Reorder subsystem shutdown order so DNS goes last

[client] Replace ipset lib (#4777 )
* Replace ipset lib * Update .github/workflows/check-license-dependencies.yml Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Ignore internal licenses * Ignore dependencies from AGPL code * Use exported errors * Use fixed version --------- Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
2026-04-17 15:56:39 +00:00 · 2025-11-15 14:57:04 +01:00 · 2025-11-14 00:25:00 +01:00 · 2025-11-13 20:16:45 +01:00 · 2025-11-13 10:25:19 -03:00 · 2025-11-13 13:24:51 +01:00
159 changed files with 12962 additions and 2977 deletions
--- a/.github/workflows/check-license-dependencies.yml
+++ b/.github/workflows/check-license-dependencies.yml
@@ -3,10 +3,19 @@ name: Check License Dependencies
 on:
  push:
    branches: [ main ]
+    paths:
+      - 'go.mod'
+      - 'go.sum'
+      - '.github/workflows/check-license-dependencies.yml'
  pull_request:
+    paths:
+      - 'go.mod'
+      - 'go.sum'
+      - '.github/workflows/check-license-dependencies.yml'

 jobs:
-  check-dependencies:
+  check-internal-dependencies:
+    name: Check Internal AGPL Dependencies
    runs-on: ubuntu-latest

    steps:
@@ -33,9 +42,67 @@ jobs:
        if [ $FOUND_ISSUES -eq 1 ]; then
          echo ""
          echo "❌ Found dependencies on management/, signal/, or relay/ packages"
-          echo "These packages will change license and should not be imported by client or shared code"
+          echo "These packages are licensed under AGPLv3 and must not be imported by BSD-licensed code"
          exit 1
        else
          echo ""
-          echo "✅ All license dependencies are clean"
+          echo "✅ All internal license dependencies are clean"
        fi
+
+  check-external-licenses:
+    name: Check External GPL/AGPL Licenses
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Go
+      uses: actions/setup-go@v5
+      with:
+        go-version-file: 'go.mod'
+        cache: true
+
+    - name: Install go-licenses
+      run: go install github.com/google/go-licenses@v1.6.0
+
+    - name: Check for GPL/AGPL licensed dependencies
+      run: |
+        echo "Checking for GPL/AGPL/LGPL licensed dependencies..."
+        echo ""
+
+        # Check all Go packages for copyleft licenses, excluding internal netbird packages
+        COPYLEFT_DEPS=$(go-licenses report ./... 2>/dev/null | grep -E 'GPL|AGPL|LGPL' | grep -v 'github.com/netbirdio/netbird/' || true)
+
+        if [ -n "$COPYLEFT_DEPS" ]; then
+          echo "Found copyleft licensed dependencies:"
+          echo "$COPYLEFT_DEPS"
+          echo ""
+
+          # Filter out dependencies that are only pulled in by internal AGPL packages
+          INCOMPATIBLE=""
+          while IFS=',' read -r package url license; do
+            if echo "$license" | grep -qE 'GPL-[0-9]|AGPL-[0-9]|LGPL-[0-9]'; then
+              # Find ALL packages that import this GPL package using go list
+              IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")
+
+              # Check if any importer is NOT in management/signal/relay
+              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\)" | head -1)
+
+              if [ -n "$BSD_IMPORTER" ]; then
+                echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"
+                INCOMPATIBLE="${INCOMPATIBLE}${package},${url},${license}\n"
+              else
+                echo "✓ $package ($license) is only used by internal AGPL packages - OK"
+              fi
+            fi
+          done <<< "$COPYLEFT_DEPS"
+
+          if [ -n "$INCOMPATIBLE" ]; then
+            echo ""
+            echo "❌ INCOMPATIBLE licenses found that are used by BSD-licensed code:"
+            echo -e "$INCOMPATIBLE"
+            exit 1
+          fi
+        fi
+
+        echo "✅ All external license dependencies are compatible with BSD-3-Clause"
--- a/client/android/login.go
+++ b/client/android/login.go
@@ -200,7 +200,7 @@ func (a *Auth) login(urlOpener URLOpener) error {
 }

 func (a *Auth) foregroundGetTokenInfo(urlOpener URLOpener) (*auth.TokenInfo, error) {
-	oAuthFlow, err := auth.NewOAuthFlow(a.ctx, a.config, false)
+	oAuthFlow, err := auth.NewOAuthFlow(a.ctx, a.config, false, "")
 	if err != nil {
 		return nil, err
 	}
--- a/client/cmd/login.go
+++ b/client/cmd/login.go
@@ -106,6 +106,13 @@ func doDaemonLogin(ctx context.Context, cmd *cobra.Command, providedSetupKey str
 		Username:            &username,
 	}

+	profileState, err := pm.GetProfileState(activeProf.Name)
+	if err != nil {
+		log.Debugf("failed to get profile state for login hint: %v", err)
+	} else if profileState.Email != "" {
+		loginRequest.Hint = &profileState.Email
+	}
+
 	if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
 		loginRequest.OptionalPreSharedKey = &preSharedKey
 	}
@@ -241,7 +248,7 @@ func doForegroundLogin(ctx context.Context, cmd *cobra.Command, setupKey string,
 		return fmt.Errorf("read config file %s: %v", configFilePath, err)
 	}

-	err = foregroundLogin(ctx, cmd, config, setupKey)
+	err = foregroundLogin(ctx, cmd, config, setupKey, activeProf.Name)
 	if err != nil {
 		return fmt.Errorf("foreground login failed: %v", err)
 	}
@@ -269,7 +276,7 @@ func handleSSOLogin(ctx context.Context, cmd *cobra.Command, loginResp *proto.Lo
 	return nil
 }

-func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, setupKey string) error {
+func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, setupKey, profileName string) error {
 	needsLogin := false

 	err := WithBackOff(func() error {
@@ -286,7 +293,7 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profileman

 	jwtToken := ""
 	if setupKey == "" && needsLogin {
-		tokenInfo, err := foregroundGetTokenInfo(ctx, cmd, config)
+		tokenInfo, err := foregroundGetTokenInfo(ctx, cmd, config, profileName)
 		if err != nil {
 			return fmt.Errorf("interactive sso login failed: %v", err)
 		}
@@ -315,8 +322,17 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profileman
 	return nil
 }

-func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config) (*auth.TokenInfo, error) {
-	oAuthFlow, err := auth.NewOAuthFlow(ctx, config, isUnixRunningDesktop())
+func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, profileName string) (*auth.TokenInfo, error) {
+	hint := ""
+	pm := profilemanager.NewProfileManager()
+	profileState, err := pm.GetProfileState(profileName)
+	if err != nil {
+		log.Debugf("failed to get profile state for login hint: %v", err)
+	} else if profileState.Email != "" {
+		hint = profileState.Email
+	}
+
+	oAuthFlow, err := auth.NewOAuthFlow(ctx, config, isUnixRunningDesktop(), hint)
 	if err != nil {
 		return nil, err
 	}
--- a/client/cmd/service_installer.go
+++ b/client/cmd/service_installer.go
@@ -10,6 +10,8 @@ import (
 	"path/filepath"
 	"runtime"

+	log "github.com/sirupsen/logrus"
+
 	"github.com/kardianos/service"
 	"github.com/spf13/cobra"

@@ -81,6 +83,10 @@ func configurePlatformSpecificSettings(svcConfig *service.Config) error {
 				svcConfig.Option["LogDirectory"] = dir
 			}
 		}
+
+		if err := configureSystemdNetworkd(); err != nil {
+			log.Warnf("failed to configure systemd-networkd: %v", err)
+		}
 	}

 	if runtime.GOOS == "windows" {
@@ -160,6 +166,12 @@ var uninstallCmd = &cobra.Command{
 			return fmt.Errorf("uninstall service: %w", err)
 		}

+		if runtime.GOOS == "linux" {
+			if err := cleanupSystemdNetworkd(); err != nil {
+				log.Warnf("failed to cleanup systemd-networkd configuration: %v", err)
+			}
+		}
+
 		cmd.Println("NetBird service has been uninstalled")
 		return nil
 	},
@@ -245,3 +257,50 @@ func isServiceRunning() (bool, error) {

 	return status == service.StatusRunning, nil
 }
+
+const (
+	networkdConf        = "/etc/systemd/networkd.conf"
+	networkdConfDir     = "/etc/systemd/networkd.conf.d"
+	networkdConfFile    = "/etc/systemd/networkd.conf.d/99-netbird.conf"
+	networkdConfContent = `# Created by NetBird to prevent systemd-networkd from removing
+# routes and policy rules managed by NetBird.
+
+[Network]
+ManageForeignRoutes=no
+ManageForeignRoutingPolicyRules=no
+`
+)
+
+// configureSystemdNetworkd creates a drop-in configuration file to prevent
+// systemd-networkd from removing NetBird's routes and policy rules.
+func configureSystemdNetworkd() error {
+	if _, err := os.Stat(networkdConf); os.IsNotExist(err) {
+		log.Debug("systemd-networkd not in use, skipping configuration")
+		return nil
+	}
+
+	// nolint:gosec // standard networkd permissions
+	if err := os.MkdirAll(networkdConfDir, 0755); err != nil {
+		return fmt.Errorf("create networkd.conf.d directory: %w", err)
+	}
+
+	// nolint:gosec // standard networkd permissions
+	if err := os.WriteFile(networkdConfFile, []byte(networkdConfContent), 0644); err != nil {
+		return fmt.Errorf("write networkd configuration: %w", err)
+	}
+
+	return nil
+}
+
+// cleanupSystemdNetworkd removes the NetBird systemd-networkd configuration file.
+func cleanupSystemdNetworkd() error {
+	if _, err := os.Stat(networkdConfFile); os.IsNotExist(err) {
+		return nil
+	}
+
+	if err := os.Remove(networkdConfFile); err != nil {
+		return fmt.Errorf("remove networkd configuration: %w", err)
+	}
+
+	return nil
+}
--- a/client/cmd/testutil_test.go
+++ b/client/cmd/testutil_test.go
@@ -12,6 +12,9 @@ import (
 	"google.golang.org/grpc"

 	"github.com/netbirdio/management-integrations/integrations"
+	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
+	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
+	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"

 	clientProto "github.com/netbirdio/netbird/client/proto"
 	client "github.com/netbirdio/netbird/client/server"
@@ -84,7 +87,6 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	}
 	t.Cleanup(cleanUp)

-	peersUpdateManager := mgmt.NewPeersUpdateManager(nil)
 	eventStore := &activity.InMemoryEventStore{}
 	if err != nil {
 		return nil, nil
@@ -110,13 +112,18 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 		Return(&types.Settings{}, nil).
 		AnyTimes()

-	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
+	ctx := context.Background()
+	updateManager := update_channel.NewPeersUpdateManager(metrics)
+	requestBuffer := mgmt.NewAccountRequestBuffer(ctx, store)
+	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, mgmt.MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock())
+
+	accountManager, err := mgmt.BuildManager(context.Background(), store, networkMapController, nil, "", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
 	if err != nil {
 		t.Fatal(err)
 	}

-	secretsManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
-	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, &manager.EphemeralManager{}, nil, &mgmt.MockIntegratedValidator{})
+	secretsManager := nbgrpc.NewTimeBasedAuthSecretsManager(updateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, updateManager, secretsManager, nil, &manager.EphemeralManager{}, nil, &mgmt.MockIntegratedValidator{}, networkMapController)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -185,7 +185,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command, activeProf *pr

 	_, _ = profilemanager.UpdateOldManagementURL(ctx, config, configFilePath)

-	err = foregroundLogin(ctx, cmd, config, providedSetupKey)
+	err = foregroundLogin(ctx, cmd, config, providedSetupKey, activeProf.Name)
 	if err != nil {
 		return fmt.Errorf("foreground login failed: %v", err)
 	}
@@ -286,6 +286,13 @@ func doDaemonUp(ctx context.Context, cmd *cobra.Command, client proto.DaemonServ
 	loginRequest.ProfileName = &activeProf.Name
 	loginRequest.Username = &username

+	profileState, err := pm.GetProfileState(activeProf.Name)
+	if err != nil {
+		log.Debugf("failed to get profile state for login hint: %v", err)
+	} else if profileState.Email != "" {
+		loginRequest.Hint = &profileState.Email
+	}
+
 	var loginErr error
 	var loginResp *proto.LoginResponse

--- a/client/firewall/create.go
+++ b/client/firewall/create.go
@@ -15,13 +15,13 @@ import (
 )

 // NewFirewall creates a firewall manager instance
-func NewFirewall(iface IFaceMapper, _ *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool) (firewall.Manager, error) {
+func NewFirewall(iface IFaceMapper, _ *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool, mtu uint16) (firewall.Manager, error) {
 	if !iface.IsUserspaceBind() {
 		return nil, fmt.Errorf("not implemented for this OS: %s", runtime.GOOS)
 	}

 	// use userspace packet filtering firewall
-	fm, err := uspfilter.Create(iface, disableServerRoutes, flowLogger)
+	fm, err := uspfilter.Create(iface, disableServerRoutes, flowLogger, mtu)
 	if err != nil {
 		return nil, err
 	}
--- a/client/firewall/create_linux.go
+++ b/client/firewall/create_linux.go
@@ -34,12 +34,12 @@ const SKIP_NFTABLES_ENV = "NB_SKIP_NFTABLES_CHECK"
 // FWType is the type for the firewall type
 type FWType int

-func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool) (firewall.Manager, error) {
+func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool, mtu uint16) (firewall.Manager, error) {
 	// on the linux system we try to user nftables or iptables
 	// in any case, because we need to allow netbird interface traffic
 	// so we use AllowNetbird traffic from these firewall managers
 	// for the userspace packet filtering firewall
-	fm, err := createNativeFirewall(iface, stateManager, disableServerRoutes)
+	fm, err := createNativeFirewall(iface, stateManager, disableServerRoutes, mtu)

 	if !iface.IsUserspaceBind() {
 		return fm, err
@@ -48,11 +48,11 @@ func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager, flowLogg
 	if err != nil {
 		log.Warnf("failed to create native firewall: %v. Proceeding with userspace", err)
 	}
-	return createUserspaceFirewall(iface, fm, disableServerRoutes, flowLogger)
+	return createUserspaceFirewall(iface, fm, disableServerRoutes, flowLogger, mtu)
 }

-func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager, routes bool) (firewall.Manager, error) {
-	fm, err := createFW(iface)
+func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager, routes bool, mtu uint16) (firewall.Manager, error) {
+	fm, err := createFW(iface, mtu)
 	if err != nil {
 		return nil, fmt.Errorf("create firewall: %s", err)
 	}
@@ -64,26 +64,26 @@ func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager,
 	return fm, nil
 }

-func createFW(iface IFaceMapper) (firewall.Manager, error) {
+func createFW(iface IFaceMapper, mtu uint16) (firewall.Manager, error) {
 	switch check() {
 	case IPTABLES:
 		log.Info("creating an iptables firewall manager")
-		return nbiptables.Create(iface)
+		return nbiptables.Create(iface, mtu)
 	case NFTABLES:
 		log.Info("creating an nftables firewall manager")
-		return nbnftables.Create(iface)
+		return nbnftables.Create(iface, mtu)
 	default:
 		log.Info("no firewall manager found, trying to use userspace packet filtering firewall")
 		return nil, errors.New("no firewall manager found")
 	}
 }

-func createUserspaceFirewall(iface IFaceMapper, fm firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger) (firewall.Manager, error) {
+func createUserspaceFirewall(iface IFaceMapper, fm firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger, mtu uint16) (firewall.Manager, error) {
 	var errUsp error
 	if fm != nil {
-		fm, errUsp = uspfilter.CreateWithNativeFirewall(iface, fm, disableServerRoutes, flowLogger)
+		fm, errUsp = uspfilter.CreateWithNativeFirewall(iface, fm, disableServerRoutes, flowLogger, mtu)
 	} else {
-		fm, errUsp = uspfilter.Create(iface, disableServerRoutes, flowLogger)
+		fm, errUsp = uspfilter.Create(iface, disableServerRoutes, flowLogger, mtu)
 	}

 	if errUsp != nil {
--- a/client/firewall/iptables/acl_linux.go
+++ b/client/firewall/iptables/acl_linux.go
@@ -1,13 +1,14 @@
 package iptables

 import (
+	"errors"
 	"fmt"
 	"net"
 	"slices"

 	"github.com/coreos/go-iptables/iptables"
 	"github.com/google/uuid"
-	"github.com/nadoo/ipset"
+	ipset "github.com/lrh3321/ipset-go"
 	log "github.com/sirupsen/logrus"

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
@@ -40,19 +41,13 @@ type aclManager struct {
 }

 func newAclManager(iptablesClient *iptables.IPTables, wgIface iFaceMapper) (*aclManager, error) {
-	m := &aclManager{
+	return &aclManager{
 		iptablesClient:  iptablesClient,
 		wgIface:         wgIface,
 		entries:         make(map[string][][]string),
 		optionalEntries: make(map[string][]entry),
 		ipsetStore:      newIpsetStore(),
-	}
-
-	if err := ipset.Init(); err != nil {
-		return nil, fmt.Errorf("init ipset: %w", err)
-	}
-
-	return m, nil
+	}, nil
 }

 func (m *aclManager) init(stateManager *statemanager.Manager) error {
@@ -98,8 +93,8 @@ func (m *aclManager) AddPeerFiltering(
 	specs = append(specs, "-j", actionToStr(action))
 	if ipsetName != "" {
 		if ipList, ipsetExists := m.ipsetStore.ipset(ipsetName); ipsetExists {
-			if err := ipset.Add(ipsetName, ip.String()); err != nil {
-				return nil, fmt.Errorf("failed to add IP to ipset: %w", err)
+			if err := m.addToIPSet(ipsetName, ip); err != nil {
+				return nil, fmt.Errorf("add IP to ipset: %w", err)
 			}
 			// if ruleset already exists it means we already have the firewall rule
 			// so we need to update IPs in the ruleset and return new fw.Rule object for ACL manager.
@@ -113,14 +108,18 @@ func (m *aclManager) AddPeerFiltering(
 			}}, nil
 		}

-		if err := ipset.Flush(ipsetName); err != nil {
-			log.Errorf("flush ipset %s before use it: %s", ipsetName, err)
+		if err := m.flushIPSet(ipsetName); err != nil {
+			if errors.Is(err, ipset.ErrSetNotExist) {
+				log.Debugf("flush ipset %s before use: %v", ipsetName, err)
+			} else {
+				log.Errorf("flush ipset %s before use: %v", ipsetName, err)
+			}
 		}
-		if err := ipset.Create(ipsetName); err != nil {
-			return nil, fmt.Errorf("failed to create ipset: %w", err)
+		if err := m.createIPSet(ipsetName); err != nil {
+			return nil, fmt.Errorf("create ipset: %w", err)
 		}
-		if err := ipset.Add(ipsetName, ip.String()); err != nil {
-			return nil, fmt.Errorf("failed to add IP to ipset: %w", err)
+		if err := m.addToIPSet(ipsetName, ip); err != nil {
+			return nil, fmt.Errorf("add IP to ipset: %w", err)
 		}

 		ipList := newIpList(ip.String())
@@ -172,11 +171,16 @@ func (m *aclManager) DeletePeerRule(rule firewall.Rule) error {
 		return fmt.Errorf("invalid rule type")
 	}

+	shouldDestroyIpset := false
 	if ipsetList, ok := m.ipsetStore.ipset(r.ipsetName); ok {
 		// delete IP from ruleset IPs list and ipset
 		if _, ok := ipsetList.ips[r.ip]; ok {
-			if err := ipset.Del(r.ipsetName, r.ip); err != nil {
-				return fmt.Errorf("failed to delete ip from ipset: %w", err)
+			ip := net.ParseIP(r.ip)
+			if ip == nil {
+				return fmt.Errorf("parse IP %s", r.ip)
+			}
+			if err := m.delFromIPSet(r.ipsetName, ip); err != nil {
+				return fmt.Errorf("delete ip from ipset: %w", err)
 			}
 			delete(ipsetList.ips, r.ip)
 		}
@@ -190,10 +194,7 @@ func (m *aclManager) DeletePeerRule(rule firewall.Rule) error {
 		// we delete last IP from the set, that means we need to delete
 		// set itself and associated firewall rule too
 		m.ipsetStore.deleteIpset(r.ipsetName)
-
-		if err := ipset.Destroy(r.ipsetName); err != nil {
-			log.Errorf("delete empty ipset: %v", err)
-		}
+		shouldDestroyIpset = true
 	}

 	if err := m.iptablesClient.Delete(tableName, r.chain, r.specs...); err != nil {
@@ -206,6 +207,16 @@ func (m *aclManager) DeletePeerRule(rule firewall.Rule) error {
 		}
 	}

+	if shouldDestroyIpset {
+		if err := m.destroyIPSet(r.ipsetName); err != nil {
+			if errors.Is(err, ipset.ErrBusy) || errors.Is(err, ipset.ErrSetNotExist) {
+				log.Debugf("destroy empty ipset: %v", err)
+			} else {
+				log.Errorf("destroy empty ipset: %v", err)
+			}
+		}
+	}
+
 	m.updateState()

 	return nil
@@ -264,11 +275,19 @@ func (m *aclManager) cleanChains() error {
 	}

 	for _, ipsetName := range m.ipsetStore.ipsetNames() {
-		if err := ipset.Flush(ipsetName); err != nil {
-			log.Errorf("flush ipset %q during reset: %v", ipsetName, err)
+		if err := m.flushIPSet(ipsetName); err != nil {
+			if errors.Is(err, ipset.ErrSetNotExist) {
+				log.Debugf("flush ipset %q during reset: %v", ipsetName, err)
+			} else {
+				log.Errorf("flush ipset %q during reset: %v", ipsetName, err)
+			}
 		}
-		if err := ipset.Destroy(ipsetName); err != nil {
-			log.Errorf("delete ipset %q during reset: %v", ipsetName, err)
+		if err := m.destroyIPSet(ipsetName); err != nil {
+			if errors.Is(err, ipset.ErrBusy) || errors.Is(err, ipset.ErrSetNotExist) {
+				log.Debugf("destroy ipset %q during reset: %v", ipsetName, err)
+			} else {
+				log.Errorf("destroy ipset %q during reset: %v", ipsetName, err)
+			}
 		}
 		m.ipsetStore.deleteIpset(ipsetName)
 	}
@@ -368,8 +387,8 @@ func (m *aclManager) updateState() {
 // filterRuleSpecs returns the specs of a filtering rule
 func filterRuleSpecs(ip net.IP, protocol string, sPort, dPort *firewall.Port, action firewall.Action, ipsetName string) (specs []string) {
 	matchByIP := true
-	// don't use IP matching if IP is ip 0.0.0.0
-	if ip.String() == "0.0.0.0" {
+	// don't use IP matching if IP is 0.0.0.0
+	if ip.IsUnspecified() {
 		matchByIP = false
 	}

@@ -416,3 +435,61 @@ func transformIPsetName(ipsetName string, sPort, dPort *firewall.Port, action fi
 		return ipsetName + actionSuffix
 	}
 }
+
+func (m *aclManager) createIPSet(name string) error {
+	opts := ipset.CreateOptions{
+		Replace: true,
+	}
+
+	if err := ipset.Create(name, ipset.TypeHashNet, opts); err != nil {
+		return fmt.Errorf("create ipset %s: %w", name, err)
+	}
+
+	log.Debugf("created ipset %s with type hash:net", name)
+	return nil
+}
+
+func (m *aclManager) addToIPSet(name string, ip net.IP) error {
+	cidr := uint8(32)
+	if ip.To4() == nil {
+		cidr = 128
+	}
+
+	entry := &ipset.Entry{
+		IP:      ip,
+		CIDR:    cidr,
+		Replace: true,
+	}
+
+	if err := ipset.Add(name, entry); err != nil {
+		return fmt.Errorf("add IP to ipset %s: %w", name, err)
+	}
+
+	return nil
+}
+
+func (m *aclManager) delFromIPSet(name string, ip net.IP) error {
+	cidr := uint8(32)
+	if ip.To4() == nil {
+		cidr = 128
+	}
+
+	entry := &ipset.Entry{
+		IP:   ip,
+		CIDR: cidr,
+	}
+
+	if err := ipset.Del(name, entry); err != nil {
+		return fmt.Errorf("delete IP from ipset %s: %w", name, err)
+	}
+
+	return nil
+}
+
+func (m *aclManager) flushIPSet(name string) error {
+	return ipset.Flush(name)
+}
+
+func (m *aclManager) destroyIPSet(name string) error {
+	return ipset.Destroy(name)
+}
--- a/client/firewall/iptables/manager_linux.go
+++ b/client/firewall/iptables/manager_linux.go
@@ -36,7 +36,7 @@ type iFaceMapper interface {
 }

 // Create iptables firewall manager
-func Create(wgIface iFaceMapper) (*Manager, error) {
+func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
 	iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	if err != nil {
 		return nil, fmt.Errorf("init iptables: %w", err)
@@ -47,7 +47,7 @@ func Create(wgIface iFaceMapper) (*Manager, error) {
 		ipv4Client: iptablesClient,
 	}

-	m.router, err = newRouter(iptablesClient, wgIface)
+	m.router, err = newRouter(iptablesClient, wgIface, mtu)
 	if err != nil {
 		return nil, fmt.Errorf("create router: %w", err)
 	}
@@ -66,6 +66,7 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 			NameStr:       m.wgIface.Name(),
 			WGAddress:     m.wgIface.Address(),
 			UserspaceBind: m.wgIface.IsUserspaceBind(),
+			MTU:           m.router.mtu,
 		},
 	}
 	stateManager.RegisterState(state)
--- a/client/firewall/iptables/manager_linux_test.go
+++ b/client/firewall/iptables/manager_linux_test.go
@@ -11,6 +11,7 @@ import (
 	"github.com/stretchr/testify/require"

 	fw "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )

@@ -53,7 +54,7 @@ func TestIptablesManager(t *testing.T) {
 	require.NoError(t, err)

 	// just check on the local interface
-	manager, err := Create(ifaceMock)
+	manager, err := Create(ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))

@@ -114,7 +115,7 @@ func TestIptablesManagerDenyRules(t *testing.T) {
 	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	require.NoError(t, err)

-	manager, err := Create(ifaceMock)
+	manager, err := Create(ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))

@@ -198,7 +199,7 @@ func TestIptablesManagerIPSet(t *testing.T) {
 	}

 	// just check on the local interface
-	manager, err := Create(mock)
+	manager, err := Create(mock, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))

@@ -264,7 +265,7 @@ func TestIptablesCreatePerformance(t *testing.T) {
 	for _, testMax := range []int{10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000} {
 		t.Run(fmt.Sprintf("Testing %d rules", testMax), func(t *testing.T) {
 			// just check on the local interface
-			manager, err := Create(mock)
+			manager, err := Create(mock, iface.DefaultMTU)
 			require.NoError(t, err)
 			require.NoError(t, manager.Init(nil))
 			time.Sleep(time.Second)
--- a/client/firewall/iptables/router_linux.go
+++ b/client/firewall/iptables/router_linux.go
@@ -10,7 +10,7 @@ import (

 	"github.com/coreos/go-iptables/iptables"
 	"github.com/hashicorp/go-multierror"
-	"github.com/nadoo/ipset"
+	ipset "github.com/lrh3321/ipset-go"
 	log "github.com/sirupsen/logrus"

 	nberrors "github.com/netbirdio/netbird/client/errors"
@@ -30,17 +30,20 @@ const (

 	chainPOSTROUTING        = "POSTROUTING"
 	chainPREROUTING         = "PREROUTING"
+	chainFORWARD            = "FORWARD"
 	chainRTNAT              = "NETBIRD-RT-NAT"
 	chainRTFWDIN            = "NETBIRD-RT-FWD-IN"
 	chainRTFWDOUT           = "NETBIRD-RT-FWD-OUT"
 	chainRTPRE              = "NETBIRD-RT-PRE"
 	chainRTRDR              = "NETBIRD-RT-RDR"
+	chainRTMSSCLAMP         = "NETBIRD-RT-MSSCLAMP"
 	routingFinalForwardJump = "ACCEPT"
 	routingFinalNatJump     = "MASQUERADE"

 	jumpManglePre  = "jump-mangle-pre"
 	jumpNatPre     = "jump-nat-pre"
 	jumpNatPost    = "jump-nat-post"
+	jumpMSSClamp   = "jump-mss-clamp"
 	markManglePre  = "mark-mangle-pre"
 	markManglePost = "mark-mangle-post"
 	matchSet       = "--match-set"
@@ -48,6 +51,9 @@ const (
 	dnatSuffix = "_dnat"
 	snatSuffix = "_snat"
 	fwdSuffix  = "_fwd"
+
+	// ipTCPHeaderMinSize represents minimum IP (20) + TCP (20) header size for MSS calculation
+	ipTCPHeaderMinSize = 40
 )

 type ruleInfo struct {
@@ -77,16 +83,18 @@ type router struct {
 	ipsetCounter     *ipsetCounter
 	wgIface          iFaceMapper
 	legacyManagement bool
+	mtu              uint16

 	stateManager *statemanager.Manager
 	ipFwdState   *ipfwdstate.IPForwardingState
 }

-func newRouter(iptablesClient *iptables.IPTables, wgIface iFaceMapper) (*router, error) {
+func newRouter(iptablesClient *iptables.IPTables, wgIface iFaceMapper, mtu uint16) (*router, error) {
 	r := &router{
 		iptablesClient: iptablesClient,
 		rules:          make(map[string][]string),
 		wgIface:        wgIface,
+		mtu:            mtu,
 		ipFwdState:     ipfwdstate.NewIPForwardingState(),
 	}

@@ -99,10 +107,6 @@ func newRouter(iptablesClient *iptables.IPTables, wgIface iFaceMapper) (*router,
 		},
 	)

-	if err := ipset.Init(); err != nil {
-		return nil, fmt.Errorf("init ipset: %w", err)
-	}
-
 	return r, nil
 }

@@ -224,12 +228,12 @@ func (r *router) findSets(rule []string) []string {
 }

 func (r *router) createIpSet(setName string, sources []netip.Prefix) error {
-	if err := ipset.Create(setName, ipset.OptTimeout(0)); err != nil {
+	if err := r.createIPSet(setName); err != nil {
 		return fmt.Errorf("create set %s: %w", setName, err)
 	}

 	for _, prefix := range sources {
-		if err := ipset.AddPrefix(setName, prefix); err != nil {
+		if err := r.addPrefixToIPSet(setName, prefix); err != nil {
 			return fmt.Errorf("add element to set %s: %w", setName, err)
 		}
 	}
@@ -238,7 +242,7 @@ func (r *router) createIpSet(setName string, sources []netip.Prefix) error {
 }

 func (r *router) deleteIpSet(setName string) error {
-	if err := ipset.Destroy(setName); err != nil {
+	if err := r.destroyIPSet(setName); err != nil {
 		return fmt.Errorf("destroy set %s: %w", setName, err)
 	}

@@ -392,6 +396,7 @@ func (r *router) cleanUpDefaultForwardRules() error {
 		{chainRTPRE, tableMangle},
 		{chainRTNAT, tableNat},
 		{chainRTRDR, tableNat},
+		{chainRTMSSCLAMP, tableMangle},
 	} {
 		ok, err := r.iptablesClient.ChainExists(chainInfo.table, chainInfo.chain)
 		if err != nil {
@@ -416,6 +421,7 @@ func (r *router) createContainers() error {
 		{chainRTPRE, tableMangle},
 		{chainRTNAT, tableNat},
 		{chainRTRDR, tableNat},
+		{chainRTMSSCLAMP, tableMangle},
 	} {
 		if err := r.iptablesClient.NewChain(chainInfo.table, chainInfo.chain); err != nil {
 			return fmt.Errorf("create chain %s in table %s: %w", chainInfo.chain, chainInfo.table, err)
@@ -438,6 +444,10 @@ func (r *router) createContainers() error {
 		return fmt.Errorf("add jump rules: %w", err)
 	}

+	if err := r.addMSSClampingRules(); err != nil {
+		log.Errorf("failed to add MSS clamping rules: %s", err)
+	}
+
 	return nil
 }

@@ -518,6 +528,35 @@ func (r *router) addPostroutingRules() error {
 	return nil
 }

+// addMSSClampingRules adds MSS clamping rules to prevent fragmentation for forwarded traffic.
+// TODO: Add IPv6 support
+func (r *router) addMSSClampingRules() error {
+	mss := r.mtu - ipTCPHeaderMinSize
+
+	// Add jump rule from FORWARD chain in mangle table to our custom chain
+	jumpRule := []string{
+		"-j", chainRTMSSCLAMP,
+	}
+	if err := r.iptablesClient.Insert(tableMangle, chainFORWARD, 1, jumpRule...); err != nil {
+		return fmt.Errorf("add jump to MSS clamp chain: %w", err)
+	}
+	r.rules[jumpMSSClamp] = jumpRule
+
+	ruleOut := []string{
+		"-o", r.wgIface.Name(),
+		"-p", "tcp",
+		"--tcp-flags", "SYN,RST", "SYN",
+		"-j", "TCPMSS",
+		"--set-mss", fmt.Sprintf("%d", mss),
+	}
+	if err := r.iptablesClient.Append(tableMangle, chainRTMSSCLAMP, ruleOut...); err != nil {
+		return fmt.Errorf("add outbound MSS clamp rule: %w", err)
+	}
+	r.rules["mss-clamp-out"] = ruleOut
+
+	return nil
+}
+
 func (r *router) insertEstablishedRule(chain string) error {
 	establishedRule := getConntrackEstablished()

@@ -558,7 +597,7 @@ func (r *router) addJumpRules() error {
 }

 func (r *router) cleanJumpRules() error {
-	for _, ruleKey := range []string{jumpNatPost, jumpManglePre, jumpNatPre} {
+	for _, ruleKey := range []string{jumpNatPost, jumpManglePre, jumpNatPre, jumpMSSClamp} {
 		if rule, exists := r.rules[ruleKey]; exists {
 			var table, chain string
 			switch ruleKey {
@@ -571,6 +610,9 @@ func (r *router) cleanJumpRules() error {
 			case jumpNatPre:
 				table = tableNat
 				chain = chainPREROUTING
+			case jumpMSSClamp:
+				table = tableMangle
+				chain = chainFORWARD
 			default:
 				return fmt.Errorf("unknown jump rule: %s", ruleKey)
 			}
@@ -869,8 +911,8 @@ func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 			log.Tracef("skipping IPv6 prefix %s: IPv6 support not yet implemented", prefix)
 			continue
 		}
-		if err := ipset.AddPrefix(set.HashedName(), prefix); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("increment ipset counter: %w", err))
+		if err := r.addPrefixToIPSet(set.HashedName(), prefix); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("add prefix to ipset: %w", err))
 		}
 	}
 	if merr == nil {
@@ -947,3 +989,37 @@ func applyPort(flag string, port *firewall.Port) []string {

 	return []string{flag, strconv.Itoa(int(port.Values[0]))}
 }
+
+func (r *router) createIPSet(name string) error {
+	opts := ipset.CreateOptions{
+		Replace: true,
+	}
+
+	if err := ipset.Create(name, ipset.TypeHashNet, opts); err != nil {
+		return fmt.Errorf("create ipset %s: %w", name, err)
+	}
+
+	log.Debugf("created ipset %s with type hash:net", name)
+	return nil
+}
+
+func (r *router) addPrefixToIPSet(name string, prefix netip.Prefix) error {
+	addr := prefix.Addr()
+	ip := addr.AsSlice()
+
+	entry := &ipset.Entry{
+		IP:      ip,
+		CIDR:    uint8(prefix.Bits()),
+		Replace: true,
+	}
+
+	if err := ipset.Add(name, entry); err != nil {
+		return fmt.Errorf("add prefix to ipset %s: %w", name, err)
+	}
+
+	return nil
+}
+
+func (r *router) destroyIPSet(name string) error {
+	return ipset.Destroy(name)
+}
--- a/client/firewall/iptables/router_linux_test.go
+++ b/client/firewall/iptables/router_linux_test.go
@@ -14,6 +14,7 @@ import (

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/test"
+	"github.com/netbirdio/netbird/client/iface"
 	nbnet "github.com/netbirdio/netbird/client/net"
 )

@@ -30,7 +31,7 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 	iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	require.NoError(t, err, "failed to init iptables client")

-	manager, err := newRouter(iptablesClient, ifaceMock)
+	manager, err := newRouter(iptablesClient, ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err, "should return a valid iptables manager")
 	require.NoError(t, manager.init(nil))

@@ -38,7 +39,6 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 		assert.NoError(t, manager.Reset(), "shouldn't return error")
 	}()

-	// Now 5 rules:
 	// 1. established rule forward in
 	// 2. estbalished rule forward out
 	// 3. jump rule to POST nat chain
@@ -48,7 +48,9 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 	// 7. static return masquerade rule
 	// 8. mangle prerouting mark rule
 	// 9. mangle postrouting mark rule
-	require.Len(t, manager.rules, 9, "should have created rules map")
+	// 10. jump rule to MSS clamping chain
+	// 11. MSS clamping rule for outbound traffic
+	require.Len(t, manager.rules, 11, "should have created rules map")

 	exists, err := manager.iptablesClient.Exists(tableNat, chainPOSTROUTING, "-j", chainRTNAT)
 	require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableNat, chainPOSTROUTING)
@@ -82,7 +84,7 @@ func TestIptablesManager_AddNatRule(t *testing.T) {
 			iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 			require.NoError(t, err, "failed to init iptables client")

-			manager, err := newRouter(iptablesClient, ifaceMock)
+			manager, err := newRouter(iptablesClient, ifaceMock, iface.DefaultMTU)
 			require.NoError(t, err, "shouldn't return error")
 			require.NoError(t, manager.init(nil))

@@ -155,7 +157,7 @@ func TestIptablesManager_RemoveNatRule(t *testing.T) {
 		t.Run(testCase.Name, func(t *testing.T) {
 			iptablesClient, _ := iptables.NewWithProtocol(iptables.ProtocolIPv4)

-			manager, err := newRouter(iptablesClient, ifaceMock)
+			manager, err := newRouter(iptablesClient, ifaceMock, iface.DefaultMTU)
 			require.NoError(t, err, "shouldn't return error")
 			require.NoError(t, manager.init(nil))
 			defer func() {
@@ -217,7 +219,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 	iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	require.NoError(t, err, "Failed to create iptables client")

-	r, err := newRouter(iptablesClient, ifaceMock)
+	r, err := newRouter(iptablesClient, ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err, "Failed to create router manager")
 	require.NoError(t, r.init(nil))

--- a/client/firewall/iptables/state_linux.go
+++ b/client/firewall/iptables/state_linux.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"sync"

+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )

@@ -11,6 +12,7 @@ type InterfaceState struct {
 	NameStr       string         `json:"name"`
 	WGAddress     wgaddr.Address `json:"wg_address"`
 	UserspaceBind bool           `json:"userspace_bind"`
+	MTU           uint16         `json:"mtu"`
 }

 func (i *InterfaceState) Name() string {
@@ -42,7 +44,11 @@ func (s *ShutdownState) Name() string {
 }

 func (s *ShutdownState) Cleanup() error {
-	ipt, err := Create(s.InterfaceState)
+	mtu := s.InterfaceState.MTU
+	if mtu == 0 {
+		mtu = iface.DefaultMTU
+	}
+	ipt, err := Create(s.InterfaceState, mtu)
 	if err != nil {
 		return fmt.Errorf("create iptables manager: %w", err)
 	}
--- a/client/firewall/manager/firewall.go
+++ b/client/firewall/manager/firewall.go
@@ -100,6 +100,9 @@ type Manager interface {
 	//
 	// If comment argument is empty firewall manager should set
 	// rule ID as comment for the rule
+	//
+	// Note: Callers should call Flush() after adding rules to ensure
+	// they are applied to the kernel and rule handles are refreshed.
 	AddPeerFiltering(
 		id []byte,
 		ip net.IP,
--- a/client/firewall/nftables/acl_linux.go
+++ b/client/firewall/nftables/acl_linux.go
@@ -29,8 +29,6 @@ const (
 	chainNameForwardFilter     = "netbird-acl-forward-filter"
 	chainNameManglePrerouting  = "netbird-mangle-prerouting"
 	chainNameManglePostrouting = "netbird-mangle-postrouting"
-
-	allowNetbirdInputRuleID = "allow Netbird incoming traffic"
 )

 const flushError = "flush: %w"
@@ -195,25 +193,6 @@ func (m *AclManager) DeletePeerRule(rule firewall.Rule) error {
 // createDefaultAllowRules creates default allow rules for the input and output chains
 func (m *AclManager) createDefaultAllowRules() error {
 	expIn := []expr.Any{
-		&expr.Payload{
-			DestRegister: 1,
-			Base:         expr.PayloadBaseNetworkHeader,
-			Offset:       12,
-			Len:          4,
-		},
-		// mask
-		&expr.Bitwise{
-			SourceRegister: 1,
-			DestRegister:   1,
-			Len:            4,
-			Mask:           []byte{0, 0, 0, 0},
-			Xor:            []byte{0, 0, 0, 0},
-		},
-		// net address
-		&expr.Cmp{
-			Register: 1,
-			Data:     []byte{0, 0, 0, 0},
-		},
 		&expr.Verdict{
 			Kind: expr.VerdictAccept,
 		},
@@ -258,7 +237,7 @@ func (m *AclManager) addIOFiltering(
 	action firewall.Action,
 	ipset *nftables.Set,
 ) (*Rule, error) {
-	ruleId := generatePeerRuleId(ip, sPort, dPort, action, ipset)
+	ruleId := generatePeerRuleId(ip, proto, sPort, dPort, action, ipset)
 	if r, ok := m.rules[ruleId]; ok {
 		return &Rule{
 			nftRule:    r.nftRule,
@@ -357,11 +336,12 @@ func (m *AclManager) addIOFiltering(
 	}

 	if err := m.rConn.Flush(); err != nil {
-		return nil, fmt.Errorf(flushError, err)
+		return nil, fmt.Errorf("flush input rule %s: %v", ruleId, err)
 	}

 	ruleStruct := &Rule{
-		nftRule:    nftRule,
+		nftRule: nftRule,
+		// best effort mangle rule
 		mangleRule: m.createPreroutingRule(expressions, userData),
 		nftSet:     ipset,
 		ruleID:     ruleId,
@@ -420,12 +400,19 @@ func (m *AclManager) createPreroutingRule(expressions []expr.Any, userData []byt
 		},
 	)

-	return m.rConn.AddRule(&nftables.Rule{
+	nfRule := m.rConn.AddRule(&nftables.Rule{
 		Table:    m.workTable,
 		Chain:    m.chainPrerouting,
 		Exprs:    preroutingExprs,
 		UserData: userData,
 	})
+
+	if err := m.rConn.Flush(); err != nil {
+		log.Errorf("failed to flush mangle rule %s: %v", string(userData), err)
+		return nil
+	}
+
+	return nfRule
 }

 func (m *AclManager) createDefaultChains() (err error) {
@@ -697,8 +684,8 @@ func (m *AclManager) refreshRuleHandles(chain *nftables.Chain, mangle bool) erro
 	return nil
 }

-func generatePeerRuleId(ip net.IP, sPort *firewall.Port, dPort *firewall.Port, action firewall.Action, ipset *nftables.Set) string {
-	rulesetID := ":"
+func generatePeerRuleId(ip net.IP, proto firewall.Protocol, sPort *firewall.Port, dPort *firewall.Port, action firewall.Action, ipset *nftables.Set) string {
+	rulesetID := ":" + string(proto) + ":"
 	if sPort != nil {
 		rulesetID += sPort.String()
 	}
--- a/client/firewall/nftables/manager_linux.go
+++ b/client/firewall/nftables/manager_linux.go
@@ -1,11 +1,11 @@
 package nftables

 import (
-	"bytes"
 	"context"
 	"fmt"
 	"net"
 	"net/netip"
+	"os"
 	"sync"

 	"github.com/google/nftables"
@@ -19,13 +19,22 @@ import (
 )

 const (
-	// tableNameNetbird is the name of the table that is used for filtering by the Netbird client
+	// tableNameNetbird is the default name of the table that is used for filtering by the Netbird client
 	tableNameNetbird = "netbird"
+	// envTableName is the environment variable to override the table name
+	envTableName = "NB_NFTABLES_TABLE"

 	tableNameFilter = "filter"
 	chainNameInput  = "INPUT"
 )

+func getTableName() string {
+	if name := os.Getenv(envTableName); name != "" {
+		return name
+	}
+	return tableNameNetbird
+}
+
 // iFaceMapper defines subset methods of interface required for manager
 type iFaceMapper interface {
 	Name() string
@@ -44,16 +53,16 @@ type Manager struct {
 }

 // Create nftables firewall manager
-func Create(wgIface iFaceMapper) (*Manager, error) {
+func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
 	m := &Manager{
 		rConn:   &nftables.Conn{},
 		wgIface: wgIface,
 	}

-	workTable := &nftables.Table{Name: tableNameNetbird, Family: nftables.TableFamilyIPv4}
+	workTable := &nftables.Table{Name: getTableName(), Family: nftables.TableFamilyIPv4}

 	var err error
-	m.router, err = newRouter(workTable, wgIface)
+	m.router, err = newRouter(workTable, wgIface, mtu)
 	if err != nil {
 		return nil, fmt.Errorf("create router: %w", err)
 	}
@@ -93,6 +102,7 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 			NameStr:       m.wgIface.Name(),
 			WGAddress:     m.wgIface.Address(),
 			UserspaceBind: m.wgIface.IsUserspaceBind(),
+			MTU:           m.router.mtu,
 		},
 	}); err != nil {
 		log.Errorf("failed to update state: %v", err)
@@ -197,44 +207,11 @@ func (m *Manager) AllowNetbird() error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	err := m.aclManager.createDefaultAllowRules()
-	if err != nil {
-		return fmt.Errorf("failed to create default allow rules: %v", err)
+	if err := m.aclManager.createDefaultAllowRules(); err != nil {
+		return fmt.Errorf("create default allow rules: %w", err)
 	}
-
-	chains, err := m.rConn.ListChainsOfTableFamily(nftables.TableFamilyIPv4)
-	if err != nil {
-		return fmt.Errorf("list of chains: %w", err)
-	}
-
-	var chain *nftables.Chain
-	for _, c := range chains {
-		if c.Table.Name == tableNameFilter && c.Name == chainNameInput {
-			chain = c
-			break
-		}
-	}
-
-	if chain == nil {
-		log.Debugf("chain INPUT not found. Skipping add allow netbird rule")
-		return nil
-	}
-
-	rules, err := m.rConn.GetRules(chain.Table, chain)
-	if err != nil {
-		return fmt.Errorf("failed to get rules for the INPUT chain: %v", err)
-	}
-
-	if rule := m.detectAllowNetbirdRule(rules); rule != nil {
-		log.Debugf("allow netbird rule already exists: %v", rule)
-		return nil
-	}
-
-	m.applyAllowNetbirdRules(chain)
-
-	err = m.rConn.Flush()
-	if err != nil {
-		return fmt.Errorf("failed to flush allow input netbird rules: %v", err)
+	if err := m.rConn.Flush(); err != nil {
+		return fmt.Errorf("flush allow input netbird rules: %w", err)
 	}

 	return nil
@@ -250,10 +227,6 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if err := m.resetNetbirdInputRules(); err != nil {
-		return fmt.Errorf("reset netbird input rules: %v", err)
-	}
-
 	if err := m.router.Reset(); err != nil {
 		return fmt.Errorf("reset router: %v", err)
 	}
@@ -273,49 +246,15 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	return nil
 }

-func (m *Manager) resetNetbirdInputRules() error {
-	chains, err := m.rConn.ListChains()
-	if err != nil {
-		return fmt.Errorf("list chains: %w", err)
-	}
-
-	m.deleteNetbirdInputRules(chains)
-
-	return nil
-}
-
-func (m *Manager) deleteNetbirdInputRules(chains []*nftables.Chain) {
-	for _, c := range chains {
-		if c.Table.Name == tableNameFilter && c.Name == chainNameInput {
-			rules, err := m.rConn.GetRules(c.Table, c)
-			if err != nil {
-				log.Errorf("get rules for chain %q: %v", c.Name, err)
-				continue
-			}
-
-			m.deleteMatchingRules(rules)
-		}
-	}
-}
-
-func (m *Manager) deleteMatchingRules(rules []*nftables.Rule) {
-	for _, r := range rules {
-		if bytes.Equal(r.UserData, []byte(allowNetbirdInputRuleID)) {
-			if err := m.rConn.DelRule(r); err != nil {
-				log.Errorf("delete rule: %v", err)
-			}
-		}
-	}
-}
-
 func (m *Manager) cleanupNetbirdTables() error {
 	tables, err := m.rConn.ListTables()
 	if err != nil {
 		return fmt.Errorf("list tables: %w", err)
 	}

+	tableName := getTableName()
 	for _, t := range tables {
-		if t.Name == tableNameNetbird {
+		if t.Name == tableName {
 			m.rConn.DelTable(t)
 		}
 	}
@@ -398,55 +337,18 @@ func (m *Manager) createWorkTable() (*nftables.Table, error) {
 		return nil, fmt.Errorf("list of tables: %w", err)
 	}

+	tableName := getTableName()
 	for _, t := range tables {
-		if t.Name == tableNameNetbird {
+		if t.Name == tableName {
 			m.rConn.DelTable(t)
 		}
 	}

-	table := m.rConn.AddTable(&nftables.Table{Name: tableNameNetbird, Family: nftables.TableFamilyIPv4})
+	table := m.rConn.AddTable(&nftables.Table{Name: getTableName(), Family: nftables.TableFamilyIPv4})
 	err = m.rConn.Flush()
 	return table, err
 }

-func (m *Manager) applyAllowNetbirdRules(chain *nftables.Chain) {
-	rule := &nftables.Rule{
-		Table: chain.Table,
-		Chain: chain,
-		Exprs: []expr.Any{
-			&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
-			&expr.Cmp{
-				Op:       expr.CmpOpEq,
-				Register: 1,
-				Data:     ifname(m.wgIface.Name()),
-			},
-			&expr.Verdict{
-				Kind: expr.VerdictAccept,
-			},
-		},
-		UserData: []byte(allowNetbirdInputRuleID),
-	}
-	_ = m.rConn.InsertRule(rule)
-}
-
-func (m *Manager) detectAllowNetbirdRule(existedRules []*nftables.Rule) *nftables.Rule {
-	ifName := ifname(m.wgIface.Name())
-	for _, rule := range existedRules {
-		if rule.Table.Name == tableNameFilter && rule.Chain.Name == chainNameInput {
-			if len(rule.Exprs) < 4 {
-				if e, ok := rule.Exprs[0].(*expr.Meta); !ok || e.Key != expr.MetaKeyIIFNAME {
-					continue
-				}
-				if e, ok := rule.Exprs[1].(*expr.Cmp); !ok || e.Op != expr.CmpOpEq || !bytes.Equal(e.Data, ifName) {
-					continue
-				}
-				return rule
-			}
-		}
-	}
-	return nil
-}
-
 func insertReturnTrafficRule(conn *nftables.Conn, table *nftables.Table, chain *nftables.Chain) {
 	rule := &nftables.Rule{
 		Table: table,
--- a/client/firewall/nftables/manager_linux_test.go
+++ b/client/firewall/nftables/manager_linux_test.go
@@ -16,6 +16,7 @@ import (
 	"golang.org/x/sys/unix"

 	fw "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )

@@ -56,7 +57,7 @@ func (i *iFaceMock) IsUserspaceBind() bool { return false }
 func TestNftablesManager(t *testing.T) {

 	// just check on the local interface
-	manager, err := Create(ifaceMock)
+	manager, err := Create(ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))
 	time.Sleep(time.Second * 3)
@@ -168,7 +169,7 @@ func TestNftablesManager(t *testing.T) {
 func TestNftablesManagerRuleOrder(t *testing.T) {
 	// This test verifies rule insertion order in nftables peer ACLs
 	// We add accept rule first, then deny rule to test ordering behavior
-	manager, err := Create(ifaceMock)
+	manager, err := Create(ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))

@@ -261,7 +262,7 @@ func TestNFtablesCreatePerformance(t *testing.T) {
 	for _, testMax := range []int{10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000} {
 		t.Run(fmt.Sprintf("Testing %d rules", testMax), func(t *testing.T) {
 			// just check on the local interface
-			manager, err := Create(mock)
+			manager, err := Create(mock, iface.DefaultMTU)
 			require.NoError(t, err)
 			require.NoError(t, manager.Init(nil))
 			time.Sleep(time.Second * 3)
@@ -345,7 +346,7 @@ func TestNftablesManagerCompatibilityWithIptables(t *testing.T) {
 	stdout, stderr := runIptablesSave(t)
 	verifyIptablesOutput(t, stdout, stderr)

-	manager, err := Create(ifaceMock)
+	manager, err := Create(ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err, "failed to create manager")
 	require.NoError(t, manager.Init(nil))

--- a/client/firewall/nftables/router_linux.go
+++ b/client/firewall/nftables/router_linux.go
@@ -16,6 +16,7 @@ import (
 	"github.com/google/nftables/xt"
 	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"

 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
@@ -32,12 +33,17 @@ const (
 	chainNameRoutingNat    = "netbird-rt-postrouting"
 	chainNameRoutingRdr    = "netbird-rt-redirect"
 	chainNameForward       = "FORWARD"
+	chainNameMangleForward = "netbird-mangle-forward"

 	userDataAcceptForwardRuleIif = "frwacceptiif"
 	userDataAcceptForwardRuleOif = "frwacceptoif"
+	userDataAcceptInputRule      = "inputaccept"

 	dnatSuffix = "_dnat"
 	snatSuffix = "_snat"
+
+	// ipTCPHeaderMinSize represents minimum IP (20) + TCP (20) header size for MSS calculation
+	ipTCPHeaderMinSize = 40
 )

 const refreshRulesMapError = "refresh rules map: %w"
@@ -63,9 +69,10 @@ type router struct {
 	wgIface          iFaceMapper
 	ipFwdState       *ipfwdstate.IPForwardingState
 	legacyManagement bool
+	mtu              uint16
 }

-func newRouter(workTable *nftables.Table, wgIface iFaceMapper) (*router, error) {
+func newRouter(workTable *nftables.Table, wgIface iFaceMapper, mtu uint16) (*router, error) {
 	r := &router{
 		conn:       &nftables.Conn{},
 		workTable:  workTable,
@@ -73,6 +80,7 @@ func newRouter(workTable *nftables.Table, wgIface iFaceMapper) (*router, error)
 		rules:      make(map[string]*nftables.Rule),
 		wgIface:    wgIface,
 		ipFwdState: ipfwdstate.NewIPForwardingState(),
+		mtu:        mtu,
 	}

 	r.ipsetCounter = refcounter.New(
@@ -96,8 +104,8 @@ func newRouter(workTable *nftables.Table, wgIface iFaceMapper) (*router, error)
 func (r *router) init(workTable *nftables.Table) error {
 	r.workTable = workTable

-	if err := r.removeAcceptForwardRules(); err != nil {
-		log.Errorf("failed to clean up rules from FORWARD chain: %s", err)
+	if err := r.removeAcceptFilterRules(); err != nil {
+		log.Errorf("failed to clean up rules from filter table: %s", err)
 	}

 	if err := r.createContainers(); err != nil {
@@ -111,15 +119,15 @@ func (r *router) init(workTable *nftables.Table) error {
 	return nil
 }

-// Reset cleans existing nftables default forward rules from the system
+// Reset cleans existing nftables filter table rules from the system
 func (r *router) Reset() error {
 	// clear without deleting the ipsets, the nf table will be deleted by the caller
 	r.ipsetCounter.Clear()

 	var merr *multierror.Error

-	if err := r.removeAcceptForwardRules(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("remove accept forward rules: %w", err))
+	if err := r.removeAcceptFilterRules(); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("remove accept filter rules: %w", err))
 	}

 	if err := r.removeNatPreroutingRules(); err != nil {
@@ -220,11 +228,23 @@ func (r *router) createContainers() error {
 		Type:     nftables.ChainTypeFilter,
 	})

+	r.chains[chainNameMangleForward] = r.conn.AddChain(&nftables.Chain{
+		Name:     chainNameMangleForward,
+		Table:    r.workTable,
+		Hooknum:  nftables.ChainHookForward,
+		Priority: nftables.ChainPriorityMangle,
+		Type:     nftables.ChainTypeFilter,
+	})
+
 	// Add the single NAT rule that matches on mark
 	if err := r.addPostroutingRules(); err != nil {
 		return fmt.Errorf("add single nat rule: %v", err)
 	}

+	if err := r.addMSSClampingRules(); err != nil {
+		log.Errorf("failed to add MSS clamping rules: %s", err)
+	}
+
 	if err := r.acceptForwardRules(); err != nil {
 		log.Errorf("failed to add accept rules for the forward chain: %s", err)
 	}
@@ -745,6 +765,83 @@ func (r *router) addPostroutingRules() error {
 	return nil
 }

+// addMSSClampingRules adds MSS clamping rules to prevent fragmentation for forwarded traffic.
+// TODO: Add IPv6 support
+func (r *router) addMSSClampingRules() error {
+	mss := r.mtu - ipTCPHeaderMinSize
+
+	exprsOut := []expr.Any{
+		&expr.Meta{
+			Key:      expr.MetaKeyOIFNAME,
+			Register: 1,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     ifname(r.wgIface.Name()),
+		},
+		&expr.Meta{
+			Key:      expr.MetaKeyL4PROTO,
+			Register: 1,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     []byte{unix.IPPROTO_TCP},
+		},
+		&expr.Payload{
+			DestRegister: 1,
+			Base:         expr.PayloadBaseTransportHeader,
+			Offset:       13,
+			Len:          1,
+		},
+		&expr.Bitwise{
+			DestRegister:   1,
+			SourceRegister: 1,
+			Len:            1,
+			Mask:           []byte{0x02},
+			Xor:            []byte{0x00},
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpNeq,
+			Register: 1,
+			Data:     []byte{0x00},
+		},
+		&expr.Counter{},
+		&expr.Exthdr{
+			DestRegister: 1,
+			Type:         2,
+			Offset:       2,
+			Len:          2,
+			Op:           expr.ExthdrOpTcpopt,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpGt,
+			Register: 1,
+			Data:     binaryutil.BigEndian.PutUint16(uint16(mss)),
+		},
+		&expr.Immediate{
+			Register: 1,
+			Data:     binaryutil.BigEndian.PutUint16(uint16(mss)),
+		},
+		&expr.Exthdr{
+			SourceRegister: 1,
+			Type:           2,
+			Offset:         2,
+			Len:            2,
+			Op:             expr.ExthdrOpTcpopt,
+		},
+	}
+
+	r.conn.AddRule(&nftables.Rule{
+		Table: r.workTable,
+		Chain: r.chains[chainNameMangleForward],
+		Exprs: exprsOut,
+	})
+
+	return nil
+}
+
 // addLegacyRouteRule adds a legacy routing rule for mgmt servers pre route acls
 func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
 	sourceExp, err := r.applyNetwork(pair.Source, nil, true)
@@ -840,6 +937,7 @@ func (r *router) RemoveAllLegacyRouteRules() error {
 // that our traffic is not dropped by existing rules there.
 // The existing FORWARD rules/policies decide outbound traffic towards our interface.
 // In case the FORWARD policy is set to "drop", we add an established/related rule to allow return traffic for the inbound rule.
+// This method also adds INPUT chain rules to allow traffic to the local interface.
 func (r *router) acceptForwardRules() error {
 	if r.filterTable == nil {
 		log.Debugf("table 'filter' not found for forward rules, skipping accept rules")
@@ -849,7 +947,7 @@ func (r *router) acceptForwardRules() error {
 	fw := "iptables"

 	defer func() {
-		log.Debugf("Used %s to add accept forward rules", fw)
+		log.Debugf("Used %s to add accept forward and input rules", fw)
 	}()

 	// Try iptables first and fallback to nftables if iptables is not available
@@ -859,22 +957,30 @@ func (r *router) acceptForwardRules() error {
 		log.Warnf("Will use nftables to manipulate the filter table because iptables is not available: %v", err)

 		fw = "nftables"
-		return r.acceptForwardRulesNftables()
+		return r.acceptFilterRulesNftables()
 	}

-	return r.acceptForwardRulesIptables(ipt)
+	return r.acceptFilterRulesIptables(ipt)
 }

-func (r *router) acceptForwardRulesIptables(ipt *iptables.IPTables) error {
+func (r *router) acceptFilterRulesIptables(ipt *iptables.IPTables) error {
 	var merr *multierror.Error
+
 	for _, rule := range r.getAcceptForwardRules() {
 		if err := ipt.Insert("filter", chainNameForward, 1, rule...); err != nil {
-			merr = multierror.Append(err, fmt.Errorf("add iptables rule: %v", err))
+			merr = multierror.Append(err, fmt.Errorf("add iptables forward rule: %v", err))
 		} else {
-			log.Debugf("added iptables rule: %v", rule)
+			log.Debugf("added iptables forward rule: %v", rule)
 		}
 	}

+	inputRule := r.getAcceptInputRule()
+	if err := ipt.Insert("filter", chainNameInput, 1, inputRule...); err != nil {
+		merr = multierror.Append(err, fmt.Errorf("add iptables input rule: %v", err))
+	} else {
+		log.Debugf("added iptables input rule: %v", inputRule)
+	}
+
 	return nberrors.FormatErrorOrNil(merr)
 }

@@ -886,10 +992,13 @@ func (r *router) getAcceptForwardRules() [][]string {
 	}
 }

-func (r *router) acceptForwardRulesNftables() error {
+func (r *router) getAcceptInputRule() []string {
+	return []string{"-i", r.wgIface.Name(), "-j", "ACCEPT"}
+}
+
+func (r *router) acceptFilterRulesNftables() error {
 	intf := ifname(r.wgIface.Name())

-	// Rule for incoming interface (iif) with counter
 	iifRule := &nftables.Rule{
 		Table: r.filterTable,
 		Chain: &nftables.Chain{
@@ -922,11 +1031,10 @@ func (r *router) acceptForwardRulesNftables() error {
 		},
 	}

-	// Rule for outgoing interface (oif) with counter
 	oifRule := &nftables.Rule{
 		Table: r.filterTable,
 		Chain: &nftables.Chain{
-			Name:     "FORWARD",
+			Name:     chainNameForward,
 			Table:    r.filterTable,
 			Type:     nftables.ChainTypeFilter,
 			Hooknum:  nftables.ChainHookForward,
@@ -935,35 +1043,60 @@ func (r *router) acceptForwardRulesNftables() error {
 		Exprs:    append(oifExprs, getEstablishedExprs(2)...),
 		UserData: []byte(userDataAcceptForwardRuleOif),
 	}
-
 	r.conn.InsertRule(oifRule)

+	inputRule := &nftables.Rule{
+		Table: r.filterTable,
+		Chain: &nftables.Chain{
+			Name:     chainNameInput,
+			Table:    r.filterTable,
+			Type:     nftables.ChainTypeFilter,
+			Hooknum:  nftables.ChainHookInput,
+			Priority: nftables.ChainPriorityFilter,
+		},
+		Exprs: []expr.Any{
+			&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
+			&expr.Cmp{
+				Op:       expr.CmpOpEq,
+				Register: 1,
+				Data:     intf,
+			},
+			&expr.Counter{},
+			&expr.Verdict{Kind: expr.VerdictAccept},
+		},
+		UserData: []byte(userDataAcceptInputRule),
+	}
+	r.conn.InsertRule(inputRule)
+
 	return nil
 }

-func (r *router) removeAcceptForwardRules() error {
+func (r *router) removeAcceptFilterRules() error {
 	if r.filterTable == nil {
 		return nil
 	}

-	// Try iptables first and fallback to nftables if iptables is not available
 	ipt, err := iptables.New()
 	if err != nil {
 		log.Warnf("Will use nftables to manipulate the filter table because iptables is not available: %v", err)
-		return r.removeAcceptForwardRulesNftables()
+		return r.removeAcceptFilterRulesNftables()
 	}

-	return r.removeAcceptForwardRulesIptables(ipt)
+	return r.removeAcceptFilterRulesIptables(ipt)
 }

-func (r *router) removeAcceptForwardRulesNftables() error {
+func (r *router) removeAcceptFilterRulesNftables() error {
 	chains, err := r.conn.ListChainsOfTableFamily(nftables.TableFamilyIPv4)
 	if err != nil {
 		return fmt.Errorf("list chains: %v", err)
 	}

 	for _, chain := range chains {
-		if chain.Table.Name != r.filterTable.Name || chain.Name != chainNameForward {
+		if chain.Table.Name != r.filterTable.Name {
+			continue
+		}
+
+		if chain.Name != chainNameForward && chain.Name != chainNameInput {
 			continue
 		}

@@ -974,7 +1107,8 @@ func (r *router) removeAcceptForwardRulesNftables() error {

 		for _, rule := range rules {
 			if bytes.Equal(rule.UserData, []byte(userDataAcceptForwardRuleIif)) ||
-				bytes.Equal(rule.UserData, []byte(userDataAcceptForwardRuleOif)) {
+				bytes.Equal(rule.UserData, []byte(userDataAcceptForwardRuleOif)) ||
+				bytes.Equal(rule.UserData, []byte(userDataAcceptInputRule)) {
 				if err := r.conn.DelRule(rule); err != nil {
 					return fmt.Errorf("delete rule: %v", err)
 				}
@@ -989,14 +1123,20 @@ func (r *router) removeAcceptForwardRulesNftables() error {
 	return nil
 }

-func (r *router) removeAcceptForwardRulesIptables(ipt *iptables.IPTables) error {
+func (r *router) removeAcceptFilterRulesIptables(ipt *iptables.IPTables) error {
 	var merr *multierror.Error
+
 	for _, rule := range r.getAcceptForwardRules() {
 		if err := ipt.DeleteIfExists("filter", chainNameForward, rule...); err != nil {
-			merr = multierror.Append(err, fmt.Errorf("remove iptables rule: %v", err))
+			merr = multierror.Append(err, fmt.Errorf("remove iptables forward rule: %v", err))
 		}
 	}

+	inputRule := r.getAcceptInputRule()
+	if err := ipt.DeleteIfExists("filter", chainNameInput, inputRule...); err != nil {
+		merr = multierror.Append(err, fmt.Errorf("remove iptables input rule: %v", err))
+	}
+
 	return nberrors.FormatErrorOrNil(merr)
 }

--- a/client/firewall/nftables/router_linux_test.go
+++ b/client/firewall/nftables/router_linux_test.go
@@ -17,6 +17,7 @@ import (

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/test"
+	"github.com/netbirdio/netbird/client/iface"
 )

 const (
@@ -36,7 +37,7 @@ func TestNftablesManager_AddNatRule(t *testing.T) {
 	for _, testCase := range test.InsertRuleTestCases {
 		t.Run(testCase.Name, func(t *testing.T) {
 			// need fw manager to init both acl mgr and router for all chains to be present
-			manager, err := Create(ifaceMock)
+			manager, err := Create(ifaceMock, iface.DefaultMTU)
 			t.Cleanup(func() {
 				require.NoError(t, manager.Close(nil))
 			})
@@ -125,7 +126,7 @@ func TestNftablesManager_RemoveNatRule(t *testing.T) {

 	for _, testCase := range test.RemoveRuleTestCases {
 		t.Run(testCase.Name, func(t *testing.T) {
-			manager, err := Create(ifaceMock)
+			manager, err := Create(ifaceMock, iface.DefaultMTU)
 			t.Cleanup(func() {
 				require.NoError(t, manager.Close(nil))
 			})
@@ -197,7 +198,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {

 	defer deleteWorkTable()

-	r, err := newRouter(workTable, ifaceMock)
+	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err, "Failed to create router")
 	require.NoError(t, r.init(workTable))

@@ -364,7 +365,7 @@ func TestNftablesCreateIpSet(t *testing.T) {

 	defer deleteWorkTable()

-	r, err := newRouter(workTable, ifaceMock)
+	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err, "Failed to create router")
 	require.NoError(t, r.init(workTable))

--- a/client/firewall/nftables/state_linux.go
+++ b/client/firewall/nftables/state_linux.go
@@ -3,6 +3,7 @@ package nftables
 import (
 	"fmt"

+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )

@@ -10,6 +11,7 @@ type InterfaceState struct {
 	NameStr       string         `json:"name"`
 	WGAddress     wgaddr.Address `json:"wg_address"`
 	UserspaceBind bool           `json:"userspace_bind"`
+	MTU           uint16         `json:"mtu"`
 }

 func (i *InterfaceState) Name() string {
@@ -33,7 +35,11 @@ func (s *ShutdownState) Name() string {
 }

 func (s *ShutdownState) Cleanup() error {
-	nft, err := Create(s.InterfaceState)
+	mtu := s.InterfaceState.MTU
+	if mtu == 0 {
+		mtu = iface.DefaultMTU
+	}
+	nft, err := Create(s.InterfaceState, mtu)
 	if err != nil {
 		return fmt.Errorf("create nftables manager: %w", err)
 	}
--- a/client/firewall/uspfilter/filter.go
+++ b/client/firewall/uspfilter/filter.go
@@ -1,6 +1,7 @@
 package uspfilter

 import (
+	"encoding/binary"
 	"errors"
 	"fmt"
 	"net"
@@ -27,7 +28,12 @@ import (
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )

-const layerTypeAll = 0
+const (
+	layerTypeAll = 0
+
+	// ipTCPHeaderMinSize represents minimum IP (20) + TCP (20) header size for MSS calculation
+	ipTCPHeaderMinSize = 40
+)

 const (
 	// EnvDisableConntrack disables the stateful filter, replies to outbound traffic won't be allowed.
@@ -36,6 +42,9 @@ const (
 	// EnvDisableUserspaceRouting disables userspace routing, to-be-routed packets will be dropped.
 	EnvDisableUserspaceRouting = "NB_DISABLE_USERSPACE_ROUTING"

+	// EnvDisableMSSClamping disables TCP MSS clamping for forwarded traffic.
+	EnvDisableMSSClamping = "NB_DISABLE_MSS_CLAMPING"
+
 	// EnvForceUserspaceRouter forces userspace routing even if native routing is available.
 	EnvForceUserspaceRouter = "NB_FORCE_USERSPACE_ROUTER"

@@ -50,6 +59,12 @@ const (

 var errNatNotSupported = errors.New("nat not supported with userspace firewall")

+// serviceKey represents a protocol/port combination for netstack service registry
+type serviceKey struct {
+	protocol gopacket.LayerType
+	port     uint16
+}
+
 // RuleSet is a set of rules grouped by a string key
 type RuleSet map[string]PeerRule

@@ -113,6 +128,13 @@ type Manager struct {
 	portDNATEnabled atomic.Bool
 	portDNATRules   []portDNATRule
 	portDNATMutex   sync.RWMutex
+
+	netstackServices     map[serviceKey]struct{}
+	netstackServiceMutex sync.RWMutex
+
+	mtu             uint16
+	mssClampValue   uint16
+	mssClampEnabled bool
 }

 // decoder for packages
@@ -131,16 +153,16 @@ type decoder struct {
 }

 // Create userspace firewall manager constructor
-func Create(iface common.IFaceMapper, disableServerRoutes bool, flowLogger nftypes.FlowLogger) (*Manager, error) {
-	return create(iface, nil, disableServerRoutes, flowLogger)
+func Create(iface common.IFaceMapper, disableServerRoutes bool, flowLogger nftypes.FlowLogger, mtu uint16) (*Manager, error) {
+	return create(iface, nil, disableServerRoutes, flowLogger, mtu)
 }

-func CreateWithNativeFirewall(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger) (*Manager, error) {
+func CreateWithNativeFirewall(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger, mtu uint16) (*Manager, error) {
 	if nativeFirewall == nil {
 		return nil, errors.New("native firewall is nil")
 	}

-	mgr, err := create(iface, nativeFirewall, disableServerRoutes, flowLogger)
+	mgr, err := create(iface, nativeFirewall, disableServerRoutes, flowLogger, mtu)
 	if err != nil {
 		return nil, err
 	}
@@ -148,8 +170,8 @@ func CreateWithNativeFirewall(iface common.IFaceMapper, nativeFirewall firewall.
 	return mgr, nil
 }

-func parseCreateEnv() (bool, bool) {
-	var disableConntrack, enableLocalForwarding bool
+func parseCreateEnv() (bool, bool, bool) {
+	var disableConntrack, enableLocalForwarding, disableMSSClamping bool
 	var err error
 	if val := os.Getenv(EnvDisableConntrack); val != "" {
 		disableConntrack, err = strconv.ParseBool(val)
@@ -168,12 +190,18 @@ func parseCreateEnv() (bool, bool) {
 			log.Warnf("failed to parse %s: %v", EnvEnableLocalForwarding, err)
 		}
 	}
+	if val := os.Getenv(EnvDisableMSSClamping); val != "" {
+		disableMSSClamping, err = strconv.ParseBool(val)
+		if err != nil {
+			log.Warnf("failed to parse %s: %v", EnvDisableMSSClamping, err)
+		}
+	}

-	return disableConntrack, enableLocalForwarding
+	return disableConntrack, enableLocalForwarding, disableMSSClamping
 }

-func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger) (*Manager, error) {
-	disableConntrack, enableLocalForwarding := parseCreateEnv()
+func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger, mtu uint16) (*Manager, error) {
+	disableConntrack, enableLocalForwarding, disableMSSClamping := parseCreateEnv()

 	m := &Manager{
 		decoders: sync.Pool{
@@ -203,13 +231,18 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		localForwarding:     enableLocalForwarding,
 		dnatMappings:        make(map[netip.Addr]netip.Addr),
 		portDNATRules:       []portDNATRule{},
+		netstackServices:    make(map[serviceKey]struct{}),
+		mtu:                 mtu,
 	}
 	m.routingEnabled.Store(false)

+	if !disableMSSClamping {
+		m.mssClampEnabled = true
+		m.mssClampValue = mtu - ipTCPHeaderMinSize
+	}
 	if err := m.localipmanager.UpdateLocalIPs(iface); err != nil {
 		return nil, fmt.Errorf("update local IPs: %w", err)
 	}
-
 	if disableConntrack {
 		log.Info("conntrack is disabled")
 	} else {
@@ -217,14 +250,11 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		m.icmpTracker = conntrack.NewICMPTracker(conntrack.DefaultICMPTimeout, m.logger, flowLogger)
 		m.tcpTracker = conntrack.NewTCPTracker(conntrack.DefaultTCPTimeout, m.logger, flowLogger)
 	}
-
-	// netstack needs the forwarder for local traffic
 	if m.netstack && m.localForwarding {
 		if err := m.initForwarder(); err != nil {
 			log.Errorf("failed to initialize forwarder: %v", err)
 		}
 	}
-
 	if err := iface.SetFilter(m); err != nil {
 		return nil, fmt.Errorf("set filter: %w", err)
 	}
@@ -327,7 +357,7 @@ func (m *Manager) initForwarder() error {
 		return errors.New("forwarding not supported")
 	}

-	forwarder, err := forwarder.New(m.wgIface, m.logger, m.flowLogger, m.netstack)
+	forwarder, err := forwarder.New(m.wgIface, m.logger, m.flowLogger, m.netstack, m.mtu)
 	if err != nil {
 		m.routingEnabled.Store(false)
 		return fmt.Errorf("create forwarder: %w", err)
@@ -633,8 +663,17 @@ func (m *Manager) filterOutbound(packetData []byte, size int) bool {
 		return false
 	}

-	if d.decoded[1] == layers.LayerTypeUDP && m.udpHooksDrop(uint16(d.udp.DstPort), dstIP, packetData) {
-		return true
+	switch d.decoded[1] {
+	case layers.LayerTypeUDP:
+		if m.udpHooksDrop(uint16(d.udp.DstPort), dstIP, packetData) {
+			return true
+		}
+	case layers.LayerTypeTCP:
+		// Clamp MSS on all TCP SYN packets, including those from local IPs.
+		// SNATed routed traffic may appear as local IP but still requires clamping.
+		if m.mssClampEnabled {
+			m.clampTCPMSS(packetData, d)
+		}
 	}

 	m.trackOutbound(d, srcIP, dstIP, packetData, size)
@@ -681,6 +720,97 @@ func getTCPFlags(tcp *layers.TCP) uint8 {
 	return flags
 }

+// clampTCPMSS clamps the TCP MSS option in SYN and SYN-ACK packets to prevent fragmentation.
+// Both sides advertise their MSS during connection establishment, so we need to clamp both.
+func (m *Manager) clampTCPMSS(packetData []byte, d *decoder) bool {
+	if !d.tcp.SYN {
+		return false
+	}
+	if len(d.tcp.Options) == 0 {
+		return false
+	}
+
+	mssOptionIndex := -1
+	var currentMSS uint16
+	for i, opt := range d.tcp.Options {
+		if opt.OptionType == layers.TCPOptionKindMSS && len(opt.OptionData) == 2 {
+			currentMSS = binary.BigEndian.Uint16(opt.OptionData)
+			if currentMSS > m.mssClampValue {
+				mssOptionIndex = i
+				break
+			}
+		}
+	}
+
+	if mssOptionIndex == -1 {
+		return false
+	}
+
+	ipHeaderSize := int(d.ip4.IHL) * 4
+	if ipHeaderSize < 20 {
+		return false
+	}
+
+	if !m.updateMSSOption(packetData, d, mssOptionIndex, ipHeaderSize) {
+		return false
+	}
+
+	m.logger.Trace2("Clamped TCP MSS from %d to %d", currentMSS, m.mssClampValue)
+	return true
+}
+
+func (m *Manager) updateMSSOption(packetData []byte, d *decoder, mssOptionIndex, ipHeaderSize int) bool {
+	tcpHeaderStart := ipHeaderSize
+	tcpOptionsStart := tcpHeaderStart + 20
+
+	optOffset := tcpOptionsStart
+	for j := 0; j < mssOptionIndex; j++ {
+		switch d.tcp.Options[j].OptionType {
+		case layers.TCPOptionKindEndList, layers.TCPOptionKindNop:
+			optOffset++
+		default:
+			optOffset += 2 + len(d.tcp.Options[j].OptionData)
+		}
+	}
+
+	mssValueOffset := optOffset + 2
+	binary.BigEndian.PutUint16(packetData[mssValueOffset:mssValueOffset+2], m.mssClampValue)
+
+	m.recalculateTCPChecksum(packetData, d, tcpHeaderStart)
+	return true
+}
+
+func (m *Manager) recalculateTCPChecksum(packetData []byte, d *decoder, tcpHeaderStart int) {
+	tcpLayer := packetData[tcpHeaderStart:]
+	tcpLength := len(packetData) - tcpHeaderStart
+
+	tcpLayer[16] = 0
+	tcpLayer[17] = 0
+
+	var pseudoSum uint32
+	pseudoSum += uint32(d.ip4.SrcIP[0])<<8 | uint32(d.ip4.SrcIP[1])
+	pseudoSum += uint32(d.ip4.SrcIP[2])<<8 | uint32(d.ip4.SrcIP[3])
+	pseudoSum += uint32(d.ip4.DstIP[0])<<8 | uint32(d.ip4.DstIP[1])
+	pseudoSum += uint32(d.ip4.DstIP[2])<<8 | uint32(d.ip4.DstIP[3])
+	pseudoSum += uint32(d.ip4.Protocol)
+	pseudoSum += uint32(tcpLength)
+
+	var sum uint32 = pseudoSum
+	for i := 0; i < tcpLength-1; i += 2 {
+		sum += uint32(tcpLayer[i])<<8 | uint32(tcpLayer[i+1])
+	}
+	if tcpLength%2 == 1 {
+		sum += uint32(tcpLayer[tcpLength-1]) << 8
+	}
+
+	for sum > 0xFFFF {
+		sum = (sum & 0xFFFF) + (sum >> 16)
+	}
+
+	checksum := ^uint16(sum)
+	binary.BigEndian.PutUint16(tcpLayer[16:18], checksum)
+}
+
 func (m *Manager) trackOutbound(d *decoder, srcIP, dstIP netip.Addr, packetData []byte, size int) {
 	transport := d.decoded[1]
 	switch transport {
@@ -838,9 +968,7 @@ func (m *Manager) handleLocalTraffic(d *decoder, srcIP, dstIP netip.Addr, packet
 		return true
 	}

-	// If requested we pass local traffic to internal interfaces to the forwarder.
-	// netstack doesn't have an interface to forward packets to the native stack so we always need to use the forwarder.
-	if m.localForwarding && (m.netstack || dstIP != m.wgIface.Address().IP) {
+	if m.shouldForward(d, dstIP) {
 		return m.handleForwardedLocalTraffic(packetData)
 	}

@@ -1274,3 +1402,86 @@ func (m *Manager) DisableRouting() error {

 	return nil
 }
+
+// RegisterNetstackService registers a service as listening on the netstack for the given protocol and port
+func (m *Manager) RegisterNetstackService(protocol nftypes.Protocol, port uint16) {
+	m.netstackServiceMutex.Lock()
+	defer m.netstackServiceMutex.Unlock()
+	layerType := m.protocolToLayerType(protocol)
+	key := serviceKey{protocol: layerType, port: port}
+	m.netstackServices[key] = struct{}{}
+	m.logger.Debug3("RegisterNetstackService: registered %s:%d (layerType=%s)", protocol, port, layerType)
+	m.logger.Debug1("RegisterNetstackService: current registry size: %d", len(m.netstackServices))
+}
+
+// UnregisterNetstackService removes a service from the netstack registry
+func (m *Manager) UnregisterNetstackService(protocol nftypes.Protocol, port uint16) {
+	m.netstackServiceMutex.Lock()
+	defer m.netstackServiceMutex.Unlock()
+	layerType := m.protocolToLayerType(protocol)
+	key := serviceKey{protocol: layerType, port: port}
+	delete(m.netstackServices, key)
+	m.logger.Debug2("Unregistered netstack service on protocol %s port %d", protocol, port)
+}
+
+// protocolToLayerType converts nftypes.Protocol to gopacket.LayerType for internal use
+func (m *Manager) protocolToLayerType(protocol nftypes.Protocol) gopacket.LayerType {
+	switch protocol {
+	case nftypes.TCP:
+		return layers.LayerTypeTCP
+	case nftypes.UDP:
+		return layers.LayerTypeUDP
+	case nftypes.ICMP:
+		return layers.LayerTypeICMPv4
+	default:
+		return gopacket.LayerType(0) // Invalid/unknown
+	}
+}
+
+// shouldForward determines if a packet should be forwarded to the forwarder.
+// The forwarder handles routing packets to the native OS network stack.
+// Returns true if packet should go to the forwarder, false if it should go to netstack listeners or the native stack directly.
+func (m *Manager) shouldForward(d *decoder, dstIP netip.Addr) bool {
+	// not enabled, never forward
+	if !m.localForwarding {
+		return false
+	}
+
+	// netstack always needs to forward because it's lacking a native interface
+	// exception for registered netstack services, those should go to netstack listeners
+	if m.netstack {
+		return !m.hasMatchingNetstackService(d)
+	}
+
+	// traffic to our other local interfaces (not NetBird IP) - always forward
+	if dstIP != m.wgIface.Address().IP {
+		return true
+	}
+
+	// traffic to our NetBird IP, not netstack mode - send to netstack listeners
+	return false
+}
+
+// hasMatchingNetstackService checks if there's a registered netstack service for this packet
+func (m *Manager) hasMatchingNetstackService(d *decoder) bool {
+	if len(d.decoded) < 2 {
+		return false
+	}
+
+	var dstPort uint16
+	switch d.decoded[1] {
+	case layers.LayerTypeTCP:
+		dstPort = uint16(d.tcp.DstPort)
+	case layers.LayerTypeUDP:
+		dstPort = uint16(d.udp.DstPort)
+	default:
+		return false
+	}
+
+	key := serviceKey{protocol: d.decoded[1], port: dstPort}
+	m.netstackServiceMutex.RLock()
+	_, exists := m.netstackServices[key]
+	m.netstackServiceMutex.RUnlock()
+
+	return exists
+}
--- a/client/firewall/uspfilter/filter_bench_test.go
+++ b/client/firewall/uspfilter/filter_bench_test.go
@@ -17,6 +17,7 @@ import (

 	fw "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 )

@@ -169,7 +170,7 @@ func BenchmarkCoreFiltering(b *testing.B) {
 				// Create manager and basic setup
 				manager, _ := Create(&IFaceMock{
 					SetFilterFunc: func(device.PacketFilter) error { return nil },
-				}, false, flowLogger)
+				}, false, flowLogger, iface.DefaultMTU)
 				defer b.Cleanup(func() {
 					require.NoError(b, manager.Close(nil))
 				})
@@ -209,7 +210,7 @@ func BenchmarkStateScaling(b *testing.B) {
 		b.Run(fmt.Sprintf("conns_%d", count), func(b *testing.B) {
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -252,7 +253,7 @@ func BenchmarkEstablishmentOverhead(b *testing.B) {
 		b.Run(sc.name, func(b *testing.B) {
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -410,7 +411,7 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 		b.Run(sc.name, func(b *testing.B) {
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -537,7 +538,7 @@ func BenchmarkLongLivedConnections(b *testing.B) {

 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			defer b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -620,7 +621,7 @@ func BenchmarkShortLivedConnections(b *testing.B) {

 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			defer b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -731,7 +732,7 @@ func BenchmarkParallelLongLivedConnections(b *testing.B) {

 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			defer b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -811,7 +812,7 @@ func BenchmarkParallelShortLivedConnections(b *testing.B) {

 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			defer b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -896,38 +897,6 @@ func BenchmarkParallelShortLivedConnections(b *testing.B) {
 	}
 }

-// generateTCPPacketWithFlags creates a TCP packet with specific flags
-func generateTCPPacketWithFlags(b *testing.B, srcIP, dstIP net.IP, srcPort, dstPort, flags uint16) []byte {
-	b.Helper()
-
-	ipv4 := &layers.IPv4{
-		TTL:      64,
-		Version:  4,
-		SrcIP:    srcIP,
-		DstIP:    dstIP,
-		Protocol: layers.IPProtocolTCP,
-	}
-
-	tcp := &layers.TCP{
-		SrcPort: layers.TCPPort(srcPort),
-		DstPort: layers.TCPPort(dstPort),
-	}
-
-	// Set TCP flags
-	tcp.SYN = (flags & uint16(conntrack.TCPSyn)) != 0
-	tcp.ACK = (flags & uint16(conntrack.TCPAck)) != 0
-	tcp.PSH = (flags & uint16(conntrack.TCPPush)) != 0
-	tcp.RST = (flags & uint16(conntrack.TCPRst)) != 0
-	tcp.FIN = (flags & uint16(conntrack.TCPFin)) != 0
-
-	require.NoError(b, tcp.SetNetworkLayerForChecksum(ipv4))
-
-	buf := gopacket.NewSerializeBuffer()
-	opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
-	require.NoError(b, gopacket.SerializeLayers(buf, opts, ipv4, tcp, gopacket.Payload("test")))
-	return buf.Bytes()
-}
-
 func BenchmarkRouteACLs(b *testing.B) {
 	manager := setupRoutedManager(b, "10.10.0.100/16")

@@ -990,3 +959,231 @@ func BenchmarkRouteACLs(b *testing.B) {
 		}
 	}
 }
+
+// BenchmarkMSSClamping benchmarks the MSS clamping impact on filterOutbound.
+// This shows the overhead difference between the common case (non-SYN packets, fast path)
+// and the rare case (SYN packets that need clamping, expensive path).
+func BenchmarkMSSClamping(b *testing.B) {
+	scenarios := []struct {
+		name        string
+		description string
+		genPacket   func(*testing.B, net.IP, net.IP) []byte
+		frequency   string
+	}{
+		{
+			name:        "syn_needs_clamp",
+			description: "SYN packet needing MSS clamping",
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateSYNPacketWithMSS(b, src, dst, 12345, 80, 1460)
+			},
+			frequency: "~0.1% of traffic - EXPENSIVE",
+		},
+		{
+			name:        "syn_no_clamp_needed",
+			description: "SYN packet with already-small MSS",
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateSYNPacketWithMSS(b, src, dst, 12345, 80, 1200)
+			},
+			frequency: "~0.05% of traffic",
+		},
+		{
+			name:        "tcp_ack",
+			description: "Non-SYN TCP packet (ACK, data transfer)",
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateTCPPacketWithFlags(b, src, dst, 12345, 80, uint16(conntrack.TCPAck))
+			},
+			frequency: "~60-70% of traffic - FAST PATH",
+		},
+		{
+			name:        "tcp_psh_ack",
+			description: "TCP data packet (PSH+ACK)",
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateTCPPacketWithFlags(b, src, dst, 12345, 80, uint16(conntrack.TCPPush|conntrack.TCPAck))
+			},
+			frequency: "~10-20% of traffic - FAST PATH",
+		},
+		{
+			name:        "udp",
+			description: "UDP packet",
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generatePacket(b, src, dst, 12345, 80, layers.IPProtocolUDP)
+			},
+			frequency: "~20-30% of traffic - FAST PATH",
+		},
+	}
+
+	for _, sc := range scenarios {
+		b.Run(sc.name, func(b *testing.B) {
+			manager, err := Create(&IFaceMock{
+				SetFilterFunc: func(device.PacketFilter) error { return nil },
+			}, false, flowLogger, iface.DefaultMTU)
+			require.NoError(b, err)
+			defer func() {
+				require.NoError(b, manager.Close(nil))
+			}()
+
+			manager.mssClampEnabled = true
+			manager.mssClampValue = 1240
+
+			srcIP := net.ParseIP("100.64.0.2")
+			dstIP := net.ParseIP("8.8.8.8")
+			packet := sc.genPacket(b, srcIP, dstIP)
+
+			b.ReportAllocs()
+			b.ResetTimer()
+			for i := 0; i < b.N; i++ {
+				manager.filterOutbound(packet, len(packet))
+			}
+		})
+	}
+}
+
+// BenchmarkMSSClampingOverhead compares overhead of MSS clamping enabled vs disabled
+// for the common case (non-SYN TCP packets).
+func BenchmarkMSSClampingOverhead(b *testing.B) {
+	scenarios := []struct {
+		name      string
+		enabled   bool
+		genPacket func(*testing.B, net.IP, net.IP) []byte
+	}{
+		{
+			name:    "disabled_tcp_ack",
+			enabled: false,
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateTCPPacketWithFlags(b, src, dst, 12345, 80, uint16(conntrack.TCPAck))
+			},
+		},
+		{
+			name:    "enabled_tcp_ack",
+			enabled: true,
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateTCPPacketWithFlags(b, src, dst, 12345, 80, uint16(conntrack.TCPAck))
+			},
+		},
+		{
+			name:    "disabled_syn_needs_clamp",
+			enabled: false,
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateSYNPacketWithMSS(b, src, dst, 12345, 80, 1460)
+			},
+		},
+		{
+			name:    "enabled_syn_needs_clamp",
+			enabled: true,
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateSYNPacketWithMSS(b, src, dst, 12345, 80, 1460)
+			},
+		},
+	}
+
+	for _, sc := range scenarios {
+		b.Run(sc.name, func(b *testing.B) {
+			manager, err := Create(&IFaceMock{
+				SetFilterFunc: func(device.PacketFilter) error { return nil },
+			}, false, flowLogger, iface.DefaultMTU)
+			require.NoError(b, err)
+			defer func() {
+				require.NoError(b, manager.Close(nil))
+			}()
+
+			manager.mssClampEnabled = sc.enabled
+			if sc.enabled {
+				manager.mssClampValue = 1240
+			}
+
+			srcIP := net.ParseIP("100.64.0.2")
+			dstIP := net.ParseIP("8.8.8.8")
+			packet := sc.genPacket(b, srcIP, dstIP)
+
+			b.ReportAllocs()
+			b.ResetTimer()
+			for i := 0; i < b.N; i++ {
+				manager.filterOutbound(packet, len(packet))
+			}
+		})
+	}
+}
+
+// BenchmarkMSSClampingMemory measures memory allocations for common vs rare cases
+func BenchmarkMSSClampingMemory(b *testing.B) {
+	scenarios := []struct {
+		name      string
+		genPacket func(*testing.B, net.IP, net.IP) []byte
+	}{
+		{
+			name: "tcp_ack_fast_path",
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateTCPPacketWithFlags(b, src, dst, 12345, 80, uint16(conntrack.TCPAck))
+			},
+		},
+		{
+			name: "syn_needs_clamp",
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateSYNPacketWithMSS(b, src, dst, 12345, 80, 1460)
+			},
+		},
+		{
+			name: "udp_fast_path",
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generatePacket(b, src, dst, 12345, 80, layers.IPProtocolUDP)
+			},
+		},
+	}
+
+	for _, sc := range scenarios {
+		b.Run(sc.name, func(b *testing.B) {
+			manager, err := Create(&IFaceMock{
+				SetFilterFunc: func(device.PacketFilter) error { return nil },
+			}, false, flowLogger, iface.DefaultMTU)
+			require.NoError(b, err)
+			defer func() {
+				require.NoError(b, manager.Close(nil))
+			}()
+
+			manager.mssClampEnabled = true
+			manager.mssClampValue = 1240
+
+			srcIP := net.ParseIP("100.64.0.2")
+			dstIP := net.ParseIP("8.8.8.8")
+			packet := sc.genPacket(b, srcIP, dstIP)
+
+			b.ReportAllocs()
+			b.ResetTimer()
+			for i := 0; i < b.N; i++ {
+				manager.filterOutbound(packet, len(packet))
+			}
+		})
+	}
+}
+
+func generateSYNPacketNoMSS(b *testing.B, srcIP, dstIP net.IP, srcPort, dstPort uint16) []byte {
+	b.Helper()
+
+	ip := &layers.IPv4{
+		Version:  4,
+		IHL:      5,
+		TTL:      64,
+		Protocol: layers.IPProtocolTCP,
+		SrcIP:    srcIP,
+		DstIP:    dstIP,
+	}
+
+	tcp := &layers.TCP{
+		SrcPort: layers.TCPPort(srcPort),
+		DstPort: layers.TCPPort(dstPort),
+		SYN:     true,
+		Seq:     1000,
+		Window:  65535,
+	}
+
+	require.NoError(b, tcp.SetNetworkLayerForChecksum(ip))
+
+	buf := gopacket.NewSerializeBuffer()
+	opts := gopacket.SerializeOptions{
+		FixLengths:       true,
+		ComputeChecksums: true,
+	}
+
+	require.NoError(b, gopacket.SerializeLayers(buf, opts, ip, tcp, gopacket.Payload([]byte{})))
+	return buf.Bytes()
+}
--- a/client/firewall/uspfilter/filter_filter_test.go
+++ b/client/firewall/uspfilter/filter_filter_test.go
@@ -12,6 +12,7 @@ import (
 	wgdevice "golang.zx2c4.com/wireguard/device"

 	fw "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/mocks"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
@@ -31,7 +32,7 @@ func TestPeerACLFiltering(t *testing.T) {
 		},
 	}

-	manager, err := Create(ifaceMock, false, flowLogger)
+	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NotNil(t, manager)

@@ -616,7 +617,7 @@ func setupRoutedManager(tb testing.TB, network string) *Manager {
 		},
 	}

-	manager, err := Create(ifaceMock, false, flowLogger)
+	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
 	require.NoError(tb, err)
 	require.NoError(tb, manager.EnableRouting())
 	require.NotNil(tb, manager)
@@ -1462,7 +1463,7 @@ func TestRouteACLSet(t *testing.T) {
 		},
 	}

-	manager, err := Create(ifaceMock, false, flowLogger)
+	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
--- a/client/firewall/uspfilter/filter_test.go
+++ b/client/firewall/uspfilter/filter_test.go
@@ -1,6 +1,7 @@
 package uspfilter

 import (
+	"encoding/binary"
 	"fmt"
 	"net"
 	"net/netip"
@@ -17,6 +18,7 @@ import (
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/log"
+	nbiface "github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/netflow"
@@ -66,7 +68,7 @@ func TestManagerCreate(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}

-	m, err := Create(ifaceMock, false, flowLogger)
+	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -86,7 +88,7 @@ func TestManagerAddPeerFiltering(t *testing.T) {
 		},
 	}

-	m, err := Create(ifaceMock, false, flowLogger)
+	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -119,7 +121,7 @@ func TestManagerDeleteRule(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}

-	m, err := Create(ifaceMock, false, flowLogger)
+	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -215,7 +217,7 @@ func TestAddUDPPacketHook(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			manager, err := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, nbiface.DefaultMTU)
 			require.NoError(t, err)

 			manager.AddUDPPacketHook(tt.in, tt.ip, tt.dPort, tt.hook)
@@ -265,7 +267,7 @@ func TestManagerReset(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}

-	m, err := Create(ifaceMock, false, flowLogger)
+	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -304,7 +306,7 @@ func TestNotMatchByIP(t *testing.T) {
 		},
 	}

-	m, err := Create(ifaceMock, false, flowLogger)
+	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -367,7 +369,7 @@ func TestRemovePacketHook(t *testing.T) {
 	}

 	// creating manager instance
-	manager, err := Create(iface, false, flowLogger)
+	manager, err := Create(iface, false, flowLogger, nbiface.DefaultMTU)
 	if err != nil {
 		t.Fatalf("Failed to create Manager: %s", err)
 	}
@@ -413,7 +415,7 @@ func TestRemovePacketHook(t *testing.T) {
 func TestProcessOutgoingHooks(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
+	}, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)

 	manager.udpTracker.Close()
@@ -495,7 +497,7 @@ func TestUSPFilterCreatePerformance(t *testing.T) {
 			ifaceMock := &IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
 			}
-			manager, err := Create(ifaceMock, false, flowLogger)
+			manager, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 			require.NoError(t, err)
 			time.Sleep(time.Second)

@@ -522,7 +524,7 @@ func TestUSPFilterCreatePerformance(t *testing.T) {
 func TestStatefulFirewall_UDPTracking(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
+	}, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)

 	manager.udpTracker.Close() // Close the existing tracker
@@ -729,7 +731,7 @@ func TestUpdateSetMerge(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}

-	manager, err := Create(ifaceMock, false, flowLogger)
+	manager, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
@@ -815,7 +817,7 @@ func TestUpdateSetDeduplication(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}

-	manager, err := Create(ifaceMock, false, flowLogger)
+	manager, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
@@ -923,3 +925,192 @@ func TestUpdateSetDeduplication(t *testing.T) {
 		require.Equal(t, tc.expected, isAllowed, tc.desc)
 	}
 }
+
+func TestMSSClamping(t *testing.T) {
+	ifaceMock := &IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+		AddressFunc: func() wgaddr.Address {
+			return wgaddr.Address{
+				IP:      netip.MustParseAddr("100.10.0.100"),
+				Network: netip.MustParsePrefix("100.10.0.0/16"),
+			}
+		},
+	}
+
+	manager, err := Create(ifaceMock, false, flowLogger, 1280)
+	require.NoError(t, err)
+	defer func() {
+		require.NoError(t, manager.Close(nil))
+	}()
+
+	require.True(t, manager.mssClampEnabled, "MSS clamping should be enabled by default")
+	expectedMSSValue := uint16(1280 - ipTCPHeaderMinSize)
+	require.Equal(t, expectedMSSValue, manager.mssClampValue, "MSS clamp value should be MTU - 40")
+
+	err = manager.UpdateLocalIPs()
+	require.NoError(t, err)
+
+	srcIP := net.ParseIP("100.10.0.2")
+	dstIP := net.ParseIP("8.8.8.8")
+
+	t.Run("SYN packet with high MSS gets clamped", func(t *testing.T) {
+		highMSS := uint16(1460)
+		packet := generateSYNPacketWithMSS(t, srcIP, dstIP, 12345, 80, highMSS)
+
+		manager.filterOutbound(packet, len(packet))
+
+		d := parsePacket(t, packet)
+		require.Len(t, d.tcp.Options, 1, "Should have MSS option")
+		require.Equal(t, uint8(layers.TCPOptionKindMSS), uint8(d.tcp.Options[0].OptionType))
+		actualMSS := binary.BigEndian.Uint16(d.tcp.Options[0].OptionData)
+		require.Equal(t, expectedMSSValue, actualMSS, "MSS should be clamped to MTU - 40")
+	})
+
+	t.Run("SYN packet with low MSS unchanged", func(t *testing.T) {
+		lowMSS := uint16(1200)
+		packet := generateSYNPacketWithMSS(t, srcIP, dstIP, 12345, 80, lowMSS)
+
+		manager.filterOutbound(packet, len(packet))
+
+		d := parsePacket(t, packet)
+		require.Len(t, d.tcp.Options, 1, "Should have MSS option")
+		actualMSS := binary.BigEndian.Uint16(d.tcp.Options[0].OptionData)
+		require.Equal(t, lowMSS, actualMSS, "Low MSS should not be modified")
+	})
+
+	t.Run("SYN-ACK packet gets clamped", func(t *testing.T) {
+		highMSS := uint16(1460)
+		packet := generateSYNACKPacketWithMSS(t, srcIP, dstIP, 12345, 80, highMSS)
+
+		manager.filterOutbound(packet, len(packet))
+
+		d := parsePacket(t, packet)
+		require.Len(t, d.tcp.Options, 1, "Should have MSS option")
+		actualMSS := binary.BigEndian.Uint16(d.tcp.Options[0].OptionData)
+		require.Equal(t, expectedMSSValue, actualMSS, "MSS in SYN-ACK should be clamped")
+	})
+
+	t.Run("Non-SYN packet unchanged", func(t *testing.T) {
+		packet := generateTCPPacketWithFlags(t, srcIP, dstIP, 12345, 80, uint16(conntrack.TCPAck))
+
+		manager.filterOutbound(packet, len(packet))
+
+		d := parsePacket(t, packet)
+		require.Empty(t, d.tcp.Options, "ACK packet should have no options")
+	})
+}
+
+func generateSYNPacketWithMSS(tb testing.TB, srcIP, dstIP net.IP, srcPort, dstPort uint16, mss uint16) []byte {
+	tb.Helper()
+
+	ipLayer := &layers.IPv4{
+		Version:  4,
+		TTL:      64,
+		Protocol: layers.IPProtocolTCP,
+		SrcIP:    srcIP,
+		DstIP:    dstIP,
+	}
+
+	tcpLayer := &layers.TCP{
+		SrcPort: layers.TCPPort(srcPort),
+		DstPort: layers.TCPPort(dstPort),
+		SYN:     true,
+		Window:  65535,
+		Options: []layers.TCPOption{
+			{
+				OptionType:   layers.TCPOptionKindMSS,
+				OptionLength: 4,
+				OptionData:   binary.BigEndian.AppendUint16(nil, mss),
+			},
+		},
+	}
+	err := tcpLayer.SetNetworkLayerForChecksum(ipLayer)
+	require.NoError(tb, err)
+
+	buf := gopacket.NewSerializeBuffer()
+	opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
+	err = gopacket.SerializeLayers(buf, opts, ipLayer, tcpLayer, gopacket.Payload([]byte{}))
+	require.NoError(tb, err)
+
+	return buf.Bytes()
+}
+
+func generateSYNACKPacketWithMSS(tb testing.TB, srcIP, dstIP net.IP, srcPort, dstPort uint16, mss uint16) []byte {
+	tb.Helper()
+
+	ipLayer := &layers.IPv4{
+		Version:  4,
+		TTL:      64,
+		Protocol: layers.IPProtocolTCP,
+		SrcIP:    srcIP,
+		DstIP:    dstIP,
+	}
+
+	tcpLayer := &layers.TCP{
+		SrcPort: layers.TCPPort(srcPort),
+		DstPort: layers.TCPPort(dstPort),
+		SYN:     true,
+		ACK:     true,
+		Window:  65535,
+		Options: []layers.TCPOption{
+			{
+				OptionType:   layers.TCPOptionKindMSS,
+				OptionLength: 4,
+				OptionData:   binary.BigEndian.AppendUint16(nil, mss),
+			},
+		},
+	}
+	err := tcpLayer.SetNetworkLayerForChecksum(ipLayer)
+	require.NoError(tb, err)
+
+	buf := gopacket.NewSerializeBuffer()
+	opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
+	err = gopacket.SerializeLayers(buf, opts, ipLayer, tcpLayer, gopacket.Payload([]byte{}))
+	require.NoError(tb, err)
+
+	return buf.Bytes()
+}
+
+func generateTCPPacketWithFlags(tb testing.TB, srcIP, dstIP net.IP, srcPort, dstPort uint16, flags uint16) []byte {
+	tb.Helper()
+
+	ipLayer := &layers.IPv4{
+		Version:  4,
+		TTL:      64,
+		Protocol: layers.IPProtocolTCP,
+		SrcIP:    srcIP,
+		DstIP:    dstIP,
+	}
+
+	tcpLayer := &layers.TCP{
+		SrcPort: layers.TCPPort(srcPort),
+		DstPort: layers.TCPPort(dstPort),
+		Window:  65535,
+	}
+
+	if flags&uint16(conntrack.TCPSyn) != 0 {
+		tcpLayer.SYN = true
+	}
+	if flags&uint16(conntrack.TCPAck) != 0 {
+		tcpLayer.ACK = true
+	}
+	if flags&uint16(conntrack.TCPFin) != 0 {
+		tcpLayer.FIN = true
+	}
+	if flags&uint16(conntrack.TCPRst) != 0 {
+		tcpLayer.RST = true
+	}
+	if flags&uint16(conntrack.TCPPush) != 0 {
+		tcpLayer.PSH = true
+	}
+
+	err := tcpLayer.SetNetworkLayerForChecksum(ipLayer)
+	require.NoError(tb, err)
+
+	buf := gopacket.NewSerializeBuffer()
+	opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
+	err = gopacket.SerializeLayers(buf, opts, ipLayer, tcpLayer, gopacket.Payload([]byte{}))
+	require.NoError(tb, err)
+
+	return buf.Bytes()
+}
--- a/client/firewall/uspfilter/forwarder/forwarder.go
+++ b/client/firewall/uspfilter/forwarder/forwarder.go
@@ -45,7 +45,7 @@ type Forwarder struct {
 	netstack     bool
 }

-func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.FlowLogger, netstack bool) (*Forwarder, error) {
+func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.FlowLogger, netstack bool, mtu uint16) (*Forwarder, error) {
 	s := stack.New(stack.Options{
 		NetworkProtocols: []stack.NetworkProtocolFactory{ipv4.NewProtocol},
 		TransportProtocols: []stack.TransportProtocolFactory{
@@ -56,10 +56,6 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 		HandleLocal: false,
 	})

-	mtu, err := iface.GetDevice().MTU()
-	if err != nil {
-		return nil, fmt.Errorf("get MTU: %w", err)
-	}
 	nicID := tcpip.NICID(1)
 	endpoint := &endpoint{
 		logger: logger,
@@ -68,7 +64,7 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 	}

 	if err := s.CreateNIC(nicID, endpoint); err != nil {
-		return nil, fmt.Errorf("failed to create NIC: %v", err)
+		return nil, fmt.Errorf("create NIC: %v", err)
 	}

 	protoAddr := tcpip.ProtocolAddress{
--- a/client/firewall/uspfilter/forwarder/udp.go
+++ b/client/firewall/uspfilter/forwarder/udp.go
@@ -49,7 +49,7 @@ type idleConn struct {
 	conn *udpPacketConn
 }

-func newUDPForwarder(mtu int, logger *nblog.Logger, flowLogger nftypes.FlowLogger) *udpForwarder {
+func newUDPForwarder(mtu uint16, logger *nblog.Logger, flowLogger nftypes.FlowLogger) *udpForwarder {
 	ctx, cancel := context.WithCancel(context.Background())
 	f := &udpForwarder{
 		logger:     logger,
--- a/client/firewall/uspfilter/nat_bench_test.go
+++ b/client/firewall/uspfilter/nat_bench_test.go
@@ -12,6 +12,7 @@ import (

 	log "github.com/sirupsen/logrus"

+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 )

@@ -65,7 +66,7 @@ func BenchmarkDNATTranslation(b *testing.B) {
 		b.Run(sc.name, func(b *testing.B) {
 			manager, err := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			require.NoError(b, err)
 			defer func() {
 				require.NoError(b, manager.Close(nil))
@@ -125,7 +126,7 @@ func BenchmarkDNATTranslation(b *testing.B) {
 func BenchmarkDNATConcurrency(b *testing.B) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
+	}, false, flowLogger, iface.DefaultMTU)
 	require.NoError(b, err)
 	defer func() {
 		require.NoError(b, manager.Close(nil))
@@ -197,7 +198,7 @@ func BenchmarkDNATScaling(b *testing.B) {
 		b.Run(fmt.Sprintf("mappings_%d", count), func(b *testing.B) {
 			manager, err := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			require.NoError(b, err)
 			defer func() {
 				require.NoError(b, manager.Close(nil))
@@ -309,7 +310,7 @@ func BenchmarkChecksumUpdate(b *testing.B) {
 func BenchmarkDNATMemoryAllocations(b *testing.B) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
+	}, false, flowLogger, iface.DefaultMTU)
 	require.NoError(b, err)
 	defer func() {
 		require.NoError(b, manager.Close(nil))
@@ -472,7 +473,7 @@ func BenchmarkPortDNAT(b *testing.B) {
 		b.Run(sc.name, func(b *testing.B) {
 			manager, err := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			require.NoError(b, err)
 			defer func() {
 				require.NoError(b, manager.Close(nil))
--- a/client/firewall/uspfilter/nat_test.go
+++ b/client/firewall/uspfilter/nat_test.go
@@ -9,6 +9,7 @@ import (
 	"github.com/stretchr/testify/require"

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 )

@@ -16,7 +17,7 @@ import (
 func TestDNATTranslationCorrectness(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
+	}, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, manager.Close(nil))
@@ -100,7 +101,7 @@ func parsePacket(t testing.TB, packetData []byte) *decoder {
 func TestDNATMappingManagement(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
+	}, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, manager.Close(nil))
@@ -148,7 +149,7 @@ func TestDNATMappingManagement(t *testing.T) {
 func TestInboundPortDNAT(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
+	}, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, manager.Close(nil))
@@ -198,7 +199,7 @@ func TestInboundPortDNAT(t *testing.T) {
 func TestInboundPortDNATNegative(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
+	}, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, manager.Close(nil))
--- a/client/firewall/uspfilter/tracer_test.go
+++ b/client/firewall/uspfilter/tracer_test.go
@@ -10,6 +10,7 @@ import (
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/forwarder"
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
@@ -44,7 +45,7 @@ func TestTracePacket(t *testing.T) {
 			},
 		}

-		m, err := Create(ifaceMock, false, flowLogger)
+		m, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
 		require.NoError(t, err)

 		if !statefulMode {
--- a/client/iface/iface_test.go
+++ b/client/iface/iface_test.go
@@ -1,6 +1,7 @@
 package iface

 import (
+	"context"
 	"fmt"
 	"net"
 	"net/netip"
@@ -9,13 +10,13 @@ import (
 	"time"

 	"github.com/google/uuid"
-	"github.com/pion/transport/v3/stdnet"
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"golang.zx2c4.com/wireguard/wgctrl"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

 	"github.com/netbirdio/netbird/client/iface/device"
+	"github.com/netbirdio/netbird/client/internal/stdnet"
 )

 // keep darwin compatibility
@@ -40,7 +41,7 @@ func TestWGIface_UpdateAddr(t *testing.T) {
 	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+4)
 	addr := "100.64.0.1/8"
 	wgPort := 33100
-	newNet, err := stdnet.NewNet()
+	newNet, err := stdnet.NewNet(context.Background(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -123,7 +124,7 @@ func getIfaceAddrs(ifaceName string) ([]net.Addr, error) {
 func Test_CreateInterface(t *testing.T) {
 	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+1)
 	wgIP := "10.99.99.1/32"
-	newNet, err := stdnet.NewNet()
+	newNet, err := stdnet.NewNet(context.Background(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -166,7 +167,7 @@ func Test_Close(t *testing.T) {
 	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+2)
 	wgIP := "10.99.99.2/32"
 	wgPort := 33100
-	newNet, err := stdnet.NewNet()
+	newNet, err := stdnet.NewNet(context.Background(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -211,7 +212,7 @@ func TestRecreation(t *testing.T) {
 			ifaceName := fmt.Sprintf("utun%d", WgIntNumber+2)
 			wgIP := "10.99.99.2/32"
 			wgPort := 33100
-			newNet, err := stdnet.NewNet()
+			newNet, err := stdnet.NewNet(context.Background(), nil)
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -284,7 +285,7 @@ func Test_ConfigureInterface(t *testing.T) {
 	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+3)
 	wgIP := "10.99.99.5/30"
 	wgPort := 33100
-	newNet, err := stdnet.NewNet()
+	newNet, err := stdnet.NewNet(context.Background(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -339,7 +340,7 @@ func Test_ConfigureInterface(t *testing.T) {
 func Test_UpdatePeer(t *testing.T) {
 	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+4)
 	wgIP := "10.99.99.9/30"
-	newNet, err := stdnet.NewNet()
+	newNet, err := stdnet.NewNet(context.Background(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -409,7 +410,7 @@ func Test_UpdatePeer(t *testing.T) {
 func Test_RemovePeer(t *testing.T) {
 	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+4)
 	wgIP := "10.99.99.13/30"
-	newNet, err := stdnet.NewNet()
+	newNet, err := stdnet.NewNet(context.Background(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -471,7 +472,7 @@ func Test_ConnectPeers(t *testing.T) {
 	peer2wgPort := 33200

 	keepAlive := 1 * time.Second
-	newNet, err := stdnet.NewNet()
+	newNet, err := stdnet.NewNet(context.Background(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -514,7 +515,7 @@ func Test_ConnectPeers(t *testing.T) {
 	guid = fmt.Sprintf("{%s}", uuid.New().String())
 	device.CustomWindowsGUIDString = strings.ToLower(guid)

-	newNet, err = stdnet.NewNet()
+	newNet, err = stdnet.NewNet(context.Background(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/client/iface/udpmux/mux.go
+++ b/client/iface/udpmux/mux.go
@@ -1,6 +1,7 @@
 package udpmux

 import (
+	"context"
 	"fmt"
 	"io"
 	"net"
@@ -12,8 +13,9 @@ import (
 	"github.com/pion/logging"
 	"github.com/pion/stun/v3"
 	"github.com/pion/transport/v3"
-	"github.com/pion/transport/v3/stdnet"
 	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/stdnet"
 )

 /*
@@ -199,7 +201,7 @@ func (m *SingleSocketUDPMux) updateLocalAddresses() {
 		if len(networks) > 0 {
 			if m.params.Net == nil {
 				var err error
-				if m.params.Net, err = stdnet.NewNet(); err != nil {
+				if m.params.Net, err = stdnet.NewNet(context.Background(), nil); err != nil {
 					m.params.Logger.Errorf("failed to get create network: %v", err)
 				}
 			}
--- a/client/internal/acl/manager_test.go
+++ b/client/internal/acl/manager_test.go
@@ -9,6 +9,7 @@ import (
 	"github.com/stretchr/testify/require"

 	"github.com/netbirdio/netbird/client/firewall"
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/acl/mocks"
 	"github.com/netbirdio/netbird/client/internal/netflow"
@@ -52,7 +53,7 @@ func TestDefaultManager(t *testing.T) {
 	}).AnyTimes()
 	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()

-	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false)
+	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false, iface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		err = fw.Close(nil)
@@ -170,7 +171,7 @@ func TestDefaultManagerStateless(t *testing.T) {
 	}).AnyTimes()
 	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()

-	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false)
+	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false, iface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		err = fw.Close(nil)
@@ -321,7 +322,7 @@ func TestDefaultManagerEnableSSHRules(t *testing.T) {
 	}).AnyTimes()
 	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()

-	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false)
+	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false, iface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		err = fw.Close(nil)
--- a/client/internal/auth/device_flow.go
+++ b/client/internal/auth/device_flow.go
@@ -128,9 +128,34 @@ func (d *DeviceAuthorizationFlow) RequestAuthInfo(ctx context.Context) (AuthFlow
 		deviceCode.VerificationURIComplete = deviceCode.VerificationURI
 	}

+	if d.providerConfig.LoginHint != "" {
+		deviceCode.VerificationURIComplete = appendLoginHint(deviceCode.VerificationURIComplete, d.providerConfig.LoginHint)
+		if deviceCode.VerificationURI != "" {
+			deviceCode.VerificationURI = appendLoginHint(deviceCode.VerificationURI, d.providerConfig.LoginHint)
+		}
+	}
+
 	return deviceCode, err
 }

+func appendLoginHint(uri, loginHint string) string {
+	if uri == "" || loginHint == "" {
+		return uri
+	}
+
+	parsedURL, err := url.Parse(uri)
+	if err != nil {
+		log.Debugf("failed to parse verification URI for login_hint: %v", err)
+		return uri
+	}
+
+	query := parsedURL.Query()
+	query.Set("login_hint", loginHint)
+	parsedURL.RawQuery = query.Encode()
+
+	return parsedURL.String()
+}
+
 func (d *DeviceAuthorizationFlow) requestToken(info AuthFlowInfo) (TokenRequestResponse, error) {
 	form := url.Values{}
 	form.Add("client_id", d.providerConfig.ClientID)
--- a/client/internal/auth/oauth.go
+++ b/client/internal/auth/oauth.go
@@ -66,32 +66,34 @@ func (t TokenInfo) GetTokenToUse() string {
 // and if that also fails, the authentication process is deemed unsuccessful
 //
 // On Linux distros without desktop environment support, it only tries to initialize the Device Code Flow
-func NewOAuthFlow(ctx context.Context, config *profilemanager.Config, isUnixDesktopClient bool) (OAuthFlow, error) {
+func NewOAuthFlow(ctx context.Context, config *profilemanager.Config, isUnixDesktopClient bool, hint string) (OAuthFlow, error) {
 	if (runtime.GOOS == "linux" || runtime.GOOS == "freebsd") && !isUnixDesktopClient {
-		return authenticateWithDeviceCodeFlow(ctx, config)
+		return authenticateWithDeviceCodeFlow(ctx, config, hint)
 	}

-	pkceFlow, err := authenticateWithPKCEFlow(ctx, config)
+	pkceFlow, err := authenticateWithPKCEFlow(ctx, config, hint)
 	if err != nil {
-		// fallback to device code flow
 		log.Debugf("failed to initialize pkce authentication with error: %v\n", err)
 		log.Debug("falling back to device code flow")
-		return authenticateWithDeviceCodeFlow(ctx, config)
+		return authenticateWithDeviceCodeFlow(ctx, config, hint)
 	}
 	return pkceFlow, nil
 }

 // authenticateWithPKCEFlow initializes the Proof Key for Code Exchange flow auth flow
-func authenticateWithPKCEFlow(ctx context.Context, config *profilemanager.Config) (OAuthFlow, error) {
+func authenticateWithPKCEFlow(ctx context.Context, config *profilemanager.Config, hint string) (OAuthFlow, error) {
 	pkceFlowInfo, err := internal.GetPKCEAuthorizationFlowInfo(ctx, config.PrivateKey, config.ManagementURL, config.ClientCertKeyPair)
 	if err != nil {
 		return nil, fmt.Errorf("getting pkce authorization flow info failed with error: %v", err)
 	}
+
+	pkceFlowInfo.ProviderConfig.LoginHint = hint
+
 	return NewPKCEAuthorizationFlow(pkceFlowInfo.ProviderConfig)
 }

 // authenticateWithDeviceCodeFlow initializes the Device Code auth Flow
-func authenticateWithDeviceCodeFlow(ctx context.Context, config *profilemanager.Config) (OAuthFlow, error) {
+func authenticateWithDeviceCodeFlow(ctx context.Context, config *profilemanager.Config, hint string) (OAuthFlow, error) {
 	deviceFlowInfo, err := internal.GetDeviceAuthorizationFlowInfo(ctx, config.PrivateKey, config.ManagementURL)
 	if err != nil {
 		switch s, ok := gstatus.FromError(err); {
@@ -107,5 +109,7 @@ func authenticateWithDeviceCodeFlow(ctx context.Context, config *profilemanager.
 		}
 	}

+	deviceFlowInfo.ProviderConfig.LoginHint = hint
+
 	return NewDeviceAuthorizationFlow(deviceFlowInfo.ProviderConfig)
 }
--- a/client/internal/auth/pkce_flow.go
+++ b/client/internal/auth/pkce_flow.go
@@ -109,6 +109,9 @@ func (p *PKCEAuthorizationFlow) RequestAuthInfo(ctx context.Context) (AuthFlowIn
 			params = append(params, oauth2.SetAuthURLParam("max_age", "0"))
 		}
 	}
+	if p.providerConfig.LoginHint != "" {
+		params = append(params, oauth2.SetAuthURLParam("login_hint", p.providerConfig.LoginHint))
+	}

 	authURL := p.oAuthConfig.AuthCodeURL(state, params...)

--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -25,6 +25,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
+	nbnet "github.com/netbirdio/netbird/client/net"
 	cProto "github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
@@ -34,7 +35,6 @@ import (
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
 	signal "github.com/netbirdio/netbird/shared/signal/client"
 	"github.com/netbirdio/netbird/util"
-	nbnet "github.com/netbirdio/netbird/client/net"
 	"github.com/netbirdio/netbird/version"
 )

@@ -289,15 +289,18 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		}

 		<-engineCtx.Done()
+
 		c.engineMutex.Lock()
-		if c.engine != nil && c.engine.wgInterface != nil {
-			log.Infof("ensuring %s is removed, Netbird engine context cancelled", c.engine.wgInterface.Name())
-			if err := c.engine.Stop(); err != nil {
+		engine := c.engine
+		c.engine = nil
+		c.engineMutex.Unlock()
+
+		if engine != nil && engine.wgInterface != nil {
+			log.Infof("ensuring %s is removed, Netbird engine context cancelled", engine.wgInterface.Name())
+			if err := engine.Stop(); err != nil {
 				log.Errorf("Failed to stop engine: %v", err)
 			}
-			c.engine = nil
 		}
-		c.engineMutex.Unlock()
 		c.statusRecorder.ClientTeardown()

 		backOff.Reset()
@@ -382,19 +385,12 @@ func (c *ConnectClient) Status() StatusType {
 }

 func (c *ConnectClient) Stop() error {
-	if c == nil {
-		return nil
+	engine := c.Engine()
+	if engine != nil {
+		if err := engine.Stop(); err != nil {
+			return fmt.Errorf("stop engine: %w", err)
+		}
 	}
-	c.engineMutex.Lock()
-	defer c.engineMutex.Unlock()
-
-	if c.engine == nil {
-		return nil
-	}
-	if err := c.engine.Stop(); err != nil {
-		return fmt.Errorf("stop engine: %w", err)
-	}
-
 	return nil
 }

--- a/client/internal/debug/debug.go
+++ b/client/internal/debug/debug.go
@@ -44,6 +44,8 @@ interfaces.txt: Anonymized network interface information, if --system-info flag
 ip_rules.txt: Detailed IP routing rules in tabular format including priority, source, destination, interfaces, table, and action information (Linux only), if --system-info flag was provided.
 iptables.txt: Anonymized iptables rules with packet counters, if --system-info flag was provided.
 nftables.txt: Anonymized nftables rules with packet counters, if --system-info flag was provided.
+resolv.conf: DNS resolver configuration from /etc/resolv.conf (Unix systems only), if --system-info flag was provided.
+scutil_dns.txt: DNS configuration from scutil --dns (macOS only), if --system-info flag was provided.
 resolved_domains.txt: Anonymized resolved domain IP addresses from the status recorder.
 config.txt: Anonymized configuration information of the NetBird client.
 network_map.json: Anonymized sync response containing peer configurations, routes, DNS settings, and firewall rules.
@@ -184,6 +186,20 @@ The ip_rules.txt file contains detailed IP routing rule information:
 The table format provides comprehensive visibility into the IP routing decision process, including how traffic is directed to different routing tables based on various criteria. This is valuable for troubleshooting advanced routing configurations and policy-based routing.

 For anonymized rules, IP addresses and prefixes are replaced as described above. Interface names are anonymized using string anonymization. Table names, actions, and other non-sensitive information remain unchanged.
+
+DNS Configuration
+The debug bundle includes platform-specific DNS configuration files:
+
+resolv.conf (Unix systems):
+- Contains DNS resolver configuration from /etc/resolv.conf
+- Includes nameserver entries, search domains, and resolver options
+- All IP addresses and domain names are anonymized following the same rules as other files
+
+scutil_dns.txt (macOS only):
+- Contains detailed DNS configuration from scutil --dns
+- Shows DNS configuration for all network interfaces
+- Includes search domains, nameservers, and DNS resolver settings
+- All IP addresses and domain names are anonymized
 `

 const (
@@ -357,6 +373,10 @@ func (g *BundleGenerator) addSystemInfo() {
 	if err := g.addFirewallRules(); err != nil {
 		log.Errorf("failed to add firewall rules to debug bundle: %v", err)
 	}
+
+	if err := g.addDNSInfo(); err != nil {
+		log.Errorf("failed to add DNS info to debug bundle: %v", err)
+	}
 }

 func (g *BundleGenerator) addReadme() error {
--- a/client/internal/debug/debug_darwin.go
+++ b/client/internal/debug/debug_darwin.go
@@ -0,0 +1,53 @@
+//go:build darwin && !ios
+
+package debug
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"os/exec"
+	"strings"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+)
+
+// addDNSInfo collects and adds DNS configuration information to the archive
+func (g *BundleGenerator) addDNSInfo() error {
+	if err := g.addResolvConf(); err != nil {
+		log.Errorf("failed to add resolv.conf: %v", err)
+	}
+
+	if err := g.addScutilDNS(); err != nil {
+		log.Errorf("failed to add scutil DNS output: %v", err)
+	}
+
+	return nil
+}
+
+func (g *BundleGenerator) addScutilDNS() error {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	cmd := exec.CommandContext(ctx, "scutil", "--dns")
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("execute scutil --dns: %w", err)
+	}
+
+	if len(bytes.TrimSpace(output)) == 0 {
+		return fmt.Errorf("no scutil DNS output")
+	}
+
+	content := string(output)
+	if g.anonymize {
+		content = g.anonymizer.AnonymizeString(content)
+	}
+
+	if err := g.addFileToZip(strings.NewReader(content), "scutil_dns.txt"); err != nil {
+		return fmt.Errorf("add scutil DNS output to zip: %w", err)
+	}
+
+	return nil
+}
--- a/client/internal/debug/debug_mobile.go
+++ b/client/internal/debug/debug_mobile.go
@@ -5,3 +5,7 @@ package debug
 func (g *BundleGenerator) addRoutes() error {
 	return nil
 }
+
+func (g *BundleGenerator) addDNSInfo() error {
+	return nil
+}
--- a/client/internal/debug/debug_nondarwin.go
+++ b/client/internal/debug/debug_nondarwin.go
@@ -0,0 +1,16 @@
+//go:build unix && !darwin && !android
+
+package debug
+
+import (
+	log "github.com/sirupsen/logrus"
+)
+
+// addDNSInfo collects and adds DNS configuration information to the archive
+func (g *BundleGenerator) addDNSInfo() error {
+	if err := g.addResolvConf(); err != nil {
+		log.Errorf("failed to add resolv.conf: %v", err)
+	}
+
+	return nil
+}
--- a/client/internal/debug/debug_nonunix.go
+++ b/client/internal/debug/debug_nonunix.go
@@ -0,0 +1,7 @@
+//go:build !unix
+
+package debug
+
+func (g *BundleGenerator) addDNSInfo() error {
+	return nil
+}
--- a/client/internal/debug/debug_unix.go
+++ b/client/internal/debug/debug_unix.go
@@ -0,0 +1,29 @@
+//go:build unix && !android
+
+package debug
+
+import (
+	"fmt"
+	"os"
+	"strings"
+)
+
+const resolvConfPath = "/etc/resolv.conf"
+
+func (g *BundleGenerator) addResolvConf() error {
+	data, err := os.ReadFile(resolvConfPath)
+	if err != nil {
+		return fmt.Errorf("read %s: %w", resolvConfPath, err)
+	}
+
+	content := string(data)
+	if g.anonymize {
+		content = g.anonymizer.AnonymizeString(content)
+	}
+
+	if err := g.addFileToZip(strings.NewReader(content), "resolv.conf"); err != nil {
+		return fmt.Errorf("add resolv.conf to zip: %w", err)
+	}
+
+	return nil
+}
--- a/client/internal/device_auth.go
+++ b/client/internal/device_auth.go
@@ -38,6 +38,8 @@ type DeviceAuthProviderConfig struct {
 	Scope string
 	// UseIDToken indicates if the id token should be used for authentication
 	UseIDToken bool
+	// LoginHint is used to pre-fill the email/username field during authentication
+	LoginHint string
 }

 // GetDeviceAuthorizationFlowInfo initialize a DeviceAuthorizationFlow instance and return with it
--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -65,8 +65,9 @@ type hostManagerWithOriginalNS interface {

 // DefaultServer dns server object
 type DefaultServer struct {
-	ctx       context.Context
-	ctxCancel context.CancelFunc
+	ctx        context.Context
+	ctxCancel  context.CancelFunc
+	shutdownWg sync.WaitGroup
 	// disableSys disables system DNS management (e.g., /etc/resolv.conf updates) while keeping the DNS service running.
 	// This is different from ServiceEnable=false from management which completely disables the DNS service.
 	disableSys         bool
@@ -318,6 +319,7 @@ func (s *DefaultServer) DnsIP() netip.Addr {
 // Stop stops the server
 func (s *DefaultServer) Stop() {
 	s.ctxCancel()
+	s.shutdownWg.Wait()

 	s.mux.Lock()
 	defer s.mux.Unlock()
@@ -507,8 +509,9 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {

 	s.applyHostConfig()

+	s.shutdownWg.Add(1)
 	go func() {
-		// persist dns state right away
+		defer s.shutdownWg.Done()
 		if err := s.stateManager.PersistState(s.ctx); err != nil {
 			log.Errorf("Failed to persist dns state: %v", err)
 		}
--- a/client/internal/dns/server_test.go
+++ b/client/internal/dns/server_test.go
@@ -335,7 +335,7 @@ func TestUpdateDNSServer(t *testing.T) {
 	for n, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
 			privKey, _ := wgtypes.GenerateKey()
-			newNet, err := stdnet.NewNet(nil)
+			newNet, err := stdnet.NewNet(context.Background(), nil)
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -434,7 +434,7 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 	defer t.Setenv("NB_WG_KERNEL_DISABLED", ov)

 	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
-	newNet, err := stdnet.NewNet([]string{"utun2301"})
+	newNet, err := stdnet.NewNet(context.Background(), []string{"utun2301"})
 	if err != nil {
 		t.Errorf("create stdnet: %v", err)
 		return
@@ -915,7 +915,7 @@ func createWgInterfaceWithBind(t *testing.T) (*iface.WGIface, error) {
 	defer t.Setenv("NB_WG_KERNEL_DISABLED", ov)

 	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
-	newNet, err := stdnet.NewNet([]string{"utun2301"})
+	newNet, err := stdnet.NewNet(context.Background(), []string{"utun2301"})
 	if err != nil {
 		t.Fatalf("create stdnet: %v", err)
 		return nil, err
@@ -944,7 +944,7 @@ func createWgInterfaceWithBind(t *testing.T) (*iface.WGIface, error) {
 		return nil, err
 	}

-	pf, err := uspfilter.Create(wgIface, false, flowLogger)
+	pf, err := uspfilter.Create(wgIface, false, flowLogger, iface.DefaultMTU)
 	if err != nil {
 		t.Fatalf("failed to create uspfilter: %v", err)
 		return nil, err
--- a/client/internal/dnsfwd/cache_test.go
+++ b/client/internal/dnsfwd/cache_test.go
@@ -83,4 +83,3 @@ func TestCacheMiss(t *testing.T) {
 		t.Fatalf("expected cache miss, got=%v ok=%v", got, ok)
 	}
 }
-
--- a/client/internal/dnsfwd/forwarder.go
+++ b/client/internal/dnsfwd/forwarder.go
@@ -14,6 +14,7 @@ import (
 	"github.com/hashicorp/go-multierror"
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/tun/netstack"

 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
@@ -33,7 +34,7 @@ type firewaller interface {
 }

 type DNSForwarder struct {
-	listenAddress  string
+	listenAddress  netip.AddrPort
 	ttl            uint32
 	statusRecorder *peer.Status

@@ -47,9 +48,11 @@ type DNSForwarder struct {
 	firewall   firewaller
 	resolver   resolver
 	cache      *cache
+
+	wgIface wgIface
 }

-func NewDNSForwarder(listenAddress string, ttl uint32, firewall firewaller, statusRecorder *peer.Status) *DNSForwarder {
+func NewDNSForwarder(listenAddress netip.AddrPort, ttl uint32, firewall firewaller, statusRecorder *peer.Status, wgIface wgIface) *DNSForwarder {
 	log.Debugf("creating DNS forwarder with listen_address=%s ttl=%d", listenAddress, ttl)
 	return &DNSForwarder{
 		listenAddress:  listenAddress,
@@ -58,30 +61,46 @@ func NewDNSForwarder(listenAddress string, ttl uint32, firewall firewaller, stat
 		statusRecorder: statusRecorder,
 		resolver:       net.DefaultResolver,
 		cache:          newCache(),
+		wgIface:        wgIface,
 	}
 }

 func (f *DNSForwarder) Listen(entries []*ForwarderEntry) error {
-	log.Infof("starting DNS forwarder on address=%s", f.listenAddress)
+	var netstackNet *netstack.Net
+	if f.wgIface != nil {
+		netstackNet = f.wgIface.GetNet()
+	}
+
+	addrDesc := f.listenAddress.String()
+	if netstackNet != nil {
+		addrDesc = fmt.Sprintf("netstack %s", f.listenAddress)
+	}
+	log.Infof("starting DNS forwarder on address=%s", addrDesc)
+
+	udpLn, err := f.createUDPListener(netstackNet)
+	if err != nil {
+		return fmt.Errorf("create UDP listener: %w", err)
+	}
+
+	tcpLn, err := f.createTCPListener(netstackNet)
+	if err != nil {
+		return fmt.Errorf("create TCP listener: %w", err)
+	}

-	// UDP server
 	mux := dns.NewServeMux()
 	f.mux = mux
 	mux.HandleFunc(".", f.handleDNSQueryUDP)
 	f.dnsServer = &dns.Server{
-		Addr:    f.listenAddress,
-		Net:     "udp",
-		Handler: mux,
+		PacketConn: udpLn,
+		Handler:    mux,
 	}

-	// TCP server
 	tcpMux := dns.NewServeMux()
 	f.tcpMux = tcpMux
 	tcpMux.HandleFunc(".", f.handleDNSQueryTCP)
 	f.tcpServer = &dns.Server{
-		Addr:    f.listenAddress,
-		Net:     "tcp",
-		Handler: tcpMux,
+		Listener: tcpLn,
+		Handler:  tcpMux,
 	}

 	f.UpdateDomains(entries)
@@ -89,18 +108,33 @@ func (f *DNSForwarder) Listen(entries []*ForwarderEntry) error {
 	errCh := make(chan error, 2)

 	go func() {
-		log.Infof("DNS UDP listener running on %s", f.listenAddress)
-		errCh <- f.dnsServer.ListenAndServe()
+		log.Infof("DNS UDP listener running on %s", addrDesc)
+		errCh <- f.dnsServer.ActivateAndServe()
 	}()
 	go func() {
-		log.Infof("DNS TCP listener running on %s", f.listenAddress)
-		errCh <- f.tcpServer.ListenAndServe()
+		log.Infof("DNS TCP listener running on %s", addrDesc)
+		errCh <- f.tcpServer.ActivateAndServe()
 	}()

-	// return the first error we get (e.g. bind failure or shutdown)
 	return <-errCh
 }

+func (f *DNSForwarder) createUDPListener(netstackNet *netstack.Net) (net.PacketConn, error) {
+	if netstackNet != nil {
+		return netstackNet.ListenUDPAddrPort(f.listenAddress)
+	}
+
+	return net.ListenUDP("udp", net.UDPAddrFromAddrPort(f.listenAddress))
+}
+
+func (f *DNSForwarder) createTCPListener(netstackNet *netstack.Net) (net.Listener, error) {
+	if netstackNet != nil {
+		return netstackNet.ListenTCPAddrPort(f.listenAddress)
+	}
+
+	return net.ListenTCP("tcp", net.TCPAddrFromAddrPort(f.listenAddress))
+}
+
 func (f *DNSForwarder) UpdateDomains(entries []*ForwarderEntry) {
 	f.mutex.Lock()
 	defer f.mutex.Unlock()
--- a/client/internal/dnsfwd/forwarder_test.go
+++ b/client/internal/dnsfwd/forwarder_test.go
@@ -297,7 +297,7 @@ func TestDNSForwarder_UnauthorizedDomainAccess(t *testing.T) {
 				mockResolver.On("LookupNetIP", mock.Anything, "ip4", dns.Fqdn(tt.queryDomain)).Return([]netip.Addr{fakeIP}, nil)
 			}

-			forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
+			forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, mockFirewall, &peer.Status{}, nil)
 			forwarder.resolver = mockResolver

 			d, err := domain.FromString(tt.configuredDomain)
@@ -402,7 +402,7 @@ func TestDNSForwarder_FirewallSetUpdates(t *testing.T) {
 			mockResolver := &MockResolver{}

 			// Set up forwarder
-			forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
+			forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, mockFirewall, &peer.Status{}, nil)
 			forwarder.resolver = mockResolver

 			// Create entries and track sets
@@ -489,7 +489,7 @@ func TestDNSForwarder_MultipleIPsInSingleUpdate(t *testing.T) {
 	mockFirewall := &MockFirewall{}
 	mockResolver := &MockResolver{}

-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
+	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, mockFirewall, &peer.Status{}, nil)
 	forwarder.resolver = mockResolver

 	// Configure a single domain
@@ -584,7 +584,7 @@ func TestDNSForwarder_ResponseCodes(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
+			forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, nil, &peer.Status{}, nil)

 			d, err := domain.FromString(tt.configured)
 			require.NoError(t, err)
@@ -616,7 +616,7 @@ func TestDNSForwarder_ResponseCodes(t *testing.T) {
 func TestDNSForwarder_TCPTruncation(t *testing.T) {
 	// Test that large UDP responses are truncated with TC bit set
 	mockResolver := &MockResolver{}
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
+	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, nil, &peer.Status{}, nil)
 	forwarder.resolver = mockResolver

 	d, _ := domain.FromString("example.com")
@@ -652,7 +652,7 @@ func TestDNSForwarder_TCPTruncation(t *testing.T) {
 // a subsequent upstream failure still returns a successful response from cache.
 func TestDNSForwarder_ServeFromCacheOnUpstreamFailure(t *testing.T) {
 	mockResolver := &MockResolver{}
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
+	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, nil, &peer.Status{}, nil)
 	forwarder.resolver = mockResolver

 	d, err := domain.FromString("example.com")
@@ -696,7 +696,7 @@ func TestDNSForwarder_ServeFromCacheOnUpstreamFailure(t *testing.T) {
 // Verifies that cache normalization works across casing and trailing dot variations.
 func TestDNSForwarder_CacheNormalizationCasingAndDot(t *testing.T) {
 	mockResolver := &MockResolver{}
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
+	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, nil, &peer.Status{}, nil)
 	forwarder.resolver = mockResolver

 	d, err := domain.FromString("ExAmPlE.CoM")
@@ -742,7 +742,7 @@ func TestDNSForwarder_MultipleOverlappingPatterns(t *testing.T) {
 	mockFirewall := &MockFirewall{}
 	mockResolver := &MockResolver{}

-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
+	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, mockFirewall, &peer.Status{}, nil)
 	forwarder.resolver = mockResolver

 	// Set up complex overlapping patterns
@@ -804,7 +804,7 @@ func TestDNSForwarder_NodataVsNxdomain(t *testing.T) {
 	mockFirewall := &MockFirewall{}
 	mockResolver := &MockResolver{}

-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
+	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, mockFirewall, &peer.Status{}, nil)
 	forwarder.resolver = mockResolver

 	d, err := domain.FromString("example.com")
@@ -925,7 +925,7 @@ func TestDNSForwarder_NodataVsNxdomain(t *testing.T) {

 func TestDNSForwarder_EmptyQuery(t *testing.T) {
 	// Test handling of malformed query with no questions
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
+	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, nil, &peer.Status{}, nil)

 	query := &dns.Msg{}
 	// Don't set any question
--- a/client/internal/dnsfwd/manager.go
+++ b/client/internal/dnsfwd/manager.go
@@ -10,9 +10,12 @@ import (

 	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/tun/netstack"

 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/iface/wgaddr"
+	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/route"
@@ -24,6 +27,12 @@ const (
 	envServerPort = "NB_DNS_FORWARDER_PORT"
 )

+// wgIface defines the interface for WireGuard interface operations needed by the DNS forwarder.
+type wgIface interface {
+	GetNet() *netstack.Net
+	Address() wgaddr.Address
+}
+
 // ForwarderEntry is a mapping from a domain to a resource ID and a hash of the parent domain list.
 type ForwarderEntry struct {
 	Domain domain.Domain
@@ -34,7 +43,7 @@ type ForwarderEntry struct {
 type Manager struct {
 	firewall       firewall.Manager
 	statusRecorder *peer.Status
-	localAddr      netip.Addr
+	wgIface        wgIface
 	serverPort     uint16

 	fwRules      []firewall.Rule
@@ -42,7 +51,7 @@ type Manager struct {
 	dnsForwarder *DNSForwarder
 }

-func NewManager(fw firewall.Manager, statusRecorder *peer.Status, localAddr netip.Addr) *Manager {
+func NewManager(fw firewall.Manager, statusRecorder *peer.Status, wgIface wgIface) *Manager {
 	serverPort := nbdns.ForwarderServerPort
 	if envPort := os.Getenv(envServerPort); envPort != "" {
 		if port, err := strconv.ParseUint(envPort, 10, 16); err == nil && port > 0 {
@@ -56,7 +65,7 @@ func NewManager(fw firewall.Manager, statusRecorder *peer.Status, localAddr neti
 	return &Manager{
 		firewall:       fw,
 		statusRecorder: statusRecorder,
-		localAddr:      localAddr,
+		wgIface:        wgIface,
 		serverPort:     serverPort,
 	}
 }
@@ -71,21 +80,25 @@ func (m *Manager) Start(fwdEntries []*ForwarderEntry) error {
 		return err
 	}

-	if m.localAddr.IsValid() && m.firewall != nil {
-		if err := m.firewall.AddInboundDNAT(m.localAddr, firewall.ProtocolUDP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
+	localAddr := m.wgIface.Address().IP
+
+	if localAddr.IsValid() && m.firewall != nil {
+		if err := m.firewall.AddInboundDNAT(localAddr, firewall.ProtocolUDP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
 			log.Warnf("failed to add DNS UDP DNAT rule: %v", err)
 		} else {
-			log.Infof("added DNS UDP DNAT rule: %s:%d -> %s:%d", m.localAddr, nbdns.ForwarderClientPort, m.localAddr, m.serverPort)
+			log.Infof("added DNS UDP DNAT rule: %s:%d -> %s:%d", localAddr, nbdns.ForwarderClientPort, localAddr, m.serverPort)
 		}

-		if err := m.firewall.AddInboundDNAT(m.localAddr, firewall.ProtocolTCP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
+		if err := m.firewall.AddInboundDNAT(localAddr, firewall.ProtocolTCP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
 			log.Warnf("failed to add DNS TCP DNAT rule: %v", err)
 		} else {
-			log.Infof("added DNS TCP DNAT rule: %s:%d -> %s:%d", m.localAddr, nbdns.ForwarderClientPort, m.localAddr, m.serverPort)
+			log.Infof("added DNS TCP DNAT rule: %s:%d -> %s:%d", localAddr, nbdns.ForwarderClientPort, localAddr, m.serverPort)
 		}
 	}

-	m.dnsForwarder = NewDNSForwarder(fmt.Sprintf(":%d", m.serverPort), dnsTTL, m.firewall, m.statusRecorder)
+	listenAddress := netip.AddrPortFrom(localAddr, m.serverPort)
+	m.dnsForwarder = NewDNSForwarder(listenAddress, dnsTTL, m.firewall, m.statusRecorder, m.wgIface)
+
 	go func() {
 		if err := m.dnsForwarder.Listen(fwdEntries); err != nil {
 			// todo handle close error if it is exists
@@ -111,16 +124,19 @@ func (m *Manager) Stop(ctx context.Context) error {

 	var mErr *multierror.Error

-	if m.localAddr.IsValid() && m.firewall != nil {
-		if err := m.firewall.RemoveInboundDNAT(m.localAddr, firewall.ProtocolUDP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
+	localAddr := m.wgIface.Address().IP
+	if localAddr.IsValid() && m.firewall != nil {
+		if err := m.firewall.RemoveInboundDNAT(localAddr, firewall.ProtocolUDP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
 			mErr = multierror.Append(mErr, fmt.Errorf("remove DNS UDP DNAT rule: %w", err))
 		}

-		if err := m.firewall.RemoveInboundDNAT(m.localAddr, firewall.ProtocolTCP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
+		if err := m.firewall.RemoveInboundDNAT(localAddr, firewall.ProtocolTCP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
 			mErr = multierror.Append(mErr, fmt.Errorf("remove DNS TCP DNAT rule: %w", err))
 		}
 	}

+	m.unregisterNetstackServices()
+
 	if err := m.dropDNSFirewall(); err != nil {
 		mErr = multierror.Append(mErr, err)
 	}
@@ -145,21 +161,50 @@ func (m *Manager) allowDNSFirewall() error {

 	dnsRules, err := m.firewall.AddPeerFiltering(nil, net.IP{0, 0, 0, 0}, firewall.ProtocolUDP, nil, dport, firewall.ActionAccept, "")
 	if err != nil {
-		log.Errorf("failed to add allow DNS router rules, err: %v", err)
-		return err
+		return fmt.Errorf("add udp firewall rule: %w", err)
 	}
-	m.fwRules = dnsRules

 	tcpRules, err := m.firewall.AddPeerFiltering(nil, net.IP{0, 0, 0, 0}, firewall.ProtocolTCP, nil, dport, firewall.ActionAccept, "")
 	if err != nil {
-		log.Errorf("failed to add allow DNS router rules, err: %v", err)
-		return err
+		return fmt.Errorf("add tcp firewall rule: %w", err)
 	}
+
+	if err := m.firewall.Flush(); err != nil {
+		return fmt.Errorf("flush: %w", err)
+	}
+
+	m.fwRules = dnsRules
 	m.tcpRules = tcpRules

+	m.registerNetstackServices()
+
 	return nil
 }

+func (m *Manager) registerNetstackServices() {
+	if netstackNet := m.wgIface.GetNet(); netstackNet != nil {
+		if registrar, ok := m.firewall.(interface {
+			RegisterNetstackService(protocol nftypes.Protocol, port uint16)
+		}); ok {
+			registrar.RegisterNetstackService(nftypes.TCP, m.serverPort)
+			registrar.RegisterNetstackService(nftypes.UDP, m.serverPort)
+			log.Debugf("registered DNS forwarder service with netstack for UDP/TCP:%d", m.serverPort)
+		}
+	}
+}
+
+func (m *Manager) unregisterNetstackServices() {
+	if netstackNet := m.wgIface.GetNet(); netstackNet != nil {
+		if registrar, ok := m.firewall.(interface {
+			UnregisterNetstackService(protocol nftypes.Protocol, port uint16)
+		}); ok {
+			registrar.UnregisterNetstackService(nftypes.TCP, m.serverPort)
+			registrar.UnregisterNetstackService(nftypes.UDP, m.serverPort)
+			log.Debugf("unregistered DNS forwarder service with netstack for UDP/TCP:%d", m.serverPort)
+		}
+	}
+}
+
 func (m *Manager) dropDNSFirewall() error {
 	var mErr *multierror.Error
 	for _, rule := range m.fwRules {
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -148,6 +148,8 @@ type Engine struct {

 	// syncMsgMux is used to guarantee sequential Management Service message processing
 	syncMsgMux *sync.Mutex
+	// sshMux protects sshServer field access
+	sshMux sync.Mutex

 	config    *EngineConfig
 	mobileDep MobileDependency
@@ -200,8 +202,10 @@ type Engine struct {
 	flowManager         nftypes.FlowManager

 	// WireGuard interface monitor
-	wgIfaceMonitor   *WGIfaceMonitor
-	wgIfaceMonitorWg sync.WaitGroup
+	wgIfaceMonitor *WGIfaceMonitor
+
+	// shutdownWg tracks all long-running goroutines to ensure clean shutdown
+	shutdownWg sync.WaitGroup

 	probeStunTurn *relay.StunTurnProbe
 }
@@ -288,9 +292,6 @@ func (e *Engine) Stop() error {
 	}
 	log.Info("Network monitor: stopped")

-	// stop/restore DNS first so dbus and friends don't complain because of a missing interface
-	e.stopDNSServer()
-
 	if e.ingressGatewayMgr != nil {
 		if err := e.ingressGatewayMgr.Close(); err != nil {
 			log.Warnf("failed to cleanup forward rules: %v", err)
@@ -298,17 +299,6 @@ func (e *Engine) Stop() error {
 		e.ingressGatewayMgr = nil
 	}

-	if e.routeManager != nil {
-		e.routeManager.Stop(e.stateManager)
-	}
-
-	if e.dnsForwardMgr != nil {
-		if err := e.dnsForwardMgr.Stop(context.Background()); err != nil {
-			log.Errorf("failed to stop DNS forward: %v", err)
-		}
-		e.dnsForwardMgr = nil
-	}
-
 	if e.srWatcher != nil {
 		e.srWatcher.Close()
 	}
@@ -321,14 +311,20 @@ func (e *Engine) Stop() error {
 		return fmt.Errorf("failed to remove all peers: %s", err)
 	}

+	if e.routeManager != nil {
+		e.routeManager.Stop(e.stateManager)
+	}
+
+	e.stopDNSForwarder()
+
+	// stop/restore DNS after peers are closed but before interface goes down
+	// so dbus and friends don't complain because of a missing interface
+	e.stopDNSServer()
+
 	if e.cancel != nil {
 		e.cancel()
 	}

-	// very ugly but we want to remove peers from the WireGuard interface first before removing interface.
-	// Removing peers happens in the conn.Close() asynchronously
-	time.Sleep(500 * time.Millisecond)
-
 	e.close()

 	// stop flow manager after wg interface is gone
@@ -336,8 +332,6 @@ func (e *Engine) Stop() error {
 		e.flowManager.Close()
 	}

-	log.Infof("stopped Netbird Engine")
-
 	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
 	defer cancel()

@@ -348,12 +342,52 @@ func (e *Engine) Stop() error {
 		log.Errorf("failed to persist state: %v", err)
 	}

-	// Stop WireGuard interface monitor and wait for it to exit
-	e.wgIfaceMonitorWg.Wait()
+	timeout := e.calculateShutdownTimeout()
+	log.Debugf("waiting for goroutines to finish with timeout: %v", timeout)
+	shutdownCtx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	if err := waitWithContext(shutdownCtx, &e.shutdownWg); err != nil {
+		log.Warnf("shutdown timeout exceeded after %v, some goroutines may still be running", timeout)
+	}
+
+	log.Infof("stopped Netbird Engine")

 	return nil
 }

+// calculateShutdownTimeout returns shutdown timeout: 10s base + 100ms per peer, capped at 30s.
+func (e *Engine) calculateShutdownTimeout() time.Duration {
+	peerCount := len(e.peerStore.PeersPubKey())
+
+	baseTimeout := 10 * time.Second
+	perPeerTimeout := time.Duration(peerCount) * 100 * time.Millisecond
+	timeout := baseTimeout + perPeerTimeout
+
+	maxTimeout := 30 * time.Second
+	if timeout > maxTimeout {
+		timeout = maxTimeout
+	}
+
+	return timeout
+}
+
+// waitWithContext waits for WaitGroup with timeout, returns ctx.Err() on timeout.
+func waitWithContext(ctx context.Context, wg *sync.WaitGroup) error {
+	done := make(chan struct{})
+	go func() {
+		wg.Wait()
+		close(done)
+	}()
+
+	select {
+	case <-done:
+		return nil
+	case <-ctx.Done():
+		return ctx.Err()
+	}
+}
+
 // Start creates a new WireGuard tunnel interface and listens to events from Signal and Management services
 // Connections to remote peers are not established here.
 // However, they will be established once an event with a list of peers to connect to will be received from Management Service
@@ -483,14 +517,14 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)

 	// monitor WireGuard interface lifecycle and restart engine on changes
 	e.wgIfaceMonitor = NewWGIfaceMonitor()
-	e.wgIfaceMonitorWg.Add(1)
+	e.shutdownWg.Add(1)

 	go func() {
-		defer e.wgIfaceMonitorWg.Done()
+		defer e.shutdownWg.Done()

 		if shouldRestart, err := e.wgIfaceMonitor.Start(e.ctx, e.wgInterface.Name()); shouldRestart {
 			log.Infof("WireGuard interface monitor: %s, restarting engine", err)
-			e.restartEngine()
+			e.triggerClientRestart()
 		} else if err != nil {
 			log.Warnf("WireGuard interface monitor: %s", err)
 		}
@@ -506,7 +540,7 @@ func (e *Engine) createFirewall() error {
 	}

 	var err error
-	e.firewall, err = firewall.NewFirewall(e.wgInterface, e.stateManager, e.flowManager.GetLogger(), e.config.DisableServerRoutes)
+	e.firewall, err = firewall.NewFirewall(e.wgInterface, e.stateManager, e.flowManager.GetLogger(), e.config.DisableServerRoutes, e.config.MTU)
 	if err != nil || e.firewall == nil {
 		log.Errorf("failed creating firewall manager: %s", err)
 		return nil
@@ -674,9 +708,11 @@ func (e *Engine) removeAllPeers() error {
 func (e *Engine) removePeer(peerKey string) error {
 	log.Debugf("removing peer from engine %s", peerKey)

+	e.sshMux.Lock()
 	if !isNil(e.sshServer) {
 		e.sshServer.RemoveAuthorizedKey(peerKey)
 	}
+	e.sshMux.Unlock()

 	e.connMgr.RemovePeerConn(peerKey)

@@ -878,6 +914,7 @@ func (e *Engine) updateSSH(sshConf *mgmProto.SSHConfig) error {
 			log.Warnf("running SSH server on %s is not supported", runtime.GOOS)
 			return nil
 		}
+		e.sshMux.Lock()
 		// start SSH server if it wasn't running
 		if isNil(e.sshServer) {
 			listenAddr := fmt.Sprintf("%s:%d", e.wgInterface.Address().IP.String(), nbssh.DefaultSSHPort)
@@ -885,34 +922,42 @@ func (e *Engine) updateSSH(sshConf *mgmProto.SSHConfig) error {
 				listenAddr = fmt.Sprintf("127.0.0.1:%d", nbssh.DefaultSSHPort)
 			}
 			// nil sshServer means it has not yet been started
-			var err error
-			e.sshServer, err = e.sshServerFunc(e.config.SSHKey, listenAddr)
-
+			server, err := e.sshServerFunc(e.config.SSHKey, listenAddr)
 			if err != nil {
+				e.sshMux.Unlock()
 				return fmt.Errorf("create ssh server: %w", err)
 			}
+
+			e.sshServer = server
+			e.sshMux.Unlock()
+
 			go func() {
 				// blocking
-				err = e.sshServer.Start()
+				err = server.Start()
 				if err != nil {
 					// will throw error when we stop it even if it is a graceful stop
 					log.Debugf("stopped SSH server with error %v", err)
 				}
-				e.syncMsgMux.Lock()
-				defer e.syncMsgMux.Unlock()
+				e.sshMux.Lock()
 				e.sshServer = nil
+				e.sshMux.Unlock()
 				log.Infof("stopped SSH server")
 			}()
 		} else {
+			e.sshMux.Unlock()
 			log.Debugf("SSH server is already running")
 		}
-	} else if !isNil(e.sshServer) {
-		// Disable SSH server request, so stop it if it was running
-		err := e.sshServer.Stop()
-		if err != nil {
-			log.Warnf("failed to stop SSH server %v", err)
+	} else {
+		e.sshMux.Lock()
+		if !isNil(e.sshServer) {
+			// Disable SSH server request, so stop it if it was running
+			err := e.sshServer.Stop()
+			if err != nil {
+				log.Warnf("failed to stop SSH server %v", err)
+			}
+			e.sshServer = nil
 		}
-		e.sshServer = nil
+		e.sshMux.Unlock()
 	}
 	return nil
 }
@@ -949,7 +994,9 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 // receiveManagementEvents connects to the Management Service event stream to receive updates from the management service
 // E.g. when a new peer has been registered and we are allowed to connect to it.
 func (e *Engine) receiveManagementEvents() {
+	e.shutdownWg.Add(1)
 	go func() {
+		defer e.shutdownWg.Done()
 		info, err := system.GetInfoWithChecks(e.ctx, e.checks)
 		if err != nil {
 			log.Warnf("failed to get system info with checks: %v", err)
@@ -1125,6 +1172,7 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		e.statusRecorder.FinishPeerListModifications()

 		// update SSHServer by adding remote peer SSH keys
+		e.sshMux.Lock()
 		if !isNil(e.sshServer) {
 			for _, config := range networkMap.GetRemotePeers() {
 				if config.GetSshConfig() != nil && config.GetSshConfig().GetSshPubKey() != nil {
@@ -1135,6 +1183,7 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 				}
 			}
 		}
+		e.sshMux.Unlock()
 	}

 	// must set the exclude list after the peers are added. Without it the manager can not figure out the peers parameters from the store
@@ -1377,7 +1426,9 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs []netip.Prefix, agentV

 // receiveSignalEvents connects to the Signal Service event stream to negotiate connection with remote peers
 func (e *Engine) receiveSignalEvents() {
+	e.shutdownWg.Add(1)
 	go func() {
+		defer e.shutdownWg.Done()
 		// connect to a stream of messages coming from the signal server
 		err := e.signal.Receive(e.ctx, func(msg *sProto.Message) error {
 			e.syncMsgMux.Lock()
@@ -1494,12 +1545,14 @@ func (e *Engine) close() {
 		e.statusRecorder.SetWgIface(nil)
 	}

+	e.sshMux.Lock()
 	if !isNil(e.sshServer) {
 		err := e.sshServer.Stop()
 		if err != nil {
 			log.Warnf("failed stopping the SSH server: %v", err)
 		}
 	}
+	e.sshMux.Unlock()

 	if e.firewall != nil {
 		err := e.firewall.Close(e.stateManager)
@@ -1730,8 +1783,10 @@ func (e *Engine) RunHealthProbes(waitForResult bool) bool {
 	return allHealthy
 }

-// restartEngine restarts the engine by cancelling the client context
-func (e *Engine) restartEngine() {
+// triggerClientRestart triggers a full client restart by cancelling the client context.
+// Note: This does NOT just restart the engine - it cancels the entire client context,
+// which causes the connect client's retry loop to create a completely new engine.
+func (e *Engine) triggerClientRestart() {
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()

@@ -1753,7 +1808,9 @@ func (e *Engine) startNetworkMonitor() {
 	}

 	e.networkMonitor = networkmonitor.New()
+	e.shutdownWg.Add(1)
 	go func() {
+		defer e.shutdownWg.Done()
 		if err := e.networkMonitor.Listen(e.ctx); err != nil {
 			if errors.Is(err, context.Canceled) {
 				log.Infof("network monitor stopped")
@@ -1763,8 +1820,8 @@ func (e *Engine) startNetworkMonitor() {
 			return
 		}

-		log.Infof("Network monitor: detected network change, restarting engine")
-		e.restartEngine()
+		log.Infof("Network monitor: detected network change, triggering client restart")
+		e.triggerClientRestart()
 	}()
 }

@@ -1855,38 +1912,46 @@ func (e *Engine) updateDNSForwarder(
 	}

 	if !enabled {
-		if e.dnsForwardMgr == nil {
-			return
-		}
-		if err := e.dnsForwardMgr.Stop(context.Background()); err != nil {
-			log.Errorf("failed to stop DNS forward: %v", err)
-		}
+		e.stopDNSForwarder()
 		return
 	}

 	if len(fwdEntries) > 0 {
 		if e.dnsForwardMgr == nil {
-			localAddr := e.wgInterface.Address().IP
-			e.dnsForwardMgr = dnsfwd.NewManager(e.firewall, e.statusRecorder, localAddr)
-
-			if err := e.dnsForwardMgr.Start(fwdEntries); err != nil {
-				log.Errorf("failed to start DNS forward: %v", err)
-				e.dnsForwardMgr = nil
-			}
-
-			log.Infof("started domain router service with %d entries", len(fwdEntries))
+			e.startDNSForwarder(fwdEntries)
 		} else {
 			e.dnsForwardMgr.UpdateDomains(fwdEntries)
 		}
 	} else if e.dnsForwardMgr != nil {
 		log.Infof("disable domain router service")
-		if err := e.dnsForwardMgr.Stop(context.Background()); err != nil {
-			log.Errorf("failed to stop DNS forward: %v", err)
-		}
-		e.dnsForwardMgr = nil
+		e.stopDNSForwarder()
 	}
 }

+func (e *Engine) startDNSForwarder(fwdEntries []*dnsfwd.ForwarderEntry) {
+	e.dnsForwardMgr = dnsfwd.NewManager(e.firewall, e.statusRecorder, e.wgInterface)
+
+	if err := e.dnsForwardMgr.Start(fwdEntries); err != nil {
+		log.Errorf("failed to start DNS forward: %v", err)
+		e.dnsForwardMgr = nil
+		return
+	}
+
+	log.Infof("started domain router service with %d entries", len(fwdEntries))
+}
+
+func (e *Engine) stopDNSForwarder() {
+	if e.dnsForwardMgr == nil {
+		return
+	}
+
+	if err := e.dnsForwardMgr.Stop(context.Background()); err != nil {
+		log.Errorf("failed to stop DNS forward: %v", err)
+	}
+
+	e.dnsForwardMgr = nil
+}
+
 func (e *Engine) GetNet() (*netstack.Net, error) {
 	e.syncMsgMux.Lock()
 	intf := e.wgInterface
--- a/client/internal/engine_stdnet.go
+++ b/client/internal/engine_stdnet.go
@@ -7,5 +7,5 @@ import (
 )

 func (e *Engine) newStdNet() (*stdnet.Net, error) {
-	return stdnet.NewNet(e.config.IFaceBlackList)
+	return stdnet.NewNet(e.clientCtx, e.config.IFaceBlackList)
 }
--- a/client/internal/engine_stdnet_android.go
+++ b/client/internal/engine_stdnet_android.go
@@ -3,5 +3,5 @@ package internal
 import "github.com/netbirdio/netbird/client/internal/stdnet"

 func (e *Engine) newStdNet() (*stdnet.Net, error) {
-	return stdnet.NewNetWithDiscover(e.mobileDep.IFaceDiscover, e.config.IFaceBlackList)
+	return stdnet.NewNetWithDiscover(e.clientCtx, e.mobileDep.IFaceDiscover, e.config.IFaceBlackList)
 }
--- a/client/internal/engine_test.go
+++ b/client/internal/engine_test.go
@@ -14,7 +14,7 @@ import (

 	"github.com/golang/mock/gomock"
 	"github.com/google/uuid"
-	"github.com/pion/transport/v3/stdnet"
+	"github.com/netbirdio/netbird/client/internal/stdnet"
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -26,6 +26,9 @@ import (
 	"google.golang.org/grpc/keepalive"

 	"github.com/netbirdio/management-integrations/integrations"
+	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
+	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
+	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"

 	"github.com/netbirdio/netbird/management/internals/server/config"
 	"github.com/netbirdio/netbird/management/server/groups"
@@ -771,7 +774,7 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 				MTU:          iface.DefaultMTU,
 			}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil)
 			engine.ctx = ctx
-			newNet, err := stdnet.NewNet()
+			newNet, err := stdnet.NewNet(context.Background(), nil)
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -974,7 +977,7 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 			}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil)
 			engine.ctx = ctx

-			newNet, err := stdnet.NewNet()
+			newNet, err := stdnet.NewNet(context.Background(), nil)
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -1556,7 +1559,6 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 	}
 	t.Cleanup(cleanUp)

-	peersUpdateManager := server.NewPeersUpdateManager(nil)
 	eventStore := &activity.InMemoryEventStore{}
 	if err != nil {
 		return nil, "", err
@@ -1584,13 +1586,16 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri

 	groupsManager := groups.NewManagerMock()

-	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
+	updateManager := update_channel.NewPeersUpdateManager(metrics)
+	requestBuffer := server.NewAccountRequestBuffer(context.Background(), store)
+	networkMapController := controller.NewController(context.Background(), store, metrics, updateManager, requestBuffer, server.MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock())
+	accountManager, err := server.BuildManager(context.Background(), store, networkMapController, nil, "", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
 	if err != nil {
 		return nil, "", err
 	}

-	secretsManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
-	mgmtServer, err := server.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, &manager.EphemeralManager{}, nil, &server.MockIntegratedValidator{})
+	secretsManager := nbgrpc.NewTimeBasedAuthSecretsManager(updateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, updateManager, secretsManager, nil, &manager.EphemeralManager{}, nil, &server.MockIntegratedValidator{}, networkMapController)
 	if err != nil {
 		return nil, "", err
 	}
--- a/client/internal/netflow/manager.go
+++ b/client/internal/netflow/manager.go
@@ -24,6 +24,7 @@ import (
 // Manager handles netflow tracking and logging
 type Manager struct {
 	mux            sync.Mutex
+	shutdownWg     sync.WaitGroup
 	logger         nftypes.FlowLogger
 	flowConfig     *nftypes.FlowConfig
 	conntrack      nftypes.ConnTracker
@@ -105,8 +106,15 @@ func (m *Manager) resetClient() error {
 	ctx, cancel := context.WithCancel(context.Background())
 	m.cancel = cancel

-	go m.receiveACKs(ctx, flowClient)
-	go m.startSender(ctx)
+	m.shutdownWg.Add(2)
+	go func() {
+		defer m.shutdownWg.Done()
+		m.receiveACKs(ctx, flowClient)
+	}()
+	go func() {
+		defer m.shutdownWg.Done()
+		m.startSender(ctx)
+	}()

 	return nil
 }
@@ -176,11 +184,12 @@ func (m *Manager) Update(update *nftypes.FlowConfig) error {
 // Close cleans up all resources
 func (m *Manager) Close() {
 	m.mux.Lock()
-	defer m.mux.Unlock()
-
 	if err := m.disableFlow(); err != nil {
 		log.Warnf("failed to disable flow manager: %v", err)
 	}
+	m.mux.Unlock()
+
+	m.shutdownWg.Wait()
 }

 // GetLogger returns the flow logger
--- a/client/internal/networkmonitor/check_change_bsd.go
+++ b/client/internal/networkmonitor/check_change_bsd.go
@@ -1,4 +1,4 @@
-//go:build (darwin && !ios) || dragonfly || freebsd || netbsd || openbsd
+//go:build dragonfly || freebsd || netbsd || openbsd

 package networkmonitor

@@ -6,21 +6,19 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"syscall"
-	"unsafe"

 	log "github.com/sirupsen/logrus"
-	"golang.org/x/net/route"
 	"golang.org/x/sys/unix"

 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 )

 func checkChange(ctx context.Context, nexthopv4, nexthopv6 systemops.Nexthop) error {
-	fd, err := unix.Socket(syscall.AF_ROUTE, syscall.SOCK_RAW, syscall.AF_UNSPEC)
+	fd, err := prepareFd()
 	if err != nil {
 		return fmt.Errorf("open routing socket: %v", err)
 	}
+
 	defer func() {
 		err := unix.Close(fd)
 		if err != nil && !errors.Is(err, unix.EBADF) {
@@ -28,72 +26,5 @@ func checkChange(ctx context.Context, nexthopv4, nexthopv6 systemops.Nexthop) er
 		}
 	}()

-	for {
-		select {
-		case <-ctx.Done():
-			return ctx.Err()
-		default:
-			buf := make([]byte, 2048)
-			n, err := unix.Read(fd, buf)
-			if err != nil {
-				if !errors.Is(err, unix.EBADF) && !errors.Is(err, unix.EINVAL) {
-					log.Warnf("Network monitor: failed to read from routing socket: %v", err)
-				}
-				continue
-			}
-			if n < unix.SizeofRtMsghdr {
-				log.Debugf("Network monitor: read from routing socket returned less than expected: %d bytes", n)
-				continue
-			}
-
-			msg := (*unix.RtMsghdr)(unsafe.Pointer(&buf[0]))
-
-			switch msg.Type {
-			// handle route changes
-			case unix.RTM_ADD, syscall.RTM_DELETE:
-				route, err := parseRouteMessage(buf[:n])
-				if err != nil {
-					log.Debugf("Network monitor: error parsing routing message: %v", err)
-					continue
-				}
-
-				if route.Dst.Bits() != 0 {
-					continue
-				}
-
-				intf := "<nil>"
-				if route.Interface != nil {
-					intf = route.Interface.Name
-				}
-				switch msg.Type {
-				case unix.RTM_ADD:
-					log.Infof("Network monitor: default route changed: via %s, interface %s", route.Gw, intf)
-					return nil
-				case unix.RTM_DELETE:
-					if nexthopv4.Intf != nil && route.Gw.Compare(nexthopv4.IP) == 0 || nexthopv6.Intf != nil && route.Gw.Compare(nexthopv6.IP) == 0 {
-						log.Infof("Network monitor: default route removed: via %s, interface %s", route.Gw, intf)
-						return nil
-					}
-				}
-			}
-		}
-	}
-}
-
-func parseRouteMessage(buf []byte) (*systemops.Route, error) {
-	msgs, err := route.ParseRIB(route.RIBTypeRoute, buf)
-	if err != nil {
-		return nil, fmt.Errorf("parse RIB: %v", err)
-	}
-
-	if len(msgs) != 1 {
-		return nil, fmt.Errorf("unexpected RIB message msgs: %v", msgs)
-	}
-
-	msg, ok := msgs[0].(*route.RouteMessage)
-	if !ok {
-		return nil, fmt.Errorf("unexpected RIB message type: %T", msgs[0])
-	}
-
-	return systemops.MsgToRoute(msg)
+	return routeCheck(ctx, fd, nexthopv4, nexthopv6)
 }
--- a/client/internal/networkmonitor/check_change_common.go
+++ b/client/internal/networkmonitor/check_change_common.go
@@ -0,0 +1,92 @@
+//go:build dragonfly || freebsd || netbsd || openbsd || darwin
+
+package networkmonitor
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"syscall"
+	"unsafe"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/net/route"
+	"golang.org/x/sys/unix"
+
+	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
+)
+
+func prepareFd() (int, error) {
+	return unix.Socket(syscall.AF_ROUTE, syscall.SOCK_RAW, syscall.AF_UNSPEC)
+}
+
+func routeCheck(ctx context.Context, fd int, nexthopv4, nexthopv6 systemops.Nexthop) error {
+	for {
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		default:
+			buf := make([]byte, 2048)
+			n, err := unix.Read(fd, buf)
+			if err != nil {
+				if !errors.Is(err, unix.EBADF) && !errors.Is(err, unix.EINVAL) {
+					log.Warnf("Network monitor: failed to read from routing socket: %v", err)
+				}
+				continue
+			}
+			if n < unix.SizeofRtMsghdr {
+				log.Debugf("Network monitor: read from routing socket returned less than expected: %d bytes", n)
+				continue
+			}
+
+			msg := (*unix.RtMsghdr)(unsafe.Pointer(&buf[0]))
+
+			switch msg.Type {
+			// handle route changes
+			case unix.RTM_ADD, syscall.RTM_DELETE:
+				route, err := parseRouteMessage(buf[:n])
+				if err != nil {
+					log.Debugf("Network monitor: error parsing routing message: %v", err)
+					continue
+				}
+
+				if route.Dst.Bits() != 0 {
+					continue
+				}
+
+				intf := "<nil>"
+				if route.Interface != nil {
+					intf = route.Interface.Name
+				}
+				switch msg.Type {
+				case unix.RTM_ADD:
+					log.Infof("Network monitor: default route changed: via %s, interface %s", route.Gw, intf)
+					return nil
+				case unix.RTM_DELETE:
+					if nexthopv4.Intf != nil && route.Gw.Compare(nexthopv4.IP) == 0 || nexthopv6.Intf != nil && route.Gw.Compare(nexthopv6.IP) == 0 {
+						log.Infof("Network monitor: default route removed: via %s, interface %s", route.Gw, intf)
+						return nil
+					}
+				}
+			}
+		}
+	}
+}
+
+func parseRouteMessage(buf []byte) (*systemops.Route, error) {
+	msgs, err := route.ParseRIB(route.RIBTypeRoute, buf)
+	if err != nil {
+		return nil, fmt.Errorf("parse RIB: %v", err)
+	}
+
+	if len(msgs) != 1 {
+		return nil, fmt.Errorf("unexpected RIB message msgs: %v", msgs)
+	}
+
+	msg, ok := msgs[0].(*route.RouteMessage)
+	if !ok {
+		return nil, fmt.Errorf("unexpected RIB message type: %T", msgs[0])
+	}
+
+	return systemops.MsgToRoute(msg)
+}
--- a/client/internal/networkmonitor/check_change_darwin.go
+++ b/client/internal/networkmonitor/check_change_darwin.go
@@ -0,0 +1,149 @@
+//go:build darwin && !ios
+
+package networkmonitor
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"hash/fnv"
+	"os/exec"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+
+	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
+)
+
+// todo: refactor to not use static functions
+
+func checkChange(ctx context.Context, nexthopv4, nexthopv6 systemops.Nexthop) error {
+	fd, err := prepareFd()
+	if err != nil {
+		return fmt.Errorf("open routing socket: %v", err)
+	}
+
+	defer func() {
+		if err := unix.Close(fd); err != nil {
+			if !errors.Is(err, unix.EBADF) {
+				log.Warnf("Network monitor: failed to close routing socket: %v", err)
+			}
+		}
+	}()
+
+	routeChanged := make(chan struct{})
+	go func() {
+		_ = routeCheck(ctx, fd, nexthopv4, nexthopv6)
+		close(routeChanged)
+	}()
+
+	wakeUp := make(chan struct{})
+	go func() {
+		wakeUpListen(ctx)
+		close(wakeUp)
+	}()
+
+	select {
+	case <-ctx.Done():
+		return ctx.Err()
+	case <-routeChanged:
+		if ctx.Err() != nil {
+			return ctx.Err()
+		}
+		log.Infof("route change detected")
+		return nil
+	case <-wakeUp:
+		if ctx.Err() != nil {
+			return ctx.Err()
+		}
+		log.Infof("wakeup detected")
+		return nil
+	}
+}
+
+func wakeUpListen(ctx context.Context) {
+	log.Infof("start to watch for system wakeups")
+	var (
+		initialHash uint32
+		err         error
+	)
+
+	// Keep retrying until initial sysctl succeeds or context is canceled
+	for {
+		select {
+		case <-ctx.Done():
+			log.Info("exit from wakeUpListen initial hash detection due to context cancellation")
+			return
+		default:
+			initialHash, err = readSleepTimeHash()
+			if err != nil {
+				log.Errorf("failed to detect initial sleep time: %v", err)
+				select {
+				case <-ctx.Done():
+					log.Info("exit from wakeUpListen initial hash detection due to context cancellation")
+					return
+				case <-time.After(3 * time.Second):
+					continue
+				}
+			}
+			log.Debugf("initial wakeup hash: %d", initialHash)
+			break
+		}
+		break
+	}
+
+	ticker := time.NewTicker(5 * time.Second)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			log.Info("context canceled, stopping wakeUpListen")
+			return
+
+		case <-ticker.C:
+			newHash, err := readSleepTimeHash()
+			if err != nil {
+				log.Errorf("failed to read sleep time hash: %v", err)
+				continue
+			}
+
+			if newHash == initialHash {
+				log.Tracef("no wakeup detected")
+				continue
+			}
+
+			upOut, err := exec.Command("uptime").Output()
+			if err != nil {
+				log.Errorf("failed to run uptime command: %v", err)
+				upOut = []byte("unknown")
+			}
+			log.Infof("Wakeup detected: %d -> %d, uptime: %s", initialHash, newHash, upOut)
+			return
+		}
+	}
+}
+
+func readSleepTimeHash() (uint32, error) {
+	cmd := exec.Command("sysctl", "kern.sleeptime")
+	out, err := cmd.Output()
+	if err != nil {
+		return 0, fmt.Errorf("failed to run sysctl: %w", err)
+	}
+
+	h, err := hash(out)
+	if err != nil {
+		return 0, fmt.Errorf("failed to compute hash: %w", err)
+	}
+
+	return h, nil
+}
+
+func hash(data []byte) (uint32, error) {
+	hasher := fnv.New32a() // Create a new 32-bit FNV-1a hasher
+	if _, err := hasher.Write(data); err != nil {
+		return 0, err
+	}
+	return hasher.Sum32(), nil
+}
--- a/client/internal/networkmonitor/monitor.go
+++ b/client/internal/networkmonitor/monitor.go
@@ -88,6 +88,7 @@ func (nw *NetworkMonitor) Listen(ctx context.Context) (err error) {
 	event := make(chan struct{}, 1)
 	go nw.checkChanges(ctx, event, nexthop4, nexthop6)

+	log.Infof("start watching for network changes")
 	// debounce changes
 	timer := time.NewTimer(0)
 	timer.Stop()
--- a/client/internal/peer/guard/ice_monitor.go
+++ b/client/internal/peer/guard/ice_monitor.go
@@ -78,7 +78,7 @@ func (cm *ICEMonitor) Start(ctx context.Context, onChanged func()) {
 func (cm *ICEMonitor) handleCandidateTick(ctx context.Context, ufrag string, pwd string) (bool, error) {
 	log.Debugf("Gathering ICE candidates")

-	agent, err := icemaker.NewAgent(cm.iFaceDiscover, cm.iceConfig, candidateTypesP2P(), ufrag, pwd)
+	agent, err := icemaker.NewAgent(ctx, cm.iFaceDiscover, cm.iceConfig, candidateTypesP2P(), ufrag, pwd)
 	if err != nil {
 		return false, fmt.Errorf("create ICE agent: %w", err)
 	}
--- a/client/internal/peer/guard/sr_watcher.go
+++ b/client/internal/peer/guard/sr_watcher.go
@@ -19,11 +19,10 @@ type SRWatcher struct {
 	signalClient chNotifier
 	relayManager chNotifier

-	listeners     map[chan struct{}]struct{}
-	mu            sync.Mutex
-	iFaceDiscover stdnet.ExternalIFaceDiscover
-	iceConfig     ice.Config
-
+	listeners        map[chan struct{}]struct{}
+	mu               sync.Mutex
+	iFaceDiscover    stdnet.ExternalIFaceDiscover
+	iceConfig        ice.Config
 	cancelIceMonitor context.CancelFunc
 }

--- a/client/internal/peer/ice/agent.go
+++ b/client/internal/peer/ice/agent.go
@@ -1,6 +1,7 @@
 package ice

 import (
+	"context"
 	"sync"
 	"time"

@@ -22,6 +23,8 @@ const (
 	iceFailedTimeoutDefault       = 6 * time.Second
 	// iceRelayAcceptanceMinWaitDefault is the same as in the Pion ICE package
 	iceRelayAcceptanceMinWaitDefault = 2 * time.Second
+	// iceAgentCloseTimeout is the maximum time to wait for ICE agent close to complete
+	iceAgentCloseTimeout = 3 * time.Second
 )

 type ThreadSafeAgent struct {
@@ -32,18 +35,28 @@ type ThreadSafeAgent struct {
 func (a *ThreadSafeAgent) Close() error {
 	var err error
 	a.once.Do(func() {
-		err = a.Agent.Close()
+		done := make(chan error, 1)
+		go func() {
+			done <- a.Agent.Close()
+		}()
+
+		select {
+		case err = <-done:
+		case <-time.After(iceAgentCloseTimeout):
+			log.Warnf("ICE agent close timed out after %v, proceeding with cleanup", iceAgentCloseTimeout)
+			err = nil
+		}
 	})
 	return err
 }

-func NewAgent(iFaceDiscover stdnet.ExternalIFaceDiscover, config Config, candidateTypes []ice.CandidateType, ufrag string, pwd string) (*ThreadSafeAgent, error) {
+func NewAgent(ctx context.Context, iFaceDiscover stdnet.ExternalIFaceDiscover, config Config, candidateTypes []ice.CandidateType, ufrag string, pwd string) (*ThreadSafeAgent, error) {
 	iceKeepAlive := iceKeepAlive()
 	iceDisconnectedTimeout := iceDisconnectedTimeout()
 	iceFailedTimeout := iceFailedTimeout()
 	iceRelayAcceptanceMinWait := iceRelayAcceptanceMinWait()

-	transportNet, err := newStdNet(iFaceDiscover, config.InterfaceBlackList)
+	transportNet, err := newStdNet(ctx, iFaceDiscover, config.InterfaceBlackList)
 	if err != nil {
 		log.Errorf("failed to create pion's stdnet: %s", err)
 	}
--- a/client/internal/peer/ice/stdnet.go
+++ b/client/internal/peer/ice/stdnet.go
@@ -3,9 +3,11 @@
 package ice

 import (
+	"context"
+
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 )

-func newStdNet(_ stdnet.ExternalIFaceDiscover, ifaceBlacklist []string) (*stdnet.Net, error) {
-	return stdnet.NewNet(ifaceBlacklist)
+func newStdNet(ctx context.Context, _ stdnet.ExternalIFaceDiscover, ifaceBlacklist []string) (*stdnet.Net, error) {
+	return stdnet.NewNet(ctx, ifaceBlacklist)
 }
--- a/client/internal/peer/ice/stdnet_android.go
+++ b/client/internal/peer/ice/stdnet_android.go
@@ -1,7 +1,11 @@
 package ice

-import "github.com/netbirdio/netbird/client/internal/stdnet"
+import (
+	"context"

-func newStdNet(iFaceDiscover stdnet.ExternalIFaceDiscover, ifaceBlacklist []string) (*stdnet.Net, error) {
-	return stdnet.NewNetWithDiscover(iFaceDiscover, ifaceBlacklist)
+	"github.com/netbirdio/netbird/client/internal/stdnet"
+)
+
+func newStdNet(ctx context.Context, iFaceDiscover stdnet.ExternalIFaceDiscover, ifaceBlacklist []string) (*stdnet.Net, error) {
+	return stdnet.NewNetWithDiscover(ctx, iFaceDiscover, ifaceBlacklist)
 }
--- a/client/internal/peer/worker_ice.go
+++ b/client/internal/peer/worker_ice.go
@@ -209,7 +209,7 @@ func (w *WorkerICE) Close() {
 }

 func (w *WorkerICE) reCreateAgent(dialerCancel context.CancelFunc, candidates []ice.CandidateType) (*icemaker.ThreadSafeAgent, error) {
-	agent, err := icemaker.NewAgent(w.iFaceDiscover, w.config.ICEConfig, candidates, w.localUfrag, w.localPwd)
+	agent, err := icemaker.NewAgent(w.ctx, w.iFaceDiscover, w.config.ICEConfig, candidates, w.localUfrag, w.localPwd)
 	if err != nil {
 		return nil, fmt.Errorf("create agent: %w", err)
 	}
@@ -411,7 +411,7 @@ func (w *WorkerICE) onConnectionStateChange(agent *icemaker.ThreadSafeAgent, dia

 func (w *WorkerICE) turnAgentDial(ctx context.Context, agent *icemaker.ThreadSafeAgent, remoteOfferAnswer *OfferAnswer) (*ice.Conn, error) {
 	if isController(w.config) {
-		return w.agent.Dial(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
+		return agent.Dial(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
 	} else {
 		return agent.Accept(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
 	}
--- a/client/internal/pkce_auth.go
+++ b/client/internal/pkce_auth.go
@@ -44,6 +44,8 @@ type PKCEAuthProviderConfig struct {
 	DisablePromptLogin bool
 	// LoginFlag is used to configure the PKCE flow login behavior
 	LoginFlag common.LoginFlag
+	// LoginHint is used to pre-fill the email/username field during authentication
+	LoginHint string
 }

 // GetPKCEAuthorizationFlowInfo initialize a PKCEAuthorizationFlow instance and return with it
--- a/client/internal/relay/relay.go
+++ b/client/internal/relay/relay.go
@@ -197,7 +197,7 @@ func (p *StunTurnProbe) probeSTUN(ctx context.Context, uri *stun.URI) (addr stri
 		}
 	}()

-	net, err := stdnet.NewNet(nil)
+	net, err := stdnet.NewNet(ctx, nil)
 	if err != nil {
 		probeErr = fmt.Errorf("new net: %w", err)
 		return
@@ -286,7 +286,7 @@ func (p *StunTurnProbe) probeTURN(ctx context.Context, uri *stun.URI) (addr stri
 		}
 	}()

-	net, err := stdnet.NewNet(nil)
+	net, err := stdnet.NewNet(ctx, nil)
 	if err != nil {
 		probeErr = fmt.Errorf("new net: %w", err)
 		return
--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -81,6 +81,7 @@ type DefaultManager struct {
 	ctx                  context.Context
 	stop                 context.CancelFunc
 	mux                  sync.Mutex
+	shutdownWg           sync.WaitGroup
 	clientNetworks       map[route.HAUniqueID]*client.Watcher
 	routeSelector        *routeselector.RouteSelector
 	serverRouter         *server.Router
@@ -283,6 +284,7 @@ func (m *DefaultManager) SetDNSForwarderPort(port uint16) {
 // Stop stops the manager watchers and clean firewall rules
 func (m *DefaultManager) Stop(stateManager *statemanager.Manager) {
 	m.stop()
+	m.shutdownWg.Wait()
 	if m.serverRouter != nil {
 		m.serverRouter.CleanUp()
 	}
@@ -485,7 +487,11 @@ func (m *DefaultManager) TriggerSelection(networks route.HAMap) {
 		}
 		clientNetworkWatcher := client.NewWatcher(config)
 		m.clientNetworks[id] = clientNetworkWatcher
-		go clientNetworkWatcher.Start()
+		m.shutdownWg.Add(1)
+		go func() {
+			defer m.shutdownWg.Done()
+			clientNetworkWatcher.Start()
+		}()
 		clientNetworkWatcher.SendUpdate(client.RoutesUpdate{Routes: routes})
 	}

@@ -527,7 +533,11 @@ func (m *DefaultManager) updateClientNetworks(updateSerial uint64, networks rout
 			}
 			clientNetworkWatcher = client.NewWatcher(config)
 			m.clientNetworks[id] = clientNetworkWatcher
-			go clientNetworkWatcher.Start()
+			m.shutdownWg.Add(1)
+			go func() {
+				defer m.shutdownWg.Done()
+				clientNetworkWatcher.Start()
+			}()
 		}
 		update := client.RoutesUpdate{
 			UpdateSerial: updateSerial,
--- a/client/internal/routemanager/manager_test.go
+++ b/client/internal/routemanager/manager_test.go
@@ -6,7 +6,7 @@ import (
 	"net/netip"
 	"testing"

-	"github.com/pion/transport/v3/stdnet"
+	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

 	"github.com/stretchr/testify/require"
@@ -403,7 +403,7 @@ func TestManagerUpdateRoutes(t *testing.T) {
 	for n, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
 			peerPrivateKey, _ := wgtypes.GeneratePrivateKey()
-			newNet, err := stdnet.NewNet()
+			newNet, err := stdnet.NewNet(context.Background(), nil)
 			if err != nil {
 				t.Fatal(err)
 			}
--- a/client/internal/routemanager/systemops/systemops_generic_test.go
+++ b/client/internal/routemanager/systemops/systemops_generic_test.go
@@ -15,7 +15,7 @@ import (
 	"syscall"
 	"testing"

-	"github.com/pion/transport/v3/stdnet"
+	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
@@ -436,7 +436,7 @@ func createWGInterface(t *testing.T, interfaceName, ipAddressCIDR string, listen
 	peerPrivateKey, err := wgtypes.GeneratePrivateKey()
 	require.NoError(t, err)

-	newNet, err := stdnet.NewNet()
+	newNet, err := stdnet.NewNet(context.Background(), nil)
 	require.NoError(t, err)

 	opts := iface.WGIFaceOpts{
--- a/client/internal/routeselector/routeselector.go
+++ b/client/internal/routeselector/routeselector.go
@@ -9,8 +9,6 @@ import (
 	"github.com/hashicorp/go-multierror"
 	"golang.org/x/exp/maps"

-	log "github.com/sirupsen/logrus"
-
 	"github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/route"
 )
@@ -128,13 +126,11 @@ func (rs *RouteSelector) IsSelected(routeID route.NetID) bool {
 	defer rs.mu.RUnlock()

 	if rs.deselectAll {
-		log.Debugf("Route %s not selected (deselect all)", routeID)
 		return false
 	}

 	_, deselected := rs.deselectedRoutes[routeID]
 	isSelected := !deselected
-	log.Debugf("Route %s selection status: %v (deselected: %v)", routeID, isSelected, deselected)
 	return isSelected
 }

--- a/client/internal/stdnet/stdnet.go
+++ b/client/internal/stdnet/stdnet.go
@@ -4,17 +4,28 @@
 package stdnet

 import (
+	"context"
+	"errors"
 	"fmt"
+	"net"
+	"net/netip"
 	"slices"
+	"strconv"
 	"sync"
 	"time"

-	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/pion/transport/v3"
 	"github.com/pion/transport/v3/stdnet"
+
+	"github.com/netbirdio/netbird/client/iface/netstack"
 )

-const updateInterval = 30 * time.Second
+const (
+	updateInterval    = 30 * time.Second
+	dnsResolveTimeout = 30 * time.Second
+)
+
+var errNoSuitableAddress = errors.New("no suitable address found")

 // Net is an implementation of the net.Net interface
 // based on functions of the standard net package.
@@ -28,12 +39,19 @@ type Net struct {

 	// mu is shared between interfaces and lastUpdate
 	mu sync.Mutex
+
+	// ctx is the context for network operations that supports cancellation
+	ctx context.Context
 }

 // NewNetWithDiscover creates a new StdNet instance.
-func NewNetWithDiscover(iFaceDiscover ExternalIFaceDiscover, disallowList []string) (*Net, error) {
+func NewNetWithDiscover(ctx context.Context, iFaceDiscover ExternalIFaceDiscover, disallowList []string) (*Net, error) {
+	if ctx == nil {
+		ctx = context.Background()
+	}
 	n := &Net{
 		interfaceFilter: InterfaceFilter(disallowList),
+		ctx:             ctx,
 	}
 	// current ExternalIFaceDiscover implement in android-client https://github.dev/netbirdio/android-client
 	// so in android cli use pionDiscover
@@ -46,14 +64,64 @@ func NewNetWithDiscover(iFaceDiscover ExternalIFaceDiscover, disallowList []stri
 }

 // NewNet creates a new StdNet instance.
-func NewNet(disallowList []string) (*Net, error) {
+func NewNet(ctx context.Context, disallowList []string) (*Net, error) {
+	if ctx == nil {
+		ctx = context.Background()
+	}
 	n := &Net{
 		iFaceDiscover:   pionDiscover{},
 		interfaceFilter: InterfaceFilter(disallowList),
+		ctx:             ctx,
 	}
 	return n, n.UpdateInterfaces()
 }

+// resolveAddr performs DNS resolution with context support and timeout.
+func (n *Net) resolveAddr(network, address string) (netip.AddrPort, error) {
+	host, portStr, err := net.SplitHostPort(address)
+	if err != nil {
+		return netip.AddrPort{}, err
+	}
+
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		return netip.AddrPort{}, fmt.Errorf("invalid port: %w", err)
+	}
+	if port < 0 || port > 65535 {
+		return netip.AddrPort{}, fmt.Errorf("invalid port: %d", port)
+	}
+
+	ipNet := "ip"
+	switch network {
+	case "tcp4", "udp4":
+		ipNet = "ip4"
+	case "tcp6", "udp6":
+		ipNet = "ip6"
+	}
+
+	if host == "" {
+		addr := netip.IPv4Unspecified()
+		if ipNet == "ip6" {
+			addr = netip.IPv6Unspecified()
+		}
+		return netip.AddrPortFrom(addr, uint16(port)), nil
+	}
+
+	ctx, cancel := context.WithTimeout(n.ctx, dnsResolveTimeout)
+	defer cancel()
+
+	addrs, err := net.DefaultResolver.LookupNetIP(ctx, ipNet, host)
+	if err != nil {
+		return netip.AddrPort{}, err
+	}
+
+	if len(addrs) == 0 {
+		return netip.AddrPort{}, errNoSuitableAddress
+	}
+
+	return netip.AddrPortFrom(addrs[0], uint16(port)), nil
+}
+
 // UpdateInterfaces updates the internal list of network interfaces
 // and associated addresses filtering them by name.
 // The interfaces are discovered by an external iFaceDiscover function or by a default discoverer if the external one
@@ -137,3 +205,39 @@ func (n *Net) filterInterfaces(interfaces []*transport.Interface) []*transport.I
 	}
 	return result
 }
+
+// ResolveUDPAddr resolves UDP addresses with context support and timeout.
+func (n *Net) ResolveUDPAddr(network, address string) (*net.UDPAddr, error) {
+	switch network {
+	case "udp", "udp4", "udp6":
+	case "":
+		network = "udp"
+	default:
+		return nil, &net.OpError{Op: "resolve", Net: network, Err: net.UnknownNetworkError(network)}
+	}
+
+	addrPort, err := n.resolveAddr(network, address)
+	if err != nil {
+		return nil, &net.OpError{Op: "resolve", Net: network, Addr: &net.UDPAddr{IP: nil}, Err: err}
+	}
+
+	return net.UDPAddrFromAddrPort(addrPort), nil
+}
+
+// ResolveTCPAddr resolves TCP addresses with context support and timeout.
+func (n *Net) ResolveTCPAddr(network, address string) (*net.TCPAddr, error) {
+	switch network {
+	case "tcp", "tcp4", "tcp6":
+	case "":
+		network = "tcp"
+	default:
+		return nil, &net.OpError{Op: "resolve", Net: network, Err: net.UnknownNetworkError(network)}
+	}
+
+	addrPort, err := n.resolveAddr(network, address)
+	if err != nil {
+		return nil, &net.OpError{Op: "resolve", Net: network, Addr: &net.TCPAddr{IP: nil}, Err: err}
+	}
+
+	return net.TCPAddrFromAddrPort(addrPort), nil
+}
--- a/client/ios/NetBirdSDK/client.go
+++ b/client/ios/NetBirdSDK/client.go
@@ -228,7 +228,7 @@ func (c *Client) LoginForMobile() string {
 		ConfigPath: c.cfgFile,
 	})

-	oAuthFlow, err := auth.NewOAuthFlow(ctx, cfg, false)
+	oAuthFlow, err := auth.NewOAuthFlow(ctx, cfg, false, "")
 	if err != nil {
 		return err.Error()
 	}
--- a/client/proto/daemon.pb.go
+++ b/client/proto/daemon.pb.go
@@ -279,8 +279,10 @@ type LoginRequest struct {
 	ProfileName           *string `protobuf:"bytes,30,opt,name=profileName,proto3,oneof" json:"profileName,omitempty"`
 	Username              *string `protobuf:"bytes,31,opt,name=username,proto3,oneof" json:"username,omitempty"`
 	Mtu                   *int64  `protobuf:"varint,32,opt,name=mtu,proto3,oneof" json:"mtu,omitempty"`
-	unknownFields         protoimpl.UnknownFields
-	sizeCache             protoimpl.SizeCache
+	// hint is used to pre-fill the email/username field during SSO authentication
+	Hint          *string `protobuf:"bytes,33,opt,name=hint,proto3,oneof" json:"hint,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *LoginRequest) Reset() {
@@ -538,6 +540,13 @@ func (x *LoginRequest) GetMtu() int64 {
 	return 0
 }

+func (x *LoginRequest) GetHint() string {
+	if x != nil && x.Hint != nil {
+		return *x.Hint
+	}
+	return ""
+}
+
 type LoginResponse struct {
 	state                   protoimpl.MessageState `protogen:"open.v1"`
 	NeedsSSOLogin           bool                   `protobuf:"varint,1,opt,name=needsSSOLogin,proto3" json:"needsSSOLogin,omitempty"`
@@ -4608,7 +4617,7 @@ var File_daemon_proto protoreflect.FileDescriptor
 const file_daemon_proto_rawDesc = "" +
 	"\n" +
 	"\fdaemon.proto\x12\x06daemon\x1a google/protobuf/descriptor.proto\x1a\x1fgoogle/protobuf/timestamp.proto\x1a\x1egoogle/protobuf/duration.proto\"\x0e\n" +
-	"\fEmptyRequest\"\xc3\x0e\n" +
+	"\fEmptyRequest\"\xe5\x0e\n" +
 	"\fLoginRequest\x12\x1a\n" +
 	"\bsetupKey\x18\x01 \x01(\tR\bsetupKey\x12&\n" +
 	"\fpreSharedKey\x18\x02 \x01(\tB\x02\x18\x01R\fpreSharedKey\x12$\n" +
@@ -4645,7 +4654,8 @@ const file_daemon_proto_rawDesc = "" +
 	"\rblock_inbound\x18\x1d \x01(\bH\x10R\fblockInbound\x88\x01\x01\x12%\n" +
 	"\vprofileName\x18\x1e \x01(\tH\x11R\vprofileName\x88\x01\x01\x12\x1f\n" +
 	"\busername\x18\x1f \x01(\tH\x12R\busername\x88\x01\x01\x12\x15\n" +
-	"\x03mtu\x18  \x01(\x03H\x13R\x03mtu\x88\x01\x01B\x13\n" +
+	"\x03mtu\x18  \x01(\x03H\x13R\x03mtu\x88\x01\x01\x12\x17\n" +
+	"\x04hint\x18! \x01(\tH\x14R\x04hint\x88\x01\x01B\x13\n" +
 	"\x11_rosenpassEnabledB\x10\n" +
 	"\x0e_interfaceNameB\x10\n" +
 	"\x0e_wireguardPortB\x17\n" +
@@ -4665,7 +4675,8 @@ const file_daemon_proto_rawDesc = "" +
 	"\x0e_block_inboundB\x0e\n" +
 	"\f_profileNameB\v\n" +
 	"\t_usernameB\x06\n" +
-	"\x04_mtu\"\xb5\x01\n" +
+	"\x04_mtuB\a\n" +
+	"\x05_hint\"\xb5\x01\n" +
 	"\rLoginResponse\x12$\n" +
 	"\rneedsSSOLogin\x18\x01 \x01(\bR\rneedsSSOLogin\x12\x1a\n" +
 	"\buserCode\x18\x02 \x01(\tR\buserCode\x12(\n" +
--- a/client/proto/daemon.proto
+++ b/client/proto/daemon.proto
@@ -158,6 +158,9 @@ message LoginRequest {
  optional string username = 31;

  optional int64 mtu = 32;
+
+  // hint is used to pre-fill the email/username field during SSO authentication
+  optional string hint = 33;
 }

 message LoginResponse {
--- a/client/server/server.go
+++ b/client/server/server.go
@@ -483,7 +483,11 @@ func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*pro
 	state.Set(internal.StatusConnecting)

 	if msg.SetupKey == "" {
-		oAuthFlow, err := auth.NewOAuthFlow(ctx, config, msg.IsUnixDesktopClient)
+		hint := ""
+		if msg.Hint != nil {
+			hint = *msg.Hint
+		}
+		oAuthFlow, err := auth.NewOAuthFlow(ctx, config, msg.IsUnixDesktopClient, hint)
 		if err != nil {
 			state.Set(internal.StatusLoginFailed)
 			return nil, err
--- a/client/server/server_test.go
+++ b/client/server/server_test.go
@@ -14,6 +14,9 @@ import (
 	"go.opentelemetry.io/otel"

 	"github.com/netbirdio/management-integrations/integrations"
+	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
+	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
+	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"

 	"github.com/netbirdio/netbird/management/internals/server/config"
 	"github.com/netbirdio/netbird/management/server/groups"
@@ -290,7 +293,6 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 	}
 	t.Cleanup(cleanUp)

-	peersUpdateManager := server.NewPeersUpdateManager(nil)
 	eventStore := &activity.InMemoryEventStore{}
 	if err != nil {
 		return nil, "", err
@@ -311,13 +313,16 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 	settingsMockManager := settings.NewMockManager(ctrl)
 	groupsManager := groups.NewManagerMock()

-	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
+	requestBuffer := server.NewAccountRequestBuffer(context.Background(), store)
+	peersUpdateManager := update_channel.NewPeersUpdateManager(metrics)
+	networkMapController := controller.NewController(context.Background(), store, metrics, peersUpdateManager, requestBuffer, server.MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock())
+	accountManager, err := server.BuildManager(context.Background(), store, networkMapController, nil, "", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
 	if err != nil {
 		return nil, "", err
 	}

-	secretsManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
-	mgmtServer, err := server.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, &manager.EphemeralManager{}, nil, &server.MockIntegratedValidator{})
+	secretsManager := nbgrpc.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, &manager.EphemeralManager{}, nil, &server.MockIntegratedValidator{}, networkMapController)
 	if err != nil {
 		return nil, "", err
 	}
--- a/client/ui/assets/netbird-disconnected.ico
+++ b/client/ui/assets/netbird-disconnected.ico
--- a/client/ui/assets/netbird-disconnected.png
+++ b/client/ui/assets/netbird-disconnected.png
--- a/client/ui/client_ui.go
+++ b/client/ui/client_ui.go
@@ -85,21 +85,22 @@ func main() {

 	// Create the service client (this also builds the settings or networks UI if requested).
 	client := newServiceClient(&newServiceClientArgs{
-		addr:         flags.daemonAddr,
-		logFile:      logFile,
-		app:          a,
-		showSettings: flags.showSettings,
-		showNetworks: flags.showNetworks,
-		showLoginURL: flags.showLoginURL,
-		showDebug:    flags.showDebug,
-		showProfiles: flags.showProfiles,
+		addr:             flags.daemonAddr,
+		logFile:          logFile,
+		app:              a,
+		showSettings:     flags.showSettings,
+		showNetworks:     flags.showNetworks,
+		showLoginURL:     flags.showLoginURL,
+		showDebug:        flags.showDebug,
+		showProfiles:     flags.showProfiles,
+		showQuickActions: flags.showQuickActions,
 	})

 	// Watch for theme/settings changes to update the icon.
 	go watchSettingsChanges(a, client)

 	// Run in window mode if any UI flag was set.
-	if flags.showSettings || flags.showNetworks || flags.showDebug || flags.showLoginURL || flags.showProfiles {
+	if flags.showSettings || flags.showNetworks || flags.showDebug || flags.showLoginURL || flags.showProfiles || flags.showQuickActions {
 		a.Run()
 		return
 	}
@@ -111,23 +112,29 @@ func main() {
 		return
 	}
 	if running {
-		log.Warnf("another process is running with pid %d, exiting", pid)
+		log.Infof("another process is running with pid %d, sending signal to show window", pid)
+		if err := sendShowWindowSignal(pid); err != nil {
+			log.Errorf("send signal to running instance: %v", err)
+		}
 		return
 	}

+	client.setupSignalHandler(client.ctx)
+
 	client.setDefaultFonts()
 	systray.Run(client.onTrayReady, client.onTrayExit)
 }

 type cliFlags struct {
-	daemonAddr     string
-	showSettings   bool
-	showNetworks   bool
-	showProfiles   bool
-	showDebug      bool
-	showLoginURL   bool
-	errorMsg       string
-	saveLogsInFile bool
+	daemonAddr       string
+	showSettings     bool
+	showNetworks     bool
+	showProfiles     bool
+	showDebug        bool
+	showLoginURL     bool
+	showQuickActions bool
+	errorMsg         string
+	saveLogsInFile   bool
 }

 // parseFlags reads and returns all needed command-line flags.
@@ -143,6 +150,7 @@ func parseFlags() *cliFlags {
 	flag.BoolVar(&flags.showNetworks, "networks", false, "run networks window")
 	flag.BoolVar(&flags.showProfiles, "profiles", false, "run profiles window")
 	flag.BoolVar(&flags.showDebug, "debug", false, "run debug window")
+	flag.BoolVar(&flags.showQuickActions, "quick-actions", false, "run quick actions window")
 	flag.StringVar(&flags.errorMsg, "error-msg", "", "displays an error message window")
 	flag.BoolVar(&flags.saveLogsInFile, "use-log-file", false, fmt.Sprintf("save logs in a file: %s/netbird-ui-PID.log", os.TempDir()))
 	flag.BoolVar(&flags.showLoginURL, "login-url", false, "show login URL in a popup window")
@@ -158,11 +166,9 @@ func initLogFile() (string, error) {

 // watchSettingsChanges listens for Fyne theme/settings changes and updates the client icon.
 func watchSettingsChanges(a fyne.App, client *serviceClient) {
-	settingsChangeChan := make(chan fyne.Settings)
-	a.Settings().AddChangeListener(settingsChangeChan)
-	for range settingsChangeChan {
+	a.Settings().AddListener(func(settings fyne.Settings) {
 		client.updateIcon()
-	}
+	})
 }

 // showErrorMessage displays an error message in a simple window.
@@ -287,6 +293,7 @@ type serviceClient struct {
 	showNetworks         bool
 	wNetworks            fyne.Window
 	wProfiles            fyne.Window
+	wQuickActions        fyne.Window

 	eventManager *event.Manager

@@ -306,14 +313,15 @@ type menuHandler struct {
 }

 type newServiceClientArgs struct {
-	addr         string
-	logFile      string
-	app          fyne.App
-	showSettings bool
-	showNetworks bool
-	showDebug    bool
-	showLoginURL bool
-	showProfiles bool
+	addr             string
+	logFile          string
+	app              fyne.App
+	showSettings     bool
+	showNetworks     bool
+	showDebug        bool
+	showLoginURL     bool
+	showProfiles     bool
+	showQuickActions bool
 }

 // newServiceClient instance constructor
@@ -349,6 +357,8 @@ func newServiceClient(args *newServiceClientArgs) *serviceClient {
 		s.showDebugUI()
 	case args.showProfiles:
 		s.showProfilesUI()
+	case args.showQuickActions:
+		s.showQuickActionsUI()
 	}

 	return s
@@ -610,11 +620,20 @@ func (s *serviceClient) login(ctx context.Context, openURL bool) (*proto.LoginRe
 		return nil, fmt.Errorf("get current user: %w", err)
 	}

-	loginResp, err := conn.Login(ctx, &proto.LoginRequest{
+	loginReq := &proto.LoginRequest{
 		IsUnixDesktopClient: runtime.GOOS == "linux" || runtime.GOOS == "freebsd",
 		ProfileName:         &activeProf.Name,
 		Username:            &currUser.Username,
-	})
+	}
+
+	profileState, err := s.profileManager.GetProfileState(activeProf.Name)
+	if err != nil {
+		log.Debugf("failed to get profile state for login hint: %v", err)
+	} else if profileState.Email != "" {
+		loginReq.Hint = &profileState.Email
+	}
+
+	loginResp, err := conn.Login(ctx, loginReq)
 	if err != nil {
 		return nil, fmt.Errorf("login to management: %w", err)
 	}
--- a/client/ui/debug.go
+++ b/client/ui/debug.go
@@ -500,7 +500,7 @@ func (s *serviceClient) createDebugBundleFromCollection(
 		if uploadFailureReason != "" {
 			showUploadFailedDialog(progress.window, localPath, uploadFailureReason)
 		} else {
-			showUploadSuccessDialog(progress.window, localPath, uploadedKey)
+			showUploadSuccessDialog(s.app, progress.window, localPath, uploadedKey)
 		}
 	} else {
 		showBundleCreatedDialog(progress.window, localPath)
@@ -565,7 +565,7 @@ func (s *serviceClient) handleDebugCreation(
 		if uploadFailureReason != "" {
 			showUploadFailedDialog(w, localPath, uploadFailureReason)
 		} else {
-			showUploadSuccessDialog(w, localPath, uploadedKey)
+			showUploadSuccessDialog(s.app, w, localPath, uploadedKey)
 		}
 	} else {
 		showBundleCreatedDialog(w, localPath)
@@ -665,7 +665,7 @@ func showUploadFailedDialog(w fyne.Window, localPath, failureReason string) {
 }

 // showUploadSuccessDialog displays a dialog when upload succeeds
-func showUploadSuccessDialog(w fyne.Window, localPath, uploadedKey string) {
+func showUploadSuccessDialog(a fyne.App, w fyne.Window, localPath, uploadedKey string) {
 	log.Infof("Upload key: %s", uploadedKey)
 	keyEntry := widget.NewEntry()
 	keyEntry.SetText(uploadedKey)
@@ -683,7 +683,7 @@ func showUploadSuccessDialog(w fyne.Window, localPath, uploadedKey string) {
 	customDialog := dialog.NewCustom("Upload Successful", "OK", content, w)

 	copyBtn := createButtonWithAction("Copy key", func() {
-		w.Clipboard().SetContent(uploadedKey)
+		a.Clipboard().SetContent(uploadedKey)
 		log.Info("Upload key copied to clipboard")
 	})

--- a/client/ui/icons.go
+++ b/client/ui/icons.go
@@ -9,6 +9,9 @@ import (
 //go:embed assets/netbird.png
 var iconAbout []byte

+//go:embed assets/netbird-disconnected.png
+var iconAboutDisconnected []byte
+
 //go:embed assets/netbird-systemtray-connected.png
 var iconConnected []byte

--- a/client/ui/icons_windows.go
+++ b/client/ui/icons_windows.go
@@ -7,6 +7,9 @@ import (
 //go:embed assets/netbird.ico
 var iconAbout []byte

+//go:embed assets/netbird-disconnected.ico
+var iconAboutDisconnected []byte
+
 //go:embed assets/netbird-systemtray-connected.ico
 var iconConnected []byte

--- a/client/ui/quickactions.go
+++ b/client/ui/quickactions.go
@@ -0,0 +1,349 @@
+//go:build !(linux && 386)
+
+//go:generate fyne bundle -o quickactions_assets.go assets/connected.png
+//go:generate fyne bundle -o quickactions_assets.go -append assets/disconnected.png
+package main
+
+import (
+	"context"
+	_ "embed"
+	"fmt"
+	"runtime"
+	"sync/atomic"
+	"time"
+
+	"fyne.io/fyne/v2"
+	"fyne.io/fyne/v2/canvas"
+	"fyne.io/fyne/v2/container"
+	"fyne.io/fyne/v2/layout"
+	"fyne.io/fyne/v2/widget"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+type quickActionsUiState struct {
+	connectionStatus      string
+	isToggleButtonEnabled bool
+	isConnectionChanged   bool
+	toggleAction          func()
+}
+
+func newQuickActionsUiState() quickActionsUiState {
+	return quickActionsUiState{
+		connectionStatus:      string(internal.StatusIdle),
+		isToggleButtonEnabled: false,
+		isConnectionChanged:   false,
+	}
+}
+
+type clientConnectionStatusProvider interface {
+	connectionStatus(ctx context.Context) (string, error)
+}
+
+type daemonClientConnectionStatusProvider struct {
+	client proto.DaemonServiceClient
+}
+
+func (d daemonClientConnectionStatusProvider) connectionStatus(ctx context.Context) (string, error) {
+	childCtx, cancel := context.WithTimeout(ctx, 400*time.Millisecond)
+	defer cancel()
+	status, err := d.client.Status(childCtx, &proto.StatusRequest{})
+	if err != nil {
+		return "", err
+	}
+
+	return status.Status, nil
+}
+
+type clientCommand interface {
+	execute() error
+}
+
+type connectCommand struct {
+	connectClient func() error
+}
+
+func (c connectCommand) execute() error {
+	return c.connectClient()
+}
+
+type disconnectCommand struct {
+	disconnectClient func() error
+}
+
+func (c disconnectCommand) execute() error {
+	return c.disconnectClient()
+}
+
+type quickActionsViewModel struct {
+	provider                   clientConnectionStatusProvider
+	connect                    clientCommand
+	disconnect                 clientCommand
+	uiChan                     chan quickActionsUiState
+	isWatchingConnectionStatus atomic.Bool
+}
+
+func newQuickActionsViewModel(ctx context.Context, provider clientConnectionStatusProvider, connect, disconnect clientCommand, uiChan chan quickActionsUiState) {
+	viewModel := quickActionsViewModel{
+		provider:   provider,
+		connect:    connect,
+		disconnect: disconnect,
+		uiChan:     uiChan,
+	}
+
+	viewModel.isWatchingConnectionStatus.Store(true)
+
+	// base UI status
+	uiChan <- newQuickActionsUiState()
+
+	// this retrieves the current connection status
+	// and pushes the UI state that reflects it via uiChan
+	go viewModel.watchConnectionStatus(ctx)
+}
+
+func (q *quickActionsViewModel) updateUiState(ctx context.Context) {
+	uiState := newQuickActionsUiState()
+	connectionStatus, err := q.provider.connectionStatus(ctx)
+
+	if err != nil {
+		log.Errorf("Status: Error - %v", err)
+		q.uiChan <- uiState
+		return
+	}
+
+	if connectionStatus == string(internal.StatusConnected) {
+		uiState.toggleAction = func() {
+			q.executeCommand(q.disconnect)
+		}
+	} else {
+		uiState.toggleAction = func() {
+			q.executeCommand(q.connect)
+		}
+	}
+
+	uiState.isToggleButtonEnabled = true
+	uiState.connectionStatus = connectionStatus
+	q.uiChan <- uiState
+}
+
+func (q *quickActionsViewModel) watchConnectionStatus(ctx context.Context) {
+	ticker := time.NewTicker(1000 * time.Millisecond)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ticker.C:
+			if q.isWatchingConnectionStatus.Load() {
+				q.updateUiState(ctx)
+			}
+		}
+	}
+}
+
+func (q *quickActionsViewModel) executeCommand(command clientCommand) {
+	uiState := newQuickActionsUiState()
+	// newQuickActionsUiState starts with Idle connection status,
+	// and all that's necessary here is to just disable the toggle button.
+	uiState.connectionStatus = ""
+
+	q.uiChan <- uiState
+
+	q.isWatchingConnectionStatus.Store(false)
+
+	err := command.execute()
+
+	if err != nil {
+		log.Errorf("Status: Error - %v", err)
+		q.isWatchingConnectionStatus.Store(true)
+	} else {
+		uiState = newQuickActionsUiState()
+		uiState.isConnectionChanged = true
+		q.uiChan <- uiState
+	}
+}
+
+func getSystemTrayName() string {
+	os := runtime.GOOS
+	switch os {
+	case "darwin":
+		return "menu bar"
+	default:
+		return "system tray"
+	}
+}
+
+func (s *serviceClient) getNetBirdImage(name string, content []byte) *canvas.Image {
+	imageSize := fyne.NewSize(64, 64)
+
+	resource := fyne.NewStaticResource(name, content)
+	image := canvas.NewImageFromResource(resource)
+	image.FillMode = canvas.ImageFillContain
+	image.SetMinSize(imageSize)
+	image.Resize(imageSize)
+
+	return image
+}
+
+type quickActionsUiComponents struct {
+	content                                   *fyne.Container
+	toggleConnectionButton                    *widget.Button
+	connectedLabelText, disconnectedLabelText string
+	connectedImage, disconnectedImage         *canvas.Image
+	connectedCircleRes, disconnectedCircleRes fyne.Resource
+}
+
+// applyQuickActionsUiState applies a single UI state to the quick actions window.
+// It closes the window and returns true if the connection status has changed,
+// in which case the caller should stop processing further states.
+func (s *serviceClient) applyQuickActionsUiState(
+	uiState quickActionsUiState,
+	components quickActionsUiComponents,
+) bool {
+	if uiState.isConnectionChanged {
+		fyne.DoAndWait(func() {
+			s.wQuickActions.Close()
+		})
+		return true
+	}
+
+	var logo *canvas.Image
+	var buttonText string
+	var buttonIcon fyne.Resource
+
+	if uiState.connectionStatus == string(internal.StatusConnected) {
+		buttonText = components.connectedLabelText
+		buttonIcon = components.connectedCircleRes
+		logo = components.connectedImage
+	} else if uiState.connectionStatus == string(internal.StatusIdle) {
+		buttonText = components.disconnectedLabelText
+		buttonIcon = components.disconnectedCircleRes
+		logo = components.disconnectedImage
+	}
+
+	fyne.DoAndWait(func() {
+		if buttonText != "" {
+			components.toggleConnectionButton.SetText(buttonText)
+		}
+
+		if buttonIcon != nil {
+			components.toggleConnectionButton.SetIcon(buttonIcon)
+		}
+
+		if uiState.isToggleButtonEnabled {
+			components.toggleConnectionButton.Enable()
+		} else {
+			components.toggleConnectionButton.Disable()
+		}
+
+		components.toggleConnectionButton.OnTapped = func() {
+			if uiState.toggleAction != nil {
+				go uiState.toggleAction()
+			}
+		}
+
+		components.toggleConnectionButton.Refresh()
+
+		// the second position in the content's object array is the NetBird logo.
+		if logo != nil {
+			components.content.Objects[1] = logo
+			components.content.Refresh()
+		}
+	})
+
+	return false
+}
+
+// showQuickActionsUI displays a simple window with the NetBird logo and a connection toggle button.
+func (s *serviceClient) showQuickActionsUI() {
+	s.wQuickActions = s.app.NewWindow("NetBird")
+	vmCtx, vmCancel := context.WithCancel(s.ctx)
+	s.wQuickActions.SetOnClosed(vmCancel)
+
+	client, err := s.getSrvClient(defaultFailTimeout)
+
+	connCmd := connectCommand{
+		connectClient: func() error {
+			return s.menuUpClick(s.ctx)
+		},
+	}
+
+	disConnCmd := disconnectCommand{
+		disconnectClient: func() error {
+			return s.menuDownClick()
+		},
+	}
+
+	if err != nil {
+		log.Errorf("get service client: %v", err)
+		return
+	}
+
+	uiChan := make(chan quickActionsUiState, 1)
+	newQuickActionsViewModel(vmCtx, daemonClientConnectionStatusProvider{client: client}, connCmd, disConnCmd, uiChan)
+
+	connectedImage := s.getNetBirdImage("netbird.png", iconAbout)
+	disconnectedImage := s.getNetBirdImage("netbird-disconnected.png", iconAboutDisconnected)
+
+	connectedCircle := canvas.NewImageFromResource(resourceConnectedPng)
+	disconnectedCircle := canvas.NewImageFromResource(resourceDisconnectedPng)
+
+	connectedLabelText := "Disconnect"
+	disconnectedLabelText := "Connect"
+
+	toggleConnectionButton := widget.NewButtonWithIcon(disconnectedLabelText, disconnectedCircle.Resource, func() {
+		// This button's tap function will be set when an ui state arrives via the uiChan channel.
+	})
+
+	// Button starts disabled until the first ui state arrives.
+	toggleConnectionButton.Disable()
+
+	hintLabelText := fmt.Sprintf("You can always access NetBird from your %s.", getSystemTrayName())
+	hintLabel := widget.NewLabel(hintLabelText)
+
+	content := container.NewVBox(
+		layout.NewSpacer(),
+		disconnectedImage,
+		layout.NewSpacer(),
+		container.NewCenter(toggleConnectionButton),
+		layout.NewSpacer(),
+		container.NewCenter(hintLabel),
+	)
+
+	// this watches for ui state updates.
+	go func() {
+
+		for {
+			select {
+			case <-vmCtx.Done():
+				return
+			case uiState, ok := <-uiChan:
+				if !ok {
+					return
+				}
+
+				closed := s.applyQuickActionsUiState(
+					uiState,
+					quickActionsUiComponents{
+						content,
+						toggleConnectionButton,
+						connectedLabelText, disconnectedLabelText,
+						connectedImage, disconnectedImage,
+						connectedCircle.Resource, disconnectedCircle.Resource,
+					},
+				)
+				if closed {
+					return
+				}
+			}
+		}
+	}()
+
+	s.wQuickActions.SetContent(content)
+	s.wQuickActions.Resize(fyne.NewSize(400, 200))
+	s.wQuickActions.SetFixedSize(true)
+	s.wQuickActions.Show()
+}
--- a/client/ui/quickactions_assets.go
+++ b/client/ui/quickactions_assets.go
@@ -0,0 +1,23 @@
+// auto-generated
+// Code generated by '$ fyne bundle'. DO NOT EDIT.
+
+package main
+
+import (
+	_ "embed"
+	"fyne.io/fyne/v2"
+)
+
+//go:embed assets/connected.png
+var resourceConnectedPngData []byte
+var resourceConnectedPng = &fyne.StaticResource{
+	StaticName:    "assets/connected.png",
+	StaticContent: resourceConnectedPngData,
+}
+
+//go:embed assets/disconnected.png
+var resourceDisconnectedPngData []byte
+var resourceDisconnectedPng = &fyne.StaticResource{
+	StaticName:    "assets/disconnected.png",
+	StaticContent: resourceDisconnectedPngData,
+}
--- a/client/ui/signal_unix.go
+++ b/client/ui/signal_unix.go
@@ -0,0 +1,76 @@
+//go:build !windows && !(linux && 386)
+
+package main
+
+import (
+	"context"
+	"os"
+	"os/exec"
+	"os/signal"
+	"syscall"
+
+	log "github.com/sirupsen/logrus"
+)
+
+// setupSignalHandler sets up a signal handler to listen for SIGUSR1.
+// When received, it opens the quick actions window.
+func (s *serviceClient) setupSignalHandler(ctx context.Context) {
+	sigChan := make(chan os.Signal, 1)
+	signal.Notify(sigChan, syscall.SIGUSR1)
+
+	go func() {
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-sigChan:
+				log.Info("received SIGUSR1 signal, opening quick actions window")
+				s.openQuickActions()
+			}
+		}
+	}()
+}
+
+// openQuickActions opens the quick actions window by spawning a new process.
+func (s *serviceClient) openQuickActions() {
+	proc, err := os.Executable()
+	if err != nil {
+		log.Errorf("get executable path: %v", err)
+		return
+	}
+
+	cmd := exec.CommandContext(s.ctx, proc,
+		"--quick-actions=true",
+		"--daemon-addr="+s.addr,
+	)
+
+	if out := s.attachOutput(cmd); out != nil {
+		defer func() {
+			if err := out.Close(); err != nil {
+				log.Errorf("close log file %s: %v", s.logFile, err)
+			}
+		}()
+	}
+
+	log.Infof("running command: %s --quick-actions=true --daemon-addr=%s", proc, s.addr)
+
+	if err := cmd.Start(); err != nil {
+		log.Errorf("start quick actions window: %v", err)
+		return
+	}
+
+	go func() {
+		if err := cmd.Wait(); err != nil {
+			log.Debugf("quick actions window exited: %v", err)
+		}
+	}()
+}
+
+// sendShowWindowSignal sends SIGUSR1 to the specified PID.
+func sendShowWindowSignal(pid int32) error {
+	process, err := os.FindProcess(int(pid))
+	if err != nil {
+		return err
+	}
+	return process.Signal(syscall.SIGUSR1)
+}
--- a/client/ui/signal_windows.go
+++ b/client/ui/signal_windows.go
@@ -0,0 +1,171 @@
+//go:build windows
+
+package main
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"os/exec"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/sys/windows"
+)
+
+const (
+	quickActionsTriggerEventName = `Global\NetBirdQuickActionsTriggerEvent`
+	waitTimeout                  = 5 * time.Second
+	// SYNCHRONIZE is needed for WaitForSingleObject, EVENT_MODIFY_STATE for ResetEvent.
+	desiredAccesses = windows.SYNCHRONIZE | windows.EVENT_MODIFY_STATE
+)
+
+func getEventNameUint16Pointer() (*uint16, error) {
+	eventNamePtr, err := windows.UTF16PtrFromString(quickActionsTriggerEventName)
+	if err != nil {
+		log.Errorf("Failed to convert event name '%s' to UTF16: %v", quickActionsTriggerEventName, err)
+		return nil, err
+	}
+
+	return eventNamePtr, nil
+}
+
+// setupSignalHandler sets up signal handling for Windows.
+// Windows doesn't support SIGUSR1, so this uses a similar approach using windows.Events.
+func (s *serviceClient) setupSignalHandler(ctx context.Context) {
+	eventNamePtr, err := getEventNameUint16Pointer()
+	if err != nil {
+		return
+	}
+
+	eventHandle, err := windows.CreateEvent(nil, 1, 0, eventNamePtr)
+
+	if err != nil {
+		if errors.Is(err, windows.ERROR_ALREADY_EXISTS) {
+			log.Warnf("Quick actions trigger event '%s' already exists. Attempting to open.", quickActionsTriggerEventName)
+			eventHandle, err = windows.OpenEvent(desiredAccesses, false, eventNamePtr)
+			if err != nil {
+				log.Errorf("Failed to open existing quick actions trigger event '%s': %v", quickActionsTriggerEventName, err)
+				return
+			}
+			log.Infof("Successfully opened existing quick actions trigger event '%s'.", quickActionsTriggerEventName)
+		} else {
+			log.Errorf("Failed to create quick actions trigger event '%s': %v", quickActionsTriggerEventName, err)
+			return
+		}
+	}
+
+	if eventHandle == windows.InvalidHandle {
+		log.Errorf("Obtained an invalid handle for quick actions trigger event '%s'", quickActionsTriggerEventName)
+		return
+	}
+
+	log.Infof("Quick actions handler waiting for signal on event: %s", quickActionsTriggerEventName)
+
+	go s.waitForEvent(ctx, eventHandle)
+}
+
+func (s *serviceClient) waitForEvent(ctx context.Context, eventHandle windows.Handle) {
+	defer func() {
+		if err := windows.CloseHandle(eventHandle); err != nil {
+			log.Errorf("Failed to close quick actions event handle '%s': %v", quickActionsTriggerEventName, err)
+		}
+	}()
+
+	for {
+		if ctx.Err() != nil {
+			return
+		}
+
+		status, err := windows.WaitForSingleObject(eventHandle, uint32(waitTimeout.Milliseconds()))
+
+		switch status {
+		case windows.WAIT_OBJECT_0:
+			log.Info("Received signal on quick actions event. Opening quick actions window.")
+
+			// reset the event so it can be triggered again later (manual reset == 1)
+			if err := windows.ResetEvent(eventHandle); err != nil {
+				log.Errorf("Failed to reset quick actions event '%s': %v", quickActionsTriggerEventName, err)
+			}
+
+			s.openQuickActions()
+		case uint32(windows.WAIT_TIMEOUT):
+
+		default:
+			if isDone := logUnexpectedStatus(ctx, status, err); isDone {
+				return
+			}
+		}
+	}
+}
+
+func logUnexpectedStatus(ctx context.Context, status uint32, err error) bool {
+	log.Errorf("Unexpected status %d from WaitForSingleObject for quick actions event '%s': %v",
+		status, quickActionsTriggerEventName, err)
+	select {
+	case <-time.After(5 * time.Second):
+		return false
+	case <-ctx.Done():
+		return true
+	}
+}
+
+// openQuickActions opens the quick actions window by spawning a new process.
+func (s *serviceClient) openQuickActions() {
+	proc, err := os.Executable()
+	if err != nil {
+		log.Errorf("get executable path: %v", err)
+		return
+	}
+
+	cmd := exec.CommandContext(s.ctx, proc,
+		"--quick-actions=true",
+		"--daemon-addr="+s.addr,
+	)
+
+	if out := s.attachOutput(cmd); out != nil {
+		defer func() {
+			if err := out.Close(); err != nil {
+				log.Errorf("close log file %s: %v", s.logFile, err)
+			}
+		}()
+	}
+
+	log.Infof("running command: %s --quick-actions=true --daemon-addr=%s", proc, s.addr)
+
+	if err := cmd.Start(); err != nil {
+		log.Errorf("error starting quick actions window: %v", err)
+		return
+	}
+
+	go func() {
+		if err := cmd.Wait(); err != nil {
+			log.Debugf("quick actions window exited: %v", err)
+		}
+	}()
+}
+
+func sendShowWindowSignal(pid int32) error {
+	_, err := os.FindProcess(int(pid))
+	if err != nil {
+		return err
+	}
+
+	eventNamePtr, err := getEventNameUint16Pointer()
+	if err != nil {
+		return err
+	}
+
+	eventHandle, err := windows.OpenEvent(desiredAccesses, false, eventNamePtr)
+	if err != nil {
+		return err
+	}
+
+	err = windows.SetEvent(eventHandle)
+	if err != nil {
+		return fmt.Errorf("Error setting event: %w", err)
+	}
+
+	return nil
+}
--- a/go.mod
+++ b/go.mod
@@ -16,7 +16,7 @@ require (
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
-	github.com/vishvananda/netlink v1.3.0
+	github.com/vishvananda/netlink v1.3.1
 	golang.org/x/crypto v0.40.0
 	golang.org/x/sys v0.34.0
 	golang.zx2c4.com/wireguard v0.0.0-20230704135630-469159ecf7d1
@@ -28,8 +28,8 @@ require (
 )

 require (
-	fyne.io/fyne/v2 v2.5.3
-	fyne.io/systray v1.11.0
+	fyne.io/fyne/v2 v2.7.0
+	fyne.io/systray v1.11.1-0.20250603113521-ca66a66d8b58
 	github.com/TheJumpCloud/jcapi-go v3.0.0+incompatible
 	github.com/aws/aws-sdk-go-v2 v1.36.3
 	github.com/aws/aws-sdk-go-v2/config v1.29.14
@@ -43,7 +43,7 @@ require (
 	github.com/eko/gocache/lib/v4 v4.2.0
 	github.com/eko/gocache/store/go_cache/v4 v4.2.2
 	github.com/eko/gocache/store/redis/v4 v4.2.2
-	github.com/fsnotify/fsnotify v1.7.0
+	github.com/fsnotify/fsnotify v1.9.0
 	github.com/gliderlabs/ssh v0.3.8
 	github.com/godbus/dbus/v5 v5.1.0
 	github.com/golang-jwt/jwt/v5 v5.3.0
@@ -56,12 +56,13 @@ require (
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-secure-stdlib/base62 v0.1.2
 	github.com/hashicorp/go-version v1.6.0
+	github.com/jackc/pgx/v5 v5.5.5
 	github.com/libdns/route53 v1.5.0
 	github.com/libp2p/go-netroute v0.2.1
+	github.com/lrh3321/ipset-go v0.0.0-20250619021614-54a0a98ace81
 	github.com/mdlayher/socket v0.5.1
 	github.com/miekg/dns v1.1.59
 	github.com/mitchellh/hashstructure/v2 v2.0.2
-	github.com/nadoo/ipset v0.5.0
 	github.com/netbirdio/management-integrations/integrations v0.0.0-20251027212525-d751b79f5d48
 	github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45
 	github.com/okta/okta-sdk-golang/v2 v2.18.0
@@ -76,13 +77,13 @@ require (
 	github.com/pion/transport/v3 v3.0.7
 	github.com/pion/turn/v3 v3.0.1
 	github.com/prometheus/client_golang v1.22.0
-	github.com/quic-go/quic-go v0.48.2
+	github.com/quic-go/quic-go v0.49.1
 	github.com/redis/go-redis/v9 v9.7.3
 	github.com/rs/xid v1.3.0
 	github.com/shirou/gopsutil/v3 v3.24.4
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
 	github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8
-	github.com/stretchr/testify v1.10.0
+	github.com/stretchr/testify v1.11.1
 	github.com/testcontainers/testcontainers-go v0.31.0
 	github.com/testcontainers/testcontainers-go/modules/mysql v0.31.0
 	github.com/testcontainers/testcontainers-go/modules/postgres v0.31.0
@@ -98,15 +99,17 @@ require (
 	go.opentelemetry.io/otel/exporters/prometheus v0.48.0
 	go.opentelemetry.io/otel/metric v1.35.0
 	go.opentelemetry.io/otel/sdk/metric v1.35.0
+	go.uber.org/mock v0.5.0
 	go.uber.org/zap v1.27.0
 	goauthentik.io/api/v3 v3.2023051.3
 	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842
 	golang.org/x/mobile v0.0.0-20231127183840-76ac6878050a
-	golang.org/x/mod v0.25.0
+	golang.org/x/mod v0.26.0
 	golang.org/x/net v0.42.0
-	golang.org/x/oauth2 v0.28.0
+	golang.org/x/oauth2 v0.30.0
 	golang.org/x/sync v0.16.0
 	golang.org/x/term v0.33.0
+	golang.org/x/time v0.12.0
 	google.golang.org/api v0.177.0
 	gopkg.in/yaml.v3 v3.0.1
 	gorm.io/driver/mysql v1.5.7
@@ -123,7 +126,7 @@ require (
 	dario.cat/mergo v1.0.0 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
-	github.com/BurntSushi/toml v1.4.0 // indirect
+	github.com/BurntSushi/toml v1.5.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/Microsoft/hcsshim v0.12.3 // indirect
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
@@ -146,7 +149,7 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/caddyserver/zerossl v0.1.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/containerd/containerd v1.7.27 // indirect
+	github.com/containerd/containerd v1.7.29 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v0.2.1 // indirect
 	github.com/cpuguy83/dockercfg v0.3.2 // indirect
@@ -157,11 +160,12 @@ require (
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fredbi/uri v1.1.0 // indirect
-	github.com/fyne-io/gl-js v0.0.0-20220119005834-d2da28d9ccfe // indirect
-	github.com/fyne-io/glfw-js v0.0.0-20241126112943-313d8a0fe1d0 // indirect
-	github.com/fyne-io/image v0.0.0-20220602074514-4956b0afb3d2 // indirect
-	github.com/go-gl/gl v0.0.0-20211210172815-726fda9656d6 // indirect
+	github.com/fredbi/uri v1.1.1 // indirect
+	github.com/fyne-io/gl-js v0.2.0 // indirect
+	github.com/fyne-io/glfw-js v0.3.0 // indirect
+	github.com/fyne-io/image v0.1.1 // indirect
+	github.com/fyne-io/oksvg v0.2.0 // indirect
+	github.com/go-gl/gl v0.0.0-20231021071112-07e5d0ea2e71 // indirect
 	github.com/go-gl/glfw/v3.3/glfw v0.0.0-20240506104042-037f3cc74f2a // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
@@ -169,7 +173,7 @@ require (
 	github.com/go-sql-driver/mysql v1.8.1 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/go-text/render v0.2.0 // indirect
-	github.com/go-text/typesetting v0.2.0 // indirect
+	github.com/go-text/typesetting v0.2.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/btree v1.1.2 // indirect
@@ -177,19 +181,19 @@ require (
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.3 // indirect
-	github.com/gopherjs/gopherjs v1.17.2 // indirect
+	github.com/hack-pad/go-indexeddb v0.3.2 // indirect
+	github.com/hack-pad/safejs v0.1.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
-	github.com/jackc/pgx/v5 v5.5.5 // indirect
 	github.com/jackc/puddle/v2 v2.2.1 // indirect
-	github.com/jeandeaual/go-locale v0.0.0-20240223122105-ce5225dcaa49 // indirect
+	github.com/jeandeaual/go-locale v0.0.0-20250612000132-0ef82f21eade // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/jsummers/gobmp v0.0.0-20151104160322-e2ba15ffa76e // indirect
+	github.com/jsummers/gobmp v0.0.0-20230614200233-a9de23ed2e25 // indirect
 	github.com/kelseyhightower/envconfig v1.4.0 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.7 // indirect
@@ -208,7 +212,8 @@ require (
 	github.com/moby/term v0.5.0 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/nicksnyder/go-i18n/v2 v2.4.0 // indirect
+	github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 // indirect
+	github.com/nicksnyder/go-i18n/v2 v2.5.1 // indirect
 	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/onsi/ginkgo/v2 v2.9.5 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
@@ -224,28 +229,26 @@ require (
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.62.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/rymdport/portal v0.3.0 // indirect
+	github.com/rymdport/portal v0.4.2 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/srwiley/oksvg v0.0.0-20221011165216-be6e8873101c // indirect
 	github.com/srwiley/rasterx v0.0.0-20220730225603-2ab79fcdd4ef // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/tklauser/go-sysconf v0.3.14 // indirect
 	github.com/tklauser/numcpus v0.8.0 // indirect
-	github.com/vishvananda/netns v0.0.4 // indirect
+	github.com/vishvananda/netns v0.0.5 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	github.com/wlynxg/anet v0.0.3 // indirect
-	github.com/yuin/goldmark v1.7.1 // indirect
+	github.com/yuin/goldmark v1.7.8 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.35.0 // indirect
 	go.opentelemetry.io/otel/trace v1.35.0 // indirect
-	go.uber.org/mock v0.4.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/image v0.18.0 // indirect
+	golang.org/x/image v0.24.0 // indirect
 	golang.org/x/text v0.27.0 // indirect
-	golang.org/x/time v0.5.0 // indirect
 	golang.org/x/tools v0.34.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
--- a/go.sum
+++ b/go.sum
--- a/management/internals/controllers/network_map/controller/cache/dns_config_cache.go
+++ b/management/internals/controllers/network_map/controller/cache/dns_config_cache.go
@@ -0,0 +1,31 @@
+package cache
+
+import (
+	"sync"
+
+	"github.com/netbirdio/netbird/shared/management/proto"
+)
+
+// DNSConfigCache is a thread-safe cache for DNS configuration components
+type DNSConfigCache struct {
+	NameServerGroups sync.Map
+}
+
+// GetNameServerGroup retrieves a cached name server group
+func (c *DNSConfigCache) GetNameServerGroup(key string) (*proto.NameServerGroup, bool) {
+	if c == nil {
+		return nil, false
+	}
+	if value, ok := c.NameServerGroups.Load(key); ok {
+		return value.(*proto.NameServerGroup), true
+	}
+	return nil, false
+}
+
+// SetNameServerGroup stores a name server group in the cache
+func (c *DNSConfigCache) SetNameServerGroup(key string, value *proto.NameServerGroup) {
+	if c == nil {
+		return
+	}
+	c.NameServerGroups.Store(key, value)
+}
--- a/management/internals/controllers/network_map/controller/controller.go
+++ b/management/internals/controllers/network_map/controller/controller.go
@@ -0,0 +1,784 @@
+package controller
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"slices"
+	"strconv"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/exp/maps"
+	"golang.org/x/mod/semver"
+
+	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
+	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller/cache"
+	"github.com/netbirdio/netbird/management/internals/shared/grpc"
+	"github.com/netbirdio/netbird/management/server/account"
+	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator"
+	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/posture"
+	"github.com/netbirdio/netbird/management/server/settings"
+	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/management/server/telemetry"
+	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/shared/management/proto"
+	"github.com/netbirdio/netbird/shared/management/status"
+	"github.com/netbirdio/netbird/util"
+)
+
+type Controller struct {
+	repo    Repository
+	metrics *metrics
+	// This should not be here, but we need to maintain it for the time being
+	accountManagerMetrics *telemetry.AccountManagerMetrics
+	peersUpdateManager    network_map.PeersUpdateManager
+	settingsManager       settings.Manager
+
+	accountUpdateLocks               sync.Map
+	sendAccountUpdateLocks           sync.Map
+	updateAccountPeersBufferInterval atomic.Int64
+	// dnsDomain is used for peer resolution. This is appended to the peer's name
+	dnsDomain string
+
+	requestBuffer account.RequestBuffer
+
+	proxyController port_forwarding.Controller
+
+	integratedPeerValidator integrated_validator.IntegratedValidator
+
+	holder *types.Holder
+
+	expNewNetworkMap     bool
+	expNewNetworkMapAIDs map[string]struct{}
+}
+
+type bufferUpdate struct {
+	mu     sync.Mutex
+	next   *time.Timer
+	update atomic.Bool
+}
+
+var _ network_map.Controller = (*Controller)(nil)
+
+func NewController(ctx context.Context, store store.Store, metrics telemetry.AppMetrics, peersUpdateManager network_map.PeersUpdateManager, requestBuffer account.RequestBuffer, integratedPeerValidator integrated_validator.IntegratedValidator, settingsManager settings.Manager, dnsDomain string, proxyController port_forwarding.Controller) *Controller {
+	nMetrics, err := newMetrics(metrics.UpdateChannelMetrics())
+	if err != nil {
+		log.Fatal(fmt.Errorf("error creating metrics: %w", err))
+	}
+
+	newNetworkMapBuilder, err := strconv.ParseBool(os.Getenv(network_map.EnvNewNetworkMapBuilder))
+	if err != nil {
+		log.WithContext(ctx).Warnf("failed to parse %s, using default value false: %v", network_map.EnvNewNetworkMapBuilder, err)
+		newNetworkMapBuilder = false
+	}
+
+	ids := strings.Split(os.Getenv(network_map.EnvNewNetworkMapAccounts), ",")
+	expIDs := make(map[string]struct{}, len(ids))
+	for _, id := range ids {
+		expIDs[id] = struct{}{}
+	}
+
+	return &Controller{
+		repo:                    newRepository(store),
+		metrics:                 nMetrics,
+		accountManagerMetrics:   metrics.AccountManagerMetrics(),
+		peersUpdateManager:      peersUpdateManager,
+		requestBuffer:           requestBuffer,
+		integratedPeerValidator: integratedPeerValidator,
+		settingsManager:         settingsManager,
+		dnsDomain:               dnsDomain,
+
+		proxyController: proxyController,
+
+		holder:               types.NewHolder(),
+		expNewNetworkMap:     newNetworkMapBuilder,
+		expNewNetworkMapAIDs: expIDs,
+	}
+}
+
+func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID string) error {
+	log.WithContext(ctx).Tracef("updating peers for account %s from %s", accountID, util.GetCallerName())
+	var (
+		account *types.Account
+		err     error
+	)
+	if c.experimentalNetworkMap(accountID) {
+		account = c.getAccountFromHolderOrInit(accountID)
+	} else {
+		account, err = c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
+		if err != nil {
+			return fmt.Errorf("failed to get account: %v", err)
+		}
+	}
+
+	globalStart := time.Now()
+
+	hasPeersConnected := false
+	for _, peer := range account.Peers {
+		if c.peersUpdateManager.HasChannel(peer.ID) {
+			hasPeersConnected = true
+			break
+		}
+
+	}
+
+	if !hasPeersConnected {
+		return nil
+	}
+
+	approvedPeersMap, err := c.integratedPeerValidator.GetValidatedPeers(ctx, account.Id, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
+	if err != nil {
+		return fmt.Errorf("failed to get validate peers: %v", err)
+	}
+
+	var wg sync.WaitGroup
+	semaphore := make(chan struct{}, 10)
+
+	dnsCache := &cache.DNSConfigCache{}
+	dnsDomain := c.GetDNSDomain(account.Settings)
+	customZone := account.GetPeersCustomZone(ctx, dnsDomain)
+	resourcePolicies := account.GetResourcePoliciesMap()
+	routers := account.GetResourceRoutersMap()
+
+	if c.experimentalNetworkMap(accountID) {
+		c.initNetworkMapBuilderIfNeeded(account, approvedPeersMap)
+	}
+
+	proxyNetworkMaps, err := c.proxyController.GetProxyNetworkMapsAll(ctx, accountID, account.Peers)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to get proxy network maps: %v", err)
+		return fmt.Errorf("failed to get proxy network maps: %v", err)
+	}
+
+	extraSetting, err := c.settingsManager.GetExtraSettings(ctx, accountID)
+	if err != nil {
+		return fmt.Errorf("failed to get flow enabled status: %v", err)
+	}
+
+	dnsFwdPort := computeForwarderPort(maps.Values(account.Peers), network_map.DnsForwarderPortMinVersion)
+
+	for _, peer := range account.Peers {
+		if !c.peersUpdateManager.HasChannel(peer.ID) {
+			log.WithContext(ctx).Tracef("peer %s doesn't have a channel, skipping network map update", peer.ID)
+			continue
+		}
+
+		wg.Add(1)
+		semaphore <- struct{}{}
+		go func(p *nbpeer.Peer) {
+			defer wg.Done()
+			defer func() { <-semaphore }()
+
+			start := time.Now()
+
+			postureChecks, err := c.getPeerPostureChecks(account, p.ID)
+			if err != nil {
+				log.WithContext(ctx).Debugf("failed to get posture checks for peer %s: %v", p.ID, err)
+				return
+			}
+
+			c.metrics.CountCalcPostureChecksDuration(time.Since(start))
+			start = time.Now()
+
+			var remotePeerNetworkMap *types.NetworkMap
+
+			if c.experimentalNetworkMap(accountID) {
+				remotePeerNetworkMap = c.getPeerNetworkMapExp(ctx, p.AccountID, p.ID, approvedPeersMap, customZone, c.accountManagerMetrics)
+			} else {
+				remotePeerNetworkMap = account.GetPeerNetworkMap(ctx, p.ID, customZone, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics)
+			}
+
+			c.metrics.CountCalcPeerNetworkMapDuration(time.Since(start))
+
+			proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
+			if ok {
+				remotePeerNetworkMap.Merge(proxyNetworkMap)
+			}
+
+			peerGroups := account.GetPeerGroups(p.ID)
+			start = time.Now()
+			update := grpc.ToSyncResponse(ctx, nil, p, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSetting, maps.Keys(peerGroups), dnsFwdPort)
+			c.metrics.CountToSyncResponseDuration(time.Since(start))
+
+			c.peersUpdateManager.SendUpdate(ctx, p.ID, &network_map.UpdateMessage{Update: update})
+		}(peer)
+	}
+
+	wg.Wait()
+	if c.accountManagerMetrics != nil {
+		c.accountManagerMetrics.CountUpdateAccountPeersDuration(time.Since(globalStart))
+	}
+
+	return nil
+}
+
+func (c *Controller) bufferSendUpdateAccountPeers(ctx context.Context, accountID string) error {
+	log.WithContext(ctx).Tracef("buffer sending update peers for account %s from %s", accountID, util.GetCallerName())
+
+	bufUpd, _ := c.sendAccountUpdateLocks.LoadOrStore(accountID, &bufferUpdate{})
+	b := bufUpd.(*bufferUpdate)
+
+	if !b.mu.TryLock() {
+		b.update.Store(true)
+		return nil
+	}
+
+	if b.next != nil {
+		b.next.Stop()
+	}
+
+	go func() {
+		defer b.mu.Unlock()
+		_ = c.sendUpdateAccountPeers(ctx, accountID)
+		if !b.update.Load() {
+			return
+		}
+		b.update.Store(false)
+		if b.next == nil {
+			b.next = time.AfterFunc(time.Duration(c.updateAccountPeersBufferInterval.Load()), func() {
+				_ = c.sendUpdateAccountPeers(ctx, accountID)
+			})
+			return
+		}
+		b.next.Reset(time.Duration(c.updateAccountPeersBufferInterval.Load()))
+	}()
+
+	return nil
+}
+
+// UpdatePeers updates all peers that belong to an account.
+// Should be called when changes have to be synced to peers.
+func (c *Controller) UpdateAccountPeers(ctx context.Context, accountID string) error {
+	if err := c.RecalculateNetworkMapCache(ctx, accountID); err != nil {
+		return fmt.Errorf("recalculate network map cache: %v", err)
+	}
+
+	return c.sendUpdateAccountPeers(ctx, accountID)
+}
+
+func (c *Controller) UpdateAccountPeer(ctx context.Context, accountId string, peerId string) error {
+	if !c.peersUpdateManager.HasChannel(peerId) {
+		return fmt.Errorf("peer %s doesn't have a channel, skipping network map update", peerId)
+	}
+
+	account, err := c.requestBuffer.GetAccountWithBackpressure(ctx, accountId)
+	if err != nil {
+		return fmt.Errorf("failed to send out updates to peer %s: %v", peerId, err)
+	}
+
+	peer := account.GetPeer(peerId)
+	if peer == nil {
+		return fmt.Errorf("peer %s doesn't exists in account %s", peerId, accountId)
+	}
+
+	approvedPeersMap, err := c.integratedPeerValidator.GetValidatedPeers(ctx, account.Id, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
+	if err != nil {
+		return fmt.Errorf("failed to get validated peers: %v", err)
+	}
+
+	dnsCache := &cache.DNSConfigCache{}
+	dnsDomain := c.GetDNSDomain(account.Settings)
+	customZone := account.GetPeersCustomZone(ctx, dnsDomain)
+	resourcePolicies := account.GetResourcePoliciesMap()
+	routers := account.GetResourceRoutersMap()
+
+	postureChecks, err := c.getPeerPostureChecks(account, peerId)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to send update to peer %s, failed to get posture checks: %v", peerId, err)
+		return fmt.Errorf("failed to get posture checks for peer %s: %v", peerId, err)
+	}
+
+	proxyNetworkMaps, err := c.proxyController.GetProxyNetworkMaps(ctx, account.Id, peer.ID, account.Peers)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to get proxy network maps: %v", err)
+		return err
+	}
+
+	var remotePeerNetworkMap *types.NetworkMap
+
+	if c.experimentalNetworkMap(accountId) {
+		remotePeerNetworkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peer.ID, approvedPeersMap, customZone, c.accountManagerMetrics)
+	} else {
+		remotePeerNetworkMap = account.GetPeerNetworkMap(ctx, peerId, customZone, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics)
+	}
+
+	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
+	if ok {
+		remotePeerNetworkMap.Merge(proxyNetworkMap)
+	}
+
+	extraSettings, err := c.settingsManager.GetExtraSettings(ctx, peer.AccountID)
+	if err != nil {
+		return fmt.Errorf("failed to get extra settings: %v", err)
+	}
+
+	peerGroups := account.GetPeerGroups(peerId)
+	dnsFwdPort := computeForwarderPort(maps.Values(account.Peers), network_map.DnsForwarderPortMinVersion)
+
+	update := grpc.ToSyncResponse(ctx, nil, peer, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSettings, maps.Keys(peerGroups), dnsFwdPort)
+	c.peersUpdateManager.SendUpdate(ctx, peer.ID, &network_map.UpdateMessage{Update: update})
+
+	return nil
+}
+
+func (c *Controller) BufferUpdateAccountPeers(ctx context.Context, accountID string) error {
+	log.WithContext(ctx).Tracef("buffer updating peers for account %s from %s", accountID, util.GetCallerName())
+
+	bufUpd, _ := c.accountUpdateLocks.LoadOrStore(accountID, &bufferUpdate{})
+	b := bufUpd.(*bufferUpdate)
+
+	if !b.mu.TryLock() {
+		b.update.Store(true)
+		return nil
+	}
+
+	if b.next != nil {
+		b.next.Stop()
+	}
+
+	go func() {
+		defer b.mu.Unlock()
+		_ = c.UpdateAccountPeers(ctx, accountID)
+		if !b.update.Load() {
+			return
+		}
+		b.update.Store(false)
+		if b.next == nil {
+			b.next = time.AfterFunc(time.Duration(c.updateAccountPeersBufferInterval.Load()), func() {
+				_ = c.UpdateAccountPeers(ctx, accountID)
+			})
+			return
+		}
+		b.next.Reset(time.Duration(c.updateAccountPeersBufferInterval.Load()))
+	}()
+
+	return nil
+}
+
+func (c *Controller) DeletePeer(ctx context.Context, accountId string, peerId string) error {
+	network, err := c.repo.GetAccountNetwork(ctx, accountId)
+	if err != nil {
+		return err
+	}
+
+	peers, err := c.repo.GetAccountPeers(ctx, accountId)
+	if err != nil {
+		return err
+	}
+
+	dnsFwdPort := computeForwarderPort(peers, network_map.DnsForwarderPortMinVersion)
+	c.peersUpdateManager.SendUpdate(ctx, peerId, &network_map.UpdateMessage{
+		Update: &proto.SyncResponse{
+			RemotePeers:        []*proto.RemotePeerConfig{},
+			RemotePeersIsEmpty: true,
+			NetworkMap: &proto.NetworkMap{
+				Serial:               network.CurrentSerial(),
+				RemotePeers:          []*proto.RemotePeerConfig{},
+				RemotePeersIsEmpty:   true,
+				FirewallRules:        []*proto.FirewallRule{},
+				FirewallRulesIsEmpty: true,
+				DNSConfig: &proto.DNSConfig{
+					ForwarderPort: dnsFwdPort,
+				},
+			},
+		},
+	})
+	c.peersUpdateManager.CloseChannel(ctx, peerId)
+	return nil
+}
+
+func (c *Controller) GetValidatedPeerWithMap(ctx context.Context, isRequiresApproval bool, accountID string, peer *nbpeer.Peer) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error) {
+	if isRequiresApproval {
+		network, err := c.repo.GetAccountNetwork(ctx, accountID)
+		if err != nil {
+			return nil, nil, nil, 0, err
+		}
+
+		emptyMap := &types.NetworkMap{
+			Network: network.Copy(),
+		}
+		return peer, emptyMap, nil, 0, nil
+	}
+
+	var (
+		account *types.Account
+		err     error
+	)
+	if c.experimentalNetworkMap(accountID) {
+		account = c.getAccountFromHolderOrInit(accountID)
+	} else {
+		account, err = c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
+		if err != nil {
+			return nil, nil, nil, 0, err
+		}
+	}
+
+	approvedPeersMap, err := c.integratedPeerValidator.GetValidatedPeers(ctx, account.Id, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
+	if err != nil {
+		return nil, nil, nil, 0, err
+	}
+
+	startPosture := time.Now()
+	postureChecks, err := c.getPeerPostureChecks(account, peer.ID)
+	if err != nil {
+		return nil, nil, nil, 0, err
+	}
+	log.WithContext(ctx).Debugf("getPeerPostureChecks took %s", time.Since(startPosture))
+
+	customZone := account.GetPeersCustomZone(ctx, c.GetDNSDomain(account.Settings))
+
+	proxyNetworkMaps, err := c.proxyController.GetProxyNetworkMaps(ctx, account.Id, peer.ID, account.Peers)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to get proxy network maps: %v", err)
+		return nil, nil, nil, 0, err
+	}
+
+	var networkMap *types.NetworkMap
+
+	if c.experimentalNetworkMap(accountID) {
+		networkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peer.ID, approvedPeersMap, customZone, c.accountManagerMetrics)
+	} else {
+		networkMap = account.GetPeerNetworkMap(ctx, peer.ID, customZone, approvedPeersMap, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), c.accountManagerMetrics)
+	}
+
+	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
+	if ok {
+		networkMap.Merge(proxyNetworkMap)
+	}
+
+	dnsFwdPort := computeForwarderPort(maps.Values(account.Peers), network_map.DnsForwarderPortMinVersion)
+
+	return peer, networkMap, postureChecks, dnsFwdPort, nil
+}
+
+func (c *Controller) initNetworkMapBuilderIfNeeded(account *types.Account, validatedPeers map[string]struct{}) {
+	c.enrichAccountFromHolder(account)
+	account.InitNetworkMapBuilderIfNeeded(validatedPeers)
+}
+
+func (c *Controller) getPeerNetworkMapExp(
+	ctx context.Context,
+	accountId string,
+	peerId string,
+	validatedPeers map[string]struct{},
+	customZone nbdns.CustomZone,
+	metrics *telemetry.AccountManagerMetrics,
+) *types.NetworkMap {
+	account := c.getAccountFromHolderOrInit(accountId)
+	if account == nil {
+		log.WithContext(ctx).Warnf("account %s not found in holder when getting peer network map", accountId)
+		return &types.NetworkMap{
+			Network: &types.Network{},
+		}
+	}
+	return account.GetPeerNetworkMapExp(ctx, peerId, customZone, validatedPeers, metrics)
+}
+
+func (c *Controller) onPeerAddedUpdNetworkMapCache(account *types.Account, peerId string) error {
+	c.enrichAccountFromHolder(account)
+	return account.OnPeerAddedUpdNetworkMapCache(peerId)
+}
+
+func (c *Controller) onPeerDeletedUpdNetworkMapCache(account *types.Account, peerId string) error {
+	c.enrichAccountFromHolder(account)
+	return account.OnPeerDeletedUpdNetworkMapCache(peerId)
+}
+
+func (c *Controller) UpdatePeerInNetworkMapCache(accountId string, peer *nbpeer.Peer) {
+	account := c.getAccountFromHolder(accountId)
+	if account == nil {
+		return
+	}
+	account.UpdatePeerInNetworkMapCache(peer)
+}
+
+func (c *Controller) recalculateNetworkMapCache(account *types.Account, validatedPeers map[string]struct{}) {
+	account.RecalculateNetworkMapCache(validatedPeers)
+	c.updateAccountInHolder(account)
+}
+
+func (c *Controller) RecalculateNetworkMapCache(ctx context.Context, accountId string) error {
+	if c.experimentalNetworkMap(accountId) {
+		account, err := c.requestBuffer.GetAccountWithBackpressure(ctx, accountId)
+		if err != nil {
+			return err
+		}
+		validatedPeers, err := c.integratedPeerValidator.GetValidatedPeers(ctx, account.Id, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
+		if err != nil {
+			log.WithContext(ctx).Errorf("failed to get validate peers: %v", err)
+			return err
+		}
+		c.recalculateNetworkMapCache(account, validatedPeers)
+	}
+	return nil
+}
+
+func (c *Controller) experimentalNetworkMap(accountId string) bool {
+	_, ok := c.expNewNetworkMapAIDs[accountId]
+	return c.expNewNetworkMap || ok
+}
+
+func (c *Controller) enrichAccountFromHolder(account *types.Account) {
+	a := c.holder.GetAccount(account.Id)
+	if a == nil {
+		c.holder.AddAccount(account)
+		return
+	}
+	account.NetworkMapCache = a.NetworkMapCache
+	if account.NetworkMapCache == nil {
+		return
+	}
+	account.NetworkMapCache.UpdateAccountPointer(account)
+	c.holder.AddAccount(account)
+}
+
+func (c *Controller) getAccountFromHolder(accountID string) *types.Account {
+	return c.holder.GetAccount(accountID)
+}
+
+func (c *Controller) getAccountFromHolderOrInit(accountID string) *types.Account {
+	a := c.holder.GetAccount(accountID)
+	if a != nil {
+		return a
+	}
+	account, err := c.holder.LoadOrStoreFunc(accountID, c.requestBuffer.GetAccountWithBackpressure)
+	if err != nil {
+		return nil
+	}
+	return account
+}
+
+func (c *Controller) updateAccountInHolder(account *types.Account) {
+	c.holder.AddAccount(account)
+}
+
+// GetDNSDomain returns the configured dnsDomain
+func (c *Controller) GetDNSDomain(settings *types.Settings) string {
+	if settings == nil {
+		return c.dnsDomain
+	}
+	if settings.DNSDomain == "" {
+		return c.dnsDomain
+	}
+
+	return settings.DNSDomain
+}
+
+// getPeerPostureChecks returns the posture checks applied for a given peer.
+func (c *Controller) getPeerPostureChecks(account *types.Account, peerID string) ([]*posture.Checks, error) {
+	peerPostureChecks := make(map[string]*posture.Checks)
+
+	if len(account.PostureChecks) == 0 {
+		return nil, nil
+	}
+
+	for _, policy := range account.Policies {
+		if !policy.Enabled || len(policy.SourcePostureChecks) == 0 {
+			continue
+		}
+
+		if err := addPolicyPostureChecks(account, peerID, policy, peerPostureChecks); err != nil {
+			return nil, err
+		}
+	}
+
+	return maps.Values(peerPostureChecks), nil
+}
+
+func (c *Controller) StartWarmup(ctx context.Context) {
+	var initialInterval int64
+	intervalStr := os.Getenv("NB_PEER_UPDATE_INTERVAL_MS")
+	interval, err := strconv.Atoi(intervalStr)
+	if err != nil {
+		initialInterval = 1
+		log.WithContext(ctx).Warnf("failed to parse peer update interval, using default value %dms: %v", initialInterval, err)
+	} else {
+		initialInterval = int64(interval) * 10
+		go func() {
+			startupPeriodStr := os.Getenv("NB_PEER_UPDATE_STARTUP_PERIOD_S")
+			startupPeriod, err := strconv.Atoi(startupPeriodStr)
+			if err != nil {
+				startupPeriod = 1
+				log.WithContext(ctx).Warnf("failed to parse peer update startup period, using default value %ds: %v", startupPeriod, err)
+			}
+			time.Sleep(time.Duration(startupPeriod) * time.Second)
+			c.updateAccountPeersBufferInterval.Store(int64(time.Duration(interval) * time.Millisecond))
+			log.WithContext(ctx).Infof("set peer update buffer interval to %dms", interval)
+		}()
+	}
+	c.updateAccountPeersBufferInterval.Store(int64(time.Duration(initialInterval) * time.Millisecond))
+	log.WithContext(ctx).Infof("set peer update buffer interval to %dms", initialInterval)
+
+}
+
+// computeForwarderPort checks if all peers in the account have updated to a specific version or newer.
+// If all peers have the required version, it returns the new well-known port (22054), otherwise returns 0.
+func computeForwarderPort(peers []*nbpeer.Peer, requiredVersion string) int64 {
+	if len(peers) == 0 {
+		return int64(network_map.OldForwarderPort)
+	}
+
+	reqVer := semver.Canonical(requiredVersion)
+
+	// Check if all peers have the required version or newer
+	for _, peer := range peers {
+
+		// Development version is always supported
+		if peer.Meta.WtVersion == "development" {
+			continue
+		}
+		peerVersion := semver.Canonical("v" + peer.Meta.WtVersion)
+		if peerVersion == "" {
+			// If any peer doesn't have version info, return 0
+			return int64(network_map.OldForwarderPort)
+		}
+
+		// Compare versions
+		if semver.Compare(peerVersion, reqVer) < 0 {
+			return int64(network_map.OldForwarderPort)
+		}
+	}
+
+	// All peers have the required version or newer
+	return int64(network_map.DnsForwarderPort)
+}
+
+// addPolicyPostureChecks adds posture checks from a policy to the peer posture checks map if the peer is in the policy's source groups.
+func addPolicyPostureChecks(account *types.Account, peerID string, policy *types.Policy, peerPostureChecks map[string]*posture.Checks) error {
+	isInGroup, err := isPeerInPolicySourceGroups(account, peerID, policy)
+	if err != nil {
+		return err
+	}
+
+	if !isInGroup {
+		return nil
+	}
+
+	for _, sourcePostureCheckID := range policy.SourcePostureChecks {
+		postureCheck := account.GetPostureChecks(sourcePostureCheckID)
+		if postureCheck == nil {
+			return errors.New("failed to add policy posture checks: posture checks not found")
+		}
+		peerPostureChecks[sourcePostureCheckID] = postureCheck
+	}
+
+	return nil
+}
+
+// isPeerInPolicySourceGroups checks if a peer is present in any of the policy rule source groups.
+func isPeerInPolicySourceGroups(account *types.Account, peerID string, policy *types.Policy) (bool, error) {
+	for _, rule := range policy.Rules {
+		if !rule.Enabled {
+			continue
+		}
+
+		for _, sourceGroup := range rule.Sources {
+			group := account.GetGroup(sourceGroup)
+			if group == nil {
+				return false, fmt.Errorf("failed to check peer in policy source group: group not found")
+			}
+
+			if slices.Contains(group.Peers, peerID) {
+				return true, nil
+			}
+		}
+	}
+
+	return false, nil
+}
+
+func (c *Controller) OnPeerUpdated(accountId string, peer *nbpeer.Peer) {
+	c.UpdatePeerInNetworkMapCache(accountId, peer)
+	_ = c.bufferSendUpdateAccountPeers(context.Background(), accountId)
+}
+
+func (c *Controller) OnPeerAdded(ctx context.Context, accountID string, peerID string) error {
+	if c.experimentalNetworkMap(accountID) {
+		account, err := c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
+		if err != nil {
+			return err
+		}
+
+		err = c.onPeerAddedUpdNetworkMapCache(account, peerID)
+		if err != nil {
+			return err
+		}
+	}
+	return c.bufferSendUpdateAccountPeers(ctx, accountID)
+}
+
+func (c *Controller) OnPeerDeleted(ctx context.Context, accountID string, peerID string) error {
+	if c.experimentalNetworkMap(accountID) {
+		account, err := c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
+		if err != nil {
+			return err
+		}
+		err = c.onPeerDeletedUpdNetworkMapCache(account, peerID)
+		if err != nil {
+			return err
+		}
+	}
+
+	return c.bufferSendUpdateAccountPeers(ctx, accountID)
+}
+
+// GetNetworkMap returns Network map for a given peer (omits original peer from the Peers result)
+func (c *Controller) GetNetworkMap(ctx context.Context, peerID string) (*types.NetworkMap, error) {
+	account, err := c.repo.GetAccountByPeerID(ctx, peerID)
+	if err != nil {
+		return nil, err
+	}
+
+	peer := account.GetPeer(peerID)
+	if peer == nil {
+		return nil, status.Errorf(status.NotFound, "peer with ID %s not found", peerID)
+	}
+
+	groups := make(map[string][]string)
+	for groupID, group := range account.Groups {
+		groups[groupID] = group.Peers
+	}
+
+	validatedPeers, err := c.integratedPeerValidator.GetValidatedPeers(ctx, account.Id, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
+	if err != nil {
+		return nil, err
+	}
+	customZone := account.GetPeersCustomZone(ctx, c.GetDNSDomain(account.Settings))
+
+	proxyNetworkMaps, err := c.proxyController.GetProxyNetworkMaps(ctx, account.Id, peerID, account.Peers)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to get proxy network maps: %v", err)
+		return nil, err
+	}
+
+	var networkMap *types.NetworkMap
+
+	if c.experimentalNetworkMap(peer.AccountID) {
+		networkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peerID, validatedPeers, customZone, nil)
+	} else {
+		networkMap = account.GetPeerNetworkMap(ctx, peer.ID, customZone, validatedPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), nil)
+	}
+
+	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
+	if ok {
+		networkMap.Merge(proxyNetworkMap)
+	}
+
+	return networkMap, nil
+}
+
+func (c *Controller) DisconnectPeers(ctx context.Context, peerIDs []string) {
+	c.peersUpdateManager.CloseChannels(ctx, peerIDs)
+}
+
+func (c *Controller) IsConnected(peerID string) bool {
+	return c.peersUpdateManager.HasChannel(peerID)
+}
--- a/management/internals/controllers/network_map/controller/controller_test.go
+++ b/management/internals/controllers/network_map/controller/controller_test.go
@@ -0,0 +1,244 @@
+package controller
+
+import (
+	"context"
+	"sync"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
+	"github.com/netbirdio/netbird/management/server/mock_server"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+)
+
+func TestComputeForwarderPort(t *testing.T) {
+	// Test with empty peers list
+	peers := []*nbpeer.Peer{}
+	result := computeForwarderPort(peers, "v0.59.0")
+	if result != int64(network_map.OldForwarderPort) {
+		t.Errorf("Expected %d for empty peers list, got %d", network_map.OldForwarderPort, result)
+	}
+
+	// Test with peers that have old versions
+	peers = []*nbpeer.Peer{
+		{
+			Meta: nbpeer.PeerSystemMeta{
+				WtVersion: "0.57.0",
+			},
+		},
+		{
+			Meta: nbpeer.PeerSystemMeta{
+				WtVersion: "0.26.0",
+			},
+		},
+	}
+	result = computeForwarderPort(peers, "v0.59.0")
+	if result != int64(network_map.OldForwarderPort) {
+		t.Errorf("Expected %d for peers with old versions, got %d", network_map.OldForwarderPort, result)
+	}
+
+	// Test with peers that have new versions
+	peers = []*nbpeer.Peer{
+		{
+			Meta: nbpeer.PeerSystemMeta{
+				WtVersion: "0.59.0",
+			},
+		},
+		{
+			Meta: nbpeer.PeerSystemMeta{
+				WtVersion: "0.59.0",
+			},
+		},
+	}
+	result = computeForwarderPort(peers, "v0.59.0")
+	if result != int64(network_map.DnsForwarderPort) {
+		t.Errorf("Expected %d for peers with new versions, got %d", network_map.DnsForwarderPort, result)
+	}
+
+	// Test with peers that have mixed versions
+	peers = []*nbpeer.Peer{
+		{
+			Meta: nbpeer.PeerSystemMeta{
+				WtVersion: "0.59.0",
+			},
+		},
+		{
+			Meta: nbpeer.PeerSystemMeta{
+				WtVersion: "0.57.0",
+			},
+		},
+	}
+	result = computeForwarderPort(peers, "v0.59.0")
+	if result != int64(network_map.OldForwarderPort) {
+		t.Errorf("Expected %d for peers with mixed versions, got %d", network_map.OldForwarderPort, result)
+	}
+
+	// Test with peers that have empty version
+	peers = []*nbpeer.Peer{
+		{
+			Meta: nbpeer.PeerSystemMeta{
+				WtVersion: "",
+			},
+		},
+	}
+	result = computeForwarderPort(peers, "v0.59.0")
+	if result != int64(network_map.OldForwarderPort) {
+		t.Errorf("Expected %d for peers with empty version, got %d", network_map.OldForwarderPort, result)
+	}
+
+	peers = []*nbpeer.Peer{
+		{
+			Meta: nbpeer.PeerSystemMeta{
+				WtVersion: "development",
+			},
+		},
+	}
+	result = computeForwarderPort(peers, "v0.59.0")
+	if result == int64(network_map.OldForwarderPort) {
+		t.Errorf("Expected %d for peers with dev version, got %d", network_map.DnsForwarderPort, result)
+	}
+
+	// Test with peers that have unknown version string
+	peers = []*nbpeer.Peer{
+		{
+			Meta: nbpeer.PeerSystemMeta{
+				WtVersion: "unknown",
+			},
+		},
+	}
+	result = computeForwarderPort(peers, "v0.59.0")
+	if result != int64(network_map.OldForwarderPort) {
+		t.Errorf("Expected %d for peers with unknown version, got %d", network_map.OldForwarderPort, result)
+	}
+}
+
+func TestBufferUpdateAccountPeers(t *testing.T) {
+	const (
+		peersCount            = 1000
+		updateAccountInterval = 50 * time.Millisecond
+	)
+
+	var (
+		deletedPeers, updatePeersDeleted, updatePeersRuns atomic.Int32
+		uapLastRun, dpLastRun                             atomic.Int64
+
+		totalNewRuns, totalOldRuns int
+	)
+
+	uap := func(ctx context.Context, accountID string) {
+		updatePeersDeleted.Store(deletedPeers.Load())
+		updatePeersRuns.Add(1)
+		uapLastRun.Store(time.Now().UnixMilli())
+		time.Sleep(100 * time.Millisecond)
+	}
+
+	t.Run("new approach", func(t *testing.T) {
+		updatePeersRuns.Store(0)
+		updatePeersDeleted.Store(0)
+		deletedPeers.Store(0)
+
+		var mustore sync.Map
+		bufupd := func(ctx context.Context, accountID string) {
+			mu, _ := mustore.LoadOrStore(accountID, &bufferUpdate{})
+			b := mu.(*bufferUpdate)
+
+			if !b.mu.TryLock() {
+				b.update.Store(true)
+				return
+			}
+
+			if b.next != nil {
+				b.next.Stop()
+			}
+
+			go func() {
+				defer b.mu.Unlock()
+				uap(ctx, accountID)
+				if !b.update.Load() {
+					return
+				}
+				b.update.Store(false)
+				b.next = time.AfterFunc(updateAccountInterval, func() {
+					uap(ctx, accountID)
+				})
+			}()
+		}
+		dp := func(ctx context.Context, accountID, peerID, userID string) error {
+			deletedPeers.Add(1)
+			dpLastRun.Store(time.Now().UnixMilli())
+			time.Sleep(10 * time.Millisecond)
+			bufupd(ctx, accountID)
+			return nil
+		}
+
+		am := mock_server.MockAccountManager{
+			UpdateAccountPeersFunc:       uap,
+			BufferUpdateAccountPeersFunc: bufupd,
+			DeletePeerFunc:               dp,
+		}
+		empty := ""
+		for range peersCount {
+			//nolint
+			am.DeletePeer(context.Background(), empty, empty, empty)
+		}
+		time.Sleep(100 * time.Millisecond)
+
+		assert.Equal(t, peersCount, int(deletedPeers.Load()), "Expected all peers to be deleted")
+		assert.Equal(t, peersCount, int(updatePeersDeleted.Load()), "Expected all peers to be updated in the buffer")
+		assert.GreaterOrEqual(t, uapLastRun.Load(), dpLastRun.Load(), "Expected update account peers to run after delete peer")
+
+		totalNewRuns = int(updatePeersRuns.Load())
+	})
+
+	t.Run("old approach", func(t *testing.T) {
+		updatePeersRuns.Store(0)
+		updatePeersDeleted.Store(0)
+		deletedPeers.Store(0)
+
+		var mustore sync.Map
+		bufupd := func(ctx context.Context, accountID string) {
+			mu, _ := mustore.LoadOrStore(accountID, &sync.Mutex{})
+			b := mu.(*sync.Mutex)
+
+			if !b.TryLock() {
+				return
+			}
+
+			go func() {
+				time.Sleep(updateAccountInterval)
+				b.Unlock()
+				uap(ctx, accountID)
+			}()
+		}
+		dp := func(ctx context.Context, accountID, peerID, userID string) error {
+			deletedPeers.Add(1)
+			dpLastRun.Store(time.Now().UnixMilli())
+			time.Sleep(10 * time.Millisecond)
+			bufupd(ctx, accountID)
+			return nil
+		}
+
+		am := mock_server.MockAccountManager{
+			UpdateAccountPeersFunc:       uap,
+			BufferUpdateAccountPeersFunc: bufupd,
+			DeletePeerFunc:               dp,
+		}
+		empty := ""
+		for range peersCount {
+			//nolint
+			am.DeletePeer(context.Background(), empty, empty, empty)
+		}
+		time.Sleep(100 * time.Millisecond)
+
+		assert.Equal(t, peersCount, int(deletedPeers.Load()), "Expected all peers to be deleted")
+		assert.Equal(t, peersCount, int(updatePeersDeleted.Load()), "Expected all peers to be updated in the buffer")
+		assert.GreaterOrEqual(t, uapLastRun.Load(), dpLastRun.Load(), "Expected update account peers to run after delete peer")
+
+		totalOldRuns = int(updatePeersRuns.Load())
+	})
+	assert.Less(t, totalNewRuns, totalOldRuns, "Expected new approach to run less than old approach. New runs: %d, Old runs: %d", totalNewRuns, totalOldRuns)
+	t.Logf("New runs: %d, Old runs: %d", totalNewRuns, totalOldRuns)
+}
--- a/management/internals/controllers/network_map/controller/metrics.go
+++ b/management/internals/controllers/network_map/controller/metrics.go
@@ -0,0 +1,15 @@
+package controller
+
+import (
+	"github.com/netbirdio/netbird/management/server/telemetry"
+)
+
+type metrics struct {
+	*telemetry.UpdateChannelMetrics
+}
+
+func newMetrics(updateChannelMetrics *telemetry.UpdateChannelMetrics) (*metrics, error) {
+	return &metrics{
+		updateChannelMetrics,
+	}, nil
+}
--- a/management/internals/controllers/network_map/controller/repository.go
+++ b/management/internals/controllers/network_map/controller/repository.go
@@ -0,0 +1,39 @@
+package controller
+
+import (
+	"context"
+
+	"github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/management/server/types"
+)
+
+type Repository interface {
+	GetAccountNetwork(ctx context.Context, accountID string) (*types.Network, error)
+	GetAccountPeers(ctx context.Context, accountID string) ([]*peer.Peer, error)
+	GetAccountByPeerID(ctx context.Context, peerID string) (*types.Account, error)
+}
+
+type repository struct {
+	store store.Store
+}
+
+var _ Repository = (*repository)(nil)
+
+func newRepository(s store.Store) Repository {
+	return &repository{
+		store: s,
+	}
+}
+
+func (r *repository) GetAccountNetwork(ctx context.Context, accountID string) (*types.Network, error) {
+	return r.store.GetAccountNetwork(ctx, store.LockingStrengthNone, accountID)
+}
+
+func (r *repository) GetAccountPeers(ctx context.Context, accountID string) ([]*peer.Peer, error) {
+	return r.store.GetAccountPeers(ctx, store.LockingStrengthNone, accountID, "", "")
+}
+
+func (r *repository) GetAccountByPeerID(ctx context.Context, peerID string) (*types.Account, error) {
+	return r.store.GetAccountByPeerID(ctx, peerID)
+}
--- a/management/internals/controllers/network_map/interface.go
+++ b/management/internals/controllers/network_map/interface.go
@@ -0,0 +1,39 @@
+package network_map
+
+//go:generate go run go.uber.org/mock/mockgen -package network_map -destination=interface_mock.go -source=./interface.go -build_flags=-mod=mod
+
+import (
+	"context"
+
+	nbdns "github.com/netbirdio/netbird/dns"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/posture"
+	"github.com/netbirdio/netbird/management/server/types"
+)
+
+const (
+	EnvNewNetworkMapBuilder  = "NB_EXPERIMENT_NETWORK_MAP"
+	EnvNewNetworkMapAccounts = "NB_EXPERIMENT_NETWORK_MAP_ACCOUNTS"
+
+	DnsForwarderPort           = nbdns.ForwarderServerPort
+	OldForwarderPort           = nbdns.ForwarderClientPort
+	DnsForwarderPortMinVersion = "v0.59.0"
+)
+
+type Controller interface {
+	UpdateAccountPeers(ctx context.Context, accountID string) error
+	UpdateAccountPeer(ctx context.Context, accountId string, peerId string) error
+	BufferUpdateAccountPeers(ctx context.Context, accountID string) error
+	GetValidatedPeerWithMap(ctx context.Context, isRequiresApproval bool, accountID string, p *nbpeer.Peer) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error)
+	GetDNSDomain(settings *types.Settings) string
+	StartWarmup(context.Context)
+	GetNetworkMap(ctx context.Context, peerID string) (*types.NetworkMap, error)
+
+	DeletePeer(ctx context.Context, accountId string, peerId string) error
+
+	OnPeerUpdated(accountId string, peer *nbpeer.Peer)
+	OnPeerAdded(ctx context.Context, accountID string, peerID string) error
+	OnPeerDeleted(ctx context.Context, accountID string, peerID string) error
+	DisconnectPeers(ctx context.Context, peerIDs []string)
+	IsConnected(peerID string) bool
+}
--- a/management/internals/controllers/network_map/interface_mock.go
+++ b/management/internals/controllers/network_map/interface_mock.go
@@ -0,0 +1,225 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: ./interface.go
+//
+// Generated by this command:
+//
+//	mockgen -package network_map -destination=interface_mock.go -source=./interface.go -build_flags=-mod=mod
+//
+
+// Package network_map is a generated GoMock package.
+package network_map
+
+import (
+	context "context"
+	reflect "reflect"
+
+	peer "github.com/netbirdio/netbird/management/server/peer"
+	posture "github.com/netbirdio/netbird/management/server/posture"
+	types "github.com/netbirdio/netbird/management/server/types"
+	gomock "go.uber.org/mock/gomock"
+)
+
+// MockController is a mock of Controller interface.
+type MockController struct {
+	ctrl     *gomock.Controller
+	recorder *MockControllerMockRecorder
+	isgomock struct{}
+}
+
+// MockControllerMockRecorder is the mock recorder for MockController.
+type MockControllerMockRecorder struct {
+	mock *MockController
+}
+
+// NewMockController creates a new mock instance.
+func NewMockController(ctrl *gomock.Controller) *MockController {
+	mock := &MockController{ctrl: ctrl}
+	mock.recorder = &MockControllerMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockController) EXPECT() *MockControllerMockRecorder {
+	return m.recorder
+}
+
+// BufferUpdateAccountPeers mocks base method.
+func (m *MockController) BufferUpdateAccountPeers(ctx context.Context, accountID string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "BufferUpdateAccountPeers", ctx, accountID)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// BufferUpdateAccountPeers indicates an expected call of BufferUpdateAccountPeers.
+func (mr *MockControllerMockRecorder) BufferUpdateAccountPeers(ctx, accountID any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "BufferUpdateAccountPeers", reflect.TypeOf((*MockController)(nil).BufferUpdateAccountPeers), ctx, accountID)
+}
+
+// DeletePeer mocks base method.
+func (m *MockController) DeletePeer(ctx context.Context, accountId, peerId string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DeletePeer", ctx, accountId, peerId)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// DeletePeer indicates an expected call of DeletePeer.
+func (mr *MockControllerMockRecorder) DeletePeer(ctx, accountId, peerId any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeletePeer", reflect.TypeOf((*MockController)(nil).DeletePeer), ctx, accountId, peerId)
+}
+
+// DisconnectPeers mocks base method.
+func (m *MockController) DisconnectPeers(ctx context.Context, peerIDs []string) {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "DisconnectPeers", ctx, peerIDs)
+}
+
+// DisconnectPeers indicates an expected call of DisconnectPeers.
+func (mr *MockControllerMockRecorder) DisconnectPeers(ctx, peerIDs any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DisconnectPeers", reflect.TypeOf((*MockController)(nil).DisconnectPeers), ctx, peerIDs)
+}
+
+// GetDNSDomain mocks base method.
+func (m *MockController) GetDNSDomain(settings *types.Settings) string {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetDNSDomain", settings)
+	ret0, _ := ret[0].(string)
+	return ret0
+}
+
+// GetDNSDomain indicates an expected call of GetDNSDomain.
+func (mr *MockControllerMockRecorder) GetDNSDomain(settings any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDNSDomain", reflect.TypeOf((*MockController)(nil).GetDNSDomain), settings)
+}
+
+// GetNetworkMap mocks base method.
+func (m *MockController) GetNetworkMap(ctx context.Context, peerID string) (*types.NetworkMap, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetNetworkMap", ctx, peerID)
+	ret0, _ := ret[0].(*types.NetworkMap)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetNetworkMap indicates an expected call of GetNetworkMap.
+func (mr *MockControllerMockRecorder) GetNetworkMap(ctx, peerID any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetNetworkMap", reflect.TypeOf((*MockController)(nil).GetNetworkMap), ctx, peerID)
+}
+
+// GetValidatedPeerWithMap mocks base method.
+func (m *MockController) GetValidatedPeerWithMap(ctx context.Context, isRequiresApproval bool, accountID string, p *peer.Peer) (*peer.Peer, *types.NetworkMap, []*posture.Checks, int64, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetValidatedPeerWithMap", ctx, isRequiresApproval, accountID, p)
+	ret0, _ := ret[0].(*peer.Peer)
+	ret1, _ := ret[1].(*types.NetworkMap)
+	ret2, _ := ret[2].([]*posture.Checks)
+	ret3, _ := ret[3].(int64)
+	ret4, _ := ret[4].(error)
+	return ret0, ret1, ret2, ret3, ret4
+}
+
+// GetValidatedPeerWithMap indicates an expected call of GetValidatedPeerWithMap.
+func (mr *MockControllerMockRecorder) GetValidatedPeerWithMap(ctx, isRequiresApproval, accountID, p any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetValidatedPeerWithMap", reflect.TypeOf((*MockController)(nil).GetValidatedPeerWithMap), ctx, isRequiresApproval, accountID, p)
+}
+
+// IsConnected mocks base method.
+func (m *MockController) IsConnected(peerID string) bool {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "IsConnected", peerID)
+	ret0, _ := ret[0].(bool)
+	return ret0
+}
+
+// IsConnected indicates an expected call of IsConnected.
+func (mr *MockControllerMockRecorder) IsConnected(peerID any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IsConnected", reflect.TypeOf((*MockController)(nil).IsConnected), peerID)
+}
+
+// OnPeerAdded mocks base method.
+func (m *MockController) OnPeerAdded(ctx context.Context, accountID, peerID string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "OnPeerAdded", ctx, accountID, peerID)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// OnPeerAdded indicates an expected call of OnPeerAdded.
+func (mr *MockControllerMockRecorder) OnPeerAdded(ctx, accountID, peerID any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OnPeerAdded", reflect.TypeOf((*MockController)(nil).OnPeerAdded), ctx, accountID, peerID)
+}
+
+// OnPeerDeleted mocks base method.
+func (m *MockController) OnPeerDeleted(ctx context.Context, accountID, peerID string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "OnPeerDeleted", ctx, accountID, peerID)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// OnPeerDeleted indicates an expected call of OnPeerDeleted.
+func (mr *MockControllerMockRecorder) OnPeerDeleted(ctx, accountID, peerID any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OnPeerDeleted", reflect.TypeOf((*MockController)(nil).OnPeerDeleted), ctx, accountID, peerID)
+}
+
+// OnPeerUpdated mocks base method.
+func (m *MockController) OnPeerUpdated(accountId string, peer *peer.Peer) {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "OnPeerUpdated", accountId, peer)
+}
+
+// OnPeerUpdated indicates an expected call of OnPeerUpdated.
+func (mr *MockControllerMockRecorder) OnPeerUpdated(accountId, peer any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OnPeerUpdated", reflect.TypeOf((*MockController)(nil).OnPeerUpdated), accountId, peer)
+}
+
+// StartWarmup mocks base method.
+func (m *MockController) StartWarmup(arg0 context.Context) {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "StartWarmup", arg0)
+}
+
+// StartWarmup indicates an expected call of StartWarmup.
+func (mr *MockControllerMockRecorder) StartWarmup(arg0 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "StartWarmup", reflect.TypeOf((*MockController)(nil).StartWarmup), arg0)
+}
+
+// UpdateAccountPeer mocks base method.
+func (m *MockController) UpdateAccountPeer(ctx context.Context, accountId, peerId string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "UpdateAccountPeer", ctx, accountId, peerId)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// UpdateAccountPeer indicates an expected call of UpdateAccountPeer.
+func (mr *MockControllerMockRecorder) UpdateAccountPeer(ctx, accountId, peerId any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateAccountPeer", reflect.TypeOf((*MockController)(nil).UpdateAccountPeer), ctx, accountId, peerId)
+}
+
+// UpdateAccountPeers mocks base method.
+func (m *MockController) UpdateAccountPeers(ctx context.Context, accountID string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "UpdateAccountPeers", ctx, accountID)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// UpdateAccountPeers indicates an expected call of UpdateAccountPeers.
+func (mr *MockControllerMockRecorder) UpdateAccountPeers(ctx, accountID any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateAccountPeers", reflect.TypeOf((*MockController)(nil).UpdateAccountPeers), ctx, accountID)
+}
--- a/management/internals/controllers/network_map/network_map.go
+++ b/management/internals/controllers/network_map/network_map.go
@@ -0,0 +1 @@
+package network_map
--- a/management/internals/controllers/network_map/update_channel.go
+++ b/management/internals/controllers/network_map/update_channel.go
@@ -0,0 +1,13 @@
+package network_map
+
+import "context"
+
+type PeersUpdateManager interface {
+	SendUpdate(ctx context.Context, peerID string, update *UpdateMessage)
+	CreateChannel(ctx context.Context, peerID string) chan *UpdateMessage
+	CloseChannel(ctx context.Context, peerID string)
+	CountStreams() int
+	HasChannel(peerID string) bool
+	CloseChannels(ctx context.Context, peerIDs []string)
+	GetAllConnectedPeers() map[string]struct{}
+}
--- a/management/internals/controllers/network_map/update_channel/updatechannel.go
+++ b/management/internals/controllers/network_map/update_channel/updatechannel.go
@@ -1,4 +1,4 @@
-package server
+package update_channel

 import (
 	"context"
@@ -7,38 +7,34 @@ import (

 	log "github.com/sirupsen/logrus"

-	"github.com/netbirdio/netbird/shared/management/proto"
+	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
 	"github.com/netbirdio/netbird/management/server/telemetry"
-	"github.com/netbirdio/netbird/management/server/types"
 )

 const channelBufferSize = 100

-type UpdateMessage struct {
-	Update     *proto.SyncResponse
-	NetworkMap *types.NetworkMap
-}
-
 type PeersUpdateManager struct {
 	// peerChannels is an update channel indexed by Peer.ID
-	peerChannels map[string]chan *UpdateMessage
+	peerChannels map[string]chan *network_map.UpdateMessage
 	// channelsMux keeps the mutex to access peerChannels
 	channelsMux *sync.RWMutex
 	// metrics provides method to collect application metrics
 	metrics telemetry.AppMetrics
 }

+var _ network_map.PeersUpdateManager = (*PeersUpdateManager)(nil)
+
 // NewPeersUpdateManager returns a new instance of PeersUpdateManager
 func NewPeersUpdateManager(metrics telemetry.AppMetrics) *PeersUpdateManager {
 	return &PeersUpdateManager{
-		peerChannels: make(map[string]chan *UpdateMessage),
+		peerChannels: make(map[string]chan *network_map.UpdateMessage),
 		channelsMux:  &sync.RWMutex{},
 		metrics:      metrics,
 	}
 }

 // SendUpdate sends update message to the peer's channel
-func (p *PeersUpdateManager) SendUpdate(ctx context.Context, peerID string, update *UpdateMessage) {
+func (p *PeersUpdateManager) SendUpdate(ctx context.Context, peerID string, update *network_map.UpdateMessage) {
 	start := time.Now()
 	var found, dropped bool

@@ -66,7 +62,7 @@ func (p *PeersUpdateManager) SendUpdate(ctx context.Context, peerID string, upda
 }

 // CreateChannel creates a go channel for a given peer used to deliver updates relevant to the peer.
-func (p *PeersUpdateManager) CreateChannel(ctx context.Context, peerID string) chan *UpdateMessage {
+func (p *PeersUpdateManager) CreateChannel(ctx context.Context, peerID string) chan *network_map.UpdateMessage {
 	start := time.Now()

 	closed := false
@@ -85,7 +81,7 @@ func (p *PeersUpdateManager) CreateChannel(ctx context.Context, peerID string) c
 		close(channel)
 	}
 	// mbragin: todo shouldn't it be more? or configurable?
-	channel := make(chan *UpdateMessage, channelBufferSize)
+	channel := make(chan *network_map.UpdateMessage, channelBufferSize)
 	p.peerChannels[peerID] = channel

 	log.WithContext(ctx).Debugf("opened updates channel for a peer %s", peerID)
@@ -176,3 +172,9 @@ func (p *PeersUpdateManager) HasChannel(peerID string) bool {

 	return ok
 }
+
+func (p *PeersUpdateManager) CountStreams() int {
+	p.channelsMux.RLock()
+	defer p.channelsMux.RUnlock()
+	return len(p.peerChannels)
+}
--- a/management/internals/controllers/network_map/update_channel/updatechannel_test.go
+++ b/management/internals/controllers/network_map/update_channel/updatechannel_test.go
@@ -1,10 +1,11 @@
-package server
+package update_channel

 import (
 	"context"
 	"testing"
 	"time"

+	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
 	"github.com/netbirdio/netbird/shared/management/proto"
 )

@@ -24,7 +25,7 @@ func TestCreateChannel(t *testing.T) {
 func TestSendUpdate(t *testing.T) {
 	peer := "test-sendupdate"
 	peersUpdater := NewPeersUpdateManager(nil)
-	update1 := &UpdateMessage{Update: &proto.SyncResponse{
+	update1 := &network_map.UpdateMessage{Update: &proto.SyncResponse{
 		NetworkMap: &proto.NetworkMap{
 			Serial: 0,
 		},
@@ -44,7 +45,7 @@ func TestSendUpdate(t *testing.T) {
 		peersUpdater.SendUpdate(context.Background(), peer, update1)
 	}

-	update2 := &UpdateMessage{Update: &proto.SyncResponse{
+	update2 := &network_map.UpdateMessage{Update: &proto.SyncResponse{
 		NetworkMap: &proto.NetworkMap{
 			Serial: 10,
 		},
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Viktor Liu	fae27656c2	Reorder subsystem shutdown order so DNS goes last	2025-11-15 14:57:04 +01:00
Viktor Liu	e4b41d0ad7	[client] Replace ipset lib (#4777 ) * Replace ipset lib * Update .github/workflows/check-license-dependencies.yml Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Ignore internal licenses * Ignore dependencies from AGPL code * Use exported errors * Use fixed version --------- Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>	2025-11-14 00:25:00 +01:00
Viktor Liu	9cc9462cd5	[client] Use stdnet with a context to avoid DNS deadlocks (#4781 )	2025-11-13 20:16:45 +01:00
Diego Romar	3176b53968	[client] Add quick actions window (#4717 ) * Open quick settings window if netbird-ui is already running * [client-ui] fix connection status comparison * [client-ui] modularize quick actions code * [client-ui] add netbird-disconnected logo * [client-ui] change quickactions UI It now displays the NetBird logo and a single button with a round icon * [client-ui] add hint message to quick actions screen This also updates fyne to v2.7.0 * [client-ui] remove unnecessary default clause * [client-ui] remove commented code * [client-ui] remove unused dependency * [client-ui] close quick actions on connection change * [client-ui] add function to get image from embed resources * [client] Return error when calling sendShowWindowSignal from Windows * [client-ui] Add commentary on empty OnTapped function for toggleConnectionButton * [client-ui] Fix tests * [client-ui] Add context to menuUpClick call * [client-ui] Pass serviceClient app as parameter To use its clipboard rather than the window's when showing the upload success dialog * [client-ui] Replace for select with for range chan * [client-ui] Replace settings change listener channel Settings now accept a function callback * [client-ui] Add missing iconAboutDisconnected to icons_windows.go * [client] Add quick actions signal handler for Windows with named events * [client] Run go mod tidy * [client] Remove line break * [client] Log unexpected status in separate function * [client-ui] Refactor quick actions window To address racing conditions, it also replaces usage of pause and resume channels with an atomic bool. * [client-ui] use derived context from ServiceClient * [client] Update signal_windows log message Also, format error when trying to set event on sendShowWindowSignal * go mod tidy * [client-ui] Add struct to pass fewer parameters to applyQuickActionsUiState function * [client] Add missing import --------- Co-authored-by: Viktor Liu <viktor@netbird.io>	2025-11-13 10:25:19 -03:00
Viktor Liu	27957036c9	[client] Fix shutdown blocking on stuck ICE agent close (#4780 )	2025-11-13 13:24:51 +01:00
Pascal Fischer	6fb568728f	[management] Removed policy posture checks on original peer (#4779 ) Co-authored-by: crn4 <vladimir@netbird.io>	2025-11-13 12:51:03 +01:00
Pascal Fischer	cc97cffff1	[management] move network map logic into new design (#4774 )	2025-11-13 12:09:46 +01:00
Zoltan Papp	c28275611b	Fix agent reference (#4776 )	2025-11-11 13:59:32 +01:00
Vlad	56f169eede	[management] fix pg db deadlock after app panic (#4772 )	2025-11-10 23:43:08 +01:00
Viktor Liu	07cf9d5895	[client] Create networkd.conf.d if it doesn't exist (#4764 )	2025-11-08 10:54:37 +01:00
Pascal Fischer	7df49e249d	[management ] remove timing logs (#4761 )	2025-11-07 20:14:52 +01:00
Pascal Fischer	dbfc8a52c9	[management] remove GLOBAL when disabling foreign keys on mysql (#4615 )	2025-11-07 16:03:14 +01:00
Vlad	98ddac07bf	[management] remove toAll firewall rule (#4725 )	2025-11-07 15:50:58 +01:00
Pascal Fischer	48475ddc05	[management] add pat rate limiting (#4741 )	2025-11-07 15:50:18 +01:00
Vlad	6aa4ba7af4	[management] incremental network map builder (#4753 )	2025-11-07 10:44:46 +01:00
dependabot[bot]	2e16c9914a	[management] Bump github.com/containerd/containerd from 1.7.27 to 1.7.29 (#4756 ) Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.7.27 to 1.7.29. - [Release notes](https://github.com/containerd/containerd/releases) - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) - [Commits](https://github.com/containerd/containerd/compare/v1.7.27...v1.7.29) --- updated-dependencies: - dependency-name: github.com/containerd/containerd dependency-version: 1.7.29 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-11-06 19:01:44 +03:00
Pascal Fischer	5c29d395b2	[management] activity events on group updates (#4750 )	2025-11-06 12:51:14 +01:00
Viktor Liu	229e0038ee	[client] Add dns config to debug bundle (#4704 )	2025-11-05 17:30:17 +01:00
Viktor Liu	75327d9519	[client] Add login_hint to oidc flows (#4724 )	2025-11-05 17:00:20 +01:00
Viktor Liu	c92e6c1b5f	[client] Block on all subsystems on shutdown (#4709 )	2025-11-05 12:15:37 +01:00
Viktor Liu	641eb5140b	[client] Allow INPUT traffic on the compat iptables filter table for nftables (#4742 )	2025-11-04 21:56:53 +01:00
Viktor Liu	45c25dca84	[client] Clamp MSS on outbound traffic (#4735 )	2025-11-04 17:18:51 +01:00
Viktor Liu	679c58ce47	[client] Set up networkd to ignore ip rules (#4730 )	2025-11-04 17:06:35 +01:00
Pascal Fischer	719283c792	[management] update db connection lifecycle configuration (#4740 )	2025-11-03 17:40:12 +01:00
dependabot[bot]	a2313a5ba4	[client] Bump github.com/quic-go/quic-go from 0.48.2 to 0.49.1 (#4621 ) Bumps [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go) from 0.48.2 to 0.49.1. - [Release notes](https://github.com/quic-go/quic-go/releases) - [Commits](https://github.com/quic-go/quic-go/compare/v0.48.2...v0.49.1) --- updated-dependencies: - dependency-name: github.com/quic-go/quic-go dependency-version: 0.49.1 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-11-01 15:27:22 +01:00
Zoltan Papp	8c108ccad3	[client] Extend Darwin network monitoring with wakeup detection	2025-10-31 19:19:14 +01:00
Viktor Liu	86eff0d750	[client] Fix netstack dns forwarder (#4727 )	2025-10-31 14:18:09 +01:00