fix: keep the daemon socket address constant

Refactors peer deletion to centralize group cleanup logic, ensuring deleted peers are consistently removed from all groups in one place.

- Removed redundant group removal code from DefaultAccountManager.DeletePeer
- Added group removal logic inside deletePeers to handle both single and multiple peer deletions

.github/workflows/release.yml

@@ -9,7 +9,7 @@ on:
   pull_request:
 
 env:
-  SIGN_PIPE_VER: "v0.0.19"
+  SIGN_PIPE_VER: "v0.0.20"
   GORELEASER_VER: "v2.3.2"
   PRODUCT_NAME: "NetBird"
   COPYRIGHT: "NetBird GmbH"

.github/workflows/test-infrastructure-files.yml

@@ -134,6 +134,7 @@ jobs:
           NETBIRD_STORE_ENGINE_MYSQL_DSN: '${{ env.NETBIRD_STORE_ENGINE_MYSQL_DSN }}$'
           CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH: false
           CI_NETBIRD_TURN_EXTERNAL_IP: "1.2.3.4"
+          CI_NETBIRD_MGMT_DISABLE_DEFAULT_POLICY: false
 
         run: |
           set -x
@@ -180,6 +181,7 @@ jobs:
           grep -A 7 Relay management.json | egrep '"Secret": ".+"'
           grep DisablePromptLogin management.json | grep 'true'
           grep LoginFlag management.json | grep 0
+          grep DisableDefaultPolicy management.json | grep "$CI_NETBIRD_MGMT_DISABLE_DEFAULT_POLICY"
 
       - name: Install modules
         run: go mod tidy

README.md

@@ -14,6 +14,9 @@
     <br>
     <a href="https://docs.netbird.io/slack-url">
         <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack"/>
+     </a>
+    <a href="https://forum.netbird.io">
+        <img src="https://img.shields.io/badge/community forum-@netbird-red.svg?logo=discourse"/>
      </a>  
      <br>
     <a href="https://gurubase.io/g/netbird">
@@ -29,13 +32,13 @@
   <br/>
   See <a href="https://netbird.io/docs/">Documentation</a>
   <br/>
-   Join our <a href="https://docs.netbird.io/slack-url">Slack channel</a>
+   Join our <a href="https://docs.netbird.io/slack-url">Slack channel</a> or our <a href="https://forum.netbird.io">Community forum</a>
   <br/>
  
 </strong>
 <br>
-<a href="https://github.com/netbirdio/kubernetes-operator">
+<a href="https://registry.terraform.io/providers/netbirdio/netbird/latest">
-    New: NetBird Kubernetes Operator
+    New: NetBird terraform provider
   </a> 
 </p>
 

client/android/client.go

@@ -203,8 +203,10 @@ func (c *Client) Networks() *NetworkArray {
 			continue
 		}
 
-		if routes[0].IsDynamic() {
+		r := routes[0]
-			continue
+		netStr := r.Network.String()
+		if r.IsDynamic() {
+			netStr = r.Domains.SafeString()
 		}
 
 		peer, err := c.recorder.GetPeer(routes[0].Peer)
@@ -214,7 +216,7 @@ func (c *Client) Networks() *NetworkArray {
 		}
 		network := Network{
 			Name:    string(id),
-			Network: routes[0].Network.String(),
+			Network: netStr,
 			Peer:    peer.FQDN,
 			Status:  peer.ConnStatus.String(),
 		}

client/cmd/service.go

@@ -37,7 +37,7 @@ func newSVCConfig() *service.Config {
 	}
 
 	if runtime.GOOS == "linux" {
-		config.EnvVars["SYSTEMD_UNIT"] = serviceName
+		config.EnvVars["NB_SERVICE"] = serviceName
 	}
 
 	return config

client/cmd/status.go

@@ -120,7 +120,7 @@ func getStatus(ctx context.Context) (*proto.StatusResponse, error) {
 	}
 	defer conn.Close()
 
-	resp, err := proto.NewDaemonServiceClient(conn).Status(ctx, &proto.StatusRequest{GetFullPeerStatus: true})
+	resp, err := proto.NewDaemonServiceClient(conn).Status(ctx, &proto.StatusRequest{GetFullPeerStatus: true, ShouldRunProbes: true})
 	if err != nil {
 		return nil, fmt.Errorf("status failed: %v", status.Convert(err).Message())
 	}

client/cmd/testutil_test.go

@@ -103,7 +103,7 @@ func startManagement(t *testing.T, config *types.Config, testFile string) (*grpc
 		Return(&types.Settings{}, nil).
 		AnyTimes()
 
-	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock)
+	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
 	if err != nil {
 		t.Fatal(err)
 	}

client/firewall/uspfilter/filter.go

@@ -104,6 +104,12 @@ type Manager struct {
 	flowLogger  nftypes.FlowLogger
 
 	blockRule firewall.Rule
+
+	// Internal 1:1 DNAT
+	dnatEnabled  atomic.Bool
+	dnatMappings map[netip.Addr]netip.Addr
+	dnatMutex    sync.RWMutex
+	dnatBiMap    *biDNATMap
 }
 
 // decoder for packages
@@ -189,6 +195,7 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		flowLogger:          flowLogger,
 		netstack:            netstack.IsEnabled(),
 		localForwarding:     enableLocalForwarding,
+		dnatMappings:        make(map[netip.Addr]netip.Addr),
 	}
 	m.routingEnabled.Store(false)
 
@@ -519,22 +526,6 @@ func (m *Manager) SetLegacyManagement(isLegacy bool) error {
 // Flush doesn't need to be implemented for this manager
 func (m *Manager) Flush() error { return nil }
 
-// AddDNATRule adds a DNAT rule
-func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
-	if m.nativeFirewall == nil {
-		return nil, errNatNotSupported
-	}
-	return m.nativeFirewall.AddDNATRule(rule)
-}
-
-// DeleteDNATRule deletes a DNAT rule
-func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
-	if m.nativeFirewall == nil {
-		return errNatNotSupported
-	}
-	return m.nativeFirewall.DeleteDNATRule(rule)
-}
-
 // UpdateSet updates the rule destinations associated with the given set
 // by merging the existing prefixes with the new ones, then deduplicating.
 func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
@@ -581,14 +572,14 @@ func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	return nil
 }
 
-// DropOutgoing filter outgoing packets
+// FilterOutBound filters outgoing packets
-func (m *Manager) DropOutgoing(packetData []byte, size int) bool {
+func (m *Manager) FilterOutbound(packetData []byte, size int) bool {
-	return m.processOutgoingHooks(packetData, size)
+	return m.filterOutbound(packetData, size)
 }
 
-// DropIncoming filter incoming packets
+// FilterInbound filters incoming packets
-func (m *Manager) DropIncoming(packetData []byte, size int) bool {
+func (m *Manager) FilterInbound(packetData []byte, size int) bool {
-	return m.dropFilter(packetData, size)
+	return m.filterInbound(packetData, size)
 }
 
 // UpdateLocalIPs updates the list of local IPs
@@ -596,7 +587,7 @@ func (m *Manager) UpdateLocalIPs() error {
 	return m.localipmanager.UpdateLocalIPs(m.wgIface)
 }
 
-func (m *Manager) processOutgoingHooks(packetData []byte, size int) bool {
+func (m *Manager) filterOutbound(packetData []byte, size int) bool {
 	d := m.decoders.Get().(*decoder)
 	defer m.decoders.Put(d)
 
@@ -618,8 +609,8 @@ func (m *Manager) processOutgoingHooks(packetData []byte, size int) bool {
 		return true
 	}
 
-	// for netflow we keep track even if the firewall is stateless
 	m.trackOutbound(d, srcIP, dstIP, size)
+	m.translateOutboundDNAT(packetData, d)
 
 	return false
 }
@@ -723,9 +714,9 @@ func (m *Manager) udpHooksDrop(dport uint16, dstIP netip.Addr, packetData []byte
 	return false
 }
 
-// dropFilter implements filtering logic for incoming packets.
+// filterInbound implements filtering logic for incoming packets.
 // If it returns true, the packet should be dropped.
-func (m *Manager) dropFilter(packetData []byte, size int) bool {
+func (m *Manager) filterInbound(packetData []byte, size int) bool {
 	d := m.decoders.Get().(*decoder)
 	defer m.decoders.Put(d)
 
@@ -747,8 +738,15 @@ func (m *Manager) dropFilter(packetData []byte, size int) bool {
 		return false
 	}
 
-	// For all inbound traffic, first check if it matches a tracked connection.
+	if translated := m.translateInboundReverse(packetData, d); translated {
-	// This must happen before any other filtering because the packets are statefully tracked.
+		// Re-decode after translation to get original addresses
+		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
+			m.logger.Error("Failed to re-decode packet after reverse DNAT: %v", err)
+			return true
+		}
+		srcIP, dstIP = m.extractIPs(d)
+	}
+
 	if m.stateful && m.isValidTrackedConnection(d, srcIP, dstIP, size) {
 		return false
 	}

client/firewall/uspfilter/filter_bench_test.go

@@ -188,13 +188,13 @@ func BenchmarkCoreFiltering(b *testing.B) {
 
 				// For stateful scenarios, establish the connection
 				if sc.stateful {
-					manager.processOutgoingHooks(outbound, 0)
+					manager.filterOutbound(outbound, 0)
 				}
 
 				// Measure inbound packet processing
 				b.ResetTimer()
 				for i := 0; i < b.N; i++ {
-					manager.dropFilter(inbound, 0)
+					manager.filterInbound(inbound, 0)
 				}
 			})
 		}
@@ -220,7 +220,7 @@ func BenchmarkStateScaling(b *testing.B) {
 			for i := 0; i < count; i++ {
 				outbound := generatePacket(b, srcIPs[i], dstIPs[i],
 					uint16(1024+i), 80, layers.IPProtocolTCP)
-				manager.processOutgoingHooks(outbound, 0)
+				manager.filterOutbound(outbound, 0)
 			}
 
 			// Test packet
@@ -228,11 +228,11 @@ func BenchmarkStateScaling(b *testing.B) {
 			testIn := generatePacket(b, dstIPs[0], srcIPs[0], 80, 1024, layers.IPProtocolTCP)
 
 			// First establish our test connection
-			manager.processOutgoingHooks(testOut, 0)
+			manager.filterOutbound(testOut, 0)
 
 			b.ResetTimer()
 			for i := 0; i < b.N; i++ {
-				manager.dropFilter(testIn, 0)
+				manager.filterInbound(testIn, 0)
 			}
 		})
 	}
@@ -263,12 +263,12 @@ func BenchmarkEstablishmentOverhead(b *testing.B) {
 			inbound := generatePacket(b, dstIP, srcIP, 80, 1024, layers.IPProtocolTCP)
 
 			if sc.established {
-				manager.processOutgoingHooks(outbound, 0)
+				manager.filterOutbound(outbound, 0)
 			}
 
 			b.ResetTimer()
 			for i := 0; i < b.N; i++ {
-				manager.dropFilter(inbound, 0)
+				manager.filterInbound(inbound, 0)
 			}
 		})
 	}
@@ -426,25 +426,25 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			// For stateful cases and established connections
 			if !strings.Contains(sc.name, "allow_non_wg") ||
 				(strings.Contains(sc.state, "established") || sc.state == "post_handshake") {
-				manager.processOutgoingHooks(outbound, 0)
+				manager.filterOutbound(outbound, 0)
 
 				// For TCP post-handshake, simulate full handshake
 				if sc.state == "post_handshake" {
 					// SYN
 					syn := generateTCPPacketWithFlags(b, srcIP, dstIP, 1024, 80, uint16(conntrack.TCPSyn))
-					manager.processOutgoingHooks(syn, 0)
+					manager.filterOutbound(syn, 0)
 					// SYN-ACK
 					synack := generateTCPPacketWithFlags(b, dstIP, srcIP, 80, 1024, uint16(conntrack.TCPSyn|conntrack.TCPAck))
-					manager.dropFilter(synack, 0)
+					manager.filterInbound(synack, 0)
 					// ACK
 					ack := generateTCPPacketWithFlags(b, srcIP, dstIP, 1024, 80, uint16(conntrack.TCPAck))
-					manager.processOutgoingHooks(ack, 0)
+					manager.filterOutbound(ack, 0)
 				}
 			}
 
 			b.ResetTimer()
 			for i := 0; i < b.N; i++ {
-				manager.dropFilter(inbound, 0)
+				manager.filterInbound(inbound, 0)
 			}
 		})
 	}
@@ -568,17 +568,17 @@ func BenchmarkLongLivedConnections(b *testing.B) {
 				// Initial SYN
 				syn := generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
 					uint16(1024+i), 80, uint16(conntrack.TCPSyn))
-				manager.processOutgoingHooks(syn, 0)
+				manager.filterOutbound(syn, 0)
 
 				// SYN-ACK
 				synack := generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
 					80, uint16(1024+i), uint16(conntrack.TCPSyn|conntrack.TCPAck))
-				manager.dropFilter(synack, 0)
+				manager.filterInbound(synack, 0)
 
 				// ACK
 				ack := generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
 					uint16(1024+i), 80, uint16(conntrack.TCPAck))
-				manager.processOutgoingHooks(ack, 0)
+				manager.filterOutbound(ack, 0)
 			}
 
 			// Prepare test packets simulating bidirectional traffic
@@ -599,9 +599,9 @@ func BenchmarkLongLivedConnections(b *testing.B) {
 
 				// Simulate bidirectional traffic
 				// First outbound data
-				manager.processOutgoingHooks(outPackets[connIdx], 0)
+				manager.filterOutbound(outPackets[connIdx], 0)
 				// Then inbound response - this is what we're actually measuring
-				manager.dropFilter(inPackets[connIdx], 0)
+				manager.filterInbound(inPackets[connIdx], 0)
 			}
 		})
 	}
@@ -700,19 +700,19 @@ func BenchmarkShortLivedConnections(b *testing.B) {
 				p := patterns[connIdx]
 
 				// Connection establishment
-				manager.processOutgoingHooks(p.syn, 0)
+				manager.filterOutbound(p.syn, 0)
-				manager.dropFilter(p.synAck, 0)
+				manager.filterInbound(p.synAck, 0)
-				manager.processOutgoingHooks(p.ack, 0)
+				manager.filterOutbound(p.ack, 0)
 
 				// Data transfer
-				manager.processOutgoingHooks(p.request, 0)
+				manager.filterOutbound(p.request, 0)
-				manager.dropFilter(p.response, 0)
+				manager.filterInbound(p.response, 0)
 
 				// Connection teardown
-				manager.processOutgoingHooks(p.finClient, 0)
+				manager.filterOutbound(p.finClient, 0)
-				manager.dropFilter(p.ackServer, 0)
+				manager.filterInbound(p.ackServer, 0)
-				manager.dropFilter(p.finServer, 0)
+				manager.filterInbound(p.finServer, 0)
-				manager.processOutgoingHooks(p.ackClient, 0)
+				manager.filterOutbound(p.ackClient, 0)
 			}
 		})
 	}
@@ -760,15 +760,15 @@ func BenchmarkParallelLongLivedConnections(b *testing.B) {
 			for i := 0; i < sc.connCount; i++ {
 				syn := generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
 					uint16(1024+i), 80, uint16(conntrack.TCPSyn))
-				manager.processOutgoingHooks(syn, 0)
+				manager.filterOutbound(syn, 0)
 
 				synack := generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
 					80, uint16(1024+i), uint16(conntrack.TCPSyn|conntrack.TCPAck))
-				manager.dropFilter(synack, 0)
+				manager.filterInbound(synack, 0)
 
 				ack := generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
 					uint16(1024+i), 80, uint16(conntrack.TCPAck))
-				manager.processOutgoingHooks(ack, 0)
+				manager.filterOutbound(ack, 0)
 			}
 
 			// Pre-generate test packets
@@ -790,8 +790,8 @@ func BenchmarkParallelLongLivedConnections(b *testing.B) {
 					counter++
 
 					// Simulate bidirectional traffic
-					manager.processOutgoingHooks(outPackets[connIdx], 0)
+					manager.filterOutbound(outPackets[connIdx], 0)
-					manager.dropFilter(inPackets[connIdx], 0)
+					manager.filterInbound(inPackets[connIdx], 0)
 				}
 			})
 		})
@@ -879,17 +879,17 @@ func BenchmarkParallelShortLivedConnections(b *testing.B) {
 					p := patterns[connIdx]
 
 					// Full connection lifecycle
-					manager.processOutgoingHooks(p.syn, 0)
+					manager.filterOutbound(p.syn, 0)
-					manager.dropFilter(p.synAck, 0)
+					manager.filterInbound(p.synAck, 0)
-					manager.processOutgoingHooks(p.ack, 0)
+					manager.filterOutbound(p.ack, 0)
 
-					manager.processOutgoingHooks(p.request, 0)
+					manager.filterOutbound(p.request, 0)
-					manager.dropFilter(p.response, 0)
+					manager.filterInbound(p.response, 0)
 
-					manager.processOutgoingHooks(p.finClient, 0)
+					manager.filterOutbound(p.finClient, 0)
-					manager.dropFilter(p.ackServer, 0)
+					manager.filterInbound(p.ackServer, 0)
-					manager.dropFilter(p.finServer, 0)
+					manager.filterInbound(p.finServer, 0)
-					manager.processOutgoingHooks(p.ackClient, 0)
+					manager.filterOutbound(p.ackClient, 0)
 				}
 			})
 		})

client/firewall/uspfilter/filter_filter_test.go

@@ -462,7 +462,7 @@ func TestPeerACLFiltering(t *testing.T) {
 
 	t.Run("Implicit DROP (no rules)", func(t *testing.T) {
 		packet := createTestPacket(t, "100.10.0.1", "100.10.0.100", fw.ProtocolTCP, 12345, 443)
-		isDropped := manager.DropIncoming(packet, 0)
+		isDropped := manager.FilterInbound(packet, 0)
 		require.True(t, isDropped, "Packet should be dropped when no rules exist")
 	})
 
@@ -509,7 +509,7 @@ func TestPeerACLFiltering(t *testing.T) {
 			})
 
 			packet := createTestPacket(t, tc.srcIP, tc.dstIP, tc.proto, tc.srcPort, tc.dstPort)
-			isDropped := manager.DropIncoming(packet, 0)
+			isDropped := manager.FilterInbound(packet, 0)
 			require.Equal(t, tc.shouldBeBlocked, isDropped)
 		})
 	}
@@ -1233,7 +1233,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			srcIP := netip.MustParseAddr(tc.srcIP)
 			dstIP := netip.MustParseAddr(tc.dstIP)
 
-			// testing routeACLsPass only and not DropIncoming, as routed packets are dropped after being passed
+			// testing routeACLsPass only and not FilterInbound, as routed packets are dropped after being passed
 			// to the forwarder
 			_, isAllowed := manager.routeACLsPass(srcIP, dstIP, tc.proto, tc.srcPort, tc.dstPort)
 			require.Equal(t, tc.shouldPass, isAllowed)

client/firewall/uspfilter/filter_test.go

@@ -321,7 +321,7 @@ func TestNotMatchByIP(t *testing.T) {
 		return
 	}
 
-	if m.dropFilter(buf.Bytes(), 0) {
+	if m.filterInbound(buf.Bytes(), 0) {
 		t.Errorf("expected packet to be accepted")
 		return
 	}
@@ -447,7 +447,7 @@ func TestProcessOutgoingHooks(t *testing.T) {
 	require.NoError(t, err)
 
 	// Test hook gets called
-	result := manager.processOutgoingHooks(buf.Bytes(), 0)
+	result := manager.filterOutbound(buf.Bytes(), 0)
 	require.True(t, result)
 	require.True(t, hookCalled)
 
@@ -457,7 +457,7 @@ func TestProcessOutgoingHooks(t *testing.T) {
 	err = gopacket.SerializeLayers(buf, opts, ipv4)
 	require.NoError(t, err)
 
-	result = manager.processOutgoingHooks(buf.Bytes(), 0)
+	result = manager.filterOutbound(buf.Bytes(), 0)
 	require.False(t, result)
 }
 
@@ -553,7 +553,7 @@ func TestStatefulFirewall_UDPTracking(t *testing.T) {
 	require.NoError(t, err)
 
 	// Process outbound packet and verify connection tracking
-	drop := manager.DropOutgoing(outboundBuf.Bytes(), 0)
+	drop := manager.FilterOutbound(outboundBuf.Bytes(), 0)
 	require.False(t, drop, "Initial outbound packet should not be dropped")
 
 	// Verify connection was tracked
@@ -620,7 +620,7 @@ func TestStatefulFirewall_UDPTracking(t *testing.T) {
 	for _, cp := range checkPoints {
 		time.Sleep(cp.sleep)
 
-		drop = manager.dropFilter(inboundBuf.Bytes(), 0)
+		drop = manager.filterInbound(inboundBuf.Bytes(), 0)
 		require.Equal(t, cp.shouldAllow, !drop, cp.description)
 
 		// If the connection should still be valid, verify it exists
@@ -669,7 +669,7 @@ func TestStatefulFirewall_UDPTracking(t *testing.T) {
 	}
 
 	// Create a new outbound connection for invalid tests
-	drop = manager.processOutgoingHooks(outboundBuf.Bytes(), 0)
+	drop = manager.filterOutbound(outboundBuf.Bytes(), 0)
 	require.False(t, drop, "Second outbound packet should not be dropped")
 
 	for _, tc := range invalidCases {
@@ -691,7 +691,7 @@ func TestStatefulFirewall_UDPTracking(t *testing.T) {
 			require.NoError(t, err)
 
 			// Verify the invalid packet is dropped
-			drop = manager.dropFilter(testBuf.Bytes(), 0)
+			drop = manager.filterInbound(testBuf.Bytes(), 0)
 			require.True(t, drop, tc.description)
 		})
 	}

client/firewall/uspfilter/nat.go

@@ -0,0 +1,408 @@
+package uspfilter
+
+import (
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"net/netip"
+
+	"github.com/google/gopacket/layers"
+
+	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+)
+
+var ErrIPv4Only = errors.New("only IPv4 is supported for DNAT")
+
+func ipv4Checksum(header []byte) uint16 {
+	if len(header) < 20 {
+		return 0
+	}
+
+	var sum1, sum2 uint32
+
+	// Parallel processing - unroll and compute two sums simultaneously
+	sum1 += uint32(binary.BigEndian.Uint16(header[0:2]))
+	sum2 += uint32(binary.BigEndian.Uint16(header[2:4]))
+	sum1 += uint32(binary.BigEndian.Uint16(header[4:6]))
+	sum2 += uint32(binary.BigEndian.Uint16(header[6:8]))
+	sum1 += uint32(binary.BigEndian.Uint16(header[8:10]))
+	// Skip checksum field at [10:12]
+	sum2 += uint32(binary.BigEndian.Uint16(header[12:14]))
+	sum1 += uint32(binary.BigEndian.Uint16(header[14:16]))
+	sum2 += uint32(binary.BigEndian.Uint16(header[16:18]))
+	sum1 += uint32(binary.BigEndian.Uint16(header[18:20]))
+
+	sum := sum1 + sum2
+
+	// Handle remaining bytes for headers > 20 bytes
+	for i := 20; i < len(header)-1; i += 2 {
+		sum += uint32(binary.BigEndian.Uint16(header[i : i+2]))
+	}
+
+	if len(header)%2 == 1 {
+		sum += uint32(header[len(header)-1]) << 8
+	}
+
+	// Optimized carry fold - single iteration handles most cases
+	sum = (sum & 0xFFFF) + (sum >> 16)
+	if sum > 0xFFFF {
+		sum++
+	}
+
+	return ^uint16(sum)
+}
+
+func icmpChecksum(data []byte) uint16 {
+	var sum1, sum2, sum3, sum4 uint32
+	i := 0
+
+	// Process 16 bytes at once with 4 parallel accumulators
+	for i <= len(data)-16 {
+		sum1 += uint32(binary.BigEndian.Uint16(data[i : i+2]))
+		sum2 += uint32(binary.BigEndian.Uint16(data[i+2 : i+4]))
+		sum3 += uint32(binary.BigEndian.Uint16(data[i+4 : i+6]))
+		sum4 += uint32(binary.BigEndian.Uint16(data[i+6 : i+8]))
+		sum1 += uint32(binary.BigEndian.Uint16(data[i+8 : i+10]))
+		sum2 += uint32(binary.BigEndian.Uint16(data[i+10 : i+12]))
+		sum3 += uint32(binary.BigEndian.Uint16(data[i+12 : i+14]))
+		sum4 += uint32(binary.BigEndian.Uint16(data[i+14 : i+16]))
+		i += 16
+	}
+
+	sum := sum1 + sum2 + sum3 + sum4
+
+	// Handle remaining bytes
+	for i < len(data)-1 {
+		sum += uint32(binary.BigEndian.Uint16(data[i : i+2]))
+		i += 2
+	}
+
+	if len(data)%2 == 1 {
+		sum += uint32(data[len(data)-1]) << 8
+	}
+
+	sum = (sum & 0xFFFF) + (sum >> 16)
+	if sum > 0xFFFF {
+		sum++
+	}
+
+	return ^uint16(sum)
+}
+
+type biDNATMap struct {
+	forward map[netip.Addr]netip.Addr
+	reverse map[netip.Addr]netip.Addr
+}
+
+func newBiDNATMap() *biDNATMap {
+	return &biDNATMap{
+		forward: make(map[netip.Addr]netip.Addr),
+		reverse: make(map[netip.Addr]netip.Addr),
+	}
+}
+
+func (b *biDNATMap) set(original, translated netip.Addr) {
+	b.forward[original] = translated
+	b.reverse[translated] = original
+}
+
+func (b *biDNATMap) delete(original netip.Addr) {
+	if translated, exists := b.forward[original]; exists {
+		delete(b.forward, original)
+		delete(b.reverse, translated)
+	}
+}
+
+func (b *biDNATMap) getTranslated(original netip.Addr) (netip.Addr, bool) {
+	translated, exists := b.forward[original]
+	return translated, exists
+}
+
+func (b *biDNATMap) getOriginal(translated netip.Addr) (netip.Addr, bool) {
+	original, exists := b.reverse[translated]
+	return original, exists
+}
+
+func (m *Manager) AddInternalDNATMapping(originalAddr, translatedAddr netip.Addr) error {
+	if !originalAddr.IsValid() || !translatedAddr.IsValid() {
+		return fmt.Errorf("invalid IP addresses")
+	}
+
+	if m.localipmanager.IsLocalIP(translatedAddr) {
+		return fmt.Errorf("cannot map to local IP: %s", translatedAddr)
+	}
+
+	m.dnatMutex.Lock()
+	defer m.dnatMutex.Unlock()
+
+	// Initialize both maps together if either is nil
+	if m.dnatMappings == nil || m.dnatBiMap == nil {
+		m.dnatMappings = make(map[netip.Addr]netip.Addr)
+		m.dnatBiMap = newBiDNATMap()
+	}
+
+	m.dnatMappings[originalAddr] = translatedAddr
+	m.dnatBiMap.set(originalAddr, translatedAddr)
+
+	if len(m.dnatMappings) == 1 {
+		m.dnatEnabled.Store(true)
+	}
+
+	return nil
+}
+
+// RemoveInternalDNATMapping removes a 1:1 IP address mapping
+func (m *Manager) RemoveInternalDNATMapping(originalAddr netip.Addr) error {
+	m.dnatMutex.Lock()
+	defer m.dnatMutex.Unlock()
+
+	if _, exists := m.dnatMappings[originalAddr]; !exists {
+		return fmt.Errorf("mapping not found for: %s", originalAddr)
+	}
+
+	delete(m.dnatMappings, originalAddr)
+	m.dnatBiMap.delete(originalAddr)
+	if len(m.dnatMappings) == 0 {
+		m.dnatEnabled.Store(false)
+	}
+
+	return nil
+}
+
+// getDNATTranslation returns the translated address if a mapping exists
+func (m *Manager) getDNATTranslation(addr netip.Addr) (netip.Addr, bool) {
+	if !m.dnatEnabled.Load() {
+		return addr, false
+	}
+
+	m.dnatMutex.RLock()
+	translated, exists := m.dnatBiMap.getTranslated(addr)
+	m.dnatMutex.RUnlock()
+	return translated, exists
+}
+
+// findReverseDNATMapping finds original address for return traffic
+func (m *Manager) findReverseDNATMapping(translatedAddr netip.Addr) (netip.Addr, bool) {
+	if !m.dnatEnabled.Load() {
+		return translatedAddr, false
+	}
+
+	m.dnatMutex.RLock()
+	original, exists := m.dnatBiMap.getOriginal(translatedAddr)
+	m.dnatMutex.RUnlock()
+	return original, exists
+}
+
+// translateOutboundDNAT applies DNAT translation to outbound packets
+func (m *Manager) translateOutboundDNAT(packetData []byte, d *decoder) bool {
+	if !m.dnatEnabled.Load() {
+		return false
+	}
+
+	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 {
+		return false
+	}
+
+	dstIP := netip.AddrFrom4([4]byte{packetData[16], packetData[17], packetData[18], packetData[19]})
+
+	translatedIP, exists := m.getDNATTranslation(dstIP)
+	if !exists {
+		return false
+	}
+
+	if err := m.rewritePacketDestination(packetData, d, translatedIP); err != nil {
+		m.logger.Error("Failed to rewrite packet destination: %v", err)
+		return false
+	}
+
+	m.logger.Trace("DNAT: %s -> %s", dstIP, translatedIP)
+	return true
+}
+
+// translateInboundReverse applies reverse DNAT to inbound return traffic
+func (m *Manager) translateInboundReverse(packetData []byte, d *decoder) bool {
+	if !m.dnatEnabled.Load() {
+		return false
+	}
+
+	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 {
+		return false
+	}
+
+	srcIP := netip.AddrFrom4([4]byte{packetData[12], packetData[13], packetData[14], packetData[15]})
+
+	originalIP, exists := m.findReverseDNATMapping(srcIP)
+	if !exists {
+		return false
+	}
+
+	if err := m.rewritePacketSource(packetData, d, originalIP); err != nil {
+		m.logger.Error("Failed to rewrite packet source: %v", err)
+		return false
+	}
+
+	m.logger.Trace("Reverse DNAT: %s -> %s", srcIP, originalIP)
+	return true
+}
+
+// rewritePacketDestination replaces destination IP in the packet
+func (m *Manager) rewritePacketDestination(packetData []byte, d *decoder, newIP netip.Addr) error {
+	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 || !newIP.Is4() {
+		return ErrIPv4Only
+	}
+
+	var oldDst [4]byte
+	copy(oldDst[:], packetData[16:20])
+	newDst := newIP.As4()
+
+	copy(packetData[16:20], newDst[:])
+
+	ipHeaderLen := int(d.ip4.IHL) * 4
+	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
+		return fmt.Errorf("invalid IP header length")
+	}
+
+	binary.BigEndian.PutUint16(packetData[10:12], 0)
+	ipChecksum := ipv4Checksum(packetData[:ipHeaderLen])
+	binary.BigEndian.PutUint16(packetData[10:12], ipChecksum)
+
+	if len(d.decoded) > 1 {
+		switch d.decoded[1] {
+		case layers.LayerTypeTCP:
+			m.updateTCPChecksum(packetData, ipHeaderLen, oldDst[:], newDst[:])
+		case layers.LayerTypeUDP:
+			m.updateUDPChecksum(packetData, ipHeaderLen, oldDst[:], newDst[:])
+		case layers.LayerTypeICMPv4:
+			m.updateICMPChecksum(packetData, ipHeaderLen)
+		}
+	}
+
+	return nil
+}
+
+// rewritePacketSource replaces the source IP address in the packet
+func (m *Manager) rewritePacketSource(packetData []byte, d *decoder, newIP netip.Addr) error {
+	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 || !newIP.Is4() {
+		return ErrIPv4Only
+	}
+
+	var oldSrc [4]byte
+	copy(oldSrc[:], packetData[12:16])
+	newSrc := newIP.As4()
+
+	copy(packetData[12:16], newSrc[:])
+
+	ipHeaderLen := int(d.ip4.IHL) * 4
+	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
+		return fmt.Errorf("invalid IP header length")
+	}
+
+	binary.BigEndian.PutUint16(packetData[10:12], 0)
+	ipChecksum := ipv4Checksum(packetData[:ipHeaderLen])
+	binary.BigEndian.PutUint16(packetData[10:12], ipChecksum)
+
+	if len(d.decoded) > 1 {
+		switch d.decoded[1] {
+		case layers.LayerTypeTCP:
+			m.updateTCPChecksum(packetData, ipHeaderLen, oldSrc[:], newSrc[:])
+		case layers.LayerTypeUDP:
+			m.updateUDPChecksum(packetData, ipHeaderLen, oldSrc[:], newSrc[:])
+		case layers.LayerTypeICMPv4:
+			m.updateICMPChecksum(packetData, ipHeaderLen)
+		}
+	}
+
+	return nil
+}
+
+func (m *Manager) updateTCPChecksum(packetData []byte, ipHeaderLen int, oldIP, newIP []byte) {
+	tcpStart := ipHeaderLen
+	if len(packetData) < tcpStart+18 {
+		return
+	}
+
+	checksumOffset := tcpStart + 16
+	oldChecksum := binary.BigEndian.Uint16(packetData[checksumOffset : checksumOffset+2])
+	newChecksum := incrementalUpdate(oldChecksum, oldIP, newIP)
+	binary.BigEndian.PutUint16(packetData[checksumOffset:checksumOffset+2], newChecksum)
+}
+
+func (m *Manager) updateUDPChecksum(packetData []byte, ipHeaderLen int, oldIP, newIP []byte) {
+	udpStart := ipHeaderLen
+	if len(packetData) < udpStart+8 {
+		return
+	}
+
+	checksumOffset := udpStart + 6
+	oldChecksum := binary.BigEndian.Uint16(packetData[checksumOffset : checksumOffset+2])
+
+	if oldChecksum == 0 {
+		return
+	}
+
+	newChecksum := incrementalUpdate(oldChecksum, oldIP, newIP)
+	binary.BigEndian.PutUint16(packetData[checksumOffset:checksumOffset+2], newChecksum)
+}
+
+func (m *Manager) updateICMPChecksum(packetData []byte, ipHeaderLen int) {
+	icmpStart := ipHeaderLen
+	if len(packetData) < icmpStart+8 {
+		return
+	}
+
+	icmpData := packetData[icmpStart:]
+	binary.BigEndian.PutUint16(icmpData[2:4], 0)
+	checksum := icmpChecksum(icmpData)
+	binary.BigEndian.PutUint16(icmpData[2:4], checksum)
+}
+
+// incrementalUpdate performs incremental checksum update per RFC 1624
+func incrementalUpdate(oldChecksum uint16, oldBytes, newBytes []byte) uint16 {
+	sum := uint32(^oldChecksum)
+
+	// Fast path for IPv4 addresses (4 bytes) - most common case
+	if len(oldBytes) == 4 && len(newBytes) == 4 {
+		sum += uint32(^binary.BigEndian.Uint16(oldBytes[0:2]))
+		sum += uint32(^binary.BigEndian.Uint16(oldBytes[2:4]))
+		sum += uint32(binary.BigEndian.Uint16(newBytes[0:2]))
+		sum += uint32(binary.BigEndian.Uint16(newBytes[2:4]))
+	} else {
+		// Fallback for other lengths
+		for i := 0; i < len(oldBytes)-1; i += 2 {
+			sum += uint32(^binary.BigEndian.Uint16(oldBytes[i : i+2]))
+		}
+		if len(oldBytes)%2 == 1 {
+			sum += uint32(^oldBytes[len(oldBytes)-1]) << 8
+		}
+
+		for i := 0; i < len(newBytes)-1; i += 2 {
+			sum += uint32(binary.BigEndian.Uint16(newBytes[i : i+2]))
+		}
+		if len(newBytes)%2 == 1 {
+			sum += uint32(newBytes[len(newBytes)-1]) << 8
+		}
+	}
+
+	sum = (sum & 0xFFFF) + (sum >> 16)
+	if sum > 0xFFFF {
+		sum++
+	}
+
+	return ^uint16(sum)
+}
+
+// AddDNATRule adds a DNAT rule (delegates to native firewall for port forwarding)
+func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
+	if m.nativeFirewall == nil {
+		return nil, errNatNotSupported
+	}
+	return m.nativeFirewall.AddDNATRule(rule)
+}
+
+// DeleteDNATRule deletes a DNAT rule (delegates to native firewall)
+func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
+	if m.nativeFirewall == nil {
+		return errNatNotSupported
+	}
+	return m.nativeFirewall.DeleteDNATRule(rule)
+}

client/firewall/uspfilter/nat_bench_test.go

@@ -0,0 +1,416 @@
+package uspfilter
+
+import (
+	"fmt"
+	"net/netip"
+	"testing"
+
+	"github.com/google/gopacket"
+	"github.com/google/gopacket/layers"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/iface/device"
+)
+
+// BenchmarkDNATTranslation measures the performance of DNAT operations
+func BenchmarkDNATTranslation(b *testing.B) {
+	scenarios := []struct {
+		name        string
+		proto       layers.IPProtocol
+		setupDNAT   bool
+		description string
+	}{
+		{
+			name:        "tcp_with_dnat",
+			proto:       layers.IPProtocolTCP,
+			setupDNAT:   true,
+			description: "TCP packet with DNAT translation enabled",
+		},
+		{
+			name:        "tcp_without_dnat",
+			proto:       layers.IPProtocolTCP,
+			setupDNAT:   false,
+			description: "TCP packet without DNAT (baseline)",
+		},
+		{
+			name:        "udp_with_dnat",
+			proto:       layers.IPProtocolUDP,
+			setupDNAT:   true,
+			description: "UDP packet with DNAT translation enabled",
+		},
+		{
+			name:        "udp_without_dnat",
+			proto:       layers.IPProtocolUDP,
+			setupDNAT:   false,
+			description: "UDP packet without DNAT (baseline)",
+		},
+		{
+			name:        "icmp_with_dnat",
+			proto:       layers.IPProtocolICMPv4,
+			setupDNAT:   true,
+			description: "ICMP packet with DNAT translation enabled",
+		},
+		{
+			name:        "icmp_without_dnat",
+			proto:       layers.IPProtocolICMPv4,
+			setupDNAT:   false,
+			description: "ICMP packet without DNAT (baseline)",
+		},
+	}
+
+	for _, sc := range scenarios {
+		b.Run(sc.name, func(b *testing.B) {
+			manager, err := Create(&IFaceMock{
+				SetFilterFunc: func(device.PacketFilter) error { return nil },
+			}, false, flowLogger)
+			require.NoError(b, err)
+			defer func() {
+				require.NoError(b, manager.Close(nil))
+			}()
+
+			// Set logger to error level to reduce noise during benchmarking
+			manager.SetLogLevel(log.ErrorLevel)
+			defer func() {
+				// Restore to info level after benchmark
+				manager.SetLogLevel(log.InfoLevel)
+			}()
+
+			// Setup DNAT mapping if needed
+			originalIP := netip.MustParseAddr("192.168.1.100")
+			translatedIP := netip.MustParseAddr("10.0.0.100")
+
+			if sc.setupDNAT {
+				err := manager.AddInternalDNATMapping(originalIP, translatedIP)
+				require.NoError(b, err)
+			}
+
+			// Create test packets
+			srcIP := netip.MustParseAddr("172.16.0.1")
+			outboundPacket := generateDNATTestPacket(b, srcIP, originalIP, sc.proto, 12345, 80)
+
+			// Pre-establish connection for reverse DNAT test
+			if sc.setupDNAT {
+				manager.filterOutbound(outboundPacket, 0)
+			}
+
+			b.ResetTimer()
+
+			// Benchmark outbound DNAT translation
+			b.Run("outbound", func(b *testing.B) {
+				for i := 0; i < b.N; i++ {
+					// Create fresh packet each time since translation modifies it
+					packet := generateDNATTestPacket(b, srcIP, originalIP, sc.proto, 12345, 80)
+					manager.filterOutbound(packet, 0)
+				}
+			})
+
+			// Benchmark inbound reverse DNAT translation
+			if sc.setupDNAT {
+				b.Run("inbound_reverse", func(b *testing.B) {
+					for i := 0; i < b.N; i++ {
+						// Create fresh packet each time since translation modifies it
+						packet := generateDNATTestPacket(b, translatedIP, srcIP, sc.proto, 80, 12345)
+						manager.filterInbound(packet, 0)
+					}
+				})
+			}
+		})
+	}
+}
+
+// BenchmarkDNATConcurrency tests DNAT performance under concurrent load
+func BenchmarkDNATConcurrency(b *testing.B) {
+	manager, err := Create(&IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+	}, false, flowLogger)
+	require.NoError(b, err)
+	defer func() {
+		require.NoError(b, manager.Close(nil))
+	}()
+
+	// Set logger to error level to reduce noise during benchmarking
+	manager.SetLogLevel(log.ErrorLevel)
+	defer func() {
+		// Restore to info level after benchmark
+		manager.SetLogLevel(log.InfoLevel)
+	}()
+
+	// Setup multiple DNAT mappings
+	numMappings := 100
+	originalIPs := make([]netip.Addr, numMappings)
+	translatedIPs := make([]netip.Addr, numMappings)
+
+	for i := 0; i < numMappings; i++ {
+		originalIPs[i] = netip.MustParseAddr(fmt.Sprintf("192.168.%d.%d", (i/254)+1, (i%254)+1))
+		translatedIPs[i] = netip.MustParseAddr(fmt.Sprintf("10.0.%d.%d", (i/254)+1, (i%254)+1))
+		err := manager.AddInternalDNATMapping(originalIPs[i], translatedIPs[i])
+		require.NoError(b, err)
+	}
+
+	srcIP := netip.MustParseAddr("172.16.0.1")
+
+	// Pre-generate packets
+	outboundPackets := make([][]byte, numMappings)
+	inboundPackets := make([][]byte, numMappings)
+	for i := 0; i < numMappings; i++ {
+		outboundPackets[i] = generateDNATTestPacket(b, srcIP, originalIPs[i], layers.IPProtocolTCP, 12345, 80)
+		inboundPackets[i] = generateDNATTestPacket(b, translatedIPs[i], srcIP, layers.IPProtocolTCP, 80, 12345)
+		// Establish connections
+		manager.filterOutbound(outboundPackets[i], 0)
+	}
+
+	b.ResetTimer()
+
+	b.Run("concurrent_outbound", func(b *testing.B) {
+		b.RunParallel(func(pb *testing.PB) {
+			i := 0
+			for pb.Next() {
+				idx := i % numMappings
+				packet := generateDNATTestPacket(b, srcIP, originalIPs[idx], layers.IPProtocolTCP, 12345, 80)
+				manager.filterOutbound(packet, 0)
+				i++
+			}
+		})
+	})
+
+	b.Run("concurrent_inbound", func(b *testing.B) {
+		b.RunParallel(func(pb *testing.PB) {
+			i := 0
+			for pb.Next() {
+				idx := i % numMappings
+				packet := generateDNATTestPacket(b, translatedIPs[idx], srcIP, layers.IPProtocolTCP, 80, 12345)
+				manager.filterInbound(packet, 0)
+				i++
+			}
+		})
+	})
+}
+
+// BenchmarkDNATScaling tests how DNAT performance scales with number of mappings
+func BenchmarkDNATScaling(b *testing.B) {
+	mappingCounts := []int{1, 10, 100, 1000}
+
+	for _, count := range mappingCounts {
+		b.Run(fmt.Sprintf("mappings_%d", count), func(b *testing.B) {
+			manager, err := Create(&IFaceMock{
+				SetFilterFunc: func(device.PacketFilter) error { return nil },
+			}, false, flowLogger)
+			require.NoError(b, err)
+			defer func() {
+				require.NoError(b, manager.Close(nil))
+			}()
+
+			// Set logger to error level to reduce noise during benchmarking
+			manager.SetLogLevel(log.ErrorLevel)
+			defer func() {
+				// Restore to info level after benchmark
+				manager.SetLogLevel(log.InfoLevel)
+			}()
+
+			// Setup DNAT mappings
+			for i := 0; i < count; i++ {
+				originalIP := netip.MustParseAddr(fmt.Sprintf("192.168.%d.%d", (i/254)+1, (i%254)+1))
+				translatedIP := netip.MustParseAddr(fmt.Sprintf("10.0.%d.%d", (i/254)+1, (i%254)+1))
+				err := manager.AddInternalDNATMapping(originalIP, translatedIP)
+				require.NoError(b, err)
+			}
+
+			// Test with the last mapping added (worst case for lookup)
+			srcIP := netip.MustParseAddr("172.16.0.1")
+			lastOriginal := netip.MustParseAddr(fmt.Sprintf("192.168.%d.%d", ((count-1)/254)+1, ((count-1)%254)+1))
+
+			b.ResetTimer()
+			for i := 0; i < b.N; i++ {
+				packet := generateDNATTestPacket(b, srcIP, lastOriginal, layers.IPProtocolTCP, 12345, 80)
+				manager.filterOutbound(packet, 0)
+			}
+		})
+	}
+}
+
+// generateDNATTestPacket creates a test packet for DNAT benchmarking
+func generateDNATTestPacket(tb testing.TB, srcIP, dstIP netip.Addr, proto layers.IPProtocol, srcPort, dstPort uint16) []byte {
+	tb.Helper()
+
+	ipv4 := &layers.IPv4{
+		TTL:      64,
+		Version:  4,
+		SrcIP:    srcIP.AsSlice(),
+		DstIP:    dstIP.AsSlice(),
+		Protocol: proto,
+	}
+
+	var transportLayer gopacket.SerializableLayer
+	switch proto {
+	case layers.IPProtocolTCP:
+		tcp := &layers.TCP{
+			SrcPort: layers.TCPPort(srcPort),
+			DstPort: layers.TCPPort(dstPort),
+			SYN:     true,
+		}
+		require.NoError(tb, tcp.SetNetworkLayerForChecksum(ipv4))
+		transportLayer = tcp
+	case layers.IPProtocolUDP:
+		udp := &layers.UDP{
+			SrcPort: layers.UDPPort(srcPort),
+			DstPort: layers.UDPPort(dstPort),
+		}
+		require.NoError(tb, udp.SetNetworkLayerForChecksum(ipv4))
+		transportLayer = udp
+	case layers.IPProtocolICMPv4:
+		icmp := &layers.ICMPv4{
+			TypeCode: layers.CreateICMPv4TypeCode(layers.ICMPv4TypeEchoRequest, 0),
+		}
+		transportLayer = icmp
+	}
+
+	buf := gopacket.NewSerializeBuffer()
+	opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
+	err := gopacket.SerializeLayers(buf, opts, ipv4, transportLayer, gopacket.Payload("test"))
+	require.NoError(tb, err)
+	return buf.Bytes()
+}
+
+// BenchmarkChecksumUpdate specifically benchmarks checksum calculation performance
+func BenchmarkChecksumUpdate(b *testing.B) {
+	// Create test data for checksum calculations
+	testData := make([]byte, 64) // Typical packet size for checksum testing
+	for i := range testData {
+		testData[i] = byte(i)
+	}
+
+	b.Run("ipv4_checksum", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			_ = ipv4Checksum(testData[:20]) // IPv4 header is typically 20 bytes
+		}
+	})
+
+	b.Run("icmp_checksum", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			_ = icmpChecksum(testData)
+		}
+	})
+
+	b.Run("incremental_update", func(b *testing.B) {
+		oldBytes := []byte{192, 168, 1, 100}
+		newBytes := []byte{10, 0, 0, 100}
+		oldChecksum := uint16(0x1234)
+
+		for i := 0; i < b.N; i++ {
+			_ = incrementalUpdate(oldChecksum, oldBytes, newBytes)
+		}
+	})
+}
+
+// BenchmarkDNATMemoryAllocations checks for memory allocations in DNAT operations
+func BenchmarkDNATMemoryAllocations(b *testing.B) {
+	manager, err := Create(&IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+	}, false, flowLogger)
+	require.NoError(b, err)
+	defer func() {
+		require.NoError(b, manager.Close(nil))
+	}()
+
+	// Set logger to error level to reduce noise during benchmarking
+	manager.SetLogLevel(log.ErrorLevel)
+	defer func() {
+		// Restore to info level after benchmark
+		manager.SetLogLevel(log.InfoLevel)
+	}()
+
+	originalIP := netip.MustParseAddr("192.168.1.100")
+	translatedIP := netip.MustParseAddr("10.0.0.100")
+	srcIP := netip.MustParseAddr("172.16.0.1")
+
+	err = manager.AddInternalDNATMapping(originalIP, translatedIP)
+	require.NoError(b, err)
+
+	packet := generateDNATTestPacket(b, srcIP, originalIP, layers.IPProtocolTCP, 12345, 80)
+
+	b.ResetTimer()
+	b.ReportAllocs()
+
+	for i := 0; i < b.N; i++ {
+		// Create fresh packet each time to isolate allocation testing
+		testPacket := make([]byte, len(packet))
+		copy(testPacket, packet)
+
+		// Parse the packet fresh each time to get a clean decoder
+		d := &decoder{decoded: []gopacket.LayerType{}}
+		d.parser = gopacket.NewDecodingLayerParser(
+			layers.LayerTypeIPv4,
+			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
+		)
+		d.parser.IgnoreUnsupported = true
+		err = d.parser.DecodeLayers(testPacket, &d.decoded)
+		assert.NoError(b, err)
+
+		manager.translateOutboundDNAT(testPacket, d)
+	}
+}
+
+// BenchmarkDirectIPExtraction tests the performance improvement of direct IP extraction
+func BenchmarkDirectIPExtraction(b *testing.B) {
+	// Create a test packet
+	srcIP := netip.MustParseAddr("172.16.0.1")
+	dstIP := netip.MustParseAddr("192.168.1.100")
+	packet := generateDNATTestPacket(b, srcIP, dstIP, layers.IPProtocolTCP, 12345, 80)
+
+	b.Run("direct_byte_access", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			// Direct extraction from packet bytes
+			_ = netip.AddrFrom4([4]byte{packet[16], packet[17], packet[18], packet[19]})
+		}
+	})
+
+	b.Run("decoder_extraction", func(b *testing.B) {
+		// Create decoder once for comparison
+		d := &decoder{decoded: []gopacket.LayerType{}}
+		d.parser = gopacket.NewDecodingLayerParser(
+			layers.LayerTypeIPv4,
+			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
+		)
+		d.parser.IgnoreUnsupported = true
+		err := d.parser.DecodeLayers(packet, &d.decoded)
+		assert.NoError(b, err)
+
+		for i := 0; i < b.N; i++ {
+			// Extract using decoder (traditional method)
+			dst, _ := netip.AddrFromSlice(d.ip4.DstIP)
+			_ = dst
+		}
+	})
+}
+
+// BenchmarkChecksumOptimizations compares optimized vs standard checksum implementations
+func BenchmarkChecksumOptimizations(b *testing.B) {
+	// Create test IPv4 header (20 bytes)
+	header := make([]byte, 20)
+	for i := range header {
+		header[i] = byte(i)
+	}
+	// Clear checksum field
+	header[10] = 0
+	header[11] = 0
+
+	b.Run("optimized_ipv4_checksum", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			_ = ipv4Checksum(header)
+		}
+	})
+
+	// Test incremental checksum updates
+	oldIP := []byte{192, 168, 1, 100}
+	newIP := []byte{10, 0, 0, 100}
+	oldChecksum := uint16(0x1234)
+
+	b.Run("optimized_incremental_update", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			_ = incrementalUpdate(oldChecksum, oldIP, newIP)
+		}
+	})
+}

client/firewall/uspfilter/nat_test.go

@@ -0,0 +1,145 @@
+package uspfilter
+
+import (
+	"net/netip"
+	"testing"
+
+	"github.com/google/gopacket"
+	"github.com/google/gopacket/layers"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/client/iface/device"
+)
+
+// TestDNATTranslationCorrectness verifies DNAT translation works correctly
+func TestDNATTranslationCorrectness(t *testing.T) {
+	manager, err := Create(&IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+	}, false, flowLogger)
+	require.NoError(t, err)
+	defer func() {
+		require.NoError(t, manager.Close(nil))
+	}()
+
+	originalIP := netip.MustParseAddr("192.168.1.100")
+	translatedIP := netip.MustParseAddr("10.0.0.100")
+	srcIP := netip.MustParseAddr("172.16.0.1")
+
+	// Add DNAT mapping
+	err = manager.AddInternalDNATMapping(originalIP, translatedIP)
+	require.NoError(t, err)
+
+	testCases := []struct {
+		name     string
+		protocol layers.IPProtocol
+		srcPort  uint16
+		dstPort  uint16
+	}{
+		{"TCP", layers.IPProtocolTCP, 12345, 80},
+		{"UDP", layers.IPProtocolUDP, 12345, 53},
+		{"ICMP", layers.IPProtocolICMPv4, 0, 0},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			// Test outbound DNAT translation
+			outboundPacket := generateDNATTestPacket(t, srcIP, originalIP, tc.protocol, tc.srcPort, tc.dstPort)
+			originalOutbound := make([]byte, len(outboundPacket))
+			copy(originalOutbound, outboundPacket)
+
+			// Process outbound packet (should translate destination)
+			translated := manager.translateOutboundDNAT(outboundPacket, parsePacket(t, outboundPacket))
+			require.True(t, translated, "Outbound packet should be translated")
+
+			// Verify destination IP was changed
+			dstIPAfter := netip.AddrFrom4([4]byte{outboundPacket[16], outboundPacket[17], outboundPacket[18], outboundPacket[19]})
+			require.Equal(t, translatedIP, dstIPAfter, "Destination IP should be translated")
+
+			// Test inbound reverse DNAT translation
+			inboundPacket := generateDNATTestPacket(t, translatedIP, srcIP, tc.protocol, tc.dstPort, tc.srcPort)
+			originalInbound := make([]byte, len(inboundPacket))
+			copy(originalInbound, inboundPacket)
+
+			// Process inbound packet (should reverse translate source)
+			reversed := manager.translateInboundReverse(inboundPacket, parsePacket(t, inboundPacket))
+			require.True(t, reversed, "Inbound packet should be reverse translated")
+
+			// Verify source IP was changed back to original
+			srcIPAfter := netip.AddrFrom4([4]byte{inboundPacket[12], inboundPacket[13], inboundPacket[14], inboundPacket[15]})
+			require.Equal(t, originalIP, srcIPAfter, "Source IP should be reverse translated")
+
+			// Test that checksums are recalculated correctly
+			if tc.protocol != layers.IPProtocolICMPv4 {
+				// For TCP/UDP, verify the transport checksum was updated
+				require.NotEqual(t, originalOutbound, outboundPacket, "Outbound packet should be modified")
+				require.NotEqual(t, originalInbound, inboundPacket, "Inbound packet should be modified")
+			}
+		})
+	}
+}
+
+// parsePacket helper to create a decoder for testing
+func parsePacket(t testing.TB, packetData []byte) *decoder {
+	t.Helper()
+	d := &decoder{
+		decoded: []gopacket.LayerType{},
+	}
+	d.parser = gopacket.NewDecodingLayerParser(
+		layers.LayerTypeIPv4,
+		&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
+	)
+	d.parser.IgnoreUnsupported = true
+
+	err := d.parser.DecodeLayers(packetData, &d.decoded)
+	require.NoError(t, err)
+	return d
+}
+
+// TestDNATMappingManagement tests adding/removing DNAT mappings
+func TestDNATMappingManagement(t *testing.T) {
+	manager, err := Create(&IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+	}, false, flowLogger)
+	require.NoError(t, err)
+	defer func() {
+		require.NoError(t, manager.Close(nil))
+	}()
+
+	originalIP := netip.MustParseAddr("192.168.1.100")
+	translatedIP := netip.MustParseAddr("10.0.0.100")
+
+	// Test adding mapping
+	err = manager.AddInternalDNATMapping(originalIP, translatedIP)
+	require.NoError(t, err)
+
+	// Verify mapping exists
+	result, exists := manager.getDNATTranslation(originalIP)
+	require.True(t, exists)
+	require.Equal(t, translatedIP, result)
+
+	// Test reverse lookup
+	reverseResult, exists := manager.findReverseDNATMapping(translatedIP)
+	require.True(t, exists)
+	require.Equal(t, originalIP, reverseResult)
+
+	// Test removing mapping
+	err = manager.RemoveInternalDNATMapping(originalIP)
+	require.NoError(t, err)
+
+	// Verify mapping no longer exists
+	_, exists = manager.getDNATTranslation(originalIP)
+	require.False(t, exists)
+
+	_, exists = manager.findReverseDNATMapping(translatedIP)
+	require.False(t, exists)
+
+	// Test error cases
+	err = manager.AddInternalDNATMapping(netip.Addr{}, translatedIP)
+	require.Error(t, err, "Should reject invalid original IP")
+
+	err = manager.AddInternalDNATMapping(originalIP, netip.Addr{})
+	require.Error(t, err, "Should reject invalid translated IP")
+
+	err = manager.RemoveInternalDNATMapping(originalIP)
+	require.Error(t, err, "Should error when removing non-existent mapping")
+}

client/firewall/uspfilter/tracer.go

@@ -401,7 +401,7 @@ func (m *Manager) addForwardingResult(trace *PacketTrace, action, remoteAddr str
 
 func (m *Manager) traceOutbound(packetData []byte, trace *PacketTrace) *PacketTrace {
 	// will create or update the connection state
-	dropped := m.processOutgoingHooks(packetData, 0)
+	dropped := m.filterOutbound(packetData, 0)
 	if dropped {
 		trace.AddResult(StageCompleted, "Packet dropped by outgoing hook", false)
 	} else {

client/iface/bind/activity.go

@@ -0,0 +1,94 @@
+package bind
+
+import (
+	"net/netip"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/monotime"
+)
+
+const (
+	saveFrequency = int64(5 * time.Second)
+)
+
+type PeerRecord struct {
+	Address      netip.AddrPort
+	LastActivity atomic.Int64 // UnixNano timestamp
+}
+
+type ActivityRecorder struct {
+	mu         sync.RWMutex
+	peers      map[string]*PeerRecord         // publicKey to PeerRecord map
+	addrToPeer map[netip.AddrPort]*PeerRecord // address to PeerRecord map
+}
+
+func NewActivityRecorder() *ActivityRecorder {
+	return &ActivityRecorder{
+		peers:      make(map[string]*PeerRecord),
+		addrToPeer: make(map[netip.AddrPort]*PeerRecord),
+	}
+}
+
+// GetLastActivities returns a snapshot of peer last activity
+func (r *ActivityRecorder) GetLastActivities() map[string]time.Time {
+	r.mu.RLock()
+	defer r.mu.RUnlock()
+
+	activities := make(map[string]time.Time, len(r.peers))
+	for key, record := range r.peers {
+		unixNano := record.LastActivity.Load()
+		activities[key] = time.Unix(0, unixNano)
+	}
+	return activities
+}
+
+// UpsertAddress adds or updates the address for a publicKey
+func (r *ActivityRecorder) UpsertAddress(publicKey string, address netip.AddrPort) {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	if pr, exists := r.peers[publicKey]; exists {
+		delete(r.addrToPeer, pr.Address)
+		pr.Address = address
+	} else {
+		record := &PeerRecord{
+			Address: address,
+		}
+		record.LastActivity.Store(monotime.Now())
+		r.peers[publicKey] = record
+	}
+
+	r.addrToPeer[address] = r.peers[publicKey]
+}
+
+func (r *ActivityRecorder) Remove(publicKey string) {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	if record, exists := r.peers[publicKey]; exists {
+		delete(r.addrToPeer, record.Address)
+		delete(r.peers, publicKey)
+	}
+}
+
+// record updates LastActivity for the given address using atomic store
+func (r *ActivityRecorder) record(address netip.AddrPort) {
+	r.mu.RLock()
+	record, ok := r.addrToPeer[address]
+	r.mu.RUnlock()
+	if !ok {
+		log.Warnf("could not find record for address %s", address)
+		return
+	}
+
+	now := monotime.Now()
+	last := record.LastActivity.Load()
+	if now-last < saveFrequency {
+		return
+	}
+
+	_ = record.LastActivity.CompareAndSwap(last, now)
+}

client/iface/bind/activity_test.go

@@ -0,0 +1,27 @@
+package bind
+
+import (
+	"net/netip"
+	"testing"
+	"time"
+)
+
+func TestActivityRecorder_GetLastActivities(t *testing.T) {
+	peer := "peer1"
+	ar := NewActivityRecorder()
+	ar.UpsertAddress("peer1", netip.MustParseAddrPort("192.168.0.5:51820"))
+	activities := ar.GetLastActivities()
+
+	p, ok := activities[peer]
+	if !ok {
+		t.Fatalf("Expected activity for peer %s, but got none", peer)
+	}
+
+	if p.IsZero() {
+		t.Fatalf("Expected activity for peer %s, but got zero", peer)
+	}
+
+	if p.Before(time.Now().Add(-2 * time.Minute)) {
+		t.Fatalf("Expected activity for peer %s to be recent, but got %v", peer, p)
+	}
+}

client/iface/bind/ice_bind.go

@@ -1,6 +1,7 @@
 package bind
 
 import (
+	"encoding/binary"
 	"fmt"
 	"net"
 	"net/netip"
@@ -51,22 +52,24 @@ type ICEBind struct {
 	closedChanMu sync.RWMutex // protect the closeChan recreation from reading from it.
 	closed       bool
 
-	muUDPMux sync.Mutex
+	muUDPMux         sync.Mutex
-	udpMux   *UniversalUDPMuxDefault
+	udpMux           *UniversalUDPMuxDefault
-	address  wgaddr.Address
+	address          wgaddr.Address
+	activityRecorder *ActivityRecorder
 }
 
 func NewICEBind(transportNet transport.Net, filterFn FilterFn, address wgaddr.Address) *ICEBind {
 	b, _ := wgConn.NewStdNetBind().(*wgConn.StdNetBind)
 	ib := &ICEBind{
-		StdNetBind:   b,
+		StdNetBind:       b,
-		RecvChan:     make(chan RecvMessage, 1),
+		RecvChan:         make(chan RecvMessage, 1),
-		transportNet: transportNet,
+		transportNet:     transportNet,
-		filterFn:     filterFn,
+		filterFn:         filterFn,
-		endpoints:    make(map[netip.Addr]net.Conn),
+		endpoints:        make(map[netip.Addr]net.Conn),
-		closedChan:   make(chan struct{}),
+		closedChan:       make(chan struct{}),
-		closed:       true,
+		closed:           true,
-		address:      address,
+		address:          address,
+		activityRecorder: NewActivityRecorder(),
 	}
 
 	rc := receiverCreator{
@@ -100,6 +103,10 @@ func (s *ICEBind) Close() error {
 	return s.StdNetBind.Close()
 }
 
+func (s *ICEBind) ActivityRecorder() *ActivityRecorder {
+	return s.activityRecorder
+}
+
 // GetICEMux returns the ICE UDPMux that was created and used by ICEBind
 func (s *ICEBind) GetICEMux() (*UniversalUDPMuxDefault, error) {
 	s.muUDPMux.Lock()
@@ -199,6 +206,11 @@ func (s *ICEBind) createIPv4ReceiverFn(pc *ipv4.PacketConn, conn *net.UDPConn, r
 				continue
 			}
 			addrPort := msg.Addr.(*net.UDPAddr).AddrPort()
+
+			if isTransportPkg(msg.Buffers, msg.N) {
+				s.activityRecorder.record(addrPort)
+			}
+
 			ep := &wgConn.StdNetEndpoint{AddrPort: addrPort} // TODO: remove allocation
 			wgConn.GetSrcFromControl(msg.OOB[:msg.NN], ep)
 			eps[i] = ep
@@ -257,6 +269,13 @@ func (c *ICEBind) receiveRelayed(buffs [][]byte, sizes []int, eps []wgConn.Endpo
 		copy(buffs[0], msg.Buffer)
 		sizes[0] = len(msg.Buffer)
 		eps[0] = wgConn.Endpoint(msg.Endpoint)
+
+		if isTransportPkg(buffs, sizes[0]) {
+			if ep, ok := eps[0].(*Endpoint); ok {
+				c.activityRecorder.record(ep.AddrPort)
+			}
+		}
+
 		return 1, nil
 	}
 }
@@ -272,3 +291,19 @@ func putMessages(msgs *[]ipv6.Message, msgsPool *sync.Pool) {
 	}
 	msgsPool.Put(msgs)
 }
+
+func isTransportPkg(buffers [][]byte, n int) bool {
+	// The first buffer should contain at least 4 bytes for type
+	if len(buffers[0]) < 4 {
+		return true
+	}
+
+	// WireGuard packet type is a little-endian uint32 at start
+	packetType := binary.LittleEndian.Uint32(buffers[0][:4])
+
+	// Check if packetType matches known WireGuard message types
+	if packetType == 4 && n > 32 {
+		return true
+	}
+	return false
+}

client/iface/configurer/kernel_unix.go

@@ -276,3 +276,7 @@ func (c *KernelConfigurer) GetStats() (map[string]WGStats, error) {
 	}
 	return stats, nil
 }
+
+func (c *KernelConfigurer) LastActivities() map[string]time.Time {
+	return nil
+}

client/iface/configurer/usp.go

@@ -16,6 +16,7 @@ import (
 	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
+	"github.com/netbirdio/netbird/client/iface/bind"
 	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
@@ -36,16 +37,18 @@ const (
 var ErrAllowedIPNotFound = fmt.Errorf("allowed IP not found")
 
 type WGUSPConfigurer struct {
-	device     *device.Device
+	device           *device.Device
-	deviceName string
+	deviceName       string
+	activityRecorder *bind.ActivityRecorder
 
 	uapiListener net.Listener
 }
 
-func NewUSPConfigurer(device *device.Device, deviceName string) *WGUSPConfigurer {
+func NewUSPConfigurer(device *device.Device, deviceName string, activityRecorder *bind.ActivityRecorder) *WGUSPConfigurer {
 	wgCfg := &WGUSPConfigurer{
-		device:     device,
+		device:           device,
-		deviceName: deviceName,
+		deviceName:       deviceName,
+		activityRecorder: activityRecorder,
 	}
 	wgCfg.startUAPI()
 	return wgCfg
@@ -87,7 +90,19 @@ func (c *WGUSPConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix,
 		Peers: []wgtypes.PeerConfig{peer},
 	}
 
-	return c.device.IpcSet(toWgUserspaceString(config))
+	if ipcErr := c.device.IpcSet(toWgUserspaceString(config)); ipcErr != nil {
+		return ipcErr
+	}
+
+	if endpoint != nil {
+		addr, err := netip.ParseAddr(endpoint.IP.String())
+		if err != nil {
+			return fmt.Errorf("failed to parse endpoint address: %w", err)
+		}
+		addrPort := netip.AddrPortFrom(addr, uint16(endpoint.Port))
+		c.activityRecorder.UpsertAddress(peerKey, addrPort)
+	}
+	return nil
 }
 
 func (c *WGUSPConfigurer) RemovePeer(peerKey string) error {
@@ -104,7 +119,10 @@ func (c *WGUSPConfigurer) RemovePeer(peerKey string) error {
 	config := wgtypes.Config{
 		Peers: []wgtypes.PeerConfig{peer},
 	}
-	return c.device.IpcSet(toWgUserspaceString(config))
+	ipcErr := c.device.IpcSet(toWgUserspaceString(config))
+
+	c.activityRecorder.Remove(peerKey)
+	return ipcErr
 }
 
 func (c *WGUSPConfigurer) AddAllowedIP(peerKey string, allowedIP netip.Prefix) error {
@@ -205,6 +223,10 @@ func (c *WGUSPConfigurer) FullStats() (*Stats, error) {
 	return parseStatus(c.deviceName, ipcStr)
 }
 
+func (c *WGUSPConfigurer) LastActivities() map[string]time.Time {
+	return c.activityRecorder.GetLastActivities()
+}
+
 // startUAPI starts the UAPI listener for managing the WireGuard interface via external tool
 func (t *WGUSPConfigurer) startUAPI() {
 	var err error

client/iface/device/device_android.go

@@ -79,7 +79,7 @@ func (t *WGTunDevice) Create(routes []string, dns string, searchDomains []string
 	// this helps with support for the older NetBird clients that had a hardcoded direct mode
 	// t.device.DisableSomeRoamingForBrokenMobileSemantics()
 
-	t.configurer = configurer.NewUSPConfigurer(t.device, t.name)
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder())
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
 		t.device.Close()

client/iface/device/device_darwin.go

@@ -61,7 +61,7 @@ func (t *TunDevice) Create() (WGConfigurer, error) {
 		return nil, fmt.Errorf("error assigning ip: %s", err)
 	}
 
-	t.configurer = configurer.NewUSPConfigurer(t.device, t.name)
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder())
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
 		t.device.Close()

client/iface/device/device_filter.go

@@ -9,11 +9,11 @@ import (
 
 // PacketFilter interface for firewall abilities
 type PacketFilter interface {
-	// DropOutgoing filter outgoing packets from host to external destinations
+	// FilterOutbound filter outgoing packets from host to external destinations
-	DropOutgoing(packetData []byte, size int) bool
+	FilterOutbound(packetData []byte, size int) bool
 
-	// DropIncoming filter incoming packets from external sources to host
+	// FilterInbound filter incoming packets from external sources to host
-	DropIncoming(packetData []byte, size int) bool
+	FilterInbound(packetData []byte, size int) bool
 
 	// AddUDPPacketHook calls hook when UDP packet from given direction matched
 	//
@@ -54,7 +54,7 @@ func (d *FilteredDevice) Read(bufs [][]byte, sizes []int, offset int) (n int, er
 	}
 
 	for i := 0; i < n; i++ {
-		if filter.DropOutgoing(bufs[i][offset:offset+sizes[i]], sizes[i]) {
+		if filter.FilterOutbound(bufs[i][offset:offset+sizes[i]], sizes[i]) {
 			bufs = append(bufs[:i], bufs[i+1:]...)
 			sizes = append(sizes[:i], sizes[i+1:]...)
 			n--
@@ -78,7 +78,7 @@ func (d *FilteredDevice) Write(bufs [][]byte, offset int) (int, error) {
 	filteredBufs := make([][]byte, 0, len(bufs))
 	dropped := 0
 	for _, buf := range bufs {
-		if !filter.DropIncoming(buf[offset:], len(buf)) {
+		if !filter.FilterInbound(buf[offset:], len(buf)) {
 			filteredBufs = append(filteredBufs, buf)
 			dropped++
 		}

client/iface/device/device_filter_test.go

@@ -146,7 +146,7 @@ func TestDeviceWrapperRead(t *testing.T) {
 		tun.EXPECT().Write(mockBufs, 0).Return(0, nil)
 
 		filter := mocks.NewMockPacketFilter(ctrl)
-		filter.EXPECT().DropIncoming(gomock.Any(), gomock.Any()).Return(true)
+		filter.EXPECT().FilterInbound(gomock.Any(), gomock.Any()).Return(true)
 
 		wrapped := newDeviceFilter(tun)
 		wrapped.filter = filter
@@ -201,7 +201,7 @@ func TestDeviceWrapperRead(t *testing.T) {
 				return 1, nil
 			})
 		filter := mocks.NewMockPacketFilter(ctrl)
-		filter.EXPECT().DropOutgoing(gomock.Any(), gomock.Any()).Return(true)
+		filter.EXPECT().FilterOutbound(gomock.Any(), gomock.Any()).Return(true)
 
 		wrapped := newDeviceFilter(tun)
 		wrapped.filter = filter

client/iface/device/device_ios.go

@@ -71,7 +71,7 @@ func (t *TunDevice) Create() (WGConfigurer, error) {
 	// this helps with support for the older NetBird clients that had a hardcoded direct mode
 	// t.device.DisableSomeRoamingForBrokenMobileSemantics()
 
-	t.configurer = configurer.NewUSPConfigurer(t.device, t.name)
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder())
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
 		t.device.Close()

client/iface/device/device_netstack.go

@@ -72,7 +72,7 @@ func (t *TunNetstackDevice) Create() (WGConfigurer, error) {
 		device.NewLogger(wgLogLevel(), "[netbird] "),
 	)
 
-	t.configurer = configurer.NewUSPConfigurer(t.device, t.name)
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder())
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
 		_ = tunIface.Close()

client/iface/device/device_usp_unix.go

@@ -64,7 +64,7 @@ func (t *USPDevice) Create() (WGConfigurer, error) {
 		return nil, fmt.Errorf("error assigning ip: %s", err)
 	}
 
-	t.configurer = configurer.NewUSPConfigurer(t.device, t.name)
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder())
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
 		t.device.Close()

client/iface/device/device_windows.go

@@ -94,7 +94,7 @@ func (t *TunDevice) Create() (WGConfigurer, error) {
 		return nil, fmt.Errorf("error assigning ip: %s", err)
 	}
 
-	t.configurer = configurer.NewUSPConfigurer(t.device, t.name)
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder())
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
 		t.device.Close()

client/iface/device/interface.go

@@ -19,4 +19,5 @@ type WGConfigurer interface {
 	Close()
 	GetStats() (map[string]configurer.WGStats, error)
 	FullStats() (*configurer.Stats, error)
+	LastActivities() map[string]time.Time
 }

client/iface/iface.go

@@ -217,6 +217,14 @@ func (w *WGIface) GetStats() (map[string]configurer.WGStats, error) {
 	return w.configurer.GetStats()
 }
 
+func (w *WGIface) LastActivities() map[string]time.Time {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	return w.configurer.LastActivities()
+
+}
+
 func (w *WGIface) FullStats() (*configurer.Stats, error) {
 	return w.configurer.FullStats()
 }

client/iface/mocks/filter.go

@@ -48,32 +48,32 @@ func (mr *MockPacketFilterMockRecorder) AddUDPPacketHook(arg0, arg1, arg2, arg3
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddUDPPacketHook", reflect.TypeOf((*MockPacketFilter)(nil).AddUDPPacketHook), arg0, arg1, arg2, arg3)
 }
 
-// DropIncoming mocks base method.
+// FilterInbound mocks base method.
-func (m *MockPacketFilter) DropIncoming(arg0 []byte, arg1 int) bool {
+func (m *MockPacketFilter) FilterInbound(arg0 []byte, arg1 int) bool {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "DropIncoming", arg0, arg1)
+	ret := m.ctrl.Call(m, "FilterInbound", arg0, arg1)
 	ret0, _ := ret[0].(bool)
 	return ret0
 }
 
-// DropIncoming indicates an expected call of DropIncoming.
+// FilterInbound indicates an expected call of FilterInbound.
-func (mr *MockPacketFilterMockRecorder) DropIncoming(arg0 interface{}, arg1 any) *gomock.Call {
+func (mr *MockPacketFilterMockRecorder) FilterInbound(arg0 interface{}, arg1 any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DropIncoming", reflect.TypeOf((*MockPacketFilter)(nil).DropIncoming), arg0, arg1)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FilterInbound", reflect.TypeOf((*MockPacketFilter)(nil).FilterInbound), arg0, arg1)
 }
 
-// DropOutgoing mocks base method.
+// FilterOutbound mocks base method.
-func (m *MockPacketFilter) DropOutgoing(arg0 []byte, arg1 int) bool {
+func (m *MockPacketFilter) FilterOutbound(arg0 []byte, arg1 int) bool {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "DropOutgoing", arg0, arg1)
+	ret := m.ctrl.Call(m, "FilterOutbound", arg0, arg1)
 	ret0, _ := ret[0].(bool)
 	return ret0
 }
 
-// DropOutgoing indicates an expected call of DropOutgoing.
+// FilterOutbound indicates an expected call of FilterOutbound.
-func (mr *MockPacketFilterMockRecorder) DropOutgoing(arg0 interface{}, arg1 any) *gomock.Call {
+func (mr *MockPacketFilterMockRecorder) FilterOutbound(arg0 interface{}, arg1 any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DropOutgoing", reflect.TypeOf((*MockPacketFilter)(nil).DropOutgoing), arg0, arg1)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FilterOutbound", reflect.TypeOf((*MockPacketFilter)(nil).FilterOutbound), arg0, arg1)
 }
 
 // RemovePacketHook mocks base method.

client/iface/mocks/iface/mocks/filter.go

@@ -46,32 +46,32 @@ func (mr *MockPacketFilterMockRecorder) AddUDPPacketHook(arg0, arg1, arg2, arg3
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddUDPPacketHook", reflect.TypeOf((*MockPacketFilter)(nil).AddUDPPacketHook), arg0, arg1, arg2, arg3)
 }
 
-// DropIncoming mocks base method.
+// FilterInbound mocks base method.
-func (m *MockPacketFilter) DropIncoming(arg0 []byte) bool {
+func (m *MockPacketFilter) FilterInbound(arg0 []byte) bool {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "DropIncoming", arg0)
+	ret := m.ctrl.Call(m, "FilterInbound", arg0)
 	ret0, _ := ret[0].(bool)
 	return ret0
 }
 
-// DropIncoming indicates an expected call of DropIncoming.
+// FilterInbound indicates an expected call of FilterInbound.
-func (mr *MockPacketFilterMockRecorder) DropIncoming(arg0 interface{}) *gomock.Call {
+func (mr *MockPacketFilterMockRecorder) FilterInbound(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DropIncoming", reflect.TypeOf((*MockPacketFilter)(nil).DropIncoming), arg0)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FilterInbound", reflect.TypeOf((*MockPacketFilter)(nil).FilterInbound), arg0)
 }
 
-// DropOutgoing mocks base method.
+// FilterOutbound mocks base method.
-func (m *MockPacketFilter) DropOutgoing(arg0 []byte) bool {
+func (m *MockPacketFilter) FilterOutbound(arg0 []byte) bool {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "DropOutgoing", arg0)
+	ret := m.ctrl.Call(m, "FilterOutbound", arg0)
 	ret0, _ := ret[0].(bool)
 	return ret0
 }
 
-// DropOutgoing indicates an expected call of DropOutgoing.
+// FilterOutbound indicates an expected call of FilterOutbound.
-func (mr *MockPacketFilterMockRecorder) DropOutgoing(arg0 interface{}) *gomock.Call {
+func (mr *MockPacketFilterMockRecorder) FilterOutbound(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DropOutgoing", reflect.TypeOf((*MockPacketFilter)(nil).DropOutgoing), arg0)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FilterOutbound", reflect.TypeOf((*MockPacketFilter)(nil).FilterOutbound), arg0)
 }
 
 // SetNetwork mocks base method.

client/internal/config.go

@@ -319,10 +319,6 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 			*input.WireguardPort, config.WgPort)
 		config.WgPort = *input.WireguardPort
 		updated = true
-	} else if config.WgPort == 0 {
-		config.WgPort = iface.DefaultWgPort
-		log.Infof("using default Wireguard port %d", config.WgPort)
-		updated = true
 	}
 
 	if input.InterfaceName != nil && *input.InterfaceName != config.WgIface {

client/internal/conn_mgr.go

@@ -12,7 +12,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/lazyconn"
 	"github.com/netbirdio/netbird/client/internal/lazyconn/manager"
 	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/internal/peer/dispatcher"
 	"github.com/netbirdio/netbird/client/internal/peerstore"
 	"github.com/netbirdio/netbird/route"
 )
@@ -26,11 +25,11 @@ import (
 //
 // The implementation is not thread-safe; it is protected by engine.syncMsgMux.
 type ConnMgr struct {
-	peerStore      *peerstore.Store
+	peerStore        *peerstore.Store
-	statusRecorder *peer.Status
+	statusRecorder   *peer.Status
-	iface          lazyconn.WGIface
+	iface            lazyconn.WGIface
-	dispatcher     *dispatcher.ConnectionDispatcher
+	enabledLocally   bool
-	enabledLocally bool
+	rosenpassEnabled bool
 
 	lazyConnMgr *manager.Manager
 
@@ -39,12 +38,12 @@ type ConnMgr struct {
 	lazyCtxCancel context.CancelFunc
 }
 
-func NewConnMgr(engineConfig *EngineConfig, statusRecorder *peer.Status, peerStore *peerstore.Store, iface lazyconn.WGIface, dispatcher *dispatcher.ConnectionDispatcher) *ConnMgr {
+func NewConnMgr(engineConfig *EngineConfig, statusRecorder *peer.Status, peerStore *peerstore.Store, iface lazyconn.WGIface) *ConnMgr {
 	e := &ConnMgr{
-		peerStore:      peerStore,
+		peerStore:        peerStore,
-		statusRecorder: statusRecorder,
+		statusRecorder:   statusRecorder,
-		iface:          iface,
+		iface:            iface,
-		dispatcher:     dispatcher,
+		rosenpassEnabled: engineConfig.RosenpassEnabled,
 	}
 	if engineConfig.LazyConnectionEnabled || lazyconn.IsLazyConnEnabledByEnv() {
 		e.enabledLocally = true
@@ -64,6 +63,11 @@ func (e *ConnMgr) Start(ctx context.Context) {
 		return
 	}
 
+	if e.rosenpassEnabled {
+		log.Warnf("rosenpass connection manager is enabled, lazy connection manager will not be started")
+		return
+	}
+
 	e.initLazyManager(ctx)
 	e.statusRecorder.UpdateLazyConnection(true)
 }
@@ -83,7 +87,12 @@ func (e *ConnMgr) UpdatedRemoteFeatureFlag(ctx context.Context, enabled bool) er
 			return nil
 		}
 
-		log.Infof("lazy connection manager is enabled by management feature flag")
+		if e.rosenpassEnabled {
+			log.Infof("rosenpass connection manager is enabled, lazy connection manager will not be started")
+			return nil
+		}
+
+		log.Warnf("lazy connection manager is enabled by management feature flag")
 		e.initLazyManager(ctx)
 		e.statusRecorder.UpdateLazyConnection(true)
 		return e.addPeersToLazyConnManager()
@@ -133,7 +142,7 @@ func (e *ConnMgr) SetExcludeList(ctx context.Context, peerIDs map[string]bool) {
 		excludedPeers = append(excludedPeers, lazyPeerCfg)
 	}
 
-	added := e.lazyConnMgr.ExcludePeer(e.lazyCtx, excludedPeers)
+	added := e.lazyConnMgr.ExcludePeer(excludedPeers)
 	for _, peerID := range added {
 		var peerConn *peer.Conn
 		var exists bool
@@ -175,7 +184,7 @@ func (e *ConnMgr) AddPeerConn(ctx context.Context, peerKey string, conn *peer.Co
 		PeerConnID: conn.ConnID(),
 		Log:        conn.Log,
 	}
-	excluded, err := e.lazyConnMgr.AddPeer(e.lazyCtx, lazyPeerCfg)
+	excluded, err := e.lazyConnMgr.AddPeer(lazyPeerCfg)
 	if err != nil {
 		conn.Log.Errorf("failed to add peer to lazyconn manager: %v", err)
 		if err := conn.Open(ctx); err != nil {
@@ -201,7 +210,7 @@ func (e *ConnMgr) RemovePeerConn(peerKey string) {
 	if !ok {
 		return
 	}
-	defer conn.Close()
+	defer conn.Close(false)
 
 	if !e.isStartedWithLazyMgr() {
 		return
@@ -211,23 +220,28 @@ func (e *ConnMgr) RemovePeerConn(peerKey string) {
 	conn.Log.Infof("removed peer from lazy conn manager")
 }
 
-func (e *ConnMgr) OnSignalMsg(ctx context.Context, peerKey string) (*peer.Conn, bool) {
+func (e *ConnMgr) ActivatePeer(ctx context.Context, conn *peer.Conn) {
-	conn, ok := e.peerStore.PeerConn(peerKey)
-	if !ok {
-		return nil, false
-	}
-
 	if !e.isStartedWithLazyMgr() {
-		return conn, true
+		return
 	}
 
-	if found := e.lazyConnMgr.ActivatePeer(e.lazyCtx, peerKey); found {
+	if found := e.lazyConnMgr.ActivatePeer(conn.GetKey()); found {
 		conn.Log.Infof("activated peer from inactive state")
 		if err := conn.Open(ctx); err != nil {
 			conn.Log.Errorf("failed to open connection: %v", err)
 		}
 	}
-	return conn, true
+}
+
+// DeactivatePeer deactivates a peer connection in the lazy connection manager.
+// If locally the lazy connection is disabled, we force the peer connection open.
+func (e *ConnMgr) DeactivatePeer(conn *peer.Conn) {
+	if !e.isStartedWithLazyMgr() {
+		return
+	}
+
+	conn.Log.Infof("closing peer connection: remote peer initiated inactive, idle lazy state and sent GOAWAY")
+	e.lazyConnMgr.DeactivatePeer(conn.ConnID())
 }
 
 func (e *ConnMgr) Close() {
@@ -244,7 +258,7 @@ func (e *ConnMgr) initLazyManager(engineCtx context.Context) {
 	cfg := manager.Config{
 		InactivityThreshold: inactivityThresholdEnv(),
 	}
-	e.lazyConnMgr = manager.NewManager(cfg, engineCtx, e.peerStore, e.iface, e.dispatcher)
+	e.lazyConnMgr = manager.NewManager(cfg, engineCtx, e.peerStore, e.iface)
 
 	e.lazyCtx, e.lazyCtxCancel = context.WithCancel(engineCtx)
 
@@ -275,7 +289,7 @@ func (e *ConnMgr) addPeersToLazyConnManager() error {
 		lazyPeerCfgs = append(lazyPeerCfgs, lazyPeerCfg)
 	}
 
-	return e.lazyConnMgr.AddActivePeers(e.lazyCtx, lazyPeerCfgs)
+	return e.lazyConnMgr.AddActivePeers(lazyPeerCfgs)
 }
 
 func (e *ConnMgr) closeManager(ctx context.Context) {

client/internal/connect.go

@@ -17,7 +17,6 @@ import (
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"
 
-	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/listener"
@@ -526,17 +525,13 @@ func statusRecorderToSignalConnStateNotifier(statusRecorder *peer.Status) signal
 
 // freePort attempts to determine if the provided port is available, if not it will ask the system for a free port.
 func freePort(initPort int) (int, error) {
-	addr := net.UDPAddr{}
+	addr := net.UDPAddr{Port: initPort}
-	if initPort == 0 {
-		initPort = iface.DefaultWgPort
-	}
-
-	addr.Port = initPort
 
 	conn, err := net.ListenUDP("udp", &addr)
 	if err == nil {
+		returnPort := conn.LocalAddr().(*net.UDPAddr).Port
 		closeConnWithLog(conn)
-		return initPort, nil
+		return returnPort, nil
 	}
 
 	// if the port is already in use, ask the system for a free port

client/internal/connect_test.go

@@ -13,10 +13,10 @@ func Test_freePort(t *testing.T) {
 		shouldMatch bool
 	}{
 		{
-			name:        "not provided, fallback to default",
+			name:        "when port is 0 use random port",
 			port:        0,
-			want:        51820,
+			want:        0,
-			shouldMatch: true,
+			shouldMatch: false,
 		},
 		{
 			name:        "provided and available",
@@ -31,7 +31,7 @@ func Test_freePort(t *testing.T) {
 			shouldMatch: false,
 		},
 	}
-	c1, err := net.ListenUDP("udp", &net.UDPAddr{Port: 51830})
+	c1, err := net.ListenUDP("udp", &net.UDPAddr{Port: 0})
 	if err != nil {
 		t.Errorf("freePort error = %v", err)
 	}
@@ -39,6 +39,14 @@ func Test_freePort(t *testing.T) {
 		_ = c1.Close()
 	}(c1)
 
+	if tests[1].port == c1.LocalAddr().(*net.UDPAddr).Port {
+		tests[1].port++
+		tests[1].want++
+	}
+
+	tests[2].port = c1.LocalAddr().(*net.UDPAddr).Port
+	tests[2].want = c1.LocalAddr().(*net.UDPAddr).Port
+
 	for _, tt := range tests {
 
 		t.Run(tt.name, func(t *testing.T) {

client/internal/debug/debug_linux.go

@@ -55,8 +55,8 @@ func (g *BundleGenerator) trySystemdLogFallback() error {
 
 // getServiceName gets the service name from environment or defaults to netbird
 func getServiceName() string {
-	if unitName := os.Getenv("SYSTEMD_UNIT"); unitName != "" {
+	if unitName := os.Getenv("NB_SERVICE"); unitName != "" {
-		log.Debugf("Detected SYSTEMD_UNIT environment variable: %s", unitName)
+		log.Debugf("Detected NB_SERVICE environment variable: %s", unitName)
 		return unitName
 	}
 

client/internal/dns/server_test.go

@@ -464,7 +464,7 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 	defer ctrl.Finish()
 
 	packetfilter := pfmock.NewMockPacketFilter(ctrl)
-	packetfilter.EXPECT().DropOutgoing(gomock.Any(), gomock.Any()).AnyTimes()
+	packetfilter.EXPECT().FilterOutbound(gomock.Any(), gomock.Any()).AnyTimes()
 	packetfilter.EXPECT().AddUDPPacketHook(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any())
 	packetfilter.EXPECT().RemovePacketHook(gomock.Any())
 

client/internal/engine.go

@@ -38,7 +38,6 @@ import (
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/client/internal/networkmonitor"
 	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/internal/peer/dispatcher"
 	"github.com/netbirdio/netbird/client/internal/peer/guard"
 	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"
 	"github.com/netbirdio/netbird/client/internal/peerstore"
@@ -175,8 +174,7 @@ type Engine struct {
 	sshServerFunc func(hostKeyPEM []byte, addr string) (nbssh.Server, error)
 	sshServer     nbssh.Server
 
-	statusRecorder     *peer.Status
+	statusRecorder *peer.Status
-	peerConnDispatcher *dispatcher.ConnectionDispatcher
 
 	firewall          firewallManager.Manager
 	routeManager      routemanager.Manager
@@ -383,7 +381,13 @@ func (e *Engine) Start() error {
 	}
 	e.stateManager.Start()
 
-	initialRoutes, dnsServer, err := e.newDnsServer()
+	initialRoutes, dnsConfig, dnsFeatureFlag, err := e.readInitialSettings()
+	if err != nil {
+		e.close()
+		return fmt.Errorf("read initial settings: %w", err)
+	}
+
+	dnsServer, err := e.newDnsServer(dnsConfig)
 	if err != nil {
 		e.close()
 		return fmt.Errorf("create dns server: %w", err)
@@ -400,6 +404,7 @@ func (e *Engine) Start() error {
 		InitialRoutes:       initialRoutes,
 		StateManager:        e.stateManager,
 		DNSServer:           dnsServer,
+		DNSFeatureFlag:      dnsFeatureFlag,
 		PeerStore:           e.peerStore,
 		DisableClientRoutes: e.config.DisableClientRoutes,
 		DisableServerRoutes: e.config.DisableServerRoutes,
@@ -451,9 +456,7 @@ func (e *Engine) Start() error {
 		NATExternalIPs:       e.parseNATExternalIPMappings(),
 	}
 
-	e.peerConnDispatcher = dispatcher.NewConnectionDispatcher()
+	e.connMgr = NewConnMgr(e.config, e.statusRecorder, e.peerStore, wgIface)
-
-	e.connMgr = NewConnMgr(e.config, e.statusRecorder, e.peerStore, wgIface, e.peerConnDispatcher)
 	e.connMgr.Start(e.ctx)
 
 	e.srWatcher = guard.NewSRWatcher(e.signal, e.relayManager, e.mobileDep.IFaceDiscover, iceCfg)
@@ -488,9 +491,9 @@ func (e *Engine) createFirewall() error {
 }
 
 func (e *Engine) initFirewall() error {
-	if err := e.routeManager.EnableServerRouter(e.firewall); err != nil {
+	if err := e.routeManager.SetFirewall(e.firewall); err != nil {
 		e.close()
-		return fmt.Errorf("enable server router: %w", err)
+		return fmt.Errorf("set firewall: %w", err)
 	}
 
 	if e.config.BlockLANAccess {
@@ -1009,8 +1012,6 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		log.Errorf("failed to update dns server, err: %v", err)
 	}
 
-	dnsRouteFeatureFlag := toDNSFeatureFlag(networkMap)
-
 	// apply routes first, route related actions might depend on routing being enabled
 	routes := toRoutes(networkMap.GetRoutes())
 	serverRoutes, clientRoutes := e.routeManager.ClassifyRoutes(routes)
@@ -1021,6 +1022,7 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		log.Debugf("updated lazy connection manager with %d HA groups", len(clientRoutes))
 	}
 
+	dnsRouteFeatureFlag := toDNSFeatureFlag(networkMap)
 	if err := e.routeManager.UpdateRoutes(serial, serverRoutes, clientRoutes, dnsRouteFeatureFlag); err != nil {
 		log.Errorf("failed to update routes: %v", err)
 	}
@@ -1255,7 +1257,7 @@ func (e *Engine) addNewPeer(peerConfig *mgmProto.RemotePeerConfig) error {
 	}
 
 	if exists := e.connMgr.AddPeerConn(e.ctx, peerKey, conn); exists {
-		conn.Close()
+		conn.Close(false)
 		return fmt.Errorf("peer already exists: %s", peerKey)
 	}
 
@@ -1302,13 +1304,12 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs []netip.Prefix, agentV
 	}
 
 	serviceDependencies := peer.ServiceDependencies{
-		StatusRecorder:     e.statusRecorder,
+		StatusRecorder: e.statusRecorder,
-		Signaler:           e.signaler,
+		Signaler:       e.signaler,
-		IFaceDiscover:      e.mobileDep.IFaceDiscover,
+		IFaceDiscover:  e.mobileDep.IFaceDiscover,
-		RelayManager:       e.relayManager,
+		RelayManager:   e.relayManager,
-		SrWatcher:          e.srWatcher,
+		SrWatcher:      e.srWatcher,
-		Semaphore:          e.connSemaphore,
+		Semaphore:      e.connSemaphore,
-		PeerConnDispatcher: e.peerConnDispatcher,
 	}
 	peerConn, err := peer.NewConn(config, serviceDependencies)
 	if err != nil {
@@ -1331,11 +1332,16 @@ func (e *Engine) receiveSignalEvents() {
 			e.syncMsgMux.Lock()
 			defer e.syncMsgMux.Unlock()
 
-			conn, ok := e.connMgr.OnSignalMsg(e.ctx, msg.Key)
+			conn, ok := e.peerStore.PeerConn(msg.Key)
 			if !ok {
 				return fmt.Errorf("wrongly addressed message %s", msg.Key)
 			}
 
+			msgType := msg.GetBody().GetType()
+			if msgType != sProto.Body_GO_IDLE {
+				e.connMgr.ActivatePeer(e.ctx, conn)
+			}
+
 			switch msg.GetBody().Type {
 			case sProto.Body_OFFER:
 				remoteCred, err := signal.UnMarshalCredential(msg)
@@ -1392,6 +1398,8 @@ func (e *Engine) receiveSignalEvents() {
 
 				go conn.OnRemoteCandidate(candidate, e.routeManager.GetClientRoutes())
 			case sProto.Body_MODE:
+			case sProto.Body_GO_IDLE:
+				e.connMgr.DeactivatePeer(conn)
 			}
 
 			return nil
@@ -1489,7 +1497,12 @@ func (e *Engine) close() {
 	}
 }
 
-func (e *Engine) readInitialSettings() ([]*route.Route, *nbdns.Config, error) {
+func (e *Engine) readInitialSettings() ([]*route.Route, *nbdns.Config, bool, error) {
+	if runtime.GOOS != "android" {
+		// nolint:nilnil
+		return nil, nil, false, nil
+	}
+
 	info := system.GetInfo(e.ctx)
 	info.SetFlags(
 		e.config.RosenpassEnabled,
@@ -1506,11 +1519,12 @@ func (e *Engine) readInitialSettings() ([]*route.Route, *nbdns.Config, error) {
 
 	netMap, err := e.mgmClient.GetNetworkMap(info)
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, false, err
 	}
 	routes := toRoutes(netMap.GetRoutes())
 	dnsCfg := toDNSConfig(netMap.GetDNSConfig(), e.wgInterface.Address().Network)
-	return routes, &dnsCfg, nil
+	dnsFeatureFlag := toDNSFeatureFlag(netMap)
+	return routes, &dnsCfg, dnsFeatureFlag, nil
 }
 
 func (e *Engine) newWgIface() (*iface.WGIface, error) {
@@ -1558,18 +1572,14 @@ func (e *Engine) wgInterfaceCreate() (err error) {
 	return err
 }
 
-func (e *Engine) newDnsServer() ([]*route.Route, dns.Server, error) {
+func (e *Engine) newDnsServer(dnsConfig *nbdns.Config) (dns.Server, error) {
 	// due to tests where we are using a mocked version of the DNS server
 	if e.dnsServer != nil {
-		return nil, e.dnsServer, nil
+		return e.dnsServer, nil
 	}
 
 	switch runtime.GOOS {
 	case "android":
-		routes, dnsConfig, err := e.readInitialSettings()
-		if err != nil {
-			return nil, nil, err
-		}
 		dnsServer := dns.NewDefaultServerPermanentUpstream(
 			e.ctx,
 			e.wgInterface,
@@ -1580,19 +1590,19 @@ func (e *Engine) newDnsServer() ([]*route.Route, dns.Server, error) {
 			e.config.DisableDNS,
 		)
 		go e.mobileDep.DnsReadyListener.OnReady()
-		return routes, dnsServer, nil
+		return dnsServer, nil
 
 	case "ios":
 		dnsServer := dns.NewDefaultServerIos(e.ctx, e.wgInterface, e.mobileDep.DnsManager, e.statusRecorder, e.config.DisableDNS)
-		return nil, dnsServer, nil
+		return dnsServer, nil
 
 	default:
 		dnsServer, err := dns.NewDefaultServer(e.ctx, e.wgInterface, e.config.CustomDNSAddress, e.statusRecorder, e.stateManager, e.config.DisableDNS)
 		if err != nil {
-			return nil, nil, err
+			return nil, err
 		}
 
-		return nil, dnsServer, nil
+		return dnsServer, nil
 	}
 }
 

client/internal/engine_test.go

@@ -36,7 +36,6 @@ import (
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/internal/peer/dispatcher"
 	"github.com/netbirdio/netbird/client/internal/peer/guard"
 	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"
 	"github.com/netbirdio/netbird/client/internal/routemanager"
@@ -97,6 +96,7 @@ type MockWGIface struct {
 	GetInterfaceGUIDStringFunc func() (string, error)
 	GetProxyFunc               func() wgproxy.Proxy
 	GetNetFunc                 func() *netstack.Net
+	LastActivitiesFunc         func() map[string]time.Time
 }
 
 func (m *MockWGIface) FullStats() (*configurer.Stats, error) {
@@ -187,6 +187,13 @@ func (m *MockWGIface) GetNet() *netstack.Net {
 	return m.GetNetFunc()
 }
 
+func (m *MockWGIface) LastActivities() map[string]time.Time {
+	if m.LastActivitiesFunc != nil {
+		return m.LastActivitiesFunc()
+	}
+	return nil
+}
+
 func TestMain(m *testing.M) {
 	_ = util.InitLog("debug", "console")
 	code := m.Run()
@@ -404,7 +411,7 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 	engine.udpMux = bind.NewUniversalUDPMuxDefault(bind.UniversalUDPMuxParams{UDPConn: conn})
 	engine.ctx = ctx
 	engine.srWatcher = guard.NewSRWatcher(nil, nil, nil, icemaker.Config{})
-	engine.connMgr = NewConnMgr(engine.config, engine.statusRecorder, engine.peerStore, wgIface, dispatcher.NewConnectionDispatcher())
+	engine.connMgr = NewConnMgr(engine.config, engine.statusRecorder, engine.peerStore, wgIface)
 	engine.connMgr.Start(ctx)
 
 	type testCase struct {
@@ -793,7 +800,7 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 
 			engine.routeManager = mockRouteManager
 			engine.dnsServer = &dns.MockServer{}
-			engine.connMgr = NewConnMgr(engine.config, engine.statusRecorder, engine.peerStore, engine.wgInterface, dispatcher.NewConnectionDispatcher())
+			engine.connMgr = NewConnMgr(engine.config, engine.statusRecorder, engine.peerStore, engine.wgInterface)
 			engine.connMgr.Start(ctx)
 
 			defer func() {
@@ -991,7 +998,7 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 			}
 
 			engine.dnsServer = mockDNSServer
-			engine.connMgr = NewConnMgr(engine.config, engine.statusRecorder, engine.peerStore, engine.wgInterface, dispatcher.NewConnectionDispatcher())
+			engine.connMgr = NewConnMgr(engine.config, engine.statusRecorder, engine.peerStore, engine.wgInterface)
 			engine.connMgr.Start(ctx)
 
 			defer func() {
@@ -1476,7 +1483,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 
 	permissionsManager := permissions.NewManager(store)
 
-	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager)
+	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
 	if err != nil {
 		return nil, "", err
 	}

client/internal/iface_common.go

@@ -38,4 +38,5 @@ type wgIfaceBase interface {
 	GetStats() (map[string]configurer.WGStats, error)
 	GetNet() *netstack.Net
 	FullStats() (*configurer.Stats, error)
+	LastActivities() map[string]time.Time
 }

client/internal/lazyconn/activity/listener.go

@@ -13,7 +13,7 @@ import (
 
 // Listener it is not a thread safe implementation, do not call Close before ReadPackets. It will cause blocking
 type Listener struct {
-	wgIface  lazyconn.WGIface
+	wgIface  WgInterface
 	peerCfg  lazyconn.PeerConfig
 	conn     *net.UDPConn
 	endpoint *net.UDPAddr
@@ -22,7 +22,7 @@ type Listener struct {
 	isClosed atomic.Bool // use to avoid error log when closing the listener
 }
 
-func NewListener(wgIface lazyconn.WGIface, cfg lazyconn.PeerConfig) (*Listener, error) {
+func NewListener(wgIface WgInterface, cfg lazyconn.PeerConfig) (*Listener, error) {
 	d := &Listener{
 		wgIface: wgIface,
 		peerCfg: cfg,

client/internal/lazyconn/activity/manager.go

@@ -1,18 +1,27 @@
 package activity
 
 import (
+	"net"
+	"net/netip"
 	"sync"
+	"time"
 
 	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
 	"github.com/netbirdio/netbird/client/internal/lazyconn"
 	peerid "github.com/netbirdio/netbird/client/internal/peer/id"
 )
 
+type WgInterface interface {
+	RemovePeer(peerKey string) error
+	UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error
+}
+
 type Manager struct {
 	OnActivityChan chan peerid.ConnID
 
-	wgIface lazyconn.WGIface
+	wgIface WgInterface
 
 	peers map[peerid.ConnID]*Listener
 	done  chan struct{}
@@ -20,7 +29,7 @@ type Manager struct {
 	mu sync.Mutex
 }
 
-func NewManager(wgIface lazyconn.WGIface) *Manager {
+func NewManager(wgIface WgInterface) *Manager {
 	m := &Manager{
 		OnActivityChan: make(chan peerid.ConnID, 1),
 		wgIface:        wgIface,

client/internal/lazyconn/inactivity/inactivity.go

@@ -1,75 +0,0 @@
-package inactivity
-
-import (
-	"context"
-	"time"
-
-	peer "github.com/netbirdio/netbird/client/internal/peer/id"
-)
-
-const (
-	DefaultInactivityThreshold = 60 * time.Minute // idle after 1 hour inactivity
-	MinimumInactivityThreshold = 3 * time.Minute
-)
-
-type Monitor struct {
-	id                  peer.ConnID
-	timer               *time.Timer
-	cancel              context.CancelFunc
-	inactivityThreshold time.Duration
-}
-
-func NewInactivityMonitor(peerID peer.ConnID, threshold time.Duration) *Monitor {
-	i := &Monitor{
-		id:                  peerID,
-		timer:               time.NewTimer(0),
-		inactivityThreshold: threshold,
-	}
-	i.timer.Stop()
-	return i
-}
-
-func (i *Monitor) Start(ctx context.Context, timeoutChan chan peer.ConnID) {
-	i.timer.Reset(i.inactivityThreshold)
-	defer i.timer.Stop()
-
-	ctx, i.cancel = context.WithCancel(ctx)
-	defer func() {
-		defer i.cancel()
-		select {
-		case <-i.timer.C:
-		default:
-		}
-	}()
-
-	select {
-	case <-i.timer.C:
-		select {
-		case timeoutChan <- i.id:
-		case <-ctx.Done():
-			return
-		}
-	case <-ctx.Done():
-		return
-	}
-}
-
-func (i *Monitor) Stop() {
-	if i.cancel == nil {
-		return
-	}
-	i.cancel()
-}
-
-func (i *Monitor) PauseTimer() {
-	i.timer.Stop()
-}
-
-func (i *Monitor) ResetTimer() {
-	i.timer.Reset(i.inactivityThreshold)
-}
-
-func (i *Monitor) ResetMonitor(ctx context.Context, timeoutChan chan peer.ConnID) {
-	i.Stop()
-	go i.Start(ctx, timeoutChan)
-}

client/internal/lazyconn/inactivity/inactivity_test.go

@@ -1,156 +0,0 @@
-package inactivity
-
-import (
-	"context"
-	"testing"
-	"time"
-
-	peerid "github.com/netbirdio/netbird/client/internal/peer/id"
-)
-
-type MocPeer struct {
-}
-
-func (m *MocPeer) ConnID() peerid.ConnID {
-	return peerid.ConnID(m)
-}
-
-func TestInactivityMonitor(t *testing.T) {
-	tCtx, testTimeoutCancel := context.WithTimeout(context.Background(), time.Second*5)
-	defer testTimeoutCancel()
-
-	p := &MocPeer{}
-	im := NewInactivityMonitor(p.ConnID(), time.Second*2)
-
-	timeoutChan := make(chan peerid.ConnID)
-
-	exitChan := make(chan struct{})
-
-	go func() {
-		defer close(exitChan)
-		im.Start(tCtx, timeoutChan)
-	}()
-
-	select {
-	case <-timeoutChan:
-	case <-tCtx.Done():
-		t.Fatal("timeout")
-	}
-
-	select {
-	case <-exitChan:
-	case <-tCtx.Done():
-		t.Fatal("timeout")
-	}
-}
-
-func TestReuseInactivityMonitor(t *testing.T) {
-	p := &MocPeer{}
-	im := NewInactivityMonitor(p.ConnID(), time.Second*2)
-
-	timeoutChan := make(chan peerid.ConnID)
-
-	for i := 2; i > 0; i-- {
-		exitChan := make(chan struct{})
-
-		testTimeoutCtx, testTimeoutCancel := context.WithTimeout(context.Background(), time.Second*5)
-
-		go func() {
-			defer close(exitChan)
-			im.Start(testTimeoutCtx, timeoutChan)
-		}()
-
-		select {
-		case <-timeoutChan:
-		case <-testTimeoutCtx.Done():
-			t.Fatal("timeout")
-		}
-
-		select {
-		case <-exitChan:
-		case <-testTimeoutCtx.Done():
-			t.Fatal("timeout")
-		}
-		testTimeoutCancel()
-	}
-}
-
-func TestStopInactivityMonitor(t *testing.T) {
-	tCtx, testTimeoutCancel := context.WithTimeout(context.Background(), time.Second*5)
-	defer testTimeoutCancel()
-
-	p := &MocPeer{}
-	im := NewInactivityMonitor(p.ConnID(), DefaultInactivityThreshold)
-
-	timeoutChan := make(chan peerid.ConnID)
-
-	exitChan := make(chan struct{})
-
-	go func() {
-		defer close(exitChan)
-		im.Start(tCtx, timeoutChan)
-	}()
-
-	go func() {
-		time.Sleep(3 * time.Second)
-		im.Stop()
-	}()
-
-	select {
-	case <-timeoutChan:
-		t.Fatal("unexpected timeout")
-	case <-exitChan:
-	case <-tCtx.Done():
-		t.Fatal("timeout")
-	}
-}
-
-func TestPauseInactivityMonitor(t *testing.T) {
-	tCtx, testTimeoutCancel := context.WithTimeout(context.Background(), time.Second*10)
-	defer testTimeoutCancel()
-
-	p := &MocPeer{}
-	trashHold := time.Second * 3
-	im := NewInactivityMonitor(p.ConnID(), trashHold)
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	timeoutChan := make(chan peerid.ConnID)
-
-	exitChan := make(chan struct{})
-
-	go func() {
-		defer close(exitChan)
-		im.Start(ctx, timeoutChan)
-	}()
-
-	time.Sleep(1 * time.Second) // grant time to start the monitor
-	im.PauseTimer()
-
-	// check to do not receive timeout
-	thresholdCtx, thresholdCancel := context.WithTimeout(context.Background(), trashHold+time.Second)
-	defer thresholdCancel()
-	select {
-	case <-exitChan:
-		t.Fatal("unexpected exit")
-	case <-timeoutChan:
-		t.Fatal("unexpected timeout")
-	case <-thresholdCtx.Done():
-		// test ok
-	case <-tCtx.Done():
-		t.Fatal("test timed out")
-	}
-
-	// test reset timer
-	im.ResetTimer()
-
-	select {
-	case <-tCtx.Done():
-		t.Fatal("test timed out")
-	case <-exitChan:
-		t.Fatal("unexpected exit")
-	case <-timeoutChan:
-		// expected timeout
-	}
-}

client/internal/lazyconn/inactivity/manager.go

@@ -0,0 +1,152 @@
+package inactivity
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/lazyconn"
+)
+
+const (
+	checkInterval = 1 * time.Minute
+
+	DefaultInactivityThreshold = 15 * time.Minute
+	MinimumInactivityThreshold = 1 * time.Minute
+)
+
+type WgInterface interface {
+	LastActivities() map[string]time.Time
+}
+
+type Manager struct {
+	inactivePeersChan chan map[string]struct{}
+
+	iface               WgInterface
+	interestedPeers     map[string]*lazyconn.PeerConfig
+	inactivityThreshold time.Duration
+}
+
+func NewManager(iface WgInterface, configuredThreshold *time.Duration) *Manager {
+	inactivityThreshold, err := validateInactivityThreshold(configuredThreshold)
+	if err != nil {
+		inactivityThreshold = DefaultInactivityThreshold
+		log.Warnf("invalid inactivity threshold configured: %v, using default: %v", err, DefaultInactivityThreshold)
+	}
+
+	log.Infof("inactivity threshold configured: %v", inactivityThreshold)
+	return &Manager{
+		inactivePeersChan:   make(chan map[string]struct{}, 1),
+		iface:               iface,
+		interestedPeers:     make(map[string]*lazyconn.PeerConfig),
+		inactivityThreshold: inactivityThreshold,
+	}
+}
+
+func (m *Manager) InactivePeersChan() chan map[string]struct{} {
+	if m == nil {
+		// return a nil channel that blocks forever
+		return nil
+	}
+
+	return m.inactivePeersChan
+}
+
+func (m *Manager) AddPeer(peerCfg *lazyconn.PeerConfig) {
+	if m == nil {
+		return
+	}
+
+	if _, exists := m.interestedPeers[peerCfg.PublicKey]; exists {
+		return
+	}
+
+	peerCfg.Log.Infof("adding peer to inactivity manager")
+	m.interestedPeers[peerCfg.PublicKey] = peerCfg
+}
+
+func (m *Manager) RemovePeer(peer string) {
+	if m == nil {
+		return
+	}
+
+	pi, ok := m.interestedPeers[peer]
+	if !ok {
+		return
+	}
+
+	pi.Log.Debugf("remove peer from inactivity manager")
+	delete(m.interestedPeers, peer)
+}
+
+func (m *Manager) Start(ctx context.Context) {
+	if m == nil {
+		return
+	}
+
+	ticker := newTicker(checkInterval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ticker.C():
+			idlePeers, err := m.checkStats()
+			if err != nil {
+				log.Errorf("error checking stats: %v", err)
+				return
+			}
+
+			if len(idlePeers) == 0 {
+				continue
+			}
+
+			m.notifyInactivePeers(ctx, idlePeers)
+		}
+	}
+}
+
+func (m *Manager) notifyInactivePeers(ctx context.Context, inactivePeers map[string]struct{}) {
+	select {
+	case m.inactivePeersChan <- inactivePeers:
+	case <-ctx.Done():
+		return
+	default:
+		return
+	}
+}
+
+func (m *Manager) checkStats() (map[string]struct{}, error) {
+	lastActivities := m.iface.LastActivities()
+
+	idlePeers := make(map[string]struct{})
+
+	for peerID, peerCfg := range m.interestedPeers {
+		lastActive, ok := lastActivities[peerID]
+		if !ok {
+			// when peer is in connecting state
+			peerCfg.Log.Warnf("peer not found in wg stats")
+			continue
+		}
+
+		if time.Since(lastActive) > m.inactivityThreshold {
+			peerCfg.Log.Infof("peer is inactive since: %v", lastActive)
+			idlePeers[peerID] = struct{}{}
+		}
+	}
+
+	return idlePeers, nil
+}
+
+func validateInactivityThreshold(configuredThreshold *time.Duration) (time.Duration, error) {
+	if configuredThreshold == nil {
+		return DefaultInactivityThreshold, nil
+	}
+	if *configuredThreshold < MinimumInactivityThreshold {
+		return 0, fmt.Errorf("configured inactivity threshold %v is too low, using %v", *configuredThreshold, MinimumInactivityThreshold)
+	}
+	return *configuredThreshold, nil
+}

client/internal/lazyconn/inactivity/manager_test.go

@@ -0,0 +1,113 @@
+package inactivity
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+
+	"github.com/netbirdio/netbird/client/internal/lazyconn"
+)
+
+type mockWgInterface struct {
+	lastActivities map[string]time.Time
+}
+
+func (m *mockWgInterface) LastActivities() map[string]time.Time {
+	return m.lastActivities
+}
+
+func TestPeerTriggersInactivity(t *testing.T) {
+	peerID := "peer1"
+
+	wgMock := &mockWgInterface{
+		lastActivities: map[string]time.Time{
+			peerID: time.Now().Add(-20 * time.Minute),
+		},
+	}
+
+	fakeTick := make(chan time.Time, 1)
+	newTicker = func(d time.Duration) Ticker {
+		return &fakeTickerMock{CChan: fakeTick}
+	}
+
+	peerLog := log.WithField("peer", peerID)
+	peerCfg := &lazyconn.PeerConfig{
+		PublicKey: peerID,
+		Log:       peerLog,
+	}
+
+	manager := NewManager(wgMock, nil)
+	manager.AddPeer(peerCfg)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	// Start the manager in a goroutine
+	go manager.Start(ctx)
+
+	// Send a tick to simulate time passage
+	fakeTick <- time.Now()
+
+	// Check if peer appears on inactivePeersChan
+	select {
+	case inactivePeers := <-manager.inactivePeersChan:
+		assert.Contains(t, inactivePeers, peerID, "expected peer to be marked inactive")
+	case <-time.After(1 * time.Second):
+		t.Fatal("expected inactivity event, but none received")
+	}
+}
+
+func TestPeerTriggersActivity(t *testing.T) {
+	peerID := "peer1"
+
+	wgMock := &mockWgInterface{
+		lastActivities: map[string]time.Time{
+			peerID: time.Now().Add(-5 * time.Minute),
+		},
+	}
+
+	fakeTick := make(chan time.Time, 1)
+	newTicker = func(d time.Duration) Ticker {
+		return &fakeTickerMock{CChan: fakeTick}
+	}
+
+	peerLog := log.WithField("peer", peerID)
+	peerCfg := &lazyconn.PeerConfig{
+		PublicKey: peerID,
+		Log:       peerLog,
+	}
+
+	manager := NewManager(wgMock, nil)
+	manager.AddPeer(peerCfg)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	// Start the manager in a goroutine
+	go manager.Start(ctx)
+
+	// Send a tick to simulate time passage
+	fakeTick <- time.Now()
+
+	// Check if peer appears on inactivePeersChan
+	select {
+	case <-manager.inactivePeersChan:
+		t.Fatal("expected inactive peer to be marked inactive")
+	case <-time.After(1 * time.Second):
+		// No inactivity event should be received
+	}
+}
+
+// fakeTickerMock implements Ticker interface for testing
+type fakeTickerMock struct {
+	CChan chan time.Time
+}
+
+func (f *fakeTickerMock) C() <-chan time.Time {
+	return f.CChan
+}
+
+func (f *fakeTickerMock) Stop() {}

client/internal/lazyconn/inactivity/ticker.go

@@ -0,0 +1,24 @@
+package inactivity
+
+import "time"
+
+var newTicker = func(d time.Duration) Ticker {
+	return &realTicker{t: time.NewTicker(d)}
+}
+
+type Ticker interface {
+	C() <-chan time.Time
+	Stop()
+}
+
+type realTicker struct {
+	t *time.Ticker
+}
+
+func (r *realTicker) C() <-chan time.Time {
+	return r.t.C
+}
+
+func (r *realTicker) Stop() {
+	r.t.Stop()
+}

client/internal/lazyconn/manager/manager.go

@@ -11,7 +11,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/lazyconn"
 	"github.com/netbirdio/netbird/client/internal/lazyconn/activity"
 	"github.com/netbirdio/netbird/client/internal/lazyconn/inactivity"
-	"github.com/netbirdio/netbird/client/internal/peer/dispatcher"
 	peerid "github.com/netbirdio/netbird/client/internal/peer/id"
 	"github.com/netbirdio/netbird/client/internal/peerstore"
 	"github.com/netbirdio/netbird/route"
@@ -43,60 +42,46 @@ type Config struct {
 type Manager struct {
 	engineCtx           context.Context
 	peerStore           *peerstore.Store
-	connStateDispatcher *dispatcher.ConnectionDispatcher
 	inactivityThreshold time.Duration
 
-	connStateListener    *dispatcher.ConnectionListener
 	managedPeers         map[string]*lazyconn.PeerConfig
 	managedPeersByConnID map[peerid.ConnID]*managedPeer
 	excludes             map[string]lazyconn.PeerConfig
 	managedPeersMu       sync.Mutex
 
-	activityManager    *activity.Manager
+	activityManager   *activity.Manager
-	inactivityMonitors map[peerid.ConnID]*inactivity.Monitor
+	inactivityManager *inactivity.Manager
 
 	// Route HA group management
+	// If any peer in the same HA group is active, all peers in that group should prevent going idle
 	peerToHAGroups map[string][]route.HAUniqueID // peer ID -> HA groups they belong to
 	haGroupToPeers map[route.HAUniqueID][]string // HA group -> peer IDs in the group
 	routesMu       sync.RWMutex
-
-	onInactive chan peerid.ConnID
 }
 
 // NewManager creates a new lazy connection manager
 // engineCtx is the context for creating peer Connection
-func NewManager(config Config, engineCtx context.Context, peerStore *peerstore.Store, wgIface lazyconn.WGIface, connStateDispatcher *dispatcher.ConnectionDispatcher) *Manager {
+func NewManager(config Config, engineCtx context.Context, peerStore *peerstore.Store, wgIface lazyconn.WGIface) *Manager {
 	log.Infof("setup lazy connection service")
+
 	m := &Manager{
 		engineCtx:            engineCtx,
 		peerStore:            peerStore,
-		connStateDispatcher:  connStateDispatcher,
 		inactivityThreshold:  inactivity.DefaultInactivityThreshold,
 		managedPeers:         make(map[string]*lazyconn.PeerConfig),
 		managedPeersByConnID: make(map[peerid.ConnID]*managedPeer),
 		excludes:             make(map[string]lazyconn.PeerConfig),
 		activityManager:      activity.NewManager(wgIface),
-		inactivityMonitors:   make(map[peerid.ConnID]*inactivity.Monitor),
 		peerToHAGroups:       make(map[string][]route.HAUniqueID),
 		haGroupToPeers:       make(map[route.HAUniqueID][]string),
-		onInactive:           make(chan peerid.ConnID),
 	}
 
-	if config.InactivityThreshold != nil {
+	if wgIface.IsUserspaceBind() {
-		if *config.InactivityThreshold >= inactivity.MinimumInactivityThreshold {
+		m.inactivityManager = inactivity.NewManager(wgIface, config.InactivityThreshold)
-			m.inactivityThreshold = *config.InactivityThreshold
+	} else {
-		} else {
+		log.Warnf("inactivity manager not supported for kernel mode, wait for remote peer to close the connection")
-			log.Warnf("inactivity threshold is too low, using %v", m.inactivityThreshold)
-		}
 	}
 
-	m.connStateListener = &dispatcher.ConnectionListener{
-		OnConnected:    m.onPeerConnected,
-		OnDisconnected: m.onPeerDisconnected,
-	}
-
-	connStateDispatcher.AddListener(m.connStateListener)
-
 	return m
 }
 
@@ -131,24 +116,28 @@ func (m *Manager) UpdateRouteHAMap(haMap route.HAMap) {
 		}
 	}
 
-	log.Debugf("updated route HA mappings: %d HA groups, %d peers with routes",
+	log.Debugf("updated route HA mappings: %d HA groups, %d peers with routes", len(m.haGroupToPeers), len(m.peerToHAGroups))
-		len(m.haGroupToPeers), len(m.peerToHAGroups))
 }
 
 // Start starts the manager and listens for peer activity and inactivity events
 func (m *Manager) Start(ctx context.Context) {
 	defer m.close()
 
+	if m.inactivityManager != nil {
+		go m.inactivityManager.Start(ctx)
+	}
+
 	for {
 		select {
 		case <-ctx.Done():
 			return
 		case peerConnID := <-m.activityManager.OnActivityChan:
-			m.onPeerActivity(ctx, peerConnID)
+			m.onPeerActivity(peerConnID)
-		case peerConnID := <-m.onInactive:
+		case peerIDs := <-m.inactivityManager.InactivePeersChan():
-			m.onPeerInactivityTimedOut(ctx, peerConnID)
+			m.onPeerInactivityTimedOut(peerIDs)
 		}
 	}
+
 }
 
 // ExcludePeer marks peers for a permanent connection
@@ -156,7 +145,7 @@ func (m *Manager) Start(ctx context.Context) {
 // Adds them back to the managed list and start the inactivity listener if they are removed from the exclude list. In
 // this case, we suppose that the connection status is connected or connecting.
 // If the peer is not exists yet in the managed list then the responsibility is the upper layer to call the AddPeer function
-func (m *Manager) ExcludePeer(ctx context.Context, peerConfigs []lazyconn.PeerConfig) []string {
+func (m *Manager) ExcludePeer(peerConfigs []lazyconn.PeerConfig) []string {
 	m.managedPeersMu.Lock()
 	defer m.managedPeersMu.Unlock()
 
@@ -187,7 +176,7 @@ func (m *Manager) ExcludePeer(ctx context.Context, peerConfigs []lazyconn.PeerCo
 
 		peerCfg.Log.Infof("peer removed from lazy connection exclude list")
 
-		if err := m.addActivePeer(ctx, peerCfg); err != nil {
+		if err := m.addActivePeer(&peerCfg); err != nil {
 			log.Errorf("failed to add peer to lazy connection manager: %s", err)
 			continue
 		}
@@ -197,7 +186,7 @@ func (m *Manager) ExcludePeer(ctx context.Context, peerConfigs []lazyconn.PeerCo
 	return added
 }
 
-func (m *Manager) AddPeer(ctx context.Context, peerCfg lazyconn.PeerConfig) (bool, error) {
+func (m *Manager) AddPeer(peerCfg lazyconn.PeerConfig) (bool, error) {
 	m.managedPeersMu.Lock()
 	defer m.managedPeersMu.Unlock()
 
@@ -217,9 +206,6 @@ func (m *Manager) AddPeer(ctx context.Context, peerCfg lazyconn.PeerConfig) (boo
 		return false, err
 	}
 
-	im := inactivity.NewInactivityMonitor(peerCfg.PeerConnID, m.inactivityThreshold)
-	m.inactivityMonitors[peerCfg.PeerConnID] = im
-
 	m.managedPeers[peerCfg.PublicKey] = &peerCfg
 	m.managedPeersByConnID[peerCfg.PeerConnID] = &managedPeer{
 		peerCfg:         &peerCfg,
@@ -229,7 +215,7 @@ func (m *Manager) AddPeer(ctx context.Context, peerCfg lazyconn.PeerConfig) (boo
 	// Check if this peer should be activated because its HA group peers are active
 	if group, ok := m.shouldActivateNewPeer(peerCfg.PublicKey); ok {
 		peerCfg.Log.Debugf("peer belongs to active HA group %s, will activate immediately", group)
-		m.activateNewPeerInActiveGroup(ctx, peerCfg)
+		m.activateNewPeerInActiveGroup(peerCfg)
 	}
 
 	return false, nil
@@ -237,7 +223,7 @@ func (m *Manager) AddPeer(ctx context.Context, peerCfg lazyconn.PeerConfig) (boo
 
 // AddActivePeers adds a list of peers to the lazy connection manager
 // suppose these peers was in connected or in connecting states
-func (m *Manager) AddActivePeers(ctx context.Context, peerCfg []lazyconn.PeerConfig) error {
+func (m *Manager) AddActivePeers(peerCfg []lazyconn.PeerConfig) error {
 	m.managedPeersMu.Lock()
 	defer m.managedPeersMu.Unlock()
 
@@ -247,7 +233,7 @@ func (m *Manager) AddActivePeers(ctx context.Context, peerCfg []lazyconn.PeerCon
 			continue
 		}
 
-		if err := m.addActivePeer(ctx, cfg); err != nil {
+		if err := m.addActivePeer(&cfg); err != nil {
 			cfg.Log.Errorf("failed to add peer to lazy connection manager: %v", err)
 			return err
 		}
@@ -264,7 +250,7 @@ func (m *Manager) RemovePeer(peerID string) {
 
 // ActivatePeer activates a peer connection when a signal message is received
 // Also activates all peers in the same HA groups as this peer
-func (m *Manager) ActivatePeer(ctx context.Context, peerID string) (found bool) {
+func (m *Manager) ActivatePeer(peerID string) (found bool) {
 	m.managedPeersMu.Lock()
 	defer m.managedPeersMu.Unlock()
 	cfg, mp := m.getPeerForActivation(peerID)
@@ -272,15 +258,42 @@ func (m *Manager) ActivatePeer(ctx context.Context, peerID string) (found bool)
 		return false
 	}
 
-	if !m.activateSinglePeer(ctx, cfg, mp) {
+	if !m.activateSinglePeer(cfg, mp) {
 		return false
 	}
 
-	m.activateHAGroupPeers(ctx, peerID)
+	m.activateHAGroupPeers(cfg)
 
 	return true
 }
 
+func (m *Manager) DeactivatePeer(peerID peerid.ConnID) {
+	m.managedPeersMu.Lock()
+	defer m.managedPeersMu.Unlock()
+
+	mp, ok := m.managedPeersByConnID[peerID]
+	if !ok {
+		return
+	}
+
+	if mp.expectedWatcher != watcherInactivity {
+		return
+	}
+
+	m.peerStore.PeerConnClose(mp.peerCfg.PublicKey)
+
+	mp.peerCfg.Log.Infof("start activity monitor")
+
+	mp.expectedWatcher = watcherActivity
+
+	m.inactivityManager.RemovePeer(mp.peerCfg.PublicKey)
+
+	if err := m.activityManager.MonitorPeerActivity(*mp.peerCfg); err != nil {
+		mp.peerCfg.Log.Errorf("failed to create activity monitor: %v", err)
+		return
+	}
+}
+
 // getPeerForActivation checks if a peer can be activated and returns the necessary structs
 // Returns nil values if the peer should be skipped
 func (m *Manager) getPeerForActivation(peerID string) (*lazyconn.PeerConfig, *managedPeer) {
@@ -302,41 +315,36 @@ func (m *Manager) getPeerForActivation(peerID string) (*lazyconn.PeerConfig, *ma
 	return cfg, mp
 }
 
-// activateSinglePeer activates a single peer (internal method)
+// activateSinglePeer activates a single peer
-func (m *Manager) activateSinglePeer(ctx context.Context, cfg *lazyconn.PeerConfig, mp *managedPeer) bool {
+// return true if the peer was activated, false if it was already active
-	mp.expectedWatcher = watcherInactivity
+func (m *Manager) activateSinglePeer(cfg *lazyconn.PeerConfig, mp *managedPeer) bool {
-
+	if mp.expectedWatcher == watcherInactivity {
-	m.activityManager.RemovePeer(cfg.Log, cfg.PeerConnID)
-
-	im, ok := m.inactivityMonitors[cfg.PeerConnID]
-	if !ok {
-		cfg.Log.Errorf("inactivity monitor not found for peer")
 		return false
 	}
 
-	cfg.Log.Infof("starting inactivity monitor")
+	mp.expectedWatcher = watcherInactivity
-	go im.Start(ctx, m.onInactive)
+	m.activityManager.RemovePeer(cfg.Log, cfg.PeerConnID)
-
+	m.inactivityManager.AddPeer(cfg)
 	return true
 }
 
 // activateHAGroupPeers activates all peers in HA groups that the given peer belongs to
-func (m *Manager) activateHAGroupPeers(ctx context.Context, triggerPeerID string) {
+func (m *Manager) activateHAGroupPeers(triggeredPeerCfg *lazyconn.PeerConfig) {
 	var peersToActivate []string
 
 	m.routesMu.RLock()
-	haGroups := m.peerToHAGroups[triggerPeerID]
+	haGroups := m.peerToHAGroups[triggeredPeerCfg.PublicKey]
 
 	if len(haGroups) == 0 {
 		m.routesMu.RUnlock()
-		log.Debugf("peer %s is not part of any HA groups", triggerPeerID)
+		triggeredPeerCfg.Log.Debugf("peer is not part of any HA groups")
 		return
 	}
 
 	for _, haGroup := range haGroups {
 		peers := m.haGroupToPeers[haGroup]
 		for _, peerID := range peers {
-			if peerID != triggerPeerID {
+			if peerID != triggeredPeerCfg.PublicKey {
 				peersToActivate = append(peersToActivate, peerID)
 			}
 		}
@@ -350,16 +358,16 @@ func (m *Manager) activateHAGroupPeers(ctx context.Context, triggerPeerID string
 			continue
 		}
 
-		if m.activateSinglePeer(ctx, cfg, mp) {
+		if m.activateSinglePeer(cfg, mp) {
 			activatedCount++
-			cfg.Log.Infof("activated peer as part of HA group (triggered by %s)", triggerPeerID)
+			cfg.Log.Infof("activated peer as part of HA group (triggered by %s)", triggeredPeerCfg.PublicKey)
 			m.peerStore.PeerConnOpen(m.engineCtx, cfg.PublicKey)
 		}
 	}
 
 	if activatedCount > 0 {
 		log.Infof("activated %d additional peers in HA groups for peer %s (groups: %v)",
-			activatedCount, triggerPeerID, haGroups)
+			activatedCount, triggeredPeerCfg.PublicKey, haGroups)
 	}
 }
 
@@ -394,13 +402,13 @@ func (m *Manager) shouldActivateNewPeer(peerID string) (route.HAUniqueID, bool)
 }
 
 // activateNewPeerInActiveGroup activates a newly added peer that should be active due to HA group
-func (m *Manager) activateNewPeerInActiveGroup(ctx context.Context, peerCfg lazyconn.PeerConfig) {
+func (m *Manager) activateNewPeerInActiveGroup(peerCfg lazyconn.PeerConfig) {
 	mp, ok := m.managedPeersByConnID[peerCfg.PeerConnID]
 	if !ok {
 		return
 	}
 
-	if !m.activateSinglePeer(ctx, &peerCfg, mp) {
+	if !m.activateSinglePeer(&peerCfg, mp) {
 		return
 	}
 
@@ -408,23 +416,19 @@ func (m *Manager) activateNewPeerInActiveGroup(ctx context.Context, peerCfg lazy
 	m.peerStore.PeerConnOpen(m.engineCtx, peerCfg.PublicKey)
 }
 
-func (m *Manager) addActivePeer(ctx context.Context, peerCfg lazyconn.PeerConfig) error {
+func (m *Manager) addActivePeer(peerCfg *lazyconn.PeerConfig) error {
 	if _, ok := m.managedPeers[peerCfg.PublicKey]; ok {
 		peerCfg.Log.Warnf("peer already managed")
 		return nil
 	}
 
-	im := inactivity.NewInactivityMonitor(peerCfg.PeerConnID, m.inactivityThreshold)
+	m.managedPeers[peerCfg.PublicKey] = peerCfg
-	m.inactivityMonitors[peerCfg.PeerConnID] = im
-
-	m.managedPeers[peerCfg.PublicKey] = &peerCfg
 	m.managedPeersByConnID[peerCfg.PeerConnID] = &managedPeer{
-		peerCfg:         &peerCfg,
+		peerCfg:         peerCfg,
 		expectedWatcher: watcherInactivity,
 	}
 
-	peerCfg.Log.Infof("starting inactivity monitor on peer that has been removed from exclude list")
+	m.inactivityManager.AddPeer(peerCfg)
-	go im.Start(ctx, m.onInactive)
 	return nil
 }
 
@@ -436,12 +440,7 @@ func (m *Manager) removePeer(peerID string) {
 
 	cfg.Log.Infof("removing lazy peer")
 
-	if im, ok := m.inactivityMonitors[cfg.PeerConnID]; ok {
+	m.inactivityManager.RemovePeer(cfg.PublicKey)
-		im.Stop()
-		delete(m.inactivityMonitors, cfg.PeerConnID)
-		cfg.Log.Debugf("inactivity monitor stopped")
-	}
-
 	m.activityManager.RemovePeer(cfg.Log, cfg.PeerConnID)
 	delete(m.managedPeers, peerID)
 	delete(m.managedPeersByConnID, cfg.PeerConnID)
@@ -451,12 +450,8 @@ func (m *Manager) close() {
 	m.managedPeersMu.Lock()
 	defer m.managedPeersMu.Unlock()
 
-	m.connStateDispatcher.RemoveListener(m.connStateListener)
 	m.activityManager.Close()
-	for _, iw := range m.inactivityMonitors {
+
-		iw.Stop()
-	}
-	m.inactivityMonitors = make(map[peerid.ConnID]*inactivity.Monitor)
 	m.managedPeers = make(map[string]*lazyconn.PeerConfig)
 	m.managedPeersByConnID = make(map[peerid.ConnID]*managedPeer)
 
@@ -470,7 +465,7 @@ func (m *Manager) close() {
 }
 
 // shouldDeferIdleForHA checks if peer should stay connected due to HA group requirements
-func (m *Manager) shouldDeferIdleForHA(peerID string) bool {
+func (m *Manager) shouldDeferIdleForHA(inactivePeers map[string]struct{}, peerID string) bool {
 	m.routesMu.RLock()
 	defer m.routesMu.RUnlock()
 
@@ -480,38 +475,45 @@ func (m *Manager) shouldDeferIdleForHA(peerID string) bool {
 	}
 
 	for _, haGroup := range haGroups {
-		groupPeers := m.haGroupToPeers[haGroup]
+		if active := m.checkHaGroupActivity(haGroup, peerID, inactivePeers); active {
-
+			return true
-		for _, groupPeerID := range groupPeers {
-			if groupPeerID == peerID {
-				continue
-			}
-
-			cfg, ok := m.managedPeers[groupPeerID]
-			if !ok {
-				continue
-			}
-
-			groupMp, ok := m.managedPeersByConnID[cfg.PeerConnID]
-			if !ok {
-				continue
-			}
-
-			if groupMp.expectedWatcher != watcherInactivity {
-				continue
-			}
-
-			// Other member is still connected, defer idle
-			if peer, ok := m.peerStore.PeerConn(groupPeerID); ok && peer.IsConnected() {
-				return true
-			}
 		}
 	}
 
 	return false
 }
 
-func (m *Manager) onPeerActivity(ctx context.Context, peerConnID peerid.ConnID) {
+func (m *Manager) checkHaGroupActivity(haGroup route.HAUniqueID, peerID string, inactivePeers map[string]struct{}) bool {
+	groupPeers := m.haGroupToPeers[haGroup]
+	for _, groupPeerID := range groupPeers {
+
+		if groupPeerID == peerID {
+			continue
+		}
+
+		cfg, ok := m.managedPeers[groupPeerID]
+		if !ok {
+			continue
+		}
+
+		groupMp, ok := m.managedPeersByConnID[cfg.PeerConnID]
+		if !ok {
+			continue
+		}
+
+		if groupMp.expectedWatcher != watcherInactivity {
+			continue
+		}
+
+		// If any peer in the group is active, do defer idle
+		if _, isInactive := inactivePeers[groupPeerID]; !isInactive {
+			return true
+		}
+	}
+	return false
+}
+
+func (m *Manager) onPeerActivity(peerConnID peerid.ConnID) {
 	m.managedPeersMu.Lock()
 	defer m.managedPeersMu.Unlock()
 
@@ -528,100 +530,56 @@ func (m *Manager) onPeerActivity(ctx context.Context, peerConnID peerid.ConnID)
 
 	mp.peerCfg.Log.Infof("detected peer activity")
 
-	if !m.activateSinglePeer(ctx, mp.peerCfg, mp) {
+	if !m.activateSinglePeer(mp.peerCfg, mp) {
 		return
 	}
 
-	m.activateHAGroupPeers(ctx, mp.peerCfg.PublicKey)
+	m.activateHAGroupPeers(mp.peerCfg)
 
 	m.peerStore.PeerConnOpen(m.engineCtx, mp.peerCfg.PublicKey)
 }
 
-func (m *Manager) onPeerInactivityTimedOut(ctx context.Context, peerConnID peerid.ConnID) {
+func (m *Manager) onPeerInactivityTimedOut(peerIDs map[string]struct{}) {
 	m.managedPeersMu.Lock()
 	defer m.managedPeersMu.Unlock()
 
-	mp, ok := m.managedPeersByConnID[peerConnID]
+	for peerID := range peerIDs {
-	if !ok {
+		peerCfg, ok := m.managedPeers[peerID]
-		log.Errorf("peer not found by id: %v", peerConnID)
+		if !ok {
-		return
+			log.Errorf("peer not found by peerId: %v", peerID)
-	}
+			continue
-
-	if mp.expectedWatcher != watcherInactivity {
-		mp.peerCfg.Log.Warnf("ignore inactivity event")
-		return
-	}
-
-	if m.shouldDeferIdleForHA(mp.peerCfg.PublicKey) {
-		iw, ok := m.inactivityMonitors[peerConnID]
-		if ok {
-			mp.peerCfg.Log.Debugf("resetting inactivity timer due to HA group requirements")
-			iw.ResetMonitor(ctx, m.onInactive)
-		} else {
-			mp.peerCfg.Log.Errorf("inactivity monitor not found for HA defer reset")
 		}
-		return
-	}
 
-	mp.peerCfg.Log.Infof("connection timed out")
+		mp, ok := m.managedPeersByConnID[peerCfg.PeerConnID]
+		if !ok {
+			log.Errorf("peer not found by conn id: %v", peerCfg.PeerConnID)
+			continue
+		}
 
-	// this is blocking operation, potentially can be optimized
+		if mp.expectedWatcher != watcherInactivity {
-	m.peerStore.PeerConnClose(mp.peerCfg.PublicKey)
+			mp.peerCfg.Log.Warnf("ignore inactivity event")
+			continue
+		}
 
-	mp.peerCfg.Log.Infof("start activity monitor")
+		if m.shouldDeferIdleForHA(peerIDs, mp.peerCfg.PublicKey) {
+			mp.peerCfg.Log.Infof("defer inactivity due to active HA group peers")
+			continue
+		}
 
-	mp.expectedWatcher = watcherActivity
+		mp.peerCfg.Log.Infof("connection timed out")
 
-	// just in case free up
+		// this is blocking operation, potentially can be optimized
-	m.inactivityMonitors[peerConnID].PauseTimer()
+		m.peerStore.PeerConnIdle(mp.peerCfg.PublicKey)
 
-	if err := m.activityManager.MonitorPeerActivity(*mp.peerCfg); err != nil {
+		mp.peerCfg.Log.Infof("start activity monitor")
-		mp.peerCfg.Log.Errorf("failed to create activity monitor: %v", err)
+
-		return
+		mp.expectedWatcher = watcherActivity
+
+		m.inactivityManager.RemovePeer(mp.peerCfg.PublicKey)
+
+		if err := m.activityManager.MonitorPeerActivity(*mp.peerCfg); err != nil {
+			mp.peerCfg.Log.Errorf("failed to create activity monitor: %v", err)
+			continue
+		}
 	}
 }
-
-func (m *Manager) onPeerConnected(peerConnID peerid.ConnID) {
-	m.managedPeersMu.Lock()
-	defer m.managedPeersMu.Unlock()
-
-	mp, ok := m.managedPeersByConnID[peerConnID]
-	if !ok {
-		return
-	}
-
-	if mp.expectedWatcher != watcherInactivity {
-		return
-	}
-
-	iw, ok := m.inactivityMonitors[mp.peerCfg.PeerConnID]
-	if !ok {
-		mp.peerCfg.Log.Warnf("inactivity monitor not found for peer")
-		return
-	}
-
-	mp.peerCfg.Log.Infof("peer connected, pausing inactivity monitor while connection is not disconnected")
-	iw.PauseTimer()
-}
-
-func (m *Manager) onPeerDisconnected(peerConnID peerid.ConnID) {
-	m.managedPeersMu.Lock()
-	defer m.managedPeersMu.Unlock()
-
-	mp, ok := m.managedPeersByConnID[peerConnID]
-	if !ok {
-		return
-	}
-
-	if mp.expectedWatcher != watcherInactivity {
-		return
-	}
-
-	iw, ok := m.inactivityMonitors[mp.peerCfg.PeerConnID]
-	if !ok {
-		return
-	}
-
-	mp.peerCfg.Log.Infof("reset inactivity monitor timer")
-	iw.ResetTimer()
-}

client/internal/lazyconn/wgiface.go

@@ -11,4 +11,6 @@ import (
 type WGIface interface {
 	RemovePeer(peerKey string) error
 	UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error
+	IsUserspaceBind() bool
+	LastActivities() map[string]time.Time
 }

client/internal/login.go

@@ -148,7 +148,7 @@ func registerPeer(ctx context.Context, serverPublicKey wgtypes.Key, client *mgm.
 	)
 	loginResp, err := client.Register(serverPublicKey, validSetupKey.String(), jwtToken, info, pubSSHKey, config.DNSLabels)
 	if err != nil {
-		log.Errorf("failed registering peer %v,%s", err, validSetupKey.String())
+		log.Errorf("failed registering peer %v", err)
 		return nil, err
 	}
 

client/internal/peer/conn.go

@@ -117,10 +117,9 @@ type Conn struct {
 	wgProxyRelay wgproxy.Proxy
 	handshaker   *Handshaker
 
-	guard              *guard.Guard
+	guard     *guard.Guard
-	semaphore          *semaphoregroup.SemaphoreGroup
+	semaphore *semaphoregroup.SemaphoreGroup
-	peerConnDispatcher *dispatcher.ConnectionDispatcher
+	wg        sync.WaitGroup
-	wg                 sync.WaitGroup
 
 	// debug purpose
 	dumpState *stateDump
@@ -136,18 +135,17 @@ func NewConn(config ConnConfig, services ServiceDependencies) (*Conn, error) {
 	connLog := log.WithField("peer", config.Key)
 
 	var conn = &Conn{
-		Log:                connLog,
+		Log:            connLog,
-		config:             config,
+		config:         config,
-		statusRecorder:     services.StatusRecorder,
+		statusRecorder: services.StatusRecorder,
-		signaler:           services.Signaler,
+		signaler:       services.Signaler,
-		iFaceDiscover:      services.IFaceDiscover,
+		iFaceDiscover:  services.IFaceDiscover,
-		relayManager:       services.RelayManager,
+		relayManager:   services.RelayManager,
-		srWatcher:          services.SrWatcher,
+		srWatcher:      services.SrWatcher,
-		semaphore:          services.Semaphore,
+		semaphore:      services.Semaphore,
-		peerConnDispatcher: services.PeerConnDispatcher,
+		statusRelay:    worker.NewAtomicStatus(),
-		statusRelay:        worker.NewAtomicStatus(),
+		statusICE:      worker.NewAtomicStatus(),
-		statusICE:          worker.NewAtomicStatus(),
+		dumpState:      newStateDump(config.Key, connLog, services.StatusRecorder),
-		dumpState:          newStateDump(config.Key, connLog, services.StatusRecorder),
 	}
 
 	return conn, nil
@@ -226,7 +224,7 @@ func (conn *Conn) Open(engineCtx context.Context) error {
 }
 
 // Close closes this peer Conn issuing a close event to the Conn closeCh
-func (conn *Conn) Close() {
+func (conn *Conn) Close(signalToRemote bool) {
 	conn.mu.Lock()
 	defer conn.wgWatcherWg.Wait()
 	defer conn.mu.Unlock()
@@ -236,6 +234,12 @@ func (conn *Conn) Close() {
 		return
 	}
 
+	if signalToRemote {
+		if err := conn.signaler.SignalIdle(conn.config.Key); err != nil {
+			conn.Log.Errorf("failed to signal idle state to peer: %v", err)
+		}
+	}
+
 	conn.Log.Infof("close peer connection")
 	conn.ctxCancel()
 
@@ -404,15 +408,10 @@ func (conn *Conn) onICEConnectionIsReady(priority conntype.ConnPriority, iceConn
 	}
 	wgConfigWorkaround()
 
-	oldState := conn.currentConnPriority
 	conn.currentConnPriority = priority
 	conn.statusICE.SetConnected()
 	conn.updateIceState(iceConnInfo)
 	conn.doOnConnected(iceConnInfo.RosenpassPubKey, iceConnInfo.RosenpassAddr)
-
-	if oldState == conntype.None {
-		conn.peerConnDispatcher.NotifyConnected(conn.ConnID())
-	}
 }
 
 func (conn *Conn) onICEStateDisconnected() {
@@ -450,7 +449,6 @@ func (conn *Conn) onICEStateDisconnected() {
 	} else {
 		conn.Log.Infof("ICE disconnected, do not switch to Relay. Reset priority to: %s", conntype.None.String())
 		conn.currentConnPriority = conntype.None
-		conn.peerConnDispatcher.NotifyDisconnected(conn.ConnID())
 	}
 
 	changed := conn.statusICE.Get() != worker.StatusDisconnected
@@ -530,7 +528,6 @@ func (conn *Conn) onRelayConnectionIsReady(rci RelayConnInfo) {
 	conn.updateRelayStatus(rci.relayedConn.RemoteAddr().String(), rci.rosenpassPubKey)
 	conn.Log.Infof("start to communicate with peer via relay")
 	conn.doOnConnected(rci.rosenpassPubKey, rci.rosenpassAddr)
-	conn.peerConnDispatcher.NotifyConnected(conn.ConnID())
 }
 
 func (conn *Conn) onRelayDisconnected() {
@@ -545,11 +542,7 @@ func (conn *Conn) onRelayDisconnected() {
 
 	if conn.currentConnPriority == conntype.Relay {
 		conn.Log.Debugf("clean up WireGuard config")
-		if err := conn.removeWgPeer(); err != nil {
-			conn.Log.Errorf("failed to remove wg endpoint: %v", err)
-		}
 		conn.currentConnPriority = conntype.None
-		conn.peerConnDispatcher.NotifyDisconnected(conn.ConnID())
 	}
 
 	if conn.wgProxyRelay != nil {

client/internal/peer/signaler.go

@@ -68,3 +68,13 @@ func (s *Signaler) signalOfferAnswer(offerAnswer OfferAnswer, remoteKey string,
 
 	return nil
 }
+
+func (s *Signaler) SignalIdle(remoteKey string) error {
+	return s.signal.Send(&sProto.Message{
+		Key:       s.wgPrivateKey.PublicKey().String(),
+		RemoteKey: remoteKey,
+		Body: &sProto.Body{
+			Type: sProto.Body_GO_IDLE,
+		},
+	})
+}

client/internal/peerstore/store.go

@@ -95,6 +95,17 @@ func (s *Store) PeerConnOpen(ctx context.Context, pubKey string) {
 
 }
 
+func (s *Store) PeerConnIdle(pubKey string) {
+	s.peerConnsMu.RLock()
+	defer s.peerConnsMu.RUnlock()
+
+	p, ok := s.peerConns[pubKey]
+	if !ok {
+		return
+	}
+	p.Close(true)
+}
+
 func (s *Store) PeerConnClose(pubKey string) {
 	s.peerConnsMu.RLock()
 	defer s.peerConnsMu.RUnlock()
@@ -103,7 +114,7 @@ func (s *Store) PeerConnClose(pubKey string) {
 	if !ok {
 		return
 	}
-	p.Close()
+	p.Close(false)
 }
 
 func (s *Store) PeersPubKey() []string {

client/internal/routemanager/client/client.go

@@ -10,11 +10,10 @@ import (
 
 	nbdns "github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/internal/peerstore"
+	"github.com/netbirdio/netbird/client/internal/routemanager/common"
 	"github.com/netbirdio/netbird/client/internal/routemanager/dnsinterceptor"
 	"github.com/netbirdio/netbird/client/internal/routemanager/dynamic"
 	"github.com/netbirdio/netbird/client/internal/routemanager/iface"
-	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
 	"github.com/netbirdio/netbird/client/internal/routemanager/static"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/route"
@@ -553,41 +552,16 @@ func (w *Watcher) Stop() {
 	w.currentChosenStatus = nil
 }
 
-func HandlerFromRoute(
+func HandlerFromRoute(params common.HandlerParams) RouteHandler {
-	rt *route.Route,
+	switch handlerType(params.Route, params.UseNewDNSRoute) {
-	routeRefCounter *refcounter.RouteRefCounter,
-	allowedIPsRefCounter *refcounter.AllowedIPsRefCounter,
-	dnsRouterInteval time.Duration,
-	statusRecorder *peer.Status,
-	wgInterface iface.WGIface,
-	dnsServer nbdns.Server,
-	peerStore *peerstore.Store,
-	useNewDNSRoute bool,
-) RouteHandler {
-	switch handlerType(rt, useNewDNSRoute) {
 	case handlerTypeDnsInterceptor:
-		return dnsinterceptor.New(
+		return dnsinterceptor.New(params)
-			rt,
-			routeRefCounter,
-			allowedIPsRefCounter,
-			statusRecorder,
-			dnsServer,
-			wgInterface,
-			peerStore,
-		)
 	case handlerTypeDynamic:
-		dns := nbdns.NewServiceViaMemory(wgInterface)
+		dns := nbdns.NewServiceViaMemory(params.WgInterface)
-		return dynamic.NewRoute(
+		dnsAddr := fmt.Sprintf("%s:%d", dns.RuntimeIP(), dns.RuntimePort())
-			rt,
+		return dynamic.NewRoute(params, dnsAddr)
-			routeRefCounter,
-			allowedIPsRefCounter,
-			dnsRouterInteval,
-			statusRecorder,
-			wgInterface,
-			fmt.Sprintf("%s:%d", dns.RuntimeIP(), dns.RuntimePort()),
-		)
 	default:
-		return static.NewRoute(rt, routeRefCounter, allowedIPsRefCounter)
+		return static.NewRoute(params)
 	}
 }
 

client/internal/routemanager/client/client_test.go

@@ -7,12 +7,12 @@ import (
 	"time"
 
 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/routemanager/common"
 	"github.com/netbirdio/netbird/client/internal/routemanager/static"
 	"github.com/netbirdio/netbird/route"
 )
 
 func TestGetBestrouteFromStatuses(t *testing.T) {
-
 	testCases := []struct {
 		name            string
 		statuses        map[route.ID]routerPeerStatus
@@ -811,9 +811,12 @@ func TestGetBestrouteFromStatuses(t *testing.T) {
 				currentRoute = tc.existingRoutes[tc.currentRoute]
 			}
 
+			params := common.HandlerParams{
+				Route:               &route.Route{Network: netip.MustParsePrefix("192.168.0.0/24")},
+			}
 			// create new clientNetwork
 			client := &Watcher{
-				handler:       static.NewRoute(&route.Route{Network: netip.MustParsePrefix("192.168.0.0/24")}, nil, nil),
+				handler:       static.NewRoute(params),
 				routes:        tc.existingRoutes,
 				currentChosen: currentRoute,
 			}

client/internal/routemanager/common/params.go

@@ -0,0 +1,28 @@
+package common
+
+import (
+	"time"
+
+	"github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/internal/dns"
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/peerstore"
+	"github.com/netbirdio/netbird/client/internal/routemanager/fakeip"
+	"github.com/netbirdio/netbird/client/internal/routemanager/iface"
+	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
+	"github.com/netbirdio/netbird/route"
+)
+
+type HandlerParams struct {
+	Route                *route.Route
+	RouteRefCounter      *refcounter.RouteRefCounter
+	AllowedIPsRefCounter *refcounter.AllowedIPsRefCounter
+	DnsRouterInterval    time.Duration
+	StatusRecorder       *peer.Status
+	WgInterface          iface.WGIface
+	DnsServer            dns.Server
+	PeerStore            *peerstore.Store
+	UseNewDNSRoute       bool
+	Firewall             manager.Manager
+	FakeIPManager        *fakeip.Manager
+}

client/internal/routemanager/dnsinterceptor/handler.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net/netip"
+	"runtime"
 	"strings"
 	"sync"
 
@@ -12,11 +13,14 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
+	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	nbdns "github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/dnsfwd"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/peerstore"
+	"github.com/netbirdio/netbird/client/internal/routemanager/common"
+	"github.com/netbirdio/netbird/client/internal/routemanager/fakeip"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
 	"github.com/netbirdio/netbird/management/domain"
 	"github.com/netbirdio/netbird/route"
@@ -24,6 +28,11 @@ import (
 
 type domainMap map[domain.Domain][]netip.Prefix
 
+type internalDNATer interface {
+	RemoveInternalDNATMapping(netip.Addr) error
+	AddInternalDNATMapping(netip.Addr, netip.Addr) error
+}
+
 type wgInterface interface {
 	Name() string
 	Address() wgaddr.Address
@@ -40,26 +49,22 @@ type DnsInterceptor struct {
 	interceptedDomains   domainMap
 	wgInterface          wgInterface
 	peerStore            *peerstore.Store
+	firewall             firewall.Manager
+	fakeIPManager        *fakeip.Manager
 }
 
-func New(
+func New(params common.HandlerParams) *DnsInterceptor {
-	rt *route.Route,
-	routeRefCounter *refcounter.RouteRefCounter,
-	allowedIPsRefCounter *refcounter.AllowedIPsRefCounter,
-	statusRecorder *peer.Status,
-	dnsServer nbdns.Server,
-	wgInterface wgInterface,
-	peerStore *peerstore.Store,
-) *DnsInterceptor {
 	return &DnsInterceptor{
-		route:                rt,
+		route:                params.Route,
-		routeRefCounter:      routeRefCounter,
+		routeRefCounter:      params.RouteRefCounter,
-		allowedIPsRefcounter: allowedIPsRefCounter,
+		allowedIPsRefcounter: params.AllowedIPsRefCounter,
-		statusRecorder:       statusRecorder,
+		statusRecorder:       params.StatusRecorder,
-		dnsServer:            dnsServer,
+		dnsServer:            params.DnsServer,
-		wgInterface:          wgInterface,
+		wgInterface:          params.WgInterface,
+		peerStore:            params.PeerStore,
+		firewall:             params.Firewall,
+		fakeIPManager:        params.FakeIPManager,
 		interceptedDomains:   make(domainMap),
-		peerStore:            peerStore,
 	}
 }
 
@@ -78,9 +83,13 @@ func (d *DnsInterceptor) RemoveRoute() error {
 	var merr *multierror.Error
 	for domain, prefixes := range d.interceptedDomains {
 		for _, prefix := range prefixes {
-			if _, err := d.routeRefCounter.Decrement(prefix); err != nil {
+			// Routes should use fake IPs
-				merr = multierror.Append(merr, fmt.Errorf("remove dynamic route for IP %s: %v", prefix, err))
+			routePrefix := d.transformRealToFakePrefix(prefix)
+			if _, err := d.routeRefCounter.Decrement(routePrefix); err != nil {
+				merr = multierror.Append(merr, fmt.Errorf("remove dynamic route for IP %s: %v", routePrefix, err))
 			}
+
+			// AllowedIPs should use real IPs
 			if d.currentPeerKey != "" {
 				if _, err := d.allowedIPsRefcounter.Decrement(prefix); err != nil {
 					merr = multierror.Append(merr, fmt.Errorf("remove allowed IP %s: %v", prefix, err))
@@ -88,8 +97,10 @@ func (d *DnsInterceptor) RemoveRoute() error {
 			}
 		}
 		log.Debugf("removed dynamic route(s) for [%s]: %s", domain.SafeString(), strings.ReplaceAll(fmt.Sprintf("%s", prefixes), " ", ", "))
-
 	}
+
+	d.cleanupDNATMappings()
+
 	for _, domain := range d.route.Domains {
 		d.statusRecorder.DeleteResolvedDomainsStates(domain)
 	}
@@ -102,6 +113,68 @@ func (d *DnsInterceptor) RemoveRoute() error {
 	return nberrors.FormatErrorOrNil(merr)
 }
 
+// transformRealToFakePrefix returns fake IP prefix for routes (if DNAT enabled)
+func (d *DnsInterceptor) transformRealToFakePrefix(realPrefix netip.Prefix) netip.Prefix {
+	if _, hasDNAT := d.internalDnatFw(); !hasDNAT {
+		return realPrefix
+	}
+
+	if fakeIP, ok := d.fakeIPManager.GetFakeIP(realPrefix.Addr()); ok {
+		return netip.PrefixFrom(fakeIP, realPrefix.Bits())
+	}
+
+	return realPrefix
+}
+
+// addAllowedIPForPrefix handles the AllowedIPs logic for a single prefix (uses real IPs)
+func (d *DnsInterceptor) addAllowedIPForPrefix(realPrefix netip.Prefix, peerKey string, domain domain.Domain) error {
+	// AllowedIPs always use real IPs
+	ref, err := d.allowedIPsRefcounter.Increment(realPrefix, peerKey)
+	if err != nil {
+		return fmt.Errorf("add allowed IP %s: %v", realPrefix, err)
+	}
+
+	if ref.Count > 1 && ref.Out != peerKey {
+		log.Warnf("IP [%s] for domain [%s] is already routed by peer [%s]. HA routing disabled",
+			realPrefix.Addr(),
+			domain.SafeString(),
+			ref.Out,
+		)
+	}
+
+	return nil
+}
+
+// addRouteAndAllowedIP handles both route and AllowedIPs addition for a prefix
+func (d *DnsInterceptor) addRouteAndAllowedIP(realPrefix netip.Prefix, domain domain.Domain) error {
+	// Routes use fake IPs (so traffic to fake IPs gets routed to interface)
+	routePrefix := d.transformRealToFakePrefix(realPrefix)
+	if _, err := d.routeRefCounter.Increment(routePrefix, struct{}{}); err != nil {
+		return fmt.Errorf("add route for IP %s: %v", routePrefix, err)
+	}
+
+	// Add to AllowedIPs if we have a current peer (uses real IPs)
+	if d.currentPeerKey == "" {
+		return nil
+	}
+
+	return d.addAllowedIPForPrefix(realPrefix, d.currentPeerKey, domain)
+}
+
+// removeAllowedIP handles AllowedIPs removal for a prefix (uses real IPs)
+func (d *DnsInterceptor) removeAllowedIP(realPrefix netip.Prefix) error {
+	if d.currentPeerKey == "" {
+		return nil
+	}
+
+	// AllowedIPs use real IPs
+	if _, err := d.allowedIPsRefcounter.Decrement(realPrefix); err != nil {
+		return fmt.Errorf("remove allowed IP %s: %v", realPrefix, err)
+	}
+
+	return nil
+}
+
 func (d *DnsInterceptor) AddAllowedIPs(peerKey string) error {
 	d.mu.Lock()
 	defer d.mu.Unlock()
@@ -109,14 +182,9 @@ func (d *DnsInterceptor) AddAllowedIPs(peerKey string) error {
 	var merr *multierror.Error
 	for domain, prefixes := range d.interceptedDomains {
 		for _, prefix := range prefixes {
-			if ref, err := d.allowedIPsRefcounter.Increment(prefix, peerKey); err != nil {
+			// AllowedIPs use real IPs
-				merr = multierror.Append(merr, fmt.Errorf("add allowed IP %s: %v", prefix, err))
+			if err := d.addAllowedIPForPrefix(prefix, peerKey, domain); err != nil {
-			} else if ref.Count > 1 && ref.Out != peerKey {
+				merr = multierror.Append(merr, err)
-				log.Warnf("IP [%s] for domain [%s] is already routed by peer [%s]. HA routing disabled",
-					prefix.Addr(),
-					domain.SafeString(),
-					ref.Out,
-				)
 			}
 		}
 	}
@@ -132,6 +200,7 @@ func (d *DnsInterceptor) RemoveAllowedIPs() error {
 	var merr *multierror.Error
 	for _, prefixes := range d.interceptedDomains {
 		for _, prefix := range prefixes {
+			// AllowedIPs use real IPs
 			if _, err := d.allowedIPsRefcounter.Decrement(prefix); err != nil {
 				merr = multierror.Append(merr, fmt.Errorf("remove allowed IP %s: %v", prefix, err))
 			}
@@ -287,6 +356,8 @@ func (d *DnsInterceptor) writeMsg(w dns.ResponseWriter, r *dns.Msg) error {
 			if err := d.updateDomainPrefixes(resolvedDomain, originalDomain, newPrefixes); err != nil {
 				log.Errorf("failed to update domain prefixes: %v", err)
 			}
+
+			d.replaceIPsInDNSResponse(r, newPrefixes)
 		}
 	}
 
@@ -297,6 +368,22 @@ func (d *DnsInterceptor) writeMsg(w dns.ResponseWriter, r *dns.Msg) error {
 	return nil
 }
 
+// logPrefixChanges handles the logging for prefix changes
+func (d *DnsInterceptor) logPrefixChanges(resolvedDomain, originalDomain domain.Domain, toAdd, toRemove []netip.Prefix) {
+	if len(toAdd) > 0 {
+		log.Debugf("added dynamic route(s) for domain=%s (pattern: domain=%s): %s",
+			resolvedDomain.SafeString(),
+			originalDomain.SafeString(),
+			toAdd)
+	}
+	if len(toRemove) > 0 && !d.route.KeepRoute {
+		log.Debugf("removed dynamic route(s) for domain=%s (pattern: domain=%s): %s",
+			resolvedDomain.SafeString(),
+			originalDomain.SafeString(),
+			toRemove)
+	}
+}
+
 func (d *DnsInterceptor) updateDomainPrefixes(resolvedDomain, originalDomain domain.Domain, newPrefixes []netip.Prefix) error {
 	d.mu.Lock()
 	defer d.mu.Unlock()
@@ -305,70 +392,163 @@ func (d *DnsInterceptor) updateDomainPrefixes(resolvedDomain, originalDomain dom
 	toAdd, toRemove := determinePrefixChanges(oldPrefixes, newPrefixes)
 
 	var merr *multierror.Error
+	var dnatMappings map[netip.Addr]netip.Addr
+
+	// Handle DNAT mappings for new prefixes
+	if _, hasDNAT := d.internalDnatFw(); hasDNAT {
+		dnatMappings = make(map[netip.Addr]netip.Addr)
+		for _, prefix := range toAdd {
+			realIP := prefix.Addr()
+			if fakeIP, err := d.fakeIPManager.AllocateFakeIP(realIP); err == nil {
+				dnatMappings[fakeIP] = realIP
+				log.Tracef("allocated fake IP %s for real IP %s", fakeIP, realIP)
+			} else {
+				log.Errorf("Failed to allocate fake IP for %s: %v", realIP, err)
+			}
+		}
+	}
 
 	// Add new prefixes
 	for _, prefix := range toAdd {
-		if _, err := d.routeRefCounter.Increment(prefix, struct{}{}); err != nil {
+		if err := d.addRouteAndAllowedIP(prefix, resolvedDomain); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("add route for IP %s: %v", prefix, err))
+			merr = multierror.Append(merr, err)
-			continue
-		}
-
-		if d.currentPeerKey == "" {
-			continue
-		}
-		if ref, err := d.allowedIPsRefcounter.Increment(prefix, d.currentPeerKey); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("add allowed IP %s: %v", prefix, err))
-		} else if ref.Count > 1 && ref.Out != d.currentPeerKey {
-			log.Warnf("IP [%s] for domain [%s] is already routed by peer [%s]. HA routing disabled",
-				prefix.Addr(),
-				resolvedDomain.SafeString(),
-				ref.Out,
-			)
 		}
 	}
 
+	d.addDNATMappings(dnatMappings)
+
 	if !d.route.KeepRoute {
 		// Remove old prefixes
 		for _, prefix := range toRemove {
-			if _, err := d.routeRefCounter.Decrement(prefix); err != nil {
+			// Routes use fake IPs
-				merr = multierror.Append(merr, fmt.Errorf("remove route for IP %s: %v", prefix, err))
+			routePrefix := d.transformRealToFakePrefix(prefix)
+			if _, err := d.routeRefCounter.Decrement(routePrefix); err != nil {
+				merr = multierror.Append(merr, fmt.Errorf("remove route for IP %s: %v", routePrefix, err))
 			}
-			if d.currentPeerKey != "" {
+			// AllowedIPs use real IPs
-				if _, err := d.allowedIPsRefcounter.Decrement(prefix); err != nil {
+			if err := d.removeAllowedIP(prefix); err != nil {
-					merr = multierror.Append(merr, fmt.Errorf("remove allowed IP %s: %v", prefix, err))
+				merr = multierror.Append(merr, err)
-				}
 			}
 		}
+
+		d.removeDNATMappings(toRemove)
 	}
 
-	// Update domain prefixes using resolved domain as key
+	// Update domain prefixes using resolved domain as key - store real IPs
 	if len(toAdd) > 0 || len(toRemove) > 0 {
 		if d.route.KeepRoute {
-			// replace stored prefixes with old + added
 			// nolint:gocritic
 			newPrefixes = append(oldPrefixes, toAdd...)
 		}
 		d.interceptedDomains[resolvedDomain] = newPrefixes
 		originalDomain = domain.Domain(strings.TrimSuffix(string(originalDomain), "."))
+
+		// Store real IPs for status (user-facing), not fake IPs
 		d.statusRecorder.UpdateResolvedDomainsStates(originalDomain, resolvedDomain, newPrefixes, d.route.GetResourceID())
 
-		if len(toAdd) > 0 {
+		d.logPrefixChanges(resolvedDomain, originalDomain, toAdd, toRemove)
-			log.Debugf("added dynamic route(s) for domain=%s (pattern: domain=%s): %s",
-				resolvedDomain.SafeString(),
-				originalDomain.SafeString(),
-				toAdd)
-		}
-		if len(toRemove) > 0 && !d.route.KeepRoute {
-			log.Debugf("removed dynamic route(s) for domain=%s (pattern: domain=%s): %s",
-				resolvedDomain.SafeString(),
-				originalDomain.SafeString(),
-				toRemove)
-		}
 	}
 
 	return nberrors.FormatErrorOrNil(merr)
 }
 
+// removeDNATMappings removes DNAT mappings from the firewall for real IP prefixes
+func (d *DnsInterceptor) removeDNATMappings(realPrefixes []netip.Prefix) {
+	if len(realPrefixes) == 0 {
+		return
+	}
+
+	dnatFirewall, ok := d.internalDnatFw()
+	if !ok {
+		return
+	}
+
+	for _, prefix := range realPrefixes {
+		realIP := prefix.Addr()
+		if fakeIP, exists := d.fakeIPManager.GetFakeIP(realIP); exists {
+			if err := dnatFirewall.RemoveInternalDNATMapping(fakeIP); err != nil {
+				log.Errorf("Failed to remove DNAT mapping for %s: %v", fakeIP, err)
+			} else {
+				log.Debugf("Removed DNAT mapping for: %s -> %s", fakeIP, realIP)
+			}
+		}
+	}
+}
+
+// internalDnatFw checks if the firewall supports internal DNAT
+func (d *DnsInterceptor) internalDnatFw() (internalDNATer, bool) {
+	if d.firewall == nil || runtime.GOOS != "android" {
+		return nil, false
+	}
+	fw, ok := d.firewall.(internalDNATer)
+	return fw, ok
+}
+
+// addDNATMappings adds DNAT mappings to the firewall
+func (d *DnsInterceptor) addDNATMappings(mappings map[netip.Addr]netip.Addr) {
+	if len(mappings) == 0 {
+		return
+	}
+
+	dnatFirewall, ok := d.internalDnatFw()
+	if !ok {
+		return
+	}
+
+	for fakeIP, realIP := range mappings {
+		if err := dnatFirewall.AddInternalDNATMapping(fakeIP, realIP); err != nil {
+			log.Errorf("Failed to add DNAT mapping %s -> %s: %v", fakeIP, realIP, err)
+		} else {
+			log.Debugf("Added DNAT mapping: %s -> %s", fakeIP, realIP)
+		}
+	}
+}
+
+// cleanupDNATMappings removes all DNAT mappings for this interceptor
+func (d *DnsInterceptor) cleanupDNATMappings() {
+	if _, ok := d.internalDnatFw(); !ok {
+		return
+	}
+
+	for _, prefixes := range d.interceptedDomains {
+		d.removeDNATMappings(prefixes)
+	}
+}
+
+// replaceIPsInDNSResponse replaces real IPs with fake IPs in the DNS response
+func (d *DnsInterceptor) replaceIPsInDNSResponse(reply *dns.Msg, realPrefixes []netip.Prefix) {
+	if _, ok := d.internalDnatFw(); !ok {
+		return
+	}
+
+	// Replace A and AAAA records with fake IPs
+	for _, answer := range reply.Answer {
+		switch rr := answer.(type) {
+		case *dns.A:
+			realIP, ok := netip.AddrFromSlice(rr.A)
+			if !ok {
+				continue
+			}
+
+			if fakeIP, exists := d.fakeIPManager.GetFakeIP(realIP); exists {
+				rr.A = fakeIP.AsSlice()
+				log.Tracef("Replaced real IP %s with fake IP %s in DNS response", realIP, fakeIP)
+			}
+
+		case *dns.AAAA:
+			realIP, ok := netip.AddrFromSlice(rr.AAAA)
+			if !ok {
+				continue
+			}
+
+			if fakeIP, exists := d.fakeIPManager.GetFakeIP(realIP); exists {
+				rr.AAAA = fakeIP.AsSlice()
+				log.Tracef("Replaced real IP %s with fake IP %s in DNS response", realIP, fakeIP)
+			}
+		}
+	}
+}
+
 func determinePrefixChanges(oldPrefixes, newPrefixes []netip.Prefix) (toAdd, toRemove []netip.Prefix) {
 	prefixSet := make(map[netip.Prefix]bool)
 	for _, prefix := range oldPrefixes {

client/internal/routemanager/dynamic/route.go

@@ -14,6 +14,7 @@ import (
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/routemanager/common"
 	"github.com/netbirdio/netbird/client/internal/routemanager/iface"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
 	"github.com/netbirdio/netbird/client/internal/routemanager/util"
@@ -52,24 +53,16 @@ type Route struct {
 	resolverAddr         string
 }
 
-func NewRoute(
+func NewRoute(params common.HandlerParams, resolverAddr string) *Route {
-	rt *route.Route,
-	routeRefCounter *refcounter.RouteRefCounter,
-	allowedIPsRefCounter *refcounter.AllowedIPsRefCounter,
-	interval time.Duration,
-	statusRecorder *peer.Status,
-	wgInterface iface.WGIface,
-	resolverAddr string,
-) *Route {
 	return &Route{
-		route:                rt,
+		route:                params.Route,
-		routeRefCounter:      routeRefCounter,
+		routeRefCounter:      params.RouteRefCounter,
-		allowedIPsRefcounter: allowedIPsRefCounter,
+		allowedIPsRefcounter: params.AllowedIPsRefCounter,
-		interval:             interval,
+		interval:             params.DnsRouterInterval,
-		dynamicDomains:       domainMap{},
+		statusRecorder:       params.StatusRecorder,
-		statusRecorder:       statusRecorder,
+		wgInterface:          params.WgInterface,
-		wgInterface:          wgInterface,
 		resolverAddr:         resolverAddr,
+		dynamicDomains:       domainMap{},
 	}
 }
 

client/internal/routemanager/fakeip/fakeip.go

@@ -0,0 +1,93 @@
+package fakeip
+
+import (
+	"fmt"
+	"net/netip"
+	"sync"
+)
+
+// Manager manages allocation of fake IPs from the 240.0.0.0/8 block
+type Manager struct {
+	mu         sync.Mutex
+	nextIP     netip.Addr                // Next IP to allocate
+	allocated  map[netip.Addr]netip.Addr // real IP -> fake IP
+	fakeToReal map[netip.Addr]netip.Addr // fake IP -> real IP
+	baseIP     netip.Addr                // First usable IP: 240.0.0.1
+	maxIP      netip.Addr                // Last usable IP: 240.255.255.254
+}
+
+// NewManager creates a new fake IP manager using 240.0.0.0/8 block
+func NewManager() *Manager {
+	baseIP := netip.AddrFrom4([4]byte{240, 0, 0, 1})
+	maxIP := netip.AddrFrom4([4]byte{240, 255, 255, 254})
+
+	return &Manager{
+		nextIP:     baseIP,
+		allocated:  make(map[netip.Addr]netip.Addr),
+		fakeToReal: make(map[netip.Addr]netip.Addr),
+		baseIP:     baseIP,
+		maxIP:      maxIP,
+	}
+}
+
+// AllocateFakeIP allocates a fake IP for the given real IP
+// Returns the fake IP, or existing fake IP if already allocated
+func (m *Manager) AllocateFakeIP(realIP netip.Addr) (netip.Addr, error) {
+	if !realIP.Is4() {
+		return netip.Addr{}, fmt.Errorf("only IPv4 addresses supported")
+	}
+
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	if fakeIP, exists := m.allocated[realIP]; exists {
+		return fakeIP, nil
+	}
+
+	startIP := m.nextIP
+	for {
+		currentIP := m.nextIP
+
+		// Advance to next IP, wrapping at boundary
+		if m.nextIP.Compare(m.maxIP) >= 0 {
+			m.nextIP = m.baseIP
+		} else {
+			m.nextIP = m.nextIP.Next()
+		}
+
+		// Check if current IP is available
+		if _, inUse := m.fakeToReal[currentIP]; !inUse {
+			m.allocated[realIP] = currentIP
+			m.fakeToReal[currentIP] = realIP
+			return currentIP, nil
+		}
+
+		// Prevent infinite loop if all IPs exhausted
+		if m.nextIP.Compare(startIP) == 0 {
+			return netip.Addr{}, fmt.Errorf("no more fake IPs available in 240.0.0.0/8 block")
+		}
+	}
+}
+
+// GetFakeIP returns the fake IP for a real IP if it exists
+func (m *Manager) GetFakeIP(realIP netip.Addr) (netip.Addr, bool) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	fakeIP, exists := m.allocated[realIP]
+	return fakeIP, exists
+}
+
+// GetRealIP returns the real IP for a fake IP if it exists, otherwise false
+func (m *Manager) GetRealIP(fakeIP netip.Addr) (netip.Addr, bool) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	realIP, exists := m.fakeToReal[fakeIP]
+	return realIP, exists
+}
+
+// GetFakeIPBlock returns the fake IP block used by this manager
+func (m *Manager) GetFakeIPBlock() netip.Prefix {
+	return netip.MustParsePrefix("240.0.0.0/8")
+}

client/internal/routemanager/fakeip/fakeip_test.go

@@ -0,0 +1,240 @@
+package fakeip
+
+import (
+	"net/netip"
+	"sync"
+	"testing"
+)
+
+func TestNewManager(t *testing.T) {
+	manager := NewManager()
+
+	if manager.baseIP.String() != "240.0.0.1" {
+		t.Errorf("Expected base IP 240.0.0.1, got %s", manager.baseIP.String())
+	}
+
+	if manager.maxIP.String() != "240.255.255.254" {
+		t.Errorf("Expected max IP 240.255.255.254, got %s", manager.maxIP.String())
+	}
+
+	if manager.nextIP.Compare(manager.baseIP) != 0 {
+		t.Errorf("Expected nextIP to start at baseIP")
+	}
+}
+
+func TestAllocateFakeIP(t *testing.T) {
+	manager := NewManager()
+	realIP := netip.MustParseAddr("8.8.8.8")
+
+	fakeIP, err := manager.AllocateFakeIP(realIP)
+	if err != nil {
+		t.Fatalf("Failed to allocate fake IP: %v", err)
+	}
+
+	if !fakeIP.Is4() {
+		t.Error("Fake IP should be IPv4")
+	}
+
+	// Check it's in the correct range
+	if fakeIP.As4()[0] != 240 {
+		t.Errorf("Fake IP should be in 240.0.0.0/8 range, got %s", fakeIP.String())
+	}
+
+	// Should return same fake IP for same real IP
+	fakeIP2, err := manager.AllocateFakeIP(realIP)
+	if err != nil {
+		t.Fatalf("Failed to get existing fake IP: %v", err)
+	}
+
+	if fakeIP.Compare(fakeIP2) != 0 {
+		t.Errorf("Expected same fake IP for same real IP, got %s and %s", fakeIP.String(), fakeIP2.String())
+	}
+}
+
+func TestAllocateFakeIPIPv6Rejection(t *testing.T) {
+	manager := NewManager()
+	realIPv6 := netip.MustParseAddr("2001:db8::1")
+
+	_, err := manager.AllocateFakeIP(realIPv6)
+	if err == nil {
+		t.Error("Expected error for IPv6 address")
+	}
+}
+
+func TestGetFakeIP(t *testing.T) {
+	manager := NewManager()
+	realIP := netip.MustParseAddr("1.1.1.1")
+
+	// Should not exist initially
+	_, exists := manager.GetFakeIP(realIP)
+	if exists {
+		t.Error("Fake IP should not exist before allocation")
+	}
+
+	// Allocate and check
+	expectedFakeIP, err := manager.AllocateFakeIP(realIP)
+	if err != nil {
+		t.Fatalf("Failed to allocate: %v", err)
+	}
+
+	fakeIP, exists := manager.GetFakeIP(realIP)
+	if !exists {
+		t.Error("Fake IP should exist after allocation")
+	}
+
+	if fakeIP.Compare(expectedFakeIP) != 0 {
+		t.Errorf("Expected %s, got %s", expectedFakeIP.String(), fakeIP.String())
+	}
+}
+
+func TestMultipleAllocations(t *testing.T) {
+	manager := NewManager()
+
+	allocations := make(map[netip.Addr]netip.Addr)
+
+	// Allocate multiple IPs
+	for i := 1; i <= 100; i++ {
+		realIP := netip.AddrFrom4([4]byte{10, 0, byte(i / 256), byte(i % 256)})
+		fakeIP, err := manager.AllocateFakeIP(realIP)
+		if err != nil {
+			t.Fatalf("Failed to allocate fake IP for %s: %v", realIP.String(), err)
+		}
+
+		// Check for duplicates
+		for _, existingFake := range allocations {
+			if fakeIP.Compare(existingFake) == 0 {
+				t.Errorf("Duplicate fake IP allocated: %s", fakeIP.String())
+			}
+		}
+
+		allocations[realIP] = fakeIP
+	}
+
+	// Verify all allocations can be retrieved
+	for realIP, expectedFake := range allocations {
+		actualFake, exists := manager.GetFakeIP(realIP)
+		if !exists {
+			t.Errorf("Missing allocation for %s", realIP.String())
+		}
+		if actualFake.Compare(expectedFake) != 0 {
+			t.Errorf("Mismatch for %s: expected %s, got %s", realIP.String(), expectedFake.String(), actualFake.String())
+		}
+	}
+}
+
+func TestGetFakeIPBlock(t *testing.T) {
+	manager := NewManager()
+	block := manager.GetFakeIPBlock()
+
+	expected := "240.0.0.0/8"
+	if block.String() != expected {
+		t.Errorf("Expected %s, got %s", expected, block.String())
+	}
+}
+
+func TestConcurrentAccess(t *testing.T) {
+	manager := NewManager()
+
+	const numGoroutines = 50
+	const allocationsPerGoroutine = 10
+
+	var wg sync.WaitGroup
+	results := make(chan netip.Addr, numGoroutines*allocationsPerGoroutine)
+
+	// Concurrent allocations
+	for i := 0; i < numGoroutines; i++ {
+		wg.Add(1)
+		go func(goroutineID int) {
+			defer wg.Done()
+			for j := 0; j < allocationsPerGoroutine; j++ {
+				realIP := netip.AddrFrom4([4]byte{192, 168, byte(goroutineID), byte(j)})
+				fakeIP, err := manager.AllocateFakeIP(realIP)
+				if err != nil {
+					t.Errorf("Failed to allocate in goroutine %d: %v", goroutineID, err)
+					return
+				}
+				results <- fakeIP
+			}
+		}(i)
+	}
+
+	wg.Wait()
+	close(results)
+
+	// Check for duplicates
+	seen := make(map[netip.Addr]bool)
+	count := 0
+	for fakeIP := range results {
+		if seen[fakeIP] {
+			t.Errorf("Duplicate fake IP in concurrent test: %s", fakeIP.String())
+		}
+		seen[fakeIP] = true
+		count++
+	}
+
+	if count != numGoroutines*allocationsPerGoroutine {
+		t.Errorf("Expected %d allocations, got %d", numGoroutines*allocationsPerGoroutine, count)
+	}
+}
+
+func TestIPExhaustion(t *testing.T) {
+	// Create a manager with limited range for testing
+	manager := &Manager{
+		nextIP:     netip.AddrFrom4([4]byte{240, 0, 0, 1}),
+		allocated:  make(map[netip.Addr]netip.Addr),
+		fakeToReal: make(map[netip.Addr]netip.Addr),
+		baseIP:     netip.AddrFrom4([4]byte{240, 0, 0, 1}),
+		maxIP:      netip.AddrFrom4([4]byte{240, 0, 0, 3}), // Only 3 IPs available
+	}
+
+	// Allocate all available IPs
+	realIPs := []netip.Addr{
+		netip.MustParseAddr("1.0.0.1"),
+		netip.MustParseAddr("1.0.0.2"),
+		netip.MustParseAddr("1.0.0.3"),
+	}
+
+	for _, realIP := range realIPs {
+		_, err := manager.AllocateFakeIP(realIP)
+		if err != nil {
+			t.Fatalf("Failed to allocate fake IP: %v", err)
+		}
+	}
+
+	// Try to allocate one more - should fail
+	_, err := manager.AllocateFakeIP(netip.MustParseAddr("1.0.0.4"))
+	if err == nil {
+		t.Error("Expected exhaustion error")
+	}
+}
+
+func TestWrapAround(t *testing.T) {
+	// Create manager starting near the end of range
+	manager := &Manager{
+		nextIP:     netip.AddrFrom4([4]byte{240, 0, 0, 254}),
+		allocated:  make(map[netip.Addr]netip.Addr),
+		fakeToReal: make(map[netip.Addr]netip.Addr),
+		baseIP:     netip.AddrFrom4([4]byte{240, 0, 0, 1}),
+		maxIP:      netip.AddrFrom4([4]byte{240, 0, 0, 254}),
+	}
+
+	// Allocate the last IP
+	fakeIP1, err := manager.AllocateFakeIP(netip.MustParseAddr("1.0.0.1"))
+	if err != nil {
+		t.Fatalf("Failed to allocate first IP: %v", err)
+	}
+
+	if fakeIP1.String() != "240.0.0.254" {
+		t.Errorf("Expected 240.0.0.254, got %s", fakeIP1.String())
+	}
+
+	// Next allocation should wrap around to the beginning
+	fakeIP2, err := manager.AllocateFakeIP(netip.MustParseAddr("1.0.0.2"))
+	if err != nil {
+		t.Fatalf("Failed to allocate second IP: %v", err)
+	}
+
+	if fakeIP2.String() != "240.0.0.1" {
+		t.Errorf("Expected 240.0.0.1 after wrap, got %s", fakeIP2.String())
+	}
+}

client/internal/routemanager/manager.go

@@ -8,9 +8,11 @@ import (
 	"net/netip"
 	"net/url"
 	"runtime"
+	"slices"
 	"sync"
 	"time"
 
+	"github.com/google/uuid"
 	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/exp/maps"
@@ -24,6 +26,8 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/peerstore"
 	"github.com/netbirdio/netbird/client/internal/routemanager/client"
+	"github.com/netbirdio/netbird/client/internal/routemanager/common"
+	"github.com/netbirdio/netbird/client/internal/routemanager/fakeip"
 	"github.com/netbirdio/netbird/client/internal/routemanager/iface"
 	"github.com/netbirdio/netbird/client/internal/routemanager/notifier"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
@@ -49,7 +53,7 @@ type Manager interface {
 	GetClientRoutesWithNetID() map[route.NetID][]*route.Route
 	SetRouteChangeListener(listener listener.NetworkChangeListener)
 	InitialRouteRange() []string
-	EnableServerRouter(firewall firewall.Manager) error
+	SetFirewall(firewall.Manager) error
 	Stop(stateManager *statemanager.Manager)
 }
 
@@ -63,6 +67,7 @@ type ManagerConfig struct {
 	InitialRoutes       []*route.Route
 	StateManager        *statemanager.Manager
 	DNSServer           dns.Server
+	DNSFeatureFlag      bool
 	PeerStore           *peerstore.Store
 	DisableClientRoutes bool
 	DisableServerRoutes bool
@@ -89,11 +94,13 @@ type DefaultManager struct {
 	// clientRoutes is the most recent list of clientRoutes received from the Management Service
 	clientRoutes        route.HAMap
 	dnsServer           dns.Server
+	firewall            firewall.Manager
 	peerStore           *peerstore.Store
 	useNewDNSRoute      bool
 	disableClientRoutes bool
 	disableServerRoutes bool
 	activeRoutes        map[route.HAUniqueID]client.RouteHandler
+	fakeIPManager       *fakeip.Manager
 }
 
 func NewManager(config ManagerConfig) *DefaultManager {
@@ -129,11 +136,31 @@ func NewManager(config ManagerConfig) *DefaultManager {
 	}
 
 	if runtime.GOOS == "android" {
-		cr := dm.initialClientRoutes(config.InitialRoutes)
+		dm.setupAndroidRoutes(config)
-		dm.notifier.SetInitialClientRoutes(cr)
 	}
 	return dm
 }
+func (m *DefaultManager) setupAndroidRoutes(config ManagerConfig) {
+	cr := m.initialClientRoutes(config.InitialRoutes)
+
+	routesForComparison := slices.Clone(cr)
+
+	if config.DNSFeatureFlag {
+		m.fakeIPManager = fakeip.NewManager()
+
+		id := uuid.NewString()
+		fakeIPRoute := &route.Route{
+			ID:          route.ID(id),
+			Network:     m.fakeIPManager.GetFakeIPBlock(),
+			NetID:       route.NetID(id),
+			Peer:        m.pubKey,
+			NetworkType: route.IPv4Network,
+		}
+		cr = append(cr, fakeIPRoute)
+	}
+
+	m.notifier.SetInitialClientRoutes(cr, routesForComparison)
+}
 
 func (m *DefaultManager) setupRefCounters(useNoop bool) {
 	m.routeRefCounter = refcounter.New(
@@ -222,16 +249,16 @@ func (m *DefaultManager) initSelector() *routeselector.RouteSelector {
 	return routeselector.NewRouteSelector()
 }
 
-func (m *DefaultManager) EnableServerRouter(firewall firewall.Manager) error {
+// SetFirewall sets the firewall manager for the DefaultManager
-	if m.disableServerRoutes {
+// Not thread-safe, should be called before starting the manager
+func (m *DefaultManager) SetFirewall(firewall firewall.Manager) error {
+	m.firewall = firewall
+
+	if m.disableServerRoutes || firewall == nil {
 		log.Info("server routes are disabled")
 		return nil
 	}
 
-	if firewall == nil {
-		return errors.New("firewall manager is not set")
-	}
-
 	var err error
 	m.serverRouter, err = server.NewRouter(m.ctx, m.wgInterface, firewall, m.statusRecorder)
 	if err != nil {
@@ -299,17 +326,20 @@ func (m *DefaultManager) updateSystemRoutes(newRoutes route.HAMap) error {
 	}
 
 	for id, route := range toAdd {
-		handler := client.HandlerFromRoute(
+		params := common.HandlerParams{
-			route,
+			Route:                route,
-			m.routeRefCounter,
+			RouteRefCounter:      m.routeRefCounter,
-			m.allowedIPsRefCounter,
+			AllowedIPsRefCounter: m.allowedIPsRefCounter,
-			m.dnsRouteInterval,
+			DnsRouterInterval:    m.dnsRouteInterval,
-			m.statusRecorder,
+			StatusRecorder:       m.statusRecorder,
-			m.wgInterface,
+			WgInterface:          m.wgInterface,
-			m.dnsServer,
+			DnsServer:            m.dnsServer,
-			m.peerStore,
+			PeerStore:            m.peerStore,
-			m.useNewDNSRoute,
+			UseNewDNSRoute:       m.useNewDNSRoute,
-		)
+			Firewall:             m.firewall,
+			FakeIPManager:        m.fakeIPManager,
+		}
+		handler := client.HandlerFromRoute(params)
 		if err := handler.AddRoute(m.ctx); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("add route %s: %w", handler.String(), err))
 			continue
@@ -517,6 +547,7 @@ func (m *DefaultManager) initialClientRoutes(initialRoutes []*route.Route) []*ro
 	for _, routes := range crMap {
 		rs = append(rs, routes...)
 	}
+
 	return rs
 }
 

client/internal/routemanager/mock.go

@@ -87,7 +87,7 @@ func (m *MockManager) SetRouteChangeListener(listener listener.NetworkChangeList
 
 }
 
-func (m *MockManager) EnableServerRouter(firewall firewall.Manager) error {
+func (m *MockManager) SetFirewall(firewall.Manager) error {
 	panic("implement me")
 }
 

client/internal/routemanager/notifier/notifier.go

@@ -1,124 +0,0 @@
-package notifier
-
-import (
-	"net/netip"
-	"runtime"
-	"sort"
-	"strings"
-	"sync"
-
-	"github.com/netbirdio/netbird/client/internal/listener"
-	"github.com/netbirdio/netbird/route"
-)
-
-type Notifier struct {
-	initialRouteRanges []string
-	routeRanges        []string
-
-	listener    listener.NetworkChangeListener
-	listenerMux sync.Mutex
-}
-
-func NewNotifier() *Notifier {
-	return &Notifier{}
-}
-
-func (n *Notifier) SetListener(listener listener.NetworkChangeListener) {
-	n.listenerMux.Lock()
-	defer n.listenerMux.Unlock()
-	n.listener = listener
-}
-
-func (n *Notifier) SetInitialClientRoutes(clientRoutes []*route.Route) {
-	nets := make([]string, 0)
-	for _, r := range clientRoutes {
-		if r.IsDynamic() {
-			continue
-		}
-		nets = append(nets, r.Network.String())
-	}
-	sort.Strings(nets)
-	n.initialRouteRanges = nets
-}
-
-func (n *Notifier) OnNewRoutes(idMap route.HAMap) {
-	if runtime.GOOS != "android" {
-		return
-	}
-
-	var newNets []string
-	for _, routes := range idMap {
-		for _, r := range routes {
-			if r.IsDynamic() {
-				continue
-			}
-			newNets = append(newNets, r.Network.String())
-		}
-	}
-
-	sort.Strings(newNets)
-	if !n.hasDiff(n.initialRouteRanges, newNets) {
-		return
-	}
-
-	n.routeRanges = newNets
-	n.notify()
-}
-
-// OnNewPrefixes is called from iOS only
-func (n *Notifier) OnNewPrefixes(prefixes []netip.Prefix) {
-	newNets := make([]string, 0)
-	for _, prefix := range prefixes {
-		newNets = append(newNets, prefix.String())
-	}
-
-	sort.Strings(newNets)
-	if !n.hasDiff(n.routeRanges, newNets) {
-		return
-	}
-
-	n.routeRanges = newNets
-	n.notify()
-}
-
-func (n *Notifier) notify() {
-	n.listenerMux.Lock()
-	defer n.listenerMux.Unlock()
-	if n.listener == nil {
-		return
-	}
-
-	go func(l listener.NetworkChangeListener) {
-		l.OnNetworkChanged(strings.Join(addIPv6RangeIfNeeded(n.routeRanges), ","))
-	}(n.listener)
-}
-
-func (n *Notifier) hasDiff(a []string, b []string) bool {
-	if len(a) != len(b) {
-		return true
-	}
-	for i, v := range a {
-		if v != b[i] {
-			return true
-		}
-	}
-	return false
-}
-
-func (n *Notifier) GetInitialRouteRanges() []string {
-	return addIPv6RangeIfNeeded(n.initialRouteRanges)
-}
-
-// addIPv6RangeIfNeeded returns the input ranges with the default IPv6 range when there is an IPv4 default route.
-func addIPv6RangeIfNeeded(inputRanges []string) []string {
-	ranges := inputRanges
-	for _, r := range inputRanges {
-		// we are intentionally adding the ipv6 default range in case of ipv4 default range
-		// to ensure that all traffic is managed by the tunnel interface on android
-		if r == "0.0.0.0/0" {
-			ranges = append(ranges, "::/0")
-			break
-		}
-	}
-	return ranges
-}

client/internal/routemanager/notifier/notifier_android.go

@@ -0,0 +1,127 @@
+//go:build android
+
+package notifier
+
+import (
+	"net/netip"
+	"slices"
+	"sort"
+	"strings"
+	"sync"
+
+	"github.com/netbirdio/netbird/client/internal/listener"
+	"github.com/netbirdio/netbird/route"
+)
+
+type Notifier struct {
+	initialRoutes []*route.Route
+	currentRoutes []*route.Route
+
+	listener    listener.NetworkChangeListener
+	listenerMux sync.Mutex
+}
+
+func NewNotifier() *Notifier {
+	return &Notifier{}
+}
+
+func (n *Notifier) SetListener(listener listener.NetworkChangeListener) {
+	n.listenerMux.Lock()
+	defer n.listenerMux.Unlock()
+	n.listener = listener
+}
+
+func (n *Notifier) SetInitialClientRoutes(initialRoutes []*route.Route, routesForComparison []*route.Route) {
+	// initialRoutes contains fake IP block for interface configuration
+	filteredInitial := make([]*route.Route, 0)
+	for _, r := range initialRoutes {
+		if r.IsDynamic() {
+			continue
+		}
+		filteredInitial = append(filteredInitial, r)
+	}
+	n.initialRoutes = filteredInitial
+
+	// routesForComparison excludes fake IP block for comparison with new routes
+	filteredComparison := make([]*route.Route, 0)
+	for _, r := range routesForComparison {
+		if r.IsDynamic() {
+			continue
+		}
+		filteredComparison = append(filteredComparison, r)
+	}
+	n.currentRoutes = filteredComparison
+}
+
+func (n *Notifier) OnNewRoutes(idMap route.HAMap) {
+	var newRoutes []*route.Route
+	for _, routes := range idMap {
+		for _, r := range routes {
+			if r.IsDynamic() {
+				continue
+			}
+			newRoutes = append(newRoutes, r)
+		}
+	}
+
+	if !n.hasRouteDiff(n.currentRoutes, newRoutes) {
+		return
+	}
+
+	n.currentRoutes = newRoutes
+	n.notify()
+}
+
+func (n *Notifier) OnNewPrefixes([]netip.Prefix) {
+	// Not used on Android
+}
+
+func (n *Notifier) notify() {
+	n.listenerMux.Lock()
+	defer n.listenerMux.Unlock()
+	if n.listener == nil {
+		return
+	}
+
+	routeStrings := n.routesToStrings(n.currentRoutes)
+	sort.Strings(routeStrings)
+	go func(l listener.NetworkChangeListener) {
+		l.OnNetworkChanged(strings.Join(n.addIPv6RangeIfNeeded(routeStrings, n.currentRoutes), ","))
+	}(n.listener)
+}
+
+func (n *Notifier) routesToStrings(routes []*route.Route) []string {
+	nets := make([]string, 0, len(routes))
+	for _, r := range routes {
+		nets = append(nets, r.NetString())
+	}
+	return nets
+}
+
+func (n *Notifier) hasRouteDiff(a []*route.Route, b []*route.Route) bool {
+	slices.SortFunc(a, func(x, y *route.Route) int {
+		return strings.Compare(x.NetString(), y.NetString())
+	})
+	slices.SortFunc(b, func(x, y *route.Route) int {
+		return strings.Compare(x.NetString(), y.NetString())
+	})
+
+	return !slices.EqualFunc(a, b, func(x, y *route.Route) bool {
+		return x.NetString() == y.NetString()
+	})
+}
+
+func (n *Notifier) GetInitialRouteRanges() []string {
+	initialStrings := n.routesToStrings(n.initialRoutes)
+	sort.Strings(initialStrings)
+	return n.addIPv6RangeIfNeeded(initialStrings, n.initialRoutes)
+}
+
+func (n *Notifier) addIPv6RangeIfNeeded(inputRanges []string, routes []*route.Route) []string {
+	for _, r := range routes {
+		if r.Network.Addr().Is4() && r.Network.Bits() == 0 {
+			return append(slices.Clone(inputRanges), "::/0")
+		}
+	}
+	return inputRanges
+}

client/internal/routemanager/notifier/notifier_ios.go

@@ -0,0 +1,80 @@
+//go:build ios
+
+package notifier
+
+import (
+	"net/netip"
+	"slices"
+	"sort"
+	"strings"
+	"sync"
+
+	"github.com/netbirdio/netbird/client/internal/listener"
+	"github.com/netbirdio/netbird/route"
+)
+
+type Notifier struct {
+	currentPrefixes []string
+
+	listener    listener.NetworkChangeListener
+	listenerMux sync.Mutex
+}
+
+func NewNotifier() *Notifier {
+	return &Notifier{}
+}
+
+func (n *Notifier) SetListener(listener listener.NetworkChangeListener) {
+	n.listenerMux.Lock()
+	defer n.listenerMux.Unlock()
+	n.listener = listener
+}
+
+func (n *Notifier) SetInitialClientRoutes([]*route.Route, []*route.Route) {
+	// iOS doesn't care about initial routes
+}
+
+func (n *Notifier) OnNewRoutes(route.HAMap) {
+	// Not used on iOS
+}
+
+func (n *Notifier) OnNewPrefixes(prefixes []netip.Prefix) {
+	newNets := make([]string, 0)
+	for _, prefix := range prefixes {
+		newNets = append(newNets, prefix.String())
+	}
+
+	sort.Strings(newNets)
+
+	if slices.Equal(n.currentPrefixes, newNets) {
+		return
+	}
+
+	n.currentPrefixes = newNets
+	n.notify()
+}
+
+func (n *Notifier) notify() {
+	n.listenerMux.Lock()
+	defer n.listenerMux.Unlock()
+	if n.listener == nil {
+		return
+	}
+
+	go func(l listener.NetworkChangeListener) {
+		l.OnNetworkChanged(strings.Join(n.addIPv6RangeIfNeeded(n.currentPrefixes), ","))
+	}(n.listener)
+}
+
+func (n *Notifier) GetInitialRouteRanges() []string {
+	return nil
+}
+
+func (n *Notifier) addIPv6RangeIfNeeded(inputRanges []string) []string {
+	for _, r := range inputRanges {
+		if r == "0.0.0.0/0" {
+			return append(slices.Clone(inputRanges), "::/0")
+		}
+	}
+	return inputRanges
+}

client/internal/routemanager/notifier/notifier_other.go

@@ -0,0 +1,36 @@
+//go:build !android && !ios
+
+package notifier
+
+import (
+	"net/netip"
+
+	"github.com/netbirdio/netbird/client/internal/listener"
+	"github.com/netbirdio/netbird/route"
+)
+
+type Notifier struct{}
+
+func NewNotifier() *Notifier {
+	return &Notifier{}
+}
+
+func (n *Notifier) SetListener(listener listener.NetworkChangeListener) {
+	// Not used on non-mobile platforms
+}
+
+func (n *Notifier) SetInitialClientRoutes([]*route.Route, []*route.Route) {
+	// Not used on non-mobile platforms
+}
+
+func (n *Notifier) OnNewRoutes(idMap route.HAMap) {
+	// Not used on non-mobile platforms
+}
+
+func (n *Notifier) OnNewPrefixes(prefixes []netip.Prefix) {
+	// Not used on non-mobile platforms
+}
+
+func (n *Notifier) GetInitialRouteRanges() []string {
+	return []string{}
+}

client/internal/routemanager/static/route.go

@@ -6,6 +6,7 @@ import (
 
 	log "github.com/sirupsen/logrus"
 
+	"github.com/netbirdio/netbird/client/internal/routemanager/common"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
 	"github.com/netbirdio/netbird/route"
 )
@@ -16,11 +17,11 @@ type Route struct {
 	allowedIPsRefcounter *refcounter.AllowedIPsRefCounter
 }
 
-func NewRoute(rt *route.Route, routeRefCounter *refcounter.RouteRefCounter, allowedIPsRefCounter *refcounter.AllowedIPsRefCounter) *Route {
+func NewRoute(params common.HandlerParams) *Route {
 	return &Route{
-		route:                rt,
+		route:                params.Route,
-		routeRefCounter:      routeRefCounter,
+		routeRefCounter:      params.RouteRefCounter,
-		allowedIPsRefcounter: allowedIPsRefCounter,
+		allowedIPsRefcounter: params.AllowedIPsRefCounter,
 	}
 }
 

client/internal/routemanager/systemops/systemops.go

@@ -5,6 +5,7 @@ import (
 	"net"
 	"net/netip"
 	"sync"
+	"sync/atomic"
 
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/routemanager/notifier"
@@ -28,7 +29,10 @@ func (n Nexthop) String() string {
 	if n.Intf == nil {
 		return n.IP.String()
 	}
-	return fmt.Sprintf("%s @ %d (%s)", n.IP.String(), n.Intf.Index, n.Intf.Name)
+	if n.IP.IsValid() {
+		return fmt.Sprintf("%s @ %d (%s)", n.IP.String(), n.Intf.Index, n.Intf.Name)
+	}
+	return fmt.Sprintf("no-ip @ %d (%s)", n.Intf.Index, n.Intf.Name)
 }
 
 type wgIface interface {
@@ -49,6 +53,9 @@ type SysOps struct {
 	mu sync.Mutex
 	// notifier is used to notify the system of route changes (also used on mobile)
 	notifier *notifier.Notifier
+	// seq is an atomic counter for generating unique sequence numbers for route messages
+	//nolint:unused // only used on BSD systems
+	seq atomic.Uint32
 }
 
 func NewSysOps(wgInterface wgIface, notifier *notifier.Notifier) *SysOps {
@@ -58,6 +65,11 @@ func NewSysOps(wgInterface wgIface, notifier *notifier.Notifier) *SysOps {
 	}
 }
 
+//nolint:unused // only used on BSD systems
+func (r *SysOps) getSeq() int {
+	return int(r.seq.Add(1))
+}
+
 func (r *SysOps) validateRoute(prefix netip.Prefix) error {
 	addr := prefix.Addr()
 

client/internal/routemanager/systemops/systemops_unix.go

@@ -108,7 +108,7 @@ func (r *SysOps) buildRouteMessage(action int, prefix netip.Prefix, nexthop Next
 		Type:    action,
 		Flags:   unix.RTF_UP,
 		Version: unix.RTM_VERSION,
-		Seq:     1,
+		Seq:     r.getSeq(),
 	}
 
 	const numAddrs = unix.RTAX_NETMASK + 1

client/proto/daemon.proto

@@ -158,6 +158,7 @@ message UpResponse {}
 
 message StatusRequest{
   bool getFullPeerStatus = 1;
+  bool shouldRunProbes   = 2;
 }
 
 message StatusResponse{

client/proto/daemon_grpc.pb.go

@@ -1,4 +1,8 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.5.1
+// - protoc             v5.29.3
+// source: daemon.proto
 
 package proto
 
@@ -11,8 +15,31 @@ import (
 
 // This is a compile-time assertion to ensure that this generated file
 // is compatible with the grpc package it is being compiled against.
-// Requires gRPC-Go v1.32.0 or later.
+// Requires gRPC-Go v1.64.0 or later.
-const _ = grpc.SupportPackageIsVersion7
+const _ = grpc.SupportPackageIsVersion9
+
+const (
+	DaemonService_Login_FullMethodName                    = "/daemon.DaemonService/Login"
+	DaemonService_WaitSSOLogin_FullMethodName             = "/daemon.DaemonService/WaitSSOLogin"
+	DaemonService_Up_FullMethodName                       = "/daemon.DaemonService/Up"
+	DaemonService_Status_FullMethodName                   = "/daemon.DaemonService/Status"
+	DaemonService_Down_FullMethodName                     = "/daemon.DaemonService/Down"
+	DaemonService_GetConfig_FullMethodName                = "/daemon.DaemonService/GetConfig"
+	DaemonService_ListNetworks_FullMethodName             = "/daemon.DaemonService/ListNetworks"
+	DaemonService_SelectNetworks_FullMethodName           = "/daemon.DaemonService/SelectNetworks"
+	DaemonService_DeselectNetworks_FullMethodName         = "/daemon.DaemonService/DeselectNetworks"
+	DaemonService_ForwardingRules_FullMethodName          = "/daemon.DaemonService/ForwardingRules"
+	DaemonService_DebugBundle_FullMethodName              = "/daemon.DaemonService/DebugBundle"
+	DaemonService_GetLogLevel_FullMethodName              = "/daemon.DaemonService/GetLogLevel"
+	DaemonService_SetLogLevel_FullMethodName              = "/daemon.DaemonService/SetLogLevel"
+	DaemonService_ListStates_FullMethodName               = "/daemon.DaemonService/ListStates"
+	DaemonService_CleanState_FullMethodName               = "/daemon.DaemonService/CleanState"
+	DaemonService_DeleteState_FullMethodName              = "/daemon.DaemonService/DeleteState"
+	DaemonService_SetNetworkMapPersistence_FullMethodName = "/daemon.DaemonService/SetNetworkMapPersistence"
+	DaemonService_TracePacket_FullMethodName              = "/daemon.DaemonService/TracePacket"
+	DaemonService_SubscribeEvents_FullMethodName          = "/daemon.DaemonService/SubscribeEvents"
+	DaemonService_GetEvents_FullMethodName                = "/daemon.DaemonService/GetEvents"
+)
 
 // DaemonServiceClient is the client API for DaemonService service.
 //
@@ -53,7 +80,7 @@ type DaemonServiceClient interface {
 	// SetNetworkMapPersistence enables or disables network map persistence
 	SetNetworkMapPersistence(ctx context.Context, in *SetNetworkMapPersistenceRequest, opts ...grpc.CallOption) (*SetNetworkMapPersistenceResponse, error)
 	TracePacket(ctx context.Context, in *TracePacketRequest, opts ...grpc.CallOption) (*TracePacketResponse, error)
-	SubscribeEvents(ctx context.Context, in *SubscribeRequest, opts ...grpc.CallOption) (DaemonService_SubscribeEventsClient, error)
+	SubscribeEvents(ctx context.Context, in *SubscribeRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[SystemEvent], error)
 	GetEvents(ctx context.Context, in *GetEventsRequest, opts ...grpc.CallOption) (*GetEventsResponse, error)
 }
 
@@ -66,8 +93,9 @@ func NewDaemonServiceClient(cc grpc.ClientConnInterface) DaemonServiceClient {
 }
 
 func (c *daemonServiceClient) Login(ctx context.Context, in *LoginRequest, opts ...grpc.CallOption) (*LoginResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(LoginResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/Login", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_Login_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -75,8 +103,9 @@ func (c *daemonServiceClient) Login(ctx context.Context, in *LoginRequest, opts
 }
 
 func (c *daemonServiceClient) WaitSSOLogin(ctx context.Context, in *WaitSSOLoginRequest, opts ...grpc.CallOption) (*WaitSSOLoginResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(WaitSSOLoginResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/WaitSSOLogin", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_WaitSSOLogin_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -84,8 +113,9 @@ func (c *daemonServiceClient) WaitSSOLogin(ctx context.Context, in *WaitSSOLogin
 }
 
 func (c *daemonServiceClient) Up(ctx context.Context, in *UpRequest, opts ...grpc.CallOption) (*UpResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(UpResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/Up", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_Up_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -93,8 +123,9 @@ func (c *daemonServiceClient) Up(ctx context.Context, in *UpRequest, opts ...grp
 }
 
 func (c *daemonServiceClient) Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (*StatusResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(StatusResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/Status", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_Status_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -102,8 +133,9 @@ func (c *daemonServiceClient) Status(ctx context.Context, in *StatusRequest, opt
 }
 
 func (c *daemonServiceClient) Down(ctx context.Context, in *DownRequest, opts ...grpc.CallOption) (*DownResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(DownResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/Down", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_Down_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -111,8 +143,9 @@ func (c *daemonServiceClient) Down(ctx context.Context, in *DownRequest, opts ..
 }
 
 func (c *daemonServiceClient) GetConfig(ctx context.Context, in *GetConfigRequest, opts ...grpc.CallOption) (*GetConfigResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(GetConfigResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/GetConfig", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_GetConfig_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -120,8 +153,9 @@ func (c *daemonServiceClient) GetConfig(ctx context.Context, in *GetConfigReques
 }
 
 func (c *daemonServiceClient) ListNetworks(ctx context.Context, in *ListNetworksRequest, opts ...grpc.CallOption) (*ListNetworksResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(ListNetworksResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/ListNetworks", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_ListNetworks_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -129,8 +163,9 @@ func (c *daemonServiceClient) ListNetworks(ctx context.Context, in *ListNetworks
 }
 
 func (c *daemonServiceClient) SelectNetworks(ctx context.Context, in *SelectNetworksRequest, opts ...grpc.CallOption) (*SelectNetworksResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(SelectNetworksResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/SelectNetworks", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_SelectNetworks_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -138,8 +173,9 @@ func (c *daemonServiceClient) SelectNetworks(ctx context.Context, in *SelectNetw
 }
 
 func (c *daemonServiceClient) DeselectNetworks(ctx context.Context, in *SelectNetworksRequest, opts ...grpc.CallOption) (*SelectNetworksResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(SelectNetworksResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/DeselectNetworks", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_DeselectNetworks_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -147,8 +183,9 @@ func (c *daemonServiceClient) DeselectNetworks(ctx context.Context, in *SelectNe
 }
 
 func (c *daemonServiceClient) ForwardingRules(ctx context.Context, in *EmptyRequest, opts ...grpc.CallOption) (*ForwardingRulesResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(ForwardingRulesResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/ForwardingRules", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_ForwardingRules_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -156,8 +193,9 @@ func (c *daemonServiceClient) ForwardingRules(ctx context.Context, in *EmptyRequ
 }
 
 func (c *daemonServiceClient) DebugBundle(ctx context.Context, in *DebugBundleRequest, opts ...grpc.CallOption) (*DebugBundleResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(DebugBundleResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/DebugBundle", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_DebugBundle_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -165,8 +203,9 @@ func (c *daemonServiceClient) DebugBundle(ctx context.Context, in *DebugBundleRe
 }
 
 func (c *daemonServiceClient) GetLogLevel(ctx context.Context, in *GetLogLevelRequest, opts ...grpc.CallOption) (*GetLogLevelResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(GetLogLevelResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/GetLogLevel", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_GetLogLevel_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -174,8 +213,9 @@ func (c *daemonServiceClient) GetLogLevel(ctx context.Context, in *GetLogLevelRe
 }
 
 func (c *daemonServiceClient) SetLogLevel(ctx context.Context, in *SetLogLevelRequest, opts ...grpc.CallOption) (*SetLogLevelResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(SetLogLevelResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/SetLogLevel", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_SetLogLevel_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -183,8 +223,9 @@ func (c *daemonServiceClient) SetLogLevel(ctx context.Context, in *SetLogLevelRe
 }
 
 func (c *daemonServiceClient) ListStates(ctx context.Context, in *ListStatesRequest, opts ...grpc.CallOption) (*ListStatesResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(ListStatesResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/ListStates", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_ListStates_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -192,8 +233,9 @@ func (c *daemonServiceClient) ListStates(ctx context.Context, in *ListStatesRequ
 }
 
 func (c *daemonServiceClient) CleanState(ctx context.Context, in *CleanStateRequest, opts ...grpc.CallOption) (*CleanStateResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(CleanStateResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/CleanState", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_CleanState_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -201,8 +243,9 @@ func (c *daemonServiceClient) CleanState(ctx context.Context, in *CleanStateRequ
 }
 
 func (c *daemonServiceClient) DeleteState(ctx context.Context, in *DeleteStateRequest, opts ...grpc.CallOption) (*DeleteStateResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(DeleteStateResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/DeleteState", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_DeleteState_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -210,8 +253,9 @@ func (c *daemonServiceClient) DeleteState(ctx context.Context, in *DeleteStateRe
 }
 
 func (c *daemonServiceClient) SetNetworkMapPersistence(ctx context.Context, in *SetNetworkMapPersistenceRequest, opts ...grpc.CallOption) (*SetNetworkMapPersistenceResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(SetNetworkMapPersistenceResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/SetNetworkMapPersistence", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_SetNetworkMapPersistence_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -219,20 +263,22 @@ func (c *daemonServiceClient) SetNetworkMapPersistence(ctx context.Context, in *
 }
 
 func (c *daemonServiceClient) TracePacket(ctx context.Context, in *TracePacketRequest, opts ...grpc.CallOption) (*TracePacketResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(TracePacketResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/TracePacket", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_TracePacket_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }
 
-func (c *daemonServiceClient) SubscribeEvents(ctx context.Context, in *SubscribeRequest, opts ...grpc.CallOption) (DaemonService_SubscribeEventsClient, error) {
+func (c *daemonServiceClient) SubscribeEvents(ctx context.Context, in *SubscribeRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[SystemEvent], error) {
-	stream, err := c.cc.NewStream(ctx, &DaemonService_ServiceDesc.Streams[0], "/daemon.DaemonService/SubscribeEvents", opts...)
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	stream, err := c.cc.NewStream(ctx, &DaemonService_ServiceDesc.Streams[0], DaemonService_SubscribeEvents_FullMethodName, cOpts...)
 	if err != nil {
 		return nil, err
 	}
-	x := &daemonServiceSubscribeEventsClient{stream}
+	x := &grpc.GenericClientStream[SubscribeRequest, SystemEvent]{ClientStream: stream}
 	if err := x.ClientStream.SendMsg(in); err != nil {
 		return nil, err
 	}
@@ -242,26 +288,13 @@ func (c *daemonServiceClient) SubscribeEvents(ctx context.Context, in *Subscribe
 	return x, nil
 }
 
-type DaemonService_SubscribeEventsClient interface {
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
-	Recv() (*SystemEvent, error)
+type DaemonService_SubscribeEventsClient = grpc.ServerStreamingClient[SystemEvent]
-	grpc.ClientStream
-}
-
-type daemonServiceSubscribeEventsClient struct {
-	grpc.ClientStream
-}
-
-func (x *daemonServiceSubscribeEventsClient) Recv() (*SystemEvent, error) {
-	m := new(SystemEvent)
-	if err := x.ClientStream.RecvMsg(m); err != nil {
-		return nil, err
-	}
-	return m, nil
-}
 
 func (c *daemonServiceClient) GetEvents(ctx context.Context, in *GetEventsRequest, opts ...grpc.CallOption) (*GetEventsResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(GetEventsResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/GetEvents", in, out, opts...)
+	err := c.cc.Invoke(ctx, DaemonService_GetEvents_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -270,7 +303,7 @@ func (c *daemonServiceClient) GetEvents(ctx context.Context, in *GetEventsReques
 
 // DaemonServiceServer is the server API for DaemonService service.
 // All implementations must embed UnimplementedDaemonServiceServer
-// for forward compatibility
+// for forward compatibility.
 type DaemonServiceServer interface {
 	// Login uses setup key to prepare configuration for the daemon.
 	Login(context.Context, *LoginRequest) (*LoginResponse, error)
@@ -307,14 +340,17 @@ type DaemonServiceServer interface {
 	// SetNetworkMapPersistence enables or disables network map persistence
 	SetNetworkMapPersistence(context.Context, *SetNetworkMapPersistenceRequest) (*SetNetworkMapPersistenceResponse, error)
 	TracePacket(context.Context, *TracePacketRequest) (*TracePacketResponse, error)
-	SubscribeEvents(*SubscribeRequest, DaemonService_SubscribeEventsServer) error
+	SubscribeEvents(*SubscribeRequest, grpc.ServerStreamingServer[SystemEvent]) error
 	GetEvents(context.Context, *GetEventsRequest) (*GetEventsResponse, error)
 	mustEmbedUnimplementedDaemonServiceServer()
 }
 
-// UnimplementedDaemonServiceServer must be embedded to have forward compatible implementations.
+// UnimplementedDaemonServiceServer must be embedded to have
-type UnimplementedDaemonServiceServer struct {
+// forward compatible implementations.
-}
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedDaemonServiceServer struct{}
 
 func (UnimplementedDaemonServiceServer) Login(context.Context, *LoginRequest) (*LoginResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method Login not implemented")
@@ -370,13 +406,14 @@ func (UnimplementedDaemonServiceServer) SetNetworkMapPersistence(context.Context
 func (UnimplementedDaemonServiceServer) TracePacket(context.Context, *TracePacketRequest) (*TracePacketResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method TracePacket not implemented")
 }
-func (UnimplementedDaemonServiceServer) SubscribeEvents(*SubscribeRequest, DaemonService_SubscribeEventsServer) error {
+func (UnimplementedDaemonServiceServer) SubscribeEvents(*SubscribeRequest, grpc.ServerStreamingServer[SystemEvent]) error {
 	return status.Errorf(codes.Unimplemented, "method SubscribeEvents not implemented")
 }
 func (UnimplementedDaemonServiceServer) GetEvents(context.Context, *GetEventsRequest) (*GetEventsResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetEvents not implemented")
 }
 func (UnimplementedDaemonServiceServer) mustEmbedUnimplementedDaemonServiceServer() {}
+func (UnimplementedDaemonServiceServer) testEmbeddedByValue()                       {}
 
 // UnsafeDaemonServiceServer may be embedded to opt out of forward compatibility for this service.
 // Use of this interface is not recommended, as added methods to DaemonServiceServer will
@@ -386,6 +423,13 @@ type UnsafeDaemonServiceServer interface {
 }
 
 func RegisterDaemonServiceServer(s grpc.ServiceRegistrar, srv DaemonServiceServer) {
+	// If the following call pancis, it indicates UnimplementedDaemonServiceServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
 	s.RegisterService(&DaemonService_ServiceDesc, srv)
 }
 
@@ -399,7 +443,7 @@ func _DaemonService_Login_Handler(srv interface{}, ctx context.Context, dec func
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/Login",
+		FullMethod: DaemonService_Login_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).Login(ctx, req.(*LoginRequest))
@@ -417,7 +461,7 @@ func _DaemonService_WaitSSOLogin_Handler(srv interface{}, ctx context.Context, d
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/WaitSSOLogin",
+		FullMethod: DaemonService_WaitSSOLogin_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).WaitSSOLogin(ctx, req.(*WaitSSOLoginRequest))
@@ -435,7 +479,7 @@ func _DaemonService_Up_Handler(srv interface{}, ctx context.Context, dec func(in
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/Up",
+		FullMethod: DaemonService_Up_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).Up(ctx, req.(*UpRequest))
@@ -453,7 +497,7 @@ func _DaemonService_Status_Handler(srv interface{}, ctx context.Context, dec fun
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/Status",
+		FullMethod: DaemonService_Status_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).Status(ctx, req.(*StatusRequest))
@@ -471,7 +515,7 @@ func _DaemonService_Down_Handler(srv interface{}, ctx context.Context, dec func(
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/Down",
+		FullMethod: DaemonService_Down_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).Down(ctx, req.(*DownRequest))
@@ -489,7 +533,7 @@ func _DaemonService_GetConfig_Handler(srv interface{}, ctx context.Context, dec
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/GetConfig",
+		FullMethod: DaemonService_GetConfig_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).GetConfig(ctx, req.(*GetConfigRequest))
@@ -507,7 +551,7 @@ func _DaemonService_ListNetworks_Handler(srv interface{}, ctx context.Context, d
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/ListNetworks",
+		FullMethod: DaemonService_ListNetworks_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).ListNetworks(ctx, req.(*ListNetworksRequest))
@@ -525,7 +569,7 @@ func _DaemonService_SelectNetworks_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/SelectNetworks",
+		FullMethod: DaemonService_SelectNetworks_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).SelectNetworks(ctx, req.(*SelectNetworksRequest))
@@ -543,7 +587,7 @@ func _DaemonService_DeselectNetworks_Handler(srv interface{}, ctx context.Contex
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/DeselectNetworks",
+		FullMethod: DaemonService_DeselectNetworks_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).DeselectNetworks(ctx, req.(*SelectNetworksRequest))
@@ -561,7 +605,7 @@ func _DaemonService_ForwardingRules_Handler(srv interface{}, ctx context.Context
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/ForwardingRules",
+		FullMethod: DaemonService_ForwardingRules_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).ForwardingRules(ctx, req.(*EmptyRequest))
@@ -579,7 +623,7 @@ func _DaemonService_DebugBundle_Handler(srv interface{}, ctx context.Context, de
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/DebugBundle",
+		FullMethod: DaemonService_DebugBundle_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).DebugBundle(ctx, req.(*DebugBundleRequest))
@@ -597,7 +641,7 @@ func _DaemonService_GetLogLevel_Handler(srv interface{}, ctx context.Context, de
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/GetLogLevel",
+		FullMethod: DaemonService_GetLogLevel_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).GetLogLevel(ctx, req.(*GetLogLevelRequest))
@@ -615,7 +659,7 @@ func _DaemonService_SetLogLevel_Handler(srv interface{}, ctx context.Context, de
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/SetLogLevel",
+		FullMethod: DaemonService_SetLogLevel_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).SetLogLevel(ctx, req.(*SetLogLevelRequest))
@@ -633,7 +677,7 @@ func _DaemonService_ListStates_Handler(srv interface{}, ctx context.Context, dec
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/ListStates",
+		FullMethod: DaemonService_ListStates_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).ListStates(ctx, req.(*ListStatesRequest))
@@ -651,7 +695,7 @@ func _DaemonService_CleanState_Handler(srv interface{}, ctx context.Context, dec
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/CleanState",
+		FullMethod: DaemonService_CleanState_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).CleanState(ctx, req.(*CleanStateRequest))
@@ -669,7 +713,7 @@ func _DaemonService_DeleteState_Handler(srv interface{}, ctx context.Context, de
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/DeleteState",
+		FullMethod: DaemonService_DeleteState_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).DeleteState(ctx, req.(*DeleteStateRequest))
@@ -687,7 +731,7 @@ func _DaemonService_SetNetworkMapPersistence_Handler(srv interface{}, ctx contex
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/SetNetworkMapPersistence",
+		FullMethod: DaemonService_SetNetworkMapPersistence_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).SetNetworkMapPersistence(ctx, req.(*SetNetworkMapPersistenceRequest))
@@ -705,7 +749,7 @@ func _DaemonService_TracePacket_Handler(srv interface{}, ctx context.Context, de
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/TracePacket",
+		FullMethod: DaemonService_TracePacket_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).TracePacket(ctx, req.(*TracePacketRequest))
@@ -718,21 +762,11 @@ func _DaemonService_SubscribeEvents_Handler(srv interface{}, stream grpc.ServerS
 	if err := stream.RecvMsg(m); err != nil {
 		return err
 	}
-	return srv.(DaemonServiceServer).SubscribeEvents(m, &daemonServiceSubscribeEventsServer{stream})
+	return srv.(DaemonServiceServer).SubscribeEvents(m, &grpc.GenericServerStream[SubscribeRequest, SystemEvent]{ServerStream: stream})
 }
 
-type DaemonService_SubscribeEventsServer interface {
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
-	Send(*SystemEvent) error
+type DaemonService_SubscribeEventsServer = grpc.ServerStreamingServer[SystemEvent]
-	grpc.ServerStream
-}
-
-type daemonServiceSubscribeEventsServer struct {
-	grpc.ServerStream
-}
-
-func (x *daemonServiceSubscribeEventsServer) Send(m *SystemEvent) error {
-	return x.ServerStream.SendMsg(m)
-}
 
 func _DaemonService_GetEvents_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(GetEventsRequest)
@@ -744,7 +778,7 @@ func _DaemonService_GetEvents_Handler(srv interface{}, ctx context.Context, dec
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/GetEvents",
+		FullMethod: DaemonService_GetEvents_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).GetEvents(ctx, req.(*GetEventsRequest))

client/server/server.go

@@ -707,7 +707,9 @@ func (s *Server) Status(
 	s.statusRecorder.UpdateRosenpass(s.config.RosenpassEnabled, s.config.RosenpassPermissive)
 
 	if msg.GetFullPeerStatus {
-		s.runProbes()
+		if msg.ShouldRunProbes {
+			s.runProbes()
+		}
 
 		fullStatus := s.statusRecorder.GetFullStatus()
 		pbFullStatus := toProtoFullStatus(fullStatus)

client/server/server_test.go

@@ -206,7 +206,7 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 	settingsMockManager := settings.NewMockManager(ctrl)
 	permissionsManagerMock := permissions.NewMockManager(ctrl)
 
-	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock)
+	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
 	if err != nil {
 		return nil, "", err
 	}

client/ui/client_ui.go

@@ -879,7 +879,7 @@ func (s *serviceClient) onUpdateAvailable() {
 func (s *serviceClient) onSessionExpire() {
 	s.sendNotification = true
 	if s.sendNotification {
-		s.eventHandler.runSelfCommand(s.ctx, "login-url", "true")
+		go s.eventHandler.runSelfCommand(s.ctx, "login-url", "true")
 		s.sendNotification = false
 	}
 }

infrastructure_files/base.setup.env

@@ -15,6 +15,7 @@ NETBIRD_MGMT_API_CERT_KEY_FILE="/etc/letsencrypt/live/$NETBIRD_LETSENCRYPT_DOMAI
 NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN=$NETBIRD_DOMAIN
 NETBIRD_MGMT_DNS_DOMAIN=${NETBIRD_MGMT_DNS_DOMAIN:-netbird.selfhosted}
 NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=${NETBIRD_MGMT_IDP_SIGNKEY_REFRESH:-false}
+NETBIRD_MGMT_DISABLE_DEFAULT_POLICY=${NETBIRD_MGMT_DISABLE_DEFAULT_POLICY:-false}
 
 # Signal
 NETBIRD_SIGNAL_PROTOCOL="http"
@@ -60,7 +61,7 @@ NETBIRD_TOKEN_SOURCE=${NETBIRD_TOKEN_SOURCE:-accessToken}
 NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS=${NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS:-"53000"}
 NETBIRD_AUTH_PKCE_USE_ID_TOKEN=${NETBIRD_AUTH_PKCE_USE_ID_TOKEN:-false}
 NETBIRD_AUTH_PKCE_DISABLE_PROMPT_LOGIN=${NETBIRD_AUTH_PKCE_DISABLE_PROMPT_LOGIN:-false}
-NETBIRD_AUTH_PKCE_LOGIN_FLAG=${NETBIRD_AUTH_PKCE_LOGIN_FLAG:-1}
+NETBIRD_AUTH_PKCE_LOGIN_FLAG=${NETBIRD_AUTH_PKCE_LOGIN_FLAG:-0}
 NETBIRD_AUTH_PKCE_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
 
 # Dashboard
@@ -139,3 +140,4 @@ export NETBIRD_RELAY_PORT
 export NETBIRD_RELAY_ENDPOINT
 export NETBIRD_RELAY_AUTH_SECRET
 export NETBIRD_RELAY_TAG
+export NETBIRD_MGMT_DISABLE_DEFAULT_POLICY

infrastructure_files/getting-started-with-zitadel.sh

@@ -791,7 +791,6 @@ services:
       - '443:443'
       - '443:443/udp'
       - '80:80'
-      - '8080:8080'
     volumes:
       - netbird_caddy_data:/data
       - ./Caddyfile:/etc/caddy/Caddyfile

infrastructure_files/management.json.tmpl

@@ -38,6 +38,7 @@
              "0.0.0.0/0"
         ]
     },
+    "DisableDefaultPolicy": $NETBIRD_MGMT_DISABLE_DEFAULT_POLICY,
     "Datadir": "",
     "DataStoreEncryptionKey": "$NETBIRD_DATASTORE_ENC_KEY",
     "StoreConfig": {

infrastructure_files/setup.env.example

@@ -92,7 +92,8 @@ NETBIRD_LETSENCRYPT_EMAIL=""
 NETBIRD_DISABLE_ANONYMOUS_METRICS=false
 # DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
 NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted
-
+# Disable default all-to-all policy for new accounts
+NETBIRD_MGMT_DISABLE_DEFAULT_POLICY=false
 # -------------------------------------------
 # Relay settings
 # -------------------------------------------

infrastructure_files/tests/setup.env

@@ -29,3 +29,4 @@ NETBIRD_TURN_EXTERNAL_IP=1.2.3.4
 NETBIRD_RELAY_PORT=33445
 NETBIRD_AUTH_PKCE_DISABLE_PROMPT_LOGIN=true
 NETBIRD_AUTH_PKCE_LOGIN_FLAG=0
+NETBIRD_MGMT_DISABLE_DEFAULT_POLICY=$CI_NETBIRD_MGMT_DISABLE_DEFAULT_POLICY

management/client/client_test.go

@@ -100,7 +100,7 @@ func startManagement(t *testing.T) (*grpc.Server, net.Listener) {
 		Return(true, nil).
 		AnyTimes()
 
-	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock)
+	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
 	if err != nil {
 		t.Fatal(err)
 	}

management/client/rest/accounts.go

@@ -16,7 +16,7 @@ type AccountsAPI struct {
 // List list all accounts, only returns one account always
 // See more: https://docs.netbird.io/api/resources/accounts#list-all-accounts
 func (a *AccountsAPI) List(ctx context.Context) ([]api.Account, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/accounts", nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/accounts", nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -34,7 +34,7 @@ func (a *AccountsAPI) Update(ctx context.Context, accountID string, request api.
 	if err != nil {
 		return nil, err
 	}
-	resp, err := a.c.NewRequest(ctx, "PUT", "/api/accounts/"+accountID, bytes.NewReader(requestBytes))
+	resp, err := a.c.NewRequest(ctx, "PUT", "/api/accounts/"+accountID, bytes.NewReader(requestBytes), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -48,7 +48,7 @@ func (a *AccountsAPI) Update(ctx context.Context, accountID string, request api.
 // Delete delete account
 // See more: https://docs.netbird.io/api/resources/accounts#delete-an-account
 func (a *AccountsAPI) Delete(ctx context.Context, accountID string) error {
-	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/accounts/"+accountID, nil)
+	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/accounts/"+accountID, nil, nil)
 	if err != nil {
 		return err
 	}

management/client/rest/client.go

@@ -117,7 +117,7 @@ func (c *Client) initialize() {
 }
 
 // NewRequest creates and executes new management API request
-func (c *Client) NewRequest(ctx context.Context, method, path string, body io.Reader) (*http.Response, error) {
+func (c *Client) NewRequest(ctx context.Context, method, path string, body io.Reader, query map[string]string) (*http.Response, error) {
 	req, err := http.NewRequestWithContext(ctx, method, c.managementURL+path, body)
 	if err != nil {
 		return nil, err
@@ -129,6 +129,14 @@ func (c *Client) NewRequest(ctx context.Context, method, path string, body io.Re
 		req.Header.Add("Content-Type", "application/json")
 	}
 
+	if len(query) != 0 {
+		q := req.URL.Query()
+		for k, v := range query {
+			q.Add(k, v)
+		}
+		req.URL.RawQuery = q.Encode()
+	}
+
 	resp, err := c.httpClient.Do(req)
 	if err != nil {
 		return nil, err

management/client/rest/dns.go

@@ -16,7 +16,7 @@ type DNSAPI struct {
 // ListNameserverGroups list all nameserver groups
 // See more: https://docs.netbird.io/api/resources/dns#list-all-nameserver-groups
 func (a *DNSAPI) ListNameserverGroups(ctx context.Context) ([]api.NameserverGroup, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/dns/nameservers", nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/dns/nameservers", nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -30,7 +30,7 @@ func (a *DNSAPI) ListNameserverGroups(ctx context.Context) ([]api.NameserverGrou
 // GetNameserverGroup get nameserver group info
 // See more: https://docs.netbird.io/api/resources/dns#retrieve-a-nameserver-group
 func (a *DNSAPI) GetNameserverGroup(ctx context.Context, nameserverGroupID string) (*api.NameserverGroup, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/dns/nameservers/"+nameserverGroupID, nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/dns/nameservers/"+nameserverGroupID, nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -48,7 +48,7 @@ func (a *DNSAPI) CreateNameserverGroup(ctx context.Context, request api.PostApiD
 	if err != nil {
 		return nil, err
 	}
-	resp, err := a.c.NewRequest(ctx, "POST", "/api/dns/nameservers", bytes.NewReader(requestBytes))
+	resp, err := a.c.NewRequest(ctx, "POST", "/api/dns/nameservers", bytes.NewReader(requestBytes), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -66,7 +66,7 @@ func (a *DNSAPI) UpdateNameserverGroup(ctx context.Context, nameserverGroupID st
 	if err != nil {
 		return nil, err
 	}
-	resp, err := a.c.NewRequest(ctx, "PUT", "/api/dns/nameservers/"+nameserverGroupID, bytes.NewReader(requestBytes))
+	resp, err := a.c.NewRequest(ctx, "PUT", "/api/dns/nameservers/"+nameserverGroupID, bytes.NewReader(requestBytes), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -80,7 +80,7 @@ func (a *DNSAPI) UpdateNameserverGroup(ctx context.Context, nameserverGroupID st
 // DeleteNameserverGroup delete nameserver group
 // See more: https://docs.netbird.io/api/resources/dns#delete-a-nameserver-group
 func (a *DNSAPI) DeleteNameserverGroup(ctx context.Context, nameserverGroupID string) error {
-	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/dns/nameservers/"+nameserverGroupID, nil)
+	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/dns/nameservers/"+nameserverGroupID, nil, nil)
 	if err != nil {
 		return err
 	}
@@ -94,7 +94,7 @@ func (a *DNSAPI) DeleteNameserverGroup(ctx context.Context, nameserverGroupID st
 // GetSettings get DNS settings
 // See more: https://docs.netbird.io/api/resources/dns#retrieve-dns-settings
 func (a *DNSAPI) GetSettings(ctx context.Context) (*api.DNSSettings, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/dns/settings", nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/dns/settings", nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -112,7 +112,7 @@ func (a *DNSAPI) UpdateSettings(ctx context.Context, request api.PutApiDnsSettin
 	if err != nil {
 		return nil, err
 	}
-	resp, err := a.c.NewRequest(ctx, "PUT", "/api/dns/settings", bytes.NewReader(requestBytes))
+	resp, err := a.c.NewRequest(ctx, "PUT", "/api/dns/settings", bytes.NewReader(requestBytes), nil)
 	if err != nil {
 		return nil, err
 	}

management/client/rest/events.go

@@ -14,7 +14,7 @@ type EventsAPI struct {
 // List list all events
 // See more: https://docs.netbird.io/api/resources/events#list-all-events
 func (a *EventsAPI) List(ctx context.Context) ([]api.Event, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/events", nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/events", nil, nil)
 	if err != nil {
 		return nil, err
 	}

management/client/rest/geo.go

@@ -14,7 +14,7 @@ type GeoLocationAPI struct {
 // ListCountries list all country codes
 // See more: https://docs.netbird.io/api/resources/geo-locations#list-all-country-codes
 func (a *GeoLocationAPI) ListCountries(ctx context.Context) ([]api.Country, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/locations/countries", nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/locations/countries", nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -28,7 +28,7 @@ func (a *GeoLocationAPI) ListCountries(ctx context.Context) ([]api.Country, erro
 // ListCountryCities Get a list of all English city names for a given country code
 // See more: https://docs.netbird.io/api/resources/geo-locations#list-all-city-names-by-country
 func (a *GeoLocationAPI) ListCountryCities(ctx context.Context, countryCode string) ([]api.City, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/locations/countries/"+countryCode+"/cities", nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/locations/countries/"+countryCode+"/cities", nil, nil)
 	if err != nil {
 		return nil, err
 	}

management/client/rest/groups.go

@@ -16,7 +16,7 @@ type GroupsAPI struct {
 // List list all groups
 // See more: https://docs.netbird.io/api/resources/groups#list-all-groups
 func (a *GroupsAPI) List(ctx context.Context) ([]api.Group, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/groups", nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/groups", nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -30,7 +30,7 @@ func (a *GroupsAPI) List(ctx context.Context) ([]api.Group, error) {
 // Get get group info
 // See more: https://docs.netbird.io/api/resources/groups#retrieve-a-group
 func (a *GroupsAPI) Get(ctx context.Context, groupID string) (*api.Group, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/groups/"+groupID, nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/groups/"+groupID, nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -48,7 +48,7 @@ func (a *GroupsAPI) Create(ctx context.Context, request api.PostApiGroupsJSONReq
 	if err != nil {
 		return nil, err
 	}
-	resp, err := a.c.NewRequest(ctx, "POST", "/api/groups", bytes.NewReader(requestBytes))
+	resp, err := a.c.NewRequest(ctx, "POST", "/api/groups", bytes.NewReader(requestBytes), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -66,7 +66,7 @@ func (a *GroupsAPI) Update(ctx context.Context, groupID string, request api.PutA
 	if err != nil {
 		return nil, err
 	}
-	resp, err := a.c.NewRequest(ctx, "PUT", "/api/groups/"+groupID, bytes.NewReader(requestBytes))
+	resp, err := a.c.NewRequest(ctx, "PUT", "/api/groups/"+groupID, bytes.NewReader(requestBytes), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -80,7 +80,7 @@ func (a *GroupsAPI) Update(ctx context.Context, groupID string, request api.PutA
 // Delete delete group
 // See more: https://docs.netbird.io/api/resources/groups#delete-a-group
 func (a *GroupsAPI) Delete(ctx context.Context, groupID string) error {
-	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/groups/"+groupID, nil)
+	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/groups/"+groupID, nil, nil)
 	if err != nil {
 		return err
 	}

management/client/rest/networks.go

@@ -16,7 +16,7 @@ type NetworksAPI struct {
 // List list all networks
 // See more: https://docs.netbird.io/api/resources/networks#list-all-networks
 func (a *NetworksAPI) List(ctx context.Context) ([]api.Network, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/networks", nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/networks", nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -30,7 +30,7 @@ func (a *NetworksAPI) List(ctx context.Context) ([]api.Network, error) {
 // Get get network info
 // See more: https://docs.netbird.io/api/resources/networks#retrieve-a-network
 func (a *NetworksAPI) Get(ctx context.Context, networkID string) (*api.Network, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/networks/"+networkID, nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/networks/"+networkID, nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -48,7 +48,7 @@ func (a *NetworksAPI) Create(ctx context.Context, request api.PostApiNetworksJSO
 	if err != nil {
 		return nil, err
 	}
-	resp, err := a.c.NewRequest(ctx, "POST", "/api/networks", bytes.NewReader(requestBytes))
+	resp, err := a.c.NewRequest(ctx, "POST", "/api/networks", bytes.NewReader(requestBytes), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -66,7 +66,7 @@ func (a *NetworksAPI) Update(ctx context.Context, networkID string, request api.
 	if err != nil {
 		return nil, err
 	}
-	resp, err := a.c.NewRequest(ctx, "PUT", "/api/networks/"+networkID, bytes.NewReader(requestBytes))
+	resp, err := a.c.NewRequest(ctx, "PUT", "/api/networks/"+networkID, bytes.NewReader(requestBytes), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -80,7 +80,7 @@ func (a *NetworksAPI) Update(ctx context.Context, networkID string, request api.
 // Delete delete network
 // See more: https://docs.netbird.io/api/resources/networks#delete-a-network
 func (a *NetworksAPI) Delete(ctx context.Context, networkID string) error {
-	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/networks/"+networkID, nil)
+	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/networks/"+networkID, nil, nil)
 	if err != nil {
 		return err
 	}
@@ -108,7 +108,7 @@ func (a *NetworksAPI) Resources(networkID string) *NetworkResourcesAPI {
 // List list all resources in networks
 // See more: https://docs.netbird.io/api/resources/networks#list-all-network-resources
 func (a *NetworkResourcesAPI) List(ctx context.Context) ([]api.NetworkResource, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/networks/"+a.networkID+"/resources", nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/networks/"+a.networkID+"/resources", nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -122,7 +122,7 @@ func (a *NetworkResourcesAPI) List(ctx context.Context) ([]api.NetworkResource,
 // Get get network resource info
 // See more: https://docs.netbird.io/api/resources/networks#retrieve-a-network-resource
 func (a *NetworkResourcesAPI) Get(ctx context.Context, networkResourceID string) (*api.NetworkResource, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/networks/"+a.networkID+"/resources/"+networkResourceID, nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/networks/"+a.networkID+"/resources/"+networkResourceID, nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -140,7 +140,7 @@ func (a *NetworkResourcesAPI) Create(ctx context.Context, request api.PostApiNet
 	if err != nil {
 		return nil, err
 	}
-	resp, err := a.c.NewRequest(ctx, "POST", "/api/networks/"+a.networkID+"/resources", bytes.NewReader(requestBytes))
+	resp, err := a.c.NewRequest(ctx, "POST", "/api/networks/"+a.networkID+"/resources", bytes.NewReader(requestBytes), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -158,7 +158,7 @@ func (a *NetworkResourcesAPI) Update(ctx context.Context, networkResourceID stri
 	if err != nil {
 		return nil, err
 	}
-	resp, err := a.c.NewRequest(ctx, "PUT", "/api/networks/"+a.networkID+"/resources/"+networkResourceID, bytes.NewReader(requestBytes))
+	resp, err := a.c.NewRequest(ctx, "PUT", "/api/networks/"+a.networkID+"/resources/"+networkResourceID, bytes.NewReader(requestBytes), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -172,7 +172,7 @@ func (a *NetworkResourcesAPI) Update(ctx context.Context, networkResourceID stri
 // Delete delete network resource
 // See more: https://docs.netbird.io/api/resources/networks#delete-a-network-resource
 func (a *NetworkResourcesAPI) Delete(ctx context.Context, networkResourceID string) error {
-	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/networks/"+a.networkID+"/resources/"+networkResourceID, nil)
+	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/networks/"+a.networkID+"/resources/"+networkResourceID, nil, nil)
 	if err != nil {
 		return err
 	}
@@ -200,7 +200,7 @@ func (a *NetworksAPI) Routers(networkID string) *NetworkRoutersAPI {
 // List list all routers in networks
 // See more: https://docs.netbird.io/api/routers/networks#list-all-network-routers
 func (a *NetworkRoutersAPI) List(ctx context.Context) ([]api.NetworkRouter, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/networks/"+a.networkID+"/routers", nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/networks/"+a.networkID+"/routers", nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -214,7 +214,7 @@ func (a *NetworkRoutersAPI) List(ctx context.Context) ([]api.NetworkRouter, erro
 // Get get network router info
 // See more: https://docs.netbird.io/api/routers/networks#retrieve-a-network-router
 func (a *NetworkRoutersAPI) Get(ctx context.Context, networkRouterID string) (*api.NetworkRouter, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/networks/"+a.networkID+"/routers/"+networkRouterID, nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/networks/"+a.networkID+"/routers/"+networkRouterID, nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -232,7 +232,7 @@ func (a *NetworkRoutersAPI) Create(ctx context.Context, request api.PostApiNetwo
 	if err != nil {
 		return nil, err
 	}
-	resp, err := a.c.NewRequest(ctx, "POST", "/api/networks/"+a.networkID+"/routers", bytes.NewReader(requestBytes))
+	resp, err := a.c.NewRequest(ctx, "POST", "/api/networks/"+a.networkID+"/routers", bytes.NewReader(requestBytes), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -250,7 +250,7 @@ func (a *NetworkRoutersAPI) Update(ctx context.Context, networkRouterID string,
 	if err != nil {
 		return nil, err
 	}
-	resp, err := a.c.NewRequest(ctx, "PUT", "/api/networks/"+a.networkID+"/routers/"+networkRouterID, bytes.NewReader(requestBytes))
+	resp, err := a.c.NewRequest(ctx, "PUT", "/api/networks/"+a.networkID+"/routers/"+networkRouterID, bytes.NewReader(requestBytes), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -264,7 +264,7 @@ func (a *NetworkRoutersAPI) Update(ctx context.Context, networkRouterID string,
 // Delete delete network router
 // See more: https://docs.netbird.io/api/routers/networks#delete-a-network-router
 func (a *NetworkRoutersAPI) Delete(ctx context.Context, networkRouterID string) error {
-	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/networks/"+a.networkID+"/routers/"+networkRouterID, nil)
+	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/networks/"+a.networkID+"/routers/"+networkRouterID, nil, nil)
 	if err != nil {
 		return err
 	}

management/client/rest/peers.go

@@ -13,10 +13,30 @@ type PeersAPI struct {
 	c *Client
 }
 
+// PeersListOption options for Peers List API
+type PeersListOption func() (string, string)
+
+func PeerNameFilter(name string) PeersListOption {
+	return func() (string, string) {
+		return "name", name
+	}
+}
+
+func PeerIPFilter(ip string) PeersListOption {
+	return func() (string, string) {
+		return "ip", ip
+	}
+}
+
 // List list all peers
 // See more: https://docs.netbird.io/api/resources/peers#list-all-peers
-func (a *PeersAPI) List(ctx context.Context) ([]api.Peer, error) {
+func (a *PeersAPI) List(ctx context.Context, opts ...PeersListOption) ([]api.Peer, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/peers", nil)
+	query := make(map[string]string)
+	for _, o := range opts {
+		k, v := o()
+		query[k] = v
+	}
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/peers", nil, query)
 	if err != nil {
 		return nil, err
 	}
@@ -30,7 +50,7 @@ func (a *PeersAPI) List(ctx context.Context) ([]api.Peer, error) {
 // Get retrieve a peer
 // See more: https://docs.netbird.io/api/resources/peers#retrieve-a-peer
 func (a *PeersAPI) Get(ctx context.Context, peerID string) (*api.Peer, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/peers/"+peerID, nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/peers/"+peerID, nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -48,7 +68,7 @@ func (a *PeersAPI) Update(ctx context.Context, peerID string, request api.PutApi
 	if err != nil {
 		return nil, err
 	}
-	resp, err := a.c.NewRequest(ctx, "PUT", "/api/peers/"+peerID, bytes.NewReader(requestBytes))
+	resp, err := a.c.NewRequest(ctx, "PUT", "/api/peers/"+peerID, bytes.NewReader(requestBytes), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -62,7 +82,7 @@ func (a *PeersAPI) Update(ctx context.Context, peerID string, request api.PutApi
 // Delete delete a peer
 // See more: https://docs.netbird.io/api/resources/peers#delete-a-peer
 func (a *PeersAPI) Delete(ctx context.Context, peerID string) error {
-	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/peers/"+peerID, nil)
+	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/peers/"+peerID, nil, nil)
 	if err != nil {
 		return err
 	}
@@ -76,7 +96,7 @@ func (a *PeersAPI) Delete(ctx context.Context, peerID string) error {
 // ListAccessiblePeers list all peers that the specified peer can connect to within the network
 // See more: https://docs.netbird.io/api/resources/peers#list-accessible-peers
 func (a *PeersAPI) ListAccessiblePeers(ctx context.Context, peerID string) ([]api.Peer, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/peers/"+peerID+"/accessible-peers", nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/peers/"+peerID+"/accessible-peers", nil, nil)
 	if err != nil {
 		return nil, err
 	}

management/client/rest/peers_test.go

@@ -184,6 +184,10 @@ func TestPeers_Integration(t *testing.T) {
 		require.NoError(t, err)
 		require.NotEmpty(t, peers)
 
+		filteredPeers, err := c.Peers.List(context.Background(), rest.PeerIPFilter("192.168.10.0"))
+		require.NoError(t, err)
+		require.Empty(t, filteredPeers)
+
 		peer, err := c.Peers.Get(context.Background(), peers[0].Id)
 		require.NoError(t, err)
 		assert.Equal(t, peers[0].Id, peer.Id)

management/client/rest/policies.go

@@ -18,7 +18,7 @@ type PoliciesAPI struct {
 func (a *PoliciesAPI) List(ctx context.Context) ([]api.Policy, error) {
 	path := "/api/policies"
 
-	resp, err := a.c.NewRequest(ctx, "GET", path, nil)
+	resp, err := a.c.NewRequest(ctx, "GET", path, nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -32,7 +32,7 @@ func (a *PoliciesAPI) List(ctx context.Context) ([]api.Policy, error) {
 // Get get policy info
 // See more: https://docs.netbird.io/api/resources/policies#retrieve-a-policy
 func (a *PoliciesAPI) Get(ctx context.Context, policyID string) (*api.Policy, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/policies/"+policyID, nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/policies/"+policyID, nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -50,7 +50,7 @@ func (a *PoliciesAPI) Create(ctx context.Context, request api.PostApiPoliciesJSO
 	if err != nil {
 		return nil, err
 	}
-	resp, err := a.c.NewRequest(ctx, "POST", "/api/policies", bytes.NewReader(requestBytes))
+	resp, err := a.c.NewRequest(ctx, "POST", "/api/policies", bytes.NewReader(requestBytes), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -70,7 +70,7 @@ func (a *PoliciesAPI) Update(ctx context.Context, policyID string, request api.P
 	if err != nil {
 		return nil, err
 	}
-	resp, err := a.c.NewRequest(ctx, "PUT", path, bytes.NewReader(requestBytes))
+	resp, err := a.c.NewRequest(ctx, "PUT", path, bytes.NewReader(requestBytes), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -84,7 +84,7 @@ func (a *PoliciesAPI) Update(ctx context.Context, policyID string, request api.P
 // Delete delete policy
 // See more: https://docs.netbird.io/api/resources/policies#delete-a-policy
 func (a *PoliciesAPI) Delete(ctx context.Context, policyID string) error {
-	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/policies/"+policyID, nil)
+	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/policies/"+policyID, nil, nil)
 	if err != nil {
 		return err
 	}

management/client/rest/posturechecks.go

@@ -16,7 +16,7 @@ type PostureChecksAPI struct {
 // List list all posture checks
 // See more: https://docs.netbird.io/api/resources/posture-checks#list-all-posture-checks
 func (a *PostureChecksAPI) List(ctx context.Context) ([]api.PostureCheck, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/posture-checks", nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/posture-checks", nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -30,7 +30,7 @@ func (a *PostureChecksAPI) List(ctx context.Context) ([]api.PostureCheck, error)
 // Get get posture check info
 // See more: https://docs.netbird.io/api/resources/posture-checks#retrieve-a-posture-check
 func (a *PostureChecksAPI) Get(ctx context.Context, postureCheckID string) (*api.PostureCheck, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/posture-checks/"+postureCheckID, nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/posture-checks/"+postureCheckID, nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -48,7 +48,7 @@ func (a *PostureChecksAPI) Create(ctx context.Context, request api.PostApiPostur
 	if err != nil {
 		return nil, err
 	}
-	resp, err := a.c.NewRequest(ctx, "POST", "/api/posture-checks", bytes.NewReader(requestBytes))
+	resp, err := a.c.NewRequest(ctx, "POST", "/api/posture-checks", bytes.NewReader(requestBytes), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -66,7 +66,7 @@ func (a *PostureChecksAPI) Update(ctx context.Context, postureCheckID string, re
 	if err != nil {
 		return nil, err
 	}
-	resp, err := a.c.NewRequest(ctx, "PUT", "/api/posture-checks/"+postureCheckID, bytes.NewReader(requestBytes))
+	resp, err := a.c.NewRequest(ctx, "PUT", "/api/posture-checks/"+postureCheckID, bytes.NewReader(requestBytes), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -80,7 +80,7 @@ func (a *PostureChecksAPI) Update(ctx context.Context, postureCheckID string, re
 // Delete delete posture check
 // See more: https://docs.netbird.io/api/resources/posture-checks#delete-a-posture-check
 func (a *PostureChecksAPI) Delete(ctx context.Context, postureCheckID string) error {
-	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/posture-checks/"+postureCheckID, nil)
+	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/posture-checks/"+postureCheckID, nil, nil)
 	if err != nil {
 		return err
 	}

management/client/rest/routes.go

@@ -16,7 +16,7 @@ type RoutesAPI struct {
 // List list all routes
 // See more: https://docs.netbird.io/api/resources/routes#list-all-routes
 func (a *RoutesAPI) List(ctx context.Context) ([]api.Route, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/routes", nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/routes", nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -30,7 +30,7 @@ func (a *RoutesAPI) List(ctx context.Context) ([]api.Route, error) {
 // Get get route info
 // See more: https://docs.netbird.io/api/resources/routes#retrieve-a-route
 func (a *RoutesAPI) Get(ctx context.Context, routeID string) (*api.Route, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/routes/"+routeID, nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/routes/"+routeID, nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -48,7 +48,7 @@ func (a *RoutesAPI) Create(ctx context.Context, request api.PostApiRoutesJSONReq
 	if err != nil {
 		return nil, err
 	}
-	resp, err := a.c.NewRequest(ctx, "POST", "/api/routes", bytes.NewReader(requestBytes))
+	resp, err := a.c.NewRequest(ctx, "POST", "/api/routes", bytes.NewReader(requestBytes), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -66,7 +66,7 @@ func (a *RoutesAPI) Update(ctx context.Context, routeID string, request api.PutA
 	if err != nil {
 		return nil, err
 	}
-	resp, err := a.c.NewRequest(ctx, "PUT", "/api/routes/"+routeID, bytes.NewReader(requestBytes))
+	resp, err := a.c.NewRequest(ctx, "PUT", "/api/routes/"+routeID, bytes.NewReader(requestBytes), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -80,7 +80,7 @@ func (a *RoutesAPI) Update(ctx context.Context, routeID string, request api.PutA
 // Delete delete route
 // See more: https://docs.netbird.io/api/resources/routes#delete-a-route
 func (a *RoutesAPI) Delete(ctx context.Context, routeID string) error {
-	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/routes/"+routeID, nil)
+	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/routes/"+routeID, nil, nil)
 	if err != nil {
 		return err
 	}

management/client/rest/setupkeys.go

@@ -16,7 +16,7 @@ type SetupKeysAPI struct {
 // List list all setup keys
 // See more: https://docs.netbird.io/api/resources/setup-keys#list-all-setup-keys
 func (a *SetupKeysAPI) List(ctx context.Context) ([]api.SetupKey, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/setup-keys", nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/setup-keys", nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -30,7 +30,7 @@ func (a *SetupKeysAPI) List(ctx context.Context) ([]api.SetupKey, error) {
 // Get get setup key info
 // See more: https://docs.netbird.io/api/resources/setup-keys#retrieve-a-setup-key
 func (a *SetupKeysAPI) Get(ctx context.Context, setupKeyID string) (*api.SetupKey, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/setup-keys/"+setupKeyID, nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/setup-keys/"+setupKeyID, nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -50,7 +50,7 @@ func (a *SetupKeysAPI) Create(ctx context.Context, request api.PostApiSetupKeysJ
 	if err != nil {
 		return nil, err
 	}
-	resp, err := a.c.NewRequest(ctx, "POST", path, bytes.NewReader(requestBytes))
+	resp, err := a.c.NewRequest(ctx, "POST", path, bytes.NewReader(requestBytes), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -68,7 +68,7 @@ func (a *SetupKeysAPI) Update(ctx context.Context, setupKeyID string, request ap
 	if err != nil {
 		return nil, err
 	}
-	resp, err := a.c.NewRequest(ctx, "PUT", "/api/setup-keys/"+setupKeyID, bytes.NewReader(requestBytes))
+	resp, err := a.c.NewRequest(ctx, "PUT", "/api/setup-keys/"+setupKeyID, bytes.NewReader(requestBytes), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -82,7 +82,7 @@ func (a *SetupKeysAPI) Update(ctx context.Context, setupKeyID string, request ap
 // Delete delete setup key
 // See more: https://docs.netbird.io/api/resources/setup-keys#delete-a-setup-key
 func (a *SetupKeysAPI) Delete(ctx context.Context, setupKeyID string) error {
-	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/setup-keys/"+setupKeyID, nil)
+	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/setup-keys/"+setupKeyID, nil, nil)
 	if err != nil {
 		return err
 	}

management/client/rest/tokens.go

@@ -16,7 +16,7 @@ type TokensAPI struct {
 // List list user tokens
 // See more: https://docs.netbird.io/api/resources/tokens#list-all-tokens
 func (a *TokensAPI) List(ctx context.Context, userID string) ([]api.PersonalAccessToken, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/users/"+userID+"/tokens", nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/users/"+userID+"/tokens", nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -30,7 +30,7 @@ func (a *TokensAPI) List(ctx context.Context, userID string) ([]api.PersonalAcce
 // Get get user token info
 // See more: https://docs.netbird.io/api/resources/tokens#retrieve-a-token
 func (a *TokensAPI) Get(ctx context.Context, userID, tokenID string) (*api.PersonalAccessToken, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/users/"+userID+"/tokens/"+tokenID, nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/users/"+userID+"/tokens/"+tokenID, nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -48,7 +48,7 @@ func (a *TokensAPI) Create(ctx context.Context, userID string, request api.PostA
 	if err != nil {
 		return nil, err
 	}
-	resp, err := a.c.NewRequest(ctx, "POST", "/api/users/"+userID+"/tokens", bytes.NewReader(requestBytes))
+	resp, err := a.c.NewRequest(ctx, "POST", "/api/users/"+userID+"/tokens", bytes.NewReader(requestBytes), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -62,7 +62,7 @@ func (a *TokensAPI) Create(ctx context.Context, userID string, request api.PostA
 // Delete delete user token
 // See more: https://docs.netbird.io/api/resources/tokens#delete-a-token
 func (a *TokensAPI) Delete(ctx context.Context, userID, tokenID string) error {
-	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/users/"+userID+"/tokens/"+tokenID, nil)
+	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/users/"+userID+"/tokens/"+tokenID, nil, nil)
 	if err != nil {
 		return err
 	}

management/client/rest/users.go

@@ -16,7 +16,7 @@ type UsersAPI struct {
 // List list all users, only returns one user always
 // See more: https://docs.netbird.io/api/resources/users#list-all-users
 func (a *UsersAPI) List(ctx context.Context) ([]api.User, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/users", nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/users", nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -34,7 +34,7 @@ func (a *UsersAPI) Create(ctx context.Context, request api.PostApiUsersJSONReque
 	if err != nil {
 		return nil, err
 	}
-	resp, err := a.c.NewRequest(ctx, "POST", "/api/users", bytes.NewReader(requestBytes))
+	resp, err := a.c.NewRequest(ctx, "POST", "/api/users", bytes.NewReader(requestBytes), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -52,7 +52,7 @@ func (a *UsersAPI) Update(ctx context.Context, userID string, request api.PutApi
 	if err != nil {
 		return nil, err
 	}
-	resp, err := a.c.NewRequest(ctx, "PUT", "/api/users/"+userID, bytes.NewReader(requestBytes))
+	resp, err := a.c.NewRequest(ctx, "PUT", "/api/users/"+userID, bytes.NewReader(requestBytes), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -66,7 +66,7 @@ func (a *UsersAPI) Update(ctx context.Context, userID string, request api.PutApi
 // Delete delete user
 // See more: https://docs.netbird.io/api/resources/users#delete-a-user
 func (a *UsersAPI) Delete(ctx context.Context, userID string) error {
-	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/users/"+userID, nil)
+	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/users/"+userID, nil, nil)
 	if err != nil {
 		return err
 	}
@@ -80,7 +80,7 @@ func (a *UsersAPI) Delete(ctx context.Context, userID string) error {
 // ResendInvitation resend user invitation
 // See more: https://docs.netbird.io/api/resources/users#resend-user-invitation
 func (a *UsersAPI) ResendInvitation(ctx context.Context, userID string) error {
-	resp, err := a.c.NewRequest(ctx, "POST", "/api/users/"+userID+"/invite", nil)
+	resp, err := a.c.NewRequest(ctx, "POST", "/api/users/"+userID+"/invite", nil, nil)
 	if err != nil {
 		return err
 	}
@@ -94,7 +94,7 @@ func (a *UsersAPI) ResendInvitation(ctx context.Context, userID string) error {
 // Current gets the current user info
 // See more: https://docs.netbird.io/api/resources/users#retrieve-current-user
 func (a *UsersAPI) Current(ctx context.Context) (*api.User, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/users/current", nil)
+	resp, err := a.c.NewRequest(ctx, "GET", "/api/users/current", nil, nil)
 	if err != nil {
 		return nil, err
 	}

management/cmd/management.go

@@ -215,7 +215,7 @@ var (
 			peersManager := peers.NewManager(store, permissionsManager)
 			proxyController := integrations.NewController(store)
 			accountManager, err := server.BuildManager(ctx, store, peersUpdateManager, idpManager, mgmtSingleAccModeDomain,
-				dnsDomain, eventStore, geo, userDeleteFromIDPEnabled, integratedPeerValidator, appMetrics, proxyController, settingsManager, permissionsManager)
+				dnsDomain, eventStore, geo, userDeleteFromIDPEnabled, integratedPeerValidator, appMetrics, proxyController, settingsManager, permissionsManager, config.DisableDefaultPolicy)
 			if err != nil {
 				return fmt.Errorf("failed to build default manager: %v", err)
 			}

management/server/account.go

@@ -102,6 +102,20 @@ type DefaultAccountManager struct {
 
 	accountUpdateLocks               sync.Map
 	updateAccountPeersBufferInterval atomic.Int64
+
+	disableDefaultPolicy bool
+}
+
+func isUniqueConstraintError(err error) bool {
+	switch {
+	case strings.Contains(err.Error(), "(SQLSTATE 23505)"),
+		strings.Contains(err.Error(), "Error 1062 (23000)"),
+		strings.Contains(err.Error(), "UNIQUE constraint failed"):
+		return true
+
+	default:
+		return false
+	}
 }
 
 // getJWTGroupsChanges calculates the changes needed to sync a user's JWT groups.
@@ -170,6 +184,7 @@ func BuildManager(
 	proxyController port_forwarding.Controller,
 	settingsManager settings.Manager,
 	permissionsManager permissions.Manager,
+	disableDefaultPolicy bool,
 ) (*DefaultAccountManager, error) {
 	start := time.Now()
 	defer func() {
@@ -195,6 +210,7 @@ func BuildManager(
 		proxyController:          proxyController,
 		settingsManager:          settingsManager,
 		permissionsManager:       permissionsManager,
+		disableDefaultPolicy:     disableDefaultPolicy,
 	}
 
 	am.startWarmup(ctx)
@@ -543,7 +559,7 @@ func (am *DefaultAccountManager) newAccount(ctx context.Context, userID, domain
 			log.WithContext(ctx).Warnf("an account with ID already exists, retrying...")
 			continue
 		case statusErr.Type() == status.NotFound:
-			newAccount := newAccountWithId(ctx, accountId, userID, domain)
+			newAccount := newAccountWithId(ctx, accountId, userID, domain, am.disableDefaultPolicy)
 			am.StoreEvent(ctx, userID, newAccount.Id, accountId, activity.AccountCreated, nil)
 			return newAccount, nil
 		default:
@@ -1188,6 +1204,71 @@ func (am *DefaultAccountManager) GetAccountMeta(ctx context.Context, accountID s
 	return am.Store.GetAccountMeta(ctx, store.LockingStrengthShare, accountID)
 }
 
+// GetAccountOnboarding retrieves the onboarding information for a specific account.
+func (am *DefaultAccountManager) GetAccountOnboarding(ctx context.Context, accountID string, userID string) (*types.AccountOnboarding, error) {
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Accounts, operations.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+
+	if !allowed {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	onboarding, err := am.Store.GetAccountOnboarding(ctx, accountID)
+	if err != nil && err.Error() != status.NewAccountOnboardingNotFoundError(accountID).Error() {
+		log.Errorf("failed to get account onboarding for accountssssssss %s: %v", accountID, err)
+		return nil, err
+	}
+
+	if onboarding == nil {
+		onboarding = &types.AccountOnboarding{
+			AccountID: accountID,
+		}
+	}
+
+	return onboarding, nil
+}
+
+func (am *DefaultAccountManager) UpdateAccountOnboarding(ctx context.Context, accountID, userID string, newOnboarding *types.AccountOnboarding) (*types.AccountOnboarding, error) {
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Settings, operations.Update)
+	if err != nil {
+		return nil, fmt.Errorf("failed to validate user permissions: %w", err)
+	}
+
+	if !allowed {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	oldOnboarding, err := am.Store.GetAccountOnboarding(ctx, accountID)
+	if err != nil && err.Error() != status.NewAccountOnboardingNotFoundError(accountID).Error() {
+		return nil, fmt.Errorf("failed to get account onboarding: %w", err)
+	}
+
+	if oldOnboarding == nil {
+		oldOnboarding = &types.AccountOnboarding{
+			AccountID: accountID,
+		}
+	}
+
+	if newOnboarding == nil {
+		return oldOnboarding, nil
+	}
+
+	if oldOnboarding.IsEqual(*newOnboarding) {
+		log.WithContext(ctx).Debugf("no changes in onboarding for account %s", accountID)
+		return oldOnboarding, nil
+	}
+
+	newOnboarding.AccountID = accountID
+	err = am.Store.SaveAccountOnboarding(ctx, newOnboarding)
+	if err != nil {
+		return nil, fmt.Errorf("failed to update account onboarding: %w", err)
+	}
+
+	return newOnboarding, nil
+}
+
 func (am *DefaultAccountManager) GetAccountIDFromUserAuth(ctx context.Context, userAuth nbcontext.UserAuth) (string, string, error) {
 	if userAuth.UserId == "" {
 		return "", "", errors.New(emptyUserID)
@@ -1657,25 +1738,6 @@ func (am *DefaultAccountManager) handleUserPeer(ctx context.Context, transaction
 	return false, nil
 }
 
-func (am *DefaultAccountManager) getFreeDNSLabel(ctx context.Context, s store.Store, accountID string, peerHostName string) (string, error) {
-	existingLabels, err := s.GetPeerLabelsInAccount(ctx, store.LockingStrengthShare, accountID)
-	if err != nil {
-		return "", fmt.Errorf("failed to get peer dns labels: %w", err)
-	}
-
-	labelMap := ConvertSliceToMap(existingLabels)
-	newLabel, err := types.GetPeerHostLabel(peerHostName, labelMap)
-	if err != nil {
-		return "", fmt.Errorf("failed to get new host label: %w", err)
-	}
-
-	if newLabel == "" {
-		return "", fmt.Errorf("failed to get new host label: %w", err)
-	}
-
-	return newLabel, nil
-}
-
 func (am *DefaultAccountManager) GetAccountSettings(ctx context.Context, accountID string, userID string) (*types.Settings, error) {
 	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Settings, operations.Read)
 	if err != nil {
@@ -1688,7 +1750,7 @@ func (am *DefaultAccountManager) GetAccountSettings(ctx context.Context, account
 }
 
 // newAccountWithId creates a new Account with a default SetupKey (doesn't store in a Store) and provided id
-func newAccountWithId(ctx context.Context, accountID, userID, domain string) *types.Account {
+func newAccountWithId(ctx context.Context, accountID, userID, domain string, disableDefaultPolicy bool) *types.Account {
 	log.WithContext(ctx).Debugf("creating new account")
 
 	network := types.NewNetwork()
@@ -1729,9 +1791,13 @@ func newAccountWithId(ctx context.Context, accountID, userID, domain string) *ty
 			PeerInactivityExpiration:        types.DefaultPeerInactivityExpiration,
 			RoutingPeerDNSResolutionEnabled: true,
 		},
+		Onboarding: types.AccountOnboarding{
+			OnboardingFlowPending: true,
+			SignupFormPending:     true,
+		},
 	}
 
-	if err := acc.AddAllGroup(); err != nil {
+	if err := acc.AddAllGroup(disableDefaultPolicy); err != nil {
 		log.WithContext(ctx).Errorf("error adding all group to account %s: %v", acc.Id, err)
 	}
 	return acc
@@ -1833,7 +1899,7 @@ func (am *DefaultAccountManager) GetOrCreateAccountByPrivateDomain(ctx context.C
 			},
 		}
 
-		if err := newAccount.AddAllGroup(); err != nil {
+		if err := newAccount.AddAllGroup(am.disableDefaultPolicy); err != nil {
 			return nil, false, status.Errorf(status.Internal, "failed to add all group to new account by private domain")
 		}
 

management/server/account/manager.go

@@ -39,6 +39,7 @@ type Manager interface {
 	GetSetupKey(ctx context.Context, accountID, userID, keyID string) (*types.SetupKey, error)
 	GetAccountByID(ctx context.Context, accountID string, userID string) (*types.Account, error)
 	GetAccountMeta(ctx context.Context, accountID string, userID string) (*types.AccountMeta, error)
+	GetAccountOnboarding(ctx context.Context, accountID string, userID string) (*types.AccountOnboarding, error)
 	AccountExists(ctx context.Context, accountID string) (bool, error)
 	GetAccountIDByUserID(ctx context.Context, userID, domain string) (string, error)
 	GetAccountIDFromUserAuth(ctx context.Context, userAuth nbcontext.UserAuth) (string, string, error)
@@ -89,6 +90,7 @@ type Manager interface {
 	SaveDNSSettings(ctx context.Context, accountID string, userID string, dnsSettingsToSave *types.DNSSettings) error
 	GetPeer(ctx context.Context, accountID, peerID, userID string) (*nbpeer.Peer, error)
 	UpdateAccountSettings(ctx context.Context, accountID, userID string, newSettings *types.Settings) (*types.Settings, error)
+	UpdateAccountOnboarding(ctx context.Context, accountID, userID string, newOnboarding *types.AccountOnboarding) (*types.AccountOnboarding, error)
 	LoginPeer(ctx context.Context, login types.PeerLogin) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error)                // used by peer gRPC API
 	SyncPeer(ctx context.Context, sync types.PeerSync, accountID string) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error) // used by peer gRPC API
 	GetAllConnectedPeers() (map[string]struct{}, error)