Merge branch 'main' into feature/buf-cli

# Conflicts: # client/proto/daemon.pb.go # management/proto/management.pb.go
[client] Add TCP support to DNS forwarder service listener (#3790 )
2026-05-08 01:39:55 +00:00 · 2025-05-12 10:34:14 +01:00 · 2025-05-09 15:06:34 +03:00 · 2025-05-09 14:01:21 +02:00 · 2025-05-09 13:56:27 +02:00 · 2025-05-07 07:25:25 +02:00
259 changed files with 13357 additions and 8348 deletions
--- a/.git-branches.toml
+++ b/.git-branches.toml
@@ -0,0 +1,27 @@
 # More info around this file at https://www.git-town.com/configuration-file
 [branches]
 main = "main"
 perennials = []
 perennial-regex = ""
 [create]
 new-branch-type = "feature"
 push-new-branches = false
 [hosting]
 dev-remote = "origin"
 # platform = ""
 # origin-hostname = ""
 [ship]
 delete-tracking-branch = false
 strategy = "squash-merge"
 [sync]
 feature-strategy = "merge"
 perennial-strategy = "rebase"
 prototype-strategy = "merge"
 push-hook = true
 tags = true
 upstream = false
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -2,6 +2,10 @@
 ## Issue ticket number and link
 ## Stack
 <!-- branch-stack -->
 ### Checklist
 - [ ] Is it a bug fix
 - [ ] Is a typo/documentation fix
--- a/.github/workflows/git-town.yml
+++ b/.github/workflows/git-town.yml
@@ -0,0 +1,21 @@
 name: Git Town
 on:
  pull_request:
    branches:
      - '**'
 jobs:
  git-town:
    name: Display the branch stack
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: git-town/action@v1
        with:
          skip-single-stacks: true
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -146,6 +146,65 @@ jobs:
      - name: Test
        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay)
  test_client_on_docker:
    name: "Client (Docker) / Unit"
    needs: [build-cache]
    runs-on: ubuntu-22.04
    steps:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
          go-version: "1.23.x"
          cache: false
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Get Go environment
        id: go-env
        run: |
          echo "cache_dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT
          echo "modcache_dir=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
      - name: Cache Go modules
        uses: actions/cache/restore@v4
        id: cache-restore
        with:
          path: |
            ${{ steps.go-env.outputs.cache_dir }}
            ${{ steps.go-env.outputs.modcache_dir }}
          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-gotest-cache-
      - name: Run tests in container
        env:
          HOST_GOCACHE: ${{ steps.go-env.outputs.cache_dir }}
          HOST_GOMODCACHE: ${{ steps.go-env.outputs.modcache_dir }}
        run: |
          CONTAINER_GOCACHE="/root/.cache/go-build"
          CONTAINER_GOMODCACHE="/go/pkg/mod"
          docker run --rm \
            --cap-add=NET_ADMIN \
            --privileged \
            -v $PWD:/app \
            -w /app \
            -v "${HOST_GOCACHE}:${CONTAINER_GOCACHE}" \
            -v "${HOST_GOMODCACHE}:${CONTAINER_GOMODCACHE}" \
            -e CGO_ENABLED=1 \
            -e CI=true \
            -e DOCKER_CI=true \
            -e GOARCH=${GOARCH_TARGET} \
            -e GOCACHE=${CONTAINER_GOCACHE} \
            -e GOMODCACHE=${CONTAINER_GOMODCACHE} \
            golang:1.23-alpine \
            sh -c ' \
              apk update; apk add --no-cache \
                ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base; \
              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /client/ui -e /upload-server)
            '
  test_relay:
    name: "Relay / Unit"
    needs: [build-cache]
@@ -179,13 +238,6 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-gotest-cache-
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
      - name: Install 32-bit libpcap
        if: matrix.arch == '386'
        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
      - name: Install modules
        run: go mod tidy
@@ -232,13 +284,6 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-gotest-cache-
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
      - name: Install 32-bit libpcap
        if: matrix.arch == '386'
        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
      - name: Install modules
        run: go mod tidy
@@ -286,13 +331,6 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-gotest-cache-
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
      - name: Install 32-bit libpcap
        if: matrix.arch == '386'
        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
      - name: Install modules
        run: go mod tidy
@@ -314,6 +352,7 @@ jobs:
        run: |          
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
            CI=true \
          go test -tags=devcert \
            -exec "sudo --preserve-env=CI,NETBIRD_STORE_ENGINE" \
            -timeout 20m ./management/...
@@ -353,13 +392,6 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-gotest-cache-
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
      - name: Install 32-bit libpcap
        if: matrix.arch == '386'
        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
      - name: Install modules
        run: go mod tidy
@@ -380,10 +412,11 @@ jobs:
      - name: Test
        run: |
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
-          NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true \
+          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
          CI=true \
          go test -tags devcert -run=^$ -bench=. \
          -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
-          -timeout 20m ./...
+          -timeout 20m ./management/...
  api_benchmark:
    name: "Management / Benchmark (API)"
@@ -396,6 +429,33 @@ jobs:
        store: [ 'sqlite', 'postgres' ]
    runs-on: ubuntu-22.04
    steps:
      - name: Create Docker network
        run: docker network create promnet
      - name: Start Prometheus Pushgateway
        run: docker run -d --name pushgateway --network promnet -p 9091:9091 prom/pushgateway
      - name: Start Prometheus (for Pushgateway forwarding)
        run: |
          echo '
          global:
            scrape_interval: 15s
          scrape_configs:
            - job_name: "pushgateway"
              static_configs:
                - targets: ["pushgateway:9091"]
          remote_write:
            - url: ${{ secrets.GRAFANA_URL }}
              basic_auth:
                username: ${{ secrets.GRAFANA_USER }}
                password: ${{ secrets.GRAFANA_API_KEY }}
          ' > prometheus.yml
          docker run -d --name prometheus --network promnet \
            -v $PWD/prometheus.yml:/etc/prometheus/prometheus.yml \
            -p 9090:9090 \
            prom/prometheus
      - name: Install Go
        uses: actions/setup-go@v5
        with:
@@ -420,13 +480,6 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-gotest-cache-
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
      - name: Install 32-bit libpcap
        if: matrix.arch == '386'
        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
      - name: Install modules
        run: go mod tidy
@@ -447,11 +500,13 @@ jobs:
      - name: Test
        run: |
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
-          NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true \
+          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
          CI=true \
          GIT_BRANCH=${{ github.ref_name }} \
          go test -tags=benchmark \
            -run=^$ \
            -bench=. \
-            -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
+            -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE,GIT_BRANCH,GITHUB_RUN_ID' \
            -timeout 20m ./management/...
  api_integration_test:
@@ -489,13 +544,6 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-gotest-cache-
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
      - name: Install 32-bit libpcap
        if: matrix.arch == '386'
        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
      - name: Install modules
        run: go mod tidy
@@ -505,89 +553,8 @@ jobs:
      - name: Test
        run: |
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
-          NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true \
+          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
          CI=true \
          go test -tags=integration \
          -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
          -timeout 20m ./management/...
  test_client_on_docker:
    name: "Client (Docker) / Unit"
    needs: [ build-cache ]
    runs-on: ubuntu-20.04
    steps:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
          go-version: "1.23.x"
          cache: false
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
      - name: Cache Go modules
        uses: actions/cache/restore@v4
        with:
          path: |
            ${{ env.cache }}
            ${{ env.modcache }}
          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-gotest-cache-
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
      - name: Install modules
        run: go mod tidy
      - name: check git status
        run: git --no-pager diff --exit-code
      - name: Generate Shared Sock Test bin
        run: CGO_ENABLED=0 go test -c -o sharedsock-testing.bin ./sharedsock
      - name: Generate RouteManager Test bin
        run: CGO_ENABLED=0 go test -c -o routemanager-testing.bin  ./client/internal/routemanager
      - name: Generate SystemOps Test bin
        run: CGO_ENABLED=1 go test -c -o systemops-testing.bin -tags netgo -ldflags '-w -extldflags "-static -ldbus-1 -lpcap"' ./client/internal/routemanager/systemops
      - name: Generate nftables Manager Test bin
        run: CGO_ENABLED=0 go test -c -o nftablesmanager-testing.bin ./client/firewall/nftables/...
      - name: Generate Engine Test bin
        run: CGO_ENABLED=1 go test -c -o engine-testing.bin ./client/internal
      - name: Generate Peer Test bin
        run: CGO_ENABLED=0 go test -c -o peer-testing.bin ./client/internal/peer/
      - run: chmod +x *testing.bin
      - name: Run Shared Sock tests in docker
        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/sharedsock --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/sharedsock-testing.bin -test.timeout 5m -test.parallel 1
      - name: Run Iface tests in docker
        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/netbird -v /tmp/cache:/tmp/cache -v /tmp/modcache:/tmp/modcache -w /netbird -e GOCACHE=/tmp/cache -e GOMODCACHE=/tmp/modcache -e CGO_ENABLED=0 golang:1.23-alpine go test  -test.timeout 5m -test.parallel 1 ./client/iface/...
      - name: Run RouteManager tests in docker
        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/routemanager --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/routemanager-testing.bin  -test.timeout 5m -test.parallel 1
      - name: Run SystemOps tests in docker
        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/routemanager/systemops --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/systemops-testing.bin  -test.timeout 5m -test.parallel 1
      - name: Run nftables Manager tests in docker
        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/firewall --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/nftablesmanager-testing.bin  -test.timeout 5m -test.parallel 1
      - name: Run Engine tests in docker with file store
        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal -e NETBIRD_STORE_ENGINE="jsonfile" --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/engine-testing.bin  -test.timeout 5m -test.parallel 1
      - name: Run Engine tests in docker with sqlite store
        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal -e NETBIRD_STORE_ENGINE="sqlite" --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/engine-testing.bin  -test.timeout 5m -test.parallel 1
      - name: Run Peer tests in docker
        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/peer  --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/peer-testing.bin  -test.timeout 5m -test.parallel 1
--- a/.github/workflows/test-infrastructure-files.yml
+++ b/.github/workflows/test-infrastructure-files.yml
@@ -178,6 +178,7 @@ jobs:
          grep -A 10 'relay:' docker-compose.yml | egrep 'NB_AUTH_SECRET=.+$'
          grep -A 7 Relay management.json | grep "rel://$CI_NETBIRD_DOMAIN:33445"
          grep -A 7 Relay management.json | egrep '"Secret": ".+"'
          grep DisablePromptLogin management.json | grep 'true'
      - name: Install modules
        run: go mod tidy
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -96,6 +96,20 @@ builds:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"
  - id: netbird-upload
    dir: upload-server
    env: [CGO_ENABLED=0]
    binary: netbird-upload
    goos:
      - linux
    goarch:
      - amd64
      - arm64
      - arm
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"
 universal_binaries:
  - id: netbird
@@ -409,6 +423,52 @@ dockers:
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/upload:{{ .Version }}-amd64
    ids:
      - netbird-upload
    goarch: amd64
    use: buildx
    dockerfile: upload-server/Dockerfile
    build_flag_templates:
      - "--platform=linux/amd64"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/upload:{{ .Version }}-arm64v8
    ids:
      - netbird-upload
    goarch: arm64
    use: buildx
    dockerfile: upload-server/Dockerfile
    build_flag_templates:
      - "--platform=linux/arm64"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/upload:{{ .Version }}-arm
    ids:
      - netbird-upload
    goarch: arm
    goarm: 6
    use: buildx
    dockerfile: upload-server/Dockerfile
    build_flag_templates:
      - "--platform=linux/arm"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=maintainer=dev@netbird.io"
 docker_manifests:
  - name_template: netbirdio/netbird:{{ .Version }}
    image_templates:
@@ -475,7 +535,17 @@ docker_manifests:
      - netbirdio/management:{{ .Version }}-debug-arm64v8
      - netbirdio/management:{{ .Version }}-debug-arm
      - netbirdio/management:{{ .Version }}-debug-amd64
  - name_template: netbirdio/upload:{{ .Version }}
    image_templates:
      - netbirdio/upload:{{ .Version }}-arm64v8
      - netbirdio/upload:{{ .Version }}-arm
      - netbirdio/upload:{{ .Version }}-amd64
  - name_template: netbirdio/upload:latest
    image_templates:
      - netbirdio/upload:{{ .Version }}-arm64v8
      - netbirdio/upload:{{ .Version }}-arm
      - netbirdio/upload:{{ .Version }}-amd64
 brews:
  - ids:
      - default
--- a/README.md
+++ b/README.md
@@ -57,16 +57,16 @@
 ### Key features
-| Connectivity                                                                                                                 | Management                                                                                               | Security                                                                                                                              | Automation                                                                                                                               | Platforms                                                                               |
+| Connectivity | Management | Security | Automation| Platforms |
-|------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------|
+|----|----|----|----|----|
-| <ul><li> - \[x] Kernel WireGuard </ul></li>                                                                                  | <ul><li> - \[x] [Admin Web UI](https://github.com/netbirdio/dashboard) </ul></li>                        | <ul><li> - \[x] [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login) </ul></li>           | <ul><li> - \[x] [Public API](https://docs.netbird.io/api) </ul></li>                                                                     | <ul><li> - \[x] Linux </ul></li>                                                        |
+| <ul><li>- \[x] Kernel WireGuard</ul></li> | <ul><li>- \[x] [Admin Web UI](https://github.com/netbirdio/dashboard)</ul></li> | <ul><li>- \[x] [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login)</ul></li> | <ul><li>- \[x] [Public API](https://docs.netbird.io/api)</ul></li> | <ul><li>- \[x] Linux</ul></li> |
-| <ul><li> - \[x] Peer-to-peer connections </ul></li>                                                                          | <ul><li> - \[x] Auto peer discovery and configuration </ul></li>                                         | <ul><li> - \[x] [Access control - groups & rules](https://docs.netbird.io/how-to/manage-network-access) </ul></li>                    | <ul><li> - \[x] [Setup keys for bulk network provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys) </ul></li> | <ul><li> - \[x] Mac </ul></li>                                                          |
+| <ul><li>- \[x] Peer-to-peer connections</ul></li> | <ul><li>- \[x] Auto peer discovery and configuration</ui></li> | <ul><li>- \[x] [Access control - groups & rules](https://docs.netbird.io/how-to/manage-network-access)</ui></li> | <ul><li>- \[x] [Setup keys for bulk network provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys)</ui></li> | <ul><li>- \[x] Mac</ui></li> |
-| <ul><li> - \[x] Connection relay fallback </ul></li>                                                                         | <ul><li> - \[x] [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers) </ul></li>     | <ul><li> - \[x] [Activity logging](https://docs.netbird.io/how-to/monitor-system-and-network-activity) </ul></li>                     | <ul><li> - \[x] [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart) </ul></li>                    | <ul><li> - \[x] Windows </ul></li>                                                      |
+| <ul><li>- \[x] Connection relay fallback</ui></li> | <ul><li>- \[x] [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers)</ui></li> | <ul><li>- \[x] [Activity logging](https://docs.netbird.io/how-to/audit-events-logging)</ui></li> | <ul><li>- \[x] [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart)</ui></li> | <ul><li>- \[x] Windows</ui></li> |
-| <ul><li> - \[x] [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks) </ul></li> | <ul><li> - \[x] [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network) </ul></li>      | <ul><li> - \[x] [Device posture checks](https://docs.netbird.io/how-to/manage-posture-checks) </ul></li>                              | <ul><li> - \[x] IdP groups sync with JWT </ul></li>                                                                                      | <ul><li> - \[x] Android </ul></li>                                                      |
+| <ul><li>- \[x] [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks)</ui></li> | <ul><li>- \[x] [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network)</ui></li> | <ul><li>- \[x] [Device posture checks](https://docs.netbird.io/how-to/manage-posture-checks)</ui></li> | <ul><li>- \[x] IdP groups sync with JWT</ui></li> | <ul><li>- \[x] Android</ui></li> |
-| <ul><li> - \[x] NAT traversal with BPF </ul></li>                                                                            | <ul><li> - \[x] [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network) </ul></li> | <ul><li> -  \[x] Peer-to-peer encryption </ul></li>                                                                                   |                                                                                                                                          | <ul><li> - \[x] iOS </ul></li>                                                          |
+| <ul><li>- \[x] NAT traversal with BPF</ui></li> | <ul><li>- \[x] [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network)</ui></li> | <ul><li>- \[x] Peer-to-peer encryption</ui></li> || <ul><li>- \[x] iOS</ui></li> |
-|                                                                                                                              |                                                                                                          | <ul><li> - \[x] [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn) </ul></li> |                                                                                                                                          | <ul><li> - \[x] OpenWRT </ul></li>                                                      |
+||| <ul><li>- \[x] [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn)</ui></li> || <ul><li>- \[x] OpenWRT</ui></li> |
-|                                                                                                                              |                                                                                                          | <ui><li> - \[x] [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication)</ul></li>           |                                                                                                                                          | <ul><li> - \[x] [Serverless](https://docs.netbird.io/how-to/netbird-on-faas) </ul></li> |
+||| <ul><li>- \[x] [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication)</ui></li> || <ul><li>- \[x] [Serverless](https://docs.netbird.io/how-to/netbird-on-faas)</ui></li> |
-|                                                                                                                              |                                                                                                          |                                                                                                                                       |                                                                                                                                          | <ul><li> - \[x] Docker </ul></li>                                                       |
+||||| <ul><li>- \[x] Docker</ui></li> |
 ### Quickstart with NetBird Cloud
--- a/buf.gen.yaml
+++ b/buf.gen.yaml
@@ -0,0 +1,7 @@
 # For details on buf.gen.yaml configuration, visit https://buf.build/docs/configuration/v2/buf-gen-yaml/
 version: v2
 plugins:
  - remote: buf.build/protocolbuffers/go:v1.35.1
    out: .
  - remote: buf.build/grpc/go:v1.5.1
    out: .
--- a/buf.yaml
+++ b/buf.yaml
@@ -0,0 +1,10 @@
 # For details on buf.yaml configuration, visit https://buf.build/docs/configuration/v2/buf-yaml
 version: v2
 modules:
  - path: proto
 lint:
  use:
    - BASIC
 breaking:
  use:
    - FILE
--- a/client/Dockerfile
+++ b/client/Dockerfile
@@ -1,5 +1,6 @@
 FROM alpine:3.21.3
-RUN apk add --no-cache ca-certificates iptables ip6tables
+# iproute2: busybox doesn't display ip rules properly
 RUN apk add --no-cache ca-certificates ip6tables iproute2 iptables
 ENV NB_FOREGROUND_MODE=true
 ENTRYPOINT [ "/usr/local/bin/netbird","up"]
 COPY netbird /usr/local/bin/netbird
--- a/client/cmd/debug.go
+++ b/client/cmd/debug.go
@@ -11,9 +11,12 @@ import (
 	"google.golang.org/grpc/status"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/debug"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/server"
 	nbstatus "github.com/netbirdio/netbird/client/status"
 	mgmProto "github.com/netbirdio/netbird/management/proto"
 )
 const errCloseConnection = "Failed to close connection: %v"
@@ -84,16 +87,27 @@ func debugBundle(cmd *cobra.Command, _ []string) error {
 	}()
 	client := proto.NewDaemonServiceClient(conn)
-	resp, err := client.DebugBundle(cmd.Context(), &proto.DebugBundleRequest{
+	request := &proto.DebugBundleRequest{
 		Anonymize:  anonymizeFlag,
 		Status:     getStatusOutput(cmd, anonymizeFlag),
 		SystemInfo: debugSystemInfoFlag,
-	})
+	}
 	if debugUploadBundle {
 		request.UploadURL = debugUploadBundleURL
 	}
 	resp, err := client.DebugBundle(cmd.Context(), request)
 	if err != nil {
 		return fmt.Errorf("failed to bundle debug: %v", status.Convert(err).Message())
 	}
 	cmd.Printf("Local file:\n%s\n", resp.GetPath())
-	cmd.Println(resp.GetPath())
+	if resp.GetUploadFailureReason() != "" {
 		return fmt.Errorf("upload failed: %s", resp.GetUploadFailureReason())
 	}
 	if debugUploadBundle {
 		cmd.Printf("Upload file key:\n%s\n", resp.GetUploadedKey())
 	}
 	return nil
 }
@@ -208,23 +222,19 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 	headerPreDown := fmt.Sprintf("----- Netbird pre-down - Timestamp: %s - Duration: %s", time.Now().Format(time.RFC3339), duration)
 	statusOutput = fmt.Sprintf("%s\n%s\n%s", statusOutput, headerPreDown, getStatusOutput(cmd, anonymizeFlag))
-
+	request := &proto.DebugBundleRequest{
 	resp, err := client.DebugBundle(cmd.Context(), &proto.DebugBundleRequest{
 		Anonymize:  anonymizeFlag,
 		Status:     statusOutput,
 		SystemInfo: debugSystemInfoFlag,
-	})
+	}
 	if debugUploadBundle {
 		request.UploadURL = debugUploadBundleURL
 	}
 	resp, err := client.DebugBundle(cmd.Context(), request)
 	if err != nil {
 		return fmt.Errorf("failed to bundle debug: %v", status.Convert(err).Message())
 	}
 	// Disable network map persistence after creating the debug bundle
 	if _, err := client.SetNetworkMapPersistence(cmd.Context(), &proto.SetNetworkMapPersistenceRequest{
 		Enabled: false,
 	}); err != nil {
 		return fmt.Errorf("failed to disable network map persistence: %v", status.Convert(err).Message())
 	}
 	if stateWasDown {
 		if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
 			return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
@@ -239,7 +249,15 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		cmd.Println("Log level restored to", initialLogLevel.GetLevel())
 	}
-	cmd.Println(resp.GetPath())
+	cmd.Printf("Local file:\n%s\n", resp.GetPath())
 	if resp.GetUploadFailureReason() != "" {
 		return fmt.Errorf("upload failed: %s", resp.GetUploadFailureReason())
 	}
 	if debugUploadBundle {
 		cmd.Printf("Upload file key:\n%s\n", resp.GetUploadedKey())
 	}
 	return nil
 }
@@ -326,3 +344,34 @@ func formatDuration(d time.Duration) string {
 	s := d / time.Second
 	return fmt.Sprintf("%02d:%02d:%02d", h, m, s)
 }
 func generateDebugBundle(config *internal.Config, recorder *peer.Status, connectClient *internal.ConnectClient, logFilePath string) {
 	var networkMap *mgmProto.NetworkMap
 	var err error
 	if connectClient != nil {
 		networkMap, err = connectClient.GetLatestNetworkMap()
 		if err != nil {
 			log.Warnf("Failed to get latest network map: %v", err)
 		}
 	}
 	bundleGenerator := debug.NewBundleGenerator(
 		debug.GeneratorDependencies{
 			InternalConfig: config,
 			StatusRecorder: recorder,
 			NetworkMap:     networkMap,
 			LogFile:        logFilePath,
 		},
 		debug.BundleConfig{
 			IncludeSystemInfo: true,
 		},
 	)
 	path, err := bundleGenerator.Generate()
 	if err != nil {
 		log.Errorf("Failed to generate debug bundle: %v", err)
 		return
 	}
 	log.Infof("Generated debug bundle from SIGUSR1 at: %s", path)
 }
--- a/client/cmd/debug_unix.go
+++ b/client/cmd/debug_unix.go
@@ -0,0 +1,39 @@
 //go:build unix
 package cmd
 import (
 	"context"
 	"os"
 	"os/signal"
 	"syscall"
 	log "github.com/sirupsen/logrus"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/peer"
 )
 func SetupDebugHandler(
 	ctx context.Context,
 	config *internal.Config,
 	recorder *peer.Status,
 	connectClient *internal.ConnectClient,
 	logFilePath string,
 ) {
 	usr1Ch := make(chan os.Signal, 1)
 	signal.Notify(usr1Ch, syscall.SIGUSR1)
 	go func() {
 		for {
 			select {
 			case <-ctx.Done():
 				return
 			case <-usr1Ch:
 				log.Info("Received SIGUSR1. Triggering debug bundle generation.")
 				go generateDebugBundle(config, recorder, connectClient, logFilePath)
 			}
 		}
 	}()
 }
--- a/client/cmd/debug_windows.go
+++ b/client/cmd/debug_windows.go
@@ -0,0 +1,126 @@
 package cmd
 import (
 	"context"
 	"errors"
 	"os"
 	"strconv"
 	"time"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/windows"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/peer"
 )
 const (
 	envListenEvent        = "NB_LISTEN_DEBUG_EVENT"
 	debugTriggerEventName = `Global\NetbirdDebugTriggerEvent`
 	waitTimeout = 5 * time.Second
 )
 // SetupDebugHandler sets up a Windows event to listen for a signal to generate a debug bundle.
 // Example usage with PowerShell:
 // $evt = [System.Threading.EventWaitHandle]::OpenExisting("Global\NetbirdDebugTriggerEvent")
 // $evt.Set()
 // $evt.Close()
 func SetupDebugHandler(
 	ctx context.Context,
 	config *internal.Config,
 	recorder *peer.Status,
 	connectClient *internal.ConnectClient,
 	logFilePath string,
 ) {
 	env := os.Getenv(envListenEvent)
 	if env == "" {
 		return
 	}
 	listenEvent, err := strconv.ParseBool(env)
 	if err != nil {
 		log.Errorf("Failed to parse %s: %v", envListenEvent, err)
 		return
 	}
 	if !listenEvent {
 		return
 	}
 	eventNamePtr, err := windows.UTF16PtrFromString(debugTriggerEventName)
 	if err != nil {
 		log.Errorf("Failed to convert event name '%s' to UTF16: %v", debugTriggerEventName, err)
 		return
 	}
 	// TODO: restrict access by ACL
 	eventHandle, err := windows.CreateEvent(nil, 1, 0, eventNamePtr)
 	if err != nil {
 		if errors.Is(err, windows.ERROR_ALREADY_EXISTS) {
 			log.Warnf("Debug trigger event '%s' already exists. Attempting to open.", debugTriggerEventName)
 			// SYNCHRONIZE is needed for WaitForSingleObject, EVENT_MODIFY_STATE for ResetEvent.
 			eventHandle, err = windows.OpenEvent(windows.SYNCHRONIZE|windows.EVENT_MODIFY_STATE, false, eventNamePtr)
 			if err != nil {
 				log.Errorf("Failed to open existing debug trigger event '%s': %v", debugTriggerEventName, err)
 				return
 			}
 			log.Infof("Successfully opened existing debug trigger event '%s'.", debugTriggerEventName)
 		} else {
 			log.Errorf("Failed to create debug trigger event '%s': %v", debugTriggerEventName, err)
 			return
 		}
 	}
 	if eventHandle == windows.InvalidHandle {
 		log.Errorf("Obtained an invalid handle for debug trigger event '%s'", debugTriggerEventName)
 		return
 	}
 	log.Infof("Debug handler waiting for signal on event: %s", debugTriggerEventName)
 	go waitForEvent(ctx, config, recorder, connectClient, logFilePath, eventHandle)
 }
 func waitForEvent(
 	ctx context.Context,
 	config *internal.Config,
 	recorder *peer.Status,
 	connectClient *internal.ConnectClient,
 	logFilePath string,
 	eventHandle windows.Handle,
 ) {
 	defer func() {
 		if err := windows.CloseHandle(eventHandle); err != nil {
 			log.Errorf("Failed to close debug event handle '%s': %v", debugTriggerEventName, err)
 		}
 	}()
 	for {
 		if ctx.Err() != nil {
 			return
 		}
 		status, err := windows.WaitForSingleObject(eventHandle, uint32(waitTimeout.Milliseconds()))
 		switch status {
 		case windows.WAIT_OBJECT_0:
 			log.Info("Received signal on debug event. Triggering debug bundle generation.")
 			// reset the event so it can be triggered again later (manual reset == 1)
 			if err := windows.ResetEvent(eventHandle); err != nil {
 				log.Errorf("Failed to reset debug event '%s': %v", debugTriggerEventName, err)
 			}
 			go generateDebugBundle(config, recorder, connectClient, logFilePath)
 		case uint32(windows.WAIT_TIMEOUT):
 		default:
 			log.Errorf("Unexpected status %d from WaitForSingleObject for debug event '%s': %v", status, debugTriggerEventName, err)
 			select {
 			case <-time.After(5 * time.Second):
 			case <-ctx.Done():
 				return
 			}
 		}
 	}
 }
--- a/client/cmd/login.go
+++ b/client/cmd/login.go
@@ -55,6 +55,9 @@ var loginCmd = &cobra.Command{
 				return err
 			}
 			// update host's static platform and system information
 			system.UpdateStaticInfo()
 			ic := internal.ConfigInput{
 				ManagementURL: managementURL,
 				AdminURL:      adminURL,
--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -22,6 +22,7 @@ import (
 	"google.golang.org/grpc/credentials/insecure"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/upload-server/types"
 )
 const (
@@ -39,6 +40,8 @@ const (
 	dnsRouteIntervalFlag    = "dns-router-interval"
 	systemInfoFlag          = "system-info"
 	blockLANAccessFlag      = "block-lan-access"
 	uploadBundle            = "upload-bundle"
 	uploadBundleURL         = "upload-bundle-url"
 )
 var (
@@ -75,6 +78,8 @@ var (
 	debugSystemInfoFlag     bool
 	dnsRouteInterval        time.Duration
 	blockLANAccess          bool
 	debugUploadBundle       bool
 	debugUploadBundleURL    string
 	rootCmd = &cobra.Command{
 		Use:          "netbird",
@@ -181,6 +186,8 @@ func init() {
 	upCmd.PersistentFlags().BoolVar(&autoConnectDisabled, disableAutoConnectFlag, false, "Disables auto-connect feature. If enabled, then the client won't connect automatically when the service starts.")
 	debugCmd.PersistentFlags().BoolVarP(&debugSystemInfoFlag, systemInfoFlag, "S", true, "Adds system information to the debug bundle")
 	debugCmd.PersistentFlags().BoolVarP(&debugUploadBundle, uploadBundle, "U", false, fmt.Sprintf("Uploads the debug bundle to a server from URL defined by %s", uploadBundleURL))
 	debugCmd.PersistentFlags().StringVar(&debugUploadBundleURL, uploadBundleURL, types.DefaultBundleURL, "Service URL to get an URL to upload the debug bundle")
 }
 // SetupCloseHandler handles SIGTERM signal and exits with success
--- a/client/cmd/service_controller.go
+++ b/client/cmd/service_controller.go
@@ -16,12 +16,17 @@ import (
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/server"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/util"
 )
 func (p *program) Start(svc service.Service) error {
 	// Start should not block. Do the actual work async.
 	log.Info("starting Netbird service") //nolint
 	// Collect static system and platform information
 	system.UpdateStaticInfo()
 	// in any case, even if configuration does not exists we run daemon to serve CLI gRPC API.
 	p.serv = grpc.NewServer()
@@ -115,6 +120,7 @@ var runCmd = &cobra.Command{
 		ctx, cancel := context.WithCancel(cmd.Context())
 		SetupCloseHandler(ctx, cancel)
 		SetupDebugHandler(ctx, nil, nil, nil, logFile)
 		s, err := newSVC(newProgram(ctx, cancel), newSVCConfig())
 		if err != nil {
--- a/client/cmd/testutil_test.go
+++ b/client/cmd/testutil_test.go
@@ -92,11 +92,16 @@ func startManagement(t *testing.T, config *types.Config, testFile string) (*grpc
 	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
 	require.NoError(t, err)
 	permissionsManagerMock := permissions.NewManagerMock()
 	ctrl := gomock.NewController(t)
 	t.Cleanup(ctrl.Finish)
 	settingsMockManager := settings.NewMockManager(ctrl)
 	permissionsManagerMock := permissions.NewMockManager(ctrl)
 	settingsMockManager.EXPECT().
 		GetSettings(gomock.Any(), gomock.Any(), gomock.Any()).
 		Return(&types.Settings{}, nil).
 		AnyTimes()
 	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock)
 	if err != nil {
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -219,6 +219,8 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 	r.GetFullStatus()
 	connectClient := internal.NewConnectClient(ctx, config, r)
 	SetupDebugHandler(ctx, config, r, connectClient, "")
 	return connectClient.Run(nil)
 }
--- a/client/firewall/iptables/manager_linux.go
+++ b/client/firewall/iptables/manager_linux.go
@@ -113,17 +113,16 @@ func (m *Manager) AddPeerFiltering(
 func (m *Manager) AddRouteFiltering(
 	id []byte,
 	sources []netip.Prefix,
-	destination netip.Prefix,
+	destination firewall.Network,
 	proto firewall.Protocol,
-	sPort *firewall.Port,
+	sPort, dPort *firewall.Port,
 	dPort *firewall.Port,
 	action firewall.Action,
 ) (firewall.Rule, error) {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
-	if !destination.Addr().Is4() {
+	if destination.IsPrefix() && !destination.Prefix.Addr().Is4() {
-		return nil, fmt.Errorf("unsupported IP version: %s", destination.Addr().String())
+		return nil, fmt.Errorf("unsupported IP version: %s", destination.Prefix.Addr().String())
 	}
 	return m.router.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
@@ -243,6 +242,14 @@ func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
 	return m.router.DeleteDNATRule(rule)
 }
 // UpdateSet updates the set with the given prefixes
 func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	return m.router.UpdateSet(set, prefixes)
 }
 func getConntrackEstablished() []string {
 	return []string{"-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
 }
--- a/client/firewall/iptables/router_linux.go
+++ b/client/firewall/iptables/router_linux.go
@@ -57,18 +57,18 @@ type ruleInfo struct {
 }
 type routeFilteringRuleParams struct {
-	Sources     []netip.Prefix
+	Source      firewall.Network
-	Destination netip.Prefix
+	Destination firewall.Network
 	Proto       firewall.Protocol
 	SPort       *firewall.Port
 	DPort       *firewall.Port
 	Direction   firewall.RuleDirection
 	Action      firewall.Action
 	SetName     string
 }
 type routeRules map[string][]string
 // the ipset library currently does not support comments, so we use the name only (string)
 type ipsetCounter = refcounter.Counter[string, []netip.Prefix, struct{}]
 type router struct {
@@ -129,7 +129,7 @@ func (r *router) init(stateManager *statemanager.Manager) error {
 func (r *router) AddRouteFiltering(
 	id []byte,
 	sources []netip.Prefix,
-	destination netip.Prefix,
+	destination firewall.Network,
 	proto firewall.Protocol,
 	sPort *firewall.Port,
 	dPort *firewall.Port,
@@ -140,27 +140,28 @@ func (r *router) AddRouteFiltering(
 		return ruleKey, nil
 	}
-	var setName string
+	var source firewall.Network
 	if len(sources) > 1 {
-		setName = firewall.GenerateSetName(sources)
+		source.Set = firewall.NewPrefixSet(sources)
-		if _, err := r.ipsetCounter.Increment(setName, sources); err != nil {
+	} else if len(sources) > 0 {
-			return nil, fmt.Errorf("create or get ipset: %w", err)
+		source.Prefix = sources[0]
 		}
 	}
 	params := routeFilteringRuleParams{
-		Sources:     sources,
+		Source:      source,
 		Destination: destination,
 		Proto:       proto,
 		SPort:       sPort,
 		DPort:       dPort,
 		Action:      action,
 		SetName:     setName,
 	}
-	rule := genRouteFilteringRuleSpec(params)
+	rule, err := r.genRouteRuleSpec(params, sources)
 	if err != nil {
 		return nil, fmt.Errorf("generate route rule spec: %w", err)
 	}
 	// Insert DROP rules at the beginning, append ACCEPT rules at the end
 	var err error
 	if action == firewall.ActionDrop {
 		// after the established rule
 		err = r.iptablesClient.Insert(tableFilter, chainRTFWDIN, 2, rule...)
@@ -183,17 +184,13 @@ func (r *router) DeleteRouteRule(rule firewall.Rule) error {
 	ruleKey := rule.ID()
 	if rule, exists := r.rules[ruleKey]; exists {
 		setName := r.findSetNameInRule(rule)
 		if err := r.iptablesClient.Delete(tableFilter, chainRTFWDIN, rule...); err != nil {
 			return fmt.Errorf("delete route rule: %v", err)
 		}
 		delete(r.rules, ruleKey)
-		if setName != "" {
+		if err := r.decrementSetCounter(rule); err != nil {
-			if _, err := r.ipsetCounter.Decrement(setName); err != nil {
+			return fmt.Errorf("decrement ipset counter: %w", err)
 				return fmt.Errorf("failed to remove ipset: %w", err)
 			}
 		}
 	} else {
 		log.Debugf("route rule %s not found", ruleKey)
@@ -204,13 +201,26 @@ func (r *router) DeleteRouteRule(rule firewall.Rule) error {
 	return nil
 }
-func (r *router) findSetNameInRule(rule []string) string {
+func (r *router) decrementSetCounter(rule []string) error {
 	sets := r.findSets(rule)
 	var merr *multierror.Error
 	for _, setName := range sets {
 		if _, err := r.ipsetCounter.Decrement(setName); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("decrement counter: %w", err))
 		}
 	}
 	return nberrors.FormatErrorOrNil(merr)
 }
 func (r *router) findSets(rule []string) []string {
 	var sets []string
 	for i, arg := range rule {
 		if arg == "-m" && i+3 < len(rule) && rule[i+1] == "set" && rule[i+2] == matchSet {
-			return rule[i+3]
+			sets = append(sets, rule[i+3])
 		}
 	}
-	return ""
+	return sets
 }
 func (r *router) createIpSet(setName string, sources []netip.Prefix) error {
@@ -231,6 +241,8 @@ func (r *router) deleteIpSet(setName string) error {
 	if err := ipset.Destroy(setName); err != nil {
 		return fmt.Errorf("destroy set %s: %w", setName, err)
 	}
 	log.Debugf("Deleted unused ipset %s", setName)
 	return nil
 }
@@ -270,6 +282,7 @@ func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
 		log.Errorf("%v", err)
 	}
 	if pair.Masquerade {
 		if err := r.removeNatRule(pair); err != nil {
 			return fmt.Errorf("remove nat rule: %w", err)
 		}
@@ -277,6 +290,7 @@ func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
 		if err := r.removeNatRule(firewall.GetInversePair(pair)); err != nil {
 			return fmt.Errorf("remove inverse nat rule: %w", err)
 		}
 	}
 	if err := r.removeLegacyRouteRule(pair); err != nil {
 		return fmt.Errorf("remove legacy routing rule: %w", err)
@@ -313,8 +327,10 @@ func (r *router) removeLegacyRouteRule(pair firewall.RouterPair) error {
 			return fmt.Errorf("remove legacy forwarding rule %s -> %s: %v", pair.Source, pair.Destination, err)
 		}
 		delete(r.rules, ruleKey)
-	} else {
+
-		log.Debugf("legacy forwarding rule %s not found", ruleKey)
+		if err := r.decrementSetCounter(rule); err != nil {
 			return fmt.Errorf("decrement ipset counter: %w", err)
 		}
 	}
 	return nil
@@ -599,12 +615,26 @@ func (r *router) addNatRule(pair firewall.RouterPair) error {
 	rule = append(rule,
 		"-m", "conntrack",
 		"--ctstate", "NEW",
-		"-s", pair.Source.String(),
+	)
-		"-d", pair.Destination.String(),
+	sourceExp, err := r.applyNetwork("-s", pair.Source, nil)
 	if err != nil {
 		return fmt.Errorf("apply network -s: %w", err)
 	}
 	destExp, err := r.applyNetwork("-d", pair.Destination, nil)
 	if err != nil {
 		return fmt.Errorf("apply network -d: %w", err)
 	}
 	rule = append(rule, sourceExp...)
 	rule = append(rule, destExp...)
 	rule = append(rule,
 		"-j", "MARK", "--set-mark", fmt.Sprintf("%#x", markValue),
 	)
-	if err := r.iptablesClient.Append(tableMangle, chainRTPRE, rule...); err != nil {
+	// Ensure nat rules come first, so the mark can be overwritten.
 	// Currently overwritten by the dst-type LOCAL rules for redirected traffic.
 	if err := r.iptablesClient.Insert(tableMangle, chainRTPRE, 1, rule...); err != nil {
 		// TODO: rollback ipset counter
 		return fmt.Errorf("error while adding marking rule for %s: %v", pair.Destination, err)
 	}
@@ -622,6 +652,10 @@ func (r *router) removeNatRule(pair firewall.RouterPair) error {
 			return fmt.Errorf("error while removing marking rule for %s: %v", pair.Destination, err)
 		}
 		delete(r.rules, ruleKey)
 		if err := r.decrementSetCounter(rule); err != nil {
 			return fmt.Errorf("decrement ipset counter: %w", err)
 		}
 	} else {
 		log.Debugf("marking rule %s not found", ruleKey)
 	}
@@ -787,17 +821,21 @@ func (r *router) DeleteDNATRule(rule firewall.Rule) error {
 	return nberrors.FormatErrorOrNil(merr)
 }
-func genRouteFilteringRuleSpec(params routeFilteringRuleParams) []string {
+func (r *router) genRouteRuleSpec(params routeFilteringRuleParams, sources []netip.Prefix) ([]string, error) {
 	var rule []string
-	if params.SetName != "" {
+	sourceExp, err := r.applyNetwork("-s", params.Source, sources)
-		rule = append(rule, "-m", "set", matchSet, params.SetName, "src")
+	if err != nil {
-	} else if len(params.Sources) > 0 {
+		return nil, fmt.Errorf("apply network -s: %w", err)
-		source := params.Sources[0]
+
-		rule = append(rule, "-s", source.String())
+	}
 	destExp, err := r.applyNetwork("-d", params.Destination, nil)
 	if err != nil {
 		return nil, fmt.Errorf("apply network -d: %w", err)
 	}
-	rule = append(rule, "-d", params.Destination.String())
+	rule = append(rule, sourceExp...)
 	rule = append(rule, destExp...)
 	if params.Proto != firewall.ProtocolALL {
 		rule = append(rule, "-p", strings.ToLower(string(params.Proto)))
@@ -807,7 +845,47 @@ func genRouteFilteringRuleSpec(params routeFilteringRuleParams) []string {
 	rule = append(rule, "-j", actionToStr(params.Action))
-	return rule
+	return rule, nil
 }
 func (r *router) applyNetwork(flag string, network firewall.Network, prefixes []netip.Prefix) ([]string, error) {
 	direction := "src"
 	if flag == "-d" {
 		direction = "dst"
 	}
 	if network.IsSet() {
 		if _, err := r.ipsetCounter.Increment(network.Set.HashedName(), prefixes); err != nil {
 			return nil, fmt.Errorf("create or get ipset: %w", err)
 		}
 		return []string{"-m", "set", matchSet, network.Set.HashedName(), direction}, nil
 	}
 	if network.IsPrefix() {
 		return []string{flag, network.Prefix.String()}, nil
 	}
 	// nolint:nilnil
 	return nil, nil
 }
 func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	var merr *multierror.Error
 	for _, prefix := range prefixes {
 		// TODO: Implement IPv6 support
 		if prefix.Addr().Is6() {
 			log.Tracef("skipping IPv6 prefix %s: IPv6 support not yet implemented", prefix)
 			continue
 		}
 		if err := ipset.AddPrefix(set.HashedName(), prefix); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("increment ipset counter: %w", err))
 		}
 	}
 	if merr == nil {
 		log.Debugf("updated set %s with prefixes %v", set.HashedName(), prefixes)
 	}
 	return nberrors.FormatErrorOrNil(merr)
 }
 func applyPort(flag string, port *firewall.Port) []string {
--- a/client/firewall/iptables/router_linux_test.go
+++ b/client/firewall/iptables/router_linux_test.go
@@ -60,8 +60,8 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 	pair := firewall.RouterPair{
 		ID:          "abc",
-		Source:      netip.MustParsePrefix("100.100.100.1/32"),
+		Source:      firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.1/32")},
-		Destination: netip.MustParsePrefix("100.100.100.0/24"),
+		Destination: firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.0/24")},
 		Masquerade:  true,
 	}
@@ -332,7 +332,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			ruleKey, err := r.AddRouteFiltering(nil, tt.sources, tt.destination, tt.proto, tt.sPort, tt.dPort, tt.action)
+			ruleKey, err := r.AddRouteFiltering(nil, tt.sources, firewall.Network{Prefix: tt.destination}, tt.proto, tt.sPort, tt.dPort, tt.action)
 			require.NoError(t, err, "AddRouteFiltering failed")
 			// Check if the rule is in the internal map
@@ -347,23 +347,29 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			assert.NoError(t, err, "Failed to check rule existence")
 			assert.True(t, exists, "Rule not found in iptables")
 			var source firewall.Network
 			if len(tt.sources) > 1 {
 				source.Set = firewall.NewPrefixSet(tt.sources)
 			} else if len(tt.sources) > 0 {
 				source.Prefix = tt.sources[0]
 			}
 			// Verify rule content
 			params := routeFilteringRuleParams{
-				Sources:     tt.sources,
+				Source:      source,
-				Destination: tt.destination,
+				Destination: firewall.Network{Prefix: tt.destination},
 				Proto:       tt.proto,
 				SPort:       tt.sPort,
 				DPort:       tt.dPort,
 				Action:      tt.action,
 				SetName:     "",
 			}
-			expectedRule := genRouteFilteringRuleSpec(params)
+			expectedRule, err := r.genRouteRuleSpec(params, nil)
 			require.NoError(t, err, "Failed to generate expected rule spec")
 			if tt.expectSet {
-				setName := firewall.GenerateSetName(tt.sources)
+				setName := firewall.NewPrefixSet(tt.sources).HashedName()
-				params.SetName = setName
+				expectedRule, err = r.genRouteRuleSpec(params, nil)
-				expectedRule = genRouteFilteringRuleSpec(params)
+				require.NoError(t, err, "Failed to generate expected rule spec with set")
 				// Check if the set was created
 				_, exists := r.ipsetCounter.Get(setName)
@@ -378,3 +384,62 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 		})
 	}
 }
 func TestFindSetNameInRule(t *testing.T) {
 	r := &router{}
 	testCases := []struct {
 		name     string
 		rule     []string
 		expected []string
 	}{
 		{
 			name: "Basic rule with two sets",
 			rule: []string{
 				"-A", "NETBIRD-RT-FWD-IN", "-p", "tcp", "-m", "set", "--match-set", "nb-2e5a2a05", "src",
 				"-m", "set", "--match-set", "nb-349ae051", "dst", "-m", "tcp", "--dport", "8080", "-j", "ACCEPT",
 			},
 			expected: []string{"nb-2e5a2a05", "nb-349ae051"},
 		},
 		{
 			name:     "No sets",
 			rule:     []string{"-A", "NETBIRD-RT-FWD-IN", "-p", "tcp", "-j", "ACCEPT"},
 			expected: []string{},
 		},
 		{
 			name: "Multiple sets with different positions",
 			rule: []string{
 				"-m", "set", "--match-set", "set1", "src", "-p", "tcp",
 				"-m", "set", "--match-set", "set-abc123", "dst", "-j", "ACCEPT",
 			},
 			expected: []string{"set1", "set-abc123"},
 		},
 		{
 			name:     "Boundary case - sequence appears at end",
 			rule:     []string{"-p", "tcp", "-m", "set", "--match-set", "final-set"},
 			expected: []string{"final-set"},
 		},
 		{
 			name:     "Incomplete pattern - missing set name",
 			rule:     []string{"-p", "tcp", "-m", "set", "--match-set"},
 			expected: []string{},
 		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			result := r.findSets(tc.rule)
 			if len(result) != len(tc.expected) {
 				t.Errorf("Expected %d sets, got %d. Sets found: %v", len(tc.expected), len(result), result)
 				return
 			}
 			for i, set := range result {
 				if set != tc.expected[i] {
 					t.Errorf("Expected set %q at position %d, got %q", tc.expected[i], i, set)
 				}
 			}
 		})
 	}
 }
--- a/client/firewall/manager/firewall.go
+++ b/client/firewall/manager/firewall.go
@@ -1,13 +1,10 @@
 package manager
 import (
 	"crypto/sha256"
 	"encoding/hex"
 	"fmt"
 	"net"
 	"net/netip"
 	"sort"
 	"strings"
 	log "github.com/sirupsen/logrus"
@@ -43,6 +40,18 @@ const (
 // Action is the action to be taken on a rule
 type Action int
 // String returns the string representation of the action
 func (a Action) String() string {
 	switch a {
 	case ActionAccept:
 		return "accept"
 	case ActionDrop:
 		return "drop"
 	default:
 		return "unknown"
 	}
 }
 const (
 	// ActionAccept is the action to accept a packet
 	ActionAccept Action = iota
@@ -50,6 +59,33 @@ const (
 	ActionDrop
 )
 // Network is a rule destination, either a set or a prefix
 type Network struct {
 	Set    Set
 	Prefix netip.Prefix
 }
 // String returns the string representation of the destination
 func (d Network) String() string {
 	if d.Prefix.IsValid() {
 		return d.Prefix.String()
 	}
 	if d.IsSet() {
 		return d.Set.HashedName()
 	}
 	return "<invalid network>"
 }
 // IsSet returns true if the destination is a set
 func (d Network) IsSet() bool {
 	return d.Set != Set{}
 }
 // IsPrefix returns true if the destination is a valid prefix
 func (d Network) IsPrefix() bool {
 	return d.Prefix.IsValid()
 }
 // Manager is the high level abstraction of a firewall manager
 //
 // It declares methods which handle actions required by the
@@ -83,10 +119,9 @@ type Manager interface {
 	AddRouteFiltering(
 		id []byte,
 		sources []netip.Prefix,
-		destination netip.Prefix,
+		destination Network,
 		proto Protocol,
-		sPort *Port,
+		sPort, dPort *Port,
 		dPort *Port,
 		action Action,
 	) (Rule, error)
@@ -119,6 +154,9 @@ type Manager interface {
 	// DeleteDNATRule deletes a DNAT rule
 	DeleteDNATRule(Rule) error
 	// UpdateSet updates the set with the given prefixes
 	UpdateSet(hash Set, prefixes []netip.Prefix) error
 }
 func GenKey(format string, pair RouterPair) string {
@@ -153,22 +191,6 @@ func SetLegacyManagement(router LegacyManager, isLegacy bool) error {
 	return nil
 }
 // GenerateSetName generates a unique name for an ipset based on the given sources.
 func GenerateSetName(sources []netip.Prefix) string {
 	// sort for consistent naming
 	SortPrefixes(sources)
 	var sourcesStr strings.Builder
 	for _, src := range sources {
 		sourcesStr.WriteString(src.String())
 	}
 	hash := sha256.Sum256([]byte(sourcesStr.String()))
 	shortHash := hex.EncodeToString(hash[:])[:8]
 	return fmt.Sprintf("nb-%s", shortHash)
 }
 // MergeIPRanges merges overlapping IP ranges and returns a slice of non-overlapping netip.Prefix
 func MergeIPRanges(prefixes []netip.Prefix) []netip.Prefix {
 	if len(prefixes) == 0 {
--- a/client/firewall/manager/firewall_test.go
+++ b/client/firewall/manager/firewall_test.go
@@ -20,8 +20,8 @@ func TestGenerateSetName(t *testing.T) {
 			netip.MustParsePrefix("192.168.1.0/24"),
 		}
-		result1 := manager.GenerateSetName(prefixes1)
+		result1 := manager.NewPrefixSet(prefixes1)
-		result2 := manager.GenerateSetName(prefixes2)
+		result2 := manager.NewPrefixSet(prefixes2)
 		if result1 != result2 {
 			t.Errorf("Different orders produced different hashes: %s != %s", result1, result2)
@@ -34,9 +34,9 @@ func TestGenerateSetName(t *testing.T) {
 			netip.MustParsePrefix("10.0.0.0/8"),
 		}
-		result := manager.GenerateSetName(prefixes)
+		result := manager.NewPrefixSet(prefixes)
-		matched, err := regexp.MatchString(`^nb-[0-9a-f]{8}$`, result)
+		matched, err := regexp.MatchString(`^nb-[0-9a-f]{8}$`, result.HashedName())
 		if err != nil {
 			t.Fatalf("Error matching regex: %v", err)
 		}
@@ -46,8 +46,8 @@ func TestGenerateSetName(t *testing.T) {
 	})
 	t.Run("Empty input produces consistent result", func(t *testing.T) {
-		result1 := manager.GenerateSetName([]netip.Prefix{})
+		result1 := manager.NewPrefixSet([]netip.Prefix{})
-		result2 := manager.GenerateSetName([]netip.Prefix{})
+		result2 := manager.NewPrefixSet([]netip.Prefix{})
 		if result1 != result2 {
 			t.Errorf("Empty input produced inconsistent results: %s != %s", result1, result2)
@@ -64,8 +64,8 @@ func TestGenerateSetName(t *testing.T) {
 			netip.MustParsePrefix("192.168.1.0/24"),
 		}
-		result1 := manager.GenerateSetName(prefixes1)
+		result1 := manager.NewPrefixSet(prefixes1)
-		result2 := manager.GenerateSetName(prefixes2)
+		result2 := manager.NewPrefixSet(prefixes2)
 		if result1 != result2 {
 			t.Errorf("Different orders of IPv4 and IPv6 produced different hashes: %s != %s", result1, result2)
--- a/client/firewall/manager/routerpair.go
+++ b/client/firewall/manager/routerpair.go
@@ -1,15 +1,13 @@
 package manager
 import (
 	"net/netip"
 	"github.com/netbirdio/netbird/route"
 )
 type RouterPair struct {
 	ID          route.ID
-	Source      netip.Prefix
+	Source      Network
-	Destination netip.Prefix
+	Destination Network
 	Masquerade  bool
 	Inverse     bool
 }
--- a/client/firewall/manager/set.go
+++ b/client/firewall/manager/set.go
@@ -0,0 +1,74 @@
 package manager
 import (
 	"crypto/sha256"
 	"encoding/hex"
 	"fmt"
 	"net/netip"
 	"slices"
 	log "github.com/sirupsen/logrus"
 	"github.com/netbirdio/netbird/management/domain"
 )
 type Set struct {
 	hash    [4]byte
 	comment string
 }
 // String returns the string representation of the set: hashed name and comment
 func (h Set) String() string {
 	if h.comment == "" {
 		return h.HashedName()
 	}
 	return h.HashedName() + ": " + h.comment
 }
 // HashedName returns the string representation of the hash
 func (h Set) HashedName() string {
 	return fmt.Sprintf(
 		"nb-%s",
 		hex.EncodeToString(h.hash[:]),
 	)
 }
 // Comment returns the comment of the set
 func (h Set) Comment() string {
 	return h.comment
 }
 // NewPrefixSet generates a unique name for an ipset based on the given prefixes.
 func NewPrefixSet(prefixes []netip.Prefix) Set {
 	// sort for consistent naming
 	SortPrefixes(prefixes)
 	hash := sha256.New()
 	for _, src := range prefixes {
 		bytes, err := src.MarshalBinary()
 		if err != nil {
 			log.Warnf("failed to marshal prefix %s: %v", src, err)
 		}
 		hash.Write(bytes)
 	}
 	var set Set
 	copy(set.hash[:], hash.Sum(nil)[:4])
 	return set
 }
 // NewDomainSet generates a unique name for an ipset based on the given domains.
 func NewDomainSet(domains domain.List) Set {
 	slices.Sort(domains)
 	hash := sha256.New()
 	for _, d := range domains {
 		hash.Write([]byte(d.PunycodeString()))
 	}
 	set := Set{
 		comment: domains.SafeString(),
 	}
 	copy(set.hash[:], hash.Sum(nil)[:4])
 	return set
 }
--- a/client/firewall/nftables/manager_linux.go
+++ b/client/firewall/nftables/manager_linux.go
@@ -135,17 +135,16 @@ func (m *Manager) AddPeerFiltering(
 func (m *Manager) AddRouteFiltering(
 	id []byte,
 	sources []netip.Prefix,
-	destination netip.Prefix,
+	destination firewall.Network,
 	proto firewall.Protocol,
-	sPort *firewall.Port,
+	sPort, dPort *firewall.Port,
 	dPort *firewall.Port,
 	action firewall.Action,
 ) (firewall.Rule, error) {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
-	if !destination.Addr().Is4() {
+	if destination.IsPrefix() && !destination.Prefix.Addr().Is4() {
-		return nil, fmt.Errorf("unsupported IP version: %s", destination.Addr().String())
+		return nil, fmt.Errorf("unsupported IP version: %s", destination.Prefix.Addr().String())
 	}
 	return m.router.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
@@ -242,7 +241,7 @@ func (m *Manager) SetLegacyManagement(isLegacy bool) error {
 	return firewall.SetLegacyManagement(m.router, isLegacy)
 }
-// Reset firewall to the default state
+// Close closes the firewall manager
 func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
@@ -359,6 +358,14 @@ func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
 	return m.router.DeleteDNATRule(rule)
 }
 // UpdateSet updates the set with the given prefixes
 func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	return m.router.UpdateSet(set, prefixes)
 }
 func (m *Manager) createWorkTable() (*nftables.Table, error) {
 	tables, err := m.rConn.ListTablesOfFamily(nftables.TableFamilyIPv4)
 	if err != nil {
--- a/client/firewall/nftables/manager_linux_test.go
+++ b/client/firewall/nftables/manager_linux_test.go
@@ -289,7 +289,7 @@ func TestNftablesManagerCompatibilityWithIptables(t *testing.T) {
 	_, err = manager.AddRouteFiltering(
 		nil,
 		[]netip.Prefix{netip.MustParsePrefix("192.168.2.0/24")},
-		netip.MustParsePrefix("10.1.0.0/24"),
+		fw.Network{Prefix: netip.MustParsePrefix("10.1.0.0/24")},
 		fw.ProtocolTCP,
 		nil,
 		&fw.Port{Values: []uint16{443}},
@@ -298,8 +298,8 @@ func TestNftablesManagerCompatibilityWithIptables(t *testing.T) {
 	require.NoError(t, err, "failed to add route filtering rule")
 	pair := fw.RouterPair{
-		Source:      netip.MustParsePrefix("192.168.1.0/24"),
+		Source:      fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
-		Destination: netip.MustParsePrefix("10.0.0.0/24"),
+		Destination: fw.Network{Prefix: netip.MustParsePrefix("10.0.0.0/24")},
 		Masquerade:  true,
 	}
 	err = manager.AddNatRule(pair)
--- a/client/firewall/nftables/router_linux.go
+++ b/client/firewall/nftables/router_linux.go
@@ -10,7 +10,6 @@ import (
 	"strings"
 	"github.com/coreos/go-iptables/iptables"
 	"github.com/davecgh/go-spew/spew"
 	"github.com/google/nftables"
 	"github.com/google/nftables/binaryutil"
 	"github.com/google/nftables/expr"
@@ -44,9 +43,14 @@ const (
 const refreshRulesMapError = "refresh rules map: %w"
 var (
-	errFilterTableNotFound = fmt.Errorf("nftables: 'filter' table not found")
+	errFilterTableNotFound = fmt.Errorf("'filter' table not found")
 )
 type setInput struct {
 	set      firewall.Set
 	prefixes []netip.Prefix
 }
 type router struct {
 	conn        *nftables.Conn
 	workTable   *nftables.Table
@@ -54,7 +58,7 @@ type router struct {
 	chains      map[string]*nftables.Chain
 	// rules is useful to avoid duplicates and to get missing attributes that we don't have when adding new rules
 	rules        map[string]*nftables.Rule
-	ipsetCounter *refcounter.Counter[string, []netip.Prefix, *nftables.Set]
+	ipsetCounter *refcounter.Counter[string, setInput, *nftables.Set]
 	wgIface          iFaceMapper
 	ipFwdState       *ipfwdstate.IPForwardingState
@@ -163,7 +167,7 @@ func (r *router) removeNatPreroutingRules() error {
 func (r *router) loadFilterTable() (*nftables.Table, error) {
 	tables, err := r.conn.ListTablesOfFamily(nftables.TableFamilyIPv4)
 	if err != nil {
-		return nil, fmt.Errorf("nftables: unable to list tables: %v", err)
+		return nil, fmt.Errorf("unable to list tables: %v", err)
 	}
 	for _, table := range tables {
@@ -316,7 +320,7 @@ func (r *router) setupDataPlaneMark() error {
 func (r *router) AddRouteFiltering(
 	id []byte,
 	sources []netip.Prefix,
-	destination netip.Prefix,
+	destination firewall.Network,
 	proto firewall.Protocol,
 	sPort *firewall.Port,
 	dPort *firewall.Port,
@@ -331,23 +335,29 @@ func (r *router) AddRouteFiltering(
 	chain := r.chains[chainNameRoutingFw]
 	var exprs []expr.Any
 	var source firewall.Network
 	switch {
 	case len(sources) == 1 && sources[0].Bits() == 0:
 		// If it's 0.0.0.0/0, we don't need to add any source matching
 	case len(sources) == 1:
 		// If there's only one source, we can use it directly
-		exprs = append(exprs, generateCIDRMatcherExpressions(true, sources[0])...)
+		source.Prefix = sources[0]
 	default:
-		// If there are multiple sources, create or get an ipset
+		// If there are multiple sources, use a set
-		var err error
+		source.Set = firewall.NewPrefixSet(sources)
 		exprs, err = r.getIpSetExprs(sources, exprs)
 		if err != nil {
 			return nil, fmt.Errorf("get ipset expressions: %w", err)
 		}
 	}
-	// Handle destination
+	sourceExp, err := r.applyNetwork(source, sources, true)
-	exprs = append(exprs, generateCIDRMatcherExpressions(false, destination)...)
+	if err != nil {
 		return nil, fmt.Errorf("apply source: %w", err)
 	}
 	exprs = append(exprs, sourceExp...)
 	destExp, err := r.applyNetwork(destination, nil, false)
 	if err != nil {
 		return nil, fmt.Errorf("apply destination: %w", err)
 	}
 	exprs = append(exprs, destExp...)
 	// Handle protocol
 	if proto != firewall.ProtocolALL {
@@ -391,39 +401,27 @@ func (r *router) AddRouteFiltering(
 		rule = r.conn.AddRule(rule)
 	}
 	log.Tracef("Adding route rule %s", spew.Sdump(rule))
 	if err := r.conn.Flush(); err != nil {
 		return nil, fmt.Errorf(flushError, err)
 	}
 	r.rules[string(ruleKey)] = rule
-	log.Debugf("nftables: added route rule: sources=%v, destination=%v, proto=%v, sPort=%v, dPort=%v, action=%v", sources, destination, proto, sPort, dPort, action)
+	log.Debugf("added route rule: sources=%v, destination=%v, proto=%v, sPort=%v, dPort=%v, action=%v", sources, destination, proto, sPort, dPort, action)
 	return ruleKey, nil
 }
-func (r *router) getIpSetExprs(sources []netip.Prefix, exprs []expr.Any) ([]expr.Any, error) {
+func (r *router) getIpSet(set firewall.Set, prefixes []netip.Prefix, isSource bool) ([]expr.Any, error) {
-	setName := firewall.GenerateSetName(sources)
+	ref, err := r.ipsetCounter.Increment(set.HashedName(), setInput{
-	ref, err := r.ipsetCounter.Increment(setName, sources)
+		set:      set,
 		prefixes: prefixes,
 	})
 	if err != nil {
-		return nil, fmt.Errorf("create or get ipset for sources: %w", err)
+		return nil, fmt.Errorf("create or get ipset: %w", err)
 	}
-	exprs = append(exprs,
+	return getIpSetExprs(ref, isSource)
 		&expr.Payload{
 			DestRegister: 1,
 			Base:         expr.PayloadBaseNetworkHeader,
 			Offset:       12,
 			Len:          4,
 		},
 		&expr.Lookup{
 			SourceRegister: 1,
 			SetName:        ref.Out.Name,
 			SetID:          ref.Out.ID,
 		},
 	)
 	return exprs, nil
 }
 func (r *router) DeleteRouteRule(rule firewall.Rule) error {
@@ -442,42 +440,54 @@ func (r *router) DeleteRouteRule(rule firewall.Rule) error {
 		return fmt.Errorf("route rule %s has no handle", ruleKey)
 	}
 	setName := r.findSetNameInRule(nftRule)
 	if err := r.deleteNftRule(nftRule, ruleKey); err != nil {
 		return fmt.Errorf("delete: %w", err)
 	}
 	if setName != "" {
 		if _, err := r.ipsetCounter.Decrement(setName); err != nil {
 			return fmt.Errorf("decrement ipset reference: %w", err)
 		}
 	}
 	if err := r.conn.Flush(); err != nil {
 		return fmt.Errorf(flushError, err)
 	}
 	if err := r.decrementSetCounter(nftRule); err != nil {
 		return fmt.Errorf("decrement set counter: %w", err)
 	}
 	return nil
 }
-func (r *router) createIpSet(setName string, sources []netip.Prefix) (*nftables.Set, error) {
+func (r *router) createIpSet(setName string, input setInput) (*nftables.Set, error) {
 	// overlapping prefixes will result in an error, so we need to merge them
-	sources = firewall.MergeIPRanges(sources)
+	prefixes := firewall.MergeIPRanges(input.prefixes)
-	set := &nftables.Set{
+	nfset := &nftables.Set{
 		Name:    setName,
 		Comment: input.set.Comment(),
 		Table:   r.workTable,
 		// required for prefixes
 		Interval: true,
 		KeyType:  nftables.TypeIPAddr,
 	}
 	elements := convertPrefixesToSet(prefixes)
 	if err := r.conn.AddSet(nfset, elements); err != nil {
 		return nil, fmt.Errorf("error adding elements to set %s: %w", setName, err)
 	}
 	if err := r.conn.Flush(); err != nil {
 		return nil, fmt.Errorf("flush error: %w", err)
 	}
 	log.Printf("Created new ipset: %s with %d elements", setName, len(elements)/2)
 	return nfset, nil
 }
 func convertPrefixesToSet(prefixes []netip.Prefix) []nftables.SetElement {
 	var elements []nftables.SetElement
-	for _, prefix := range sources {
+	for _, prefix := range prefixes {
 		// TODO: Implement IPv6 support
 		if prefix.Addr().Is6() {
-			log.Printf("Skipping IPv6 prefix %s: IPv6 support not yet implemented", prefix)
+			log.Tracef("skipping IPv6 prefix %s: IPv6 support not yet implemented", prefix)
 			continue
 		}
@@ -493,18 +503,7 @@ func (r *router) createIpSet(setName string, sources []netip.Prefix) (*nftables.
 			nftables.SetElement{Key: lastIP.AsSlice(), IntervalEnd: true},
 		)
 	}
-
+	return elements
 	if err := r.conn.AddSet(set, elements); err != nil {
 		return nil, fmt.Errorf("error adding elements to set %s: %w", setName, err)
 	}
 	if err := r.conn.Flush(); err != nil {
 		return nil, fmt.Errorf("flush error: %w", err)
 	}
 	log.Printf("Created new ipset: %s with %d elements", setName, len(elements)/2)
 	return set, nil
 }
 // calculateLastIP determines the last IP in a given prefix.
@@ -528,8 +527,8 @@ func uint32ToBytes(ip uint32) [4]byte {
 	return b
 }
-func (r *router) deleteIpSet(setName string, set *nftables.Set) error {
+func (r *router) deleteIpSet(setName string, nfset *nftables.Set) error {
-	r.conn.DelSet(set)
+	r.conn.DelSet(nfset)
 	if err := r.conn.Flush(); err != nil {
 		return fmt.Errorf(flushError, err)
 	}
@@ -538,13 +537,27 @@ func (r *router) deleteIpSet(setName string, set *nftables.Set) error {
 	return nil
 }
-func (r *router) findSetNameInRule(rule *nftables.Rule) string {
+func (r *router) decrementSetCounter(rule *nftables.Rule) error {
 	sets := r.findSets(rule)
 	var merr *multierror.Error
 	for _, setName := range sets {
 		if _, err := r.ipsetCounter.Decrement(setName); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("decrement set counter: %w", err))
 		}
 	}
 	return nberrors.FormatErrorOrNil(merr)
 }
 func (r *router) findSets(rule *nftables.Rule) []string {
 	var sets []string
 	for _, e := range rule.Exprs {
 		if lookup, ok := e.(*expr.Lookup); ok {
-			return lookup.SetName
+			sets = append(sets, lookup.SetName)
 		}
 	}
-	return ""
+	return sets
 }
 func (r *router) deleteNftRule(rule *nftables.Rule, ruleKey string) error {
@@ -586,7 +599,8 @@ func (r *router) AddNatRule(pair firewall.RouterPair) error {
 	}
 	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf("nftables: insert rules for %s: %v", pair.Destination, err)
+		// TODO: rollback ipset counter
 		return fmt.Errorf("insert rules for %s: %v", pair.Destination, err)
 	}
 	return nil
@@ -594,19 +608,22 @@ func (r *router) AddNatRule(pair firewall.RouterPair) error {
 // addNatRule inserts a nftables rule to the conn client flush queue
 func (r *router) addNatRule(pair firewall.RouterPair) error {
-	sourceExp := generateCIDRMatcherExpressions(true, pair.Source)
+	sourceExp, err := r.applyNetwork(pair.Source, nil, true)
-	destExp := generateCIDRMatcherExpressions(false, pair.Destination)
+	if err != nil {
 		return fmt.Errorf("apply source: %w", err)
 	}
 	destExp, err := r.applyNetwork(pair.Destination, nil, false)
 	if err != nil {
 		return fmt.Errorf("apply destination: %w", err)
 	}
 	op := expr.CmpOpEq
 	if pair.Inverse {
 		op = expr.CmpOpNeq
 	}
-	// We only care about NEW connections to mark them and later identify them in the postrouting chain for masquerading.
+	exprs := []expr.Any{
 	// Masquerading will take care of the conntrack state, which means we won't need to mark established connections.
 	exprs := getCtNewExprs()
 	exprs = append(exprs,
 		// interface matching
 		&expr.Meta{
 			Key:      expr.MetaKeyIIFNAME,
 			Register: 1,
@@ -616,7 +633,10 @@ func (r *router) addNatRule(pair firewall.RouterPair) error {
 			Register: 1,
 			Data:     ifname(r.wgIface.Name()),
 		},
-	)
+	}
 	// We only care about NEW connections to mark them and later identify them in the postrouting chain for masquerading.
 	// Masquerading will take care of the conntrack state, which means we won't need to mark established connections.
 	exprs = append(exprs, getCtNewExprs()...)
 	exprs = append(exprs, sourceExp...)
 	exprs = append(exprs, destExp...)
@@ -646,7 +666,9 @@ func (r *router) addNatRule(pair firewall.RouterPair) error {
 		}
 	}
-	r.rules[ruleKey] = r.conn.AddRule(&nftables.Rule{
+	// Ensure nat rules come first, so the mark can be overwritten.
 	// Currently overwritten by the dst-type LOCAL rules for redirected traffic.
 	r.rules[ruleKey] = r.conn.InsertRule(&nftables.Rule{
 		Table:    r.workTable,
 		Chain:    r.chains[chainNameManglePrerouting],
 		Exprs:    exprs,
@@ -729,8 +751,15 @@ func (r *router) addPostroutingRules() error {
 // addLegacyRouteRule adds a legacy routing rule for mgmt servers pre route acls
 func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
-	sourceExp := generateCIDRMatcherExpressions(true, pair.Source)
+	sourceExp, err := r.applyNetwork(pair.Source, nil, true)
-	destExp := generateCIDRMatcherExpressions(false, pair.Destination)
+	if err != nil {
 		return fmt.Errorf("apply source: %w", err)
 	}
 	destExp, err := r.applyNetwork(pair.Destination, nil, false)
 	if err != nil {
 		return fmt.Errorf("apply destination: %w", err)
 	}
 	exprs := []expr.Any{
 		&expr.Counter{},
@@ -739,7 +768,8 @@ func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
 		},
 	}
-	expression := append(sourceExp, append(destExp, exprs...)...) // nolint:gocritic
+	exprs = append(exprs, sourceExp...)
 	exprs = append(exprs, destExp...)
 	ruleKey := firewall.GenKey(firewall.ForwardingFormat, pair)
@@ -752,7 +782,7 @@ func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
 	r.rules[ruleKey] = r.conn.AddRule(&nftables.Rule{
 		Table:    r.workTable,
 		Chain:    r.chains[chainNameRoutingFw],
-		Exprs:    expression,
+		Exprs:    exprs,
 		UserData: []byte(ruleKey),
 	})
 	return nil
@@ -767,11 +797,13 @@ func (r *router) removeLegacyRouteRule(pair firewall.RouterPair) error {
 			return fmt.Errorf("remove legacy forwarding rule %s -> %s: %v", pair.Source, pair.Destination, err)
 		}
-		log.Debugf("nftables: removed legacy forwarding rule %s -> %s", pair.Source, pair.Destination)
+		log.Debugf("removed legacy forwarding rule %s -> %s", pair.Source, pair.Destination)
 		delete(r.rules, ruleKey)
-	} else {
+
-		log.Debugf("nftables: legacy forwarding rule %s not found", ruleKey)
+		if err := r.decrementSetCounter(rule); err != nil {
 			return fmt.Errorf("decrement set counter: %w", err)
 		}
 	}
 	return nil
@@ -982,6 +1014,7 @@ func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}
 	if pair.Masquerade {
 		if err := r.removeNatRule(pair); err != nil {
 			return fmt.Errorf("remove prerouting rule: %w", err)
 		}
@@ -989,16 +1022,17 @@ func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
 		if err := r.removeNatRule(firewall.GetInversePair(pair)); err != nil {
 			return fmt.Errorf("remove inverse prerouting rule: %w", err)
 		}
 	}
 	if err := r.removeLegacyRouteRule(pair); err != nil {
 		return fmt.Errorf("remove legacy routing rule: %w", err)
 	}
 	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf("nftables: received error while applying rule removal for %s: %v", pair.Destination, err)
+		// TODO: rollback set counter
 		return fmt.Errorf("remove nat rules rule %s: %v", pair.Destination, err)
 	}
 	log.Debugf("nftables: removed nat rules for %s", pair.Destination)
 	return nil
 }
@@ -1006,16 +1040,19 @@ func (r *router) removeNatRule(pair firewall.RouterPair) error {
 	ruleKey := firewall.GenKey(firewall.PreroutingFormat, pair)
 	if rule, exists := r.rules[ruleKey]; exists {
-		err := r.conn.DelRule(rule)
+		if err := r.conn.DelRule(rule); err != nil {
 		if err != nil {
 			return fmt.Errorf("remove prerouting rule %s -> %s: %v", pair.Source, pair.Destination, err)
 		}
-		log.Debugf("nftables: removed prerouting rule %s -> %s", pair.Source, pair.Destination)
+		log.Debugf("removed prerouting rule %s -> %s", pair.Source, pair.Destination)
 		delete(r.rules, ruleKey)
 		if err := r.decrementSetCounter(rule); err != nil {
 			return fmt.Errorf("decrement set counter: %w", err)
 		}
 	} else {
-		log.Debugf("nftables: prerouting rule %s not found", ruleKey)
+		log.Debugf("prerouting rule %s not found", ruleKey)
 	}
 	return nil
@@ -1027,7 +1064,7 @@ func (r *router) refreshRulesMap() error {
 	for _, chain := range r.chains {
 		rules, err := r.conn.GetRules(chain.Table, chain)
 		if err != nil {
-			return fmt.Errorf("nftables: unable to list rules: %v", err)
+			return fmt.Errorf(" unable to list rules: %v", err)
 		}
 		for _, rule := range rules {
 			if len(rule.UserData) > 0 {
@@ -1301,13 +1338,54 @@ func (r *router) DeleteDNATRule(rule firewall.Rule) error {
 	return nberrors.FormatErrorOrNil(merr)
 }
-// generateCIDRMatcherExpressions generates nftables expressions that matches a CIDR
+func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
-func generateCIDRMatcherExpressions(source bool, prefix netip.Prefix) []expr.Any {
+	nfset, err := r.conn.GetSetByName(r.workTable, set.HashedName())
-	var offset uint32
+	if err != nil {
-	if source {
+		return fmt.Errorf("get set %s: %w", set.HashedName(), err)
-		offset = 12 // src offset
+	}
-	} else {
+
-		offset = 16 // dst offset
+	elements := convertPrefixesToSet(prefixes)
 	if err := r.conn.SetAddElements(nfset, elements); err != nil {
 		return fmt.Errorf("add elements to set %s: %w", set.HashedName(), err)
 	}
 	if err := r.conn.Flush(); err != nil {
 		return fmt.Errorf(flushError, err)
 	}
 	log.Debugf("updated set %s with prefixes %v", set.HashedName(), prefixes)
 	return nil
 }
 // applyNetwork generates nftables expressions for networks (CIDR) or sets
 func (r *router) applyNetwork(
 	network firewall.Network,
 	setPrefixes []netip.Prefix,
 	isSource bool,
 ) ([]expr.Any, error) {
 	if network.IsSet() {
 		exprs, err := r.getIpSet(network.Set, setPrefixes, isSource)
 		if err != nil {
 			return nil, fmt.Errorf("source: %w", err)
 		}
 		return exprs, nil
 	}
 	if network.IsPrefix() {
 		return applyPrefix(network.Prefix, isSource), nil
 	}
 	return nil, nil
 }
 // applyPrefix generates nftables expressions for a CIDR prefix
 func applyPrefix(prefix netip.Prefix, isSource bool) []expr.Any {
 	// dst offset
 	offset := uint32(16)
 	if isSource {
 		// src offset
 		offset = 12
 	}
 	ones := prefix.Bits()
@@ -1415,3 +1493,27 @@ func getCtNewExprs() []expr.Any {
 		},
 	}
 }
 func getIpSetExprs(ref refcounter.Ref[*nftables.Set], isSource bool) ([]expr.Any, error) {
 	// dst offset
 	offset := uint32(16)
 	if isSource {
 		// src offset
 		offset = 12
 	}
 	return []expr.Any{
 		&expr.Payload{
 			DestRegister: 1,
 			Base:         expr.PayloadBaseNetworkHeader,
 			Offset:       offset,
 			Len:          4,
 		},
 		&expr.Lookup{
 			SourceRegister: 1,
 			SetName:        ref.Out.Name,
 			SetID:          ref.Out.ID,
 		},
 	}, nil
 }
--- a/client/firewall/nftables/router_linux_test.go
+++ b/client/firewall/nftables/router_linux_test.go
@@ -88,8 +88,8 @@ func TestNftablesManager_AddNatRule(t *testing.T) {
 				}
 				// Build CIDR matching expressions
-				sourceExp := generateCIDRMatcherExpressions(true, testCase.InputPair.Source)
+				sourceExp := applyPrefix(testCase.InputPair.Source.Prefix, true)
-				destExp := generateCIDRMatcherExpressions(false, testCase.InputPair.Destination)
+				destExp := applyPrefix(testCase.InputPair.Destination.Prefix, false)
 				// Combine all expressions in the correct order
 				// nolint:gocritic
@@ -311,7 +311,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			ruleKey, err := r.AddRouteFiltering(nil, tt.sources, tt.destination, tt.proto, tt.sPort, tt.dPort, tt.action)
+			ruleKey, err := r.AddRouteFiltering(nil, tt.sources, firewall.Network{Prefix: tt.destination}, tt.proto, tt.sPort, tt.dPort, tt.action)
 			require.NoError(t, err, "AddRouteFiltering failed")
 			t.Cleanup(func() {
@@ -441,8 +441,8 @@ func TestNftablesCreateIpSet(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			setName := firewall.GenerateSetName(tt.sources)
+			setName := firewall.NewPrefixSet(tt.sources).HashedName()
-			set, err := r.createIpSet(setName, tt.sources)
+			set, err := r.createIpSet(setName, setInput{prefixes: tt.sources})
 			if err != nil {
 				t.Logf("Failed to create IP set: %v", err)
 				printNftSets()
--- a/client/firewall/test/cases_linux.go
+++ b/client/firewall/test/cases_linux.go
@@ -15,8 +15,8 @@ var (
 			Name: "Insert Forwarding IPV4 Rule",
 			InputPair: firewall.RouterPair{
 				ID:          "zxa",
-				Source:      netip.MustParsePrefix("100.100.100.1/32"),
+				Source:      firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.1/32")},
-				Destination: netip.MustParsePrefix("100.100.200.0/24"),
+				Destination: firewall.Network{Prefix: netip.MustParsePrefix("100.100.200.0/24")},
 				Masquerade:  false,
 			},
 		},
@@ -24,8 +24,8 @@ var (
 			Name: "Insert Forwarding And Nat IPV4 Rules",
 			InputPair: firewall.RouterPair{
 				ID:          "zxa",
-				Source:      netip.MustParsePrefix("100.100.100.1/32"),
+				Source:      firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.1/32")},
-				Destination: netip.MustParsePrefix("100.100.200.0/24"),
+				Destination: firewall.Network{Prefix: netip.MustParsePrefix("100.100.200.0/24")},
 				Masquerade:  true,
 			},
 		},
@@ -40,8 +40,8 @@ var (
 			Name: "Remove Forwarding And Nat IPV4 Rules",
 			InputPair: firewall.RouterPair{
 				ID:          "zxa",
-				Source:      netip.MustParsePrefix("100.100.100.1/32"),
+				Source:      firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.1/32")},
-				Destination: netip.MustParsePrefix("100.100.200.0/24"),
+				Destination: firewall.Network{Prefix: netip.MustParsePrefix("100.100.200.0/24")},
 				Masquerade:  true,
 			},
 		},
--- a/client/firewall/uspfilter/allow_netbird.go
+++ b/client/firewall/uspfilter/allow_netbird.go
@@ -12,7 +12,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
-// Reset firewall to the default state
+// Close cleans up the firewall manager by removing all rules and closing trackers
 func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
--- a/client/firewall/uspfilter/allow_netbird_windows.go
+++ b/client/firewall/uspfilter/allow_netbird_windows.go
@@ -10,7 +10,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
@@ -22,7 +21,7 @@ const (
 	firewallRuleName        = "Netbird"
 )
-// Reset firewall to the default state
+// Close cleans up the firewall manager by removing all rules and closing trackers
 func (m *Manager) Close(*statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
@@ -32,17 +31,14 @@ func (m *Manager) Close(*statemanager.Manager) error {
 	if m.udpTracker != nil {
 		m.udpTracker.Close()
 		m.udpTracker = conntrack.NewUDPTracker(conntrack.DefaultUDPTimeout, m.logger, m.flowLogger)
 	}
 	if m.icmpTracker != nil {
 		m.icmpTracker.Close()
 		m.icmpTracker = conntrack.NewICMPTracker(conntrack.DefaultICMPTimeout, m.logger, m.flowLogger)
 	}
 	if m.tcpTracker != nil {
 		m.tcpTracker.Close()
 		m.tcpTracker = conntrack.NewTCPTracker(conntrack.DefaultTCPTimeout, m.logger, m.flowLogger)
 	}
 	if fwder := m.forwarder.Load(); fwder != nil {
--- a/client/firewall/uspfilter/forwarder/forwarder.go
+++ b/client/firewall/uspfilter/forwarder/forwarder.go
@@ -4,7 +4,9 @@ import (
 	"context"
 	"fmt"
 	"net"
 	"net/netip"
 	"runtime"
 	"sync"
 	log "github.com/sirupsen/logrus"
 	"gvisor.dev/gvisor/pkg/buffer"
@@ -17,6 +19,7 @@ import (
 	"gvisor.dev/gvisor/pkg/tcpip/transport/udp"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/common"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
 	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 )
@@ -31,6 +34,8 @@ const (
 type Forwarder struct {
 	logger     *nblog.Logger
 	flowLogger nftypes.FlowLogger
 	// ruleIdMap is used to store the rule ID for a given connection
 	ruleIdMap    sync.Map
 	stack        *stack.Stack
 	endpoint     *endpoint
 	udpForwarder *udpForwarder
@@ -167,3 +172,35 @@ func (f *Forwarder) determineDialAddr(addr tcpip.Address) net.IP {
 	}
 	return addr.AsSlice()
 }
 func (f *Forwarder) RegisterRuleID(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, ruleID []byte) {
 	key := buildKey(srcIP, dstIP, srcPort, dstPort)
 	f.ruleIdMap.LoadOrStore(key, ruleID)
 }
 func (f *Forwarder) getRuleID(srcIP, dstIP netip.Addr, srcPort, dstPort uint16) ([]byte, bool) {
 	if value, ok := f.ruleIdMap.Load(buildKey(srcIP, dstIP, srcPort, dstPort)); ok {
 		return value.([]byte), true
 	} else if value, ok := f.ruleIdMap.Load(buildKey(dstIP, srcIP, dstPort, srcPort)); ok {
 		return value.([]byte), true
 	}
 	return nil, false
 }
 func (f *Forwarder) DeleteRuleID(srcIP, dstIP netip.Addr, srcPort, dstPort uint16) {
 	if _, ok := f.ruleIdMap.LoadAndDelete(buildKey(srcIP, dstIP, srcPort, dstPort)); ok {
 		return
 	}
 	f.ruleIdMap.LoadAndDelete(buildKey(dstIP, srcIP, dstPort, srcPort))
 }
 func buildKey(srcIP, dstIP netip.Addr, srcPort, dstPort uint16) conntrack.ConnKey {
 	return conntrack.ConnKey{
 		SrcIP:   srcIP,
 		DstIP:   dstIP,
 		SrcPort: srcPort,
 		DstPort: dstPort,
 	}
 }
--- a/client/firewall/uspfilter/forwarder/icmp.go
+++ b/client/firewall/uspfilter/forwarder/icmp.go
@@ -25,7 +25,7 @@ func (f *Forwarder) handleICMP(id stack.TransportEndpointID, pkt stack.PacketBuf
 	}
 	flowID := uuid.New()
-	f.sendICMPEvent(nftypes.TypeStart, flowID, id, icmpType, icmpCode)
+	f.sendICMPEvent(nftypes.TypeStart, flowID, id, icmpType, icmpCode, 0, 0)
 	ctx, cancel := context.WithTimeout(f.ctx, 5*time.Second)
 	defer cancel()
@@ -34,14 +34,14 @@ func (f *Forwarder) handleICMP(id stack.TransportEndpointID, pkt stack.PacketBuf
 	// TODO: support non-root
 	conn, err := lc.ListenPacket(ctx, "ip4:icmp", "0.0.0.0")
 	if err != nil {
-		f.logger.Error("Failed to create ICMP socket for %v: %v", epID(id), err)
+		f.logger.Error("forwarder: Failed to create ICMP socket for %v: %v", epID(id), err)
 		// This will make netstack reply on behalf of the original destination, that's ok for now
 		return false
 	}
 	defer func() {
 		if err := conn.Close(); err != nil {
-			f.logger.Debug("Failed to close ICMP socket: %v", err)
+			f.logger.Debug("forwarder: Failed to close ICMP socket: %v", err)
 		}
 	}()
@@ -52,36 +52,37 @@ func (f *Forwarder) handleICMP(id stack.TransportEndpointID, pkt stack.PacketBuf
 	payload := fullPacket.AsSlice()
 	if _, err = conn.WriteTo(payload, dst); err != nil {
-		f.logger.Error("Failed to write ICMP packet for %v: %v", epID(id), err)
+		f.logger.Error("forwarder: Failed to write ICMP packet for %v: %v", epID(id), err)
 		return true
 	}
-	f.logger.Trace("Forwarded ICMP packet %v type %v code %v",
+	f.logger.Trace("forwarder: Forwarded ICMP packet %v type %v code %v",
 		epID(id), icmpHdr.Type(), icmpHdr.Code())
 	// For Echo Requests, send and handle response
 	if header.ICMPv4Type(icmpType) == header.ICMPv4Echo {
-		f.handleEchoResponse(icmpHdr, conn, id)
+		rxBytes := pkt.Size()
-		f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode)
+		txBytes := f.handleEchoResponse(icmpHdr, conn, id)
 		f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
 	}
 	// For other ICMP types (Time Exceeded, Destination Unreachable, etc) do nothing
 	return true
 }
-func (f *Forwarder) handleEchoResponse(icmpHdr header.ICMPv4, conn net.PacketConn, id stack.TransportEndpointID) {
+func (f *Forwarder) handleEchoResponse(icmpHdr header.ICMPv4, conn net.PacketConn, id stack.TransportEndpointID) int {
 	if err := conn.SetReadDeadline(time.Now().Add(5 * time.Second)); err != nil {
-		f.logger.Error("Failed to set read deadline for ICMP response: %v", err)
+		f.logger.Error("forwarder: Failed to set read deadline for ICMP response: %v", err)
-		return
+		return 0
 	}
 	response := make([]byte, f.endpoint.mtu)
 	n, _, err := conn.ReadFrom(response)
 	if err != nil {
 		if !isTimeout(err) {
-			f.logger.Error("Failed to read ICMP response: %v", err)
+			f.logger.Error("forwarder: Failed to read ICMP response: %v", err)
 		}
-		return
+		return 0
 	}
 	ipHdr := make([]byte, header.IPv4MinimumSize)
@@ -100,28 +101,54 @@ func (f *Forwarder) handleEchoResponse(icmpHdr header.ICMPv4, conn net.PacketCon
 	fullPacket = append(fullPacket, response[:n]...)
 	if err := f.InjectIncomingPacket(fullPacket); err != nil {
-		f.logger.Error("Failed to inject ICMP response: %v", err)
+		f.logger.Error("forwarder: Failed to inject ICMP response: %v", err)
-		return
+		return 0
 	}
-	f.logger.Trace("Forwarded ICMP echo reply for %v type %v code %v",
+	f.logger.Trace("forwarder: Forwarded ICMP echo reply for %v type %v code %v",
 		epID(id), icmpHdr.Type(), icmpHdr.Code())
 	return len(fullPacket)
 }
 // sendICMPEvent stores flow events for ICMP packets
-func (f *Forwarder) sendICMPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, icmpType, icmpCode uint8) {
+func (f *Forwarder) sendICMPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, icmpType, icmpCode uint8, rxBytes, txBytes uint64) {
-	f.flowLogger.StoreEvent(nftypes.EventFields{
+	var rxPackets, txPackets uint64
 	if rxBytes > 0 {
 		rxPackets = 1
 	}
 	if txBytes > 0 {
 		txPackets = 1
 	}
 	srcIp := netip.AddrFrom4(id.RemoteAddress.As4())
 	dstIp := netip.AddrFrom4(id.LocalAddress.As4())
 	fields := nftypes.EventFields{
 		FlowID:    flowID,
 		Type:      typ,
 		Direction: nftypes.Ingress,
 		Protocol:  nftypes.ICMP,
 		// TODO: handle ipv6
-		SourceIP: netip.AddrFrom4(id.RemoteAddress.As4()),
+		SourceIP: srcIp,
-		DestIP:   netip.AddrFrom4(id.LocalAddress.As4()),
+		DestIP:   dstIp,
 		ICMPType: icmpType,
 		ICMPCode: icmpCode,
-		// TODO: get packets/bytes
+		RxBytes:   rxBytes,
-	})
+		TxBytes:   txBytes,
 		RxPackets: rxPackets,
 		TxPackets: txPackets,
 	}
 	if typ == nftypes.TypeStart {
 		if ruleId, ok := f.getRuleID(srcIp, dstIp, id.RemotePort, id.LocalPort); ok {
 			fields.RuleID = ruleId
 		}
 	} else {
 		f.DeleteRuleID(srcIp, dstIp, id.RemotePort, id.LocalPort)
 	}
 	f.flowLogger.StoreEvent(fields)
 }
--- a/client/firewall/uspfilter/forwarder/tcp.go
+++ b/client/firewall/uspfilter/forwarder/tcp.go
@@ -6,8 +6,10 @@ import (
 	"io"
 	"net"
 	"net/netip"
 	"sync"
 	"github.com/google/uuid"
 	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/tcpip/adapters/gonet"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
@@ -23,11 +25,11 @@ func (f *Forwarder) handleTCP(r *tcp.ForwarderRequest) {
 	flowID := uuid.New()
-	f.sendTCPEvent(nftypes.TypeStart, flowID, id, nil)
+	f.sendTCPEvent(nftypes.TypeStart, flowID, id, 0, 0, 0, 0)
 	var success bool
 	defer func() {
 		if !success {
-			f.sendTCPEvent(nftypes.TypeEnd, flowID, id, nil)
+			f.sendTCPEvent(nftypes.TypeEnd, flowID, id, 0, 0, 0, 0)
 		}
 	}()
@@ -65,67 +67,97 @@ func (f *Forwarder) handleTCP(r *tcp.ForwarderRequest) {
 }
 func (f *Forwarder) proxyTCP(id stack.TransportEndpointID, inConn *gonet.TCPConn, outConn net.Conn, ep tcpip.Endpoint, flowID uuid.UUID) {
 	defer func() {
 		if err := inConn.Close(); err != nil {
 			f.logger.Debug("forwarder: inConn close error: %v", err)
 		}
 		if err := outConn.Close(); err != nil {
 			f.logger.Debug("forwarder: outConn close error: %v", err)
 		}
 		ep.Close()
 		f.sendTCPEvent(nftypes.TypeEnd, flowID, id, ep)
 	}()
 	// Create context for managing the proxy goroutines
 	ctx, cancel := context.WithCancel(f.ctx)
 	defer cancel()
-	errChan := make(chan error, 2)
+	go func() {
 		<-ctx.Done()
 		// Close connections and endpoint.
 		if err := inConn.Close(); err != nil && !isClosedError(err) {
 			f.logger.Debug("forwarder: inConn close error: %v", err)
 		}
 		if err := outConn.Close(); err != nil && !isClosedError(err) {
 			f.logger.Debug("forwarder: outConn close error: %v", err)
 		}
 		ep.Close()
 	}()
 	var wg sync.WaitGroup
 	wg.Add(2)
 	var (
 		bytesFromInToOut int64 // bytes from client to server (tx for client)
 		bytesFromOutToIn int64 // bytes from server to client (rx for client)
 		errInToOut       error
 		errOutToIn       error
 	)
 	go func() {
-		_, err := io.Copy(outConn, inConn)
+		bytesFromInToOut, errInToOut = io.Copy(outConn, inConn)
-		errChan <- err
+		cancel()
 		wg.Done()
 	}()
 	go func() {
-		_, err := io.Copy(inConn, outConn)
+
-		errChan <- err
+		bytesFromOutToIn, errOutToIn = io.Copy(inConn, outConn)
 		cancel()
 		wg.Done()
 	}()
-	select {
+	wg.Wait()
-	case <-ctx.Done():
+
-		f.logger.Trace("forwarder: tearing down TCP connection %v due to context done", epID(id))
+	if errInToOut != nil {
-		return
+		if !isClosedError(errInToOut) {
-	case err := <-errChan:
+			f.logger.Error("proxyTCP: copy error (in -> out): %v", errInToOut)
 		if err != nil && !isClosedError(err) {
 			f.logger.Error("proxyTCP: copy error: %v", err)
 		}
 		f.logger.Trace("forwarder: tearing down TCP connection %v", epID(id))
 		return
 	}
 	if errOutToIn != nil {
 		if !isClosedError(errOutToIn) {
 			f.logger.Error("proxyTCP: copy error (out -> in): %v", errOutToIn)
 		}
 	}
 	var rxPackets, txPackets uint64
 	if tcpStats, ok := ep.Stats().(*tcp.Stats); ok {
 		// fields are flipped since this is the in conn
 		rxPackets = tcpStats.SegmentsSent.Value()
 		txPackets = tcpStats.SegmentsReceived.Value()
 	}
 	f.logger.Trace("forwarder: Removed TCP connection %s [in: %d Pkts/%d B, out: %d Pkts/%d B]", epID(id), rxPackets, bytesFromOutToIn, txPackets, bytesFromInToOut)
 	f.sendTCPEvent(nftypes.TypeEnd, flowID, id, uint64(bytesFromOutToIn), uint64(bytesFromInToOut), rxPackets, txPackets)
 }
-func (f *Forwarder) sendTCPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, ep tcpip.Endpoint) {
+func (f *Forwarder) sendTCPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, rxBytes, txBytes, rxPackets, txPackets uint64) {
 	srcIp := netip.AddrFrom4(id.RemoteAddress.As4())
 	dstIp := netip.AddrFrom4(id.LocalAddress.As4())
 	fields := nftypes.EventFields{
 		FlowID:    flowID,
 		Type:      typ,
 		Direction: nftypes.Ingress,
 		Protocol:  nftypes.TCP,
 		// TODO: handle ipv6
-		SourceIP:   netip.AddrFrom4(id.RemoteAddress.As4()),
+		SourceIP:   srcIp,
-		DestIP:     netip.AddrFrom4(id.LocalAddress.As4()),
+		DestIP:     dstIp,
 		SourcePort: id.RemotePort,
 		DestPort:   id.LocalPort,
 		RxBytes:    rxBytes,
 		TxBytes:    txBytes,
 		RxPackets:  rxPackets,
 		TxPackets:  txPackets,
 	}
-	if ep != nil {
+	if typ == nftypes.TypeStart {
-		if tcpStats, ok := ep.Stats().(*tcp.Stats); ok {
+		if ruleId, ok := f.getRuleID(srcIp, dstIp, id.RemotePort, id.LocalPort); ok {
-			// fields are flipped since this is the in conn
+			fields.RuleID = ruleId
 			// TODO: get bytes
 			fields.RxPackets = tcpStats.SegmentsSent.Value()
 			fields.TxPackets = tcpStats.SegmentsReceived.Value()
 		}
 	} else {
 		f.DeleteRuleID(srcIp, dstIp, id.RemotePort, id.LocalPort)
 	}
 	f.flowLogger.StoreEvent(fields)
--- a/client/firewall/uspfilter/forwarder/udp.go
+++ b/client/firewall/uspfilter/forwarder/udp.go
@@ -149,11 +149,11 @@ func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) {
 	flowID := uuid.New()
-	f.sendUDPEvent(nftypes.TypeStart, flowID, id, nil)
+	f.sendUDPEvent(nftypes.TypeStart, flowID, id, 0, 0, 0, 0)
 	var success bool
 	defer func() {
 		if !success {
-			f.sendUDPEvent(nftypes.TypeEnd, flowID, id, nil)
+			f.sendUDPEvent(nftypes.TypeEnd, flowID, id, 0, 0, 0, 0)
 		}
 	}()
@@ -199,7 +199,6 @@ func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) {
 		if err := outConn.Close(); err != nil {
 			f.logger.Debug("forwarder: UDP outConn close error for %v: %v", epID(id), err)
 		}
 		return
 	}
 	f.udpForwarder.conns[id] = pConn
@@ -212,68 +211,94 @@ func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) {
 }
 func (f *Forwarder) proxyUDP(ctx context.Context, pConn *udpPacketConn, id stack.TransportEndpointID, ep tcpip.Endpoint) {
-	defer func() {
+
 	ctx, cancel := context.WithCancel(f.ctx)
 	defer cancel()
 	go func() {
 		<-ctx.Done()
 		pConn.cancel()
-		if err := pConn.conn.Close(); err != nil {
+		if err := pConn.conn.Close(); err != nil && !isClosedError(err) {
 			f.logger.Debug("forwarder: UDP inConn close error for %v: %v", epID(id), err)
 		}
-		if err := pConn.outConn.Close(); err != nil {
+		if err := pConn.outConn.Close(); err != nil && !isClosedError(err) {
 			f.logger.Debug("forwarder: UDP outConn close error for %v: %v", epID(id), err)
 		}
 		ep.Close()
 	}()
 	var wg sync.WaitGroup
 	wg.Add(2)
 	var txBytes, rxBytes int64
 	var outboundErr, inboundErr error
 	// outbound->inbound: copy from pConn.conn to pConn.outConn
 	go func() {
 		defer wg.Done()
 		txBytes, outboundErr = pConn.copy(ctx, pConn.conn, pConn.outConn, &f.udpForwarder.bufPool, "outbound->inbound")
 	}()
 	// inbound->outbound: copy from pConn.outConn to pConn.conn
 	go func() {
 		defer wg.Done()
 		rxBytes, inboundErr = pConn.copy(ctx, pConn.outConn, pConn.conn, &f.udpForwarder.bufPool, "inbound->outbound")
 	}()
 	wg.Wait()
 	if outboundErr != nil && !isClosedError(outboundErr) {
 		f.logger.Error("proxyUDP: copy error (outbound->inbound): %v", outboundErr)
 	}
 	if inboundErr != nil && !isClosedError(inboundErr) {
 		f.logger.Error("proxyUDP: copy error (inbound->outbound): %v", inboundErr)
 	}
 	var rxPackets, txPackets uint64
 	if udpStats, ok := ep.Stats().(*tcpip.TransportEndpointStats); ok {
 		// fields are flipped since this is the in conn
 		rxPackets = udpStats.PacketsSent.Value()
 		txPackets = udpStats.PacketsReceived.Value()
 	}
 	f.logger.Trace("forwarder: Removed UDP connection %s [in: %d Pkts/%d B, out: %d Pkts/%d B]", epID(id), rxPackets, rxBytes, txPackets, txBytes)
 	f.udpForwarder.Lock()
 	delete(f.udpForwarder.conns, id)
 	f.udpForwarder.Unlock()
-		f.sendUDPEvent(nftypes.TypeEnd, pConn.flowID, id, ep)
+	f.sendUDPEvent(nftypes.TypeEnd, pConn.flowID, id, uint64(rxBytes), uint64(txBytes), rxPackets, txPackets)
 	}()
 	errChan := make(chan error, 2)
 	go func() {
 		errChan <- pConn.copy(ctx, pConn.conn, pConn.outConn, &f.udpForwarder.bufPool, "outbound->inbound")
 	}()
 	go func() {
 		errChan <- pConn.copy(ctx, pConn.outConn, pConn.conn, &f.udpForwarder.bufPool, "inbound->outbound")
 	}()
 	select {
 	case <-ctx.Done():
 		f.logger.Trace("forwarder: tearing down UDP connection %v due to context done", epID(id))
 		return
 	case err := <-errChan:
 		if err != nil && !isClosedError(err) {
 			f.logger.Error("proxyUDP: copy error: %v", err)
 		}
 		f.logger.Trace("forwarder: tearing down UDP connection %v", epID(id))
 		return
 	}
 }
 // sendUDPEvent stores flow events for UDP connections
-func (f *Forwarder) sendUDPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, ep tcpip.Endpoint) {
+func (f *Forwarder) sendUDPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, rxBytes, txBytes, rxPackets, txPackets uint64) {
 	srcIp := netip.AddrFrom4(id.RemoteAddress.As4())
 	dstIp := netip.AddrFrom4(id.LocalAddress.As4())
 	fields := nftypes.EventFields{
 		FlowID:    flowID,
 		Type:      typ,
 		Direction: nftypes.Ingress,
 		Protocol:  nftypes.UDP,
 		// TODO: handle ipv6
-		SourceIP:   netip.AddrFrom4(id.RemoteAddress.As4()),
+		SourceIP:   srcIp,
-		DestIP:     netip.AddrFrom4(id.LocalAddress.As4()),
+		DestIP:     dstIp,
 		SourcePort: id.RemotePort,
 		DestPort:   id.LocalPort,
 		RxBytes:    rxBytes,
 		TxBytes:    txBytes,
 		RxPackets:  rxPackets,
 		TxPackets:  txPackets,
 	}
-	if ep != nil {
+	if typ == nftypes.TypeStart {
-		if tcpStats, ok := ep.Stats().(*tcpip.TransportEndpointStats); ok {
+		if ruleId, ok := f.getRuleID(srcIp, dstIp, id.RemotePort, id.LocalPort); ok {
-			// fields are flipped since this is the in conn
+			fields.RuleID = ruleId
 			// TODO: get bytes
 			fields.RxPackets = tcpStats.PacketsSent.Value()
 			fields.TxPackets = tcpStats.PacketsReceived.Value()
 		}
 	} else {
 		f.DeleteRuleID(srcIp, dstIp, id.RemotePort, id.LocalPort)
 	}
 	f.flowLogger.StoreEvent(fields)
@@ -288,18 +313,20 @@ func (c *udpPacketConn) getIdleDuration() time.Duration {
 	return time.Since(lastSeen)
 }
-func (c *udpPacketConn) copy(ctx context.Context, dst net.Conn, src net.Conn, bufPool *sync.Pool, direction string) error {
+// copy reads from src and writes to dst.
 func (c *udpPacketConn) copy(ctx context.Context, dst net.Conn, src net.Conn, bufPool *sync.Pool, direction string) (int64, error) {
 	bufp := bufPool.Get().(*[]byte)
 	defer bufPool.Put(bufp)
 	buffer := *bufp
 	var totalBytes int64 = 0
 	for {
 		if ctx.Err() != nil {
-			return ctx.Err()
+			return totalBytes, ctx.Err()
 		}
 		if err := src.SetDeadline(time.Now().Add(udpTimeout)); err != nil {
-			return fmt.Errorf("set read deadline: %w", err)
+			return totalBytes, fmt.Errorf("set read deadline: %w", err)
 		}
 		n, err := src.Read(buffer)
@@ -307,14 +334,15 @@ func (c *udpPacketConn) copy(ctx context.Context, dst net.Conn, src net.Conn, bu
 			if isTimeout(err) {
 				continue
 			}
-			return fmt.Errorf("read from %s: %w", direction, err)
+			return totalBytes, fmt.Errorf("read from %s: %w", direction, err)
 		}
-		_, err = dst.Write(buffer[:n])
+		nWritten, err := dst.Write(buffer[:n])
 		if err != nil {
-			return fmt.Errorf("write to %s: %w", direction, err)
+			return totalBytes, fmt.Errorf("write to %s: %w", direction, err)
 		}
 		totalBytes += int64(nWritten)
 		c.updateLastSeen()
 	}
 }
--- a/client/firewall/uspfilter/rule.go
+++ b/client/firewall/uspfilter/rule.go
@@ -32,7 +32,8 @@ type RouteRule struct {
 	id           string
 	mgmtId       []byte
 	sources      []netip.Prefix
-	destination netip.Prefix
+	dstSet       firewall.Set
 	destinations []netip.Prefix
 	proto        firewall.Protocol
 	srcPort      *firewall.Port
 	dstPort      *firewall.Port
--- a/client/firewall/uspfilter/tracer_test.go
+++ b/client/firewall/uspfilter/tracer_test.go
@@ -198,12 +198,12 @@ func TestTracePacket(t *testing.T) {
 				m.forwarder.Store(&forwarder.Forwarder{})
 				src := netip.PrefixFrom(netip.AddrFrom4([4]byte{1, 1, 1, 1}), 32)
-				dst := netip.PrefixFrom(netip.AddrFrom4([4]byte{172, 17, 0, 2}), 32)
+				dst := netip.PrefixFrom(netip.AddrFrom4([4]byte{192, 168, 17, 2}), 32)
-				_, err := m.AddRouteFiltering(nil, []netip.Prefix{src}, dst, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept)
+				_, err := m.AddRouteFiltering(nil, []netip.Prefix{src}, fw.Network{Prefix: dst}, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept)
 				require.NoError(t, err)
 			},
 			packetBuilder: func() *PacketBuilder {
-				return createPacketBuilder("1.1.1.1", "172.17.0.2", "tcp", 12345, 80, fw.RuleDirectionIN)
+				return createPacketBuilder("1.1.1.1", "192.168.17.2", "tcp", 12345, 80, fw.RuleDirectionIN)
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
@@ -222,12 +222,12 @@ func TestTracePacket(t *testing.T) {
 				m.nativeRouter.Store(false)
 				src := netip.PrefixFrom(netip.AddrFrom4([4]byte{1, 1, 1, 1}), 32)
-				dst := netip.PrefixFrom(netip.AddrFrom4([4]byte{172, 17, 0, 2}), 32)
+				dst := netip.PrefixFrom(netip.AddrFrom4([4]byte{192, 168, 17, 2}), 32)
-				_, err := m.AddRouteFiltering(nil, []netip.Prefix{src}, dst, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionDrop)
+				_, err := m.AddRouteFiltering(nil, []netip.Prefix{src}, fw.Network{Prefix: dst}, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionDrop)
 				require.NoError(t, err)
 			},
 			packetBuilder: func() *PacketBuilder {
-				return createPacketBuilder("1.1.1.1", "172.17.0.2", "tcp", 12345, 80, fw.RuleDirectionIN)
+				return createPacketBuilder("1.1.1.1", "192.168.17.2", "tcp", 12345, 80, fw.RuleDirectionIN)
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
@@ -245,7 +245,7 @@ func TestTracePacket(t *testing.T) {
 				m.nativeRouter.Store(true)
 			},
 			packetBuilder: func() *PacketBuilder {
-				return createPacketBuilder("1.1.1.1", "172.17.0.2", "tcp", 12345, 80, fw.RuleDirectionIN)
+				return createPacketBuilder("1.1.1.1", "192.168.17.2", "tcp", 12345, 80, fw.RuleDirectionIN)
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
@@ -263,7 +263,7 @@ func TestTracePacket(t *testing.T) {
 				m.routingEnabled.Store(false)
 			},
 			packetBuilder: func() *PacketBuilder {
-				return createPacketBuilder("1.1.1.1", "172.17.0.2", "tcp", 12345, 80, fw.RuleDirectionIN)
+				return createPacketBuilder("1.1.1.1", "192.168.17.2", "tcp", 12345, 80, fw.RuleDirectionIN)
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
@@ -425,8 +425,8 @@ func TestTracePacket(t *testing.T) {
 			require.True(t, m.localipmanager.IsLocalIP(netip.MustParseAddr("100.10.0.100")),
 				"100.10.0.100 should be recognized as a local IP")
-			require.False(t, m.localipmanager.IsLocalIP(netip.MustParseAddr("172.17.0.2")),
+			require.False(t, m.localipmanager.IsLocalIP(netip.MustParseAddr("192.168.17.2")),
-				"172.17.0.2 should not be recognized as a local IP")
+				"192.168.17.2 should not be recognized as a local IP")
 			pb := tc.packetBuilder()
--- a/client/firewall/uspfilter/uspfilter.go
+++ b/client/firewall/uspfilter/uspfilter.go
@@ -49,10 +49,10 @@ var errNatNotSupported = errors.New("nat not supported with userspace firewall")
 // RuleSet is a set of rules grouped by a string key
 type RuleSet map[string]PeerRule
-type RouteRules []RouteRule
+type RouteRules []*RouteRule
 func (r RouteRules) Sort() {
-	slices.SortStableFunc(r, func(a, b RouteRule) int {
+	slices.SortStableFunc(r, func(a, b *RouteRule) int {
 		// Deny rules come first
 		if a.action == firewall.ActionDrop && b.action != firewall.ActionDrop {
 			return -1
@@ -99,6 +99,8 @@ type Manager struct {
 	forwarder   atomic.Pointer[forwarder.Forwarder]
 	logger      *nblog.Logger
 	flowLogger  nftypes.FlowLogger
 	blockRule firewall.Rule
 }
 // decoder for packages
@@ -201,41 +203,35 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		}
 	}
 	if err := m.blockInvalidRouted(iface); err != nil {
 		log.Errorf("failed to block invalid routed traffic: %v", err)
 	}
 	if err := iface.SetFilter(m); err != nil {
 		return nil, fmt.Errorf("set filter: %w", err)
 	}
 	return m, nil
 }
-func (m *Manager) blockInvalidRouted(iface common.IFaceMapper) error {
+func (m *Manager) blockInvalidRouted(iface common.IFaceMapper) (firewall.Rule, error) {
 	if m.forwarder.Load() == nil {
 		return nil
 	}
 	wgPrefix, err := netip.ParsePrefix(iface.Address().Network.String())
 	if err != nil {
-		return fmt.Errorf("parse wireguard network: %w", err)
+		return nil, fmt.Errorf("parse wireguard network: %w", err)
 	}
 	log.Debugf("blocking invalid routed traffic for %s", wgPrefix)
-	if _, err := m.AddRouteFiltering(
+	rule, err := m.addRouteFiltering(
 		nil,
 		[]netip.Prefix{netip.PrefixFrom(netip.IPv4Unspecified(), 0)},
-		wgPrefix,
+		firewall.Network{Prefix: wgPrefix},
 		firewall.ProtocolALL,
 		nil,
 		nil,
 		firewall.ActionDrop,
-	); err != nil {
+	)
-		return fmt.Errorf("block wg nte : %w", err)
+	if err != nil {
 		return nil, fmt.Errorf("block wg nte : %w", err)
 	}
 	// TODO: Block networks that we're a client of
-	return nil
+	return rule, nil
 }
 func (m *Manager) determineRouting() error {
@@ -413,10 +409,23 @@ func (m *Manager) AddPeerFiltering(
 func (m *Manager) AddRouteFiltering(
 	id []byte,
 	sources []netip.Prefix,
-	destination netip.Prefix,
+	destination firewall.Network,
 	proto firewall.Protocol,
-	sPort *firewall.Port,
+	sPort, dPort *firewall.Port,
-	dPort *firewall.Port,
+	action firewall.Action,
 ) (firewall.Rule, error) {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	return m.addRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
 }
 func (m *Manager) addRouteFiltering(
 	id []byte,
 	sources []netip.Prefix,
 	destination firewall.Network,
 	proto firewall.Protocol,
 	sPort, dPort *firewall.Port,
 	action firewall.Action,
 ) (firewall.Rule, error) {
 	if m.nativeRouter.Load() && m.nativeFirewall != nil {
@@ -429,31 +438,36 @@ func (m *Manager) AddRouteFiltering(
 		id:      ruleID,
 		mgmtId:  id,
 		sources: sources,
-		destination: destination,
+		dstSet:  destination.Set,
 		proto:   proto,
 		srcPort: sPort,
 		dstPort: dPort,
 		action:  action,
 	}
 	if destination.IsPrefix() {
 		rule.destinations = []netip.Prefix{destination.Prefix}
 	}
-	m.mutex.Lock()
+	m.routeRules = append(m.routeRules, &rule)
 	m.routeRules = append(m.routeRules, rule)
 	m.routeRules.Sort()
 	m.mutex.Unlock()
 	return &rule, nil
 }
 func (m *Manager) DeleteRouteRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	return m.deleteRouteRule(rule)
 }
 func (m *Manager) deleteRouteRule(rule firewall.Rule) error {
 	if m.nativeRouter.Load() && m.nativeFirewall != nil {
 		return m.nativeFirewall.DeleteRouteRule(rule)
 	}
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	ruleID := rule.ID()
-	idx := slices.IndexFunc(m.routeRules, func(r RouteRule) bool {
+	idx := slices.IndexFunc(m.routeRules, func(r *RouteRule) bool {
 		return r.id == ruleID
 	})
 	if idx < 0 {
@@ -509,6 +523,52 @@ func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
 	return m.nativeFirewall.DeleteDNATRule(rule)
 }
 // UpdateSet updates the rule destinations associated with the given set
 // by merging the existing prefixes with the new ones, then deduplicating.
 func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	if m.nativeRouter.Load() && m.nativeFirewall != nil {
 		return m.nativeFirewall.UpdateSet(set, prefixes)
 	}
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	var matches []*RouteRule
 	for _, rule := range m.routeRules {
 		if rule.dstSet == set {
 			matches = append(matches, rule)
 		}
 	}
 	if len(matches) == 0 {
 		return fmt.Errorf("no route rule found for set: %s", set)
 	}
 	destinations := matches[0].destinations
 	for _, prefix := range prefixes {
 		if prefix.Addr().Is4() {
 			destinations = append(destinations, prefix)
 		}
 	}
 	slices.SortFunc(destinations, func(a, b netip.Prefix) int {
 		cmp := a.Addr().Compare(b.Addr())
 		if cmp != 0 {
 			return cmp
 		}
 		return a.Bits() - b.Bits()
 	})
 	destinations = slices.Compact(destinations)
 	for _, rule := range matches {
 		rule.destinations = destinations
 	}
 	log.Debugf("updated set %s to prefixes %v", set.HashedName(), destinations)
 	return nil
 }
 // DropOutgoing filter outgoing packets
 func (m *Manager) DropOutgoing(packetData []byte, size int) bool {
 	return m.processOutgoingHooks(packetData, size)
@@ -658,7 +718,8 @@ func (m *Manager) dropFilter(packetData []byte, size int) bool {
 	d := m.decoders.Get().(*decoder)
 	defer m.decoders.Put(d)
-	if !m.isValidPacket(d, packetData) {
+	valid, fragment := m.isValidPacket(d, packetData)
 	if !valid {
 		return true
 	}
@@ -668,6 +729,13 @@ func (m *Manager) dropFilter(packetData []byte, size int) bool {
 		return true
 	}
 	// TODO: pass fragments of routed packets to forwarder
 	if fragment {
 		m.logger.Trace("packet is a fragment: src=%v dst=%v id=%v flags=%v",
 			srcIP, dstIP, d.ip4.Id, d.ip4.Flags)
 		return false
 	}
 	// For all inbound traffic, first check if it matches a tracked connection.
 	// This must happen before any other filtering because the packets are statefully tracked.
 	if m.stateful && m.isValidTrackedConnection(d, srcIP, dstIP, size) {
@@ -756,7 +824,8 @@ func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packe
 	proto, pnum := getProtocolFromPacket(d)
 	srcPort, dstPort := getPortsFromPacket(d)
-	if ruleID, pass := m.routeACLsPass(srcIP, dstIP, proto, srcPort, dstPort); !pass {
+	ruleID, pass := m.routeACLsPass(srcIP, dstIP, proto, srcPort, dstPort)
 	if !pass {
 		m.logger.Trace("Dropping routed packet (ACL denied): rule_id=%s proto=%v src=%s:%d dst=%s:%d",
 			ruleID, pnum, srcIP, srcPort, dstIP, dstPort)
@@ -782,8 +851,11 @@ func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packe
 	if fwd == nil {
 		m.logger.Trace("failed to forward routed packet (forwarder not initialized)")
 	} else {
 		fwd.RegisterRuleID(srcIP, dstIP, srcPort, dstPort, ruleID)
 		if err := fwd.InjectIncomingPacket(packetData); err != nil {
 			m.logger.Error("Failed to inject routed packet: %v", err)
 			fwd.DeleteRuleID(srcIP, dstIP, srcPort, dstPort)
 		}
 	}
@@ -815,17 +887,32 @@ func getPortsFromPacket(d *decoder) (srcPort, dstPort uint16) {
 	}
 }
-func (m *Manager) isValidPacket(d *decoder, packetData []byte) bool {
+// isValidPacket checks if the packet is valid.
 // It returns true, false if the packet is valid and not a fragment.
 // It returns true, true if the packet is a fragment and valid.
 func (m *Manager) isValidPacket(d *decoder, packetData []byte) (bool, bool) {
 	if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
 		m.logger.Trace("couldn't decode packet, err: %s", err)
-		return false
+		return false, false
 	}
-	if len(d.decoded) < 2 {
+	l := len(d.decoded)
-		m.logger.Trace("packet doesn't have network and transport layers")
+
-		return false
+	// L3 and L4 are mandatory
 	if l >= 2 {
 		return true, false
 	}
-	return true
+
 	// Fragments are also valid
 	if l == 1 && d.decoded[0] == layers.LayerTypeIPv4 {
 		ip4 := d.ip4
 		if ip4.Flags&layers.IPv4MoreFragments != 0 || ip4.FragOffset != 0 {
 			return true, true
 		}
 	}
 	m.logger.Trace("packet doesn't have network and transport layers")
 	return false, false
 }
 func (m *Manager) isValidTrackedConnection(d *decoder, srcIP, dstIP netip.Addr, size int) bool {
@@ -965,8 +1052,15 @@ func (m *Manager) routeACLsPass(srcIP, dstIP netip.Addr, proto firewall.Protocol
 	return nil, false
 }
-func (m *Manager) ruleMatches(rule RouteRule, srcAddr, dstAddr netip.Addr, proto firewall.Protocol, srcPort, dstPort uint16) bool {
+func (m *Manager) ruleMatches(rule *RouteRule, srcAddr, dstAddr netip.Addr, proto firewall.Protocol, srcPort, dstPort uint16) bool {
-	if !rule.destination.Contains(dstAddr) {
+	destMatched := false
 	for _, dst := range rule.destinations {
 		if dst.Contains(dstAddr) {
 			destMatched = true
 			break
 		}
 	}
 	if !destMatched {
 		return false
 	}
@@ -1068,7 +1162,22 @@ func (m *Manager) EnableRouting() error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
-	return m.determineRouting()
+	if err := m.determineRouting(); err != nil {
 		return fmt.Errorf("determine routing: %w", err)
 	}
 	if m.forwarder.Load() == nil {
 		return nil
 	}
 	rule, err := m.blockInvalidRouted(m.wgIface)
 	if err != nil {
 		return fmt.Errorf("block invalid routed: %w", err)
 	}
 	m.blockRule = rule
 	return nil
 }
 func (m *Manager) DisableRouting() error {
@@ -1093,5 +1202,12 @@ func (m *Manager) DisableRouting() error {
 	log.Debug("forwarder stopped")
 	if m.blockRule != nil {
 		if err := m.deleteRouteRule(m.blockRule); err != nil {
 			return fmt.Errorf("delete block rule: %w", err)
 		}
 		m.blockRule = nil
 	}
 	return nil
 }
--- a/client/firewall/uspfilter/uspfilter_filter_test.go
+++ b/client/firewall/uspfilter/uspfilter_filter_test.go
@@ -15,6 +15,7 @@ import (
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/mocks"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/management/domain"
 )
 func TestPeerACLFiltering(t *testing.T) {
@@ -188,6 +189,281 @@ func TestPeerACLFiltering(t *testing.T) {
 			ruleAction:      fw.ActionAccept,
 			shouldBeBlocked: true,
 		},
 		{
 			name:            "Allow TCP traffic without port specification",
 			srcIP:           "100.10.0.1",
 			dstIP:           "100.10.0.100",
 			proto:           fw.ProtocolTCP,
 			srcPort:         12345,
 			dstPort:         443,
 			ruleIP:          "100.10.0.1",
 			ruleProto:       fw.ProtocolTCP,
 			ruleAction:      fw.ActionAccept,
 			shouldBeBlocked: false,
 		},
 		{
 			name:            "Allow UDP traffic without port specification",
 			srcIP:           "100.10.0.1",
 			dstIP:           "100.10.0.100",
 			proto:           fw.ProtocolUDP,
 			srcPort:         12345,
 			dstPort:         53,
 			ruleIP:          "100.10.0.1",
 			ruleProto:       fw.ProtocolUDP,
 			ruleAction:      fw.ActionAccept,
 			shouldBeBlocked: false,
 		},
 		{
 			name:            "TCP packet doesn't match UDP filter with same port",
 			srcIP:           "100.10.0.1",
 			dstIP:           "100.10.0.100",
 			proto:           fw.ProtocolTCP,
 			srcPort:         12345,
 			dstPort:         443,
 			ruleIP:          "100.10.0.1",
 			ruleProto:       fw.ProtocolUDP,
 			ruleDstPort:     &fw.Port{Values: []uint16{443}},
 			ruleAction:      fw.ActionAccept,
 			shouldBeBlocked: true,
 		},
 		{
 			name:            "UDP packet doesn't match TCP filter with same port",
 			srcIP:           "100.10.0.1",
 			dstIP:           "100.10.0.100",
 			proto:           fw.ProtocolUDP,
 			srcPort:         12345,
 			dstPort:         443,
 			ruleIP:          "100.10.0.1",
 			ruleProto:       fw.ProtocolTCP,
 			ruleDstPort:     &fw.Port{Values: []uint16{443}},
 			ruleAction:      fw.ActionAccept,
 			shouldBeBlocked: true,
 		},
 		{
 			name:            "ICMP packet doesn't match TCP filter",
 			srcIP:           "100.10.0.1",
 			dstIP:           "100.10.0.100",
 			proto:           fw.ProtocolICMP,
 			ruleIP:          "100.10.0.1",
 			ruleProto:       fw.ProtocolTCP,
 			ruleAction:      fw.ActionAccept,
 			shouldBeBlocked: true,
 		},
 		{
 			name:            "ICMP packet doesn't match UDP filter",
 			srcIP:           "100.10.0.1",
 			dstIP:           "100.10.0.100",
 			proto:           fw.ProtocolICMP,
 			ruleIP:          "100.10.0.1",
 			ruleProto:       fw.ProtocolUDP,
 			ruleAction:      fw.ActionAccept,
 			shouldBeBlocked: true,
 		},
 		{
 			name:            "Allow TCP traffic within port range",
 			srcIP:           "100.10.0.1",
 			dstIP:           "100.10.0.100",
 			proto:           fw.ProtocolTCP,
 			srcPort:         12345,
 			dstPort:         8080,
 			ruleIP:          "100.10.0.1",
 			ruleProto:       fw.ProtocolTCP,
 			ruleDstPort:     &fw.Port{IsRange: true, Values: []uint16{8000, 8100}},
 			ruleAction:      fw.ActionAccept,
 			shouldBeBlocked: false,
 		},
 		{
 			name:            "Block TCP traffic outside port range",
 			srcIP:           "100.10.0.1",
 			dstIP:           "100.10.0.100",
 			proto:           fw.ProtocolTCP,
 			srcPort:         12345,
 			dstPort:         7999,
 			ruleIP:          "100.10.0.1",
 			ruleProto:       fw.ProtocolTCP,
 			ruleDstPort:     &fw.Port{IsRange: true, Values: []uint16{8000, 8100}},
 			ruleAction:      fw.ActionAccept,
 			shouldBeBlocked: true,
 		},
 		{
 			name:            "Edge Case - Port at Range Boundary",
 			srcIP:           "100.10.0.1",
 			dstIP:           "100.10.0.100",
 			proto:           fw.ProtocolTCP,
 			srcPort:         12345,
 			dstPort:         8100,
 			ruleIP:          "100.10.0.1",
 			ruleProto:       fw.ProtocolTCP,
 			ruleDstPort:     &fw.Port{IsRange: true, Values: []uint16{8000, 8100}},
 			ruleAction:      fw.ActionAccept,
 			shouldBeBlocked: false,
 		},
 		{
 			name:            "UDP Port Range",
 			srcIP:           "100.10.0.1",
 			dstIP:           "100.10.0.100",
 			proto:           fw.ProtocolUDP,
 			srcPort:         12345,
 			dstPort:         5060,
 			ruleIP:          "100.10.0.1",
 			ruleProto:       fw.ProtocolUDP,
 			ruleDstPort:     &fw.Port{IsRange: true, Values: []uint16{5060, 5070}},
 			ruleAction:      fw.ActionAccept,
 			shouldBeBlocked: false,
 		},
 		{
 			name:            "Allow multiple destination ports",
 			srcIP:           "100.10.0.1",
 			dstIP:           "100.10.0.100",
 			proto:           fw.ProtocolTCP,
 			srcPort:         12345,
 			dstPort:         8080,
 			ruleIP:          "100.10.0.1",
 			ruleProto:       fw.ProtocolTCP,
 			ruleDstPort:     &fw.Port{Values: []uint16{80, 8080, 443}},
 			ruleAction:      fw.ActionAccept,
 			shouldBeBlocked: false,
 		},
 		{
 			name:            "Allow multiple source ports",
 			srcIP:           "100.10.0.1",
 			dstIP:           "100.10.0.100",
 			proto:           fw.ProtocolTCP,
 			srcPort:         12345,
 			dstPort:         80,
 			ruleIP:          "100.10.0.1",
 			ruleProto:       fw.ProtocolTCP,
 			ruleSrcPort:     &fw.Port{Values: []uint16{12345, 12346, 12347}},
 			ruleAction:      fw.ActionAccept,
 			shouldBeBlocked: false,
 		},
 		// New drop test cases
 		{
 			name:            "Drop TCP traffic from WG peer",
 			srcIP:           "100.10.0.1",
 			dstIP:           "100.10.0.100",
 			proto:           fw.ProtocolTCP,
 			srcPort:         12345,
 			dstPort:         443,
 			ruleIP:          "100.10.0.1",
 			ruleProto:       fw.ProtocolTCP,
 			ruleDstPort:     &fw.Port{Values: []uint16{443}},
 			ruleAction:      fw.ActionDrop,
 			shouldBeBlocked: true,
 		},
 		{
 			name:            "Drop UDP traffic from WG peer",
 			srcIP:           "100.10.0.1",
 			dstIP:           "100.10.0.100",
 			proto:           fw.ProtocolUDP,
 			srcPort:         12345,
 			dstPort:         53,
 			ruleIP:          "100.10.0.1",
 			ruleProto:       fw.ProtocolUDP,
 			ruleDstPort:     &fw.Port{Values: []uint16{53}},
 			ruleAction:      fw.ActionDrop,
 			shouldBeBlocked: true,
 		},
 		{
 			name:            "Drop ICMP traffic from WG peer",
 			srcIP:           "100.10.0.1",
 			dstIP:           "100.10.0.100",
 			proto:           fw.ProtocolICMP,
 			ruleIP:          "100.10.0.1",
 			ruleProto:       fw.ProtocolICMP,
 			ruleAction:      fw.ActionDrop,
 			shouldBeBlocked: true,
 		},
 		{
 			name:            "Drop all traffic from WG peer",
 			srcIP:           "100.10.0.1",
 			dstIP:           "100.10.0.100",
 			proto:           fw.ProtocolTCP,
 			srcPort:         12345,
 			dstPort:         443,
 			ruleIP:          "100.10.0.1",
 			ruleProto:       fw.ProtocolALL,
 			ruleAction:      fw.ActionDrop,
 			shouldBeBlocked: true,
 		},
 		{
 			name:            "Drop traffic from multiple source ports",
 			srcIP:           "100.10.0.1",
 			dstIP:           "100.10.0.100",
 			proto:           fw.ProtocolTCP,
 			srcPort:         12345,
 			dstPort:         80,
 			ruleIP:          "100.10.0.1",
 			ruleProto:       fw.ProtocolTCP,
 			ruleSrcPort:     &fw.Port{Values: []uint16{12345, 12346, 12347}},
 			ruleAction:      fw.ActionDrop,
 			shouldBeBlocked: true,
 		},
 		{
 			name:            "Drop multiple destination ports",
 			srcIP:           "100.10.0.1",
 			dstIP:           "100.10.0.100",
 			proto:           fw.ProtocolTCP,
 			srcPort:         12345,
 			dstPort:         8080,
 			ruleIP:          "100.10.0.1",
 			ruleProto:       fw.ProtocolTCP,
 			ruleDstPort:     &fw.Port{Values: []uint16{80, 8080, 443}},
 			ruleAction:      fw.ActionDrop,
 			shouldBeBlocked: true,
 		},
 		{
 			name:            "Drop TCP traffic within port range",
 			srcIP:           "100.10.0.1",
 			dstIP:           "100.10.0.100",
 			proto:           fw.ProtocolTCP,
 			srcPort:         12345,
 			dstPort:         8080,
 			ruleIP:          "100.10.0.1",
 			ruleProto:       fw.ProtocolTCP,
 			ruleDstPort:     &fw.Port{IsRange: true, Values: []uint16{8000, 8100}},
 			ruleAction:      fw.ActionDrop,
 			shouldBeBlocked: true,
 		},
 		{
 			name:            "Accept TCP traffic outside drop port range",
 			srcIP:           "100.10.0.1",
 			dstIP:           "100.10.0.100",
 			proto:           fw.ProtocolTCP,
 			srcPort:         12345,
 			dstPort:         7999,
 			ruleIP:          "100.10.0.1",
 			ruleProto:       fw.ProtocolTCP,
 			ruleDstPort:     &fw.Port{IsRange: true, Values: []uint16{8000, 8100}},
 			ruleAction:      fw.ActionDrop,
 			shouldBeBlocked: false,
 		},
 		{
 			name:            "Drop TCP traffic with source port range",
 			srcIP:           "100.10.0.1",
 			dstIP:           "100.10.0.100",
 			proto:           fw.ProtocolTCP,
 			srcPort:         32100,
 			dstPort:         80,
 			ruleIP:          "100.10.0.1",
 			ruleProto:       fw.ProtocolTCP,
 			ruleSrcPort:     &fw.Port{IsRange: true, Values: []uint16{32000, 33000}},
 			ruleAction:      fw.ActionDrop,
 			shouldBeBlocked: true,
 		},
 		{
 			name:            "Mixed rule - drop specific port but allow other ports",
 			srcIP:           "100.10.0.1",
 			dstIP:           "100.10.0.100",
 			proto:           fw.ProtocolTCP,
 			srcPort:         12345,
 			dstPort:         443,
 			ruleIP:          "100.10.0.1",
 			ruleProto:       fw.ProtocolTCP,
 			ruleDstPort:     &fw.Port{Values: []uint16{443}},
 			ruleAction:      fw.ActionDrop,
 			shouldBeBlocked: true,
 		},
 	}
 	t.Run("Implicit DROP (no rules)", func(t *testing.T) {
@@ -198,6 +474,28 @@ func TestPeerACLFiltering(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			if tc.ruleAction == fw.ActionDrop {
 				// add general accept rule to test drop rule
 				// TODO: this only works because 0.0.0.0 is tested last, we need to implement order
 				rules, err := manager.AddPeerFiltering(
 					nil,
 					net.ParseIP("0.0.0.0"),
 					fw.ProtocolALL,
 					nil,
 					nil,
 					fw.ActionAccept,
 					"",
 				)
 				require.NoError(t, err)
 				require.NotEmpty(t, rules)
 				t.Cleanup(func() {
 					for _, rule := range rules {
 						require.NoError(t, manager.DeletePeerRule(rule))
 					}
 				})
 			}
 			rules, err := manager.AddPeerFiltering(
 				nil,
 				net.ParseIP(tc.ruleIP),
@@ -303,8 +601,8 @@ func setupRoutedManager(tb testing.TB, network string) *Manager {
 	}
 	manager, err := Create(ifaceMock, false, flowLogger)
 	require.NoError(tb, manager.EnableRouting())
 	require.NoError(tb, err)
 	require.NoError(tb, manager.EnableRouting())
 	require.NotNil(tb, manager)
 	require.True(tb, manager.routingEnabled.Load())
 	require.False(tb, manager.nativeRouter.Load())
@@ -321,7 +619,7 @@ func TestRouteACLFiltering(t *testing.T) {
 	type rule struct {
 		sources []netip.Prefix
-		dest    netip.Prefix
+		dest    fw.Network
 		proto   fw.Protocol
 		srcPort *fw.Port
 		dstPort *fw.Port
@@ -347,7 +645,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 443,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    netip.MustParsePrefix("192.168.1.0/24"),
+				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{443}},
 				action:  fw.ActionAccept,
@@ -363,7 +661,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 443,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
-				dest:    netip.MustParsePrefix("192.168.1.0/24"),
+				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{443}},
 				action:  fw.ActionAccept,
@@ -379,7 +677,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 443,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
-				dest:    netip.MustParsePrefix("0.0.0.0/0"),
+				dest:    fw.Network{Prefix: netip.MustParsePrefix("0.0.0.0/0")},
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{443}},
 				action:  fw.ActionAccept,
@@ -395,7 +693,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 53,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    netip.MustParsePrefix("192.168.1.0/24"),
+				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolUDP,
 				dstPort: &fw.Port{Values: []uint16{53}},
 				action:  fw.ActionAccept,
@@ -409,7 +707,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			proto: fw.ProtocolICMP,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    netip.MustParsePrefix("0.0.0.0/0"),
+				dest:    fw.Network{Prefix: netip.MustParsePrefix("0.0.0.0/0")},
 				proto:   fw.ProtocolICMP,
 				action:  fw.ActionAccept,
 			},
@@ -424,7 +722,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    netip.MustParsePrefix("192.168.1.0/24"),
+				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolALL,
 				dstPort: &fw.Port{Values: []uint16{80}},
 				action:  fw.ActionAccept,
@@ -440,7 +738,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 8080,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    netip.MustParsePrefix("192.168.1.0/24"),
+				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{80}},
 				action:  fw.ActionAccept,
@@ -456,7 +754,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    netip.MustParsePrefix("192.168.1.0/24"),
+				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{80}},
 				action:  fw.ActionAccept,
@@ -472,7 +770,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    netip.MustParsePrefix("192.168.1.0/24"),
+				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{80}},
 				action:  fw.ActionAccept,
@@ -488,7 +786,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    netip.MustParsePrefix("192.168.1.0/24"),
+				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolTCP,
 				srcPort: &fw.Port{Values: []uint16{12345}},
 				action:  fw.ActionAccept,
@@ -507,7 +805,7 @@ func TestRouteACLFiltering(t *testing.T) {
 					netip.MustParsePrefix("100.10.0.0/16"),
 					netip.MustParsePrefix("172.16.0.0/16"),
 				},
-				dest:    netip.MustParsePrefix("192.168.1.0/24"),
+				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{80}},
 				action:  fw.ActionAccept,
@@ -521,7 +819,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			proto: fw.ProtocolICMP,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    netip.MustParsePrefix("192.168.1.0/24"),
+				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolALL,
 				action:  fw.ActionAccept,
 			},
@@ -536,33 +834,13 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    netip.MustParsePrefix("192.168.1.0/24"),
+				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolALL,
 				dstPort: &fw.Port{Values: []uint16{80}},
 				action:  fw.ActionAccept,
 			},
 			shouldPass: true,
 		},
 		{
 			name:  "Multiple source networks with mismatched protocol",
 			srcIP: "172.16.0.1",
 			dstIP: "192.168.1.100",
 			// Should not match TCP rule
 			proto:   fw.ProtocolUDP,
 			srcPort: 12345,
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{
 					netip.MustParsePrefix("100.10.0.0/16"),
 					netip.MustParsePrefix("172.16.0.0/16"),
 				},
 				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{80}},
 				action:  fw.ActionAccept,
 			},
 			shouldPass: false,
 		},
 		{
 			name:    "Allow multiple destination ports",
 			srcIP:   "100.10.0.1",
@@ -572,7 +850,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 8080,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    netip.MustParsePrefix("192.168.1.0/24"),
+				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{80, 8080, 443}},
 				action:  fw.ActionAccept,
@@ -588,7 +866,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    netip.MustParsePrefix("192.168.1.0/24"),
+				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolTCP,
 				srcPort: &fw.Port{Values: []uint16{12345, 12346, 12347}},
 				action:  fw.ActionAccept,
@@ -604,7 +882,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    netip.MustParsePrefix("192.168.1.0/24"),
+				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolALL,
 				srcPort: &fw.Port{Values: []uint16{12345}},
 				dstPort: &fw.Port{Values: []uint16{80}},
@@ -621,7 +899,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 8080,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    netip.MustParsePrefix("192.168.1.0/24"),
+				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{
 					IsRange: true,
@@ -640,7 +918,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 7999,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    netip.MustParsePrefix("192.168.1.0/24"),
+				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{
 					IsRange: true,
@@ -659,7 +937,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    netip.MustParsePrefix("192.168.1.0/24"),
+				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolTCP,
 				srcPort: &fw.Port{
 					IsRange: true,
@@ -678,7 +956,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 443,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    netip.MustParsePrefix("192.168.1.0/24"),
+				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolTCP,
 				srcPort: &fw.Port{
 					IsRange: true,
@@ -700,7 +978,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 8100,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    netip.MustParsePrefix("192.168.1.0/24"),
+				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{
 					IsRange: true,
@@ -719,7 +997,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 5060,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    netip.MustParsePrefix("192.168.1.0/24"),
+				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolUDP,
 				dstPort: &fw.Port{
 					IsRange: true,
@@ -738,7 +1016,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 8080,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    netip.MustParsePrefix("192.168.1.0/24"),
+				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolALL,
 				dstPort: &fw.Port{
 					IsRange: true,
@@ -757,7 +1035,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 443,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    netip.MustParsePrefix("192.168.1.0/24"),
+				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{443}},
 				action:  fw.ActionDrop,
@@ -773,7 +1051,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    netip.MustParsePrefix("192.168.1.0/24"),
+				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolALL,
 				action:  fw.ActionDrop,
 			},
@@ -791,17 +1069,158 @@ func TestRouteACLFiltering(t *testing.T) {
 					netip.MustParsePrefix("100.10.0.0/16"),
 					netip.MustParsePrefix("172.16.0.0/16"),
 				},
-				dest:    netip.MustParsePrefix("192.168.1.0/24"),
+				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{80}},
 				action:  fw.ActionDrop,
 			},
 			shouldPass: false,
 		},
 		{
 			name:    "Drop empty destination set",
 			srcIP:   "172.16.0.1",
 			dstIP:   "192.168.1.100",
 			proto:   fw.ProtocolTCP,
 			srcPort: 12345,
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{
 					netip.MustParsePrefix("172.16.0.0/16"),
 				},
 				dest:    fw.Network{Set: fw.Set{}},
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{80}},
 				action:  fw.ActionAccept,
 			},
 			shouldPass: false,
 		},
 		{
 			name:    "Accept TCP traffic outside drop port range",
 			srcIP:   "100.10.0.1",
 			dstIP:   "192.168.1.100",
 			proto:   fw.ProtocolTCP,
 			srcPort: 12345,
 			dstPort: 7999,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
 				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{IsRange: true, Values: []uint16{8000, 8100}},
 				action:  fw.ActionDrop,
 			},
 			shouldPass: true,
 		},
 		{
 			name:    "Allow TCP traffic without port specification",
 			srcIP:   "100.10.0.1",
 			dstIP:   "192.168.1.100",
 			proto:   fw.ProtocolTCP,
 			srcPort: 12345,
 			dstPort: 443,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
 				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolTCP,
 				action:  fw.ActionAccept,
 			},
 			shouldPass: true,
 		},
 		{
 			name:    "Allow UDP traffic without port specification",
 			srcIP:   "100.10.0.1",
 			dstIP:   "192.168.1.100",
 			proto:   fw.ProtocolUDP,
 			srcPort: 12345,
 			dstPort: 53,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
 				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolUDP,
 				action:  fw.ActionAccept,
 			},
 			shouldPass: true,
 		},
 		{
 			name:    "TCP packet doesn't match UDP filter with same port",
 			srcIP:   "100.10.0.1",
 			dstIP:   "192.168.1.100",
 			proto:   fw.ProtocolTCP,
 			srcPort: 12345,
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
 				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolUDP,
 				dstPort: &fw.Port{Values: []uint16{80}},
 				action:  fw.ActionAccept,
 			},
 			shouldPass: false,
 		},
 		{
 			name:    "UDP packet doesn't match TCP filter with same port",
 			srcIP:   "100.10.0.1",
 			dstIP:   "192.168.1.100",
 			proto:   fw.ProtocolUDP,
 			srcPort: 12345,
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
 				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{80}},
 				action:  fw.ActionAccept,
 			},
 			shouldPass: false,
 		},
 		{
 			name:  "ICMP packet doesn't match TCP filter",
 			srcIP: "100.10.0.1",
 			dstIP: "192.168.1.100",
 			proto: fw.ProtocolICMP,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
 				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolTCP,
 				action:  fw.ActionAccept,
 			},
 			shouldPass: false,
 		},
 		{
 			name:  "ICMP packet doesn't match UDP filter",
 			srcIP: "100.10.0.1",
 			dstIP: "192.168.1.100",
 			proto: fw.ProtocolICMP,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
 				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 				proto:   fw.ProtocolUDP,
 				action:  fw.ActionAccept,
 			},
 			shouldPass: false,
 		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			if tc.rule.action == fw.ActionDrop {
 				// add general accept rule to test drop rule
 				rule, err := manager.AddRouteFiltering(
 					nil,
 					[]netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
 					fw.Network{Prefix: netip.MustParsePrefix("0.0.0.0/0")},
 					fw.ProtocolALL,
 					nil,
 					nil,
 					fw.ActionAccept,
 				)
 				require.NoError(t, err)
 				require.NotNil(t, rule)
 				t.Cleanup(func() {
 					require.NoError(t, manager.DeleteRouteRule(rule))
 				})
 			}
 			rule, err := manager.AddRouteFiltering(
 				nil,
 				tc.rule.sources,
@@ -836,7 +1255,7 @@ func TestRouteACLOrder(t *testing.T) {
 		name  string
 		rules []struct {
 			sources []netip.Prefix
-			dest    netip.Prefix
+			dest    fw.Network
 			proto   fw.Protocol
 			srcPort *fw.Port
 			dstPort *fw.Port
@@ -857,7 +1276,7 @@ func TestRouteACLOrder(t *testing.T) {
 			name: "Drop rules take precedence over accept",
 			rules: []struct {
 				sources []netip.Prefix
-				dest    netip.Prefix
+				dest    fw.Network
 				proto   fw.Protocol
 				srcPort *fw.Port
 				dstPort *fw.Port
@@ -866,7 +1285,7 @@ func TestRouteACLOrder(t *testing.T) {
 				{
 					// Accept rule added first
 					sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-					dest:    netip.MustParsePrefix("192.168.1.0/24"),
+					dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 					proto:   fw.ProtocolTCP,
 					dstPort: &fw.Port{Values: []uint16{80, 443}},
 					action:  fw.ActionAccept,
@@ -874,7 +1293,7 @@ func TestRouteACLOrder(t *testing.T) {
 				{
 					// Drop rule added second but should be evaluated first
 					sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-					dest:    netip.MustParsePrefix("192.168.1.0/24"),
+					dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 					proto:   fw.ProtocolTCP,
 					dstPort: &fw.Port{Values: []uint16{443}},
 					action:  fw.ActionDrop,
@@ -912,7 +1331,7 @@ func TestRouteACLOrder(t *testing.T) {
 			name: "Multiple drop rules take precedence",
 			rules: []struct {
 				sources []netip.Prefix
-				dest    netip.Prefix
+				dest    fw.Network
 				proto   fw.Protocol
 				srcPort *fw.Port
 				dstPort *fw.Port
@@ -921,14 +1340,14 @@ func TestRouteACLOrder(t *testing.T) {
 				{
 					// Accept all
 					sources: []netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
-					dest:    netip.MustParsePrefix("0.0.0.0/0"),
+					dest:    fw.Network{Prefix: netip.MustParsePrefix("0.0.0.0/0")},
 					proto:   fw.ProtocolALL,
 					action:  fw.ActionAccept,
 				},
 				{
 					// Drop specific port
 					sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-					dest:    netip.MustParsePrefix("192.168.1.0/24"),
+					dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 					proto:   fw.ProtocolTCP,
 					dstPort: &fw.Port{Values: []uint16{443}},
 					action:  fw.ActionDrop,
@@ -936,7 +1355,7 @@ func TestRouteACLOrder(t *testing.T) {
 				{
 					// Drop different port
 					sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-					dest:    netip.MustParsePrefix("192.168.1.0/24"),
+					dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 					proto:   fw.ProtocolTCP,
 					dstPort: &fw.Port{Values: []uint16{80}},
 					action:  fw.ActionDrop,
@@ -1015,3 +1434,53 @@ func TestRouteACLOrder(t *testing.T) {
 		})
 	}
 }
 func TestRouteACLSet(t *testing.T) {
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
 				IP: net.ParseIP("100.10.0.100"),
 				Network: &net.IPNet{
 					IP:   net.ParseIP("100.10.0.0"),
 					Mask: net.CIDRMask(16, 32),
 				},
 			}
 		},
 	}
 	manager, err := Create(ifaceMock, false, flowLogger)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
 	})
 	set := fw.NewDomainSet(domain.List{"example.org"})
 	// Add rule that uses the set (initially empty)
 	rule, err := manager.AddRouteFiltering(
 		nil,
 		[]netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
 		fw.Network{Set: set},
 		fw.ProtocolTCP,
 		nil,
 		nil,
 		fw.ActionAccept,
 	)
 	require.NoError(t, err)
 	require.NotNil(t, rule)
 	srcIP := netip.MustParseAddr("100.10.0.1")
 	dstIP := netip.MustParseAddr("192.168.1.100")
 	// Check that traffic is dropped (empty set shouldn't match anything)
 	_, isAllowed := manager.routeACLsPass(srcIP, dstIP, fw.ProtocolTCP, 12345, 80)
 	require.False(t, isAllowed, "Empty set should not allow any traffic")
 	err = manager.UpdateSet(set, []netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")})
 	require.NoError(t, err)
 	// Now the packet should be allowed
 	_, isAllowed = manager.routeACLsPass(srcIP, dstIP, fw.ProtocolTCP, 12345, 80)
 	require.True(t, isAllowed, "After set update, traffic to the added network should be allowed")
 }
--- a/client/firewall/uspfilter/uspfilter_test.go
+++ b/client/firewall/uspfilter/uspfilter_test.go
@@ -20,6 +20,7 @@ import (
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/netflow"
 	"github.com/netbirdio/netbird/management/domain"
 )
 var logger = log.NewFromLogrus(logrus.StandardLogger())
@@ -711,3 +712,203 @@ func TestStatefulFirewall_UDPTracking(t *testing.T) {
 		})
 	}
 }
 func TestUpdateSetMerge(t *testing.T) {
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
 	manager, err := Create(ifaceMock, false, flowLogger)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
 	})
 	set := fw.NewDomainSet(domain.List{"example.org"})
 	initialPrefixes := []netip.Prefix{
 		netip.MustParsePrefix("10.0.0.0/24"),
 		netip.MustParsePrefix("192.168.1.0/24"),
 	}
 	rule, err := manager.AddRouteFiltering(
 		nil,
 		[]netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
 		fw.Network{Set: set},
 		fw.ProtocolTCP,
 		nil,
 		nil,
 		fw.ActionAccept,
 	)
 	require.NoError(t, err)
 	require.NotNil(t, rule)
 	// Update the set with initial prefixes
 	err = manager.UpdateSet(set, initialPrefixes)
 	require.NoError(t, err)
 	// Test initial prefixes work
 	srcIP := netip.MustParseAddr("100.10.0.1")
 	dstIP1 := netip.MustParseAddr("10.0.0.100")
 	dstIP2 := netip.MustParseAddr("192.168.1.100")
 	dstIP3 := netip.MustParseAddr("172.16.0.100")
 	_, isAllowed1 := manager.routeACLsPass(srcIP, dstIP1, fw.ProtocolTCP, 12345, 80)
 	_, isAllowed2 := manager.routeACLsPass(srcIP, dstIP2, fw.ProtocolTCP, 12345, 80)
 	_, isAllowed3 := manager.routeACLsPass(srcIP, dstIP3, fw.ProtocolTCP, 12345, 80)
 	require.True(t, isAllowed1, "Traffic to 10.0.0.100 should be allowed")
 	require.True(t, isAllowed2, "Traffic to 192.168.1.100 should be allowed")
 	require.False(t, isAllowed3, "Traffic to 172.16.0.100 should be denied")
 	newPrefixes := []netip.Prefix{
 		netip.MustParsePrefix("172.16.0.0/16"),
 		netip.MustParsePrefix("10.1.0.0/24"),
 	}
 	err = manager.UpdateSet(set, newPrefixes)
 	require.NoError(t, err)
 	// Check that all original prefixes are still included
 	_, isAllowed1 = manager.routeACLsPass(srcIP, dstIP1, fw.ProtocolTCP, 12345, 80)
 	_, isAllowed2 = manager.routeACLsPass(srcIP, dstIP2, fw.ProtocolTCP, 12345, 80)
 	require.True(t, isAllowed1, "Traffic to 10.0.0.100 should still be allowed after update")
 	require.True(t, isAllowed2, "Traffic to 192.168.1.100 should still be allowed after update")
 	// Check that new prefixes are included
 	dstIP4 := netip.MustParseAddr("172.16.1.100")
 	dstIP5 := netip.MustParseAddr("10.1.0.50")
 	_, isAllowed4 := manager.routeACLsPass(srcIP, dstIP4, fw.ProtocolTCP, 12345, 80)
 	_, isAllowed5 := manager.routeACLsPass(srcIP, dstIP5, fw.ProtocolTCP, 12345, 80)
 	require.True(t, isAllowed4, "Traffic to new prefix 172.16.0.0/16 should be allowed")
 	require.True(t, isAllowed5, "Traffic to new prefix 10.1.0.0/24 should be allowed")
 	// Verify the rule has all prefixes
 	manager.mutex.RLock()
 	foundRule := false
 	for _, r := range manager.routeRules {
 		if r.id == rule.ID() {
 			foundRule = true
 			require.Len(t, r.destinations, len(initialPrefixes)+len(newPrefixes),
 				"Rule should have all prefixes merged")
 		}
 	}
 	manager.mutex.RUnlock()
 	require.True(t, foundRule, "Rule should be found")
 }
 func TestUpdateSetDeduplication(t *testing.T) {
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
 	manager, err := Create(ifaceMock, false, flowLogger)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
 	})
 	set := fw.NewDomainSet(domain.List{"example.org"})
 	rule, err := manager.AddRouteFiltering(
 		nil,
 		[]netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
 		fw.Network{Set: set},
 		fw.ProtocolTCP,
 		nil,
 		nil,
 		fw.ActionAccept,
 	)
 	require.NoError(t, err)
 	require.NotNil(t, rule)
 	initialPrefixes := []netip.Prefix{
 		netip.MustParsePrefix("10.0.0.0/24"),
 		netip.MustParsePrefix("10.0.0.0/24"), // Duplicate
 		netip.MustParsePrefix("192.168.1.0/24"),
 		netip.MustParsePrefix("192.168.1.0/24"), // Duplicate
 	}
 	err = manager.UpdateSet(set, initialPrefixes)
 	require.NoError(t, err)
 	// Check the internal state for deduplication
 	manager.mutex.RLock()
 	foundRule := false
 	for _, r := range manager.routeRules {
 		if r.id == rule.ID() {
 			foundRule = true
 			// Should have deduplicated to 2 prefixes
 			require.Len(t, r.destinations, 2, "Duplicate prefixes should be removed")
 			// Check the prefixes are correct
 			expectedPrefixes := []netip.Prefix{
 				netip.MustParsePrefix("10.0.0.0/24"),
 				netip.MustParsePrefix("192.168.1.0/24"),
 			}
 			for i, prefix := range expectedPrefixes {
 				require.True(t, r.destinations[i] == prefix,
 					"Prefix should match expected value")
 			}
 		}
 	}
 	manager.mutex.RUnlock()
 	require.True(t, foundRule, "Rule should be found")
 	// Test with overlapping prefixes of different sizes
 	overlappingPrefixes := []netip.Prefix{
 		netip.MustParsePrefix("10.0.0.0/16"),    // More general
 		netip.MustParsePrefix("10.0.0.0/24"),    // More specific (already exists)
 		netip.MustParsePrefix("192.168.0.0/16"), // More general
 		netip.MustParsePrefix("192.168.1.0/24"), // More specific (already exists)
 	}
 	err = manager.UpdateSet(set, overlappingPrefixes)
 	require.NoError(t, err)
 	// Check that all prefixes are included (no deduplication of overlapping prefixes)
 	manager.mutex.RLock()
 	for _, r := range manager.routeRules {
 		if r.id == rule.ID() {
 			// Should have all 4 prefixes (2 original + 2 new more general ones)
 			require.Len(t, r.destinations, 4,
 				"Overlapping prefixes should not be deduplicated")
 			// Verify they're sorted correctly (more specific prefixes should come first)
 			prefixes := make([]string, 0, len(r.destinations))
 			for _, p := range r.destinations {
 				prefixes = append(prefixes, p.String())
 			}
 			// Check sorted order
 			require.Equal(t, []string{
 				"10.0.0.0/16",
 				"10.0.0.0/24",
 				"192.168.0.0/16",
 				"192.168.1.0/24",
 			}, prefixes, "Prefixes should be sorted")
 		}
 	}
 	manager.mutex.RUnlock()
 	// Test functionality with all prefixes
 	testCases := []struct {
 		dstIP    netip.Addr
 		expected bool
 		desc     string
 	}{
 		{netip.MustParseAddr("10.0.0.100"), true, "IP in both /16 and /24"},
 		{netip.MustParseAddr("10.0.1.100"), true, "IP only in /16"},
 		{netip.MustParseAddr("192.168.1.100"), true, "IP in both /16 and /24"},
 		{netip.MustParseAddr("192.168.2.100"), true, "IP only in /16"},
 		{netip.MustParseAddr("172.16.0.100"), false, "IP not in any prefix"},
 	}
 	srcIP := netip.MustParseAddr("100.10.0.1")
 	for _, tc := range testCases {
 		_, isAllowed := manager.routeACLsPass(srcIP, tc.dstIP, fw.ProtocolTCP, 12345, 80)
 		require.Equal(t, tc.expected, isAllowed, tc.desc)
 	}
 }
--- a/client/iface/bind/udp_mux.go
+++ b/client/iface/bind/udp_mux.go
@@ -458,6 +458,6 @@ func newBufferHolder(size int) *bufferHolder {
 func getLogger() logging.LeveledLogger {
 	fac := logging.NewDefaultLoggerFactory()
-	fac.Writer = log.StandardLogger().Writer()
+	//fac.Writer = log.StandardLogger().Writer()
 	return fac.NewLogger("ice")
 }
--- a/client/internal/acl/id/id.go
+++ b/client/internal/acl/id/id.go
@@ -18,7 +18,7 @@ func (r RuleID) ID() string {
 func GenerateRouteRuleKey(
 	sources []netip.Prefix,
-	destination netip.Prefix,
+	destination manager.Network,
 	proto manager.Protocol,
 	sPort *manager.Port,
 	dPort *manager.Port,
--- a/client/internal/acl/manager.go
+++ b/client/internal/acl/manager.go
@@ -18,6 +18,7 @@ import (
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/acl/id"
 	"github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/management/domain"
 	mgmProto "github.com/netbirdio/netbird/management/proto"
 )
@@ -25,7 +26,7 @@ var ErrSourceRangesEmpty = errors.New("sources range is empty")
 // Manager is a ACL rules manager
 type Manager interface {
-	ApplyFiltering(networkMap *mgmProto.NetworkMap)
+	ApplyFiltering(networkMap *mgmProto.NetworkMap, dnsRouteFeatureFlag bool)
 }
 type protoMatch struct {
@@ -53,7 +54,7 @@ func NewDefaultManager(fm firewall.Manager) *DefaultManager {
 // ApplyFiltering firewall rules to the local firewall manager processed by ACL policy.
 //
 // If allowByDefault is true it appends allow ALL traffic rules to input and output chains.
-func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap) {
+func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap, dnsRouteFeatureFlag bool) {
 	d.mutex.Lock()
 	defer d.mutex.Unlock()
@@ -82,7 +83,7 @@ func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap) {
 		log.Errorf("failed to set legacy management flag: %v", err)
 	}
-	if err := d.applyRouteACLs(networkMap.RoutesFirewallRules); err != nil {
+	if err := d.applyRouteACLs(networkMap.RoutesFirewallRules, dnsRouteFeatureFlag); err != nil {
 		log.Errorf("Failed to apply route ACLs: %v", err)
 	}
@@ -176,16 +177,16 @@ func (d *DefaultManager) applyPeerACLs(networkMap *mgmProto.NetworkMap) {
 	d.peerRulesPairs = newRulePairs
 }
-func (d *DefaultManager) applyRouteACLs(rules []*mgmProto.RouteFirewallRule) error {
+func (d *DefaultManager) applyRouteACLs(rules []*mgmProto.RouteFirewallRule, dynamicResolver bool) error {
 	newRouteRules := make(map[id.RuleID]struct{}, len(rules))
 	var merr *multierror.Error
 	// Apply new rules - firewall manager will return existing rule ID if already present
 	for _, rule := range rules {
-		id, err := d.applyRouteACL(rule)
+		id, err := d.applyRouteACL(rule, dynamicResolver)
 		if err != nil {
 			if errors.Is(err, ErrSourceRangesEmpty) {
-				log.Debugf("skipping empty rule with destination %s: %v", rule.Destination, err)
+				log.Debugf("skipping empty sources rule with destination %s: %v", rule.Destination, err)
 			} else {
 				merr = multierror.Append(merr, fmt.Errorf("add route rule: %w", err))
 			}
@@ -208,7 +209,7 @@ func (d *DefaultManager) applyRouteACLs(rules []*mgmProto.RouteFirewallRule) err
 	return nberrors.FormatErrorOrNil(merr)
 }
-func (d *DefaultManager) applyRouteACL(rule *mgmProto.RouteFirewallRule) (id.RuleID, error) {
+func (d *DefaultManager) applyRouteACL(rule *mgmProto.RouteFirewallRule, dynamicResolver bool) (id.RuleID, error) {
 	if len(rule.SourceRanges) == 0 {
 		return "", ErrSourceRangesEmpty
 	}
@@ -222,15 +223,9 @@ func (d *DefaultManager) applyRouteACL(rule *mgmProto.RouteFirewallRule) (id.Rul
 		sources = append(sources, source)
 	}
-	var destination netip.Prefix
+	destination, err := determineDestination(rule, dynamicResolver, sources)
 	if rule.IsDynamic {
 		destination = getDefault(sources[0])
 	} else {
 		var err error
 		destination, err = netip.ParsePrefix(rule.Destination)
 	if err != nil {
-			return "", fmt.Errorf("parse destination: %w", err)
+		return "", fmt.Errorf("determine destination: %w", err)
 		}
 	}
 	protocol, err := convertToFirewallProtocol(rule.Protocol)
@@ -580,6 +575,33 @@ func convertPortInfo(portInfo *mgmProto.PortInfo) *firewall.Port {
 	return nil
 }
 func determineDestination(rule *mgmProto.RouteFirewallRule, dynamicResolver bool, sources []netip.Prefix) (firewall.Network, error) {
 	var destination firewall.Network
 	if rule.IsDynamic {
 		if dynamicResolver {
 			if len(rule.Domains) > 0 {
 				destination.Set = firewall.NewDomainSet(domain.FromPunycodeList(rule.Domains))
 			} else {
 				// isDynamic is set but no domains = outdated management server
 				log.Warn("connected to an older version of management server (no domains in rules), using default destination")
 				destination.Prefix = getDefault(sources[0])
 			}
 		} else {
 			// client resolves DNS, we (router) don't know the destination
 			destination.Prefix = getDefault(sources[0])
 		}
 		return destination, nil
 	}
 	prefix, err := netip.ParsePrefix(rule.Destination)
 	if err != nil {
 		return destination, fmt.Errorf("parse destination: %w", err)
 	}
 	destination.Prefix = prefix
 	return destination, nil
 }
 func getDefault(prefix netip.Prefix) netip.Prefix {
 	if prefix.Addr().Is6() {
 		return netip.PrefixFrom(netip.IPv6Unspecified(), 0)
--- a/client/internal/acl/manager_test.go
+++ b/client/internal/acl/manager_test.go
@@ -66,7 +66,7 @@ func TestDefaultManager(t *testing.T) {
 	acl := NewDefaultManager(fw)
 	t.Run("apply firewall rules", func(t *testing.T) {
-		acl.ApplyFiltering(networkMap)
+		acl.ApplyFiltering(networkMap, false)
 		if len(acl.peerRulesPairs) != 2 {
 			t.Errorf("firewall rules not applied: %v", acl.peerRulesPairs)
@@ -92,7 +92,7 @@ func TestDefaultManager(t *testing.T) {
 			},
 		)
-		acl.ApplyFiltering(networkMap)
+		acl.ApplyFiltering(networkMap, false)
 		// we should have one old and one new rule in the existed rules
 		if len(acl.peerRulesPairs) != 2 {
@@ -116,13 +116,13 @@ func TestDefaultManager(t *testing.T) {
 		networkMap.FirewallRules = networkMap.FirewallRules[:0]
 		networkMap.FirewallRulesIsEmpty = true
-		if acl.ApplyFiltering(networkMap); len(acl.peerRulesPairs) != 0 {
+		if acl.ApplyFiltering(networkMap, false); len(acl.peerRulesPairs) != 0 {
 			t.Errorf("rules should be empty if FirewallRulesIsEmpty is set, got: %v", len(acl.peerRulesPairs))
 			return
 		}
 		networkMap.FirewallRulesIsEmpty = false
-		acl.ApplyFiltering(networkMap)
+		acl.ApplyFiltering(networkMap, false)
 		if len(acl.peerRulesPairs) != 1 {
 			t.Errorf("rules should contain 1 rules if FirewallRulesIsEmpty is not set, got: %v", len(acl.peerRulesPairs))
 			return
@@ -359,7 +359,7 @@ func TestDefaultManagerEnableSSHRules(t *testing.T) {
 	}(fw)
 	acl := NewDefaultManager(fw)
-	acl.ApplyFiltering(networkMap)
+	acl.ApplyFiltering(networkMap, false)
 	if len(acl.peerRulesPairs) != 3 {
 		t.Errorf("expect 3 rules (last must be SSH), got: %d", len(acl.peerRulesPairs))
--- a/client/internal/auth/pkce_flow.go
+++ b/client/internal/auth/pkce_flow.go
@@ -94,13 +94,17 @@ func (p *PKCEAuthorizationFlow) RequestAuthInfo(ctx context.Context) (AuthFlowIn
 	p.codeVerifier = codeVerifier
 	codeChallenge := createCodeChallenge(codeVerifier)
-	authURL := p.oAuthConfig.AuthCodeURL(
+
-		state,
+	params := []oauth2.AuthCodeOption{
 		oauth2.SetAuthURLParam("code_challenge_method", "S256"),
 		oauth2.SetAuthURLParam("code_challenge", codeChallenge),
 		oauth2.SetAuthURLParam("audience", p.providerConfig.Audience),
-		oauth2.SetAuthURLParam("prompt", "login"),
+	}
-	)
+	if !p.providerConfig.DisablePromptLogin {
 		params = append(params, oauth2.SetAuthURLParam("prompt", "login"))
 	}
 	authURL := p.oAuthConfig.AuthCodeURL(state, params...)
 	return AuthFlowInfo{
 		VerificationURIComplete: authURL,
--- a/client/internal/auth/pkce_flow_test.go
+++ b/client/internal/auth/pkce_flow_test.go
@@ -0,0 +1,49 @@
 package auth
 import (
 	"context"
 	"testing"
 	"github.com/stretchr/testify/require"
 	"github.com/netbirdio/netbird/client/internal"
 )
 func TestPromptLogin(t *testing.T) {
 	tt := []struct {
 		name   string
 		prompt bool
 	}{
 		{"PromptLogin", true},
 		{"NoPromptLogin", false},
 	}
 	for _, tc := range tt {
 		t.Run(tc.name, func(t *testing.T) {
 			config := internal.PKCEAuthProviderConfig{
 				ClientID:              "test-client-id",
 				Audience:              "test-audience",
 				TokenEndpoint:         "https://test-token-endpoint.com/token",
 				Scope:                 "openid email profile",
 				AuthorizationEndpoint: "https://test-auth-endpoint.com/authorize",
 				RedirectURLs:          []string{"http://127.0.0.1:33992/"},
 				UseIDToken:            true,
 				DisablePromptLogin:    !tc.prompt,
 			}
 			pkce, err := NewPKCEAuthorizationFlow(config)
 			if err != nil {
 				t.Fatalf("Failed to create PKCEAuthorizationFlow: %v", err)
 			}
 			authInfo, err := pkce.RequestAuthInfo(context.Background())
 			if err != nil {
 				t.Fatalf("Failed to request auth info: %v", err)
 			}
 			pattern := "prompt=login"
 			if tc.prompt {
 				require.Contains(t, authInfo.VerificationURIComplete, pattern)
 			} else {
 				require.NotContains(t, authInfo.VerificationURIComplete, pattern)
 			}
 		})
 	}
 }
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -349,6 +349,25 @@ func (c *ConnectClient) Engine() *Engine {
 	return e
 }
 // GetLatestNetworkMap returns the latest network map from the engine.
 func (c *ConnectClient) GetLatestNetworkMap() (*mgmProto.NetworkMap, error) {
 	engine := c.Engine()
 	if engine == nil {
 		return nil, errors.New("engine is not initialized")
 	}
 	networkMap, err := engine.GetLatestNetworkMap()
 	if err != nil {
 		return nil, fmt.Errorf("get latest network map: %w", err)
 	}
 	if networkMap == nil {
 		return nil, errors.New("network map is not available")
 	}
 	return networkMap, nil
 }
 // Status returns the current client status
 func (c *ConnectClient) Status() StatusType {
 	if c == nil {
--- a/client/internal/debug/debug.go
+++ b/client/internal/debug/debug.go
--- a/client/internal/debug/debug_linux.go
+++ b/client/internal/debug/debug_linux.go
@@ -1,9 +1,8 @@
 //go:build linux && !android
-package server
+package debug
 import (
 	"archive/zip"
 	"bytes"
 	"encoding/binary"
 	"fmt"
@@ -14,36 +13,31 @@ import (
 	"github.com/google/nftables"
 	"github.com/google/nftables/expr"
 	log "github.com/sirupsen/logrus"
 	"github.com/netbirdio/netbird/client/anonymize"
 	"github.com/netbirdio/netbird/client/proto"
 )
 // addFirewallRules collects and adds firewall rules to the archive
-func (s *Server) addFirewallRules(req *proto.DebugBundleRequest, anonymizer *anonymize.Anonymizer, archive *zip.Writer) error {
+func (g *BundleGenerator) addFirewallRules() error {
 	log.Info("Collecting firewall rules")
 	// Collect and add iptables rules
 	iptablesRules, err := collectIPTablesRules()
 	if err != nil {
 		log.Warnf("Failed to collect iptables rules: %v", err)
 	} else {
-		if req.GetAnonymize() {
+		if g.anonymize {
-			iptablesRules = anonymizer.AnonymizeString(iptablesRules)
+			iptablesRules = g.anonymizer.AnonymizeString(iptablesRules)
 		}
-		if err := addFileToZip(archive, strings.NewReader(iptablesRules), "iptables.txt"); err != nil {
+		if err := g.addFileToZip(strings.NewReader(iptablesRules), "iptables.txt"); err != nil {
 			log.Warnf("Failed to add iptables rules to bundle: %v", err)
 		}
 	}
 	// Collect and add nftables rules
 	nftablesRules, err := collectNFTablesRules()
 	if err != nil {
 		log.Warnf("Failed to collect nftables rules: %v", err)
 	} else {
-		if req.GetAnonymize() {
+		if g.anonymize {
-			nftablesRules = anonymizer.AnonymizeString(nftablesRules)
+			nftablesRules = g.anonymizer.AnonymizeString(nftablesRules)
 		}
-		if err := addFileToZip(archive, strings.NewReader(nftablesRules), "nftables.txt"); err != nil {
+		if err := g.addFileToZip(strings.NewReader(nftablesRules), "nftables.txt"); err != nil {
 			log.Warnf("Failed to add nftables rules to bundle: %v", err)
 		}
 	}
@@ -65,16 +59,23 @@ func collectIPTablesRules() (string, error) {
 		builder.WriteString("\n")
 	}
-	// Then get verbose statistics for each table
+	// Collect ipset information
 	ipsetOutput, err := collectIPSets()
 	if err != nil {
 		log.Warnf("Failed to collect ipset information: %v", err)
 	} else {
 		builder.WriteString("=== ipset list output ===\n")
 		builder.WriteString(ipsetOutput)
 		builder.WriteString("\n")
 	}
 	builder.WriteString("=== iptables -v -n -L output ===\n")
 	// Get list of tables
 	tables := []string{"filter", "nat", "mangle", "raw", "security"}
 	for _, table := range tables {
 		builder.WriteString(fmt.Sprintf("*%s\n", table))
 		// Get verbose statistics for the entire table
 		stats, err := getTableStatistics(table)
 		if err != nil {
 			log.Warnf("Failed to get statistics for table %s: %v", table, err)
@@ -87,6 +88,28 @@ func collectIPTablesRules() (string, error) {
 	return builder.String(), nil
 }
 // collectIPSets collects information about ipsets
 func collectIPSets() (string, error) {
 	cmd := exec.Command("ipset", "list")
 	var stdout, stderr bytes.Buffer
 	cmd.Stdout = &stdout
 	cmd.Stderr = &stderr
 	if err := cmd.Run(); err != nil {
 		if strings.Contains(err.Error(), "executable file not found") {
 			return "", fmt.Errorf("ipset command not found: %w", err)
 		}
 		return "", fmt.Errorf("execute ipset list: %w (stderr: %s)", err, stderr.String())
 	}
 	ipsets := stdout.String()
 	if strings.TrimSpace(ipsets) == "" {
 		return "No ipsets found", nil
 	}
 	return ipsets, nil
 }
 // collectIPTablesSave uses iptables-save to get rule definitions
 func collectIPTablesSave() (string, error) {
 	cmd := exec.Command("iptables-save")
@@ -182,12 +205,10 @@ func formatTables(conn *nftables.Conn, tables []*nftables.Table) string {
 			continue
 		}
 		// Format chains
 		for _, chain := range chains {
 			formatChain(conn, table, chain, &builder)
 		}
 		// Format sets
 		if sets, err := conn.GetSets(table); err != nil {
 			log.Warnf("Failed to get sets for table %s: %v", table.Name, err)
 		} else if len(sets) > 0 {
--- a/client/internal/debug/debug_mobile.go
+++ b/client/internal/debug/debug_mobile.go
@@ -0,0 +1,7 @@
 //go:build ios || android
 package debug
 func (g *BundleGenerator) addRoutes() error {
 	return nil
 }
--- a/client/internal/debug/debug_nonlinux.go
+++ b/client/internal/debug/debug_nonlinux.go
@@ -0,0 +1,8 @@
 //go:build !linux || android
 package debug
 // collectFirewallRules returns nothing on non-linux systems
 func (g *BundleGenerator) addFirewallRules() error {
 	return nil
 }
--- a/client/internal/debug/debug_nonmobile.go
+++ b/client/internal/debug/debug_nonmobile.go
@@ -0,0 +1,25 @@
 //go:build !ios && !android
 package debug
 import (
 	"fmt"
 	"strings"
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 )
 func (g *BundleGenerator) addRoutes() error {
 	routes, err := systemops.GetRoutesFromTable()
 	if err != nil {
 		return fmt.Errorf("get routes: %w", err)
 	}
 	// TODO: get routes including nexthop
 	routesContent := formatRoutes(routes, g.anonymize, g.anonymizer)
 	routesReader := strings.NewReader(routesContent)
 	if err := g.addFileToZip(routesReader, "routes.txt"); err != nil {
 		return fmt.Errorf("add routes file to zip: %w", err)
 	}
 	return nil
 }
--- a/client/internal/debug/debug_test.go
+++ b/client/internal/debug/debug_test.go
@@ -0,0 +1,543 @@
 package debug
 import (
 	"encoding/json"
 	"net"
 	"strings"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/netbirdio/netbird/client/anonymize"
 	mgmProto "github.com/netbirdio/netbird/management/proto"
 )
 func TestAnonymizeStateFile(t *testing.T) {
 	testState := map[string]json.RawMessage{
 		"null_state": json.RawMessage("null"),
 		"test_state": mustMarshal(map[string]any{
 			// Test simple fields
 			"public_ip":      "203.0.113.1",
 			"private_ip":     "192.168.1.1",
 			"protected_ip":   "100.64.0.1",
 			"well_known_ip":  "8.8.8.8",
 			"ipv6_addr":      "2001:db8::1",
 			"private_ipv6":   "fd00::1",
 			"domain":         "test.example.com",
 			"uri":            "stun:stun.example.com:3478",
 			"uri_with_ip":    "turn:203.0.113.1:3478",
 			"netbird_domain": "device.netbird.cloud",
 			// Test CIDR ranges
 			"public_cidr":       "203.0.113.0/24",
 			"private_cidr":      "192.168.0.0/16",
 			"protected_cidr":    "100.64.0.0/10",
 			"ipv6_cidr":         "2001:db8::/32",
 			"private_ipv6_cidr": "fd00::/8",
 			// Test nested structures
 			"nested": map[string]any{
 				"ip":     "203.0.113.2",
 				"domain": "nested.example.com",
 				"more_nest": map[string]any{
 					"ip":     "203.0.113.3",
 					"domain": "deep.example.com",
 				},
 			},
 			// Test arrays
 			"string_array": []any{
 				"203.0.113.4",
 				"test1.example.com",
 				"test2.example.com",
 			},
 			"object_array": []any{
 				map[string]any{
 					"ip":     "203.0.113.5",
 					"domain": "array1.example.com",
 				},
 				map[string]any{
 					"ip":     "203.0.113.6",
 					"domain": "array2.example.com",
 				},
 			},
 			// Test multiple occurrences of same value
 			"duplicate_ip":     "203.0.113.1",      // Same as public_ip
 			"duplicate_domain": "test.example.com", // Same as domain
 			// Test URIs with various schemes
 			"stun_uri":  "stun:stun.example.com:3478",
 			"turns_uri": "turns:turns.example.com:5349",
 			"http_uri":  "http://web.example.com:80",
 			"https_uri": "https://secure.example.com:443",
 			// Test strings that might look like IPs but aren't
 			"not_ip":         "300.300.300.300",
 			"partial_ip":     "192.168",
 			"ip_like_string": "1234.5678",
 			// Test mixed content strings
 			"mixed_content": "Server at 203.0.113.1 (test.example.com) on port 80",
 			// Test empty and special values
 			"empty_string":  "",
 			"null_value":    nil,
 			"numeric_value": 42,
 			"boolean_value": true,
 		}),
 		"route_state": mustMarshal(map[string]any{
 			"routes": []any{
 				map[string]any{
 					"network": "203.0.113.0/24",
 					"gateway": "203.0.113.1",
 					"domains": []any{
 						"route1.example.com",
 						"route2.example.com",
 					},
 				},
 				map[string]any{
 					"network": "2001:db8::/32",
 					"gateway": "2001:db8::1",
 					"domains": []any{
 						"route3.example.com",
 						"route4.example.com",
 					},
 				},
 			},
 			// Test map with IP/CIDR keys
 			"refCountMap": map[string]any{
 				"203.0.113.1/32": map[string]any{
 					"Count": 1,
 					"Out": map[string]any{
 						"IP": "192.168.0.1",
 						"Intf": map[string]any{
 							"Name":  "eth0",
 							"Index": 1,
 						},
 					},
 				},
 				"2001:db8::1/128": map[string]any{
 					"Count": 1,
 					"Out": map[string]any{
 						"IP": "fe80::1",
 						"Intf": map[string]any{
 							"Name":  "eth0",
 							"Index": 1,
 						},
 					},
 				},
 				"10.0.0.1/32": map[string]any{ // private IP should remain unchanged
 					"Count": 1,
 					"Out": map[string]any{
 						"IP": "192.168.0.1",
 					},
 				},
 			},
 		}),
 	}
 	anonymizer := anonymize.NewAnonymizer(anonymize.DefaultAddresses())
 	// Pre-seed the domains we need to verify in the test assertions
 	anonymizer.AnonymizeDomain("test.example.com")
 	anonymizer.AnonymizeDomain("nested.example.com")
 	anonymizer.AnonymizeDomain("deep.example.com")
 	anonymizer.AnonymizeDomain("array1.example.com")
 	err := anonymizeStateFile(&testState, anonymizer)
 	require.NoError(t, err)
 	// Helper function to unmarshal and get nested values
 	var state map[string]any
 	err = json.Unmarshal(testState["test_state"], &state)
 	require.NoError(t, err)
 	// Test null state remains unchanged
 	require.Equal(t, "null", string(testState["null_state"]))
 	// Basic assertions
 	assert.NotEqual(t, "203.0.113.1", state["public_ip"])
 	assert.Equal(t, "192.168.1.1", state["private_ip"])  // Private IP unchanged
 	assert.Equal(t, "100.64.0.1", state["protected_ip"]) // Protected IP unchanged
 	assert.Equal(t, "8.8.8.8", state["well_known_ip"])   // Well-known IP unchanged
 	assert.NotEqual(t, "2001:db8::1", state["ipv6_addr"])
 	assert.Equal(t, "fd00::1", state["private_ipv6"]) // Private IPv6 unchanged
 	assert.NotEqual(t, "test.example.com", state["domain"])
 	assert.True(t, strings.HasSuffix(state["domain"].(string), ".domain"))
 	assert.Equal(t, "device.netbird.cloud", state["netbird_domain"]) // Netbird domain unchanged
 	// CIDR ranges
 	assert.NotEqual(t, "203.0.113.0/24", state["public_cidr"])
 	assert.Contains(t, state["public_cidr"], "/24")           // Prefix preserved
 	assert.Equal(t, "192.168.0.0/16", state["private_cidr"])  // Private CIDR unchanged
 	assert.Equal(t, "100.64.0.0/10", state["protected_cidr"]) // Protected CIDR unchanged
 	assert.NotEqual(t, "2001:db8::/32", state["ipv6_cidr"])
 	assert.Contains(t, state["ipv6_cidr"], "/32") // IPv6 prefix preserved
 	// Nested structures
 	nested := state["nested"].(map[string]any)
 	assert.NotEqual(t, "203.0.113.2", nested["ip"])
 	assert.NotEqual(t, "nested.example.com", nested["domain"])
 	moreNest := nested["more_nest"].(map[string]any)
 	assert.NotEqual(t, "203.0.113.3", moreNest["ip"])
 	assert.NotEqual(t, "deep.example.com", moreNest["domain"])
 	// Arrays
 	strArray := state["string_array"].([]any)
 	assert.NotEqual(t, "203.0.113.4", strArray[0])
 	assert.NotEqual(t, "test1.example.com", strArray[1])
 	assert.True(t, strings.HasSuffix(strArray[1].(string), ".domain"))
 	objArray := state["object_array"].([]any)
 	firstObj := objArray[0].(map[string]any)
 	assert.NotEqual(t, "203.0.113.5", firstObj["ip"])
 	assert.NotEqual(t, "array1.example.com", firstObj["domain"])
 	// Duplicate values should be anonymized consistently
 	assert.Equal(t, state["public_ip"], state["duplicate_ip"])
 	assert.Equal(t, state["domain"], state["duplicate_domain"])
 	// URIs
 	assert.NotContains(t, state["stun_uri"], "stun.example.com")
 	assert.NotContains(t, state["turns_uri"], "turns.example.com")
 	assert.NotContains(t, state["http_uri"], "web.example.com")
 	assert.NotContains(t, state["https_uri"], "secure.example.com")
 	// Non-IP strings should remain unchanged
 	assert.Equal(t, "300.300.300.300", state["not_ip"])
 	assert.Equal(t, "192.168", state["partial_ip"])
 	assert.Equal(t, "1234.5678", state["ip_like_string"])
 	// Mixed content should have IPs and domains replaced
 	mixedContent := state["mixed_content"].(string)
 	assert.NotContains(t, mixedContent, "203.0.113.1")
 	assert.NotContains(t, mixedContent, "test.example.com")
 	assert.Contains(t, mixedContent, "Server at ")
 	assert.Contains(t, mixedContent, " on port 80")
 	// Special values should remain unchanged
 	assert.Equal(t, "", state["empty_string"])
 	assert.Nil(t, state["null_value"])
 	assert.Equal(t, float64(42), state["numeric_value"])
 	assert.Equal(t, true, state["boolean_value"])
 	// Check route state
 	var routeState map[string]any
 	err = json.Unmarshal(testState["route_state"], &routeState)
 	require.NoError(t, err)
 	routes := routeState["routes"].([]any)
 	route1 := routes[0].(map[string]any)
 	assert.NotEqual(t, "203.0.113.0/24", route1["network"])
 	assert.Contains(t, route1["network"], "/24")
 	assert.NotEqual(t, "203.0.113.1", route1["gateway"])
 	domains := route1["domains"].([]any)
 	assert.True(t, strings.HasSuffix(domains[0].(string), ".domain"))
 	assert.True(t, strings.HasSuffix(domains[1].(string), ".domain"))
 	// Check map keys are anonymized
 	refCountMap := routeState["refCountMap"].(map[string]any)
 	hasPublicIPKey := false
 	hasIPv6Key := false
 	hasPrivateIPKey := false
 	for key := range refCountMap {
 		if strings.Contains(key, "203.0.113.1") {
 			hasPublicIPKey = true
 		}
 		if strings.Contains(key, "2001:db8::1") {
 			hasIPv6Key = true
 		}
 		if key == "10.0.0.1/32" {
 			hasPrivateIPKey = true
 		}
 	}
 	assert.False(t, hasPublicIPKey, "public IP in key should be anonymized")
 	assert.False(t, hasIPv6Key, "IPv6 in key should be anonymized")
 	assert.True(t, hasPrivateIPKey, "private IP in key should remain unchanged")
 }
 func mustMarshal(v any) json.RawMessage {
 	data, err := json.Marshal(v)
 	if err != nil {
 		panic(err)
 	}
 	return data
 }
 func TestAnonymizeNetworkMap(t *testing.T) {
 	networkMap := &mgmProto.NetworkMap{
 		PeerConfig: &mgmProto.PeerConfig{
 			Address: "203.0.113.5",
 			Dns:     "1.2.3.4",
 			Fqdn:    "peer1.corp.example.com",
 			SshConfig: &mgmProto.SSHConfig{
 				SshPubKey: []byte("ssh-rsa AAAAB3NzaC1..."),
 			},
 		},
 		RemotePeers: []*mgmProto.RemotePeerConfig{
 			{
 				AllowedIps: []string{
 					"203.0.113.1/32",
 					"2001:db8:1234::1/128",
 					"192.168.1.1/32",
 					"100.64.0.1/32",
 					"10.0.0.1/32",
 				},
 				Fqdn: "peer2.corp.example.com",
 				SshConfig: &mgmProto.SSHConfig{
 					SshPubKey: []byte("ssh-rsa AAAAB3NzaC2..."),
 				},
 			},
 		},
 		Routes: []*mgmProto.Route{
 			{
 				Network: "197.51.100.0/24",
 				Domains: []string{"prod.example.com", "staging.example.com"},
 				NetID:   "net-123abc",
 			},
 		},
 		DNSConfig: &mgmProto.DNSConfig{
 			NameServerGroups: []*mgmProto.NameServerGroup{
 				{
 					NameServers: []*mgmProto.NameServer{
 						{IP: "8.8.8.8"},
 						{IP: "1.1.1.1"},
 						{IP: "203.0.113.53"},
 					},
 					Domains: []string{"example.com", "internal.example.com"},
 				},
 			},
 			CustomZones: []*mgmProto.CustomZone{
 				{
 					Domain: "custom.example.com",
 					Records: []*mgmProto.SimpleRecord{
 						{
 							Name:  "www.custom.example.com",
 							Type:  1,
 							RData: "203.0.113.10",
 						},
 						{
 							Name:  "internal.custom.example.com",
 							Type:  1,
 							RData: "192.168.1.10",
 						},
 					},
 				},
 			},
 		},
 	}
 	// Create anonymizer with test addresses
 	anonymizer := anonymize.NewAnonymizer(anonymize.DefaultAddresses())
 	// Anonymize the network map
 	err := anonymizeNetworkMap(networkMap, anonymizer)
 	require.NoError(t, err)
 	// Test PeerConfig anonymization
 	peerCfg := networkMap.PeerConfig
 	require.NotEqual(t, "203.0.113.5", peerCfg.Address)
 	// Verify DNS and FQDN are properly anonymized
 	require.NotEqual(t, "1.2.3.4", peerCfg.Dns)
 	require.NotEqual(t, "peer1.corp.example.com", peerCfg.Fqdn)
 	require.True(t, strings.HasSuffix(peerCfg.Fqdn, ".domain"))
 	// Verify SSH key is replaced
 	require.Equal(t, []byte("ssh-placeholder-key"), peerCfg.SshConfig.SshPubKey)
 	// Test RemotePeers anonymization
 	remotePeer := networkMap.RemotePeers[0]
 	// Verify FQDN is anonymized
 	require.NotEqual(t, "peer2.corp.example.com", remotePeer.Fqdn)
 	require.True(t, strings.HasSuffix(remotePeer.Fqdn, ".domain"))
 	// Check that public IPs are anonymized but private IPs are preserved
 	for _, allowedIP := range remotePeer.AllowedIps {
 		ip, _, err := net.ParseCIDR(allowedIP)
 		require.NoError(t, err)
 		if ip.IsPrivate() || isInCGNATRange(ip) {
 			require.Contains(t, []string{
 				"192.168.1.1/32",
 				"100.64.0.1/32",
 				"10.0.0.1/32",
 			}, allowedIP)
 		} else {
 			require.NotContains(t, []string{
 				"203.0.113.1/32",
 				"2001:db8:1234::1/128",
 			}, allowedIP)
 		}
 	}
 	// Test Routes anonymization
 	route := networkMap.Routes[0]
 	require.NotEqual(t, "197.51.100.0/24", route.Network)
 	for _, domain := range route.Domains {
 		require.True(t, strings.HasSuffix(domain, ".domain"))
 		require.NotContains(t, domain, "example.com")
 	}
 	// Test DNS config anonymization
 	dnsConfig := networkMap.DNSConfig
 	nameServerGroup := dnsConfig.NameServerGroups[0]
 	// Verify well-known DNS servers are preserved
 	require.Equal(t, "8.8.8.8", nameServerGroup.NameServers[0].IP)
 	require.Equal(t, "1.1.1.1", nameServerGroup.NameServers[1].IP)
 	// Verify public DNS server is anonymized
 	require.NotEqual(t, "203.0.113.53", nameServerGroup.NameServers[2].IP)
 	// Verify domains are anonymized
 	for _, domain := range nameServerGroup.Domains {
 		require.True(t, strings.HasSuffix(domain, ".domain"))
 		require.NotContains(t, domain, "example.com")
 	}
 	// Test CustomZones anonymization
 	customZone := dnsConfig.CustomZones[0]
 	require.True(t, strings.HasSuffix(customZone.Domain, ".domain"))
 	require.NotContains(t, customZone.Domain, "example.com")
 	// Verify records are properly anonymized
 	for _, record := range customZone.Records {
 		require.True(t, strings.HasSuffix(record.Name, ".domain"))
 		require.NotContains(t, record.Name, "example.com")
 		ip := net.ParseIP(record.RData)
 		if ip != nil {
 			if !ip.IsPrivate() {
 				require.NotEqual(t, "203.0.113.10", record.RData)
 			} else {
 				require.Equal(t, "192.168.1.10", record.RData)
 			}
 		}
 	}
 }
 // Helper function to check if IP is in CGNAT range
 func isInCGNATRange(ip net.IP) bool {
 	cgnat := net.IPNet{
 		IP:   net.ParseIP("100.64.0.0"),
 		Mask: net.CIDRMask(10, 32),
 	}
 	return cgnat.Contains(ip)
 }
 func TestAnonymizeFirewallRules(t *testing.T) {
 	// TODO: Add ipv6
 	// Example iptables-save output
 	iptablesSave := `# Generated by iptables-save v1.8.7 on Thu Dec 19 10:00:00 2024
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 -A INPUT -s 192.168.1.0/24 -j ACCEPT
 -A INPUT -s 44.192.140.1/32 -j DROP
 -A FORWARD -s 10.0.0.0/8 -j DROP
 -A FORWARD -s 44.192.140.0/24 -d 52.84.12.34/24 -j ACCEPT
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 -A POSTROUTING -s 192.168.100.0/24 -j MASQUERADE
 -A PREROUTING -d 44.192.140.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
 COMMIT`
 	// Example iptables -v -n -L output
 	iptablesVerbose := `Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination         
       0     0 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0           
     100  1024 DROP       all  --  *      *       44.192.140.1         0.0.0.0/0
 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination         
       0     0 DROP       all  --  *      *       10.0.0.0/8           0.0.0.0/0           
      25   256 ACCEPT     all  --  *      *       44.192.140.0/24      52.84.12.34/24
 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination`
 	// Example nftables output
 	nftablesRules := `table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
                ip saddr 192.168.1.1 accept
                ip saddr 44.192.140.1 drop
        }
        chain forward {
                type filter hook forward priority filter; policy accept;
                ip saddr 10.0.0.0/8 drop
                ip saddr 44.192.140.0/24 ip daddr 52.84.12.34/24 accept
        }
    }`
 	anonymizer := anonymize.NewAnonymizer(anonymize.DefaultAddresses())
 	// Test iptables-save anonymization
 	anonIptablesSave := anonymizer.AnonymizeString(iptablesSave)
 	// Private IP addresses should remain unchanged
 	assert.Contains(t, anonIptablesSave, "192.168.1.0/24")
 	assert.Contains(t, anonIptablesSave, "10.0.0.0/8")
 	assert.Contains(t, anonIptablesSave, "192.168.100.0/24")
 	assert.Contains(t, anonIptablesSave, "192.168.1.10")
 	// Public IP addresses should be anonymized to the default range
 	assert.NotContains(t, anonIptablesSave, "44.192.140.1")
 	assert.NotContains(t, anonIptablesSave, "44.192.140.0/24")
 	assert.NotContains(t, anonIptablesSave, "52.84.12.34")
 	assert.Contains(t, anonIptablesSave, "198.51.100.") // Default anonymous range
 	// Structure should be preserved
 	assert.Contains(t, anonIptablesSave, "*filter")
 	assert.Contains(t, anonIptablesSave, ":INPUT ACCEPT [0:0]")
 	assert.Contains(t, anonIptablesSave, "COMMIT")
 	assert.Contains(t, anonIptablesSave, "-j MASQUERADE")
 	assert.Contains(t, anonIptablesSave, "--dport 80")
 	// Test iptables verbose output anonymization
 	anonIptablesVerbose := anonymizer.AnonymizeString(iptablesVerbose)
 	// Private IP addresses should remain unchanged
 	assert.Contains(t, anonIptablesVerbose, "192.168.1.0/24")
 	assert.Contains(t, anonIptablesVerbose, "10.0.0.0/8")
 	// Public IP addresses should be anonymized to the default range
 	assert.NotContains(t, anonIptablesVerbose, "44.192.140.1")
 	assert.NotContains(t, anonIptablesVerbose, "44.192.140.0/24")
 	assert.NotContains(t, anonIptablesVerbose, "52.84.12.34")
 	assert.Contains(t, anonIptablesVerbose, "198.51.100.") // Default anonymous range
 	// Structure and counters should be preserved
 	assert.Contains(t, anonIptablesVerbose, "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)")
 	assert.Contains(t, anonIptablesVerbose, "100  1024 DROP")
 	assert.Contains(t, anonIptablesVerbose, "pkts bytes target")
 	// Test nftables anonymization
 	anonNftables := anonymizer.AnonymizeString(nftablesRules)
 	// Private IP addresses should remain unchanged
 	assert.Contains(t, anonNftables, "192.168.1.1")
 	assert.Contains(t, anonNftables, "10.0.0.0/8")
 	// Public IP addresses should be anonymized to the default range
 	assert.NotContains(t, anonNftables, "44.192.140.1")
 	assert.NotContains(t, anonNftables, "44.192.140.0/24")
 	assert.NotContains(t, anonNftables, "52.84.12.34")
 	assert.Contains(t, anonNftables, "198.51.100.") // Default anonymous range
 	// Structure should be preserved
 	assert.Contains(t, anonNftables, "table inet filter {")
 	assert.Contains(t, anonNftables, "chain input {")
 	assert.Contains(t, anonNftables, "type filter hook input priority filter; policy accept;")
 }
--- a/client/internal/dns/handler_chain_test.go
+++ b/client/internal/dns/handler_chain_test.go
@@ -1,7 +1,6 @@
 package dns_test
 import (
 	"net"
 	"testing"
 	"github.com/miekg/dns"
@@ -9,6 +8,7 @@ import (
 	"github.com/stretchr/testify/mock"
 	nbdns "github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/dns/test"
 )
 // TestHandlerChain_ServeDNS_Priorities tests that handlers are executed in priority order
@@ -30,7 +30,7 @@ func TestHandlerChain_ServeDNS_Priorities(t *testing.T) {
 	r.SetQuestion("example.com.", dns.TypeA)
 	// Create test writer
-	w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+	w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
 	// Setup expectations - only highest priority handler should be called
 	dnsRouteHandler.On("ServeDNS", mock.Anything, r).Once()
@@ -142,7 +142,7 @@ func TestHandlerChain_ServeDNS_DomainMatching(t *testing.T) {
 			r := new(dns.Msg)
 			r.SetQuestion(tt.queryDomain, dns.TypeA)
-			w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+			w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
 			chain.ServeDNS(w, r)
@@ -259,7 +259,7 @@ func TestHandlerChain_ServeDNS_OverlappingDomains(t *testing.T) {
 			// Create and execute request
 			r := new(dns.Msg)
 			r.SetQuestion(tt.queryDomain, dns.TypeA)
-			w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+			w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
 			chain.ServeDNS(w, r)
 			// Verify expectations
@@ -316,7 +316,7 @@ func TestHandlerChain_ServeDNS_ChainContinuation(t *testing.T) {
 	}).Once()
 	// Execute
-	w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+	w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
 	chain.ServeDNS(w, r)
 	// Verify all handlers were called in order
@@ -325,20 +325,6 @@ func TestHandlerChain_ServeDNS_ChainContinuation(t *testing.T) {
 	handler3.AssertExpectations(t)
 }
 // mockResponseWriter implements dns.ResponseWriter for testing
 type mockResponseWriter struct {
 	mock.Mock
 }
 func (m *mockResponseWriter) LocalAddr() net.Addr       { return nil }
 func (m *mockResponseWriter) RemoteAddr() net.Addr      { return nil }
 func (m *mockResponseWriter) WriteMsg(*dns.Msg) error   { return nil }
 func (m *mockResponseWriter) Write([]byte) (int, error) { return 0, nil }
 func (m *mockResponseWriter) Close() error              { return nil }
 func (m *mockResponseWriter) TsigStatus() error         { return nil }
 func (m *mockResponseWriter) TsigTimersOnly(bool)       {}
 func (m *mockResponseWriter) Hijack()                   {}
 func TestHandlerChain_PriorityDeregistration(t *testing.T) {
 	tests := []struct {
 		name string
@@ -425,7 +411,7 @@ func TestHandlerChain_PriorityDeregistration(t *testing.T) {
 			// Create test request
 			r := new(dns.Msg)
 			r.SetQuestion(tt.query, dns.TypeA)
-			w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+			w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
 			// Setup expectations
 			for priority, handler := range handlers {
@@ -471,7 +457,7 @@ func TestHandlerChain_MultiPriorityHandling(t *testing.T) {
 	chain.AddHandler(testDomain, matchHandler, nbdns.PriorityMatchDomain)
 	// Test 1: Initial state
-	w1 := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+	w1 := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
 	// Highest priority handler (routeHandler) should be called
 	routeHandler.On("ServeDNS", mock.Anything, r).Return().Once()
 	matchHandler.On("ServeDNS", mock.Anything, r).Maybe()   // Ensure others are not expected yet
@@ -490,7 +476,7 @@ func TestHandlerChain_MultiPriorityHandling(t *testing.T) {
 	// Test 2: Remove highest priority handler
 	chain.RemoveHandler(testDomain, nbdns.PriorityDNSRoute)
-	w2 := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+	w2 := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
 	// Now middle priority handler (matchHandler) should be called
 	matchHandler.On("ServeDNS", mock.Anything, r).Return().Once()
 	defaultHandler.On("ServeDNS", mock.Anything, r).Maybe() // Ensure default is not expected yet
@@ -506,7 +492,7 @@ func TestHandlerChain_MultiPriorityHandling(t *testing.T) {
 	// Test 3: Remove middle priority handler
 	chain.RemoveHandler(testDomain, nbdns.PriorityMatchDomain)
-	w3 := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+	w3 := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
 	// Now lowest priority handler (defaultHandler) should be called
 	defaultHandler.On("ServeDNS", mock.Anything, r).Return().Once()
@@ -519,7 +505,7 @@ func TestHandlerChain_MultiPriorityHandling(t *testing.T) {
 	// Test 4: Remove last handler
 	chain.RemoveHandler(testDomain, nbdns.PriorityDefault)
-	w4 := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+	w4 := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
 	chain.ServeDNS(w4, r) // Call ServeDNS on the now empty chain for this domain
 	for _, m := range mocks {
@@ -675,7 +661,7 @@ func TestHandlerChain_CaseSensitivity(t *testing.T) {
 			// Execute request
 			r := new(dns.Msg)
 			r.SetQuestion(tt.query, dns.TypeA)
-			chain.ServeDNS(&mockResponseWriter{}, r)
+			chain.ServeDNS(&test.MockResponseWriter{}, r)
 			// Verify each handler was called exactly as expected
 			for _, h := range tt.addHandlers {
@@ -819,7 +805,7 @@ func TestHandlerChain_DomainSpecificityOrdering(t *testing.T) {
 			r := new(dns.Msg)
 			r.SetQuestion(tt.query, dns.TypeA)
-			w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+			w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
 			// Setup handler expectations
 			for pattern, handler := range handlers {
@@ -969,7 +955,7 @@ func TestHandlerChain_AddRemoveRoundtrip(t *testing.T) {
 			handler := &nbdns.MockHandler{}
 			r := new(dns.Msg)
 			r.SetQuestion(tt.queryPattern, dns.TypeA)
-			w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+			w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
 			// First verify no handler is called before adding any
 			chain.ServeDNS(w, r)
--- a/client/internal/dns/local.go
+++ b/client/internal/dns/local.go
@@ -1,124 +0,0 @@
 package dns
 import (
 	"fmt"
 	"strings"
 	"sync"
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
 	nbdns "github.com/netbirdio/netbird/dns"
 )
 type registrationMap map[string]struct{}
 type localResolver struct {
 	registeredMap registrationMap
 	records       sync.Map // key: string (domain_class_type), value: []dns.RR
 }
 func (d *localResolver) MatchSubdomains() bool {
 	return true
 }
 func (d *localResolver) stop() {
 }
 // String returns a string representation of the local resolver
 func (d *localResolver) String() string {
 	return fmt.Sprintf("local resolver [%d records]", len(d.registeredMap))
 }
 // ID returns the unique handler ID
 func (d *localResolver) id() handlerID {
 	return "local-resolver"
 }
 // ServeDNS handles a DNS request
 func (d *localResolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	if len(r.Question) > 0 {
 		log.Tracef("received local question: domain=%s type=%v class=%v", r.Question[0].Name, r.Question[0].Qtype, r.Question[0].Qclass)
 	}
 	replyMessage := &dns.Msg{}
 	replyMessage.SetReply(r)
 	replyMessage.RecursionAvailable = true
 	// lookup all records matching the question
 	records := d.lookupRecords(r)
 	if len(records) > 0 {
 		replyMessage.Rcode = dns.RcodeSuccess
 		replyMessage.Answer = append(replyMessage.Answer, records...)
 	} else {
 		replyMessage.Rcode = dns.RcodeNameError
 	}
 	err := w.WriteMsg(replyMessage)
 	if err != nil {
 		log.Debugf("got an error while writing the local resolver response, error: %v", err)
 	}
 }
 // lookupRecords fetches *all* DNS records matching the first question in r.
 func (d *localResolver) lookupRecords(r *dns.Msg) []dns.RR {
 	if len(r.Question) == 0 {
 		return nil
 	}
 	question := r.Question[0]
 	question.Name = strings.ToLower(question.Name)
 	key := buildRecordKey(question.Name, question.Qclass, question.Qtype)
 	value, found := d.records.Load(key)
 	if !found {
 		return nil
 	}
 	records, ok := value.([]dns.RR)
 	if !ok {
 		log.Errorf("failed to cast records to []dns.RR, records: %v", value)
 		return nil
 	}
 	// if there's more than one record, rotate them (round-robin)
 	if len(records) > 1 {
 		first := records[0]
 		records = append(records[1:], first)
 		d.records.Store(key, records)
 	}
 	return records
 }
 // registerRecord stores a new record by appending it to any existing list
 func (d *localResolver) registerRecord(record nbdns.SimpleRecord) (string, error) {
 	rr, err := dns.NewRR(record.String())
 	if err != nil {
 		return "", fmt.Errorf("register record: %w", err)
 	}
 	rr.Header().Rdlength = record.Len()
 	header := rr.Header()
 	key := buildRecordKey(header.Name, header.Class, header.Rrtype)
 	// load any existing slice of records, then append
 	existing, _ := d.records.LoadOrStore(key, []dns.RR{})
 	records := existing.([]dns.RR)
 	records = append(records, rr)
 	// store updated slice
 	d.records.Store(key, records)
 	return key, nil
 }
 // deleteRecord removes *all* records under the recordKey.
 func (d *localResolver) deleteRecord(recordKey string) {
 	d.records.Delete(dns.Fqdn(recordKey))
 }
 // buildRecordKey consistently generates a key: name_class_type
 func buildRecordKey(name string, class, qType uint16) string {
 	return fmt.Sprintf("%s_%d_%d", dns.Fqdn(name), class, qType)
 }
 func (d *localResolver) probeAvailability() {}
--- a/client/internal/dns/local/local.go
+++ b/client/internal/dns/local/local.go
@@ -0,0 +1,149 @@
 package local
 import (
 	"fmt"
 	"slices"
 	"strings"
 	"sync"
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/exp/maps"
 	"github.com/netbirdio/netbird/client/internal/dns/types"
 	nbdns "github.com/netbirdio/netbird/dns"
 )
 type Resolver struct {
 	mu      sync.RWMutex
 	records map[dns.Question][]dns.RR
 }
 func NewResolver() *Resolver {
 	return &Resolver{
 		records: make(map[dns.Question][]dns.RR),
 	}
 }
 func (d *Resolver) MatchSubdomains() bool {
 	return true
 }
 // String returns a string representation of the local resolver
 func (d *Resolver) String() string {
 	return fmt.Sprintf("local resolver [%d records]", len(d.records))
 }
 func (d *Resolver) Stop() {}
 // ID returns the unique handler ID
 func (d *Resolver) ID() types.HandlerID {
 	return "local-resolver"
 }
 func (d *Resolver) ProbeAvailability() {}
 // ServeDNS handles a DNS request
 func (d *Resolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	if len(r.Question) == 0 {
 		log.Debugf("received local resolver request with no question")
 		return
 	}
 	question := r.Question[0]
 	question.Name = strings.ToLower(dns.Fqdn(question.Name))
 	log.Tracef("received local question: domain=%s type=%v class=%v", r.Question[0].Name, question.Qtype, question.Qclass)
 	replyMessage := &dns.Msg{}
 	replyMessage.SetReply(r)
 	replyMessage.RecursionAvailable = true
 	// lookup all records matching the question
 	records := d.lookupRecords(question)
 	if len(records) > 0 {
 		replyMessage.Rcode = dns.RcodeSuccess
 		replyMessage.Answer = append(replyMessage.Answer, records...)
 	} else {
 		// TODO: return success if we have a different record type for the same name, relevant for search domains
 		replyMessage.Rcode = dns.RcodeNameError
 	}
 	if err := w.WriteMsg(replyMessage); err != nil {
 		log.Warnf("failed to write the local resolver response: %v", err)
 	}
 }
 // lookupRecords fetches *all* DNS records matching the first question in r.
 func (d *Resolver) lookupRecords(question dns.Question) []dns.RR {
 	d.mu.RLock()
 	records, found := d.records[question]
 	if !found {
 		d.mu.RUnlock()
 		// alternatively check if we have a cname
 		if question.Qtype != dns.TypeCNAME {
 			question.Qtype = dns.TypeCNAME
 			return d.lookupRecords(question)
 		}
 		return nil
 	}
 	recordsCopy := slices.Clone(records)
 	d.mu.RUnlock()
 	// if there's more than one record, rotate them (round-robin)
 	if len(recordsCopy) > 1 {
 		d.mu.Lock()
 		records = d.records[question]
 		if len(records) > 1 {
 			first := records[0]
 			records = append(records[1:], first)
 			d.records[question] = records
 		}
 		d.mu.Unlock()
 	}
 	return recordsCopy
 }
 func (d *Resolver) Update(update []nbdns.SimpleRecord) {
 	d.mu.Lock()
 	defer d.mu.Unlock()
 	maps.Clear(d.records)
 	for _, rec := range update {
 		if err := d.registerRecord(rec); err != nil {
 			log.Warnf("failed to register the record (%s): %v", rec, err)
 			continue
 		}
 	}
 }
 // RegisterRecord stores a new record by appending it to any existing list
 func (d *Resolver) RegisterRecord(record nbdns.SimpleRecord) error {
 	d.mu.Lock()
 	defer d.mu.Unlock()
 	return d.registerRecord(record)
 }
 // registerRecord performs the registration with the lock already held
 func (d *Resolver) registerRecord(record nbdns.SimpleRecord) error {
 	rr, err := dns.NewRR(record.String())
 	if err != nil {
 		return fmt.Errorf("register record: %w", err)
 	}
 	rr.Header().Rdlength = record.Len()
 	header := rr.Header()
 	q := dns.Question{
 		Name:   strings.ToLower(dns.Fqdn(header.Name)),
 		Qtype:  header.Rrtype,
 		Qclass: header.Class,
 	}
 	d.records[q] = append(d.records[q], rr)
 	return nil
 }
--- a/client/internal/dns/local/local_test.go
+++ b/client/internal/dns/local/local_test.go
@@ -0,0 +1,472 @@
 package local
 import (
 	"strings"
 	"testing"
 	"github.com/miekg/dns"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/netbirdio/netbird/client/internal/dns/test"
 	nbdns "github.com/netbirdio/netbird/dns"
 )
 func TestLocalResolver_ServeDNS(t *testing.T) {
 	recordA := nbdns.SimpleRecord{
 		Name:  "peera.netbird.cloud.",
 		Type:  1,
 		Class: nbdns.DefaultClass,
 		TTL:   300,
 		RData: "1.2.3.4",
 	}
 	recordCNAME := nbdns.SimpleRecord{
 		Name:  "peerb.netbird.cloud.",
 		Type:  5,
 		Class: nbdns.DefaultClass,
 		TTL:   300,
 		RData: "www.netbird.io",
 	}
 	testCases := []struct {
 		name                string
 		inputRecord         nbdns.SimpleRecord
 		inputMSG            *dns.Msg
 		responseShouldBeNil bool
 	}{
 		{
 			name:        "Should Resolve A Record",
 			inputRecord: recordA,
 			inputMSG:    new(dns.Msg).SetQuestion(recordA.Name, dns.TypeA),
 		},
 		{
 			name:        "Should Resolve CNAME Record",
 			inputRecord: recordCNAME,
 			inputMSG:    new(dns.Msg).SetQuestion(recordCNAME.Name, dns.TypeCNAME),
 		},
 		{
 			name:                "Should Not Write When Not Found A Record",
 			inputRecord:         recordA,
 			inputMSG:            new(dns.Msg).SetQuestion("not.found.com", dns.TypeA),
 			responseShouldBeNil: true,
 		},
 	}
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
 			resolver := NewResolver()
 			_ = resolver.RegisterRecord(testCase.inputRecord)
 			var responseMSG *dns.Msg
 			responseWriter := &test.MockResponseWriter{
 				WriteMsgFunc: func(m *dns.Msg) error {
 					responseMSG = m
 					return nil
 				},
 			}
 			resolver.ServeDNS(responseWriter, testCase.inputMSG)
 			if responseMSG == nil || len(responseMSG.Answer) == 0 {
 				if testCase.responseShouldBeNil {
 					return
 				}
 				t.Fatalf("should write a response message")
 			}
 			answerString := responseMSG.Answer[0].String()
 			if !strings.Contains(answerString, testCase.inputRecord.Name) {
 				t.Fatalf("answer doesn't contain the same domain name: \nWant: %s\nGot:%s", testCase.name, answerString)
 			}
 			if !strings.Contains(answerString, dns.Type(testCase.inputRecord.Type).String()) {
 				t.Fatalf("answer doesn't contain the correct type: \nWant: %s\nGot:%s", dns.Type(testCase.inputRecord.Type).String(), answerString)
 			}
 			if !strings.Contains(answerString, testCase.inputRecord.RData) {
 				t.Fatalf("answer doesn't contain the same address: \nWant: %s\nGot:%s", testCase.inputRecord.RData, answerString)
 			}
 		})
 	}
 }
 // TestLocalResolver_Update_StaleRecord verifies that updating
 // a record correctly replaces the old one, preventing stale entries.
 func TestLocalResolver_Update_StaleRecord(t *testing.T) {
 	recordName := "host.example.com."
 	recordType := dns.TypeA
 	recordClass := dns.ClassINET
 	record1 := nbdns.SimpleRecord{
 		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "1.1.1.1",
 	}
 	record2 := nbdns.SimpleRecord{
 		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "2.2.2.2",
 	}
 	recordKey := dns.Question{Name: recordName, Qtype: uint16(recordClass), Qclass: recordType}
 	resolver := NewResolver()
 	update1 := []nbdns.SimpleRecord{record1}
 	update2 := []nbdns.SimpleRecord{record2}
 	// Apply first update
 	resolver.Update(update1)
 	// Verify first update
 	resolver.mu.RLock()
 	rrSlice1, found1 := resolver.records[recordKey]
 	resolver.mu.RUnlock()
 	require.True(t, found1, "Record key %s not found after first update", recordKey)
 	require.Len(t, rrSlice1, 1, "Should have exactly 1 record after first update")
 	assert.Contains(t, rrSlice1[0].String(), record1.RData, "Record after first update should be %s", record1.RData)
 	// Apply second update
 	resolver.Update(update2)
 	// Verify second update
 	resolver.mu.RLock()
 	rrSlice2, found2 := resolver.records[recordKey]
 	resolver.mu.RUnlock()
 	require.True(t, found2, "Record key %s not found after second update", recordKey)
 	require.Len(t, rrSlice2, 1, "Should have exactly 1 record after update overwriting the key")
 	assert.Contains(t, rrSlice2[0].String(), record2.RData, "The single record should be the updated one (%s)", record2.RData)
 	assert.NotContains(t, rrSlice2[0].String(), record1.RData, "The stale record (%s) should not be present", record1.RData)
 }
 // TestLocalResolver_MultipleRecords_SameQuestion verifies that multiple records
 // with the same question are stored properly
 func TestLocalResolver_MultipleRecords_SameQuestion(t *testing.T) {
 	resolver := NewResolver()
 	recordName := "multi.example.com."
 	recordType := dns.TypeA
 	// Create two records with the same name and type but different IPs
 	record1 := nbdns.SimpleRecord{
 		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1",
 	}
 	record2 := nbdns.SimpleRecord{
 		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.2",
 	}
 	update := []nbdns.SimpleRecord{record1, record2}
 	// Apply update with both records
 	resolver.Update(update)
 	// Create question that matches both records
 	question := dns.Question{
 		Name:   recordName,
 		Qtype:  recordType,
 		Qclass: dns.ClassINET,
 	}
 	// Verify both records are stored
 	resolver.mu.RLock()
 	records, found := resolver.records[question]
 	resolver.mu.RUnlock()
 	require.True(t, found, "Records for question %v not found", question)
 	require.Len(t, records, 2, "Should have exactly 2 records for the same question")
 	// Verify both record data values are present
 	recordStrings := []string{records[0].String(), records[1].String()}
 	assert.Contains(t, recordStrings[0]+recordStrings[1], record1.RData, "First record data should be present")
 	assert.Contains(t, recordStrings[0]+recordStrings[1], record2.RData, "Second record data should be present")
 }
 // TestLocalResolver_RecordRotation verifies that records are rotated in a round-robin fashion
 func TestLocalResolver_RecordRotation(t *testing.T) {
 	resolver := NewResolver()
 	recordName := "rotation.example.com."
 	recordType := dns.TypeA
 	// Create three records with the same name and type but different IPs
 	record1 := nbdns.SimpleRecord{
 		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "192.168.1.1",
 	}
 	record2 := nbdns.SimpleRecord{
 		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "192.168.1.2",
 	}
 	record3 := nbdns.SimpleRecord{
 		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "192.168.1.3",
 	}
 	update := []nbdns.SimpleRecord{record1, record2, record3}
 	// Apply update with all three records
 	resolver.Update(update)
 	msg := new(dns.Msg).SetQuestion(recordName, recordType)
 	// First lookup - should return the records in original order
 	var responses [3]*dns.Msg
 	// Perform three lookups to verify rotation
 	for i := 0; i < 3; i++ {
 		responseWriter := &test.MockResponseWriter{
 			WriteMsgFunc: func(m *dns.Msg) error {
 				responses[i] = m
 				return nil
 			},
 		}
 		resolver.ServeDNS(responseWriter, msg)
 	}
 	// Verify all three responses contain answers
 	for i, resp := range responses {
 		require.NotNil(t, resp, "Response %d should not be nil", i)
 		require.Len(t, resp.Answer, 3, "Response %d should have 3 answers", i)
 	}
 	// Verify the first record in each response is different due to rotation
 	firstRecordIPs := []string{
 		responses[0].Answer[0].String(),
 		responses[1].Answer[0].String(),
 		responses[2].Answer[0].String(),
 	}
 	// Each record should be different (rotated)
 	assert.NotEqual(t, firstRecordIPs[0], firstRecordIPs[1], "First lookup should differ from second lookup due to rotation")
 	assert.NotEqual(t, firstRecordIPs[1], firstRecordIPs[2], "Second lookup should differ from third lookup due to rotation")
 	assert.NotEqual(t, firstRecordIPs[0], firstRecordIPs[2], "First lookup should differ from third lookup due to rotation")
 	// After three rotations, we should have cycled through all records
 	assert.Contains(t, firstRecordIPs[0]+firstRecordIPs[1]+firstRecordIPs[2], record1.RData)
 	assert.Contains(t, firstRecordIPs[0]+firstRecordIPs[1]+firstRecordIPs[2], record2.RData)
 	assert.Contains(t, firstRecordIPs[0]+firstRecordIPs[1]+firstRecordIPs[2], record3.RData)
 }
 // TestLocalResolver_CaseInsensitiveMatching verifies that DNS record lookups are case-insensitive
 func TestLocalResolver_CaseInsensitiveMatching(t *testing.T) {
 	resolver := NewResolver()
 	// Create record with lowercase name
 	lowerCaseRecord := nbdns.SimpleRecord{
 		Name:  "lower.example.com.",
 		Type:  int(dns.TypeA),
 		Class: nbdns.DefaultClass,
 		TTL:   300,
 		RData: "10.10.10.10",
 	}
 	// Create record with mixed case name
 	mixedCaseRecord := nbdns.SimpleRecord{
 		Name:  "MiXeD.ExAmPlE.CoM.",
 		Type:  int(dns.TypeA),
 		Class: nbdns.DefaultClass,
 		TTL:   300,
 		RData: "20.20.20.20",
 	}
 	// Update resolver with the records
 	resolver.Update([]nbdns.SimpleRecord{lowerCaseRecord, mixedCaseRecord})
 	testCases := []struct {
 		name          string
 		queryName     string
 		expectedRData string
 		shouldResolve bool
 	}{
 		{
 			name:          "Query lowercase with lowercase record",
 			queryName:     "lower.example.com.",
 			expectedRData: "10.10.10.10",
 			shouldResolve: true,
 		},
 		{
 			name:          "Query uppercase with lowercase record",
 			queryName:     "LOWER.EXAMPLE.COM.",
 			expectedRData: "10.10.10.10",
 			shouldResolve: true,
 		},
 		{
 			name:          "Query mixed case with lowercase record",
 			queryName:     "LoWeR.eXaMpLe.CoM.",
 			expectedRData: "10.10.10.10",
 			shouldResolve: true,
 		},
 		{
 			name:          "Query lowercase with mixed case record",
 			queryName:     "mixed.example.com.",
 			expectedRData: "20.20.20.20",
 			shouldResolve: true,
 		},
 		{
 			name:          "Query uppercase with mixed case record",
 			queryName:     "MIXED.EXAMPLE.COM.",
 			expectedRData: "20.20.20.20",
 			shouldResolve: true,
 		},
 		{
 			name:          "Query with different casing pattern",
 			queryName:     "mIxEd.ExaMpLe.cOm.",
 			expectedRData: "20.20.20.20",
 			shouldResolve: true,
 		},
 		{
 			name:          "Query non-existent domain",
 			queryName:     "nonexistent.example.com.",
 			shouldResolve: false,
 		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			var responseMSG *dns.Msg
 			// Create DNS query with the test case name
 			msg := new(dns.Msg).SetQuestion(tc.queryName, dns.TypeA)
 			// Create mock response writer to capture the response
 			responseWriter := &test.MockResponseWriter{
 				WriteMsgFunc: func(m *dns.Msg) error {
 					responseMSG = m
 					return nil
 				},
 			}
 			// Perform DNS query
 			resolver.ServeDNS(responseWriter, msg)
 			// Check if we expect a successful resolution
 			if !tc.shouldResolve {
 				if responseMSG == nil || len(responseMSG.Answer) == 0 {
 					// Expected no answer, test passes
 					return
 				}
 				t.Fatalf("Expected no resolution for %s, but got answer: %v", tc.queryName, responseMSG.Answer)
 			}
 			// Verify we got a response
 			require.NotNil(t, responseMSG, "Should have received a response message")
 			require.Greater(t, len(responseMSG.Answer), 0, "Response should contain at least one answer")
 			// Verify the response contains the expected data
 			answerString := responseMSG.Answer[0].String()
 			assert.Contains(t, answerString, tc.expectedRData,
 				"Answer should contain the expected IP address %s, got: %s",
 				tc.expectedRData, answerString)
 		})
 	}
 }
 // TestLocalResolver_CNAMEFallback verifies that the resolver correctly falls back
 // to checking for CNAME records when the requested record type isn't found
 func TestLocalResolver_CNAMEFallback(t *testing.T) {
 	resolver := NewResolver()
 	// Create a CNAME record (but no A record for this name)
 	cnameRecord := nbdns.SimpleRecord{
 		Name:  "alias.example.com.",
 		Type:  int(dns.TypeCNAME),
 		Class: nbdns.DefaultClass,
 		TTL:   300,
 		RData: "target.example.com.",
 	}
 	// Create an A record for the CNAME target
 	targetRecord := nbdns.SimpleRecord{
 		Name:  "target.example.com.",
 		Type:  int(dns.TypeA),
 		Class: nbdns.DefaultClass,
 		TTL:   300,
 		RData: "192.168.100.100",
 	}
 	// Update resolver with both records
 	resolver.Update([]nbdns.SimpleRecord{cnameRecord, targetRecord})
 	testCases := []struct {
 		name          string
 		queryName     string
 		queryType     uint16
 		expectedType  string
 		expectedRData string
 		shouldResolve bool
 	}{
 		{
 			name:          "Directly query CNAME record",
 			queryName:     "alias.example.com.",
 			queryType:     dns.TypeCNAME,
 			expectedType:  "CNAME",
 			expectedRData: "target.example.com.",
 			shouldResolve: true,
 		},
 		{
 			name:          "Query A record but get CNAME fallback",
 			queryName:     "alias.example.com.",
 			queryType:     dns.TypeA,
 			expectedType:  "CNAME",
 			expectedRData: "target.example.com.",
 			shouldResolve: true,
 		},
 		{
 			name:          "Query AAAA record but get CNAME fallback",
 			queryName:     "alias.example.com.",
 			queryType:     dns.TypeAAAA,
 			expectedType:  "CNAME",
 			expectedRData: "target.example.com.",
 			shouldResolve: true,
 		},
 		{
 			name:          "Query direct A record",
 			queryName:     "target.example.com.",
 			queryType:     dns.TypeA,
 			expectedType:  "A",
 			expectedRData: "192.168.100.100",
 			shouldResolve: true,
 		},
 		{
 			name:          "Query non-existent name",
 			queryName:     "nonexistent.example.com.",
 			queryType:     dns.TypeA,
 			shouldResolve: false,
 		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			var responseMSG *dns.Msg
 			// Create DNS query with the test case parameters
 			msg := new(dns.Msg).SetQuestion(tc.queryName, tc.queryType)
 			// Create mock response writer to capture the response
 			responseWriter := &test.MockResponseWriter{
 				WriteMsgFunc: func(m *dns.Msg) error {
 					responseMSG = m
 					return nil
 				},
 			}
 			// Perform DNS query
 			resolver.ServeDNS(responseWriter, msg)
 			// Check if we expect a successful resolution
 			if !tc.shouldResolve {
 				if responseMSG == nil || len(responseMSG.Answer) == 0 || responseMSG.Rcode != dns.RcodeSuccess {
 					// Expected no resolution, test passes
 					return
 				}
 				t.Fatalf("Expected no resolution for %s, but got answer: %v", tc.queryName, responseMSG.Answer)
 			}
 			// Verify we got a successful response
 			require.NotNil(t, responseMSG, "Should have received a response message")
 			require.Equal(t, dns.RcodeSuccess, responseMSG.Rcode, "Response should have success status code")
 			require.Greater(t, len(responseMSG.Answer), 0, "Response should contain at least one answer")
 			// Verify the response contains the expected data
 			answerString := responseMSG.Answer[0].String()
 			assert.Contains(t, answerString, tc.expectedType,
 				"Answer should be of type %s, got: %s", tc.expectedType, answerString)
 			assert.Contains(t, answerString, tc.expectedRData,
 				"Answer should contain the expected data %s, got: %s", tc.expectedRData, answerString)
 		})
 	}
 }
--- a/client/internal/dns/local_test.go
+++ b/client/internal/dns/local_test.go
@@ -1,88 +0,0 @@
 package dns
 import (
 	"strings"
 	"testing"
 	"github.com/miekg/dns"
 	nbdns "github.com/netbirdio/netbird/dns"
 )
 func TestLocalResolver_ServeDNS(t *testing.T) {
 	recordA := nbdns.SimpleRecord{
 		Name:  "peera.netbird.cloud.",
 		Type:  1,
 		Class: nbdns.DefaultClass,
 		TTL:   300,
 		RData: "1.2.3.4",
 	}
 	recordCNAME := nbdns.SimpleRecord{
 		Name:  "peerb.netbird.cloud.",
 		Type:  5,
 		Class: nbdns.DefaultClass,
 		TTL:   300,
 		RData: "www.netbird.io",
 	}
 	testCases := []struct {
 		name                string
 		inputRecord         nbdns.SimpleRecord
 		inputMSG            *dns.Msg
 		responseShouldBeNil bool
 	}{
 		{
 			name:        "Should Resolve A Record",
 			inputRecord: recordA,
 			inputMSG:    new(dns.Msg).SetQuestion(recordA.Name, dns.TypeA),
 		},
 		{
 			name:        "Should Resolve CNAME Record",
 			inputRecord: recordCNAME,
 			inputMSG:    new(dns.Msg).SetQuestion(recordCNAME.Name, dns.TypeCNAME),
 		},
 		{
 			name:                "Should Not Write When Not Found A Record",
 			inputRecord:         recordA,
 			inputMSG:            new(dns.Msg).SetQuestion("not.found.com", dns.TypeA),
 			responseShouldBeNil: true,
 		},
 	}
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
 			resolver := &localResolver{
 				registeredMap: make(registrationMap),
 			}
 			_, _ = resolver.registerRecord(testCase.inputRecord)
 			var responseMSG *dns.Msg
 			responseWriter := &mockResponseWriter{
 				WriteMsgFunc: func(m *dns.Msg) error {
 					responseMSG = m
 					return nil
 				},
 			}
 			resolver.ServeDNS(responseWriter, testCase.inputMSG)
 			if responseMSG == nil || len(responseMSG.Answer) == 0 {
 				if testCase.responseShouldBeNil {
 					return
 				}
 				t.Fatalf("should write a response message")
 			}
 			answerString := responseMSG.Answer[0].String()
 			if !strings.Contains(answerString, testCase.inputRecord.Name) {
 				t.Fatalf("answer doesn't contain the same domain name: \nWant: %s\nGot:%s", testCase.name, answerString)
 			}
 			if !strings.Contains(answerString, dns.Type(testCase.inputRecord.Type).String()) {
 				t.Fatalf("answer doesn't contain the correct type: \nWant: %s\nGot:%s", dns.Type(testCase.inputRecord.Type).String(), answerString)
 			}
 			if !strings.Contains(answerString, testCase.inputRecord.RData) {
 				t.Fatalf("answer doesn't contain the same address: \nWant: %s\nGot:%s", testCase.inputRecord.RData, answerString)
 			}
 		})
 	}
 }
--- a/client/internal/dns/mock_test.go
+++ b/client/internal/dns/mock_test.go
@@ -1,26 +0,0 @@
 package dns
 import (
 	"net"
 	"github.com/miekg/dns"
 )
 type mockResponseWriter struct {
 	WriteMsgFunc func(m *dns.Msg) error
 }
 func (rw *mockResponseWriter) WriteMsg(m *dns.Msg) error {
 	if rw.WriteMsgFunc != nil {
 		return rw.WriteMsgFunc(m)
 	}
 	return nil
 }
 func (rw *mockResponseWriter) LocalAddr() net.Addr       { return nil }
 func (rw *mockResponseWriter) RemoteAddr() net.Addr      { return nil }
 func (rw *mockResponseWriter) Write([]byte) (int, error) { return 0, nil }
 func (rw *mockResponseWriter) Close() error              { return nil }
 func (rw *mockResponseWriter) TsigStatus() error         { return nil }
 func (rw *mockResponseWriter) TsigTimersOnly(bool)       {}
 func (rw *mockResponseWriter) Hijack()                   {}
--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -15,6 +15,8 @@ import (
 	"golang.org/x/exp/maps"
 	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal/dns/local"
 	"github.com/netbirdio/netbird/client/internal/dns/types"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
@@ -46,8 +48,6 @@ type Server interface {
 	ProbeAvailability()
 }
 type handlerID string
 type nsGroupsByDomain struct {
 	domain string
 	groups []*nbdns.NameServerGroup
@@ -61,7 +61,7 @@ type DefaultServer struct {
 	mux                sync.Mutex
 	service            service
 	dnsMuxMap          registeredHandlerMap
-	localResolver      *localResolver
+	localResolver      *local.Resolver
 	wgInterface        WGIface
 	hostManager        hostManager
 	updateSerial       uint64
@@ -84,9 +84,9 @@ type DefaultServer struct {
 type handlerWithStop interface {
 	dns.Handler
-	stop()
+	Stop()
-	probeAvailability()
+	ProbeAvailability()
-	id() handlerID
+	ID() types.HandlerID
 }
 type handlerWrapper struct {
@@ -95,7 +95,7 @@ type handlerWrapper struct {
 	priority int
 }
-type registeredHandlerMap map[handlerID]handlerWrapper
+type registeredHandlerMap map[types.HandlerID]handlerWrapper
 // NewDefaultServer returns a new dns server
 func NewDefaultServer(
@@ -178,9 +178,7 @@ func newDefaultServer(
 		handlerChain:   handlerChain,
 		extraDomains:   make(map[domain.Domain]int),
 		dnsMuxMap:      make(registeredHandlerMap),
-		localResolver: &localResolver{
+		localResolver:  local.NewResolver(),
 			registeredMap: make(registrationMap),
 		},
 		wgInterface:    wgInterface,
 		statusRecorder: statusRecorder,
 		stateManager:   stateManager,
@@ -403,7 +401,7 @@ func (s *DefaultServer) ProbeAvailability() {
 		wg.Add(1)
 		go func(mux handlerWithStop) {
 			defer wg.Done()
-			mux.probeAvailability()
+			mux.ProbeAvailability()
 		}(mux.handler)
 	}
 	wg.Wait()
@@ -420,7 +418,7 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 		s.service.Stop()
 	}
-	localMuxUpdates, localRecordsByDomain, err := s.buildLocalHandlerUpdate(update.CustomZones)
+	localMuxUpdates, localRecords, err := s.buildLocalHandlerUpdate(update.CustomZones)
 	if err != nil {
 		return fmt.Errorf("local handler updater: %w", err)
 	}
@@ -434,7 +432,7 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 	s.updateMux(muxUpdates)
 	// register local records
-	s.updateLocalResolver(localRecordsByDomain)
+	s.localResolver.Update(localRecords)
 	s.currentConfig = dnsConfigToHostDNSConfig(update, s.service.RuntimeIP(), s.service.RuntimePort())
@@ -467,6 +465,11 @@ func (s *DefaultServer) applyHostConfig() {
 		return
 	}
 	// prevent reapplying config if we're shutting down
 	if s.ctx.Err() != nil {
 		return
 	}
 	config := s.currentConfig
 	existingDomains := make(map[string]struct{})
@@ -511,11 +514,9 @@ func (s *DefaultServer) handleErrNoGroupaAll(err error) {
 	)
 }
-func (s *DefaultServer) buildLocalHandlerUpdate(
+func (s *DefaultServer) buildLocalHandlerUpdate(customZones []nbdns.CustomZone) ([]handlerWrapper, []nbdns.SimpleRecord, error) {
 	customZones []nbdns.CustomZone,
 ) ([]handlerWrapper, map[string][]nbdns.SimpleRecord, error) {
 	var muxUpdates []handlerWrapper
-	localRecords := make(map[string][]nbdns.SimpleRecord)
+	var localRecords []nbdns.SimpleRecord
 	for _, customZone := range customZones {
 		if len(customZone.Records) == 0 {
@@ -529,17 +530,13 @@ func (s *DefaultServer) buildLocalHandlerUpdate(
 			priority: PriorityMatchDomain,
 		})
 		// group all records under this domain
 		for _, record := range customZone.Records {
 			var class uint16 = dns.ClassINET
 			if record.Class != nbdns.DefaultClass {
 				log.Warnf("received an invalid class type: %s", record.Class)
 				continue
 			}
-
+			// zone records contain the fqdn, so we can just flatten them
-			key := buildRecordKey(record.Name, class, uint16(record.Type))
+			localRecords = append(localRecords, record)
 			localRecords[key] = append(localRecords[key], record)
 		}
 	}
@@ -622,7 +619,7 @@ func (s *DefaultServer) createHandlersForDomainGroup(domainGroup nsGroupsByDomai
 		}
 		if len(handler.upstreamServers) == 0 {
-			handler.stop()
+			handler.Stop()
 			log.Errorf("received a nameserver group with an invalid nameserver list")
 			continue
 		}
@@ -651,7 +648,7 @@ func (s *DefaultServer) updateMux(muxUpdates []handlerWrapper) {
 	// this will introduce a short period of time when the server is not able to handle DNS requests
 	for _, existing := range s.dnsMuxMap {
 		s.deregisterHandler([]string{existing.domain}, existing.priority)
-		existing.handler.stop()
+		existing.handler.Stop()
 	}
 	muxUpdateMap := make(registeredHandlerMap)
@@ -662,7 +659,7 @@ func (s *DefaultServer) updateMux(muxUpdates []handlerWrapper) {
 			containsRootUpdate = true
 		}
 		s.registerHandler([]string{update.domain}, update.handler, update.priority)
-		muxUpdateMap[update.handler.id()] = update
+		muxUpdateMap[update.handler.ID()] = update
 	}
 	// If there's no root update and we had a root handler, restore it
@@ -678,33 +675,6 @@ func (s *DefaultServer) updateMux(muxUpdates []handlerWrapper) {
 	s.dnsMuxMap = muxUpdateMap
 }
 func (s *DefaultServer) updateLocalResolver(update map[string][]nbdns.SimpleRecord) {
 	// remove old records that are no longer present
 	for key := range s.localResolver.registeredMap {
 		_, found := update[key]
 		if !found {
 			s.localResolver.deleteRecord(key)
 		}
 	}
 	updatedMap := make(registrationMap)
 	for _, recs := range update {
 		for _, rec := range recs {
 			// convert the record to a dns.RR and register
 			key, err := s.localResolver.registerRecord(rec)
 			if err != nil {
 				log.Warnf("got an error while registering the record (%s), error: %v",
 					rec.String(), err)
 				continue
 			}
 			updatedMap[key] = struct{}{}
 		}
 	}
 	s.localResolver.registeredMap = updatedMap
 }
 func getNSHostPort(ns nbdns.NameServer) string {
 	return fmt.Sprintf("%s:%d", ns.IP.String(), ns.Port)
 }
--- a/client/internal/dns/server_test.go
+++ b/client/internal/dns/server_test.go
@@ -23,6 +23,9 @@ import (
 	"github.com/netbirdio/netbird/client/iface/device"
 	pfmock "github.com/netbirdio/netbird/client/iface/mocks"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/dns/local"
 	"github.com/netbirdio/netbird/client/internal/dns/test"
 	"github.com/netbirdio/netbird/client/internal/dns/types"
 	"github.com/netbirdio/netbird/client/internal/netflow"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
@@ -107,6 +110,7 @@ func generateDummyHandler(domain string, servers []nbdns.NameServer) *upstreamRe
 }
 func TestUpdateDNSServer(t *testing.T) {
 	nameServers := []nbdns.NameServer{
 		{
 			IP:     netip.MustParseAddr("8.8.8.8"),
@@ -120,22 +124,21 @@ func TestUpdateDNSServer(t *testing.T) {
 		},
 	}
-	dummyHandler := &localResolver{}
+	dummyHandler := local.NewResolver()
 	testCases := []struct {
 		name                string
 		initUpstreamMap     registeredHandlerMap
-		initLocalMap        registrationMap
+		initLocalRecords    []nbdns.SimpleRecord
 		initSerial          uint64
 		inputSerial         uint64
 		inputUpdate         nbdns.Config
 		shouldFail          bool
 		expectedUpstreamMap registeredHandlerMap
-		expectedLocalMap    registrationMap
+		expectedLocalQs     []dns.Question
 	}{
 		{
 			name:            "Initial Config Should Succeed",
 			initLocalMap:    make(registrationMap),
 			initUpstreamMap: make(registeredHandlerMap),
 			initSerial:      0,
 			inputSerial:     1,
@@ -159,30 +162,30 @@ func TestUpdateDNSServer(t *testing.T) {
 				},
 			},
 			expectedUpstreamMap: registeredHandlerMap{
-				generateDummyHandler("netbird.io", nameServers).id(): handlerWrapper{
+				generateDummyHandler("netbird.io", nameServers).ID(): handlerWrapper{
 					domain:   "netbird.io",
 					handler:  dummyHandler,
 					priority: PriorityMatchDomain,
 				},
-				dummyHandler.id(): handlerWrapper{
+				dummyHandler.ID(): handlerWrapper{
 					domain:   "netbird.cloud",
 					handler:  dummyHandler,
 					priority: PriorityMatchDomain,
 				},
-				generateDummyHandler(".", nameServers).id(): handlerWrapper{
+				generateDummyHandler(".", nameServers).ID(): handlerWrapper{
 					domain:   nbdns.RootZone,
 					handler:  dummyHandler,
 					priority: PriorityDefault,
 				},
 			},
-			expectedLocalMap: registrationMap{buildRecordKey(zoneRecords[0].Name, 1, 1): struct{}{}},
+			expectedLocalQs: []dns.Question{{Name: "peera.netbird.cloud.", Qtype: dns.TypeA, Qclass: dns.ClassINET}},
 		},
 		{
 			name:             "New Config Should Succeed",
-			initLocalMap: registrationMap{"netbird.cloud": struct{}{}},
+			initLocalRecords: []nbdns.SimpleRecord{{Name: "netbird.cloud", Type: 1, Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}},
 			initUpstreamMap: registeredHandlerMap{
-				generateDummyHandler(zoneRecords[0].Name, nameServers).id(): handlerWrapper{
+				generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{
-					domain:   buildRecordKey(zoneRecords[0].Name, 1, 1),
+					domain:   "netbird.cloud",
 					handler:  dummyHandler,
 					priority: PriorityMatchDomain,
 				},
@@ -205,7 +208,7 @@ func TestUpdateDNSServer(t *testing.T) {
 				},
 			},
 			expectedUpstreamMap: registeredHandlerMap{
-				generateDummyHandler("netbird.io", nameServers).id(): handlerWrapper{
+				generateDummyHandler("netbird.io", nameServers).ID(): handlerWrapper{
 					domain:   "netbird.io",
 					handler:  dummyHandler,
 					priority: PriorityMatchDomain,
@@ -216,11 +219,11 @@ func TestUpdateDNSServer(t *testing.T) {
 					priority: PriorityMatchDomain,
 				},
 			},
-			expectedLocalMap: registrationMap{buildRecordKey(zoneRecords[0].Name, 1, 1): struct{}{}},
+			expectedLocalQs: []dns.Question{{Name: zoneRecords[0].Name, Qtype: 1, Qclass: 1}},
 		},
 		{
 			name:             "Smaller Config Serial Should Be Skipped",
-			initLocalMap:    make(registrationMap),
+			initLocalRecords: []nbdns.SimpleRecord{},
 			initUpstreamMap:  make(registeredHandlerMap),
 			initSerial:       2,
 			inputSerial:      1,
@@ -228,7 +231,7 @@ func TestUpdateDNSServer(t *testing.T) {
 		},
 		{
 			name:             "Empty NS Group Domain Or Not Primary Element Should Fail",
-			initLocalMap:    make(registrationMap),
+			initLocalRecords: []nbdns.SimpleRecord{},
 			initUpstreamMap:  make(registeredHandlerMap),
 			initSerial:       0,
 			inputSerial:      1,
@@ -250,7 +253,7 @@ func TestUpdateDNSServer(t *testing.T) {
 		},
 		{
 			name:             "Invalid NS Group Nameservers list Should Fail",
-			initLocalMap:    make(registrationMap),
+			initLocalRecords: []nbdns.SimpleRecord{},
 			initUpstreamMap:  make(registeredHandlerMap),
 			initSerial:       0,
 			inputSerial:      1,
@@ -272,7 +275,7 @@ func TestUpdateDNSServer(t *testing.T) {
 		},
 		{
 			name:             "Invalid Custom Zone Records list Should Skip",
-			initLocalMap:    make(registrationMap),
+			initLocalRecords: []nbdns.SimpleRecord{},
 			initUpstreamMap:  make(registeredHandlerMap),
 			initSerial:       0,
 			inputSerial:      1,
@@ -290,7 +293,7 @@ func TestUpdateDNSServer(t *testing.T) {
 					},
 				},
 			},
-			expectedUpstreamMap: registeredHandlerMap{generateDummyHandler(".", nameServers).id(): handlerWrapper{
+			expectedUpstreamMap: registeredHandlerMap{generateDummyHandler(".", nameServers).ID(): handlerWrapper{
 				domain:   ".",
 				handler:  dummyHandler,
 				priority: PriorityDefault,
@@ -298,9 +301,9 @@ func TestUpdateDNSServer(t *testing.T) {
 		},
 		{
 			name:             "Empty Config Should Succeed and Clean Maps",
-			initLocalMap: registrationMap{"netbird.cloud": struct{}{}},
+			initLocalRecords: []nbdns.SimpleRecord{{Name: "netbird.cloud", Type: int(dns.TypeA), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}},
 			initUpstreamMap: registeredHandlerMap{
-				generateDummyHandler(zoneRecords[0].Name, nameServers).id(): handlerWrapper{
+				generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{
 					domain:   zoneRecords[0].Name,
 					handler:  dummyHandler,
 					priority: PriorityMatchDomain,
@@ -310,13 +313,13 @@ func TestUpdateDNSServer(t *testing.T) {
 			inputSerial:         1,
 			inputUpdate:         nbdns.Config{ServiceEnable: true},
 			expectedUpstreamMap: make(registeredHandlerMap),
-			expectedLocalMap:    make(registrationMap),
+			expectedLocalQs:     []dns.Question{},
 		},
 		{
 			name:             "Disabled Service Should clean map",
-			initLocalMap: registrationMap{"netbird.cloud": struct{}{}},
+			initLocalRecords: []nbdns.SimpleRecord{{Name: "netbird.cloud", Type: int(dns.TypeA), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}},
 			initUpstreamMap: registeredHandlerMap{
-				generateDummyHandler(zoneRecords[0].Name, nameServers).id(): handlerWrapper{
+				generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{
 					domain:   zoneRecords[0].Name,
 					handler:  dummyHandler,
 					priority: PriorityMatchDomain,
@@ -326,7 +329,7 @@ func TestUpdateDNSServer(t *testing.T) {
 			inputSerial:         1,
 			inputUpdate:         nbdns.Config{ServiceEnable: false},
 			expectedUpstreamMap: make(registeredHandlerMap),
-			expectedLocalMap:    make(registrationMap),
+			expectedLocalQs:     []dns.Question{},
 		},
 	}
@@ -377,7 +380,7 @@ func TestUpdateDNSServer(t *testing.T) {
 			}()
 			dnsServer.dnsMuxMap = testCase.initUpstreamMap
-			dnsServer.localResolver.registeredMap = testCase.initLocalMap
+			dnsServer.localResolver.Update(testCase.initLocalRecords)
 			dnsServer.updateSerial = testCase.initSerial
 			err = dnsServer.UpdateDNSServer(testCase.inputSerial, testCase.inputUpdate)
@@ -399,15 +402,23 @@ func TestUpdateDNSServer(t *testing.T) {
 				}
 			}
-			if len(dnsServer.localResolver.registeredMap) != len(testCase.expectedLocalMap) {
+			var responseMSG *dns.Msg
-				t.Fatalf("update local failed, registered map size is different than expected, want %d, got %d", len(testCase.expectedLocalMap), len(dnsServer.localResolver.registeredMap))
+			responseWriter := &test.MockResponseWriter{
 				WriteMsgFunc: func(m *dns.Msg) error {
 					responseMSG = m
 					return nil
 				},
 			}
 			for _, q := range testCase.expectedLocalQs {
 				dnsServer.localResolver.ServeDNS(responseWriter, &dns.Msg{
 					Question: []dns.Question{q},
 				})
 			}
-			for key := range testCase.expectedLocalMap {
+			if len(testCase.expectedLocalQs) > 0 {
-				_, found := dnsServer.localResolver.registeredMap[key]
+				assert.NotNil(t, responseMSG, "response message should not be nil")
-				if !found {
+				assert.Equal(t, dns.RcodeSuccess, responseMSG.Rcode, "response code should be success")
-					t.Fatalf("update local failed, key %s was not found in the localResolver.registeredMap: %#v", key, dnsServer.localResolver.registeredMap)
+				assert.NotEmpty(t, responseMSG.Answer, "response message should have answers")
 				}
 			}
 		})
 	}
@@ -491,11 +502,12 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 	dnsServer.dnsMuxMap = registeredHandlerMap{
 		"id1": handlerWrapper{
 			domain:   zoneRecords[0].Name,
-			handler:  &localResolver{},
+			handler:  &local.Resolver{},
 			priority: PriorityMatchDomain,
 		},
 	}
-	dnsServer.localResolver.registeredMap = registrationMap{"netbird.cloud": struct{}{}}
+	//dnsServer.localResolver.RegisteredMap = local.RegistrationMap{local.BuildRecordKey("netbird.cloud", dns.ClassINET, dns.TypeA): struct{}{}}
 	dnsServer.localResolver.Update([]nbdns.SimpleRecord{{Name: "netbird.cloud", Type: int(dns.TypeA), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}})
 	dnsServer.updateSerial = 0
 	nameServers := []nbdns.NameServer{
@@ -582,7 +594,7 @@ func TestDNSServerStartStop(t *testing.T) {
 			}
 			time.Sleep(100 * time.Millisecond)
 			defer dnsServer.Stop()
-			_, err = dnsServer.localResolver.registerRecord(zoneRecords[0])
+			err = dnsServer.localResolver.RegisterRecord(zoneRecords[0])
 			if err != nil {
 				t.Error(err)
 			}
@@ -632,9 +644,7 @@ func TestDNSServerUpstreamDeactivateCallback(t *testing.T) {
 	server := DefaultServer{
 		ctx:           context.Background(),
 		service:       NewServiceViaMemory(&mocWGIface{}),
-		localResolver: &localResolver{
+		localResolver: local.NewResolver(),
 			registeredMap: make(registrationMap),
 		},
 		handlerChain:  NewHandlerChain(),
 		hostManager:   hostManager,
 		currentConfig: HostDNSConfig{
@@ -1004,7 +1014,7 @@ func TestHandlerChain_DomainPriorities(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			r := new(dns.Msg)
 			r.SetQuestion(tc.query, dns.TypeA)
-			w := &ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
+			w := &ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
 			if mh, ok := tc.expectedHandler.(*MockHandler); ok {
 				mh.On("ServeDNS", mock.Anything, r).Once()
@@ -1037,9 +1047,9 @@ type mockHandler struct {
 }
 func (m *mockHandler) ServeDNS(dns.ResponseWriter, *dns.Msg) {}
-func (m *mockHandler) stop()                                 {}
+func (m *mockHandler) Stop()                                 {}
-func (m *mockHandler) probeAvailability()                    {}
+func (m *mockHandler) ProbeAvailability()                    {}
-func (m *mockHandler) id() handlerID                         { return handlerID(m.Id) }
+func (m *mockHandler) ID() types.HandlerID                   { return types.HandlerID(m.Id) }
 type mockService struct{}
@@ -1113,7 +1123,7 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 		name             string
 		initialHandlers  registeredHandlerMap
 		updates          []handlerWrapper
-		expectedHandlers map[string]string // map[handlerID]domain
+		expectedHandlers map[string]string // map[HandlerID]domain
 		description      string
 	}{
 		{
@@ -1409,7 +1419,7 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 			// Check each expected handler
 			for id, expectedDomain := range tt.expectedHandlers {
-				handler, exists := server.dnsMuxMap[handlerID(id)]
+				handler, exists := server.dnsMuxMap[types.HandlerID(id)]
 				assert.True(t, exists, "Expected handler %s not found", id)
 				if exists {
 					assert.Equal(t, expectedDomain, handler.domain,
@@ -1418,9 +1428,9 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 			}
 			// Verify no unexpected handlers exist
-			for handlerID := range server.dnsMuxMap {
+			for HandlerID := range server.dnsMuxMap {
-				_, expected := tt.expectedHandlers[string(handlerID)]
+				_, expected := tt.expectedHandlers[string(HandlerID)]
-				assert.True(t, expected, "Unexpected handler found: %s", handlerID)
+				assert.True(t, expected, "Unexpected handler found: %s", HandlerID)
 			}
 			// Verify the handlerChain state and order
@@ -1696,7 +1706,7 @@ func TestExtraDomains(t *testing.T) {
 				handlerChain:   NewHandlerChain(),
 				wgInterface:    &mocWGIface{},
 				hostManager:    mockHostConfig,
-				localResolver:  &localResolver{},
+				localResolver:  &local.Resolver{},
 				service:        mockSvc,
 				statusRecorder: peer.NewRecorder("test"),
 				extraDomains:   make(map[domain.Domain]int),
@@ -1781,7 +1791,7 @@ func TestExtraDomainsRefCounting(t *testing.T) {
 		ctx:            context.Background(),
 		handlerChain:   NewHandlerChain(),
 		hostManager:    mockHostConfig,
-		localResolver:  &localResolver{},
+		localResolver:  &local.Resolver{},
 		service:        mockSvc,
 		statusRecorder: peer.NewRecorder("test"),
 		extraDomains:   make(map[domain.Domain]int),
@@ -1833,7 +1843,7 @@ func TestUpdateConfigWithExistingExtraDomains(t *testing.T) {
 		ctx:            context.Background(),
 		handlerChain:   NewHandlerChain(),
 		hostManager:    mockHostConfig,
-		localResolver:  &localResolver{},
+		localResolver:  &local.Resolver{},
 		service:        mockSvc,
 		statusRecorder: peer.NewRecorder("test"),
 		extraDomains:   make(map[domain.Domain]int),
@@ -1916,7 +1926,7 @@ func TestDomainCaseHandling(t *testing.T) {
 		ctx:            context.Background(),
 		handlerChain:   NewHandlerChain(),
 		hostManager:    mockHostConfig,
-		localResolver:  &localResolver{},
+		localResolver:  &local.Resolver{},
 		service:        mockSvc,
 		statusRecorder: peer.NewRecorder("test"),
 		extraDomains:   make(map[domain.Domain]int),
--- a/client/internal/dns/test/mock.go
+++ b/client/internal/dns/test/mock.go
@@ -0,0 +1,26 @@
 package test
 import (
 	"net"
 	"github.com/miekg/dns"
 )
 type MockResponseWriter struct {
 	WriteMsgFunc func(m *dns.Msg) error
 }
 func (rw *MockResponseWriter) WriteMsg(m *dns.Msg) error {
 	if rw.WriteMsgFunc != nil {
 		return rw.WriteMsgFunc(m)
 	}
 	return nil
 }
 func (rw *MockResponseWriter) LocalAddr() net.Addr       { return nil }
 func (rw *MockResponseWriter) RemoteAddr() net.Addr      { return nil }
 func (rw *MockResponseWriter) Write([]byte) (int, error) { return 0, nil }
 func (rw *MockResponseWriter) Close() error              { return nil }
 func (rw *MockResponseWriter) TsigStatus() error         { return nil }
 func (rw *MockResponseWriter) TsigTimersOnly(bool)       {}
 func (rw *MockResponseWriter) Hijack()                   {}
--- a/client/internal/dns/types/types.go
+++ b/client/internal/dns/types/types.go
@@ -0,0 +1,3 @@
 package types
 type HandlerID string
--- a/client/internal/dns/upstream.go
+++ b/client/internal/dns/upstream.go
@@ -18,6 +18,8 @@ import (
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal/dns/types"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/proto"
 )
@@ -80,21 +82,21 @@ func (u *upstreamResolverBase) String() string {
 }
 // ID returns the unique handler ID
-func (u *upstreamResolverBase) id() handlerID {
+func (u *upstreamResolverBase) ID() types.HandlerID {
 	servers := slices.Clone(u.upstreamServers)
 	slices.Sort(servers)
 	hash := sha256.New()
 	hash.Write([]byte(u.domain + ":"))
 	hash.Write([]byte(strings.Join(servers, ",")))
-	return handlerID("upstream-" + hex.EncodeToString(hash.Sum(nil)[:8]))
+	return types.HandlerID("upstream-" + hex.EncodeToString(hash.Sum(nil)[:8]))
 }
 func (u *upstreamResolverBase) MatchSubdomains() bool {
 	return true
 }
-func (u *upstreamResolverBase) stop() {
+func (u *upstreamResolverBase) Stop() {
 	log.Debugf("stopping serving DNS for upstreams %s", u.upstreamServers)
 	u.cancel()
 }
@@ -107,9 +109,7 @@ func (u *upstreamResolverBase) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	}()
 	log.Tracef("received upstream question: domain=%s type=%v class=%v", r.Question[0].Name, r.Question[0].Qtype, r.Question[0].Qclass)
 	// set the AuthenticatedData flag and the EDNS0 buffer size to 4096 bytes to support larger dns records
 	if r.Extra == nil {
 		r.SetEdns0(4096, false)
 		r.MsgHdr.AuthenticatedData = true
 	}
@@ -199,9 +199,9 @@ func (u *upstreamResolverBase) checkUpstreamFails(err error) {
 	)
 }
-// probeAvailability tests all upstream servers simultaneously and
+// ProbeAvailability tests all upstream servers simultaneously and
 // disables the resolver if none work
-func (u *upstreamResolverBase) probeAvailability() {
+func (u *upstreamResolverBase) ProbeAvailability() {
 	u.mutex.Lock()
 	defer u.mutex.Unlock()
@@ -337,3 +337,51 @@ func (u *upstreamResolverBase) testNameserver(server string, timeout time.Durati
 	_, _, err := u.upstreamClient.exchange(ctx, server, r)
 	return err
 }
 // ExchangeWithFallback exchanges a DNS message with the upstream server.
 // It first tries to use UDP, and if it is truncated, it falls back to TCP.
 // If the passed context is nil, this will use Exchange instead of ExchangeContext.
 func ExchangeWithFallback(ctx context.Context, client *dns.Client, r *dns.Msg, upstream string) (*dns.Msg, time.Duration, error) {
 	// MTU - ip + udp headers
 	// Note: this could be sent out on an interface that is not ours, but our MTU should always be lower.
 	client.UDPSize = iface.DefaultMTU - (60 + 8)
 	var (
 		rm  *dns.Msg
 		t   time.Duration
 		err error
 	)
 	if ctx == nil {
 		rm, t, err = client.Exchange(r, upstream)
 	} else {
 		rm, t, err = client.ExchangeContext(ctx, r, upstream)
 	}
 	if err != nil {
 		return nil, t, fmt.Errorf("with udp: %w", err)
 	}
 	if rm == nil || !rm.MsgHdr.Truncated {
 		return rm, t, nil
 	}
 	log.Tracef("udp response for domain=%s type=%v class=%v is truncated, trying TCP.",
 		r.Question[0].Name, r.Question[0].Qtype, r.Question[0].Qclass)
 	client.Net = "tcp"
 	if ctx == nil {
 		rm, t, err = client.Exchange(r, upstream)
 	} else {
 		rm, t, err = client.ExchangeContext(ctx, r, upstream)
 	}
 	if err != nil {
 		return nil, t, fmt.Errorf("with tcp: %w", err)
 	}
 	// TODO: once TCP is implemented, rm.Truncate() if the request came in over UDP
 	return rm, t, nil
 }
--- a/client/internal/dns/upstream_general.go
+++ b/client/internal/dns/upstream_general.go
@@ -34,6 +34,5 @@ func newUpstreamResolver(
 }
 func (u *upstreamResolver) exchange(ctx context.Context, upstream string, r *dns.Msg) (rm *dns.Msg, t time.Duration, err error) {
-	upstreamExchangeClient := &dns.Client{}
+	return ExchangeWithFallback(ctx, &dns.Client{}, r, upstream)
 	return upstreamExchangeClient.ExchangeContext(ctx, r, upstream)
 }
--- a/client/internal/dns/upstream_ios.go
+++ b/client/internal/dns/upstream_ios.go
@@ -68,7 +68,7 @@ func (u *upstreamResolverIOS) exchange(ctx context.Context, upstream string, r *
 	}
 	// Cannot use client.ExchangeContext because it overwrites our Dialer
-	return client.Exchange(r, upstream)
+	return ExchangeWithFallback(nil, client, r, upstream)
 }
 // GetClientPrivate returns a new DNS client bound to the local IP address of the Netbird interface
--- a/client/internal/dns/upstream_test.go
+++ b/client/internal/dns/upstream_test.go
@@ -8,6 +8,8 @@ import (
 	"time"
 	"github.com/miekg/dns"
 	"github.com/netbirdio/netbird/client/internal/dns/test"
 )
 func TestUpstreamResolver_ServeDNS(t *testing.T) {
@@ -66,7 +68,7 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 			}
 			var responseMSG *dns.Msg
-			responseWriter := &mockResponseWriter{
+			responseWriter := &test.MockResponseWriter{
 				WriteMsgFunc: func(m *dns.Msg) error {
 					responseMSG = m
 					return nil
@@ -130,7 +132,7 @@ func TestUpstreamResolver_DeactivationReactivation(t *testing.T) {
 	resolver.failsTillDeact = 0
 	resolver.reactivatePeriod = time.Microsecond * 100
-	responseWriter := &mockResponseWriter{
+	responseWriter := &test.MockResponseWriter{
 		WriteMsgFunc: func(m *dns.Msg) error { return nil },
 	}
--- a/client/internal/dnsfwd/forwarder.go
+++ b/client/internal/dnsfwd/forwarder.go
@@ -3,17 +3,24 @@ package dnsfwd
 import (
 	"context"
 	"errors"
 	"fmt"
 	"math"
 	"net"
 	"net/netip"
 	"strings"
 	"sync"
 	"time"
 	"github.com/hashicorp/go-multierror"
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/domain"
 	"github.com/netbirdio/netbird/route"
 )
 const errResolveFailed = "failed to resolve query for domain=%s: %v"
@@ -22,80 +29,116 @@ const upstreamTimeout = 15 * time.Second
 type DNSForwarder struct {
 	listenAddress  string
 	ttl            uint32
 	domains        []string
 	statusRecorder *peer.Status
 	dnsServer *dns.Server
 	mux       *dns.ServeMux
 	tcpServer *dns.Server
 	tcpMux    *dns.ServeMux
-	resId sync.Map
+	mutex      sync.RWMutex
 	fwdEntries []*ForwarderEntry
 	firewall   firewall.Manager
 }
-func NewDNSForwarder(listenAddress string, ttl uint32, statusRecorder *peer.Status) *DNSForwarder {
+func NewDNSForwarder(listenAddress string, ttl uint32, firewall firewall.Manager, statusRecorder *peer.Status) *DNSForwarder {
 	log.Debugf("creating DNS forwarder with listen_address=%s ttl=%d", listenAddress, ttl)
 	return &DNSForwarder{
 		listenAddress:  listenAddress,
 		ttl:            ttl,
 		firewall:       firewall,
 		statusRecorder: statusRecorder,
 	}
 }
-func (f *DNSForwarder) Listen(domains []string, resIds map[string]string) error {
+func (f *DNSForwarder) Listen(entries []*ForwarderEntry) error {
-	log.Infof("listen DNS forwarder on address=%s", f.listenAddress)
+	log.Infof("starting DNS forwarder on address=%s", f.listenAddress)
 	mux := dns.NewServeMux()
-	dnsServer := &dns.Server{
+	// UDP server
 	mux := dns.NewServeMux()
 	f.mux = mux
 	f.dnsServer = &dns.Server{
 		Addr:    f.listenAddress,
 		Net:     "udp",
 		Handler: mux,
 	}
-	f.dnsServer = dnsServer
+	// TCP server
-	f.mux = mux
+	tcpMux := dns.NewServeMux()
 	f.tcpMux = tcpMux
 	f.tcpServer = &dns.Server{
 		Addr:    f.listenAddress,
 		Net:     "tcp",
 		Handler: tcpMux,
 	}
-	f.UpdateDomains(domains, resIds)
+	f.UpdateDomains(entries)
-	return dnsServer.ListenAndServe()
+	errCh := make(chan error, 2)
 	go func() {
 		log.Infof("DNS UDP listener running on %s", f.listenAddress)
 		errCh <- f.dnsServer.ListenAndServe()
 	}()
 	go func() {
 		log.Infof("DNS TCP listener running on %s", f.listenAddress)
 		errCh <- f.tcpServer.ListenAndServe()
 	}()
 	// return the first error we get (e.g. bind failure or shutdown)
 	return <-errCh
 }
 func (f *DNSForwarder) UpdateDomains(entries []*ForwarderEntry) {
 	f.mutex.Lock()
 	defer f.mutex.Unlock()
-func (f *DNSForwarder) UpdateDomains(domains []string, resIds map[string]string) {
+	if f.mux == nil {
-	log.Debugf("Updating domains from %v to %v", f.domains, domains)
+		log.Debug("DNS mux is nil, skipping domain update")
-
+		f.fwdEntries = entries
-	for _, d := range f.domains {
+		return
 		f.mux.HandleRemove(d)
 		f.statusRecorder.RemoveResolvedIPLookupEntry(d)
 	}
 	f.resId.Clear()
-	newDomains := filterDomains(domains)
+	oldDomains := filterDomains(f.fwdEntries)
 	for _, d := range oldDomains {
 		f.mux.HandleRemove(d.PunycodeString())
 		f.tcpMux.HandleRemove(d.PunycodeString())
 	}
 	newDomains := filterDomains(entries)
 	for _, d := range newDomains {
-		f.mux.HandleFunc(d, f.handleDNSQuery)
+		f.mux.HandleFunc(d.PunycodeString(), f.handleDNSQueryUDP)
 		f.tcpMux.HandleFunc(d.PunycodeString(), f.handleDNSQueryTCP)
 	}
-	for domain, resId := range resIds {
+	f.fwdEntries = entries
-		if domain != "" {
+	log.Debugf("Updated domains from %v to %v", oldDomains, newDomains)
 			f.resId.Store(domain, resId)
 		}
 	}
 	f.domains = newDomains
 }
 func (f *DNSForwarder) Close(ctx context.Context) error {
-	if f.dnsServer == nil {
+	var result *multierror.Error
-		return nil
+
 	if f.dnsServer != nil {
 		if err := f.dnsServer.ShutdownContext(ctx); err != nil {
 			result = multierror.Append(result, fmt.Errorf("UDP shutdown: %w", err))
 		}
-	return f.dnsServer.ShutdownContext(ctx)
+	}
 	if f.tcpServer != nil {
 		if err := f.tcpServer.ShutdownContext(ctx); err != nil {
 			result = multierror.Append(result, fmt.Errorf("TCP shutdown: %w", err))
 		}
 	}
 	return nberrors.FormatErrorOrNil(result)
 }
-func (f *DNSForwarder) handleDNSQuery(w dns.ResponseWriter, query *dns.Msg) {
+func (f *DNSForwarder) handleDNSQuery(w dns.ResponseWriter, query *dns.Msg) *dns.Msg {
 	if len(query.Question) == 0 {
-		return
+		return nil
 	}
 	log.Tracef("received DNS request for DNS forwarder: domain=%v type=%v class=%v",
 		query.Question[0].Name, query.Question[0].Qtype, query.Question[0].Qclass)
 	question := query.Question[0]
-	domain := question.Name
+	log.Tracef("received DNS request for DNS forwarder: domain=%v type=%v class=%v",
 		question.Name, question.Qtype, question.Qclass)
 	domain := strings.ToLower(question.Name)
 	resp := query.SetReply(query)
 	var network string
@@ -111,41 +154,96 @@ func (f *DNSForwarder) handleDNSQuery(w dns.ResponseWriter, query *dns.Msg) {
 		if err := w.WriteMsg(resp); err != nil {
 			log.Errorf("failed to write DNS response: %v", err)
 		}
-		return
+		return nil
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), upstreamTimeout)
 	defer cancel()
 	ips, err := net.DefaultResolver.LookupNetIP(ctx, network, domain)
 	if err != nil {
-		f.handleDNSError(w, resp, domain, err)
+		f.handleDNSError(w, query, resp, domain, err)
 		return nil
 	}
 	f.updateInternalState(domain, ips)
 	f.addIPsToResponse(resp, domain, ips)
 	return resp
 }
 func (f *DNSForwarder) handleDNSQueryUDP(w dns.ResponseWriter, query *dns.Msg) {
 	resp := f.handleDNSQuery(w, query)
 	if resp == nil {
 		return
 	}
-	resId, ok := f.resId.Load(strings.TrimSuffix(domain, "."))
+	opt := query.IsEdns0()
-	if ok {
+	maxSize := dns.MinMsgSize
-		for _, ip := range ips {
+	if opt != nil {
-			var ipWithSuffix string
+		// client advertised a larger EDNS0 buffer
-			if ip.Is4() {
+		maxSize = int(opt.UDPSize())
 				ipWithSuffix = ip.String() + "/32"
 				log.Tracef("resolved domain=%s to IPv4=%s", domain, ipWithSuffix)
 			} else {
 				ipWithSuffix = ip.String() + "/128"
 				log.Tracef("resolved domain=%s to IPv6=%s", domain, ipWithSuffix)
 			}
 			f.statusRecorder.AddResolvedIPLookupEntry(ipWithSuffix, resId.(string))
 		}
 	}
-	f.addIPsToResponse(resp, domain, ips)
+	// if our response is too big, truncate and set the TC bit
 	if resp.Len() > maxSize {
 		resp.Truncate(maxSize)
 	}
 	if err := w.WriteMsg(resp); err != nil {
 		log.Errorf("failed to write DNS response: %v", err)
 	}
 }
 func (f *DNSForwarder) handleDNSQueryTCP(w dns.ResponseWriter, query *dns.Msg) {
 	resp := f.handleDNSQuery(w, query)
 	if resp == nil {
 		return
 	}
 	if err := w.WriteMsg(resp); err != nil {
 		log.Errorf("failed to write DNS response: %v", err)
 	}
 }
 func (f *DNSForwarder) updateInternalState(domain string, ips []netip.Addr) {
 	var prefixes []netip.Prefix
 	mostSpecificResId, matchingEntries := f.getMatchingEntries(strings.TrimSuffix(domain, "."))
 	if mostSpecificResId != "" {
 		for _, ip := range ips {
 			var prefix netip.Prefix
 			if ip.Is4() {
 				prefix = netip.PrefixFrom(ip, 32)
 			} else {
 				prefix = netip.PrefixFrom(ip, 128)
 			}
 			prefixes = append(prefixes, prefix)
 			f.statusRecorder.AddResolvedIPLookupEntry(prefix, mostSpecificResId)
 		}
 	}
 	if f.firewall != nil {
 		f.updateFirewall(matchingEntries, prefixes)
 	}
 }
 func (f *DNSForwarder) updateFirewall(matchingEntries []*ForwarderEntry, prefixes []netip.Prefix) {
 	var merr *multierror.Error
 	for _, entry := range matchingEntries {
 		if err := f.firewall.UpdateSet(entry.Set, prefixes); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("update set for domain=%s: %w", entry.Domain, err))
 		}
 	}
 	if merr != nil {
 		log.Errorf("failed to update firewall sets (%d/%d): %v",
 			len(merr.Errors),
 			len(matchingEntries),
 			nberrors.FormatErrorOrNil(merr))
 	}
 }
 // handleDNSError processes DNS lookup errors and sends an appropriate error response
-func (f *DNSForwarder) handleDNSError(w dns.ResponseWriter, resp *dns.Msg, domain string, err error) {
+func (f *DNSForwarder) handleDNSError(w dns.ResponseWriter, query, resp *dns.Msg, domain string, err error) {
 	var dnsErr *net.DNSError
 	switch {
@@ -157,7 +255,7 @@ func (f *DNSForwarder) handleDNSError(w dns.ResponseWriter, resp *dns.Msg, domai
 		}
 		if dnsErr.Server != "" {
-			log.Warnf("failed to resolve query for domain=%s server=%s: %v", domain, dnsErr.Server, err)
+			log.Warnf("failed to resolve query for type=%s domain=%s server=%s: %v", dns.TypeToString[query.Question[0].Qtype], domain, dnsErr.Server, err)
 		} else {
 			log.Warnf(errResolveFailed, domain, err)
 		}
@@ -204,15 +302,53 @@ func (f *DNSForwarder) addIPsToResponse(resp *dns.Msg, domain string, ips []neti
 	}
 }
 // getMatchingEntries retrieves the resource IDs for a given domain.
 // It returns the most specific match and all matching resource IDs.
 func (f *DNSForwarder) getMatchingEntries(domain string) (route.ResID, []*ForwarderEntry) {
 	var selectedResId route.ResID
 	var bestScore int
 	var matches []*ForwarderEntry
 	f.mutex.RLock()
 	defer f.mutex.RUnlock()
 	for _, entry := range f.fwdEntries {
 		var score int
 		pattern := entry.Domain.PunycodeString()
 		switch {
 		case strings.HasPrefix(pattern, "*."):
 			baseDomain := strings.TrimPrefix(pattern, "*.")
 			if strings.EqualFold(domain, baseDomain) || strings.HasSuffix(domain, "."+baseDomain) {
 				score = len(baseDomain)
 				matches = append(matches, entry)
 			}
 		case domain == pattern:
 			score = math.MaxInt
 			matches = append(matches, entry)
 		default:
 			continue
 		}
 		if score > bestScore {
 			bestScore = score
 			selectedResId = entry.ResID
 		}
 	}
 	return selectedResId, matches
 }
 // filterDomains returns a list of normalized domains
-func filterDomains(domains []string) []string {
+func filterDomains(entries []*ForwarderEntry) domain.List {
-	newDomains := make([]string, 0, len(domains))
+	newDomains := make(domain.List, 0, len(entries))
-	for _, d := range domains {
+	for _, d := range entries {
-		if d == "" {
+		if d.Domain == "" {
 			log.Warn("empty domain in DNS forwarder")
 			continue
 		}
-		newDomains = append(newDomains, nbdns.NormalizeZone(d))
+		newDomains = append(newDomains, domain.Domain(nbdns.NormalizeZone(d.Domain.PunycodeString())))
 	}
 	return newDomains
 }
--- a/client/internal/dnsfwd/forwarder_test.go
+++ b/client/internal/dnsfwd/forwarder_test.go
@@ -0,0 +1,103 @@
 package dnsfwd
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/netbirdio/netbird/management/domain"
 	"github.com/netbirdio/netbird/route"
 )
 func Test_getMatchingEntries(t *testing.T) {
 	testCases := []struct {
 		name           string
 		storedMappings map[string]route.ResID // key: domain pattern, value: resId
 		queryDomain    string
 		expectedResId  route.ResID
 	}{
 		{
 			name:           "Empty map returns empty string",
 			storedMappings: map[string]route.ResID{},
 			queryDomain:    "example.com",
 			expectedResId:  "",
 		},
 		{
 			name:           "Exact match returns stored resId",
 			storedMappings: map[string]route.ResID{"example.com": "res1"},
 			queryDomain:    "example.com",
 			expectedResId:  "res1",
 		},
 		{
 			name:           "Wildcard pattern matches base domain",
 			storedMappings: map[string]route.ResID{"*.example.com": "res2"},
 			queryDomain:    "example.com",
 			expectedResId:  "res2",
 		},
 		{
 			name:           "Wildcard pattern matches subdomain",
 			storedMappings: map[string]route.ResID{"*.example.com": "res3"},
 			queryDomain:    "foo.example.com",
 			expectedResId:  "res3",
 		},
 		{
 			name:           "Wildcard pattern does not match different domain",
 			storedMappings: map[string]route.ResID{"*.example.com": "res4"},
 			queryDomain:    "foo.notexample.com",
 			expectedResId:  "",
 		},
 		{
 			name:           "Non-wildcard pattern does not match subdomain",
 			storedMappings: map[string]route.ResID{"example.com": "res5"},
 			queryDomain:    "foo.example.com",
 			expectedResId:  "",
 		},
 		{
 			name: "Exact match over overlapping wildcard",
 			storedMappings: map[string]route.ResID{
 				"*.example.com":   "resWildcard",
 				"foo.example.com": "resExact",
 			},
 			queryDomain:   "foo.example.com",
 			expectedResId: "resExact",
 		},
 		{
 			name: "Overlapping wildcards: Select more specific wildcard",
 			storedMappings: map[string]route.ResID{
 				"*.example.com":     "resA",
 				"*.sub.example.com": "resB",
 			},
 			queryDomain:   "bar.sub.example.com",
 			expectedResId: "resB",
 		},
 		{
 			name: "Wildcard multi-level subdomain match",
 			storedMappings: map[string]route.ResID{
 				"*.example.com": "resMulti",
 			},
 			queryDomain:   "a.b.example.com",
 			expectedResId: "resMulti",
 		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			fwd := &DNSForwarder{}
 			var entries []*ForwarderEntry
 			for domainPattern, resId := range tc.storedMappings {
 				d, err := domain.FromString(domainPattern)
 				require.NoError(t, err)
 				entries = append(entries, &ForwarderEntry{
 					Domain: d,
 					ResID:  resId,
 				})
 			}
 			fwd.UpdateDomains(entries)
 			got, _ := fwd.getMatchingEntries(tc.queryDomain)
 			assert.Equal(t, got, tc.expectedResId)
 		})
 	}
 }
--- a/client/internal/dnsfwd/manager.go
+++ b/client/internal/dnsfwd/manager.go
@@ -11,6 +11,8 @@ import (
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/management/domain"
 	"github.com/netbirdio/netbird/route"
 )
 const (
@@ -19,11 +21,19 @@ const (
 	dnsTTL     = 60 //seconds
 )
 // ForwarderEntry is a mapping from a domain to a resource ID and a hash of the parent domain list.
 type ForwarderEntry struct {
 	Domain domain.Domain
 	ResID  route.ResID
 	Set    firewall.Set
 }
 type Manager struct {
 	firewall       firewall.Manager
 	statusRecorder *peer.Status
 	fwRules      []firewall.Rule
 	tcpRules     []firewall.Rule
 	dnsForwarder *DNSForwarder
 }
@@ -34,7 +44,7 @@ func NewManager(fw firewall.Manager, statusRecorder *peer.Status) *Manager {
 	}
 }
-func (m *Manager) Start(domains []string, resIds map[string]string) error {
+func (m *Manager) Start(fwdEntries []*ForwarderEntry) error {
 	log.Infof("starting DNS forwarder")
 	if m.dnsForwarder != nil {
 		return nil
@@ -44,9 +54,9 @@ func (m *Manager) Start(domains []string, resIds map[string]string) error {
 		return err
 	}
-	m.dnsForwarder = NewDNSForwarder(fmt.Sprintf(":%d", ListenPort), dnsTTL, m.statusRecorder)
+	m.dnsForwarder = NewDNSForwarder(fmt.Sprintf(":%d", ListenPort), dnsTTL, m.firewall, m.statusRecorder)
 	go func() {
-		if err := m.dnsForwarder.Listen(domains, resIds); err != nil {
+		if err := m.dnsForwarder.Listen(fwdEntries); err != nil {
 			// todo handle close error if it is exists
 			log.Errorf("failed to start DNS forwarder, err: %v", err)
 		}
@@ -55,12 +65,12 @@ func (m *Manager) Start(domains []string, resIds map[string]string) error {
 	return nil
 }
-func (m *Manager) UpdateDomains(domains []string, resIds map[string]string) {
+func (m *Manager) UpdateDomains(entries []*ForwarderEntry) {
 	if m.dnsForwarder == nil {
 		return
 	}
-	m.dnsForwarder.UpdateDomains(domains, resIds)
+	m.dnsForwarder.UpdateDomains(entries)
 }
 func (m *Manager) Stop(ctx context.Context) error {
@@ -81,34 +91,47 @@ func (m *Manager) Stop(ctx context.Context) error {
 	return nberrors.FormatErrorOrNil(mErr)
 }
-func (h *Manager) allowDNSFirewall() error {
+func (m *Manager) allowDNSFirewall() error {
 	dport := &firewall.Port{
 		IsRange: false,
 		Values:  []uint16{ListenPort},
 	}
-	if h.firewall == nil {
+	if m.firewall == nil {
 		return nil
 	}
-	dnsRules, err := h.firewall.AddPeerFiltering(nil, net.IP{0, 0, 0, 0}, firewall.ProtocolUDP, nil, dport, firewall.ActionAccept, "")
+	dnsRules, err := m.firewall.AddPeerFiltering(nil, net.IP{0, 0, 0, 0}, firewall.ProtocolUDP, nil, dport, firewall.ActionAccept, "")
 	if err != nil {
 		log.Errorf("failed to add allow DNS router rules, err: %v", err)
 		return err
 	}
-	h.fwRules = dnsRules
+	m.fwRules = dnsRules
 	tcpRules, err := m.firewall.AddPeerFiltering(nil, net.IP{0, 0, 0, 0}, firewall.ProtocolTCP, nil, dport, firewall.ActionAccept, "")
 	if err != nil {
 		log.Errorf("failed to add allow DNS router rules, err: %v", err)
 		return err
 	}
 	m.tcpRules = tcpRules
 	return nil
 }
-func (h *Manager) dropDNSFirewall() error {
+func (m *Manager) dropDNSFirewall() error {
 	var mErr *multierror.Error
-	for _, rule := range h.fwRules {
+	for _, rule := range m.fwRules {
-		if err := h.firewall.DeletePeerRule(rule); err != nil {
+		if err := m.firewall.DeletePeerRule(rule); err != nil {
 			mErr = multierror.Append(mErr, fmt.Errorf("failed to delete DNS router rules, err: %v", err))
 		}
 	}
 	for _, rule := range m.tcpRules {
 		if err := m.firewall.DeletePeerRule(rule); err != nil {
 			mErr = multierror.Append(mErr, fmt.Errorf("failed to delete DNS router rules, err: %v", err))
 		}
 	}
-	h.fwRules = nil
+	m.fwRules = nil
 	m.tcpRules = nil
 	return nberrors.FormatErrorOrNil(mErr)
 }
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -527,7 +527,7 @@ func (e *Engine) blockLanAccess() {
 		if _, err := e.firewall.AddRouteFiltering(
 			nil,
 			[]netip.Prefix{v4},
-			network,
+			firewallManager.Network{Prefix: network},
 			firewallManager.ProtocolALL,
 			nil,
 			nil,
@@ -960,21 +960,21 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		}
 	}
 	// DNS forwarder
 	dnsRouteFeatureFlag := toDNSFeatureFlag(networkMap)
 	dnsRouteDomains, resourceIds := toRouteDomains(e.config.WgPrivateKey.PublicKey().String(), networkMap.GetRoutes())
 	e.updateDNSForwarder(dnsRouteFeatureFlag, dnsRouteDomains, resourceIds)
 	// apply routes first, route related actions might depend on routing being enabled
 	routes := toRoutes(networkMap.GetRoutes())
 	if err := e.routeManager.UpdateRoutes(serial, routes, dnsRouteFeatureFlag); err != nil {
 		log.Errorf("failed to update clientRoutes, err: %v", err)
 	}
 	// acls might need routing to be enabled, so we apply after routes
 	if e.acl != nil {
-		e.acl.ApplyFiltering(networkMap)
+		e.acl.ApplyFiltering(networkMap, dnsRouteFeatureFlag)
 	}
 	fwdEntries := toRouteDomains(e.config.WgPrivateKey.PublicKey().String(), routes)
 	e.updateDNSForwarder(dnsRouteFeatureFlag, fwdEntries)
 	// Ingress forward rules
 	if err := e.updateForwardRules(networkMap.GetForwardingRules()); err != nil {
 		log.Errorf("failed to update forward rules, err: %v", err)
@@ -1079,29 +1079,24 @@ func toRoutes(protoRoutes []*mgmProto.Route) []*route.Route {
 	return routes
 }
-func toRouteDomains(myPubKey string, protoRoutes []*mgmProto.Route) ([]string, map[string]string) {
+func toRouteDomains(myPubKey string, routes []*route.Route) []*dnsfwd.ForwarderEntry {
-	if protoRoutes == nil {
+	var entries []*dnsfwd.ForwarderEntry
-		protoRoutes = []*mgmProto.Route{}
+	for _, route := range routes {
-	}
+		if len(route.Domains) == 0 {
 	var dnsRoutes []string
 	resIds := make(map[string]string)
 	for _, protoRoute := range protoRoutes {
 		if len(protoRoute.Domains) == 0 {
 			continue
 		}
-		if protoRoute.Peer == myPubKey {
+		if route.Peer == myPubKey {
-			dnsRoutes = append(dnsRoutes, protoRoute.Domains...)
+			domainSet := firewallManager.NewDomainSet(route.Domains)
-			// resource ID is the first part of the ID
+			for _, d := range route.Domains {
-			resId := strings.Split(protoRoute.ID, ":")
+				entries = append(entries, &dnsfwd.ForwarderEntry{
-			for _, domain := range protoRoute.Domains {
+					Domain: d,
-				if len(resId) > 0 {
+					Set:    domainSet,
-					resIds[domain] = resId[0]
+					ResID:  route.GetResourceID(),
 				})
 			}
 		}
 	}
-	}
+	return entries
 	return dnsRoutes, resIds
 }
 func toDNSConfig(protoDNSConfig *mgmProto.DNSConfig, network *net.IPNet) nbdns.Config {
@@ -1231,26 +1226,6 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs []netip.Prefix) (*peer
 		PreSharedKey: e.config.PreSharedKey,
 	}
 	if e.config.RosenpassEnabled && !e.config.RosenpassPermissive {
 		lk := []byte(e.config.WgPrivateKey.PublicKey().String())
 		rk := []byte(wgConfig.RemoteKey)
 		var keyInput []byte
 		if string(lk) > string(rk) {
 			//nolint:gocritic
 			keyInput = append(lk[:16], rk[:16]...)
 		} else {
 			//nolint:gocritic
 			keyInput = append(rk[:16], lk[:16]...)
 		}
 		key, err := wgtypes.NewKey(keyInput)
 		if err != nil {
 			return nil, err
 		}
 		wgConfig.PreSharedKey = &key
 	}
 	// randomize connection timeout
 	timeout := time.Duration(rand.Intn(PeerConnectionTimeoutMax-PeerConnectionTimeoutMin)+PeerConnectionTimeoutMin) * time.Millisecond
 	config := peer.ConnConfig{
@@ -1259,8 +1234,11 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs []netip.Prefix) (*peer
 		Timeout:     timeout,
 		WgConfig:    wgConfig,
 		LocalWgPort: e.config.WgPort,
-		RosenpassPubKey: e.getRosenpassPubKey(),
+		RosenpassConfig: peer.RosenpassConfig{
-		RosenpassAddr:   e.getRosenpassAddr(),
+			PubKey:         e.getRosenpassPubKey(),
 			Addr:           e.getRosenpassAddr(),
 			PermissiveMode: e.config.RosenpassPermissive,
 		},
 		ICEConfig: icemaker.Config{
 			StunTurn:             &e.stunTurn,
 			InterfaceBlackList:   e.config.IFaceBlackList,
@@ -1768,7 +1746,10 @@ func (e *Engine) GetWgAddr() net.IP {
 }
 // updateDNSForwarder start or stop the DNS forwarder based on the domains and the feature flag
-func (e *Engine) updateDNSForwarder(enabled bool, domains []string, resIds map[string]string) {
+func (e *Engine) updateDNSForwarder(
 	enabled bool,
 	fwdEntries []*dnsfwd.ForwarderEntry,
 ) {
 	if !enabled {
 		if e.dnsForwardMgr == nil {
 			return
@@ -1779,18 +1760,18 @@ func (e *Engine) updateDNSForwarder(enabled bool, domains []string, resIds map[s
 		return
 	}
-	if len(domains) > 0 {
+	if len(fwdEntries) > 0 {
 		log.Infof("enable domain router service for domains: %v", domains)
 		if e.dnsForwardMgr == nil {
 			e.dnsForwardMgr = dnsfwd.NewManager(e.firewall, e.statusRecorder)
-			if err := e.dnsForwardMgr.Start(domains, resIds); err != nil {
+			if err := e.dnsForwardMgr.Start(fwdEntries); err != nil {
 				log.Errorf("failed to start DNS forward: %v", err)
 				e.dnsForwardMgr = nil
 			}
 			log.Infof("started domain router service with %d entries", len(fwdEntries))
 		} else {
-			log.Infof("update domain router service for domains: %v", domains)
+			e.dnsForwardMgr.UpdateDomains(fwdEntries)
 			e.dnsForwardMgr.UpdateDomains(domains, resIds)
 		}
 	} else if e.dnsForwardMgr != nil {
 		log.Infof("disable domain router service")
--- a/client/internal/engine_test.go
+++ b/client/internal/engine_test.go
@@ -1439,8 +1439,6 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
 	require.NoError(t, err)
 	permissionsManagerMock := permissions.NewManagerMock()
 	ctrl := gomock.NewController(t)
 	t.Cleanup(ctrl.Finish)
 	settingsMockManager := settings.NewMockManager(ctrl)
@@ -1449,7 +1447,9 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 		Return(&types.Settings{}, nil).
 		AnyTimes()
-	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock)
+	permissionsManager := permissions.NewManager(store)
 	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager)
 	if err != nil {
 		return nil, "", err
 	}
--- a/client/internal/networkmonitor/check_change_bsd.go
+++ b/client/internal/networkmonitor/check_change_bsd.go
@@ -19,7 +19,7 @@ import (
 func checkChange(ctx context.Context, nexthopv4, nexthopv6 systemops.Nexthop) error {
 	fd, err := unix.Socket(syscall.AF_ROUTE, syscall.SOCK_RAW, syscall.AF_UNSPEC)
 	if err != nil {
-		return fmt.Errorf("failed to open routing socket: %v", err)
+		return fmt.Errorf("open routing socket: %v", err)
 	}
 	defer func() {
 		err := unix.Close(fd)
--- a/client/internal/networkmonitor/check_change_windows.go
+++ b/client/internal/networkmonitor/check_change_windows.go
@@ -13,7 +13,7 @@ import (
 func checkChange(ctx context.Context, nexthopv4, nexthopv6 systemops.Nexthop) error {
 	routeMonitor, err := systemops.NewRouteMonitor(ctx)
 	if err != nil {
-		return fmt.Errorf("failed to create route monitor: %w", err)
+		return fmt.Errorf("create route monitor: %w", err)
 	}
 	defer func() {
 		if err := routeMonitor.Stop(); err != nil {
@@ -38,35 +38,49 @@ func checkChange(ctx context.Context, nexthopv4, nexthopv6 systemops.Nexthop) er
 }
 func routeChanged(route systemops.RouteUpdate, nexthopv4, nexthopv6 systemops.Nexthop) bool {
-	intf := "<nil>"
+	if intf := route.NextHop.Intf; intf != nil && isSoftInterface(intf.Name) {
-	if route.Interface != nil {
+		log.Debugf("Network monitor: ignoring default route change for next hop with soft interface %s", route.NextHop)
 		intf = route.Interface.Name
 		if isSoftInterface(intf) {
 			log.Debugf("Network monitor: ignoring default route change for soft interface %s", intf)
 		return false
 	}
 	// TODO: for the empty nexthop ip (on-link), determine the family differently
 	nexthop := nexthopv4
 	if route.NextHop.IP.Is6() {
 		nexthop = nexthopv6
 	}
 	switch route.Type {
-	case systemops.RouteModified:
+	case systemops.RouteModified, systemops.RouteAdded:
-		// TODO: get routing table to figure out if our route is affected for modified routes
+		return handleRouteAddedOrModified(route, nexthop)
 		log.Infof("Network monitor: default route changed: via %s, interface %s", route.NextHop, intf)
 		return true
 	case systemops.RouteAdded:
 		if route.NextHop.Is4() && route.NextHop != nexthopv4.IP || route.NextHop.Is6() && route.NextHop != nexthopv6.IP {
 			log.Infof("Network monitor: default route added: via %s, interface %s", route.NextHop, intf)
 			return true
 		}
 	case systemops.RouteDeleted:
-		if nexthopv4.Intf != nil && route.NextHop == nexthopv4.IP || nexthopv6.Intf != nil && route.NextHop == nexthopv6.IP {
+		return handleRouteDeleted(route, nexthop)
 			log.Infof("Network monitor: default route removed: via %s, interface %s", route.NextHop, intf)
 			return true
 		}
 	}
 	return false
 }
 func handleRouteAddedOrModified(route systemops.RouteUpdate, nexthop systemops.Nexthop) bool {
 	// For added/modified routes, we care about different next hops
 	if !nexthop.Equal(route.NextHop) {
 		action := "changed"
 		if route.Type == systemops.RouteAdded {
 			action = "added"
 		}
 		log.Infof("Network monitor: default route %s: via %s", action, route.NextHop)
 		return true
 	}
 	return false
 }
 func handleRouteDeleted(route systemops.RouteUpdate, nexthop systemops.Nexthop) bool {
 	// For deleted routes, we care about our tracked next hop being deleted
 	if nexthop.Equal(route.NextHop) {
 		log.Infof("Network monitor: default route removed: via %s", route.NextHop)
 		return true
 	}
 	return false
 }
 func isSoftInterface(name string) bool {
 	return strings.Contains(strings.ToLower(name), "isatap") || strings.Contains(strings.ToLower(name), "teredo")
 }
--- a/client/internal/networkmonitor/check_change_windows_test.go
+++ b/client/internal/networkmonitor/check_change_windows_test.go
@@ -0,0 +1,404 @@
 package networkmonitor
 import (
 	"net"
 	"net/netip"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 )
 func TestRouteChanged(t *testing.T) {
 	tests := []struct {
 		name      string
 		route     systemops.RouteUpdate
 		nexthopv4 systemops.Nexthop
 		nexthopv6 systemops.Nexthop
 		expected  bool
 	}{
 		{
 			name: "soft interface should be ignored",
 			route: systemops.RouteUpdate{
 				Type:        systemops.RouteModified,
 				Destination: netip.PrefixFrom(netip.IPv4Unspecified(), 0),
 				NextHop: systemops.Nexthop{
 					IP: netip.MustParseAddr("192.168.1.1"),
 					Intf: &net.Interface{
 						Name: "ISATAP-Interface", // isSoftInterface checks name
 					},
 				},
 			},
 			nexthopv4: systemops.Nexthop{
 				IP: netip.MustParseAddr("192.168.1.2"),
 			},
 			nexthopv6: systemops.Nexthop{
 				IP: netip.MustParseAddr("2001:db8::1"),
 			},
 			expected: false,
 		},
 		{
 			name: "modified route with different v4 nexthop IP should return true",
 			route: systemops.RouteUpdate{
 				Type:        systemops.RouteModified,
 				Destination: netip.PrefixFrom(netip.IPv4Unspecified(), 0),
 				NextHop: systemops.Nexthop{
 					IP: netip.MustParseAddr("192.168.1.1"),
 					Intf: &net.Interface{
 						Index: 1, Name: "eth0",
 					},
 				},
 			},
 			nexthopv4: systemops.Nexthop{
 				IP: netip.MustParseAddr("192.168.1.2"),
 				Intf: &net.Interface{
 					Index: 1, Name: "eth0",
 				},
 			},
 			nexthopv6: systemops.Nexthop{
 				IP: netip.MustParseAddr("2001:db8::1"),
 			},
 			expected: true,
 		},
 		{
 			name: "modified route with same v4 nexthop (IP and Intf Index) should return false",
 			route: systemops.RouteUpdate{
 				Type:        systemops.RouteModified,
 				Destination: netip.PrefixFrom(netip.IPv4Unspecified(), 0),
 				NextHop: systemops.Nexthop{
 					IP: netip.MustParseAddr("192.168.1.1"),
 					Intf: &net.Interface{
 						Index: 1, Name: "eth0",
 					},
 				},
 			},
 			nexthopv4: systemops.Nexthop{
 				IP: netip.MustParseAddr("192.168.1.1"),
 				Intf: &net.Interface{
 					Index: 1, Name: "eth0",
 				},
 			},
 			nexthopv6: systemops.Nexthop{
 				IP: netip.MustParseAddr("2001:db8::1"),
 			},
 			expected: false,
 		},
 		{
 			name: "added route with different v6 nexthop IP should return true",
 			route: systemops.RouteUpdate{
 				Type:        systemops.RouteAdded,
 				Destination: netip.PrefixFrom(netip.IPv6Unspecified(), 0),
 				NextHop: systemops.Nexthop{
 					IP: netip.MustParseAddr("2001:db8::2"),
 					Intf: &net.Interface{
 						Index: 1, Name: "eth0",
 					},
 				},
 			},
 			nexthopv4: systemops.Nexthop{
 				IP: netip.MustParseAddr("192.168.1.1"),
 			},
 			nexthopv6: systemops.Nexthop{
 				IP: netip.MustParseAddr("2001:db8::1"),
 				Intf: &net.Interface{
 					Index: 1, Name: "eth0",
 				},
 			},
 			expected: true,
 		},
 		{
 			name: "added route with same v6 nexthop (IP and Intf Index) should return false",
 			route: systemops.RouteUpdate{
 				Type:        systemops.RouteAdded,
 				Destination: netip.PrefixFrom(netip.IPv6Unspecified(), 0),
 				NextHop: systemops.Nexthop{
 					IP: netip.MustParseAddr("2001:db8::1"),
 					Intf: &net.Interface{
 						Index: 1, Name: "eth0",
 					},
 				},
 			},
 			nexthopv4: systemops.Nexthop{
 				IP: netip.MustParseAddr("192.168.1.1"),
 			},
 			nexthopv6: systemops.Nexthop{
 				IP: netip.MustParseAddr("2001:db8::1"),
 				Intf: &net.Interface{
 					Index: 1, Name: "eth0",
 				},
 			},
 			expected: false,
 		},
 		{
 			name: "deleted route matching tracked v4 nexthop (IP and Intf Index) should return true",
 			route: systemops.RouteUpdate{
 				Type:        systemops.RouteDeleted,
 				Destination: netip.PrefixFrom(netip.IPv4Unspecified(), 0),
 				NextHop: systemops.Nexthop{
 					IP: netip.MustParseAddr("192.168.1.1"),
 					Intf: &net.Interface{
 						Index: 1, Name: "eth0",
 					},
 				},
 			},
 			nexthopv4: systemops.Nexthop{
 				IP: netip.MustParseAddr("192.168.1.1"),
 				Intf: &net.Interface{
 					Index: 1, Name: "eth0",
 				},
 			},
 			nexthopv6: systemops.Nexthop{
 				IP: netip.MustParseAddr("2001:db8::1"),
 			},
 			expected: true,
 		},
 		{
 			name: "deleted route not matching tracked v4 nexthop (different IP) should return false",
 			route: systemops.RouteUpdate{
 				Type:        systemops.RouteDeleted,
 				Destination: netip.PrefixFrom(netip.IPv4Unspecified(), 0),
 				NextHop: systemops.Nexthop{
 					IP: netip.MustParseAddr("192.168.1.3"), // Different IP
 					Intf: &net.Interface{
 						Index: 1, Name: "eth0",
 					},
 				},
 			},
 			nexthopv4: systemops.Nexthop{
 				IP: netip.MustParseAddr("192.168.1.1"),
 				Intf: &net.Interface{
 					Index: 1, Name: "eth0",
 				},
 			},
 			nexthopv6: systemops.Nexthop{
 				IP: netip.MustParseAddr("2001:db8::1"),
 			},
 			expected: false,
 		},
 		{
 			name: "modified v4 route with same IP, different Intf Index should return true",
 			route: systemops.RouteUpdate{
 				Type:        systemops.RouteModified,
 				Destination: netip.PrefixFrom(netip.IPv4Unspecified(), 0),
 				NextHop: systemops.Nexthop{
 					IP:   netip.MustParseAddr("192.168.1.1"),
 					Intf: &net.Interface{Index: 2, Name: "eth1"}, // Different Intf Index
 				},
 			},
 			nexthopv4: systemops.Nexthop{
 				IP:   netip.MustParseAddr("192.168.1.1"),
 				Intf: &net.Interface{Index: 1, Name: "eth0"},
 			},
 			expected: true,
 		},
 		{
 			name: "modified v4 route with same IP, one Intf nil, other non-nil should return true",
 			route: systemops.RouteUpdate{
 				Type:        systemops.RouteModified,
 				Destination: netip.PrefixFrom(netip.IPv4Unspecified(), 0),
 				NextHop: systemops.Nexthop{
 					IP:   netip.MustParseAddr("192.168.1.1"),
 					Intf: nil, // Intf is nil
 				},
 			},
 			nexthopv4: systemops.Nexthop{
 				IP:   netip.MustParseAddr("192.168.1.1"),
 				Intf: &net.Interface{Index: 1, Name: "eth0"}, // Tracked Intf is not nil
 			},
 			expected: true,
 		},
 		{
 			name: "added v4 route with same IP, different Intf Index should return true",
 			route: systemops.RouteUpdate{
 				Type:        systemops.RouteAdded,
 				Destination: netip.PrefixFrom(netip.IPv4Unspecified(), 0),
 				NextHop: systemops.Nexthop{
 					IP:   netip.MustParseAddr("192.168.1.1"),
 					Intf: &net.Interface{Index: 2, Name: "eth1"}, // Different Intf Index
 				},
 			},
 			nexthopv4: systemops.Nexthop{
 				IP:   netip.MustParseAddr("192.168.1.1"),
 				Intf: &net.Interface{Index: 1, Name: "eth0"},
 			},
 			expected: true,
 		},
 		{
 			name: "deleted v4 route with same IP, different Intf Index should return false",
 			route: systemops.RouteUpdate{
 				Type:        systemops.RouteDeleted,
 				Destination: netip.PrefixFrom(netip.IPv4Unspecified(), 0),
 				NextHop: systemops.Nexthop{ // This is the route being deleted
 					IP:   netip.MustParseAddr("192.168.1.1"),
 					Intf: &net.Interface{Index: 1, Name: "eth0"},
 				},
 			},
 			nexthopv4: systemops.Nexthop{ // This is our tracked nexthop
 				IP:   netip.MustParseAddr("192.168.1.1"),
 				Intf: &net.Interface{Index: 2, Name: "eth1"}, // Different Intf Index
 			},
 			expected: false, // Because nexthopv4.Equal(route.NextHop) will be false
 		},
 		{
 			name: "modified v6 route with different IP, same Intf Index should return true",
 			route: systemops.RouteUpdate{
 				Type:        systemops.RouteModified,
 				Destination: netip.PrefixFrom(netip.IPv6Unspecified(), 0),
 				NextHop: systemops.Nexthop{
 					IP:   netip.MustParseAddr("2001:db8::3"), // Different IP
 					Intf: &net.Interface{Index: 1, Name: "eth0"},
 				},
 			},
 			nexthopv6: systemops.Nexthop{
 				IP:   netip.MustParseAddr("2001:db8::1"),
 				Intf: &net.Interface{Index: 1, Name: "eth0"},
 			},
 			expected: true,
 		},
 		{
 			name: "modified v6 route with same IP, different Intf Index should return true",
 			route: systemops.RouteUpdate{
 				Type:        systemops.RouteModified,
 				Destination: netip.PrefixFrom(netip.IPv6Unspecified(), 0),
 				NextHop: systemops.Nexthop{
 					IP:   netip.MustParseAddr("2001:db8::1"),
 					Intf: &net.Interface{Index: 2, Name: "eth1"}, // Different Intf Index
 				},
 			},
 			nexthopv6: systemops.Nexthop{
 				IP:   netip.MustParseAddr("2001:db8::1"),
 				Intf: &net.Interface{Index: 1, Name: "eth0"},
 			},
 			expected: true,
 		},
 		{
 			name: "modified v6 route with same IP, same Intf Index should return false",
 			route: systemops.RouteUpdate{
 				Type:        systemops.RouteModified,
 				Destination: netip.PrefixFrom(netip.IPv6Unspecified(), 0),
 				NextHop: systemops.Nexthop{
 					IP:   netip.MustParseAddr("2001:db8::1"),
 					Intf: &net.Interface{Index: 1, Name: "eth0"},
 				},
 			},
 			nexthopv6: systemops.Nexthop{
 				IP:   netip.MustParseAddr("2001:db8::1"),
 				Intf: &net.Interface{Index: 1, Name: "eth0"},
 			},
 			expected: false,
 		},
 		{
 			name: "deleted v6 route matching tracked nexthop (IP and Intf Index) should return true",
 			route: systemops.RouteUpdate{
 				Type:        systemops.RouteDeleted,
 				Destination: netip.PrefixFrom(netip.IPv6Unspecified(), 0),
 				NextHop: systemops.Nexthop{
 					IP:   netip.MustParseAddr("2001:db8::1"),
 					Intf: &net.Interface{Index: 1, Name: "eth0"},
 				},
 			},
 			nexthopv6: systemops.Nexthop{
 				IP:   netip.MustParseAddr("2001:db8::1"),
 				Intf: &net.Interface{Index: 1, Name: "eth0"},
 			},
 			expected: true,
 		},
 		{
 			name: "deleted v6 route not matching tracked nexthop (different IP) should return false",
 			route: systemops.RouteUpdate{
 				Type:        systemops.RouteDeleted,
 				Destination: netip.PrefixFrom(netip.IPv6Unspecified(), 0),
 				NextHop: systemops.Nexthop{
 					IP:   netip.MustParseAddr("2001:db8::3"), // Different IP
 					Intf: &net.Interface{Index: 1, Name: "eth0"},
 				},
 			},
 			nexthopv6: systemops.Nexthop{
 				IP:   netip.MustParseAddr("2001:db8::1"),
 				Intf: &net.Interface{Index: 1, Name: "eth0"},
 			},
 			expected: false,
 		},
 		{
 			name: "deleted v6 route not matching tracked nexthop (same IP, different Intf Index) should return false",
 			route: systemops.RouteUpdate{
 				Type:        systemops.RouteDeleted,
 				Destination: netip.PrefixFrom(netip.IPv6Unspecified(), 0),
 				NextHop: systemops.Nexthop{ // This is the route being deleted
 					IP:   netip.MustParseAddr("2001:db8::1"),
 					Intf: &net.Interface{Index: 1, Name: "eth0"},
 				},
 			},
 			nexthopv6: systemops.Nexthop{ // This is our tracked nexthop
 				IP:   netip.MustParseAddr("2001:db8::1"),
 				Intf: &net.Interface{Index: 2, Name: "eth1"}, // Different Intf Index
 			},
 			expected: false,
 		},
 		{
 			name: "unknown route type should return false",
 			route: systemops.RouteUpdate{
 				Type:        systemops.RouteUpdateType(99), // Unknown type
 				Destination: netip.PrefixFrom(netip.IPv4Unspecified(), 0),
 				NextHop: systemops.Nexthop{
 					IP:   netip.MustParseAddr("192.168.1.1"),
 					Intf: &net.Interface{Index: 1, Name: "eth0"},
 				},
 			},
 			nexthopv4: systemops.Nexthop{
 				IP:   netip.MustParseAddr("192.168.1.2"), // Different from route.NextHop
 				Intf: &net.Interface{Index: 1, Name: "eth0"},
 			},
 			expected: false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			result := routeChanged(tt.route, tt.nexthopv4, tt.nexthopv6)
 			assert.Equal(t, tt.expected, result)
 		})
 	}
 }
 func TestIsSoftInterface(t *testing.T) {
 	tests := []struct {
 		name     string
 		ifname   string
 		expected bool
 	}{
 		{
 			name:     "ISATAP interface should be detected",
 			ifname:   "ISATAP tunnel adapter",
 			expected: true,
 		},
 		{
 			name:     "lowercase soft interface should be detected",
 			ifname:   "isatap.{14A5CF17-CA72-43EC-B4EA-B4B093641B7D}",
 			expected: true,
 		},
 		{
 			name:     "Teredo interface should be detected",
 			ifname:   "Teredo Tunneling Pseudo-Interface",
 			expected: true,
 		},
 		{
 			name:     "regular interface should not be detected as soft",
 			ifname:   "eth0",
 			expected: false,
 		},
 		{
 			name:     "another regular interface should not be detected as soft",
 			ifname:   "wlan0",
 			expected: false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			result := isSoftInterface(tt.ifname)
 			assert.Equal(t, tt.expected, result)
 		})
 	}
 }
--- a/client/internal/networkmonitor/monitor.go
+++ b/client/internal/networkmonitor/monitor.go
@@ -118,9 +118,12 @@ func (nw *NetworkMonitor) Stop() {
 }
 func (nw *NetworkMonitor) checkChanges(ctx context.Context, event chan struct{}, nexthop4 systemops.Nexthop, nexthop6 systemops.Nexthop) {
 	defer close(event)
 	for {
 		if err := checkChangeFn(ctx, nexthop4, nexthop6); err != nil {
-			close(event)
+			if !errors.Is(err, context.Canceled) {
 				log.Errorf("Network monitor: failed to check for changes: %v", err)
 			}
 			return
 		}
 		// prevent blocking
--- a/client/internal/peer/conn.go
+++ b/client/internal/peer/conn.go
@@ -60,6 +60,15 @@ type WgConfig struct {
 	PreSharedKey *wgtypes.Key
 }
 type RosenpassConfig struct {
 	// RosenpassPubKey is this peer's Rosenpass public key
 	PubKey []byte
 	// RosenpassPubKey is this peer's RosenpassAddr server address (IP:port)
 	Addr string
 	PermissiveMode bool
 }
 // ConnConfig is a peer Connection configuration
 type ConnConfig struct {
 	// Key is a public key of a remote peer
@@ -73,10 +82,7 @@ type ConnConfig struct {
 	LocalWgPort int
-	// RosenpassPubKey is this peer's Rosenpass public key
+	RosenpassConfig RosenpassConfig
 	RosenpassPubKey []byte
 	// RosenpassPubKey is this peer's RosenpassAddr server address (IP:port)
 	RosenpassAddr string
 	// ICEConfig ICE protocol configuration
 	ICEConfig icemaker.Config
@@ -109,6 +115,8 @@ type Conn struct {
 	connIDICE            nbnet.ConnectionID
 	beforeAddPeerHooks   []nbnet.AddHookFunc
 	afterRemovePeerHooks []nbnet.RemoveHookFunc
 	// used to store the remote Rosenpass key for Relayed connection in case of connection update from ice
 	rosenpassRemoteKey []byte
 	wgProxyICE   wgproxy.Proxy
 	wgProxyRelay wgproxy.Proxy
@@ -375,7 +383,7 @@ func (conn *Conn) onICEConnectionIsReady(priority ConnPriority, iceConnInfo ICEC
 		wgProxy.Work()
 	}
-	if err = conn.configureWGEndpoint(ep); err != nil {
+	if err = conn.configureWGEndpoint(ep, iceConnInfo.RosenpassPubKey); err != nil {
 		conn.handleConfigurationFailure(err, wgProxy)
 		return
 	}
@@ -408,7 +416,7 @@ func (conn *Conn) onICEStateDisconnected() {
 		conn.dumpState.SwitchToRelay()
 		conn.wgProxyRelay.Work()
-		if err := conn.configureWGEndpoint(conn.wgProxyRelay.EndpointAddr()); err != nil {
+		if err := conn.configureWGEndpoint(conn.wgProxyRelay.EndpointAddr(), conn.rosenpassRemoteKey); err != nil {
 			conn.log.Errorf("failed to switch to relay conn: %v", err)
 		}
@@ -478,7 +486,7 @@ func (conn *Conn) onRelayConnectionIsReady(rci RelayConnInfo) {
 	}
 	wgProxy.Work()
-	if err := conn.configureWGEndpoint(wgProxy.EndpointAddr()); err != nil {
+	if err := conn.configureWGEndpoint(wgProxy.EndpointAddr(), rci.rosenpassPubKey); err != nil {
 		if err := wgProxy.CloseConn(); err != nil {
 			conn.log.Warnf("Failed to close relay connection: %v", err)
 		}
@@ -493,6 +501,7 @@ func (conn *Conn) onRelayConnectionIsReady(rci RelayConnInfo) {
 	}()
 	wgConfigWorkaround()
 	conn.rosenpassRemoteKey = rci.rosenpassPubKey
 	conn.currentConnPriority = connPriorityRelay
 	conn.statusRelay.Set(StatusConnected)
 	conn.setRelayedProxy(wgProxy)
@@ -556,13 +565,14 @@ func (conn *Conn) listenGuardEvent(ctx context.Context) {
 	}
 }
-func (conn *Conn) configureWGEndpoint(addr *net.UDPAddr) error {
+func (conn *Conn) configureWGEndpoint(addr *net.UDPAddr, remoteRPKey []byte) error {
 	presharedKey := conn.presharedKey(remoteRPKey)
 	return conn.config.WgConfig.WgInterface.UpdatePeer(
 		conn.config.WgConfig.RemoteKey,
 		conn.config.WgConfig.AllowedIps,
 		defaultWgKeepAlive,
 		addr,
-		conn.config.WgConfig.PreSharedKey,
+		presharedKey,
 	)
 }
@@ -783,6 +793,44 @@ func (conn *Conn) AllowedIP() netip.Addr {
 	return conn.config.WgConfig.AllowedIps[0].Addr()
 }
 func (conn *Conn) presharedKey(remoteRosenpassKey []byte) *wgtypes.Key {
 	if conn.config.RosenpassConfig.PubKey == nil {
 		return conn.config.WgConfig.PreSharedKey
 	}
 	if remoteRosenpassKey == nil && conn.config.RosenpassConfig.PermissiveMode {
 		return conn.config.WgConfig.PreSharedKey
 	}
 	determKey, err := conn.rosenpassDetermKey()
 	if err != nil {
 		conn.log.Errorf("failed to generate Rosenpass initial key: %v", err)
 		return conn.config.WgConfig.PreSharedKey
 	}
 	return determKey
 }
 // todo: move this logic into Rosenpass package
 func (conn *Conn) rosenpassDetermKey() (*wgtypes.Key, error) {
 	lk := []byte(conn.config.LocalKey)
 	rk := []byte(conn.config.Key) // remote key
 	var keyInput []byte
 	if string(lk) > string(rk) {
 		//nolint:gocritic
 		keyInput = append(lk[:16], rk[:16]...)
 	} else {
 		//nolint:gocritic
 		keyInput = append(rk[:16], lk[:16]...)
 	}
 	key, err := wgtypes.NewKey(keyInput)
 	if err != nil {
 		return nil, err
 	}
 	return &key, nil
 }
 func isController(config ConnConfig) bool {
 	return config.LocalKey > config.Key
 }
--- a/client/internal/peer/conn_test.go
+++ b/client/internal/peer/conn_test.go
@@ -2,6 +2,7 @@ package peer
 import (
 	"context"
 	"fmt"
 	"os"
 	"sync"
 	"testing"
@@ -161,3 +162,145 @@ func TestConn_Status(t *testing.T) {
 		})
 	}
 }
 func TestConn_presharedKey(t *testing.T) {
 	conn1 := Conn{
 		config: ConnConfig{
 			Key:             "LLHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
 			LocalKey:        "RRHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
 			RosenpassConfig: RosenpassConfig{},
 		},
 	}
 	conn2 := Conn{
 		config: ConnConfig{
 			Key:             "RRHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
 			LocalKey:        "LLHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
 			RosenpassConfig: RosenpassConfig{},
 		},
 	}
 	tests := []struct {
 		conn1Permissive         bool
 		conn1RosenpassEnabled   bool
 		conn2Permissive         bool
 		conn2RosenpassEnabled   bool
 		conn1ExpectedInitialKey bool
 		conn2ExpectedInitialKey bool
 	}{
 		{
 			conn1Permissive:         false,
 			conn1RosenpassEnabled:   false,
 			conn2Permissive:         false,
 			conn2RosenpassEnabled:   false,
 			conn1ExpectedInitialKey: false,
 			conn2ExpectedInitialKey: false,
 		},
 		{
 			conn1Permissive:         false,
 			conn1RosenpassEnabled:   true,
 			conn2Permissive:         false,
 			conn2RosenpassEnabled:   true,
 			conn1ExpectedInitialKey: true,
 			conn2ExpectedInitialKey: true,
 		},
 		{
 			conn1Permissive:         false,
 			conn1RosenpassEnabled:   true,
 			conn2Permissive:         false,
 			conn2RosenpassEnabled:   false,
 			conn1ExpectedInitialKey: true,
 			conn2ExpectedInitialKey: false,
 		},
 		{
 			conn1Permissive:         false,
 			conn1RosenpassEnabled:   false,
 			conn2Permissive:         false,
 			conn2RosenpassEnabled:   true,
 			conn1ExpectedInitialKey: false,
 			conn2ExpectedInitialKey: true,
 		},
 		{
 			conn1Permissive:         true,
 			conn1RosenpassEnabled:   true,
 			conn2Permissive:         false,
 			conn2RosenpassEnabled:   false,
 			conn1ExpectedInitialKey: false,
 			conn2ExpectedInitialKey: false,
 		},
 		{
 			conn1Permissive:         false,
 			conn1RosenpassEnabled:   false,
 			conn2Permissive:         true,
 			conn2RosenpassEnabled:   true,
 			conn1ExpectedInitialKey: false,
 			conn2ExpectedInitialKey: false,
 		},
 		{
 			conn1Permissive:         true,
 			conn1RosenpassEnabled:   true,
 			conn2Permissive:         true,
 			conn2RosenpassEnabled:   true,
 			conn1ExpectedInitialKey: true,
 			conn2ExpectedInitialKey: true,
 		},
 		{
 			conn1Permissive:         false,
 			conn1RosenpassEnabled:   false,
 			conn2Permissive:         false,
 			conn2RosenpassEnabled:   true,
 			conn1ExpectedInitialKey: false,
 			conn2ExpectedInitialKey: true,
 		},
 		{
 			conn1Permissive:         false,
 			conn1RosenpassEnabled:   true,
 			conn2Permissive:         true,
 			conn2RosenpassEnabled:   true,
 			conn1ExpectedInitialKey: true,
 			conn2ExpectedInitialKey: true,
 		},
 	}
 	conn1.config.RosenpassConfig.PermissiveMode = true
 	for i, test := range tests {
 		tcase := i + 1
 		t.Run(fmt.Sprintf("Rosenpass test case %d", tcase), func(t *testing.T) {
 			conn1.config.RosenpassConfig = RosenpassConfig{}
 			conn2.config.RosenpassConfig = RosenpassConfig{}
 			if test.conn1RosenpassEnabled {
 				conn1.config.RosenpassConfig.PubKey = []byte("dummykey")
 			}
 			conn1.config.RosenpassConfig.PermissiveMode = test.conn1Permissive
 			if test.conn2RosenpassEnabled {
 				conn2.config.RosenpassConfig.PubKey = []byte("dummykey")
 			}
 			conn2.config.RosenpassConfig.PermissiveMode = test.conn2Permissive
 			conn1PresharedKey := conn1.presharedKey(conn2.config.RosenpassConfig.PubKey)
 			conn2PresharedKey := conn2.presharedKey(conn1.config.RosenpassConfig.PubKey)
 			if test.conn1ExpectedInitialKey {
 				if conn1PresharedKey == nil {
 					t.Errorf("Case %d: Expected conn1 to have a non-nil key, but got nil", tcase)
 				}
 			} else {
 				if conn1PresharedKey != nil {
 					t.Errorf("Case %d: Expected conn1 to have a nil key, but got %v", tcase, conn1PresharedKey)
 				}
 			}
 			// Assert conn2's key expectation
 			if test.conn2ExpectedInitialKey {
 				if conn2PresharedKey == nil {
 					t.Errorf("Case %d: Expected conn2 to have a non-nil key, but got nil", tcase)
 				}
 			} else {
 				if conn2PresharedKey != nil {
 					t.Errorf("Case %d: Expected conn2 to have a nil key, but got %v", tcase, conn2PresharedKey)
 				}
 			}
 		})
 	}
 }
--- a/client/internal/peer/handshaker.go
+++ b/client/internal/peer/handshaker.go
@@ -154,8 +154,8 @@ func (h *Handshaker) sendOffer() error {
 		IceCredentials:  IceCredentials{iceUFrag, icePwd},
 		WgListenPort:    h.config.LocalWgPort,
 		Version:         version.NetbirdVersion(),
-		RosenpassPubKey: h.config.RosenpassPubKey,
+		RosenpassPubKey: h.config.RosenpassConfig.PubKey,
-		RosenpassAddr:   h.config.RosenpassAddr,
+		RosenpassAddr:   h.config.RosenpassConfig.Addr,
 	}
 	addr, err := h.relay.RelayInstanceAddress()
@@ -174,8 +174,8 @@ func (h *Handshaker) sendAnswer() error {
 		IceCredentials:  IceCredentials{uFrag, pwd},
 		WgListenPort:    h.config.LocalWgPort,
 		Version:         version.NetbirdVersion(),
-		RosenpassPubKey: h.config.RosenpassPubKey,
+		RosenpassPubKey: h.config.RosenpassConfig.PubKey,
-		RosenpassAddr:   h.config.RosenpassAddr,
+		RosenpassAddr:   h.config.RosenpassConfig.Addr,
 	}
 	addr, err := h.relay.RelayInstanceAddress()
 	if err == nil {
--- a/client/internal/peer/ice/agent.go
+++ b/client/internal/peer/ice/agent.go
@@ -37,7 +37,8 @@ func NewAgent(iFaceDiscover stdnet.ExternalIFaceDiscover, config Config, candida
 	}
 	fac := logging.NewDefaultLoggerFactory()
-	fac.Writer = log.StandardLogger().Writer()
+
 	//fac.Writer = log.StandardLogger().Writer()
 	agentConfig := &ice.AgentConfig{
 		MulticastDNSMode:       ice.MulticastDNSModeDisabled,
--- a/client/internal/peer/route.go
+++ b/client/internal/peer/route.go
@@ -6,12 +6,14 @@ import (
 	"sync"
 	log "github.com/sirupsen/logrus"
 	"github.com/netbirdio/netbird/route"
 )
 // routeEntry holds the route prefix and the corresponding resource ID.
 type routeEntry struct {
 	prefix     netip.Prefix
-	resourceID string
+	resourceID route.ResID
 }
 type routeIDLookup struct {
@@ -24,7 +26,7 @@ type routeIDLookup struct {
 	resolvedIPs sync.Map
 }
-func (r *routeIDLookup) AddLocalRouteID(resourceID string, route netip.Prefix) {
+func (r *routeIDLookup) AddLocalRouteID(resourceID route.ResID, route netip.Prefix) {
 	r.localLock.Lock()
 	defer r.localLock.Unlock()
@@ -56,7 +58,7 @@ func (r *routeIDLookup) RemoveLocalRouteID(route netip.Prefix) {
 	}
 }
-func (r *routeIDLookup) AddRemoteRouteID(resourceID string, route netip.Prefix) {
+func (r *routeIDLookup) AddRemoteRouteID(resourceID route.ResID, route netip.Prefix) {
 	r.remoteLock.Lock()
 	defer r.remoteLock.Unlock()
@@ -87,7 +89,7 @@ func (r *routeIDLookup) RemoveRemoteRouteID(route netip.Prefix) {
 	}
 }
-func (r *routeIDLookup) AddResolvedIP(resourceID string, route netip.Prefix) {
+func (r *routeIDLookup) AddResolvedIP(resourceID route.ResID, route netip.Prefix) {
 	r.resolvedIPs.Store(route.Addr(), resourceID)
 }
@@ -97,19 +99,19 @@ func (r *routeIDLookup) RemoveResolvedIP(route netip.Prefix) {
 // Lookup returns the resource ID for the given IP address
 // and a bool indicating if the IP is an exit node.
-func (r *routeIDLookup) Lookup(ip netip.Addr) (string, bool) {
+func (r *routeIDLookup) Lookup(ip netip.Addr) (route.ResID, bool) {
 	if res, ok := r.resolvedIPs.Load(ip); ok {
-		return res.(string), false
+		return res.(route.ResID), false
 	}
-	var resourceID string
+	var resourceID route.ResID
 	var isExitNode bool
 	r.localLock.RLock()
 	for _, entry := range r.localRoutes {
 		if entry.prefix.Contains(ip) {
 			resourceID = entry.resourceID
-			isExitNode = (entry.prefix.Bits() == 0)
+			isExitNode = entry.prefix.Bits() == 0
 			break
 		}
 	}
@@ -120,7 +122,7 @@ func (r *routeIDLookup) Lookup(ip netip.Addr) (string, bool) {
 		for _, entry := range r.remoteRoutes {
 			if entry.prefix.Contains(ip) {
 				resourceID = entry.resourceID
-				isExitNode = (entry.prefix.Bits() == 0)
+				isExitNode = entry.prefix.Bits() == 0
 				break
 			}
 		}
--- a/client/internal/peer/status.go
+++ b/client/internal/peer/status.go
@@ -21,6 +21,7 @@ import (
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/management/domain"
 	relayClient "github.com/netbirdio/netbird/relay/client"
 	"github.com/netbirdio/netbird/route"
 )
 const eventQueueSize = 10
@@ -313,7 +314,7 @@ func (d *Status) UpdatePeerState(receivedState State) error {
 	return nil
 }
-func (d *Status) AddPeerStateRoute(peer string, route string, resourceId string) error {
+func (d *Status) AddPeerStateRoute(peer string, route string, resourceId route.ResID) error {
 	d.mux.Lock()
 	defer d.mux.Unlock()
@@ -581,7 +582,7 @@ func (d *Status) UpdateLocalPeerState(localPeerState LocalPeerState) {
 }
 // AddLocalPeerStateRoute adds a route to the local peer state
-func (d *Status) AddLocalPeerStateRoute(route, resourceId string) {
+func (d *Status) AddLocalPeerStateRoute(route string, resourceId route.ResID) {
 	d.mux.Lock()
 	defer d.mux.Unlock()
@@ -611,14 +612,11 @@ func (d *Status) RemoveLocalPeerStateRoute(route string) {
 }
 // AddResolvedIPLookupEntry adds a resolved IP lookup entry
-func (d *Status) AddResolvedIPLookupEntry(route, resourceId string) {
+func (d *Status) AddResolvedIPLookupEntry(prefix netip.Prefix, resourceId route.ResID) {
 	d.mux.Lock()
 	defer d.mux.Unlock()
-	pref, err := netip.ParsePrefix(route)
+	d.routeIDLookup.AddResolvedIP(resourceId, prefix)
 	if err == nil {
 		d.routeIDLookup.AddResolvedIP(resourceId, pref)
 	}
 }
 // RemoveResolvedIPLookupEntry removes a resolved IP lookup entry
@@ -723,7 +721,7 @@ func (d *Status) UpdateDNSStates(dnsStates []NSGroupState) {
 	d.nsGroupStates = dnsStates
 }
-func (d *Status) UpdateResolvedDomainsStates(originalDomain domain.Domain, resolvedDomain domain.Domain, prefixes []netip.Prefix, resourceId string) {
+func (d *Status) UpdateResolvedDomainsStates(originalDomain domain.Domain, resolvedDomain domain.Domain, prefixes []netip.Prefix, resourceId route.ResID) {
 	d.mux.Lock()
 	defer d.mux.Unlock()
--- a/client/internal/pkce_auth.go
+++ b/client/internal/pkce_auth.go
@@ -39,6 +39,8 @@ type PKCEAuthProviderConfig struct {
 	UseIDToken bool
 	// ClientCertPair is used for mTLS authentication to the IDP
 	ClientCertPair *tls.Certificate
 	// DisablePromptLogin makes the PKCE flow to not prompt the user for login
 	DisablePromptLogin bool
 }
 // GetPKCEAuthorizationFlowInfo initialize a PKCEAuthorizationFlow instance and return with it
@@ -97,6 +99,7 @@ func GetPKCEAuthorizationFlowInfo(ctx context.Context, privateKey string, mgmURL
 			RedirectURLs:          protoPKCEAuthorizationFlow.GetProviderConfig().GetRedirectURLs(),
 			UseIDToken:            protoPKCEAuthorizationFlow.GetProviderConfig().GetUseIDToken(),
 			ClientCertPair:        clientCert,
 			DisablePromptLogin:    protoPKCEAuthorizationFlow.GetProviderConfig().GetDisablePromptLogin(),
 		},
 	}
--- a/client/internal/routemanager/dnsinterceptor/handler.go
+++ b/client/internal/routemanager/dnsinterceptor/handler.go
@@ -162,9 +162,7 @@ func (d *DnsInterceptor) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		return
 	}
 	// set the AuthenticatedData flag and the EDNS0 buffer size to 4096 bytes to support larger dns records
 	if r.Extra == nil {
 		r.SetEdns0(4096, false)
 		r.MsgHdr.AuthenticatedData = true
 	}
 	client := &dns.Client{
@@ -172,7 +170,7 @@ func (d *DnsInterceptor) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		Net:     "udp",
 	}
 	upstream := fmt.Sprintf("%s:%d", upstreamIP.String(), dnsfwd.ListenPort)
-	reply, _, err := client.ExchangeContext(context.Background(), r, upstream)
+	reply, _, err := nbdns.ExchangeWithFallback(context.TODO(), client, r, upstream)
 	if err != nil {
 		log.Errorf("failed to exchange DNS request with %s (%s) for domain=%s: %v", upstreamIP.String(), peerKey, r.Question[0].Name, err)
 		if err := w.WriteMsg(&dns.Msg{MsgHdr: dns.MsgHdr{Rcode: dns.RcodeServerFailure, Id: r.Id}}); err != nil {
@@ -236,7 +234,7 @@ func (d *DnsInterceptor) writeMsg(w dns.ResponseWriter, r *dns.Msg) error {
 			origPattern = writer.GetOrigPattern()
 		}
-		resolvedDomain := domain.Domain(r.Question[0].Name)
+		resolvedDomain := domain.Domain(strings.ToLower(r.Question[0].Name))
 		// already punycode via RegisterHandler()
 		originalDomain := domain.Domain(origPattern)
@@ -330,6 +328,11 @@ func (d *DnsInterceptor) updateDomainPrefixes(resolvedDomain, originalDomain dom
 	// Update domain prefixes using resolved domain as key
 	if len(toAdd) > 0 || len(toRemove) > 0 {
 		if d.route.KeepRoute {
 			// replace stored prefixes with old + added
 			// nolint:gocritic
 			newPrefixes = append(oldPrefixes, toAdd...)
 		}
 		d.interceptedDomains[resolvedDomain] = newPrefixes
 		originalDomain = domain.Domain(strings.TrimSuffix(string(originalDomain), "."))
 		d.statusRecorder.UpdateResolvedDomainsStates(originalDomain, resolvedDomain, newPrefixes, d.route.GetResourceID())
@@ -340,7 +343,7 @@ func (d *DnsInterceptor) updateDomainPrefixes(resolvedDomain, originalDomain dom
 				originalDomain.SafeString(),
 				toAdd)
 		}
-		if len(toRemove) > 0 {
+		if len(toRemove) > 0 && !d.route.KeepRoute {
 			log.Debugf("removed dynamic route(s) for domain=%s (pattern: domain=%s): %s",
 				resolvedDomain.SafeString(),
 				originalDomain.SafeString(),
--- a/client/internal/routemanager/dynamic/route_ios.go
+++ b/client/internal/routemanager/dynamic/route_ios.go
@@ -27,7 +27,7 @@ func (r *Route) getIPsFromResolver(domain domain.Domain) ([]net.IP, error) {
 	startTime := time.Now()
-	response, _, err := privateClient.Exchange(msg, r.resolverAddr)
+	response, _, err := nbdns.ExchangeWithFallback(nil, privateClient, msg, r.resolverAddr)
 	if err != nil {
 		return nil, fmt.Errorf("DNS query for %s failed after %s: %s ", domain.SafeString(), time.Since(startTime), err)
 	}
--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -259,8 +259,6 @@ func (m *DefaultManager) Stop(stateManager *statemanager.Manager) {
 		}
 	}
 	m.ctx = nil
 	m.mux.Lock()
 	defer m.mux.Unlock()
 	m.clientRoutes = nil
@@ -292,7 +290,7 @@ func (m *DefaultManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Ro
 		return nil
 	}
-	if err := m.serverRouter.updateRoutes(newServerRoutesMap); err != nil {
+	if err := m.serverRouter.updateRoutes(newServerRoutesMap, useNewDNSRoute); err != nil {
 		return fmt.Errorf("update routes: %w", err)
 	}
--- a/client/internal/routemanager/server_android.go
+++ b/client/internal/routemanager/server_android.go
@@ -18,7 +18,7 @@ type serverRouter struct {
 func (r serverRouter) cleanUp() {
 }
-func (r serverRouter) updateRoutes(map[route.ID]*route.Route) error {
+func (r serverRouter) updateRoutes(map[route.ID]*route.Route, bool) error {
 	return nil
 }
--- a/client/internal/routemanager/server_nonandroid.go
+++ b/client/internal/routemanager/server_nonandroid.go
@@ -35,7 +35,10 @@ func newServerRouter(ctx context.Context, wgInterface iface.WGIface, firewall fi
 	}, nil
 }
-func (m *serverRouter) updateRoutes(routesMap map[route.ID]*route.Route) error {
+func (m *serverRouter) updateRoutes(routesMap map[route.ID]*route.Route, useNewDNSRoute bool) error {
 	m.mux.Lock()
 	defer m.mux.Unlock()
 	serverRoutesToRemove := make([]route.ID, 0)
 	for routeID := range m.routes {
@@ -73,7 +76,7 @@ func (m *serverRouter) updateRoutes(routesMap map[route.ID]*route.Route) error {
 			continue
 		}
-		err := m.addToServerNetwork(newRoute)
+		err := m.addToServerNetwork(newRoute, useNewDNSRoute)
 		if err != nil {
 			log.Errorf("Unable to add route %s from server, got: %v", newRoute.ID, err)
 			continue
@@ -90,57 +93,30 @@ func (m *serverRouter) removeFromServerNetwork(route *route.Route) error {
 		return m.ctx.Err()
 	}
-	m.mux.Lock()
+	routerPair := routeToRouterPair(route, false)
-	defer m.mux.Unlock()
+	if err := m.firewall.RemoveNatRule(routerPair); err != nil {
 	routerPair, err := routeToRouterPair(route)
 	if err != nil {
 		return fmt.Errorf("parse prefix: %w", err)
 	}
 	err = m.firewall.RemoveNatRule(routerPair)
 	if err != nil {
 		return fmt.Errorf("remove routing rules: %w", err)
 	}
 	delete(m.routes, route.ID)
-
+	m.statusRecorder.RemoveLocalPeerStateRoute(route.NetString())
 	routeStr := route.Network.String()
 	if route.IsDynamic() {
 		routeStr = route.Domains.SafeString()
 	}
 	m.statusRecorder.RemoveLocalPeerStateRoute(routeStr)
 	return nil
 }
-func (m *serverRouter) addToServerNetwork(route *route.Route) error {
+func (m *serverRouter) addToServerNetwork(route *route.Route, useNewDNSRoute bool) error {
 	if m.ctx.Err() != nil {
 		log.Infof("Not adding to server network because context is done")
 		return m.ctx.Err()
 	}
-	m.mux.Lock()
+	routerPair := routeToRouterPair(route, useNewDNSRoute)
-	defer m.mux.Unlock()
+	if err := m.firewall.AddNatRule(routerPair); err != nil {
 	routerPair, err := routeToRouterPair(route)
 	if err != nil {
 		return fmt.Errorf("parse prefix: %w", err)
 	}
 	err = m.firewall.AddNatRule(routerPair)
 	if err != nil {
 		return fmt.Errorf("insert routing rules: %w", err)
 	}
 	m.routes[route.ID] = route
-
+	m.statusRecorder.AddLocalPeerStateRoute(route.NetString(), route.GetResourceID())
 	routeStr := route.Network.String()
 	if route.IsDynamic() {
 		routeStr = route.Domains.SafeString()
 	}
 	m.statusRecorder.AddLocalPeerStateRoute(routeStr, route.GetResourceID())
 	return nil
 }
@@ -148,31 +124,29 @@ func (m *serverRouter) addToServerNetwork(route *route.Route) error {
 func (m *serverRouter) cleanUp() {
 	m.mux.Lock()
 	defer m.mux.Unlock()
 	for _, r := range m.routes {
 		routerPair, err := routeToRouterPair(r)
 		if err != nil {
 			log.Errorf("Failed to convert route to router pair: %v", err)
 			continue
 		}
-		err = m.firewall.RemoveNatRule(routerPair)
+	for _, r := range m.routes {
-		if err != nil {
+		routerPair := routeToRouterPair(r, false)
 		if err := m.firewall.RemoveNatRule(routerPair); err != nil {
 			log.Errorf("Failed to remove cleanup route: %v", err)
 		}
 	}
 	m.statusRecorder.CleanLocalPeerStateRoutes()
 }
-func routeToRouterPair(route *route.Route) (firewall.RouterPair, error) {
+func routeToRouterPair(route *route.Route, useNewDNSRoute bool) firewall.RouterPair {
 	// TODO: add ipv6
 	source := getDefaultPrefix(route.Network)
-
+	destination := firewall.Network{}
 	destination := route.Network.Masked()
 	if route.IsDynamic() {
 		if useNewDNSRoute {
 			destination.Set = firewall.NewDomainSet(route.Domains)
 		} else {
 			// TODO: add ipv6 additionally
-		destination = getDefaultPrefix(destination)
+			destination = getDefaultPrefix(destination.Prefix)
 		}
 	} else {
 		destination.Prefix = route.Network.Masked()
 	}
 	return firewall.RouterPair{
@@ -180,12 +154,16 @@ func routeToRouterPair(route *route.Route) (firewall.RouterPair, error) {
 		Source:      source,
 		Destination: destination,
 		Masquerade:  route.Masquerade,
-	}, nil
+	}
 }
-func getDefaultPrefix(prefix netip.Prefix) netip.Prefix {
+func getDefaultPrefix(prefix netip.Prefix) firewall.Network {
 	if prefix.Addr().Is6() {
-		return netip.PrefixFrom(netip.IPv6Unspecified(), 0)
+		return firewall.Network{
 			Prefix: netip.PrefixFrom(netip.IPv6Unspecified(), 0),
 		}
 	}
 	return firewall.Network{
 		Prefix: netip.PrefixFrom(netip.IPv4Unspecified(), 0),
 	}
 	return netip.PrefixFrom(netip.IPv4Unspecified(), 0)
 }
--- a/client/internal/routemanager/systemops/systemops.go
+++ b/client/internal/routemanager/systemops/systemops.go
@@ -1,6 +1,7 @@
 package systemops
 import (
 	"fmt"
 	"net"
 	"net/netip"
 	"sync"
@@ -15,6 +16,20 @@ type Nexthop struct {
 	Intf *net.Interface
 }
 // Equal checks if two nexthops are equal.
 func (n Nexthop) Equal(other Nexthop) bool {
 	return n.IP == other.IP && (n.Intf == nil && other.Intf == nil ||
 		n.Intf != nil && other.Intf != nil && n.Intf.Index == other.Intf.Index)
 }
 // String returns a string representation of the nexthop.
 func (n Nexthop) String() string {
 	if n.Intf == nil {
 		return n.IP.String()
 	}
 	return fmt.Sprintf("%s @ %d (%s)", n.IP.String(), n.Intf.Index, n.Intf.Name)
 }
 type ExclusionCounter = refcounter.Counter[netip.Prefix, struct{}, Nexthop]
 type SysOps struct {
--- a/client/internal/routemanager/systemops/systemops_bsd_test.go
+++ b/client/internal/routemanager/systemops/systemops_bsd_test.go
@@ -24,7 +24,6 @@ func init() {
 	testCases = append(testCases, []testCase{
 		{
 			name:              "To more specific route without custom dialer via vpn",
 			destination:       "10.10.0.2:53",
 			expectedInterface: expectedVPNint,
 			dialer:            &net.Dialer{},
 			expectedPacket:    createPacketExpectation("100.64.0.1", 12345, "10.10.0.2", 53),
--- a/client/internal/routemanager/systemops/systemops_linux.go
+++ b/client/internal/routemanager/systemops/systemops_linux.go
@@ -45,7 +45,7 @@ var sysctlFailed bool
 type ruleParams struct {
 	priority       int
-	fwmark         int
+	fwmark         uint32
 	tableID        int
 	family         int
 	invert         bool
@@ -55,8 +55,8 @@ type ruleParams struct {
 func getSetupRules() []ruleParams {
 	return []ruleParams{
-		{100, -1, syscall.RT_TABLE_MAIN, netlink.FAMILY_V4, false, 0, "rule with suppress prefixlen v4"},
+		{100, 0, syscall.RT_TABLE_MAIN, netlink.FAMILY_V4, false, 0, "rule with suppress prefixlen v4"},
-		{100, -1, syscall.RT_TABLE_MAIN, netlink.FAMILY_V6, false, 0, "rule with suppress prefixlen v6"},
+		{100, 0, syscall.RT_TABLE_MAIN, netlink.FAMILY_V6, false, 0, "rule with suppress prefixlen v6"},
 		{110, nbnet.ControlPlaneMark, NetbirdVPNTableID, netlink.FAMILY_V4, true, -1, "rule v4 netbird"},
 		{110, nbnet.ControlPlaneMark, NetbirdVPNTableID, netlink.FAMILY_V6, true, -1, "rule v6 netbird"},
 	}
--- a/client/internal/routemanager/systemops/systemops_linux_test.go
+++ b/client/internal/routemanager/systemops/systemops_linux_test.go
@@ -27,14 +27,12 @@ func init() {
 	testCases = append(testCases, []testCase{
 		{
 			name:              "To more specific route without custom dialer via physical interface",
 			destination:       "10.10.0.2:53",
 			expectedInterface: expectedInternalInt,
 			dialer:            &net.Dialer{},
 			expectedPacket:    createPacketExpectation("192.168.1.1", 12345, "10.10.0.2", 53),
 		},
 		{
 			name:              "To more specific route (local) without custom dialer via physical interface",
 			destination:       "127.0.10.1:53",
 			expectedInterface: expectedLoopbackInt,
 			dialer:            &net.Dialer{},
 			expectedPacket:    createPacketExpectation("127.0.0.1", 12345, "127.0.10.1", 53),
@@ -134,6 +132,16 @@ func addDummyRoute(t *testing.T, dstCIDR string, gw net.IP, intf string) {
 	_, dstIPNet, err := net.ParseCIDR(dstCIDR)
 	require.NoError(t, err)
 	link, err := netlink.LinkByName(intf)
 	require.NoError(t, err)
 	linkIndex := link.Attrs().Index
 	route := &netlink.Route{
 		Dst:       dstIPNet,
 		Gw:        gw,
 		LinkIndex: linkIndex,
 	}
 	// Handle existing routes with metric 0
 	var originalNexthop net.IP
 	var originalLinkIndex int
@@ -145,32 +153,24 @@ func addDummyRoute(t *testing.T, dstCIDR string, gw net.IP, intf string) {
 		}
 		if originalNexthop != nil {
 			// remove original route
 			err = netlink.RouteDel(&netlink.Route{Dst: dstIPNet, Priority: 0})
-			switch {
+			assert.NoError(t, err)
-			case err != nil && !errors.Is(err, syscall.ESRCH):
+
-				t.Logf("Failed to delete route: %v", err)
+			// add new route
-			case err == nil:
+			assert.NoError(t, netlink.RouteAdd(route))
 			t.Cleanup(func() {
 				// restore original route
 				assert.NoError(t, netlink.RouteDel(route))
 				err := netlink.RouteAdd(&netlink.Route{Dst: dstIPNet, Gw: originalNexthop, LinkIndex: originalLinkIndex, Priority: 0})
-					if err != nil && !errors.Is(err, syscall.EEXIST) {
+				assert.NoError(t, err)
 						t.Fatalf("Failed to add route: %v", err)
 					}
 			})
-			default:
+
-				t.Logf("Failed to delete route: %v", err)
+			return
 			}
 		}
 	}
 	link, err := netlink.LinkByName(intf)
 	require.NoError(t, err)
 	linkIndex := link.Attrs().Index
 	route := &netlink.Route{
 		Dst:       dstIPNet,
 		Gw:        gw,
 		LinkIndex: linkIndex,
 	}
 	err = netlink.RouteDel(route)
 	if err != nil && !errors.Is(err, syscall.ESRCH) {
 		t.Logf("Failed to delete route: %v", err)
@@ -180,7 +180,6 @@ func addDummyRoute(t *testing.T, dstCIDR string, gw net.IP, intf string) {
 	if err != nil && !errors.Is(err, syscall.EEXIST) {
 		t.Fatalf("Failed to add route: %v", err)
 	}
 	require.NoError(t, err)
 }
 func fetchOriginalGateway(family int) (net.IP, int, error) {
@@ -190,7 +189,11 @@ func fetchOriginalGateway(family int) (net.IP, int, error) {
 	}
 	for _, route := range routes {
-		if route.Dst == nil && route.Priority == 0 {
+		ones := -1
 		if route.Dst != nil {
 			ones, _ = route.Dst.Mask.Size()
 		}
 		if route.Dst == nil || ones == 0 && route.Priority == 0 {
 			return route.Gw, route.LinkIndex, nil
 		}
 	}
--- a/client/internal/routemanager/systemops/systemops_unix_test.go
+++ b/client/internal/routemanager/systemops/systemops_unix_test.go
@@ -31,7 +31,6 @@ type PacketExpectation struct {
 type testCase struct {
 	name              string
 	destination       string
 	expectedInterface string
 	dialer            dialer
 	expectedPacket    PacketExpectation
@@ -40,14 +39,12 @@ type testCase struct {
 var testCases = []testCase{
 	{
 		name:              "To external host without custom dialer via vpn",
 		destination:       "192.0.2.1:53",
 		expectedInterface: expectedVPNint,
 		dialer:            &net.Dialer{},
 		expectedPacket:    createPacketExpectation("100.64.0.1", 12345, "192.0.2.1", 53),
 	},
 	{
 		name:              "To external host with custom dialer via physical interface",
 		destination:       "192.0.2.1:53",
 		expectedInterface: expectedExternalInt,
 		dialer:            nbnet.NewDialer(),
 		expectedPacket:    createPacketExpectation("192.168.0.1", 12345, "192.0.2.1", 53),
@@ -55,14 +52,12 @@ var testCases = []testCase{
 	{
 		name:              "To duplicate internal route with custom dialer via physical interface",
 		destination:       "10.0.0.2:53",
 		expectedInterface: expectedInternalInt,
 		dialer:            nbnet.NewDialer(),
 		expectedPacket:    createPacketExpectation("192.168.1.1", 12345, "10.0.0.2", 53),
 	},
 	{
 		name:              "To duplicate internal route without custom dialer via physical interface", // local route takes precedence
 		destination:       "10.0.0.2:53",
 		expectedInterface: expectedInternalInt,
 		dialer:            &net.Dialer{},
 		expectedPacket:    createPacketExpectation("192.168.1.1", 12345, "10.0.0.2", 53),
@@ -70,14 +65,12 @@ var testCases = []testCase{
 	{
 		name:              "To unique vpn route with custom dialer via physical interface",
 		destination:       "172.16.0.2:53",
 		expectedInterface: expectedExternalInt,
 		dialer:            nbnet.NewDialer(),
 		expectedPacket:    createPacketExpectation("192.168.0.1", 12345, "172.16.0.2", 53),
 	},
 	{
 		name:              "To unique vpn route without custom dialer via vpn",
 		destination:       "172.16.0.2:53",
 		expectedInterface: expectedVPNint,
 		dialer:            &net.Dialer{},
 		expectedPacket:    createPacketExpectation("100.64.0.1", 12345, "172.16.0.2", 53),
@@ -94,10 +87,11 @@ func TestRouting(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			setupTestEnv(t)
-			filter := createBPFFilter(tc.destination)
+			dst := fmt.Sprintf("%s:%d", tc.expectedPacket.DstIP, tc.expectedPacket.DstPort)
 			filter := createBPFFilter(dst)
 			handle := startPacketCapture(t, tc.expectedInterface, filter)
-			sendTestPacket(t, tc.destination, tc.expectedPacket.SrcPort, tc.dialer)
+			sendTestPacket(t, dst, tc.expectedPacket.SrcPort, tc.dialer)
 			packetSource := gopacket.NewPacketSource(handle, handle.LinkType())
 			packet, err := packetSource.NextPacket()
--- a/client/internal/routemanager/systemops/systemops_windows.go
+++ b/client/internal/routemanager/systemops/systemops_windows.go
@@ -33,8 +33,7 @@ type RouteUpdateType int
 type RouteUpdate struct {
 	Type        RouteUpdateType
 	Destination netip.Prefix
-	NextHop     netip.Addr
+	NextHop     Nexthop
 	Interface   *net.Interface
 }
 // RouteMonitor provides a way to monitor changes in the routing table.
@@ -231,15 +230,15 @@ func (rm *RouteMonitor) parseUpdate(row *MIB_IPFORWARD_ROW2, notificationType MI
 		intf, err := net.InterfaceByIndex(idx)
 		if err != nil {
 			log.Warnf("failed to get interface name for index %d: %v", idx, err)
-			update.Interface = &net.Interface{
+			update.NextHop.Intf = &net.Interface{
 				Index: idx,
 			}
 		} else {
-			update.Interface = intf
+			update.NextHop.Intf = intf
 		}
 	}
-	log.Tracef("Received route update with destination %v, next hop %v, interface %v", row.DestinationPrefix, row.NextHop, update.Interface)
+	log.Tracef("Received route update with destination %v, next hop %v, interface %v", row.DestinationPrefix, row.NextHop, update.NextHop.Intf)
 	dest := parseIPPrefix(row.DestinationPrefix, idx)
 	if !dest.Addr().IsValid() {
 		return RouteUpdate{}, fmt.Errorf("invalid destination: %v", row)
@@ -262,7 +261,7 @@ func (rm *RouteMonitor) parseUpdate(row *MIB_IPFORWARD_ROW2, notificationType MI
 	update.Type = updateType
 	update.Destination = dest
-	update.NextHop = nexthop
+	update.NextHop.IP = nexthop
 	return update, nil
 }
--- a/client/internal/routeselector/routeselector.go
+++ b/client/internal/routeselector/routeselector.go
@@ -10,20 +10,19 @@ import (
 	"golang.org/x/exp/maps"
 	"github.com/netbirdio/netbird/client/errors"
-	route "github.com/netbirdio/netbird/route"
+	"github.com/netbirdio/netbird/route"
 )
 type RouteSelector struct {
 	mu               sync.RWMutex
-	selectedRoutes map[route.NetID]struct{}
+	deselectedRoutes map[route.NetID]struct{}
-	selectAll      bool
+	deselectAll      bool
 }
 func NewRouteSelector() *RouteSelector {
 	return &RouteSelector{
-		selectedRoutes: map[route.NetID]struct{}{},
+		deselectedRoutes: map[route.NetID]struct{}{},
-		// default selects all routes
+		deselectAll:      false,
 		selectAll: true,
 	}
 }
@@ -32,8 +31,11 @@ func (rs *RouteSelector) SelectRoutes(routes []route.NetID, appendRoute bool, al
 	rs.mu.Lock()
 	defer rs.mu.Unlock()
-	if !appendRoute {
+	if !appendRoute || rs.deselectAll {
-		rs.selectedRoutes = map[route.NetID]struct{}{}
+		maps.Clear(rs.deselectedRoutes)
 		for _, r := range allRoutes {
 			rs.deselectedRoutes[r] = struct{}{}
 		}
 	}
 	var err *multierror.Error
@@ -42,10 +44,10 @@ func (rs *RouteSelector) SelectRoutes(routes []route.NetID, appendRoute bool, al
 			err = multierror.Append(err, fmt.Errorf("route '%s' is not available", route))
 			continue
 		}
-
+		delete(rs.deselectedRoutes, route)
 		rs.selectedRoutes[route] = struct{}{}
 	}
-	rs.selectAll = false
+
 	rs.deselectAll = false
 	return errors.FormatErrorOrNil(err)
 }
@@ -55,32 +57,26 @@ func (rs *RouteSelector) SelectAllRoutes() {
 	rs.mu.Lock()
 	defer rs.mu.Unlock()
-	rs.selectAll = true
+	rs.deselectAll = false
-	rs.selectedRoutes = map[route.NetID]struct{}{}
+	maps.Clear(rs.deselectedRoutes)
 }
 // DeselectRoutes removes specific routes from the selection.
 // If the selector is in "select all" mode, it will transition to "select specific" mode.
 func (rs *RouteSelector) DeselectRoutes(routes []route.NetID, allRoutes []route.NetID) error {
 	rs.mu.Lock()
 	defer rs.mu.Unlock()
-	if rs.selectAll {
+	if rs.deselectAll {
-		rs.selectAll = false
+		return nil
 		rs.selectedRoutes = map[route.NetID]struct{}{}
 		for _, route := range allRoutes {
 			rs.selectedRoutes[route] = struct{}{}
 		}
 	}
 	var err *multierror.Error
 	for _, route := range routes {
 		if !slices.Contains(allRoutes, route) {
 			err = multierror.Append(err, fmt.Errorf("route '%s' is not available", route))
 			continue
 		}
-		delete(rs.selectedRoutes, route)
+		rs.deselectedRoutes[route] = struct{}{}
 	}
 	return errors.FormatErrorOrNil(err)
@@ -91,8 +87,8 @@ func (rs *RouteSelector) DeselectAllRoutes() {
 	rs.mu.Lock()
 	defer rs.mu.Unlock()
-	rs.selectAll = false
+	rs.deselectAll = true
-	rs.selectedRoutes = map[route.NetID]struct{}{}
+	maps.Clear(rs.deselectedRoutes)
 }
 // IsSelected checks if a specific route is selected.
@@ -100,11 +96,12 @@ func (rs *RouteSelector) IsSelected(routeID route.NetID) bool {
 	rs.mu.RLock()
 	defer rs.mu.RUnlock()
-	if rs.selectAll {
+	if rs.deselectAll {
-		return true
+		return false
 	}
-	_, selected := rs.selectedRoutes[routeID]
+
-	return selected
+	_, deselected := rs.deselectedRoutes[routeID]
 	return !deselected
 }
 // FilterSelected removes unselected routes from the provided map.
@@ -112,13 +109,15 @@ func (rs *RouteSelector) FilterSelected(routes route.HAMap) route.HAMap {
 	rs.mu.RLock()
 	defer rs.mu.RUnlock()
-	if rs.selectAll {
+	if rs.deselectAll {
-		return maps.Clone(routes)
+		return route.HAMap{}
 	}
 	filtered := route.HAMap{}
 	for id, rt := range routes {
-		if rs.IsSelected(id.NetID()) {
+		netID := id.NetID()
 		_, deselected := rs.deselectedRoutes[netID]
 		if !deselected {
 			filtered[id] = rt
 		}
 	}
@@ -131,11 +130,11 @@ func (rs *RouteSelector) MarshalJSON() ([]byte, error) {
 	defer rs.mu.RUnlock()
 	return json.Marshal(struct {
-		SelectedRoutes map[route.NetID]struct{} `json:"selected_routes"`
+		DeselectedRoutes map[route.NetID]struct{} `json:"deselected_routes"`
-		SelectAll      bool                     `json:"select_all"`
+		DeselectAll      bool                     `json:"deselect_all"`
 	}{
-		SelectAll:      rs.selectAll,
+		DeselectedRoutes: rs.deselectedRoutes,
-		SelectedRoutes: rs.selectedRoutes,
+		DeselectAll:      rs.deselectAll,
 	})
 }
@@ -147,25 +146,25 @@ func (rs *RouteSelector) UnmarshalJSON(data []byte) error {
 	// Check for null or empty JSON
 	if len(data) == 0 || string(data) == "null" {
-		rs.selectedRoutes = map[route.NetID]struct{}{}
+		rs.deselectedRoutes = map[route.NetID]struct{}{}
-		rs.selectAll = true
+		rs.deselectAll = false
 		return nil
 	}
 	var temp struct {
-		SelectedRoutes map[route.NetID]struct{} `json:"selected_routes"`
+		DeselectedRoutes map[route.NetID]struct{} `json:"deselected_routes"`
-		SelectAll      bool                     `json:"select_all"`
+		DeselectAll      bool                     `json:"deselect_all"`
 	}
 	if err := json.Unmarshal(data, &temp); err != nil {
 		return err
 	}
-	rs.selectedRoutes = temp.SelectedRoutes
+	rs.deselectedRoutes = temp.DeselectedRoutes
-	rs.selectAll = temp.SelectAll
+	rs.deselectAll = temp.DeselectAll
-	if rs.selectedRoutes == nil {
+	if rs.deselectedRoutes == nil {
-		rs.selectedRoutes = map[route.NetID]struct{}{}
+		rs.deselectedRoutes = map[route.NetID]struct{}{}
 	}
 	return nil
--- a/client/internal/routeselector/routeselector_test.go
+++ b/client/internal/routeselector/routeselector_test.go
@@ -66,12 +66,10 @@ func TestRouteSelector_SelectRoutes(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			rs := routeselector.NewRouteSelector()
 			if tt.initialSelected != nil {
 			err := rs.SelectRoutes(tt.initialSelected, false, allRoutes)
 			require.NoError(t, err)
 			}
-			err := rs.SelectRoutes(tt.selectRoutes, tt.append, allRoutes)
+			err = rs.SelectRoutes(tt.selectRoutes, tt.append, allRoutes)
 			if tt.wantError {
 				assert.Error(t, err)
 			} else {
@@ -251,7 +249,8 @@ func TestRouteSelector_IsSelected(t *testing.T) {
 	assert.True(t, rs.IsSelected("route1"))
 	assert.True(t, rs.IsSelected("route2"))
 	assert.False(t, rs.IsSelected("route3"))
-	assert.False(t, rs.IsSelected("route4"))
+	// Unknown route is selected by default
 	assert.True(t, rs.IsSelected("route4"))
 }
 func TestRouteSelector_FilterSelected(t *testing.T) {
@@ -297,8 +296,8 @@ func TestRouteSelector_NewRoutesBehavior(t *testing.T) {
 			initialState: func(rs *routeselector.RouteSelector) error {
 				return rs.SelectRoutes([]route.NetID{"route1", "route2"}, false, initialRoutes)
 			},
-			// When specific routes were selected, new routes should remain unselected
+			// When specific routes were selected, new routes should be selected
-			wantNewSelected: []route.NetID{"route1", "route2"},
+			wantNewSelected: []route.NetID{"route1", "route2", "route4", "route5"},
 		},
 		{
 			name: "New routes after deselect all",
@@ -315,16 +314,16 @@ func TestRouteSelector_NewRoutesBehavior(t *testing.T) {
 				rs.SelectAllRoutes()
 				return rs.DeselectRoutes([]route.NetID{"route1"}, initialRoutes)
 			},
-			// After deselecting specific routes, new routes should remain unselected
+			// After deselecting specific routes, new routes should be selected
-			wantNewSelected: []route.NetID{"route2", "route3"},
+			wantNewSelected: []route.NetID{"route2", "route3", "route4", "route5"},
 		},
 		{
 			name: "New routes after selecting with append",
 			initialState: func(rs *routeselector.RouteSelector) error {
 				return rs.SelectRoutes([]route.NetID{"route1"}, true, initialRoutes)
 			},
-			// When routes were appended, new routes should remain unselected
+			// When routes were appended, new routes should be selected
-			wantNewSelected: []route.NetID{"route1"},
+			wantNewSelected: []route.NetID{"route1", "route2", "route3", "route4", "route5"},
 		},
 	}
@@ -358,3 +357,283 @@ func TestRouteSelector_NewRoutesBehavior(t *testing.T) {
 		})
 	}
 }
 func TestRouteSelector_MixedSelectionDeselection(t *testing.T) {
 	allRoutes := []route.NetID{"route1", "route2", "route3"}
 	tests := []struct {
 		name              string
 		routesToSelect    []route.NetID
 		selectAppend      bool
 		routesToDeselect  []route.NetID
 		selectFirst       bool
 		wantSelectedFinal []route.NetID
 	}{
 		{
 			name:              "1. Select A, then Deselect B",
 			routesToSelect:    []route.NetID{"route1"},
 			selectAppend:      false,
 			routesToDeselect:  []route.NetID{"route2"},
 			selectFirst:       true,
 			wantSelectedFinal: []route.NetID{"route1"},
 		},
 		{
 			name:              "2. Select A, then Deselect A",
 			routesToSelect:    []route.NetID{"route1"},
 			selectAppend:      false,
 			routesToDeselect:  []route.NetID{"route1"},
 			selectFirst:       true,
 			wantSelectedFinal: []route.NetID{},
 		},
 		{
 			name:              "3. Deselect A (from all), then Select B",
 			routesToSelect:    []route.NetID{"route2"},
 			selectAppend:      false,
 			routesToDeselect:  []route.NetID{"route1"},
 			selectFirst:       false,
 			wantSelectedFinal: []route.NetID{"route2"},
 		},
 		{
 			name:              "4. Deselect A (from all), then Select A",
 			routesToSelect:    []route.NetID{"route1"},
 			selectAppend:      false,
 			routesToDeselect:  []route.NetID{"route1"},
 			selectFirst:       false,
 			wantSelectedFinal: []route.NetID{"route1"},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			rs := routeselector.NewRouteSelector()
 			var err1, err2 error
 			if tt.selectFirst {
 				err1 = rs.SelectRoutes(tt.routesToSelect, tt.selectAppend, allRoutes)
 				require.NoError(t, err1)
 				err2 = rs.DeselectRoutes(tt.routesToDeselect, allRoutes)
 				require.NoError(t, err2)
 			} else {
 				err1 = rs.DeselectRoutes(tt.routesToDeselect, allRoutes)
 				require.NoError(t, err1)
 				err2 = rs.SelectRoutes(tt.routesToSelect, tt.selectAppend, allRoutes)
 				require.NoError(t, err2)
 			}
 			for _, r := range allRoutes {
 				assert.Equal(t, slices.Contains(tt.wantSelectedFinal, r), rs.IsSelected(r), "Route %s final state mismatch", r)
 			}
 		})
 	}
 }
 func TestRouteSelector_AfterDeselectAll(t *testing.T) {
 	allRoutes := []route.NetID{"route1", "route2", "route3"}
 	tests := []struct {
 		name          string
 		initialAction func(rs *routeselector.RouteSelector) error
 		secondAction  func(rs *routeselector.RouteSelector) error
 		wantSelected  []route.NetID
 		wantError     bool
 	}{
 		{
 			name: "Deselect all -> select specific routes",
 			initialAction: func(rs *routeselector.RouteSelector) error {
 				rs.DeselectAllRoutes()
 				return nil
 			},
 			secondAction: func(rs *routeselector.RouteSelector) error {
 				return rs.SelectRoutes([]route.NetID{"route1", "route2"}, false, allRoutes)
 			},
 			wantSelected: []route.NetID{"route1", "route2"},
 		},
 		{
 			name: "Deselect all -> select with append",
 			initialAction: func(rs *routeselector.RouteSelector) error {
 				rs.DeselectAllRoutes()
 				return nil
 			},
 			secondAction: func(rs *routeselector.RouteSelector) error {
 				return rs.SelectRoutes([]route.NetID{"route1"}, true, allRoutes)
 			},
 			wantSelected: []route.NetID{"route1"},
 		},
 		{
 			name: "Deselect all -> deselect specific",
 			initialAction: func(rs *routeselector.RouteSelector) error {
 				rs.DeselectAllRoutes()
 				return nil
 			},
 			secondAction: func(rs *routeselector.RouteSelector) error {
 				return rs.DeselectRoutes([]route.NetID{"route1"}, allRoutes)
 			},
 			wantSelected: []route.NetID{},
 		},
 		{
 			name: "Deselect all -> select all",
 			initialAction: func(rs *routeselector.RouteSelector) error {
 				rs.DeselectAllRoutes()
 				return nil
 			},
 			secondAction: func(rs *routeselector.RouteSelector) error {
 				rs.SelectAllRoutes()
 				return nil
 			},
 			wantSelected: []route.NetID{"route1", "route2", "route3"},
 		},
 		{
 			name: "Deselect all -> deselect non-existent route",
 			initialAction: func(rs *routeselector.RouteSelector) error {
 				rs.DeselectAllRoutes()
 				return nil
 			},
 			secondAction: func(rs *routeselector.RouteSelector) error {
 				return rs.DeselectRoutes([]route.NetID{"route4"}, allRoutes)
 			},
 			wantSelected: []route.NetID{},
 			wantError:    false,
 		},
 		{
 			name: "Select specific -> deselect all -> select different",
 			initialAction: func(rs *routeselector.RouteSelector) error {
 				err := rs.SelectRoutes([]route.NetID{"route1"}, false, allRoutes)
 				if err != nil {
 					return err
 				}
 				rs.DeselectAllRoutes()
 				return nil
 			},
 			secondAction: func(rs *routeselector.RouteSelector) error {
 				return rs.SelectRoutes([]route.NetID{"route2", "route3"}, false, allRoutes)
 			},
 			wantSelected: []route.NetID{"route2", "route3"},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			rs := routeselector.NewRouteSelector()
 			err := tt.initialAction(rs)
 			require.NoError(t, err)
 			err = tt.secondAction(rs)
 			if tt.wantError {
 				assert.Error(t, err)
 			} else {
 				assert.NoError(t, err)
 			}
 			for _, id := range allRoutes {
 				expected := slices.Contains(tt.wantSelected, id)
 				assert.Equal(t, expected, rs.IsSelected(id),
 					"Route %s selection state incorrect, expected %v", id, expected)
 			}
 			routes := route.HAMap{
 				"route1|10.0.0.0/8":     {},
 				"route2|192.168.0.0/16": {},
 				"route3|172.16.0.0/12":  {},
 			}
 			filtered := rs.FilterSelected(routes)
 			assert.Equal(t, len(tt.wantSelected), len(filtered),
 				"FilterSelected returned wrong number of routes")
 		})
 	}
 }
 func TestRouteSelector_ComplexScenarios(t *testing.T) {
 	allRoutes := []route.NetID{"route1", "route2", "route3", "route4"}
 	tests := []struct {
 		name         string
 		actions      []func(rs *routeselector.RouteSelector) error
 		wantSelected []route.NetID
 	}{
 		{
 			name: "Select all -> deselect specific -> select different with append",
 			actions: []func(rs *routeselector.RouteSelector) error{
 				func(rs *routeselector.RouteSelector) error {
 					rs.SelectAllRoutes()
 					return nil
 				},
 				func(rs *routeselector.RouteSelector) error {
 					return rs.DeselectRoutes([]route.NetID{"route1", "route2"}, allRoutes)
 				},
 				func(rs *routeselector.RouteSelector) error {
 					return rs.SelectRoutes([]route.NetID{"route1"}, true, allRoutes)
 				},
 			},
 			wantSelected: []route.NetID{"route1", "route3", "route4"},
 		},
 		{
 			name: "Deselect all -> select specific -> deselect one -> select different with append",
 			actions: []func(rs *routeselector.RouteSelector) error{
 				func(rs *routeselector.RouteSelector) error {
 					rs.DeselectAllRoutes()
 					return nil
 				},
 				func(rs *routeselector.RouteSelector) error {
 					return rs.SelectRoutes([]route.NetID{"route1", "route2"}, false, allRoutes)
 				},
 				func(rs *routeselector.RouteSelector) error {
 					return rs.DeselectRoutes([]route.NetID{"route2"}, allRoutes)
 				},
 				func(rs *routeselector.RouteSelector) error {
 					return rs.SelectRoutes([]route.NetID{"route3"}, true, allRoutes)
 				},
 			},
 			wantSelected: []route.NetID{"route1", "route3"},
 		},
 		{
 			name: "Select specific -> deselect specific -> select all -> deselect different",
 			actions: []func(rs *routeselector.RouteSelector) error{
 				func(rs *routeselector.RouteSelector) error {
 					return rs.SelectRoutes([]route.NetID{"route1", "route2"}, false, allRoutes)
 				},
 				func(rs *routeselector.RouteSelector) error {
 					return rs.DeselectRoutes([]route.NetID{"route2"}, allRoutes)
 				},
 				func(rs *routeselector.RouteSelector) error {
 					rs.SelectAllRoutes()
 					return nil
 				},
 				func(rs *routeselector.RouteSelector) error {
 					return rs.DeselectRoutes([]route.NetID{"route3", "route4"}, allRoutes)
 				},
 			},
 			wantSelected: []route.NetID{"route1", "route2"},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			rs := routeselector.NewRouteSelector()
 			for i, action := range tt.actions {
 				err := action(rs)
 				require.NoError(t, err, "Action %d failed", i)
 			}
 			for _, id := range allRoutes {
 				expected := slices.Contains(tt.wantSelected, id)
 				assert.Equal(t, expected, rs.IsSelected(id),
 					"Route %s selection state incorrect", id)
 			}
 			routes := route.HAMap{
 				"route1|10.0.0.0/8":     {},
 				"route2|192.168.0.0/16": {},
 				"route3|172.16.0.0/12":  {},
 				"route4|10.10.0.0/16":   {},
 			}
 			filtered := rs.FilterSelected(routes)
 			assert.Equal(t, len(tt.wantSelected), len(filtered),
 				"FilterSelected returned wrong number of routes")
 		})
 	}
 }
--- a/client/proto/daemon.pb.go
+++ b/client/proto/daemon.pb.go
--- a/client/proto/daemon_grpc.pb.go
+++ b/client/proto/daemon_grpc.pb.go
@@ -1,4 +1,8 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
 // - protoc-gen-go-grpc v1.5.1
 // - protoc             (unknown)
 // source: daemon/daemon.proto
 package proto
@@ -11,8 +15,31 @@ import (
 // This is a compile-time assertion to ensure that this generated file
 // is compatible with the grpc package it is being compiled against.
-// Requires gRPC-Go v1.32.0 or later.
+// Requires gRPC-Go v1.64.0 or later.
-const _ = grpc.SupportPackageIsVersion7
+const _ = grpc.SupportPackageIsVersion9
 const (
 	DaemonService_Login_FullMethodName                    = "/daemon.DaemonService/Login"
 	DaemonService_WaitSSOLogin_FullMethodName             = "/daemon.DaemonService/WaitSSOLogin"
 	DaemonService_Up_FullMethodName                       = "/daemon.DaemonService/Up"
 	DaemonService_Status_FullMethodName                   = "/daemon.DaemonService/Status"
 	DaemonService_Down_FullMethodName                     = "/daemon.DaemonService/Down"
 	DaemonService_GetConfig_FullMethodName                = "/daemon.DaemonService/GetConfig"
 	DaemonService_ListNetworks_FullMethodName             = "/daemon.DaemonService/ListNetworks"
 	DaemonService_SelectNetworks_FullMethodName           = "/daemon.DaemonService/SelectNetworks"
 	DaemonService_DeselectNetworks_FullMethodName         = "/daemon.DaemonService/DeselectNetworks"
 	DaemonService_ForwardingRules_FullMethodName          = "/daemon.DaemonService/ForwardingRules"
 	DaemonService_DebugBundle_FullMethodName              = "/daemon.DaemonService/DebugBundle"
 	DaemonService_GetLogLevel_FullMethodName              = "/daemon.DaemonService/GetLogLevel"
 	DaemonService_SetLogLevel_FullMethodName              = "/daemon.DaemonService/SetLogLevel"
 	DaemonService_ListStates_FullMethodName               = "/daemon.DaemonService/ListStates"
 	DaemonService_CleanState_FullMethodName               = "/daemon.DaemonService/CleanState"
 	DaemonService_DeleteState_FullMethodName              = "/daemon.DaemonService/DeleteState"
 	DaemonService_SetNetworkMapPersistence_FullMethodName = "/daemon.DaemonService/SetNetworkMapPersistence"
 	DaemonService_TracePacket_FullMethodName              = "/daemon.DaemonService/TracePacket"
 	DaemonService_SubscribeEvents_FullMethodName          = "/daemon.DaemonService/SubscribeEvents"
 	DaemonService_GetEvents_FullMethodName                = "/daemon.DaemonService/GetEvents"
 )
 // DaemonServiceClient is the client API for DaemonService service.
 //
@@ -53,7 +80,7 @@ type DaemonServiceClient interface {
 	// SetNetworkMapPersistence enables or disables network map persistence
 	SetNetworkMapPersistence(ctx context.Context, in *SetNetworkMapPersistenceRequest, opts ...grpc.CallOption) (*SetNetworkMapPersistenceResponse, error)
 	TracePacket(ctx context.Context, in *TracePacketRequest, opts ...grpc.CallOption) (*TracePacketResponse, error)
-	SubscribeEvents(ctx context.Context, in *SubscribeRequest, opts ...grpc.CallOption) (DaemonService_SubscribeEventsClient, error)
+	SubscribeEvents(ctx context.Context, in *SubscribeRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[SystemEvent], error)
 	GetEvents(ctx context.Context, in *GetEventsRequest, opts ...grpc.CallOption) (*GetEventsResponse, error)
 }
@@ -66,8 +93,9 @@ func NewDaemonServiceClient(cc grpc.ClientConnInterface) DaemonServiceClient {
 }
 func (c *daemonServiceClient) Login(ctx context.Context, in *LoginRequest, opts ...grpc.CallOption) (*LoginResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(LoginResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/Login", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_Login_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -75,8 +103,9 @@ func (c *daemonServiceClient) Login(ctx context.Context, in *LoginRequest, opts
 }
 func (c *daemonServiceClient) WaitSSOLogin(ctx context.Context, in *WaitSSOLoginRequest, opts ...grpc.CallOption) (*WaitSSOLoginResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(WaitSSOLoginResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/WaitSSOLogin", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_WaitSSOLogin_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -84,8 +113,9 @@ func (c *daemonServiceClient) WaitSSOLogin(ctx context.Context, in *WaitSSOLogin
 }
 func (c *daemonServiceClient) Up(ctx context.Context, in *UpRequest, opts ...grpc.CallOption) (*UpResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(UpResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/Up", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_Up_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -93,8 +123,9 @@ func (c *daemonServiceClient) Up(ctx context.Context, in *UpRequest, opts ...grp
 }
 func (c *daemonServiceClient) Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (*StatusResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(StatusResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/Status", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_Status_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -102,8 +133,9 @@ func (c *daemonServiceClient) Status(ctx context.Context, in *StatusRequest, opt
 }
 func (c *daemonServiceClient) Down(ctx context.Context, in *DownRequest, opts ...grpc.CallOption) (*DownResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(DownResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/Down", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_Down_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -111,8 +143,9 @@ func (c *daemonServiceClient) Down(ctx context.Context, in *DownRequest, opts ..
 }
 func (c *daemonServiceClient) GetConfig(ctx context.Context, in *GetConfigRequest, opts ...grpc.CallOption) (*GetConfigResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(GetConfigResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/GetConfig", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_GetConfig_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -120,8 +153,9 @@ func (c *daemonServiceClient) GetConfig(ctx context.Context, in *GetConfigReques
 }
 func (c *daemonServiceClient) ListNetworks(ctx context.Context, in *ListNetworksRequest, opts ...grpc.CallOption) (*ListNetworksResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(ListNetworksResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/ListNetworks", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_ListNetworks_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -129,8 +163,9 @@ func (c *daemonServiceClient) ListNetworks(ctx context.Context, in *ListNetworks
 }
 func (c *daemonServiceClient) SelectNetworks(ctx context.Context, in *SelectNetworksRequest, opts ...grpc.CallOption) (*SelectNetworksResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(SelectNetworksResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/SelectNetworks", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_SelectNetworks_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -138,8 +173,9 @@ func (c *daemonServiceClient) SelectNetworks(ctx context.Context, in *SelectNetw
 }
 func (c *daemonServiceClient) DeselectNetworks(ctx context.Context, in *SelectNetworksRequest, opts ...grpc.CallOption) (*SelectNetworksResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(SelectNetworksResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/DeselectNetworks", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_DeselectNetworks_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -147,8 +183,9 @@ func (c *daemonServiceClient) DeselectNetworks(ctx context.Context, in *SelectNe
 }
 func (c *daemonServiceClient) ForwardingRules(ctx context.Context, in *EmptyRequest, opts ...grpc.CallOption) (*ForwardingRulesResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(ForwardingRulesResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/ForwardingRules", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_ForwardingRules_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -156,8 +193,9 @@ func (c *daemonServiceClient) ForwardingRules(ctx context.Context, in *EmptyRequ
 }
 func (c *daemonServiceClient) DebugBundle(ctx context.Context, in *DebugBundleRequest, opts ...grpc.CallOption) (*DebugBundleResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(DebugBundleResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/DebugBundle", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_DebugBundle_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -165,8 +203,9 @@ func (c *daemonServiceClient) DebugBundle(ctx context.Context, in *DebugBundleRe
 }
 func (c *daemonServiceClient) GetLogLevel(ctx context.Context, in *GetLogLevelRequest, opts ...grpc.CallOption) (*GetLogLevelResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(GetLogLevelResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/GetLogLevel", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_GetLogLevel_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -174,8 +213,9 @@ func (c *daemonServiceClient) GetLogLevel(ctx context.Context, in *GetLogLevelRe
 }
 func (c *daemonServiceClient) SetLogLevel(ctx context.Context, in *SetLogLevelRequest, opts ...grpc.CallOption) (*SetLogLevelResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(SetLogLevelResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/SetLogLevel", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_SetLogLevel_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -183,8 +223,9 @@ func (c *daemonServiceClient) SetLogLevel(ctx context.Context, in *SetLogLevelRe
 }
 func (c *daemonServiceClient) ListStates(ctx context.Context, in *ListStatesRequest, opts ...grpc.CallOption) (*ListStatesResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(ListStatesResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/ListStates", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_ListStates_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -192,8 +233,9 @@ func (c *daemonServiceClient) ListStates(ctx context.Context, in *ListStatesRequ
 }
 func (c *daemonServiceClient) CleanState(ctx context.Context, in *CleanStateRequest, opts ...grpc.CallOption) (*CleanStateResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(CleanStateResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/CleanState", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_CleanState_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -201,8 +243,9 @@ func (c *daemonServiceClient) CleanState(ctx context.Context, in *CleanStateRequ
 }
 func (c *daemonServiceClient) DeleteState(ctx context.Context, in *DeleteStateRequest, opts ...grpc.CallOption) (*DeleteStateResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(DeleteStateResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/DeleteState", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_DeleteState_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -210,8 +253,9 @@ func (c *daemonServiceClient) DeleteState(ctx context.Context, in *DeleteStateRe
 }
 func (c *daemonServiceClient) SetNetworkMapPersistence(ctx context.Context, in *SetNetworkMapPersistenceRequest, opts ...grpc.CallOption) (*SetNetworkMapPersistenceResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(SetNetworkMapPersistenceResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/SetNetworkMapPersistence", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_SetNetworkMapPersistence_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -219,20 +263,22 @@ func (c *daemonServiceClient) SetNetworkMapPersistence(ctx context.Context, in *
 }
 func (c *daemonServiceClient) TracePacket(ctx context.Context, in *TracePacketRequest, opts ...grpc.CallOption) (*TracePacketResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(TracePacketResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/TracePacket", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_TracePacket_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }
-func (c *daemonServiceClient) SubscribeEvents(ctx context.Context, in *SubscribeRequest, opts ...grpc.CallOption) (DaemonService_SubscribeEventsClient, error) {
+func (c *daemonServiceClient) SubscribeEvents(ctx context.Context, in *SubscribeRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[SystemEvent], error) {
-	stream, err := c.cc.NewStream(ctx, &DaemonService_ServiceDesc.Streams[0], "/daemon.DaemonService/SubscribeEvents", opts...)
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	stream, err := c.cc.NewStream(ctx, &DaemonService_ServiceDesc.Streams[0], DaemonService_SubscribeEvents_FullMethodName, cOpts...)
 	if err != nil {
 		return nil, err
 	}
-	x := &daemonServiceSubscribeEventsClient{stream}
+	x := &grpc.GenericClientStream[SubscribeRequest, SystemEvent]{ClientStream: stream}
 	if err := x.ClientStream.SendMsg(in); err != nil {
 		return nil, err
 	}
@@ -242,26 +288,13 @@ func (c *daemonServiceClient) SubscribeEvents(ctx context.Context, in *Subscribe
 	return x, nil
 }
-type DaemonService_SubscribeEventsClient interface {
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
-	Recv() (*SystemEvent, error)
+type DaemonService_SubscribeEventsClient = grpc.ServerStreamingClient[SystemEvent]
 	grpc.ClientStream
 }
 type daemonServiceSubscribeEventsClient struct {
 	grpc.ClientStream
 }
 func (x *daemonServiceSubscribeEventsClient) Recv() (*SystemEvent, error) {
 	m := new(SystemEvent)
 	if err := x.ClientStream.RecvMsg(m); err != nil {
 		return nil, err
 	}
 	return m, nil
 }
 func (c *daemonServiceClient) GetEvents(ctx context.Context, in *GetEventsRequest, opts ...grpc.CallOption) (*GetEventsResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(GetEventsResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/GetEvents", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_GetEvents_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -270,7 +303,7 @@ func (c *daemonServiceClient) GetEvents(ctx context.Context, in *GetEventsReques
 // DaemonServiceServer is the server API for DaemonService service.
 // All implementations must embed UnimplementedDaemonServiceServer
-// for forward compatibility
+// for forward compatibility.
 type DaemonServiceServer interface {
 	// Login uses setup key to prepare configuration for the daemon.
 	Login(context.Context, *LoginRequest) (*LoginResponse, error)
@@ -307,14 +340,17 @@ type DaemonServiceServer interface {
 	// SetNetworkMapPersistence enables or disables network map persistence
 	SetNetworkMapPersistence(context.Context, *SetNetworkMapPersistenceRequest) (*SetNetworkMapPersistenceResponse, error)
 	TracePacket(context.Context, *TracePacketRequest) (*TracePacketResponse, error)
-	SubscribeEvents(*SubscribeRequest, DaemonService_SubscribeEventsServer) error
+	SubscribeEvents(*SubscribeRequest, grpc.ServerStreamingServer[SystemEvent]) error
 	GetEvents(context.Context, *GetEventsRequest) (*GetEventsResponse, error)
 	mustEmbedUnimplementedDaemonServiceServer()
 }
-// UnimplementedDaemonServiceServer must be embedded to have forward compatible implementations.
+// UnimplementedDaemonServiceServer must be embedded to have
-type UnimplementedDaemonServiceServer struct {
+// forward compatible implementations.
-}
+//
 // NOTE: this should be embedded by value instead of pointer to avoid a nil
 // pointer dereference when methods are called.
 type UnimplementedDaemonServiceServer struct{}
 func (UnimplementedDaemonServiceServer) Login(context.Context, *LoginRequest) (*LoginResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method Login not implemented")
@@ -370,13 +406,14 @@ func (UnimplementedDaemonServiceServer) SetNetworkMapPersistence(context.Context
 func (UnimplementedDaemonServiceServer) TracePacket(context.Context, *TracePacketRequest) (*TracePacketResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method TracePacket not implemented")
 }
-func (UnimplementedDaemonServiceServer) SubscribeEvents(*SubscribeRequest, DaemonService_SubscribeEventsServer) error {
+func (UnimplementedDaemonServiceServer) SubscribeEvents(*SubscribeRequest, grpc.ServerStreamingServer[SystemEvent]) error {
 	return status.Errorf(codes.Unimplemented, "method SubscribeEvents not implemented")
 }
 func (UnimplementedDaemonServiceServer) GetEvents(context.Context, *GetEventsRequest) (*GetEventsResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetEvents not implemented")
 }
 func (UnimplementedDaemonServiceServer) mustEmbedUnimplementedDaemonServiceServer() {}
 func (UnimplementedDaemonServiceServer) testEmbeddedByValue()                       {}
 // UnsafeDaemonServiceServer may be embedded to opt out of forward compatibility for this service.
 // Use of this interface is not recommended, as added methods to DaemonServiceServer will
@@ -386,6 +423,13 @@ type UnsafeDaemonServiceServer interface {
 }
 func RegisterDaemonServiceServer(s grpc.ServiceRegistrar, srv DaemonServiceServer) {
 	// If the following call pancis, it indicates UnimplementedDaemonServiceServer was
 	// embedded by pointer and is nil.  This will cause panics if an
 	// unimplemented method is ever invoked, so we test this at initialization
 	// time to prevent it from happening at runtime later due to I/O.
 	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
 		t.testEmbeddedByValue()
 	}
 	s.RegisterService(&DaemonService_ServiceDesc, srv)
 }
@@ -399,7 +443,7 @@ func _DaemonService_Login_Handler(srv interface{}, ctx context.Context, dec func
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/Login",
+		FullMethod: DaemonService_Login_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).Login(ctx, req.(*LoginRequest))
@@ -417,7 +461,7 @@ func _DaemonService_WaitSSOLogin_Handler(srv interface{}, ctx context.Context, d
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/WaitSSOLogin",
+		FullMethod: DaemonService_WaitSSOLogin_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).WaitSSOLogin(ctx, req.(*WaitSSOLoginRequest))
@@ -435,7 +479,7 @@ func _DaemonService_Up_Handler(srv interface{}, ctx context.Context, dec func(in
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/Up",
+		FullMethod: DaemonService_Up_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).Up(ctx, req.(*UpRequest))
@@ -453,7 +497,7 @@ func _DaemonService_Status_Handler(srv interface{}, ctx context.Context, dec fun
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/Status",
+		FullMethod: DaemonService_Status_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).Status(ctx, req.(*StatusRequest))
@@ -471,7 +515,7 @@ func _DaemonService_Down_Handler(srv interface{}, ctx context.Context, dec func(
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/Down",
+		FullMethod: DaemonService_Down_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).Down(ctx, req.(*DownRequest))
@@ -489,7 +533,7 @@ func _DaemonService_GetConfig_Handler(srv interface{}, ctx context.Context, dec
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/GetConfig",
+		FullMethod: DaemonService_GetConfig_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).GetConfig(ctx, req.(*GetConfigRequest))
@@ -507,7 +551,7 @@ func _DaemonService_ListNetworks_Handler(srv interface{}, ctx context.Context, d
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/ListNetworks",
+		FullMethod: DaemonService_ListNetworks_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).ListNetworks(ctx, req.(*ListNetworksRequest))
@@ -525,7 +569,7 @@ func _DaemonService_SelectNetworks_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/SelectNetworks",
+		FullMethod: DaemonService_SelectNetworks_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).SelectNetworks(ctx, req.(*SelectNetworksRequest))
@@ -543,7 +587,7 @@ func _DaemonService_DeselectNetworks_Handler(srv interface{}, ctx context.Contex
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/DeselectNetworks",
+		FullMethod: DaemonService_DeselectNetworks_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).DeselectNetworks(ctx, req.(*SelectNetworksRequest))
@@ -561,7 +605,7 @@ func _DaemonService_ForwardingRules_Handler(srv interface{}, ctx context.Context
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/ForwardingRules",
+		FullMethod: DaemonService_ForwardingRules_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).ForwardingRules(ctx, req.(*EmptyRequest))
@@ -579,7 +623,7 @@ func _DaemonService_DebugBundle_Handler(srv interface{}, ctx context.Context, de
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/DebugBundle",
+		FullMethod: DaemonService_DebugBundle_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).DebugBundle(ctx, req.(*DebugBundleRequest))
@@ -597,7 +641,7 @@ func _DaemonService_GetLogLevel_Handler(srv interface{}, ctx context.Context, de
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/GetLogLevel",
+		FullMethod: DaemonService_GetLogLevel_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).GetLogLevel(ctx, req.(*GetLogLevelRequest))
@@ -615,7 +659,7 @@ func _DaemonService_SetLogLevel_Handler(srv interface{}, ctx context.Context, de
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/SetLogLevel",
+		FullMethod: DaemonService_SetLogLevel_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).SetLogLevel(ctx, req.(*SetLogLevelRequest))
@@ -633,7 +677,7 @@ func _DaemonService_ListStates_Handler(srv interface{}, ctx context.Context, dec
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/ListStates",
+		FullMethod: DaemonService_ListStates_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).ListStates(ctx, req.(*ListStatesRequest))
@@ -651,7 +695,7 @@ func _DaemonService_CleanState_Handler(srv interface{}, ctx context.Context, dec
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/CleanState",
+		FullMethod: DaemonService_CleanState_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).CleanState(ctx, req.(*CleanStateRequest))
@@ -669,7 +713,7 @@ func _DaemonService_DeleteState_Handler(srv interface{}, ctx context.Context, de
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/DeleteState",
+		FullMethod: DaemonService_DeleteState_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).DeleteState(ctx, req.(*DeleteStateRequest))
@@ -687,7 +731,7 @@ func _DaemonService_SetNetworkMapPersistence_Handler(srv interface{}, ctx contex
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/SetNetworkMapPersistence",
+		FullMethod: DaemonService_SetNetworkMapPersistence_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).SetNetworkMapPersistence(ctx, req.(*SetNetworkMapPersistenceRequest))
@@ -705,7 +749,7 @@ func _DaemonService_TracePacket_Handler(srv interface{}, ctx context.Context, de
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/TracePacket",
+		FullMethod: DaemonService_TracePacket_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).TracePacket(ctx, req.(*TracePacketRequest))
@@ -718,21 +762,11 @@ func _DaemonService_SubscribeEvents_Handler(srv interface{}, stream grpc.ServerS
 	if err := stream.RecvMsg(m); err != nil {
 		return err
 	}
-	return srv.(DaemonServiceServer).SubscribeEvents(m, &daemonServiceSubscribeEventsServer{stream})
+	return srv.(DaemonServiceServer).SubscribeEvents(m, &grpc.GenericServerStream[SubscribeRequest, SystemEvent]{ServerStream: stream})
 }
-type DaemonService_SubscribeEventsServer interface {
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
-	Send(*SystemEvent) error
+type DaemonService_SubscribeEventsServer = grpc.ServerStreamingServer[SystemEvent]
 	grpc.ServerStream
 }
 type daemonServiceSubscribeEventsServer struct {
 	grpc.ServerStream
 }
 func (x *daemonServiceSubscribeEventsServer) Send(m *SystemEvent) error {
 	return x.ServerStream.SendMsg(m)
 }
 func _DaemonService_GetEvents_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(GetEventsRequest)
@@ -744,7 +778,7 @@ func _DaemonService_GetEvents_Handler(srv interface{}, ctx context.Context, dec
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/GetEvents",
+		FullMethod: DaemonService_GetEvents_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).GetEvents(ctx, req.(*GetEventsRequest))
@@ -843,5 +877,5 @@ var DaemonService_ServiceDesc = grpc.ServiceDesc{
 			ServerStreams: true,
 		},
 	},
-	Metadata: "daemon.proto",
+	Metadata: "daemon/daemon.proto",
 }
--- a/client/proto/generate.sh
+++ b/client/proto/generate.sh
@@ -1,17 +0,0 @@
 #!/bin/bash
 set -e
 if ! which realpath > /dev/null 2>&1
 then
  echo realpath is not installed
  echo run: brew install coreutils
  exit 1
 fi
 old_pwd=$(pwd)
 script_path=$(dirname $(realpath "$0"))
 cd "$script_path"
 go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.26
 go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.1
 protoc -I ./ ./daemon.proto --go_out=../ --go-grpc_out=../ --experimental_allow_proto3_optional
 cd "$old_pwd"
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Pedro Costa	43176fb96c	Merge branch 'main' into feature/buf-cli # Conflicts: # client/proto/daemon.pb.go # management/proto/management.pb.go	2025-05-12 10:34:14 +01:00
hakansa	2f34e984b0	[client] Add TCP support to DNS forwarder service listener (#3790 ) [client] Add TCP support to DNS forwarder service listener	2025-05-09 15:06:34 +03:00
Viktor Liu	d5b52e86b6	[client] Ignore irrelevant route changes to tracked network monitor routes (#3796 )	2025-05-09 14:01:21 +02:00
Zoltan Papp	cad2fe1f39	Return with the correct copied length (#3804 )	2025-05-09 13:56:27 +02:00
Pascal Fischer	fcd2c15a37	[management] policy delete cleans policy rules (#3788 )	2025-05-07 07:25:25 +02:00
Bethuel Mmbaga	ebda0fc538	[management] Delete service users with account manager (#3793 )	2025-05-06 17:31:03 +02:00
M. Essam	ac135ab11d	[management/client/rest] fix panic when body is nil (#3714 ) Fixes panic occurring when body is nil (this usually happens when connections is refused) due to lack of nil check by centralizing response.Body.Close() behavior.	2025-05-05 18:54:47 +02:00
Pascal Fischer	25faf9283d	[management] removal of foreign key constraint enforcement on sqlite (#3786 )	2025-05-05 18:21:48 +02:00
hakansa	59faaa99f6	[client] Improve NetBird installation script to handle daemon connection timeout (#3761 ) [client] Improve NetBird installation script to handle daemon connection timeout	2025-05-05 17:05:01 +03:00
Viktor Liu	9762b39f29	[client] Fix stale local records (#3776 )	2025-05-05 14:29:05 +02:00
Alin Trăistaru	ffdd115ded	[client] set TLS ServerName for hostname-based QUIC connections (#3673 ) * fix: set TLS ServerName for hostname-based QUIC connections When connecting to a relay server by hostname, certificates are validated against the IP address instead of the hostname. This change sets ServerName in the TLS config when connecting via hostname, ensuring proper certificate validation. * use default port if port is missing in URL string	2025-05-05 12:20:54 +02:00
Pascal Fischer	055df9854c	[management] add gorm tag for primary key for the networks objects (#3758 )	2025-05-04 20:58:04 +02:00
Maycon Santos	12f883badf	[management] Optimize load account (#3774 )	2025-05-02 00:59:41 +02:00
Maycon Santos	2abb92b0d4	[management] Get account id with order (#3773 ) updated log to display account id	2025-05-02 00:25:46 +02:00
Viktor Liu	01c3719c5d	[client] Add debug for duration option to netbird ui (#3772 )	2025-05-01 23:25:27 +02:00
Pedro Maia Costa	7b64953eed	[management] user info with role permissions (#3728 )	2025-05-01 11:24:55 +01:00
Viktor Liu	9bc7d788f0	[client] Add debug upload option to netbird ui (#3768 )	2025-05-01 00:48:31 +02:00
Pedro Maia Costa	b5419ef11a	[management] limit peers based on module read permission (#3757 )	2025-04-30 15:53:18 +01:00
Zoltan Papp	d5081cef90	[client] Revert mgm client error handling (#3764 )	2025-04-30 13:09:00 +02:00
Bethuel Mmbaga	488e619ec7	[management] Add network traffic events pagination (#3580 ) * Add network traffic events pagination schema	2025-04-30 11:51:40 +03:00
hakansa	d2b42c8f68	[client] Add macOS .pkg installer support to installation script (#3755 ) [client] Add macOS .pkg installer support to installation script	2025-04-29 13:43:42 +03:00
Maycon Santos	2f44fe2e23	[client] Feature/upload bundle (#3734 ) Add an upload bundle option with the flag --upload-bundle; by default, the upload will use a NetBird address, which can be replaced using the flag --upload-bundle-url. The upload server is available under the /upload-server path. The release change will push a docker image to netbirdio/upload image repository. The server supports using s3 with pre-signed URL for direct upload and local file for storing bundles.	2025-04-29 00:43:50 +02:00
Bethuel Mmbaga	d8dc107bee	[management] Skip IdP cache warm-up on Redis if data exists (#3733 ) * Add Redis cache check to skip warm-up on startup if cache is already populated * Refactor Redis test container setup for reusability	2025-04-28 15:10:40 +03:00
Viktor Liu	3fa915e271	[misc] Exclude client benchmarks from CI (#3752 )	2025-04-28 13:40:36 +02:00
Pedro Maia Costa	47c3afe561	[management] add missing network admin mapping (#3751 )	2025-04-28 11:05:27 +01:00
hakansa	84bfecdd37	[client] add byte counters & ruleID for routed traffic on userspace (#3653 ) * [client] add byte counters for routed traffic on userspace * [client] add allowed ruleID for routed traffic on userspace	2025-04-28 10:10:41 +03:00
Viktor Liu	3cf87b6846	[client] Run container tests more generically (#3737 )	2025-04-25 18:50:44 +02:00
Maycon Santos	4fe4c2054d	[client] Move static check when running on foreground (#3742 )	2025-04-25 18:25:48 +02:00
Pascal Fischer	38ada44a0e	[management] allow impersonation via pats (#3739 )	2025-04-25 16:40:54 +02:00
Pedro Maia Costa	dbf81a145e	[management] network admin role (#3720 )	2025-04-25 15:14:32 +01:00
Pedro Maia Costa	39483f8ca8	[management] Auditor role (#3721 )	2025-04-25 15:04:25 +01:00
Carlos Hernandez	c0eaea938e	[client] Fix macos privacy warning when checking static info (#3496 ) avoid checking static info with a init call	2025-04-25 14:41:57 +02:00
Viktor Liu	ef8b8a2891	[client] Ensure dst-type local marks can overwrite nat marks (#3738 )	2025-04-25 12:43:20 +02:00
Zoltan Papp	2817f62c13	[client] Fix error handling case of flow grpc error (#3727 ) When a gRPC error occurs in the Flow package, it will be propagated to the upper layers and handled similarly to a Management gRPC error. Always report a disconnected state in the event of any error Hide the underlying gRPC errors Force close the gRPC connection in the event of any error	2025-04-25 09:26:18 +02:00
Viktor Liu	4a9049566a	[client] Set up firewall rules for dns routes dynamically based on dns response (#3702 )	2025-04-24 17:37:28 +02:00
Viktor Liu	85f92f8321	[client] Add more userspace filter ACL test cases (#3730 )	2025-04-24 12:57:46 +02:00
Viktor Liu	714beb6e3b	[client] Fix exit node deselection (#3722 )	2025-04-24 12:36:05 +02:00
Viktor Liu	400b9fca32	[management] Add firewall rule route ID and missing route domains (#3700 )	2025-04-23 21:29:46 +02:00
hakansa	4013298e22	[client/ui] add connecting state to status handling (#3712 )	2025-04-23 21:04:38 +02:00
Pascal Fischer	312bfd9bd7	[management] support custom domains per account (#3726 )	2025-04-23 19:36:53 +02:00
Pascal Fischer	8db05838ca	[misc] Change github runner for docker test (#3707 )	2025-04-23 19:35:26 +02:00
Misha Bragin	c69df13515	[management] Add account meta (#3724 )	2025-04-23 18:44:22 +02:00
Pascal Fischer	986eb8c1e0	[management] fix lastLogin on dashboard (#3725 )	2025-04-23 15:54:49 +02:00
dependabot[bot]	197761ba4d	Bump github.com/redis/go-redis/v9 from 9.7.1 to 9.7.3 (#3553 ) Bumps [github.com/redis/go-redis/v9](https://github.com/redis/go-redis) from 9.7.1 to 9.7.3. - [Release notes](https://github.com/redis/go-redis/releases) - [Changelog](https://github.com/redis/go-redis/blob/master/CHANGELOG.md) - [Commits](https://github.com/redis/go-redis/compare/v9.7.1...v9.7.3) --- updated-dependencies: - dependency-name: github.com/redis/go-redis/v9 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-04-23 10:21:36 +02:00
dependabot[bot]	f74ea64c7b	Bump golang.org/x/net from 0.36.0 to 0.38.0 (#3695 ) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.36.0 to 0.38.0. - [Commits](https://github.com/golang/net/compare/v0.36.0...v0.38.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-version: 0.38.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-04-23 10:20:51 +02:00
Viktor Liu	3b7b9d25bc	[client] Keep new routes selected unless all are deselected (#3692 )	2025-04-23 01:07:04 +02:00
Pascal Fischer	1a6d6b3109	[management] fix github run id (#3705 )	2025-04-18 11:21:54 +02:00
Pascal Fischer	f686615876	[management] benchmarks use ref_name instead (#3704 )	2025-04-17 21:57:54 +02:00
Pascal Fischer	a4311f574d	[management] push benchmark results to grafana (#3701 )	2025-04-17 21:01:23 +02:00
Pierre Timmermans	0bb8eae903	[docs] fix: broken link in the README file (#3697 ) improve README.md, broken link for activity logging	2025-04-17 14:48:10 +02:00
Pedro Costa	d1e4bb0fa3	Merge branch 'main' into feature/buf-cli # Conflicts: # management/proto/management.pb.go	2025-04-17 11:53:47 +01:00
Pascal Fischer	e0b33d325d	[management] permissions manager use crud operations (#3690 )	2025-04-16 17:25:03 +02:00
Zoltan Papp	c38e07d89a	[client] Fix Rosenpass permissive mode handling (#3689 ) fixes the Rosenpass preshared key handling to enable successful WireGuard handshakes when one side is in permissive mode. Key changes include: Updating field accesses from RosenpassPubKey/RosenpassAddr to RosenpassConfig.PubKey/RosenpassConfig.Addr. Modifying the preshared key computation logic to account for permissive mode. Revising peer configuration in the Engine to use the new RosenpassConfig struct.	2025-04-16 16:04:43 +02:00
Lamera	a37368fff4	[misc] update gpt file permissions in install.sh (#3663 ) * Fix install.sh for some installations Fix install.sh for some installations by explicitly setting the file permissions * Add sudo	2025-04-16 14:23:25 +02:00
Viktor Liu	0c93bd3d06	[client] Keep selecting new networks after first deselection (#3671 )	2025-04-16 13:55:26 +02:00
Viktor Liu	a675531b5c	[client] Set up signal to generate debug bundles (#3683 )	2025-04-16 11:06:22 +02:00
hakansa	7cb366bc7d	[client] Remove logrus writer assignment in pion logging (#3684 )	2025-04-15 18:15:52 +03:00
Viktor Liu	a354004564	[client] Add remaining debug profiles (#3681 )	2025-04-15 13:06:28 +02:00
Pedro Maia Costa	75bdd47dfb	[management] get current user endpoint (#3666 )	2025-04-15 11:06:07 +01:00
Viktor Liu	b165f63327	[client] Add heap profile to debug bundle (#3679 )	2025-04-15 11:36:41 +02:00
hakansa	51bb52cdf5	[client] Refactor DNSForwarder to improve handle wildcard domain resource id matching (#3651 ) [client] Refactor DNSForwarder to improve handle wildcard domain resource id matching (#3651)	2025-04-15 10:54:17 +03:00
Pedro Maia Costa	4134b857b4	[management] add permissions manager to geolocation handler (#3665 )	2025-04-14 17:57:58 +01:00
Vlad	7839d2c169	[management] Refactor/management/updchannel (#3645 ) * refactoring updatechannel - use read mutex for send update	2025-04-11 18:22:59 +03:00
Pascal Fischer	b9f82e2f8a	[management] Buffer updateAccountPeers calls (#3644 )	2025-04-11 17:21:05 +02:00
Pedro Maia Costa	fd2a21c65d	[management] remove unnecessary access control middleware (#3650 )	2025-04-11 10:43:59 +01:00
Maycon Santos	82d982b0ab	[management,client] Add support to configurable prompt login (#3660 )	2025-04-11 11:34:55 +02:00
Maycon Santos	9e24fe7701	[docs] Fix a few typos on table (#3658 )	2025-04-10 17:57:39 +02:00
Pedro Maia Costa	e470701b80	[ci] include stash in pr template (#3657 )	2025-04-10 16:30:44 +01:00
Viktor Liu	e3ce026355	[client] Fix race dns cleanup race condition (#3652 )	2025-04-10 13:21:14 +02:00
Pascal Fischer	5ea2806663	[management] use permission modules (#3622 )	2025-04-10 11:06:52 +02:00
Viktor Liu	d6b0673580	[client] Support CNAME in local resolver (#3646 )	2025-04-10 10:38:47 +02:00
Pedro Costa	12b0c13511	[misc] buf cli proto lint, format and gen	2025-04-09 20:39:32 +01:00
Pedro Maia Costa	14913cfa7a	add git town config (#3555 )	2025-04-09 20:18:52 +01:00
Viktor Liu	03f600b576	[client] Fallback to TCP if a truncated UDP response is received from upstream DNS (#3632 )	2025-04-08 13:41:13 +02:00
Viktor Liu	192c97aa63	[client] Support IP fragmentation in userspace (#3639 )	2025-04-08 12:49:14 +02:00