Add nftables

Support site to site traffic for network flows in kernel mode
2026-04-12 12:36:15 -04:00 · 2025-03-26 17:30:14 +01:00 · 2025-03-25 00:28:13 +01:00
311 changed files with 9183 additions and 16960 deletions
--- a/.git-branches.toml
+++ b/.git-branches.toml
@@ -1,27 +0,0 @@
-# More info around this file at https://www.git-town.com/configuration-file
-
-[branches]
-main = "main"
-perennials = []
-perennial-regex = ""
-
-[create]
-new-branch-type = "feature"
-push-new-branches = false
-
-[hosting]
-dev-remote = "origin"
-# platform = ""
-# origin-hostname = ""
-
-[ship]
-delete-tracking-branch = false
-strategy = "squash-merge"
-
-[sync]
-feature-strategy = "merge"
-perennial-strategy = "rebase"
-prototype-strategy = "merge"
-push-hook = true
-tags = true
-upstream = false
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -2,10 +2,6 @@

 ## Issue ticket number and link

-## Stack
-
-<!-- branch-stack -->
-
 ### Checklist
 - [ ] Is it a bug fix
 - [ ] Is a typo/documentation fix
--- a/.github/workflows/git-town.yml
+++ b/.github/workflows/git-town.yml
@@ -1,21 +0,0 @@
-name: Git Town
-
-on:
-  pull_request:
-    branches:
-      - '**'
-
-jobs:
-  git-town:
-    name: Display the branch stack
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-      pull-requests: write
-
-    steps:
-      - uses: actions/checkout@v4
-      - uses: git-town/action@v1
-        with:
-          skip-single-stacks: true
--- a/.github/workflows/golang-test-freebsd.yml
+++ b/.github/workflows/golang-test-freebsd.yml
@@ -22,20 +22,14 @@ jobs:
        with:
          usesh: true
          copyback: false
-          release: "14.2"
+          release: "14.1"
          prepare: |
-            pkg install -y curl pkgconf xorg
-            LATEST_VERSION=$(curl -s https://go.dev/VERSION?m=text|head -n 1)
-            GO_TARBALL="$LATEST_VERSION.freebsd-amd64.tar.gz"
-            GO_URL="https://go.dev/dl/$GO_TARBALL"
-            curl -vLO "$GO_URL"
-            tar -C /usr/local -vxzf "$GO_TARBALL"            
+            pkg install -y go pkgconf xorg

          # -x - to print all executed commands
          # -e - to faile on first error
          run: |
            set -e -x
-            export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin
            time go build -o netbird client/main.go
            # check all component except management, since we do not support management server on freebsd
            time go test -timeout 1m -failfast ./base62/...
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -146,65 +146,6 @@ jobs:
      - name: Test
        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay)

-  test_client_on_docker:
-    name: "Client (Docker) / Unit"
-    needs: [build-cache]
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.23.x"
-          cache: false
-
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Get Go environment
-        id: go-env
-        run: |
-          echo "cache_dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT
-          echo "modcache_dir=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
-
-      - name: Cache Go modules
-        uses: actions/cache/restore@v4
-        id: cache-restore
-        with:
-          path: |
-            ${{ steps.go-env.outputs.cache_dir }}
-            ${{ steps.go-env.outputs.modcache_dir }}
-          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-gotest-cache-
-
-      - name: Run tests in container
-        env:
-          HOST_GOCACHE: ${{ steps.go-env.outputs.cache_dir }}
-          HOST_GOMODCACHE: ${{ steps.go-env.outputs.modcache_dir }}
-        run: |
-          CONTAINER_GOCACHE="/root/.cache/go-build"
-          CONTAINER_GOMODCACHE="/go/pkg/mod"
-
-          docker run --rm \
-            --cap-add=NET_ADMIN \
-            --privileged \
-            -v $PWD:/app \
-            -w /app \
-            -v "${HOST_GOCACHE}:${CONTAINER_GOCACHE}" \
-            -v "${HOST_GOMODCACHE}:${CONTAINER_GOMODCACHE}" \
-            -e CGO_ENABLED=1 \
-            -e CI=true \
-            -e DOCKER_CI=true \
-            -e GOARCH=${GOARCH_TARGET} \
-            -e GOCACHE=${CONTAINER_GOCACHE} \
-            -e GOMODCACHE=${CONTAINER_GOMODCACHE} \
-            golang:1.23-alpine \
-            sh -c ' \
-              apk update; apk add --no-cache \
-                ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base; \
-              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /client/ui -e /upload-server)
-            '
-
  test_relay:
    name: "Relay / Unit"
    needs: [build-cache]
@@ -238,6 +179,13 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-gotest-cache-

+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+
+      - name: Install 32-bit libpcap
+        if: matrix.arch == '386'
+        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
+
      - name: Install modules
        run: go mod tidy

@@ -284,6 +232,13 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-gotest-cache-

+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+
+      - name: Install 32-bit libpcap
+        if: matrix.arch == '386'
+        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
+
      - name: Install modules
        run: go mod tidy

@@ -331,6 +286,13 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-gotest-cache-

+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+
+      - name: Install 32-bit libpcap
+        if: matrix.arch == '386'
+        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
+
      - name: Install modules
        run: go mod tidy

@@ -352,7 +314,6 @@ jobs:
        run: |          
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
-            CI=true \
          go test -tags=devcert \
            -exec "sudo --preserve-env=CI,NETBIRD_STORE_ENGINE" \
            -timeout 20m ./management/...
@@ -392,6 +353,13 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-gotest-cache-

+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+
+      - name: Install 32-bit libpcap
+        if: matrix.arch == '386'
+        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
+
      - name: Install modules
        run: go mod tidy

@@ -412,11 +380,10 @@ jobs:
      - name: Test
        run: |
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
-          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
-          CI=true \
+          NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true \
          go test -tags devcert -run=^$ -bench=. \
          -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
-          -timeout 20m ./management/...
+          -timeout 20m ./...

  api_benchmark:
    name: "Management / Benchmark (API)"
@@ -429,33 +396,6 @@ jobs:
        store: [ 'sqlite', 'postgres' ]
    runs-on: ubuntu-22.04
    steps:
-      - name: Create Docker network
-        run: docker network create promnet
-
-      - name: Start Prometheus Pushgateway
-        run: docker run -d --name pushgateway --network promnet -p 9091:9091 prom/pushgateway
-
-      - name: Start Prometheus (for Pushgateway forwarding)
-        run: |
-          echo '
-          global:
-            scrape_interval: 15s
-          scrape_configs:
-            - job_name: "pushgateway"
-              static_configs:
-                - targets: ["pushgateway:9091"]
-          remote_write:
-            - url: ${{ secrets.GRAFANA_URL }}
-              basic_auth:
-                username: ${{ secrets.GRAFANA_USER }}
-                password: ${{ secrets.GRAFANA_API_KEY }}
-          ' > prometheus.yml
-
-          docker run -d --name prometheus --network promnet \
-            -v $PWD/prometheus.yml:/etc/prometheus/prometheus.yml \
-            -p 9090:9090 \
-            prom/prometheus
-
      - name: Install Go
        uses: actions/setup-go@v5
        with:
@@ -480,6 +420,13 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-gotest-cache-

+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+
+      - name: Install 32-bit libpcap
+        if: matrix.arch == '386'
+        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
+
      - name: Install modules
        run: go mod tidy

@@ -500,13 +447,11 @@ jobs:
      - name: Test
        run: |
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
-          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
-          CI=true \
-          GIT_BRANCH=${{ github.ref_name }} \
+          NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true \
          go test -tags=benchmark \
            -run=^$ \
            -bench=. \
-            -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE,GIT_BRANCH,GITHUB_RUN_ID' \
+            -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
            -timeout 20m ./management/...

  api_integration_test:
@@ -544,6 +489,13 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-gotest-cache-

+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+
+      - name: Install 32-bit libpcap
+        if: matrix.arch == '386'
+        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
+
      - name: Install modules
        run: go mod tidy

@@ -553,8 +505,89 @@ jobs:
      - name: Test
        run: |
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
-          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
-          CI=true \
+          NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true \
          go test -tags=integration \
          -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
          -timeout 20m ./management/...
+
+  test_client_on_docker:
+    name: "Client (Docker) / Unit"
+    needs: [ build-cache ]
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.23.x"
+          cache: false
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Get Go environment
+        run: |
+          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+
+      - name: Cache Go modules
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ${{ env.cache }}
+            ${{ env.modcache }}
+          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-gotest-cache-
+
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+
+      - name: Install modules
+        run: go mod tidy
+
+      - name: check git status
+        run: git --no-pager diff --exit-code
+
+      - name: Generate Shared Sock Test bin
+        run: CGO_ENABLED=0 go test -c -o sharedsock-testing.bin ./sharedsock
+
+      - name: Generate RouteManager Test bin
+        run: CGO_ENABLED=0 go test -c -o routemanager-testing.bin  ./client/internal/routemanager
+
+      - name: Generate SystemOps Test bin
+        run: CGO_ENABLED=1 go test -c -o systemops-testing.bin -tags netgo -ldflags '-w -extldflags "-static -ldbus-1 -lpcap"' ./client/internal/routemanager/systemops
+
+      - name: Generate nftables Manager Test bin
+        run: CGO_ENABLED=0 go test -c -o nftablesmanager-testing.bin ./client/firewall/nftables/...
+
+      - name: Generate Engine Test bin
+        run: CGO_ENABLED=1 go test -c -o engine-testing.bin ./client/internal
+
+      - name: Generate Peer Test bin
+        run: CGO_ENABLED=0 go test -c -o peer-testing.bin ./client/internal/peer/
+
+      - run: chmod +x *testing.bin
+
+      - name: Run Shared Sock tests in docker
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/sharedsock --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/sharedsock-testing.bin -test.timeout 5m -test.parallel 1
+
+      - name: Run Iface tests in docker
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/netbird -v /tmp/cache:/tmp/cache -v /tmp/modcache:/tmp/modcache -w /netbird -e GOCACHE=/tmp/cache -e GOMODCACHE=/tmp/modcache -e CGO_ENABLED=0 golang:1.23-alpine go test  -test.timeout 5m -test.parallel 1 ./client/iface/...
+
+      - name: Run RouteManager tests in docker
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/routemanager --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/routemanager-testing.bin  -test.timeout 5m -test.parallel 1
+
+      - name: Run SystemOps tests in docker
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/routemanager/systemops --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/systemops-testing.bin  -test.timeout 5m -test.parallel 1
+
+      - name: Run nftables Manager tests in docker
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/firewall --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/nftablesmanager-testing.bin  -test.timeout 5m -test.parallel 1
+
+      - name: Run Engine tests in docker with file store
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal -e NETBIRD_STORE_ENGINE="jsonfile" --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/engine-testing.bin  -test.timeout 5m -test.parallel 1
+
+      - name: Run Engine tests in docker with sqlite store
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal -e NETBIRD_STORE_ENGINE="sqlite" --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/engine-testing.bin  -test.timeout 5m -test.parallel 1
+
+      - name: Run Peer tests in docker
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/peer  --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/peer-testing.bin  -test.timeout 5m -test.parallel 1
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -19,7 +19,7 @@ jobs:
      - name: codespell
        uses: codespell-project/actions-codespell@v2
        with:
-          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe
+          ignore_words_list: erro,clienta,hastable,iif,groupd,testin
          skip: go.mod,go.sum
          only_warn: 1
  golangci:
--- a/.github/workflows/test-infrastructure-files.yml
+++ b/.github/workflows/test-infrastructure-files.yml
@@ -178,7 +178,6 @@ jobs:
          grep -A 10 'relay:' docker-compose.yml | egrep 'NB_AUTH_SECRET=.+$'
          grep -A 7 Relay management.json | grep "rel://$CI_NETBIRD_DOMAIN:33445"
          grep -A 7 Relay management.json | egrep '"Secret": ".+"'
-          grep DisablePromptLogin management.json | grep 'true'

      - name: Install modules
        run: go mod tidy
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -96,20 +96,6 @@ builds:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"

-  - id: netbird-upload
-    dir: upload-server
-    env: [CGO_ENABLED=0]
-    binary: netbird-upload
-    goos:
-      - linux
-    goarch:
-      - amd64
-      - arm64
-      - arm
-    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: "{{ .CommitTimestamp }}"
-
 universal_binaries:
  - id: netbird

@@ -423,52 +409,6 @@ dockers:
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/upload:{{ .Version }}-amd64
-    ids:
-      - netbird-upload
-    goarch: amd64
-    use: buildx
-    dockerfile: upload-server/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/upload:{{ .Version }}-arm64v8
-    ids:
-      - netbird-upload
-    goarch: arm64
-    use: buildx
-    dockerfile: upload-server/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/upload:{{ .Version }}-arm
-    ids:
-      - netbird-upload
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: upload-server/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=maintainer=dev@netbird.io"
 docker_manifests:
  - name_template: netbirdio/netbird:{{ .Version }}
    image_templates:
@@ -535,17 +475,7 @@ docker_manifests:
      - netbirdio/management:{{ .Version }}-debug-arm64v8
      - netbirdio/management:{{ .Version }}-debug-arm
      - netbirdio/management:{{ .Version }}-debug-amd64
-  - name_template: netbirdio/upload:{{ .Version }}
-    image_templates:
-      - netbirdio/upload:{{ .Version }}-arm64v8
-      - netbirdio/upload:{{ .Version }}-arm
-      - netbirdio/upload:{{ .Version }}-amd64

-  - name_template: netbirdio/upload:latest
-    image_templates:
-      - netbirdio/upload:{{ .Version }}-arm64v8
-      - netbirdio/upload:{{ .Version }}-arm
-      - netbirdio/upload:{{ .Version }}-amd64
 brews:
  - ids:
      - default
--- a/README.md
+++ b/README.md
@@ -57,16 +57,16 @@

 ### Key features

-| Connectivity | Management | Security | Automation| Platforms |
-|----|----|----|----|----|
-| <ul><li>- \[x] Kernel WireGuard</ul></li> | <ul><li>- \[x] [Admin Web UI](https://github.com/netbirdio/dashboard)</ul></li> | <ul><li>- \[x] [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login)</ul></li> | <ul><li>- \[x] [Public API](https://docs.netbird.io/api)</ul></li> | <ul><li>- \[x] Linux</ul></li> |
-| <ul><li>- \[x] Peer-to-peer connections</ul></li> | <ul><li>- \[x] Auto peer discovery and configuration</ui></li> | <ul><li>- \[x] [Access control - groups & rules](https://docs.netbird.io/how-to/manage-network-access)</ui></li> | <ul><li>- \[x] [Setup keys for bulk network provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys)</ui></li> | <ul><li>- \[x] Mac</ui></li> |
-| <ul><li>- \[x] Connection relay fallback</ui></li> | <ul><li>- \[x] [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers)</ui></li> | <ul><li>- \[x] [Activity logging](https://docs.netbird.io/how-to/audit-events-logging)</ui></li> | <ul><li>- \[x] [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart)</ui></li> | <ul><li>- \[x] Windows</ui></li> |
-| <ul><li>- \[x] [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks)</ui></li> | <ul><li>- \[x] [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network)</ui></li> | <ul><li>- \[x] [Device posture checks](https://docs.netbird.io/how-to/manage-posture-checks)</ui></li> | <ul><li>- \[x] IdP groups sync with JWT</ui></li> | <ul><li>- \[x] Android</ui></li> |
-| <ul><li>- \[x] NAT traversal with BPF</ui></li> | <ul><li>- \[x] [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network)</ui></li> | <ul><li>- \[x] Peer-to-peer encryption</ui></li> || <ul><li>- \[x] iOS</ui></li> |
-||| <ul><li>- \[x] [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn)</ui></li> || <ul><li>- \[x] OpenWRT</ui></li> |
-||| <ul><li>- \[x] [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication)</ui></li> || <ul><li>- \[x] [Serverless](https://docs.netbird.io/how-to/netbird-on-faas)</ui></li> |
-||||| <ul><li>- \[x] Docker</ui></li> |
+| Connectivity                                                                                                                 | Management                                                                                               | Security                                                                                                                              | Automation                                                                                                                               | Platforms                                                                               |
+|------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------|
+| <ul><li> - \[x] Kernel WireGuard </ul></li>                                                                                  | <ul><li> - \[x] [Admin Web UI](https://github.com/netbirdio/dashboard) </ul></li>                        | <ul><li> - \[x] [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login) </ul></li>           | <ul><li> - \[x] [Public API](https://docs.netbird.io/api) </ul></li>                                                                     | <ul><li> - \[x] Linux </ul></li>                                                        |
+| <ul><li> - \[x] Peer-to-peer connections </ul></li>                                                                          | <ul><li> - \[x] Auto peer discovery and configuration </ul></li>                                         | <ul><li> - \[x] [Access control - groups & rules](https://docs.netbird.io/how-to/manage-network-access) </ul></li>                    | <ul><li> - \[x] [Setup keys for bulk network provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys) </ul></li> | <ul><li> - \[x] Mac </ul></li>                                                          |
+| <ul><li> - \[x] Connection relay fallback </ul></li>                                                                         | <ul><li> - \[x] [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers) </ul></li>     | <ul><li> - \[x] [Activity logging](https://docs.netbird.io/how-to/monitor-system-and-network-activity) </ul></li>                     | <ul><li> - \[x] [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart) </ul></li>                    | <ul><li> - \[x] Windows </ul></li>                                                      |
+| <ul><li> - \[x] [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks) </ul></li> | <ul><li> - \[x] [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network) </ul></li>      | <ul><li> - \[x] [Device posture checks](https://docs.netbird.io/how-to/manage-posture-checks) </ul></li>                              | <ul><li> - \[x] IdP groups sync with JWT </ul></li>                                                                                      | <ul><li> - \[x] Android </ul></li>                                                      |
+| <ul><li> - \[x] NAT traversal with BPF </ul></li>                                                                            | <ul><li> - \[x] [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network) </ul></li> | <ul><li> -  \[x] Peer-to-peer encryption </ul></li>                                                                                   |                                                                                                                                          | <ul><li> - \[x] iOS </ul></li>                                                          |
+|                                                                                                                              |                                                                                                          | <ul><li> - \[x] [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn) </ul></li> |                                                                                                                                          | <ul><li> - \[x] OpenWRT </ul></li>                                                      |
+|                                                                                                                              |                                                                                                          | <ui><li> - \[x] [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication)</ul></li>           |                                                                                                                                          | <ul><li> - \[x] [Serverless](https://docs.netbird.io/how-to/netbird-on-faas) </ul></li> |
+|                                                                                                                              |                                                                                                          |                                                                                                                                       |                                                                                                                                          | <ul><li> - \[x] Docker </ul></li>                                                       |

 ### Quickstart with NetBird Cloud

--- a/buf.gen.yaml
+++ b/buf.gen.yaml
@@ -1,7 +0,0 @@
-# For details on buf.gen.yaml configuration, visit https://buf.build/docs/configuration/v2/buf-gen-yaml/
-version: v2
-plugins:
-  - remote: buf.build/protocolbuffers/go:v1.35.1
-    out: .
-  - remote: buf.build/grpc/go:v1.5.1
-    out: .
--- a/buf.yaml
+++ b/buf.yaml
@@ -1,10 +0,0 @@
-# For details on buf.yaml configuration, visit https://buf.build/docs/configuration/v2/buf-yaml
-version: v2
-modules:
-  - path: proto
-lint:
-  use:
-    - BASIC
-breaking:
-  use:
-    - FILE
--- a/client/Dockerfile
+++ b/client/Dockerfile
@@ -1,6 +1,5 @@
 FROM alpine:3.21.3
-# iproute2: busybox doesn't display ip rules properly
-RUN apk add --no-cache ca-certificates ip6tables iproute2 iptables
+RUN apk add --no-cache ca-certificates iptables ip6tables
 ENV NB_FOREGROUND_MODE=true
 ENTRYPOINT [ "/usr/local/bin/netbird","up"]
-COPY netbird /usr/local/bin/netbird
+COPY netbird /usr/local/bin/netbird
--- a/client/cmd/debug.go
+++ b/client/cmd/debug.go
@@ -11,12 +11,9 @@ import (
 	"google.golang.org/grpc/status"

 	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/internal/debug"
-	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/server"
 	nbstatus "github.com/netbirdio/netbird/client/status"
-	mgmProto "github.com/netbirdio/netbird/management/proto"
 )

 const errCloseConnection = "Failed to close connection: %v"
@@ -87,27 +84,16 @@ func debugBundle(cmd *cobra.Command, _ []string) error {
 	}()

 	client := proto.NewDaemonServiceClient(conn)
-	request := &proto.DebugBundleRequest{
+	resp, err := client.DebugBundle(cmd.Context(), &proto.DebugBundleRequest{
 		Anonymize:  anonymizeFlag,
 		Status:     getStatusOutput(cmd, anonymizeFlag),
 		SystemInfo: debugSystemInfoFlag,
-	}
-	if debugUploadBundle {
-		request.UploadURL = debugUploadBundleURL
-	}
-	resp, err := client.DebugBundle(cmd.Context(), request)
+	})
 	if err != nil {
 		return fmt.Errorf("failed to bundle debug: %v", status.Convert(err).Message())
 	}
-	cmd.Printf("Local file:\n%s\n", resp.GetPath())

-	if resp.GetUploadFailureReason() != "" {
-		return fmt.Errorf("upload failed: %s", resp.GetUploadFailureReason())
-	}
-
-	if debugUploadBundle {
-		cmd.Printf("Upload file key:\n%s\n", resp.GetUploadedKey())
-	}
+	cmd.Println(resp.GetPath())

 	return nil
 }
@@ -222,19 +208,23 @@ func runForDuration(cmd *cobra.Command, args []string) error {

 	headerPreDown := fmt.Sprintf("----- Netbird pre-down - Timestamp: %s - Duration: %s", time.Now().Format(time.RFC3339), duration)
 	statusOutput = fmt.Sprintf("%s\n%s\n%s", statusOutput, headerPreDown, getStatusOutput(cmd, anonymizeFlag))
-	request := &proto.DebugBundleRequest{
+
+	resp, err := client.DebugBundle(cmd.Context(), &proto.DebugBundleRequest{
 		Anonymize:  anonymizeFlag,
 		Status:     statusOutput,
 		SystemInfo: debugSystemInfoFlag,
-	}
-	if debugUploadBundle {
-		request.UploadURL = debugUploadBundleURL
-	}
-	resp, err := client.DebugBundle(cmd.Context(), request)
+	})
 	if err != nil {
 		return fmt.Errorf("failed to bundle debug: %v", status.Convert(err).Message())
 	}

+	// Disable network map persistence after creating the debug bundle
+	if _, err := client.SetNetworkMapPersistence(cmd.Context(), &proto.SetNetworkMapPersistenceRequest{
+		Enabled: false,
+	}); err != nil {
+		return fmt.Errorf("failed to disable network map persistence: %v", status.Convert(err).Message())
+	}
+
 	if stateWasDown {
 		if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
 			return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
@@ -249,15 +239,7 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		cmd.Println("Log level restored to", initialLogLevel.GetLevel())
 	}

-	cmd.Printf("Local file:\n%s\n", resp.GetPath())
-
-	if resp.GetUploadFailureReason() != "" {
-		return fmt.Errorf("upload failed: %s", resp.GetUploadFailureReason())
-	}
-
-	if debugUploadBundle {
-		cmd.Printf("Upload file key:\n%s\n", resp.GetUploadedKey())
-	}
+	cmd.Println(resp.GetPath())

 	return nil
 }
@@ -344,34 +326,3 @@ func formatDuration(d time.Duration) string {
 	s := d / time.Second
 	return fmt.Sprintf("%02d:%02d:%02d", h, m, s)
 }
-
-func generateDebugBundle(config *internal.Config, recorder *peer.Status, connectClient *internal.ConnectClient, logFilePath string) {
-	var networkMap *mgmProto.NetworkMap
-	var err error
-
-	if connectClient != nil {
-		networkMap, err = connectClient.GetLatestNetworkMap()
-		if err != nil {
-			log.Warnf("Failed to get latest network map: %v", err)
-		}
-	}
-
-	bundleGenerator := debug.NewBundleGenerator(
-		debug.GeneratorDependencies{
-			InternalConfig: config,
-			StatusRecorder: recorder,
-			NetworkMap:     networkMap,
-			LogFile:        logFilePath,
-		},
-		debug.BundleConfig{
-			IncludeSystemInfo: true,
-		},
-	)
-
-	path, err := bundleGenerator.Generate()
-	if err != nil {
-		log.Errorf("Failed to generate debug bundle: %v", err)
-		return
-	}
-	log.Infof("Generated debug bundle from SIGUSR1 at: %s", path)
-}
--- a/client/cmd/debug_unix.go
+++ b/client/cmd/debug_unix.go
@@ -1,39 +0,0 @@
-//go:build unix
-
-package cmd
-
-import (
-	"context"
-	"os"
-	"os/signal"
-	"syscall"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/internal/peer"
-)
-
-func SetupDebugHandler(
-	ctx context.Context,
-	config *internal.Config,
-	recorder *peer.Status,
-	connectClient *internal.ConnectClient,
-	logFilePath string,
-) {
-	usr1Ch := make(chan os.Signal, 1)
-
-	signal.Notify(usr1Ch, syscall.SIGUSR1)
-
-	go func() {
-		for {
-			select {
-			case <-ctx.Done():
-				return
-			case <-usr1Ch:
-				log.Info("Received SIGUSR1. Triggering debug bundle generation.")
-				go generateDebugBundle(config, recorder, connectClient, logFilePath)
-			}
-		}
-	}()
-}
--- a/client/cmd/debug_windows.go
+++ b/client/cmd/debug_windows.go
@@ -1,126 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"errors"
-	"os"
-	"strconv"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/sys/windows"
-
-	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/internal/peer"
-)
-
-const (
-	envListenEvent        = "NB_LISTEN_DEBUG_EVENT"
-	debugTriggerEventName = `Global\NetbirdDebugTriggerEvent`
-
-	waitTimeout = 5 * time.Second
-)
-
-// SetupDebugHandler sets up a Windows event to listen for a signal to generate a debug bundle.
-// Example usage with PowerShell:
-// $evt = [System.Threading.EventWaitHandle]::OpenExisting("Global\NetbirdDebugTriggerEvent")
-// $evt.Set()
-// $evt.Close()
-func SetupDebugHandler(
-	ctx context.Context,
-	config *internal.Config,
-	recorder *peer.Status,
-	connectClient *internal.ConnectClient,
-	logFilePath string,
-) {
-	env := os.Getenv(envListenEvent)
-	if env == "" {
-		return
-	}
-
-	listenEvent, err := strconv.ParseBool(env)
-	if err != nil {
-		log.Errorf("Failed to parse %s: %v", envListenEvent, err)
-		return
-	}
-	if !listenEvent {
-		return
-	}
-
-	eventNamePtr, err := windows.UTF16PtrFromString(debugTriggerEventName)
-	if err != nil {
-		log.Errorf("Failed to convert event name '%s' to UTF16: %v", debugTriggerEventName, err)
-		return
-	}
-
-	// TODO: restrict access by ACL
-	eventHandle, err := windows.CreateEvent(nil, 1, 0, eventNamePtr)
-	if err != nil {
-		if errors.Is(err, windows.ERROR_ALREADY_EXISTS) {
-			log.Warnf("Debug trigger event '%s' already exists. Attempting to open.", debugTriggerEventName)
-			// SYNCHRONIZE is needed for WaitForSingleObject, EVENT_MODIFY_STATE for ResetEvent.
-			eventHandle, err = windows.OpenEvent(windows.SYNCHRONIZE|windows.EVENT_MODIFY_STATE, false, eventNamePtr)
-			if err != nil {
-				log.Errorf("Failed to open existing debug trigger event '%s': %v", debugTriggerEventName, err)
-				return
-			}
-			log.Infof("Successfully opened existing debug trigger event '%s'.", debugTriggerEventName)
-		} else {
-			log.Errorf("Failed to create debug trigger event '%s': %v", debugTriggerEventName, err)
-			return
-		}
-	}
-
-	if eventHandle == windows.InvalidHandle {
-		log.Errorf("Obtained an invalid handle for debug trigger event '%s'", debugTriggerEventName)
-		return
-	}
-
-	log.Infof("Debug handler waiting for signal on event: %s", debugTriggerEventName)
-
-	go waitForEvent(ctx, config, recorder, connectClient, logFilePath, eventHandle)
-}
-
-func waitForEvent(
-	ctx context.Context,
-	config *internal.Config,
-	recorder *peer.Status,
-	connectClient *internal.ConnectClient,
-	logFilePath string,
-	eventHandle windows.Handle,
-) {
-	defer func() {
-		if err := windows.CloseHandle(eventHandle); err != nil {
-			log.Errorf("Failed to close debug event handle '%s': %v", debugTriggerEventName, err)
-		}
-	}()
-
-	for {
-		if ctx.Err() != nil {
-			return
-		}
-
-		status, err := windows.WaitForSingleObject(eventHandle, uint32(waitTimeout.Milliseconds()))
-
-		switch status {
-		case windows.WAIT_OBJECT_0:
-			log.Info("Received signal on debug event. Triggering debug bundle generation.")
-
-			// reset the event so it can be triggered again later (manual reset == 1)
-			if err := windows.ResetEvent(eventHandle); err != nil {
-				log.Errorf("Failed to reset debug event '%s': %v", debugTriggerEventName, err)
-			}
-
-			go generateDebugBundle(config, recorder, connectClient, logFilePath)
-		case uint32(windows.WAIT_TIMEOUT):
-
-		default:
-			log.Errorf("Unexpected status %d from WaitForSingleObject for debug event '%s': %v", status, debugTriggerEventName, err)
-			select {
-			case <-time.After(5 * time.Second):
-			case <-ctx.Done():
-				return
-			}
-		}
-	}
-}
--- a/client/cmd/login.go
+++ b/client/cmd/login.go
@@ -19,10 +19,6 @@ import (
 	"github.com/netbirdio/netbird/util"
 )

-func init() {
-	loginCmd.PersistentFlags().BoolVar(&noBrowser, noBrowserFlag, false, noBrowserDesc)
-}
-
 var loginCmd = &cobra.Command{
 	Use:   "login",
 	Short: "login to the Netbird Management Service (first run)",
@@ -55,9 +51,6 @@ var loginCmd = &cobra.Command{
 				return err
 			}

-			// update host's static platform and system information
-			system.UpdateStaticInfo()
-
 			ic := internal.ConfigInput{
 				ManagementURL: managementURL,
 				AdminURL:      adminURL,
@@ -134,7 +127,7 @@ var loginCmd = &cobra.Command{
 		}

 		if loginResp.NeedsSSOLogin {
-			openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode, noBrowser)
+			openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode)

 			_, err = client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode, Hostname: hostName})
 			if err != nil {
@@ -205,7 +198,7 @@ func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *int
 		return nil, fmt.Errorf("getting a request OAuth flow info failed: %v", err)
 	}

-	openURL(cmd, flowInfo.VerificationURIComplete, flowInfo.UserCode, noBrowser)
+	openURL(cmd, flowInfo.VerificationURIComplete, flowInfo.UserCode)

 	waitTimeout := time.Duration(flowInfo.ExpiresIn) * time.Second
 	waitCTX, c := context.WithTimeout(context.TODO(), waitTimeout)
@@ -219,27 +212,19 @@ func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *int
 	return &tokenInfo, nil
 }

-func openURL(cmd *cobra.Command, verificationURIComplete, userCode string, noBrowser bool) {
+func openURL(cmd *cobra.Command, verificationURIComplete, userCode string) {
 	var codeMsg string
 	if userCode != "" && !strings.Contains(verificationURIComplete, userCode) {
 		codeMsg = fmt.Sprintf("and enter the code %s to authenticate.", userCode)
 	}

-	if noBrowser {
-		cmd.Println("Use this URL to log in:\n\n" + verificationURIComplete + " " + codeMsg)
-	} else {
-		cmd.Println("Please do the SSO login in your browser. \n" +
-			"If your browser didn't open automatically, use this URL to log in:\n\n" +
-			verificationURIComplete + " " + codeMsg)
-	}
-
+	cmd.Println("Please do the SSO login in your browser. \n" +
+		"If your browser didn't open automatically, use this URL to log in:\n\n" +
+		verificationURIComplete + " " + codeMsg)
 	cmd.Println("")
-
-	if !noBrowser {
-		if err := open.Run(verificationURIComplete); err != nil {
-			cmd.Println("\nAlternatively, you may want to use a setup key, see:\n\n" +
-				"https://docs.netbird.io/how-to/register-machines-using-setup-keys")
-		}
+	if err := open.Run(verificationURIComplete); err != nil {
+		cmd.Println("\nAlternatively, you may want to use a setup key, see:\n\n" +
+			"https://docs.netbird.io/how-to/register-machines-using-setup-keys")
 	}
 }

--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -22,7 +22,6 @@ import (
 	"google.golang.org/grpc/credentials/insecure"

 	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/upload-server/types"
 )

 const (
@@ -40,8 +39,6 @@ const (
 	dnsRouteIntervalFlag    = "dns-router-interval"
 	systemInfoFlag          = "system-info"
 	blockLANAccessFlag      = "block-lan-access"
-	uploadBundle            = "upload-bundle"
-	uploadBundleURL         = "upload-bundle-url"
 )

 var (
@@ -78,8 +75,6 @@ var (
 	debugSystemInfoFlag     bool
 	dnsRouteInterval        time.Duration
 	blockLANAccess          bool
-	debugUploadBundle       bool
-	debugUploadBundleURL    string

 	rootCmd = &cobra.Command{
 		Use:          "netbird",
@@ -186,8 +181,6 @@ func init() {
 	upCmd.PersistentFlags().BoolVar(&autoConnectDisabled, disableAutoConnectFlag, false, "Disables auto-connect feature. If enabled, then the client won't connect automatically when the service starts.")

 	debugCmd.PersistentFlags().BoolVarP(&debugSystemInfoFlag, systemInfoFlag, "S", true, "Adds system information to the debug bundle")
-	debugCmd.PersistentFlags().BoolVarP(&debugUploadBundle, uploadBundle, "U", false, fmt.Sprintf("Uploads the debug bundle to a server from URL defined by %s", uploadBundleURL))
-	debugCmd.PersistentFlags().StringVar(&debugUploadBundleURL, uploadBundleURL, types.DefaultBundleURL, "Service URL to get an URL to upload the debug bundle")
 }

 // SetupCloseHandler handles SIGTERM signal and exits with success
--- a/client/cmd/service_controller.go
+++ b/client/cmd/service_controller.go
@@ -16,17 +16,12 @@ import (

 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/server"
-	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/util"
 )

 func (p *program) Start(svc service.Service) error {
 	// Start should not block. Do the actual work async.
 	log.Info("starting Netbird service") //nolint
-
-	// Collect static system and platform information
-	system.UpdateStaticInfo()
-
 	// in any case, even if configuration does not exists we run daemon to serve CLI gRPC API.
 	p.serv = grpc.NewServer()

@@ -120,7 +115,6 @@ var runCmd = &cobra.Command{

 		ctx, cancel := context.WithCancel(cmd.Context())
 		SetupCloseHandler(ctx, cancel)
-		SetupDebugHandler(ctx, nil, nil, nil, logFile)

 		s, err := newSVC(newProgram(ctx, cancel), newSVCConfig())
 		if err != nil {
--- a/client/cmd/testutil_test.go
+++ b/client/cmd/testutil_test.go
@@ -12,11 +12,9 @@ import (

 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
-	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/settings"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/telemetry"
-	"github.com/netbirdio/netbird/management/server/types"

 	"github.com/netbirdio/netbird/util"

@@ -34,7 +32,7 @@ import (

 func startTestingServices(t *testing.T) string {
 	t.Helper()
-	config := &types.Config{}
+	config := &mgmt.Config{}
 	_, err := util.ReadJson("../testdata/management.json", config)
 	if err != nil {
 		t.Fatal(err)
@@ -69,7 +67,7 @@ func startSignal(t *testing.T) (*grpc.Server, net.Listener) {
 	return s, lis
 }

-func startManagement(t *testing.T, config *types.Config, testFile string) (*grpc.Server, net.Listener) {
+func startManagement(t *testing.T, config *mgmt.Config, testFile string) (*grpc.Server, net.Listener) {
 	t.Helper()

 	lis, err := net.Listen("tcp", ":0")
@@ -92,18 +90,13 @@ func startManagement(t *testing.T, config *types.Config, testFile string) (*grpc

 	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
 	require.NoError(t, err)
+
 	ctrl := gomock.NewController(t)
 	t.Cleanup(ctrl.Finish)

 	settingsMockManager := settings.NewMockManager(ctrl)
-	permissionsManagerMock := permissions.NewMockManager(ctrl)

-	settingsMockManager.EXPECT().
-		GetSettings(gomock.Any(), gomock.Any(), gomock.Any()).
-		Return(&types.Settings{}, nil).
-		AnyTimes()
-
-	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock)
+	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -32,16 +32,12 @@ const (

 const (
 	dnsLabelsFlag = "extra-dns-labels"
-
-	noBrowserFlag = "no-browser"
-	noBrowserDesc = "do not open the browser for SSO login"
 )

 var (
 	foregroundMode     bool
 	dnsLabels          []string
 	dnsLabelsValidated domain.List
-	noBrowser          bool

 	upCmd = &cobra.Command{
 		Use:   "up",
@@ -69,9 +65,6 @@ func init() {
 			`E.g. --extra-dns-labels vpc1 or --extra-dns-labels vpc1,mgmt1 `+
 			`or --extra-dns-labels ""`,
 	)
-
-	upCmd.PersistentFlags().BoolVar(&noBrowser, noBrowserFlag, false, noBrowserDesc)
-
 }

 func upFunc(cmd *cobra.Command, args []string) error {
@@ -219,8 +212,6 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 	r.GetFullStatus()

 	connectClient := internal.NewConnectClient(ctx, config, r)
-	SetupDebugHandler(ctx, config, r, connectClient, "")
-
 	return connectClient.Run(nil)
 }

@@ -358,7 +349,7 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {

 	if loginResp.NeedsSSOLogin {

-		openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode, noBrowser)
+		openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode)

 		_, err = client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode, Hostname: hostName})
 		if err != nil {
--- a/client/firewall/iptables/manager_linux.go
+++ b/client/firewall/iptables/manager_linux.go
@@ -113,16 +113,17 @@ func (m *Manager) AddPeerFiltering(
 func (m *Manager) AddRouteFiltering(
 	id []byte,
 	sources []netip.Prefix,
-	destination firewall.Network,
+	destination netip.Prefix,
 	proto firewall.Protocol,
-	sPort, dPort *firewall.Port,
+	sPort *firewall.Port,
+	dPort *firewall.Port,
 	action firewall.Action,
 ) (firewall.Rule, error) {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if destination.IsPrefix() && !destination.Prefix.Addr().Is4() {
-		return nil, fmt.Errorf("unsupported IP version: %s", destination.Prefix.Addr().String())
+	if !destination.Addr().Is4() {
+		return nil, fmt.Errorf("unsupported IP version: %s", destination.Addr().String())
 	}

 	return m.router.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
@@ -242,14 +243,6 @@ func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
 	return m.router.DeleteDNATRule(rule)
 }

-// UpdateSet updates the set with the given prefixes
-func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.UpdateSet(set, prefixes)
-}
-
 func getConntrackEstablished() []string {
 	return []string{"-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
 }
--- a/client/firewall/iptables/router_linux.go
+++ b/client/firewall/iptables/router_linux.go
@@ -16,6 +16,7 @@ import (
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	nbid "github.com/netbirdio/netbird/client/internal/acl/id"
+	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/client/internal/routemanager/ipfwdstate"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
@@ -27,6 +28,7 @@ const (
 	tableFilter = "filter"
 	tableNat    = "nat"
 	tableMangle = "mangle"
+	tableRaw    = "raw"

 	chainPOSTROUTING        = "POSTROUTING"
 	chainPREROUTING         = "PREROUTING"
@@ -38,12 +40,11 @@ const (
 	routingFinalForwardJump = "ACCEPT"
 	routingFinalNatJump     = "MASQUERADE"

-	jumpManglePre  = "jump-mangle-pre"
-	jumpNatPre     = "jump-nat-pre"
-	jumpNatPost    = "jump-nat-post"
-	markManglePre  = "mark-mangle-pre"
-	markManglePost = "mark-mangle-post"
-	matchSet       = "--match-set"
+	jumpManglePre = "jump-mangle-pre"
+	jumpNatPre    = "jump-nat-pre"
+	jumpNatPost   = "jump-nat-post"
+	zoneRawPre    = "zone-raw-pre"
+	matchSet      = "--match-set"

 	dnatSuffix = "_dnat"
 	snatSuffix = "_snat"
@@ -57,18 +58,18 @@ type ruleInfo struct {
 }

 type routeFilteringRuleParams struct {
-	Source      firewall.Network
-	Destination firewall.Network
+	Sources     []netip.Prefix
+	Destination netip.Prefix
 	Proto       firewall.Protocol
 	SPort       *firewall.Port
 	DPort       *firewall.Port
 	Direction   firewall.RuleDirection
 	Action      firewall.Action
+	SetName     string
 }

 type routeRules map[string][]string

-// the ipset library currently does not support comments, so we use the name only (string)
 type ipsetCounter = refcounter.Counter[string, []netip.Prefix, struct{}]

 type router struct {
@@ -113,12 +114,12 @@ func (r *router) init(stateManager *statemanager.Manager) error {
 		log.Errorf("failed to clean up rules from FORWARD chain: %s", err)
 	}

-	if err := r.createContainers(); err != nil {
-		return fmt.Errorf("create containers: %w", err)
+	if err := r.setupConntrackZones(); err != nil {
+		log.Errorf("failed to setup conntrack zones: %v", err)
 	}

-	if err := r.setupDataPlaneMark(); err != nil {
-		log.Errorf("failed to set up data plane mark: %v", err)
+	if err := r.createContainers(); err != nil {
+		return fmt.Errorf("create containers: %w", err)
 	}

 	r.updateState()
@@ -129,7 +130,7 @@ func (r *router) init(stateManager *statemanager.Manager) error {
 func (r *router) AddRouteFiltering(
 	id []byte,
 	sources []netip.Prefix,
-	destination firewall.Network,
+	destination netip.Prefix,
 	proto firewall.Protocol,
 	sPort *firewall.Port,
 	dPort *firewall.Port,
@@ -140,28 +141,27 @@ func (r *router) AddRouteFiltering(
 		return ruleKey, nil
 	}

-	var source firewall.Network
+	var setName string
 	if len(sources) > 1 {
-		source.Set = firewall.NewPrefixSet(sources)
-	} else if len(sources) > 0 {
-		source.Prefix = sources[0]
+		setName = firewall.GenerateSetName(sources)
+		if _, err := r.ipsetCounter.Increment(setName, sources); err != nil {
+			return nil, fmt.Errorf("create or get ipset: %w", err)
+		}
 	}

 	params := routeFilteringRuleParams{
-		Source:      source,
+		Sources:     sources,
 		Destination: destination,
 		Proto:       proto,
 		SPort:       sPort,
 		DPort:       dPort,
 		Action:      action,
+		SetName:     setName,
 	}

-	rule, err := r.genRouteRuleSpec(params, sources)
-	if err != nil {
-		return nil, fmt.Errorf("generate route rule spec: %w", err)
-	}
-
+	rule := genRouteFilteringRuleSpec(params)
 	// Insert DROP rules at the beginning, append ACCEPT rules at the end
+	var err error
 	if action == firewall.ActionDrop {
 		// after the established rule
 		err = r.iptablesClient.Insert(tableFilter, chainRTFWDIN, 2, rule...)
@@ -184,13 +184,17 @@ func (r *router) DeleteRouteRule(rule firewall.Rule) error {
 	ruleKey := rule.ID()

 	if rule, exists := r.rules[ruleKey]; exists {
+		setName := r.findSetNameInRule(rule)
+
 		if err := r.iptablesClient.Delete(tableFilter, chainRTFWDIN, rule...); err != nil {
 			return fmt.Errorf("delete route rule: %v", err)
 		}
 		delete(r.rules, ruleKey)

-		if err := r.decrementSetCounter(rule); err != nil {
-			return fmt.Errorf("decrement ipset counter: %w", err)
+		if setName != "" {
+			if _, err := r.ipsetCounter.Decrement(setName); err != nil {
+				return fmt.Errorf("failed to remove ipset: %w", err)
+			}
 		}
 	} else {
 		log.Debugf("route rule %s not found", ruleKey)
@@ -201,26 +205,13 @@ func (r *router) DeleteRouteRule(rule firewall.Rule) error {
 	return nil
 }

-func (r *router) decrementSetCounter(rule []string) error {
-	sets := r.findSets(rule)
-	var merr *multierror.Error
-	for _, setName := range sets {
-		if _, err := r.ipsetCounter.Decrement(setName); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("decrement counter: %w", err))
-		}
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *router) findSets(rule []string) []string {
-	var sets []string
+func (r *router) findSetNameInRule(rule []string) string {
 	for i, arg := range rule {
 		if arg == "-m" && i+3 < len(rule) && rule[i+1] == "set" && rule[i+2] == matchSet {
-			sets = append(sets, rule[i+3])
+			return rule[i+3]
 		}
 	}
-	return sets
+	return ""
 }

 func (r *router) createIpSet(setName string, sources []netip.Prefix) error {
@@ -241,8 +232,6 @@ func (r *router) deleteIpSet(setName string) error {
 	if err := ipset.Destroy(setName); err != nil {
 		return fmt.Errorf("destroy set %s: %w", setName, err)
 	}
-
-	log.Debugf("Deleted unused ipset %s", setName)
 	return nil
 }

@@ -282,14 +271,12 @@ func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
 		log.Errorf("%v", err)
 	}

-	if pair.Masquerade {
-		if err := r.removeNatRule(pair); err != nil {
-			return fmt.Errorf("remove nat rule: %w", err)
-		}
+	if err := r.removeNatRule(pair); err != nil {
+		return fmt.Errorf("remove nat rule: %w", err)
+	}

-		if err := r.removeNatRule(firewall.GetInversePair(pair)); err != nil {
-			return fmt.Errorf("remove inverse nat rule: %w", err)
-		}
+	if err := r.removeNatRule(firewall.GetInversePair(pair)); err != nil {
+		return fmt.Errorf("remove inverse nat rule: %w", err)
 	}

 	if err := r.removeLegacyRouteRule(pair); err != nil {
@@ -327,10 +314,8 @@ func (r *router) removeLegacyRouteRule(pair firewall.RouterPair) error {
 			return fmt.Errorf("remove legacy forwarding rule %s -> %s: %v", pair.Source, pair.Destination, err)
 		}
 		delete(r.rules, ruleKey)
-
-		if err := r.decrementSetCounter(rule); err != nil {
-			return fmt.Errorf("decrement ipset counter: %w", err)
-		}
+	} else {
+		log.Debugf("legacy forwarding rule %s not found", ruleKey)
 	}

 	return nil
@@ -370,16 +355,16 @@ func (r *router) Reset() error {
 	if err := r.cleanUpDefaultForwardRules(); err != nil {
 		merr = multierror.Append(merr, err)
 	}
+	r.rules = make(map[string][]string)

 	if err := r.ipsetCounter.Flush(); err != nil {
 		merr = multierror.Append(merr, err)
 	}

-	if err := r.cleanupDataPlaneMark(); err != nil {
+	if err := r.cleanupConntrackZones(); err != nil {
 		merr = multierror.Append(merr, err)
 	}

-	r.rules = make(map[string][]string)
 	r.updateState()

 	return nberrors.FormatErrorOrNil(merr)
@@ -449,55 +434,31 @@ func (r *router) createContainers() error {
 	return nil
 }

-// setupDataPlaneMark configures the fwmark for the data plane
-func (r *router) setupDataPlaneMark() error {
-	var merr *multierror.Error
+func (r *router) setupConntrackZones() error {
 	preRule := []string{
 		"-i", r.wgIface.Name(),
-		"-m", "conntrack", "--ctstate", "NEW",
-		"-j", "CONNMARK", "--set-mark", fmt.Sprintf("%#x", nbnet.DataPlaneMarkIn),
+		"-j", "CT",
+		"--zone", fmt.Sprintf("%d", nftypes.ZoneID),
 	}

-	if err := r.iptablesClient.AppendUnique(tableMangle, chainPREROUTING, preRule...); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("add mangle prerouting rule: %w", err))
-	} else {
-		r.rules[markManglePre] = preRule
+	if err := r.iptablesClient.AppendUnique(tableRaw, chainPREROUTING, preRule...); err != nil {
+		return fmt.Errorf("add raw prerouting zone rule: %w", err)
 	}

-	postRule := []string{
-		"-o", r.wgIface.Name(),
-		"-m", "conntrack", "--ctstate", "NEW",
-		"-j", "CONNMARK", "--set-mark", fmt.Sprintf("%#x", nbnet.DataPlaneMarkOut),
-	}
+	r.rules[zoneRawPre] = preRule

-	if err := r.iptablesClient.AppendUnique(tableMangle, chainPOSTROUTING, postRule...); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("add mangle postrouting rule: %w", err))
-	} else {
-		r.rules[markManglePost] = postRule
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
+	return nil
 }

-func (r *router) cleanupDataPlaneMark() error {
-	var merr *multierror.Error
-	if preRule, exists := r.rules[markManglePre]; exists {
-		if err := r.iptablesClient.DeleteIfExists(tableMangle, chainPREROUTING, preRule...); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("remove mangle prerouting rule: %w", err))
-		} else {
-			delete(r.rules, markManglePre)
+func (r *router) cleanupConntrackZones() error {
+	if preRule, exists := r.rules[zoneRawPre]; exists {
+		if err := r.iptablesClient.DeleteIfExists(tableRaw, chainPREROUTING, preRule...); err != nil {
+			return fmt.Errorf("remove raw prerouting zone rule: %w", err)
 		}
+		delete(r.rules, zoneRawPre)
 	}

-	if postRule, exists := r.rules[markManglePost]; exists {
-		if err := r.iptablesClient.DeleteIfExists(tableMangle, chainPOSTROUTING, postRule...); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("remove mangle postrouting rule: %w", err))
-		} else {
-			delete(r.rules, markManglePost)
-		}
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
+	return nil
 }

 func (r *router) addPostroutingRules() error {
@@ -615,26 +576,12 @@ func (r *router) addNatRule(pair firewall.RouterPair) error {
 	rule = append(rule,
 		"-m", "conntrack",
 		"--ctstate", "NEW",
-	)
-	sourceExp, err := r.applyNetwork("-s", pair.Source, nil)
-	if err != nil {
-		return fmt.Errorf("apply network -s: %w", err)
-	}
-	destExp, err := r.applyNetwork("-d", pair.Destination, nil)
-	if err != nil {
-		return fmt.Errorf("apply network -d: %w", err)
-	}
-
-	rule = append(rule, sourceExp...)
-	rule = append(rule, destExp...)
-	rule = append(rule,
+		"-s", pair.Source.String(),
+		"-d", pair.Destination.String(),
 		"-j", "MARK", "--set-mark", fmt.Sprintf("%#x", markValue),
 	)

-	// Ensure nat rules come first, so the mark can be overwritten.
-	// Currently overwritten by the dst-type LOCAL rules for redirected traffic.
-	if err := r.iptablesClient.Insert(tableMangle, chainRTPRE, 1, rule...); err != nil {
-		// TODO: rollback ipset counter
+	if err := r.iptablesClient.Append(tableMangle, chainRTPRE, rule...); err != nil {
 		return fmt.Errorf("error while adding marking rule for %s: %v", pair.Destination, err)
 	}

@@ -652,10 +599,6 @@ func (r *router) removeNatRule(pair firewall.RouterPair) error {
 			return fmt.Errorf("error while removing marking rule for %s: %v", pair.Destination, err)
 		}
 		delete(r.rules, ruleKey)
-
-		if err := r.decrementSetCounter(rule); err != nil {
-			return fmt.Errorf("decrement ipset counter: %w", err)
-		}
 	} else {
 		log.Debugf("marking rule %s not found", ruleKey)
 	}
@@ -821,21 +764,17 @@ func (r *router) DeleteDNATRule(rule firewall.Rule) error {
 	return nberrors.FormatErrorOrNil(merr)
 }

-func (r *router) genRouteRuleSpec(params routeFilteringRuleParams, sources []netip.Prefix) ([]string, error) {
+func genRouteFilteringRuleSpec(params routeFilteringRuleParams) []string {
 	var rule []string

-	sourceExp, err := r.applyNetwork("-s", params.Source, sources)
-	if err != nil {
-		return nil, fmt.Errorf("apply network -s: %w", err)
-
-	}
-	destExp, err := r.applyNetwork("-d", params.Destination, nil)
-	if err != nil {
-		return nil, fmt.Errorf("apply network -d: %w", err)
+	if params.SetName != "" {
+		rule = append(rule, "-m", "set", matchSet, params.SetName, "src")
+	} else if len(params.Sources) > 0 {
+		source := params.Sources[0]
+		rule = append(rule, "-s", source.String())
 	}

-	rule = append(rule, sourceExp...)
-	rule = append(rule, destExp...)
+	rule = append(rule, "-d", params.Destination.String())

 	if params.Proto != firewall.ProtocolALL {
 		rule = append(rule, "-p", strings.ToLower(string(params.Proto)))
@@ -845,47 +784,7 @@ func (r *router) genRouteRuleSpec(params routeFilteringRuleParams, sources []net

 	rule = append(rule, "-j", actionToStr(params.Action))

-	return rule, nil
-}
-
-func (r *router) applyNetwork(flag string, network firewall.Network, prefixes []netip.Prefix) ([]string, error) {
-	direction := "src"
-	if flag == "-d" {
-		direction = "dst"
-	}
-
-	if network.IsSet() {
-		if _, err := r.ipsetCounter.Increment(network.Set.HashedName(), prefixes); err != nil {
-			return nil, fmt.Errorf("create or get ipset: %w", err)
-		}
-
-		return []string{"-m", "set", matchSet, network.Set.HashedName(), direction}, nil
-	}
-	if network.IsPrefix() {
-		return []string{flag, network.Prefix.String()}, nil
-	}
-
-	// nolint:nilnil
-	return nil, nil
-}
-
-func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
-	var merr *multierror.Error
-	for _, prefix := range prefixes {
-		// TODO: Implement IPv6 support
-		if prefix.Addr().Is6() {
-			log.Tracef("skipping IPv6 prefix %s: IPv6 support not yet implemented", prefix)
-			continue
-		}
-		if err := ipset.AddPrefix(set.HashedName(), prefix); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("increment ipset counter: %w", err))
-		}
-	}
-	if merr == nil {
-		log.Debugf("updated set %s with prefixes %v", set.HashedName(), prefixes)
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
+	return rule
 }

 func applyPort(flag string, port *firewall.Port) []string {
--- a/client/firewall/iptables/router_linux_test.go
+++ b/client/firewall/iptables/router_linux_test.go
@@ -46,9 +46,7 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 	// 5. jump rule to PRE nat chain
 	// 6. static outbound masquerade rule
 	// 7. static return masquerade rule
-	// 8. mangle prerouting mark rule
-	// 9. mangle postrouting mark rule
-	require.Len(t, manager.rules, 9, "should have created rules map")
+	require.Len(t, manager.rules, 7, "should have created rules map")

 	exists, err := manager.iptablesClient.Exists(tableNat, chainPOSTROUTING, "-j", chainRTNAT)
 	require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableNat, chainPOSTROUTING)
@@ -60,8 +58,8 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {

 	pair := firewall.RouterPair{
 		ID:          "abc",
-		Source:      firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.1/32")},
-		Destination: firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.0/24")},
+		Source:      netip.MustParsePrefix("100.100.100.1/32"),
+		Destination: netip.MustParsePrefix("100.100.100.0/24"),
 		Masquerade:  true,
 	}

@@ -332,7 +330,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			ruleKey, err := r.AddRouteFiltering(nil, tt.sources, firewall.Network{Prefix: tt.destination}, tt.proto, tt.sPort, tt.dPort, tt.action)
+			ruleKey, err := r.AddRouteFiltering(nil, tt.sources, tt.destination, tt.proto, tt.sPort, tt.dPort, tt.action)
 			require.NoError(t, err, "AddRouteFiltering failed")

 			// Check if the rule is in the internal map
@@ -347,29 +345,23 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			assert.NoError(t, err, "Failed to check rule existence")
 			assert.True(t, exists, "Rule not found in iptables")

-			var source firewall.Network
-			if len(tt.sources) > 1 {
-				source.Set = firewall.NewPrefixSet(tt.sources)
-			} else if len(tt.sources) > 0 {
-				source.Prefix = tt.sources[0]
-			}
 			// Verify rule content
 			params := routeFilteringRuleParams{
-				Source:      source,
-				Destination: firewall.Network{Prefix: tt.destination},
+				Sources:     tt.sources,
+				Destination: tt.destination,
 				Proto:       tt.proto,
 				SPort:       tt.sPort,
 				DPort:       tt.dPort,
 				Action:      tt.action,
+				SetName:     "",
 			}

-			expectedRule, err := r.genRouteRuleSpec(params, nil)
-			require.NoError(t, err, "Failed to generate expected rule spec")
+			expectedRule := genRouteFilteringRuleSpec(params)

 			if tt.expectSet {
-				setName := firewall.NewPrefixSet(tt.sources).HashedName()
-				expectedRule, err = r.genRouteRuleSpec(params, nil)
-				require.NoError(t, err, "Failed to generate expected rule spec with set")
+				setName := firewall.GenerateSetName(tt.sources)
+				params.SetName = setName
+				expectedRule = genRouteFilteringRuleSpec(params)

 				// Check if the set was created
 				_, exists := r.ipsetCounter.Get(setName)
@@ -384,62 +376,3 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 		})
 	}
 }
-
-func TestFindSetNameInRule(t *testing.T) {
-	r := &router{}
-
-	testCases := []struct {
-		name     string
-		rule     []string
-		expected []string
-	}{
-		{
-			name: "Basic rule with two sets",
-			rule: []string{
-				"-A", "NETBIRD-RT-FWD-IN", "-p", "tcp", "-m", "set", "--match-set", "nb-2e5a2a05", "src",
-				"-m", "set", "--match-set", "nb-349ae051", "dst", "-m", "tcp", "--dport", "8080", "-j", "ACCEPT",
-			},
-			expected: []string{"nb-2e5a2a05", "nb-349ae051"},
-		},
-		{
-			name:     "No sets",
-			rule:     []string{"-A", "NETBIRD-RT-FWD-IN", "-p", "tcp", "-j", "ACCEPT"},
-			expected: []string{},
-		},
-		{
-			name: "Multiple sets with different positions",
-			rule: []string{
-				"-m", "set", "--match-set", "set1", "src", "-p", "tcp",
-				"-m", "set", "--match-set", "set-abc123", "dst", "-j", "ACCEPT",
-			},
-			expected: []string{"set1", "set-abc123"},
-		},
-		{
-			name:     "Boundary case - sequence appears at end",
-			rule:     []string{"-p", "tcp", "-m", "set", "--match-set", "final-set"},
-			expected: []string{"final-set"},
-		},
-		{
-			name:     "Incomplete pattern - missing set name",
-			rule:     []string{"-p", "tcp", "-m", "set", "--match-set"},
-			expected: []string{},
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			result := r.findSets(tc.rule)
-
-			if len(result) != len(tc.expected) {
-				t.Errorf("Expected %d sets, got %d. Sets found: %v", len(tc.expected), len(result), result)
-				return
-			}
-
-			for i, set := range result {
-				if set != tc.expected[i] {
-					t.Errorf("Expected set %q at position %d, got %q", tc.expected[i], i, set)
-				}
-			}
-		})
-	}
-}
--- a/client/firewall/manager/firewall.go
+++ b/client/firewall/manager/firewall.go
@@ -1,10 +1,13 @@
 package manager

 import (
+	"crypto/sha256"
+	"encoding/hex"
 	"fmt"
 	"net"
 	"net/netip"
 	"sort"
+	"strings"

 	log "github.com/sirupsen/logrus"

@@ -40,18 +43,6 @@ const (
 // Action is the action to be taken on a rule
 type Action int

-// String returns the string representation of the action
-func (a Action) String() string {
-	switch a {
-	case ActionAccept:
-		return "accept"
-	case ActionDrop:
-		return "drop"
-	default:
-		return "unknown"
-	}
-}
-
 const (
 	// ActionAccept is the action to accept a packet
 	ActionAccept Action = iota
@@ -59,33 +50,6 @@ const (
 	ActionDrop
 )

-// Network is a rule destination, either a set or a prefix
-type Network struct {
-	Set    Set
-	Prefix netip.Prefix
-}
-
-// String returns the string representation of the destination
-func (d Network) String() string {
-	if d.Prefix.IsValid() {
-		return d.Prefix.String()
-	}
-	if d.IsSet() {
-		return d.Set.HashedName()
-	}
-	return "<invalid network>"
-}
-
-// IsSet returns true if the destination is a set
-func (d Network) IsSet() bool {
-	return d.Set != Set{}
-}
-
-// IsPrefix returns true if the destination is a valid prefix
-func (d Network) IsPrefix() bool {
-	return d.Prefix.IsValid()
-}
-
 // Manager is the high level abstraction of a firewall manager
 //
 // It declares methods which handle actions required by the
@@ -119,9 +83,10 @@ type Manager interface {
 	AddRouteFiltering(
 		id []byte,
 		sources []netip.Prefix,
-		destination Network,
+		destination netip.Prefix,
 		proto Protocol,
-		sPort, dPort *Port,
+		sPort *Port,
+		dPort *Port,
 		action Action,
 	) (Rule, error)

@@ -154,9 +119,6 @@ type Manager interface {

 	// DeleteDNATRule deletes a DNAT rule
 	DeleteDNATRule(Rule) error
-
-	// UpdateSet updates the set with the given prefixes
-	UpdateSet(hash Set, prefixes []netip.Prefix) error
 }

 func GenKey(format string, pair RouterPair) string {
@@ -191,6 +153,22 @@ func SetLegacyManagement(router LegacyManager, isLegacy bool) error {
 	return nil
 }

+// GenerateSetName generates a unique name for an ipset based on the given sources.
+func GenerateSetName(sources []netip.Prefix) string {
+	// sort for consistent naming
+	SortPrefixes(sources)
+
+	var sourcesStr strings.Builder
+	for _, src := range sources {
+		sourcesStr.WriteString(src.String())
+	}
+
+	hash := sha256.Sum256([]byte(sourcesStr.String()))
+	shortHash := hex.EncodeToString(hash[:])[:8]
+
+	return fmt.Sprintf("nb-%s", shortHash)
+}
+
 // MergeIPRanges merges overlapping IP ranges and returns a slice of non-overlapping netip.Prefix
 func MergeIPRanges(prefixes []netip.Prefix) []netip.Prefix {
 	if len(prefixes) == 0 {
--- a/client/firewall/manager/firewall_test.go
+++ b/client/firewall/manager/firewall_test.go
@@ -20,8 +20,8 @@ func TestGenerateSetName(t *testing.T) {
 			netip.MustParsePrefix("192.168.1.0/24"),
 		}

-		result1 := manager.NewPrefixSet(prefixes1)
-		result2 := manager.NewPrefixSet(prefixes2)
+		result1 := manager.GenerateSetName(prefixes1)
+		result2 := manager.GenerateSetName(prefixes2)

 		if result1 != result2 {
 			t.Errorf("Different orders produced different hashes: %s != %s", result1, result2)
@@ -34,9 +34,9 @@ func TestGenerateSetName(t *testing.T) {
 			netip.MustParsePrefix("10.0.0.0/8"),
 		}

-		result := manager.NewPrefixSet(prefixes)
+		result := manager.GenerateSetName(prefixes)

-		matched, err := regexp.MatchString(`^nb-[0-9a-f]{8}$`, result.HashedName())
+		matched, err := regexp.MatchString(`^nb-[0-9a-f]{8}$`, result)
 		if err != nil {
 			t.Fatalf("Error matching regex: %v", err)
 		}
@@ -46,8 +46,8 @@ func TestGenerateSetName(t *testing.T) {
 	})

 	t.Run("Empty input produces consistent result", func(t *testing.T) {
-		result1 := manager.NewPrefixSet([]netip.Prefix{})
-		result2 := manager.NewPrefixSet([]netip.Prefix{})
+		result1 := manager.GenerateSetName([]netip.Prefix{})
+		result2 := manager.GenerateSetName([]netip.Prefix{})

 		if result1 != result2 {
 			t.Errorf("Empty input produced inconsistent results: %s != %s", result1, result2)
@@ -64,8 +64,8 @@ func TestGenerateSetName(t *testing.T) {
 			netip.MustParsePrefix("192.168.1.0/24"),
 		}

-		result1 := manager.NewPrefixSet(prefixes1)
-		result2 := manager.NewPrefixSet(prefixes2)
+		result1 := manager.GenerateSetName(prefixes1)
+		result2 := manager.GenerateSetName(prefixes2)

 		if result1 != result2 {
 			t.Errorf("Different orders of IPv4 and IPv6 produced different hashes: %s != %s", result1, result2)
--- a/client/firewall/manager/routerpair.go
+++ b/client/firewall/manager/routerpair.go
@@ -1,13 +1,15 @@
 package manager

 import (
+	"net/netip"
+
 	"github.com/netbirdio/netbird/route"
 )

 type RouterPair struct {
 	ID          route.ID
-	Source      Network
-	Destination Network
+	Source      netip.Prefix
+	Destination netip.Prefix
 	Masquerade  bool
 	Inverse     bool
 }
--- a/client/firewall/manager/set.go
+++ b/client/firewall/manager/set.go
@@ -1,74 +0,0 @@
-package manager
-
-import (
-	"crypto/sha256"
-	"encoding/hex"
-	"fmt"
-	"net/netip"
-	"slices"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/management/domain"
-)
-
-type Set struct {
-	hash    [4]byte
-	comment string
-}
-
-// String returns the string representation of the set: hashed name and comment
-func (h Set) String() string {
-	if h.comment == "" {
-		return h.HashedName()
-	}
-	return h.HashedName() + ": " + h.comment
-}
-
-// HashedName returns the string representation of the hash
-func (h Set) HashedName() string {
-	return fmt.Sprintf(
-		"nb-%s",
-		hex.EncodeToString(h.hash[:]),
-	)
-}
-
-// Comment returns the comment of the set
-func (h Set) Comment() string {
-	return h.comment
-}
-
-// NewPrefixSet generates a unique name for an ipset based on the given prefixes.
-func NewPrefixSet(prefixes []netip.Prefix) Set {
-	// sort for consistent naming
-	SortPrefixes(prefixes)
-
-	hash := sha256.New()
-	for _, src := range prefixes {
-		bytes, err := src.MarshalBinary()
-		if err != nil {
-			log.Warnf("failed to marshal prefix %s: %v", src, err)
-		}
-		hash.Write(bytes)
-	}
-	var set Set
-	copy(set.hash[:], hash.Sum(nil)[:4])
-
-	return set
-}
-
-// NewDomainSet generates a unique name for an ipset based on the given domains.
-func NewDomainSet(domains domain.List) Set {
-	slices.Sort(domains)
-
-	hash := sha256.New()
-	for _, d := range domains {
-		hash.Write([]byte(d.PunycodeString()))
-	}
-	set := Set{
-		comment: domains.SafeString(),
-	}
-	copy(set.hash[:], hash.Sum(nil)[:4])
-
-	return set
-}
--- a/client/firewall/nftables/acl_linux.go
+++ b/client/firewall/nftables/acl_linux.go
@@ -25,10 +25,9 @@ const (
 	chainNameInputRules = "netbird-acl-input-rules"

 	// filter chains contains the rules that jump to the rules chains
-	chainNameInputFilter       = "netbird-acl-input-filter"
-	chainNameForwardFilter     = "netbird-acl-forward-filter"
-	chainNameManglePrerouting  = "netbird-mangle-prerouting"
-	chainNameManglePostrouting = "netbird-mangle-postrouting"
+	chainNameInputFilter   = "netbird-acl-input-filter"
+	chainNameForwardFilter = "netbird-acl-forward-filter"
+	chainNamePrerouting    = "netbird-rt-prerouting"

 	allowNetbirdInputRuleID = "allow Netbird incoming traffic"
 )
@@ -463,15 +462,13 @@ func (m *AclManager) createDefaultChains() (err error) {
 // go through the input filter as well. This will enable e.g. Docker services to keep working by accessing the
 // netbird peer IP.
 func (m *AclManager) allowRedirectedTraffic(chainFwFilter *nftables.Chain) error {
-	// Chain is created by route manager
-	// TODO: move creation to a common place
-	m.chainPrerouting = &nftables.Chain{
-		Name:     chainNameManglePrerouting,
+	m.chainPrerouting = m.rConn.AddChain(&nftables.Chain{
+		Name:     chainNamePrerouting,
 		Table:    m.workTable,
 		Type:     nftables.ChainTypeFilter,
 		Hooknum:  nftables.ChainHookPrerouting,
 		Priority: nftables.ChainPriorityMangle,
-	}
+	})

 	m.addFwmarkToForward(chainFwFilter)

--- a/client/firewall/nftables/manager_linux.go
+++ b/client/firewall/nftables/manager_linux.go
@@ -135,16 +135,17 @@ func (m *Manager) AddPeerFiltering(
 func (m *Manager) AddRouteFiltering(
 	id []byte,
 	sources []netip.Prefix,
-	destination firewall.Network,
+	destination netip.Prefix,
 	proto firewall.Protocol,
-	sPort, dPort *firewall.Port,
+	sPort *firewall.Port,
+	dPort *firewall.Port,
 	action firewall.Action,
 ) (firewall.Rule, error) {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if destination.IsPrefix() && !destination.Prefix.Addr().Is4() {
-		return nil, fmt.Errorf("unsupported IP version: %s", destination.Prefix.Addr().String())
+	if !destination.Addr().Is4() {
+		return nil, fmt.Errorf("unsupported IP version: %s", destination.Addr().String())
 	}

 	return m.router.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
@@ -241,7 +242,7 @@ func (m *Manager) SetLegacyManagement(isLegacy bool) error {
 	return firewall.SetLegacyManagement(m.router, isLegacy)
 }

-// Close closes the firewall manager
+// Reset firewall to the default state
 func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
@@ -358,14 +359,6 @@ func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
 	return m.router.DeleteDNATRule(rule)
 }

-// UpdateSet updates the set with the given prefixes
-func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.UpdateSet(set, prefixes)
-}
-
 func (m *Manager) createWorkTable() (*nftables.Table, error) {
 	tables, err := m.rConn.ListTablesOfFamily(nftables.TableFamilyIPv4)
 	if err != nil {
--- a/client/firewall/nftables/manager_linux_test.go
+++ b/client/firewall/nftables/manager_linux_test.go
@@ -289,7 +289,7 @@ func TestNftablesManagerCompatibilityWithIptables(t *testing.T) {
 	_, err = manager.AddRouteFiltering(
 		nil,
 		[]netip.Prefix{netip.MustParsePrefix("192.168.2.0/24")},
-		fw.Network{Prefix: netip.MustParsePrefix("10.1.0.0/24")},
+		netip.MustParsePrefix("10.1.0.0/24"),
 		fw.ProtocolTCP,
 		nil,
 		&fw.Port{Values: []uint16{443}},
@@ -298,8 +298,8 @@ func TestNftablesManagerCompatibilityWithIptables(t *testing.T) {
 	require.NoError(t, err, "failed to add route filtering rule")

 	pair := fw.RouterPair{
-		Source:      fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
-		Destination: fw.Network{Prefix: netip.MustParsePrefix("10.0.0.0/24")},
+		Source:      netip.MustParsePrefix("192.168.1.0/24"),
+		Destination: netip.MustParsePrefix("10.0.0.0/24"),
 		Masquerade:  true,
 	}
 	err = manager.AddNatRule(pair)
--- a/client/firewall/nftables/router_linux.go
+++ b/client/firewall/nftables/router_linux.go
@@ -10,6 +10,7 @@ import (
 	"strings"

 	"github.com/coreos/go-iptables/iptables"
+	"github.com/davecgh/go-spew/spew"
 	"github.com/google/nftables"
 	"github.com/google/nftables/binaryutil"
 	"github.com/google/nftables/expr"
@@ -20,6 +21,7 @@ import (
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	nbid "github.com/netbirdio/netbird/client/internal/acl/id"
+	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/client/internal/routemanager/ipfwdstate"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
 	nbnet "github.com/netbirdio/netbird/util/net"
@@ -32,6 +34,7 @@ const (
 	chainNameRoutingNat    = "netbird-rt-postrouting"
 	chainNameRoutingRdr    = "netbird-rt-redirect"
 	chainNameForward       = "FORWARD"
+	chainNameRaw           = "netbird-raw"

 	userDataAcceptForwardRuleIif = "frwacceptiif"
 	userDataAcceptForwardRuleOif = "frwacceptoif"
@@ -43,14 +46,9 @@ const (
 const refreshRulesMapError = "refresh rules map: %w"

 var (
-	errFilterTableNotFound = fmt.Errorf("'filter' table not found")
+	errFilterTableNotFound = fmt.Errorf("nftables: 'filter' table not found")
 )

-type setInput struct {
-	set      firewall.Set
-	prefixes []netip.Prefix
-}
-
 type router struct {
 	conn        *nftables.Conn
 	workTable   *nftables.Table
@@ -58,7 +56,7 @@ type router struct {
 	chains      map[string]*nftables.Chain
 	// rules is useful to avoid duplicates and to get missing attributes that we don't have when adding new rules
 	rules        map[string]*nftables.Rule
-	ipsetCounter *refcounter.Counter[string, setInput, *nftables.Set]
+	ipsetCounter *refcounter.Counter[string, []netip.Prefix, *nftables.Set]

 	wgIface          iFaceMapper
 	ipFwdState       *ipfwdstate.IPForwardingState
@@ -100,12 +98,12 @@ func (r *router) init(workTable *nftables.Table) error {
 		log.Errorf("failed to clean up rules from FORWARD chain: %s", err)
 	}

-	if err := r.createContainers(); err != nil {
-		return fmt.Errorf("create containers: %w", err)
+	if err := r.setupConntrackZones(); err != nil {
+		log.Errorf("failed to setup conntrack zones: %v", err)
 	}

-	if err := r.setupDataPlaneMark(); err != nil {
-		log.Errorf("failed to set up data plane mark: %v", err)
+	if err := r.createContainers(); err != nil {
+		return fmt.Errorf("create containers: %w", err)
 	}

 	return nil
@@ -167,7 +165,7 @@ func (r *router) removeNatPreroutingRules() error {
 func (r *router) loadFilterTable() (*nftables.Table, error) {
 	tables, err := r.conn.ListTablesOfFamily(nftables.TableFamilyIPv4)
 	if err != nil {
-		return nil, fmt.Errorf("unable to list tables: %v", err)
+		return nil, fmt.Errorf("nftables: unable to list tables: %v", err)
 	}

 	for _, table := range tables {
@@ -204,21 +202,15 @@ func (r *router) createContainers() error {
 		Type:     nftables.ChainTypeNAT,
 	})

-	r.chains[chainNameManglePostrouting] = r.conn.AddChain(&nftables.Chain{
-		Name:     chainNameManglePostrouting,
-		Table:    r.workTable,
-		Hooknum:  nftables.ChainHookPostrouting,
-		Priority: nftables.ChainPriorityMangle,
-		Type:     nftables.ChainTypeFilter,
-	})
-
-	r.chains[chainNameManglePrerouting] = r.conn.AddChain(&nftables.Chain{
-		Name:     chainNameManglePrerouting,
+	// Chain is created by acl manager
+	// TODO: move creation to a common place
+	r.chains[chainNamePrerouting] = &nftables.Chain{
+		Name:     chainNamePrerouting,
 		Table:    r.workTable,
 		Hooknum:  nftables.ChainHookPrerouting,
 		Priority: nftables.ChainPriorityMangle,
 		Type:     nftables.ChainTypeFilter,
-	})
+	}

 	// Add the single NAT rule that matches on mark
 	if err := r.addPostroutingRules(); err != nil {
@@ -234,20 +226,23 @@ func (r *router) createContainers() error {
 	}

 	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf("initialize tables: %v", err)
+		return fmt.Errorf("nftables: unable to initialize table: %v", err)
 	}

 	return nil
 }

-// setupDataPlaneMark configures the fwmark for the data plane
-func (r *router) setupDataPlaneMark() error {
-	if r.chains[chainNameManglePrerouting] == nil || r.chains[chainNameManglePostrouting] == nil {
-		return errors.New("no mangle chains found")
-	}
+// setupConntrackZones configures the connection tracking zones for the NetBird interface
+func (r *router) setupConntrackZones() error {
+	rawChain := r.conn.AddChain(&nftables.Chain{
+		Name:     chainNameRaw,
+		Table:    r.workTable,
+		Type:     nftables.ChainTypeFilter,
+		Hooknum:  nftables.ChainHookPrerouting,
+		Priority: nftables.ChainPriorityRaw,
+	})

-	ctNew := getCtNewExprs()
-	preExprs := []expr.Any{
+	exprs := []expr.Any{
 		&expr.Meta{
 			Key:      expr.MetaKeyIIFNAME,
 			Register: 1,
@@ -257,62 +252,26 @@ func (r *router) setupDataPlaneMark() error {
 			Register: 1,
 			Data:     ifname(r.wgIface.Name()),
 		},
-	}
-	preExprs = append(preExprs, ctNew...)
-	preExprs = append(preExprs,
 		&expr.Immediate{
 			Register: 1,
-			Data:     binaryutil.NativeEndian.PutUint32(nbnet.DataPlaneMarkIn),
+			Data:     binaryutil.NativeEndian.PutUint32(nftypes.ZoneID),
 		},
 		&expr.Ct{
-			Key:            expr.CtKeyMARK,
+			Key:            expr.CtKeyZONE,
 			Register:       1,
 			SourceRegister: true,
 		},
-	)
+	}

-	preNftRule := &nftables.Rule{
+	r.conn.AddRule(&nftables.Rule{
 		Table: r.workTable,
-		Chain: r.chains[chainNameManglePrerouting],
-		Exprs: preExprs,
-	}
-	r.conn.AddRule(preNftRule)
-
-	postExprs := []expr.Any{
-		&expr.Meta{
-			Key:      expr.MetaKeyOIFNAME,
-			Register: 1,
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     ifname(r.wgIface.Name()),
-		},
-	}
-	postExprs = append(postExprs, ctNew...)
-	postExprs = append(postExprs,
-		&expr.Immediate{
-			Register: 1,
-			Data:     binaryutil.NativeEndian.PutUint32(nbnet.DataPlaneMarkOut),
-		},
-		&expr.Ct{
-			Key:            expr.CtKeyMARK,
-			Register:       1,
-			SourceRegister: true,
-		},
-	)
-
-	postNftRule := &nftables.Rule{
-		Table: r.workTable,
-		Chain: r.chains[chainNameManglePostrouting],
-		Exprs: postExprs,
-	}
-	r.conn.AddRule(postNftRule)
+		Chain: rawChain,
+		Exprs: exprs,
+	})

 	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf("flush: %w", err)
+		return fmt.Errorf("nftables: flush conntrack zone: %w", err)
 	}
-
 	return nil
 }

@@ -320,7 +279,7 @@ func (r *router) setupDataPlaneMark() error {
 func (r *router) AddRouteFiltering(
 	id []byte,
 	sources []netip.Prefix,
-	destination firewall.Network,
+	destination netip.Prefix,
 	proto firewall.Protocol,
 	sPort *firewall.Port,
 	dPort *firewall.Port,
@@ -335,29 +294,23 @@ func (r *router) AddRouteFiltering(
 	chain := r.chains[chainNameRoutingFw]
 	var exprs []expr.Any

-	var source firewall.Network
 	switch {
 	case len(sources) == 1 && sources[0].Bits() == 0:
 		// If it's 0.0.0.0/0, we don't need to add any source matching
 	case len(sources) == 1:
 		// If there's only one source, we can use it directly
-		source.Prefix = sources[0]
+		exprs = append(exprs, generateCIDRMatcherExpressions(true, sources[0])...)
 	default:
-		// If there are multiple sources, use a set
-		source.Set = firewall.NewPrefixSet(sources)
+		// If there are multiple sources, create or get an ipset
+		var err error
+		exprs, err = r.getIpSetExprs(sources, exprs)
+		if err != nil {
+			return nil, fmt.Errorf("get ipset expressions: %w", err)
+		}
 	}

-	sourceExp, err := r.applyNetwork(source, sources, true)
-	if err != nil {
-		return nil, fmt.Errorf("apply source: %w", err)
-	}
-	exprs = append(exprs, sourceExp...)
-
-	destExp, err := r.applyNetwork(destination, nil, false)
-	if err != nil {
-		return nil, fmt.Errorf("apply destination: %w", err)
-	}
-	exprs = append(exprs, destExp...)
+	// Handle destination
+	exprs = append(exprs, generateCIDRMatcherExpressions(false, destination)...)

 	// Handle protocol
 	if proto != firewall.ProtocolALL {
@@ -401,27 +354,39 @@ func (r *router) AddRouteFiltering(
 		rule = r.conn.AddRule(rule)
 	}

+	log.Tracef("Adding route rule %s", spew.Sdump(rule))
 	if err := r.conn.Flush(); err != nil {
 		return nil, fmt.Errorf(flushError, err)
 	}

 	r.rules[string(ruleKey)] = rule

-	log.Debugf("added route rule: sources=%v, destination=%v, proto=%v, sPort=%v, dPort=%v, action=%v", sources, destination, proto, sPort, dPort, action)
+	log.Debugf("nftables: added route rule: sources=%v, destination=%v, proto=%v, sPort=%v, dPort=%v, action=%v", sources, destination, proto, sPort, dPort, action)

 	return ruleKey, nil
 }

-func (r *router) getIpSet(set firewall.Set, prefixes []netip.Prefix, isSource bool) ([]expr.Any, error) {
-	ref, err := r.ipsetCounter.Increment(set.HashedName(), setInput{
-		set:      set,
-		prefixes: prefixes,
-	})
+func (r *router) getIpSetExprs(sources []netip.Prefix, exprs []expr.Any) ([]expr.Any, error) {
+	setName := firewall.GenerateSetName(sources)
+	ref, err := r.ipsetCounter.Increment(setName, sources)
 	if err != nil {
-		return nil, fmt.Errorf("create or get ipset: %w", err)
+		return nil, fmt.Errorf("create or get ipset for sources: %w", err)
 	}

-	return getIpSetExprs(ref, isSource)
+	exprs = append(exprs,
+		&expr.Payload{
+			DestRegister: 1,
+			Base:         expr.PayloadBaseNetworkHeader,
+			Offset:       12,
+			Len:          4,
+		},
+		&expr.Lookup{
+			SourceRegister: 1,
+			SetName:        ref.Out.Name,
+			SetID:          ref.Out.ID,
+		},
+	)
+	return exprs, nil
 }

 func (r *router) DeleteRouteRule(rule firewall.Rule) error {
@@ -440,54 +405,42 @@ func (r *router) DeleteRouteRule(rule firewall.Rule) error {
 		return fmt.Errorf("route rule %s has no handle", ruleKey)
 	}

+	setName := r.findSetNameInRule(nftRule)
+
 	if err := r.deleteNftRule(nftRule, ruleKey); err != nil {
 		return fmt.Errorf("delete: %w", err)
 	}

+	if setName != "" {
+		if _, err := r.ipsetCounter.Decrement(setName); err != nil {
+			return fmt.Errorf("decrement ipset reference: %w", err)
+		}
+	}
+
 	if err := r.conn.Flush(); err != nil {
 		return fmt.Errorf(flushError, err)
 	}

-	if err := r.decrementSetCounter(nftRule); err != nil {
-		return fmt.Errorf("decrement set counter: %w", err)
-	}
-
 	return nil
 }

-func (r *router) createIpSet(setName string, input setInput) (*nftables.Set, error) {
+func (r *router) createIpSet(setName string, sources []netip.Prefix) (*nftables.Set, error) {
 	// overlapping prefixes will result in an error, so we need to merge them
-	prefixes := firewall.MergeIPRanges(input.prefixes)
+	sources = firewall.MergeIPRanges(sources)

-	nfset := &nftables.Set{
-		Name:    setName,
-		Comment: input.set.Comment(),
-		Table:   r.workTable,
+	set := &nftables.Set{
+		Name:  setName,
+		Table: r.workTable,
 		// required for prefixes
 		Interval: true,
 		KeyType:  nftables.TypeIPAddr,
 	}

-	elements := convertPrefixesToSet(prefixes)
-	if err := r.conn.AddSet(nfset, elements); err != nil {
-		return nil, fmt.Errorf("error adding elements to set %s: %w", setName, err)
-	}
-
-	if err := r.conn.Flush(); err != nil {
-		return nil, fmt.Errorf("flush error: %w", err)
-	}
-
-	log.Printf("Created new ipset: %s with %d elements", setName, len(elements)/2)
-
-	return nfset, nil
-}
-
-func convertPrefixesToSet(prefixes []netip.Prefix) []nftables.SetElement {
 	var elements []nftables.SetElement
-	for _, prefix := range prefixes {
+	for _, prefix := range sources {
 		// TODO: Implement IPv6 support
 		if prefix.Addr().Is6() {
-			log.Tracef("skipping IPv6 prefix %s: IPv6 support not yet implemented", prefix)
+			log.Printf("Skipping IPv6 prefix %s: IPv6 support not yet implemented", prefix)
 			continue
 		}

@@ -503,7 +456,18 @@ func convertPrefixesToSet(prefixes []netip.Prefix) []nftables.SetElement {
 			nftables.SetElement{Key: lastIP.AsSlice(), IntervalEnd: true},
 		)
 	}
-	return elements
+
+	if err := r.conn.AddSet(set, elements); err != nil {
+		return nil, fmt.Errorf("error adding elements to set %s: %w", setName, err)
+	}
+
+	if err := r.conn.Flush(); err != nil {
+		return nil, fmt.Errorf("flush error: %w", err)
+	}
+
+	log.Printf("Created new ipset: %s with %d elements", setName, len(elements)/2)
+
+	return set, nil
 }

 // calculateLastIP determines the last IP in a given prefix.
@@ -527,8 +491,8 @@ func uint32ToBytes(ip uint32) [4]byte {
 	return b
 }

-func (r *router) deleteIpSet(setName string, nfset *nftables.Set) error {
-	r.conn.DelSet(nfset)
+func (r *router) deleteIpSet(setName string, set *nftables.Set) error {
+	r.conn.DelSet(set)
 	if err := r.conn.Flush(); err != nil {
 		return fmt.Errorf(flushError, err)
 	}
@@ -537,27 +501,13 @@ func (r *router) deleteIpSet(setName string, nfset *nftables.Set) error {
 	return nil
 }

-func (r *router) decrementSetCounter(rule *nftables.Rule) error {
-	sets := r.findSets(rule)
-
-	var merr *multierror.Error
-	for _, setName := range sets {
-		if _, err := r.ipsetCounter.Decrement(setName); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("decrement set counter: %w", err))
-		}
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *router) findSets(rule *nftables.Rule) []string {
-	var sets []string
+func (r *router) findSetNameInRule(rule *nftables.Rule) string {
 	for _, e := range rule.Exprs {
 		if lookup, ok := e.(*expr.Lookup); ok {
-			sets = append(sets, lookup.SetName)
+			return lookup.SetName
 		}
 	}
-	return sets
+	return ""
 }

 func (r *router) deleteNftRule(rule *nftables.Rule, ruleKey string) error {
@@ -599,8 +549,7 @@ func (r *router) AddNatRule(pair firewall.RouterPair) error {
 	}

 	if err := r.conn.Flush(); err != nil {
-		// TODO: rollback ipset counter
-		return fmt.Errorf("insert rules for %s: %v", pair.Destination, err)
+		return fmt.Errorf("nftables: insert rules for %s: %v", pair.Destination, err)
 	}

 	return nil
@@ -608,15 +557,8 @@ func (r *router) AddNatRule(pair firewall.RouterPair) error {

 // addNatRule inserts a nftables rule to the conn client flush queue
 func (r *router) addNatRule(pair firewall.RouterPair) error {
-	sourceExp, err := r.applyNetwork(pair.Source, nil, true)
-	if err != nil {
-		return fmt.Errorf("apply source: %w", err)
-	}
-
-	destExp, err := r.applyNetwork(pair.Destination, nil, false)
-	if err != nil {
-		return fmt.Errorf("apply destination: %w", err)
-	}
+	sourceExp := generateCIDRMatcherExpressions(true, pair.Source)
+	destExp := generateCIDRMatcherExpressions(false, pair.Destination)

 	op := expr.CmpOpEq
 	if pair.Inverse {
@@ -624,6 +566,26 @@ func (r *router) addNatRule(pair firewall.RouterPair) error {
 	}

 	exprs := []expr.Any{
+		// We only care about NEW connections to mark them and later identify them in the postrouting chain for masquerading.
+		// Masquerading will take care of the conntrack state, which means we won't need to mark established connections.
+		&expr.Ct{
+			Key:      expr.CtKeySTATE,
+			Register: 1,
+		},
+		&expr.Bitwise{
+			SourceRegister: 1,
+			DestRegister:   1,
+			Len:            4,
+			Mask:           binaryutil.NativeEndian.PutUint32(expr.CtStateBitNEW),
+			Xor:            binaryutil.NativeEndian.PutUint32(0),
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpNeq,
+			Register: 1,
+			Data:     []byte{0, 0, 0, 0},
+		},
+
+		// interface matching
 		&expr.Meta{
 			Key:      expr.MetaKeyIIFNAME,
 			Register: 1,
@@ -634,9 +596,6 @@ func (r *router) addNatRule(pair firewall.RouterPair) error {
 			Data:     ifname(r.wgIface.Name()),
 		},
 	}
-	// We only care about NEW connections to mark them and later identify them in the postrouting chain for masquerading.
-	// Masquerading will take care of the conntrack state, which means we won't need to mark established connections.
-	exprs = append(exprs, getCtNewExprs()...)

 	exprs = append(exprs, sourceExp...)
 	exprs = append(exprs, destExp...)
@@ -666,11 +625,9 @@ func (r *router) addNatRule(pair firewall.RouterPair) error {
 		}
 	}

-	// Ensure nat rules come first, so the mark can be overwritten.
-	// Currently overwritten by the dst-type LOCAL rules for redirected traffic.
-	r.rules[ruleKey] = r.conn.InsertRule(&nftables.Rule{
+	r.rules[ruleKey] = r.conn.AddRule(&nftables.Rule{
 		Table:    r.workTable,
-		Chain:    r.chains[chainNameManglePrerouting],
+		Chain:    r.chains[chainNamePrerouting],
 		Exprs:    exprs,
 		UserData: []byte(ruleKey),
 	})
@@ -751,15 +708,8 @@ func (r *router) addPostroutingRules() error {

 // addLegacyRouteRule adds a legacy routing rule for mgmt servers pre route acls
 func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
-	sourceExp, err := r.applyNetwork(pair.Source, nil, true)
-	if err != nil {
-		return fmt.Errorf("apply source: %w", err)
-	}
-
-	destExp, err := r.applyNetwork(pair.Destination, nil, false)
-	if err != nil {
-		return fmt.Errorf("apply destination: %w", err)
-	}
+	sourceExp := generateCIDRMatcherExpressions(true, pair.Source)
+	destExp := generateCIDRMatcherExpressions(false, pair.Destination)

 	exprs := []expr.Any{
 		&expr.Counter{},
@@ -768,8 +718,7 @@ func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
 		},
 	}

-	exprs = append(exprs, sourceExp...)
-	exprs = append(exprs, destExp...)
+	expression := append(sourceExp, append(destExp, exprs...)...) // nolint:gocritic

 	ruleKey := firewall.GenKey(firewall.ForwardingFormat, pair)

@@ -782,7 +731,7 @@ func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
 	r.rules[ruleKey] = r.conn.AddRule(&nftables.Rule{
 		Table:    r.workTable,
 		Chain:    r.chains[chainNameRoutingFw],
-		Exprs:    exprs,
+		Exprs:    expression,
 		UserData: []byte(ruleKey),
 	})
 	return nil
@@ -797,13 +746,11 @@ func (r *router) removeLegacyRouteRule(pair firewall.RouterPair) error {
 			return fmt.Errorf("remove legacy forwarding rule %s -> %s: %v", pair.Source, pair.Destination, err)
 		}

-		log.Debugf("removed legacy forwarding rule %s -> %s", pair.Source, pair.Destination)
+		log.Debugf("nftables: removed legacy forwarding rule %s -> %s", pair.Source, pair.Destination)

 		delete(r.rules, ruleKey)
-
-		if err := r.decrementSetCounter(rule); err != nil {
-			return fmt.Errorf("decrement set counter: %w", err)
-		}
+	} else {
+		log.Debugf("nftables: legacy forwarding rule %s not found", ruleKey)
 	}

 	return nil
@@ -1014,14 +961,12 @@ func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}

-	if pair.Masquerade {
-		if err := r.removeNatRule(pair); err != nil {
-			return fmt.Errorf("remove prerouting rule: %w", err)
-		}
+	if err := r.removeNatRule(pair); err != nil {
+		return fmt.Errorf("remove prerouting rule: %w", err)
+	}

-		if err := r.removeNatRule(firewall.GetInversePair(pair)); err != nil {
-			return fmt.Errorf("remove inverse prerouting rule: %w", err)
-		}
+	if err := r.removeNatRule(firewall.GetInversePair(pair)); err != nil {
+		return fmt.Errorf("remove inverse prerouting rule: %w", err)
 	}

 	if err := r.removeLegacyRouteRule(pair); err != nil {
@@ -1029,10 +974,10 @@ func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
 	}

 	if err := r.conn.Flush(); err != nil {
-		// TODO: rollback set counter
-		return fmt.Errorf("remove nat rules rule %s: %v", pair.Destination, err)
+		return fmt.Errorf("nftables: received error while applying rule removal for %s: %v", pair.Destination, err)
 	}

+	log.Debugf("nftables: removed nat rules for %s", pair.Destination)
 	return nil
 }

@@ -1040,19 +985,16 @@ func (r *router) removeNatRule(pair firewall.RouterPair) error {
 	ruleKey := firewall.GenKey(firewall.PreroutingFormat, pair)

 	if rule, exists := r.rules[ruleKey]; exists {
-		if err := r.conn.DelRule(rule); err != nil {
+		err := r.conn.DelRule(rule)
+		if err != nil {
 			return fmt.Errorf("remove prerouting rule %s -> %s: %v", pair.Source, pair.Destination, err)
 		}

-		log.Debugf("removed prerouting rule %s -> %s", pair.Source, pair.Destination)
+		log.Debugf("nftables: removed prerouting rule %s -> %s", pair.Source, pair.Destination)

 		delete(r.rules, ruleKey)
-
-		if err := r.decrementSetCounter(rule); err != nil {
-			return fmt.Errorf("decrement set counter: %w", err)
-		}
 	} else {
-		log.Debugf("prerouting rule %s not found", ruleKey)
+		log.Debugf("nftables: prerouting rule %s not found", ruleKey)
 	}

 	return nil
@@ -1064,7 +1006,7 @@ func (r *router) refreshRulesMap() error {
 	for _, chain := range r.chains {
 		rules, err := r.conn.GetRules(chain.Table, chain)
 		if err != nil {
-			return fmt.Errorf(" unable to list rules: %v", err)
+			return fmt.Errorf("nftables: unable to list rules: %v", err)
 		}
 		for _, rule := range rules {
 			if len(rule.UserData) > 0 {
@@ -1338,54 +1280,13 @@ func (r *router) DeleteDNATRule(rule firewall.Rule) error {
 	return nberrors.FormatErrorOrNil(merr)
 }

-func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
-	nfset, err := r.conn.GetSetByName(r.workTable, set.HashedName())
-	if err != nil {
-		return fmt.Errorf("get set %s: %w", set.HashedName(), err)
-	}
-
-	elements := convertPrefixesToSet(prefixes)
-	if err := r.conn.SetAddElements(nfset, elements); err != nil {
-		return fmt.Errorf("add elements to set %s: %w", set.HashedName(), err)
-	}
-
-	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf(flushError, err)
-	}
-
-	log.Debugf("updated set %s with prefixes %v", set.HashedName(), prefixes)
-
-	return nil
-}
-
-// applyNetwork generates nftables expressions for networks (CIDR) or sets
-func (r *router) applyNetwork(
-	network firewall.Network,
-	setPrefixes []netip.Prefix,
-	isSource bool,
-) ([]expr.Any, error) {
-	if network.IsSet() {
-		exprs, err := r.getIpSet(network.Set, setPrefixes, isSource)
-		if err != nil {
-			return nil, fmt.Errorf("source: %w", err)
-		}
-		return exprs, nil
-	}
-
-	if network.IsPrefix() {
-		return applyPrefix(network.Prefix, isSource), nil
-	}
-
-	return nil, nil
-}
-
-// applyPrefix generates nftables expressions for a CIDR prefix
-func applyPrefix(prefix netip.Prefix, isSource bool) []expr.Any {
-	// dst offset
-	offset := uint32(16)
-	if isSource {
-		// src offset
-		offset = 12
+// generateCIDRMatcherExpressions generates nftables expressions that matches a CIDR
+func generateCIDRMatcherExpressions(source bool, prefix netip.Prefix) []expr.Any {
+	var offset uint32
+	if source {
+		offset = 12 // src offset
+	} else {
+		offset = 16 // dst offset
 	}

 	ones := prefix.Bits()
@@ -1472,48 +1373,3 @@ func applyPort(port *firewall.Port, isSource bool) []expr.Any {

 	return exprs
 }
-
-func getCtNewExprs() []expr.Any {
-	return []expr.Any{
-		&expr.Ct{
-			Key:      expr.CtKeySTATE,
-			Register: 1,
-		},
-		&expr.Bitwise{
-			SourceRegister: 1,
-			DestRegister:   1,
-			Len:            4,
-			Mask:           binaryutil.NativeEndian.PutUint32(expr.CtStateBitNEW),
-			Xor:            binaryutil.NativeEndian.PutUint32(0),
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpNeq,
-			Register: 1,
-			Data:     []byte{0, 0, 0, 0},
-		},
-	}
-}
-
-func getIpSetExprs(ref refcounter.Ref[*nftables.Set], isSource bool) ([]expr.Any, error) {
-
-	// dst offset
-	offset := uint32(16)
-	if isSource {
-		// src offset
-		offset = 12
-	}
-
-	return []expr.Any{
-		&expr.Payload{
-			DestRegister: 1,
-			Base:         expr.PayloadBaseNetworkHeader,
-			Offset:       offset,
-			Len:          4,
-		},
-		&expr.Lookup{
-			SourceRegister: 1,
-			SetName:        ref.Out.Name,
-			SetID:          ref.Out.ID,
-		},
-	}, nil
-}
--- a/client/firewall/nftables/router_linux_test.go
+++ b/client/firewall/nftables/router_linux_test.go
@@ -88,8 +88,8 @@ func TestNftablesManager_AddNatRule(t *testing.T) {
 				}

 				// Build CIDR matching expressions
-				sourceExp := applyPrefix(testCase.InputPair.Source.Prefix, true)
-				destExp := applyPrefix(testCase.InputPair.Destination.Prefix, false)
+				sourceExp := generateCIDRMatcherExpressions(true, testCase.InputPair.Source)
+				destExp := generateCIDRMatcherExpressions(false, testCase.InputPair.Destination)

 				// Combine all expressions in the correct order
 				// nolint:gocritic
@@ -100,7 +100,7 @@ func TestNftablesManager_AddNatRule(t *testing.T) {
 				natRuleKey := firewall.GenKey(firewall.PreroutingFormat, testCase.InputPair)
 				found := 0
 				for _, chain := range rtr.chains {
-					if chain.Name == chainNameManglePrerouting {
+					if chain.Name == chainNamePrerouting {
 						rules, err := nftablesTestingClient.GetRules(chain.Table, chain)
 						require.NoError(t, err, "should list rules for %s table and %s chain", chain.Table.Name, chain.Name)
 						for _, rule := range rules {
@@ -141,7 +141,7 @@ func TestNftablesManager_RemoveNatRule(t *testing.T) {
 			// Verify the rule was added
 			natRuleKey := firewall.GenKey(firewall.PreroutingFormat, testCase.InputPair)
 			found := false
-			rules, err := rtr.conn.GetRules(rtr.workTable, rtr.chains[chainNameManglePrerouting])
+			rules, err := rtr.conn.GetRules(rtr.workTable, rtr.chains[chainNamePrerouting])
 			require.NoError(t, err, "should list rules")
 			for _, rule := range rules {
 				if len(rule.UserData) > 0 && string(rule.UserData) == natRuleKey {
@@ -157,7 +157,7 @@ func TestNftablesManager_RemoveNatRule(t *testing.T) {

 			// Verify the rule was removed
 			found = false
-			rules, err = rtr.conn.GetRules(rtr.workTable, rtr.chains[chainNameManglePrerouting])
+			rules, err = rtr.conn.GetRules(rtr.workTable, rtr.chains[chainNamePrerouting])
 			require.NoError(t, err, "should list rules after removal")
 			for _, rule := range rules {
 				if len(rule.UserData) > 0 && string(rule.UserData) == natRuleKey {
@@ -311,7 +311,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			ruleKey, err := r.AddRouteFiltering(nil, tt.sources, firewall.Network{Prefix: tt.destination}, tt.proto, tt.sPort, tt.dPort, tt.action)
+			ruleKey, err := r.AddRouteFiltering(nil, tt.sources, tt.destination, tt.proto, tt.sPort, tt.dPort, tt.action)
 			require.NoError(t, err, "AddRouteFiltering failed")

 			t.Cleanup(func() {
@@ -441,8 +441,8 @@ func TestNftablesCreateIpSet(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			setName := firewall.NewPrefixSet(tt.sources).HashedName()
-			set, err := r.createIpSet(setName, setInput{prefixes: tt.sources})
+			setName := firewall.GenerateSetName(tt.sources)
+			set, err := r.createIpSet(setName, tt.sources)
 			if err != nil {
 				t.Logf("Failed to create IP set: %v", err)
 				printNftSets()
--- a/client/firewall/test/cases_linux.go
+++ b/client/firewall/test/cases_linux.go
@@ -15,8 +15,8 @@ var (
 			Name: "Insert Forwarding IPV4 Rule",
 			InputPair: firewall.RouterPair{
 				ID:          "zxa",
-				Source:      firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.1/32")},
-				Destination: firewall.Network{Prefix: netip.MustParsePrefix("100.100.200.0/24")},
+				Source:      netip.MustParsePrefix("100.100.100.1/32"),
+				Destination: netip.MustParsePrefix("100.100.200.0/24"),
 				Masquerade:  false,
 			},
 		},
@@ -24,8 +24,8 @@ var (
 			Name: "Insert Forwarding And Nat IPV4 Rules",
 			InputPair: firewall.RouterPair{
 				ID:          "zxa",
-				Source:      firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.1/32")},
-				Destination: firewall.Network{Prefix: netip.MustParsePrefix("100.100.200.0/24")},
+				Source:      netip.MustParsePrefix("100.100.100.1/32"),
+				Destination: netip.MustParsePrefix("100.100.200.0/24"),
 				Masquerade:  true,
 			},
 		},
@@ -40,8 +40,8 @@ var (
 			Name: "Remove Forwarding And Nat IPV4 Rules",
 			InputPair: firewall.RouterPair{
 				ID:          "zxa",
-				Source:      firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.1/32")},
-				Destination: firewall.Network{Prefix: netip.MustParsePrefix("100.100.200.0/24")},
+				Source:      netip.MustParsePrefix("100.100.100.1/32"),
+				Destination: netip.MustParsePrefix("100.100.200.0/24"),
 				Masquerade:  true,
 			},
 		},
--- a/client/firewall/uspfilter/allow_netbird.go
+++ b/client/firewall/uspfilter/allow_netbird.go
@@ -12,7 +12,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )

-// Close cleans up the firewall manager by removing all rules and closing trackers
+// Reset firewall to the default state
 func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
--- a/client/firewall/uspfilter/allow_netbird_windows.go
+++ b/client/firewall/uspfilter/allow_netbird_windows.go
@@ -10,6 +10,7 @@ import (

 	log "github.com/sirupsen/logrus"

+	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )

@@ -21,7 +22,7 @@ const (
 	firewallRuleName        = "Netbird"
 )

-// Close cleans up the firewall manager by removing all rules and closing trackers
+// Reset firewall to the default state
 func (m *Manager) Close(*statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
@@ -31,14 +32,17 @@ func (m *Manager) Close(*statemanager.Manager) error {

 	if m.udpTracker != nil {
 		m.udpTracker.Close()
+		m.udpTracker = conntrack.NewUDPTracker(conntrack.DefaultUDPTimeout, m.logger, m.flowLogger)
 	}

 	if m.icmpTracker != nil {
 		m.icmpTracker.Close()
+		m.icmpTracker = conntrack.NewICMPTracker(conntrack.DefaultICMPTimeout, m.logger, m.flowLogger)
 	}

 	if m.tcpTracker != nil {
 		m.tcpTracker.Close()
+		m.tcpTracker = conntrack.NewTCPTracker(conntrack.DefaultTCPTimeout, m.logger, m.flowLogger)
 	}

 	if fwder := m.forwarder.Load(); fwder != nil {
--- a/client/firewall/uspfilter/conntrack/common_test.go
+++ b/client/firewall/uspfilter/conntrack/common_test.go
@@ -1,6 +1,7 @@
 package conntrack

 import (
+	"context"
 	"net/netip"
 	"testing"

@@ -11,7 +12,7 @@ import (
 )

 var logger = log.NewFromLogrus(logrus.StandardLogger())
-var flowLogger = netflow.NewManager(nil, []byte{}, nil).GetLogger()
+var flowLogger = netflow.NewManager(context.Background(), nil, []byte{}, nil).GetLogger()

 // Memory pressure tests
 func BenchmarkMemoryPressure(b *testing.B) {
--- a/client/firewall/uspfilter/conntrack/icmp.go
+++ b/client/firewall/uspfilter/conntrack/icmp.go
@@ -189,7 +189,7 @@ func (t *ICMPTracker) cleanup() {
 		if conn.timeoutExceeded(t.timeout) {
 			delete(t.connections, key)

-			t.logger.Trace("Removed ICMP connection %s (timeout) [in: %d Pkts/%d B out: %d Pkts/%d B]",
+			t.logger.Debug("Removed ICMP connection %s (timeout) [in: %d Pkts/%d B out: %d Pkts/%d B]",
 				key, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
 			t.sendEvent(nftypes.TypeEnd, conn, nil)
 		}
--- a/client/firewall/uspfilter/conntrack/tcp.go
+++ b/client/firewall/uspfilter/conntrack/tcp.go
@@ -23,11 +23,11 @@ const (
 )

 const (
-	TCPFin  uint8 = 0x01
 	TCPSyn  uint8 = 0x02
+	TCPAck  uint8 = 0x10
+	TCPFin  uint8 = 0x01
 	TCPRst  uint8 = 0x04
 	TCPPush uint8 = 0x08
-	TCPAck  uint8 = 0x10
 	TCPUrg  uint8 = 0x20
 )

@@ -41,7 +41,7 @@ const (
 )

 // TCPState represents the state of a TCP connection
-type TCPState int32
+type TCPState int

 func (s TCPState) String() string {
 	switch s {
@@ -89,25 +89,22 @@ const (
 // TCPConnTrack represents a TCP connection state
 type TCPConnTrack struct {
 	BaseConnTrack
-	SourcePort uint16
-	DestPort   uint16
-	state      atomic.Int32
-	tombstone  atomic.Bool
+	SourcePort  uint16
+	DestPort    uint16
+	State       TCPState
+	established atomic.Bool
+	tombstone   atomic.Bool
+	sync.RWMutex
 }

-// GetState safely retrieves the current state
-func (t *TCPConnTrack) GetState() TCPState {
-	return TCPState(t.state.Load())
+// IsEstablished safely checks if connection is established
+func (t *TCPConnTrack) IsEstablished() bool {
+	return t.established.Load()
 }

-// SetState safely updates the current state
-func (t *TCPConnTrack) SetState(state TCPState) {
-	t.state.Store(int32(state))
-}
-
-// CompareAndSwapState atomically changes the state from old to new if current == old
-func (t *TCPConnTrack) CompareAndSwapState(old, newState TCPState) bool {
-	return t.state.CompareAndSwap(int32(old), int32(newState))
+// SetEstablished safely sets the established state
+func (t *TCPConnTrack) SetEstablished(state bool) {
+	t.established.Store(state)
 }

 // IsTombstone safely checks if the connection is marked for deletion
@@ -128,17 +125,13 @@ type TCPTracker struct {
 	cleanupTicker *time.Ticker
 	tickerCancel  context.CancelFunc
 	timeout       time.Duration
-	waitTimeout   time.Duration
 	flowLogger    nftypes.FlowLogger
 }

 // NewTCPTracker creates a new TCP connection tracker
 func NewTCPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nftypes.FlowLogger) *TCPTracker {
-	waitTimeout := TimeWaitTimeout
 	if timeout == 0 {
 		timeout = DefaultTCPTimeout
-	} else {
-		waitTimeout = timeout / 45
 	}

 	ctx, cancel := context.WithCancel(context.Background())
@@ -149,7 +142,6 @@ func NewTCPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nftyp
 		cleanupTicker: time.NewTicker(TCPCleanupInterval),
 		tickerCancel:  cancel,
 		timeout:       timeout,
-		waitTimeout:   waitTimeout,
 		flowLogger:    flowLogger,
 	}

@@ -157,7 +149,7 @@ func NewTCPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nftyp
 	return tracker
 }

-func (t *TCPTracker) updateIfExists(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, direction nftypes.Direction, size int) (ConnKey, bool) {
+func (t *TCPTracker) updateIfExists(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, flags uint8, direction nftypes.Direction, size int) (ConnKey, bool) {
 	key := ConnKey{
 		SrcIP:   srcIP,
 		DstIP:   dstIP,
@@ -170,7 +162,12 @@ func (t *TCPTracker) updateIfExists(srcIP, dstIP netip.Addr, srcPort, dstPort ui
 	t.mutex.RUnlock()

 	if exists {
-		t.updateState(key, conn, flags, direction, size)
+		conn.Lock()
+		t.updateState(key, conn, flags, conn.Direction == nftypes.Egress)
+		conn.Unlock()
+
+		conn.UpdateCounters(direction, size)
+
 		return key, true
 	}

@@ -178,7 +175,7 @@ func (t *TCPTracker) updateIfExists(srcIP, dstIP netip.Addr, srcPort, dstPort ui
 }

 // TrackOutbound records an outbound TCP connection
-func (t *TCPTracker) TrackOutbound(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, size int) {
+func (t *TCPTracker) TrackOutbound(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, flags uint8, size int) {
 	if _, exists := t.updateIfExists(dstIP, srcIP, dstPort, srcPort, flags, nftypes.Egress, size); !exists {
 		// if (inverted direction) conn is not tracked, track this direction
 		t.track(srcIP, dstIP, srcPort, dstPort, flags, nftypes.Egress, nil, size)
@@ -186,14 +183,14 @@ func (t *TCPTracker) TrackOutbound(srcIP, dstIP netip.Addr, srcPort, dstPort uin
 }

 // TrackInbound processes an inbound TCP packet and updates connection state
-func (t *TCPTracker) TrackInbound(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, ruleID []byte, size int) {
+func (t *TCPTracker) TrackInbound(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, flags uint8, ruleID []byte, size int) {
 	t.track(srcIP, dstIP, srcPort, dstPort, flags, nftypes.Ingress, ruleID, size)
 }

 // track is the common implementation for tracking both inbound and outbound connections
-func (t *TCPTracker) track(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, direction nftypes.Direction, ruleID []byte, size int) {
+func (t *TCPTracker) track(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, flags uint8, direction nftypes.Direction, ruleID []byte, size int) {
 	key, exists := t.updateIfExists(srcIP, dstIP, srcPort, dstPort, flags, direction, size)
-	if exists || flags&TCPSyn == 0 {
+	if exists {
 		return
 	}

@@ -208,11 +205,12 @@ func (t *TCPTracker) track(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, fla
 		DestPort:   dstPort,
 	}

+	conn.established.Store(false)
 	conn.tombstone.Store(false)
-	conn.state.Store(int32(TCPStateNew))

 	t.logger.Trace("New %s TCP connection: %s", direction, key)
-	t.updateState(key, conn, flags, direction, size)
+	t.updateState(key, conn, flags, direction == nftypes.Egress)
+	conn.UpdateCounters(direction, size)

 	t.mutex.Lock()
 	t.connections[key] = conn
@@ -222,7 +220,7 @@ func (t *TCPTracker) track(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, fla
 }

 // IsValidInbound checks if an inbound TCP packet matches a tracked connection
-func (t *TCPTracker) IsValidInbound(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, size int) bool {
+func (t *TCPTracker) IsValidInbound(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, flags uint8, size int) bool {
 	key := ConnKey{
 		SrcIP:   dstIP,
 		DstIP:   srcIP,
@@ -234,125 +232,134 @@ func (t *TCPTracker) IsValidInbound(srcIP, dstIP netip.Addr, srcPort, dstPort ui
 	conn, exists := t.connections[key]
 	t.mutex.RUnlock()

-	if !exists || conn.IsTombstone() {
+	if !exists {
 		return false
 	}

-	currentState := conn.GetState()
-	if !t.isValidStateForFlags(currentState, flags) {
-		t.logger.Warn("TCP state %s is not valid with flags %x for connection %s", currentState, flags, key)
-		// allow all flags for established for now
-		if currentState == TCPStateEstablished {
-			return true
-		}
-		return false
+	// Handle RST flag specially - it always causes transition to closed
+	if flags&TCPRst != 0 {
+		return t.handleRst(key, conn, size)
 	}

-	t.updateState(key, conn, flags, nftypes.Ingress, size)
+	conn.Lock()
+	t.updateState(key, conn, flags, false)
+	isEstablished := conn.IsEstablished()
+	isValidState := t.isValidStateForFlags(conn.State, flags)
+	conn.Unlock()
+	conn.UpdateCounters(nftypes.Ingress, size)
+
+	return isEstablished || isValidState
+}
+
+func (t *TCPTracker) handleRst(key ConnKey, conn *TCPConnTrack, size int) bool {
+	if conn.IsTombstone() {
+		return true
+	}
+
+	conn.Lock()
+	conn.SetTombstone()
+	conn.State = TCPStateClosed
+	conn.SetEstablished(false)
+	conn.Unlock()
+	conn.UpdateCounters(nftypes.Ingress, size)
+
+	t.logger.Trace("TCP connection reset: %s", key)
+	t.sendEvent(nftypes.TypeEnd, conn, nil)
 	return true
 }

 // updateState updates the TCP connection state based on flags
-func (t *TCPTracker) updateState(key ConnKey, conn *TCPConnTrack, flags uint8, packetDir nftypes.Direction, size int) {
+func (t *TCPTracker) updateState(key ConnKey, conn *TCPConnTrack, flags uint8, isOutbound bool) {
 	conn.UpdateLastSeen()
-	conn.UpdateCounters(packetDir, size)

-	currentState := conn.GetState()
-
-	if flags&TCPRst != 0 {
-		if conn.CompareAndSwapState(currentState, TCPStateClosed) {
-			conn.SetTombstone()
-			t.logger.Trace("TCP connection reset: %s (dir: %s) [in: %d Pkts/%d B, out: %d Pkts/%d B]",
-				key, packetDir, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
-			t.sendEvent(nftypes.TypeEnd, conn, nil)
+	state := conn.State
+	defer func() {
+		if state != conn.State {
+			t.logger.Trace("TCP connection %s transitioned from %s to %s", key, state, conn.State)
 		}
-		return
-	}
+	}()

-	var newState TCPState
-	switch currentState {
+	switch state {
 	case TCPStateNew:
 		if flags&TCPSyn != 0 && flags&TCPAck == 0 {
-			if conn.Direction == nftypes.Egress {
-				newState = TCPStateSynSent
-			} else {
-				newState = TCPStateSynReceived
-			}
+			conn.State = TCPStateSynSent
 		}

 	case TCPStateSynSent:
 		if flags&TCPSyn != 0 && flags&TCPAck != 0 {
-			if packetDir != conn.Direction {
-				newState = TCPStateEstablished
+			if isOutbound {
+				conn.State = TCPStateEstablished
+				conn.SetEstablished(true)
 			} else {
 				// Simultaneous open
-				newState = TCPStateSynReceived
+				conn.State = TCPStateSynReceived
 			}
 		}

 	case TCPStateSynReceived:
 		if flags&TCPAck != 0 && flags&TCPSyn == 0 {
-			if packetDir == conn.Direction {
-				newState = TCPStateEstablished
-			}
+			conn.State = TCPStateEstablished
+			conn.SetEstablished(true)
 		}

 	case TCPStateEstablished:
 		if flags&TCPFin != 0 {
-			if packetDir == conn.Direction {
-				newState = TCPStateFinWait1
+			if isOutbound {
+				conn.State = TCPStateFinWait1
 			} else {
-				newState = TCPStateCloseWait
+				conn.State = TCPStateCloseWait
 			}
+			conn.SetEstablished(false)
+		} else if flags&TCPRst != 0 {
+			conn.State = TCPStateClosed
+			conn.SetTombstone()
+			t.sendEvent(nftypes.TypeEnd, conn, nil)
 		}

 	case TCPStateFinWait1:
-		if packetDir != conn.Direction {
-			switch {
-			case flags&TCPFin != 0 && flags&TCPAck != 0:
-				newState = TCPStateClosing
-			case flags&TCPFin != 0:
-				newState = TCPStateClosing
-			case flags&TCPAck != 0:
-				newState = TCPStateFinWait2
-			}
+		switch {
+		case flags&TCPFin != 0 && flags&TCPAck != 0:
+			conn.State = TCPStateClosing
+		case flags&TCPFin != 0:
+			conn.State = TCPStateFinWait2
+		case flags&TCPAck != 0:
+			conn.State = TCPStateFinWait2
+		case flags&TCPRst != 0:
+			conn.State = TCPStateClosed
+			conn.SetTombstone()
+			t.sendEvent(nftypes.TypeEnd, conn, nil)
 		}

 	case TCPStateFinWait2:
 		if flags&TCPFin != 0 {
-			newState = TCPStateTimeWait
+			conn.State = TCPStateTimeWait
+
+			t.logger.Trace("TCP connection %s completed", key)
+			t.sendEvent(nftypes.TypeEnd, conn, nil)
 		}

 	case TCPStateClosing:
 		if flags&TCPAck != 0 {
-			newState = TCPStateTimeWait
+			conn.State = TCPStateTimeWait
+			// Keep established = false from previous state
+
+			t.logger.Trace("TCP connection %s closed (simultaneous)", key)
+			t.sendEvent(nftypes.TypeEnd, conn, nil)
 		}

 	case TCPStateCloseWait:
 		if flags&TCPFin != 0 {
-			newState = TCPStateLastAck
+			conn.State = TCPStateLastAck
 		}

 	case TCPStateLastAck:
 		if flags&TCPAck != 0 {
-			newState = TCPStateClosed
-		}
-	}
-
-	if newState != 0 && conn.CompareAndSwapState(currentState, newState) {
-		t.logger.Trace("TCP connection %s transitioned from %s to %s (dir: %s)", key, currentState, newState, packetDir)
-
-		switch newState {
-		case TCPStateTimeWait:
-			t.logger.Trace("TCP connection %s completed [in: %d Pkts/%d B, out: %d Pkts/%d B]",
-				key, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
-			t.sendEvent(nftypes.TypeEnd, conn, nil)
-
-		case TCPStateClosed:
+			conn.State = TCPStateClosed
 			conn.SetTombstone()
-			t.logger.Trace("TCP connection %s closed gracefully [in: %d Pkts/%d, B out: %d Pkts/%d B]",
-				key, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
+
+			// Send close event for gracefully closed connections
 			t.sendEvent(nftypes.TypeEnd, conn, nil)
+			t.logger.Trace("TCP connection %s closed gracefully", key)
 		}
 	}
 }
@@ -362,22 +369,18 @@ func (t *TCPTracker) isValidStateForFlags(state TCPState, flags uint8) bool {
 	if !isValidFlagCombination(flags) {
 		return false
 	}
-	if flags&TCPRst != 0 {
-		if state == TCPStateSynSent {
-			return flags&TCPAck != 0
-		}
-		return true
-	}

 	switch state {
 	case TCPStateNew:
 		return flags&TCPSyn != 0 && flags&TCPAck == 0
 	case TCPStateSynSent:
-		// TODO: support simultaneous open
 		return flags&TCPSyn != 0 && flags&TCPAck != 0
 	case TCPStateSynReceived:
 		return flags&TCPAck != 0
 	case TCPStateEstablished:
+		if flags&TCPRst != 0 {
+			return true
+		}
 		return flags&TCPAck != 0
 	case TCPStateFinWait1:
 		return flags&TCPFin != 0 || flags&TCPAck != 0
@@ -394,7 +397,9 @@ func (t *TCPTracker) isValidStateForFlags(state TCPState, flags uint8) bool {
 	case TCPStateLastAck:
 		return flags&TCPAck != 0
 	case TCPStateClosed:
-		// Accept retransmitted ACKs in closed state, the final ACK might be lost and the peer will retransmit their FIN-ACK
+		// Accept retransmitted ACKs in closed state
+		// This is important because the final ACK might be lost
+		// and the peer will retransmit their FIN-ACK
 		return flags&TCPAck != 0
 	}
 	return false
@@ -425,24 +430,23 @@ func (t *TCPTracker) cleanup() {
 		}

 		var timeout time.Duration
-		currentState := conn.GetState()
-		switch currentState {
-		case TCPStateTimeWait:
-			timeout = t.waitTimeout
-		case TCPStateEstablished:
+		switch {
+		case conn.State == TCPStateTimeWait:
+			timeout = TimeWaitTimeout
+		case conn.IsEstablished():
 			timeout = t.timeout
 		default:
 			timeout = TCPHandshakeTimeout
 		}

 		if conn.timeoutExceeded(timeout) {
+			// Return IPs to pool
 			delete(t.connections, key)

-			t.logger.Trace("Cleaned up timed-out TCP connection %s (%s) [in: %d Pkts/%d, B out: %d Pkts/%d B]",
-				key, conn.GetState(), conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
+			t.logger.Trace("Cleaned up timed-out TCP connection %s", key)

 			// event already handled by state change
-			if currentState != TCPStateTimeWait {
+			if conn.State != TCPStateTimeWait {
 				t.sendEvent(nftypes.TypeEnd, conn, nil)
 			}
 		}
--- a/client/firewall/uspfilter/conntrack/tcp_bench_test.go
+++ b/client/firewall/uspfilter/conntrack/tcp_bench_test.go
@@ -1,83 +0,0 @@
-package conntrack
-
-import (
-	"net/netip"
-	"testing"
-	"time"
-)
-
-func BenchmarkTCPTracker(b *testing.B) {
-	b.Run("TrackOutbound", func(b *testing.B) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		srcIP := netip.MustParseAddr("192.168.1.1")
-		dstIP := netip.MustParseAddr("192.168.1.2")
-
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			tracker.TrackOutbound(srcIP, dstIP, uint16(i%65535), 80, TCPSyn, 0)
-		}
-	})
-
-	b.Run("IsValidInbound", func(b *testing.B) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		srcIP := netip.MustParseAddr("192.168.1.1")
-		dstIP := netip.MustParseAddr("192.168.1.2")
-
-		// Pre-populate some connections
-		for i := 0; i < 1000; i++ {
-			tracker.TrackOutbound(srcIP, dstIP, uint16(i), 80, TCPSyn, 0)
-		}
-
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			tracker.IsValidInbound(dstIP, srcIP, 80, uint16(i%1000), TCPAck|TCPSyn, 0)
-		}
-	})
-
-	b.Run("ConcurrentAccess", func(b *testing.B) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		srcIP := netip.MustParseAddr("192.168.1.1")
-		dstIP := netip.MustParseAddr("192.168.1.2")
-
-		b.RunParallel(func(pb *testing.PB) {
-			i := 0
-			for pb.Next() {
-				if i%2 == 0 {
-					tracker.TrackOutbound(srcIP, dstIP, uint16(i%65535), 80, TCPSyn, 0)
-				} else {
-					tracker.IsValidInbound(dstIP, srcIP, 80, uint16(i%65535), TCPAck|TCPSyn, 0)
-				}
-				i++
-			}
-		})
-	})
-}
-
-// Benchmark connection cleanup
-func BenchmarkCleanup(b *testing.B) {
-	b.Run("TCPCleanup", func(b *testing.B) {
-		tracker := NewTCPTracker(100*time.Millisecond, logger, flowLogger)
-		defer tracker.Close()
-
-		// Pre-populate with expired connections
-		srcIP := netip.MustParseAddr("192.168.1.1")
-		dstIP := netip.MustParseAddr("192.168.1.2")
-		for i := 0; i < 10000; i++ {
-			tracker.TrackOutbound(srcIP, dstIP, uint16(i), 80, TCPSyn, 0)
-		}
-
-		// Wait for connections to expire
-		time.Sleep(200 * time.Millisecond)
-
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			tracker.cleanup()
-		}
-	})
-}
--- a/client/firewall/uspfilter/conntrack/tcp_test.go
+++ b/client/firewall/uspfilter/conntrack/tcp_test.go
@@ -5,7 +5,6 @@ import (
 	"testing"
 	"time"

-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

@@ -125,6 +124,9 @@ func TestTCPStateMachine(t *testing.T) {
 					// Receive RST
 					valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPRst, 0)
 					require.True(t, valid, "RST should be allowed for established connection")
+
+					// Connection is logically dead but we don't enforce blocking subsequent packets
+					// The connection will be cleaned up by timeout
 				},
 			},
 			{
@@ -215,446 +217,97 @@ func TestRSTHandling(t *testing.T) {
 			conn := tracker.connections[key]
 			if tt.wantValid {
 				require.NotNil(t, conn)
-				require.Equal(t, TCPStateClosed, conn.GetState())
+				require.Equal(t, TCPStateClosed, conn.State)
+				require.False(t, conn.IsEstablished())
 			}
 		})
 	}
 }

-func TestTCPRetransmissions(t *testing.T) {
-	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-	defer tracker.Close()
-
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-
-	// Test SYN retransmission
-	t.Run("SYN Retransmission", func(t *testing.T) {
-		// Initial SYN
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 0)
-
-		// Retransmit SYN (should not affect the state machine)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 0)
-
-		// Verify we're still in SYN-SENT state
-		key := ConnKey{
-			SrcIP:   srcIP,
-			DstIP:   dstIP,
-			SrcPort: srcPort,
-			DstPort: dstPort,
-		}
-		conn := tracker.connections[key]
-		require.NotNil(t, conn)
-		require.Equal(t, TCPStateSynSent, conn.GetState())
-
-		// Complete the handshake
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 0)
-		require.True(t, valid)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-
-		// Verify we're in ESTABLISHED state
-		require.Equal(t, TCPStateEstablished, conn.GetState())
-	})
-
-	// Test ACK retransmission in established state
-	t.Run("ACK Retransmission", func(t *testing.T) {
-		tracker = NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-
-		// Establish connection
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-		// Get connection object
-		key := ConnKey{
-			SrcIP:   srcIP,
-			DstIP:   dstIP,
-			SrcPort: srcPort,
-			DstPort: dstPort,
-		}
-		conn := tracker.connections[key]
-		require.NotNil(t, conn)
-		require.Equal(t, TCPStateEstablished, conn.GetState())
-
-		// Retransmit ACK
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-
-		// State should remain ESTABLISHED
-		require.Equal(t, TCPStateEstablished, conn.GetState())
-	})
-
-	// Test FIN retransmission
-	t.Run("FIN Retransmission", func(t *testing.T) {
-		tracker = NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-
-		// Establish connection
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-		// Get connection object
-		key := ConnKey{
-			SrcIP:   srcIP,
-			DstIP:   dstIP,
-			SrcPort: srcPort,
-			DstPort: dstPort,
-		}
-		conn := tracker.connections[key]
-		require.NotNil(t, conn)
-
-		// Send FIN
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-		require.Equal(t, TCPStateFinWait1, conn.GetState())
-
-		// Retransmit FIN (should not change state)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-		require.Equal(t, TCPStateFinWait1, conn.GetState())
-
-		// Receive ACK for FIN
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		require.True(t, valid)
-		require.Equal(t, TCPStateFinWait2, conn.GetState())
-	})
-}
-
-func TestTCPDataTransfer(t *testing.T) {
-	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-	defer tracker.Close()
-
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-
-	t.Run("Data Transfer", func(t *testing.T) {
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-		// Get connection object
-		key := ConnKey{
-			SrcIP:   srcIP,
-			DstIP:   dstIP,
-			SrcPort: srcPort,
-			DstPort: dstPort,
-		}
-		conn := tracker.connections[key]
-		require.NotNil(t, conn)
-
-		// Send data
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPPush|TCPAck, 1000)
-
-		// Receive ACK for data
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 100)
-		require.True(t, valid)
-
-		// Receive data
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPPush|TCPAck, 1500)
-		require.True(t, valid)
-
-		// Send ACK for received data
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 100)
-
-		// State should remain ESTABLISHED
-		require.Equal(t, TCPStateEstablished, conn.GetState())
-
-		assert.Equal(t, uint64(1300), conn.BytesTx.Load())
-		assert.Equal(t, uint64(1700), conn.BytesRx.Load())
-		assert.Equal(t, uint64(4), conn.PacketsTx.Load())
-		assert.Equal(t, uint64(3), conn.PacketsRx.Load())
-	})
-}
-
-func TestTCPHalfClosedConnections(t *testing.T) {
-	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-	defer tracker.Close()
-
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-
-	// Test half-closed connection: local end closes, remote end continues sending data
-	t.Run("Local Close, Remote Data", func(t *testing.T) {
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-		key := ConnKey{
-			SrcIP:   srcIP,
-			DstIP:   dstIP,
-			SrcPort: srcPort,
-			DstPort: dstPort,
-		}
-		conn := tracker.connections[key]
-		require.NotNil(t, conn)
-
-		// Send FIN
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-		require.Equal(t, TCPStateFinWait1, conn.GetState())
-
-		// Receive ACK for FIN
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		require.True(t, valid)
-		require.Equal(t, TCPStateFinWait2, conn.GetState())
-
-		// Remote end can still send data
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPPush|TCPAck, 1000)
-		require.True(t, valid)
-
-		// We can still ACK their data
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-
-		// Receive FIN from remote end
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-		require.True(t, valid)
-		require.Equal(t, TCPStateTimeWait, conn.GetState())
-
-		// Send final ACK
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-
-		// State should remain TIME-WAIT (waiting for possible retransmissions)
-		require.Equal(t, TCPStateTimeWait, conn.GetState())
-	})
-
-	// Test half-closed connection: remote end closes, local end continues sending data
-	t.Run("Remote Close, Local Data", func(t *testing.T) {
-		tracker = NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-
-		// Establish connection
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-		// Get connection object
-		key := ConnKey{
-			SrcIP:   srcIP,
-			DstIP:   dstIP,
-			SrcPort: srcPort,
-			DstPort: dstPort,
-		}
-		conn := tracker.connections[key]
-		require.NotNil(t, conn)
-
-		// Receive FIN from remote
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-		require.True(t, valid)
-		require.Equal(t, TCPStateCloseWait, conn.GetState())
-
-		// We can still send data
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPPush|TCPAck, 1000)
-
-		// Remote can still ACK our data
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		require.True(t, valid)
-
-		// Send our FIN
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-		require.Equal(t, TCPStateLastAck, conn.GetState())
-
-		// Receive final ACK
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		require.True(t, valid)
-		require.Equal(t, TCPStateClosed, conn.GetState())
-	})
-}
-
-func TestTCPAbnormalSequences(t *testing.T) {
-	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-	defer tracker.Close()
-
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-
-	// Test handling of unsolicited RST in various states
-	t.Run("Unsolicited RST in SYN-SENT", func(t *testing.T) {
-		// Send SYN
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 0)
-
-		// Receive unsolicited RST (without proper ACK)
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPRst, 0)
-		require.False(t, valid, "RST without proper ACK in SYN-SENT should be rejected")
-
-		// Receive RST with proper ACK
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPRst|TCPAck, 0)
-		require.True(t, valid, "RST with proper ACK in SYN-SENT should be accepted")
-
-		key := ConnKey{
-			SrcIP:   srcIP,
-			DstIP:   dstIP,
-			SrcPort: srcPort,
-			DstPort: dstPort,
-		}
-		conn := tracker.connections[key]
-		require.Equal(t, TCPStateClosed, conn.GetState())
-		require.True(t, conn.IsTombstone())
-	})
-}
-
-func TestTCPTimeoutHandling(t *testing.T) {
-	// Create tracker with a very short timeout for testing
-	shortTimeout := 100 * time.Millisecond
-	tracker := NewTCPTracker(shortTimeout, logger, flowLogger)
-	defer tracker.Close()
-
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-
-	t.Run("Connection Timeout", func(t *testing.T) {
-		// Establish a connection
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-		// Get connection object
-		key := ConnKey{
-			SrcIP:   srcIP,
-			DstIP:   dstIP,
-			SrcPort: srcPort,
-			DstPort: dstPort,
-		}
-		conn := tracker.connections[key]
-		require.NotNil(t, conn)
-		require.Equal(t, TCPStateEstablished, conn.GetState())
-
-		// Wait for the connection to timeout
-		time.Sleep(2 * shortTimeout)
-
-		// Force cleanup
-		tracker.cleanup()
-
-		// Connection should be removed
-		_, exists := tracker.connections[key]
-		require.False(t, exists, "Connection should be removed after timeout")
-	})
-
-	t.Run("TIME_WAIT Timeout", func(t *testing.T) {
-		tracker = NewTCPTracker(shortTimeout, logger, flowLogger)
-
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-		key := ConnKey{
-			SrcIP:   srcIP,
-			DstIP:   dstIP,
-			SrcPort: srcPort,
-			DstPort: dstPort,
-		}
-		conn := tracker.connections[key]
-		require.NotNil(t, conn)
-
-		// Complete the connection close to enter TIME_WAIT
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-
-		require.Equal(t, TCPStateTimeWait, conn.GetState())
-
-		// TIME_WAIT should have its own timeout value (usually 2*MSL)
-		// For the test, we're using a short timeout
-		time.Sleep(2 * shortTimeout)
-
-		tracker.cleanup()
-
-		// Connection should be removed
-		_, exists := tracker.connections[key]
-		require.False(t, exists, "Connection should be removed after TIME_WAIT timeout")
-	})
-}
-
-func TestSynFlood(t *testing.T) {
-	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-	defer tracker.Close()
-
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	basePort := uint16(10000)
-	dstPort := uint16(80)
-
-	// Create a large number of SYN packets to simulate a SYN flood
-	for i := uint16(0); i < 1000; i++ {
-		tracker.TrackOutbound(srcIP, dstIP, basePort+i, dstPort, TCPSyn, 0)
-	}
-
-	// Check that we're tracking all connections
-	require.Equal(t, 1000, len(tracker.connections))
-
-	// Now simulate SYN timeout
-	var oldConns int
-	tracker.mutex.Lock()
-	for _, conn := range tracker.connections {
-		if conn.GetState() == TCPStateSynSent {
-			// Make the connection appear old
-			conn.lastSeen.Store(time.Now().Add(-TCPHandshakeTimeout - time.Second).UnixNano())
-			oldConns++
-		}
-	}
-	tracker.mutex.Unlock()
-	require.Equal(t, 1000, oldConns)
-
-	// Run cleanup
-	tracker.cleanup()
-
-	// Check that stale connections were cleaned up
-	require.Equal(t, 0, len(tracker.connections))
-}
-
-func TestTCPInboundInitiatedConnection(t *testing.T) {
-	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-	defer tracker.Close()
-
-	clientIP := netip.MustParseAddr("100.64.0.1")
-	serverIP := netip.MustParseAddr("100.64.0.2")
-	clientPort := uint16(12345)
-	serverPort := uint16(80)
-
-	// 1. Client sends SYN (we receive it as inbound)
-	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPSyn, nil, 100)
-
-	key := ConnKey{
-		SrcIP:   clientIP,
-		DstIP:   serverIP,
-		SrcPort: clientPort,
-		DstPort: serverPort,
-	}
-
-	tracker.mutex.RLock()
-	conn := tracker.connections[key]
-	tracker.mutex.RUnlock()
-
-	require.NotNil(t, conn)
-	require.Equal(t, TCPStateSynReceived, conn.GetState(), "Connection should be in SYN-RECEIVED state after inbound SYN")
-
-	// 2. Server sends SYN-ACK response
-	tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPSyn|TCPAck, 100)
-
-	// 3. Client sends ACK to complete handshake
-	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100)
-	require.Equal(t, TCPStateEstablished, conn.GetState(), "Connection should be ESTABLISHED after handshake completion")
-
-	// 4. Test data transfer
-	// Client sends data
-	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPPush|TCPAck, nil, 1000)
-
-	// Server sends ACK for data
-	tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPAck, 100)
-
-	// Server sends data
-	tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPPush|TCPAck, 1500)
-
-	// Client sends ACK for data
-	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100)
-
-	// Verify state and counters
-	require.Equal(t, TCPStateEstablished, conn.GetState())
-	assert.Equal(t, uint64(1300), conn.BytesRx.Load()) // 3 packets * 100 + 1000 data
-	assert.Equal(t, uint64(1700), conn.BytesTx.Load()) // 2 packets * 100 + 1500 data
-	assert.Equal(t, uint64(4), conn.PacketsRx.Load())  // SYN, ACK, Data
-	assert.Equal(t, uint64(3), conn.PacketsTx.Load())  // SYN-ACK, Data
-}
-
 // Helper to establish a TCP connection
 func establishConnection(t *testing.T, tracker *TCPTracker, srcIP, dstIP netip.Addr, srcPort, dstPort uint16) {
 	t.Helper()

-	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 100)
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 0)

-	valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 100)
+	valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 0)
 	require.True(t, valid, "SYN-ACK should be allowed")

-	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 100)
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
+}
+
+func BenchmarkTCPTracker(b *testing.B) {
+	b.Run("TrackOutbound", func(b *testing.B) {
+		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+		defer tracker.Close()
+
+		srcIP := netip.MustParseAddr("192.168.1.1")
+		dstIP := netip.MustParseAddr("192.168.1.2")
+
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			tracker.TrackOutbound(srcIP, dstIP, uint16(i%65535), 80, TCPSyn, 0)
+		}
+	})
+
+	b.Run("IsValidInbound", func(b *testing.B) {
+		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+		defer tracker.Close()
+
+		srcIP := netip.MustParseAddr("192.168.1.1")
+		dstIP := netip.MustParseAddr("192.168.1.2")
+
+		// Pre-populate some connections
+		for i := 0; i < 1000; i++ {
+			tracker.TrackOutbound(srcIP, dstIP, uint16(i), 80, TCPSyn, 0)
+		}
+
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			tracker.IsValidInbound(dstIP, srcIP, 80, uint16(i%1000), TCPAck, 0)
+		}
+	})
+
+	b.Run("ConcurrentAccess", func(b *testing.B) {
+		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+		defer tracker.Close()
+
+		srcIP := netip.MustParseAddr("192.168.1.1")
+		dstIP := netip.MustParseAddr("192.168.1.2")
+
+		b.RunParallel(func(pb *testing.PB) {
+			i := 0
+			for pb.Next() {
+				if i%2 == 0 {
+					tracker.TrackOutbound(srcIP, dstIP, uint16(i%65535), 80, TCPSyn, 0)
+				} else {
+					tracker.IsValidInbound(dstIP, srcIP, 80, uint16(i%65535), TCPAck, 0)
+				}
+				i++
+			}
+		})
+	})
+}
+
+// Benchmark connection cleanup
+func BenchmarkCleanup(b *testing.B) {
+	b.Run("TCPCleanup", func(b *testing.B) {
+		tracker := NewTCPTracker(100*time.Millisecond, logger, flowLogger) // Short timeout for testing
+		defer tracker.Close()
+
+		// Pre-populate with expired connections
+		srcIP := netip.MustParseAddr("192.168.1.1")
+		dstIP := netip.MustParseAddr("192.168.1.2")
+		for i := 0; i < 10000; i++ {
+			tracker.TrackOutbound(srcIP, dstIP, uint16(i), 80, TCPSyn, 0)
+		}
+
+		// Wait for connections to expire
+		time.Sleep(200 * time.Millisecond)
+
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			tracker.cleanup()
+		}
+	})
 }
--- a/client/firewall/uspfilter/conntrack/udp.go
+++ b/client/firewall/uspfilter/conntrack/udp.go
@@ -165,7 +165,7 @@ func (t *UDPTracker) cleanup() {
 		if conn.timeoutExceeded(t.timeout) {
 			delete(t.connections, key)

-			t.logger.Trace("Removed UDP connection %s (timeout) [in: %d Pkts/%d B, out: %d Pkts/%d B]",
+			t.logger.Trace("Removed UDP connection %s (timeout) [in: %d Pkts/%d B out: %d Pkts/%d B]",
 				key, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
 			t.sendEvent(nftypes.TypeEnd, conn, nil)
 		}
--- a/client/firewall/uspfilter/forwarder/forwarder.go
+++ b/client/firewall/uspfilter/forwarder/forwarder.go
@@ -4,9 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net"
-	"net/netip"
 	"runtime"
-	"sync"

 	log "github.com/sirupsen/logrus"
 	"gvisor.dev/gvisor/pkg/buffer"
@@ -19,7 +17,6 @@ import (
 	"gvisor.dev/gvisor/pkg/tcpip/transport/udp"

 	"github.com/netbirdio/netbird/client/firewall/uspfilter/common"
-	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
 	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 )
@@ -32,10 +29,8 @@ const (
 )

 type Forwarder struct {
-	logger     *nblog.Logger
-	flowLogger nftypes.FlowLogger
-	// ruleIdMap is used to store the rule ID for a given connection
-	ruleIdMap    sync.Map
+	logger       *nblog.Logger
+	flowLogger   nftypes.FlowLogger
 	stack        *stack.Stack
 	endpoint     *endpoint
 	udpForwarder *udpForwarder
@@ -172,35 +167,3 @@ func (f *Forwarder) determineDialAddr(addr tcpip.Address) net.IP {
 	}
 	return addr.AsSlice()
 }
-
-func (f *Forwarder) RegisterRuleID(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, ruleID []byte) {
-	key := buildKey(srcIP, dstIP, srcPort, dstPort)
-	f.ruleIdMap.LoadOrStore(key, ruleID)
-}
-
-func (f *Forwarder) getRuleID(srcIP, dstIP netip.Addr, srcPort, dstPort uint16) ([]byte, bool) {
-
-	if value, ok := f.ruleIdMap.Load(buildKey(srcIP, dstIP, srcPort, dstPort)); ok {
-		return value.([]byte), true
-	} else if value, ok := f.ruleIdMap.Load(buildKey(dstIP, srcIP, dstPort, srcPort)); ok {
-		return value.([]byte), true
-	}
-
-	return nil, false
-}
-
-func (f *Forwarder) DeleteRuleID(srcIP, dstIP netip.Addr, srcPort, dstPort uint16) {
-	if _, ok := f.ruleIdMap.LoadAndDelete(buildKey(srcIP, dstIP, srcPort, dstPort)); ok {
-		return
-	}
-	f.ruleIdMap.LoadAndDelete(buildKey(dstIP, srcIP, dstPort, srcPort))
-}
-
-func buildKey(srcIP, dstIP netip.Addr, srcPort, dstPort uint16) conntrack.ConnKey {
-	return conntrack.ConnKey{
-		SrcIP:   srcIP,
-		DstIP:   dstIP,
-		SrcPort: srcPort,
-		DstPort: dstPort,
-	}
-}
--- a/client/firewall/uspfilter/forwarder/icmp.go
+++ b/client/firewall/uspfilter/forwarder/icmp.go
@@ -25,7 +25,7 @@ func (f *Forwarder) handleICMP(id stack.TransportEndpointID, pkt stack.PacketBuf
 	}

 	flowID := uuid.New()
-	f.sendICMPEvent(nftypes.TypeStart, flowID, id, icmpType, icmpCode, 0, 0)
+	f.sendICMPEvent(nftypes.TypeStart, flowID, id, icmpType, icmpCode)

 	ctx, cancel := context.WithTimeout(f.ctx, 5*time.Second)
 	defer cancel()
@@ -34,14 +34,14 @@ func (f *Forwarder) handleICMP(id stack.TransportEndpointID, pkt stack.PacketBuf
 	// TODO: support non-root
 	conn, err := lc.ListenPacket(ctx, "ip4:icmp", "0.0.0.0")
 	if err != nil {
-		f.logger.Error("forwarder: Failed to create ICMP socket for %v: %v", epID(id), err)
+		f.logger.Error("Failed to create ICMP socket for %v: %v", epID(id), err)

 		// This will make netstack reply on behalf of the original destination, that's ok for now
 		return false
 	}
 	defer func() {
 		if err := conn.Close(); err != nil {
-			f.logger.Debug("forwarder: Failed to close ICMP socket: %v", err)
+			f.logger.Debug("Failed to close ICMP socket: %v", err)
 		}
 	}()

@@ -52,37 +52,36 @@ func (f *Forwarder) handleICMP(id stack.TransportEndpointID, pkt stack.PacketBuf
 	payload := fullPacket.AsSlice()

 	if _, err = conn.WriteTo(payload, dst); err != nil {
-		f.logger.Error("forwarder: Failed to write ICMP packet for %v: %v", epID(id), err)
+		f.logger.Error("Failed to write ICMP packet for %v: %v", epID(id), err)
 		return true
 	}

-	f.logger.Trace("forwarder: Forwarded ICMP packet %v type %v code %v",
+	f.logger.Trace("Forwarded ICMP packet %v type %v code %v",
 		epID(id), icmpHdr.Type(), icmpHdr.Code())

 	// For Echo Requests, send and handle response
 	if header.ICMPv4Type(icmpType) == header.ICMPv4Echo {
-		rxBytes := pkt.Size()
-		txBytes := f.handleEchoResponse(icmpHdr, conn, id)
-		f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
+		f.handleEchoResponse(icmpHdr, conn, id)
+		f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode)
 	}

 	// For other ICMP types (Time Exceeded, Destination Unreachable, etc) do nothing
 	return true
 }

-func (f *Forwarder) handleEchoResponse(icmpHdr header.ICMPv4, conn net.PacketConn, id stack.TransportEndpointID) int {
+func (f *Forwarder) handleEchoResponse(icmpHdr header.ICMPv4, conn net.PacketConn, id stack.TransportEndpointID) {
 	if err := conn.SetReadDeadline(time.Now().Add(5 * time.Second)); err != nil {
-		f.logger.Error("forwarder: Failed to set read deadline for ICMP response: %v", err)
-		return 0
+		f.logger.Error("Failed to set read deadline for ICMP response: %v", err)
+		return
 	}

 	response := make([]byte, f.endpoint.mtu)
 	n, _, err := conn.ReadFrom(response)
 	if err != nil {
 		if !isTimeout(err) {
-			f.logger.Error("forwarder: Failed to read ICMP response: %v", err)
+			f.logger.Error("Failed to read ICMP response: %v", err)
 		}
-		return 0
+		return
 	}

 	ipHdr := make([]byte, header.IPv4MinimumSize)
@@ -101,54 +100,28 @@ func (f *Forwarder) handleEchoResponse(icmpHdr header.ICMPv4, conn net.PacketCon
 	fullPacket = append(fullPacket, response[:n]...)

 	if err := f.InjectIncomingPacket(fullPacket); err != nil {
-		f.logger.Error("forwarder: Failed to inject ICMP response: %v", err)
+		f.logger.Error("Failed to inject ICMP response: %v", err)

-		return 0
+		return
 	}

-	f.logger.Trace("forwarder: Forwarded ICMP echo reply for %v type %v code %v",
+	f.logger.Trace("Forwarded ICMP echo reply for %v type %v code %v",
 		epID(id), icmpHdr.Type(), icmpHdr.Code())
-
-	return len(fullPacket)
 }

 // sendICMPEvent stores flow events for ICMP packets
-func (f *Forwarder) sendICMPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, icmpType, icmpCode uint8, rxBytes, txBytes uint64) {
-	var rxPackets, txPackets uint64
-	if rxBytes > 0 {
-		rxPackets = 1
-	}
-	if txBytes > 0 {
-		txPackets = 1
-	}
-
-	srcIp := netip.AddrFrom4(id.RemoteAddress.As4())
-	dstIp := netip.AddrFrom4(id.LocalAddress.As4())
-
-	fields := nftypes.EventFields{
+func (f *Forwarder) sendICMPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, icmpType, icmpCode uint8) {
+	f.flowLogger.StoreEvent(nftypes.EventFields{
 		FlowID:    flowID,
 		Type:      typ,
 		Direction: nftypes.Ingress,
 		Protocol:  nftypes.ICMP,
 		// TODO: handle ipv6
-		SourceIP: srcIp,
-		DestIP:   dstIp,
+		SourceIP: netip.AddrFrom4(id.RemoteAddress.As4()),
+		DestIP:   netip.AddrFrom4(id.LocalAddress.As4()),
 		ICMPType: icmpType,
 		ICMPCode: icmpCode,

-		RxBytes:   rxBytes,
-		TxBytes:   txBytes,
-		RxPackets: rxPackets,
-		TxPackets: txPackets,
-	}
-
-	if typ == nftypes.TypeStart {
-		if ruleId, ok := f.getRuleID(srcIp, dstIp, id.RemotePort, id.LocalPort); ok {
-			fields.RuleID = ruleId
-		}
-	} else {
-		f.DeleteRuleID(srcIp, dstIp, id.RemotePort, id.LocalPort)
-	}
-
-	f.flowLogger.StoreEvent(fields)
+		// TODO: get packets/bytes
+	})
 }
--- a/client/firewall/uspfilter/forwarder/tcp.go
+++ b/client/firewall/uspfilter/forwarder/tcp.go
@@ -6,10 +6,8 @@ import (
 	"io"
 	"net"
 	"net/netip"
-	"sync"

 	"github.com/google/uuid"
-
 	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/tcpip/adapters/gonet"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
@@ -25,11 +23,11 @@ func (f *Forwarder) handleTCP(r *tcp.ForwarderRequest) {

 	flowID := uuid.New()

-	f.sendTCPEvent(nftypes.TypeStart, flowID, id, 0, 0, 0, 0)
+	f.sendTCPEvent(nftypes.TypeStart, flowID, id, nil)
 	var success bool
 	defer func() {
 		if !success {
-			f.sendTCPEvent(nftypes.TypeEnd, flowID, id, 0, 0, 0, 0)
+			f.sendTCPEvent(nftypes.TypeEnd, flowID, id, nil)
 		}
 	}()

@@ -67,97 +65,67 @@ func (f *Forwarder) handleTCP(r *tcp.ForwarderRequest) {
 }

 func (f *Forwarder) proxyTCP(id stack.TransportEndpointID, inConn *gonet.TCPConn, outConn net.Conn, ep tcpip.Endpoint, flowID uuid.UUID) {
+	defer func() {
+		if err := inConn.Close(); err != nil {
+			f.logger.Debug("forwarder: inConn close error: %v", err)
+		}
+		if err := outConn.Close(); err != nil {
+			f.logger.Debug("forwarder: outConn close error: %v", err)
+		}
+		ep.Close()

+		f.sendTCPEvent(nftypes.TypeEnd, flowID, id, ep)
+	}()
+
+	// Create context for managing the proxy goroutines
 	ctx, cancel := context.WithCancel(f.ctx)
 	defer cancel()

-	go func() {
-		<-ctx.Done()
-		// Close connections and endpoint.
-		if err := inConn.Close(); err != nil && !isClosedError(err) {
-			f.logger.Debug("forwarder: inConn close error: %v", err)
-		}
-		if err := outConn.Close(); err != nil && !isClosedError(err) {
-			f.logger.Debug("forwarder: outConn close error: %v", err)
-		}
-
-		ep.Close()
-	}()
-
-	var wg sync.WaitGroup
-	wg.Add(2)
-
-	var (
-		bytesFromInToOut int64 // bytes from client to server (tx for client)
-		bytesFromOutToIn int64 // bytes from server to client (rx for client)
-		errInToOut       error
-		errOutToIn       error
-	)
+	errChan := make(chan error, 2)

 	go func() {
-		bytesFromInToOut, errInToOut = io.Copy(outConn, inConn)
-		cancel()
-		wg.Done()
+		_, err := io.Copy(outConn, inConn)
+		errChan <- err
 	}()

 	go func() {
-
-		bytesFromOutToIn, errOutToIn = io.Copy(inConn, outConn)
-		cancel()
-		wg.Done()
+		_, err := io.Copy(inConn, outConn)
+		errChan <- err
 	}()

-	wg.Wait()
-
-	if errInToOut != nil {
-		if !isClosedError(errInToOut) {
-			f.logger.Error("proxyTCP: copy error (in -> out): %v", errInToOut)
+	select {
+	case <-ctx.Done():
+		f.logger.Trace("forwarder: tearing down TCP connection %v due to context done", epID(id))
+		return
+	case err := <-errChan:
+		if err != nil && !isClosedError(err) {
+			f.logger.Error("proxyTCP: copy error: %v", err)
 		}
+		f.logger.Trace("forwarder: tearing down TCP connection %v", epID(id))
+		return
 	}
-	if errOutToIn != nil {
-		if !isClosedError(errOutToIn) {
-			f.logger.Error("proxyTCP: copy error (out -> in): %v", errOutToIn)
-		}
-	}
-
-	var rxPackets, txPackets uint64
-	if tcpStats, ok := ep.Stats().(*tcp.Stats); ok {
-		// fields are flipped since this is the in conn
-		rxPackets = tcpStats.SegmentsSent.Value()
-		txPackets = tcpStats.SegmentsReceived.Value()
-	}
-
-	f.logger.Trace("forwarder: Removed TCP connection %s [in: %d Pkts/%d B, out: %d Pkts/%d B]", epID(id), rxPackets, bytesFromOutToIn, txPackets, bytesFromInToOut)
-
-	f.sendTCPEvent(nftypes.TypeEnd, flowID, id, uint64(bytesFromOutToIn), uint64(bytesFromInToOut), rxPackets, txPackets)
 }

-func (f *Forwarder) sendTCPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, rxBytes, txBytes, rxPackets, txPackets uint64) {
-	srcIp := netip.AddrFrom4(id.RemoteAddress.As4())
-	dstIp := netip.AddrFrom4(id.LocalAddress.As4())
-
+func (f *Forwarder) sendTCPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, ep tcpip.Endpoint) {
 	fields := nftypes.EventFields{
 		FlowID:    flowID,
 		Type:      typ,
 		Direction: nftypes.Ingress,
 		Protocol:  nftypes.TCP,
 		// TODO: handle ipv6
-		SourceIP:   srcIp,
-		DestIP:     dstIp,
+		SourceIP:   netip.AddrFrom4(id.RemoteAddress.As4()),
+		DestIP:     netip.AddrFrom4(id.LocalAddress.As4()),
 		SourcePort: id.RemotePort,
 		DestPort:   id.LocalPort,
-		RxBytes:    rxBytes,
-		TxBytes:    txBytes,
-		RxPackets:  rxPackets,
-		TxPackets:  txPackets,
 	}

-	if typ == nftypes.TypeStart {
-		if ruleId, ok := f.getRuleID(srcIp, dstIp, id.RemotePort, id.LocalPort); ok {
-			fields.RuleID = ruleId
+	if ep != nil {
+		if tcpStats, ok := ep.Stats().(*tcp.Stats); ok {
+			// fields are flipped since this is the in conn
+			// TODO: get bytes
+			fields.RxPackets = tcpStats.SegmentsSent.Value()
+			fields.TxPackets = tcpStats.SegmentsReceived.Value()
 		}
-	} else {
-		f.DeleteRuleID(srcIp, dstIp, id.RemotePort, id.LocalPort)
 	}

 	f.flowLogger.StoreEvent(fields)
--- a/client/firewall/uspfilter/forwarder/udp.go
+++ b/client/firewall/uspfilter/forwarder/udp.go
@@ -149,11 +149,11 @@ func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) {

 	flowID := uuid.New()

-	f.sendUDPEvent(nftypes.TypeStart, flowID, id, 0, 0, 0, 0)
+	f.sendUDPEvent(nftypes.TypeStart, flowID, id, nil)
 	var success bool
 	defer func() {
 		if !success {
-			f.sendUDPEvent(nftypes.TypeEnd, flowID, id, 0, 0, 0, 0)
+			f.sendUDPEvent(nftypes.TypeEnd, flowID, id, nil)
 		}
 	}()

@@ -199,6 +199,7 @@ func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) {
 		if err := outConn.Close(); err != nil {
 			f.logger.Debug("forwarder: UDP outConn close error for %v: %v", epID(id), err)
 		}
+
 		return
 	}
 	f.udpForwarder.conns[id] = pConn
@@ -211,94 +212,68 @@ func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) {
 }

 func (f *Forwarder) proxyUDP(ctx context.Context, pConn *udpPacketConn, id stack.TransportEndpointID, ep tcpip.Endpoint) {
-
-	ctx, cancel := context.WithCancel(f.ctx)
-	defer cancel()
-
-	go func() {
-		<-ctx.Done()
-
+	defer func() {
 		pConn.cancel()
-		if err := pConn.conn.Close(); err != nil && !isClosedError(err) {
+		if err := pConn.conn.Close(); err != nil {
 			f.logger.Debug("forwarder: UDP inConn close error for %v: %v", epID(id), err)
 		}
-		if err := pConn.outConn.Close(); err != nil && !isClosedError(err) {
+		if err := pConn.outConn.Close(); err != nil {
 			f.logger.Debug("forwarder: UDP outConn close error for %v: %v", epID(id), err)
 		}

 		ep.Close()
+
+		f.udpForwarder.Lock()
+		delete(f.udpForwarder.conns, id)
+		f.udpForwarder.Unlock()
+
+		f.sendUDPEvent(nftypes.TypeEnd, pConn.flowID, id, ep)
 	}()

-	var wg sync.WaitGroup
-	wg.Add(2)
+	errChan := make(chan error, 2)

-	var txBytes, rxBytes int64
-	var outboundErr, inboundErr error
-
-	// outbound->inbound: copy from pConn.conn to pConn.outConn
 	go func() {
-		defer wg.Done()
-		txBytes, outboundErr = pConn.copy(ctx, pConn.conn, pConn.outConn, &f.udpForwarder.bufPool, "outbound->inbound")
+		errChan <- pConn.copy(ctx, pConn.conn, pConn.outConn, &f.udpForwarder.bufPool, "outbound->inbound")
 	}()

-	// inbound->outbound: copy from pConn.outConn to pConn.conn
 	go func() {
-		defer wg.Done()
-		rxBytes, inboundErr = pConn.copy(ctx, pConn.outConn, pConn.conn, &f.udpForwarder.bufPool, "inbound->outbound")
+		errChan <- pConn.copy(ctx, pConn.outConn, pConn.conn, &f.udpForwarder.bufPool, "inbound->outbound")
 	}()

-	wg.Wait()
-
-	if outboundErr != nil && !isClosedError(outboundErr) {
-		f.logger.Error("proxyUDP: copy error (outbound->inbound): %v", outboundErr)
+	select {
+	case <-ctx.Done():
+		f.logger.Trace("forwarder: tearing down UDP connection %v due to context done", epID(id))
+		return
+	case err := <-errChan:
+		if err != nil && !isClosedError(err) {
+			f.logger.Error("proxyUDP: copy error: %v", err)
+		}
+		f.logger.Trace("forwarder: tearing down UDP connection %v", epID(id))
+		return
 	}
-	if inboundErr != nil && !isClosedError(inboundErr) {
-		f.logger.Error("proxyUDP: copy error (inbound->outbound): %v", inboundErr)
-	}
-
-	var rxPackets, txPackets uint64
-	if udpStats, ok := ep.Stats().(*tcpip.TransportEndpointStats); ok {
-		// fields are flipped since this is the in conn
-		rxPackets = udpStats.PacketsSent.Value()
-		txPackets = udpStats.PacketsReceived.Value()
-	}
-
-	f.logger.Trace("forwarder: Removed UDP connection %s [in: %d Pkts/%d B, out: %d Pkts/%d B]", epID(id), rxPackets, rxBytes, txPackets, txBytes)
-
-	f.udpForwarder.Lock()
-	delete(f.udpForwarder.conns, id)
-	f.udpForwarder.Unlock()
-
-	f.sendUDPEvent(nftypes.TypeEnd, pConn.flowID, id, uint64(rxBytes), uint64(txBytes), rxPackets, txPackets)
 }

 // sendUDPEvent stores flow events for UDP connections
-func (f *Forwarder) sendUDPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, rxBytes, txBytes, rxPackets, txPackets uint64) {
-	srcIp := netip.AddrFrom4(id.RemoteAddress.As4())
-	dstIp := netip.AddrFrom4(id.LocalAddress.As4())
-
+func (f *Forwarder) sendUDPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, ep tcpip.Endpoint) {
 	fields := nftypes.EventFields{
 		FlowID:    flowID,
 		Type:      typ,
 		Direction: nftypes.Ingress,
 		Protocol:  nftypes.UDP,
 		// TODO: handle ipv6
-		SourceIP:   srcIp,
-		DestIP:     dstIp,
+		SourceIP:   netip.AddrFrom4(id.RemoteAddress.As4()),
+		DestIP:     netip.AddrFrom4(id.LocalAddress.As4()),
 		SourcePort: id.RemotePort,
 		DestPort:   id.LocalPort,
-		RxBytes:    rxBytes,
-		TxBytes:    txBytes,
-		RxPackets:  rxPackets,
-		TxPackets:  txPackets,
 	}

-	if typ == nftypes.TypeStart {
-		if ruleId, ok := f.getRuleID(srcIp, dstIp, id.RemotePort, id.LocalPort); ok {
-			fields.RuleID = ruleId
+	if ep != nil {
+		if tcpStats, ok := ep.Stats().(*tcpip.TransportEndpointStats); ok {
+			// fields are flipped since this is the in conn
+			// TODO: get bytes
+			fields.RxPackets = tcpStats.PacketsSent.Value()
+			fields.TxPackets = tcpStats.PacketsReceived.Value()
 		}
-	} else {
-		f.DeleteRuleID(srcIp, dstIp, id.RemotePort, id.LocalPort)
 	}

 	f.flowLogger.StoreEvent(fields)
@@ -313,20 +288,18 @@ func (c *udpPacketConn) getIdleDuration() time.Duration {
 	return time.Since(lastSeen)
 }

-// copy reads from src and writes to dst.
-func (c *udpPacketConn) copy(ctx context.Context, dst net.Conn, src net.Conn, bufPool *sync.Pool, direction string) (int64, error) {
+func (c *udpPacketConn) copy(ctx context.Context, dst net.Conn, src net.Conn, bufPool *sync.Pool, direction string) error {
 	bufp := bufPool.Get().(*[]byte)
 	defer bufPool.Put(bufp)
 	buffer := *bufp
-	var totalBytes int64 = 0

 	for {
 		if ctx.Err() != nil {
-			return totalBytes, ctx.Err()
+			return ctx.Err()
 		}

 		if err := src.SetDeadline(time.Now().Add(udpTimeout)); err != nil {
-			return totalBytes, fmt.Errorf("set read deadline: %w", err)
+			return fmt.Errorf("set read deadline: %w", err)
 		}

 		n, err := src.Read(buffer)
@@ -334,15 +307,14 @@ func (c *udpPacketConn) copy(ctx context.Context, dst net.Conn, src net.Conn, bu
 			if isTimeout(err) {
 				continue
 			}
-			return totalBytes, fmt.Errorf("read from %s: %w", direction, err)
+			return fmt.Errorf("read from %s: %w", direction, err)
 		}

-		nWritten, err := dst.Write(buffer[:n])
+		_, err = dst.Write(buffer[:n])
 		if err != nil {
-			return totalBytes, fmt.Errorf("write to %s: %w", direction, err)
+			return fmt.Errorf("write to %s: %w", direction, err)
 		}

-		totalBytes += int64(nWritten)
 		c.updateLastSeen()
 	}
 }
--- a/client/firewall/uspfilter/localip.go
+++ b/client/firewall/uspfilter/localip.go
@@ -14,13 +14,8 @@ import (
 type localIPManager struct {
 	mu sync.RWMutex

-	// fixed-size high array for upper byte of a IPv4 address
-	ipv4Bitmap [256]*ipv4LowBitmap
-}
-
-// ipv4LowBitmap is a map for the low 16 bits of a IPv4 address
-type ipv4LowBitmap struct {
-	bitmap [8192]uint32
+	// Use bitmap for IPv4 (32 bits * 2^16 = 256KB memory)
+	ipv4Bitmap [1 << 16]uint32
 }

 func newLocalIPManager() *localIPManager {
@@ -32,59 +27,35 @@ func (m *localIPManager) setBitmapBit(ip net.IP) {
 	if ipv4 == nil {
 		return
 	}
-	high := uint16(ipv4[0])
-	low := (uint16(ipv4[1]) << 8) | (uint16(ipv4[2]) << 4) | uint16(ipv4[3])
-
-	index := low / 32
-	bit := low % 32
-
-	if m.ipv4Bitmap[high] == nil {
-		m.ipv4Bitmap[high] = &ipv4LowBitmap{}
-	}
-
-	m.ipv4Bitmap[high].bitmap[index] |= 1 << bit
-}
-
-func (m *localIPManager) setBitInBitmap(ip net.IP, bitmap *[256]*ipv4LowBitmap, ipv4Set map[string]struct{}, ipv4Addresses *[]string) {
-	if ipv4 := ip.To4(); ipv4 != nil {
-		high := uint16(ipv4[0])
-		low := (uint16(ipv4[1]) << 8) | (uint16(ipv4[2]) << 4) | uint16(ipv4[3])
-
-		if bitmap[high] == nil {
-			bitmap[high] = &ipv4LowBitmap{}
-		}
-
-		index := low / 32
-		bit := low % 32
-		bitmap[high].bitmap[index] |= 1 << bit
-
-		ipStr := ipv4.String()
-		if _, exists := ipv4Set[ipStr]; !exists {
-			ipv4Set[ipStr] = struct{}{}
-			*ipv4Addresses = append(*ipv4Addresses, ipStr)
-		}
-	}
+	high := (uint16(ipv4[0]) << 8) | uint16(ipv4[1])
+	low := (uint16(ipv4[2]) << 8) | uint16(ipv4[3])
+	m.ipv4Bitmap[high] |= 1 << (low % 32)
 }

 func (m *localIPManager) checkBitmapBit(ip []byte) bool {
-	high := uint16(ip[0])
-	low := (uint16(ip[1]) << 8) | (uint16(ip[2]) << 4) | uint16(ip[3])
-
-	if m.ipv4Bitmap[high] == nil {
-		return false
-	}
-
-	index := low / 32
-	bit := low % 32
-	return (m.ipv4Bitmap[high].bitmap[index] & (1 << bit)) != 0
+	high := (uint16(ip[0]) << 8) | uint16(ip[1])
+	low := (uint16(ip[2]) << 8) | uint16(ip[3])
+	return (m.ipv4Bitmap[high] & (1 << (low % 32))) != 0
 }

-func (m *localIPManager) processIP(ip net.IP, bitmap *[256]*ipv4LowBitmap, ipv4Set map[string]struct{}, ipv4Addresses *[]string) error {
-	m.setBitInBitmap(ip, bitmap, ipv4Set, ipv4Addresses)
+func (m *localIPManager) processIP(ip net.IP, newIPv4Bitmap *[1 << 16]uint32, ipv4Set map[string]struct{}, ipv4Addresses *[]string) error {
+	if ipv4 := ip.To4(); ipv4 != nil {
+		high := (uint16(ipv4[0]) << 8) | uint16(ipv4[1])
+		low := (uint16(ipv4[2]) << 8) | uint16(ipv4[3])
+		if int(high) >= len(*newIPv4Bitmap) {
+			return fmt.Errorf("invalid IPv4 address: %s", ip)
+		}
+		ipStr := ip.String()
+		if _, exists := ipv4Set[ipStr]; !exists {
+			ipv4Set[ipStr] = struct{}{}
+			*ipv4Addresses = append(*ipv4Addresses, ipStr)
+			newIPv4Bitmap[high] |= 1 << (low % 32)
+		}
+	}
 	return nil
 }

-func (m *localIPManager) processInterface(iface net.Interface, bitmap *[256]*ipv4LowBitmap, ipv4Set map[string]struct{}, ipv4Addresses *[]string) {
+func (m *localIPManager) processInterface(iface net.Interface, newIPv4Bitmap *[1 << 16]uint32, ipv4Set map[string]struct{}, ipv4Addresses *[]string) {
 	addrs, err := iface.Addrs()
 	if err != nil {
 		log.Debugf("get addresses for interface %s failed: %v", iface.Name, err)
@@ -102,7 +73,7 @@ func (m *localIPManager) processInterface(iface net.Interface, bitmap *[256]*ipv
 			continue
 		}

-		if err := m.processIP(ip, bitmap, ipv4Set, ipv4Addresses); err != nil {
+		if err := m.processIP(ip, newIPv4Bitmap, ipv4Set, ipv4Addresses); err != nil {
 			log.Debugf("process IP failed: %v", err)
 		}
 	}
@@ -115,14 +86,14 @@ func (m *localIPManager) UpdateLocalIPs(iface common.IFaceMapper) (err error) {
 		}
 	}()

-	var newIPv4Bitmap [256]*ipv4LowBitmap
+	var newIPv4Bitmap [1 << 16]uint32
 	ipv4Set := make(map[string]struct{})
 	var ipv4Addresses []string

 	// 127.0.0.0/8
-	newIPv4Bitmap[127] = &ipv4LowBitmap{}
-	for i := 0; i < 8192; i++ {
-		newIPv4Bitmap[127].bitmap[i] = 0xFFFFFFFF
+	high := uint16(127) << 8
+	for i := uint16(0); i < 256; i++ {
+		newIPv4Bitmap[high|i] = 0xffffffff
 	}

 	if iface != nil {
@@ -149,12 +120,12 @@ func (m *localIPManager) UpdateLocalIPs(iface common.IFaceMapper) (err error) {
 }

 func (m *localIPManager) IsLocalIP(ip netip.Addr) bool {
-	if !ip.Is4() {
-		return false
-	}
-
 	m.mu.RLock()
 	defer m.mu.RUnlock()

-	return m.checkBitmapBit(ip.AsSlice())
+	if ip.Is4() {
+		return m.checkBitmapBit(ip.AsSlice())
+	}
+
+	return false
 }
--- a/client/firewall/uspfilter/localip_test.go
+++ b/client/firewall/uspfilter/localip_test.go
@@ -77,18 +77,6 @@ func TestLocalIPManager(t *testing.T) {
 			testIP:   netip.MustParseAddr("192.168.1.2"),
 			expected: false,
 		},
-		{
-			name: "Local IP doesn't match - addresses 32 apart",
-			setupAddr: wgaddr.Address{
-				IP: net.ParseIP("192.168.1.1"),
-				Network: &net.IPNet{
-					IP:   net.ParseIP("192.168.1.0"),
-					Mask: net.CIDRMask(24, 32),
-				},
-			},
-			testIP:   netip.MustParseAddr("192.168.1.33"),
-			expected: false,
-		},
 		{
 			name: "IPv6 address",
 			setupAddr: wgaddr.Address{
@@ -204,8 +192,10 @@ func BenchmarkIPChecks(b *testing.B) {
 		interfaces[i] = net.IPv4(10, 0, byte(i>>8), byte(i))
 	}

-	// Setup bitmap
-	bitmapManager := newLocalIPManager()
+	// Setup bitmap version
+	bitmapManager := &localIPManager{
+		ipv4Bitmap: [1 << 16]uint32{},
+	}
 	for _, ip := range interfaces[:8] { // Add half of IPs
 		bitmapManager.setBitmapBit(ip)
 	}
@@ -258,7 +248,7 @@ func BenchmarkWGPosition(b *testing.B) {

 	// Create two managers - one checks WG IP first, other checks it last
 	b.Run("WG_First", func(b *testing.B) {
-		bm := newLocalIPManager()
+		bm := &localIPManager{ipv4Bitmap: [1 << 16]uint32{}}
 		bm.setBitmapBit(wgIP)
 		b.ResetTimer()
 		for i := 0; i < b.N; i++ {
@@ -267,7 +257,7 @@ func BenchmarkWGPosition(b *testing.B) {
 	})

 	b.Run("WG_Last", func(b *testing.B) {
-		bm := newLocalIPManager()
+		bm := &localIPManager{ipv4Bitmap: [1 << 16]uint32{}}
 		// Fill with other IPs first
 		for i := 0; i < 15; i++ {
 			bm.setBitmapBit(net.IPv4(10, 0, byte(i>>8), byte(i)))
--- a/client/firewall/uspfilter/rule.go
+++ b/client/firewall/uspfilter/rule.go
@@ -29,15 +29,14 @@ func (r *PeerRule) ID() string {
 }

 type RouteRule struct {
-	id           string
-	mgmtId       []byte
-	sources      []netip.Prefix
-	dstSet       firewall.Set
-	destinations []netip.Prefix
-	proto        firewall.Protocol
-	srcPort      *firewall.Port
-	dstPort      *firewall.Port
-	action       firewall.Action
+	id          string
+	mgmtId      []byte
+	sources     []netip.Prefix
+	destination netip.Prefix
+	proto       firewall.Protocol
+	srcPort     *firewall.Port
+	dstPort     *firewall.Port
+	action      firewall.Action
 }

 // ID returns the rule id
--- a/client/firewall/uspfilter/tracer_test.go
+++ b/client/firewall/uspfilter/tracer_test.go
@@ -198,12 +198,12 @@ func TestTracePacket(t *testing.T) {
 				m.forwarder.Store(&forwarder.Forwarder{})

 				src := netip.PrefixFrom(netip.AddrFrom4([4]byte{1, 1, 1, 1}), 32)
-				dst := netip.PrefixFrom(netip.AddrFrom4([4]byte{192, 168, 17, 2}), 32)
-				_, err := m.AddRouteFiltering(nil, []netip.Prefix{src}, fw.Network{Prefix: dst}, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept)
+				dst := netip.PrefixFrom(netip.AddrFrom4([4]byte{172, 17, 0, 2}), 32)
+				_, err := m.AddRouteFiltering(nil, []netip.Prefix{src}, dst, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept)
 				require.NoError(t, err)
 			},
 			packetBuilder: func() *PacketBuilder {
-				return createPacketBuilder("1.1.1.1", "192.168.17.2", "tcp", 12345, 80, fw.RuleDirectionIN)
+				return createPacketBuilder("1.1.1.1", "172.17.0.2", "tcp", 12345, 80, fw.RuleDirectionIN)
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
@@ -222,12 +222,12 @@ func TestTracePacket(t *testing.T) {
 				m.nativeRouter.Store(false)

 				src := netip.PrefixFrom(netip.AddrFrom4([4]byte{1, 1, 1, 1}), 32)
-				dst := netip.PrefixFrom(netip.AddrFrom4([4]byte{192, 168, 17, 2}), 32)
-				_, err := m.AddRouteFiltering(nil, []netip.Prefix{src}, fw.Network{Prefix: dst}, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionDrop)
+				dst := netip.PrefixFrom(netip.AddrFrom4([4]byte{172, 17, 0, 2}), 32)
+				_, err := m.AddRouteFiltering(nil, []netip.Prefix{src}, dst, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionDrop)
 				require.NoError(t, err)
 			},
 			packetBuilder: func() *PacketBuilder {
-				return createPacketBuilder("1.1.1.1", "192.168.17.2", "tcp", 12345, 80, fw.RuleDirectionIN)
+				return createPacketBuilder("1.1.1.1", "172.17.0.2", "tcp", 12345, 80, fw.RuleDirectionIN)
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
@@ -245,7 +245,7 @@ func TestTracePacket(t *testing.T) {
 				m.nativeRouter.Store(true)
 			},
 			packetBuilder: func() *PacketBuilder {
-				return createPacketBuilder("1.1.1.1", "192.168.17.2", "tcp", 12345, 80, fw.RuleDirectionIN)
+				return createPacketBuilder("1.1.1.1", "172.17.0.2", "tcp", 12345, 80, fw.RuleDirectionIN)
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
@@ -263,7 +263,7 @@ func TestTracePacket(t *testing.T) {
 				m.routingEnabled.Store(false)
 			},
 			packetBuilder: func() *PacketBuilder {
-				return createPacketBuilder("1.1.1.1", "192.168.17.2", "tcp", 12345, 80, fw.RuleDirectionIN)
+				return createPacketBuilder("1.1.1.1", "172.17.0.2", "tcp", 12345, 80, fw.RuleDirectionIN)
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
@@ -425,8 +425,8 @@ func TestTracePacket(t *testing.T) {

 			require.True(t, m.localipmanager.IsLocalIP(netip.MustParseAddr("100.10.0.100")),
 				"100.10.0.100 should be recognized as a local IP")
-			require.False(t, m.localipmanager.IsLocalIP(netip.MustParseAddr("192.168.17.2")),
-				"192.168.17.2 should not be recognized as a local IP")
+			require.False(t, m.localipmanager.IsLocalIP(netip.MustParseAddr("172.17.0.2")),
+				"172.17.0.2 should not be recognized as a local IP")

 			pb := tc.packetBuilder()

--- a/client/firewall/uspfilter/uspfilter.go
+++ b/client/firewall/uspfilter/uspfilter.go
@@ -49,10 +49,10 @@ var errNatNotSupported = errors.New("nat not supported with userspace firewall")
 // RuleSet is a set of rules grouped by a string key
 type RuleSet map[string]PeerRule

-type RouteRules []*RouteRule
+type RouteRules []RouteRule

 func (r RouteRules) Sort() {
-	slices.SortStableFunc(r, func(a, b *RouteRule) int {
+	slices.SortStableFunc(r, func(a, b RouteRule) int {
 		// Deny rules come first
 		if a.action == firewall.ActionDrop && b.action != firewall.ActionDrop {
 			return -1
@@ -99,8 +99,6 @@ type Manager struct {
 	forwarder   atomic.Pointer[forwarder.Forwarder]
 	logger      *nblog.Logger
 	flowLogger  nftypes.FlowLogger
-
-	blockRule firewall.Rule
 }

 // decoder for packages
@@ -203,35 +201,41 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		}
 	}

+	if err := m.blockInvalidRouted(iface); err != nil {
+		log.Errorf("failed to block invalid routed traffic: %v", err)
+	}
+
 	if err := iface.SetFilter(m); err != nil {
 		return nil, fmt.Errorf("set filter: %w", err)
 	}
 	return m, nil
 }

-func (m *Manager) blockInvalidRouted(iface common.IFaceMapper) (firewall.Rule, error) {
+func (m *Manager) blockInvalidRouted(iface common.IFaceMapper) error {
+	if m.forwarder.Load() == nil {
+		return nil
+	}
 	wgPrefix, err := netip.ParsePrefix(iface.Address().Network.String())
 	if err != nil {
-		return nil, fmt.Errorf("parse wireguard network: %w", err)
+		return fmt.Errorf("parse wireguard network: %w", err)
 	}
 	log.Debugf("blocking invalid routed traffic for %s", wgPrefix)

-	rule, err := m.addRouteFiltering(
+	if _, err := m.AddRouteFiltering(
 		nil,
 		[]netip.Prefix{netip.PrefixFrom(netip.IPv4Unspecified(), 0)},
-		firewall.Network{Prefix: wgPrefix},
+		wgPrefix,
 		firewall.ProtocolALL,
 		nil,
 		nil,
 		firewall.ActionDrop,
-	)
-	if err != nil {
-		return nil, fmt.Errorf("block wg nte : %w", err)
+	); err != nil {
+		return fmt.Errorf("block wg nte : %w", err)
 	}

 	// TODO: Block networks that we're a client of

-	return rule, nil
+	return nil
 }

 func (m *Manager) determineRouting() error {
@@ -409,23 +413,10 @@ func (m *Manager) AddPeerFiltering(
 func (m *Manager) AddRouteFiltering(
 	id []byte,
 	sources []netip.Prefix,
-	destination firewall.Network,
+	destination netip.Prefix,
 	proto firewall.Protocol,
-	sPort, dPort *firewall.Port,
-	action firewall.Action,
-) (firewall.Rule, error) {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.addRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
-}
-
-func (m *Manager) addRouteFiltering(
-	id []byte,
-	sources []netip.Prefix,
-	destination firewall.Network,
-	proto firewall.Protocol,
-	sPort, dPort *firewall.Port,
+	sPort *firewall.Port,
+	dPort *firewall.Port,
 	action firewall.Action,
 ) (firewall.Rule, error) {
 	if m.nativeRouter.Load() && m.nativeFirewall != nil {
@@ -435,39 +426,34 @@ func (m *Manager) addRouteFiltering(
 	ruleID := uuid.New().String()
 	rule := RouteRule{
 		// TODO: consolidate these IDs
-		id:      ruleID,
-		mgmtId:  id,
-		sources: sources,
-		dstSet:  destination.Set,
-		proto:   proto,
-		srcPort: sPort,
-		dstPort: dPort,
-		action:  action,
-	}
-	if destination.IsPrefix() {
-		rule.destinations = []netip.Prefix{destination.Prefix}
+		id:          ruleID,
+		mgmtId:      id,
+		sources:     sources,
+		destination: destination,
+		proto:       proto,
+		srcPort:     sPort,
+		dstPort:     dPort,
+		action:      action,
 	}

-	m.routeRules = append(m.routeRules, &rule)
+	m.mutex.Lock()
+	m.routeRules = append(m.routeRules, rule)
 	m.routeRules.Sort()
+	m.mutex.Unlock()

 	return &rule, nil
 }

 func (m *Manager) DeleteRouteRule(rule firewall.Rule) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.deleteRouteRule(rule)
-}
-
-func (m *Manager) deleteRouteRule(rule firewall.Rule) error {
 	if m.nativeRouter.Load() && m.nativeFirewall != nil {
 		return m.nativeFirewall.DeleteRouteRule(rule)
 	}

+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
 	ruleID := rule.ID()
-	idx := slices.IndexFunc(m.routeRules, func(r *RouteRule) bool {
+	idx := slices.IndexFunc(m.routeRules, func(r RouteRule) bool {
 		return r.id == ruleID
 	})
 	if idx < 0 {
@@ -523,52 +509,6 @@ func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
 	return m.nativeFirewall.DeleteDNATRule(rule)
 }

-// UpdateSet updates the rule destinations associated with the given set
-// by merging the existing prefixes with the new ones, then deduplicating.
-func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
-	if m.nativeRouter.Load() && m.nativeFirewall != nil {
-		return m.nativeFirewall.UpdateSet(set, prefixes)
-	}
-
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	var matches []*RouteRule
-	for _, rule := range m.routeRules {
-		if rule.dstSet == set {
-			matches = append(matches, rule)
-		}
-	}
-
-	if len(matches) == 0 {
-		return fmt.Errorf("no route rule found for set: %s", set)
-	}
-
-	destinations := matches[0].destinations
-	for _, prefix := range prefixes {
-		if prefix.Addr().Is4() {
-			destinations = append(destinations, prefix)
-		}
-	}
-
-	slices.SortFunc(destinations, func(a, b netip.Prefix) int {
-		cmp := a.Addr().Compare(b.Addr())
-		if cmp != 0 {
-			return cmp
-		}
-		return a.Bits() - b.Bits()
-	})
-
-	destinations = slices.Compact(destinations)
-
-	for _, rule := range matches {
-		rule.destinations = destinations
-	}
-	log.Debugf("updated set %s to prefixes %v", set.HashedName(), destinations)
-
-	return nil
-}
-
 // DropOutgoing filter outgoing packets
 func (m *Manager) DropOutgoing(packetData []byte, size int) bool {
 	return m.processOutgoingHooks(packetData, size)
@@ -718,8 +658,7 @@ func (m *Manager) dropFilter(packetData []byte, size int) bool {
 	d := m.decoders.Get().(*decoder)
 	defer m.decoders.Put(d)

-	valid, fragment := m.isValidPacket(d, packetData)
-	if !valid {
+	if !m.isValidPacket(d, packetData) {
 		return true
 	}

@@ -729,13 +668,6 @@ func (m *Manager) dropFilter(packetData []byte, size int) bool {
 		return true
 	}

-	// TODO: pass fragments of routed packets to forwarder
-	if fragment {
-		m.logger.Trace("packet is a fragment: src=%v dst=%v id=%v flags=%v",
-			srcIP, dstIP, d.ip4.Id, d.ip4.Flags)
-		return false
-	}
-
 	// For all inbound traffic, first check if it matches a tracked connection.
 	// This must happen before any other filtering because the packets are statefully tracked.
 	if m.stateful && m.isValidTrackedConnection(d, srcIP, dstIP, size) {
@@ -746,7 +678,7 @@ func (m *Manager) dropFilter(packetData []byte, size int) bool {
 		return m.handleLocalTraffic(d, srcIP, dstIP, packetData, size)
 	}

-	return m.handleRoutedTraffic(d, srcIP, dstIP, packetData, size)
+	return m.handleRoutedTraffic(d, srcIP, dstIP, packetData)
 }

 // handleLocalTraffic handles local traffic.
@@ -807,7 +739,7 @@ func (m *Manager) handleNetstackLocalTraffic(packetData []byte) bool {

 // handleRoutedTraffic handles routed traffic.
 // If it returns true, the packet should be dropped.
-func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packetData []byte, size int) bool {
+func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packetData []byte) bool {
 	// Drop if routing is disabled
 	if !m.routingEnabled.Load() {
 		m.logger.Trace("Dropping routed packet (routing disabled): src=%s dst=%s",
@@ -817,15 +749,13 @@ func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packe

 	// Pass to native stack if native router is enabled or forced
 	if m.nativeRouter.Load() {
-		m.trackInbound(d, srcIP, dstIP, nil, size)
 		return false
 	}

 	proto, pnum := getProtocolFromPacket(d)
 	srcPort, dstPort := getPortsFromPacket(d)

-	ruleID, pass := m.routeACLsPass(srcIP, dstIP, proto, srcPort, dstPort)
-	if !pass {
+	if ruleID, pass := m.routeACLsPass(srcIP, dstIP, proto, srcPort, dstPort); !pass {
 		m.logger.Trace("Dropping routed packet (ACL denied): rule_id=%s proto=%v src=%s:%d dst=%s:%d",
 			ruleID, pnum, srcIP, srcPort, dstIP, dstPort)

@@ -840,8 +770,6 @@ func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packe
 			SourcePort: srcPort,
 			DestPort:   dstPort,
 			// TODO: icmp type/code
-			RxPackets: 1,
-			RxBytes:   uint64(size),
 		})
 		return true
 	}
@@ -851,11 +779,8 @@ func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packe
 	if fwd == nil {
 		m.logger.Trace("failed to forward routed packet (forwarder not initialized)")
 	} else {
-		fwd.RegisterRuleID(srcIP, dstIP, srcPort, dstPort, ruleID)
-
 		if err := fwd.InjectIncomingPacket(packetData); err != nil {
 			m.logger.Error("Failed to inject routed packet: %v", err)
-			fwd.DeleteRuleID(srcIP, dstIP, srcPort, dstPort)
 		}
 	}

@@ -887,32 +812,17 @@ func getPortsFromPacket(d *decoder) (srcPort, dstPort uint16) {
 	}
 }

-// isValidPacket checks if the packet is valid.
-// It returns true, false if the packet is valid and not a fragment.
-// It returns true, true if the packet is a fragment and valid.
-func (m *Manager) isValidPacket(d *decoder, packetData []byte) (bool, bool) {
+func (m *Manager) isValidPacket(d *decoder, packetData []byte) bool {
 	if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
 		m.logger.Trace("couldn't decode packet, err: %s", err)
-		return false, false
+		return false
 	}

-	l := len(d.decoded)
-
-	// L3 and L4 are mandatory
-	if l >= 2 {
-		return true, false
+	if len(d.decoded) < 2 {
+		m.logger.Trace("packet doesn't have network and transport layers")
+		return false
 	}
-
-	// Fragments are also valid
-	if l == 1 && d.decoded[0] == layers.LayerTypeIPv4 {
-		ip4 := d.ip4
-		if ip4.Flags&layers.IPv4MoreFragments != 0 || ip4.FragOffset != 0 {
-			return true, true
-		}
-	}
-
-	m.logger.Trace("packet doesn't have network and transport layers")
-	return false, false
+	return true
 }

 func (m *Manager) isValidTrackedConnection(d *decoder, srcIP, dstIP netip.Addr, size int) bool {
@@ -1052,15 +962,8 @@ func (m *Manager) routeACLsPass(srcIP, dstIP netip.Addr, proto firewall.Protocol
 	return nil, false
 }

-func (m *Manager) ruleMatches(rule *RouteRule, srcAddr, dstAddr netip.Addr, proto firewall.Protocol, srcPort, dstPort uint16) bool {
-	destMatched := false
-	for _, dst := range rule.destinations {
-		if dst.Contains(dstAddr) {
-			destMatched = true
-			break
-		}
-	}
-	if !destMatched {
+func (m *Manager) ruleMatches(rule RouteRule, srcAddr, dstAddr netip.Addr, proto firewall.Protocol, srcPort, dstPort uint16) bool {
+	if !rule.destination.Contains(dstAddr) {
 		return false
 	}

@@ -1162,22 +1065,7 @@ func (m *Manager) EnableRouting() error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if err := m.determineRouting(); err != nil {
-		return fmt.Errorf("determine routing: %w", err)
-	}
-
-	if m.forwarder.Load() == nil {
-		return nil
-	}
-
-	rule, err := m.blockInvalidRouted(m.wgIface)
-	if err != nil {
-		return fmt.Errorf("block invalid routed: %w", err)
-	}
-
-	m.blockRule = rule
-
-	return nil
+	return m.determineRouting()
 }

 func (m *Manager) DisableRouting() error {
@@ -1202,12 +1090,5 @@ func (m *Manager) DisableRouting() error {

 	log.Debug("forwarder stopped")

-	if m.blockRule != nil {
-		if err := m.deleteRouteRule(m.blockRule); err != nil {
-			return fmt.Errorf("delete block rule: %w", err)
-		}
-		m.blockRule = nil
-	}
-
 	return nil
 }
--- a/client/firewall/uspfilter/uspfilter_filter_test.go
+++ b/client/firewall/uspfilter/uspfilter_filter_test.go
@@ -15,7 +15,6 @@ import (
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/mocks"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	"github.com/netbirdio/netbird/management/domain"
 )

 func TestPeerACLFiltering(t *testing.T) {
@@ -189,281 +188,6 @@ func TestPeerACLFiltering(t *testing.T) {
 			ruleAction:      fw.ActionAccept,
 			shouldBeBlocked: true,
 		},
-		{
-			name:            "Allow TCP traffic without port specification",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         443,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: false,
-		},
-		{
-			name:            "Allow UDP traffic without port specification",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolUDP,
-			srcPort:         12345,
-			dstPort:         53,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolUDP,
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: false,
-		},
-		{
-			name:            "TCP packet doesn't match UDP filter with same port",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         443,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolUDP,
-			ruleDstPort:     &fw.Port{Values: []uint16{443}},
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "UDP packet doesn't match TCP filter with same port",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolUDP,
-			srcPort:         12345,
-			dstPort:         443,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleDstPort:     &fw.Port{Values: []uint16{443}},
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "ICMP packet doesn't match TCP filter",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolICMP,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "ICMP packet doesn't match UDP filter",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolICMP,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolUDP,
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "Allow TCP traffic within port range",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         8080,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleDstPort:     &fw.Port{IsRange: true, Values: []uint16{8000, 8100}},
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: false,
-		},
-		{
-			name:            "Block TCP traffic outside port range",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         7999,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleDstPort:     &fw.Port{IsRange: true, Values: []uint16{8000, 8100}},
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "Edge Case - Port at Range Boundary",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         8100,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleDstPort:     &fw.Port{IsRange: true, Values: []uint16{8000, 8100}},
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: false,
-		},
-		{
-			name:            "UDP Port Range",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolUDP,
-			srcPort:         12345,
-			dstPort:         5060,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolUDP,
-			ruleDstPort:     &fw.Port{IsRange: true, Values: []uint16{5060, 5070}},
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: false,
-		},
-		{
-			name:            "Allow multiple destination ports",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         8080,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleDstPort:     &fw.Port{Values: []uint16{80, 8080, 443}},
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: false,
-		},
-		{
-			name:            "Allow multiple source ports",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         80,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleSrcPort:     &fw.Port{Values: []uint16{12345, 12346, 12347}},
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: false,
-		},
-		// New drop test cases
-		{
-			name:            "Drop TCP traffic from WG peer",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         443,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleDstPort:     &fw.Port{Values: []uint16{443}},
-			ruleAction:      fw.ActionDrop,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "Drop UDP traffic from WG peer",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolUDP,
-			srcPort:         12345,
-			dstPort:         53,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolUDP,
-			ruleDstPort:     &fw.Port{Values: []uint16{53}},
-			ruleAction:      fw.ActionDrop,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "Drop ICMP traffic from WG peer",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolICMP,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolICMP,
-			ruleAction:      fw.ActionDrop,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "Drop all traffic from WG peer",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         443,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolALL,
-			ruleAction:      fw.ActionDrop,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "Drop traffic from multiple source ports",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         80,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleSrcPort:     &fw.Port{Values: []uint16{12345, 12346, 12347}},
-			ruleAction:      fw.ActionDrop,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "Drop multiple destination ports",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         8080,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleDstPort:     &fw.Port{Values: []uint16{80, 8080, 443}},
-			ruleAction:      fw.ActionDrop,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "Drop TCP traffic within port range",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         8080,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleDstPort:     &fw.Port{IsRange: true, Values: []uint16{8000, 8100}},
-			ruleAction:      fw.ActionDrop,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "Accept TCP traffic outside drop port range",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         7999,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleDstPort:     &fw.Port{IsRange: true, Values: []uint16{8000, 8100}},
-			ruleAction:      fw.ActionDrop,
-			shouldBeBlocked: false,
-		},
-		{
-			name:            "Drop TCP traffic with source port range",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         32100,
-			dstPort:         80,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleSrcPort:     &fw.Port{IsRange: true, Values: []uint16{32000, 33000}},
-			ruleAction:      fw.ActionDrop,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "Mixed rule - drop specific port but allow other ports",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         443,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleDstPort:     &fw.Port{Values: []uint16{443}},
-			ruleAction:      fw.ActionDrop,
-			shouldBeBlocked: true,
-		},
 	}

 	t.Run("Implicit DROP (no rules)", func(t *testing.T) {
@@ -474,28 +198,6 @@ func TestPeerACLFiltering(t *testing.T) {

 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-
-			if tc.ruleAction == fw.ActionDrop {
-				// add general accept rule to test drop rule
-				// TODO: this only works because 0.0.0.0 is tested last, we need to implement order
-				rules, err := manager.AddPeerFiltering(
-					nil,
-					net.ParseIP("0.0.0.0"),
-					fw.ProtocolALL,
-					nil,
-					nil,
-					fw.ActionAccept,
-					"",
-				)
-				require.NoError(t, err)
-				require.NotEmpty(t, rules)
-				t.Cleanup(func() {
-					for _, rule := range rules {
-						require.NoError(t, manager.DeletePeerRule(rule))
-					}
-				})
-			}
-
 			rules, err := manager.AddPeerFiltering(
 				nil,
 				net.ParseIP(tc.ruleIP),
@@ -601,8 +303,8 @@ func setupRoutedManager(tb testing.TB, network string) *Manager {
 	}

 	manager, err := Create(ifaceMock, false, flowLogger)
-	require.NoError(tb, err)
 	require.NoError(tb, manager.EnableRouting())
+	require.NoError(tb, err)
 	require.NotNil(tb, manager)
 	require.True(tb, manager.routingEnabled.Load())
 	require.False(tb, manager.nativeRouter.Load())
@@ -619,7 +321,7 @@ func TestRouteACLFiltering(t *testing.T) {

 	type rule struct {
 		sources []netip.Prefix
-		dest    fw.Network
+		dest    netip.Prefix
 		proto   fw.Protocol
 		srcPort *fw.Port
 		dstPort *fw.Port
@@ -645,7 +347,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 443,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{443}},
 				action:  fw.ActionAccept,
@@ -661,7 +363,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 443,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{443}},
 				action:  fw.ActionAccept,
@@ -677,7 +379,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 443,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("0.0.0.0/0")},
+				dest:    netip.MustParsePrefix("0.0.0.0/0"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{443}},
 				action:  fw.ActionAccept,
@@ -693,7 +395,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 53,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolUDP,
 				dstPort: &fw.Port{Values: []uint16{53}},
 				action:  fw.ActionAccept,
@@ -707,7 +409,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			proto: fw.ProtocolICMP,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("0.0.0.0/0")},
+				dest:    netip.MustParsePrefix("0.0.0.0/0"),
 				proto:   fw.ProtocolICMP,
 				action:  fw.ActionAccept,
 			},
@@ -722,7 +424,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolALL,
 				dstPort: &fw.Port{Values: []uint16{80}},
 				action:  fw.ActionAccept,
@@ -738,7 +440,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 8080,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{80}},
 				action:  fw.ActionAccept,
@@ -754,7 +456,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{80}},
 				action:  fw.ActionAccept,
@@ -770,7 +472,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{80}},
 				action:  fw.ActionAccept,
@@ -786,7 +488,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				srcPort: &fw.Port{Values: []uint16{12345}},
 				action:  fw.ActionAccept,
@@ -805,7 +507,7 @@ func TestRouteACLFiltering(t *testing.T) {
 					netip.MustParsePrefix("100.10.0.0/16"),
 					netip.MustParsePrefix("172.16.0.0/16"),
 				},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{80}},
 				action:  fw.ActionAccept,
@@ -819,7 +521,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			proto: fw.ProtocolICMP,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolALL,
 				action:  fw.ActionAccept,
 			},
@@ -834,13 +536,33 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolALL,
 				dstPort: &fw.Port{Values: []uint16{80}},
 				action:  fw.ActionAccept,
 			},
 			shouldPass: true,
 		},
+		{
+			name:  "Multiple source networks with mismatched protocol",
+			srcIP: "172.16.0.1",
+			dstIP: "192.168.1.100",
+			// Should not match TCP rule
+			proto:   fw.ProtocolUDP,
+			srcPort: 12345,
+			dstPort: 80,
+			rule: rule{
+				sources: []netip.Prefix{
+					netip.MustParsePrefix("100.10.0.0/16"),
+					netip.MustParsePrefix("172.16.0.0/16"),
+				},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
+				proto:   fw.ProtocolTCP,
+				dstPort: &fw.Port{Values: []uint16{80}},
+				action:  fw.ActionAccept,
+			},
+			shouldPass: false,
+		},
 		{
 			name:    "Allow multiple destination ports",
 			srcIP:   "100.10.0.1",
@@ -850,7 +572,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 8080,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{80, 8080, 443}},
 				action:  fw.ActionAccept,
@@ -866,7 +588,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				srcPort: &fw.Port{Values: []uint16{12345, 12346, 12347}},
 				action:  fw.ActionAccept,
@@ -882,7 +604,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolALL,
 				srcPort: &fw.Port{Values: []uint16{12345}},
 				dstPort: &fw.Port{Values: []uint16{80}},
@@ -899,7 +621,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 8080,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{
 					IsRange: true,
@@ -918,7 +640,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 7999,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{
 					IsRange: true,
@@ -937,7 +659,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				srcPort: &fw.Port{
 					IsRange: true,
@@ -956,7 +678,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 443,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				srcPort: &fw.Port{
 					IsRange: true,
@@ -978,7 +700,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 8100,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{
 					IsRange: true,
@@ -997,7 +719,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 5060,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolUDP,
 				dstPort: &fw.Port{
 					IsRange: true,
@@ -1016,7 +738,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 8080,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolALL,
 				dstPort: &fw.Port{
 					IsRange: true,
@@ -1035,7 +757,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 443,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{443}},
 				action:  fw.ActionDrop,
@@ -1051,7 +773,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolALL,
 				action:  fw.ActionDrop,
 			},
@@ -1069,158 +791,17 @@ func TestRouteACLFiltering(t *testing.T) {
 					netip.MustParsePrefix("100.10.0.0/16"),
 					netip.MustParsePrefix("172.16.0.0/16"),
 				},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{80}},
 				action:  fw.ActionDrop,
 			},
 			shouldPass: false,
 		},
-
-		{
-			name:    "Drop empty destination set",
-			srcIP:   "172.16.0.1",
-			dstIP:   "192.168.1.100",
-			proto:   fw.ProtocolTCP,
-			srcPort: 12345,
-			dstPort: 80,
-			rule: rule{
-				sources: []netip.Prefix{
-					netip.MustParsePrefix("172.16.0.0/16"),
-				},
-				dest:    fw.Network{Set: fw.Set{}},
-				proto:   fw.ProtocolTCP,
-				dstPort: &fw.Port{Values: []uint16{80}},
-				action:  fw.ActionAccept,
-			},
-			shouldPass: false,
-		},
-		{
-			name:    "Accept TCP traffic outside drop port range",
-			srcIP:   "100.10.0.1",
-			dstIP:   "192.168.1.100",
-			proto:   fw.ProtocolTCP,
-			srcPort: 12345,
-			dstPort: 7999,
-			rule: rule{
-				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
-				proto:   fw.ProtocolTCP,
-				dstPort: &fw.Port{IsRange: true, Values: []uint16{8000, 8100}},
-				action:  fw.ActionDrop,
-			},
-			shouldPass: true,
-		},
-		{
-			name:    "Allow TCP traffic without port specification",
-			srcIP:   "100.10.0.1",
-			dstIP:   "192.168.1.100",
-			proto:   fw.ProtocolTCP,
-			srcPort: 12345,
-			dstPort: 443,
-			rule: rule{
-				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
-				proto:   fw.ProtocolTCP,
-				action:  fw.ActionAccept,
-			},
-			shouldPass: true,
-		},
-		{
-			name:    "Allow UDP traffic without port specification",
-			srcIP:   "100.10.0.1",
-			dstIP:   "192.168.1.100",
-			proto:   fw.ProtocolUDP,
-			srcPort: 12345,
-			dstPort: 53,
-			rule: rule{
-				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
-				proto:   fw.ProtocolUDP,
-				action:  fw.ActionAccept,
-			},
-			shouldPass: true,
-		},
-		{
-			name:    "TCP packet doesn't match UDP filter with same port",
-			srcIP:   "100.10.0.1",
-			dstIP:   "192.168.1.100",
-			proto:   fw.ProtocolTCP,
-			srcPort: 12345,
-			dstPort: 80,
-			rule: rule{
-				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
-				proto:   fw.ProtocolUDP,
-				dstPort: &fw.Port{Values: []uint16{80}},
-				action:  fw.ActionAccept,
-			},
-			shouldPass: false,
-		},
-		{
-			name:    "UDP packet doesn't match TCP filter with same port",
-			srcIP:   "100.10.0.1",
-			dstIP:   "192.168.1.100",
-			proto:   fw.ProtocolUDP,
-			srcPort: 12345,
-			dstPort: 80,
-			rule: rule{
-				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
-				proto:   fw.ProtocolTCP,
-				dstPort: &fw.Port{Values: []uint16{80}},
-				action:  fw.ActionAccept,
-			},
-			shouldPass: false,
-		},
-		{
-			name:  "ICMP packet doesn't match TCP filter",
-			srcIP: "100.10.0.1",
-			dstIP: "192.168.1.100",
-			proto: fw.ProtocolICMP,
-			rule: rule{
-				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
-				proto:   fw.ProtocolTCP,
-				action:  fw.ActionAccept,
-			},
-			shouldPass: false,
-		},
-		{
-			name:  "ICMP packet doesn't match UDP filter",
-			srcIP: "100.10.0.1",
-			dstIP: "192.168.1.100",
-			proto: fw.ProtocolICMP,
-			rule: rule{
-				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
-				proto:   fw.ProtocolUDP,
-				action:  fw.ActionAccept,
-			},
-			shouldPass: false,
-		},
 	}

 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			if tc.rule.action == fw.ActionDrop {
-				// add general accept rule to test drop rule
-				rule, err := manager.AddRouteFiltering(
-					nil,
-					[]netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
-					fw.Network{Prefix: netip.MustParsePrefix("0.0.0.0/0")},
-					fw.ProtocolALL,
-					nil,
-					nil,
-					fw.ActionAccept,
-				)
-				require.NoError(t, err)
-				require.NotNil(t, rule)
-				t.Cleanup(func() {
-					require.NoError(t, manager.DeleteRouteRule(rule))
-				})
-			}
-
 			rule, err := manager.AddRouteFiltering(
 				nil,
 				tc.rule.sources,
@@ -1255,7 +836,7 @@ func TestRouteACLOrder(t *testing.T) {
 		name  string
 		rules []struct {
 			sources []netip.Prefix
-			dest    fw.Network
+			dest    netip.Prefix
 			proto   fw.Protocol
 			srcPort *fw.Port
 			dstPort *fw.Port
@@ -1276,7 +857,7 @@ func TestRouteACLOrder(t *testing.T) {
 			name: "Drop rules take precedence over accept",
 			rules: []struct {
 				sources []netip.Prefix
-				dest    fw.Network
+				dest    netip.Prefix
 				proto   fw.Protocol
 				srcPort *fw.Port
 				dstPort *fw.Port
@@ -1285,7 +866,7 @@ func TestRouteACLOrder(t *testing.T) {
 				{
 					// Accept rule added first
 					sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-					dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+					dest:    netip.MustParsePrefix("192.168.1.0/24"),
 					proto:   fw.ProtocolTCP,
 					dstPort: &fw.Port{Values: []uint16{80, 443}},
 					action:  fw.ActionAccept,
@@ -1293,7 +874,7 @@ func TestRouteACLOrder(t *testing.T) {
 				{
 					// Drop rule added second but should be evaluated first
 					sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-					dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+					dest:    netip.MustParsePrefix("192.168.1.0/24"),
 					proto:   fw.ProtocolTCP,
 					dstPort: &fw.Port{Values: []uint16{443}},
 					action:  fw.ActionDrop,
@@ -1331,7 +912,7 @@ func TestRouteACLOrder(t *testing.T) {
 			name: "Multiple drop rules take precedence",
 			rules: []struct {
 				sources []netip.Prefix
-				dest    fw.Network
+				dest    netip.Prefix
 				proto   fw.Protocol
 				srcPort *fw.Port
 				dstPort *fw.Port
@@ -1340,14 +921,14 @@ func TestRouteACLOrder(t *testing.T) {
 				{
 					// Accept all
 					sources: []netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
-					dest:    fw.Network{Prefix: netip.MustParsePrefix("0.0.0.0/0")},
+					dest:    netip.MustParsePrefix("0.0.0.0/0"),
 					proto:   fw.ProtocolALL,
 					action:  fw.ActionAccept,
 				},
 				{
 					// Drop specific port
 					sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-					dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+					dest:    netip.MustParsePrefix("192.168.1.0/24"),
 					proto:   fw.ProtocolTCP,
 					dstPort: &fw.Port{Values: []uint16{443}},
 					action:  fw.ActionDrop,
@@ -1355,7 +936,7 @@ func TestRouteACLOrder(t *testing.T) {
 				{
 					// Drop different port
 					sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-					dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+					dest:    netip.MustParsePrefix("192.168.1.0/24"),
 					proto:   fw.ProtocolTCP,
 					dstPort: &fw.Port{Values: []uint16{80}},
 					action:  fw.ActionDrop,
@@ -1434,53 +1015,3 @@ func TestRouteACLOrder(t *testing.T) {
 		})
 	}
 }
-
-func TestRouteACLSet(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-		AddressFunc: func() wgaddr.Address {
-			return wgaddr.Address{
-				IP: net.ParseIP("100.10.0.100"),
-				Network: &net.IPNet{
-					IP:   net.ParseIP("100.10.0.0"),
-					Mask: net.CIDRMask(16, 32),
-				},
-			}
-		},
-	}
-
-	manager, err := Create(ifaceMock, false, flowLogger)
-	require.NoError(t, err)
-	t.Cleanup(func() {
-		require.NoError(t, manager.Close(nil))
-	})
-
-	set := fw.NewDomainSet(domain.List{"example.org"})
-
-	// Add rule that uses the set (initially empty)
-	rule, err := manager.AddRouteFiltering(
-		nil,
-		[]netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
-		fw.Network{Set: set},
-		fw.ProtocolTCP,
-		nil,
-		nil,
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-	require.NotNil(t, rule)
-
-	srcIP := netip.MustParseAddr("100.10.0.1")
-	dstIP := netip.MustParseAddr("192.168.1.100")
-
-	// Check that traffic is dropped (empty set shouldn't match anything)
-	_, isAllowed := manager.routeACLsPass(srcIP, dstIP, fw.ProtocolTCP, 12345, 80)
-	require.False(t, isAllowed, "Empty set should not allow any traffic")
-
-	err = manager.UpdateSet(set, []netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")})
-	require.NoError(t, err)
-
-	// Now the packet should be allowed
-	_, isAllowed = manager.routeACLsPass(srcIP, dstIP, fw.ProtocolTCP, 12345, 80)
-	require.True(t, isAllowed, "After set update, traffic to the added network should be allowed")
-}
--- a/client/firewall/uspfilter/uspfilter_test.go
+++ b/client/firewall/uspfilter/uspfilter_test.go
@@ -1,6 +1,7 @@
 package uspfilter

 import (
+	"context"
 	"fmt"
 	"net"
 	"net/netip"
@@ -20,11 +21,10 @@ import (
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/netflow"
-	"github.com/netbirdio/netbird/management/domain"
 )

 var logger = log.NewFromLogrus(logrus.StandardLogger())
-var flowLogger = netflow.NewManager(nil, []byte{}, nil).GetLogger()
+var flowLogger = netflow.NewManager(context.Background(), nil, []byte{}, nil).GetLogger()

 type IFaceMock struct {
 	SetFilterFunc   func(device.PacketFilter) error
@@ -712,203 +712,3 @@ func TestStatefulFirewall_UDPTracking(t *testing.T) {
 		})
 	}
 }
-
-func TestUpdateSetMerge(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}
-
-	manager, err := Create(ifaceMock, false, flowLogger)
-	require.NoError(t, err)
-	t.Cleanup(func() {
-		require.NoError(t, manager.Close(nil))
-	})
-
-	set := fw.NewDomainSet(domain.List{"example.org"})
-
-	initialPrefixes := []netip.Prefix{
-		netip.MustParsePrefix("10.0.0.0/24"),
-		netip.MustParsePrefix("192.168.1.0/24"),
-	}
-
-	rule, err := manager.AddRouteFiltering(
-		nil,
-		[]netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
-		fw.Network{Set: set},
-		fw.ProtocolTCP,
-		nil,
-		nil,
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-	require.NotNil(t, rule)
-
-	// Update the set with initial prefixes
-	err = manager.UpdateSet(set, initialPrefixes)
-	require.NoError(t, err)
-
-	// Test initial prefixes work
-	srcIP := netip.MustParseAddr("100.10.0.1")
-	dstIP1 := netip.MustParseAddr("10.0.0.100")
-	dstIP2 := netip.MustParseAddr("192.168.1.100")
-	dstIP3 := netip.MustParseAddr("172.16.0.100")
-
-	_, isAllowed1 := manager.routeACLsPass(srcIP, dstIP1, fw.ProtocolTCP, 12345, 80)
-	_, isAllowed2 := manager.routeACLsPass(srcIP, dstIP2, fw.ProtocolTCP, 12345, 80)
-	_, isAllowed3 := manager.routeACLsPass(srcIP, dstIP3, fw.ProtocolTCP, 12345, 80)
-
-	require.True(t, isAllowed1, "Traffic to 10.0.0.100 should be allowed")
-	require.True(t, isAllowed2, "Traffic to 192.168.1.100 should be allowed")
-	require.False(t, isAllowed3, "Traffic to 172.16.0.100 should be denied")
-
-	newPrefixes := []netip.Prefix{
-		netip.MustParsePrefix("172.16.0.0/16"),
-		netip.MustParsePrefix("10.1.0.0/24"),
-	}
-
-	err = manager.UpdateSet(set, newPrefixes)
-	require.NoError(t, err)
-
-	// Check that all original prefixes are still included
-	_, isAllowed1 = manager.routeACLsPass(srcIP, dstIP1, fw.ProtocolTCP, 12345, 80)
-	_, isAllowed2 = manager.routeACLsPass(srcIP, dstIP2, fw.ProtocolTCP, 12345, 80)
-	require.True(t, isAllowed1, "Traffic to 10.0.0.100 should still be allowed after update")
-	require.True(t, isAllowed2, "Traffic to 192.168.1.100 should still be allowed after update")
-
-	// Check that new prefixes are included
-	dstIP4 := netip.MustParseAddr("172.16.1.100")
-	dstIP5 := netip.MustParseAddr("10.1.0.50")
-
-	_, isAllowed4 := manager.routeACLsPass(srcIP, dstIP4, fw.ProtocolTCP, 12345, 80)
-	_, isAllowed5 := manager.routeACLsPass(srcIP, dstIP5, fw.ProtocolTCP, 12345, 80)
-
-	require.True(t, isAllowed4, "Traffic to new prefix 172.16.0.0/16 should be allowed")
-	require.True(t, isAllowed5, "Traffic to new prefix 10.1.0.0/24 should be allowed")
-
-	// Verify the rule has all prefixes
-	manager.mutex.RLock()
-	foundRule := false
-	for _, r := range manager.routeRules {
-		if r.id == rule.ID() {
-			foundRule = true
-			require.Len(t, r.destinations, len(initialPrefixes)+len(newPrefixes),
-				"Rule should have all prefixes merged")
-		}
-	}
-	manager.mutex.RUnlock()
-	require.True(t, foundRule, "Rule should be found")
-}
-
-func TestUpdateSetDeduplication(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}
-
-	manager, err := Create(ifaceMock, false, flowLogger)
-	require.NoError(t, err)
-	t.Cleanup(func() {
-		require.NoError(t, manager.Close(nil))
-	})
-
-	set := fw.NewDomainSet(domain.List{"example.org"})
-
-	rule, err := manager.AddRouteFiltering(
-		nil,
-		[]netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
-		fw.Network{Set: set},
-		fw.ProtocolTCP,
-		nil,
-		nil,
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-	require.NotNil(t, rule)
-
-	initialPrefixes := []netip.Prefix{
-		netip.MustParsePrefix("10.0.0.0/24"),
-		netip.MustParsePrefix("10.0.0.0/24"), // Duplicate
-		netip.MustParsePrefix("192.168.1.0/24"),
-		netip.MustParsePrefix("192.168.1.0/24"), // Duplicate
-	}
-
-	err = manager.UpdateSet(set, initialPrefixes)
-	require.NoError(t, err)
-
-	// Check the internal state for deduplication
-	manager.mutex.RLock()
-	foundRule := false
-	for _, r := range manager.routeRules {
-		if r.id == rule.ID() {
-			foundRule = true
-			// Should have deduplicated to 2 prefixes
-			require.Len(t, r.destinations, 2, "Duplicate prefixes should be removed")
-
-			// Check the prefixes are correct
-			expectedPrefixes := []netip.Prefix{
-				netip.MustParsePrefix("10.0.0.0/24"),
-				netip.MustParsePrefix("192.168.1.0/24"),
-			}
-			for i, prefix := range expectedPrefixes {
-				require.True(t, r.destinations[i] == prefix,
-					"Prefix should match expected value")
-			}
-		}
-	}
-	manager.mutex.RUnlock()
-	require.True(t, foundRule, "Rule should be found")
-
-	// Test with overlapping prefixes of different sizes
-	overlappingPrefixes := []netip.Prefix{
-		netip.MustParsePrefix("10.0.0.0/16"),    // More general
-		netip.MustParsePrefix("10.0.0.0/24"),    // More specific (already exists)
-		netip.MustParsePrefix("192.168.0.0/16"), // More general
-		netip.MustParsePrefix("192.168.1.0/24"), // More specific (already exists)
-	}
-
-	err = manager.UpdateSet(set, overlappingPrefixes)
-	require.NoError(t, err)
-
-	// Check that all prefixes are included (no deduplication of overlapping prefixes)
-	manager.mutex.RLock()
-	for _, r := range manager.routeRules {
-		if r.id == rule.ID() {
-			// Should have all 4 prefixes (2 original + 2 new more general ones)
-			require.Len(t, r.destinations, 4,
-				"Overlapping prefixes should not be deduplicated")
-
-			// Verify they're sorted correctly (more specific prefixes should come first)
-			prefixes := make([]string, 0, len(r.destinations))
-			for _, p := range r.destinations {
-				prefixes = append(prefixes, p.String())
-			}
-
-			// Check sorted order
-			require.Equal(t, []string{
-				"10.0.0.0/16",
-				"10.0.0.0/24",
-				"192.168.0.0/16",
-				"192.168.1.0/24",
-			}, prefixes, "Prefixes should be sorted")
-		}
-	}
-	manager.mutex.RUnlock()
-
-	// Test functionality with all prefixes
-	testCases := []struct {
-		dstIP    netip.Addr
-		expected bool
-		desc     string
-	}{
-		{netip.MustParseAddr("10.0.0.100"), true, "IP in both /16 and /24"},
-		{netip.MustParseAddr("10.0.1.100"), true, "IP only in /16"},
-		{netip.MustParseAddr("192.168.1.100"), true, "IP in both /16 and /24"},
-		{netip.MustParseAddr("192.168.2.100"), true, "IP only in /16"},
-		{netip.MustParseAddr("172.16.0.100"), false, "IP not in any prefix"},
-	}
-
-	srcIP := netip.MustParseAddr("100.10.0.1")
-	for _, tc := range testCases {
-		_, isAllowed := manager.routeACLsPass(srcIP, tc.dstIP, fw.ProtocolTCP, 12345, 80)
-		require.Equal(t, tc.expected, isAllowed, tc.desc)
-	}
-}
--- a/client/iface/bind/udp_mux.go
+++ b/client/iface/bind/udp_mux.go
@@ -150,7 +150,7 @@ func isZeros(ip net.IP) bool {
 // NewUDPMuxDefault creates an implementation of UDPMux
 func NewUDPMuxDefault(params UDPMuxParams) *UDPMuxDefault {
 	if params.Logger == nil {
-		params.Logger = getLogger()
+		params.Logger = logging.NewDefaultLoggerFactory().NewLogger("ice")
 	}

 	mux := &UDPMuxDefault{
@@ -455,9 +455,3 @@ func newBufferHolder(size int) *bufferHolder {
 		buf: make([]byte, size),
 	}
 }
-
-func getLogger() logging.LeveledLogger {
-	fac := logging.NewDefaultLoggerFactory()
-	//fac.Writer = log.StandardLogger().Writer()
-	return fac.NewLogger("ice")
-}
--- a/client/iface/bind/udp_mux_universal.go
+++ b/client/iface/bind/udp_mux_universal.go
@@ -49,7 +49,7 @@ type UniversalUDPMuxParams struct {
 // NewUniversalUDPMuxDefault creates an implementation of UniversalUDPMux embedding UDPMux
 func NewUniversalUDPMuxDefault(params UniversalUDPMuxParams) *UniversalUDPMuxDefault {
 	if params.Logger == nil {
-		params.Logger = getLogger()
+		params.Logger = logging.NewDefaultLoggerFactory().NewLogger("ice")
 	}
 	if params.XORMappedAddrCacheTTL == 0 {
 		params.XORMappedAddrCacheTTL = time.Second * 25
--- a/client/iface/configurer/usp.go
+++ b/client/iface/configurer/usp.go
@@ -357,7 +357,7 @@ func toWgUserspaceString(wgCfg wgtypes.Config) string {

 func getFwmark() int {
 	if nbnet.AdvancedRouting() {
-		return nbnet.ControlPlaneMark
+		return nbnet.NetbirdFwmark
 	}
 	return 0
 }
--- a/client/internal/acl/id/id.go
+++ b/client/internal/acl/id/id.go
@@ -18,7 +18,7 @@ func (r RuleID) ID() string {

 func GenerateRouteRuleKey(
 	sources []netip.Prefix,
-	destination manager.Network,
+	destination netip.Prefix,
 	proto manager.Protocol,
 	sPort *manager.Port,
 	dPort *manager.Port,
--- a/client/internal/acl/manager.go
+++ b/client/internal/acl/manager.go
@@ -18,7 +18,6 @@ import (
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/acl/id"
 	"github.com/netbirdio/netbird/client/ssh"
-	"github.com/netbirdio/netbird/management/domain"
 	mgmProto "github.com/netbirdio/netbird/management/proto"
 )

@@ -26,7 +25,7 @@ var ErrSourceRangesEmpty = errors.New("sources range is empty")

 // Manager is a ACL rules manager
 type Manager interface {
-	ApplyFiltering(networkMap *mgmProto.NetworkMap, dnsRouteFeatureFlag bool)
+	ApplyFiltering(networkMap *mgmProto.NetworkMap)
 }

 type protoMatch struct {
@@ -54,7 +53,7 @@ func NewDefaultManager(fm firewall.Manager) *DefaultManager {
 // ApplyFiltering firewall rules to the local firewall manager processed by ACL policy.
 //
 // If allowByDefault is true it appends allow ALL traffic rules to input and output chains.
-func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap, dnsRouteFeatureFlag bool) {
+func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap) {
 	d.mutex.Lock()
 	defer d.mutex.Unlock()

@@ -83,7 +82,7 @@ func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap, dnsRout
 		log.Errorf("failed to set legacy management flag: %v", err)
 	}

-	if err := d.applyRouteACLs(networkMap.RoutesFirewallRules, dnsRouteFeatureFlag); err != nil {
+	if err := d.applyRouteACLs(networkMap.RoutesFirewallRules); err != nil {
 		log.Errorf("Failed to apply route ACLs: %v", err)
 	}

@@ -177,16 +176,16 @@ func (d *DefaultManager) applyPeerACLs(networkMap *mgmProto.NetworkMap) {
 	d.peerRulesPairs = newRulePairs
 }

-func (d *DefaultManager) applyRouteACLs(rules []*mgmProto.RouteFirewallRule, dynamicResolver bool) error {
+func (d *DefaultManager) applyRouteACLs(rules []*mgmProto.RouteFirewallRule) error {
 	newRouteRules := make(map[id.RuleID]struct{}, len(rules))
 	var merr *multierror.Error

 	// Apply new rules - firewall manager will return existing rule ID if already present
 	for _, rule := range rules {
-		id, err := d.applyRouteACL(rule, dynamicResolver)
+		id, err := d.applyRouteACL(rule)
 		if err != nil {
 			if errors.Is(err, ErrSourceRangesEmpty) {
-				log.Debugf("skipping empty sources rule with destination %s: %v", rule.Destination, err)
+				log.Debugf("skipping empty rule with destination %s: %v", rule.Destination, err)
 			} else {
 				merr = multierror.Append(merr, fmt.Errorf("add route rule: %w", err))
 			}
@@ -209,7 +208,7 @@ func (d *DefaultManager) applyRouteACLs(rules []*mgmProto.RouteFirewallRule, dyn
 	return nberrors.FormatErrorOrNil(merr)
 }

-func (d *DefaultManager) applyRouteACL(rule *mgmProto.RouteFirewallRule, dynamicResolver bool) (id.RuleID, error) {
+func (d *DefaultManager) applyRouteACL(rule *mgmProto.RouteFirewallRule) (id.RuleID, error) {
 	if len(rule.SourceRanges) == 0 {
 		return "", ErrSourceRangesEmpty
 	}
@@ -223,9 +222,15 @@ func (d *DefaultManager) applyRouteACL(rule *mgmProto.RouteFirewallRule, dynamic
 		sources = append(sources, source)
 	}

-	destination, err := determineDestination(rule, dynamicResolver, sources)
-	if err != nil {
-		return "", fmt.Errorf("determine destination: %w", err)
+	var destination netip.Prefix
+	if rule.IsDynamic {
+		destination = getDefault(sources[0])
+	} else {
+		var err error
+		destination, err = netip.ParsePrefix(rule.Destination)
+		if err != nil {
+			return "", fmt.Errorf("parse destination: %w", err)
+		}
 	}

 	protocol, err := convertToFirewallProtocol(rule.Protocol)
@@ -575,33 +580,6 @@ func convertPortInfo(portInfo *mgmProto.PortInfo) *firewall.Port {
 	return nil
 }

-func determineDestination(rule *mgmProto.RouteFirewallRule, dynamicResolver bool, sources []netip.Prefix) (firewall.Network, error) {
-	var destination firewall.Network
-
-	if rule.IsDynamic {
-		if dynamicResolver {
-			if len(rule.Domains) > 0 {
-				destination.Set = firewall.NewDomainSet(domain.FromPunycodeList(rule.Domains))
-			} else {
-				// isDynamic is set but no domains = outdated management server
-				log.Warn("connected to an older version of management server (no domains in rules), using default destination")
-				destination.Prefix = getDefault(sources[0])
-			}
-		} else {
-			// client resolves DNS, we (router) don't know the destination
-			destination.Prefix = getDefault(sources[0])
-		}
-		return destination, nil
-	}
-
-	prefix, err := netip.ParsePrefix(rule.Destination)
-	if err != nil {
-		return destination, fmt.Errorf("parse destination: %w", err)
-	}
-	destination.Prefix = prefix
-	return destination, nil
-}
-
 func getDefault(prefix netip.Prefix) netip.Prefix {
 	if prefix.Addr().Is6() {
 		return netip.PrefixFrom(netip.IPv6Unspecified(), 0)
--- a/client/internal/acl/manager_test.go
+++ b/client/internal/acl/manager_test.go
@@ -1,6 +1,7 @@
 package acl

 import (
+	"context"
 	"net"
 	"testing"

@@ -14,7 +15,7 @@ import (
 	mgmProto "github.com/netbirdio/netbird/management/proto"
 )

-var flowLogger = netflow.NewManager(nil, []byte{}, nil).GetLogger()
+var flowLogger = netflow.NewManager(context.Background(), nil, []byte{}, nil).GetLogger()

 func TestDefaultManager(t *testing.T) {
 	networkMap := &mgmProto.NetworkMap{
@@ -66,7 +67,7 @@ func TestDefaultManager(t *testing.T) {
 	acl := NewDefaultManager(fw)

 	t.Run("apply firewall rules", func(t *testing.T) {
-		acl.ApplyFiltering(networkMap, false)
+		acl.ApplyFiltering(networkMap)

 		if len(acl.peerRulesPairs) != 2 {
 			t.Errorf("firewall rules not applied: %v", acl.peerRulesPairs)
@@ -92,7 +93,7 @@ func TestDefaultManager(t *testing.T) {
 			},
 		)

-		acl.ApplyFiltering(networkMap, false)
+		acl.ApplyFiltering(networkMap)

 		// we should have one old and one new rule in the existed rules
 		if len(acl.peerRulesPairs) != 2 {
@@ -116,13 +117,13 @@ func TestDefaultManager(t *testing.T) {
 		networkMap.FirewallRules = networkMap.FirewallRules[:0]

 		networkMap.FirewallRulesIsEmpty = true
-		if acl.ApplyFiltering(networkMap, false); len(acl.peerRulesPairs) != 0 {
+		if acl.ApplyFiltering(networkMap); len(acl.peerRulesPairs) != 0 {
 			t.Errorf("rules should be empty if FirewallRulesIsEmpty is set, got: %v", len(acl.peerRulesPairs))
 			return
 		}

 		networkMap.FirewallRulesIsEmpty = false
-		acl.ApplyFiltering(networkMap, false)
+		acl.ApplyFiltering(networkMap)
 		if len(acl.peerRulesPairs) != 1 {
 			t.Errorf("rules should contain 1 rules if FirewallRulesIsEmpty is not set, got: %v", len(acl.peerRulesPairs))
 			return
@@ -359,7 +360,7 @@ func TestDefaultManagerEnableSSHRules(t *testing.T) {
 	}(fw)
 	acl := NewDefaultManager(fw)

-	acl.ApplyFiltering(networkMap, false)
+	acl.ApplyFiltering(networkMap)

 	if len(acl.peerRulesPairs) != 3 {
 		t.Errorf("expect 3 rules (last must be SSH), got: %d", len(acl.peerRulesPairs))
--- a/client/internal/auth/pkce_flow.go
+++ b/client/internal/auth/pkce_flow.go
@@ -94,17 +94,12 @@ func (p *PKCEAuthorizationFlow) RequestAuthInfo(ctx context.Context) (AuthFlowIn
 	p.codeVerifier = codeVerifier

 	codeChallenge := createCodeChallenge(codeVerifier)
-
-	params := []oauth2.AuthCodeOption{
+	authURL := p.oAuthConfig.AuthCodeURL(
+		state,
 		oauth2.SetAuthURLParam("code_challenge_method", "S256"),
 		oauth2.SetAuthURLParam("code_challenge", codeChallenge),
 		oauth2.SetAuthURLParam("audience", p.providerConfig.Audience),
-	}
-	if !p.providerConfig.DisablePromptLogin {
-		params = append(params, oauth2.SetAuthURLParam("prompt", "login"))
-	}
-
-	authURL := p.oAuthConfig.AuthCodeURL(state, params...)
+	)

 	return AuthFlowInfo{
 		VerificationURIComplete: authURL,
--- a/client/internal/auth/pkce_flow_test.go
+++ b/client/internal/auth/pkce_flow_test.go
@@ -1,49 +0,0 @@
-package auth
-
-import (
-	"context"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/internal"
-)
-
-func TestPromptLogin(t *testing.T) {
-	tt := []struct {
-		name   string
-		prompt bool
-	}{
-		{"PromptLogin", true},
-		{"NoPromptLogin", false},
-	}
-
-	for _, tc := range tt {
-		t.Run(tc.name, func(t *testing.T) {
-			config := internal.PKCEAuthProviderConfig{
-				ClientID:              "test-client-id",
-				Audience:              "test-audience",
-				TokenEndpoint:         "https://test-token-endpoint.com/token",
-				Scope:                 "openid email profile",
-				AuthorizationEndpoint: "https://test-auth-endpoint.com/authorize",
-				RedirectURLs:          []string{"http://127.0.0.1:33992/"},
-				UseIDToken:            true,
-				DisablePromptLogin:    !tc.prompt,
-			}
-			pkce, err := NewPKCEAuthorizationFlow(config)
-			if err != nil {
-				t.Fatalf("Failed to create PKCEAuthorizationFlow: %v", err)
-			}
-			authInfo, err := pkce.RequestAuthInfo(context.Background())
-			if err != nil {
-				t.Fatalf("Failed to request auth info: %v", err)
-			}
-			pattern := "prompt=login"
-			if tc.prompt {
-				require.Contains(t, authInfo.VerificationURIComplete, pattern)
-			} else {
-				require.NotContains(t, authInfo.VerificationURIComplete, pattern)
-			}
-		})
-	}
-}
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -349,25 +349,6 @@ func (c *ConnectClient) Engine() *Engine {
 	return e
 }

-// GetLatestNetworkMap returns the latest network map from the engine.
-func (c *ConnectClient) GetLatestNetworkMap() (*mgmProto.NetworkMap, error) {
-	engine := c.Engine()
-	if engine == nil {
-		return nil, errors.New("engine is not initialized")
-	}
-
-	networkMap, err := engine.GetLatestNetworkMap()
-	if err != nil {
-		return nil, fmt.Errorf("get latest network map: %w", err)
-	}
-
-	if networkMap == nil {
-		return nil, errors.New("network map is not available")
-	}
-
-	return networkMap, nil
-}
-
 // Status returns the current client status
 func (c *ConnectClient) Status() StatusType {
 	if c == nil {
--- a/client/internal/debug/debug.go
+++ b/client/internal/debug/debug.go
--- a/client/internal/debug/debug_mobile.go
+++ b/client/internal/debug/debug_mobile.go
@@ -1,7 +0,0 @@
-//go:build ios || android
-
-package debug
-
-func (g *BundleGenerator) addRoutes() error {
-	return nil
-}
--- a/client/internal/debug/debug_nonlinux.go
+++ b/client/internal/debug/debug_nonlinux.go
@@ -1,8 +0,0 @@
-//go:build !linux || android
-
-package debug
-
-// collectFirewallRules returns nothing on non-linux systems
-func (g *BundleGenerator) addFirewallRules() error {
-	return nil
-}
--- a/client/internal/debug/debug_nonmobile.go
+++ b/client/internal/debug/debug_nonmobile.go
@@ -1,25 +0,0 @@
-//go:build !ios && !android
-
-package debug
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
-)
-
-func (g *BundleGenerator) addRoutes() error {
-	routes, err := systemops.GetRoutesFromTable()
-	if err != nil {
-		return fmt.Errorf("get routes: %w", err)
-	}
-
-	// TODO: get routes including nexthop
-	routesContent := formatRoutes(routes, g.anonymize, g.anonymizer)
-	routesReader := strings.NewReader(routesContent)
-	if err := g.addFileToZip(routesReader, "routes.txt"); err != nil {
-		return fmt.Errorf("add routes file to zip: %w", err)
-	}
-	return nil
-}
--- a/client/internal/debug/debug_test.go
+++ b/client/internal/debug/debug_test.go
@@ -1,543 +0,0 @@
-package debug
-
-import (
-	"encoding/json"
-	"net"
-	"strings"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/anonymize"
-	mgmProto "github.com/netbirdio/netbird/management/proto"
-)
-
-func TestAnonymizeStateFile(t *testing.T) {
-	testState := map[string]json.RawMessage{
-		"null_state": json.RawMessage("null"),
-		"test_state": mustMarshal(map[string]any{
-			// Test simple fields
-			"public_ip":      "203.0.113.1",
-			"private_ip":     "192.168.1.1",
-			"protected_ip":   "100.64.0.1",
-			"well_known_ip":  "8.8.8.8",
-			"ipv6_addr":      "2001:db8::1",
-			"private_ipv6":   "fd00::1",
-			"domain":         "test.example.com",
-			"uri":            "stun:stun.example.com:3478",
-			"uri_with_ip":    "turn:203.0.113.1:3478",
-			"netbird_domain": "device.netbird.cloud",
-
-			// Test CIDR ranges
-			"public_cidr":       "203.0.113.0/24",
-			"private_cidr":      "192.168.0.0/16",
-			"protected_cidr":    "100.64.0.0/10",
-			"ipv6_cidr":         "2001:db8::/32",
-			"private_ipv6_cidr": "fd00::/8",
-
-			// Test nested structures
-			"nested": map[string]any{
-				"ip":     "203.0.113.2",
-				"domain": "nested.example.com",
-				"more_nest": map[string]any{
-					"ip":     "203.0.113.3",
-					"domain": "deep.example.com",
-				},
-			},
-
-			// Test arrays
-			"string_array": []any{
-				"203.0.113.4",
-				"test1.example.com",
-				"test2.example.com",
-			},
-			"object_array": []any{
-				map[string]any{
-					"ip":     "203.0.113.5",
-					"domain": "array1.example.com",
-				},
-				map[string]any{
-					"ip":     "203.0.113.6",
-					"domain": "array2.example.com",
-				},
-			},
-
-			// Test multiple occurrences of same value
-			"duplicate_ip":     "203.0.113.1",      // Same as public_ip
-			"duplicate_domain": "test.example.com", // Same as domain
-
-			// Test URIs with various schemes
-			"stun_uri":  "stun:stun.example.com:3478",
-			"turns_uri": "turns:turns.example.com:5349",
-			"http_uri":  "http://web.example.com:80",
-			"https_uri": "https://secure.example.com:443",
-
-			// Test strings that might look like IPs but aren't
-			"not_ip":         "300.300.300.300",
-			"partial_ip":     "192.168",
-			"ip_like_string": "1234.5678",
-
-			// Test mixed content strings
-			"mixed_content": "Server at 203.0.113.1 (test.example.com) on port 80",
-
-			// Test empty and special values
-			"empty_string":  "",
-			"null_value":    nil,
-			"numeric_value": 42,
-			"boolean_value": true,
-		}),
-		"route_state": mustMarshal(map[string]any{
-			"routes": []any{
-				map[string]any{
-					"network": "203.0.113.0/24",
-					"gateway": "203.0.113.1",
-					"domains": []any{
-						"route1.example.com",
-						"route2.example.com",
-					},
-				},
-				map[string]any{
-					"network": "2001:db8::/32",
-					"gateway": "2001:db8::1",
-					"domains": []any{
-						"route3.example.com",
-						"route4.example.com",
-					},
-				},
-			},
-			// Test map with IP/CIDR keys
-			"refCountMap": map[string]any{
-				"203.0.113.1/32": map[string]any{
-					"Count": 1,
-					"Out": map[string]any{
-						"IP": "192.168.0.1",
-						"Intf": map[string]any{
-							"Name":  "eth0",
-							"Index": 1,
-						},
-					},
-				},
-				"2001:db8::1/128": map[string]any{
-					"Count": 1,
-					"Out": map[string]any{
-						"IP": "fe80::1",
-						"Intf": map[string]any{
-							"Name":  "eth0",
-							"Index": 1,
-						},
-					},
-				},
-				"10.0.0.1/32": map[string]any{ // private IP should remain unchanged
-					"Count": 1,
-					"Out": map[string]any{
-						"IP": "192.168.0.1",
-					},
-				},
-			},
-		}),
-	}
-
-	anonymizer := anonymize.NewAnonymizer(anonymize.DefaultAddresses())
-
-	// Pre-seed the domains we need to verify in the test assertions
-	anonymizer.AnonymizeDomain("test.example.com")
-	anonymizer.AnonymizeDomain("nested.example.com")
-	anonymizer.AnonymizeDomain("deep.example.com")
-	anonymizer.AnonymizeDomain("array1.example.com")
-
-	err := anonymizeStateFile(&testState, anonymizer)
-	require.NoError(t, err)
-
-	// Helper function to unmarshal and get nested values
-	var state map[string]any
-	err = json.Unmarshal(testState["test_state"], &state)
-	require.NoError(t, err)
-
-	// Test null state remains unchanged
-	require.Equal(t, "null", string(testState["null_state"]))
-
-	// Basic assertions
-	assert.NotEqual(t, "203.0.113.1", state["public_ip"])
-	assert.Equal(t, "192.168.1.1", state["private_ip"])  // Private IP unchanged
-	assert.Equal(t, "100.64.0.1", state["protected_ip"]) // Protected IP unchanged
-	assert.Equal(t, "8.8.8.8", state["well_known_ip"])   // Well-known IP unchanged
-	assert.NotEqual(t, "2001:db8::1", state["ipv6_addr"])
-	assert.Equal(t, "fd00::1", state["private_ipv6"]) // Private IPv6 unchanged
-	assert.NotEqual(t, "test.example.com", state["domain"])
-	assert.True(t, strings.HasSuffix(state["domain"].(string), ".domain"))
-	assert.Equal(t, "device.netbird.cloud", state["netbird_domain"]) // Netbird domain unchanged
-
-	// CIDR ranges
-	assert.NotEqual(t, "203.0.113.0/24", state["public_cidr"])
-	assert.Contains(t, state["public_cidr"], "/24")           // Prefix preserved
-	assert.Equal(t, "192.168.0.0/16", state["private_cidr"])  // Private CIDR unchanged
-	assert.Equal(t, "100.64.0.0/10", state["protected_cidr"]) // Protected CIDR unchanged
-	assert.NotEqual(t, "2001:db8::/32", state["ipv6_cidr"])
-	assert.Contains(t, state["ipv6_cidr"], "/32") // IPv6 prefix preserved
-
-	// Nested structures
-	nested := state["nested"].(map[string]any)
-	assert.NotEqual(t, "203.0.113.2", nested["ip"])
-	assert.NotEqual(t, "nested.example.com", nested["domain"])
-	moreNest := nested["more_nest"].(map[string]any)
-	assert.NotEqual(t, "203.0.113.3", moreNest["ip"])
-	assert.NotEqual(t, "deep.example.com", moreNest["domain"])
-
-	// Arrays
-	strArray := state["string_array"].([]any)
-	assert.NotEqual(t, "203.0.113.4", strArray[0])
-	assert.NotEqual(t, "test1.example.com", strArray[1])
-	assert.True(t, strings.HasSuffix(strArray[1].(string), ".domain"))
-
-	objArray := state["object_array"].([]any)
-	firstObj := objArray[0].(map[string]any)
-	assert.NotEqual(t, "203.0.113.5", firstObj["ip"])
-	assert.NotEqual(t, "array1.example.com", firstObj["domain"])
-
-	// Duplicate values should be anonymized consistently
-	assert.Equal(t, state["public_ip"], state["duplicate_ip"])
-	assert.Equal(t, state["domain"], state["duplicate_domain"])
-
-	// URIs
-	assert.NotContains(t, state["stun_uri"], "stun.example.com")
-	assert.NotContains(t, state["turns_uri"], "turns.example.com")
-	assert.NotContains(t, state["http_uri"], "web.example.com")
-	assert.NotContains(t, state["https_uri"], "secure.example.com")
-
-	// Non-IP strings should remain unchanged
-	assert.Equal(t, "300.300.300.300", state["not_ip"])
-	assert.Equal(t, "192.168", state["partial_ip"])
-	assert.Equal(t, "1234.5678", state["ip_like_string"])
-
-	// Mixed content should have IPs and domains replaced
-	mixedContent := state["mixed_content"].(string)
-	assert.NotContains(t, mixedContent, "203.0.113.1")
-	assert.NotContains(t, mixedContent, "test.example.com")
-	assert.Contains(t, mixedContent, "Server at ")
-	assert.Contains(t, mixedContent, " on port 80")
-
-	// Special values should remain unchanged
-	assert.Equal(t, "", state["empty_string"])
-	assert.Nil(t, state["null_value"])
-	assert.Equal(t, float64(42), state["numeric_value"])
-	assert.Equal(t, true, state["boolean_value"])
-
-	// Check route state
-	var routeState map[string]any
-	err = json.Unmarshal(testState["route_state"], &routeState)
-	require.NoError(t, err)
-
-	routes := routeState["routes"].([]any)
-	route1 := routes[0].(map[string]any)
-	assert.NotEqual(t, "203.0.113.0/24", route1["network"])
-	assert.Contains(t, route1["network"], "/24")
-	assert.NotEqual(t, "203.0.113.1", route1["gateway"])
-	domains := route1["domains"].([]any)
-	assert.True(t, strings.HasSuffix(domains[0].(string), ".domain"))
-	assert.True(t, strings.HasSuffix(domains[1].(string), ".domain"))
-
-	// Check map keys are anonymized
-	refCountMap := routeState["refCountMap"].(map[string]any)
-	hasPublicIPKey := false
-	hasIPv6Key := false
-	hasPrivateIPKey := false
-	for key := range refCountMap {
-		if strings.Contains(key, "203.0.113.1") {
-			hasPublicIPKey = true
-		}
-		if strings.Contains(key, "2001:db8::1") {
-			hasIPv6Key = true
-		}
-		if key == "10.0.0.1/32" {
-			hasPrivateIPKey = true
-		}
-	}
-	assert.False(t, hasPublicIPKey, "public IP in key should be anonymized")
-	assert.False(t, hasIPv6Key, "IPv6 in key should be anonymized")
-	assert.True(t, hasPrivateIPKey, "private IP in key should remain unchanged")
-}
-
-func mustMarshal(v any) json.RawMessage {
-	data, err := json.Marshal(v)
-	if err != nil {
-		panic(err)
-	}
-	return data
-}
-
-func TestAnonymizeNetworkMap(t *testing.T) {
-	networkMap := &mgmProto.NetworkMap{
-		PeerConfig: &mgmProto.PeerConfig{
-			Address: "203.0.113.5",
-			Dns:     "1.2.3.4",
-			Fqdn:    "peer1.corp.example.com",
-			SshConfig: &mgmProto.SSHConfig{
-				SshPubKey: []byte("ssh-rsa AAAAB3NzaC1..."),
-			},
-		},
-		RemotePeers: []*mgmProto.RemotePeerConfig{
-			{
-				AllowedIps: []string{
-					"203.0.113.1/32",
-					"2001:db8:1234::1/128",
-					"192.168.1.1/32",
-					"100.64.0.1/32",
-					"10.0.0.1/32",
-				},
-				Fqdn: "peer2.corp.example.com",
-				SshConfig: &mgmProto.SSHConfig{
-					SshPubKey: []byte("ssh-rsa AAAAB3NzaC2..."),
-				},
-			},
-		},
-		Routes: []*mgmProto.Route{
-			{
-				Network: "197.51.100.0/24",
-				Domains: []string{"prod.example.com", "staging.example.com"},
-				NetID:   "net-123abc",
-			},
-		},
-		DNSConfig: &mgmProto.DNSConfig{
-			NameServerGroups: []*mgmProto.NameServerGroup{
-				{
-					NameServers: []*mgmProto.NameServer{
-						{IP: "8.8.8.8"},
-						{IP: "1.1.1.1"},
-						{IP: "203.0.113.53"},
-					},
-					Domains: []string{"example.com", "internal.example.com"},
-				},
-			},
-			CustomZones: []*mgmProto.CustomZone{
-				{
-					Domain: "custom.example.com",
-					Records: []*mgmProto.SimpleRecord{
-						{
-							Name:  "www.custom.example.com",
-							Type:  1,
-							RData: "203.0.113.10",
-						},
-						{
-							Name:  "internal.custom.example.com",
-							Type:  1,
-							RData: "192.168.1.10",
-						},
-					},
-				},
-			},
-		},
-	}
-
-	// Create anonymizer with test addresses
-	anonymizer := anonymize.NewAnonymizer(anonymize.DefaultAddresses())
-
-	// Anonymize the network map
-	err := anonymizeNetworkMap(networkMap, anonymizer)
-	require.NoError(t, err)
-
-	// Test PeerConfig anonymization
-	peerCfg := networkMap.PeerConfig
-	require.NotEqual(t, "203.0.113.5", peerCfg.Address)
-
-	// Verify DNS and FQDN are properly anonymized
-	require.NotEqual(t, "1.2.3.4", peerCfg.Dns)
-	require.NotEqual(t, "peer1.corp.example.com", peerCfg.Fqdn)
-	require.True(t, strings.HasSuffix(peerCfg.Fqdn, ".domain"))
-
-	// Verify SSH key is replaced
-	require.Equal(t, []byte("ssh-placeholder-key"), peerCfg.SshConfig.SshPubKey)
-
-	// Test RemotePeers anonymization
-	remotePeer := networkMap.RemotePeers[0]
-
-	// Verify FQDN is anonymized
-	require.NotEqual(t, "peer2.corp.example.com", remotePeer.Fqdn)
-	require.True(t, strings.HasSuffix(remotePeer.Fqdn, ".domain"))
-
-	// Check that public IPs are anonymized but private IPs are preserved
-	for _, allowedIP := range remotePeer.AllowedIps {
-		ip, _, err := net.ParseCIDR(allowedIP)
-		require.NoError(t, err)
-
-		if ip.IsPrivate() || isInCGNATRange(ip) {
-			require.Contains(t, []string{
-				"192.168.1.1/32",
-				"100.64.0.1/32",
-				"10.0.0.1/32",
-			}, allowedIP)
-		} else {
-			require.NotContains(t, []string{
-				"203.0.113.1/32",
-				"2001:db8:1234::1/128",
-			}, allowedIP)
-		}
-	}
-
-	// Test Routes anonymization
-	route := networkMap.Routes[0]
-	require.NotEqual(t, "197.51.100.0/24", route.Network)
-	for _, domain := range route.Domains {
-		require.True(t, strings.HasSuffix(domain, ".domain"))
-		require.NotContains(t, domain, "example.com")
-	}
-
-	// Test DNS config anonymization
-	dnsConfig := networkMap.DNSConfig
-	nameServerGroup := dnsConfig.NameServerGroups[0]
-
-	// Verify well-known DNS servers are preserved
-	require.Equal(t, "8.8.8.8", nameServerGroup.NameServers[0].IP)
-	require.Equal(t, "1.1.1.1", nameServerGroup.NameServers[1].IP)
-
-	// Verify public DNS server is anonymized
-	require.NotEqual(t, "203.0.113.53", nameServerGroup.NameServers[2].IP)
-
-	// Verify domains are anonymized
-	for _, domain := range nameServerGroup.Domains {
-		require.True(t, strings.HasSuffix(domain, ".domain"))
-		require.NotContains(t, domain, "example.com")
-	}
-
-	// Test CustomZones anonymization
-	customZone := dnsConfig.CustomZones[0]
-	require.True(t, strings.HasSuffix(customZone.Domain, ".domain"))
-	require.NotContains(t, customZone.Domain, "example.com")
-
-	// Verify records are properly anonymized
-	for _, record := range customZone.Records {
-		require.True(t, strings.HasSuffix(record.Name, ".domain"))
-		require.NotContains(t, record.Name, "example.com")
-
-		ip := net.ParseIP(record.RData)
-		if ip != nil {
-			if !ip.IsPrivate() {
-				require.NotEqual(t, "203.0.113.10", record.RData)
-			} else {
-				require.Equal(t, "192.168.1.10", record.RData)
-			}
-		}
-	}
-}
-
-// Helper function to check if IP is in CGNAT range
-func isInCGNATRange(ip net.IP) bool {
-	cgnat := net.IPNet{
-		IP:   net.ParseIP("100.64.0.0"),
-		Mask: net.CIDRMask(10, 32),
-	}
-	return cgnat.Contains(ip)
-}
-
-func TestAnonymizeFirewallRules(t *testing.T) {
-	// TODO: Add ipv6
-
-	// Example iptables-save output
-	iptablesSave := `# Generated by iptables-save v1.8.7 on Thu Dec 19 10:00:00 2024
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -s 44.192.140.1/32 -j DROP
-A FORWARD -s 10.0.0.0/8 -j DROP
-A FORWARD -s 44.192.140.0/24 -d 52.84.12.34/24 -j ACCEPT
-COMMIT
-
-*nat
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.100.0/24 -j MASQUERADE
-A PREROUTING -d 44.192.140.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
-COMMIT`
-
-	// Example iptables -v -n -L output
-	iptablesVerbose := `Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
-    pkts bytes target     prot opt in     out     source               destination         
-       0     0 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0           
-     100  1024 DROP       all  --  *      *       44.192.140.1         0.0.0.0/0
-
-Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
-    pkts bytes target     prot opt in     out     source               destination         
-       0     0 DROP       all  --  *      *       10.0.0.0/8           0.0.0.0/0           
-      25   256 ACCEPT     all  --  *      *       44.192.140.0/24      52.84.12.34/24
-
-Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
-    pkts bytes target     prot opt in     out     source               destination`
-
-	// Example nftables output
-	nftablesRules := `table inet filter {
-        chain input {
-                type filter hook input priority filter; policy accept;
-                ip saddr 192.168.1.1 accept
-                ip saddr 44.192.140.1 drop
-        }
-        chain forward {
-                type filter hook forward priority filter; policy accept;
-                ip saddr 10.0.0.0/8 drop
-                ip saddr 44.192.140.0/24 ip daddr 52.84.12.34/24 accept
-        }
-    }`
-
-	anonymizer := anonymize.NewAnonymizer(anonymize.DefaultAddresses())
-
-	// Test iptables-save anonymization
-	anonIptablesSave := anonymizer.AnonymizeString(iptablesSave)
-
-	// Private IP addresses should remain unchanged
-	assert.Contains(t, anonIptablesSave, "192.168.1.0/24")
-	assert.Contains(t, anonIptablesSave, "10.0.0.0/8")
-	assert.Contains(t, anonIptablesSave, "192.168.100.0/24")
-	assert.Contains(t, anonIptablesSave, "192.168.1.10")
-
-	// Public IP addresses should be anonymized to the default range
-	assert.NotContains(t, anonIptablesSave, "44.192.140.1")
-	assert.NotContains(t, anonIptablesSave, "44.192.140.0/24")
-	assert.NotContains(t, anonIptablesSave, "52.84.12.34")
-	assert.Contains(t, anonIptablesSave, "198.51.100.") // Default anonymous range
-
-	// Structure should be preserved
-	assert.Contains(t, anonIptablesSave, "*filter")
-	assert.Contains(t, anonIptablesSave, ":INPUT ACCEPT [0:0]")
-	assert.Contains(t, anonIptablesSave, "COMMIT")
-	assert.Contains(t, anonIptablesSave, "-j MASQUERADE")
-	assert.Contains(t, anonIptablesSave, "--dport 80")
-
-	// Test iptables verbose output anonymization
-	anonIptablesVerbose := anonymizer.AnonymizeString(iptablesVerbose)
-
-	// Private IP addresses should remain unchanged
-	assert.Contains(t, anonIptablesVerbose, "192.168.1.0/24")
-	assert.Contains(t, anonIptablesVerbose, "10.0.0.0/8")
-
-	// Public IP addresses should be anonymized to the default range
-	assert.NotContains(t, anonIptablesVerbose, "44.192.140.1")
-	assert.NotContains(t, anonIptablesVerbose, "44.192.140.0/24")
-	assert.NotContains(t, anonIptablesVerbose, "52.84.12.34")
-	assert.Contains(t, anonIptablesVerbose, "198.51.100.") // Default anonymous range
-
-	// Structure and counters should be preserved
-	assert.Contains(t, anonIptablesVerbose, "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)")
-	assert.Contains(t, anonIptablesVerbose, "100  1024 DROP")
-	assert.Contains(t, anonIptablesVerbose, "pkts bytes target")
-
-	// Test nftables anonymization
-	anonNftables := anonymizer.AnonymizeString(nftablesRules)
-
-	// Private IP addresses should remain unchanged
-	assert.Contains(t, anonNftables, "192.168.1.1")
-	assert.Contains(t, anonNftables, "10.0.0.0/8")
-
-	// Public IP addresses should be anonymized to the default range
-	assert.NotContains(t, anonNftables, "44.192.140.1")
-	assert.NotContains(t, anonNftables, "44.192.140.0/24")
-	assert.NotContains(t, anonNftables, "52.84.12.34")
-	assert.Contains(t, anonNftables, "198.51.100.") // Default anonymous range
-
-	// Structure should be preserved
-	assert.Contains(t, anonNftables, "table inet filter {")
-	assert.Contains(t, anonNftables, "chain input {")
-	assert.Contains(t, anonNftables, "type filter hook input priority filter; policy accept;")
-}
--- a/client/internal/dns/file_unix.go
+++ b/client/internal/dns/file_unix.go
@@ -239,7 +239,7 @@ func searchDomains(config HostDNSConfig) []string {
 			continue
 		}

-		listOfDomains = append(listOfDomains, strings.TrimSuffix(dConf.Domain, "."))
+		listOfDomains = append(listOfDomains, dConf.Domain)
 	}
 	return listOfDomains
 }
--- a/client/internal/dns/handler_chain.go
+++ b/client/internal/dns/handler_chain.go
@@ -75,7 +75,12 @@ func (c *HandlerChain) AddHandler(pattern string, handler dns.Handler, priority
 	}

 	// First remove any existing handler with same pattern (case-insensitive) and priority
-	c.removeEntry(origPattern, priority)
+	for i := len(c.handlers) - 1; i >= 0; i-- {
+		if strings.EqualFold(c.handlers[i].OrigPattern, origPattern) && c.handlers[i].Priority == priority {
+			c.handlers = append(c.handlers[:i], c.handlers[i+1:]...)
+			break
+		}
+	}

 	// Check if handler implements SubdomainMatcher interface
 	matchSubdomains := false
@@ -128,20 +133,30 @@ func (c *HandlerChain) RemoveHandler(pattern string, priority int) {

 	pattern = dns.Fqdn(pattern)

-	c.removeEntry(pattern, priority)
-}
-
-func (c *HandlerChain) removeEntry(pattern string, priority int) {
 	// Find and remove handlers matching both original pattern (case-insensitive) and priority
 	for i := len(c.handlers) - 1; i >= 0; i-- {
 		entry := c.handlers[i]
 		if strings.EqualFold(entry.OrigPattern, pattern) && entry.Priority == priority {
 			c.handlers = append(c.handlers[:i], c.handlers[i+1:]...)
-			break
+			return
 		}
 	}
 }

+// HasHandlers returns true if there are any handlers remaining for the given pattern
+func (c *HandlerChain) HasHandlers(pattern string) bool {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+
+	pattern = strings.ToLower(dns.Fqdn(pattern))
+	for _, entry := range c.handlers {
+		if strings.EqualFold(entry.Pattern, pattern) {
+			return true
+		}
+	}
+	return false
+}
+
 func (c *HandlerChain) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	if len(r.Question) == 0 {
 		return
--- a/client/internal/dns/handler_chain_test.go
+++ b/client/internal/dns/handler_chain_test.go
@@ -1,6 +1,7 @@
 package dns_test

 import (
+	"net"
 	"testing"

 	"github.com/miekg/dns"
@@ -8,7 +9,6 @@ import (
 	"github.com/stretchr/testify/mock"

 	nbdns "github.com/netbirdio/netbird/client/internal/dns"
-	"github.com/netbirdio/netbird/client/internal/dns/test"
 )

 // TestHandlerChain_ServeDNS_Priorities tests that handlers are executed in priority order
@@ -30,7 +30,7 @@ func TestHandlerChain_ServeDNS_Priorities(t *testing.T) {
 	r.SetQuestion("example.com.", dns.TypeA)

 	// Create test writer
-	w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
+	w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}

 	// Setup expectations - only highest priority handler should be called
 	dnsRouteHandler.On("ServeDNS", mock.Anything, r).Once()
@@ -142,7 +142,7 @@ func TestHandlerChain_ServeDNS_DomainMatching(t *testing.T) {

 			r := new(dns.Msg)
 			r.SetQuestion(tt.queryDomain, dns.TypeA)
-			w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
+			w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}

 			chain.ServeDNS(w, r)

@@ -259,7 +259,7 @@ func TestHandlerChain_ServeDNS_OverlappingDomains(t *testing.T) {
 			// Create and execute request
 			r := new(dns.Msg)
 			r.SetQuestion(tt.queryDomain, dns.TypeA)
-			w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
+			w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
 			chain.ServeDNS(w, r)

 			// Verify expectations
@@ -316,7 +316,7 @@ func TestHandlerChain_ServeDNS_ChainContinuation(t *testing.T) {
 	}).Once()

 	// Execute
-	w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
+	w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
 	chain.ServeDNS(w, r)

 	// Verify all handlers were called in order
@@ -325,6 +325,20 @@ func TestHandlerChain_ServeDNS_ChainContinuation(t *testing.T) {
 	handler3.AssertExpectations(t)
 }

+// mockResponseWriter implements dns.ResponseWriter for testing
+type mockResponseWriter struct {
+	mock.Mock
+}
+
+func (m *mockResponseWriter) LocalAddr() net.Addr       { return nil }
+func (m *mockResponseWriter) RemoteAddr() net.Addr      { return nil }
+func (m *mockResponseWriter) WriteMsg(*dns.Msg) error   { return nil }
+func (m *mockResponseWriter) Write([]byte) (int, error) { return 0, nil }
+func (m *mockResponseWriter) Close() error              { return nil }
+func (m *mockResponseWriter) TsigStatus() error         { return nil }
+func (m *mockResponseWriter) TsigTimersOnly(bool)       {}
+func (m *mockResponseWriter) Hijack()                   {}
+
 func TestHandlerChain_PriorityDeregistration(t *testing.T) {
 	tests := []struct {
 		name string
@@ -411,7 +425,7 @@ func TestHandlerChain_PriorityDeregistration(t *testing.T) {
 			// Create test request
 			r := new(dns.Msg)
 			r.SetQuestion(tt.query, dns.TypeA)
-			w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
+			w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}

 			// Setup expectations
 			for priority, handler := range handlers {
@@ -429,6 +443,14 @@ func TestHandlerChain_PriorityDeregistration(t *testing.T) {
 			for _, handler := range handlers {
 				handler.AssertExpectations(t)
 			}
+
+			// Verify handler exists check
+			for priority, shouldExist := range tt.expectedCalls {
+				if shouldExist {
+					assert.True(t, chain.HasHandlers(tt.ops[0].pattern),
+						"Handler chain should have handlers for pattern after removing priority %d", priority)
+				}
+			}
 		})
 	}
 }
@@ -448,69 +470,45 @@ func TestHandlerChain_MultiPriorityHandling(t *testing.T) {
 	r := new(dns.Msg)
 	r.SetQuestion(testQuery, dns.TypeA)

-	// Keep track of mocks for the final assertion in Step 4
-	mocks := []*nbdns.MockSubdomainHandler{routeHandler, matchHandler, defaultHandler}
-
 	// Add handlers in mixed order
 	chain.AddHandler(testDomain, defaultHandler, nbdns.PriorityDefault)
 	chain.AddHandler(testDomain, routeHandler, nbdns.PriorityDNSRoute)
 	chain.AddHandler(testDomain, matchHandler, nbdns.PriorityMatchDomain)

-	// Test 1: Initial state
-	w1 := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
+	// Test 1: Initial state with all three handlers
+	w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
 	// Highest priority handler (routeHandler) should be called
 	routeHandler.On("ServeDNS", mock.Anything, r).Return().Once()
-	matchHandler.On("ServeDNS", mock.Anything, r).Maybe()   // Ensure others are not expected yet
-	defaultHandler.On("ServeDNS", mock.Anything, r).Maybe() // Ensure others are not expected yet

-	chain.ServeDNS(w1, r)
+	chain.ServeDNS(w, r)
 	routeHandler.AssertExpectations(t)

-	routeHandler.ExpectedCalls = nil
-	routeHandler.Calls = nil
-	matchHandler.ExpectedCalls = nil
-	matchHandler.Calls = nil
-	defaultHandler.ExpectedCalls = nil
-	defaultHandler.Calls = nil
-
 	// Test 2: Remove highest priority handler
 	chain.RemoveHandler(testDomain, nbdns.PriorityDNSRoute)
+	assert.True(t, chain.HasHandlers(testDomain))

-	w2 := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
+	w = &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
 	// Now middle priority handler (matchHandler) should be called
 	matchHandler.On("ServeDNS", mock.Anything, r).Return().Once()
-	defaultHandler.On("ServeDNS", mock.Anything, r).Maybe() // Ensure default is not expected yet

-	chain.ServeDNS(w2, r)
+	chain.ServeDNS(w, r)
 	matchHandler.AssertExpectations(t)

-	matchHandler.ExpectedCalls = nil
-	matchHandler.Calls = nil
-	defaultHandler.ExpectedCalls = nil
-	defaultHandler.Calls = nil
-
 	// Test 3: Remove middle priority handler
 	chain.RemoveHandler(testDomain, nbdns.PriorityMatchDomain)
+	assert.True(t, chain.HasHandlers(testDomain))

-	w3 := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
+	w = &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
 	// Now lowest priority handler (defaultHandler) should be called
 	defaultHandler.On("ServeDNS", mock.Anything, r).Return().Once()

-	chain.ServeDNS(w3, r)
+	chain.ServeDNS(w, r)
 	defaultHandler.AssertExpectations(t)

-	defaultHandler.ExpectedCalls = nil
-	defaultHandler.Calls = nil
-
 	// Test 4: Remove last handler
 	chain.RemoveHandler(testDomain, nbdns.PriorityDefault)

-	w4 := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
-	chain.ServeDNS(w4, r) // Call ServeDNS on the now empty chain for this domain
-
-	for _, m := range mocks {
-		m.AssertNumberOfCalls(t, "ServeDNS", 0)
-	}
+	assert.False(t, chain.HasHandlers(testDomain))
 }

 func TestHandlerChain_CaseSensitivity(t *testing.T) {
@@ -661,7 +659,7 @@ func TestHandlerChain_CaseSensitivity(t *testing.T) {
 			// Execute request
 			r := new(dns.Msg)
 			r.SetQuestion(tt.query, dns.TypeA)
-			chain.ServeDNS(&test.MockResponseWriter{}, r)
+			chain.ServeDNS(&mockResponseWriter{}, r)

 			// Verify each handler was called exactly as expected
 			for _, h := range tt.addHandlers {
@@ -805,7 +803,7 @@ func TestHandlerChain_DomainSpecificityOrdering(t *testing.T) {

 			r := new(dns.Msg)
 			r.SetQuestion(tt.query, dns.TypeA)
-			w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
+			w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}

 			// Setup handler expectations
 			for pattern, handler := range handlers {
@@ -832,165 +830,3 @@ func TestHandlerChain_DomainSpecificityOrdering(t *testing.T) {
 		})
 	}
 }
-
-func TestHandlerChain_AddRemoveRoundtrip(t *testing.T) {
-	tests := []struct {
-		name            string
-		addPattern      string
-		removePattern   string
-		queryPattern    string
-		shouldBeRemoved bool
-		description     string
-	}{
-		{
-			name:            "exact same pattern",
-			addPattern:      "example.com.",
-			removePattern:   "example.com.",
-			queryPattern:    "example.com.",
-			shouldBeRemoved: true,
-			description:     "Adding and removing with identical patterns",
-		},
-		{
-			name:            "case difference",
-			addPattern:      "Example.Com.",
-			removePattern:   "EXAMPLE.COM.",
-			queryPattern:    "example.com.",
-			shouldBeRemoved: true,
-			description:     "Adding with mixed case, removing with uppercase",
-		},
-		{
-			name:            "reversed case difference",
-			addPattern:      "EXAMPLE.ORG.",
-			removePattern:   "example.org.",
-			queryPattern:    "example.org.",
-			shouldBeRemoved: true,
-			description:     "Adding with uppercase, removing with lowercase",
-		},
-		{
-			name:            "add wildcard, remove wildcard",
-			addPattern:      "*.example.com.",
-			removePattern:   "*.example.com.",
-			queryPattern:    "sub.example.com.",
-			shouldBeRemoved: true,
-			description:     "Adding and removing with identical wildcard patterns",
-		},
-		{
-			name:            "add wildcard, remove transformed pattern",
-			addPattern:      "*.example.net.",
-			removePattern:   "example.net.",
-			queryPattern:    "sub.example.net.",
-			shouldBeRemoved: false,
-			description:     "Adding with wildcard, removing with non-wildcard pattern",
-		},
-		{
-			name:            "add transformed pattern, remove wildcard",
-			addPattern:      "example.io.",
-			removePattern:   "*.example.io.",
-			queryPattern:    "example.io.",
-			shouldBeRemoved: false,
-			description:     "Adding with non-wildcard pattern, removing with wildcard pattern",
-		},
-		{
-			name:            "trailing dot difference",
-			addPattern:      "example.dev",
-			removePattern:   "example.dev.",
-			queryPattern:    "example.dev.",
-			shouldBeRemoved: true,
-			description:     "Adding without trailing dot, removing with trailing dot",
-		},
-		{
-			name:            "reversed trailing dot difference",
-			addPattern:      "example.app.",
-			removePattern:   "example.app",
-			queryPattern:    "example.app.",
-			shouldBeRemoved: true,
-			description:     "Adding with trailing dot, removing without trailing dot",
-		},
-		{
-			name:            "mixed case and wildcard",
-			addPattern:      "*.Example.Site.",
-			removePattern:   "*.EXAMPLE.SITE.",
-			queryPattern:    "sub.example.site.",
-			shouldBeRemoved: true,
-			description:     "Adding mixed case wildcard, removing uppercase wildcard",
-		},
-		{
-			name:            "root zone",
-			addPattern:      ".",
-			removePattern:   ".",
-			queryPattern:    "random.domain.",
-			shouldBeRemoved: true,
-			description:     "Adding and removing root zone",
-		},
-		{
-			name:            "wrong domain",
-			addPattern:      "example.com.",
-			removePattern:   "different.com.",
-			queryPattern:    "example.com.",
-			shouldBeRemoved: false,
-			description:     "Adding one domain, trying to remove a different domain",
-		},
-		{
-			name:            "subdomain mismatch",
-			addPattern:      "sub.example.com.",
-			removePattern:   "example.com.",
-			queryPattern:    "sub.example.com.",
-			shouldBeRemoved: false,
-			description:     "Adding subdomain, trying to remove parent domain",
-		},
-		{
-			name:            "parent domain mismatch",
-			addPattern:      "example.com.",
-			removePattern:   "sub.example.com.",
-			queryPattern:    "example.com.",
-			shouldBeRemoved: false,
-			description:     "Adding parent domain, trying to remove subdomain",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			chain := nbdns.NewHandlerChain()
-
-			handler := &nbdns.MockHandler{}
-			r := new(dns.Msg)
-			r.SetQuestion(tt.queryPattern, dns.TypeA)
-			w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
-
-			// First verify no handler is called before adding any
-			chain.ServeDNS(w, r)
-			handler.AssertNotCalled(t, "ServeDNS")
-
-			// Add handler
-			chain.AddHandler(tt.addPattern, handler, nbdns.PriorityDefault)
-
-			// Verify handler is called after adding
-			handler.On("ServeDNS", mock.Anything, r).Once()
-			chain.ServeDNS(w, r)
-			handler.AssertExpectations(t)
-
-			// Reset mock for the next test
-			handler.ExpectedCalls = nil
-
-			// Remove handler
-			chain.RemoveHandler(tt.removePattern, nbdns.PriorityDefault)
-
-			// Set up expectations based on whether removal should succeed
-			if !tt.shouldBeRemoved {
-				handler.On("ServeDNS", mock.Anything, r).Once()
-			}
-
-			// Test if handler is still called after removal attempt
-			chain.ServeDNS(w, r)
-
-			if tt.shouldBeRemoved {
-				handler.AssertNotCalled(t, "ServeDNS",
-					"Handler should not be called after successful removal with pattern %q",
-					tt.removePattern)
-			} else {
-				handler.AssertExpectations(t)
-				handler.ExpectedCalls = nil
-			}
-		})
-	}
-}
--- a/client/internal/dns/host.go
+++ b/client/internal/dns/host.go
@@ -5,8 +5,6 @@ import (
 	"net/netip"
 	"strings"

-	"github.com/miekg/dns"
-
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 	nbdns "github.com/netbirdio/netbird/dns"
 )
@@ -14,8 +12,8 @@ import (
 var ErrRouteAllWithoutNameserverGroup = fmt.Errorf("unable to configure DNS for this peer using file manager without a nameserver group with all domains configured")

 const (
-	ipv4ReverseZone = ".in-addr.arpa."
-	ipv6ReverseZone = ".ip6.arpa."
+	ipv4ReverseZone = ".in-addr.arpa"
+	ipv6ReverseZone = ".ip6.arpa"
 )

 type hostManager interface {
@@ -105,7 +103,7 @@ func dnsConfigToHostDNSConfig(dnsConfig nbdns.Config, ip string, port int) HostD

 		for _, domain := range nsConfig.Domains {
 			config.Domains = append(config.Domains, DomainConfig{
-				Domain:    strings.ToLower(dns.Fqdn(domain)),
+				Domain:    strings.TrimSuffix(domain, "."),
 				MatchOnly: !nsConfig.SearchDomainsEnabled,
 			})
 		}
@@ -114,7 +112,7 @@ func dnsConfigToHostDNSConfig(dnsConfig nbdns.Config, ip string, port int) HostD
 	for _, customZone := range dnsConfig.CustomZones {
 		matchOnly := strings.HasSuffix(customZone.Domain, ipv4ReverseZone) || strings.HasSuffix(customZone.Domain, ipv6ReverseZone)
 		config.Domains = append(config.Domains, DomainConfig{
-			Domain:    strings.ToLower(dns.Fqdn(customZone.Domain)),
+			Domain:    strings.TrimSuffix(customZone.Domain, "."),
 			MatchOnly: matchOnly,
 		})
 	}
--- a/client/internal/dns/host_darwin.go
+++ b/client/internal/dns/host_darwin.go
@@ -79,10 +79,10 @@ func (s *systemConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *
 			continue
 		}
 		if dConf.MatchOnly {
-			matchDomains = append(matchDomains, strings.TrimSuffix(dConf.Domain, "."))
+			matchDomains = append(matchDomains, dConf.Domain)
 			continue
 		}
-		searchDomains = append(searchDomains, strings.TrimSuffix(""+dConf.Domain, "."))
+		searchDomains = append(searchDomains, dConf.Domain)
 	}

 	matchKey := getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)
--- a/client/internal/dns/host_windows.go
+++ b/client/internal/dns/host_windows.go
@@ -17,12 +17,9 @@ import (

 var (
 	userenv = syscall.NewLazyDLL("userenv.dll")
-	dnsapi  = syscall.NewLazyDLL("dnsapi.dll")

 	// https://learn.microsoft.com/en-us/windows/win32/api/userenv/nf-userenv-refreshpolicyex
 	refreshPolicyExFn = userenv.NewProc("RefreshPolicyEx")
-
-	dnsFlushResolverCacheFn = dnsapi.NewProc("DnsFlushResolverCache")
 )

 const (
@@ -100,9 +97,9 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 			continue
 		}
 		if !dConf.MatchOnly {
-			searchDomains = append(searchDomains, strings.TrimSuffix(dConf.Domain, "."))
+			searchDomains = append(searchDomains, dConf.Domain)
 		}
-		matchDomains = append(matchDomains, "."+strings.TrimSuffix(dConf.Domain, "."))
+		matchDomains = append(matchDomains, "."+dConf.Domain)
 	}

 	if len(matchDomains) != 0 {
@@ -119,10 +116,6 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 		return fmt.Errorf("update search domains: %w", err)
 	}

-	if err := r.flushDNSCache(); err != nil {
-		log.Errorf("failed to flush DNS cache: %v", err)
-	}
-
 	return nil
 }

@@ -191,26 +184,6 @@ func (r *registryConfigurator) string() string {
 	return "registry"
 }

-func (r *registryConfigurator) flushDNSCache() error {
-	// dnsFlushResolverCacheFn.Call() may panic if the func is not found
-	defer func() {
-		if rec := recover(); rec != nil {
-			log.Errorf("Recovered from panic in flushDNSCache: %v", rec)
-		}
-	}()
-
-	ret, _, err := dnsFlushResolverCacheFn.Call()
-	if ret == 0 {
-		if err != nil && !errors.Is(err, syscall.Errno(0)) {
-			return fmt.Errorf("DnsFlushResolverCache failed: %w", err)
-		}
-		return fmt.Errorf("DnsFlushResolverCache failed")
-	}
-
-	log.Info("flushed DNS cache")
-	return nil
-}
-
 func (r *registryConfigurator) updateSearchDomains(domains []string) error {
 	if err := r.setInterfaceRegistryKeyStringValue(interfaceConfigSearchListKey, strings.Join(domains, ",")); err != nil {
 		return fmt.Errorf("update search domains: %w", err)
@@ -263,10 +236,6 @@ func (r *registryConfigurator) restoreHostDNS() error {
 		return fmt.Errorf("remove interface registry key: %w", err)
 	}

-	if err := r.flushDNSCache(); err != nil {
-		log.Errorf("failed to flush DNS cache: %v", err)
-	}
-
 	return nil
 }

--- a/client/internal/dns/local.go
+++ b/client/internal/dns/local.go
@@ -0,0 +1,124 @@
+package dns
+
+import (
+	"fmt"
+	"strings"
+	"sync"
+
+	"github.com/miekg/dns"
+	log "github.com/sirupsen/logrus"
+
+	nbdns "github.com/netbirdio/netbird/dns"
+)
+
+type registrationMap map[string]struct{}
+
+type localResolver struct {
+	registeredMap registrationMap
+	records       sync.Map // key: string (domain_class_type), value: []dns.RR
+}
+
+func (d *localResolver) MatchSubdomains() bool {
+	return true
+}
+
+func (d *localResolver) stop() {
+}
+
+// String returns a string representation of the local resolver
+func (d *localResolver) String() string {
+	return fmt.Sprintf("local resolver [%d records]", len(d.registeredMap))
+}
+
+// ID returns the unique handler ID
+func (d *localResolver) id() handlerID {
+	return "local-resolver"
+}
+
+// ServeDNS handles a DNS request
+func (d *localResolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
+	if len(r.Question) > 0 {
+		log.Tracef("received local question: domain=%s type=%v class=%v", r.Question[0].Name, r.Question[0].Qtype, r.Question[0].Qclass)
+	}
+
+	replyMessage := &dns.Msg{}
+	replyMessage.SetReply(r)
+	replyMessage.RecursionAvailable = true
+
+	// lookup all records matching the question
+	records := d.lookupRecords(r)
+	if len(records) > 0 {
+		replyMessage.Rcode = dns.RcodeSuccess
+		replyMessage.Answer = append(replyMessage.Answer, records...)
+	} else {
+		replyMessage.Rcode = dns.RcodeNameError
+	}
+
+	err := w.WriteMsg(replyMessage)
+	if err != nil {
+		log.Debugf("got an error while writing the local resolver response, error: %v", err)
+	}
+}
+
+// lookupRecords fetches *all* DNS records matching the first question in r.
+func (d *localResolver) lookupRecords(r *dns.Msg) []dns.RR {
+	if len(r.Question) == 0 {
+		return nil
+	}
+	question := r.Question[0]
+	question.Name = strings.ToLower(question.Name)
+	key := buildRecordKey(question.Name, question.Qclass, question.Qtype)
+
+	value, found := d.records.Load(key)
+	if !found {
+		return nil
+	}
+
+	records, ok := value.([]dns.RR)
+	if !ok {
+		log.Errorf("failed to cast records to []dns.RR, records: %v", value)
+		return nil
+	}
+
+	// if there's more than one record, rotate them (round-robin)
+	if len(records) > 1 {
+		first := records[0]
+		records = append(records[1:], first)
+		d.records.Store(key, records)
+	}
+
+	return records
+}
+
+// registerRecord stores a new record by appending it to any existing list
+func (d *localResolver) registerRecord(record nbdns.SimpleRecord) (string, error) {
+	rr, err := dns.NewRR(record.String())
+	if err != nil {
+		return "", fmt.Errorf("register record: %w", err)
+	}
+
+	rr.Header().Rdlength = record.Len()
+	header := rr.Header()
+	key := buildRecordKey(header.Name, header.Class, header.Rrtype)
+
+	// load any existing slice of records, then append
+	existing, _ := d.records.LoadOrStore(key, []dns.RR{})
+	records := existing.([]dns.RR)
+	records = append(records, rr)
+
+	// store updated slice
+	d.records.Store(key, records)
+	return key, nil
+}
+
+// deleteRecord removes *all* records under the recordKey.
+func (d *localResolver) deleteRecord(recordKey string) {
+	d.records.Delete(dns.Fqdn(recordKey))
+}
+
+// buildRecordKey consistently generates a key: name_class_type
+func buildRecordKey(name string, class, qType uint16) string {
+	return fmt.Sprintf("%s_%d_%d", dns.Fqdn(name), class, qType)
+}
+
+func (d *localResolver) probeAvailability() {}
--- a/client/internal/dns/local/local.go
+++ b/client/internal/dns/local/local.go
@@ -1,149 +0,0 @@
-package local
-
-import (
-	"fmt"
-	"slices"
-	"strings"
-	"sync"
-
-	"github.com/miekg/dns"
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/exp/maps"
-
-	"github.com/netbirdio/netbird/client/internal/dns/types"
-	nbdns "github.com/netbirdio/netbird/dns"
-)
-
-type Resolver struct {
-	mu      sync.RWMutex
-	records map[dns.Question][]dns.RR
-}
-
-func NewResolver() *Resolver {
-	return &Resolver{
-		records: make(map[dns.Question][]dns.RR),
-	}
-}
-
-func (d *Resolver) MatchSubdomains() bool {
-	return true
-}
-
-// String returns a string representation of the local resolver
-func (d *Resolver) String() string {
-	return fmt.Sprintf("local resolver [%d records]", len(d.records))
-}
-
-func (d *Resolver) Stop() {}
-
-// ID returns the unique handler ID
-func (d *Resolver) ID() types.HandlerID {
-	return "local-resolver"
-}
-
-func (d *Resolver) ProbeAvailability() {}
-
-// ServeDNS handles a DNS request
-func (d *Resolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
-	if len(r.Question) == 0 {
-		log.Debugf("received local resolver request with no question")
-		return
-	}
-	question := r.Question[0]
-	question.Name = strings.ToLower(dns.Fqdn(question.Name))
-
-	log.Tracef("received local question: domain=%s type=%v class=%v", r.Question[0].Name, question.Qtype, question.Qclass)
-
-	replyMessage := &dns.Msg{}
-	replyMessage.SetReply(r)
-	replyMessage.RecursionAvailable = true
-
-	// lookup all records matching the question
-	records := d.lookupRecords(question)
-	if len(records) > 0 {
-		replyMessage.Rcode = dns.RcodeSuccess
-		replyMessage.Answer = append(replyMessage.Answer, records...)
-	} else {
-		// TODO: return success if we have a different record type for the same name, relevant for search domains
-		replyMessage.Rcode = dns.RcodeNameError
-	}
-
-	if err := w.WriteMsg(replyMessage); err != nil {
-		log.Warnf("failed to write the local resolver response: %v", err)
-	}
-}
-
-// lookupRecords fetches *all* DNS records matching the first question in r.
-func (d *Resolver) lookupRecords(question dns.Question) []dns.RR {
-	d.mu.RLock()
-	records, found := d.records[question]
-
-	if !found {
-		d.mu.RUnlock()
-		// alternatively check if we have a cname
-		if question.Qtype != dns.TypeCNAME {
-			question.Qtype = dns.TypeCNAME
-			return d.lookupRecords(question)
-		}
-		return nil
-	}
-
-	recordsCopy := slices.Clone(records)
-	d.mu.RUnlock()
-
-	// if there's more than one record, rotate them (round-robin)
-	if len(recordsCopy) > 1 {
-		d.mu.Lock()
-		records = d.records[question]
-		if len(records) > 1 {
-			first := records[0]
-			records = append(records[1:], first)
-			d.records[question] = records
-		}
-		d.mu.Unlock()
-	}
-
-	return recordsCopy
-}
-
-func (d *Resolver) Update(update []nbdns.SimpleRecord) {
-	d.mu.Lock()
-	defer d.mu.Unlock()
-
-	maps.Clear(d.records)
-
-	for _, rec := range update {
-		if err := d.registerRecord(rec); err != nil {
-			log.Warnf("failed to register the record (%s): %v", rec, err)
-			continue
-		}
-	}
-}
-
-// RegisterRecord stores a new record by appending it to any existing list
-func (d *Resolver) RegisterRecord(record nbdns.SimpleRecord) error {
-	d.mu.Lock()
-	defer d.mu.Unlock()
-
-	return d.registerRecord(record)
-}
-
-// registerRecord performs the registration with the lock already held
-func (d *Resolver) registerRecord(record nbdns.SimpleRecord) error {
-	rr, err := dns.NewRR(record.String())
-	if err != nil {
-		return fmt.Errorf("register record: %w", err)
-	}
-
-	rr.Header().Rdlength = record.Len()
-	header := rr.Header()
-	q := dns.Question{
-		Name:   strings.ToLower(dns.Fqdn(header.Name)),
-		Qtype:  header.Rrtype,
-		Qclass: header.Class,
-	}
-
-	d.records[q] = append(d.records[q], rr)
-
-	return nil
-}
--- a/client/internal/dns/local/local_test.go
+++ b/client/internal/dns/local/local_test.go
@@ -1,472 +0,0 @@
-package local
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/miekg/dns"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/internal/dns/test"
-	nbdns "github.com/netbirdio/netbird/dns"
-)
-
-func TestLocalResolver_ServeDNS(t *testing.T) {
-	recordA := nbdns.SimpleRecord{
-		Name:  "peera.netbird.cloud.",
-		Type:  1,
-		Class: nbdns.DefaultClass,
-		TTL:   300,
-		RData: "1.2.3.4",
-	}
-
-	recordCNAME := nbdns.SimpleRecord{
-		Name:  "peerb.netbird.cloud.",
-		Type:  5,
-		Class: nbdns.DefaultClass,
-		TTL:   300,
-		RData: "www.netbird.io",
-	}
-
-	testCases := []struct {
-		name                string
-		inputRecord         nbdns.SimpleRecord
-		inputMSG            *dns.Msg
-		responseShouldBeNil bool
-	}{
-		{
-			name:        "Should Resolve A Record",
-			inputRecord: recordA,
-			inputMSG:    new(dns.Msg).SetQuestion(recordA.Name, dns.TypeA),
-		},
-		{
-			name:        "Should Resolve CNAME Record",
-			inputRecord: recordCNAME,
-			inputMSG:    new(dns.Msg).SetQuestion(recordCNAME.Name, dns.TypeCNAME),
-		},
-		{
-			name:                "Should Not Write When Not Found A Record",
-			inputRecord:         recordA,
-			inputMSG:            new(dns.Msg).SetQuestion("not.found.com", dns.TypeA),
-			responseShouldBeNil: true,
-		},
-	}
-
-	for _, testCase := range testCases {
-		t.Run(testCase.name, func(t *testing.T) {
-			resolver := NewResolver()
-			_ = resolver.RegisterRecord(testCase.inputRecord)
-			var responseMSG *dns.Msg
-			responseWriter := &test.MockResponseWriter{
-				WriteMsgFunc: func(m *dns.Msg) error {
-					responseMSG = m
-					return nil
-				},
-			}
-
-			resolver.ServeDNS(responseWriter, testCase.inputMSG)
-
-			if responseMSG == nil || len(responseMSG.Answer) == 0 {
-				if testCase.responseShouldBeNil {
-					return
-				}
-				t.Fatalf("should write a response message")
-			}
-
-			answerString := responseMSG.Answer[0].String()
-			if !strings.Contains(answerString, testCase.inputRecord.Name) {
-				t.Fatalf("answer doesn't contain the same domain name: \nWant: %s\nGot:%s", testCase.name, answerString)
-			}
-			if !strings.Contains(answerString, dns.Type(testCase.inputRecord.Type).String()) {
-				t.Fatalf("answer doesn't contain the correct type: \nWant: %s\nGot:%s", dns.Type(testCase.inputRecord.Type).String(), answerString)
-			}
-			if !strings.Contains(answerString, testCase.inputRecord.RData) {
-				t.Fatalf("answer doesn't contain the same address: \nWant: %s\nGot:%s", testCase.inputRecord.RData, answerString)
-			}
-		})
-	}
-}
-
-// TestLocalResolver_Update_StaleRecord verifies that updating
-// a record correctly replaces the old one, preventing stale entries.
-func TestLocalResolver_Update_StaleRecord(t *testing.T) {
-	recordName := "host.example.com."
-	recordType := dns.TypeA
-	recordClass := dns.ClassINET
-
-	record1 := nbdns.SimpleRecord{
-		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "1.1.1.1",
-	}
-	record2 := nbdns.SimpleRecord{
-		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "2.2.2.2",
-	}
-
-	recordKey := dns.Question{Name: recordName, Qtype: uint16(recordClass), Qclass: recordType}
-
-	resolver := NewResolver()
-
-	update1 := []nbdns.SimpleRecord{record1}
-	update2 := []nbdns.SimpleRecord{record2}
-
-	// Apply first update
-	resolver.Update(update1)
-
-	// Verify first update
-	resolver.mu.RLock()
-	rrSlice1, found1 := resolver.records[recordKey]
-	resolver.mu.RUnlock()
-
-	require.True(t, found1, "Record key %s not found after first update", recordKey)
-	require.Len(t, rrSlice1, 1, "Should have exactly 1 record after first update")
-	assert.Contains(t, rrSlice1[0].String(), record1.RData, "Record after first update should be %s", record1.RData)
-
-	// Apply second update
-	resolver.Update(update2)
-
-	// Verify second update
-	resolver.mu.RLock()
-	rrSlice2, found2 := resolver.records[recordKey]
-	resolver.mu.RUnlock()
-
-	require.True(t, found2, "Record key %s not found after second update", recordKey)
-	require.Len(t, rrSlice2, 1, "Should have exactly 1 record after update overwriting the key")
-	assert.Contains(t, rrSlice2[0].String(), record2.RData, "The single record should be the updated one (%s)", record2.RData)
-	assert.NotContains(t, rrSlice2[0].String(), record1.RData, "The stale record (%s) should not be present", record1.RData)
-}
-
-// TestLocalResolver_MultipleRecords_SameQuestion verifies that multiple records
-// with the same question are stored properly
-func TestLocalResolver_MultipleRecords_SameQuestion(t *testing.T) {
-	resolver := NewResolver()
-
-	recordName := "multi.example.com."
-	recordType := dns.TypeA
-
-	// Create two records with the same name and type but different IPs
-	record1 := nbdns.SimpleRecord{
-		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1",
-	}
-	record2 := nbdns.SimpleRecord{
-		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.2",
-	}
-
-	update := []nbdns.SimpleRecord{record1, record2}
-
-	// Apply update with both records
-	resolver.Update(update)
-
-	// Create question that matches both records
-	question := dns.Question{
-		Name:   recordName,
-		Qtype:  recordType,
-		Qclass: dns.ClassINET,
-	}
-
-	// Verify both records are stored
-	resolver.mu.RLock()
-	records, found := resolver.records[question]
-	resolver.mu.RUnlock()
-
-	require.True(t, found, "Records for question %v not found", question)
-	require.Len(t, records, 2, "Should have exactly 2 records for the same question")
-
-	// Verify both record data values are present
-	recordStrings := []string{records[0].String(), records[1].String()}
-	assert.Contains(t, recordStrings[0]+recordStrings[1], record1.RData, "First record data should be present")
-	assert.Contains(t, recordStrings[0]+recordStrings[1], record2.RData, "Second record data should be present")
-}
-
-// TestLocalResolver_RecordRotation verifies that records are rotated in a round-robin fashion
-func TestLocalResolver_RecordRotation(t *testing.T) {
-	resolver := NewResolver()
-
-	recordName := "rotation.example.com."
-	recordType := dns.TypeA
-
-	// Create three records with the same name and type but different IPs
-	record1 := nbdns.SimpleRecord{
-		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "192.168.1.1",
-	}
-	record2 := nbdns.SimpleRecord{
-		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "192.168.1.2",
-	}
-	record3 := nbdns.SimpleRecord{
-		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "192.168.1.3",
-	}
-
-	update := []nbdns.SimpleRecord{record1, record2, record3}
-
-	// Apply update with all three records
-	resolver.Update(update)
-
-	msg := new(dns.Msg).SetQuestion(recordName, recordType)
-
-	// First lookup - should return the records in original order
-	var responses [3]*dns.Msg
-
-	// Perform three lookups to verify rotation
-	for i := 0; i < 3; i++ {
-		responseWriter := &test.MockResponseWriter{
-			WriteMsgFunc: func(m *dns.Msg) error {
-				responses[i] = m
-				return nil
-			},
-		}
-
-		resolver.ServeDNS(responseWriter, msg)
-	}
-
-	// Verify all three responses contain answers
-	for i, resp := range responses {
-		require.NotNil(t, resp, "Response %d should not be nil", i)
-		require.Len(t, resp.Answer, 3, "Response %d should have 3 answers", i)
-	}
-
-	// Verify the first record in each response is different due to rotation
-	firstRecordIPs := []string{
-		responses[0].Answer[0].String(),
-		responses[1].Answer[0].String(),
-		responses[2].Answer[0].String(),
-	}
-
-	// Each record should be different (rotated)
-	assert.NotEqual(t, firstRecordIPs[0], firstRecordIPs[1], "First lookup should differ from second lookup due to rotation")
-	assert.NotEqual(t, firstRecordIPs[1], firstRecordIPs[2], "Second lookup should differ from third lookup due to rotation")
-	assert.NotEqual(t, firstRecordIPs[0], firstRecordIPs[2], "First lookup should differ from third lookup due to rotation")
-
-	// After three rotations, we should have cycled through all records
-	assert.Contains(t, firstRecordIPs[0]+firstRecordIPs[1]+firstRecordIPs[2], record1.RData)
-	assert.Contains(t, firstRecordIPs[0]+firstRecordIPs[1]+firstRecordIPs[2], record2.RData)
-	assert.Contains(t, firstRecordIPs[0]+firstRecordIPs[1]+firstRecordIPs[2], record3.RData)
-}
-
-// TestLocalResolver_CaseInsensitiveMatching verifies that DNS record lookups are case-insensitive
-func TestLocalResolver_CaseInsensitiveMatching(t *testing.T) {
-	resolver := NewResolver()
-
-	// Create record with lowercase name
-	lowerCaseRecord := nbdns.SimpleRecord{
-		Name:  "lower.example.com.",
-		Type:  int(dns.TypeA),
-		Class: nbdns.DefaultClass,
-		TTL:   300,
-		RData: "10.10.10.10",
-	}
-
-	// Create record with mixed case name
-	mixedCaseRecord := nbdns.SimpleRecord{
-		Name:  "MiXeD.ExAmPlE.CoM.",
-		Type:  int(dns.TypeA),
-		Class: nbdns.DefaultClass,
-		TTL:   300,
-		RData: "20.20.20.20",
-	}
-
-	// Update resolver with the records
-	resolver.Update([]nbdns.SimpleRecord{lowerCaseRecord, mixedCaseRecord})
-
-	testCases := []struct {
-		name          string
-		queryName     string
-		expectedRData string
-		shouldResolve bool
-	}{
-		{
-			name:          "Query lowercase with lowercase record",
-			queryName:     "lower.example.com.",
-			expectedRData: "10.10.10.10",
-			shouldResolve: true,
-		},
-		{
-			name:          "Query uppercase with lowercase record",
-			queryName:     "LOWER.EXAMPLE.COM.",
-			expectedRData: "10.10.10.10",
-			shouldResolve: true,
-		},
-		{
-			name:          "Query mixed case with lowercase record",
-			queryName:     "LoWeR.eXaMpLe.CoM.",
-			expectedRData: "10.10.10.10",
-			shouldResolve: true,
-		},
-		{
-			name:          "Query lowercase with mixed case record",
-			queryName:     "mixed.example.com.",
-			expectedRData: "20.20.20.20",
-			shouldResolve: true,
-		},
-		{
-			name:          "Query uppercase with mixed case record",
-			queryName:     "MIXED.EXAMPLE.COM.",
-			expectedRData: "20.20.20.20",
-			shouldResolve: true,
-		},
-		{
-			name:          "Query with different casing pattern",
-			queryName:     "mIxEd.ExaMpLe.cOm.",
-			expectedRData: "20.20.20.20",
-			shouldResolve: true,
-		},
-		{
-			name:          "Query non-existent domain",
-			queryName:     "nonexistent.example.com.",
-			shouldResolve: false,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			var responseMSG *dns.Msg
-
-			// Create DNS query with the test case name
-			msg := new(dns.Msg).SetQuestion(tc.queryName, dns.TypeA)
-
-			// Create mock response writer to capture the response
-			responseWriter := &test.MockResponseWriter{
-				WriteMsgFunc: func(m *dns.Msg) error {
-					responseMSG = m
-					return nil
-				},
-			}
-
-			// Perform DNS query
-			resolver.ServeDNS(responseWriter, msg)
-
-			// Check if we expect a successful resolution
-			if !tc.shouldResolve {
-				if responseMSG == nil || len(responseMSG.Answer) == 0 {
-					// Expected no answer, test passes
-					return
-				}
-				t.Fatalf("Expected no resolution for %s, but got answer: %v", tc.queryName, responseMSG.Answer)
-			}
-
-			// Verify we got a response
-			require.NotNil(t, responseMSG, "Should have received a response message")
-			require.Greater(t, len(responseMSG.Answer), 0, "Response should contain at least one answer")
-
-			// Verify the response contains the expected data
-			answerString := responseMSG.Answer[0].String()
-			assert.Contains(t, answerString, tc.expectedRData,
-				"Answer should contain the expected IP address %s, got: %s",
-				tc.expectedRData, answerString)
-		})
-	}
-}
-
-// TestLocalResolver_CNAMEFallback verifies that the resolver correctly falls back
-// to checking for CNAME records when the requested record type isn't found
-func TestLocalResolver_CNAMEFallback(t *testing.T) {
-	resolver := NewResolver()
-
-	// Create a CNAME record (but no A record for this name)
-	cnameRecord := nbdns.SimpleRecord{
-		Name:  "alias.example.com.",
-		Type:  int(dns.TypeCNAME),
-		Class: nbdns.DefaultClass,
-		TTL:   300,
-		RData: "target.example.com.",
-	}
-
-	// Create an A record for the CNAME target
-	targetRecord := nbdns.SimpleRecord{
-		Name:  "target.example.com.",
-		Type:  int(dns.TypeA),
-		Class: nbdns.DefaultClass,
-		TTL:   300,
-		RData: "192.168.100.100",
-	}
-
-	// Update resolver with both records
-	resolver.Update([]nbdns.SimpleRecord{cnameRecord, targetRecord})
-
-	testCases := []struct {
-		name          string
-		queryName     string
-		queryType     uint16
-		expectedType  string
-		expectedRData string
-		shouldResolve bool
-	}{
-		{
-			name:          "Directly query CNAME record",
-			queryName:     "alias.example.com.",
-			queryType:     dns.TypeCNAME,
-			expectedType:  "CNAME",
-			expectedRData: "target.example.com.",
-			shouldResolve: true,
-		},
-		{
-			name:          "Query A record but get CNAME fallback",
-			queryName:     "alias.example.com.",
-			queryType:     dns.TypeA,
-			expectedType:  "CNAME",
-			expectedRData: "target.example.com.",
-			shouldResolve: true,
-		},
-		{
-			name:          "Query AAAA record but get CNAME fallback",
-			queryName:     "alias.example.com.",
-			queryType:     dns.TypeAAAA,
-			expectedType:  "CNAME",
-			expectedRData: "target.example.com.",
-			shouldResolve: true,
-		},
-		{
-			name:          "Query direct A record",
-			queryName:     "target.example.com.",
-			queryType:     dns.TypeA,
-			expectedType:  "A",
-			expectedRData: "192.168.100.100",
-			shouldResolve: true,
-		},
-		{
-			name:          "Query non-existent name",
-			queryName:     "nonexistent.example.com.",
-			queryType:     dns.TypeA,
-			shouldResolve: false,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			var responseMSG *dns.Msg
-
-			// Create DNS query with the test case parameters
-			msg := new(dns.Msg).SetQuestion(tc.queryName, tc.queryType)
-
-			// Create mock response writer to capture the response
-			responseWriter := &test.MockResponseWriter{
-				WriteMsgFunc: func(m *dns.Msg) error {
-					responseMSG = m
-					return nil
-				},
-			}
-
-			// Perform DNS query
-			resolver.ServeDNS(responseWriter, msg)
-
-			// Check if we expect a successful resolution
-			if !tc.shouldResolve {
-				if responseMSG == nil || len(responseMSG.Answer) == 0 || responseMSG.Rcode != dns.RcodeSuccess {
-					// Expected no resolution, test passes
-					return
-				}
-				t.Fatalf("Expected no resolution for %s, but got answer: %v", tc.queryName, responseMSG.Answer)
-			}
-
-			// Verify we got a successful response
-			require.NotNil(t, responseMSG, "Should have received a response message")
-			require.Equal(t, dns.RcodeSuccess, responseMSG.Rcode, "Response should have success status code")
-			require.Greater(t, len(responseMSG.Answer), 0, "Response should contain at least one answer")
-
-			// Verify the response contains the expected data
-			answerString := responseMSG.Answer[0].String()
-			assert.Contains(t, answerString, tc.expectedType,
-				"Answer should be of type %s, got: %s", tc.expectedType, answerString)
-			assert.Contains(t, answerString, tc.expectedRData,
-				"Answer should contain the expected data %s, got: %s", tc.expectedRData, answerString)
-		})
-	}
-}
--- a/client/internal/dns/local_test.go
+++ b/client/internal/dns/local_test.go
@@ -0,0 +1,88 @@
+package dns
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/miekg/dns"
+
+	nbdns "github.com/netbirdio/netbird/dns"
+)
+
+func TestLocalResolver_ServeDNS(t *testing.T) {
+	recordA := nbdns.SimpleRecord{
+		Name:  "peera.netbird.cloud.",
+		Type:  1,
+		Class: nbdns.DefaultClass,
+		TTL:   300,
+		RData: "1.2.3.4",
+	}
+
+	recordCNAME := nbdns.SimpleRecord{
+		Name:  "peerb.netbird.cloud.",
+		Type:  5,
+		Class: nbdns.DefaultClass,
+		TTL:   300,
+		RData: "www.netbird.io",
+	}
+
+	testCases := []struct {
+		name                string
+		inputRecord         nbdns.SimpleRecord
+		inputMSG            *dns.Msg
+		responseShouldBeNil bool
+	}{
+		{
+			name:        "Should Resolve A Record",
+			inputRecord: recordA,
+			inputMSG:    new(dns.Msg).SetQuestion(recordA.Name, dns.TypeA),
+		},
+		{
+			name:        "Should Resolve CNAME Record",
+			inputRecord: recordCNAME,
+			inputMSG:    new(dns.Msg).SetQuestion(recordCNAME.Name, dns.TypeCNAME),
+		},
+		{
+			name:                "Should Not Write When Not Found A Record",
+			inputRecord:         recordA,
+			inputMSG:            new(dns.Msg).SetQuestion("not.found.com", dns.TypeA),
+			responseShouldBeNil: true,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			resolver := &localResolver{
+				registeredMap: make(registrationMap),
+			}
+			_, _ = resolver.registerRecord(testCase.inputRecord)
+			var responseMSG *dns.Msg
+			responseWriter := &mockResponseWriter{
+				WriteMsgFunc: func(m *dns.Msg) error {
+					responseMSG = m
+					return nil
+				},
+			}
+
+			resolver.ServeDNS(responseWriter, testCase.inputMSG)
+
+			if responseMSG == nil || len(responseMSG.Answer) == 0 {
+				if testCase.responseShouldBeNil {
+					return
+				}
+				t.Fatalf("should write a response message")
+			}
+
+			answerString := responseMSG.Answer[0].String()
+			if !strings.Contains(answerString, testCase.inputRecord.Name) {
+				t.Fatalf("answer doesn't contain the same domain name: \nWant: %s\nGot:%s", testCase.name, answerString)
+			}
+			if !strings.Contains(answerString, dns.Type(testCase.inputRecord.Type).String()) {
+				t.Fatalf("answer doesn't contain the correct type: \nWant: %s\nGot:%s", dns.Type(testCase.inputRecord.Type).String(), answerString)
+			}
+			if !strings.Contains(answerString, testCase.inputRecord.RData) {
+				t.Fatalf("answer doesn't contain the same address: \nWant: %s\nGot:%s", testCase.inputRecord.RData, answerString)
+			}
+		})
+	}
+}
--- a/client/internal/dns/mock_server.go
+++ b/client/internal/dns/mock_server.go
@@ -6,7 +6,6 @@ import (
 	"github.com/miekg/dns"

 	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/management/domain"
 )

 // MockServer is the mock instance of a dns server
@@ -14,17 +13,17 @@ type MockServer struct {
 	InitializeFunc        func() error
 	StopFunc              func()
 	UpdateDNSServerFunc   func(serial uint64, update nbdns.Config) error
-	RegisterHandlerFunc   func(domain.List, dns.Handler, int)
-	DeregisterHandlerFunc func(domain.List, int)
+	RegisterHandlerFunc   func([]string, dns.Handler, int)
+	DeregisterHandlerFunc func([]string, int)
 }

-func (m *MockServer) RegisterHandler(domains domain.List, handler dns.Handler, priority int) {
+func (m *MockServer) RegisterHandler(domains []string, handler dns.Handler, priority int) {
 	if m.RegisterHandlerFunc != nil {
 		m.RegisterHandlerFunc(domains, handler, priority)
 	}
 }

-func (m *MockServer) DeregisterHandler(domains domain.List, priority int) {
+func (m *MockServer) DeregisterHandler(domains []string, priority int) {
 	if m.DeregisterHandlerFunc != nil {
 		m.DeregisterHandlerFunc(domains, priority)
 	}
--- a/client/internal/dns/mock_test.go
+++ b/client/internal/dns/mock_test.go
@@ -0,0 +1,26 @@
+package dns
+
+import (
+	"net"
+
+	"github.com/miekg/dns"
+)
+
+type mockResponseWriter struct {
+	WriteMsgFunc func(m *dns.Msg) error
+}
+
+func (rw *mockResponseWriter) WriteMsg(m *dns.Msg) error {
+	if rw.WriteMsgFunc != nil {
+		return rw.WriteMsgFunc(m)
+	}
+	return nil
+}
+
+func (rw *mockResponseWriter) LocalAddr() net.Addr       { return nil }
+func (rw *mockResponseWriter) RemoteAddr() net.Addr      { return nil }
+func (rw *mockResponseWriter) Write([]byte) (int, error) { return 0, nil }
+func (rw *mockResponseWriter) Close() error              { return nil }
+func (rw *mockResponseWriter) TsigStatus() error         { return nil }
+func (rw *mockResponseWriter) TsigTimersOnly(bool)       {}
+func (rw *mockResponseWriter) Hijack()                   {}
--- a/client/internal/dns/network_manager_unix.go
+++ b/client/internal/dns/network_manager_unix.go
@@ -13,6 +13,7 @@ import (

 	"github.com/godbus/dbus/v5"
 	"github.com/hashicorp/go-version"
+	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/client/internal/statemanager"
@@ -125,10 +126,10 @@ func (n *networkManagerDbusConfigurator) applyDNSConfig(config HostDNSConfig, st
 			continue
 		}
 		if dConf.MatchOnly {
-			matchDomains = append(matchDomains, "~."+dConf.Domain)
+			matchDomains = append(matchDomains, "~."+dns.Fqdn(dConf.Domain))
 			continue
 		}
-		searchDomains = append(searchDomains, dConf.Domain)
+		searchDomains = append(searchDomains, dns.Fqdn(dConf.Domain))
 	}

 	newDomainList := append(searchDomains, matchDomains...) //nolint:gocritic
--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -6,23 +6,18 @@ import (
 	"fmt"
 	"net/netip"
 	"runtime"
-	"strings"
 	"sync"

 	"github.com/miekg/dns"
 	"github.com/mitchellh/hashstructure/v2"
 	log "github.com/sirupsen/logrus"
-	"golang.org/x/exp/maps"

 	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/internal/dns/local"
-	"github.com/netbirdio/netbird/client/internal/dns/types"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 	cProto "github.com/netbirdio/netbird/client/proto"
 	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/management/domain"
 )

 // ReadyListener is a notification mechanism what indicate the server is ready to handle host dns address changes
@@ -37,8 +32,8 @@ type IosDnsManager interface {

 // Server is a dns server interface
 type Server interface {
-	RegisterHandler(domains domain.List, handler dns.Handler, priority int)
-	DeregisterHandler(domains domain.List, priority int)
+	RegisterHandler(domains []string, handler dns.Handler, priority int)
+	DeregisterHandler(domains []string, priority int)
 	Initialize() error
 	Stop()
 	DnsIP() string
@@ -48,6 +43,8 @@ type Server interface {
 	ProbeAvailability()
 }

+type handlerID string
+
 type nsGroupsByDomain struct {
 	domain string
 	groups []*nbdns.NameServerGroup
@@ -61,14 +58,13 @@ type DefaultServer struct {
 	mux                sync.Mutex
 	service            service
 	dnsMuxMap          registeredHandlerMap
-	localResolver      *local.Resolver
+	localResolver      *localResolver
 	wgInterface        WGIface
 	hostManager        hostManager
 	updateSerial       uint64
 	previousConfigHash uint64
 	currentConfig      HostDNSConfig
 	handlerChain       *HandlerChain
-	extraDomains       map[domain.Domain]int

 	// permanent related properties
 	permanent      bool
@@ -84,9 +80,9 @@ type DefaultServer struct {

 type handlerWithStop interface {
 	dns.Handler
-	Stop()
-	ProbeAvailability()
-	ID() types.HandlerID
+	stop()
+	probeAvailability()
+	id() handlerID
 }

 type handlerWrapper struct {
@@ -95,7 +91,7 @@ type handlerWrapper struct {
 	priority int
 }

-type registeredHandlerMap map[types.HandlerID]handlerWrapper
+type registeredHandlerMap map[handlerID]handlerWrapper

 // NewDefaultServer returns a new dns server
 func NewDefaultServer(
@@ -168,43 +164,31 @@ func newDefaultServer(
 	stateManager *statemanager.Manager,
 	disableSys bool,
 ) *DefaultServer {
-	handlerChain := NewHandlerChain()
 	ctx, stop := context.WithCancel(ctx)
 	defaultServer := &DefaultServer{
-		ctx:            ctx,
-		ctxCancel:      stop,
-		disableSys:     disableSys,
-		service:        dnsService,
-		handlerChain:   handlerChain,
-		extraDomains:   make(map[domain.Domain]int),
-		dnsMuxMap:      make(registeredHandlerMap),
-		localResolver:  local.NewResolver(),
+		ctx:          ctx,
+		ctxCancel:    stop,
+		disableSys:   disableSys,
+		service:      dnsService,
+		handlerChain: NewHandlerChain(),
+		dnsMuxMap:    make(registeredHandlerMap),
+		localResolver: &localResolver{
+			registeredMap: make(registrationMap),
+		},
 		wgInterface:    wgInterface,
 		statusRecorder: statusRecorder,
 		stateManager:   stateManager,
 		hostsDNSHolder: newHostsDNSHolder(),
 	}

-	// register with root zone, handler chain takes care of the routing
-	dnsService.RegisterMux(".", handlerChain)
-
 	return defaultServer
 }

-// RegisterHandler registers a handler for the given domains with the given priority.
-// Any previously registered handler for the same domain and priority will be replaced.
-func (s *DefaultServer) RegisterHandler(domains domain.List, handler dns.Handler, priority int) {
+func (s *DefaultServer) RegisterHandler(domains []string, handler dns.Handler, priority int) {
 	s.mux.Lock()
 	defer s.mux.Unlock()

-	s.registerHandler(domains.ToPunycodeList(), handler, priority)
-
-	// TODO: This will take over zones for non-wildcard domains, for which we might not have a handler in the chain
-	for _, domain := range domains {
-		// convert to zone with simple ref counter
-		s.extraDomains[toZone(domain)]++
-	}
-	s.applyHostConfig()
+	s.registerHandler(domains, handler, priority)
 }

 func (s *DefaultServer) registerHandler(domains []string, handler dns.Handler, priority int) {
@@ -216,23 +200,15 @@ func (s *DefaultServer) registerHandler(domains []string, handler dns.Handler, p
 			continue
 		}
 		s.handlerChain.AddHandler(domain, handler, priority)
+		s.service.RegisterMux(nbdns.NormalizeZone(domain), s.handlerChain)
 	}
 }

-// DeregisterHandler deregisters the handler for the given domains with the given priority.
-func (s *DefaultServer) DeregisterHandler(domains domain.List, priority int) {
+func (s *DefaultServer) DeregisterHandler(domains []string, priority int) {
 	s.mux.Lock()
 	defer s.mux.Unlock()

-	s.deregisterHandler(domains.ToPunycodeList(), priority)
-	for _, domain := range domains {
-		zone := toZone(domain)
-		s.extraDomains[zone]--
-		if s.extraDomains[zone] <= 0 {
-			delete(s.extraDomains, zone)
-		}
-	}
-	s.applyHostConfig()
+	s.deregisterHandler(domains, priority)
 }

 func (s *DefaultServer) deregisterHandler(domains []string, priority int) {
@@ -245,6 +221,11 @@ func (s *DefaultServer) deregisterHandler(domains []string, priority int) {
 		}

 		s.handlerChain.RemoveHandler(domain, priority)
+
+		// Only deregister from service if no handlers remain
+		if !s.handlerChain.HasHandlers(domain) {
+			s.service.DeregisterMux(nbdns.NormalizeZone(domain))
+		}
 	}
 }

@@ -305,8 +286,6 @@ func (s *DefaultServer) Stop() {
 	}

 	s.service.Stop()
-
-	maps.Clear(s.extraDomains)
 }

 // OnUpdatedHostDNSServer update the DNS servers addresses for root zones
@@ -401,7 +380,7 @@ func (s *DefaultServer) ProbeAvailability() {
 		wg.Add(1)
 		go func(mux handlerWithStop) {
 			defer wg.Done()
-			mux.ProbeAvailability()
+			mux.probeAvailability()
 		}(mux.handler)
 	}
 	wg.Wait()
@@ -411,14 +390,12 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 	// is the service should be Disabled, we stop the listener or fake resolver
 	// and proceed with a regular update to clean up the handlers and records
 	if update.ServiceEnable {
-		if err := s.service.Listen(); err != nil {
-			log.Errorf("failed to start DNS service: %v", err)
-		}
+		_ = s.service.Listen()
 	} else if !s.permanent {
 		s.service.Stop()
 	}

-	localMuxUpdates, localRecords, err := s.buildLocalHandlerUpdate(update.CustomZones)
+	localMuxUpdates, localRecordsByDomain, err := s.buildLocalHandlerUpdate(update.CustomZones)
 	if err != nil {
 		return fmt.Errorf("local handler updater: %w", err)
 	}
@@ -432,17 +409,21 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 	s.updateMux(muxUpdates)

 	// register local records
-	s.localResolver.Update(localRecords)
+	s.updateLocalResolver(localRecordsByDomain)

 	s.currentConfig = dnsConfigToHostDNSConfig(update, s.service.RuntimeIP(), s.service.RuntimePort())

+	hostUpdate := s.currentConfig
 	if s.service.RuntimePort() != defaultPort && !s.hostManager.supportCustomPort() {
 		log.Warnf("the DNS manager of this peer doesn't support custom port. Disabling primary DNS setup. " +
 			"Learn more at: https://docs.netbird.io/how-to/manage-dns-in-your-network#local-resolver")
-		s.currentConfig.RouteAll = false
+		hostUpdate.RouteAll = false
 	}

-	s.applyHostConfig()
+	if err = s.hostManager.applyDNSConfig(hostUpdate, s.stateManager); err != nil {
+		log.Error(err)
+		s.handleErrNoGroupaAll(err)
+	}

 	go func() {
 		// persist dns state right away
@@ -460,43 +441,6 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 	return nil
 }

-func (s *DefaultServer) applyHostConfig() {
-	if s.hostManager == nil {
-		return
-	}
-
-	// prevent reapplying config if we're shutting down
-	if s.ctx.Err() != nil {
-		return
-	}
-
-	config := s.currentConfig
-
-	existingDomains := make(map[string]struct{})
-	for _, d := range config.Domains {
-		existingDomains[d.Domain] = struct{}{}
-	}
-
-	// add extra domains only if they're not already in the config
-	for domain := range s.extraDomains {
-		domainStr := domain.PunycodeString()
-
-		if _, exists := existingDomains[domainStr]; !exists {
-			config.Domains = append(config.Domains, DomainConfig{
-				Domain:    domainStr,
-				MatchOnly: true,
-			})
-		}
-	}
-
-	log.Debugf("extra match domains: %v", s.extraDomains)
-
-	if err := s.hostManager.applyDNSConfig(config, s.stateManager); err != nil {
-		log.Errorf("failed to apply DNS host manager update: %v", err)
-		s.handleErrNoGroupaAll(err)
-	}
-}
-
 func (s *DefaultServer) handleErrNoGroupaAll(err error) {
 	if !errors.Is(ErrRouteAllWithoutNameserverGroup, err) {
 		return
@@ -514,9 +458,11 @@ func (s *DefaultServer) handleErrNoGroupaAll(err error) {
 	)
 }

-func (s *DefaultServer) buildLocalHandlerUpdate(customZones []nbdns.CustomZone) ([]handlerWrapper, []nbdns.SimpleRecord, error) {
+func (s *DefaultServer) buildLocalHandlerUpdate(
+	customZones []nbdns.CustomZone,
+) ([]handlerWrapper, map[string][]nbdns.SimpleRecord, error) {
 	var muxUpdates []handlerWrapper
-	var localRecords []nbdns.SimpleRecord
+	localRecords := make(map[string][]nbdns.SimpleRecord)

 	for _, customZone := range customZones {
 		if len(customZone.Records) == 0 {
@@ -530,13 +476,17 @@ func (s *DefaultServer) buildLocalHandlerUpdate(customZones []nbdns.CustomZone)
 			priority: PriorityMatchDomain,
 		})

+		// group all records under this domain
 		for _, record := range customZone.Records {
+			var class uint16 = dns.ClassINET
 			if record.Class != nbdns.DefaultClass {
 				log.Warnf("received an invalid class type: %s", record.Class)
 				continue
 			}
-			// zone records contain the fqdn, so we can just flatten them
-			localRecords = append(localRecords, record)
+
+			key := buildRecordKey(record.Name, class, uint16(record.Type))
+
+			localRecords[key] = append(localRecords[key], record)
 		}
 	}

@@ -619,7 +569,7 @@ func (s *DefaultServer) createHandlersForDomainGroup(domainGroup nsGroupsByDomai
 		}

 		if len(handler.upstreamServers) == 0 {
-			handler.Stop()
+			handler.stop()
 			log.Errorf("received a nameserver group with an invalid nameserver list")
 			continue
 		}
@@ -648,7 +598,7 @@ func (s *DefaultServer) updateMux(muxUpdates []handlerWrapper) {
 	// this will introduce a short period of time when the server is not able to handle DNS requests
 	for _, existing := range s.dnsMuxMap {
 		s.deregisterHandler([]string{existing.domain}, existing.priority)
-		existing.handler.Stop()
+		existing.handler.stop()
 	}

 	muxUpdateMap := make(registeredHandlerMap)
@@ -659,7 +609,7 @@ func (s *DefaultServer) updateMux(muxUpdates []handlerWrapper) {
 			containsRootUpdate = true
 		}
 		s.registerHandler([]string{update.domain}, update.handler, update.priority)
-		muxUpdateMap[update.handler.ID()] = update
+		muxUpdateMap[update.handler.id()] = update
 	}

 	// If there's no root update and we had a root handler, restore it
@@ -675,6 +625,33 @@ func (s *DefaultServer) updateMux(muxUpdates []handlerWrapper) {
 	s.dnsMuxMap = muxUpdateMap
 }

+func (s *DefaultServer) updateLocalResolver(update map[string][]nbdns.SimpleRecord) {
+	// remove old records that are no longer present
+	for key := range s.localResolver.registeredMap {
+		_, found := update[key]
+		if !found {
+			s.localResolver.deleteRecord(key)
+		}
+	}
+
+	updatedMap := make(registrationMap)
+	for _, recs := range update {
+		for _, rec := range recs {
+			// convert the record to a dns.RR and register
+			key, err := s.localResolver.registerRecord(rec)
+			if err != nil {
+				log.Warnf("got an error while registering the record (%s), error: %v",
+					rec.String(), err)
+				continue
+			}
+
+			updatedMap[key] = struct{}{}
+		}
+	}
+
+	s.localResolver.registeredMap = updatedMap
+}
+
 func getNSHostPort(ns nbdns.NameServer) string {
 	return fmt.Sprintf("%s:%d", ns.IP.String(), ns.Port)
 }
@@ -713,7 +690,10 @@ func (s *DefaultServer) upstreamCallbacks(
 			}
 		}

-		s.applyHostConfig()
+		if err := s.hostManager.applyDNSConfig(s.currentConfig, s.stateManager); err != nil {
+			s.handleErrNoGroupaAll(err)
+			l.Errorf("Failed to apply nameserver deactivation on the host: %v", err)
+		}

 		go func() {
 			if err := s.stateManager.PersistState(s.ctx); err != nil {
@@ -748,7 +728,12 @@ func (s *DefaultServer) upstreamCallbacks(
 			s.registerHandler([]string{nbdns.RootZone}, handler, priority)
 		}

-		s.applyHostConfig()
+		if s.hostManager != nil {
+			if err := s.hostManager.applyDNSConfig(s.currentConfig, s.stateManager); err != nil {
+				s.handleErrNoGroupaAll(err)
+				l.WithError(err).Error("reactivate temporary disabled nameserver group, DNS update apply")
+			}
+		}

 		s.updateNSState(nsGroup, nil, true)
 	}
@@ -851,13 +836,3 @@ func groupNSGroupsByDomain(nsGroups []*nbdns.NameServerGroup) []nsGroupsByDomain

 	return result
 }
-
-func toZone(d domain.Domain) domain.Domain {
-	return domain.Domain(
-		nbdns.NormalizeZone(
-			dns.Fqdn(
-				strings.ToLower(d.PunycodeString()),
-			),
-		),
-	)
-}
--- a/client/internal/dns/server_test.go
+++ b/client/internal/dns/server_test.go
@@ -23,26 +23,22 @@ import (
 	"github.com/netbirdio/netbird/client/iface/device"
 	pfmock "github.com/netbirdio/netbird/client/iface/mocks"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	"github.com/netbirdio/netbird/client/internal/dns/local"
-	"github.com/netbirdio/netbird/client/internal/dns/test"
-	"github.com/netbirdio/netbird/client/internal/dns/types"
 	"github.com/netbirdio/netbird/client/internal/netflow"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/formatter"
-	"github.com/netbirdio/netbird/management/domain"
 )

-var flowLogger = netflow.NewManager(nil, []byte{}, nil).GetLogger()
+var flowLogger = netflow.NewManager(context.Background(), nil, []byte{}, nil).GetLogger()

 type mocWGIface struct {
 	filter device.PacketFilter
 }

 func (w *mocWGIface) Name() string {
-	return "utun2301"
+	panic("implement me")
 }

 func (w *mocWGIface) Address() wgaddr.Address {
@@ -110,7 +106,6 @@ func generateDummyHandler(domain string, servers []nbdns.NameServer) *upstreamRe
 }

 func TestUpdateDNSServer(t *testing.T) {
-
 	nameServers := []nbdns.NameServer{
 		{
 			IP:     netip.MustParseAddr("8.8.8.8"),
@@ -124,21 +119,22 @@ func TestUpdateDNSServer(t *testing.T) {
 		},
 	}

-	dummyHandler := local.NewResolver()
+	dummyHandler := &localResolver{}

 	testCases := []struct {
 		name                string
 		initUpstreamMap     registeredHandlerMap
-		initLocalRecords    []nbdns.SimpleRecord
+		initLocalMap        registrationMap
 		initSerial          uint64
 		inputSerial         uint64
 		inputUpdate         nbdns.Config
 		shouldFail          bool
 		expectedUpstreamMap registeredHandlerMap
-		expectedLocalQs     []dns.Question
+		expectedLocalMap    registrationMap
 	}{
 		{
 			name:            "Initial Config Should Succeed",
+			initLocalMap:    make(registrationMap),
 			initUpstreamMap: make(registeredHandlerMap),
 			initSerial:      0,
 			inputSerial:     1,
@@ -162,30 +158,30 @@ func TestUpdateDNSServer(t *testing.T) {
 				},
 			},
 			expectedUpstreamMap: registeredHandlerMap{
-				generateDummyHandler("netbird.io", nameServers).ID(): handlerWrapper{
+				generateDummyHandler("netbird.io", nameServers).id(): handlerWrapper{
 					domain:   "netbird.io",
 					handler:  dummyHandler,
 					priority: PriorityMatchDomain,
 				},
-				dummyHandler.ID(): handlerWrapper{
+				dummyHandler.id(): handlerWrapper{
 					domain:   "netbird.cloud",
 					handler:  dummyHandler,
 					priority: PriorityMatchDomain,
 				},
-				generateDummyHandler(".", nameServers).ID(): handlerWrapper{
+				generateDummyHandler(".", nameServers).id(): handlerWrapper{
 					domain:   nbdns.RootZone,
 					handler:  dummyHandler,
 					priority: PriorityDefault,
 				},
 			},
-			expectedLocalQs: []dns.Question{{Name: "peera.netbird.cloud.", Qtype: dns.TypeA, Qclass: dns.ClassINET}},
+			expectedLocalMap: registrationMap{buildRecordKey(zoneRecords[0].Name, 1, 1): struct{}{}},
 		},
 		{
-			name:             "New Config Should Succeed",
-			initLocalRecords: []nbdns.SimpleRecord{{Name: "netbird.cloud", Type: 1, Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}},
+			name:         "New Config Should Succeed",
+			initLocalMap: registrationMap{"netbird.cloud": struct{}{}},
 			initUpstreamMap: registeredHandlerMap{
-				generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{
-					domain:   "netbird.cloud",
+				generateDummyHandler(zoneRecords[0].Name, nameServers).id(): handlerWrapper{
+					domain:   buildRecordKey(zoneRecords[0].Name, 1, 1),
 					handler:  dummyHandler,
 					priority: PriorityMatchDomain,
 				},
@@ -208,7 +204,7 @@ func TestUpdateDNSServer(t *testing.T) {
 				},
 			},
 			expectedUpstreamMap: registeredHandlerMap{
-				generateDummyHandler("netbird.io", nameServers).ID(): handlerWrapper{
+				generateDummyHandler("netbird.io", nameServers).id(): handlerWrapper{
 					domain:   "netbird.io",
 					handler:  dummyHandler,
 					priority: PriorityMatchDomain,
@@ -219,22 +215,22 @@ func TestUpdateDNSServer(t *testing.T) {
 					priority: PriorityMatchDomain,
 				},
 			},
-			expectedLocalQs: []dns.Question{{Name: zoneRecords[0].Name, Qtype: 1, Qclass: 1}},
+			expectedLocalMap: registrationMap{buildRecordKey(zoneRecords[0].Name, 1, 1): struct{}{}},
 		},
 		{
-			name:             "Smaller Config Serial Should Be Skipped",
-			initLocalRecords: []nbdns.SimpleRecord{},
-			initUpstreamMap:  make(registeredHandlerMap),
-			initSerial:       2,
-			inputSerial:      1,
-			shouldFail:       true,
+			name:            "Smaller Config Serial Should Be Skipped",
+			initLocalMap:    make(registrationMap),
+			initUpstreamMap: make(registeredHandlerMap),
+			initSerial:      2,
+			inputSerial:     1,
+			shouldFail:      true,
 		},
 		{
-			name:             "Empty NS Group Domain Or Not Primary Element Should Fail",
-			initLocalRecords: []nbdns.SimpleRecord{},
-			initUpstreamMap:  make(registeredHandlerMap),
-			initSerial:       0,
-			inputSerial:      1,
+			name:            "Empty NS Group Domain Or Not Primary Element Should Fail",
+			initLocalMap:    make(registrationMap),
+			initUpstreamMap: make(registeredHandlerMap),
+			initSerial:      0,
+			inputSerial:     1,
 			inputUpdate: nbdns.Config{
 				ServiceEnable: true,
 				CustomZones: []nbdns.CustomZone{
@@ -252,11 +248,11 @@ func TestUpdateDNSServer(t *testing.T) {
 			shouldFail: true,
 		},
 		{
-			name:             "Invalid NS Group Nameservers list Should Fail",
-			initLocalRecords: []nbdns.SimpleRecord{},
-			initUpstreamMap:  make(registeredHandlerMap),
-			initSerial:       0,
-			inputSerial:      1,
+			name:            "Invalid NS Group Nameservers list Should Fail",
+			initLocalMap:    make(registrationMap),
+			initUpstreamMap: make(registeredHandlerMap),
+			initSerial:      0,
+			inputSerial:     1,
 			inputUpdate: nbdns.Config{
 				ServiceEnable: true,
 				CustomZones: []nbdns.CustomZone{
@@ -274,11 +270,11 @@ func TestUpdateDNSServer(t *testing.T) {
 			shouldFail: true,
 		},
 		{
-			name:             "Invalid Custom Zone Records list Should Skip",
-			initLocalRecords: []nbdns.SimpleRecord{},
-			initUpstreamMap:  make(registeredHandlerMap),
-			initSerial:       0,
-			inputSerial:      1,
+			name:            "Invalid Custom Zone Records list Should Skip",
+			initLocalMap:    make(registrationMap),
+			initUpstreamMap: make(registeredHandlerMap),
+			initSerial:      0,
+			inputSerial:     1,
 			inputUpdate: nbdns.Config{
 				ServiceEnable: true,
 				CustomZones: []nbdns.CustomZone{
@@ -293,17 +289,17 @@ func TestUpdateDNSServer(t *testing.T) {
 					},
 				},
 			},
-			expectedUpstreamMap: registeredHandlerMap{generateDummyHandler(".", nameServers).ID(): handlerWrapper{
+			expectedUpstreamMap: registeredHandlerMap{generateDummyHandler(".", nameServers).id(): handlerWrapper{
 				domain:   ".",
 				handler:  dummyHandler,
 				priority: PriorityDefault,
 			}},
 		},
 		{
-			name:             "Empty Config Should Succeed and Clean Maps",
-			initLocalRecords: []nbdns.SimpleRecord{{Name: "netbird.cloud", Type: int(dns.TypeA), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}},
+			name:         "Empty Config Should Succeed and Clean Maps",
+			initLocalMap: registrationMap{"netbird.cloud": struct{}{}},
 			initUpstreamMap: registeredHandlerMap{
-				generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{
+				generateDummyHandler(zoneRecords[0].Name, nameServers).id(): handlerWrapper{
 					domain:   zoneRecords[0].Name,
 					handler:  dummyHandler,
 					priority: PriorityMatchDomain,
@@ -313,13 +309,13 @@ func TestUpdateDNSServer(t *testing.T) {
 			inputSerial:         1,
 			inputUpdate:         nbdns.Config{ServiceEnable: true},
 			expectedUpstreamMap: make(registeredHandlerMap),
-			expectedLocalQs:     []dns.Question{},
+			expectedLocalMap:    make(registrationMap),
 		},
 		{
-			name:             "Disabled Service Should clean map",
-			initLocalRecords: []nbdns.SimpleRecord{{Name: "netbird.cloud", Type: int(dns.TypeA), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}},
+			name:         "Disabled Service Should clean map",
+			initLocalMap: registrationMap{"netbird.cloud": struct{}{}},
 			initUpstreamMap: registeredHandlerMap{
-				generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{
+				generateDummyHandler(zoneRecords[0].Name, nameServers).id(): handlerWrapper{
 					domain:   zoneRecords[0].Name,
 					handler:  dummyHandler,
 					priority: PriorityMatchDomain,
@@ -329,7 +325,7 @@ func TestUpdateDNSServer(t *testing.T) {
 			inputSerial:         1,
 			inputUpdate:         nbdns.Config{ServiceEnable: false},
 			expectedUpstreamMap: make(registeredHandlerMap),
-			expectedLocalQs:     []dns.Question{},
+			expectedLocalMap:    make(registrationMap),
 		},
 	}

@@ -380,7 +376,7 @@ func TestUpdateDNSServer(t *testing.T) {
 			}()

 			dnsServer.dnsMuxMap = testCase.initUpstreamMap
-			dnsServer.localResolver.Update(testCase.initLocalRecords)
+			dnsServer.localResolver.registeredMap = testCase.initLocalMap
 			dnsServer.updateSerial = testCase.initSerial

 			err = dnsServer.UpdateDNSServer(testCase.inputSerial, testCase.inputUpdate)
@@ -402,23 +398,15 @@ func TestUpdateDNSServer(t *testing.T) {
 				}
 			}

-			var responseMSG *dns.Msg
-			responseWriter := &test.MockResponseWriter{
-				WriteMsgFunc: func(m *dns.Msg) error {
-					responseMSG = m
-					return nil
-				},
-			}
-			for _, q := range testCase.expectedLocalQs {
-				dnsServer.localResolver.ServeDNS(responseWriter, &dns.Msg{
-					Question: []dns.Question{q},
-				})
+			if len(dnsServer.localResolver.registeredMap) != len(testCase.expectedLocalMap) {
+				t.Fatalf("update local failed, registered map size is different than expected, want %d, got %d", len(testCase.expectedLocalMap), len(dnsServer.localResolver.registeredMap))
 			}

-			if len(testCase.expectedLocalQs) > 0 {
-				assert.NotNil(t, responseMSG, "response message should not be nil")
-				assert.Equal(t, dns.RcodeSuccess, responseMSG.Rcode, "response code should be success")
-				assert.NotEmpty(t, responseMSG.Answer, "response message should have answers")
+			for key := range testCase.expectedLocalMap {
+				_, found := dnsServer.localResolver.registeredMap[key]
+				if !found {
+					t.Fatalf("update local failed, key %s was not found in the localResolver.registeredMap: %#v", key, dnsServer.localResolver.registeredMap)
+				}
 			}
 		})
 	}
@@ -502,12 +490,11 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 	dnsServer.dnsMuxMap = registeredHandlerMap{
 		"id1": handlerWrapper{
 			domain:   zoneRecords[0].Name,
-			handler:  &local.Resolver{},
+			handler:  &localResolver{},
 			priority: PriorityMatchDomain,
 		},
 	}
-	//dnsServer.localResolver.RegisteredMap = local.RegistrationMap{local.BuildRecordKey("netbird.cloud", dns.ClassINET, dns.TypeA): struct{}{}}
-	dnsServer.localResolver.Update([]nbdns.SimpleRecord{{Name: "netbird.cloud", Type: int(dns.TypeA), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}})
+	dnsServer.localResolver.registeredMap = registrationMap{"netbird.cloud": struct{}{}}
 	dnsServer.updateSerial = 0

 	nameServers := []nbdns.NameServer{
@@ -594,7 +581,7 @@ func TestDNSServerStartStop(t *testing.T) {
 			}
 			time.Sleep(100 * time.Millisecond)
 			defer dnsServer.Stop()
-			err = dnsServer.localResolver.RegisterRecord(zoneRecords[0])
+			_, err = dnsServer.localResolver.registerRecord(zoneRecords[0])
 			if err != nil {
 				t.Error(err)
 			}
@@ -642,11 +629,13 @@ func TestDNSServerStartStop(t *testing.T) {
 func TestDNSServerUpstreamDeactivateCallback(t *testing.T) {
 	hostManager := &mockHostConfigurator{}
 	server := DefaultServer{
-		ctx:           context.Background(),
-		service:       NewServiceViaMemory(&mocWGIface{}),
-		localResolver: local.NewResolver(),
-		handlerChain:  NewHandlerChain(),
-		hostManager:   hostManager,
+		ctx:     context.Background(),
+		service: NewServiceViaMemory(&mocWGIface{}),
+		localResolver: &localResolver{
+			registeredMap: make(registrationMap),
+		},
+		handlerChain: NewHandlerChain(),
+		hostManager:  hostManager,
 		currentConfig: HostDNSConfig{
 			Domains: []DomainConfig{
 				{false, "domain0", false},
@@ -1014,7 +1003,7 @@ func TestHandlerChain_DomainPriorities(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			r := new(dns.Msg)
 			r.SetQuestion(tc.query, dns.TypeA)
-			w := &ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
+			w := &ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}

 			if mh, ok := tc.expectedHandler.(*MockHandler); ok {
 				mh.On("ServeDNS", mock.Anything, r).Once()
@@ -1047,9 +1036,9 @@ type mockHandler struct {
 }

 func (m *mockHandler) ServeDNS(dns.ResponseWriter, *dns.Msg) {}
-func (m *mockHandler) Stop()                                 {}
-func (m *mockHandler) ProbeAvailability()                    {}
-func (m *mockHandler) ID() types.HandlerID                   { return types.HandlerID(m.Id) }
+func (m *mockHandler) stop()                                 {}
+func (m *mockHandler) probeAvailability()                    {}
+func (m *mockHandler) id() handlerID                         { return handlerID(m.Id) }

 type mockService struct{}

@@ -1123,7 +1112,7 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 		name             string
 		initialHandlers  registeredHandlerMap
 		updates          []handlerWrapper
-		expectedHandlers map[string]string // map[HandlerID]domain
+		expectedHandlers map[string]string // map[handlerID]domain
 		description      string
 	}{
 		{
@@ -1419,7 +1408,7 @@ func TestDefaultServer_UpdateMux(t *testing.T) {

 			// Check each expected handler
 			for id, expectedDomain := range tt.expectedHandlers {
-				handler, exists := server.dnsMuxMap[types.HandlerID(id)]
+				handler, exists := server.dnsMuxMap[handlerID(id)]
 				assert.True(t, exists, "Expected handler %s not found", id)
 				if exists {
 					assert.Equal(t, expectedDomain, handler.domain,
@@ -1428,9 +1417,9 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 			}

 			// Verify no unexpected handlers exist
-			for HandlerID := range server.dnsMuxMap {
-				_, expected := tt.expectedHandlers[string(HandlerID)]
-				assert.True(t, expected, "Unexpected handler found: %s", HandlerID)
+			for handlerID := range server.dnsMuxMap {
+				_, expected := tt.expectedHandlers[string(handlerID)]
+				assert.True(t, expected, "Unexpected handler found: %s", handlerID)
 			}

 			// Verify the handlerChain state and order
@@ -1459,497 +1448,3 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 		})
 	}
 }
-
-func TestExtraDomains(t *testing.T) {
-	tests := []struct {
-		name                string
-		initialConfig       nbdns.Config
-		registerDomains     []domain.List
-		deregisterDomains   []domain.List
-		finalConfig         nbdns.Config
-		expectedDomains     []string
-		expectedMatchOnly   []string
-		applyHostConfigCall int
-	}{
-		{
-			name: "Register domains before config update",
-			registerDomains: []domain.List{
-				{"extra1.example.com", "extra2.example.com"},
-			},
-			initialConfig: nbdns.Config{
-				ServiceEnable: true,
-				CustomZones: []nbdns.CustomZone{
-					{Domain: "config.example.com"},
-				},
-			},
-			expectedDomains: []string{
-				"config.example.com.",
-				"extra1.example.com.",
-				"extra2.example.com.",
-			},
-			expectedMatchOnly: []string{
-				"extra1.example.com.",
-				"extra2.example.com.",
-			},
-			applyHostConfigCall: 2,
-		},
-		{
-			name: "Register domains after config update",
-			initialConfig: nbdns.Config{
-				ServiceEnable: true,
-				CustomZones: []nbdns.CustomZone{
-					{Domain: "config.example.com"},
-				},
-			},
-			registerDomains: []domain.List{
-				{"extra1.example.com", "extra2.example.com"},
-			},
-			expectedDomains: []string{
-				"config.example.com.",
-				"extra1.example.com.",
-				"extra2.example.com.",
-			},
-			expectedMatchOnly: []string{
-				"extra1.example.com.",
-				"extra2.example.com.",
-			},
-			applyHostConfigCall: 2,
-		},
-		{
-			name: "Register overlapping domains",
-			initialConfig: nbdns.Config{
-				ServiceEnable: true,
-				CustomZones: []nbdns.CustomZone{
-					{Domain: "config.example.com"},
-					{Domain: "overlap.example.com"},
-				},
-			},
-			registerDomains: []domain.List{
-				{"extra.example.com", "overlap.example.com"},
-			},
-			expectedDomains: []string{
-				"config.example.com.",
-				"overlap.example.com.",
-				"extra.example.com.",
-			},
-			expectedMatchOnly: []string{
-				"extra.example.com.",
-			},
-			applyHostConfigCall: 2,
-		},
-		{
-			name: "Register and deregister domains",
-			initialConfig: nbdns.Config{
-				ServiceEnable: true,
-				CustomZones: []nbdns.CustomZone{
-					{Domain: "config.example.com"},
-				},
-			},
-			registerDomains: []domain.List{
-				{"extra1.example.com", "extra2.example.com"},
-				{"extra3.example.com", "extra4.example.com"},
-			},
-			deregisterDomains: []domain.List{
-				{"extra1.example.com", "extra3.example.com"},
-			},
-			expectedDomains: []string{
-				"config.example.com.",
-				"extra2.example.com.",
-				"extra4.example.com.",
-			},
-			expectedMatchOnly: []string{
-				"extra2.example.com.",
-				"extra4.example.com.",
-			},
-			applyHostConfigCall: 4,
-		},
-		{
-			name: "Register domains with ref counter",
-			initialConfig: nbdns.Config{
-				ServiceEnable: true,
-				CustomZones: []nbdns.CustomZone{
-					{Domain: "config.example.com"},
-				},
-			},
-			registerDomains: []domain.List{
-				{"extra.example.com", "duplicate.example.com"},
-				{"other.example.com", "duplicate.example.com"},
-			},
-			deregisterDomains: []domain.List{
-				{"duplicate.example.com"},
-			},
-			expectedDomains: []string{
-				"config.example.com.",
-				"extra.example.com.",
-				"other.example.com.",
-				"duplicate.example.com.",
-			},
-			expectedMatchOnly: []string{
-				"extra.example.com.",
-				"other.example.com.",
-				"duplicate.example.com.",
-			},
-			applyHostConfigCall: 4,
-		},
-		{
-			name: "Config update with new domains after registration",
-			initialConfig: nbdns.Config{
-				ServiceEnable: true,
-				CustomZones: []nbdns.CustomZone{
-					{Domain: "config.example.com"},
-				},
-			},
-			registerDomains: []domain.List{
-				{"extra.example.com", "duplicate.example.com"},
-			},
-			finalConfig: nbdns.Config{
-				ServiceEnable: true,
-				CustomZones: []nbdns.CustomZone{
-					{Domain: "config.example.com"},
-					{Domain: "newconfig.example.com"},
-				},
-			},
-			expectedDomains: []string{
-				"config.example.com.",
-				"newconfig.example.com.",
-				"extra.example.com.",
-				"duplicate.example.com.",
-			},
-			expectedMatchOnly: []string{
-				"extra.example.com.",
-				"duplicate.example.com.",
-			},
-			applyHostConfigCall: 3,
-		},
-		{
-			name: "Deregister domain that is part of customZones",
-			initialConfig: nbdns.Config{
-				ServiceEnable: true,
-				CustomZones: []nbdns.CustomZone{
-					{Domain: "config.example.com"},
-					{Domain: "protected.example.com"},
-				},
-			},
-			registerDomains: []domain.List{
-				{"extra.example.com", "protected.example.com"},
-			},
-			deregisterDomains: []domain.List{
-				{"protected.example.com"},
-			},
-			expectedDomains: []string{
-				"extra.example.com.",
-				"config.example.com.",
-				"protected.example.com.",
-			},
-			expectedMatchOnly: []string{
-				"extra.example.com.",
-			},
-			applyHostConfigCall: 3,
-		},
-		{
-			name: "Register domain that is part of nameserver group",
-			initialConfig: nbdns.Config{
-				ServiceEnable: true,
-				NameServerGroups: []*nbdns.NameServerGroup{
-					{
-						Domains: []string{"ns.example.com", "overlap.ns.example.com"},
-						NameServers: []nbdns.NameServer{
-							{
-								IP:     netip.MustParseAddr("8.8.8.8"),
-								NSType: nbdns.UDPNameServerType,
-								Port:   53,
-							},
-						},
-					},
-				},
-			},
-			registerDomains: []domain.List{
-				{"extra.example.com", "overlap.ns.example.com"},
-			},
-			expectedDomains: []string{
-				"ns.example.com.",
-				"overlap.ns.example.com.",
-				"extra.example.com.",
-			},
-			expectedMatchOnly: []string{
-				"ns.example.com.",
-				"overlap.ns.example.com.",
-				"extra.example.com.",
-			},
-			applyHostConfigCall: 2,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			var capturedConfigs []HostDNSConfig
-			mockHostConfig := &mockHostConfigurator{
-				applyDNSConfigFunc: func(config HostDNSConfig, _ *statemanager.Manager) error {
-					capturedConfigs = append(capturedConfigs, config)
-					return nil
-				},
-				restoreHostDNSFunc: func() error {
-					return nil
-				},
-				supportCustomPortFunc: func() bool {
-					return true
-				},
-				stringFunc: func() string {
-					return "mock"
-				},
-			}
-
-			mockSvc := &mockService{}
-
-			server := &DefaultServer{
-				ctx:            context.Background(),
-				handlerChain:   NewHandlerChain(),
-				wgInterface:    &mocWGIface{},
-				hostManager:    mockHostConfig,
-				localResolver:  &local.Resolver{},
-				service:        mockSvc,
-				statusRecorder: peer.NewRecorder("test"),
-				extraDomains:   make(map[domain.Domain]int),
-			}
-
-			// Apply initial configuration
-			if tt.initialConfig.ServiceEnable {
-				err := server.applyConfiguration(tt.initialConfig)
-				assert.NoError(t, err)
-			}
-
-			// Register domains
-			for _, domains := range tt.registerDomains {
-				server.RegisterHandler(domains, &MockHandler{}, PriorityDefault)
-			}
-
-			// Deregister domains if specified
-			for _, domains := range tt.deregisterDomains {
-				server.DeregisterHandler(domains, PriorityDefault)
-			}
-
-			// Apply final configuration if specified
-			if tt.finalConfig.ServiceEnable {
-				err := server.applyConfiguration(tt.finalConfig)
-				assert.NoError(t, err)
-			}
-
-			// Verify number of calls
-			assert.Equal(t, tt.applyHostConfigCall, len(capturedConfigs),
-				"Expected %d calls to applyDNSConfig, got %d", tt.applyHostConfigCall, len(capturedConfigs))
-
-			// Get the last applied config
-			lastConfig := capturedConfigs[len(capturedConfigs)-1]
-
-			// Check all expected domains are present
-			domainMap := make(map[string]bool)
-			matchOnlyMap := make(map[string]bool)
-
-			for _, d := range lastConfig.Domains {
-				domainMap[d.Domain] = true
-				if d.MatchOnly {
-					matchOnlyMap[d.Domain] = true
-				}
-			}
-
-			// Verify expected domains
-			for _, d := range tt.expectedDomains {
-				assert.True(t, domainMap[d], "Expected domain %s not found in final config", d)
-			}
-
-			// Verify match-only domains
-			for _, d := range tt.expectedMatchOnly {
-				assert.True(t, matchOnlyMap[d], "Expected match-only domain %s not found in final config", d)
-			}
-
-			// Verify no unexpected domains
-			assert.Equal(t, len(tt.expectedDomains), len(domainMap), "Unexpected number of domains in final config")
-			assert.Equal(t, len(tt.expectedMatchOnly), len(matchOnlyMap), "Unexpected number of match-only domains in final config")
-		})
-	}
-}
-
-func TestExtraDomainsRefCounting(t *testing.T) {
-	mockHostConfig := &mockHostConfigurator{
-		applyDNSConfigFunc: func(config HostDNSConfig, _ *statemanager.Manager) error {
-			return nil
-		},
-		restoreHostDNSFunc: func() error {
-			return nil
-		},
-		supportCustomPortFunc: func() bool {
-			return true
-		},
-		stringFunc: func() string {
-			return "mock"
-		},
-	}
-
-	mockSvc := &mockService{}
-
-	server := &DefaultServer{
-		ctx:            context.Background(),
-		handlerChain:   NewHandlerChain(),
-		hostManager:    mockHostConfig,
-		localResolver:  &local.Resolver{},
-		service:        mockSvc,
-		statusRecorder: peer.NewRecorder("test"),
-		extraDomains:   make(map[domain.Domain]int),
-	}
-
-	// Register domains from different handlers with same domain
-	server.RegisterHandler(domain.List{"*.shared.example.com"}, &MockHandler{}, PriorityDNSRoute)
-	server.RegisterHandler(domain.List{"shared.example.com."}, &MockHandler{}, PriorityMatchDomain)
-
-	// Verify refcount is 2
-	zoneKey := toZone("shared.example.com")
-	assert.Equal(t, 2, server.extraDomains[zoneKey], "Refcount should be 2 after registering same domain twice")
-
-	// Deregister one handler
-	server.DeregisterHandler(domain.List{"shared.example.com"}, PriorityMatchDomain)
-
-	// Verify refcount is 1
-	assert.Equal(t, 1, server.extraDomains[zoneKey], "Refcount should be 1 after deregistering one handler")
-
-	// Deregister the other handler
-	server.DeregisterHandler(domain.List{"shared.example.com"}, PriorityDNSRoute)
-
-	// Verify domain is removed
-	_, exists := server.extraDomains[zoneKey]
-	assert.False(t, exists, "Domain should be removed after deregistering all handlers")
-}
-
-func TestUpdateConfigWithExistingExtraDomains(t *testing.T) {
-	var capturedConfig HostDNSConfig
-	mockHostConfig := &mockHostConfigurator{
-		applyDNSConfigFunc: func(config HostDNSConfig, _ *statemanager.Manager) error {
-			capturedConfig = config
-			return nil
-		},
-		restoreHostDNSFunc: func() error {
-			return nil
-		},
-		supportCustomPortFunc: func() bool {
-			return true
-		},
-		stringFunc: func() string {
-			return "mock"
-		},
-	}
-
-	mockSvc := &mockService{}
-
-	server := &DefaultServer{
-		ctx:            context.Background(),
-		handlerChain:   NewHandlerChain(),
-		hostManager:    mockHostConfig,
-		localResolver:  &local.Resolver{},
-		service:        mockSvc,
-		statusRecorder: peer.NewRecorder("test"),
-		extraDomains:   make(map[domain.Domain]int),
-	}
-
-	server.RegisterHandler(domain.List{"extra.example.com"}, &MockHandler{}, PriorityDefault)
-
-	initialConfig := nbdns.Config{
-		ServiceEnable: true,
-		CustomZones: []nbdns.CustomZone{
-			{Domain: "config.example.com"},
-		},
-	}
-	err := server.applyConfiguration(initialConfig)
-	assert.NoError(t, err)
-
-	var domains []string
-	for _, d := range capturedConfig.Domains {
-		domains = append(domains, d.Domain)
-	}
-	assert.Contains(t, domains, "config.example.com.")
-	assert.Contains(t, domains, "extra.example.com.")
-
-	// Now apply a new configuration with overlapping domain
-	updatedConfig := nbdns.Config{
-		ServiceEnable: true,
-		CustomZones: []nbdns.CustomZone{
-			{Domain: "config.example.com"},
-			{Domain: "extra.example.com"},
-		},
-	}
-	err = server.applyConfiguration(updatedConfig)
-	assert.NoError(t, err)
-
-	// Verify both domains are in config, but no duplicates
-	domains = []string{}
-	matchOnlyCount := 0
-	for _, d := range capturedConfig.Domains {
-		domains = append(domains, d.Domain)
-		if d.MatchOnly {
-			matchOnlyCount++
-		}
-	}
-
-	assert.Contains(t, domains, "config.example.com.")
-	assert.Contains(t, domains, "extra.example.com.")
-	assert.Equal(t, 2, len(domains), "Should have exactly 2 domains with no duplicates")
-
-	// Extra domain should no longer be marked as match-only when in config
-	matchOnlyDomain := ""
-	for _, d := range capturedConfig.Domains {
-		if d.Domain == "extra.example.com." && d.MatchOnly {
-			matchOnlyDomain = d.Domain
-			break
-		}
-	}
-	assert.Empty(t, matchOnlyDomain, "Domain should not be match-only when included in config")
-}
-
-func TestDomainCaseHandling(t *testing.T) {
-	var capturedConfig HostDNSConfig
-	mockHostConfig := &mockHostConfigurator{
-		applyDNSConfigFunc: func(config HostDNSConfig, _ *statemanager.Manager) error {
-			capturedConfig = config
-			return nil
-		},
-		restoreHostDNSFunc: func() error {
-			return nil
-		},
-		supportCustomPortFunc: func() bool {
-			return true
-		},
-		stringFunc: func() string {
-			return "mock"
-		},
-	}
-
-	mockSvc := &mockService{}
-	server := &DefaultServer{
-		ctx:            context.Background(),
-		handlerChain:   NewHandlerChain(),
-		hostManager:    mockHostConfig,
-		localResolver:  &local.Resolver{},
-		service:        mockSvc,
-		statusRecorder: peer.NewRecorder("test"),
-		extraDomains:   make(map[domain.Domain]int),
-	}
-
-	server.RegisterHandler(domain.List{"MIXED.example.com"}, &MockHandler{}, PriorityDefault)
-	server.RegisterHandler(domain.List{"mixed.EXAMPLE.com"}, &MockHandler{}, PriorityMatchDomain)
-
-	assert.Equal(t, 1, len(server.extraDomains), "Case differences should be normalized")
-
-	config := nbdns.Config{
-		ServiceEnable: true,
-		CustomZones: []nbdns.CustomZone{
-			{Domain: "config.example.com"},
-		},
-	}
-	err := server.applyConfiguration(config)
-	assert.NoError(t, err)
-
-	var domains []string
-	for _, d := range capturedConfig.Domains {
-		domains = append(domains, d.Domain)
-	}
-	assert.Contains(t, domains, "config.example.com.", "Mixed case domain should be normalized and pre.sent")
-	assert.Contains(t, domains, "mixed.example.com.", "Mixed case domain should be normalized and present")
-}
--- a/client/internal/dns/systemd_linux.go
+++ b/client/internal/dns/systemd_linux.go
@@ -11,6 +11,7 @@ import (
 	"time"

 	"github.com/godbus/dbus/v5"
+	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"

@@ -37,6 +38,7 @@ const (

 type systemdDbusConfigurator struct {
 	dbusLinkObject dbus.ObjectPath
+	routingAll     bool
 	ifaceName      string
 }

@@ -110,7 +112,7 @@ func (s *systemdDbusConfigurator) applyDNSConfig(config HostDNSConfig, stateMana
 			continue
 		}
 		domainsInput = append(domainsInput, systemdDbusLinkDomainsInput{
-			Domain:    dConf.Domain,
+			Domain:    dns.Fqdn(dConf.Domain),
 			MatchOnly: dConf.MatchOnly,
 		})

@@ -122,19 +124,18 @@ func (s *systemdDbusConfigurator) applyDNSConfig(config HostDNSConfig, stateMana
 	}

 	if config.RouteAll {
+		log.Infof("configured %s:%d as main DNS forwarder for this peer", config.ServerIP, config.ServerPort)
 		err = s.callLinkMethod(systemdDbusSetDefaultRouteMethodSuffix, true)
 		if err != nil {
-			return fmt.Errorf("set link as default dns router: %w", err)
+			return fmt.Errorf("setting link as default dns router, failed with error: %w", err)
 		}
 		domainsInput = append(domainsInput, systemdDbusLinkDomainsInput{
 			Domain:    nbdns.RootZone,
 			MatchOnly: true,
 		})
-		log.Infof("configured %s:%d as main DNS forwarder for this peer", config.ServerIP, config.ServerPort)
-	} else {
-		if err = s.callLinkMethod(systemdDbusSetDefaultRouteMethodSuffix, false); err != nil {
-			return fmt.Errorf("remove link as default dns router: %w", err)
-		}
+		s.routingAll = true
+	} else if s.routingAll {
+		log.Infof("removing %s:%d as main DNS forwarder for this peer", config.ServerIP, config.ServerPort)
 	}

 	state := &ShutdownState{
@@ -150,11 +151,6 @@ func (s *systemdDbusConfigurator) applyDNSConfig(config HostDNSConfig, stateMana
 	if err != nil {
 		log.Error(err)
 	}
-
-	if err := s.flushDNSCache(); err != nil {
-		log.Errorf("failed to flush DNS cache: %v", err)
-	}
-
 	return nil
 }

@@ -167,8 +163,7 @@ func (s *systemdDbusConfigurator) setDomainsForInterface(domainsInput []systemdD
 	if err != nil {
 		return fmt.Errorf("setting domains configuration failed with error: %w", err)
 	}
-
-	return nil
+	return s.flushCaches()
 }

 func (s *systemdDbusConfigurator) restoreHostDNS() error {
@@ -188,14 +183,10 @@ func (s *systemdDbusConfigurator) restoreHostDNS() error {
 		return fmt.Errorf("unable to revert link configuration, got error: %w", err)
 	}

-	if err := s.flushDNSCache(); err != nil {
-		log.Errorf("failed to flush DNS cache: %v", err)
-	}
-
-	return nil
+	return s.flushCaches()
 }

-func (s *systemdDbusConfigurator) flushDNSCache() error {
+func (s *systemdDbusConfigurator) flushCaches() error {
 	obj, closeConn, err := getDbusObject(systemdResolvedDest, systemdDbusObjectNode)
 	if err != nil {
 		return fmt.Errorf("attempting to retrieve the object %s, err: %w", systemdDbusObjectNode, err)
--- a/client/internal/dns/test/mock.go
+++ b/client/internal/dns/test/mock.go
@@ -1,26 +0,0 @@
-package test
-
-import (
-	"net"
-
-	"github.com/miekg/dns"
-)
-
-type MockResponseWriter struct {
-	WriteMsgFunc func(m *dns.Msg) error
-}
-
-func (rw *MockResponseWriter) WriteMsg(m *dns.Msg) error {
-	if rw.WriteMsgFunc != nil {
-		return rw.WriteMsgFunc(m)
-	}
-	return nil
-}
-
-func (rw *MockResponseWriter) LocalAddr() net.Addr       { return nil }
-func (rw *MockResponseWriter) RemoteAddr() net.Addr      { return nil }
-func (rw *MockResponseWriter) Write([]byte) (int, error) { return 0, nil }
-func (rw *MockResponseWriter) Close() error              { return nil }
-func (rw *MockResponseWriter) TsigStatus() error         { return nil }
-func (rw *MockResponseWriter) TsigTimersOnly(bool)       {}
-func (rw *MockResponseWriter) Hijack()                   {}
--- a/client/internal/dns/types/types.go
+++ b/client/internal/dns/types/types.go
@@ -1,3 +0,0 @@
-package types
-
-type HandlerID string
--- a/client/internal/dns/upstream.go
+++ b/client/internal/dns/upstream.go
@@ -18,17 +18,14 @@ import (
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"

-	"github.com/netbirdio/netbird/client/iface"
-	"github.com/netbirdio/netbird/client/internal/dns/types"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/proto"
 )

 const (
-	UpstreamTimeout = 15 * time.Second
-
 	failsTillDeact   = int32(5)
 	reactivatePeriod = 30 * time.Second
+	upstreamTimeout  = 15 * time.Second
 	probeTimeout     = 2 * time.Second
 )

@@ -69,7 +66,7 @@ func newUpstreamResolverBase(ctx context.Context, statusRecorder *peer.Status, d
 		ctx:              ctx,
 		cancel:           cancel,
 		domain:           domain,
-		upstreamTimeout:  UpstreamTimeout,
+		upstreamTimeout:  upstreamTimeout,
 		reactivatePeriod: reactivatePeriod,
 		failsTillDeact:   failsTillDeact,
 		statusRecorder:   statusRecorder,
@@ -82,21 +79,21 @@ func (u *upstreamResolverBase) String() string {
 }

 // ID returns the unique handler ID
-func (u *upstreamResolverBase) ID() types.HandlerID {
+func (u *upstreamResolverBase) id() handlerID {
 	servers := slices.Clone(u.upstreamServers)
 	slices.Sort(servers)

 	hash := sha256.New()
 	hash.Write([]byte(u.domain + ":"))
 	hash.Write([]byte(strings.Join(servers, ",")))
-	return types.HandlerID("upstream-" + hex.EncodeToString(hash.Sum(nil)[:8]))
+	return handlerID("upstream-" + hex.EncodeToString(hash.Sum(nil)[:8]))
 }

 func (u *upstreamResolverBase) MatchSubdomains() bool {
 	return true
 }

-func (u *upstreamResolverBase) Stop() {
+func (u *upstreamResolverBase) stop() {
 	log.Debugf("stopping serving DNS for upstreams %s", u.upstreamServers)
 	u.cancel()
 }
@@ -109,7 +106,9 @@ func (u *upstreamResolverBase) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	}()

 	log.Tracef("received upstream question: domain=%s type=%v class=%v", r.Question[0].Name, r.Question[0].Qtype, r.Question[0].Qclass)
+	// set the AuthenticatedData flag and the EDNS0 buffer size to 4096 bytes to support larger dns records
 	if r.Extra == nil {
+		r.SetEdns0(4096, false)
 		r.MsgHdr.AuthenticatedData = true
 	}

@@ -199,9 +198,9 @@ func (u *upstreamResolverBase) checkUpstreamFails(err error) {
 	)
 }

-// ProbeAvailability tests all upstream servers simultaneously and
+// probeAvailability tests all upstream servers simultaneously and
 // disables the resolver if none work
-func (u *upstreamResolverBase) ProbeAvailability() {
+func (u *upstreamResolverBase) probeAvailability() {
 	u.mutex.Lock()
 	defer u.mutex.Unlock()

@@ -337,51 +336,3 @@ func (u *upstreamResolverBase) testNameserver(server string, timeout time.Durati
 	_, _, err := u.upstreamClient.exchange(ctx, server, r)
 	return err
 }
-
-// ExchangeWithFallback exchanges a DNS message with the upstream server.
-// It first tries to use UDP, and if it is truncated, it falls back to TCP.
-// If the passed context is nil, this will use Exchange instead of ExchangeContext.
-func ExchangeWithFallback(ctx context.Context, client *dns.Client, r *dns.Msg, upstream string) (*dns.Msg, time.Duration, error) {
-	// MTU - ip + udp headers
-	// Note: this could be sent out on an interface that is not ours, but our MTU should always be lower.
-	client.UDPSize = iface.DefaultMTU - (60 + 8)
-
-	var (
-		rm  *dns.Msg
-		t   time.Duration
-		err error
-	)
-
-	if ctx == nil {
-		rm, t, err = client.Exchange(r, upstream)
-	} else {
-		rm, t, err = client.ExchangeContext(ctx, r, upstream)
-	}
-
-	if err != nil {
-		return nil, t, fmt.Errorf("with udp: %w", err)
-	}
-
-	if rm == nil || !rm.MsgHdr.Truncated {
-		return rm, t, nil
-	}
-
-	log.Tracef("udp response for domain=%s type=%v class=%v is truncated, trying TCP.",
-		r.Question[0].Name, r.Question[0].Qtype, r.Question[0].Qclass)
-
-	client.Net = "tcp"
-
-	if ctx == nil {
-		rm, t, err = client.Exchange(r, upstream)
-	} else {
-		rm, t, err = client.ExchangeContext(ctx, r, upstream)
-	}
-
-	if err != nil {
-		return nil, t, fmt.Errorf("with tcp: %w", err)
-	}
-
-	// TODO: once TCP is implemented, rm.Truncate() if the request came in over UDP
-
-	return rm, t, nil
-}
--- a/client/internal/dns/upstream_android.go
+++ b/client/internal/dns/upstream_android.go
@@ -55,7 +55,7 @@ func (u *upstreamResolver) exchangeWithinVPN(ctx context.Context, upstream strin

 // exchangeWithoutVPN protect the UDP socket by Android SDK to avoid to goes through the VPN
 func (u *upstreamResolver) exchangeWithoutVPN(ctx context.Context, upstream string, r *dns.Msg) (rm *dns.Msg, t time.Duration, err error) {
-	timeout := UpstreamTimeout
+	timeout := upstreamTimeout
 	if deadline, ok := ctx.Deadline(); ok {
 		timeout = time.Until(deadline)
 	}
--- a/client/internal/dns/upstream_general.go
+++ b/client/internal/dns/upstream_general.go
@@ -34,5 +34,6 @@ func newUpstreamResolver(
 }

 func (u *upstreamResolver) exchange(ctx context.Context, upstream string, r *dns.Msg) (rm *dns.Msg, t time.Duration, err error) {
-	return ExchangeWithFallback(ctx, &dns.Client{}, r, upstream)
+	upstreamExchangeClient := &dns.Client{}
+	return upstreamExchangeClient.ExchangeContext(ctx, r, upstream)
 }
--- a/client/internal/dns/upstream_ios.go
+++ b/client/internal/dns/upstream_ios.go
@@ -52,7 +52,7 @@ func (u *upstreamResolverIOS) exchange(ctx context.Context, upstream string, r *
 		return nil, 0, fmt.Errorf("error while parsing upstream host: %s", err)
 	}

-	timeout := UpstreamTimeout
+	timeout := upstreamTimeout
 	if deadline, ok := ctx.Deadline(); ok {
 		timeout = time.Until(deadline)
 	}
@@ -68,7 +68,7 @@ func (u *upstreamResolverIOS) exchange(ctx context.Context, upstream string, r *
 	}

 	// Cannot use client.ExchangeContext because it overwrites our Dialer
-	return ExchangeWithFallback(nil, client, r, upstream)
+	return client.Exchange(r, upstream)
 }

 // GetClientPrivate returns a new DNS client bound to the local IP address of the Netbird interface
--- a/client/internal/dns/upstream_test.go
+++ b/client/internal/dns/upstream_test.go
@@ -8,8 +8,6 @@ import (
 	"time"

 	"github.com/miekg/dns"
-
-	"github.com/netbirdio/netbird/client/internal/dns/test"
 )

 func TestUpstreamResolver_ServeDNS(t *testing.T) {
@@ -28,7 +26,7 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 			name:           "Should Resolve A Record",
 			inputMSG:       new(dns.Msg).SetQuestion("one.one.one.one.", dns.TypeA),
 			InputServers:   []string{"8.8.8.8:53", "8.8.4.4:53"},
-			timeout:        UpstreamTimeout,
+			timeout:        upstreamTimeout,
 			expectedAnswer: "1.1.1.1",
 		},
 		{
@@ -50,7 +48,7 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 			inputMSG:            new(dns.Msg).SetQuestion("one.one.one.one.", dns.TypeA),
 			InputServers:        []string{"8.0.0.0:53", "8.8.4.4:53"},
 			cancelCTX:           true,
-			timeout:             UpstreamTimeout,
+			timeout:             upstreamTimeout,
 			responseShouldBeNil: true,
 		},
 	}
@@ -68,7 +66,7 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 			}

 			var responseMSG *dns.Msg
-			responseWriter := &test.MockResponseWriter{
+			responseWriter := &mockResponseWriter{
 				WriteMsgFunc: func(m *dns.Msg) error {
 					responseMSG = m
 					return nil
@@ -124,7 +122,7 @@ func TestUpstreamResolver_DeactivationReactivation(t *testing.T) {
 			r:   new(dns.Msg),
 			rtt: time.Millisecond,
 		},
-		upstreamTimeout:  UpstreamTimeout,
+		upstreamTimeout:  upstreamTimeout,
 		reactivatePeriod: reactivatePeriod,
 		failsTillDeact:   failsTillDeact,
 	}
@@ -132,7 +130,7 @@ func TestUpstreamResolver_DeactivationReactivation(t *testing.T) {
 	resolver.failsTillDeact = 0
 	resolver.reactivatePeriod = time.Microsecond * 100

-	responseWriter := &test.MockResponseWriter{
+	responseWriter := &mockResponseWriter{
 		WriteMsgFunc: func(m *dns.Msg) error { return nil },
 	}

--- a/client/internal/dnsfwd/forwarder.go
+++ b/client/internal/dnsfwd/forwarder.go
@@ -3,280 +3,117 @@ package dnsfwd
 import (
 	"context"
 	"errors"
-	"fmt"
-	"math"
 	"net"
-	"net/netip"
-	"strings"
-	"sync"
-	"time"

-	"github.com/hashicorp/go-multierror"
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"

-	nberrors "github.com/netbirdio/netbird/client/errors"
-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/internal/peer"
 	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/management/domain"
-	"github.com/netbirdio/netbird/route"
 )

 const errResolveFailed = "failed to resolve query for domain=%s: %v"
-const upstreamTimeout = 15 * time.Second

 type DNSForwarder struct {
-	listenAddress  string
-	ttl            uint32
-	statusRecorder *peer.Status
+	listenAddress string
+	ttl           uint32
+	domains       []string

 	dnsServer *dns.Server
 	mux       *dns.ServeMux
-	tcpServer *dns.Server
-	tcpMux    *dns.ServeMux
-
-	mutex      sync.RWMutex
-	fwdEntries []*ForwarderEntry
-	firewall   firewall.Manager
 }

-func NewDNSForwarder(listenAddress string, ttl uint32, firewall firewall.Manager, statusRecorder *peer.Status) *DNSForwarder {
+func NewDNSForwarder(listenAddress string, ttl uint32) *DNSForwarder {
 	log.Debugf("creating DNS forwarder with listen_address=%s ttl=%d", listenAddress, ttl)
 	return &DNSForwarder{
-		listenAddress:  listenAddress,
-		ttl:            ttl,
-		firewall:       firewall,
-		statusRecorder: statusRecorder,
+		listenAddress: listenAddress,
+		ttl:           ttl,
 	}
 }

-func (f *DNSForwarder) Listen(entries []*ForwarderEntry) error {
-	log.Infof("starting DNS forwarder on address=%s", f.listenAddress)
-
-	// UDP server
+func (f *DNSForwarder) Listen(domains []string) error {
+	log.Infof("listen DNS forwarder on address=%s", f.listenAddress)
 	mux := dns.NewServeMux()
-	f.mux = mux
-	f.dnsServer = &dns.Server{
+
+	dnsServer := &dns.Server{
 		Addr:    f.listenAddress,
 		Net:     "udp",
 		Handler: mux,
 	}
-	// TCP server
-	tcpMux := dns.NewServeMux()
-	f.tcpMux = tcpMux
-	f.tcpServer = &dns.Server{
-		Addr:    f.listenAddress,
-		Net:     "tcp",
-		Handler: tcpMux,
-	}
+	f.dnsServer = dnsServer
+	f.mux = mux

-	f.UpdateDomains(entries)
+	f.UpdateDomains(domains)

-	errCh := make(chan error, 2)
-
-	go func() {
-		log.Infof("DNS UDP listener running on %s", f.listenAddress)
-		errCh <- f.dnsServer.ListenAndServe()
-	}()
-	go func() {
-		log.Infof("DNS TCP listener running on %s", f.listenAddress)
-		errCh <- f.tcpServer.ListenAndServe()
-	}()
-
-	// return the first error we get (e.g. bind failure or shutdown)
-	return <-errCh
+	return dnsServer.ListenAndServe()
 }
-func (f *DNSForwarder) UpdateDomains(entries []*ForwarderEntry) {
-	f.mutex.Lock()
-	defer f.mutex.Unlock()

-	if f.mux == nil {
-		log.Debug("DNS mux is nil, skipping domain update")
-		f.fwdEntries = entries
-		return
+func (f *DNSForwarder) UpdateDomains(domains []string) {
+	log.Debugf("Updating domains from %v to %v", f.domains, domains)
+
+	for _, d := range f.domains {
+		f.mux.HandleRemove(d)
 	}

-	oldDomains := filterDomains(f.fwdEntries)
-	for _, d := range oldDomains {
-		f.mux.HandleRemove(d.PunycodeString())
-		f.tcpMux.HandleRemove(d.PunycodeString())
-	}
-
-	newDomains := filterDomains(entries)
+	newDomains := filterDomains(domains)
 	for _, d := range newDomains {
-		f.mux.HandleFunc(d.PunycodeString(), f.handleDNSQueryUDP)
-		f.tcpMux.HandleFunc(d.PunycodeString(), f.handleDNSQueryTCP)
+		f.mux.HandleFunc(d, f.handleDNSQuery)
 	}
-
-	f.fwdEntries = entries
-	log.Debugf("Updated domains from %v to %v", oldDomains, newDomains)
+	f.domains = newDomains
 }

 func (f *DNSForwarder) Close(ctx context.Context) error {
-	var result *multierror.Error
-
-	if f.dnsServer != nil {
-		if err := f.dnsServer.ShutdownContext(ctx); err != nil {
-			result = multierror.Append(result, fmt.Errorf("UDP shutdown: %w", err))
-		}
-	}
-	if f.tcpServer != nil {
-		if err := f.tcpServer.ShutdownContext(ctx); err != nil {
-			result = multierror.Append(result, fmt.Errorf("TCP shutdown: %w", err))
-		}
-	}
-
-	return nberrors.FormatErrorOrNil(result)
-}
-
-func (f *DNSForwarder) handleDNSQuery(w dns.ResponseWriter, query *dns.Msg) *dns.Msg {
-	if len(query.Question) == 0 {
+	if f.dnsServer == nil {
 		return nil
 	}
-	question := query.Question[0]
-	log.Tracef("received DNS request for DNS forwarder: domain=%v type=%v class=%v",
-		question.Name, question.Qtype, question.Qclass)
+	return f.dnsServer.ShutdownContext(ctx)
+}

-	domain := strings.ToLower(question.Name)
+func (f *DNSForwarder) handleDNSQuery(w dns.ResponseWriter, query *dns.Msg) {
+	if len(query.Question) == 0 {
+		return
+	}
+	log.Tracef("received DNS request for DNS forwarder: domain=%v type=%v class=%v",
+		query.Question[0].Name, query.Question[0].Qtype, query.Question[0].Qclass)
+
+	question := query.Question[0]
+	domain := question.Name

 	resp := query.SetReply(query)
-	var network string
-	switch question.Qtype {
-	case dns.TypeA:
-		network = "ip4"
-	case dns.TypeAAAA:
-		network = "ip6"
-	default:
-		// TODO: Handle other types

-		resp.Rcode = dns.RcodeNotImplemented
-		if err := w.WriteMsg(resp); err != nil {
-			log.Errorf("failed to write DNS response: %v", err)
-		}
-		return nil
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), upstreamTimeout)
-	defer cancel()
-	ips, err := net.DefaultResolver.LookupNetIP(ctx, network, domain)
+	ips, err := net.LookupIP(domain)
 	if err != nil {
-		f.handleDNSError(w, query, resp, domain, err)
-		return nil
-	}
+		var dnsErr *net.DNSError

-	f.updateInternalState(domain, ips)
-	f.addIPsToResponse(resp, domain, ips)
-
-	return resp
-}
-
-func (f *DNSForwarder) handleDNSQueryUDP(w dns.ResponseWriter, query *dns.Msg) {
-
-	resp := f.handleDNSQuery(w, query)
-	if resp == nil {
-		return
-	}
-
-	opt := query.IsEdns0()
-	maxSize := dns.MinMsgSize
-	if opt != nil {
-		// client advertised a larger EDNS0 buffer
-		maxSize = int(opt.UDPSize())
-	}
-
-	// if our response is too big, truncate and set the TC bit
-	if resp.Len() > maxSize {
-		resp.Truncate(maxSize)
-	}
-
-	if err := w.WriteMsg(resp); err != nil {
-		log.Errorf("failed to write DNS response: %v", err)
-	}
-}
-
-func (f *DNSForwarder) handleDNSQueryTCP(w dns.ResponseWriter, query *dns.Msg) {
-	resp := f.handleDNSQuery(w, query)
-	if resp == nil {
-		return
-	}
-
-	if err := w.WriteMsg(resp); err != nil {
-		log.Errorf("failed to write DNS response: %v", err)
-	}
-}
-
-func (f *DNSForwarder) updateInternalState(domain string, ips []netip.Addr) {
-	var prefixes []netip.Prefix
-	mostSpecificResId, matchingEntries := f.getMatchingEntries(strings.TrimSuffix(domain, "."))
-	if mostSpecificResId != "" {
-		for _, ip := range ips {
-			var prefix netip.Prefix
-			if ip.Is4() {
-				prefix = netip.PrefixFrom(ip, 32)
-			} else {
-				prefix = netip.PrefixFrom(ip, 128)
+		switch {
+		case errors.As(err, &dnsErr):
+			resp.Rcode = dns.RcodeServerFailure
+			if dnsErr.IsNotFound {
+				// Pass through NXDOMAIN
+				resp.Rcode = dns.RcodeNameError
 			}
-			prefixes = append(prefixes, prefix)
-			f.statusRecorder.AddResolvedIPLookupEntry(prefix, mostSpecificResId)
-		}
-	}

-	if f.firewall != nil {
-		f.updateFirewall(matchingEntries, prefixes)
-	}
-}
-
-func (f *DNSForwarder) updateFirewall(matchingEntries []*ForwarderEntry, prefixes []netip.Prefix) {
-	var merr *multierror.Error
-	for _, entry := range matchingEntries {
-		if err := f.firewall.UpdateSet(entry.Set, prefixes); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("update set for domain=%s: %w", entry.Domain, err))
-		}
-	}
-	if merr != nil {
-		log.Errorf("failed to update firewall sets (%d/%d): %v",
-			len(merr.Errors),
-			len(matchingEntries),
-			nberrors.FormatErrorOrNil(merr))
-	}
-}
-
-// handleDNSError processes DNS lookup errors and sends an appropriate error response
-func (f *DNSForwarder) handleDNSError(w dns.ResponseWriter, query, resp *dns.Msg, domain string, err error) {
-	var dnsErr *net.DNSError
-
-	switch {
-	case errors.As(err, &dnsErr):
-		resp.Rcode = dns.RcodeServerFailure
-		if dnsErr.IsNotFound {
-			// Pass through NXDOMAIN
-			resp.Rcode = dns.RcodeNameError
-		}
-
-		if dnsErr.Server != "" {
-			log.Warnf("failed to resolve query for type=%s domain=%s server=%s: %v", dns.TypeToString[query.Question[0].Qtype], domain, dnsErr.Server, err)
-		} else {
+			if dnsErr.Server != "" {
+				log.Warnf("failed to resolve query for domain=%s server=%s: %v", domain, dnsErr.Server, err)
+			} else {
+				log.Warnf(errResolveFailed, domain, err)
+			}
+		default:
+			resp.Rcode = dns.RcodeServerFailure
 			log.Warnf(errResolveFailed, domain, err)
 		}
-	default:
-		resp.Rcode = dns.RcodeServerFailure
-		log.Warnf(errResolveFailed, domain, err)
+
+		if err := w.WriteMsg(resp); err != nil {
+			log.Errorf("failed to write failure DNS response: %v", err)
+		}
+		return
 	}

-	if err := w.WriteMsg(resp); err != nil {
-		log.Errorf("failed to write failure DNS response: %v", err)
-	}
-}
-
-// addIPsToResponse adds IP addresses to the DNS response as appropriate A or AAAA records
-func (f *DNSForwarder) addIPsToResponse(resp *dns.Msg, domain string, ips []netip.Addr) {
 	for _, ip := range ips {
 		var respRecord dns.RR
-		if ip.Is6() {
+		if ip.To4() == nil {
 			log.Tracef("resolved domain=%s to IPv6=%s", domain, ip)
 			rr := dns.AAAA{
-				AAAA: ip.AsSlice(),
+				AAAA: ip,
 				Hdr: dns.RR_Header{
 					Name:   domain,
 					Rrtype: dns.TypeAAAA,
@@ -288,7 +125,7 @@ func (f *DNSForwarder) addIPsToResponse(resp *dns.Msg, domain string, ips []neti
 		} else {
 			log.Tracef("resolved domain=%s to IPv4=%s", domain, ip)
 			rr := dns.A{
-				A: ip.AsSlice(),
+				A: ip,
 				Hdr: dns.RR_Header{
 					Name:   domain,
 					Rrtype: dns.TypeA,
@@ -300,55 +137,21 @@ func (f *DNSForwarder) addIPsToResponse(resp *dns.Msg, domain string, ips []neti
 		}
 		resp.Answer = append(resp.Answer, respRecord)
 	}
-}

-// getMatchingEntries retrieves the resource IDs for a given domain.
-// It returns the most specific match and all matching resource IDs.
-func (f *DNSForwarder) getMatchingEntries(domain string) (route.ResID, []*ForwarderEntry) {
-	var selectedResId route.ResID
-	var bestScore int
-	var matches []*ForwarderEntry
-
-	f.mutex.RLock()
-	defer f.mutex.RUnlock()
-
-	for _, entry := range f.fwdEntries {
-		var score int
-		pattern := entry.Domain.PunycodeString()
-
-		switch {
-		case strings.HasPrefix(pattern, "*."):
-			baseDomain := strings.TrimPrefix(pattern, "*.")
-
-			if strings.EqualFold(domain, baseDomain) || strings.HasSuffix(domain, "."+baseDomain) {
-				score = len(baseDomain)
-				matches = append(matches, entry)
-			}
-		case domain == pattern:
-			score = math.MaxInt
-			matches = append(matches, entry)
-		default:
-			continue
-		}
-
-		if score > bestScore {
-			bestScore = score
-			selectedResId = entry.ResID
-		}
+	if err := w.WriteMsg(resp); err != nil {
+		log.Errorf("failed to write DNS response: %v", err)
 	}
-
-	return selectedResId, matches
 }

 // filterDomains returns a list of normalized domains
-func filterDomains(entries []*ForwarderEntry) domain.List {
-	newDomains := make(domain.List, 0, len(entries))
-	for _, d := range entries {
-		if d.Domain == "" {
+func filterDomains(domains []string) []string {
+	newDomains := make([]string, 0, len(domains))
+	for _, d := range domains {
+		if d == "" {
 			log.Warn("empty domain in DNS forwarder")
 			continue
 		}
-		newDomains = append(newDomains, domain.Domain(nbdns.NormalizeZone(d.Domain.PunycodeString())))
+		newDomains = append(newDomains, nbdns.NormalizeZone(d))
 	}
 	return newDomains
 }
--- a/client/internal/dnsfwd/forwarder_test.go
+++ b/client/internal/dnsfwd/forwarder_test.go
@@ -1,103 +0,0 @@
-package dnsfwd
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/management/domain"
-	"github.com/netbirdio/netbird/route"
-)
-
-func Test_getMatchingEntries(t *testing.T) {
-	testCases := []struct {
-		name           string
-		storedMappings map[string]route.ResID // key: domain pattern, value: resId
-		queryDomain    string
-		expectedResId  route.ResID
-	}{
-		{
-			name:           "Empty map returns empty string",
-			storedMappings: map[string]route.ResID{},
-			queryDomain:    "example.com",
-			expectedResId:  "",
-		},
-		{
-			name:           "Exact match returns stored resId",
-			storedMappings: map[string]route.ResID{"example.com": "res1"},
-			queryDomain:    "example.com",
-			expectedResId:  "res1",
-		},
-		{
-			name:           "Wildcard pattern matches base domain",
-			storedMappings: map[string]route.ResID{"*.example.com": "res2"},
-			queryDomain:    "example.com",
-			expectedResId:  "res2",
-		},
-		{
-			name:           "Wildcard pattern matches subdomain",
-			storedMappings: map[string]route.ResID{"*.example.com": "res3"},
-			queryDomain:    "foo.example.com",
-			expectedResId:  "res3",
-		},
-		{
-			name:           "Wildcard pattern does not match different domain",
-			storedMappings: map[string]route.ResID{"*.example.com": "res4"},
-			queryDomain:    "foo.notexample.com",
-			expectedResId:  "",
-		},
-		{
-			name:           "Non-wildcard pattern does not match subdomain",
-			storedMappings: map[string]route.ResID{"example.com": "res5"},
-			queryDomain:    "foo.example.com",
-			expectedResId:  "",
-		},
-		{
-			name: "Exact match over overlapping wildcard",
-			storedMappings: map[string]route.ResID{
-				"*.example.com":   "resWildcard",
-				"foo.example.com": "resExact",
-			},
-			queryDomain:   "foo.example.com",
-			expectedResId: "resExact",
-		},
-		{
-			name: "Overlapping wildcards: Select more specific wildcard",
-			storedMappings: map[string]route.ResID{
-				"*.example.com":     "resA",
-				"*.sub.example.com": "resB",
-			},
-			queryDomain:   "bar.sub.example.com",
-			expectedResId: "resB",
-		},
-		{
-			name: "Wildcard multi-level subdomain match",
-			storedMappings: map[string]route.ResID{
-				"*.example.com": "resMulti",
-			},
-			queryDomain:   "a.b.example.com",
-			expectedResId: "resMulti",
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			fwd := &DNSForwarder{}
-
-			var entries []*ForwarderEntry
-			for domainPattern, resId := range tc.storedMappings {
-				d, err := domain.FromString(domainPattern)
-				require.NoError(t, err)
-				entries = append(entries, &ForwarderEntry{
-					Domain: d,
-					ResID:  resId,
-				})
-			}
-			fwd.UpdateDomains(entries)
-
-			got, _ := fwd.getMatchingEntries(tc.queryDomain)
-			assert.Equal(t, got, tc.expectedResId)
-		})
-	}
-}
--- a/client/internal/dnsfwd/manager.go
+++ b/client/internal/dnsfwd/manager.go
@@ -10,9 +10,6 @@ import (

 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/management/domain"
-	"github.com/netbirdio/netbird/route"
 )

 const (
@@ -21,30 +18,20 @@ const (
 	dnsTTL     = 60 //seconds
 )

-// ForwarderEntry is a mapping from a domain to a resource ID and a hash of the parent domain list.
-type ForwarderEntry struct {
-	Domain domain.Domain
-	ResID  route.ResID
-	Set    firewall.Set
-}
-
 type Manager struct {
-	firewall       firewall.Manager
-	statusRecorder *peer.Status
+	firewall firewall.Manager

 	fwRules      []firewall.Rule
-	tcpRules     []firewall.Rule
 	dnsForwarder *DNSForwarder
 }

-func NewManager(fw firewall.Manager, statusRecorder *peer.Status) *Manager {
+func NewManager(fw firewall.Manager) *Manager {
 	return &Manager{
-		firewall:       fw,
-		statusRecorder: statusRecorder,
+		firewall: fw,
 	}
 }

-func (m *Manager) Start(fwdEntries []*ForwarderEntry) error {
+func (m *Manager) Start(domains []string) error {
 	log.Infof("starting DNS forwarder")
 	if m.dnsForwarder != nil {
 		return nil
@@ -54,9 +41,9 @@ func (m *Manager) Start(fwdEntries []*ForwarderEntry) error {
 		return err
 	}

-	m.dnsForwarder = NewDNSForwarder(fmt.Sprintf(":%d", ListenPort), dnsTTL, m.firewall, m.statusRecorder)
+	m.dnsForwarder = NewDNSForwarder(fmt.Sprintf(":%d", ListenPort), dnsTTL)
 	go func() {
-		if err := m.dnsForwarder.Listen(fwdEntries); err != nil {
+		if err := m.dnsForwarder.Listen(domains); err != nil {
 			// todo handle close error if it is exists
 			log.Errorf("failed to start DNS forwarder, err: %v", err)
 		}
@@ -65,12 +52,12 @@ func (m *Manager) Start(fwdEntries []*ForwarderEntry) error {
 	return nil
 }

-func (m *Manager) UpdateDomains(entries []*ForwarderEntry) {
+func (m *Manager) UpdateDomains(domains []string) {
 	if m.dnsForwarder == nil {
 		return
 	}

-	m.dnsForwarder.UpdateDomains(entries)
+	m.dnsForwarder.UpdateDomains(domains)
 }

 func (m *Manager) Stop(ctx context.Context) error {
@@ -91,47 +78,34 @@ func (m *Manager) Stop(ctx context.Context) error {
 	return nberrors.FormatErrorOrNil(mErr)
 }

-func (m *Manager) allowDNSFirewall() error {
+func (h *Manager) allowDNSFirewall() error {
 	dport := &firewall.Port{
 		IsRange: false,
 		Values:  []uint16{ListenPort},
 	}

-	if m.firewall == nil {
+	if h.firewall == nil {
 		return nil
 	}

-	dnsRules, err := m.firewall.AddPeerFiltering(nil, net.IP{0, 0, 0, 0}, firewall.ProtocolUDP, nil, dport, firewall.ActionAccept, "")
+	dnsRules, err := h.firewall.AddPeerFiltering(nil, net.IP{0, 0, 0, 0}, firewall.ProtocolUDP, nil, dport, firewall.ActionAccept, "")
 	if err != nil {
 		log.Errorf("failed to add allow DNS router rules, err: %v", err)
 		return err
 	}
-	m.fwRules = dnsRules
-
-	tcpRules, err := m.firewall.AddPeerFiltering(nil, net.IP{0, 0, 0, 0}, firewall.ProtocolTCP, nil, dport, firewall.ActionAccept, "")
-	if err != nil {
-		log.Errorf("failed to add allow DNS router rules, err: %v", err)
-		return err
-	}
-	m.tcpRules = tcpRules
+	h.fwRules = dnsRules

 	return nil
 }

-func (m *Manager) dropDNSFirewall() error {
+func (h *Manager) dropDNSFirewall() error {
 	var mErr *multierror.Error
-	for _, rule := range m.fwRules {
-		if err := m.firewall.DeletePeerRule(rule); err != nil {
-			mErr = multierror.Append(mErr, fmt.Errorf("failed to delete DNS router rules, err: %v", err))
-		}
-	}
-	for _, rule := range m.tcpRules {
-		if err := m.firewall.DeletePeerRule(rule); err != nil {
+	for _, rule := range h.fwRules {
+		if err := h.firewall.DeletePeerRule(rule); err != nil {
 			mErr = multierror.Append(mErr, fmt.Errorf("failed to delete DNS router rules, err: %v", err))
 		}
 	}

-	m.fwRules = nil
-	m.tcpRules = nil
+	h.fwRules = nil
 	return nberrors.FormatErrorOrNil(mErr)
 }
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -353,7 +353,7 @@ func (e *Engine) Start() error {

 	// start flow manager right after interface creation
 	publicKey := e.config.WgPrivateKey.PublicKey()
-	e.flowManager = netflow.NewManager(e.wgInterface, publicKey[:], e.statusRecorder)
+	e.flowManager = netflow.NewManager(e.ctx, e.wgInterface, publicKey[:], e.statusRecorder)

 	if e.config.RosenpassEnabled {
 		log.Infof("rosenpass is enabled")
@@ -527,7 +527,7 @@ func (e *Engine) blockLanAccess() {
 		if _, err := e.firewall.AddRouteFiltering(
 			nil,
 			[]netip.Prefix{v4},
-			firewallManager.Network{Prefix: network},
+			network,
 			firewallManager.ProtocolALL,
 			nil,
 			nil,
@@ -952,6 +952,11 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		return nil
 	}

+	// Apply ACLs in the beginning to avoid security leaks
+	if e.acl != nil {
+		e.acl.ApplyFiltering(networkMap)
+	}
+
 	if e.firewall != nil {
 		if localipfw, ok := e.firewall.(localIpUpdater); ok {
 			if err := localipfw.UpdateLocalIPs(); err != nil {
@@ -960,21 +965,16 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		}
 	}

+	// DNS forwarder
 	dnsRouteFeatureFlag := toDNSFeatureFlag(networkMap)
+	dnsRouteDomains := toRouteDomains(e.config.WgPrivateKey.PublicKey().String(), networkMap.GetRoutes())
+	e.updateDNSForwarder(dnsRouteFeatureFlag, dnsRouteDomains)

-	// apply routes first, route related actions might depend on routing being enabled
 	routes := toRoutes(networkMap.GetRoutes())
 	if err := e.routeManager.UpdateRoutes(serial, routes, dnsRouteFeatureFlag); err != nil {
 		log.Errorf("failed to update clientRoutes, err: %v", err)
 	}

-	if e.acl != nil {
-		e.acl.ApplyFiltering(networkMap, dnsRouteFeatureFlag)
-	}
-
-	fwdEntries := toRouteDomains(e.config.WgPrivateKey.PublicKey().String(), routes)
-	e.updateDNSForwarder(dnsRouteFeatureFlag, fwdEntries)
-
 	// Ingress forward rules
 	if err := e.updateForwardRules(networkMap.GetForwardingRules()); err != nil {
 		log.Errorf("failed to update forward rules, err: %v", err)
@@ -1079,24 +1079,21 @@ func toRoutes(protoRoutes []*mgmProto.Route) []*route.Route {
 	return routes
 }

-func toRouteDomains(myPubKey string, routes []*route.Route) []*dnsfwd.ForwarderEntry {
-	var entries []*dnsfwd.ForwarderEntry
-	for _, route := range routes {
-		if len(route.Domains) == 0 {
+func toRouteDomains(myPubKey string, protoRoutes []*mgmProto.Route) []string {
+	if protoRoutes == nil {
+		protoRoutes = []*mgmProto.Route{}
+	}
+
+	var dnsRoutes []string
+	for _, protoRoute := range protoRoutes {
+		if len(protoRoute.Domains) == 0 {
 			continue
 		}
-		if route.Peer == myPubKey {
-			domainSet := firewallManager.NewDomainSet(route.Domains)
-			for _, d := range route.Domains {
-				entries = append(entries, &dnsfwd.ForwarderEntry{
-					Domain: d,
-					Set:    domainSet,
-					ResID:  route.GetResourceID(),
-				})
-			}
+		if protoRoute.Peer == myPubKey {
+			dnsRoutes = append(dnsRoutes, protoRoute.Domains...)
 		}
 	}
-	return entries
+	return dnsRoutes
 }

 func toDNSConfig(protoDNSConfig *mgmProto.DNSConfig, network *net.IPNet) nbdns.Config {
@@ -1226,19 +1223,36 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs []netip.Prefix) (*peer
 		PreSharedKey: e.config.PreSharedKey,
 	}

+	if e.config.RosenpassEnabled && !e.config.RosenpassPermissive {
+		lk := []byte(e.config.WgPrivateKey.PublicKey().String())
+		rk := []byte(wgConfig.RemoteKey)
+		var keyInput []byte
+		if string(lk) > string(rk) {
+			//nolint:gocritic
+			keyInput = append(lk[:16], rk[:16]...)
+		} else {
+			//nolint:gocritic
+			keyInput = append(rk[:16], lk[:16]...)
+		}
+
+		key, err := wgtypes.NewKey(keyInput)
+		if err != nil {
+			return nil, err
+		}
+
+		wgConfig.PreSharedKey = &key
+	}
+
 	// randomize connection timeout
 	timeout := time.Duration(rand.Intn(PeerConnectionTimeoutMax-PeerConnectionTimeoutMin)+PeerConnectionTimeoutMin) * time.Millisecond
 	config := peer.ConnConfig{
-		Key:         pubKey,
-		LocalKey:    e.config.WgPrivateKey.PublicKey().String(),
-		Timeout:     timeout,
-		WgConfig:    wgConfig,
-		LocalWgPort: e.config.WgPort,
-		RosenpassConfig: peer.RosenpassConfig{
-			PubKey:         e.getRosenpassPubKey(),
-			Addr:           e.getRosenpassAddr(),
-			PermissiveMode: e.config.RosenpassPermissive,
-		},
+		Key:             pubKey,
+		LocalKey:        e.config.WgPrivateKey.PublicKey().String(),
+		Timeout:         timeout,
+		WgConfig:        wgConfig,
+		LocalWgPort:     e.config.WgPort,
+		RosenpassPubKey: e.getRosenpassPubKey(),
+		RosenpassAddr:   e.getRosenpassAddr(),
 		ICEConfig: icemaker.Config{
 			StunTurn:             &e.stunTurn,
 			InterfaceBlackList:   e.config.IFaceBlackList,
@@ -1746,10 +1760,7 @@ func (e *Engine) GetWgAddr() net.IP {
 }

 // updateDNSForwarder start or stop the DNS forwarder based on the domains and the feature flag
-func (e *Engine) updateDNSForwarder(
-	enabled bool,
-	fwdEntries []*dnsfwd.ForwarderEntry,
-) {
+func (e *Engine) updateDNSForwarder(enabled bool, domains []string) {
 	if !enabled {
 		if e.dnsForwardMgr == nil {
 			return
@@ -1760,18 +1771,18 @@ func (e *Engine) updateDNSForwarder(
 		return
 	}

-	if len(fwdEntries) > 0 {
+	if len(domains) > 0 {
+		log.Infof("enable domain router service for domains: %v", domains)
 		if e.dnsForwardMgr == nil {
-			e.dnsForwardMgr = dnsfwd.NewManager(e.firewall, e.statusRecorder)
+			e.dnsForwardMgr = dnsfwd.NewManager(e.firewall)

-			if err := e.dnsForwardMgr.Start(fwdEntries); err != nil {
+			if err := e.dnsForwardMgr.Start(domains); err != nil {
 				log.Errorf("failed to start DNS forward: %v", err)
 				e.dnsForwardMgr = nil
 			}
-
-			log.Infof("started domain router service with %d entries", len(fwdEntries))
 		} else {
-			e.dnsForwardMgr.UpdateDomains(fwdEntries)
+			log.Infof("update domain router service for domains: %v", domains)
+			e.dnsForwardMgr.UpdateDomains(domains)
 		}
 	} else if e.dnsForwardMgr != nil {
 		log.Infof("disable domain router service")
--- a/client/internal/engine_test.go
+++ b/client/internal/engine_test.go
@@ -49,7 +49,6 @@ import (
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
-	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/settings"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/telemetry"
@@ -1401,15 +1400,15 @@ func startSignal(t *testing.T) (*grpc.Server, string, error) {
 func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, string, error) {
 	t.Helper()

-	config := &types.Config{
-		Stuns:      []*types.Host{},
-		TURNConfig: &types.TURNConfig{},
-		Relay: &types.Relay{
+	config := &server.Config{
+		Stuns:      []*server.Host{},
+		TURNConfig: &server.TURNConfig{},
+		Relay: &server.Relay{
 			Addresses:      []string{"127.0.0.1:1234"},
 			CredentialsTTL: util.Duration{Duration: time.Hour},
 			Secret:         "222222222222222222",
 		},
-		Signal: &types.Host{
+		Signal: &server.Host{
 			Proto: "http",
 			URI:   "localhost:10000",
 		},
@@ -1447,9 +1446,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 		Return(&types.Settings{}, nil).
 		AnyTimes()

-	permissionsManager := permissions.NewManager(store)
-
-	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager)
+	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager)
 	if err != nil {
 		return nil, "", err
 	}
--- a/client/internal/netflow/conntrack/conntrack.go
+++ b/client/internal/netflow/conntrack/conntrack.go
@@ -14,7 +14,6 @@ import (
 	"github.com/ti-mo/netfilter"

 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
-	nbnet "github.com/netbirdio/netbird/util/net"
 )

 const defaultChannelSize = 100
@@ -177,7 +176,7 @@ func (c *ConnTrack) handleEvent(event nfct.Event) {
 	srcIP := flow.TupleOrig.IP.SourceAddress
 	dstIP := flow.TupleOrig.IP.DestinationAddress

-	if !c.relevantFlow(flow.Mark, srcIP, dstIP) {
+	if !c.relevantFlow(flow.Zone, srcIP, dstIP) {
 		return
 	}

@@ -194,7 +193,7 @@ func (c *ConnTrack) handleEvent(event nfct.Event) {
 	}

 	flowID := c.getFlowID(flow.ID)
-	direction := c.inferDirection(flow.Mark, srcIP, dstIP)
+	direction := c.inferDirection(srcIP, dstIP)

 	eventType := nftypes.TypeStart
 	eventStr := "New"
@@ -225,12 +224,13 @@ func (c *ConnTrack) handleEvent(event nfct.Event) {
 }

 // relevantFlow checks if the flow is related to the specified interface
-func (c *ConnTrack) relevantFlow(mark uint32, srcIP, dstIP netip.Addr) bool {
-	if nbnet.IsDataPlaneMark(mark) {
+func (c *ConnTrack) relevantFlow(zone uint16, srcIP, dstIP netip.Addr) bool {
+	// This currently only covers inbound.
+	// TODO: handle outbound flows based on interface for site2site traffic
+	if zone == nftypes.ZoneID {
 		return true
 	}

-	// fallback if mark rules are not in place
 	wgnet := c.iface.Address().Network
 	return wgnet.Contains(srcIP.AsSlice()) || wgnet.Contains(dstIP.AsSlice())
 }
@@ -282,15 +282,7 @@ func (c *ConnTrack) getFlowID(conntrackID uint32) uuid.UUID {
 	return uuid.NewSHA1(c.instanceID, buf[:])
 }

-func (c *ConnTrack) inferDirection(mark uint32, srcIP, dstIP netip.Addr) nftypes.Direction {
-	switch mark {
-	case nbnet.DataPlaneMarkIn:
-		return nftypes.Ingress
-	case nbnet.DataPlaneMarkOut:
-		return nftypes.Egress
-	}
-
-	// fallback if marks are not set
+func (c *ConnTrack) inferDirection(srcIP, dstIP netip.Addr) nftypes.Direction {
 	wgaddr := c.iface.Address().IP
 	wgnetwork := c.iface.Address().Network
 	src, dst := srcIP.AsSlice(), dstIP.AsSlice()
@@ -306,6 +298,8 @@ func (c *ConnTrack) inferDirection(mark uint32, srcIP, dstIP netip.Addr) nftypes
 	case wgnetwork.Contains(dst):
 		// resource network -> netbird network
 		return nftypes.Egress
+
+		// TODO: handle site2site traffic
 	}

 	return nftypes.DirectionUnknown
--- a/client/internal/netflow/logger/logger.go
+++ b/client/internal/netflow/logger/logger.go
@@ -19,9 +19,11 @@ import (
 type rcvChan chan *types.EventFields
 type Logger struct {
 	mux                sync.Mutex
+	ctx                context.Context
+	cancel             context.CancelFunc
 	enabled            atomic.Bool
 	rcvChan            atomic.Pointer[rcvChan]
-	cancel             context.CancelFunc
+	cancelReceiver     context.CancelFunc
 	statusRecorder     *peer.Status
 	wgIfaceIPNet       net.IPNet
 	dnsCollection      atomic.Bool
@@ -29,9 +31,12 @@ type Logger struct {
 	Store              types.Store
 }

-func New(statusRecorder *peer.Status, wgIfaceIPNet net.IPNet) *Logger {
+func New(ctx context.Context, statusRecorder *peer.Status, wgIfaceIPNet net.IPNet) *Logger {

+	ctx, cancel := context.WithCancel(ctx)
 	return &Logger{
+		ctx:            ctx,
+		cancel:         cancel,
 		statusRecorder: statusRecorder,
 		wgIfaceIPNet:   wgIfaceIPNet,
 		Store:          store.NewMemoryStore(),
@@ -65,8 +70,8 @@ func (l *Logger) startReceiver() {
 	}

 	l.mux.Lock()
-	ctx, cancel := context.WithCancel(context.Background())
-	l.cancel = cancel
+	ctx, cancel := context.WithCancel(l.ctx)
+	l.cancelReceiver = cancel
 	l.mux.Unlock()

 	c := make(rcvChan, 100)
@@ -86,25 +91,25 @@ func (l *Logger) startReceiver() {
 				Timestamp:   time.Now().UTC(),
 			}

-			var isSrcExitNode bool
-			var isDestExitNode bool
-
-			if !l.wgIfaceIPNet.Contains(net.IP(event.SourceIP.AsSlice())) {
-				event.SourceResourceID, isSrcExitNode = l.statusRecorder.CheckRoutes(event.SourceIP)
+			var isExitNode bool
+			if event.Direction == types.Ingress {
+				if !l.wgIfaceIPNet.Contains(net.IP(event.SourceIP.AsSlice())) {
+					event.SourceResourceID, isExitNode = l.statusRecorder.CheckRoutes(event.SourceIP)
+				}
+			} else if event.Direction == types.Egress {
+				if !l.wgIfaceIPNet.Contains(net.IP(event.DestIP.AsSlice())) {
+					event.DestResourceID, isExitNode = l.statusRecorder.CheckRoutes(event.DestIP)
+				}
 			}

-			if !l.wgIfaceIPNet.Contains(net.IP(event.DestIP.AsSlice())) {
-				event.DestResourceID, isDestExitNode = l.statusRecorder.CheckRoutes(event.DestIP)
-			}
-
-			if l.shouldStore(eventFields, isSrcExitNode || isDestExitNode) {
+			if l.shouldStore(eventFields, isExitNode) {
 				l.Store.StoreEvent(&event)
 			}
 		}
 	}
 }

-func (l *Logger) Close() {
+func (l *Logger) Disable() {
 	l.stop()
 	l.Store.Close()
 }
@@ -116,9 +121,9 @@ func (l *Logger) stop() {

 	l.enabled.Store(false)
 	l.mux.Lock()
-	if l.cancel != nil {
-		l.cancel()
-		l.cancel = nil
+	if l.cancelReceiver != nil {
+		l.cancelReceiver()
+		l.cancelReceiver = nil
 	}
 	l.rcvChan.Store(nil)
 	l.mux.Unlock()
@@ -137,6 +142,11 @@ func (l *Logger) UpdateConfig(dnsCollection, exitNodeCollection bool) {
 	l.exitNodeCollection.Store(exitNodeCollection)
 }

+func (l *Logger) Close() {
+	l.stop()
+	l.cancel()
+}
+
 func (l *Logger) shouldStore(event *types.EventFields, isExitNode bool) bool {
 	// check dns collection
 	if !l.dnsCollection.Load() && event.Protocol == types.UDP && (event.DestPort == 53 || event.DestPort == dnsfwd.ListenPort) {
--- a/client/internal/netflow/logger/logger_test.go
+++ b/client/internal/netflow/logger/logger_test.go
@@ -1,6 +1,7 @@
 package logger_test

 import (
+	"context"
 	"net"
 	"testing"
 	"time"
@@ -12,7 +13,7 @@ import (
 )

 func TestStore(t *testing.T) {
-	logger := logger.New(nil, net.IPNet{})
+	logger := logger.New(context.Background(), nil, net.IPNet{})
 	logger.Enable()

 	event := types.EventFields{
@@ -39,7 +40,7 @@ func TestStore(t *testing.T) {
 	}

 	// test disable
-	logger.Close()
+	logger.Disable()
 	wait()
 	logger.StoreEvent(event)
 	wait()
--- a/client/internal/netflow/manager.go
+++ b/client/internal/netflow/manager.go
@@ -27,18 +27,18 @@ type Manager struct {
 	logger         nftypes.FlowLogger
 	flowConfig     *nftypes.FlowConfig
 	conntrack      nftypes.ConnTracker
+	ctx            context.Context
 	receiverClient *client.GRPCClient
 	publicKey      []byte
-	cancel         context.CancelFunc
 }

 // NewManager creates a new netflow manager
-func NewManager(iface nftypes.IFaceMapper, publicKey []byte, statusRecorder *peer.Status) *Manager {
+func NewManager(ctx context.Context, iface nftypes.IFaceMapper, publicKey []byte, statusRecorder *peer.Status) *Manager {
 	var ipNet net.IPNet
 	if iface != nil {
 		ipNet = *iface.Address().Network
 	}
-	flowLogger := logger.New(statusRecorder, ipNet)
+	flowLogger := logger.New(ctx, statusRecorder, ipNet)

 	var ct nftypes.ConnTracker
 	if runtime.GOOS == "linux" && iface != nil && !iface.IsUserspaceBind() {
@@ -48,6 +48,7 @@ func NewManager(iface nftypes.IFaceMapper, publicKey []byte, statusRecorder *pee
 	return &Manager{
 		logger:    flowLogger,
 		conntrack: ct,
+		ctx:       ctx,
 		publicKey: publicKey,
 	}
 }
@@ -67,9 +68,21 @@ func (m *Manager) needsNewClient(previous *nftypes.FlowConfig) bool {
 func (m *Manager) enableFlow(previous *nftypes.FlowConfig) error {
 	// first make sender ready so events don't pile up
 	if m.needsNewClient(previous) {
-		if err := m.resetClient(); err != nil {
-			return fmt.Errorf("reset client: %w", err)
+		if m.receiverClient != nil {
+			if err := m.receiverClient.Close(); err != nil {
+				log.Warnf("error closing previous flow client: %v", err)
+			}
 		}
+
+		flowClient, err := client.NewClient(m.flowConfig.URL, m.flowConfig.TokenPayload, m.flowConfig.TokenSignature, m.flowConfig.Interval)
+		if err != nil {
+			return fmt.Errorf("create client: %w", err)
+		}
+		log.Infof("flow client configured to connect to %s", m.flowConfig.URL)
+
+		m.receiverClient = flowClient
+		go m.receiveACKs(flowClient)
+		go m.startSender()
 	}

 	m.logger.Enable()
@@ -83,50 +96,17 @@ func (m *Manager) enableFlow(previous *nftypes.FlowConfig) error {
 	return nil
 }

-func (m *Manager) resetClient() error {
-	if m.receiverClient != nil {
-		if err := m.receiverClient.Close(); err != nil {
-			log.Warnf("error closing previous flow client: %v", err)
-		}
-	}
-
-	flowClient, err := client.NewClient(m.flowConfig.URL, m.flowConfig.TokenPayload, m.flowConfig.TokenSignature, m.flowConfig.Interval)
-	if err != nil {
-		return fmt.Errorf("create client: %w", err)
-	}
-	log.Infof("flow client configured to connect to %s", m.flowConfig.URL)
-
-	m.receiverClient = flowClient
-
-	if m.cancel != nil {
-		m.cancel()
-	}
-
-	ctx, cancel := context.WithCancel(context.Background())
-	m.cancel = cancel
-
-	go m.receiveACKs(ctx, flowClient)
-	go m.startSender(ctx)
-
-	return nil
-}
-
 // disableFlow stops components for flow tracking
 func (m *Manager) disableFlow() error {
-	if m.cancel != nil {
-		m.cancel()
-	}
-
 	if m.conntrack != nil {
 		m.conntrack.Stop()
 	}

-	m.logger.Close()
+	m.logger.Disable()

 	if m.receiverClient != nil {
 		return m.receiverClient.Close()
 	}
-
 	return nil
 }

@@ -153,18 +133,17 @@ func (m *Manager) Update(update *nftypes.FlowConfig) error {

 	m.logger.UpdateConfig(update.DNSCollection, update.ExitNodeCollection)

-	changed := previous != nil && update.Enabled != previous.Enabled
 	if update.Enabled {
-		if changed {
-			log.Infof("netflow manager enabled; starting netflow manager")
-		}
+		log.Infof("netflow manager enabled; starting netflow manager")
 		return m.enableFlow(previous)
 	}

-	if changed {
-		log.Infof("netflow manager disabled; stopping netflow manager")
+	log.Infof("netflow manager disabled; stopping netflow manager")
+	err := m.disableFlow()
+	if err != nil {
+		log.Errorf("failed to disable netflow manager: %v", err)
 	}
-	return m.disableFlow()
+	return err
 }

 // Close cleans up all resources
@@ -172,9 +151,17 @@ func (m *Manager) Close() {
 	m.mux.Lock()
 	defer m.mux.Unlock()

-	if err := m.disableFlow(); err != nil {
-		log.Warnf("failed to disable flow manager: %v", err)
+	if m.conntrack != nil {
+		m.conntrack.Close()
 	}
+
+	if m.receiverClient != nil {
+		if err := m.receiverClient.Close(); err != nil {
+			log.Warnf("failed to close receiver client: %v", err)
+		}
+	}
+
+	m.logger.Close()
 }

 // GetLogger returns the flow logger
@@ -182,13 +169,13 @@ func (m *Manager) GetLogger() nftypes.FlowLogger {
 	return m.logger
 }

-func (m *Manager) startSender(ctx context.Context) {
+func (m *Manager) startSender() {
 	ticker := time.NewTicker(m.flowConfig.Interval)
 	defer ticker.Stop()

 	for {
 		select {
-		case <-ctx.Done():
+		case <-m.ctx.Done():
 			return
 		case <-ticker.C:
 			events := m.logger.GetEvents()
@@ -203,8 +190,8 @@ func (m *Manager) startSender(ctx context.Context) {
 	}
 }

-func (m *Manager) receiveACKs(ctx context.Context, client *client.GRPCClient) {
-	err := client.Receive(ctx, m.flowConfig.Interval, func(ack *proto.FlowEventAck) error {
+func (m *Manager) receiveACKs(client *client.GRPCClient) {
+	err := client.Receive(m.ctx, m.flowConfig.Interval, func(ack *proto.FlowEventAck) error {
 		id, err := uuid.FromBytes(ack.EventId)
 		if err != nil {
 			log.Warnf("failed to convert ack event id to uuid: %v", err)
--- a/client/internal/netflow/manager_test.go
+++ b/client/internal/netflow/manager_test.go
@@ -1,200 +0,0 @@
-package netflow
-
-import (
-	"net"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	"github.com/netbirdio/netbird/client/internal/netflow/types"
-	"github.com/netbirdio/netbird/client/internal/peer"
-)
-
-type mockIFaceMapper struct {
-	address         wgaddr.Address
-	isUserspaceBind bool
-}
-
-func (m *mockIFaceMapper) Name() string {
-	return "wt0"
-}
-
-func (m *mockIFaceMapper) Address() wgaddr.Address {
-	return m.address
-}
-
-func (m *mockIFaceMapper) IsUserspaceBind() bool {
-	return m.isUserspaceBind
-}
-
-func TestManager_Update(t *testing.T) {
-	mockIFace := &mockIFaceMapper{
-		address: wgaddr.Address{
-			Network: &net.IPNet{
-				IP:   net.ParseIP("192.168.1.1"),
-				Mask: net.CIDRMask(24, 32),
-			},
-		},
-		isUserspaceBind: true,
-	}
-
-	publicKey := []byte("test-public-key")
-	statusRecorder := peer.NewRecorder("")
-
-	manager := NewManager(mockIFace, publicKey, statusRecorder)
-
-	tests := []struct {
-		name   string
-		config *types.FlowConfig
-	}{
-		{
-			name:   "nil config",
-			config: nil,
-		},
-		{
-			name: "disabled config",
-			config: &types.FlowConfig{
-				Enabled: false,
-			},
-		},
-		{
-			name: "enabled config with minimal valid settings",
-			config: &types.FlowConfig{
-				Enabled:        true,
-				URL:            "https://example.com",
-				TokenPayload:   "test-payload",
-				TokenSignature: "test-signature",
-				Interval:       30 * time.Second,
-			},
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			err := manager.Update(tc.config)
-
-			assert.NoError(t, err)
-
-			if tc.config == nil {
-				return
-			}
-
-			require.NotNil(t, manager.flowConfig)
-
-			if tc.config.Enabled {
-				assert.Equal(t, tc.config.Enabled, manager.flowConfig.Enabled)
-			}
-
-			if tc.config.URL != "" {
-				assert.Equal(t, tc.config.URL, manager.flowConfig.URL)
-			}
-
-			if tc.config.TokenPayload != "" {
-				assert.Equal(t, tc.config.TokenPayload, manager.flowConfig.TokenPayload)
-			}
-		})
-	}
-}
-
-func TestManager_Update_TokenPreservation(t *testing.T) {
-	mockIFace := &mockIFaceMapper{
-		address: wgaddr.Address{
-			Network: &net.IPNet{
-				IP:   net.ParseIP("192.168.1.1"),
-				Mask: net.CIDRMask(24, 32),
-			},
-		},
-		isUserspaceBind: true,
-	}
-
-	publicKey := []byte("test-public-key")
-	manager := NewManager(mockIFace, publicKey, nil)
-
-	// First update with tokens
-	initialConfig := &types.FlowConfig{
-		Enabled:        false,
-		TokenPayload:   "initial-payload",
-		TokenSignature: "initial-signature",
-	}
-
-	err := manager.Update(initialConfig)
-	require.NoError(t, err)
-
-	// Second update without tokens should preserve them
-	updatedConfig := &types.FlowConfig{
-		Enabled: false,
-		URL:     "https://example.com",
-	}
-
-	err = manager.Update(updatedConfig)
-	require.NoError(t, err)
-
-	// Verify tokens were preserved
-	assert.Equal(t, "initial-payload", manager.flowConfig.TokenPayload)
-	assert.Equal(t, "initial-signature", manager.flowConfig.TokenSignature)
-}
-
-func TestManager_NeedsNewClient(t *testing.T) {
-	manager := &Manager{}
-
-	tests := []struct {
-		name     string
-		previous *types.FlowConfig
-		current  *types.FlowConfig
-		expected bool
-	}{
-		{
-			name:     "nil previous config",
-			previous: nil,
-			current:  &types.FlowConfig{},
-			expected: true,
-		},
-		{
-			name:     "previous disabled",
-			previous: &types.FlowConfig{Enabled: false},
-			current:  &types.FlowConfig{Enabled: true},
-			expected: true,
-		},
-		{
-			name:     "different URL",
-			previous: &types.FlowConfig{Enabled: true, URL: "old-url"},
-			current:  &types.FlowConfig{Enabled: true, URL: "new-url"},
-			expected: true,
-		},
-		{
-			name:     "different TokenPayload",
-			previous: &types.FlowConfig{Enabled: true, TokenPayload: "old-payload"},
-			current:  &types.FlowConfig{Enabled: true, TokenPayload: "new-payload"},
-			expected: true,
-		},
-		{
-			name:     "different TokenSignature",
-			previous: &types.FlowConfig{Enabled: true, TokenSignature: "old-signature"},
-			current:  &types.FlowConfig{Enabled: true, TokenSignature: "new-signature"},
-			expected: true,
-		},
-		{
-			name:     "same config",
-			previous: &types.FlowConfig{Enabled: true, URL: "url", TokenPayload: "payload", TokenSignature: "signature"},
-			current:  &types.FlowConfig{Enabled: true, URL: "url", TokenPayload: "payload", TokenSignature: "signature"},
-			expected: false,
-		},
-		{
-			name:     "only interval changed",
-			previous: &types.FlowConfig{Enabled: true, URL: "url", TokenPayload: "payload", TokenSignature: "signature", Interval: 30 * time.Second},
-			current:  &types.FlowConfig{Enabled: true, URL: "url", TokenPayload: "payload", TokenSignature: "signature", Interval: 60 * time.Second},
-			expected: false,
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			manager.flowConfig = tc.current
-			result := manager.needsNewClient(tc.previous)
-			assert.Equal(t, tc.expected, result)
-		})
-	}
-}
--- a/client/internal/netflow/types/types.go
+++ b/client/internal/netflow/types/types.go
@@ -122,6 +122,9 @@ type FlowLogger interface {
 	Close()
 	// Enable enables the flow logger receiver
 	Enable()
+	// Disable disables the flow logger receiver
+	Disable()
+
 	// UpdateConfig updates the flow manager configuration
 	UpdateConfig(dnsCollection, exitNodeCollection bool)
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Viktor Liu	d2c96469f0	Add nftables	2025-03-26 17:30:14 +01:00
Viktor Liu	13ec9ea0e7	Support site to site traffic for network flows in kernel mode	2025-03-25 00:28:13 +01:00