey string, allowedIP string) error
 	RemoveAllowedIP(peerKey string, allowedIP string) error
@@ -35,5 +35,4 @@ type wgIfaceBase interface {
 	GetDevice() *device.FilteredDevice
 	GetWGDevice() *wgdevice.Device
 	GetStats(peerKey string) (configurer.WGStats, error)
-	GetNet() *netstack.Net
 }
--- a/client/iface/iwginterface_windows.go
+++ b/client/iface/iwginterface_windows.go
@@ -0,0 +1,37 @@
+package iface
+
+import (
+	"net"
+	"time"
+
+	wgdevice "golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+
+	"github.com/netbirdio/netbird/client/iface/bind"
+	"github.com/netbirdio/netbird/client/iface/configurer"
+	"github.com/netbirdio/netbird/client/iface/device"
+	"github.com/netbirdio/netbird/client/iface/wgproxy"
+)
+
+type IWGIface interface {
+	Create() error
+	CreateOnAndroid(routeRange []string, ip string, domains []string) error
+	IsUserspaceBind() bool
+	Name() string
+	Address() device.WGAddress
+	ToInterface() *net.Interface
+	Up() (*bind.UniversalUDPMuxDefault, error)
+	UpdateAddr(newAddr string) error
+	GetProxy() wgproxy.Proxy
+	UpdatePeer(peerKey string, allowedIps string, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error
+	RemovePeer(peerKey string) error
+	AddAllowedIP(peerKey string, allowedIP string) error
+	RemoveAllowedIP(peerKey string, allowedIP string) error
+	Close() error
+	SetFilter(filter device.PacketFilter) error
+	GetFilter() device.PacketFilter
+	GetDevice() *device.FilteredDevice
+	GetWGDevice() *wgdevice.Device
+	GetStats(peerKey string) (configurer.WGStats, error)
+	GetInterfaceGUIDString() (string, error)
+}
--- a/client/iface/netstack/env.go
+++ b/client/iface/netstack/env.go
@@ -8,11 +8,9 @@ import (
 	log "github.com/sirupsen/logrus"
 )

-const EnvUseNetstackMode = "NB_USE_NETSTACK_MODE"
-
 // IsEnabled todo: move these function to cmd layer
 func IsEnabled() bool {
-	return os.Getenv(EnvUseNetstackMode) == "true"
+	return os.Getenv("NB_USE_NETSTACK_MODE") == "true"
 }

 func ListenAddr() string {
--- a/client/iface/netstack/tun.go
+++ b/client/iface/netstack/tun.go
@@ -1,22 +1,15 @@
 package netstack

 import (
-	"fmt"
-	"net"
 	"net/netip"
-	"os"
-	"strconv"

 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/tun"
 	"golang.zx2c4.com/wireguard/tun/netstack"
 )

-const EnvSkipProxy = "NB_NETSTACK_SKIP_PROXY"
-
 type NetStackTun struct { //nolint:revive
-	address       net.IP
-	dnsAddress    net.IP
+	address       string
 	mtu           int
 	listenAddress string

@@ -24,48 +17,29 @@ type NetStackTun struct { //nolint:revive
 	tundev tun.Device
 }

-func NewNetStackTun(listenAddress string, address net.IP, dnsAddress net.IP, mtu int) *NetStackTun {
+func NewNetStackTun(listenAddress string, address string, mtu int) *NetStackTun {
 	return &NetStackTun{
 		address:       address,
-		dnsAddress:    dnsAddress,
 		mtu:           mtu,
 		listenAddress: listenAddress,
 	}
 }

-func (t *NetStackTun) Create() (tun.Device, *netstack.Net, error) {
-	addr, ok := netip.AddrFromSlice(t.address)
-	if !ok {
-		return nil, nil, fmt.Errorf("convert address to netip.Addr: %v", t.address)
-	}
-
-	dnsAddr, ok := netip.AddrFromSlice(t.dnsAddress)
-	if !ok {
-		return nil, nil, fmt.Errorf("convert dns address to netip.Addr: %v", t.dnsAddress)
-	}
-
+func (t *NetStackTun) Create() (tun.Device, error) {
 	nsTunDev, tunNet, err := netstack.CreateNetTUN(
-		[]netip.Addr{addr.Unmap()},
-		[]netip.Addr{dnsAddr.Unmap()},
+		[]netip.Addr{netip.MustParseAddr(t.address)},
+		[]netip.Addr{},
 		t.mtu)
 	if err != nil {
-		return nil, nil, err
+		return nil, err
 	}
 	t.tundev = nsTunDev

-	skipProxy, err := strconv.ParseBool(os.Getenv(EnvSkipProxy))
-	if err != nil {
-		log.Errorf("failed to parse NB_ETSTACK_SKIP_PROXY: %s", err)
-	}
-	if skipProxy {
-		return nsTunDev, tunNet, nil
-	}
-
 	dialer := NewNSDialer(tunNet)
 	t.proxy, err = NewSocks5(dialer)
 	if err != nil {
 		_ = t.tundev.Close()
-		return nil, nil, err
+		return nil, err
 	}

 	go func() {
@@ -75,7 +49,7 @@ func (t *NetStackTun) Create() (tun.Device, *netstack.Net, error) {
 		}
 	}()

-	return nsTunDev, tunNet, nil
+	return nsTunDev, nil
 }

 func (t *NetStackTun) Close() error {
--- a/client/internal/acl/id/id.go
+++ b/client/internal/acl/id/id.go
@@ -12,7 +12,7 @@ import (

 type RuleID string

-func (r RuleID) ID() string {
+func (r RuleID) GetRuleID() string {
 	return string(r)
 }

--- a/client/internal/acl/manager.go
+++ b/client/internal/acl/manager.go
@@ -245,7 +245,7 @@ func (d *DefaultManager) applyRouteACL(rule *mgmProto.RouteFirewallRule) (id.Rul
 		return "", fmt.Errorf("add route rule: %w", err)
 	}

-	return id.RuleID(addedRule.ID()), nil
+	return id.RuleID(addedRule.GetRuleID()), nil
 }

 func (d *DefaultManager) protoRuleToFirewallRule(
@@ -515,7 +515,7 @@ func (d *DefaultManager) rollBack(newRulePairs map[id.RuleID][]firewall.Rule) {
 	for _, rules := range newRulePairs {
 		for _, rule := range rules {
 			if err := d.firewall.DeletePeerRule(rule); err != nil {
-				log.Errorf("failed to delete new firewall rule (id: %v) during rollback: %v", rule.ID(), err)
+				log.Errorf("failed to delete new firewall rule (id: %v) during rollback: %v", rule.GetRuleID(), err)
 			}
 		}
 	}
--- a/client/internal/acl/manager_test.go
+++ b/client/internal/acl/manager_test.go
@@ -74,7 +74,7 @@ func TestDefaultManager(t *testing.T) {
 	t.Run("add extra rules", func(t *testing.T) {
 		existedPairs := map[string]struct{}{}
 		for id := range acl.peerRulesPairs {
-			existedPairs[id.ID()] = struct{}{}
+			existedPairs[id.GetRuleID()] = struct{}{}
 		}

 		// remove first rule
@@ -100,7 +100,7 @@ func TestDefaultManager(t *testing.T) {
 		// check that old rule was removed
 		previousCount := 0
 		for id := range acl.peerRulesPairs {
-			if _, ok := existedPairs[id.ID()]; ok {
+			if _, ok := existedPairs[id.GetRuleID()]; ok {
 				previousCount++
 			}
 		}
--- a/client/internal/config.go
+++ b/client/internal/config.go
@@ -8,7 +8,6 @@ import (
 	"os"
 	"reflect"
 	"runtime"
-	"slices"
 	"strings"
 	"time"

@@ -21,7 +20,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/routemanager/dynamic"
 	"github.com/netbirdio/netbird/client/ssh"
 	mgm "github.com/netbirdio/netbird/management/client"
-	"github.com/netbirdio/netbird/management/domain"
 	"github.com/netbirdio/netbird/util"
 )

@@ -70,10 +68,6 @@ type ConfigInput struct {
 	DisableFirewall     *bool

 	BlockLANAccess *bool
-
-	DisableNotifications *bool
-
-	DNSLabels domain.List
 }

 // Config Configuration type
@@ -99,10 +93,6 @@ type Config struct {

 	BlockLANAccess bool

-	DisableNotifications *bool
-
-	DNSLabels domain.List
-
 	// SSHKey is a private SSH key in a PEM format
 	SSHKey string

@@ -479,23 +469,6 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}

-	if input.DisableNotifications != nil && input.DisableNotifications != config.DisableNotifications {
-		if *input.DisableNotifications {
-			log.Infof("disabling notifications")
-		} else {
-			log.Infof("enabling notifications")
-		}
-		config.DisableNotifications = input.DisableNotifications
-		updated = true
-	}
-
-	if config.DisableNotifications == nil {
-		disabled := true
-		config.DisableNotifications = &disabled
-		log.Infof("setting notifications to disabled by default")
-		updated = true
-	}
-
 	if input.ClientCertKeyPath != "" {
 		config.ClientCertKeyPath = input.ClientCertKeyPath
 		updated = true
@@ -516,14 +489,6 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		}
 	}

-	if input.DNSLabels != nil && !slices.Equal(config.DNSLabels, input.DNSLabels) {
-		log.Infof("updating DNS labels [ %s ] (old value: [ %s ])",
-			input.DNSLabels.SafeString(),
-			config.DNSLabels.SafeString())
-		config.DNSLabels = input.DNSLabels
-		updated = true
-	}
-
 	return updated, nil
 }

--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -23,7 +23,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
-	cProto "github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
 	mgm "github.com/netbirdio/netbird/management/client"
@@ -32,7 +31,6 @@ import (
 	relayClient "github.com/netbirdio/netbird/relay/client"
 	signal "github.com/netbirdio/netbird/signal/client"
 	"github.com/netbirdio/netbird/util"
-	nbnet "github.com/netbirdio/netbird/util/net"
 	"github.com/netbirdio/netbird/version"
 )

@@ -105,24 +103,12 @@ func (c *ConnectClient) RunOniOS(
 func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan error) error {
 	defer func() {
 		if r := recover(); r != nil {
-			rec := c.statusRecorder
-			if rec != nil {
-				rec.PublishEvent(
-					cProto.SystemEvent_CRITICAL, cProto.SystemEvent_SYSTEM,
-					"panic occurred",
-					"The Netbird service panicked. Please restart the service and submit a bug report with the client logs.",
-					nil,
-				)
-			}
-
 			log.Panicf("Panic occurred: %v, stack trace: %s", r, string(debug.Stack()))
 		}
 	}()

 	log.Infof("starting NetBird client version %s on %s/%s", version.NetbirdVersion(), runtime.GOOS, runtime.GOARCH)

-	nbnet.Init()
-
 	backOff := &backoff.ExponentialBackOff{
 		InitialInterval:     time.Second,
 		RandomizationFactor: 1,
@@ -489,7 +475,7 @@ func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte,
 		config.DisableDNS,
 		config.DisableFirewall,
 	)
-	loginResp, err := client.Login(*serverPublicKey, sysInfo, pubSSHKey, config.DNSLabels)
+	loginResp, err := client.Login(*serverPublicKey, sysInfo, pubSSHKey)
 	if err != nil {
 		return nil, err
 	}
--- a/client/internal/dns.go
+++ b/client/internal/dns.go
@@ -1,111 +0,0 @@
-package internal
-
-import (
-	"fmt"
-	"net"
-	"slices"
-	"strings"
-
-	"github.com/miekg/dns"
-	log "github.com/sirupsen/logrus"
-
-	nbdns "github.com/netbirdio/netbird/dns"
-)
-
-func createPTRRecord(aRecord nbdns.SimpleRecord, ipNet *net.IPNet) (nbdns.SimpleRecord, bool) {
-	ip := net.ParseIP(aRecord.RData)
-	if ip == nil || ip.To4() == nil {
-		return nbdns.SimpleRecord{}, false
-	}
-
-	if !ipNet.Contains(ip) {
-		return nbdns.SimpleRecord{}, false
-	}
-
-	ipOctets := strings.Split(ip.String(), ".")
-	slices.Reverse(ipOctets)
-	rdnsName := dns.Fqdn(strings.Join(ipOctets, ".") + ".in-addr.arpa")
-
-	return nbdns.SimpleRecord{
-		Name:  rdnsName,
-		Type:  int(dns.TypePTR),
-		Class: aRecord.Class,
-		TTL:   aRecord.TTL,
-		RData: dns.Fqdn(aRecord.Name),
-	}, true
-}
-
-// generateReverseZoneName creates the reverse DNS zone name for a given network
-func generateReverseZoneName(ipNet *net.IPNet) (string, error) {
-	networkIP := ipNet.IP.Mask(ipNet.Mask)
-	maskOnes, _ := ipNet.Mask.Size()
-
-	// round up to nearest byte
-	octetsToUse := (maskOnes + 7) / 8
-
-	octets := strings.Split(networkIP.String(), ".")
-	if octetsToUse > len(octets) {
-		return "", fmt.Errorf("invalid network mask size for reverse DNS: %d", maskOnes)
-	}
-
-	reverseOctets := make([]string, octetsToUse)
-	for i := 0; i < octetsToUse; i++ {
-		reverseOctets[octetsToUse-1-i] = octets[i]
-	}
-
-	return dns.Fqdn(strings.Join(reverseOctets, ".") + ".in-addr.arpa"), nil
-}
-
-// zoneExists checks if a zone with the given name already exists in the configuration
-func zoneExists(config *nbdns.Config, zoneName string) bool {
-	for _, zone := range config.CustomZones {
-		if zone.Domain == zoneName {
-			log.Debugf("reverse DNS zone %s already exists", zoneName)
-			return true
-		}
-	}
-	return false
-}
-
-// collectPTRRecords gathers all PTR records for the given network from A records
-func collectPTRRecords(config *nbdns.Config, ipNet *net.IPNet) []nbdns.SimpleRecord {
-	var records []nbdns.SimpleRecord
-
-	for _, zone := range config.CustomZones {
-		for _, record := range zone.Records {
-			if record.Type != int(dns.TypeA) {
-				continue
-			}
-
-			if ptrRecord, ok := createPTRRecord(record, ipNet); ok {
-				records = append(records, ptrRecord)
-			}
-		}
-	}
-
-	return records
-}
-
-// addReverseZone adds a reverse DNS zone to the configuration for the given network
-func addReverseZone(config *nbdns.Config, ipNet *net.IPNet) {
-	zoneName, err := generateReverseZoneName(ipNet)
-	if err != nil {
-		log.Warn(err)
-		return
-	}
-
-	if zoneExists(config, zoneName) {
-		log.Debugf("reverse DNS zone %s already exists", zoneName)
-		return
-	}
-
-	records := collectPTRRecords(config, ipNet)
-
-	reverseZone := nbdns.CustomZone{
-		Domain:  zoneName,
-		Records: records,
-	}
-
-	config.CustomZones = append(config.CustomZones, reverseZone)
-	log.Debugf("added reverse DNS zone: %s with %d records", zoneName, len(records))
-}
--- a/client/internal/dns/file_unix.go
+++ b/client/internal/dns/file_unix.go
@@ -58,7 +58,7 @@ func (f *fileConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *st
 				return fmt.Errorf("restoring the original resolv.conf file return err: %w", err)
 			}
 		}
-		return ErrRouteAllWithoutNameserverGroup
+		return fmt.Errorf("unable to configure DNS for this peer using file manager without a nameserver group with all domains configured")
 	}

 	if !backupFileExist {
@@ -121,10 +121,6 @@ func (f *fileConfigurator) restoreHostDNS() error {
 	return f.restore()
 }

-func (f *fileConfigurator) string() string {
-	return "file"
-}
-
 func (f *fileConfigurator) backup() error {
 	stats, err := os.Stat(defaultResolvConfPath)
 	if err != nil {
--- a/client/internal/dns/handler_chain.go
+++ b/client/internal/dns/handler_chain.go
@@ -12,7 +12,7 @@ import (
 const (
 	PriorityDNSRoute    = 100
 	PriorityMatchDomain = 50
-	PriorityDefault     = 1
+	PriorityDefault     = 0
 )

 type SubdomainMatcher interface {
@@ -26,6 +26,7 @@ type HandlerEntry struct {
 	Pattern         string
 	OrigPattern     string
 	IsWildcard      bool
+	StopHandler     handlerWithStop
 	MatchSubdomains bool
 }

@@ -63,7 +64,7 @@ func (w *ResponseWriterChain) GetOrigPattern() string {
 }

 // AddHandler adds a new handler to the chain, replacing any existing handler with the same pattern and priority
-func (c *HandlerChain) AddHandler(pattern string, handler dns.Handler, priority int) {
+func (c *HandlerChain) AddHandler(pattern string, handler dns.Handler, priority int, stopHandler handlerWithStop) {
 	c.mu.Lock()
 	defer c.mu.Unlock()

@@ -77,6 +78,9 @@ func (c *HandlerChain) AddHandler(pattern string, handler dns.Handler, priority
 	// First remove any existing handler with same pattern (case-insensitive) and priority
 	for i := len(c.handlers) - 1; i >= 0; i-- {
 		if strings.EqualFold(c.handlers[i].OrigPattern, origPattern) && c.handlers[i].Priority == priority {
+			if c.handlers[i].StopHandler != nil {
+				c.handlers[i].StopHandler.stop()
+			}
 			c.handlers = append(c.handlers[:i], c.handlers[i+1:]...)
 			break
 		}
@@ -97,6 +101,7 @@ func (c *HandlerChain) AddHandler(pattern string, handler dns.Handler, priority
 		Pattern:         pattern,
 		OrigPattern:     origPattern,
 		IsWildcard:      isWildcard,
+		StopHandler:     stopHandler,
 		MatchSubdomains: matchSubdomains,
 	}

@@ -137,6 +142,9 @@ func (c *HandlerChain) RemoveHandler(pattern string, priority int) {
 	for i := len(c.handlers) - 1; i >= 0; i-- {
 		entry := c.handlers[i]
 		if strings.EqualFold(entry.OrigPattern, pattern) && entry.Priority == priority {
+			if entry.StopHandler != nil {
+				entry.StopHandler.stop()
+			}
 			c.handlers = append(c.handlers[:i], c.handlers[i+1:]...)
 			return
 		}
@@ -172,8 +180,8 @@ func (c *HandlerChain) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	if log.IsLevelEnabled(log.TraceLevel) {
 		log.Tracef("current handlers (%d):", len(handlers))
 		for _, h := range handlers {
-			log.Tracef("  - pattern: domain=%s original: domain=%s wildcard=%v match_subdomain=%v priority=%d",
-				h.Pattern, h.OrigPattern, h.IsWildcard, h.MatchSubdomains, h.Priority)
+			log.Tracef("  - pattern: domain=%s original: domain=%s wildcard=%v priority=%d",
+				h.Pattern, h.OrigPattern, h.IsWildcard, h.Priority)
 		}
 	}

@@ -198,13 +206,13 @@ func (c *HandlerChain) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		}

 		if !matched {
-			log.Tracef("trying domain match: request: domain=%s pattern: domain=%s wildcard=%v match_subdomain=%v priority=%d matched=false",
-				qname, entry.OrigPattern, entry.MatchSubdomains, entry.IsWildcard, entry.Priority)
+			log.Tracef("trying domain match: request: domain=%s pattern: domain=%s wildcard=%v match_subdomain=%v matched=false",
+				qname, entry.OrigPattern, entry.MatchSubdomains, entry.IsWildcard)
 			continue
 		}

-		log.Tracef("handler matched: request: domain=%s pattern: domain=%s wildcard=%v match_subdomain=%v priority=%d",
-			qname, entry.OrigPattern, entry.IsWildcard, entry.MatchSubdomains, entry.Priority)
+		log.Tracef("handler matched: request: domain=%s pattern: domain=%s wildcard=%v match_subdomain=%v",
+			qname, entry.OrigPattern, entry.IsWildcard, entry.MatchSubdomains)

 		chainWriter := &ResponseWriterChain{
 			ResponseWriter: w,
--- a/client/internal/dns/handler_chain_test.go
+++ b/client/internal/dns/handler_chain_test.go
@@ -21,9 +21,9 @@ func TestHandlerChain_ServeDNS_Priorities(t *testing.T) {
 	dnsRouteHandler := &nbdns.MockHandler{}

 	// Setup handlers with different priorities
-	chain.AddHandler("example.com.", defaultHandler, nbdns.PriorityDefault)
-	chain.AddHandler("example.com.", matchDomainHandler, nbdns.PriorityMatchDomain)
-	chain.AddHandler("example.com.", dnsRouteHandler, nbdns.PriorityDNSRoute)
+	chain.AddHandler("example.com.", defaultHandler, nbdns.PriorityDefault, nil)
+	chain.AddHandler("example.com.", matchDomainHandler, nbdns.PriorityMatchDomain, nil)
+	chain.AddHandler("example.com.", dnsRouteHandler, nbdns.PriorityDNSRoute, nil)

 	// Create test request
 	r := new(dns.Msg)
@@ -138,7 +138,7 @@ func TestHandlerChain_ServeDNS_DomainMatching(t *testing.T) {
 				pattern = "*." + tt.handlerDomain[2:]
 			}

-			chain.AddHandler(pattern, handler, nbdns.PriorityDefault)
+			chain.AddHandler(pattern, handler, nbdns.PriorityDefault, nil)

 			r := new(dns.Msg)
 			r.SetQuestion(tt.queryDomain, dns.TypeA)
@@ -253,7 +253,7 @@ func TestHandlerChain_ServeDNS_OverlappingDomains(t *testing.T) {
 					handler.On("ServeDNS", mock.Anything, mock.Anything).Maybe()
 				}

-				chain.AddHandler(tt.handlers[i].pattern, handler, tt.handlers[i].priority)
+				chain.AddHandler(tt.handlers[i].pattern, handler, tt.handlers[i].priority, nil)
 			}

 			// Create and execute request
@@ -280,9 +280,9 @@ func TestHandlerChain_ServeDNS_ChainContinuation(t *testing.T) {
 	handler3 := &nbdns.MockHandler{}

 	// Add handlers in priority order
-	chain.AddHandler("example.com.", handler1, nbdns.PriorityDNSRoute)
-	chain.AddHandler("example.com.", handler2, nbdns.PriorityMatchDomain)
-	chain.AddHandler("example.com.", handler3, nbdns.PriorityDefault)
+	chain.AddHandler("example.com.", handler1, nbdns.PriorityDNSRoute, nil)
+	chain.AddHandler("example.com.", handler2, nbdns.PriorityMatchDomain, nil)
+	chain.AddHandler("example.com.", handler3, nbdns.PriorityDefault, nil)

 	// Create test request
 	r := new(dns.Msg)
@@ -416,7 +416,7 @@ func TestHandlerChain_PriorityDeregistration(t *testing.T) {
 				if op.action == "add" {
 					handler := &nbdns.MockHandler{}
 					handlers[op.priority] = handler
-					chain.AddHandler(op.pattern, handler, op.priority)
+					chain.AddHandler(op.pattern, handler, op.priority, nil)
 				} else {
 					chain.RemoveHandler(op.pattern, op.priority)
 				}
@@ -471,9 +471,9 @@ func TestHandlerChain_MultiPriorityHandling(t *testing.T) {
 	r.SetQuestion(testQuery, dns.TypeA)

 	// Add handlers in mixed order
-	chain.AddHandler(testDomain, defaultHandler, nbdns.PriorityDefault)
-	chain.AddHandler(testDomain, routeHandler, nbdns.PriorityDNSRoute)
-	chain.AddHandler(testDomain, matchHandler, nbdns.PriorityMatchDomain)
+	chain.AddHandler(testDomain, defaultHandler, nbdns.PriorityDefault, nil)
+	chain.AddHandler(testDomain, routeHandler, nbdns.PriorityDNSRoute, nil)
+	chain.AddHandler(testDomain, matchHandler, nbdns.PriorityMatchDomain, nil)

 	// Test 1: Initial state with all three handlers
 	w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
@@ -653,7 +653,7 @@ func TestHandlerChain_CaseSensitivity(t *testing.T) {
 					handler = mockHandler
 				}

-				chain.AddHandler(pattern, handler, h.priority)
+				chain.AddHandler(pattern, handler, h.priority, nil)
 			}

 			// Execute request
@@ -795,7 +795,7 @@ func TestHandlerChain_DomainSpecificityOrdering(t *testing.T) {
 				if op.action == "add" {
 					handler := &nbdns.MockSubdomainHandler{Subdomains: op.subdomain}
 					handlers[op.pattern] = handler
-					chain.AddHandler(op.pattern, handler, op.priority)
+					chain.AddHandler(op.pattern, handler, op.priority, nil)
 				} else {
 					chain.RemoveHandler(op.pattern, op.priority)
 				}
--- a/client/internal/dns/host.go
+++ b/client/internal/dns/host.go
@@ -9,18 +9,10 @@ import (
 	nbdns "github.com/netbirdio/netbird/dns"
 )

-var ErrRouteAllWithoutNameserverGroup = fmt.Errorf("unable to configure DNS for this peer using file manager without a nameserver group with all domains configured")
-
-const (
-	ipv4ReverseZone = ".in-addr.arpa"
-	ipv6ReverseZone = ".ip6.arpa"
-)
-
 type hostManager interface {
 	applyDNSConfig(config HostDNSConfig, stateManager *statemanager.Manager) error
 	restoreHostDNS() error
 	supportCustomPort() bool
-	string() string
 }

 type SystemDNSSettings struct {
@@ -47,7 +39,6 @@ type mockHostConfigurator struct {
 	restoreHostDNSFunc            func() error
 	supportCustomPortFunc         func() bool
 	restoreUncleanShutdownDNSFunc func(*netip.Addr) error
-	stringFunc                    func() string
 }

 func (m *mockHostConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *statemanager.Manager) error {
@@ -71,13 +62,6 @@ func (m *mockHostConfigurator) supportCustomPort() bool {
 	return false
 }

-func (m *mockHostConfigurator) string() string {
-	if m.stringFunc != nil {
-		return m.stringFunc()
-	}
-	return "mock"
-}
-
 func newNoopHostMocker() hostManager {
 	return &mockHostConfigurator{
 		applyDNSConfigFunc:            func(config HostDNSConfig, stateManager *statemanager.Manager) error { return nil },
@@ -110,10 +94,9 @@ func dnsConfigToHostDNSConfig(dnsConfig nbdns.Config, ip string, port int) HostD
 	}

 	for _, customZone := range dnsConfig.CustomZones {
-		matchOnly := strings.HasSuffix(customZone.Domain, ipv4ReverseZone) || strings.HasSuffix(customZone.Domain, ipv6ReverseZone)
 		config.Domains = append(config.Domains, DomainConfig{
 			Domain:    strings.TrimSuffix(customZone.Domain, "."),
-			MatchOnly: matchOnly,
+			MatchOnly: false,
 		})
 	}

@@ -133,7 +116,3 @@ func (n noopHostConfigurator) restoreHostDNS() error {
 func (n noopHostConfigurator) supportCustomPort() bool {
 	return true
 }
-
-func (n noopHostConfigurator) string() string {
-	return "noop"
-}
--- a/client/internal/dns/host_android.go
+++ b/client/internal/dns/host_android.go
@@ -22,7 +22,3 @@ func (a androidHostManager) restoreHostDNS() error {
 func (a androidHostManager) supportCustomPort() bool {
 	return false
 }
-
-func (a androidHostManager) string() string {
-	return "none"
-}
--- a/client/internal/dns/host_darwin.go
+++ b/client/internal/dns/host_darwin.go
@@ -114,10 +114,6 @@ func (s *systemConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *
 	return nil
 }

-func (s *systemConfigurator) string() string {
-	return "scutil"
-}
-
 func (s *systemConfigurator) restoreHostDNS() error {
 	keys := s.getRemovableKeysWithDefaults()
 	for _, key := range keys {
--- a/client/internal/dns/host_ios.go
+++ b/client/internal/dns/host_ios.go
@@ -38,7 +38,3 @@ func (a iosHostManager) restoreHostDNS() error {
 func (a iosHostManager) supportCustomPort() bool {
 	return false
 }
-
-func (a iosHostManager) string() string {
-	return "none"
-}
--- a/client/internal/dns/host_windows.go
+++ b/client/internal/dns/host_windows.go
@@ -1,51 +1,35 @@
 package dns

 import (
-	"errors"
 	"fmt"
 	"io"
 	"strings"
-	"syscall"

-	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/windows/registry"

-	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )

-var (
-	userenv = syscall.NewLazyDLL("userenv.dll")
-
-	// https://learn.microsoft.com/en-us/windows/win32/api/userenv/nf-userenv-refreshpolicyex
-	refreshPolicyExFn = userenv.NewProc("RefreshPolicyEx")
-)
-
 const (
-	dnsPolicyConfigMatchPath    = `SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DnsPolicyConfig\NetBird-Match`
-	gpoDnsPolicyRoot            = `SOFTWARE\Policies\Microsoft\Windows NT\DNSClient`
-	gpoDnsPolicyConfigMatchPath = gpoDnsPolicyRoot + `\DnsPolicyConfig\NetBird-Match`
-
+	dnsPolicyConfigMatchPath            = `SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DnsPolicyConfig\NetBird-Match`
 	dnsPolicyConfigVersionKey           = "Version"
 	dnsPolicyConfigVersionValue         = 2
 	dnsPolicyConfigNameKey              = "Name"
 	dnsPolicyConfigGenericDNSServersKey = "GenericDNSServers"
 	dnsPolicyConfigConfigOptionsKey     = "ConfigOptions"
 	dnsPolicyConfigConfigOptionsValue   = 0x8
+)

+const (
 	interfaceConfigPath          = `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`
 	interfaceConfigNameServerKey = "NameServer"
 	interfaceConfigSearchListKey = "SearchList"
-
-	// RP_FORCE: Reapply all policies even if no policy change was detected
-	rpForce = 0x1
 )

 type registryConfigurator struct {
 	guid       string
 	routingAll bool
-	gpo        bool
 }

 func newHostManager(wgInterface WGIface) (*registryConfigurator, error) {
@@ -53,20 +37,12 @@ func newHostManager(wgInterface WGIface) (*registryConfigurator, error) {
 	if err != nil {
 		return nil, err
 	}
+	return newHostManagerWithGuid(guid)
+}

-	var useGPO bool
-	k, err := registry.OpenKey(registry.LOCAL_MACHINE, gpoDnsPolicyRoot, registry.QUERY_VALUE)
-	if err != nil {
-		log.Debugf("failed to open GPO DNS policy root: %v", err)
-	} else {
-		closer(k)
-		useGPO = true
-		log.Infof("detected GPO DNS policy configuration, using policy store")
-	}
-
+func newHostManagerWithGuid(guid string) (*registryConfigurator, error) {
 	return &registryConfigurator{
 		guid: guid,
-		gpo:  useGPO,
 	}, nil
 }

@@ -75,23 +51,30 @@ func (r *registryConfigurator) supportCustomPort() bool {
 }

 func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *statemanager.Manager) error {
+	var err error
 	if config.RouteAll {
-		if err := r.addDNSSetupForAll(config.ServerIP); err != nil {
+		err = r.addDNSSetupForAll(config.ServerIP)
+		if err != nil {
 			return fmt.Errorf("add dns setup: %w", err)
 		}
 	} else if r.routingAll {
-		if err := r.deleteInterfaceRegistryKeyProperty(interfaceConfigNameServerKey); err != nil {
+		err = r.deleteInterfaceRegistryKeyProperty(interfaceConfigNameServerKey)
+		if err != nil {
 			return fmt.Errorf("delete interface registry key property: %w", err)
 		}
 		r.routingAll = false
 		log.Infof("removed %s as main DNS forwarder for this peer", config.ServerIP)
 	}

-	if err := stateManager.UpdateState(&ShutdownState{Guid: r.guid, GPO: r.gpo}); err != nil {
+	if err := stateManager.UpdateState(&ShutdownState{Guid: r.guid}); err != nil {
 		log.Errorf("failed to update shutdown state: %s", err)
 	}

-	var searchDomains, matchDomains []string
+	var (
+		searchDomains []string
+		matchDomains  []string
+	)
+
 	for _, dConf := range config.Domains {
 		if dConf.Disabled {
 			continue
@@ -103,16 +86,16 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 	}

 	if len(matchDomains) != 0 {
-		if err := r.addDNSMatchPolicy(matchDomains, config.ServerIP); err != nil {
-			return fmt.Errorf("add dns match policy: %w", err)
-		}
+		err = r.addDNSMatchPolicy(matchDomains, config.ServerIP)
 	} else {
-		if err := r.removeDNSMatchPolicies(); err != nil {
-			return fmt.Errorf("remove dns match policies: %w", err)
-		}
+		err = removeRegistryKeyFromDNSPolicyConfig(dnsPolicyConfigMatchPath)
+	}
+	if err != nil {
+		return fmt.Errorf("add dns match policy: %w", err)
 	}

-	if err := r.updateSearchDomains(searchDomains); err != nil {
+	err = r.updateSearchDomains(searchDomains)
+	if err != nil {
 		return fmt.Errorf("update search domains: %w", err)
 	}

@@ -120,8 +103,9 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 }

 func (r *registryConfigurator) addDNSSetupForAll(ip string) error {
-	if err := r.setInterfaceRegistryKeyStringValue(interfaceConfigNameServerKey, ip); err != nil {
-		return fmt.Errorf("adding dns setup for all failed: %w", err)
+	err := r.setInterfaceRegistryKeyStringValue(interfaceConfigNameServerKey, ip)
+	if err != nil {
+		return fmt.Errorf("adding dns setup for all failed with error: %w", err)
 	}
 	r.routingAll = true
 	log.Infof("configured %s:53 as main DNS forwarder for this peer", ip)
@@ -129,70 +113,64 @@ func (r *registryConfigurator) addDNSSetupForAll(ip string) error {
 }

 func (r *registryConfigurator) addDNSMatchPolicy(domains []string, ip string) error {
-	// if the gpo key is present, we need to put our DNS settings there, otherwise our config might be ignored
-	// see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpnrpt/8cc31cb9-20cb-4140-9e85-3e08703b4745
-	if r.gpo {
-		if err := r.configureDNSPolicy(gpoDnsPolicyConfigMatchPath, domains, ip); err != nil {
-			return fmt.Errorf("configure GPO DNS policy: %w", err)
-		}
-
-		if err := r.configureDNSPolicy(dnsPolicyConfigMatchPath, domains, ip); err != nil {
-			return fmt.Errorf("configure local DNS policy: %w", err)
-		}
-
-		if err := refreshGroupPolicy(); err != nil {
-			log.Warnf("failed to refresh group policy: %v", err)
-		}
-	} else {
-		if err := r.configureDNSPolicy(dnsPolicyConfigMatchPath, domains, ip); err != nil {
-			return fmt.Errorf("configure local DNS policy: %w", err)
+	_, err := registry.OpenKey(registry.LOCAL_MACHINE, dnsPolicyConfigMatchPath, registry.QUERY_VALUE)
+	if err == nil {
+		err = registry.DeleteKey(registry.LOCAL_MACHINE, dnsPolicyConfigMatchPath)
+		if err != nil {
+			return fmt.Errorf("unable to remove existing key from registry, key: HKEY_LOCAL_MACHINE\\%s, error: %w", dnsPolicyConfigMatchPath, err)
 		}
 	}

-	log.Infof("added %d match domains. Domain list: %s", len(domains), domains)
-	return nil
-}
-
-// configureDNSPolicy handles the actual configuration of a DNS policy at the specified path
-func (r *registryConfigurator) configureDNSPolicy(policyPath string, domains []string, ip string) error {
-	if err := removeRegistryKeyFromDNSPolicyConfig(policyPath); err != nil {
-		return fmt.Errorf("remove existing dns policy: %w", err)
-	}
-
-	regKey, _, err := registry.CreateKey(registry.LOCAL_MACHINE, policyPath, registry.SET_VALUE)
+	regKey, _, err := registry.CreateKey(registry.LOCAL_MACHINE, dnsPolicyConfigMatchPath, registry.SET_VALUE)
 	if err != nil {
-		return fmt.Errorf("create registry key HKEY_LOCAL_MACHINE\\%s: %w", policyPath, err)
-	}
-	defer closer(regKey)
-
-	if err := regKey.SetDWordValue(dnsPolicyConfigVersionKey, dnsPolicyConfigVersionValue); err != nil {
-		return fmt.Errorf("set %s: %w", dnsPolicyConfigVersionKey, err)
+		return fmt.Errorf("unable to create registry key, key: HKEY_LOCAL_MACHINE\\%s, error: %w", dnsPolicyConfigMatchPath, err)
 	}

-	if err := regKey.SetStringsValue(dnsPolicyConfigNameKey, domains); err != nil {
-		return fmt.Errorf("set %s: %w", dnsPolicyConfigNameKey, err)
+	err = regKey.SetDWordValue(dnsPolicyConfigVersionKey, dnsPolicyConfigVersionValue)
+	if err != nil {
+		return fmt.Errorf("unable to set registry value for %s, error: %w", dnsPolicyConfigVersionKey, err)
 	}

-	if err := regKey.SetStringValue(dnsPolicyConfigGenericDNSServersKey, ip); err != nil {
-		return fmt.Errorf("set %s: %w", dnsPolicyConfigGenericDNSServersKey, err)
+	err = regKey.SetStringsValue(dnsPolicyConfigNameKey, domains)
+	if err != nil {
+		return fmt.Errorf("unable to set registry value for %s, error: %w", dnsPolicyConfigNameKey, err)
 	}

-	if err := regKey.SetDWordValue(dnsPolicyConfigConfigOptionsKey, dnsPolicyConfigConfigOptionsValue); err != nil {
-		return fmt.Errorf("set %s: %w", dnsPolicyConfigConfigOptionsKey, err)
+	err = regKey.SetStringValue(dnsPolicyConfigGenericDNSServersKey, ip)
+	if err != nil {
+		return fmt.Errorf("unable to set registry value for %s, error: %w", dnsPolicyConfigGenericDNSServersKey, err)
 	}

+	err = regKey.SetDWordValue(dnsPolicyConfigConfigOptionsKey, dnsPolicyConfigConfigOptionsValue)
+	if err != nil {
+		return fmt.Errorf("unable to set registry value for %s, error: %w", dnsPolicyConfigConfigOptionsKey, err)
+	}
+
+	log.Infof("added %d match domains to the state. Domain list: %s", len(domains), domains)
+
 	return nil
 }

-func (r *registryConfigurator) string() string {
-	return "registry"
+func (r *registryConfigurator) restoreHostDNS() error {
+	if err := removeRegistryKeyFromDNSPolicyConfig(dnsPolicyConfigMatchPath); err != nil {
+		log.Errorf("remove registry key from dns policy config: %s", err)
+	}
+
+	if err := r.deleteInterfaceRegistryKeyProperty(interfaceConfigSearchListKey); err != nil {
+		return fmt.Errorf("remove interface registry key: %w", err)
+	}
+
+	return nil
 }

 func (r *registryConfigurator) updateSearchDomains(domains []string) error {
-	if err := r.setInterfaceRegistryKeyStringValue(interfaceConfigSearchListKey, strings.Join(domains, ",")); err != nil {
-		return fmt.Errorf("update search domains: %w", err)
+	err := r.setInterfaceRegistryKeyStringValue(interfaceConfigSearchListKey, strings.Join(domains, ","))
+	if err != nil {
+		return fmt.Errorf("adding search domain failed with error: %w", err)
 	}
-	log.Infof("updated search domains: %s", domains)
+
+	log.Infof("updated the search domains in the registry with %d domains. Domain list: %s", len(domains), domains)
+
 	return nil
 }

@@ -203,9 +181,11 @@ func (r *registryConfigurator) setInterfaceRegistryKeyStringValue(key, value str
 	}
 	defer closer(regKey)

-	if err := regKey.SetStringValue(key, value); err != nil {
-		return fmt.Errorf("set key %s=%s: %w", key, value, err)
+	err = regKey.SetStringValue(key, value)
+	if err != nil {
+		return fmt.Errorf("applying key %s with value \"%s\" for interface failed with error: %w", key, value, err)
 	}
+
 	return nil
 }

@@ -216,91 +196,43 @@ func (r *registryConfigurator) deleteInterfaceRegistryKeyProperty(propertyKey st
 	}
 	defer closer(regKey)

-	if err := regKey.DeleteValue(propertyKey); err != nil {
-		return fmt.Errorf("delete registry key %s: %w", propertyKey, err)
+	err = regKey.DeleteValue(propertyKey)
+	if err != nil {
+		return fmt.Errorf("deleting registry key %s for interface failed with error: %w", propertyKey, err)
 	}
+
 	return nil
 }

 func (r *registryConfigurator) getInterfaceRegistryKey() (registry.Key, error) {
+	var regKey registry.Key
+
 	regKeyPath := interfaceConfigPath + "\\" + r.guid
+
 	regKey, err := registry.OpenKey(registry.LOCAL_MACHINE, regKeyPath, registry.SET_VALUE)
 	if err != nil {
-		return regKey, fmt.Errorf("open HKEY_LOCAL_MACHINE\\%s: %w", regKeyPath, err)
+		return regKey, fmt.Errorf("unable to open the interface registry key, key: HKEY_LOCAL_MACHINE\\%s, error: %w", regKeyPath, err)
 	}
+
 	return regKey, nil
 }

-func (r *registryConfigurator) restoreHostDNS() error {
-	if err := r.removeDNSMatchPolicies(); err != nil {
-		log.Errorf("remove dns match policies: %s", err)
-	}
-
-	if err := r.deleteInterfaceRegistryKeyProperty(interfaceConfigSearchListKey); err != nil {
-		return fmt.Errorf("remove interface registry key: %w", err)
-	}
-
-	return nil
-}
-
-func (r *registryConfigurator) removeDNSMatchPolicies() error {
-	var merr *multierror.Error
-	if err := removeRegistryKeyFromDNSPolicyConfig(dnsPolicyConfigMatchPath); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("remove local registry key: %w", err))
-	}
-
-	if err := removeRegistryKeyFromDNSPolicyConfig(gpoDnsPolicyConfigMatchPath); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("remove GPO registry key: %w", err))
-	}
-
-	if err := refreshGroupPolicy(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("refresh group policy: %w", err))
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
 func (r *registryConfigurator) restoreUncleanShutdownDNS() error {
-	return r.restoreHostDNS()
+	if err := r.restoreHostDNS(); err != nil {
+		return fmt.Errorf("restoring dns via registry: %w", err)
+	}
+	return nil
 }

 func removeRegistryKeyFromDNSPolicyConfig(regKeyPath string) error {
 	k, err := registry.OpenKey(registry.LOCAL_MACHINE, regKeyPath, registry.QUERY_VALUE)
-	if err != nil {
-		log.Debugf("failed to open HKEY_LOCAL_MACHINE\\%s: %v", regKeyPath, err)
-		return nil
-	}
-
-	closer(k)
-	if err := registry.DeleteKey(registry.LOCAL_MACHINE, regKeyPath); err != nil {
-		return fmt.Errorf("delete HKEY_LOCAL_MACHINE\\%s: %w", regKeyPath, err)
-	}
-
-	return nil
-}
-
-func refreshGroupPolicy() error {
-	// refreshPolicyExFn.Call() panics if the func is not found
-	defer func() {
-		if r := recover(); r != nil {
-			log.Errorf("Recovered from panic: %v", r)
+	if err == nil {
+		defer closer(k)
+		err = registry.DeleteKey(registry.LOCAL_MACHINE, regKeyPath)
+		if err != nil {
+			return fmt.Errorf("unable to remove existing key from registry, key: HKEY_LOCAL_MACHINE\\%s, error: %w", regKeyPath, err)
 		}
-	}()
-
-	ret, _, err := refreshPolicyExFn.Call(
-		// bMachine = TRUE (computer policy)
-		uintptr(1),
-		// dwOptions = RP_FORCE
-		uintptr(rpForce),
-	)
-
-	if ret == 0 {
-		if err != nil && !errors.Is(err, syscall.Errno(0)) {
-			return fmt.Errorf("RefreshPolicyEx failed: %w", err)
-		}
-		return fmt.Errorf("RefreshPolicyEx failed")
 	}
-
 	return nil
 }

--- a/client/internal/dns/local.go
+++ b/client/internal/dns/local.go
@@ -2,7 +2,6 @@ package dns

 import (
 	"fmt"
-	"strings"
 	"sync"

 	"github.com/miekg/dns"
@@ -15,7 +14,7 @@ type registrationMap map[string]struct{}

 type localResolver struct {
 	registeredMap registrationMap
-	records       sync.Map // key: string (domain_class_type), value: []dns.RR
+	records       sync.Map
 }

 func (d *localResolver) MatchSubdomains() bool {
@@ -30,26 +29,20 @@ func (d *localResolver) String() string {
 	return fmt.Sprintf("local resolver [%d records]", len(d.registeredMap))
 }

-// ID returns the unique handler ID
-func (d *localResolver) id() handlerID {
-	return "local-resolver"
-}
-
 // ServeDNS handles a DNS request
 func (d *localResolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	if len(r.Question) > 0 {
-		log.Tracef("received local question: domain=%s type=%v class=%v", r.Question[0].Name, r.Question[0].Qtype, r.Question[0].Qclass)
+		log.Tracef("received question: domain=%s type=%v class=%v", r.Question[0].Name, r.Question[0].Qtype, r.Question[0].Qclass)
 	}

 	replyMessage := &dns.Msg{}
 	replyMessage.SetReply(r)
 	replyMessage.RecursionAvailable = true
+	replyMessage.Rcode = dns.RcodeSuccess

-	// lookup all records matching the question
-	records := d.lookupRecords(r)
-	if len(records) > 0 {
-		replyMessage.Rcode = dns.RcodeSuccess
-		replyMessage.Answer = append(replyMessage.Answer, records...)
+	response := d.lookupRecord(r)
+	if response != nil {
+		replyMessage.Answer = append(replyMessage.Answer, response)
 	} else {
 		replyMessage.Rcode = dns.RcodeNameError
 	}
@@ -60,65 +53,37 @@ func (d *localResolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	}
 }

-// lookupRecords fetches *all* DNS records matching the first question in r.
-func (d *localResolver) lookupRecords(r *dns.Msg) []dns.RR {
-	if len(r.Question) == 0 {
-		return nil
-	}
+func (d *localResolver) lookupRecord(r *dns.Msg) dns.RR {
 	question := r.Question[0]
-	question.Name = strings.ToLower(question.Name)
-	key := buildRecordKey(question.Name, question.Qclass, question.Qtype)
-
-	value, found := d.records.Load(key)
+	record, found := d.records.Load(buildRecordKey(question.Name, question.Qclass, question.Qtype))
 	if !found {
 		return nil
 	}

-	records, ok := value.([]dns.RR)
-	if !ok {
-		log.Errorf("failed to cast records to []dns.RR, records: %v", value)
-		return nil
-	}
-
-	// if there's more than one record, rotate them (round-robin)
-	if len(records) > 1 {
-		first := records[0]
-		records = append(records[1:], first)
-		d.records.Store(key, records)
-	}
-
-	return records
+	return record.(dns.RR)
 }

-// registerRecord stores a new record by appending it to any existing list
-func (d *localResolver) registerRecord(record nbdns.SimpleRecord) (string, error) {
-	rr, err := dns.NewRR(record.String())
+func (d *localResolver) registerRecord(record nbdns.SimpleRecord) error {
+	fullRecord, err := dns.NewRR(record.String())
 	if err != nil {
-		return "", fmt.Errorf("register record: %w", err)
+		return fmt.Errorf("register record: %w", err)
 	}

-	rr.Header().Rdlength = record.Len()
-	header := rr.Header()
-	key := buildRecordKey(header.Name, header.Class, header.Rrtype)
+	fullRecord.Header().Rdlength = record.Len()

-	// load any existing slice of records, then append
-	existing, _ := d.records.LoadOrStore(key, []dns.RR{})
-	records := existing.([]dns.RR)
-	records = append(records, rr)
+	header := fullRecord.Header()
+	d.records.Store(buildRecordKey(header.Name, header.Class, header.Rrtype), fullRecord)

-	// store updated slice
-	d.records.Store(key, records)
-	return key, nil
+	return nil
 }

-// deleteRecord removes *all* records under the recordKey.
 func (d *localResolver) deleteRecord(recordKey string) {
 	d.records.Delete(dns.Fqdn(recordKey))
 }

-// buildRecordKey consistently generates a key: name_class_type
 func buildRecordKey(name string, class, qType uint16) string {
-	return fmt.Sprintf("%s_%d_%d", dns.Fqdn(name), class, qType)
+	key := fmt.Sprintf("%s_%d_%d", name, class, qType)
+	return key
 }

 func (d *localResolver) probeAvailability() {}
--- a/client/internal/dns/local_test.go
+++ b/client/internal/dns/local_test.go
@@ -55,7 +55,7 @@ func TestLocalResolver_ServeDNS(t *testing.T) {
 			resolver := &localResolver{
 				registeredMap: make(registrationMap),
 			}
-			_, _ = resolver.registerRecord(testCase.inputRecord)
+			_ = resolver.registerRecord(testCase.inputRecord)
 			var responseMSG *dns.Msg
 			responseWriter := &mockResponseWriter{
 				WriteMsgFunc: func(m *dns.Msg) error {
--- a/client/internal/dns/network_manager_unix.go
+++ b/client/internal/dns/network_manager_unix.go
@@ -179,10 +179,6 @@ func (n *networkManagerDbusConfigurator) restoreHostDNS() error {
 	return nil
 }

-func (n *networkManagerDbusConfigurator) string() string {
-	return "network-manager"
-}
-
 func (n *networkManagerDbusConfigurator) getAppliedConnectionSettings() (networkManagerConnSettings, networkManagerConfigVersion, error) {
 	obj, closeConn, err := getDbusObject(networkManagerDest, n.dbusLinkObject)
 	if err != nil {
--- a/client/internal/dns/resolvconf_unix.go
+++ b/client/internal/dns/resolvconf_unix.go
@@ -91,7 +91,7 @@ func (r *resolvconf) applyDNSConfig(config HostDNSConfig, stateManager *stateman
 		if err != nil {
 			log.Errorf("restore host dns: %s", err)
 		}
-		return ErrRouteAllWithoutNameserverGroup
+		return fmt.Errorf("unable to configure DNS for this peer using resolvconf manager without a nameserver group with all domains configured")
 	}

 	searchDomainList := searchDomains(config)
@@ -139,10 +139,6 @@ func (r *resolvconf) restoreHostDNS() error {
 	return nil
 }

-func (r *resolvconf) string() string {
-	return fmt.Sprintf("resolvconf (%s)", r.implType)
-}
-
 func (r *resolvconf) applyConfig(content bytes.Buffer) error {
 	var cmd *exec.Cmd

--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -2,10 +2,10 @@ package dns

 import (
 	"context"
-	"errors"
 	"fmt"
 	"net/netip"
 	"runtime"
+	"strings"
 	"sync"

 	"github.com/miekg/dns"
@@ -16,7 +16,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
-	cProto "github.com/netbirdio/netbird/client/proto"
 	nbdns "github.com/netbirdio/netbird/dns"
 )

@@ -43,12 +42,7 @@ type Server interface {
 	ProbeAvailability()
 }

-type handlerID string
-
-type nsGroupsByDomain struct {
-	domain string
-	groups []*nbdns.NameServerGroup
-}
+type registeredHandlerMap map[string]handlerWithStop

 // DefaultServer dns server object
 type DefaultServer struct {
@@ -58,6 +52,7 @@ type DefaultServer struct {
 	mux                sync.Mutex
 	service            service
 	dnsMuxMap          registeredHandlerMap
+	handlerPriorities  map[string]int
 	localResolver      *localResolver
 	wgInterface        WGIface
 	hostManager        hostManager
@@ -82,17 +77,14 @@ type handlerWithStop interface {
 	dns.Handler
 	stop()
 	probeAvailability()
-	id() handlerID
 }

-type handlerWrapper struct {
+type muxUpdate struct {
 	domain   string
 	handler  handlerWithStop
 	priority int
 }

-type registeredHandlerMap map[handlerID]handlerWrapper
-
 // NewDefaultServer returns a new dns server
 func NewDefaultServer(
 	ctx context.Context,
@@ -166,12 +158,13 @@ func newDefaultServer(
 ) *DefaultServer {
 	ctx, stop := context.WithCancel(ctx)
 	defaultServer := &DefaultServer{
-		ctx:          ctx,
-		ctxCancel:    stop,
-		disableSys:   disableSys,
-		service:      dnsService,
-		handlerChain: NewHandlerChain(),
-		dnsMuxMap:    make(registeredHandlerMap),
+		ctx:               ctx,
+		ctxCancel:         stop,
+		disableSys:        disableSys,
+		service:           dnsService,
+		handlerChain:      NewHandlerChain(),
+		dnsMuxMap:         make(registeredHandlerMap),
+		handlerPriorities: make(map[string]int),
 		localResolver: &localResolver{
 			registeredMap: make(registrationMap),
 		},
@@ -199,7 +192,8 @@ func (s *DefaultServer) registerHandler(domains []string, handler dns.Handler, p
 			log.Warn("skipping empty domain")
 			continue
 		}
-		s.handlerChain.AddHandler(domain, handler, priority)
+		s.handlerChain.AddHandler(domain, handler, priority, nil)
+		s.handlerPriorities[domain] = priority
 		s.service.RegisterMux(nbdns.NormalizeZone(domain), s.handlerChain)
 	}
 }
@@ -215,15 +209,14 @@ func (s *DefaultServer) deregisterHandler(domains []string, priority int) {
 	log.Debugf("deregistering handler %v with priority %d", domains, priority)

 	for _, domain := range domains {
-		if domain == "" {
-			log.Warn("skipping empty domain")
-			continue
-		}
-
 		s.handlerChain.RemoveHandler(domain, priority)

 		// Only deregister from service if no handlers remain
 		if !s.handlerChain.HasHandlers(domain) {
+			if domain == "" {
+				log.Warn("skipping empty domain")
+				continue
+			}
 			s.service.DeregisterMux(nbdns.NormalizeZone(domain))
 		}
 	}
@@ -290,24 +283,14 @@ func (s *DefaultServer) Stop() {

 // OnUpdatedHostDNSServer update the DNS servers addresses for root zones
 // It will be applied if the mgm server do not enforce DNS settings for root zone
-
 func (s *DefaultServer) OnUpdatedHostDNSServer(hostsDnsList []string) {
 	s.hostsDNSHolder.set(hostsDnsList)

-	// Check if there's any root handler
-	var hasRootHandler bool
-	for _, handler := range s.dnsMuxMap {
-		if handler.domain == nbdns.RootZone {
-			hasRootHandler = true
-			break
-		}
-	}
-
-	if hasRootHandler {
+	_, ok := s.dnsMuxMap[nbdns.RootZone]
+	if ok {
 		log.Debugf("on new host DNS config but skip to apply it")
 		return
 	}
-
 	log.Debugf("update host DNS settings: %+v", hostsDnsList)
 	s.addHostRootZone()
 }
@@ -381,7 +364,7 @@ func (s *DefaultServer) ProbeAvailability() {
 		go func(mux handlerWithStop) {
 			defer wg.Done()
 			mux.probeAvailability()
-		}(mux.handler)
+		}(mux)
 	}
 	wg.Wait()
 }
@@ -395,22 +378,18 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 		s.service.Stop()
 	}

-	localMuxUpdates, localRecordsByDomain, err := s.buildLocalHandlerUpdate(update.CustomZones)
+	localMuxUpdates, localRecords, err := s.buildLocalHandlerUpdate(update.CustomZones)
 	if err != nil {
-		return fmt.Errorf("local handler updater: %w", err)
+		return fmt.Errorf("not applying dns update, error: %v", err)
 	}
-
 	upstreamMuxUpdates, err := s.buildUpstreamHandlerUpdate(update.NameServerGroups)
 	if err != nil {
-		return fmt.Errorf("upstream handler updater: %w", err)
+		return fmt.Errorf("not applying dns update, error: %v", err)
 	}
 	muxUpdates := append(localMuxUpdates, upstreamMuxUpdates...) //nolint:gocritic

 	s.updateMux(muxUpdates)
-
-	// register local records
-	s.updateLocalResolver(localRecordsByDomain)
-
+	s.updateLocalResolver(localRecords)
 	s.currentConfig = dnsConfigToHostDNSConfig(update, s.service.RuntimeIP(), s.service.RuntimePort())

 	hostUpdate := s.currentConfig
@@ -422,7 +401,6 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {

 	if err = s.hostManager.applyDNSConfig(hostUpdate, s.stateManager); err != nil {
 		log.Error(err)
-		s.handleErrNoGroupaAll(err)
 	}

 	go func() {
@@ -441,111 +419,42 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 	return nil
 }

-func (s *DefaultServer) handleErrNoGroupaAll(err error) {
-	if !errors.Is(ErrRouteAllWithoutNameserverGroup, err) {
-		return
-	}
-
-	if s.statusRecorder == nil {
-		return
-	}
-
-	s.statusRecorder.PublishEvent(
-		cProto.SystemEvent_WARNING, cProto.SystemEvent_DNS,
-		"The host dns manager does not support match domains",
-		"The host dns manager does not support match domains without a catch-all nameserver group.",
-		map[string]string{"manager": s.hostManager.string()},
-	)
-}
-
-func (s *DefaultServer) buildLocalHandlerUpdate(
-	customZones []nbdns.CustomZone,
-) ([]handlerWrapper, map[string][]nbdns.SimpleRecord, error) {
-	var muxUpdates []handlerWrapper
-	localRecords := make(map[string][]nbdns.SimpleRecord)
+func (s *DefaultServer) buildLocalHandlerUpdate(customZones []nbdns.CustomZone) ([]muxUpdate, map[string]nbdns.SimpleRecord, error) {
+	var muxUpdates []muxUpdate
+	localRecords := make(map[string]nbdns.SimpleRecord, 0)

 	for _, customZone := range customZones {
 		if len(customZone.Records) == 0 {
-			log.Warnf("received a custom zone with empty records, skipping domain: %s", customZone.Domain)
-			continue
+			return nil, nil, fmt.Errorf("received an empty list of records")
 		}

-		muxUpdates = append(muxUpdates, handlerWrapper{
+		muxUpdates = append(muxUpdates, muxUpdate{
 			domain:   customZone.Domain,
 			handler:  s.localResolver,
 			priority: PriorityMatchDomain,
 		})

-		// group all records under this domain
 		for _, record := range customZone.Records {
 			var class uint16 = dns.ClassINET
 			if record.Class != nbdns.DefaultClass {
-				log.Warnf("received an invalid class type: %s", record.Class)
-				continue
+				return nil, nil, fmt.Errorf("received an invalid class type: %s", record.Class)
 			}
-
 			key := buildRecordKey(record.Name, class, uint16(record.Type))
-
-			localRecords[key] = append(localRecords[key], record)
+			localRecords[key] = record
 		}
 	}
-
 	return muxUpdates, localRecords, nil
 }

-func (s *DefaultServer) buildUpstreamHandlerUpdate(nameServerGroups []*nbdns.NameServerGroup) ([]handlerWrapper, error) {
-	var muxUpdates []handlerWrapper
+func (s *DefaultServer) buildUpstreamHandlerUpdate(nameServerGroups []*nbdns.NameServerGroup) ([]muxUpdate, error) {

+	var muxUpdates []muxUpdate
 	for _, nsGroup := range nameServerGroups {
 		if len(nsGroup.NameServers) == 0 {
 			log.Warn("received a nameserver group with empty nameserver list")
 			continue
 		}

-		if !nsGroup.Primary && len(nsGroup.Domains) == 0 {
-			return nil, fmt.Errorf("received a non primary nameserver group with an empty domain list")
-		}
-
-		for _, domain := range nsGroup.Domains {
-			if domain == "" {
-				return nil, fmt.Errorf("received a nameserver group with an empty domain element")
-			}
-		}
-	}
-
-	groupedNS := groupNSGroupsByDomain(nameServerGroups)
-
-	for _, domainGroup := range groupedNS {
-		basePriority := PriorityMatchDomain
-		if domainGroup.domain == nbdns.RootZone {
-			basePriority = PriorityDefault
-		}
-
-		updates, err := s.createHandlersForDomainGroup(domainGroup, basePriority)
-		if err != nil {
-			return nil, err
-		}
-		muxUpdates = append(muxUpdates, updates...)
-	}
-
-	return muxUpdates, nil
-}
-
-func (s *DefaultServer) createHandlersForDomainGroup(domainGroup nsGroupsByDomain, basePriority int) ([]handlerWrapper, error) {
-	var muxUpdates []handlerWrapper
-
-	for i, nsGroup := range domainGroup.groups {
-		// Decrement priority by handler index (0, 1, 2, ...) to avoid conflicts
-		priority := basePriority - i
-
-		// Check if we're about to overlap with the next priority tier
-		if basePriority == PriorityMatchDomain && priority <= PriorityDefault {
-			log.Warnf("too many handlers for domain=%s, would overlap with default priority tier (diff=%d). Skipping remaining handlers",
-				domainGroup.domain, PriorityMatchDomain-PriorityDefault)
-			break
-		}
-
-		log.Debugf("creating handler for domain=%s with priority=%d", domainGroup.domain, priority)
 		handler, err := newUpstreamResolver(
 			s.ctx,
 			s.wgInterface.Name(),
@@ -553,12 +462,10 @@ func (s *DefaultServer) createHandlersForDomainGroup(domainGroup nsGroupsByDomai
 			s.wgInterface.Address().Network,
 			s.statusRecorder,
 			s.hostsDNSHolder,
-			domainGroup.domain,
 		)
 		if err != nil {
-			return nil, fmt.Errorf("create upstream resolver: %v", err)
+			return nil, fmt.Errorf("unable to create a new upstream resolver, error: %v", err)
 		}
-
 		for _, ns := range nsGroup.NameServers {
 			if ns.NSType != nbdns.UDPNameServerType {
 				log.Warnf("skipping nameserver %s with type %s, this peer supports only %s",
@@ -582,51 +489,81 @@ func (s *DefaultServer) createHandlersForDomainGroup(domainGroup nsGroupsByDomai
 		// after some period defined by upstream it tries to reactivate self by calling this hook
 		// everything we need here is just to re-apply current configuration because it already
 		// contains this upstream settings (temporal deactivation not removed it)
-		handler.deactivate, handler.reactivate = s.upstreamCallbacks(nsGroup, handler, priority)
+		handler.deactivate, handler.reactivate = s.upstreamCallbacks(nsGroup, handler)

-		muxUpdates = append(muxUpdates, handlerWrapper{
-			domain:   domainGroup.domain,
-			handler:  handler,
-			priority: priority,
-		})
+		if nsGroup.Primary {
+			muxUpdates = append(muxUpdates, muxUpdate{
+				domain:   nbdns.RootZone,
+				handler:  handler,
+				priority: PriorityDefault,
+			})
+			continue
+		}
+
+		if len(nsGroup.Domains) == 0 {
+			handler.stop()
+			return nil, fmt.Errorf("received a non primary nameserver group with an empty domain list")
+		}
+
+		for _, domain := range nsGroup.Domains {
+			if domain == "" {
+				handler.stop()
+				return nil, fmt.Errorf("received a nameserver group with an empty domain element")
+			}
+			muxUpdates = append(muxUpdates, muxUpdate{
+				domain:   domain,
+				handler:  handler,
+				priority: PriorityMatchDomain,
+			})
+		}
 	}

 	return muxUpdates, nil
 }

-func (s *DefaultServer) updateMux(muxUpdates []handlerWrapper) {
-	// this will introduce a short period of time when the server is not able to handle DNS requests
-	for _, existing := range s.dnsMuxMap {
-		s.deregisterHandler([]string{existing.domain}, existing.priority)
-		existing.handler.stop()
-	}
-
+func (s *DefaultServer) updateMux(muxUpdates []muxUpdate) {
 	muxUpdateMap := make(registeredHandlerMap)
-	var containsRootUpdate bool
+	handlersByPriority := make(map[string]int)

+	var isContainRootUpdate bool
+
+	// First register new handlers
 	for _, update := range muxUpdates {
-		if update.domain == nbdns.RootZone {
-			containsRootUpdate = true
-		}
 		s.registerHandler([]string{update.domain}, update.handler, update.priority)
-		muxUpdateMap[update.handler.id()] = update
+		muxUpdateMap[update.domain] = update.handler
+		handlersByPriority[update.domain] = update.priority
+
+		if existingHandler, ok := s.dnsMuxMap[update.domain]; ok {
+			existingHandler.stop()
+		}
+
+		if update.domain == nbdns.RootZone {
+			isContainRootUpdate = true
+		}
 	}

-	// If there's no root update and we had a root handler, restore it
-	if !containsRootUpdate {
-		for _, existing := range s.dnsMuxMap {
-			if existing.domain == nbdns.RootZone {
+	// Then deregister old handlers not in the update
+	for key, existingHandler := range s.dnsMuxMap {
+		_, found := muxUpdateMap[key]
+		if !found {
+			if !isContainRootUpdate && key == nbdns.RootZone {
 				s.addHostRootZone()
-				break
+				existingHandler.stop()
+			} else {
+				existingHandler.stop()
+				// Deregister with the priority that was used to register
+				if oldPriority, ok := s.handlerPriorities[key]; ok {
+					s.deregisterHandler([]string{key}, oldPriority)
+				}
 			}
 		}
 	}

 	s.dnsMuxMap = muxUpdateMap
+	s.handlerPriorities = handlersByPriority
 }

-func (s *DefaultServer) updateLocalResolver(update map[string][]nbdns.SimpleRecord) {
-	// remove old records that are no longer present
+func (s *DefaultServer) updateLocalResolver(update map[string]nbdns.SimpleRecord) {
 	for key := range s.localResolver.registeredMap {
 		_, found := update[key]
 		if !found {
@@ -635,18 +572,12 @@ func (s *DefaultServer) updateLocalResolver(update map[string][]nbdns.SimpleReco
 	}

 	updatedMap := make(registrationMap)
-	for _, recs := range update {
-		for _, rec := range recs {
-			// convert the record to a dns.RR and register
-			key, err := s.localResolver.registerRecord(rec)
-			if err != nil {
-				log.Warnf("got an error while registering the record (%s), error: %v",
-					rec.String(), err)
-				continue
-			}
-
-			updatedMap[key] = struct{}{}
+	for key, record := range update {
+		err := s.localResolver.registerRecord(record)
+		if err != nil {
+			log.Warnf("got an error while registering the record (%s), error: %v", record.String(), err)
 		}
+		updatedMap[key] = struct{}{}
 	}

 	s.localResolver.registeredMap = updatedMap
@@ -662,7 +593,6 @@ func getNSHostPort(ns nbdns.NameServer) string {
 func (s *DefaultServer) upstreamCallbacks(
 	nsGroup *nbdns.NameServerGroup,
 	handler dns.Handler,
-	priority int,
 ) (deactivate func(error), reactivate func()) {
 	var removeIndex map[string]int
 	deactivate = func(err error) {
@@ -679,19 +609,18 @@ func (s *DefaultServer) upstreamCallbacks(
 		if nsGroup.Primary {
 			removeIndex[nbdns.RootZone] = -1
 			s.currentConfig.RouteAll = false
-			s.deregisterHandler([]string{nbdns.RootZone}, priority)
+			s.deregisterHandler([]string{nbdns.RootZone}, PriorityDefault)
 		}

 		for i, item := range s.currentConfig.Domains {
 			if _, found := removeIndex[item.Domain]; found {
 				s.currentConfig.Domains[i].Disabled = true
-				s.deregisterHandler([]string{item.Domain}, priority)
+				s.deregisterHandler([]string{item.Domain}, PriorityMatchDomain)
 				removeIndex[item.Domain] = i
 			}
 		}

 		if err := s.hostManager.applyDNSConfig(s.currentConfig, s.stateManager); err != nil {
-			s.handleErrNoGroupaAll(err)
 			l.Errorf("Failed to apply nameserver deactivation on the host: %v", err)
 		}

@@ -706,8 +635,8 @@ func (s *DefaultServer) upstreamCallbacks(
 		}

 		s.updateNSState(nsGroup, err, false)
-	}

+	}
 	reactivate = func() {
 		s.mux.Lock()
 		defer s.mux.Unlock()
@@ -717,7 +646,7 @@ func (s *DefaultServer) upstreamCallbacks(
 				continue
 			}
 			s.currentConfig.Domains[i].Disabled = false
-			s.registerHandler([]string{domain}, handler, priority)
+			s.registerHandler([]string{domain}, handler, PriorityMatchDomain)
 		}

 		l := log.WithField("nameservers", nsGroup.NameServers)
@@ -725,12 +654,11 @@ func (s *DefaultServer) upstreamCallbacks(

 		if nsGroup.Primary {
 			s.currentConfig.RouteAll = true
-			s.registerHandler([]string{nbdns.RootZone}, handler, priority)
+			s.registerHandler([]string{nbdns.RootZone}, handler, PriorityDefault)
 		}

 		if s.hostManager != nil {
 			if err := s.hostManager.applyDNSConfig(s.currentConfig, s.stateManager); err != nil {
-				s.handleErrNoGroupaAll(err)
 				l.WithError(err).Error("reactivate temporary disabled nameserver group, DNS update apply")
 			}
 		}
@@ -748,7 +676,6 @@ func (s *DefaultServer) addHostRootZone() {
 		s.wgInterface.Address().Network,
 		s.statusRecorder,
 		s.hostsDNSHolder,
-		nbdns.RootZone,
 	)
 	if err != nil {
 		log.Errorf("unable to create a new upstream resolver, error: %v", err)
@@ -805,34 +732,5 @@ func generateGroupKey(nsGroup *nbdns.NameServerGroup) string {
 	for _, ns := range nsGroup.NameServers {
 		servers = append(servers, fmt.Sprintf("%s:%d", ns.IP, ns.Port))
 	}
-	return fmt.Sprintf("%v_%v", servers, nsGroup.Domains)
-}
-
-// groupNSGroupsByDomain groups nameserver groups by their match domains
-func groupNSGroupsByDomain(nsGroups []*nbdns.NameServerGroup) []nsGroupsByDomain {
-	domainMap := make(map[string][]*nbdns.NameServerGroup)
-
-	for _, group := range nsGroups {
-		if group.Primary {
-			domainMap[nbdns.RootZone] = append(domainMap[nbdns.RootZone], group)
-			continue
-		}
-
-		for _, domain := range group.Domains {
-			if domain == "" {
-				continue
-			}
-			domainMap[domain] = append(domainMap[domain], group)
-		}
-	}
-
-	var result []nsGroupsByDomain
-	for domain, groups := range domainMap {
-		result = append(result, nsGroupsByDomain{
-			domain: domain,
-			groups: groups,
-		})
-	}
-
-	return result
+	return fmt.Sprintf("%s_%s_%s", nsGroup.ID, nsGroup.Name, strings.Join(servers, ","))
 }
--- a/client/internal/dns/server_test.go
+++ b/client/internal/dns/server_test.go
@@ -13,7 +13,6 @@ import (
 	"github.com/golang/mock/gomock"
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

@@ -89,18 +88,6 @@ func init() {
 	formatter.SetTextFormatter(log.StandardLogger())
 }

-func generateDummyHandler(domain string, servers []nbdns.NameServer) *upstreamResolverBase {
-	var srvs []string
-	for _, srv := range servers {
-		srvs = append(srvs, getNSHostPort(srv))
-	}
-	return &upstreamResolverBase{
-		domain:          domain,
-		upstreamServers: srvs,
-		cancel:          func() {},
-	}
-}
-
 func TestUpdateDNSServer(t *testing.T) {
 	nameServers := []nbdns.NameServer{
 		{
@@ -153,37 +140,15 @@ func TestUpdateDNSServer(t *testing.T) {
 					},
 				},
 			},
-			expectedUpstreamMap: registeredHandlerMap{
-				generateDummyHandler("netbird.io", nameServers).id(): handlerWrapper{
-					domain:   "netbird.io",
-					handler:  dummyHandler,
-					priority: PriorityMatchDomain,
-				},
-				dummyHandler.id(): handlerWrapper{
-					domain:   "netbird.cloud",
-					handler:  dummyHandler,
-					priority: PriorityMatchDomain,
-				},
-				generateDummyHandler(".", nameServers).id(): handlerWrapper{
-					domain:   nbdns.RootZone,
-					handler:  dummyHandler,
-					priority: PriorityDefault,
-				},
-			},
-			expectedLocalMap: registrationMap{buildRecordKey(zoneRecords[0].Name, 1, 1): struct{}{}},
+			expectedUpstreamMap: registeredHandlerMap{"netbird.io": dummyHandler, "netbird.cloud": dummyHandler, nbdns.RootZone: dummyHandler},
+			expectedLocalMap:    registrationMap{buildRecordKey(zoneRecords[0].Name, 1, 1): struct{}{}},
 		},
 		{
-			name:         "New Config Should Succeed",
-			initLocalMap: registrationMap{"netbird.cloud": struct{}{}},
-			initUpstreamMap: registeredHandlerMap{
-				generateDummyHandler(zoneRecords[0].Name, nameServers).id(): handlerWrapper{
-					domain:   buildRecordKey(zoneRecords[0].Name, 1, 1),
-					handler:  dummyHandler,
-					priority: PriorityMatchDomain,
-				},
-			},
-			initSerial:  0,
-			inputSerial: 1,
+			name:            "New Config Should Succeed",
+			initLocalMap:    registrationMap{"netbird.cloud": struct{}{}},
+			initUpstreamMap: registeredHandlerMap{buildRecordKey(zoneRecords[0].Name, 1, 1): dummyHandler},
+			initSerial:      0,
+			inputSerial:     1,
 			inputUpdate: nbdns.Config{
 				ServiceEnable: true,
 				CustomZones: []nbdns.CustomZone{
@@ -199,19 +164,8 @@ func TestUpdateDNSServer(t *testing.T) {
 					},
 				},
 			},
-			expectedUpstreamMap: registeredHandlerMap{
-				generateDummyHandler("netbird.io", nameServers).id(): handlerWrapper{
-					domain:   "netbird.io",
-					handler:  dummyHandler,
-					priority: PriorityMatchDomain,
-				},
-				"local-resolver": handlerWrapper{
-					domain:   "netbird.cloud",
-					handler:  dummyHandler,
-					priority: PriorityMatchDomain,
-				},
-			},
-			expectedLocalMap: registrationMap{buildRecordKey(zoneRecords[0].Name, 1, 1): struct{}{}},
+			expectedUpstreamMap: registeredHandlerMap{"netbird.io": dummyHandler, "netbird.cloud": dummyHandler},
+			expectedLocalMap:    registrationMap{buildRecordKey(zoneRecords[0].Name, 1, 1): struct{}{}},
 		},
 		{
 			name:            "Smaller Config Serial Should Be Skipped",
@@ -266,7 +220,7 @@ func TestUpdateDNSServer(t *testing.T) {
 			shouldFail: true,
 		},
 		{
-			name:            "Invalid Custom Zone Records list Should Skip",
+			name:            "Invalid Custom Zone Records list Should Fail",
 			initLocalMap:    make(registrationMap),
 			initUpstreamMap: make(registeredHandlerMap),
 			initSerial:      0,
@@ -285,22 +239,12 @@ func TestUpdateDNSServer(t *testing.T) {
 					},
 				},
 			},
-			expectedUpstreamMap: registeredHandlerMap{generateDummyHandler(".", nameServers).id(): handlerWrapper{
-				domain:   ".",
-				handler:  dummyHandler,
-				priority: PriorityDefault,
-			}},
+			shouldFail: true,
 		},
 		{
-			name:         "Empty Config Should Succeed and Clean Maps",
-			initLocalMap: registrationMap{"netbird.cloud": struct{}{}},
-			initUpstreamMap: registeredHandlerMap{
-				generateDummyHandler(zoneRecords[0].Name, nameServers).id(): handlerWrapper{
-					domain:   zoneRecords[0].Name,
-					handler:  dummyHandler,
-					priority: PriorityMatchDomain,
-				},
-			},
+			name:                "Empty Config Should Succeed and Clean Maps",
+			initLocalMap:        registrationMap{"netbird.cloud": struct{}{}},
+			initUpstreamMap:     registeredHandlerMap{zoneRecords[0].Name: dummyHandler},
 			initSerial:          0,
 			inputSerial:         1,
 			inputUpdate:         nbdns.Config{ServiceEnable: true},
@@ -308,15 +252,9 @@ func TestUpdateDNSServer(t *testing.T) {
 			expectedLocalMap:    make(registrationMap),
 		},
 		{
-			name:         "Disabled Service Should clean map",
-			initLocalMap: registrationMap{"netbird.cloud": struct{}{}},
-			initUpstreamMap: registeredHandlerMap{
-				generateDummyHandler(zoneRecords[0].Name, nameServers).id(): handlerWrapper{
-					domain:   zoneRecords[0].Name,
-					handler:  dummyHandler,
-					priority: PriorityMatchDomain,
-				},
-			},
+			name:                "Disabled Service Should clean map",
+			initLocalMap:        registrationMap{"netbird.cloud": struct{}{}},
+			initUpstreamMap:     registeredHandlerMap{zoneRecords[0].Name: dummyHandler},
 			initSerial:          0,
 			inputSerial:         1,
 			inputUpdate:         nbdns.Config{ServiceEnable: false},
@@ -356,7 +294,7 @@ func TestUpdateDNSServer(t *testing.T) {
 					t.Log(err)
 				}
 			}()
-			dnsServer, err := NewDefaultServer(context.Background(), wgIface, "", peer.NewRecorder("mgm"), nil, false)
+			dnsServer, err := NewDefaultServer(context.Background(), wgIface, "", &peer.Status{}, nil, false)
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -413,7 +351,7 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 	defer t.Setenv("NB_WG_KERNEL_DISABLED", ov)

 	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
-	newNet, err := stdnet.NewNet([]string{"utun2301"})
+	newNet, err := stdnet.NewNet(nil)
 	if err != nil {
 		t.Errorf("create stdnet: %v", err)
 		return
@@ -465,7 +403,7 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 		return
 	}

-	dnsServer, err := NewDefaultServer(context.Background(), wgIface, "", peer.NewRecorder("mgm"), nil, false)
+	dnsServer, err := NewDefaultServer(context.Background(), wgIface, "", &peer.Status{}, nil, false)
 	if err != nil {
 		t.Errorf("create DNS server: %v", err)
 		return
@@ -483,13 +421,7 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 		}
 	}()

-	dnsServer.dnsMuxMap = registeredHandlerMap{
-		"id1": handlerWrapper{
-			domain:   zoneRecords[0].Name,
-			handler:  &localResolver{},
-			priority: PriorityMatchDomain,
-		},
-	}
+	dnsServer.dnsMuxMap = registeredHandlerMap{zoneRecords[0].Name: &localResolver{}}
 	dnsServer.localResolver.registeredMap = registrationMap{"netbird.cloud": struct{}{}}
 	dnsServer.updateSerial = 0

@@ -566,7 +498,7 @@ func TestDNSServerStartStop(t *testing.T) {

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			dnsServer, err := NewDefaultServer(context.Background(), &mocWGIface{}, testCase.addrPort, peer.NewRecorder("mgm"), nil, false)
+			dnsServer, err := NewDefaultServer(context.Background(), &mocWGIface{}, testCase.addrPort, &peer.Status{}, nil, false)
 			if err != nil {
 				t.Fatalf("%v", err)
 			}
@@ -577,7 +509,7 @@ func TestDNSServerStartStop(t *testing.T) {
 			}
 			time.Sleep(100 * time.Millisecond)
 			defer dnsServer.Stop()
-			_, err = dnsServer.localResolver.registerRecord(zoneRecords[0])
+			err = dnsServer.localResolver.registerRecord(zoneRecords[0])
 			if err != nil {
 				t.Error(err)
 			}
@@ -630,8 +562,9 @@ func TestDNSServerUpstreamDeactivateCallback(t *testing.T) {
 		localResolver: &localResolver{
 			registeredMap: make(registrationMap),
 		},
-		handlerChain: NewHandlerChain(),
-		hostManager:  hostManager,
+		handlerChain:      NewHandlerChain(),
+		handlerPriorities: make(map[string]int),
+		hostManager:       hostManager,
 		currentConfig: HostDNSConfig{
 			Domains: []DomainConfig{
 				{false, "domain0", false},
@@ -639,7 +572,7 @@ func TestDNSServerUpstreamDeactivateCallback(t *testing.T) {
 				{false, "domain2", false},
 			},
 		},
-		statusRecorder: peer.NewRecorder("mgm"),
+		statusRecorder: &peer.Status{},
 	}

 	var domainsUpdate string
@@ -660,7 +593,7 @@ func TestDNSServerUpstreamDeactivateCallback(t *testing.T) {
 		NameServers: []nbdns.NameServer{
 			{IP: netip.MustParseAddr("8.8.0.0"), NSType: nbdns.UDPNameServerType, Port: 53},
 		},
-	}, nil, 0)
+	}, nil)

 	deactivate(nil)
 	expected := "domain0,domain2"
@@ -700,7 +633,7 @@ func TestDNSPermanent_updateHostDNS_emptyUpstream(t *testing.T) {

 	var dnsList []string
 	dnsConfig := nbdns.Config{}
-	dnsServer := NewDefaultServerPermanentUpstream(context.Background(), wgIFace, dnsList, dnsConfig, nil, peer.NewRecorder("mgm"), false)
+	dnsServer := NewDefaultServerPermanentUpstream(context.Background(), wgIFace, dnsList, dnsConfig, nil, &peer.Status{}, false)
 	err = dnsServer.Initialize()
 	if err != nil {
 		t.Errorf("failed to initialize DNS server: %v", err)
@@ -724,7 +657,7 @@ func TestDNSPermanent_updateUpstream(t *testing.T) {
 	}
 	defer wgIFace.Close()
 	dnsConfig := nbdns.Config{}
-	dnsServer := NewDefaultServerPermanentUpstream(context.Background(), wgIFace, []string{"8.8.8.8"}, dnsConfig, nil, peer.NewRecorder("mgm"), false)
+	dnsServer := NewDefaultServerPermanentUpstream(context.Background(), wgIFace, []string{"8.8.8.8"}, dnsConfig, nil, &peer.Status{}, false)
 	err = dnsServer.Initialize()
 	if err != nil {
 		t.Errorf("failed to initialize DNS server: %v", err)
@@ -816,7 +749,7 @@ func TestDNSPermanent_matchOnly(t *testing.T) {
 	}
 	defer wgIFace.Close()
 	dnsConfig := nbdns.Config{}
-	dnsServer := NewDefaultServerPermanentUpstream(context.Background(), wgIFace, []string{"8.8.8.8"}, dnsConfig, nil, peer.NewRecorder("mgm"), false)
+	dnsServer := NewDefaultServerPermanentUpstream(context.Background(), wgIFace, []string{"8.8.8.8"}, dnsConfig, nil, &peer.Status{}, false)
 	err = dnsServer.Initialize()
 	if err != nil {
 		t.Errorf("failed to initialize DNS server: %v", err)
@@ -887,7 +820,7 @@ func createWgInterfaceWithBind(t *testing.T) (*iface.WGIface, error) {
 	defer t.Setenv("NB_WG_KERNEL_DISABLED", ov)

 	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
-	newNet, err := stdnet.NewNet([]string{"utun2301"})
+	newNet, err := stdnet.NewNet(nil)
 	if err != nil {
 		t.Fatalf("create stdnet: %v", err)
 		return nil, err
@@ -970,8 +903,8 @@ func TestHandlerChain_DomainPriorities(t *testing.T) {
 		Subdomains: true,
 	}

-	chain.AddHandler("example.com.", dnsRouteHandler, PriorityDNSRoute)
-	chain.AddHandler("example.com.", upstreamHandler, PriorityMatchDomain)
+	chain.AddHandler("example.com.", dnsRouteHandler, PriorityDNSRoute, nil)
+	chain.AddHandler("example.com.", upstreamHandler, PriorityMatchDomain, nil)

 	testCases := []struct {
 		name            string
@@ -1026,421 +959,3 @@ func TestHandlerChain_DomainPriorities(t *testing.T) {
 		})
 	}
 }
-
-type mockHandler struct {
-	Id string
-}
-
-func (m *mockHandler) ServeDNS(dns.ResponseWriter, *dns.Msg) {}
-func (m *mockHandler) stop()                                 {}
-func (m *mockHandler) probeAvailability()                    {}
-func (m *mockHandler) id() handlerID                         { return handlerID(m.Id) }
-
-type mockService struct{}
-
-func (m *mockService) Listen() error                   { return nil }
-func (m *mockService) Stop()                           {}
-func (m *mockService) RuntimeIP() string               { return "127.0.0.1" }
-func (m *mockService) RuntimePort() int                { return 53 }
-func (m *mockService) RegisterMux(string, dns.Handler) {}
-func (m *mockService) DeregisterMux(string)            {}
-
-func TestDefaultServer_UpdateMux(t *testing.T) {
-	baseMatchHandlers := registeredHandlerMap{
-		"upstream-group1": {
-			domain: "example.com",
-			handler: &mockHandler{
-				Id: "upstream-group1",
-			},
-			priority: PriorityMatchDomain,
-		},
-		"upstream-group2": {
-			domain: "example.com",
-			handler: &mockHandler{
-				Id: "upstream-group2",
-			},
-			priority: PriorityMatchDomain - 1,
-		},
-	}
-
-	baseRootHandlers := registeredHandlerMap{
-		"upstream-root1": {
-			domain: ".",
-			handler: &mockHandler{
-				Id: "upstream-root1",
-			},
-			priority: PriorityDefault,
-		},
-		"upstream-root2": {
-			domain: ".",
-			handler: &mockHandler{
-				Id: "upstream-root2",
-			},
-			priority: PriorityDefault - 1,
-		},
-	}
-
-	baseMixedHandlers := registeredHandlerMap{
-		"upstream-group1": {
-			domain: "example.com",
-			handler: &mockHandler{
-				Id: "upstream-group1",
-			},
-			priority: PriorityMatchDomain,
-		},
-		"upstream-group2": {
-			domain: "example.com",
-			handler: &mockHandler{
-				Id: "upstream-group2",
-			},
-			priority: PriorityMatchDomain - 1,
-		},
-		"upstream-other": {
-			domain: "other.com",
-			handler: &mockHandler{
-				Id: "upstream-other",
-			},
-			priority: PriorityMatchDomain,
-		},
-	}
-
-	tests := []struct {
-		name             string
-		initialHandlers  registeredHandlerMap
-		updates          []handlerWrapper
-		expectedHandlers map[string]string // map[handlerID]domain
-		description      string
-	}{
-		{
-			name:            "Remove group1 from update",
-			initialHandlers: baseMatchHandlers,
-			updates: []handlerWrapper{
-				// Only group2 remains
-				{
-					domain: "example.com",
-					handler: &mockHandler{
-						Id: "upstream-group2",
-					},
-					priority: PriorityMatchDomain - 1,
-				},
-			},
-			expectedHandlers: map[string]string{
-				"upstream-group2": "example.com",
-			},
-			description: "When group1 is not included in the update, it should be removed while group2 remains",
-		},
-		{
-			name:            "Remove group2 from update",
-			initialHandlers: baseMatchHandlers,
-			updates: []handlerWrapper{
-				// Only group1 remains
-				{
-					domain: "example.com",
-					handler: &mockHandler{
-						Id: "upstream-group1",
-					},
-					priority: PriorityMatchDomain,
-				},
-			},
-			expectedHandlers: map[string]string{
-				"upstream-group1": "example.com",
-			},
-			description: "When group2 is not included in the update, it should be removed while group1 remains",
-		},
-		{
-			name:            "Add group3 in first position",
-			initialHandlers: baseMatchHandlers,
-			updates: []handlerWrapper{
-				// Add group3 with highest priority
-				{
-					domain: "example.com",
-					handler: &mockHandler{
-						Id: "upstream-group3",
-					},
-					priority: PriorityMatchDomain + 1,
-				},
-				// Keep existing groups with their original priorities
-				{
-					domain: "example.com",
-					handler: &mockHandler{
-						Id: "upstream-group1",
-					},
-					priority: PriorityMatchDomain,
-				},
-				{
-					domain: "example.com",
-					handler: &mockHandler{
-						Id: "upstream-group2",
-					},
-					priority: PriorityMatchDomain - 1,
-				},
-			},
-			expectedHandlers: map[string]string{
-				"upstream-group1": "example.com",
-				"upstream-group2": "example.com",
-				"upstream-group3": "example.com",
-			},
-			description: "When adding group3 with highest priority, it should be first in chain while maintaining existing groups",
-		},
-		{
-			name:            "Add group3 in last position",
-			initialHandlers: baseMatchHandlers,
-			updates: []handlerWrapper{
-				// Keep existing groups with their original priorities
-				{
-					domain: "example.com",
-					handler: &mockHandler{
-						Id: "upstream-group1",
-					},
-					priority: PriorityMatchDomain,
-				},
-				{
-					domain: "example.com",
-					handler: &mockHandler{
-						Id: "upstream-group2",
-					},
-					priority: PriorityMatchDomain - 1,
-				},
-				// Add group3 with lowest priority
-				{
-					domain: "example.com",
-					handler: &mockHandler{
-						Id: "upstream-group3",
-					},
-					priority: PriorityMatchDomain - 2,
-				},
-			},
-			expectedHandlers: map[string]string{
-				"upstream-group1": "example.com",
-				"upstream-group2": "example.com",
-				"upstream-group3": "example.com",
-			},
-			description: "When adding group3 with lowest priority, it should be last in chain while maintaining existing groups",
-		},
-		// Root zone tests
-		{
-			name:            "Remove root1 from update",
-			initialHandlers: baseRootHandlers,
-			updates: []handlerWrapper{
-				{
-					domain: ".",
-					handler: &mockHandler{
-						Id: "upstream-root2",
-					},
-					priority: PriorityDefault - 1,
-				},
-			},
-			expectedHandlers: map[string]string{
-				"upstream-root2": ".",
-			},
-			description: "When root1 is not included in the update, it should be removed while root2 remains",
-		},
-		{
-			name:            "Remove root2 from update",
-			initialHandlers: baseRootHandlers,
-			updates: []handlerWrapper{
-				{
-					domain: ".",
-					handler: &mockHandler{
-						Id: "upstream-root1",
-					},
-					priority: PriorityDefault,
-				},
-			},
-			expectedHandlers: map[string]string{
-				"upstream-root1": ".",
-			},
-			description: "When root2 is not included in the update, it should be removed while root1 remains",
-		},
-		{
-			name:            "Add root3 in first position",
-			initialHandlers: baseRootHandlers,
-			updates: []handlerWrapper{
-				{
-					domain: ".",
-					handler: &mockHandler{
-						Id: "upstream-root3",
-					},
-					priority: PriorityDefault + 1,
-				},
-				{
-					domain: ".",
-					handler: &mockHandler{
-						Id: "upstream-root1",
-					},
-					priority: PriorityDefault,
-				},
-				{
-					domain: ".",
-					handler: &mockHandler{
-						Id: "upstream-root2",
-					},
-					priority: PriorityDefault - 1,
-				},
-			},
-			expectedHandlers: map[string]string{
-				"upstream-root1": ".",
-				"upstream-root2": ".",
-				"upstream-root3": ".",
-			},
-			description: "When adding root3 with highest priority, it should be first in chain while maintaining existing root handlers",
-		},
-		{
-			name:            "Add root3 in last position",
-			initialHandlers: baseRootHandlers,
-			updates: []handlerWrapper{
-				{
-					domain: ".",
-					handler: &mockHandler{
-						Id: "upstream-root1",
-					},
-					priority: PriorityDefault,
-				},
-				{
-					domain: ".",
-					handler: &mockHandler{
-						Id: "upstream-root2",
-					},
-					priority: PriorityDefault - 1,
-				},
-				{
-					domain: ".",
-					handler: &mockHandler{
-						Id: "upstream-root3",
-					},
-					priority: PriorityDefault - 2,
-				},
-			},
-			expectedHandlers: map[string]string{
-				"upstream-root1": ".",
-				"upstream-root2": ".",
-				"upstream-root3": ".",
-			},
-			description: "When adding root3 with lowest priority, it should be last in chain while maintaining existing root handlers",
-		},
-		// Mixed domain tests
-		{
-			name:            "Update with mixed domains - remove one of duplicate domain",
-			initialHandlers: baseMixedHandlers,
-			updates: []handlerWrapper{
-				{
-					domain: "example.com",
-					handler: &mockHandler{
-						Id: "upstream-group1",
-					},
-					priority: PriorityMatchDomain,
-				},
-				{
-					domain: "other.com",
-					handler: &mockHandler{
-						Id: "upstream-other",
-					},
-					priority: PriorityMatchDomain,
-				},
-			},
-			expectedHandlers: map[string]string{
-				"upstream-group1": "example.com",
-				"upstream-other":  "other.com",
-			},
-			description: "When updating mixed domains, should correctly handle removal of one duplicate while maintaining other domains",
-		},
-		{
-			name:            "Update with mixed domains - add new domain",
-			initialHandlers: baseMixedHandlers,
-			updates: []handlerWrapper{
-				{
-					domain: "example.com",
-					handler: &mockHandler{
-						Id: "upstream-group1",
-					},
-					priority: PriorityMatchDomain,
-				},
-				{
-					domain: "example.com",
-					handler: &mockHandler{
-						Id: "upstream-group2",
-					},
-					priority: PriorityMatchDomain - 1,
-				},
-				{
-					domain: "other.com",
-					handler: &mockHandler{
-						Id: "upstream-other",
-					},
-					priority: PriorityMatchDomain,
-				},
-				{
-					domain: "new.com",
-					handler: &mockHandler{
-						Id: "upstream-new",
-					},
-					priority: PriorityMatchDomain,
-				},
-			},
-			expectedHandlers: map[string]string{
-				"upstream-group1": "example.com",
-				"upstream-group2": "example.com",
-				"upstream-other":  "other.com",
-				"upstream-new":    "new.com",
-			},
-			description: "When updating mixed domains, should maintain existing duplicates and add new domain",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			server := &DefaultServer{
-				dnsMuxMap:    tt.initialHandlers,
-				handlerChain: NewHandlerChain(),
-				service:      &mockService{},
-			}
-
-			// Perform the update
-			server.updateMux(tt.updates)
-
-			// Verify the results
-			assert.Equal(t, len(tt.expectedHandlers), len(server.dnsMuxMap),
-				"Number of handlers after update doesn't match expected")
-
-			// Check each expected handler
-			for id, expectedDomain := range tt.expectedHandlers {
-				handler, exists := server.dnsMuxMap[handlerID(id)]
-				assert.True(t, exists, "Expected handler %s not found", id)
-				if exists {
-					assert.Equal(t, expectedDomain, handler.domain,
-						"Domain mismatch for handler %s", id)
-				}
-			}
-
-			// Verify no unexpected handlers exist
-			for handlerID := range server.dnsMuxMap {
-				_, expected := tt.expectedHandlers[string(handlerID)]
-				assert.True(t, expected, "Unexpected handler found: %s", handlerID)
-			}
-
-			// Verify the handlerChain state and order
-			previousPriority := 0
-			for _, chainEntry := range server.handlerChain.handlers {
-				// Verify priority order
-				if previousPriority > 0 {
-					assert.True(t, chainEntry.Priority <= previousPriority,
-						"Handlers in chain not properly ordered by priority")
-				}
-				previousPriority = chainEntry.Priority
-
-				// Verify handler exists in mux
-				foundInMux := false
-				for _, muxEntry := range server.dnsMuxMap {
-					if chainEntry.Handler == muxEntry.handler &&
-						chainEntry.Priority == muxEntry.priority &&
-						chainEntry.Pattern == dns.Fqdn(muxEntry.domain) {
-						foundInMux = true
-						break
-					}
-				}
-				assert.True(t, foundInMux,
-					"Handler in chain not found in dnsMuxMap")
-			}
-		})
-	}
-}
--- a/client/internal/dns/service_memory.go
+++ b/client/internal/dns/service_memory.go
@@ -2,6 +2,7 @@ package dns

 import (
 	"fmt"
+	"math/big"
 	"net"
 	"sync"

@@ -9,8 +10,6 @@ import (
 	"github.com/google/gopacket/layers"
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
-
-	nbnet "github.com/netbirdio/netbird/util/net"
 )

 type ServiceViaMemory struct {
@@ -28,7 +27,7 @@ func NewServiceViaMemory(wgIface WGIface) *ServiceViaMemory {
 		wgInterface: wgIface,
 		dnsMux:      dns.NewServeMux(),

-		runtimeIP:   nbnet.GetLastIPFromNetwork(wgIface.Address().Network, 1).String(),
+		runtimeIP:   getLastIPFromNetwork(wgIface.Address().Network, 1),
 		runtimePort: defaultPort,
 	}
 	return s
@@ -119,3 +118,22 @@ func (s *ServiceViaMemory) filterDNSTraffic() (string, error) {

 	return filter.AddUDPPacketHook(false, net.ParseIP(s.runtimeIP), uint16(s.runtimePort), hook), nil
 }
+
+func getLastIPFromNetwork(network *net.IPNet, fromEnd int) string {
+	// Calculate the last IP in the CIDR range
+	var endIP net.IP
+	for i := 0; i < len(network.IP); i++ {
+		endIP = append(endIP, network.IP[i]|^network.Mask[i])
+	}
+
+	// convert to big.Int
+	endInt := big.NewInt(0)
+	endInt.SetBytes(endIP)
+
+	// subtract fromEnd from the last ip
+	fromEndBig := big.NewInt(int64(fromEnd))
+	resultInt := big.NewInt(0)
+	resultInt.Sub(endInt, fromEndBig)
+
+	return net.IP(resultInt.Bytes()).String()
+}
--- a/client/internal/dns/service_memory_test.go
+++ b/client/internal/dns/service_memory_test.go
@@ -3,8 +3,6 @@ package dns
 import (
 	"net"
 	"testing"
-
-	nbnet "github.com/netbirdio/netbird/util/net"
 )

 func TestGetLastIPFromNetwork(t *testing.T) {
@@ -25,7 +23,7 @@ func TestGetLastIPFromNetwork(t *testing.T) {
 			return
 		}

-		lastIP := nbnet.GetLastIPFromNetwork(ipnet, 1).String()
+		lastIP := getLastIPFromNetwork(ipnet, 1)
 		if lastIP != tt.ip {
 			t.Errorf("wrong IP address, expected %s: got %s", tt.ip, lastIP)
 		}
--- a/client/internal/dns/systemd_linux.go
+++ b/client/internal/dns/systemd_linux.go
@@ -154,10 +154,6 @@ func (s *systemdDbusConfigurator) applyDNSConfig(config HostDNSConfig, stateMana
 	return nil
 }

-func (s *systemdDbusConfigurator) string() string {
-	return "dbus"
-}
-
 func (s *systemdDbusConfigurator) setDomainsForInterface(domainsInput []systemdDbusLinkDomainsInput) error {
 	err := s.callLinkMethod(systemdDbusSetDomainsMethodSuffix, domainsInput)
 	if err != nil {
--- a/client/internal/dns/unclean_shutdown_windows.go
+++ b/client/internal/dns/unclean_shutdown_windows.go
@@ -6,7 +6,6 @@ import (

 type ShutdownState struct {
 	Guid string
-	GPO  bool
 }

 func (s *ShutdownState) Name() string {
@@ -14,9 +13,9 @@ func (s *ShutdownState) Name() string {
 }

 func (s *ShutdownState) Cleanup() error {
-	manager := &registryConfigurator{
-		guid: s.Guid,
-		gpo:  s.GPO,
+	manager, err := newHostManagerWithGuid(s.Guid)
+	if err != nil {
+		return fmt.Errorf("create host manager: %w", err)
 	}

 	if err := manager.restoreUncleanShutdownDNS(); err != nil {
--- a/client/internal/dns/upstream.go
+++ b/client/internal/dns/upstream.go
@@ -2,13 +2,9 @@ package dns

 import (
 	"context"
-	"crypto/sha256"
-	"encoding/hex"
 	"errors"
 	"fmt"
 	"net"
-	"slices"
-	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -19,7 +15,6 @@ import (
 	log "github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/proto"
 )

 const (
@@ -45,7 +40,6 @@ type upstreamResolverBase struct {
 	cancel           context.CancelFunc
 	upstreamClient   upstreamClient
 	upstreamServers  []string
-	domain           string
 	disabled         bool
 	failsCount       atomic.Int32
 	successCount     atomic.Int32
@@ -59,13 +53,12 @@ type upstreamResolverBase struct {
 	statusRecorder *peer.Status
 }

-func newUpstreamResolverBase(ctx context.Context, statusRecorder *peer.Status, domain string) *upstreamResolverBase {
+func newUpstreamResolverBase(ctx context.Context, statusRecorder *peer.Status) *upstreamResolverBase {
 	ctx, cancel := context.WithCancel(ctx)

 	return &upstreamResolverBase{
 		ctx:              ctx,
 		cancel:           cancel,
-		domain:           domain,
 		upstreamTimeout:  upstreamTimeout,
 		reactivatePeriod: reactivatePeriod,
 		failsTillDeact:   failsTillDeact,
@@ -78,17 +71,6 @@ func (u *upstreamResolverBase) String() string {
 	return fmt.Sprintf("upstream %v", u.upstreamServers)
 }

-// ID returns the unique handler ID
-func (u *upstreamResolverBase) id() handlerID {
-	servers := slices.Clone(u.upstreamServers)
-	slices.Sort(servers)
-
-	hash := sha256.New()
-	hash.Write([]byte(u.domain + ":"))
-	hash.Write([]byte(strings.Join(servers, ",")))
-	return handlerID("upstream-" + hex.EncodeToString(hash.Sum(nil)[:8]))
-}
-
 func (u *upstreamResolverBase) MatchSubdomains() bool {
 	return true
 }
@@ -105,7 +87,7 @@ func (u *upstreamResolverBase) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		u.checkUpstreamFails(err)
 	}()

-	log.Tracef("received upstream question: domain=%s type=%v class=%v", r.Question[0].Name, r.Question[0].Qtype, r.Question[0].Qclass)
+	log.WithField("question", r.Question[0]).Trace("received an upstream question")
 	// set the AuthenticatedData flag and the EDNS0 buffer size to 4096 bytes to support larger dns records
 	if r.Extra == nil {
 		r.SetEdns0(4096, false)
@@ -114,7 +96,6 @@ func (u *upstreamResolverBase) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {

 	select {
 	case <-u.ctx.Done():
-		log.Tracef("%s has been stopped", u)
 		return
 	default:
 	}
@@ -131,36 +112,41 @@ func (u *upstreamResolverBase) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {

 		if err != nil {
 			if errors.Is(err, context.DeadlineExceeded) || isTimeout(err) {
-				log.Warnf("upstream %s timed out for question domain=%s", upstream, r.Question[0].Name)
+				log.WithError(err).WithField("upstream", upstream).
+					Warn("got an error while connecting to upstream")
 				continue
 			}
-			log.Warnf("failed to query upstream %s for question domain=%s: %s", upstream, r.Question[0].Name, err)
-			continue
+			u.failsCount.Add(1)
+			log.WithError(err).WithField("upstream", upstream).
+				Error("got other error while querying the upstream")
+			return
 		}

-		if rm == nil || !rm.Response {
-			log.Warnf("no response from upstream %s for question domain=%s", upstream, r.Question[0].Name)
-			continue
+		if rm == nil {
+			log.WithError(err).WithField("upstream", upstream).
+				Warn("no response from upstream")
+			return
+		}
+		// those checks need to be independent of each other due to memory address issues
+		if !rm.Response {
+			log.WithError(err).WithField("upstream", upstream).
+				Warn("no response from upstream")
+			return
 		}

 		u.successCount.Add(1)
-		log.Tracef("took %s to query the upstream %s for question domain=%s", t, upstream, r.Question[0].Name)
+		log.Tracef("took %s to query the upstream %s", t, upstream)

-		if err = w.WriteMsg(rm); err != nil {
-			log.Errorf("failed to write DNS response for question domain=%s: %s", r.Question[0].Name, err)
+		err = w.WriteMsg(rm)
+		if err != nil {
+			log.WithError(err).Error("got an error while writing the upstream resolver response")
 		}
 		// count the fails only if they happen sequentially
 		u.failsCount.Store(0)
 		return
 	}
 	u.failsCount.Add(1)
-	log.Errorf("all queries to the %s failed for question domain=%s", u, r.Question[0].Name)
-
-	m := new(dns.Msg)
-	m.SetRcode(r, dns.RcodeServerFailure)
-	if err := w.WriteMsg(m); err != nil {
-		log.Errorf("failed to write error response for %s for question domain=%s: %s", u, r.Question[0].Name, err)
-	}
+	log.Error("all queries to the upstream nameservers failed with timeout")
 }

 // checkUpstreamFails counts fails and disables or enables upstream resolving
@@ -183,19 +169,6 @@ func (u *upstreamResolverBase) checkUpstreamFails(err error) {
 	}

 	u.disable(err)
-
-	if u.statusRecorder == nil {
-		return
-	}
-
-	u.statusRecorder.PublishEvent(
-		proto.SystemEvent_WARNING,
-		proto.SystemEvent_DNS,
-		"All upstream servers failed (fail count exceeded)",
-		"Unable to reach one or more DNS servers. This might affect your ability to connect to some services.",
-		map[string]string{"upstreams": strings.Join(u.upstreamServers, ", ")},
-		// TODO add domain meta
-	)
 }

 // probeAvailability tests all upstream servers simultaneously and
@@ -244,18 +217,6 @@ func (u *upstreamResolverBase) probeAvailability() {
 	// didn't find a working upstream server, let's disable and try later
 	if !success {
 		u.disable(errors.ErrorOrNil())
-
-		if u.statusRecorder == nil {
-			return
-		}
-
-		u.statusRecorder.PublishEvent(
-			proto.SystemEvent_WARNING,
-			proto.SystemEvent_DNS,
-			"All upstream servers failed (probe failed)",
-			"Unable to reach one or more DNS servers. This might affect your ability to connect to some services.",
-			map[string]string{"upstreams": strings.Join(u.upstreamServers, ", ")},
-		)
 	}
 }

--- a/client/internal/dns/upstream_android.go
+++ b/client/internal/dns/upstream_android.go
@@ -27,9 +27,8 @@ func newUpstreamResolver(
 	_ *net.IPNet,
 	statusRecorder *peer.Status,
 	hostsDNSHolder *hostsDNSHolder,
-	domain string,
 ) (*upstreamResolver, error) {
-	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder, domain)
+	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder)
 	c := &upstreamResolver{
 		upstreamResolverBase: upstreamResolverBase,
 		hostsDNSHolder:       hostsDNSHolder,
--- a/client/internal/dns/upstream_general.go
+++ b/client/internal/dns/upstream_general.go
@@ -23,9 +23,8 @@ func newUpstreamResolver(
 	_ *net.IPNet,
 	statusRecorder *peer.Status,
 	_ *hostsDNSHolder,
-	domain string,
 ) (*upstreamResolver, error) {
-	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder, domain)
+	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder)
 	nonIOS := &upstreamResolver{
 		upstreamResolverBase: upstreamResolverBase,
 	}
--- a/client/internal/dns/upstream_ios.go
+++ b/client/internal/dns/upstream_ios.go
@@ -30,9 +30,8 @@ func newUpstreamResolver(
 	net *net.IPNet,
 	statusRecorder *peer.Status,
 	_ *hostsDNSHolder,
-	domain string,
 ) (*upstreamResolverIOS, error) {
-	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder, domain)
+	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder)

 	ios := &upstreamResolverIOS{
 		upstreamResolverBase: upstreamResolverBase,
--- a/client/internal/dns/upstream_test.go
+++ b/client/internal/dns/upstream_test.go
@@ -20,7 +20,6 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 		timeout             time.Duration
 		cancelCTX           bool
 		expectedAnswer      string
-		acceptNXDomain      bool
 	}{
 		{
 			name:           "Should Resolve A Record",
@@ -37,11 +36,11 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 			expectedAnswer: "1.1.1.1",
 		},
 		{
-			name:           "Should Not Resolve If Can't Connect To Both Servers",
-			inputMSG:       new(dns.Msg).SetQuestion("one.one.one.one.", dns.TypeA),
-			InputServers:   []string{"8.0.0.0:53", "8.0.0.1:53"},
-			timeout:        200 * time.Millisecond,
-			acceptNXDomain: true,
+			name:                "Should Not Resolve If Can't Connect To Both Servers",
+			inputMSG:            new(dns.Msg).SetQuestion("one.one.one.one.", dns.TypeA),
+			InputServers:        []string{"8.0.0.0:53", "8.0.0.1:53"},
+			timeout:             200 * time.Millisecond,
+			responseShouldBeNil: true,
 		},
 		{
 			name:                "Should Not Resolve If Parent Context Is Canceled",
@@ -52,11 +51,14 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 			responseShouldBeNil: true,
 		},
 	}
+	// should resolve if first upstream times out
+	// should not write when both fails
+	// should not resolve if parent context is canceled

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
 			ctx, cancel := context.WithCancel(context.TODO())
-			resolver, _ := newUpstreamResolver(ctx, "", net.IP{}, &net.IPNet{}, nil, nil, ".")
+			resolver, _ := newUpstreamResolver(ctx, "", net.IP{}, &net.IPNet{}, nil, nil)
 			resolver.upstreamServers = testCase.InputServers
 			resolver.upstreamTimeout = testCase.timeout
 			if testCase.cancelCTX {
@@ -82,22 +84,16 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 				t.Fatalf("should write a response message")
 			}

-			if testCase.acceptNXDomain && responseMSG.Rcode == dns.RcodeNameError {
-				return
+			foundAnswer := false
+			for _, answer := range responseMSG.Answer {
+				if strings.Contains(answer.String(), testCase.expectedAnswer) {
+					foundAnswer = true
+					break
+				}
 			}

-			if testCase.expectedAnswer != "" {
-				foundAnswer := false
-				for _, answer := range responseMSG.Answer {
-					if strings.Contains(answer.String(), testCase.expectedAnswer) {
-						foundAnswer = true
-						break
-					}
-				}
-
-				if !foundAnswer {
-					t.Errorf("couldn't find the required answer, %s, in the dns response", testCase.expectedAnswer)
-				}
+			if !foundAnswer {
+				t.Errorf("couldn't find the required answer, %s, in the dns response", testCase.expectedAnswer)
 			}
 		})
 	}
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -19,23 +19,19 @@ import (
 	"github.com/pion/ice/v3"
 	"github.com/pion/stun/v2"
 	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/tun/netstack"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/protobuf/proto"

 	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/firewall"
-	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/device"
-	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
+	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal/acl"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/dnsfwd"
-	"github.com/netbirdio/netbird/client/internal/ingressgw"
-	"github.com/netbirdio/netbird/client/internal/netflow"
-	"github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/client/internal/networkmonitor"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/peer/guard"
@@ -46,7 +42,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/routemanager"
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
-	cProto "github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/management/domain"
 	semaphoregroup "github.com/netbirdio/netbird/util/semaphore-group"

@@ -158,7 +153,7 @@ type Engine struct {
 	ctx    context.Context
 	cancel context.CancelFunc

-	wgInterface WGIface
+	wgInterface iface.IWGIface

 	udpMux *bind.UniversalUDPMuxDefault

@@ -172,11 +167,10 @@ type Engine struct {

 	statusRecorder *peer.Status

-	firewall          firewallManager.Manager
-	routeManager      routemanager.Manager
-	acl               acl.Manager
-	dnsForwardMgr     *dnsfwd.Manager
-	ingressGatewayMgr *ingressgw.Manager
+	firewall      manager.Manager
+	routeManager  routemanager.Manager
+	acl           acl.Manager
+	dnsForwardMgr *dnsfwd.Manager

 	dnsServer dns.Server

@@ -191,7 +185,6 @@ type Engine struct {
 	persistNetworkMap bool
 	latestNetworkMap  *mgmProto.NetworkMap
 	connSemaphore     *semaphoregroup.SemaphoreGroup
-	flowManager       types.FlowManager
 }

 // Peer is an instance of the Connection Peer
@@ -234,7 +227,6 @@ func NewEngine(
 		statusRecorder: statusRecorder,
 		checks:         checks,
 		connSemaphore:  semaphoregroup.NewSemaphoreGroup(connInitLimit),
-		flowManager:    netflow.NewManager(clientCtx),
 	}
 	if runtime.GOOS == "ios" {
 		if !fileExists(mobileDep.StateFilePath) {
@@ -272,13 +264,6 @@ func (e *Engine) Stop() error {
 	// stop/restore DNS first so dbus and friends don't complain because of a missing interface
 	e.stopDNSServer()

-	if e.ingressGatewayMgr != nil {
-		if err := e.ingressGatewayMgr.Close(); err != nil {
-			log.Warnf("failed to cleanup forward rules: %v", err)
-		}
-		e.ingressGatewayMgr = nil
-	}
-
 	if e.routeManager != nil {
 		e.routeManager.Stop(e.stateManager)
 	}
@@ -303,8 +288,6 @@ func (e *Engine) Stop() error {
 		return fmt.Errorf("failed to remove all peers: %s", err)
 	}

-	e.flowManager.Close()
-
 	if e.cancel != nil {
 		e.cancel()
 	}
@@ -484,15 +467,15 @@ func (e *Engine) initFirewall() error {
 	}

 	rosenpassPort := e.rpManager.GetAddress().Port
-	port := firewallManager.Port{Values: []uint16{uint16(rosenpassPort)}}
+	port := manager.Port{Values: []uint16{uint16(rosenpassPort)}}

 	// this rule is static and will be torn down on engine down by the firewall manager
 	if _, err := e.firewall.AddPeerFiltering(
 		net.IP{0, 0, 0, 0},
-		firewallManager.ProtocolUDP,
+		manager.ProtocolUDP,
 		nil,
 		&port,
-		firewallManager.ActionAccept,
+		manager.ActionAccept,
 		"",
 		"",
 	); err != nil {
@@ -520,10 +503,10 @@ func (e *Engine) blockLanAccess() {
 		if _, err := e.firewall.AddRouteFiltering(
 			[]netip.Prefix{v4},
 			network,
-			firewallManager.ProtocolALL,
+			manager.ProtocolALL,
 			nil,
 			nil,
-			firewallManager.ActionDrop,
+			manager.ActionDrop,
 		); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("add fw rule for network %s: %w", network, err))
 		}
@@ -542,18 +525,15 @@ func (e *Engine) modifyPeers(peersUpdate []*mgmProto.RemotePeerConfig) error {
 	var modified []*mgmProto.RemotePeerConfig
 	for _, p := range peersUpdate {
 		peerPubKey := p.GetWgPubKey()
-		allowedIPs, ok := e.peerStore.AllowedIPs(peerPubKey)
-		if !ok {
-			continue
-		}
-		if !compareNetIPLists(allowedIPs, p.GetAllowedIps()) {
-			modified = append(modified, p)
-			continue
-		}
-
-		err := e.statusRecorder.UpdatePeerFQDN(peerPubKey, p.GetFqdn())
-		if err != nil {
-			log.Warnf("error updating peer's %s fqdn in the status recorder, got error: %v", peerPubKey, err)
+		if allowedIPs, ok := e.peerStore.AllowedIPs(peerPubKey); ok {
+			if allowedIPs != strings.Join(p.AllowedIps, ",") {
+				modified = append(modified, p)
+				continue
+			}
+			err := e.statusRecorder.UpdatePeerFQDN(peerPubKey, p.GetFqdn())
+			if err != nil {
+				log.Warnf("error updating peer's %s fqdn in the status recorder, got error: %v", peerPubKey, err)
+			}
 		}
 	}

@@ -648,14 +628,25 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 		stunTurn = append(stunTurn, e.TURNs...)
 		e.stunTurn.Store(stunTurn)

-		err = e.handleRelayUpdate(wCfg.GetRelay())
-		if err != nil {
-			return err
-		}
+		relayMsg := wCfg.GetRelay()
+		if relayMsg != nil {
+			// when we receive token we expect valid address list too
+			c := &auth.Token{
+				Payload:   relayMsg.GetTokenPayload(),
+				Signature: relayMsg.GetTokenSignature(),
+			}
+			if err := e.relayManager.UpdateToken(c); err != nil {
+				log.Errorf("failed to update relay token: %v", err)
+				return fmt.Errorf("update relay token: %w", err)
+			}

-		err = e.handleFlowUpdate(wCfg.GetFlow())
-		if err != nil {
-			return fmt.Errorf("handle the flow configuration: %w", err)
+			e.relayManager.UpdateServerURLs(relayMsg.Urls)
+
+			// Just in case the agent started with an MGM server where the relay was disabled but was later enabled.
+			// We can ignore all errors because the guard will manage the reconnection retries.
+			_ = e.relayManager.Serve()
+		} else {
+			e.relayManager.UpdateServerURLs(nil)
 		}

 		// todo update signal
@@ -681,59 +672,9 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 		return err
 	}

-	e.statusRecorder.PublishEvent(cProto.SystemEvent_INFO, cProto.SystemEvent_SYSTEM, "Network map updated", "", nil)
-
 	return nil
 }

-func (e *Engine) handleRelayUpdate(update *mgmProto.RelayConfig) error {
-	if update != nil {
-		// when we receive token we expect valid address list too
-		c := &auth.Token{
-			Payload:   update.GetTokenPayload(),
-			Signature: update.GetTokenSignature(),
-		}
-		if err := e.relayManager.UpdateToken(c); err != nil {
-			return fmt.Errorf("update relay token: %w", err)
-		}
-
-		e.relayManager.UpdateServerURLs(update.Urls)
-
-		// Just in case the agent started with an MGM server where the relay was disabled but was later enabled.
-		// We can ignore all errors because the guard will manage the reconnection retries.
-		_ = e.relayManager.Serve()
-	} else {
-		e.relayManager.UpdateServerURLs(nil)
-	}
-
-	return nil
-}
-
-func (e *Engine) handleFlowUpdate(config *mgmProto.FlowConfig) error {
-	if config == nil {
-		return nil
-	}
-
-	flowConfig, err := toFlowLoggerConfig(config)
-	if err != nil {
-		return err
-	}
-	return e.flowManager.Update(flowConfig)
-}
-
-func toFlowLoggerConfig(config *mgmProto.FlowConfig) (*types.FlowConfig, error) {
-	if config.GetInterval() == nil {
-		return nil, errors.New("flow interval is nil")
-	}
-	return &types.FlowConfig{
-		Enabled:        config.GetEnabled(),
-		URL:            config.GetUrl(),
-		TokenPayload:   config.GetTokenPayload(),
-		TokenSignature: config.GetTokenSignature(),
-		Interval:       config.GetInterval().AsDuration(),
-	}, nil
-}
-
 // updateChecksIfNew updates checks if there are changes and sync new meta with management
 func (e *Engine) updateChecksIfNew(checks []*mgmProto.Checks) error {
 	// if checks are equal, we skip the update
@@ -783,7 +724,7 @@ func (e *Engine) updateSSH(sshConf *mgmProto.SSHConfig) error {
 			// start SSH server if it wasn't running
 			if isNil(e.sshServer) {
 				listenAddr := fmt.Sprintf("%s:%d", e.wgInterface.Address().IP.String(), nbssh.DefaultSSHPort)
-				if nbnetstack.IsEnabled() {
+				if netstack.IsEnabled() {
 					listenAddr = fmt.Sprintf("127.0.0.1:%d", nbssh.DefaultSSHPort)
 				}
 				// nil sshServer means it has not yet been started
@@ -964,11 +905,6 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		log.Errorf("failed to update clientRoutes, err: %v", err)
 	}

-	// Ingress forward rules
-	if err := e.updateForwardRules(networkMap.GetForwardingRules()); err != nil {
-		log.Errorf("failed to update forward rules, err: %v", err)
-	}
-
 	log.Debugf("got peers update from Management Service, total peers to connect to = %d", len(networkMap.GetRemotePeers()))

 	e.updateOfflinePeers(networkMap.GetOfflinePeers())
@@ -1016,7 +952,7 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		protoDNSConfig = &mgmProto.DNSConfig{}
 	}

-	if err := e.dnsServer.UpdateDNSServer(serial, toDNSConfig(protoDNSConfig, e.wgInterface.Address().Network)); err != nil {
+	if err := e.dnsServer.UpdateDNSServer(serial, toDNSConfig(protoDNSConfig)); err != nil {
 		log.Errorf("failed to update dns server, err: %v", err)
 	}

@@ -1085,7 +1021,7 @@ func toRouteDomains(myPubKey string, protoRoutes []*mgmProto.Route) []string {
 	return dnsRoutes
 }

-func toDNSConfig(protoDNSConfig *mgmProto.DNSConfig, network *net.IPNet) nbdns.Config {
+func toDNSConfig(protoDNSConfig *mgmProto.DNSConfig) nbdns.Config {
 	dnsUpdate := nbdns.Config{
 		ServiceEnable:    protoDNSConfig.GetServiceEnable(),
 		CustomZones:      make([]nbdns.CustomZone, 0),
@@ -1125,11 +1061,6 @@ func toDNSConfig(protoDNSConfig *mgmProto.DNSConfig, network *net.IPNet) nbdns.C
 		}
 		dnsUpdate.NameServerGroups = append(dnsUpdate.NameServerGroups, dnsNSGroup)
 	}
-
-	if len(dnsUpdate.CustomZones) > 0 {
-		addReverseZone(&dnsUpdate, network)
-	}
-
 	return dnsUpdate
 }

@@ -1163,45 +1094,34 @@ func (e *Engine) addNewPeers(peersUpdate []*mgmProto.RemotePeerConfig) error {
 // addNewPeer add peer if connection doesn't exist
 func (e *Engine) addNewPeer(peerConfig *mgmProto.RemotePeerConfig) error {
 	peerKey := peerConfig.GetWgPubKey()
-	peerIPs := make([]netip.Prefix, 0, len(peerConfig.GetAllowedIps()))
-	if _, ok := e.peerStore.PeerConn(peerKey); ok {
-		return nil
-	}
-
-	for _, ipString := range peerConfig.GetAllowedIps() {
-		allowedNetIP, err := netip.ParsePrefix(ipString)
+	peerIPs := peerConfig.GetAllowedIps()
+	if _, ok := e.peerStore.PeerConn(peerKey); !ok {
+		conn, err := e.createPeerConn(peerKey, strings.Join(peerIPs, ","))
 		if err != nil {
-			log.Errorf("failed to parse allowedIPS: %v", err)
-			return err
+			return fmt.Errorf("create peer connection: %w", err)
 		}
-		peerIPs = append(peerIPs, allowedNetIP)
-	}

-	conn, err := e.createPeerConn(peerKey, peerIPs)
-	if err != nil {
-		return fmt.Errorf("create peer connection: %w", err)
-	}
+		if ok := e.peerStore.AddPeerConn(peerKey, conn); !ok {
+			conn.Close()
+			return fmt.Errorf("peer already exists: %s", peerKey)
+		}

-	if ok := e.peerStore.AddPeerConn(peerKey, conn); !ok {
-		conn.Close()
-		return fmt.Errorf("peer already exists: %s", peerKey)
-	}
+		if e.beforePeerHook != nil && e.afterPeerHook != nil {
+			conn.AddBeforeAddPeerHook(e.beforePeerHook)
+			conn.AddAfterRemovePeerHook(e.afterPeerHook)
+		}

-	if e.beforePeerHook != nil && e.afterPeerHook != nil {
-		conn.AddBeforeAddPeerHook(e.beforePeerHook)
-		conn.AddAfterRemovePeerHook(e.afterPeerHook)
-	}
+		err = e.statusRecorder.AddPeer(peerKey, peerConfig.Fqdn)
+		if err != nil {
+			log.Warnf("error adding peer %s to status recorder, got error: %v", peerKey, err)
+		}

-	err = e.statusRecorder.AddPeer(peerKey, peerConfig.Fqdn)
-	if err != nil {
-		log.Warnf("error adding peer %s to status recorder, got error: %v", peerKey, err)
+		conn.Open()
 	}
-
-	conn.Open()
 	return nil
 }

-func (e *Engine) createPeerConn(pubKey string, allowedIPs []netip.Prefix) (*peer.Conn, error) {
+func (e *Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, error) {
 	log.Debugf("creating peer connection %s", pubKey)

 	wgConfig := peer.WgConfig{
@@ -1447,7 +1367,7 @@ func (e *Engine) readInitialSettings() ([]*route.Route, *nbdns.Config, error) {
 		return nil, nil, err
 	}
 	routes := toRoutes(netMap.GetRoutes())
-	dnsCfg := toDNSConfig(netMap.GetDNSConfig(), e.wgInterface.Address().Network)
+	dnsCfg := toDNSConfig(netMap.GetDNSConfig())
 	return routes, &dnsCfg, nil
 }

@@ -1539,7 +1459,7 @@ func (e *Engine) GetRouteManager() routemanager.Manager {
 }

 // GetFirewallManager returns the firewall manager
-func (e *Engine) GetFirewallManager() firewallManager.Manager {
+func (e *Engine) GetFirewallManager() manager.Manager {
 	return e.firewall
 }

@@ -1796,105 +1716,6 @@ func (e *Engine) updateDNSForwarder(enabled bool, domains []string) {
 	}
 }

-func (e *Engine) GetNet() (*netstack.Net, error) {
-	e.syncMsgMux.Lock()
-	intf := e.wgInterface
-	e.syncMsgMux.Unlock()
-	if intf == nil {
-		return nil, errors.New("wireguard interface not initialized")
-	}
-
-	nsnet := intf.GetNet()
-	if nsnet == nil {
-		return nil, errors.New("failed to get netstack")
-	}
-	return nsnet, nil
-}
-
-func (e *Engine) Address() (netip.Addr, error) {
-	e.syncMsgMux.Lock()
-	intf := e.wgInterface
-	e.syncMsgMux.Unlock()
-	if intf == nil {
-		return netip.Addr{}, errors.New("wireguard interface not initialized")
-	}
-
-	addr := e.wgInterface.Address()
-	ip, ok := netip.AddrFromSlice(addr.IP)
-	if !ok {
-		return netip.Addr{}, errors.New("failed to convert address to netip.Addr")
-	}
-	return ip.Unmap(), nil
-}
-
-func (e *Engine) updateForwardRules(rules []*mgmProto.ForwardingRule) error {
-	if e.firewall == nil {
-		log.Warn("firewall is disabled, not updating forwarding rules")
-		return nil
-	}
-
-	if len(rules) == 0 {
-		if e.ingressGatewayMgr == nil {
-			return nil
-		}
-
-		err := e.ingressGatewayMgr.Close()
-		e.ingressGatewayMgr = nil
-		e.statusRecorder.SetIngressGwMgr(nil)
-		return err
-	}
-
-	if e.ingressGatewayMgr == nil {
-		mgr := ingressgw.NewManager(e.firewall)
-		e.ingressGatewayMgr = mgr
-		e.statusRecorder.SetIngressGwMgr(mgr)
-	}
-
-	var merr *multierror.Error
-	forwardingRules := make([]firewallManager.ForwardRule, 0, len(rules))
-	for _, rule := range rules {
-		proto, err := convertToFirewallProtocol(rule.GetProtocol())
-		if err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("failed to convert protocol '%s': %w", rule.GetProtocol(), err))
-			continue
-		}
-
-		dstPortInfo, err := convertPortInfo(rule.GetDestinationPort())
-		if err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("invalid destination port '%v': %w", rule.GetDestinationPort(), err))
-			continue
-		}
-
-		translateIP, err := convertToIP(rule.GetTranslatedAddress())
-		if err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("failed to convert translated address '%s': %w", rule.GetTranslatedAddress(), err))
-			continue
-		}
-
-		translatePort, err := convertPortInfo(rule.GetTranslatedPort())
-		if err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("invalid translate port '%v': %w", rule.GetTranslatedPort(), err))
-			continue
-		}
-
-		forwardRule := firewallManager.ForwardRule{
-			Protocol:          proto,
-			DestinationPort:   *dstPortInfo,
-			TranslatedAddress: translateIP,
-			TranslatedPort:    *translatePort,
-		}
-
-		forwardingRules = append(forwardingRules, forwardRule)
-	}
-
-	log.Infof("updating forwarding rules: %d", len(forwardingRules))
-	if err := e.ingressGatewayMgr.Update(forwardingRules); err != nil {
-		log.Errorf("failed to update forwarding rules: %v", err)
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
 // isChecksEqual checks if two slices of checks are equal.
 func isChecksEqual(checks []*mgmProto.Checks, oChecks []*mgmProto.Checks) bool {
 	for _, check := range checks {
@@ -1954,36 +1775,3 @@ func getInterfacePrefixes() ([]netip.Prefix, error) {

 	return prefixes, nberrors.FormatErrorOrNil(merr)
 }
-
-// compareNetIPLists compares a list of netip.Prefix with a list of strings.
-// return true if both lists are equal, false otherwise.
-func compareNetIPLists(list1 []netip.Prefix, list2 []string) bool {
-	if len(list1) != len(list2) {
-		return false
-	}
-
-	freq := make(map[string]int, len(list1))
-	for _, p := range list1 {
-		freq[p.String()]++
-	}
-
-	for _, s := range list2 {
-		p, err := netip.ParsePrefix(s)
-		if err != nil {
-			return false // invalid prefix in list2.
-		}
-		key := p.String()
-		if freq[key] == 0 {
-			return false
-		}
-		freq[key]--
-	}
-
-	// all counts should be zero if lists are equal.
-	for _, count := range freq {
-		if count != 0 {
-			return false
-		}
-	}
-	return true
-}
--- a/client/internal/engine_test.go
+++ b/client/internal/engine_test.go
@@ -22,16 +22,11 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/keepalive"

-	wgdevice "golang.zx2c4.com/wireguard/device"
-	"golang.zx2c4.com/wireguard/tun/netstack"
-
 	"github.com/netbirdio/management-integrations/integrations"

 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/configurer"
 	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/wgproxy"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/peer/guard"
@@ -44,7 +39,6 @@ import (
 	mgmtProto "github.com/netbirdio/netbird/management/proto"
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/activity"
-	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	"github.com/netbirdio/netbird/management/server/settings"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/telemetry"
@@ -70,114 +64,6 @@ var (
 	}
 )

-type MockWGIface struct {
-	CreateFunc                 func() error
-	CreateOnAndroidFunc        func(routeRange []string, ip string, domains []string) error
-	IsUserspaceBindFunc        func() bool
-	NameFunc                   func() string
-	AddressFunc                func() device.WGAddress
-	ToInterfaceFunc            func() *net.Interface
-	UpFunc                     func() (*bind.UniversalUDPMuxDefault, error)
-	UpdateAddrFunc             func(newAddr string) error
-	UpdatePeerFunc             func(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error
-	RemovePeerFunc             func(peerKey string) error
-	AddAllowedIPFunc           func(peerKey string, allowedIP string) error
-	RemoveAllowedIPFunc        func(peerKey string, allowedIP string) error
-	CloseFunc                  func() error
-	SetFilterFunc              func(filter device.PacketFilter) error
-	GetFilterFunc              func() device.PacketFilter
-	GetDeviceFunc              func() *device.FilteredDevice
-	GetWGDeviceFunc            func() *wgdevice.Device
-	GetStatsFunc               func(peerKey string) (configurer.WGStats, error)
-	GetInterfaceGUIDStringFunc func() (string, error)
-	GetProxyFunc               func() wgproxy.Proxy
-	GetNetFunc                 func() *netstack.Net
-}
-
-func (m *MockWGIface) GetInterfaceGUIDString() (string, error) {
-	return m.GetInterfaceGUIDStringFunc()
-}
-
-func (m *MockWGIface) Create() error {
-	return m.CreateFunc()
-}
-
-func (m *MockWGIface) CreateOnAndroid(routeRange []string, ip string, domains []string) error {
-	return m.CreateOnAndroidFunc(routeRange, ip, domains)
-}
-
-func (m *MockWGIface) IsUserspaceBind() bool {
-	return m.IsUserspaceBindFunc()
-}
-
-func (m *MockWGIface) Name() string {
-	return m.NameFunc()
-}
-
-func (m *MockWGIface) Address() device.WGAddress {
-	return m.AddressFunc()
-}
-
-func (m *MockWGIface) ToInterface() *net.Interface {
-	return m.ToInterfaceFunc()
-}
-
-func (m *MockWGIface) Up() (*bind.UniversalUDPMuxDefault, error) {
-	return m.UpFunc()
-}
-
-func (m *MockWGIface) UpdateAddr(newAddr string) error {
-	return m.UpdateAddrFunc(newAddr)
-}
-
-func (m *MockWGIface) UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
-	return m.UpdatePeerFunc(peerKey, allowedIps, keepAlive, endpoint, preSharedKey)
-}
-
-func (m *MockWGIface) RemovePeer(peerKey string) error {
-	return m.RemovePeerFunc(peerKey)
-}
-
-func (m *MockWGIface) AddAllowedIP(peerKey string, allowedIP string) error {
-	return m.AddAllowedIPFunc(peerKey, allowedIP)
-}
-
-func (m *MockWGIface) RemoveAllowedIP(peerKey string, allowedIP string) error {
-	return m.RemoveAllowedIPFunc(peerKey, allowedIP)
-}
-
-func (m *MockWGIface) Close() error {
-	return m.CloseFunc()
-}
-
-func (m *MockWGIface) SetFilter(filter device.PacketFilter) error {
-	return m.SetFilterFunc(filter)
-}
-
-func (m *MockWGIface) GetFilter() device.PacketFilter {
-	return m.GetFilterFunc()
-}
-
-func (m *MockWGIface) GetDevice() *device.FilteredDevice {
-	return m.GetDeviceFunc()
-}
-
-func (m *MockWGIface) GetWGDevice() *wgdevice.Device {
-	return m.GetWGDeviceFunc()
-}
-
-func (m *MockWGIface) GetStats(peerKey string) (configurer.WGStats, error) {
-	return m.GetStatsFunc(peerKey)
-}
-
-func (m *MockWGIface) GetProxy() wgproxy.Proxy {
-	return m.GetProxyFunc()
-}
-
-func (m *MockWGIface) GetNet() *netstack.Net {
-	return m.GetNetFunc()
-}
-
 func TestMain(m *testing.M) {
 	_ = util.InitLog("debug", "console")
 	code := m.Run()
@@ -359,20 +245,11 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 		peer.NewRecorder("https://mgm"),
 		nil)

-	wgIface := &MockWGIface{
+	wgIface := &iface.MockWGIface{
 		NameFunc: func() string { return "utun102" },
 		RemovePeerFunc: func(peerKey string) error {
 			return nil
 		},
-		AddressFunc: func() iface.WGAddress {
-			return iface.WGAddress{
-				IP: net.ParseIP("10.20.0.1"),
-				Network: &net.IPNet{
-					IP:   net.ParseIP("10.20.0.0"),
-					Mask: net.IPv4Mask(255, 255, 255, 0),
-				},
-			}
-		},
 	}
 	engine.wgInterface = wgIface
 	engine.routeManager = routemanager.NewManager(routemanager.ManagerConfig{
@@ -536,7 +413,7 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 					t.Errorf("expecting Engine.peerConns to contain peer %s", p)
 				}
 				expectedAllowedIPs := strings.Join(p.AllowedIps, ",")
-				if !compareNetIPLists(conn.WgConfig().AllowedIps, p.AllowedIps) {
+				if conn.WgConfig().AllowedIps != expectedAllowedIPs {
 					t.Errorf("expecting peer %s to have AllowedIPs= %s, got %s", p.GetWgPubKey(),
 						expectedAllowedIPs, conn.WgConfig().AllowedIps)
 				}
@@ -815,9 +692,6 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 								},
 							},
 						},
-						{
-							Domain: "0.66.100.in-addr.arpa.",
-						},
 					},
 					NameServerGroups: []*mgmtProto.NameServerGroup{
 						{
@@ -847,9 +721,6 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 						},
 					},
 				},
-				{
-					Domain: "0.66.100.in-addr.arpa.",
-				},
 			},
 			expectedNSGroupsLen: 1,
 			expectedNSGroups: []*nbdns.NameServerGroup{
@@ -1239,91 +1110,6 @@ func Test_CheckFilesEqual(t *testing.T) {
 	}
 }

-func TestCompareNetIPLists(t *testing.T) {
-	tests := []struct {
-		name     string
-		list1    []netip.Prefix
-		list2    []string
-		expected bool
-	}{
-		{
-			name:     "both empty",
-			list1:    []netip.Prefix{},
-			list2:    []string{},
-			expected: true,
-		},
-		{
-			name:     "single match ipv4",
-			list1:    []netip.Prefix{netip.MustParsePrefix("192.168.0.0/24")},
-			list2:    []string{"192.168.0.0/24"},
-			expected: true,
-		},
-		{
-			name:     "multiple match ipv4, different order",
-			list1:    []netip.Prefix{netip.MustParsePrefix("192.168.1.0/24"), netip.MustParsePrefix("10.0.0.0/8")},
-			list2:    []string{"10.0.0.0/8", "192.168.1.0/24"},
-			expected: true,
-		},
-		{
-			name:     "ipv4 mismatch due to extra element in list2",
-			list1:    []netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")},
-			list2:    []string{"192.168.1.0/24", "10.0.0.0/8"},
-			expected: false,
-		},
-		{
-			name:     "ipv4 mismatch due to duplicate count",
-			list1:    []netip.Prefix{netip.MustParsePrefix("192.168.1.0/24"), netip.MustParsePrefix("192.168.1.0/24")},
-			list2:    []string{"192.168.1.0/24"},
-			expected: false,
-		},
-		{
-			name:     "invalid prefix in list2",
-			list1:    []netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")},
-			list2:    []string{"invalid-prefix"},
-			expected: false,
-		},
-		{
-			name:     "ipv4 mismatch because different prefixes",
-			list1:    []netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")},
-			list2:    []string{"10.0.0.0/8"},
-			expected: false,
-		},
-		{
-			name:     "single match ipv6",
-			list1:    []netip.Prefix{netip.MustParsePrefix("2001:db8::/32")},
-			list2:    []string{"2001:db8::/32"},
-			expected: true,
-		},
-		{
-			name:     "multiple match ipv6, different order",
-			list1:    []netip.Prefix{netip.MustParsePrefix("2001:db8::/32"), netip.MustParsePrefix("fe80::/10")},
-			list2:    []string{"fe80::/10", "2001:db8::/32"},
-			expected: true,
-		},
-		{
-			name:     "mixed ipv4 and ipv6 match",
-			list1:    []netip.Prefix{netip.MustParsePrefix("192.168.1.0/24"), netip.MustParsePrefix("2001:db8::/32")},
-			list2:    []string{"2001:db8::/32", "192.168.1.0/24"},
-			expected: true,
-		},
-		{
-			name:     "ipv6 mismatch with invalid prefix",
-			list1:    []netip.Prefix{netip.MustParsePrefix("2001:db8::/32")},
-			list2:    []string{"invalid-ipv6"},
-			expected: false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := compareNetIPLists(tt.list1, tt.list2)
-			if result != tt.expected {
-				t.Errorf("compareNetIPLists(%v, %v) = %v; want %v", tt.list1, tt.list2, result, tt.expected)
-			}
-		})
-	}
-}
-
 func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey string, i int, mgmtAddr string, signalAddr string) (*Engine, error) {
 	key, err := wgtypes.GeneratePrivateKey()
 	if err != nil {
@@ -1344,7 +1130,7 @@ func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey strin
 	}

 	info := system.GetInfo(ctx)
-	resp, err := mgmtClient.Register(*publicKey, setupKey, "", info, nil, nil)
+	resp, err := mgmtClient.Register(*publicKey, setupKey, "", info, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -1434,13 +1220,13 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
 	require.NoError(t, err)

-	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settings.NewManagerMock())
+	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics)
 	if err != nil {
 		return nil, "", err
 	}

 	secretsManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay)
-	mgmtServer, err := server.NewServer(context.Background(), config, accountManager, settings.NewManagerMock(), peersUpdateManager, secretsManager, nil, nil, nil)
+	mgmtServer, err := server.NewServer(context.Background(), config, accountManager, settings.NewManager(store), peersUpdateManager, secretsManager, nil, nil)
 	if err != nil {
 		return nil, "", err
 	}
--- a/client/internal/iface.go
+++ b/client/internal/iface.go
@@ -1,8 +0,0 @@
-//go:build !windows
-// +build !windows
-
-package internal
-
-type WGIface interface {
-	wgIfaceBase
-}
--- a/client/internal/iface_windows.go
+++ b/client/internal/iface_windows.go
@@ -1,6 +0,0 @@
-package internal
-
-type WGIface interface {
-	wgIfaceBase
-	GetInterfaceGUIDString() (string, error)
-}
--- a/client/internal/ingressgw/manager.go
+++ b/client/internal/ingressgw/manager.go
@@ -1,107 +0,0 @@
-package ingressgw
-
-import (
-	"fmt"
-	"sync"
-
-	"github.com/hashicorp/go-multierror"
-	log "github.com/sirupsen/logrus"
-
-	nberrors "github.com/netbirdio/netbird/client/errors"
-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-)
-
-type DNATFirewall interface {
-	AddDNATRule(fwdRule firewall.ForwardRule) (firewall.Rule, error)
-	DeleteDNATRule(rule firewall.Rule) error
-}
-
-type RulePair struct {
-	firewall.ForwardRule
-	firewall.Rule
-}
-
-type Manager struct {
-	dnatFirewall DNATFirewall
-
-	rules   map[string]RulePair // keys is the ID of the ForwardRule
-	rulesMu sync.Mutex
-}
-
-func NewManager(dnatFirewall DNATFirewall) *Manager {
-	return &Manager{
-		dnatFirewall: dnatFirewall,
-		rules:        make(map[string]RulePair),
-	}
-}
-
-func (h *Manager) Update(forwardRules []firewall.ForwardRule) error {
-	h.rulesMu.Lock()
-	defer h.rulesMu.Unlock()
-
-	var mErr *multierror.Error
-
-	toDelete := make(map[string]RulePair, len(h.rules))
-	for id, r := range h.rules {
-		toDelete[id] = r
-	}
-
-	// Process new/updated rules
-	for _, fwdRule := range forwardRules {
-		id := fwdRule.ID()
-		if _, ok := h.rules[id]; ok {
-			delete(toDelete, id)
-			continue
-		}
-
-		rule, err := h.dnatFirewall.AddDNATRule(fwdRule)
-		if err != nil {
-			mErr = multierror.Append(mErr, fmt.Errorf("add forward rule '%s': %v", fwdRule.String(), err))
-			continue
-		}
-		log.Infof("forward rule has been added '%s'", fwdRule)
-		h.rules[id] = RulePair{
-			ForwardRule: fwdRule,
-			Rule:        rule,
-		}
-	}
-
-	// Remove deleted rules
-	for id, rulePair := range toDelete {
-		if err := h.dnatFirewall.DeleteDNATRule(rulePair.Rule); err != nil {
-			mErr = multierror.Append(mErr, fmt.Errorf("failed to delete forward rule '%s': %v", rulePair.ForwardRule.String(), err))
-		}
-		log.Infof("forward rule has been deleted '%s'", rulePair.ForwardRule)
-		delete(h.rules, id)
-	}
-
-	return nberrors.FormatErrorOrNil(mErr)
-}
-
-func (h *Manager) Close() error {
-	h.rulesMu.Lock()
-	defer h.rulesMu.Unlock()
-
-	log.Infof("clean up all (%d) forward rules", len(h.rules))
-	var mErr *multierror.Error
-	for _, rule := range h.rules {
-		if err := h.dnatFirewall.DeleteDNATRule(rule.Rule); err != nil {
-			mErr = multierror.Append(mErr, fmt.Errorf("failed to delete forward rule '%s': %v", rule, err))
-		}
-	}
-
-	h.rules = make(map[string]RulePair)
-	return nberrors.FormatErrorOrNil(mErr)
-}
-
-func (h *Manager) Rules() []firewall.ForwardRule {
-	h.rulesMu.Lock()
-	defer h.rulesMu.Unlock()
-
-	rules := make([]firewall.ForwardRule, 0, len(h.rules))
-	for _, rulePair := range h.rules {
-		rules = append(rules, rulePair.ForwardRule)
-	}
-
-	return rules
-}
--- a/client/internal/ingressgw/manager_test.go
+++ b/client/internal/ingressgw/manager_test.go
@@ -1,281 +0,0 @@
-package ingressgw
-
-import (
-	"fmt"
-	"net/netip"
-	"testing"
-
-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-)
-
-var (
-	_ firewall.Rule = (*MocFwRule)(nil)
-	_ DNATFirewall  = &MockDNATFirewall{}
-)
-
-type MocFwRule struct {
-	id string
-}
-
-func (m *MocFwRule) ID() string {
-	return string(m.id)
-}
-
-type MockDNATFirewall struct {
-	throwError bool
-}
-
-func (m *MockDNATFirewall) AddDNATRule(fwdRule firewall.ForwardRule) (firewall.Rule, error) {
-	if m.throwError {
-		return nil, fmt.Errorf("moc error")
-	}
-
-	fwRule := &MocFwRule{
-		id: fwdRule.ID(),
-	}
-	return fwRule, nil
-}
-
-func (m *MockDNATFirewall) DeleteDNATRule(rule firewall.Rule) error {
-	if m.throwError {
-		return fmt.Errorf("moc error")
-	}
-	return nil
-}
-
-func (m *MockDNATFirewall) forceToThrowErrors() {
-	m.throwError = true
-}
-
-func TestManager_AddRule(t *testing.T) {
-	fw := &MockDNATFirewall{}
-	mgr := NewManager(fw)
-
-	port, _ := firewall.NewPort(8080)
-
-	updates := []firewall.ForwardRule{
-		{
-			Protocol:          firewall.ProtocolTCP,
-			DestinationPort:   *port,
-			TranslatedAddress: netip.MustParseAddr("172.16.254.1"),
-			TranslatedPort:    *port,
-		},
-		{
-			Protocol:          firewall.ProtocolUDP,
-			DestinationPort:   *port,
-			TranslatedAddress: netip.MustParseAddr("172.16.254.1"),
-			TranslatedPort:    *port,
-		}}
-
-	if err := mgr.Update(updates); err != nil {
-		t.Errorf("unexpected error: %v", err)
-	}
-
-	rules := mgr.Rules()
-	if len(rules) != len(updates) {
-		t.Errorf("unexpected rules count: %d", len(rules))
-	}
-}
-
-func TestManager_UpdateRule(t *testing.T) {
-	fw := &MockDNATFirewall{}
-	mgr := NewManager(fw)
-
-	port, _ := firewall.NewPort(8080)
-	ruleTCP := firewall.ForwardRule{
-		Protocol:          firewall.ProtocolTCP,
-		DestinationPort:   *port,
-		TranslatedAddress: netip.MustParseAddr("172.16.254.1"),
-		TranslatedPort:    *port,
-	}
-
-	if err := mgr.Update([]firewall.ForwardRule{ruleTCP}); err != nil {
-		t.Errorf("unexpected error: %v", err)
-	}
-
-	ruleUDP := firewall.ForwardRule{
-		Protocol:          firewall.ProtocolUDP,
-		DestinationPort:   *port,
-		TranslatedAddress: netip.MustParseAddr("172.16.254.2"),
-		TranslatedPort:    *port,
-	}
-
-	if err := mgr.Update([]firewall.ForwardRule{ruleUDP}); err != nil {
-		t.Errorf("unexpected error: %v", err)
-	}
-
-	rules := mgr.Rules()
-	if len(rules) != 1 {
-		t.Errorf("unexpected rules count: %d", len(rules))
-	}
-
-	if rules[0].TranslatedAddress.String() != ruleUDP.TranslatedAddress.String() {
-		t.Errorf("unexpected rule: %v", rules[0])
-	}
-
-	if rules[0].TranslatedPort.String() != ruleUDP.TranslatedPort.String() {
-		t.Errorf("unexpected rule: %v", rules[0])
-	}
-
-	if rules[0].DestinationPort.String() != ruleUDP.DestinationPort.String() {
-		t.Errorf("unexpected rule: %v", rules[0])
-	}
-
-	if rules[0].Protocol != ruleUDP.Protocol {
-		t.Errorf("unexpected rule: %v", rules[0])
-	}
-}
-
-func TestManager_ExtendRules(t *testing.T) {
-	fw := &MockDNATFirewall{}
-	mgr := NewManager(fw)
-
-	port, _ := firewall.NewPort(8080)
-	ruleTCP := firewall.ForwardRule{
-		Protocol:          firewall.ProtocolTCP,
-		DestinationPort:   *port,
-		TranslatedAddress: netip.MustParseAddr("172.16.254.1"),
-		TranslatedPort:    *port,
-	}
-
-	ruleUDP := firewall.ForwardRule{
-		Protocol:          firewall.ProtocolUDP,
-		DestinationPort:   *port,
-		TranslatedAddress: netip.MustParseAddr("172.16.254.2"),
-		TranslatedPort:    *port,
-	}
-
-	if err := mgr.Update([]firewall.ForwardRule{ruleTCP}); err != nil {
-		t.Errorf("unexpected error: %v", err)
-	}
-
-	if err := mgr.Update([]firewall.ForwardRule{ruleTCP, ruleUDP}); err != nil {
-		t.Errorf("unexpected error: %v", err)
-	}
-
-	rules := mgr.Rules()
-	if len(rules) != 2 {
-		t.Errorf("unexpected rules count: %d", len(rules))
-	}
-}
-
-func TestManager_UnderlingError(t *testing.T) {
-	fw := &MockDNATFirewall{}
-	mgr := NewManager(fw)
-
-	port, _ := firewall.NewPort(8080)
-	ruleTCP := firewall.ForwardRule{
-		Protocol:          firewall.ProtocolTCP,
-		DestinationPort:   *port,
-		TranslatedAddress: netip.MustParseAddr("172.16.254.1"),
-		TranslatedPort:    *port,
-	}
-
-	ruleUDP := firewall.ForwardRule{
-		Protocol:          firewall.ProtocolUDP,
-		DestinationPort:   *port,
-		TranslatedAddress: netip.MustParseAddr("172.16.254.2"),
-		TranslatedPort:    *port,
-	}
-
-	if err := mgr.Update([]firewall.ForwardRule{ruleTCP}); err != nil {
-		t.Errorf("unexpected error: %v", err)
-	}
-
-	fw.forceToThrowErrors()
-
-	if err := mgr.Update([]firewall.ForwardRule{ruleTCP, ruleUDP}); err == nil {
-		t.Errorf("expected error")
-	}
-
-	rules := mgr.Rules()
-	if len(rules) != 1 {
-		t.Errorf("unexpected rules count: %d", len(rules))
-	}
-}
-
-func TestManager_Cleanup(t *testing.T) {
-	fw := &MockDNATFirewall{}
-	mgr := NewManager(fw)
-
-	port, _ := firewall.NewPort(8080)
-	ruleTCP := firewall.ForwardRule{
-		Protocol:          firewall.ProtocolTCP,
-		DestinationPort:   *port,
-		TranslatedAddress: netip.MustParseAddr("172.16.254.1"),
-		TranslatedPort:    *port,
-	}
-
-	if err := mgr.Update([]firewall.ForwardRule{ruleTCP}); err != nil {
-		t.Errorf("unexpected error: %v", err)
-	}
-
-	if err := mgr.Update([]firewall.ForwardRule{}); err != nil {
-		t.Errorf("unexpected error: %v", err)
-	}
-
-	rules := mgr.Rules()
-	if len(rules) != 0 {
-		t.Errorf("unexpected rules count: %d", len(rules))
-	}
-}
-
-func TestManager_DeleteBrokenRule(t *testing.T) {
-	fw := &MockDNATFirewall{}
-
-	// force to throw errors when Add DNAT Rule
-	fw.forceToThrowErrors()
-	mgr := NewManager(fw)
-
-	port, _ := firewall.NewPort(8080)
-	ruleTCP := firewall.ForwardRule{
-		Protocol:          firewall.ProtocolTCP,
-		DestinationPort:   *port,
-		TranslatedAddress: netip.MustParseAddr("172.16.254.1"),
-		TranslatedPort:    *port,
-	}
-
-	if err := mgr.Update([]firewall.ForwardRule{ruleTCP}); err == nil {
-		t.Errorf("unexpected error: %v", err)
-	}
-
-	rules := mgr.Rules()
-	if len(rules) != 0 {
-		t.Errorf("unexpected rules count: %d", len(rules))
-	}
-
-	// simulate that to remove a broken rule
-	if err := mgr.Update([]firewall.ForwardRule{}); err != nil {
-		t.Errorf("unexpected error: %v", err)
-	}
-
-	if err := mgr.Close(); err != nil {
-		t.Errorf("unexpected error: %v", err)
-	}
-}
-
-func TestManager_Close(t *testing.T) {
-	fw := &MockDNATFirewall{}
-	mgr := NewManager(fw)
-
-	port, _ := firewall.NewPort(8080)
-	ruleTCP := firewall.ForwardRule{
-		Protocol:          firewall.ProtocolTCP,
-		DestinationPort:   *port,
-		TranslatedAddress: netip.MustParseAddr("172.16.254.1"),
-		TranslatedPort:    *port,
-	}
-
-	if err := mgr.Update([]firewall.ForwardRule{ruleTCP}); err != nil {
-		t.Errorf("unexpected error: %v", err)
-	}
-
-	if err := mgr.Close(); err != nil {
-		t.Errorf("unexpected error: %v", err)
-	}
-
-	rules := mgr.Rules()
-	if len(rules) != 0 {
-		t.Errorf("unexpected rules count: %d", len(rules))
-	}
-}
--- a/client/internal/login.go
+++ b/client/internal/login.go
@@ -117,7 +117,7 @@ func doMgmLogin(ctx context.Context, mgmClient *mgm.GrpcClient, pubSSHKey []byte
 		config.DisableDNS,
 		config.DisableFirewall,
 	)
-	_, err = mgmClient.Login(*serverKey, sysInfo, pubSSHKey, config.DNSLabels)
+	_, err = mgmClient.Login(*serverKey, sysInfo, pubSSHKey)
 	return serverKey, err
 }

@@ -140,7 +140,7 @@ func registerPeer(ctx context.Context, serverPublicKey wgtypes.Key, client *mgm.
 		config.DisableDNS,
 		config.DisableFirewall,
 	)
-	loginResp, err := client.Register(serverPublicKey, validSetupKey.String(), jwtToken, info, pubSSHKey, config.DNSLabels)
+	loginResp, err := client.Register(serverPublicKey, validSetupKey.String(), jwtToken, info, pubSSHKey)
 	if err != nil {
 		log.Errorf("failed registering peer %v,%s", err, validSetupKey.String())
 		return nil, err
--- a/client/internal/message_convert.go
+++ b/client/internal/message_convert.go
@@ -1,58 +0,0 @@
-package internal
-
-import (
-	"errors"
-	"fmt"
-	"net"
-	"net/netip"
-
-	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
-	mgmProto "github.com/netbirdio/netbird/management/proto"
-)
-
-func convertToFirewallProtocol(protocol mgmProto.RuleProtocol) (firewallManager.Protocol, error) {
-	switch protocol {
-	case mgmProto.RuleProtocol_TCP:
-		return firewallManager.ProtocolTCP, nil
-	case mgmProto.RuleProtocol_UDP:
-		return firewallManager.ProtocolUDP, nil
-	case mgmProto.RuleProtocol_ICMP:
-		return firewallManager.ProtocolICMP, nil
-	case mgmProto.RuleProtocol_ALL:
-		return firewallManager.ProtocolALL, nil
-	default:
-		return "", fmt.Errorf("invalid protocol type: %s", protocol.String())
-	}
-}
-
-func convertPortInfo(portInfo *mgmProto.PortInfo) (*firewallManager.Port, error) {
-	if portInfo == nil {
-		return nil, errors.New("portInfo cannot be nil")
-	}
-
-	if portInfo.GetPort() != 0 {
-		return firewallManager.NewPort(int(portInfo.GetPort()))
-	}
-
-	if portInfo.GetRange() != nil {
-		return firewallManager.NewPort(int(portInfo.GetRange().Start), int(portInfo.GetRange().End))
-	}
-
-	return nil, fmt.Errorf("invalid portInfo: %v", portInfo)
-}
-
-func convertToIP(rawIP []byte) (netip.Addr, error) {
-	if rawIP == nil {
-		return netip.Addr{}, errors.New("input bytes cannot be nil")
-	}
-
-	if len(rawIP) != net.IPv4len && len(rawIP) != net.IPv6len {
-		return netip.Addr{}, fmt.Errorf("invalid IP length: %d", len(rawIP))
-	}
-
-	if len(rawIP) == net.IPv4len {
-		return netip.AddrFrom4([4]byte(rawIP)), nil
-	}
-
-	return netip.AddrFrom16([16]byte(rawIP)), nil
-}
--- a/client/internal/netflow/logger/logger.go
+++ b/client/internal/netflow/logger/logger.go
@@ -1,113 +0,0 @@
-package logger
-
-import (
-	"context"
-	"sync"
-	"sync/atomic"
-	"time"
-
-	"github.com/google/uuid"
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal/netflow/store"
-	"github.com/netbirdio/netbird/client/internal/netflow/types"
-)
-
-type rcvChan chan *types.EventFields
-type Logger struct {
-	mux            sync.Mutex
-	ctx            context.Context
-	cancel         context.CancelFunc
-	enabled        atomic.Bool
-	rcvChan        atomic.Pointer[rcvChan]
-	cancelReceiver context.CancelFunc
-	Store          types.Store
-}
-
-func New(ctx context.Context) *Logger {
-	ctx, cancel := context.WithCancel(ctx)
-	return &Logger{
-		ctx:    ctx,
-		cancel: cancel,
-		Store:  store.NewMemoryStore(),
-	}
-}
-
-func (l *Logger) StoreEvent(flowEvent types.EventFields) {
-	if !l.enabled.Load() {
-		return
-	}
-
-	c := l.rcvChan.Load()
-	if c == nil {
-		return
-	}
-
-	select {
-	case *c <- &flowEvent:
-	default:
-		// todo: we should collect or log on this
-	}
-}
-
-func (l *Logger) Enable() {
-	go l.startReceiver()
-}
-
-func (l *Logger) startReceiver() {
-	if l.enabled.Load() {
-		return
-	}
-	l.mux.Lock()
-	ctx, cancel := context.WithCancel(l.ctx)
-	l.cancelReceiver = cancel
-	l.mux.Unlock()
-
-	c := make(rcvChan, 100)
-	l.rcvChan.Swap(&c)
-	l.enabled.Store(true)
-
-	for {
-		select {
-		case <-ctx.Done():
-			log.Info("flow Memory store receiver stopped")
-			return
-		case eventFields := <-c:
-			id := uuid.NewString()
-			event := types.Event{
-				ID:          id,
-				EventFields: *eventFields,
-				Timestamp:   time.Now(),
-			}
-			l.Store.StoreEvent(&event)
-		}
-	}
-}
-
-func (l *Logger) Disable() {
-	l.stop()
-	l.Store.Close()
-}
-
-func (l *Logger) stop() {
-	if !l.enabled.Load() {
-		return
-	}
-
-	l.enabled.Store(false)
-	l.mux.Lock()
-	if l.cancelReceiver != nil {
-		l.cancelReceiver()
-		l.cancelReceiver = nil
-	}
-	l.mux.Unlock()
-}
-
-func (l *Logger) GetEvents() []*types.Event {
-	return l.Store.GetEvents()
-}
-
-func (l *Logger) Close() {
-	l.stop()
-	l.cancel()
-}
--- a/client/internal/netflow/logger/logger_test.go
+++ b/client/internal/netflow/logger/logger_test.go
@@ -1,67 +0,0 @@
-package logger_test
-
-import (
-	"context"
-	"testing"
-	"time"
-
-	"github.com/google/uuid"
-
-	"github.com/netbirdio/netbird/client/internal/netflow/logger"
-	"github.com/netbirdio/netbird/client/internal/netflow/types"
-)
-
-func TestStore(t *testing.T) {
-	logger := logger.New(context.Background())
-	logger.Enable()
-
-	event := types.EventFields{
-		FlowID:    uuid.New(),
-		Type:      types.TypeStart,
-		Direction: types.Ingress,
-		Protocol:  6,
-	}
-
-	wait := func() { time.Sleep(time.Millisecond) }
-	wait()
-	logger.StoreEvent(event)
-	wait()
-
-	allEvents := logger.GetEvents()
-	matched := false
-	for _, e := range allEvents {
-		if e.EventFields.FlowID == event.FlowID {
-			matched = true
-		}
-	}
-	if !matched {
-		t.Errorf("didn't match any event")
-	}
-
-	// test disable
-	logger.Disable()
-	wait()
-	logger.StoreEvent(event)
-	wait()
-	allEvents = logger.GetEvents()
-	if len(allEvents) != 0 {
-		t.Errorf("expected 0 events, got %d", len(allEvents))
-	}
-
-	// test re-enable
-	logger.Enable()
-	wait()
-	logger.StoreEvent(event)
-	wait()
-
-	allEvents = logger.GetEvents()
-	matched = false
-	for _, e := range allEvents {
-		if e.EventFields.FlowID == event.FlowID {
-			matched = true
-		}
-	}
-	if !matched {
-		t.Errorf("didn't match any event")
-	}
-}
--- a/client/internal/netflow/manager.go
+++ b/client/internal/netflow/manager.go
@@ -1,48 +0,0 @@
-package netflow
-
-import (
-	"context"
-	"sync"
-
-	"github.com/netbirdio/netbird/client/internal/netflow/logger"
-	"github.com/netbirdio/netbird/client/internal/netflow/types"
-)
-
-type Manager struct {
-	mux        sync.Mutex
-	logger     types.FlowLogger
-	flowConfig *types.FlowConfig
-}
-
-func NewManager(ctx context.Context) *Manager {
-	return &Manager{
-		logger: logger.New(ctx),
-	}
-}
-
-func (m *Manager) Update(update *types.FlowConfig) error {
-	m.mux.Lock()
-	defer m.mux.Unlock()
-	if update == nil {
-		return nil
-	}
-
-	m.flowConfig = update
-
-	if update.Enabled {
-		m.logger.Enable()
-		return nil
-	}
-
-	m.logger.Disable()
-
-	return nil
-}
-
-func (m *Manager) Close() {
-	m.logger.Close()
-}
-
-func (m *Manager) GetLogger() types.FlowLogger {
-	return m.logger
-}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Viktor Liu	19178b59ec	Merge branch 'main' into userspace-router	2025-02-07 13:32:09 +01:00
Viktor Liu	48f58d776c	Treat the whole localhost range as local IPs	2025-01-29 22:43:14 +01:00
Viktor Liu	4d635e3c2f	Merge branch 'main' into userspace-router	2025-01-29 22:00:41 +01:00
Viktor Liu	a0ca3edb9f	Merge branch 'port-range-acl' into userspace-router	2025-01-23 19:29:40 +01:00
Viktor Liu	0837864cfc	Fix port	2025-01-23 19:29:25 +01:00
Viktor Liu	e3d4f9819f	Add test cases for port ranges in peer ACLs	2025-01-23 19:28:42 +01:00
Viktor Liu	da43d33540	Merge branch 'port-range-acl' into userspace-router	2025-01-23 19:27:45 +01:00
Viktor Liu	b951fb4aec	Use uppercase field name	2025-01-23 18:14:16 +01:00
Viktor Liu	862d548d4d	Support port ranges	2025-01-23 18:04:00 +01:00
Viktor Liu	9b5c0439e9	Make debug ops a bit safer	2025-01-16 20:28:38 +01:00
Viktor Liu	21a3679590	Fix regression	2025-01-15 18:27:15 +01:00
Viktor Liu	77afcc8454	Merge branch 'main' into userspace-router	2025-01-15 17:53:22 +01:00
Viktor Liu	22991b3963	Process drop rules first (#3167 )	2025-01-15 17:51:08 +01:00
Viktor Liu	ea6c947f5d	Merge branch 'main' into userspace-router	2025-01-15 17:01:32 +01:00
Viktor Liu	8dce13113d	Disable local forwarding in netstack mode by default for security reasons	2025-01-14 18:11:02 +01:00
Viktor Liu	a625f90ea8	Merge branch 'main' into userspace-router	2025-01-14 10:49:04 +01:00
Viktor Liu	1c00870ca6	Merge branch 'allow-ssh-server-freebsd' into userspace-router	2025-01-11 12:40:32 +01:00
Viktor Liu	1296ecf96e	Tidy up go mod	2025-01-11 02:38:31 +01:00
Viktor Liu	8430c37dd6	Fix panic if login cmd fails	2025-01-11 02:36:11 +01:00
Viktor Liu	648b22aca1	Fix listening in netstack mode	2025-01-11 02:36:11 +01:00
Viktor Liu	d31543cb12	Enable ssh server on freebsd	2025-01-11 02:36:11 +01:00
Viktor Liu	af46f259ac	Block wg net forwarded traffic	2025-01-11 00:38:30 +01:00
Viktor Liu	01957a305d	Merge branch 'main' into userspace-router	2025-01-10 10:07:57 +01:00
Viktor Liu	706f98c1f1	Improve routing decision logic	2025-01-09 17:37:12 +01:00
Viktor Liu	6335ef8b48	Correct comment	2025-01-09 14:10:33 +01:00
Viktor Liu	daf935942c	Handle disable-server-routes flag in userspace router	2025-01-09 14:08:44 +01:00
Viktor Liu	28f5cd523a	Merge branch 'main' into userspace-router	2025-01-08 11:38:30 +01:00
Viktor Liu	2060242092	Merge branch 'main' into userspace-router	2025-01-07 15:40:19 +01:00
Viktor Liu	5ea39dfe8a	Adjust limits for iOS	2025-01-06 23:53:12 +01:00
Viktor Liu	4a189a87ce	Use MTU for udp max size	2025-01-06 23:47:03 +01:00
Viktor Liu	fe7a2aa263	Fix test	2025-01-05 22:44:04 +01:00
Viktor Liu	290e6992a8	Demote close error levels	2025-01-05 14:50:17 +01:00
Viktor Liu	474fb33305	Remove established field from udp and icmp (unused)	2025-01-04 23:46:32 +01:00
Viktor Liu	766e0cccc9	Add packet tracer	2025-01-03 21:09:40 +01:00
Viktor Liu	7dfe7e426e	Always use userspace routing in netstack mode	2025-01-03 18:38:57 +01:00
Viktor Liu	eaadb75144	Add env var to force userspace routing if native routing is available	2025-01-03 18:02:35 +01:00
Viktor Liu	0b116b3941	Use native firewall for nat/firewall operations if available	2025-01-03 17:52:36 +01:00
Viktor Liu	f69dd6fb62	Make extra IPs from interfaces optional	2025-01-03 16:54:46 +01:00
Viktor Liu	62a20f5f1a	Add local IPs test	2025-01-03 16:50:00 +01:00
Viktor Liu	a6ad4dcf22	Close endpoint when stopping udp forwarder	2025-01-03 16:40:51 +01:00
Viktor Liu	f26b418e83	Allow to set firewall log level	2025-01-03 16:04:00 +01:00
Viktor Liu	3ce39905c6	Merge branch 'main' into userspace-router	2025-01-03 15:51:05 +01:00
Viktor Liu	979fe6bb6a	Reduce complexity and fix linter issues	2025-01-03 15:43:28 +01:00
Viktor Liu	c68be6b61b	Remove fractions of seconds	2025-01-03 15:18:36 +01:00
Viktor Liu	fc799effda	Set log level from logrus	2025-01-03 15:16:30 +01:00
Viktor Liu	955b2b98e1	Complete route ACLs and add tests	2025-01-03 15:16:23 +01:00
Viktor Liu	9490e9095b	Reduce complexity	2025-01-03 11:50:51 +01:00
Viktor Liu	d711172f67	Fix benchmarks	2025-01-03 11:30:55 +01:00
Viktor Liu	0c2fa38e26	Exclude benchmark from CI	2025-01-03 11:27:52 +01:00
Viktor Liu	88b420da6d	Remove linux restriction	2025-01-03 00:23:35 +01:00
Viktor Liu	2930288f2d	Fix test expectation	2025-01-03 00:22:09 +01:00
Viktor Liu	0b9854b2b1	Fix tests	2025-01-03 00:01:40 +01:00
Viktor Liu	f772a21f37	Fix log level handling	2025-01-02 19:02:40 +01:00
Viktor Liu	e912f2d7c0	Fix double close in logger	2025-01-02 19:02:40 +01:00
Viktor Liu	568d064089	Drop certain forwarded icmp packets	2025-01-02 19:02:40 +01:00
Viktor Liu	911f86ded8	Support local IPs in netstack mode	2025-01-02 19:02:40 +01:00
Viktor Liu	2b8092dfad	Close endpoints	2025-01-02 16:41:54 +01:00
Viktor Liu	c3c6afa37b	Merge branch 'main' into userspace-router	2025-01-02 16:25:04 +01:00
Viktor Liu	fa27369b59	Fix linter issues	2025-01-02 16:21:03 +01:00
Viktor Liu	657413b8a6	Move icmp acceptance logic	2025-01-02 15:59:53 +01:00
Viktor Liu	d85e57e819	Handle other icmp types in forwarder	2025-01-02 15:59:53 +01:00
Viktor Liu	7667886794	Add more tcp logging	2025-01-02 15:17:53 +01:00
Viktor Liu	a12a9ac290	Handle all local IPs	2025-01-02 14:59:41 +01:00
Viktor Liu	ed22d79f04	Add more control with env vars, also allow to pass traffic to native firewall	2025-01-02 13:40:36 +01:00
Viktor Liu	509b4e2132	Lower udp timeout and add teardown messages	2024-12-31 16:06:17 +01:00
Viktor Liu	fb1a10755a	Fix lint and test issues	2024-12-31 14:38:59 +01:00
Viktor Liu	9feaa8d767	Add icmp forwarder	2024-12-31 12:23:16 +01:00
Viktor Liu	6a97d44d5d	Improve udp implementation	2024-12-31 00:34:05 +01:00
Viktor Liu	d2616544fe	Add logger	2024-12-31 00:34:05 +01:00
Viktor Liu	fad82ee65c	Add stop methods and improve udp implementation	2024-12-30 14:30:53 +01:00
Viktor Liu	b43a8c56df	Update wireguard-go ref	2024-12-30 13:05:26 +01:00
Viktor Liu	4199da4a45	Add userspace routing	2024-12-30 01:38:28 +01:00