add disk encryption check

2026-04-09 11:06:26 -04:00 · 2026-01-17 19:56:50 +01:00
895 changed files with 11689 additions and 131544 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,6 +0,0 @@
-.env
-.env.*
-*.pem
-*.key
-*.crt
-*.p12
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,14 +0,0 @@
-blank_issues_enabled: true
-contact_links:
-  - name: Community Support
-    url: https://forum.netbird.io/
-    about: Community support forum
-  - name: Cloud Support
-    url: https://docs.netbird.io/help/report-bug-issues
-    about: Contact us for support
-  - name: Client/Connection Troubleshooting
-    url: https://docs.netbird.io/help/troubleshooting-client
-    about: See our client troubleshooting guide for help addressing common issues
-  - name: Self-host Troubleshooting
-    url: https://docs.netbird.io/selfhosted/troubleshooting
-    about: See our self-host troubleshooting guide for help addressing common issues
--- a/.github/workflows/check-license-dependencies.yml
+++ b/.github/workflows/check-license-dependencies.yml
@@ -23,7 +23,7 @@ jobs:

      - name: Check for problematic license dependencies
        run: |
-          echo "Checking for dependencies on management/, signal/, relay/, and proxy/ packages..."
+          echo "Checking for dependencies on management/, signal/, and relay/ packages..."
          echo ""

          # Find all directories except the problematic ones and system dirs
@@ -31,7 +31,7 @@ jobs:
          while IFS= read -r dir; do
            echo "=== Checking $dir ==="
            # Search for problematic imports, excluding test files
-            RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" | grep -v "tools/idp-migrate/" || true)
+            RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" || true)
            if [ -n "$RESULTS" ]; then
              echo "❌ Found problematic dependencies:"
              echo "$RESULTS"
@@ -39,11 +39,11 @@ jobs:
            else
              echo "✓ No problematic dependencies found"
            fi
-          done < <(find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name "proxy" -not -name "combined" -not -name ".git*" | sort)
+          done < <(find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name ".git*" | sort)

          echo ""
          if [ $FOUND_ISSUES -eq 1 ]; then
-            echo "❌ Found dependencies on management/, signal/, relay/, or proxy/ packages"
+            echo "❌ Found dependencies on management/, signal/, or relay/ packages"
            echo "These packages are licensed under AGPLv3 and must not be imported by BSD-licensed code"
            exit 1
          else
@@ -88,7 +88,7 @@ jobs:
              IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")

              # Check if any importer is NOT in management/signal/relay
-              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\|tools/idp-migrate\)" | head -1)
+              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\)" | head -1)

              if [ -n "$BSD_IMPORTER" ]; then
                echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"
--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -43,5 +43,5 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
+        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v /management)

--- a/.github/workflows/golang-test-freebsd.yml
+++ b/.github/workflows/golang-test-freebsd.yml
@@ -46,5 +46,6 @@ jobs:
            time go test -timeout 1m -failfast ./client/iface/...
            time go test -timeout 1m -failfast ./route/...
            time go test -timeout 1m -failfast ./sharedsock/...
+            time go test -timeout 1m -failfast ./signal/...
            time go test -timeout 1m -failfast ./util/...
            time go test -timeout 1m -failfast ./version/...
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -97,16 +97,6 @@ jobs:
        working-directory: relay
        run: CGO_ENABLED=1 GOARCH=386 go build -o relay-386 .

-      - name: Build combined
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: combined
-        run: CGO_ENABLED=1 go build .
-
-      - name: Build combined 386
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: combined
-        run: CGO_ENABLED=1 GOARCH=386 go build -o combined-386 .
-
  test:
    name: "Client / Unit"
    needs: [build-cache]
@@ -154,7 +144,7 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay)

  test_client_on_docker:
    name: "Client (Docker) / Unit"
@@ -214,7 +204,7 @@ jobs:
            sh -c ' \
              apk update; apk add --no-cache \
                ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base; \
-              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui -e /upload-server)
+              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /client/ui -e /upload-server)
            '

  test_relay:
@@ -271,53 +261,6 @@ jobs:
            -exec 'sudo' \
            -timeout 10m -p 1 ./relay/... ./shared/relay/...

-  test_proxy:
-    name: "Proxy / Unit"
-    needs: [build-cache]
-    strategy:
-      fail-fast: false
-      matrix:
-        arch: [ '386','amd64' ]
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: "go.mod"
-          cache: false
-
-      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y gcc-multilib g++-multilib libc6-dev-i386
-
-      - name: Get Go environment
-        run: |
-          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
-
-      - name: Cache Go modules
-        uses: actions/cache/restore@v4
-        with:
-          path: |
-            ${{ env.cache }}
-            ${{ env.modcache }}
-          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-gotest-cache-
-
-      - name: Install modules
-        run: go mod tidy
-
-      - name: check git status
-        run: git --no-pager diff --exit-code
-
-      - name: Test
-        run: |
-          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
-          go test -timeout 10m -p 1 ./proxy/...
-
  test_signal:
    name: "Signal / Unit"
    needs: [build-cache]
@@ -409,19 +352,12 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Login to Docker hub
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v3
+        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
+        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}

-      - name: docker login for root user
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        env:
-          DOCKER_USER: ${{ secrets.DOCKER_USER }}
-          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
-        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
-
      - name: download mysql image
        if: matrix.store == 'mysql'
        run: docker pull mlsmaycon/warmed-mysql:8
@@ -504,18 +440,15 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Login to Docker hub
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v3
+        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
+        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}

-      - name: docker login for root user
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        env:
-          DOCKER_USER: ${{ secrets.DOCKER_USER }}
-          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
-        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
+      - name: download mysql image
+        if: matrix.store == 'mysql'
+        run: docker pull mlsmaycon/warmed-mysql:8

      - name: Test
        run: |
@@ -596,18 +529,15 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Login to Docker hub
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v3
+        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
+        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}

-      - name: docker login for root user
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        env:
-          DOCKER_USER: ${{ secrets.DOCKER_USER }}
-          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
-        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
+      - name: download mysql image
+        if: matrix.store == 'mysql'
+        run: docker pull mlsmaycon/warmed-mysql:8

      - name: Test
        run: |
--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -63,15 +63,10 @@ jobs:
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=${{ env.cache }}
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=${{ env.modcache }}
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe mod tidy
-      - name: Generate test script
-        run: |
-          $packages = go list ./... | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' } | Where-Object { $_ -notmatch '/proxy' } | Where-Object { $_ -notmatch '/combined' }
-          $goExe = "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe"
-          $cmd = "$goExe test -tags=devcert -timeout 10m -p 1 $($packages -join ' ') > test-out.txt 2>&1"
-          Set-Content -Path "${{ github.workspace }}\run-tests.cmd" -Value $cmd
+      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' })" >> $env:GITHUB_ENV

      - name: test
-        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "${{ github.workspace }}\run-tests.cmd"
+        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -tags=devcert -timeout 10m -p 1 ${{ env.files }} > test-out.txt 2>&1"
      - name: test output
        if: ${{ always() }}
        run: Get-Content test-out.txt
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -19,8 +19,8 @@ jobs:
      - name: codespell
        uses: codespell-project/actions-codespell@v2
        with:
-          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver,te,userA
-          skip: go.mod,go.sum,**/proxy/web/**
+          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros
+          skip: go.mod,go.sum
  golangci:
    strategy:
      fail-fast: false
--- a/.github/workflows/pr-title-check.yml
+++ b/.github/workflows/pr-title-check.yml
@@ -1,51 +0,0 @@
-name: PR Title Check
-
-on:
-  pull_request:
-    types: [opened, edited, synchronize, reopened]
-
-jobs:
-  check-title:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Validate PR title prefix
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const title = context.payload.pull_request.title;
-            const allowedTags = [
-              'management',
-              'client',
-              'signal',
-              'proxy',
-              'relay',
-              'misc',
-              'infrastructure',
-              'self-hosted',
-              'doc',
-            ];
-
-            const pattern = /^\[([^\]]+)\]\s+.+/;
-            const match = title.match(pattern);
-
-            if (!match) {
-              core.setFailed(
-                `PR title must start with a tag in brackets.\n` +
-                `Example: [client] fix something\n` +
-                `Allowed tags: ${allowedTags.join(', ')}`
-              );
-              return;
-            }
-
-            const tags = match[1].split(',').map(t => t.trim().toLowerCase());
-
-            const invalid = tags.filter(t => !allowedTags.includes(t));
-            if (invalid.length > 0) {
-              core.setFailed(
-                `Invalid tag(s): ${invalid.join(', ')}\n` +
-                `Allowed tags: ${allowedTags.join(', ')}`
-              );
-              return;
-            }
-
-            console.log(`Valid PR title tags: [${tags.join(', ')}]`);
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,8 +9,8 @@ on:
  pull_request:

 env:
-  SIGN_PIPE_VER: "v0.1.1"
-  GORELEASER_VER: "v2.14.3"
+  SIGN_PIPE_VER: "v0.1.0"
+  GORELEASER_VER: "v2.3.2"
  PRODUCT_NAME: "NetBird"
  COPYRIGHT: "NetBird GmbH"

@@ -160,7 +160,7 @@ jobs:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Log in to the GitHub container registry
-        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
@@ -169,14 +169,6 @@ jobs:
      - name: Install OS build dependencies
        run: sudo apt update && sudo apt install -y -q gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu

-      - name: Decode GPG signing key
-        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
-        env:
-          GPG_RPM_PRIVATE_KEY: ${{ secrets.GPG_RPM_PRIVATE_KEY }}
-        run: |
-          echo "$GPG_RPM_PRIVATE_KEY" | base64 -d > /tmp/gpg-rpm-signing-key.asc
-          echo "GPG_RPM_KEY_FILE=/tmp/gpg-rpm-signing-key.asc" >> $GITHUB_ENV
-
      - name: Install goversioninfo
        run: go install github.com/josephspurrier/goversioninfo/cmd/goversioninfo@233067e
      - name: Generate windows syso amd64
@@ -184,7 +176,6 @@ jobs:
      - name: Generate windows syso arm64
        run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_arm64.syso
      - name: Run GoReleaser
-        id: goreleaser
        uses: goreleaser/goreleaser-action@v4
        with:
          version: ${{ env.GORELEASER_VER }}
@@ -194,55 +185,6 @@ jobs:
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
          UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
-          GPG_RPM_KEY_FILE: ${{ env.GPG_RPM_KEY_FILE }}
-          NFPM_NETBIRD_RPM_PASSPHRASE: ${{ secrets.GPG_RPM_PASSPHRASE }}
-      - name: Verify RPM signatures
-        run: |
-          docker run --rm -v $(pwd)/dist:/dist fedora:41 bash -c '
-            dnf install -y -q rpm-sign curl >/dev/null 2>&1
-            curl -sSL https://pkgs.netbird.io/yum/repodata/repomd.xml.key -o /tmp/rpm-pub.key
-            rpm --import /tmp/rpm-pub.key
-            echo "=== Verifying RPM signatures ==="
-            for rpm_file in /dist/*amd64*.rpm; do
-              [ -f "$rpm_file" ] || continue
-              echo "--- $(basename $rpm_file) ---"
-              rpm -K "$rpm_file"
-            done
-          '
-      - name: Clean up GPG key
-        if: always()
-        run: rm -f /tmp/gpg-rpm-signing-key.asc
-      - name: Tag and push images (amd64 only)
-        if: |
-          (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
-          (github.event_name == 'push' && github.ref == 'refs/heads/main')
-        run: |
-          resolve_tags() {
-            if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-              echo "pr-${{ github.event.pull_request.number }}"
-            else
-              echo "main sha-$(git rev-parse --short HEAD)"
-            fi
-          }
-
-          tag_and_push() {
-            local src="$1" img_name tag dst
-            img_name="${src%%:*}"
-            for tag in $(resolve_tags); do
-              dst="${img_name}:${tag}"
-              echo "Tagging ${src} -> ${dst}"
-              docker tag "$src" "$dst"
-              docker push "$dst"
-            done
-          }
-
-          export -f tag_and_push resolve_tags
-
-          echo '${{ steps.goreleaser.outputs.artifacts }}' | \
-            jq -r '.[] | select(.type == "Docker Image") | select(.goarch == "amd64") | .name' | \
-            grep '^ghcr.io/' | while read -r SRC; do
-              tag_and_push "$SRC"
-            done
      - name: upload non tags for debug purposes
        uses: actions/upload-artifact@v4
        with:
@@ -309,14 +251,6 @@ jobs:
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y -q libappindicator3-dev gir1.2-appindicator3-0.1 libxxf86vm-dev gcc-mingw-w64-x86-64

-      - name: Decode GPG signing key
-        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
-        env:
-          GPG_RPM_PRIVATE_KEY: ${{ secrets.GPG_RPM_PRIVATE_KEY }}
-        run: |
-          echo "$GPG_RPM_PRIVATE_KEY" | base64 -d > /tmp/gpg-rpm-signing-key.asc
-          echo "GPG_RPM_KEY_FILE=/tmp/gpg-rpm-signing-key.asc" >> $GITHUB_ENV
-
      - name: Install LLVM-MinGW for ARM64 cross-compilation
        run: |
          cd /tmp
@@ -341,24 +275,6 @@ jobs:
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
          UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
-          GPG_RPM_KEY_FILE: ${{ env.GPG_RPM_KEY_FILE }}
-          NFPM_NETBIRD_UI_RPM_PASSPHRASE: ${{ secrets.GPG_RPM_PASSPHRASE }}
-      - name: Verify RPM signatures
-        run: |
-          docker run --rm -v $(pwd)/dist:/dist fedora:41 bash -c '
-            dnf install -y -q rpm-sign curl >/dev/null 2>&1
-            curl -sSL https://pkgs.netbird.io/yum/repodata/repomd.xml.key -o /tmp/rpm-pub.key
-            rpm --import /tmp/rpm-pub.key
-            echo "=== Verifying RPM signatures ==="
-            for rpm_file in /dist/*.rpm; do
-              [ -f "$rpm_file" ] || continue
-              echo "--- $(basename $rpm_file) ---"
-              rpm -K "$rpm_file"
-            done
-          '
-      - name: Clean up GPG key
-        if: always()
-        run: rm -f /tmp/gpg-rpm-signing-key.asc
      - name: upload non tags for debug purposes
        uses: actions/upload-artifact@v4
        with:
--- a/.github/workflows/wasm-build-validation.yml
+++ b/.github/workflows/wasm-build-validation.yml
@@ -61,8 +61,8 @@ jobs:

          echo "Size: ${SIZE} bytes (${SIZE_MB} MB)"

-          if [ ${SIZE} -gt 58720256 ]; then
-            echo "Wasm binary size (${SIZE_MB}MB) exceeds 56MB limit!"
+          if [ ${SIZE} -gt 57671680 ]; then
+            echo "Wasm binary size (${SIZE_MB}MB) exceeds 55MB limit!"
            exit 1
          fi

--- a/.gitignore
+++ b/.gitignore
@@ -2,7 +2,6 @@
 .run
 *.iml
 dist/
-!proxy/web/dist/
 bin/
 .env
 conf.json
@@ -33,4 +32,3 @@ infrastructure_files/setup-*.env
 vendor/
 /netbird
 client/netbird-electron/
-management/server/types/testdata/
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -106,26 +106,6 @@ builds:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"

-  - id: netbird-server
-    dir: combined
-    env:
-      - CGO_ENABLED=1
-      - >-
-        {{- if eq .Runtime.Goos "linux" }}
-          {{- if eq .Arch "arm64"}}CC=aarch64-linux-gnu-gcc{{- end }}
-          {{- if eq .Arch "arm"}}CC=arm-linux-gnueabihf-gcc{{- end }}
-        {{- end }}
-    binary: netbird-server
-    goos:
-      - linux
-    goarch:
-      - amd64
-      - arm64
-      - arm
-    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: "{{ .CommitTimestamp }}"
-
  - id: netbird-upload
    dir: upload-server
    env: [CGO_ENABLED=0]
@@ -140,40 +120,6 @@ builds:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"

-  - id: netbird-proxy
-    dir: proxy/cmd/proxy
-    env: [CGO_ENABLED=0]
-    binary: netbird-proxy
-    goos:
-      - linux
-    goarch:
-      - amd64
-      - arm64
-      - arm
-    ldflags:
-      - -s -w -X main.Version={{.Version}} -X main.Commit={{.Commit}} -X main.BuildDate={{.CommitDate}}
-    mod_timestamp: "{{ .CommitTimestamp }}"
-
-  - id: netbird-idp-migrate
-    dir: tools/idp-migrate
-    env:
-      - CGO_ENABLED=1
-      - >-
-        {{- if eq .Runtime.Goos "linux" }}
-          {{- if eq .Arch "arm64"}}CC=aarch64-linux-gnu-gcc{{- end }}
-          {{- if eq .Arch "arm"}}CC=arm-linux-gnueabihf-gcc{{- end }}
-        {{- end }}
-    binary: netbird-idp-migrate
-    goos:
-      - linux
-    goarch:
-      - amd64
-      - arm64
-      - arm
-    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: "{{ .CommitTimestamp }}"
-
 universal_binaries:
  - id: netbird

@@ -186,22 +132,18 @@ archives:
      - netbird-wasm
    name_template: "{{ .ProjectName }}_{{ .Version }}"
    format: binary
-  - id: netbird-idp-migrate
-    builds:
-      - netbird-idp-migrate
-    name_template: "netbird-idp-migrate_{{ .Version }}_{{ .Os }}_{{ .Arch }}"

 nfpms:
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client.
    homepage: https://netbird.io/
-    license: BSD-3-Clause
-    id: netbird_deb
+    id: netbird-deb
    bindir: /usr/bin
    builds:
      - netbird
    formats:
      - deb
+
    scripts:
      postinstall: "release_files/post_install.sh"
      preremove: "release_files/pre_remove.sh"
@@ -209,19 +151,16 @@ nfpms:
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client.
    homepage: https://netbird.io/
-    license: BSD-3-Clause
-    id: netbird_rpm
+    id: netbird-rpm
    bindir: /usr/bin
    builds:
      - netbird
    formats:
      - rpm
+
    scripts:
      postinstall: "release_files/post_install.sh"
      preremove: "release_files/pre_remove.sh"
-    rpm:
-      signature:
-        key_file: '{{ if index .Env "GPG_RPM_KEY_FILE" }}{{ .Env.GPG_RPM_KEY_FILE }}{{ end }}'
 dockers:
  - image_templates:
      - netbirdio/netbird:{{ .Version }}-amd64
@@ -581,104 +520,6 @@ dockers:
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
-    ids:
-      - netbird-server
-    goarch: amd64
-    use: buildx
-    dockerfile: combined/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
-    ids:
-      - netbird-server
-    goarch: arm64
-    use: buildx
-    dockerfile: combined/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
-    ids:
-      - netbird-server
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: combined/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
-    ids:
-      - netbird-proxy
-    goarch: amd64
-    use: buildx
-    dockerfile: proxy/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-    ids:
-      - netbird-proxy
-    goarch: arm64
-    use: buildx
-    dockerfile: proxy/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
-    ids:
-      - netbird-proxy
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: proxy/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
 docker_manifests:
  - name_template: netbirdio/netbird:{{ .Version }}
    image_templates:
@@ -757,18 +598,6 @@ docker_manifests:
      - netbirdio/upload:{{ .Version }}-arm
      - netbirdio/upload:{{ .Version }}-amd64

-  - name_template: netbirdio/netbird-server:{{ .Version }}
-    image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - netbirdio/netbird-server:{{ .Version }}-arm
-      - netbirdio/netbird-server:{{ .Version }}-amd64
-
-  - name_template: netbirdio/netbird-server:latest
-    image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - netbirdio/netbird-server:{{ .Version }}-arm
-      - netbirdio/netbird-server:{{ .Version }}-amd64
-
  - name_template: ghcr.io/netbirdio/netbird:{{ .Version }}
    image_templates:
      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
@@ -846,43 +675,6 @@ docker_manifests:
      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/netbird-server:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/netbird-server:latest
-    image_templates:
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
-
-  - name_template: netbirdio/reverse-proxy:{{ .Version }}
-    image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - netbirdio/reverse-proxy:{{ .Version }}-arm
-      - netbirdio/reverse-proxy:{{ .Version }}-amd64
-
-  - name_template: netbirdio/reverse-proxy:latest
-    image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - netbirdio/reverse-proxy:{{ .Version }}-arm
-      - netbirdio/reverse-proxy:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/reverse-proxy:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/reverse-proxy:latest
-    image_templates:
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
-
 brews:
  - ids:
      - default
@@ -903,7 +695,7 @@ brews:
 uploads:
  - name: debian
    ids:
-      - netbird_deb
+      - netbird-deb
    mode: archive
    target: https://pkgs.wiretrustee.com/debian/pool/{{ .ArtifactName }};deb.distribution=stable;deb.component=main;deb.architecture={{ if .Arm }}armhf{{ else }}{{ .Arch }}{{ end }};deb.package=
    username: dev@wiretrustee.com
@@ -911,7 +703,7 @@ uploads:

  - name: yum
    ids:
-      - netbird_rpm
+      - netbird-rpm
    mode: archive
    target: https://pkgs.wiretrustee.com/yum/{{ .Arch }}{{ if .Arm }}{{ .Arm }}{{ end }}
    username: dev@wiretrustee.com
--- a/.goreleaser_ui.yaml
+++ b/.goreleaser_ui.yaml
@@ -61,7 +61,7 @@ nfpms:
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client UI.
    homepage: https://netbird.io/
-    id: netbird_ui_deb
+    id: netbird-ui-deb
    package_name: netbird-ui
    builds:
      - netbird-ui
@@ -80,7 +80,7 @@ nfpms:
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client UI.
    homepage: https://netbird.io/
-    id: netbird_ui_rpm
+    id: netbird-ui-rpm
    package_name: netbird-ui
    builds:
      - netbird-ui
@@ -95,14 +95,11 @@ nfpms:
        dst: /usr/share/pixmaps/netbird.png
    dependencies:
      - netbird
-    rpm:
-      signature:
-        key_file: '{{ if index .Env "GPG_RPM_KEY_FILE" }}{{ .Env.GPG_RPM_KEY_FILE }}{{ end }}'

 uploads:
  - name: debian
    ids:
-      - netbird_ui_deb
+      - netbird-ui-deb
    mode: archive
    target: https://pkgs.wiretrustee.com/debian/pool/{{ .ArtifactName }};deb.distribution=stable;deb.component=main;deb.architecture={{ if .Arm }}armhf{{ else }}{{ .Arch }}{{ end }};deb.package=
    username: dev@wiretrustee.com
@@ -110,7 +107,7 @@ uploads:

  - name: yum
    ids:
-      - netbird_ui_rpm
+      - netbird-ui-rpm
    mode: archive
    target: https://pkgs.wiretrustee.com/yum/{{ .Arch }}{{ if .Arm }}{{ .Arm }}{{ end }}
    username: dev@wiretrustee.com
--- a/CONTRIBUTOR_LICENSE_AGREEMENT.md
+++ b/CONTRIBUTOR_LICENSE_AGREEMENT.md
@@ -1,7 +1,7 @@
 ##  Contributor License Agreement

 This Contributor License Agreement (referred to as the "Agreement") is entered into by the individual 
-submitting this Agreement and NetBird GmbH, Brunnenstraße 196, 10119 Berlin, Germany, 
+submitting this Agreement and NetBird GmbH, c/o Max-Beer-Straße 2-4 Münzstraße 12 10178 Berlin, Germany, 
 referred to as "NetBird" (collectively, the "Parties"). The Agreement outlines the terms and conditions 
 under which NetBird may utilize software contributions provided by the Contributor for inclusion in 
 its software development projects. By submitting this Agreement, the Contributor confirms their acceptance 
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-This BSD‑3‑Clause license applies to all parts of the repository except for the directories management/, signal/, relay/ and combined/.
+This BSD‑3‑Clause license applies to all parts of the repository except for the directories management/, signal/ and relay/.
 Those directories are licensed under the GNU Affero General Public License version 3.0 (AGPLv3). See the respective LICENSE files inside each directory.

 BSD 3-Clause License
--- a/README.md
+++ b/README.md
@@ -60,8 +60,8 @@

 https://github.com/user-attachments/assets/10cec749-bb56-4ab3-97af-4e38850108d2

-### Self-Host NetBird (Video)
-[![Watch the video](https://img.youtube.com/vi/bZAgpT6nzaQ/0.jpg)](https://youtu.be/bZAgpT6nzaQ)
+### NetBird on Lawrence Systems (Video)
+[![Watch the video](https://img.youtube.com/vi/Kwrff6h0rEw/0.jpg)](https://www.youtube.com/watch?v=Kwrff6h0rEw)

 ### Key features

@@ -126,7 +126,6 @@ See a complete [architecture overview](https://docs.netbird.io/about-netbird/how
 ### Community projects
 -  [NetBird installer script](https://github.com/physk/netbird-installer)
 -  [NetBird ansible collection by Dominion Solutions](https://galaxy.ansible.com/ui/repo/published/dominion_solutions/netbird/)
-  [netbird-tui](https://github.com/n0pashkov/netbird-tui) — terminal UI for managing NetBird peers, routes, and settings

 **Note**: The `main` branch may be in an *unstable or even broken state* during development.
 For stable versions, see [releases](https://github.com/netbirdio/netbird/releases).
--- a/client/Dockerfile
+++ b/client/Dockerfile
@@ -4,7 +4,7 @@
 #   sudo podman build -t localhost/netbird:latest -f client/Dockerfile --ignorefile .dockerignore-client .
 #   sudo podman run --rm -it --cap-add={BPF,NET_ADMIN,NET_RAW} localhost/netbird:latest

-FROM alpine:3.23.3
+FROM alpine:3.23.2
 # iproute2: busybox doesn't display ip rules properly
 RUN apk add --no-cache \
    bash \
@@ -17,7 +17,8 @@ ENV \
    NETBIRD_BIN="/usr/local/bin/netbird" \
    NB_LOG_FILE="console,/var/log/netbird/client.log" \
    NB_DAEMON_ADDR="unix:///var/run/netbird.sock" \
-    NB_ENTRYPOINT_SERVICE_TIMEOUT="30"
+    NB_ENTRYPOINT_SERVICE_TIMEOUT="5" \
+    NB_ENTRYPOINT_LOGIN_TIMEOUT="5"

 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]

--- a/client/Dockerfile-rootless
+++ b/client/Dockerfile-rootless
@@ -23,7 +23,8 @@ ENV \
    NB_DAEMON_ADDR="unix:///var/lib/netbird/netbird.sock" \
    NB_LOG_FILE="console,/var/lib/netbird/client.log" \
    NB_DISABLE_DNS="true" \
-    NB_ENTRYPOINT_SERVICE_TIMEOUT="30"
+    NB_ENTRYPOINT_SERVICE_TIMEOUT="5" \
+    NB_ENTRYPOINT_LOGIN_TIMEOUT="1"

 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]

--- a/client/android/client.go
+++ b/client/android/client.go
@@ -124,7 +124,7 @@ func (c *Client) Run(platformFiles PlatformFiles, urlOpener URLOpener, isAndroid

 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
+	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder, false)
 	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener, stateFile)
 }

@@ -157,7 +157,7 @@ func (c *Client) RunWithoutLogin(platformFiles PlatformFiles, dns *DNSList, dnsR

 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
+	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder, false)
 	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener, stateFile)
 }

@@ -203,11 +203,10 @@ func (c *Client) PeersList() *PeerInfoArray {
 	peerInfos := make([]PeerInfo, len(fullStatus.Peers))
 	for n, p := range fullStatus.Peers {
 		pi := PeerInfo{
-			IP:         p.IP,
-			IPv6:       p.IPv6,
-			FQDN:       p.FQDN,
-			ConnStatus: int(p.ConnStatus),
-			Routes:     PeerRoutes{routes: maps.Keys(p.GetRoutes())},
+			p.IP,
+			p.FQDN,
+			p.ConnStatus.String(),
+			PeerRoutes{routes: maps.Keys(p.GetRoutes())},
 		}
 		peerInfos[n] = pi
 	}
@@ -238,84 +237,43 @@ func (c *Client) Networks() *NetworkArray {
 		return nil
 	}

-	routesMap := routeManager.GetClientRoutesWithNetID()
-	v6Merged := route.V6ExitMergeSet(routesMap)
-	resolvedDomains := c.recorder.GetResolvedDomainsStates()
-
 	networkArray := &NetworkArray{
 		items: make([]Network, 0),
 	}

-	for id, routes := range routesMap {
+	resolvedDomains := c.recorder.GetResolvedDomainsStates()
+
+	for id, routes := range routeManager.GetClientRoutesWithNetID() {
 		if len(routes) == 0 {
 			continue
 		}
-		if _, skip := v6Merged[id]; skip {
-			continue
+
+		r := routes[0]
+		domains := c.getNetworkDomainsFromRoute(r, resolvedDomains)
+		netStr := r.Network.String()
+
+		if r.IsDynamic() {
+			netStr = r.Domains.SafeString()
 		}

-		network := c.buildNetwork(id, routes, routeSelector.IsSelected(id), resolvedDomains, v6Merged)
-		if network == nil {
+		routePeer, err := c.recorder.GetPeer(routes[0].Peer)
+		if err != nil {
+			log.Errorf("could not get peer info for %s: %v", routes[0].Peer, err)
 			continue
 		}
-		networkArray.Add(*network)
+		network := Network{
+			Name:       string(id),
+			Network:    netStr,
+			Peer:       routePeer.FQDN,
+			Status:     routePeer.ConnStatus.String(),
+			IsSelected: routeSelector.IsSelected(id),
+			Domains:    domains,
+		}
+		networkArray.Add(network)
 	}
 	return networkArray
 }

-func (c *Client) buildNetwork(id route.NetID, routes []*route.Route, selected bool, resolvedDomains map[domain.Domain]peer.ResolvedDomainInfo, v6Merged map[route.NetID]struct{}) *Network {
-	r := routes[0]
-	netStr := r.Network.String()
-	if r.IsDynamic() {
-		netStr = r.Domains.SafeString()
-	}
-
-	routePeer, err := c.findBestRoutePeer(routes)
-	if err != nil {
-		log.Errorf("could not get peer info for route %s: %v", id, err)
-		return nil
-	}
-
-	network := &Network{
-		Name:       string(id),
-		Network:    netStr,
-		Peer:       routePeer.FQDN,
-		Status:     routePeer.ConnStatus.String(),
-		IsSelected: selected,
-		Domains:    c.getNetworkDomainsFromRoute(r, resolvedDomains),
-	}
-
-	if route.IsV4DefaultRoute(r.Network) && route.HasV6ExitPair(id, v6Merged) {
-		network.Network = "0.0.0.0/0, ::/0"
-	}
-
-	return network
-}
-
-// findBestRoutePeer returns the peer actively routing traffic for the given
-// HA route group. Falls back to the first connected peer, then the first peer.
-func (c *Client) findBestRoutePeer(routes []*route.Route) (peer.State, error) {
-	netStr := routes[0].Network.String()
-
-	fullStatus := c.recorder.GetFullStatus()
-	for _, p := range fullStatus.Peers {
-		if _, ok := p.GetRoutes()[netStr]; ok {
-			return p, nil
-		}
-	}
-
-	for _, r := range routes {
-		p, err := c.recorder.GetPeer(r.Peer)
-		if err != nil {
-			continue
-		}
-		if p.ConnStatus == peer.StatusConnected {
-			return p, nil
-		}
-	}
-	return c.recorder.GetPeer(routes[0].Peer)
-}
-
 // OnUpdatedHostDNS update the DNS servers addresses for root zones
 func (c *Client) OnUpdatedHostDNS(list *DNSList) error {
 	dnsServer, err := dns.GetServerDns()
--- a/client/android/env_list.go
+++ b/client/android/env_list.go
@@ -1,19 +1,10 @@
 package android

-import (
-	"github.com/netbirdio/netbird/client/internal/lazyconn"
-	"github.com/netbirdio/netbird/client/internal/peer"
-)
+import "github.com/netbirdio/netbird/client/internal/peer"

 var (
-	// EnvKeyNBForceRelay Exported for Android java client to force relay connections
+	// EnvKeyNBForceRelay Exported for Android java client
 	EnvKeyNBForceRelay = peer.EnvKeyNBForceRelay
-
-	// EnvKeyNBLazyConn Exported for Android java client to configure lazy connection
-	EnvKeyNBLazyConn = lazyconn.EnvEnableLazyConn
-
-	// EnvKeyNBInactivityThreshold Exported for Android java client to configure connection inactivity threshold
-	EnvKeyNBInactivityThreshold = lazyconn.EnvInactivityThreshold
 )

 // EnvList wraps a Go map for export to Java
--- a/client/android/login.go
+++ b/client/android/login.go
@@ -3,7 +3,15 @@ package android
 import (
 	"context"
 	"fmt"
+	"time"

+	"github.com/cenkalti/backoff/v4"
+	log "github.com/sirupsen/logrus"
+	"google.golang.org/grpc/codes"
+	gstatus "google.golang.org/grpc/status"
+
+	"github.com/netbirdio/netbird/client/cmd"
+	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/auth"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/system"
@@ -76,21 +84,34 @@ func (a *Auth) SaveConfigIfSSOSupported(listener SSOListener) {
 }

 func (a *Auth) saveConfigIfSSOSupported() (bool, error) {
-	authClient, err := auth.NewAuth(a.ctx, a.config.PrivateKey, a.config.ManagementURL, a.config)
-	if err != nil {
-		return false, fmt.Errorf("failed to create auth client: %v", err)
-	}
-	defer authClient.Close()
+	supportsSSO := true
+	err := a.withBackOff(a.ctx, func() (err error) {
+		_, err = internal.GetPKCEAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL, nil)
+		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.NotFound || s.Code() == codes.Unimplemented) {
+			_, err = internal.GetDeviceAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL)
+			s, ok := gstatus.FromError(err)
+			if !ok {
+				return err
+			}
+			if s.Code() == codes.NotFound || s.Code() == codes.Unimplemented {
+				supportsSSO = false
+				err = nil
+			}

-	supportsSSO, err := authClient.IsSSOSupported(a.ctx)
-	if err != nil {
-		return false, fmt.Errorf("failed to check SSO support: %v", err)
-	}
+			return err
+		}
+
+		return err
+	})

 	if !supportsSSO {
 		return false, nil
 	}

+	if err != nil {
+		return false, fmt.Errorf("backoff cycle failed: %v", err)
+	}
+
 	err = profilemanager.WriteOutConfig(a.cfgPath, a.config)
 	return true, err
 }
@@ -108,17 +129,19 @@ func (a *Auth) LoginWithSetupKeyAndSaveConfig(resultListener ErrListener, setupK
 }

 func (a *Auth) loginWithSetupKeyAndSaveConfig(setupKey string, deviceName string) error {
-	authClient, err := auth.NewAuth(a.ctx, a.config.PrivateKey, a.config.ManagementURL, a.config)
-	if err != nil {
-		return fmt.Errorf("failed to create auth client: %v", err)
-	}
-	defer authClient.Close()
-
 	//nolint
 	ctxWithValues := context.WithValue(a.ctx, system.DeviceNameCtxKey, deviceName)
-	err, _ = authClient.Login(ctxWithValues, setupKey, "")
+
+	err := a.withBackOff(a.ctx, func() error {
+		backoffErr := internal.Login(ctxWithValues, a.config, setupKey, "")
+		if s, ok := gstatus.FromError(backoffErr); ok && (s.Code() == codes.PermissionDenied) {
+			// we got an answer from management, exit backoff earlier
+			return backoff.Permanent(backoffErr)
+		}
+		return backoffErr
+	})
 	if err != nil {
-		return fmt.Errorf("login failed: %v", err)
+		return fmt.Errorf("backoff cycle failed: %v", err)
 	}

 	return profilemanager.WriteOutConfig(a.cfgPath, a.config)
@@ -137,41 +160,49 @@ func (a *Auth) Login(resultListener ErrListener, urlOpener URLOpener, isAndroidT
 }

 func (a *Auth) login(urlOpener URLOpener, isAndroidTV bool) error {
-	authClient, err := auth.NewAuth(a.ctx, a.config.PrivateKey, a.config.ManagementURL, a.config)
-	if err != nil {
-		return fmt.Errorf("failed to create auth client: %v", err)
-	}
-	defer authClient.Close()
+	var needsLogin bool

 	// check if we need to generate JWT token
-	needsLogin, err := authClient.IsLoginRequired(a.ctx)
+	err := a.withBackOff(a.ctx, func() (err error) {
+		needsLogin, err = internal.IsLoginRequired(a.ctx, a.config)
+		return
+	})
 	if err != nil {
-		return fmt.Errorf("failed to check login requirement: %v", err)
+		return fmt.Errorf("backoff cycle failed: %v", err)
 	}

 	jwtToken := ""
 	if needsLogin {
-		tokenInfo, err := a.foregroundGetTokenInfo(authClient, urlOpener, isAndroidTV)
+		tokenInfo, err := a.foregroundGetTokenInfo(urlOpener, isAndroidTV)
 		if err != nil {
 			return fmt.Errorf("interactive sso login failed: %v", err)
 		}
 		jwtToken = tokenInfo.GetTokenToUse()
 	}

-	err, _ = authClient.Login(a.ctx, "", jwtToken)
-	if err != nil {
-		return fmt.Errorf("login failed: %v", err)
-	}
+	err = a.withBackOff(a.ctx, func() error {
+		err := internal.Login(a.ctx, a.config, "", jwtToken)

-	go urlOpener.OnLoginSuccess()
+		if err == nil {
+			go urlOpener.OnLoginSuccess()
+		}
+
+		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
+			return nil
+		}
+		return err
+	})
+	if err != nil {
+		return fmt.Errorf("backoff cycle failed: %v", err)
+	}

 	return nil
 }

-func (a *Auth) foregroundGetTokenInfo(authClient *auth.Auth, urlOpener URLOpener, isAndroidTV bool) (*auth.TokenInfo, error) {
-	oAuthFlow, err := authClient.GetOAuthFlow(a.ctx, isAndroidTV)
+func (a *Auth) foregroundGetTokenInfo(urlOpener URLOpener, isAndroidTV bool) (*auth.TokenInfo, error) {
+	oAuthFlow, err := auth.NewOAuthFlow(a.ctx, a.config, false, isAndroidTV, "")
 	if err != nil {
-		return nil, fmt.Errorf("failed to get OAuth flow: %v", err)
+		return nil, err
 	}

 	flowInfo, err := oAuthFlow.RequestAuthInfo(context.TODO())
@@ -181,10 +212,22 @@ func (a *Auth) foregroundGetTokenInfo(authClient *auth.Auth, urlOpener URLOpener

 	go urlOpener.Open(flowInfo.VerificationURIComplete, flowInfo.UserCode)

-	tokenInfo, err := oAuthFlow.WaitToken(a.ctx, flowInfo)
+	waitTimeout := time.Duration(flowInfo.ExpiresIn) * time.Second
+	waitCTX, cancel := context.WithTimeout(a.ctx, waitTimeout)
+	defer cancel()
+	tokenInfo, err := oAuthFlow.WaitToken(waitCTX, flowInfo)
 	if err != nil {
 		return nil, fmt.Errorf("waiting for browser login failed: %v", err)
 	}

 	return &tokenInfo, nil
 }
+
+func (a *Auth) withBackOff(ctx context.Context, bf func() error) error {
+	return backoff.RetryNotify(
+		bf,
+		backoff.WithContext(cmd.CLIBackOffSettings, ctx),
+		func(err error, duration time.Duration) {
+			log.Warnf("retrying Login to the Management service in %v due to error %v", duration, err)
+		})
+}
--- a/client/android/peer_notifier.go
+++ b/client/android/peer_notifier.go
@@ -2,21 +2,11 @@

 package android

-import "github.com/netbirdio/netbird/client/internal/peer"
-
-// Connection status constants exported via gomobile.
-const (
-	ConnStatusIdle       = int(peer.StatusIdle)
-	ConnStatusConnecting = int(peer.StatusConnecting)
-	ConnStatusConnected  = int(peer.StatusConnected)
-)
-
 // PeerInfo describe information about the peers. It designed for the UI usage
 type PeerInfo struct {
 	IP         string
-	IPv6       string
 	FQDN       string
-	ConnStatus int
+	ConnStatus string // Todo replace to enum
 	Routes     PeerRoutes
 }

--- a/client/android/preferences.go
+++ b/client/android/preferences.go
@@ -307,24 +307,6 @@ func (p *Preferences) SetBlockInbound(block bool) {
 	p.configInput.BlockInbound = &block
 }

-// GetDisableIPv6 reads disable IPv6 setting from config file
-func (p *Preferences) GetDisableIPv6() (bool, error) {
-	if p.configInput.DisableIPv6 != nil {
-		return *p.configInput.DisableIPv6, nil
-	}
-
-	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.DisableIPv6, err
-}
-
-// SetDisableIPv6 stores the given value and waits for commit
-func (p *Preferences) SetDisableIPv6(disable bool) {
-	p.configInput.DisableIPv6 = &disable
-}
-
 // Commit writes out the changes to the config file
 func (p *Preferences) Commit() error {
 	_, err := profilemanager.UpdateOrCreateConfig(p.configInput)
--- a/client/android/route_command.go
+++ b/client/android/route_command.go
@@ -18,12 +18,9 @@ func executeRouteToggle(id string, manager routemanager.Manager,
 	netID := route.NetID(id)
 	routes := []route.NetID{netID}

-	routesMap := manager.GetClientRoutesWithNetID()
-	routes = route.ExpandV6ExitPairs(routes, routesMap)
+	log.Debugf("%s with id: %s", operationName, id)

-	log.Debugf("%s with ids: %v", operationName, routes)
-
-	if err := routeOperation(routes, maps.Keys(routesMap)); err != nil {
+	if err := routeOperation(routes, maps.Keys(manager.GetClientRoutesWithNetID())); err != nil {
 		log.Debugf("error when %s: %s", operationName, err)
 		return fmt.Errorf("error %s: %w", operationName, err)
 	}
--- a/client/anonymize/anonymize.go
+++ b/client/anonymize/anonymize.go
@@ -9,7 +9,6 @@ import (
 	"net/url"
 	"regexp"
 	"slices"
-	"strconv"
 	"strings"
 )

@@ -27,9 +26,8 @@ type Anonymizer struct {
 }

 func DefaultAddresses() (netip.Addr, netip.Addr) {
-	// 198.51.100.0 (RFC 5737 TEST-NET-2), 2001:db8:ffff:: (RFC 3849 documentation, last /48)
-	// The old start 100:: (discard, RFC 6666) is now used for fake IPs on Android.
-	return netip.AddrFrom4([4]byte{198, 51, 100, 0}), netip.MustParseAddr("2001:db8:ffff::")
+	// 198.51.100.0, 100::
+	return netip.AddrFrom4([4]byte{198, 51, 100, 0}), netip.AddrFrom16([16]byte{0x01})
 }

 func NewAnonymizer(startIPv4, startIPv6 netip.Addr) *Anonymizer {
@@ -98,11 +96,6 @@ func (a *Anonymizer) isInAnonymizedRange(ip netip.Addr) bool {
 }

 func (a *Anonymizer) AnonymizeIPString(ip string) string {
-	// Handle CIDR notation (e.g. "2001:db8::/32")
-	if prefix, err := netip.ParsePrefix(ip); err == nil {
-		return a.AnonymizeIP(prefix.Addr()).String() + "/" + strconv.Itoa(prefix.Bits())
-	}
-
 	addr, err := netip.ParseAddr(ip)
 	if err != nil {
 		return ip
--- a/client/anonymize/anonymize_test.go
+++ b/client/anonymize/anonymize_test.go
@@ -13,7 +13,7 @@ import (

 func TestAnonymizeIP(t *testing.T) {
 	startIPv4 := netip.MustParseAddr("198.51.100.0")
-	startIPv6 := netip.MustParseAddr("2001:db8:ffff::")
+	startIPv6 := netip.MustParseAddr("100::")
 	anonymizer := anonymize.NewAnonymizer(startIPv4, startIPv6)

 	tests := []struct {
@@ -26,9 +26,9 @@ func TestAnonymizeIP(t *testing.T) {
 		{"Second Public IPv4", "4.3.2.1", "198.51.100.1"},
 		{"Repeated IPv4", "1.2.3.4", "198.51.100.0"},
 		{"Private IPv4", "192.168.1.1", "192.168.1.1"},
-		{"First Public IPv6", "2607:f8b0:4005:805::200e", "2001:db8:ffff::"},
-		{"Second Public IPv6", "a::b", "2001:db8:ffff::1"},
-		{"Repeated IPv6", "2607:f8b0:4005:805::200e", "2001:db8:ffff::"},
+		{"First Public IPv6", "2607:f8b0:4005:805::200e", "100::"},
+		{"Second Public IPv6", "a::b", "100::1"},
+		{"Repeated IPv6", "2607:f8b0:4005:805::200e", "100::"},
 		{"Private IPv6", "fe80::1", "fe80::1"},
 		{"In Range IPv4", "198.51.100.2", "198.51.100.2"},
 	}
@@ -274,17 +274,17 @@ func TestAnonymizeString_IPAddresses(t *testing.T) {
 		{
 			name:   "IPv6 Address",
 			input:  "Access attempted from 2001:db8::ff00:42",
-			expect: "Access attempted from 2001:db8:ffff::",
+			expect: "Access attempted from 100::",
 		},
 		{
 			name:   "IPv6 Address with Port",
 			input:  "Access attempted from [2001:db8::ff00:42]:8080",
-			expect: "Access attempted from [2001:db8:ffff::]:8080",
+			expect: "Access attempted from [100::]:8080",
 		},
 		{
 			name:   "Both IPv4 and IPv6",
 			input:  "IPv4: 142.108.0.1 and IPv6: 2001:db8::ff00:43",
-			expect: "IPv4: 198.51.100.1 and IPv6: 2001:db8:ffff::1",
+			expect: "IPv4: 198.51.100.1 and IPv6: 100::1",
 		},
 	}

--- a/client/cmd/debug.go
+++ b/client/cmd/debug.go
@@ -16,6 +16,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/server"
+	nbstatus "github.com/netbirdio/netbird/client/status"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 	"github.com/netbirdio/netbird/upload-server/types"
 )
@@ -97,6 +98,7 @@ func debugBundle(cmd *cobra.Command, _ []string) error {
 	client := proto.NewDaemonServiceClient(conn)
 	request := &proto.DebugBundleRequest{
 		Anonymize:    anonymizeFlag,
+		Status:       getStatusOutput(cmd, anonymizeFlag),
 		SystemInfo:   systemInfoFlag,
 		LogFileCount: logFileCount,
 	}
@@ -181,11 +183,10 @@ func runForDuration(cmd *cobra.Command, args []string) error {

 	if stateWasDown {
 		if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
-			cmd.PrintErrf("Failed to bring service up: %v\n", status.Convert(err).Message())
-		} else {
-			cmd.Println("netbird up")
-			time.Sleep(time.Second * 10)
+			return fmt.Errorf("failed to up: %v", status.Convert(err).Message())
 		}
+		cmd.Println("netbird up")
+		time.Sleep(time.Second * 10)
 	}

 	initialLevelTrace := initialLogLevel.GetLevel() >= proto.LogLevel_TRACE
@@ -199,13 +200,10 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		cmd.Println("Log level set to trace.")
 	}

-	needsRestoreUp := false
 	if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
-		cmd.PrintErrf("Failed to bring service down: %v\n", status.Convert(err).Message())
-	} else {
-		needsRestoreUp = !stateWasDown
-		cmd.Println("netbird down")
+		return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
 	}
+	cmd.Println("netbird down")

 	time.Sleep(1 * time.Second)

@@ -213,49 +211,31 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 	if _, err := client.SetSyncResponsePersistence(cmd.Context(), &proto.SetSyncResponsePersistenceRequest{
 		Enabled: true,
 	}); err != nil {
-		cmd.PrintErrf("Failed to enable sync response persistence: %v\n", status.Convert(err).Message())
+		return fmt.Errorf("failed to enable sync response persistence: %v", status.Convert(err).Message())
 	}

 	if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
-		cmd.PrintErrf("Failed to bring service up: %v\n", status.Convert(err).Message())
-	} else {
-		needsRestoreUp = false
-		cmd.Println("netbird up")
+		return fmt.Errorf("failed to up: %v", status.Convert(err).Message())
 	}
+	cmd.Println("netbird up")

 	time.Sleep(3 * time.Second)

-	cpuProfilingStarted := false
-	if _, err := client.StartCPUProfile(cmd.Context(), &proto.StartCPUProfileRequest{}); err != nil {
-		cmd.PrintErrf("Failed to start CPU profiling: %v\n", err)
-	} else {
-		cpuProfilingStarted = true
-		defer func() {
-			if cpuProfilingStarted {
-				if _, err := client.StopCPUProfile(cmd.Context(), &proto.StopCPUProfileRequest{}); err != nil {
-					cmd.PrintErrf("Failed to stop CPU profiling: %v\n", err)
-				}
-			}
-		}()
-	}
+	headerPostUp := fmt.Sprintf("----- NetBird post-up - Timestamp: %s", time.Now().Format(time.RFC3339))
+	statusOutput := fmt.Sprintf("%s\n%s", headerPostUp, getStatusOutput(cmd, anonymizeFlag))

 	if waitErr := waitForDurationOrCancel(cmd.Context(), duration, cmd); waitErr != nil {
 		return waitErr
 	}
 	cmd.Println("\nDuration completed")

-	if cpuProfilingStarted {
-		if _, err := client.StopCPUProfile(cmd.Context(), &proto.StopCPUProfileRequest{}); err != nil {
-			cmd.PrintErrf("Failed to stop CPU profiling: %v\n", err)
-		} else {
-			cpuProfilingStarted = false
-		}
-	}
-
 	cmd.Println("Creating debug bundle...")

+	headerPreDown := fmt.Sprintf("----- NetBird pre-down - Timestamp: %s - Duration: %s", time.Now().Format(time.RFC3339), duration)
+	statusOutput = fmt.Sprintf("%s\n%s\n%s", statusOutput, headerPreDown, getStatusOutput(cmd, anonymizeFlag))
 	request := &proto.DebugBundleRequest{
 		Anonymize:    anonymizeFlag,
+		Status:       statusOutput,
 		SystemInfo:   systemInfoFlag,
 		LogFileCount: logFileCount,
 	}
@@ -267,28 +247,18 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to bundle debug: %v", status.Convert(err).Message())
 	}

-	if needsRestoreUp {
-		if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
-			cmd.PrintErrf("Failed to restore service up state: %v\n", status.Convert(err).Message())
-		} else {
-			cmd.Println("netbird up (restored)")
-		}
-	}
-
 	if stateWasDown {
 		if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
-			cmd.PrintErrf("Failed to restore service down state: %v\n", status.Convert(err).Message())
-		} else {
-			cmd.Println("netbird down")
+			return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
 		}
+		cmd.Println("netbird down")
 	}

 	if !initialLevelTrace {
 		if _, err := client.SetLogLevel(cmd.Context(), &proto.SetLogLevelRequest{Level: initialLogLevel.GetLevel()}); err != nil {
-			cmd.PrintErrf("Failed to restore log level: %v\n", status.Convert(err).Message())
-		} else {
-			cmd.Println("Log level restored to", initialLogLevel.GetLevel())
+			return fmt.Errorf("failed to restore log level: %v", status.Convert(err).Message())
 		}
+		cmd.Println("Log level restored to", initialLogLevel.GetLevel())
 	}

 	cmd.Printf("Local file:\n%s\n", resp.GetPath())
@@ -332,6 +302,24 @@ func setSyncResponsePersistence(cmd *cobra.Command, args []string) error {
 	return nil
 }

+func getStatusOutput(cmd *cobra.Command, anon bool) string {
+	var statusOutputString string
+	statusResp, err := getStatus(cmd.Context(), true)
+	if err != nil {
+		cmd.PrintErrf("Failed to get status: %v\n", err)
+	} else {
+		pm := profilemanager.NewProfileManager()
+		var profName string
+		if activeProf, err := pm.GetActiveProfile(); err == nil {
+			profName = activeProf.Name
+		}
+
+		overview := nbstatus.ConvertToStatusOutputOverview(statusResp, anon, "", nil, nil, nil, "", profName)
+		statusOutputString = overview.FullDetailSummary()
+	}
+	return statusOutputString
+}
+
 func waitForDurationOrCancel(ctx context.Context, duration time.Duration, cmd *cobra.Command) error {
 	ticker := time.NewTicker(1 * time.Second)
 	defer ticker.Stop()
@@ -390,8 +378,7 @@ func generateDebugBundle(config *profilemanager.Config, recorder *peer.Status, c
 			InternalConfig: config,
 			StatusRecorder: recorder,
 			SyncResponse:   syncResponse,
-			LogPath:        logFilePath,
-			CPUProfile:     nil,
+			LogFile:        logFilePath,
 		},
 		debug.BundleConfig{
 			IncludeSystemInfo: true,
--- a/client/cmd/expose.go
+++ b/client/cmd/expose.go
@@ -1,287 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"io"
-	"os"
-	"os/signal"
-	"regexp"
-	"strconv"
-	"strings"
-	"syscall"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	"google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/client/internal/expose"
-	"github.com/netbirdio/netbird/client/proto"
-	"github.com/netbirdio/netbird/util"
-)
-
-var pinRegexp = regexp.MustCompile(`^\d{6}$`)
-
-var (
-	exposePin          string
-	exposePassword     string
-	exposeUserGroups   []string
-	exposeDomain       string
-	exposeNamePrefix   string
-	exposeProtocol     string
-	exposeExternalPort uint16
-)
-
-var exposeCmd = &cobra.Command{
-	Use:   "expose <port>",
-	Short: "Expose a local port via the NetBird reverse proxy",
-	Args:  cobra.ExactArgs(1),
-	Example: `  netbird expose --with-password safe-pass 8080
-  netbird expose --protocol tcp 5432
-  netbird expose --protocol tcp --with-external-port 5433 5432
-  netbird expose --protocol tls --with-custom-domain tls.example.com 4443`,
-	RunE: exposeFn,
-}
-
-func init() {
-	exposeCmd.Flags().StringVar(&exposePin, "with-pin", "", "Protect the exposed service with a 6-digit PIN (e.g. --with-pin 123456)")
-	exposeCmd.Flags().StringVar(&exposePassword, "with-password", "", "Protect the exposed service with a password (e.g. --with-password my-secret)")
-	exposeCmd.Flags().StringSliceVar(&exposeUserGroups, "with-user-groups", nil, "Restrict access to specific user groups with SSO (e.g. --with-user-groups devops,Backend)")
-	exposeCmd.Flags().StringVar(&exposeDomain, "with-custom-domain", "", "Custom domain for the exposed service, must be configured to your account (e.g. --with-custom-domain myapp.example.com)")
-	exposeCmd.Flags().StringVar(&exposeNamePrefix, "with-name-prefix", "", "Prefix for the generated service name (e.g. --with-name-prefix my-app)")
-	exposeCmd.Flags().StringVar(&exposeProtocol, "protocol", "http", "Protocol to use: http, https, tcp, udp, or tls (e.g. --protocol tcp)")
-	exposeCmd.Flags().Uint16Var(&exposeExternalPort, "with-external-port", 0, "Public-facing external port on the proxy cluster (defaults to the target port for L4)")
-}
-
-// isClusterProtocol returns true for L4/TLS protocols that reject HTTP-style auth flags.
-func isClusterProtocol(protocol string) bool {
-	switch strings.ToLower(protocol) {
-	case "tcp", "udp", "tls":
-		return true
-	default:
-		return false
-	}
-}
-
-// isPortBasedProtocol returns true for pure port-based protocols (TCP/UDP)
-// where domain display doesn't apply. TLS uses SNI so it has a domain.
-func isPortBasedProtocol(protocol string) bool {
-	switch strings.ToLower(protocol) {
-	case "tcp", "udp":
-		return true
-	default:
-		return false
-	}
-}
-
-// extractPort returns the port portion of a URL like "tcp://host:12345", or
-// falls back to the given default formatted as a string.
-func extractPort(serviceURL string, fallback uint16) string {
-	u := serviceURL
-	if idx := strings.Index(u, "://"); idx != -1 {
-		u = u[idx+3:]
-	}
-	if i := strings.LastIndex(u, ":"); i != -1 {
-		if p := u[i+1:]; p != "" {
-			return p
-		}
-	}
-	return strconv.FormatUint(uint64(fallback), 10)
-}
-
-// resolveExternalPort returns the effective external port, defaulting to the target port.
-func resolveExternalPort(targetPort uint64) uint16 {
-	if exposeExternalPort != 0 {
-		return exposeExternalPort
-	}
-	return uint16(targetPort)
-}
-
-func validateExposeFlags(cmd *cobra.Command, portStr string) (uint64, error) {
-	port, err := strconv.ParseUint(portStr, 10, 32)
-	if err != nil {
-		return 0, fmt.Errorf("invalid port number: %s", portStr)
-	}
-	if port == 0 || port > 65535 {
-		return 0, fmt.Errorf("invalid port number: must be between 1 and 65535")
-	}
-
-	if !isProtocolValid(exposeProtocol) {
-		return 0, fmt.Errorf("unsupported protocol %q: must be http, https, tcp, udp, or tls", exposeProtocol)
-	}
-
-	if isClusterProtocol(exposeProtocol) {
-		if exposePin != "" || exposePassword != "" || len(exposeUserGroups) > 0 {
-			return 0, fmt.Errorf("auth flags (--with-pin, --with-password, --with-user-groups) are not supported for %s protocol", exposeProtocol)
-		}
-	} else if cmd.Flags().Changed("with-external-port") {
-		return 0, fmt.Errorf("--with-external-port is not supported for %s protocol", exposeProtocol)
-	}
-
-	if exposePin != "" && !pinRegexp.MatchString(exposePin) {
-		return 0, fmt.Errorf("invalid pin: must be exactly 6 digits")
-	}
-
-	if cmd.Flags().Changed("with-password") && exposePassword == "" {
-		return 0, fmt.Errorf("password cannot be empty")
-	}
-
-	if cmd.Flags().Changed("with-user-groups") && len(exposeUserGroups) == 0 {
-		return 0, fmt.Errorf("user groups cannot be empty")
-	}
-
-	return port, nil
-}
-
-func isProtocolValid(exposeProtocol string) bool {
-	switch strings.ToLower(exposeProtocol) {
-	case "http", "https", "tcp", "udp", "tls":
-		return true
-	default:
-		return false
-	}
-}
-
-func exposeFn(cmd *cobra.Command, args []string) error {
-	SetFlagsFromEnvVars(rootCmd)
-
-	if err := util.InitLog(logLevel, util.LogConsole); err != nil {
-		log.Errorf("failed initializing log %v", err)
-		return err
-	}
-
-	cmd.Root().SilenceUsage = false
-
-	port, err := validateExposeFlags(cmd, args[0])
-	if err != nil {
-		return err
-	}
-
-	cmd.Root().SilenceUsage = true
-
-	ctx, cancel := context.WithCancel(cmd.Context())
-	defer cancel()
-
-	sigCh := make(chan os.Signal, 1)
-	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
-	go func() {
-		<-sigCh
-		cancel()
-	}()
-
-	conn, err := DialClientGRPCServer(ctx, daemonAddr)
-	if err != nil {
-		return fmt.Errorf("connect to daemon: %w", err)
-	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			log.Debugf("failed to close daemon connection: %v", err)
-		}
-	}()
-
-	client := proto.NewDaemonServiceClient(conn)
-
-	protocol, err := toExposeProtocol(exposeProtocol)
-	if err != nil {
-		return err
-	}
-
-	req := &proto.ExposeServiceRequest{
-		Port:       uint32(port),
-		Protocol:   protocol,
-		Pin:        exposePin,
-		Password:   exposePassword,
-		UserGroups: exposeUserGroups,
-		Domain:     exposeDomain,
-		NamePrefix: exposeNamePrefix,
-	}
-	if isClusterProtocol(exposeProtocol) {
-		req.ListenPort = uint32(resolveExternalPort(port))
-	}
-
-	stream, err := client.ExposeService(ctx, req)
-	if err != nil {
-		return fmt.Errorf("expose service: %v", status.Convert(err).Message())
-	}
-
-	if err := handleExposeReady(cmd, stream, port); err != nil {
-		return err
-	}
-
-	return waitForExposeEvents(cmd, ctx, stream)
-}
-
-func toExposeProtocol(exposeProtocol string) (proto.ExposeProtocol, error) {
-	p, err := expose.ParseProtocolType(exposeProtocol)
-	if err != nil {
-		return 0, fmt.Errorf("invalid protocol: %w", err)
-	}
-
-	switch p {
-	case expose.ProtocolHTTP:
-		return proto.ExposeProtocol_EXPOSE_HTTP, nil
-	case expose.ProtocolHTTPS:
-		return proto.ExposeProtocol_EXPOSE_HTTPS, nil
-	case expose.ProtocolTCP:
-		return proto.ExposeProtocol_EXPOSE_TCP, nil
-	case expose.ProtocolUDP:
-		return proto.ExposeProtocol_EXPOSE_UDP, nil
-	case expose.ProtocolTLS:
-		return proto.ExposeProtocol_EXPOSE_TLS, nil
-	default:
-		return 0, fmt.Errorf("unhandled protocol type: %d", p)
-	}
-}
-
-func handleExposeReady(cmd *cobra.Command, stream proto.DaemonService_ExposeServiceClient, port uint64) error {
-	event, err := stream.Recv()
-	if err != nil {
-		return fmt.Errorf("receive expose event: %v", status.Convert(err).Message())
-	}
-
-	ready, ok := event.Event.(*proto.ExposeServiceEvent_Ready)
-	if !ok {
-		return fmt.Errorf("unexpected expose event: %T", event.Event)
-	}
-	printExposeReady(cmd, ready.Ready, port)
-	return nil
-}
-
-func printExposeReady(cmd *cobra.Command, r *proto.ExposeServiceReady, port uint64) {
-	cmd.Println("Service exposed successfully!")
-	cmd.Printf("  Name:     %s\n", r.ServiceName)
-	if r.ServiceUrl != "" {
-		cmd.Printf("  URL:      %s\n", r.ServiceUrl)
-	}
-	if r.Domain != "" && !isPortBasedProtocol(exposeProtocol) {
-		cmd.Printf("  Domain:   %s\n", r.Domain)
-	}
-	cmd.Printf("  Protocol: %s\n", exposeProtocol)
-	cmd.Printf("  Internal: %d\n", port)
-	if isClusterProtocol(exposeProtocol) {
-		cmd.Printf("  External: %s\n", extractPort(r.ServiceUrl, resolveExternalPort(port)))
-	}
-	if r.PortAutoAssigned && exposeExternalPort != 0 {
-		cmd.Printf("\n  Note: requested port %d was reassigned\n", exposeExternalPort)
-	}
-	cmd.Println()
-	cmd.Println("Press Ctrl+C to stop exposing.")
-}
-
-func waitForExposeEvents(cmd *cobra.Command, ctx context.Context, stream proto.DaemonService_ExposeServiceClient) error {
-	for {
-		_, err := stream.Recv()
-		if err != nil {
-			if ctx.Err() != nil {
-				cmd.Println("\nService stopped.")
-				//nolint:nilerr
-				return nil
-			}
-			if errors.Is(err, io.EOF) {
-				return fmt.Errorf("connection to daemon closed unexpectedly")
-			}
-			return fmt.Errorf("stream error: %w", err)
-		}
-	}
-}
--- a/client/cmd/login.go
+++ b/client/cmd/login.go
@@ -7,6 +7,7 @@ import (
 	"os/user"
 	"runtime"
 	"strings"
+	"time"

 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -276,15 +277,18 @@ func handleSSOLogin(ctx context.Context, cmd *cobra.Command, loginResp *proto.Lo
 }

 func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, setupKey, profileName string) error {
-	authClient, err := auth.NewAuth(ctx, config.PrivateKey, config.ManagementURL, config)
-	if err != nil {
-		return fmt.Errorf("failed to create auth client: %v", err)
-	}
-	defer authClient.Close()
+	needsLogin := false

-	needsLogin, err := authClient.IsLoginRequired(ctx)
+	err := WithBackOff(func() error {
+		err := internal.Login(ctx, config, "", "")
+		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
+			needsLogin = true
+			return nil
+		}
+		return err
+	})
 	if err != nil {
-		return fmt.Errorf("check login required: %v", err)
+		return fmt.Errorf("backoff cycle failed: %v", err)
 	}

 	jwtToken := ""
@@ -296,9 +300,23 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profileman
 		jwtToken = tokenInfo.GetTokenToUse()
 	}

-	err, _ = authClient.Login(ctx, setupKey, jwtToken)
+	var lastError error
+
+	err = WithBackOff(func() error {
+		err := internal.Login(ctx, config, setupKey, jwtToken)
+		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
+			lastError = err
+			return nil
+		}
+		return err
+	})
+
+	if lastError != nil {
+		return fmt.Errorf("login failed: %v", lastError)
+	}
+
 	if err != nil {
-		return fmt.Errorf("login failed: %v", err)
+		return fmt.Errorf("backoff cycle failed: %v", err)
 	}

 	return nil
@@ -326,7 +344,11 @@ func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *pro

 	openURL(cmd, flowInfo.VerificationURIComplete, flowInfo.UserCode, noBrowser)

-	tokenInfo, err := oAuthFlow.WaitToken(context.TODO(), flowInfo)
+	waitTimeout := time.Duration(flowInfo.ExpiresIn) * time.Second
+	waitCTX, c := context.WithTimeout(context.TODO(), waitTimeout)
+	defer c()
+
+	tokenInfo, err := oAuthFlow.WaitToken(waitCTX, flowInfo)
 	if err != nil {
 		return nil, fmt.Errorf("waiting for browser login failed: %v", err)
 	}
--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -22,7 +22,6 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"

-	daddr "github.com/netbirdio/netbird/client/internal/daemonaddr"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 )

@@ -81,15 +80,6 @@ var (
 		Short:        "",
 		Long:         "",
 		SilenceUsage: true,
-		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-			SetFlagsFromEnvVars(cmd.Root())
-
-			// Don't resolve for service commands — they create the socket, not connect to it.
-			if !isServiceCmd(cmd) {
-				daemonAddr = daddr.ResolveUnixDaemonAddr(daemonAddr)
-			}
-			return nil
-		},
 	}
 )

@@ -154,7 +144,6 @@ func init() {
 	rootCmd.AddCommand(forwardingRulesCmd)
 	rootCmd.AddCommand(debugCmd)
 	rootCmd.AddCommand(profileCmd)
-	rootCmd.AddCommand(exposeCmd)

 	networksCMD.AddCommand(routesListCmd)
 	networksCMD.AddCommand(routesSelectCmd, routesDeselectCmd)
@@ -396,6 +385,7 @@ func migrateToNetbird(oldPath, newPath string) bool {
 }

 func getClient(cmd *cobra.Command) (*grpc.ClientConn, error) {
+	SetFlagsFromEnvVars(rootCmd)
 	cmd.SetOut(cmd.OutOrStdout())

 	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
@@ -408,13 +398,3 @@ func getClient(cmd *cobra.Command) (*grpc.ClientConn, error) {

 	return conn, nil
 }
-
-// isServiceCmd returns true if cmd is the "service" command or a child of it.
-func isServiceCmd(cmd *cobra.Command) bool {
-	for c := cmd; c != nil; c = c.Parent() {
-		if c.Name() == "service" {
-			return true
-		}
-	}
-	return false
-}
--- a/client/cmd/service.go
+++ b/client/cmd/service.go
@@ -41,7 +41,7 @@ func init() {
 		defaultServiceName = "Netbird"
 	}

-	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd, svcStatusCmd, installCmd, uninstallCmd, reconfigureCmd, resetParamsCmd)
+	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd, svcStatusCmd, installCmd, uninstallCmd, reconfigureCmd)
 	serviceCmd.PersistentFlags().BoolVar(&profilesDisabled, "disable-profiles", false, "Disables profiles feature. If enabled, the client will not be able to change or edit any profile. To persist this setting, use: netbird service install --disable-profiles")
 	serviceCmd.PersistentFlags().BoolVar(&updateSettingsDisabled, "disable-update-settings", false, "Disables update settings feature. If enabled, the client will not be able to change or edit any settings. To persist this setting, use: netbird service install --disable-update-settings")

--- a/client/cmd/service_controller.go
+++ b/client/cmd/service_controller.go
@@ -103,7 +103,7 @@ func (p *program) Stop(srv service.Service) error {

 // Common setup for service control commands
 func setupServiceControlCommand(cmd *cobra.Command, ctx context.Context, cancel context.CancelFunc) (service.Service, error) {
-	// rootCmd env vars are already applied by PersistentPreRunE.
+	SetFlagsFromEnvVars(rootCmd)
 	SetFlagsFromEnvVars(serviceCmd)

 	cmd.SetOut(cmd.OutOrStdout())
--- a/client/cmd/service_installer.go
+++ b/client/cmd/service_installer.go
@@ -119,10 +119,6 @@ var installCmd = &cobra.Command{
 			return err
 		}

-		if err := loadAndApplyServiceParams(cmd); err != nil {
-			cmd.PrintErrf("Warning: failed to load saved service params: %v\n", err)
-		}
-
 		svcConfig, err := createServiceConfigForInstall()
 		if err != nil {
 			return err
@@ -140,10 +136,6 @@ var installCmd = &cobra.Command{
 			return fmt.Errorf("install service: %w", err)
 		}

-		if err := saveServiceParams(currentServiceParams()); err != nil {
-			cmd.PrintErrf("Warning: failed to save service params: %v\n", err)
-		}
-
 		cmd.Println("NetBird service has been installed")
 		return nil
 	},
@@ -195,10 +187,6 @@ This command will temporarily stop the service, update its configuration, and re
 			return err
 		}

-		if err := loadAndApplyServiceParams(cmd); err != nil {
-			cmd.PrintErrf("Warning: failed to load saved service params: %v\n", err)
-		}
-
 		wasRunning, err := isServiceRunning()
 		if err != nil && !errors.Is(err, ErrGetServiceStatus) {
 			return fmt.Errorf("check service status: %w", err)
@@ -234,10 +222,6 @@ This command will temporarily stop the service, update its configuration, and re
 			return fmt.Errorf("install service with new config: %w", err)
 		}

-		if err := saveServiceParams(currentServiceParams()); err != nil {
-			cmd.PrintErrf("Warning: failed to save service params: %v\n", err)
-		}
-
 		if wasRunning {
 			cmd.Println("Starting NetBird service...")
 			if err := s.Start(); err != nil {
--- a/client/cmd/service_params.go
+++ b/client/cmd/service_params.go
@@ -1,201 +0,0 @@
-//go:build !ios && !android
-
-package cmd
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"maps"
-	"os"
-	"path/filepath"
-
-	"github.com/spf13/cobra"
-
-	"github.com/netbirdio/netbird/client/configs"
-	"github.com/netbirdio/netbird/util"
-)
-
-const serviceParamsFile = "service.json"
-
-// serviceParams holds install-time service parameters that persist across
-// uninstall/reinstall cycles. Saved to <stateDir>/service.json.
-type serviceParams struct {
-	LogLevel              string            `json:"log_level"`
-	DaemonAddr            string            `json:"daemon_addr"`
-	ManagementURL         string            `json:"management_url,omitempty"`
-	ConfigPath            string            `json:"config_path,omitempty"`
-	LogFiles              []string          `json:"log_files,omitempty"`
-	DisableProfiles       bool              `json:"disable_profiles,omitempty"`
-	DisableUpdateSettings bool              `json:"disable_update_settings,omitempty"`
-	ServiceEnvVars        map[string]string `json:"service_env_vars,omitempty"`
-}
-
-// serviceParamsPath returns the path to the service params file.
-func serviceParamsPath() string {
-	return filepath.Join(configs.StateDir, serviceParamsFile)
-}
-
-// loadServiceParams reads saved service parameters from disk.
-// Returns nil with no error if the file does not exist.
-func loadServiceParams() (*serviceParams, error) {
-	path := serviceParamsPath()
-
-	data, err := os.ReadFile(path)
-	if err != nil {
-		if os.IsNotExist(err) {
-			return nil, nil //nolint:nilnil
-		}
-		return nil, fmt.Errorf("read service params %s: %w", path, err)
-	}
-
-	var params serviceParams
-	if err := json.Unmarshal(data, &params); err != nil {
-		return nil, fmt.Errorf("parse service params %s: %w", path, err)
-	}
-
-	return &params, nil
-}
-
-// saveServiceParams writes current service parameters to disk atomically
-// with restricted permissions.
-func saveServiceParams(params *serviceParams) error {
-	path := serviceParamsPath()
-	if err := util.WriteJsonWithRestrictedPermission(context.Background(), path, params); err != nil {
-		return fmt.Errorf("save service params: %w", err)
-	}
-	return nil
-}
-
-// currentServiceParams captures the current state of all package-level
-// variables into a serviceParams struct.
-func currentServiceParams() *serviceParams {
-	params := &serviceParams{
-		LogLevel:              logLevel,
-		DaemonAddr:            daemonAddr,
-		ManagementURL:         managementURL,
-		ConfigPath:            configPath,
-		LogFiles:              logFiles,
-		DisableProfiles:       profilesDisabled,
-		DisableUpdateSettings: updateSettingsDisabled,
-	}
-
-	if len(serviceEnvVars) > 0 {
-		parsed, err := parseServiceEnvVars(serviceEnvVars)
-		if err == nil && len(parsed) > 0 {
-			params.ServiceEnvVars = parsed
-		}
-	}
-
-	return params
-}
-
-// loadAndApplyServiceParams loads saved params from disk and applies them
-// to any flags that were not explicitly set.
-func loadAndApplyServiceParams(cmd *cobra.Command) error {
-	params, err := loadServiceParams()
-	if err != nil {
-		return err
-	}
-	applyServiceParams(cmd, params)
-	return nil
-}
-
-// applyServiceParams merges saved parameters into package-level variables
-// for any flag that was not explicitly set by the user (via CLI or env var).
-// Flags that were Changed() are left untouched.
-func applyServiceParams(cmd *cobra.Command, params *serviceParams) {
-	if params == nil {
-		return
-	}
-
-	// For fields with non-empty defaults (log-level, daemon-addr), keep the
-	// != "" guard so that an older service.json missing the field doesn't
-	// clobber the default with an empty string.
-	if !rootCmd.PersistentFlags().Changed("log-level") && params.LogLevel != "" {
-		logLevel = params.LogLevel
-	}
-
-	if !rootCmd.PersistentFlags().Changed("daemon-addr") && params.DaemonAddr != "" {
-		daemonAddr = params.DaemonAddr
-	}
-
-	// For optional fields where empty means "use default", always apply so
-	// that an explicit clear (--management-url "") persists across reinstalls.
-	if !rootCmd.PersistentFlags().Changed("management-url") {
-		managementURL = params.ManagementURL
-	}
-
-	if !rootCmd.PersistentFlags().Changed("config") {
-		configPath = params.ConfigPath
-	}
-
-	if !rootCmd.PersistentFlags().Changed("log-file") {
-		logFiles = params.LogFiles
-	}
-
-	if !serviceCmd.PersistentFlags().Changed("disable-profiles") {
-		profilesDisabled = params.DisableProfiles
-	}
-
-	if !serviceCmd.PersistentFlags().Changed("disable-update-settings") {
-		updateSettingsDisabled = params.DisableUpdateSettings
-	}
-
-	applyServiceEnvParams(cmd, params)
-}
-
-// applyServiceEnvParams merges saved service environment variables.
-// If --service-env was explicitly set, explicit values win on key conflict
-// but saved keys not in the explicit set are carried over.
-// If --service-env was not set, saved env vars are used entirely.
-func applyServiceEnvParams(cmd *cobra.Command, params *serviceParams) {
-	if len(params.ServiceEnvVars) == 0 {
-		return
-	}
-
-	if !cmd.Flags().Changed("service-env") {
-		// No explicit env vars: rebuild serviceEnvVars from saved params.
-		serviceEnvVars = envMapToSlice(params.ServiceEnvVars)
-		return
-	}
-
-	// Explicit env vars were provided: merge saved values underneath.
-	explicit, err := parseServiceEnvVars(serviceEnvVars)
-	if err != nil {
-		cmd.PrintErrf("Warning: parse explicit service env vars for merge: %v\n", err)
-		return
-	}
-
-	merged := make(map[string]string, len(params.ServiceEnvVars)+len(explicit))
-	maps.Copy(merged, params.ServiceEnvVars)
-	maps.Copy(merged, explicit) // explicit wins on conflict
-	serviceEnvVars = envMapToSlice(merged)
-}
-
-var resetParamsCmd = &cobra.Command{
-	Use:   "reset-params",
-	Short: "Remove saved service install parameters",
-	Long:  "Removes the saved service.json file so the next install uses default parameters.",
-	RunE: func(cmd *cobra.Command, args []string) error {
-		path := serviceParamsPath()
-		if err := os.Remove(path); err != nil {
-			if os.IsNotExist(err) {
-				cmd.Println("No saved service parameters found")
-				return nil
-			}
-			return fmt.Errorf("remove service params: %w", err)
-		}
-		cmd.Printf("Removed saved service parameters (%s)\n", path)
-		return nil
-	},
-}
-
-// envMapToSlice converts a map of env vars to a KEY=VALUE slice.
-func envMapToSlice(m map[string]string) []string {
-	s := make([]string, 0, len(m))
-	for k, v := range m {
-		s = append(s, k+"="+v)
-	}
-	return s
-}
--- a/client/cmd/service_params_test.go
+++ b/client/cmd/service_params_test.go
@@ -1,523 +0,0 @@
-//go:build !ios && !android
-
-package cmd
-
-import (
-	"encoding/json"
-	"go/ast"
-	"go/parser"
-	"go/token"
-	"os"
-	"path/filepath"
-	"strings"
-	"testing"
-
-	"github.com/spf13/cobra"
-	"github.com/spf13/pflag"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/configs"
-)
-
-func TestServiceParamsPath(t *testing.T) {
-	original := configs.StateDir
-	t.Cleanup(func() { configs.StateDir = original })
-
-	configs.StateDir = "/var/lib/netbird"
-	assert.Equal(t, filepath.Join("/var/lib/netbird", "service.json"), serviceParamsPath())
-
-	configs.StateDir = "/custom/state"
-	assert.Equal(t, filepath.Join("/custom/state", "service.json"), serviceParamsPath())
-}
-
-func TestSaveAndLoadServiceParams(t *testing.T) {
-	tmpDir := t.TempDir()
-
-	original := configs.StateDir
-	t.Cleanup(func() { configs.StateDir = original })
-	configs.StateDir = tmpDir
-
-	params := &serviceParams{
-		LogLevel:              "debug",
-		DaemonAddr:            "unix:///var/run/netbird.sock",
-		ManagementURL:         "https://my.server.com",
-		ConfigPath:            "/etc/netbird/config.json",
-		LogFiles:              []string{"/var/log/netbird/client.log", "console"},
-		DisableProfiles:       true,
-		DisableUpdateSettings: false,
-		ServiceEnvVars:        map[string]string{"NB_LOG_FORMAT": "json", "CUSTOM": "val"},
-	}
-
-	err := saveServiceParams(params)
-	require.NoError(t, err)
-
-	// Verify the file exists and is valid JSON.
-	data, err := os.ReadFile(filepath.Join(tmpDir, "service.json"))
-	require.NoError(t, err)
-	assert.True(t, json.Valid(data))
-
-	loaded, err := loadServiceParams()
-	require.NoError(t, err)
-	require.NotNil(t, loaded)
-
-	assert.Equal(t, params.LogLevel, loaded.LogLevel)
-	assert.Equal(t, params.DaemonAddr, loaded.DaemonAddr)
-	assert.Equal(t, params.ManagementURL, loaded.ManagementURL)
-	assert.Equal(t, params.ConfigPath, loaded.ConfigPath)
-	assert.Equal(t, params.LogFiles, loaded.LogFiles)
-	assert.Equal(t, params.DisableProfiles, loaded.DisableProfiles)
-	assert.Equal(t, params.DisableUpdateSettings, loaded.DisableUpdateSettings)
-	assert.Equal(t, params.ServiceEnvVars, loaded.ServiceEnvVars)
-}
-
-func TestLoadServiceParams_FileNotExists(t *testing.T) {
-	tmpDir := t.TempDir()
-
-	original := configs.StateDir
-	t.Cleanup(func() { configs.StateDir = original })
-	configs.StateDir = tmpDir
-
-	params, err := loadServiceParams()
-	assert.NoError(t, err)
-	assert.Nil(t, params)
-}
-
-func TestLoadServiceParams_InvalidJSON(t *testing.T) {
-	tmpDir := t.TempDir()
-
-	original := configs.StateDir
-	t.Cleanup(func() { configs.StateDir = original })
-	configs.StateDir = tmpDir
-
-	err := os.WriteFile(filepath.Join(tmpDir, "service.json"), []byte("not json"), 0600)
-	require.NoError(t, err)
-
-	params, err := loadServiceParams()
-	assert.Error(t, err)
-	assert.Nil(t, params)
-}
-
-func TestCurrentServiceParams(t *testing.T) {
-	origLogLevel := logLevel
-	origDaemonAddr := daemonAddr
-	origManagementURL := managementURL
-	origConfigPath := configPath
-	origLogFiles := logFiles
-	origProfilesDisabled := profilesDisabled
-	origUpdateSettingsDisabled := updateSettingsDisabled
-	origServiceEnvVars := serviceEnvVars
-	t.Cleanup(func() {
-		logLevel = origLogLevel
-		daemonAddr = origDaemonAddr
-		managementURL = origManagementURL
-		configPath = origConfigPath
-		logFiles = origLogFiles
-		profilesDisabled = origProfilesDisabled
-		updateSettingsDisabled = origUpdateSettingsDisabled
-		serviceEnvVars = origServiceEnvVars
-	})
-
-	logLevel = "trace"
-	daemonAddr = "tcp://127.0.0.1:9999"
-	managementURL = "https://mgmt.example.com"
-	configPath = "/tmp/test-config.json"
-	logFiles = []string{"/tmp/test.log"}
-	profilesDisabled = true
-	updateSettingsDisabled = true
-	serviceEnvVars = []string{"FOO=bar", "BAZ=qux"}
-
-	params := currentServiceParams()
-
-	assert.Equal(t, "trace", params.LogLevel)
-	assert.Equal(t, "tcp://127.0.0.1:9999", params.DaemonAddr)
-	assert.Equal(t, "https://mgmt.example.com", params.ManagementURL)
-	assert.Equal(t, "/tmp/test-config.json", params.ConfigPath)
-	assert.Equal(t, []string{"/tmp/test.log"}, params.LogFiles)
-	assert.True(t, params.DisableProfiles)
-	assert.True(t, params.DisableUpdateSettings)
-	assert.Equal(t, map[string]string{"FOO": "bar", "BAZ": "qux"}, params.ServiceEnvVars)
-}
-
-func TestApplyServiceParams_OnlyUnchangedFlags(t *testing.T) {
-	origLogLevel := logLevel
-	origDaemonAddr := daemonAddr
-	origManagementURL := managementURL
-	origConfigPath := configPath
-	origLogFiles := logFiles
-	origProfilesDisabled := profilesDisabled
-	origUpdateSettingsDisabled := updateSettingsDisabled
-	origServiceEnvVars := serviceEnvVars
-	t.Cleanup(func() {
-		logLevel = origLogLevel
-		daemonAddr = origDaemonAddr
-		managementURL = origManagementURL
-		configPath = origConfigPath
-		logFiles = origLogFiles
-		profilesDisabled = origProfilesDisabled
-		updateSettingsDisabled = origUpdateSettingsDisabled
-		serviceEnvVars = origServiceEnvVars
-	})
-
-	// Reset all flags to defaults.
-	logLevel = "info"
-	daemonAddr = "unix:///var/run/netbird.sock"
-	managementURL = ""
-	configPath = "/etc/netbird/config.json"
-	logFiles = []string{"/var/log/netbird/client.log"}
-	profilesDisabled = false
-	updateSettingsDisabled = false
-	serviceEnvVars = nil
-
-	// Reset Changed state on all relevant flags.
-	rootCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
-		f.Changed = false
-	})
-	serviceCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
-		f.Changed = false
-	})
-
-	// Simulate user explicitly setting --log-level via CLI.
-	logLevel = "warn"
-	require.NoError(t, rootCmd.PersistentFlags().Set("log-level", "warn"))
-
-	saved := &serviceParams{
-		LogLevel:              "debug",
-		DaemonAddr:            "tcp://127.0.0.1:5555",
-		ManagementURL:         "https://saved.example.com",
-		ConfigPath:            "/saved/config.json",
-		LogFiles:              []string{"/saved/client.log"},
-		DisableProfiles:       true,
-		DisableUpdateSettings: true,
-		ServiceEnvVars:        map[string]string{"SAVED_KEY": "saved_val"},
-	}
-
-	cmd := &cobra.Command{}
-	cmd.Flags().StringSlice("service-env", nil, "")
-	applyServiceParams(cmd, saved)
-
-	// log-level was Changed, so it should keep "warn", not use saved "debug".
-	assert.Equal(t, "warn", logLevel)
-
-	// All other fields were not Changed, so they should use saved values.
-	assert.Equal(t, "tcp://127.0.0.1:5555", daemonAddr)
-	assert.Equal(t, "https://saved.example.com", managementURL)
-	assert.Equal(t, "/saved/config.json", configPath)
-	assert.Equal(t, []string{"/saved/client.log"}, logFiles)
-	assert.True(t, profilesDisabled)
-	assert.True(t, updateSettingsDisabled)
-	assert.Equal(t, []string{"SAVED_KEY=saved_val"}, serviceEnvVars)
-}
-
-func TestApplyServiceParams_BooleanRevertToFalse(t *testing.T) {
-	origProfilesDisabled := profilesDisabled
-	origUpdateSettingsDisabled := updateSettingsDisabled
-	t.Cleanup(func() {
-		profilesDisabled = origProfilesDisabled
-		updateSettingsDisabled = origUpdateSettingsDisabled
-	})
-
-	// Simulate current state where booleans are true (e.g. set by previous install).
-	profilesDisabled = true
-	updateSettingsDisabled = true
-
-	// Reset Changed state so flags appear unset.
-	serviceCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
-		f.Changed = false
-	})
-
-	// Saved params have both as false.
-	saved := &serviceParams{
-		DisableProfiles:       false,
-		DisableUpdateSettings: false,
-	}
-
-	cmd := &cobra.Command{}
-	cmd.Flags().StringSlice("service-env", nil, "")
-	applyServiceParams(cmd, saved)
-
-	assert.False(t, profilesDisabled, "saved false should override current true")
-	assert.False(t, updateSettingsDisabled, "saved false should override current true")
-}
-
-func TestApplyServiceParams_ClearManagementURL(t *testing.T) {
-	origManagementURL := managementURL
-	t.Cleanup(func() { managementURL = origManagementURL })
-
-	managementURL = "https://leftover.example.com"
-
-	// Simulate saved params where management URL was explicitly cleared.
-	saved := &serviceParams{
-		LogLevel:   "info",
-		DaemonAddr: "unix:///var/run/netbird.sock",
-		// ManagementURL intentionally empty: was cleared with --management-url "".
-	}
-
-	rootCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
-		f.Changed = false
-	})
-
-	cmd := &cobra.Command{}
-	cmd.Flags().StringSlice("service-env", nil, "")
-	applyServiceParams(cmd, saved)
-
-	assert.Equal(t, "", managementURL, "saved empty management URL should clear the current value")
-}
-
-func TestApplyServiceParams_NilParams(t *testing.T) {
-	origLogLevel := logLevel
-	t.Cleanup(func() { logLevel = origLogLevel })
-
-	logLevel = "info"
-	cmd := &cobra.Command{}
-	cmd.Flags().StringSlice("service-env", nil, "")
-
-	// Should be a no-op.
-	applyServiceParams(cmd, nil)
-	assert.Equal(t, "info", logLevel)
-}
-
-func TestApplyServiceEnvParams_MergeExplicitAndSaved(t *testing.T) {
-	origServiceEnvVars := serviceEnvVars
-	t.Cleanup(func() { serviceEnvVars = origServiceEnvVars })
-
-	// Set up a command with --service-env marked as Changed.
-	cmd := &cobra.Command{}
-	cmd.Flags().StringSlice("service-env", nil, "")
-	require.NoError(t, cmd.Flags().Set("service-env", "EXPLICIT=yes,OVERLAP=explicit"))
-
-	serviceEnvVars = []string{"EXPLICIT=yes", "OVERLAP=explicit"}
-
-	saved := &serviceParams{
-		ServiceEnvVars: map[string]string{
-			"SAVED":   "val",
-			"OVERLAP": "saved",
-		},
-	}
-
-	applyServiceEnvParams(cmd, saved)
-
-	// Parse result for easier assertion.
-	result, err := parseServiceEnvVars(serviceEnvVars)
-	require.NoError(t, err)
-
-	assert.Equal(t, "yes", result["EXPLICIT"])
-	assert.Equal(t, "val", result["SAVED"])
-	// Explicit wins on conflict.
-	assert.Equal(t, "explicit", result["OVERLAP"])
-}
-
-func TestApplyServiceEnvParams_NotChanged(t *testing.T) {
-	origServiceEnvVars := serviceEnvVars
-	t.Cleanup(func() { serviceEnvVars = origServiceEnvVars })
-
-	serviceEnvVars = nil
-
-	cmd := &cobra.Command{}
-	cmd.Flags().StringSlice("service-env", nil, "")
-
-	saved := &serviceParams{
-		ServiceEnvVars: map[string]string{"FROM_SAVED": "val"},
-	}
-
-	applyServiceEnvParams(cmd, saved)
-
-	result, err := parseServiceEnvVars(serviceEnvVars)
-	require.NoError(t, err)
-	assert.Equal(t, map[string]string{"FROM_SAVED": "val"}, result)
-}
-
-// TestServiceParams_FieldsCoveredInFunctions ensures that all serviceParams fields are
-// referenced in both currentServiceParams() and applyServiceParams(). If a new field is
-// added to serviceParams but not wired into these functions, this test fails.
-func TestServiceParams_FieldsCoveredInFunctions(t *testing.T) {
-	fset := token.NewFileSet()
-	file, err := parser.ParseFile(fset, "service_params.go", nil, 0)
-	require.NoError(t, err)
-
-	// Collect all JSON field names from the serviceParams struct.
-	structFields := extractStructJSONFields(t, file, "serviceParams")
-	require.NotEmpty(t, structFields, "failed to find serviceParams struct fields")
-
-	// Collect field names referenced in currentServiceParams and applyServiceParams.
-	currentFields := extractFuncFieldRefs(t, file, "currentServiceParams", structFields)
-	applyFields := extractFuncFieldRefs(t, file, "applyServiceParams", structFields)
-	// applyServiceEnvParams handles ServiceEnvVars indirectly.
-	applyEnvFields := extractFuncFieldRefs(t, file, "applyServiceEnvParams", structFields)
-	for k, v := range applyEnvFields {
-		applyFields[k] = v
-	}
-
-	for _, field := range structFields {
-		assert.Contains(t, currentFields, field,
-			"serviceParams field %q is not captured in currentServiceParams()", field)
-		assert.Contains(t, applyFields, field,
-			"serviceParams field %q is not restored in applyServiceParams()/applyServiceEnvParams()", field)
-	}
-}
-
-// TestServiceParams_BuildArgsCoversAllFlags ensures that buildServiceArguments references
-// all serviceParams fields that should become CLI args. ServiceEnvVars is excluded because
-// it flows through newSVCConfig() EnvVars, not CLI args.
-func TestServiceParams_BuildArgsCoversAllFlags(t *testing.T) {
-	fset := token.NewFileSet()
-	file, err := parser.ParseFile(fset, "service_params.go", nil, 0)
-	require.NoError(t, err)
-
-	structFields := extractStructJSONFields(t, file, "serviceParams")
-	require.NotEmpty(t, structFields)
-
-	installerFile, err := parser.ParseFile(fset, "service_installer.go", nil, 0)
-	require.NoError(t, err)
-
-	// Fields that are handled outside of buildServiceArguments (env vars go through newSVCConfig).
-	fieldsNotInArgs := map[string]bool{
-		"ServiceEnvVars": true,
-	}
-
-	buildFields := extractFuncGlobalRefs(t, installerFile, "buildServiceArguments")
-
-	// Forward: every struct field must appear in buildServiceArguments.
-	for _, field := range structFields {
-		if fieldsNotInArgs[field] {
-			continue
-		}
-		globalVar := fieldToGlobalVar(field)
-		assert.Contains(t, buildFields, globalVar,
-			"serviceParams field %q (global %q) is not referenced in buildServiceArguments()", field, globalVar)
-	}
-
-	// Reverse: every service-related global used in buildServiceArguments must
-	// have a corresponding serviceParams field. This catches a developer adding
-	// a new flag to buildServiceArguments without adding it to the struct.
-	globalToField := make(map[string]string, len(structFields))
-	for _, field := range structFields {
-		globalToField[fieldToGlobalVar(field)] = field
-	}
-	// Identifiers in buildServiceArguments that are not service params
-	// (builtins, boilerplate, loop variables).
-	nonParamGlobals := map[string]bool{
-		"args": true, "append": true, "string": true, "_": true,
-		"logFile": true, // range variable over logFiles
-	}
-	for ref := range buildFields {
-		if nonParamGlobals[ref] {
-			continue
-		}
-		_, inStruct := globalToField[ref]
-		assert.True(t, inStruct,
-			"buildServiceArguments() references global %q which has no corresponding serviceParams field", ref)
-	}
-}
-
-// extractStructJSONFields returns field names from a named struct type.
-func extractStructJSONFields(t *testing.T, file *ast.File, structName string) []string {
-	t.Helper()
-	var fields []string
-	ast.Inspect(file, func(n ast.Node) bool {
-		ts, ok := n.(*ast.TypeSpec)
-		if !ok || ts.Name.Name != structName {
-			return true
-		}
-		st, ok := ts.Type.(*ast.StructType)
-		if !ok {
-			return false
-		}
-		for _, f := range st.Fields.List {
-			if len(f.Names) > 0 {
-				fields = append(fields, f.Names[0].Name)
-			}
-		}
-		return false
-	})
-	return fields
-}
-
-// extractFuncFieldRefs returns which of the given field names appear inside the
-// named function, either as selector expressions (params.FieldName) or as
-// composite literal keys (&serviceParams{FieldName: ...}).
-func extractFuncFieldRefs(t *testing.T, file *ast.File, funcName string, fields []string) map[string]bool {
-	t.Helper()
-	fieldSet := make(map[string]bool, len(fields))
-	for _, f := range fields {
-		fieldSet[f] = true
-	}
-
-	found := make(map[string]bool)
-	fn := findFuncDecl(file, funcName)
-	require.NotNil(t, fn, "function %s not found", funcName)
-
-	ast.Inspect(fn.Body, func(n ast.Node) bool {
-		switch v := n.(type) {
-		case *ast.SelectorExpr:
-			if fieldSet[v.Sel.Name] {
-				found[v.Sel.Name] = true
-			}
-		case *ast.KeyValueExpr:
-			if ident, ok := v.Key.(*ast.Ident); ok && fieldSet[ident.Name] {
-				found[ident.Name] = true
-			}
-		}
-		return true
-	})
-	return found
-}
-
-// extractFuncGlobalRefs returns all identifier names referenced in the named function body.
-func extractFuncGlobalRefs(t *testing.T, file *ast.File, funcName string) map[string]bool {
-	t.Helper()
-	fn := findFuncDecl(file, funcName)
-	require.NotNil(t, fn, "function %s not found", funcName)
-
-	refs := make(map[string]bool)
-	ast.Inspect(fn.Body, func(n ast.Node) bool {
-		if ident, ok := n.(*ast.Ident); ok {
-			refs[ident.Name] = true
-		}
-		return true
-	})
-	return refs
-}
-
-func findFuncDecl(file *ast.File, name string) *ast.FuncDecl {
-	for _, decl := range file.Decls {
-		fn, ok := decl.(*ast.FuncDecl)
-		if ok && fn.Name.Name == name {
-			return fn
-		}
-	}
-	return nil
-}
-
-// fieldToGlobalVar maps serviceParams field names to the package-level variable
-// names used in buildServiceArguments and applyServiceParams.
-func fieldToGlobalVar(field string) string {
-	m := map[string]string{
-		"LogLevel":              "logLevel",
-		"DaemonAddr":            "daemonAddr",
-		"ManagementURL":         "managementURL",
-		"ConfigPath":            "configPath",
-		"LogFiles":              "logFiles",
-		"DisableProfiles":       "profilesDisabled",
-		"DisableUpdateSettings": "updateSettingsDisabled",
-		"ServiceEnvVars":        "serviceEnvVars",
-	}
-	if v, ok := m[field]; ok {
-		return v
-	}
-	// Default: lowercase first letter.
-	return strings.ToLower(field[:1]) + field[1:]
-}
-
-func TestEnvMapToSlice(t *testing.T) {
-	m := map[string]string{"A": "1", "B": "2"}
-	s := envMapToSlice(m)
-	assert.Len(t, s, 2)
-	assert.Contains(t, s, "A=1")
-	assert.Contains(t, s, "B=2")
-}
-
-func TestEnvMapToSlice_Empty(t *testing.T) {
-	s := envMapToSlice(map[string]string{})
-	assert.Empty(t, s)
-}
--- a/client/cmd/service_test.go
+++ b/client/cmd/service_test.go
@@ -4,9 +4,7 @@ import (
 	"context"
 	"fmt"
 	"os"
-	"os/signal"
 	"runtime"
-	"syscall"
 	"testing"
 	"time"

@@ -15,22 +13,6 @@ import (
 	"github.com/stretchr/testify/require"
 )

-// TestMain intercepts when this test binary is run as a daemon subprocess.
-// On FreeBSD, the rc.d service script runs the binary via daemon(8) -r with
-// "service run ..." arguments. Since the test binary can't handle cobra CLI
-// args, it exits immediately, causing daemon -r to respawn rapidly until
-// hitting the rate limit and exiting. This makes service restart unreliable.
-// Blocking here keeps the subprocess alive until the init system sends SIGTERM.
-func TestMain(m *testing.M) {
-	if len(os.Args) > 2 && os.Args[1] == "service" && os.Args[2] == "run" {
-		sig := make(chan os.Signal, 1)
-		signal.Notify(sig, syscall.SIGTERM, os.Interrupt)
-		<-sig
-		return
-	}
-	os.Exit(m.Run())
-}
-
 const (
 	serviceStartTimeout = 10 * time.Second
 	serviceStopTimeout  = 5 * time.Second
@@ -97,34 +79,6 @@ func TestServiceLifecycle(t *testing.T) {
 	logLevel = "info"
 	daemonAddr = fmt.Sprintf("unix://%s/netbird-test.sock", tempDir)

-	// Ensure cleanup even if a subtest fails and Stop/Uninstall subtests don't run.
-	t.Cleanup(func() {
-		cfg, err := newSVCConfig()
-		if err != nil {
-			t.Errorf("cleanup: create service config: %v", err)
-			return
-		}
-		ctxSvc, cancel := context.WithCancel(context.Background())
-		defer cancel()
-		s, err := newSVC(newProgram(ctxSvc, cancel), cfg)
-		if err != nil {
-			t.Errorf("cleanup: create service: %v", err)
-			return
-		}
-
-		// If the subtests already cleaned up, there's nothing to do.
-		if _, err := s.Status(); err != nil {
-			return
-		}
-
-		if err := s.Stop(); err != nil {
-			t.Errorf("cleanup: stop service: %v", err)
-		}
-		if err := s.Uninstall(); err != nil {
-			t.Errorf("cleanup: uninstall service: %v", err)
-		}
-	})
-
 	ctx := context.Background()

 	t.Run("Install", func(t *testing.T) {
--- a/client/cmd/signer/artifactkey.go
+++ b/client/cmd/signer/artifactkey.go
@@ -7,7 +7,7 @@ import (

 	"github.com/spf13/cobra"

-	"github.com/netbirdio/netbird/client/internal/updater/reposign"
+	"github.com/netbirdio/netbird/client/internal/updatemanager/reposign"
 )

 var (
--- a/client/cmd/signer/artifactsign.go
+++ b/client/cmd/signer/artifactsign.go
@@ -6,7 +6,7 @@ import (

 	"github.com/spf13/cobra"

-	"github.com/netbirdio/netbird/client/internal/updater/reposign"
+	"github.com/netbirdio/netbird/client/internal/updatemanager/reposign"
 )

 const (
--- a/client/cmd/signer/revocation.go
+++ b/client/cmd/signer/revocation.go
@@ -7,7 +7,7 @@ import (

 	"github.com/spf13/cobra"

-	"github.com/netbirdio/netbird/client/internal/updater/reposign"
+	"github.com/netbirdio/netbird/client/internal/updatemanager/reposign"
 )

 const (
--- a/client/cmd/signer/rootkey.go
+++ b/client/cmd/signer/rootkey.go
@@ -7,7 +7,7 @@ import (

 	"github.com/spf13/cobra"

-	"github.com/netbirdio/netbird/client/internal/updater/reposign"
+	"github.com/netbirdio/netbird/client/internal/updatemanager/reposign"
 )

 var (
--- a/client/cmd/ssh.go
+++ b/client/cmd/ssh.go
@@ -787,10 +787,10 @@ func isUnixSocket(path string) bool {
 	return strings.HasPrefix(path, "/") || strings.HasPrefix(path, "./")
 }

-// normalizeLocalHost converts "*" to "" for binding to all interfaces (dual-stack).
+// normalizeLocalHost converts "*" to "0.0.0.0" for binding to all interfaces.
 func normalizeLocalHost(host string) string {
 	if host == "*" {
-		return ""
+		return "0.0.0.0"
 	}
 	return host
 }
--- a/client/cmd/ssh_test.go
+++ b/client/cmd/ssh_test.go
@@ -527,10 +527,10 @@ func TestParsePortForward(t *testing.T) {
 		{
 			name:           "wildcard bind all interfaces",
 			spec:           "*:8080:localhost:80",
-			expectedLocal:  ":8080",
+			expectedLocal:  "0.0.0.0:8080",
 			expectedRemote: "localhost:80",
 			expectError:    false,
-			description:    "Wildcard * should bind to all interfaces (dual-stack)",
+			description:    "Wildcard * should bind to all interfaces (0.0.0.0)",
 		},
 		{
 			name:           "wildcard for port only",
--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -20,7 +20,6 @@ import (
 var (
 	detailFlag           bool
 	ipv4Flag             bool
-	ipv6Flag             bool
 	jsonFlag             bool
 	yamlFlag             bool
 	ipsFilter            []string
@@ -29,7 +28,6 @@ var (
 	ipsFilterMap         map[string]struct{}
 	prefixNamesFilterMap map[string]struct{}
 	connectionTypeFilter string
-	checkFlag            string
 )

 var statusCmd = &cobra.Command{
@@ -46,13 +44,11 @@ func init() {
 	statusCmd.PersistentFlags().BoolVar(&jsonFlag, "json", false, "display detailed status information in json format")
 	statusCmd.PersistentFlags().BoolVar(&yamlFlag, "yaml", false, "display detailed status information in yaml format")
 	statusCmd.PersistentFlags().BoolVar(&ipv4Flag, "ipv4", false, "display only NetBird IPv4 of this peer, e.g., --ipv4 will output 100.64.0.33")
-	statusCmd.PersistentFlags().BoolVar(&ipv6Flag, "ipv6", false, "display only NetBird IPv6 of this peer")
-	statusCmd.MarkFlagsMutuallyExclusive("detail", "json", "yaml", "ipv4", "ipv6")
-	statusCmd.PersistentFlags().StringSliceVar(&ipsFilter, "filter-by-ips", []string{}, "filters the detailed output by a list of one or more IPs (v4 or v6), e.g., --filter-by-ips 100.64.0.100,fd00::1")
+	statusCmd.MarkFlagsMutuallyExclusive("detail", "json", "yaml", "ipv4")
+	statusCmd.PersistentFlags().StringSliceVar(&ipsFilter, "filter-by-ips", []string{}, "filters the detailed output by a list of one or more IPs, e.g., --filter-by-ips 100.64.0.100,100.64.0.200")
 	statusCmd.PersistentFlags().StringSliceVar(&prefixNamesFilter, "filter-by-names", []string{}, "filters the detailed output by a list of one or more peer FQDN or hostnames, e.g., --filter-by-names peer-a,peer-b.netbird.cloud")
 	statusCmd.PersistentFlags().StringVar(&statusFilter, "filter-by-status", "", "filters the detailed output by connection status(idle|connecting|connected), e.g., --filter-by-status connected")
 	statusCmd.PersistentFlags().StringVar(&connectionTypeFilter, "filter-by-connection-type", "", "filters the detailed output by connection type (P2P|Relayed), e.g., --filter-by-connection-type P2P")
-	statusCmd.PersistentFlags().StringVar(&checkFlag, "check", "", "run a health check and exit with code 0 on success, 1 on failure (live|ready|startup)")
 }

 func statusFunc(cmd *cobra.Command, args []string) error {
@@ -60,10 +56,6 @@ func statusFunc(cmd *cobra.Command, args []string) error {

 	cmd.SetOut(cmd.OutOrStdout())

-	if checkFlag != "" {
-		return runHealthCheck(cmd)
-	}
-
 	err := parseFilters()
 	if err != nil {
 		return err
@@ -76,17 +68,15 @@ func statusFunc(cmd *cobra.Command, args []string) error {

 	ctx := internal.CtxInitState(cmd.Context())

-	resp, err := getStatus(ctx, true, false)
+	resp, err := getStatus(ctx, false)
 	if err != nil {
 		return err
 	}

 	status := resp.GetStatus()

-	needsAuth := status == string(internal.StatusNeedsLogin) || status == string(internal.StatusLoginFailed) ||
-		status == string(internal.StatusSessionExpired)
-
-	if needsAuth && !jsonFlag && !yamlFlag {
+	if status == string(internal.StatusNeedsLogin) || status == string(internal.StatusLoginFailed) ||
+		status == string(internal.StatusSessionExpired) {
 		cmd.Printf("Daemon status: %s\n\n"+
 			"Run UP command to log in with SSO (interactive login):\n\n"+
 			" netbird up \n\n"+
@@ -103,31 +93,13 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 		return nil
 	}

-	if ipv6Flag {
-		ipv6 := resp.GetFullStatus().GetLocalPeerState().GetIpv6()
-		if ipv6 != "" {
-			cmd.Print(parseInterfaceIP(ipv6))
-		}
-		return nil
-	}
-
 	pm := profilemanager.NewProfileManager()
 	var profName string
 	if activeProf, err := pm.GetActiveProfile(); err == nil {
 		profName = activeProf.Name
 	}

-	var outputInformationHolder = nbstatus.ConvertToStatusOutputOverview(resp.GetFullStatus(), nbstatus.ConvertOptions{
-		Anonymize:            anonymizeFlag,
-		DaemonVersion:        resp.GetDaemonVersion(),
-		DaemonStatus:         nbstatus.ParseDaemonStatus(status),
-		StatusFilter:         statusFilter,
-		PrefixNamesFilter:    prefixNamesFilter,
-		PrefixNamesFilterMap: prefixNamesFilterMap,
-		IPsFilter:            ipsFilterMap,
-		ConnectionTypeFilter: connectionTypeFilter,
-		ProfileName:          profName,
-	})
+	var outputInformationHolder = nbstatus.ConvertToStatusOutputOverview(resp, anonymizeFlag, statusFilter, prefixNamesFilter, prefixNamesFilterMap, ipsFilterMap, connectionTypeFilter, profName)
 	var statusOutputString string
 	switch {
 	case detailFlag:
@@ -149,7 +121,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 	return nil
 }

-func getStatus(ctx context.Context, fullPeerStatus bool, shouldRunProbes bool) (*proto.StatusResponse, error) {
+func getStatus(ctx context.Context, shouldRunProbes bool) (*proto.StatusResponse, error) {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
 		//nolint
@@ -159,7 +131,7 @@ func getStatus(ctx context.Context, fullPeerStatus bool, shouldRunProbes bool) (
 	}
 	defer conn.Close()

-	resp, err := proto.NewDaemonServiceClient(conn).Status(ctx, &proto.StatusRequest{GetFullPeerStatus: fullPeerStatus, ShouldRunProbes: shouldRunProbes})
+	resp, err := proto.NewDaemonServiceClient(conn).Status(ctx, &proto.StatusRequest{GetFullPeerStatus: true, ShouldRunProbes: shouldRunProbes})
 	if err != nil {
 		return nil, fmt.Errorf("status failed: %v", status.Convert(err).Message())
 	}
@@ -213,83 +185,6 @@ func enableDetailFlagWhenFilterFlag() {
 	}
 }

-func runHealthCheck(cmd *cobra.Command) error {
-	check := strings.ToLower(checkFlag)
-	switch check {
-	case "live", "ready", "startup":
-	default:
-		return fmt.Errorf("unknown check %q, must be one of: live, ready, startup", checkFlag)
-	}
-
-	if err := util.InitLog(logLevel, util.LogConsole); err != nil {
-		return fmt.Errorf("init log: %w", err)
-	}
-
-	ctx := internal.CtxInitState(cmd.Context())
-
-	isStartup := check == "startup"
-	resp, err := getStatus(ctx, isStartup, false)
-	if err != nil {
-		return err
-	}
-
-	switch check {
-	case "live":
-		return nil
-	case "ready":
-		return checkReadiness(resp)
-	case "startup":
-		return checkStartup(resp)
-	default:
-		return nil
-	}
-}
-
-func checkReadiness(resp *proto.StatusResponse) error {
-	daemonStatus := internal.StatusType(resp.GetStatus())
-	switch daemonStatus {
-	case internal.StatusIdle, internal.StatusConnecting, internal.StatusConnected:
-		return nil
-	case internal.StatusNeedsLogin, internal.StatusLoginFailed, internal.StatusSessionExpired:
-		return fmt.Errorf("readiness check: daemon status is %s", daemonStatus)
-	default:
-		return fmt.Errorf("readiness check: unexpected daemon status %q", daemonStatus)
-	}
-}
-
-func checkStartup(resp *proto.StatusResponse) error {
-	fullStatus := resp.GetFullStatus()
-	if fullStatus == nil {
-		return fmt.Errorf("startup check: no full status available")
-	}
-
-	if !fullStatus.GetManagementState().GetConnected() {
-		return fmt.Errorf("startup check: management not connected")
-	}
-
-	if !fullStatus.GetSignalState().GetConnected() {
-		return fmt.Errorf("startup check: signal not connected")
-	}
-
-	var relayCount, relaysConnected int
-	for _, r := range fullStatus.GetRelays() {
-		uri := r.GetURI()
-		if !strings.HasPrefix(uri, "rel://") && !strings.HasPrefix(uri, "rels://") {
-			continue
-		}
-		relayCount++
-		if r.GetAvailable() {
-			relaysConnected++
-		}
-	}
-
-	if relayCount > 0 && relaysConnected == 0 {
-		return fmt.Errorf("startup check: no relay servers available (0/%d connected)", relayCount)
-	}
-
-	return nil
-}
-
 func parseInterfaceIP(interfaceIP string) string {
 	ip, _, err := net.ParseCIDR(interfaceIP)
 	if err != nil {
--- a/client/cmd/system.go
+++ b/client/cmd/system.go
@@ -8,7 +8,6 @@ const (
 	disableFirewallFlag     = "disable-firewall"
 	blockLANAccessFlag      = "block-lan-access"
 	blockInboundFlag        = "block-inbound"
-	disableIPv6Flag         = "disable-ipv6"
 )

 var (
@@ -18,7 +17,6 @@ var (
 	disableFirewall     bool
 	blockLANAccess      bool
 	blockInbound        bool
-	disableIPv6         bool
 )

 func init() {
@@ -41,7 +39,4 @@ func init() {
 	upCmd.PersistentFlags().BoolVar(&blockInbound, blockInboundFlag, false,
 		"Block inbound connections. If enabled, the client will not allow any inbound connections to the local machine nor routed networks.\n"+
 			"This overrides any policies received from the management service.")
-
-	upCmd.PersistentFlags().BoolVar(&disableIPv6, disableIPv6Flag, false,
-		"Disable IPv6 overlay. If enabled, the client won't request or use an IPv6 overlay address.")
 }
--- a/client/cmd/testutil_test.go
+++ b/client/cmd/testutil_test.go
@@ -18,7 +18,6 @@ import (
 	"github.com/netbirdio/netbird/management/internals/modules/peers"
 	"github.com/netbirdio/netbird/management/internals/modules/peers/ephemeral/manager"
 	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
-	"github.com/netbirdio/netbird/management/server/job"

 	clientProto "github.com/netbirdio/netbird/client/proto"
 	client "github.com/netbirdio/netbird/client/server"
@@ -98,8 +97,6 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	peersmanager := peers.NewManager(store, permissionsManagerMock)
 	settingsManagerMock := settings.NewMockManager(ctrl)

-	jobManager := job.NewJobManager(nil, store, peersmanager)
-
 	iv, _ := integrations.NewIntegratedValidator(context.Background(), peersmanager, settingsManagerMock, eventStore)

 	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
@@ -118,7 +115,7 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	requestBuffer := mgmt.NewAccountRequestBuffer(ctx, store)
 	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, mgmt.MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock(), manager.NewEphemeralManager(store, peersmanager), config)

-	accountManager, err := mgmt.BuildManager(context.Background(), config, store, networkMapController, jobManager, nil, "", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
+	accountManager, err := mgmt.BuildManager(context.Background(), config, store, networkMapController, nil, "", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -127,7 +124,7 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	if err != nil {
 		t.Fatal(err)
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -197,10 +197,10 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command, activeProf *pr
 	r := peer.NewRecorder(config.ManagementURL.String())
 	r.GetFullStatus()

-	connectClient := internal.NewConnectClient(ctx, config, r)
+	connectClient := internal.NewConnectClient(ctx, config, r, false)
 	SetupDebugHandler(ctx, config, r, connectClient, "")

-	return connectClient.Run(nil, util.FindFirstLogPath(logFiles))
+	return connectClient.Run(nil)
 }

 func runInDaemonMode(ctx context.Context, cmd *cobra.Command, pm *profilemanager.ProfileManager, activeProf *profilemanager.Profile, profileSwitched bool) error {
@@ -430,10 +430,6 @@ func setupSetConfigReq(customDNSAddressConverted []byte, cmd *cobra.Command, pro
 		req.BlockInbound = &blockInbound
 	}

-	if cmd.Flag(disableIPv6Flag).Changed {
-		req.DisableIpv6 = &disableIPv6
-	}
-
 	if cmd.Flag(enableLazyConnectionFlag).Changed {
 		req.LazyConnectionEnabled = &lazyConnEnabled
 	}
@@ -551,10 +547,6 @@ func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command, configFil
 		ic.BlockInbound = &blockInbound
 	}

-	if cmd.Flag(disableIPv6Flag).Changed {
-		ic.DisableIPv6 = &disableIPv6
-	}
-
 	if cmd.Flag(enableLazyConnectionFlag).Changed {
 		ic.LazyConnectionEnabled = &lazyConnEnabled
 	}
@@ -669,10 +661,6 @@ func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte
 		loginRequest.BlockInbound = &blockInbound
 	}

-	if cmd.Flag(disableIPv6Flag).Changed {
-		loginRequest.DisableIpv6 = &disableIPv6
-	}
-
 	if cmd.Flag(enableLazyConnectionFlag).Changed {
 		loginRequest.LazyConnectionEnabled = &lazyConnEnabled
 	}
--- a/client/cmd/update_supported.go
+++ b/client/cmd/update_supported.go
@@ -11,7 +11,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"

-	"github.com/netbirdio/netbird/client/internal/updater/installer"
+	"github.com/netbirdio/netbird/client/internal/updatemanager/installer"
 	"github.com/netbirdio/netbird/util"
 )

--- a/client/embed/embed.go
+++ b/client/embed/embed.go
@@ -14,15 +14,12 @@ import (
 	"github.com/sirupsen/logrus"
 	wgnetstack "golang.zx2c4.com/wireguard/tun/netstack"

-	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/internal/auth"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	sshcommon "github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
-	"github.com/netbirdio/netbird/shared/management/domain"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 )

@@ -33,14 +30,6 @@ var (
 	ErrConfigNotInitialized = errors.New("config not initialized")
 )

-const (
-	// PeerStatusConnected indicates the peer is in connected state.
-	PeerStatusConnected = peer.StatusConnected
-)
-
-// PeerConnStatus is a peer's connection status.
-type PeerConnStatus = peer.ConnStatus
-
 // Client manages a netbird embedded client instance.
 type Client struct {
 	deviceName string
@@ -79,20 +68,6 @@ type Options struct {
 	StatePath string
 	// DisableClientRoutes disables the client routes
 	DisableClientRoutes bool
-	// DisableIPv6 disables IPv6 overlay addressing
-	DisableIPv6 bool
-	// BlockInbound blocks all inbound connections from peers
-	BlockInbound bool
-	// WireguardPort is the port for the WireGuard interface. Use 0 for a random port.
-	WireguardPort *int
-	// MTU is the MTU for the WireGuard interface.
-	// Valid values are in the range 576..8192 bytes.
-	// If non-nil, this value overrides any value stored in the config file.
-	// If nil, the existing config MTU (if non-zero) is preserved; otherwise it defaults to 1280.
-	// Set to a higher value (e.g. 1400) if carrying QUIC or other protocols that require larger datagrams.
-	MTU *uint16
-	// DNSLabels defines additional DNS labels configured in the peer.
-	DNSLabels []string
 }

 // validateCredentials checks that exactly one credential type is provided
@@ -124,12 +99,6 @@ func New(opts Options) (*Client, error) {
 		return nil, err
 	}

-	if opts.MTU != nil {
-		if err := iface.ValidateMTU(*opts.MTU); err != nil {
-			return nil, fmt.Errorf("invalid MTU: %w", err)
-		}
-	}
-
 	if opts.LogOutput != nil {
 		logrus.SetOutput(opts.LogOutput)
 	}
@@ -158,25 +127,15 @@ func New(opts Options) (*Client, error) {
 		}
 	}

-	var err error
-	var parsedLabels domain.List
-	if parsedLabels, err = domain.FromStringList(opts.DNSLabels); err != nil {
-		return nil, fmt.Errorf("invalid dns labels: %w", err)
-	}
-
 	t := true
 	var config *profilemanager.Config
+	var err error
 	input := profilemanager.ConfigInput{
 		ConfigPath:          opts.ConfigPath,
 		ManagementURL:       opts.ManagementURL,
 		PreSharedKey:        &opts.PreSharedKey,
 		DisableServerRoutes: &t,
 		DisableClientRoutes: &opts.DisableClientRoutes,
-		DisableIPv6:         &opts.DisableIPv6,
-		BlockInbound:        &opts.BlockInbound,
-		WireguardPort:       opts.WireguardPort,
-		MTU:                 opts.MTU,
-		DNSLabels:           parsedLabels,
 	}
 	if opts.ConfigPath != "" {
 		config, err = profilemanager.UpdateOrCreateConfig(input)
@@ -196,7 +155,6 @@ func New(opts Options) (*Client, error) {
 		setupKey:   opts.SetupKey,
 		jwtToken:   opts.JWTToken,
 		config:     config,
-		recorder:   peer.NewRecorder(config.ManagementURL.String()),
 	}, nil
 }

@@ -218,17 +176,13 @@ func (c *Client) Start(startCtx context.Context) error {

 	// nolint:staticcheck
 	ctx = context.WithValue(ctx, system.DeviceNameCtxKey, c.deviceName)
-
-	authClient, err := auth.NewAuth(ctx, c.config.PrivateKey, c.config.ManagementURL, c.config)
-	if err != nil {
-		return fmt.Errorf("create auth client: %w", err)
-	}
-	defer authClient.Close()
-
-	if err, _ := authClient.Login(ctx, c.setupKey, c.jwtToken); err != nil {
+	if err := internal.Login(ctx, c.config, c.setupKey, c.jwtToken); err != nil {
 		return fmt.Errorf("login: %w", err)
 	}
-	client := internal.NewConnectClient(ctx, c.config, c.recorder)
+
+	recorder := peer.NewRecorder(c.config.ManagementURL.String())
+	c.recorder = recorder
+	client := internal.NewConnectClient(ctx, c.config, recorder, false)
 	client.SetSyncResponsePersistence(true)

 	// either startup error (permanent backoff err) or nil err (successful engine up)
@@ -236,7 +190,7 @@ func (c *Client) Start(startCtx context.Context) error {
 	run := make(chan struct{})
 	clientErr := make(chan error, 1)
 	go func() {
-		if err := client.Run(run, ""); err != nil {
+		if err := client.Run(run); err != nil {
 			clientErr <- err
 		}
 	}()
@@ -378,38 +332,17 @@ func (c *Client) NewHTTPClient() *http.Client {
 	}
 }

-// Expose exposes a local service via the NetBird reverse proxy, making it accessible through a public URL.
-// It returns an ExposeSession. Call Wait on the session to keep it alive.
-func (c *Client) Expose(ctx context.Context, req ExposeRequest) (*ExposeSession, error) {
-	engine, err := c.getEngine()
-	if err != nil {
-		return nil, err
-	}
-
-	mgr := engine.GetExposeManager()
-	if mgr == nil {
-		return nil, fmt.Errorf("expose manager not available")
-	}
-
-	resp, err := mgr.Expose(ctx, req)
-	if err != nil {
-		return nil, fmt.Errorf("expose: %w", err)
-	}
-
-	return &ExposeSession{
-		Domain:      resp.Domain,
-		ServiceName: resp.ServiceName,
-		ServiceURL:  resp.ServiceURL,
-		mgr:         mgr,
-	}, nil
-}
-
 // Status returns the current status of the client.
 func (c *Client) Status() (peer.FullStatus, error) {
 	c.mu.Lock()
+	recorder := c.recorder
 	connect := c.connect
 	c.mu.Unlock()

+	if recorder == nil {
+		return peer.FullStatus{}, errors.New("client not started")
+	}
+
 	if connect != nil {
 		engine := connect.Engine()
 		if engine != nil {
@@ -417,7 +350,7 @@ func (c *Client) Status() (peer.FullStatus, error) {
 		}
 	}

-	return c.recorder.GetFullStatus(), nil
+	return recorder.GetFullStatus(), nil
 }

 // GetLatestSyncResponse returns the latest sync response from the management server.
--- a/client/embed/expose.go
+++ b/client/embed/expose.go
@@ -1,45 +0,0 @@
-package embed
-
-import (
-	"context"
-	"errors"
-
-	"github.com/netbirdio/netbird/client/internal/expose"
-)
-
-const (
-	// ExposeProtocolHTTP exposes the service as HTTP.
-	ExposeProtocolHTTP = expose.ProtocolHTTP
-	// ExposeProtocolHTTPS exposes the service as HTTPS.
-	ExposeProtocolHTTPS = expose.ProtocolHTTPS
-	// ExposeProtocolTCP exposes the service as TCP.
-	ExposeProtocolTCP = expose.ProtocolTCP
-	// ExposeProtocolUDP exposes the service as UDP.
-	ExposeProtocolUDP = expose.ProtocolUDP
-	// ExposeProtocolTLS exposes the service as TLS.
-	ExposeProtocolTLS = expose.ProtocolTLS
-)
-
-// ExposeRequest is a request to expose a local service via the NetBird reverse proxy.
-type ExposeRequest = expose.Request
-
-// ExposeProtocolType represents the protocol used for exposing a service.
-type ExposeProtocolType = expose.ProtocolType
-
-// ExposeSession represents an active expose session. Use Wait to block until the session ends.
-type ExposeSession struct {
-	Domain      string
-	ServiceName string
-	ServiceURL  string
-
-	mgr *expose.Manager
-}
-
-// Wait blocks while keeping the expose session alive.
-// It returns when ctx is cancelled or a keep-alive error occurs, then terminates the session.
-func (s *ExposeSession) Wait(ctx context.Context) error {
-	if s == nil || s.mgr == nil {
-		return errors.New("expose session is not initialized")
-	}
-	return s.mgr.KeepAlive(ctx, s.Domain)
-}
--- a/client/firewall/iptables/acl_linux.go
+++ b/client/firewall/iptables/acl_linux.go
@@ -36,7 +36,6 @@ type aclManager struct {
 	entries         aclEntries
 	optionalEntries map[string][]entry
 	ipsetStore      *ipsetStore
-	v6              bool

 	stateManager *statemanager.Manager
 }
@@ -48,7 +47,6 @@ func newAclManager(iptablesClient *iptables.IPTables, wgIface iFaceMapper) (*acl
 		entries:         make(map[string][][]string),
 		optionalEntries: make(map[string][]entry),
 		ipsetStore:      newIpsetStore(),
-		v6:              iptablesClient.Proto() == iptables.ProtocolIPv6,
 	}, nil
 }

@@ -83,11 +81,7 @@ func (m *aclManager) AddPeerFiltering(
 	chain := chainNameInputRules

 	ipsetName = transformIPsetName(ipsetName, sPort, dPort, action)
-	if m.v6 && ipsetName != "" {
-		ipsetName += "-v6"
-	}
-	proto := protoForFamily(protocol, m.v6)
-	specs := filterRuleSpecs(ip, proto, sPort, dPort, action, ipsetName)
+	specs := filterRuleSpecs(ip, string(protocol), sPort, dPort, action, ipsetName)

 	mangleSpecs := slices.Clone(specs)
 	mangleSpecs = append(mangleSpecs,
@@ -111,7 +105,6 @@ func (m *aclManager) AddPeerFiltering(
 				ip:        ip.String(),
 				chain:     chain,
 				specs:     specs,
-				v6:        m.v6,
 			}}, nil
 		}

@@ -164,7 +157,6 @@ func (m *aclManager) AddPeerFiltering(
 		ipsetName:   ipsetName,
 		ip:          ip.String(),
 		chain:       chain,
-		v6:          m.v6,
 	}

 	m.updateState()
@@ -384,13 +376,8 @@ func (m *aclManager) updateState() {
 	currentState.Lock()
 	defer currentState.Unlock()

-	if m.v6 {
-		currentState.ACLEntries6 = m.entries
-		currentState.ACLIPsetStore6 = m.ipsetStore
-	} else {
-		currentState.ACLEntries = m.entries
-		currentState.ACLIPsetStore = m.ipsetStore
-	}
+	currentState.ACLEntries = m.entries
+	currentState.ACLIPsetStore = m.ipsetStore

 	if err := m.stateManager.UpdateState(currentState); err != nil {
 		log.Errorf("failed to update state: %v", err)
@@ -398,15 +385,6 @@ func (m *aclManager) updateState() {
 }

 // filterRuleSpecs returns the specs of a filtering rule
-// protoForFamily translates ICMP to ICMPv6 for ip6tables.
-// ip6tables requires "ipv6-icmp" (or "icmpv6") instead of "icmp".
-func protoForFamily(protocol firewall.Protocol, v6 bool) string {
-	if v6 && protocol == firewall.ProtocolICMP {
-		return "ipv6-icmp"
-	}
-	return string(protocol)
-}
-
 func filterRuleSpecs(ip net.IP, protocol string, sPort, dPort *firewall.Port, action firewall.Action, ipsetName string) (specs []string) {
 	// don't use IP matching if IP is 0.0.0.0
 	matchByIP := !ip.IsUnspecified()
@@ -459,9 +437,6 @@ func (m *aclManager) createIPSet(name string) error {
 	opts := ipset.CreateOptions{
 		Replace: true,
 	}
-	if m.v6 {
-		opts.Family = ipset.FamilyIPV6
-	}

 	if err := ipset.Create(name, ipset.TypeHashNet, opts); err != nil {
 		return fmt.Errorf("create ipset %s: %w", name, err)
--- a/client/firewall/iptables/manager_linux.go
+++ b/client/firewall/iptables/manager_linux.go
@@ -17,25 +17,15 @@ import (
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )

-type resetter interface {
-	Reset() error
-}
-
 // Manager of iptables firewall
 type Manager struct {
 	mutex sync.Mutex

 	wgIface iFaceMapper

-	ipv4Client   *iptables.IPTables
-	aclMgr       *aclManager
-	router       *router
-	rawSupported bool
-
-	// IPv6 counterparts, nil when no v6 overlay
-	ipv6Client *iptables.IPTables
-	aclMgr6    *aclManager
-	router6    *router
+	ipv4Client *iptables.IPTables
+	aclMgr     *aclManager
+	router     *router
 }

 // iFaceMapper defines subset methods of interface required for manager
@@ -67,43 +57,9 @@ func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
 		return nil, fmt.Errorf("create acl manager: %w", err)
 	}

-	if wgIface.Address().HasIPv6() {
-		if err := m.createIPv6Components(wgIface, mtu); err != nil {
-			return nil, fmt.Errorf("create IPv6 firewall: %w", err)
-		}
-	}
-
 	return m, nil
 }

-func (m *Manager) createIPv6Components(wgIface iFaceMapper, mtu uint16) error {
-	ip6Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv6)
-	if err != nil {
-		return fmt.Errorf("init ip6tables: %w", err)
-	}
-	m.ipv6Client = ip6Client
-
-	m.router6, err = newRouter(ip6Client, wgIface, mtu)
-	if err != nil {
-		return fmt.Errorf("create v6 router: %w", err)
-	}
-
-	// Share the same IP forwarding state with the v4 router, since
-	// EnableIPForwarding controls both v4 and v6 sysctls.
-	m.router6.ipFwdState = m.router.ipFwdState
-
-	m.aclMgr6, err = newAclManager(ip6Client, wgIface)
-	if err != nil {
-		return fmt.Errorf("create v6 acl manager: %w", err)
-	}
-
-	return nil
-}
-
-func (m *Manager) hasIPv6() bool {
-	return m.ipv6Client != nil
-}
-
 func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	state := &ShutdownState{
 		InterfaceState: &InterfaceState{
@@ -118,12 +74,13 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 		log.Errorf("failed to update state: %v", err)
 	}

-	if err := m.initChains(stateManager); err != nil {
-		return err
+	if err := m.router.init(stateManager); err != nil {
+		return fmt.Errorf("router init: %w", err)
 	}

-	if err := m.initNoTrackChain(); err != nil {
-		log.Warnf("raw table not available, notrack rules will be disabled: %v", err)
+	if err := m.aclMgr.init(stateManager); err != nil {
+		// TODO: cleanup router
+		return fmt.Errorf("acl manager init: %w", err)
 	}

 	// persist early to ensure cleanup of chains
@@ -136,41 +93,6 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	return nil
 }

-// initChains initializes router and ACL chains for both address families,
-// rolling back on failure.
-func (m *Manager) initChains(stateManager *statemanager.Manager) error {
-	type initStep struct {
-		name string
-		init func(*statemanager.Manager) error
-		mgr  resetter
-	}
-
-	steps := []initStep{
-		{"router", m.router.init, m.router},
-		{"acl manager", m.aclMgr.init, m.aclMgr},
-	}
-	if m.hasIPv6() {
-		steps = append(steps,
-			initStep{"v6 router", m.router6.init, m.router6},
-			initStep{"v6 acl manager", m.aclMgr6.init, m.aclMgr6},
-		)
-	}
-
-	var initialized []initStep
-	for _, s := range steps {
-		if err := s.init(stateManager); err != nil {
-			for i := len(initialized) - 1; i >= 0; i-- {
-				if rerr := initialized[i].mgr.Reset(); rerr != nil {
-					log.Warnf("rollback %s: %v", initialized[i].name, rerr)
-				}
-			}
-			return fmt.Errorf("%s init: %w", s.name, err)
-		}
-		initialized = append(initialized, s)
-	}
-	return nil
-}
-
 // AddPeerFiltering adds a rule to the firewall
 //
 // Comment will be ignored because some system this feature is not supported
@@ -186,13 +108,7 @@ func (m *Manager) AddPeerFiltering(
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if ip.To4() != nil {
-		return m.aclMgr.AddPeerFiltering(id, ip, proto, sPort, dPort, action, ipsetName)
-	}
-	if !m.hasIPv6() {
-		return nil, fmt.Errorf("IPv6 not initialized, cannot add rule for %s", ip)
-	}
-	return m.aclMgr6.AddPeerFiltering(id, ip, proto, sPort, dPort, action, ipsetName)
+	return m.aclMgr.AddPeerFiltering(id, ip, proto, sPort, dPort, action, ipsetName)
 }

 func (m *Manager) AddRouteFiltering(
@@ -206,48 +122,25 @@ func (m *Manager) AddRouteFiltering(
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if isIPv6RouteRule(sources, destination) {
-		if !m.hasIPv6() {
-			return nil, fmt.Errorf("IPv6 not initialized, cannot add route rule")
-		}
-		return m.router6.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
+	if destination.IsPrefix() && !destination.Prefix.Addr().Is4() {
+		return nil, fmt.Errorf("unsupported IP version: %s", destination.Prefix.Addr().String())
 	}

 	return m.router.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
 }

-func isIPv6RouteRule(sources []netip.Prefix, destination firewall.Network) bool {
-	if destination.IsPrefix() {
-		return destination.Prefix.Addr().Is6()
-	}
-	return len(sources) > 0 && sources[0].Addr().Is6()
-}
-
 // DeletePeerRule from the firewall by rule definition
 func (m *Manager) DeletePeerRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if m.hasIPv6() && isIPv6IptRule(rule) {
-		return m.aclMgr6.DeletePeerRule(rule)
-	}
 	return m.aclMgr.DeletePeerRule(rule)
 }

-func isIPv6IptRule(rule firewall.Rule) bool {
-	r, ok := rule.(*Rule)
-	return ok && r.v6
-}
-
-// DeleteRouteRule deletes a routing rule.
-// Route rules are keyed by content hash. Check v4 first, try v6 if not found.
 func (m *Manager) DeleteRouteRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if m.hasIPv6() && !m.router.hasRule(rule.ID()) {
-		return m.router6.DeleteRouteRule(rule)
-	}
 	return m.router.DeleteRouteRule(rule)
 }

@@ -263,63 +156,18 @@ func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if pair.Destination.IsPrefix() && pair.Destination.Prefix.Addr().Is6() {
-		if !m.hasIPv6() {
-			return fmt.Errorf("IPv6 not initialized, cannot add NAT rule")
-		}
-		return m.router6.AddNatRule(pair)
-	}
-
-	if err := m.router.AddNatRule(pair); err != nil {
-		return err
-	}
-
-	// Dynamic routes need NAT in both tables
-	if m.hasIPv6() && pair.Destination.IsSet() {
-		v6Pair := pair
-		v6Pair.Source = firewall.Network{Prefix: netip.PrefixFrom(netip.IPv6Unspecified(), 0)}
-		if err := m.router6.AddNatRule(v6Pair); err != nil {
-			return fmt.Errorf("add v6 NAT rule: %w", err)
-		}
-	}
-
-	return nil
+	return m.router.AddNatRule(pair)
 }

 func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if pair.Destination.IsPrefix() && pair.Destination.Prefix.Addr().Is6() {
-		if !m.hasIPv6() {
-			return nil
-		}
-		return m.router6.RemoveNatRule(pair)
-	}
-
-	if err := m.router.RemoveNatRule(pair); err != nil {
-		return err
-	}
-
-	if m.hasIPv6() && pair.Destination.IsSet() {
-		v6Pair := pair
-		v6Pair.Source = firewall.Network{Prefix: netip.PrefixFrom(netip.IPv6Unspecified(), 0)}
-		if err := m.router6.RemoveNatRule(v6Pair); err != nil {
-			return fmt.Errorf("remove v6 NAT rule: %w", err)
-		}
-	}
-
-	return nil
+	return m.router.RemoveNatRule(pair)
 }

 func (m *Manager) SetLegacyManagement(isLegacy bool) error {
-	if err := firewall.SetLegacyManagement(m.router, isLegacy); err != nil {
-		return err
-	}
-	if m.hasIPv6() {
-		return firewall.SetLegacyManagement(m.router6, isLegacy)
-	}
-	return nil
+	return firewall.SetLegacyManagement(m.router, isLegacy)
 }

 // Reset firewall to the default state
@@ -329,19 +177,6 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {

 	var merr *multierror.Error

-	if err := m.cleanupNoTrackChain(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("cleanup notrack chain: %w", err))
-	}
-
-	if m.hasIPv6() {
-		if err := m.aclMgr6.Reset(); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("reset v6 acl manager: %w", err))
-		}
-		if err := m.router6.Reset(); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("reset v6 router: %w", err))
-		}
-	}
-
 	if err := m.aclMgr.Reset(); err != nil {
 		merr = multierror.Append(merr, fmt.Errorf("reset acl manager: %w", err))
 	}
@@ -365,16 +200,19 @@ func (m *Manager) AllowNetbird() error {
 		return nil
 	}

-	var merr *multierror.Error
-	if _, err := m.aclMgr.AddPeerFiltering(nil, net.IP{0, 0, 0, 0}, firewall.ProtocolALL, nil, nil, firewall.ActionAccept, ""); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("allow netbird interface traffic: %w", err))
+	_, err := m.AddPeerFiltering(
+		nil,
+		net.IP{0, 0, 0, 0},
+		firewall.ProtocolALL,
+		nil,
+		nil,
+		firewall.ActionAccept,
+		"",
+	)
+	if err != nil {
+		return fmt.Errorf("allow netbird interface traffic: %w", err)
 	}
-	if m.hasIPv6() {
-		if _, err := m.aclMgr6.AddPeerFiltering(nil, net.IPv6zero, firewall.ProtocolALL, nil, nil, firewall.ActionAccept, ""); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("allow v6 netbird interface traffic: %w", err))
-		}
-	}
-	return nberrors.FormatErrorOrNil(merr)
+	return nil
 }

 // Flush doesn't need to be implemented for this manager
@@ -404,9 +242,6 @@ func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error)
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if m.hasIPv6() && rule.TranslatedAddress.Is6() {
-		return m.router6.AddDNATRule(rule)
-	}
 	return m.router.AddDNATRule(rule)
 }

@@ -415,9 +250,6 @@ func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if m.hasIPv6() && !m.router.hasRule(rule.ID()+dnatSuffix) {
-		return m.router6.DeleteDNATRule(rule)
-	}
 	return m.router.DeleteDNATRule(rule)
 }

@@ -426,26 +258,7 @@ func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	var v4Prefixes, v6Prefixes []netip.Prefix
-	for _, p := range prefixes {
-		if p.Addr().Is6() {
-			v6Prefixes = append(v6Prefixes, p)
-		} else {
-			v4Prefixes = append(v4Prefixes, p)
-		}
-	}
-
-	if err := m.router.UpdateSet(set, v4Prefixes); err != nil {
-		return err
-	}
-
-	if m.hasIPv6() && len(v6Prefixes) > 0 {
-		if err := m.router6.UpdateSet(set, v6Prefixes); err != nil {
-			return fmt.Errorf("update v6 set: %w", err)
-		}
-	}
-
-	return nil
+	return m.router.UpdateSet(set, prefixes)
 }

 // AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
@@ -453,9 +266,6 @@ func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protoco
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if m.hasIPv6() && localAddr.Is6() {
-		return m.router6.AddInboundDNAT(localAddr, protocol, sourcePort, targetPort)
-	}
 	return m.router.AddInboundDNAT(localAddr, protocol, sourcePort, targetPort)
 }

@@ -464,156 +274,9 @@ func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Prot
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if m.hasIPv6() && localAddr.Is6() {
-		return m.router6.RemoveInboundDNAT(localAddr, protocol, sourcePort, targetPort)
-	}
 	return m.router.RemoveInboundDNAT(localAddr, protocol, sourcePort, targetPort)
 }

-// AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
-func (m *Manager) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.AddOutputDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
-// RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
-func (m *Manager) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.RemoveOutputDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
-const (
-	chainNameRaw = "NETBIRD-RAW"
-	chainOUTPUT  = "OUTPUT"
-	tableRaw     = "raw"
-)
-
-// SetupEBPFProxyNoTrack creates notrack rules for eBPF proxy loopback traffic.
-// This prevents conntrack from tracking WireGuard proxy traffic on loopback, which
-// can interfere with MASQUERADE rules (e.g., from container runtimes like Podman/netavark).
-//
-// Traffic flows that need NOTRACK:
-//
-//  1. Egress: WireGuard -> fake endpoint (before eBPF rewrite)
-//     src=127.0.0.1:wgPort -> dst=127.0.0.1:fakePort
-//     Matched by: sport=wgPort
-//
-//  2. Egress: Proxy -> WireGuard (via raw socket)
-//     src=127.0.0.1:fakePort -> dst=127.0.0.1:wgPort
-//     Matched by: dport=wgPort
-//
-//  3. Ingress: Packets to WireGuard
-//     dst=127.0.0.1:wgPort
-//     Matched by: dport=wgPort
-//
-//  4. Ingress: Packets to proxy (after eBPF rewrite)
-//     dst=127.0.0.1:proxyPort
-//     Matched by: dport=proxyPort
-//
-// Rules are cleaned up when the firewall manager is closed.
-func (m *Manager) SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	if !m.rawSupported {
-		return fmt.Errorf("raw table not available")
-	}
-
-	wgPortStr := fmt.Sprintf("%d", wgPort)
-	proxyPortStr := fmt.Sprintf("%d", proxyPort)
-
-	// Egress rules: match outgoing loopback UDP packets
-	outputRuleSport := []string{"-o", "lo", "-s", "127.0.0.1", "-d", "127.0.0.1", "-p", "udp", "--sport", wgPortStr, "-j", "NOTRACK"}
-	if err := m.ipv4Client.AppendUnique(tableRaw, chainNameRaw, outputRuleSport...); err != nil {
-		return fmt.Errorf("add output sport notrack rule: %w", err)
-	}
-
-	outputRuleDport := []string{"-o", "lo", "-s", "127.0.0.1", "-d", "127.0.0.1", "-p", "udp", "--dport", wgPortStr, "-j", "NOTRACK"}
-	if err := m.ipv4Client.AppendUnique(tableRaw, chainNameRaw, outputRuleDport...); err != nil {
-		return fmt.Errorf("add output dport notrack rule: %w", err)
-	}
-
-	// Ingress rules: match incoming loopback UDP packets
-	preroutingRuleWg := []string{"-i", "lo", "-s", "127.0.0.1", "-d", "127.0.0.1", "-p", "udp", "--dport", wgPortStr, "-j", "NOTRACK"}
-	if err := m.ipv4Client.AppendUnique(tableRaw, chainNameRaw, preroutingRuleWg...); err != nil {
-		return fmt.Errorf("add prerouting wg notrack rule: %w", err)
-	}
-
-	preroutingRuleProxy := []string{"-i", "lo", "-s", "127.0.0.1", "-d", "127.0.0.1", "-p", "udp", "--dport", proxyPortStr, "-j", "NOTRACK"}
-	if err := m.ipv4Client.AppendUnique(tableRaw, chainNameRaw, preroutingRuleProxy...); err != nil {
-		return fmt.Errorf("add prerouting proxy notrack rule: %w", err)
-	}
-
-	log.Debugf("set up ebpf proxy notrack rules for ports %d,%d", proxyPort, wgPort)
-	return nil
-}
-
-func (m *Manager) initNoTrackChain() error {
-	if err := m.cleanupNoTrackChain(); err != nil {
-		log.Debugf("cleanup notrack chain: %v", err)
-	}
-
-	if err := m.ipv4Client.NewChain(tableRaw, chainNameRaw); err != nil {
-		return fmt.Errorf("create chain: %w", err)
-	}
-
-	jumpRule := []string{"-j", chainNameRaw}
-
-	if err := m.ipv4Client.InsertUnique(tableRaw, chainOUTPUT, 1, jumpRule...); err != nil {
-		if delErr := m.ipv4Client.DeleteChain(tableRaw, chainNameRaw); delErr != nil {
-			log.Debugf("delete orphan chain: %v", delErr)
-		}
-		return fmt.Errorf("add output jump rule: %w", err)
-	}
-
-	if err := m.ipv4Client.InsertUnique(tableRaw, chainPREROUTING, 1, jumpRule...); err != nil {
-		if delErr := m.ipv4Client.DeleteIfExists(tableRaw, chainOUTPUT, jumpRule...); delErr != nil {
-			log.Debugf("delete output jump rule: %v", delErr)
-		}
-		if delErr := m.ipv4Client.DeleteChain(tableRaw, chainNameRaw); delErr != nil {
-			log.Debugf("delete orphan chain: %v", delErr)
-		}
-		return fmt.Errorf("add prerouting jump rule: %w", err)
-	}
-
-	m.rawSupported = true
-	return nil
-}
-
-func (m *Manager) cleanupNoTrackChain() error {
-	exists, err := m.ipv4Client.ChainExists(tableRaw, chainNameRaw)
-	if err != nil {
-		if !m.rawSupported {
-			return nil
-		}
-		return fmt.Errorf("check chain exists: %w", err)
-	}
-	if !exists {
-		return nil
-	}
-
-	jumpRule := []string{"-j", chainNameRaw}
-
-	if err := m.ipv4Client.DeleteIfExists(tableRaw, chainOUTPUT, jumpRule...); err != nil {
-		return fmt.Errorf("remove output jump rule: %w", err)
-	}
-
-	if err := m.ipv4Client.DeleteIfExists(tableRaw, chainPREROUTING, jumpRule...); err != nil {
-		return fmt.Errorf("remove prerouting jump rule: %w", err)
-	}
-
-	if err := m.ipv4Client.ClearAndDeleteChain(tableRaw, chainNameRaw); err != nil {
-		return fmt.Errorf("clear and delete chain: %w", err)
-	}
-
-	m.rawSupported = false
-	return nil
-}
-
 func getConntrackEstablished() []string {
 	return []string{"-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
 }
--- a/client/firewall/iptables/router_linux.go
+++ b/client/firewall/iptables/router_linux.go
@@ -36,7 +36,6 @@ const (
 	chainRTFWDOUT           = "NETBIRD-RT-FWD-OUT"
 	chainRTPRE              = "NETBIRD-RT-PRE"
 	chainRTRDR              = "NETBIRD-RT-RDR"
-	chainNATOutput          = "NETBIRD-NAT-OUTPUT"
 	chainRTMSSCLAMP         = "NETBIRD-RT-MSSCLAMP"
 	routingFinalForwardJump = "ACCEPT"
 	routingFinalNatJump     = "MASQUERADE"
@@ -44,7 +43,6 @@ const (
 	jumpManglePre  = "jump-mangle-pre"
 	jumpNatPre     = "jump-nat-pre"
 	jumpNatPost    = "jump-nat-post"
-	jumpNatOutput  = "jump-nat-output"
 	jumpMSSClamp   = "jump-mss-clamp"
 	markManglePre  = "mark-mangle-pre"
 	markManglePost = "mark-mangle-post"
@@ -54,10 +52,8 @@ const (
 	snatSuffix = "_snat"
 	fwdSuffix  = "_fwd"

-	// ipv4TCPHeaderSize is the minimum IPv4 (20) + TCP (20) header size for MSS calculation.
-	ipv4TCPHeaderSize = 40
-	// ipv6TCPHeaderSize is the minimum IPv6 (40) + TCP (20) header size for MSS calculation.
-	ipv6TCPHeaderSize = 60
+	// ipTCPHeaderMinSize represents minimum IP (20) + TCP (20) header size for MSS calculation
+	ipTCPHeaderMinSize = 40
 )

 type ruleInfo struct {
@@ -88,7 +84,6 @@ type router struct {
 	wgIface          iFaceMapper
 	legacyManagement bool
 	mtu              uint16
-	v6               bool

 	stateManager *statemanager.Manager
 	ipFwdState   *ipfwdstate.IPForwardingState
@@ -100,7 +95,6 @@ func newRouter(iptablesClient *iptables.IPTables, wgIface iFaceMapper, mtu uint1
 		rules:          make(map[string][]string),
 		wgIface:        wgIface,
 		mtu:            mtu,
-		v6:             iptablesClient.Proto() == iptables.ProtocolIPv6,
 		ipFwdState:     ipfwdstate.NewIPForwardingState(),
 	}

@@ -190,11 +184,6 @@ func (r *router) AddRouteFiltering(
 	return ruleKey, nil
 }

-func (r *router) hasRule(id string) bool {
-	_, ok := r.rules[id]
-	return ok
-}
-
 func (r *router) DeleteRouteRule(rule firewall.Rule) error {
 	ruleKey := rule.ID()

@@ -398,14 +387,6 @@ func (r *router) cleanUpDefaultForwardRules() error {
 	}

 	log.Debug("flushing routing related tables")
-
-	// Remove jump rules from built-in chains before deleting custom chains,
-	// otherwise the chain deletion fails with "device or resource busy".
-	jumpRule := []string{"-j", chainNATOutput}
-	if err := r.iptablesClient.Delete(tableNat, "OUTPUT", jumpRule...); err != nil {
-		log.Debugf("clean OUTPUT jump rule: %v", err)
-	}
-
 	for _, chainInfo := range []struct {
 		chain string
 		table string
@@ -415,7 +396,6 @@ func (r *router) cleanUpDefaultForwardRules() error {
 		{chainRTPRE, tableMangle},
 		{chainRTNAT, tableNat},
 		{chainRTRDR, tableNat},
-		{chainNATOutput, tableNat},
 		{chainRTMSSCLAMP, tableMangle},
 	} {
 		ok, err := r.iptablesClient.ChainExists(chainInfo.table, chainInfo.chain)
@@ -443,12 +423,6 @@ func (r *router) createContainers() error {
 		{chainRTRDR, tableNat},
 		{chainRTMSSCLAMP, tableMangle},
 	} {
-		// Fallback: clear chains that survived an unclean shutdown.
-		if ok, _ := r.iptablesClient.ChainExists(chainInfo.table, chainInfo.chain); ok {
-			if err := r.iptablesClient.ClearAndDeleteChain(chainInfo.table, chainInfo.chain); err != nil {
-				log.Warnf("clear stale chain %s in %s: %v", chainInfo.chain, chainInfo.table, err)
-			}
-		}
 		if err := r.iptablesClient.NewChain(chainInfo.table, chainInfo.chain); err != nil {
 			return fmt.Errorf("create chain %s in table %s: %w", chainInfo.chain, chainInfo.table, err)
 		}
@@ -555,12 +529,9 @@ func (r *router) addPostroutingRules() error {
 }

 // addMSSClampingRules adds MSS clamping rules to prevent fragmentation for forwarded traffic.
+// TODO: Add IPv6 support
 func (r *router) addMSSClampingRules() error {
-	overhead := uint16(ipv4TCPHeaderSize)
-	if r.v6 {
-		overhead = ipv6TCPHeaderSize
-	}
-	mss := r.mtu - overhead
+	mss := r.mtu - ipTCPHeaderMinSize

 	// Add jump rule from FORWARD chain in mangle table to our custom chain
 	jumpRule := []string{
@@ -745,13 +716,8 @@ func (r *router) updateState() {
 	currentState.Lock()
 	defer currentState.Unlock()

-	if r.v6 {
-		currentState.RouteRules6 = r.rules
-		currentState.RouteIPsetCounter6 = r.ipsetCounter
-	} else {
-		currentState.RouteRules = r.rules
-		currentState.RouteIPsetCounter = r.ipsetCounter
-	}
+	currentState.RouteRules = r.rules
+	currentState.RouteIPsetCounter = r.ipsetCounter

 	if err := r.stateManager.UpdateState(currentState); err != nil {
 		log.Errorf("failed to update state: %v", err)
@@ -879,7 +845,7 @@ func (r *router) DeleteDNATRule(rule firewall.Rule) error {
 	}

 	if fwdRule, exists := r.rules[ruleKey+fwdSuffix]; exists {
-		if err := r.iptablesClient.Delete(tableFilter, chainRTFWDOUT, fwdRule...); err != nil {
+		if err := r.iptablesClient.Delete(tableFilter, chainRTFWDIN, fwdRule...); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("delete forward rule: %w", err))
 		}
 		delete(r.rules, ruleKey+fwdSuffix)
@@ -906,7 +872,7 @@ func (r *router) genRouteRuleSpec(params routeFilteringRuleParams, sources []net
 	rule = append(rule, destExp...)

 	if params.Proto != firewall.ProtocolALL {
-		rule = append(rule, "-p", strings.ToLower(protoForFamily(params.Proto, r.v6)))
+		rule = append(rule, "-p", strings.ToLower(string(params.Proto)))
 		rule = append(rule, applyPort("--sport", params.SPort)...)
 		rule = append(rule, applyPort("--dport", params.DPort)...)
 	}
@@ -923,12 +889,11 @@ func (r *router) applyNetwork(flag string, network firewall.Network, prefixes []
 	}

 	if network.IsSet() {
-		name := r.ipsetName(network.Set.HashedName())
-		if _, err := r.ipsetCounter.Increment(name, prefixes); err != nil {
+		if _, err := r.ipsetCounter.Increment(network.Set.HashedName(), prefixes); err != nil {
 			return nil, fmt.Errorf("create or get ipset: %w", err)
 		}

-		return []string{"-m", "set", matchSet, name, direction}, nil
+		return []string{"-m", "set", matchSet, network.Set.HashedName(), direction}, nil
 	}
 	if network.IsPrefix() {
 		return []string{flag, network.Prefix.String()}, nil
@@ -939,15 +904,19 @@ func (r *router) applyNetwork(flag string, network firewall.Network, prefixes []
 }

 func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
-	name := r.ipsetName(set.HashedName())
 	var merr *multierror.Error
 	for _, prefix := range prefixes {
-		if err := r.addPrefixToIPSet(name, prefix); err != nil {
+		// TODO: Implement IPv6 support
+		if prefix.Addr().Is6() {
+			log.Tracef("skipping IPv6 prefix %s: IPv6 support not yet implemented", prefix)
+			continue
+		}
+		if err := r.addPrefixToIPSet(set.HashedName(), prefix); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("add prefix to ipset: %w", err))
 		}
 	}
 	if merr == nil {
-		log.Debugf("updated set %s with prefixes %v", name, prefixes)
+		log.Debugf("updated set %s with prefixes %v", set.HashedName(), prefixes)
 	}

 	return nberrors.FormatErrorOrNil(merr)
@@ -963,7 +932,7 @@ func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol

 	dnatRule := []string{
 		"-i", r.wgIface.Name(),
-		"-p", strings.ToLower(protoForFamily(protocol, r.v6)),
+		"-p", strings.ToLower(string(protocol)),
 		"--dport", strconv.Itoa(int(sourcePort)),
 		"-d", localAddr.String(),
 		"-m", "addrtype", "--dst-type", "LOCAL",
@@ -1001,81 +970,6 @@ func (r *router) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Proto
 	return nil
 }

-// ensureNATOutputChain lazily creates the OUTPUT NAT chain and jump rule on first use.
-func (r *router) ensureNATOutputChain() error {
-	if _, exists := r.rules[jumpNatOutput]; exists {
-		return nil
-	}
-
-	chainExists, err := r.iptablesClient.ChainExists(tableNat, chainNATOutput)
-	if err != nil {
-		return fmt.Errorf("check chain %s: %w", chainNATOutput, err)
-	}
-	if !chainExists {
-		if err := r.iptablesClient.NewChain(tableNat, chainNATOutput); err != nil {
-			return fmt.Errorf("create chain %s: %w", chainNATOutput, err)
-		}
-	}
-
-	jumpRule := []string{"-j", chainNATOutput}
-	if err := r.iptablesClient.Insert(tableNat, "OUTPUT", 1, jumpRule...); err != nil {
-		if !chainExists {
-			if delErr := r.iptablesClient.ClearAndDeleteChain(tableNat, chainNATOutput); delErr != nil {
-				log.Warnf("failed to rollback chain %s: %v", chainNATOutput, delErr)
-			}
-		}
-		return fmt.Errorf("add OUTPUT jump rule: %w", err)
-	}
-	r.rules[jumpNatOutput] = jumpRule
-
-	r.updateState()
-	return nil
-}
-
-// AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
-func (r *router) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	ruleID := fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
-
-	if _, exists := r.rules[ruleID]; exists {
-		return nil
-	}
-
-	if err := r.ensureNATOutputChain(); err != nil {
-		return err
-	}
-
-	dnatRule := []string{
-		"-p", strings.ToLower(string(protocol)),
-		"--dport", strconv.Itoa(int(sourcePort)),
-		"-d", localAddr.String(),
-		"-j", "DNAT",
-		"--to-destination", ":" + strconv.Itoa(int(targetPort)),
-	}
-
-	if err := r.iptablesClient.Append(tableNat, chainNATOutput, dnatRule...); err != nil {
-		return fmt.Errorf("add output DNAT rule: %w", err)
-	}
-	r.rules[ruleID] = dnatRule
-
-	r.updateState()
-	return nil
-}
-
-// RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
-func (r *router) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	ruleID := fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
-
-	if dnatRule, exists := r.rules[ruleID]; exists {
-		if err := r.iptablesClient.Delete(tableNat, chainNATOutput, dnatRule...); err != nil {
-			return fmt.Errorf("delete output DNAT rule: %w", err)
-		}
-		delete(r.rules, ruleID)
-	}
-
-	r.updateState()
-	return nil
-}
-
 func applyPort(flag string, port *firewall.Port) []string {
 	if port == nil {
 		return nil
@@ -1096,22 +990,10 @@ func applyPort(flag string, port *firewall.Port) []string {
 	return []string{flag, strconv.Itoa(int(port.Values[0]))}
 }

-// ipsetName returns the ipset name, suffixed with "-v6" for the v6 router
-// to avoid collisions since ipsets are global in the kernel.
-func (r *router) ipsetName(name string) string {
-	if r.v6 {
-		return name + "-v6"
-	}
-	return name
-}
-
 func (r *router) createIPSet(name string) error {
 	opts := ipset.CreateOptions{
 		Replace: true,
 	}
-	if r.v6 {
-		opts.Family = ipset.FamilyIPV6
-	}

 	if err := ipset.Create(name, ipset.TypeHashNet, opts); err != nil {
 		return fmt.Errorf("create ipset %s: %w", name, err)
--- a/client/firewall/iptables/rule.go
+++ b/client/firewall/iptables/rule.go
@@ -9,7 +9,6 @@ type Rule struct {
 	mangleSpecs []string
 	ip          string
 	chain       string
-	v6          bool
 }

 // GetRuleID returns the rule id
--- a/client/firewall/iptables/state_linux.go
+++ b/client/firewall/iptables/state_linux.go
@@ -4,8 +4,6 @@ import (
 	"fmt"
 	"sync"

-	log "github.com/sirupsen/logrus"
-
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
@@ -39,12 +37,6 @@ type ShutdownState struct {

 	ACLEntries    aclEntries  `json:"acl_entries,omitempty"`
 	ACLIPsetStore *ipsetStore `json:"acl_ipset_store,omitempty"`
-
-	// IPv6 counterparts
-	RouteRules6        routeRules    `json:"route_rules_v6,omitempty"`
-	RouteIPsetCounter6 *ipsetCounter `json:"route_ipset_counter_v6,omitempty"`
-	ACLEntries6        aclEntries    `json:"acl_entries_v6,omitempty"`
-	ACLIPsetStore6     *ipsetStore   `json:"acl_ipset_store_v6,omitempty"`
 }

 func (s *ShutdownState) Name() string {
@@ -75,28 +67,6 @@ func (s *ShutdownState) Cleanup() error {
 		ipt.aclMgr.ipsetStore = s.ACLIPsetStore
 	}

-	// Clean up v6 state even if the current run has no IPv6.
-	// The previous run may have left ip6tables rules behind.
-	if !ipt.hasIPv6() {
-		if err := ipt.createIPv6Components(s.InterfaceState, mtu); err != nil {
-			log.Warnf("failed to create v6 components for cleanup: %v", err)
-		}
-	}
-	if ipt.hasIPv6() {
-		if s.RouteRules6 != nil {
-			ipt.router6.rules = s.RouteRules6
-		}
-		if s.RouteIPsetCounter6 != nil {
-			ipt.router6.ipsetCounter.LoadData(s.RouteIPsetCounter6)
-		}
-		if s.ACLEntries6 != nil {
-			ipt.aclMgr6.entries = s.ACLEntries6
-		}
-		if s.ACLIPsetStore6 != nil {
-			ipt.aclMgr6.ipsetStore = s.ACLIPsetStore6
-		}
-	}
-
 	if err := ipt.Close(nil); err != nil {
 		return fmt.Errorf("reset iptables manager: %w", err)
 	}
--- a/client/firewall/manager/firewall.go
+++ b/client/firewall/manager/firewall.go
@@ -168,18 +168,6 @@ type Manager interface {

 	// RemoveInboundDNAT removes inbound DNAT rule
 	RemoveInboundDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
-
-	// AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
-	// localAddr must be IPv4; the underlying iptables/nftables backends are IPv4-only.
-	AddOutputDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
-
-	// RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
-	// localAddr must be IPv4; the underlying iptables/nftables backends are IPv4-only.
-	RemoveOutputDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
-
-	// SetupEBPFProxyNoTrack creates static notrack rules for eBPF proxy loopback traffic.
-	// This prevents conntrack from interfering with WireGuard proxy communication.
-	SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error
 }

 func GenKey(format string, pair RouterPair) string {
--- a/client/firewall/nftables/acl_linux.go
+++ b/client/firewall/nftables/acl_linux.go
@@ -33,12 +33,15 @@ const (

 const flushError = "flush: %w"

+var (
+	anyIP = []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
+)
+
 type AclManager struct {
 	rConn              *nftables.Conn
 	sConn              *nftables.Conn
 	wgIface            iFaceMapper
 	routingFwChainName string
-	af                 addrFamily

 	workTable       *nftables.Table
 	chainInputRules *nftables.Chain
@@ -64,7 +67,6 @@ func newAclManager(table *nftables.Table, wgIface iFaceMapper, routingFwChainNam
 		wgIface:            wgIface,
 		workTable:          table,
 		routingFwChainName: routingFwChainName,
-		af:                 familyForAddr(table.Family == nftables.TableFamilyIPv4),

 		ipsetStore: newIpsetStore(),
 		rules:      make(map[string]*Rule),
@@ -143,7 +145,7 @@ func (m *AclManager) DeletePeerRule(rule firewall.Rule) error {
 	}

 	if _, ok := ips[r.ip.String()]; ok {
-		err := m.sConn.SetDeleteElements(r.nftSet, []nftables.SetElement{{Key: ipToBytes(r.ip, m.af)}})
+		err := m.sConn.SetDeleteElements(r.nftSet, []nftables.SetElement{{Key: r.ip.To4()}})
 		if err != nil {
 			log.Errorf("delete elements for set %q: %v", r.nftSet.Name, err)
 		}
@@ -252,11 +254,11 @@ func (m *AclManager) addIOFiltering(
 		expressions = append(expressions, &expr.Payload{
 			DestRegister: 1,
 			Base:         expr.PayloadBaseNetworkHeader,
-			Offset:       m.af.protoOffset,
+			Offset:       uint32(9),
 			Len:          uint32(1),
 		})

-		protoData, err := m.af.protoNum(proto)
+		protoData, err := protoToInt(proto)
 		if err != nil {
 			return nil, fmt.Errorf("convert protocol to number: %v", err)
 		}
@@ -268,16 +270,19 @@ func (m *AclManager) addIOFiltering(
 		})
 	}

-	rawIP := ipToBytes(ip, m.af)
+	rawIP := ip.To4()
 	// check if rawIP contains zeroed IPv4 0.0.0.0 value
 	// in that case not add IP match expression into the rule definition
-	if slices.ContainsFunc(rawIP, func(v byte) bool { return v != 0 }) {
+	if !bytes.HasPrefix(anyIP, rawIP) {
+		// source address position
+		addrOffset := uint32(12)
+
 		expressions = append(expressions,
 			&expr.Payload{
 				DestRegister: 1,
 				Base:         expr.PayloadBaseNetworkHeader,
-				Offset:       m.af.srcAddrOffset,
-				Len:          m.af.addrLen,
+				Offset:       addrOffset,
+				Len:          4,
 			},
 		)
 		// add individual IP for match if no ipset defined
@@ -582,7 +587,7 @@ func (m *AclManager) addJumpRule(chain *nftables.Chain, to string, ifaceKey expr

 func (m *AclManager) addIpToSet(ipsetName string, ip net.IP) (*nftables.Set, error) {
 	ipset, err := m.rConn.GetSetByName(m.workTable, ipsetName)
-	rawIP := ipToBytes(ip, m.af)
+	rawIP := ip.To4()
 	if err != nil {
 		if ipset, err = m.createSet(m.workTable, ipsetName); err != nil {
 			return nil, fmt.Errorf("get set name: %v", err)
@@ -614,7 +619,7 @@ func (m *AclManager) createSet(table *nftables.Table, name string) (*nftables.Se
 		Name:    name,
 		Table:   table,
 		Dynamic: true,
-		KeyType: m.af.setKeyType,
+		KeyType: nftables.TypeIPAddr,
 	}

 	if err := m.rConn.AddSet(ipset, nil); err != nil {
@@ -702,12 +707,15 @@ func ifname(n string) []byte {
 	return b
 }

-
-// ipToBytes converts net.IP to the correct byte length for the address family.
-func ipToBytes(ip net.IP, af addrFamily) []byte {
-	if af.addrLen == 4 {
-		return ip.To4()
+func protoToInt(protocol firewall.Protocol) (uint8, error) {
+	switch protocol {
+	case firewall.ProtocolTCP:
+		return unix.IPPROTO_TCP, nil
+	case firewall.ProtocolUDP:
+		return unix.IPPROTO_UDP, nil
+	case firewall.ProtocolICMP:
+		return unix.IPPROTO_ICMP, nil
 	}
-	return ip.To16()
-}

+	return 0, fmt.Errorf("unsupported protocol: %s", protocol)
+}
--- a/client/firewall/nftables/addr_family_linux.go
+++ b/client/firewall/nftables/addr_family_linux.go
@@ -1,81 +0,0 @@
-package nftables
-
-import (
-	"fmt"
-	"net"
-
-	"github.com/google/nftables"
-	"golang.org/x/sys/unix"
-
-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-)
-
-var (
-	// afIPv4 defines IPv4 header layout and nftables types.
-	afIPv4 = addrFamily{
-		protoOffset:   9,
-		srcAddrOffset: 12,
-		dstAddrOffset: 16,
-		addrLen:       net.IPv4len,
-		totalBits:     8 * net.IPv4len,
-		setKeyType:    nftables.TypeIPAddr,
-		tableFamily:   nftables.TableFamilyIPv4,
-		icmpProto:     unix.IPPROTO_ICMP,
-	}
-	// afIPv6 defines IPv6 header layout and nftables types.
-	afIPv6 = addrFamily{
-		protoOffset:   6,
-		srcAddrOffset: 8,
-		dstAddrOffset: 24,
-		addrLen:       net.IPv6len,
-		totalBits:     8 * net.IPv6len,
-		setKeyType:    nftables.TypeIP6Addr,
-		tableFamily:   nftables.TableFamilyIPv6,
-		icmpProto:     unix.IPPROTO_ICMPV6,
-	}
-)
-
-// addrFamily holds protocol-specific constants for nftables expression building.
-type addrFamily struct {
-	// protoOffset is the IP header offset for the protocol/next-header field (9 for v4, 6 for v6)
-	protoOffset uint32
-	// srcAddrOffset is the IP header offset for the source address (12 for v4, 8 for v6)
-	srcAddrOffset uint32
-	// dstAddrOffset is the IP header offset for the destination address (16 for v4, 24 for v6)
-	dstAddrOffset uint32
-	// addrLen is the byte length of addresses (4 for v4, 16 for v6)
-	addrLen uint32
-	// totalBits is the address size in bits (32 for v4, 128 for v6)
-	totalBits int
-	// setKeyType is the nftables set data type for addresses
-	setKeyType nftables.SetDatatype
-	// tableFamily is the nftables table family
-	tableFamily nftables.TableFamily
-	// icmpProto is the ICMP protocol number for this family (1 for v4, 58 for v6)
-	icmpProto uint8
-}
-
-// familyForAddr returns the address family for the given IP.
-func familyForAddr(is4 bool) addrFamily {
-	if is4 {
-		return afIPv4
-	}
-	return afIPv6
-}
-
-// protoNum converts a firewall protocol to the IP protocol number,
-// using the correct ICMP variant for the address family.
-func (af addrFamily) protoNum(protocol firewall.Protocol) (uint8, error) {
-	switch protocol {
-	case firewall.ProtocolTCP:
-		return unix.IPPROTO_TCP, nil
-	case firewall.ProtocolUDP:
-		return unix.IPPROTO_UDP, nil
-	case firewall.ProtocolICMP:
-		return af.icmpProto, nil
-	case firewall.ProtocolALL:
-		return 0, nil
-	default:
-		return 0, fmt.Errorf("unsupported protocol: %s", protocol)
-	}
-}
--- a/client/firewall/nftables/manager_linux.go
+++ b/client/firewall/nftables/manager_linux.go
@@ -11,11 +11,8 @@ import (
 	"github.com/google/nftables"
 	"github.com/google/nftables/binaryutil"
 	"github.com/google/nftables/expr"
-	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
-	"golang.org/x/sys/unix"

-	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
@@ -53,13 +50,6 @@ type Manager struct {

 	router     *router
 	aclManager *AclManager
-
-	// IPv6 counterparts, nil when no v6 overlay
-	router6     *router
-	aclManager6 *AclManager
-
-	notrackOutputChain     *nftables.Chain
-	notrackPreroutingChain *nftables.Chain
 }

 // Create nftables firewall manager
@@ -69,8 +59,7 @@ func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
 		wgIface: wgIface,
 	}

-	tableName := getTableName()
-	workTable := &nftables.Table{Name: tableName, Family: nftables.TableFamilyIPv4}
+	workTable := &nftables.Table{Name: getTableName(), Family: nftables.TableFamilyIPv4}

 	var err error
 	m.router, err = newRouter(workTable, wgIface, mtu)
@@ -83,70 +72,11 @@ func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
 		return nil, fmt.Errorf("create acl manager: %w", err)
 	}

-	if wgIface.Address().HasIPv6() {
-		if err := m.createIPv6Components(tableName, wgIface, mtu); err != nil {
-			return nil, fmt.Errorf("create IPv6 firewall: %w", err)
-		}
-	}
-
 	return m, nil
 }

-func (m *Manager) createIPv6Components(tableName string, wgIface iFaceMapper, mtu uint16) error {
-	workTable6 := &nftables.Table{Name: tableName, Family: nftables.TableFamilyIPv6}
-
-	var err error
-	m.router6, err = newRouter(workTable6, wgIface, mtu)
-	if err != nil {
-		return fmt.Errorf("create v6 router: %w", err)
-	}
-
-	// Share the same IP forwarding state with the v4 router, since
-	// EnableIPForwarding controls both v4 and v6 sysctls.
-	m.router6.ipFwdState = m.router.ipFwdState
-
-	m.aclManager6, err = newAclManager(workTable6, wgIface, chainNameRoutingFw)
-	if err != nil {
-		return fmt.Errorf("create v6 acl manager: %w", err)
-	}
-
-	return nil
-}
-
-// hasIPv6 reports whether the manager has IPv6 components initialized.
-func (m *Manager) hasIPv6() bool {
-	return m.router6 != nil
-}
-
-func (m *Manager) initIPv6() error {
-	workTable6, err := m.createWorkTableFamily(nftables.TableFamilyIPv6)
-	if err != nil {
-		return fmt.Errorf("create v6 work table: %w", err)
-	}
-
-	if err := m.router6.init(workTable6); err != nil {
-		return fmt.Errorf("v6 router init: %w", err)
-	}
-
-	if err := m.aclManager6.init(workTable6); err != nil {
-		return fmt.Errorf("v6 acl manager init: %w", err)
-	}
-
-	return nil
-}
-
 // Init nftables firewall manager
 func (m *Manager) Init(stateManager *statemanager.Manager) error {
-	if err := m.initFirewall(); err != nil {
-		return err
-	}
-
-	m.persistState(stateManager)
-
-	return nil
-}
-
-func (m *Manager) initFirewall() error {
 	workTable, err := m.createWorkTable()
 	if err != nil {
 		return fmt.Errorf("create work table: %w", err)
@@ -157,32 +87,16 @@ func (m *Manager) initFirewall() error {
 	}

 	if err := m.aclManager.init(workTable); err != nil {
-		m.rollbackInit()
+		// TODO: cleanup router
 		return fmt.Errorf("acl manager init: %w", err)
 	}

-	if m.hasIPv6() {
-		if err := m.initIPv6(); err != nil {
-			// Peer has a v6 address: v6 firewall MUST work or we risk fail-open.
-			m.rollbackInit()
-			return fmt.Errorf("init IPv6 firewall (required because peer has IPv6 address): %w", err)
-		}
-	}
-
-	if err := m.initNoTrackChains(workTable); err != nil {
-		log.Warnf("raw priority chains not available, notrack rules will be disabled: %v", err)
-	}
-
-	return nil
-}
-
-// persistState saves the current interface state for potential recreation on restart.
-// Unlike iptables, which requires tracking individual rules, nftables maintains
-// a known state (our netbird table plus a few static rules). This allows for easy
-// cleanup using Close() without needing to store specific rules.
-func (m *Manager) persistState(stateManager *statemanager.Manager) {
 	stateManager.RegisterState(&ShutdownState{})

+	// We only need to record minimal interface state for potential recreation.
+	// Unlike iptables, which requires tracking individual rules, nftables maintains
+	// a known state (our netbird table plus a few static rules). This allows for easy
+	// cleanup using Close() without needing to store specific rules.
 	if err := stateManager.UpdateState(&ShutdownState{
 		InterfaceState: &InterfaceState{
 			NameStr:       m.wgIface.Name(),
@@ -194,29 +108,14 @@ func (m *Manager) persistState(stateManager *statemanager.Manager) {
 		log.Errorf("failed to update state: %v", err)
 	}

+	// persist early
 	go func() {
 		if err := stateManager.PersistState(context.Background()); err != nil {
 			log.Errorf("failed to persist state: %v", err)
 		}
 	}()
-}

-// rollbackInit performs best-effort cleanup of already-initialized state when Init fails partway through.
-func (m *Manager) rollbackInit() {
-	if err := m.router.Reset(); err != nil {
-		log.Warnf("rollback router: %v", err)
-	}
-	if m.hasIPv6() {
-		if err := m.router6.Reset(); err != nil {
-			log.Warnf("rollback v6 router: %v", err)
-		}
-	}
-	if err := m.cleanupNetbirdTables(); err != nil {
-		log.Warnf("cleanup tables: %v", err)
-	}
-	if err := m.rConn.Flush(); err != nil {
-		log.Warnf("flush: %v", err)
-	}
+	return nil
 }

 // AddPeerFiltering rule to the firewall
@@ -235,14 +134,12 @@ func (m *Manager) AddPeerFiltering(
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if ip.To4() != nil {
-		return m.aclManager.AddPeerFiltering(id, ip, proto, sPort, dPort, action, ipsetName)
+	rawIP := ip.To4()
+	if rawIP == nil {
+		return nil, fmt.Errorf("unsupported IP version: %s", ip.String())
 	}

-	if !m.hasIPv6() {
-		return nil, fmt.Errorf("IPv6 not initialized, cannot add rule for %s", ip)
-	}
-	return m.aclManager6.AddPeerFiltering(id, ip, proto, sPort, dPort, action, ipsetName)
+	return m.aclManager.AddPeerFiltering(id, ip, proto, sPort, dPort, action, ipsetName)
 }

 func (m *Manager) AddRouteFiltering(
@@ -256,11 +153,8 @@ func (m *Manager) AddRouteFiltering(
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if isIPv6RouteRule(sources, destination) {
-		if !m.hasIPv6() {
-			return nil, fmt.Errorf("IPv6 not initialized, cannot add route rule")
-		}
-		return m.router6.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
+	if destination.IsPrefix() && !destination.Prefix.Addr().Is4() {
+		return nil, fmt.Errorf("unsupported IP version: %s", destination.Prefix.Addr().String())
 	}

 	return m.router.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
@@ -271,38 +165,14 @@ func (m *Manager) DeletePeerRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if m.hasIPv6() && isIPv6Rule(rule) {
-		return m.aclManager6.DeletePeerRule(rule)
-	}
 	return m.aclManager.DeletePeerRule(rule)
 }

-func isIPv6Rule(rule firewall.Rule) bool {
-	r, ok := rule.(*Rule)
-	return ok && r.nftRule != nil && r.nftRule.Table != nil && r.nftRule.Table.Family == nftables.TableFamilyIPv6
-}
-
-// isIPv6RouteRule determines whether a route rule belongs to the v6 table.
-// For static routes, the destination prefix determines the family. For dynamic
-// routes (DomainSet), the sources determine the family since management
-// duplicates dynamic rules per family.
-func isIPv6RouteRule(sources []netip.Prefix, destination firewall.Network) bool {
-	if destination.IsPrefix() {
-		return destination.Prefix.Addr().Is6()
-	}
-	return len(sources) > 0 && sources[0].Addr().Is6()
-}
-
-// DeleteRouteRule deletes a routing rule.
-// Route rules are keyed by content hash, so the rule exists in exactly one
-// router. We check v4 first; if the key isn't there, try v6.
+// DeleteRouteRule deletes a routing rule
 func (m *Manager) DeleteRouteRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if m.hasIPv6() && !m.router.hasRule(rule.ID()) {
-		return m.router6.DeleteRouteRule(rule)
-	}
 	return m.router.DeleteRouteRule(rule)
 }

@@ -318,63 +188,17 @@ func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if pair.Destination.IsPrefix() && pair.Destination.Prefix.Addr().Is6() {
-		if !m.hasIPv6() {
-			return fmt.Errorf("IPv6 not initialized, cannot add NAT rule")
-		}
-		return m.router6.AddNatRule(pair)
-	}
-
-	if err := m.router.AddNatRule(pair); err != nil {
-		return err
-	}
-
-	// Dynamic routes (DomainSet) need NAT in both tables since resolved IPs
-	// can be either v4 or v6.
-	if m.hasIPv6() && pair.Destination.IsSet() {
-		v6Pair := pair
-		v6Pair.Source = firewall.Network{Prefix: netip.PrefixFrom(netip.IPv6Unspecified(), 0)}
-		if err := m.router6.AddNatRule(v6Pair); err != nil {
-			return fmt.Errorf("add v6 NAT rule: %w", err)
-		}
-	}
-
-	return nil
+	return m.router.AddNatRule(pair)
 }

 func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if pair.Destination.IsPrefix() && pair.Destination.Prefix.Addr().Is6() {
-		if !m.hasIPv6() {
-			return nil
-		}
-		return m.router6.RemoveNatRule(pair)
-	}
-
-	if err := m.router.RemoveNatRule(pair); err != nil {
-		return err
-	}
-
-	if m.hasIPv6() && pair.Destination.IsSet() {
-		v6Pair := pair
-		v6Pair.Source = firewall.Network{Prefix: netip.PrefixFrom(netip.IPv6Unspecified(), 0)}
-		if err := m.router6.RemoveNatRule(v6Pair); err != nil {
-			return fmt.Errorf("remove v6 NAT rule: %w", err)
-		}
-	}
-
-	return nil
+	return m.router.RemoveNatRule(pair)
 }

-// AllowNetbird allows netbird interface traffic.
-// TODO: In USP mode this only adds ACCEPT to the netbird table's own chains,
-// which doesn't override DROP rules in external tables (e.g. firewalld).
-// Should add passthrough rules to external chains (like the native mode router's
-// addExternalChainsRules does) for both the netbird table family and inet tables.
-// The netbird table itself is fine (routing chains already exist there), but
-// non-netbird tables with INPUT/FORWARD hooks can still DROP our WG traffic.
+// AllowNetbird allows netbird interface traffic
 func (m *Manager) AllowNetbird() error {
 	if !m.wgIface.IsUserspaceBind() {
 		return nil
@@ -386,11 +210,6 @@ func (m *Manager) AllowNetbird() error {
 	if err := m.aclManager.createDefaultAllowRules(); err != nil {
 		return fmt.Errorf("create default allow rules: %w", err)
 	}
-	if m.hasIPv6() {
-		if err := m.aclManager6.createDefaultAllowRules(); err != nil {
-			return fmt.Errorf("create v6 default allow rules: %w", err)
-		}
-	}
 	if err := m.rConn.Flush(); err != nil {
 		return fmt.Errorf("flush allow input netbird rules: %w", err)
 	}
@@ -400,13 +219,7 @@ func (m *Manager) AllowNetbird() error {

 // SetLegacyManagement sets the route manager to use legacy management
 func (m *Manager) SetLegacyManagement(isLegacy bool) error {
-	if err := firewall.SetLegacyManagement(m.router, isLegacy); err != nil {
-		return err
-	}
-	if m.hasIPv6() {
-		return firewall.SetLegacyManagement(m.router6, isLegacy)
-	}
-	return nil
+	return firewall.SetLegacyManagement(m.router, isLegacy)
 }

 // Close closes the firewall manager
@@ -414,31 +227,23 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	var merr *multierror.Error
-
 	if err := m.router.Reset(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("reset router: %v", err))
-	}
-
-	if m.hasIPv6() {
-		if err := m.router6.Reset(); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("reset v6 router: %v", err))
-		}
+		return fmt.Errorf("reset router: %v", err)
 	}

 	if err := m.cleanupNetbirdTables(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("cleanup netbird tables: %v", err))
+		return fmt.Errorf("cleanup netbird tables: %v", err)
 	}

 	if err := m.rConn.Flush(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf(flushError, err))
+		return fmt.Errorf(flushError, err)
 	}

 	if err := stateManager.DeleteState(&ShutdownState{}); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("delete state: %v", err))
+		return fmt.Errorf("delete state: %v", err)
 	}

-	return nberrors.FormatErrorOrNil(merr)
+	return nil
 }

 func (m *Manager) cleanupNetbirdTables() error {
@@ -483,21 +288,7 @@ func (m *Manager) Flush() error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if err := m.aclManager.Flush(); err != nil {
-		return err
-	}
-
-	if m.hasIPv6() {
-		if err := m.aclManager6.Flush(); err != nil {
-			return fmt.Errorf("flush v6 acl: %w", err)
-		}
-	}
-
-	if err := m.refreshNoTrackChains(); err != nil {
-		log.Errorf("failed to refresh notrack chains: %v", err)
-	}
-
-	return nil
+	return m.aclManager.Flush()
 }

 // AddDNATRule adds a DNAT rule
@@ -505,9 +296,6 @@ func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error)
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if m.hasIPv6() && rule.TranslatedAddress.Is6() {
-		return m.router6.AddDNATRule(rule)
-	}
 	return m.router.AddDNATRule(rule)
 }

@@ -516,9 +304,6 @@ func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if m.hasIPv6() && !m.router.hasDNATRule(rule.ID()) {
-		return m.router6.DeleteDNATRule(rule)
-	}
 	return m.router.DeleteDNATRule(rule)
 }

@@ -527,26 +312,7 @@ func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	var v4Prefixes, v6Prefixes []netip.Prefix
-	for _, p := range prefixes {
-		if p.Addr().Is6() {
-			v6Prefixes = append(v6Prefixes, p)
-		} else {
-			v4Prefixes = append(v4Prefixes, p)
-		}
-	}
-
-	if err := m.router.UpdateSet(set, v4Prefixes); err != nil {
-		return err
-	}
-
-	if m.hasIPv6() && len(v6Prefixes) > 0 {
-		if err := m.router6.UpdateSet(set, v6Prefixes); err != nil {
-			return fmt.Errorf("update v6 set: %w", err)
-		}
-	}
-
-	return nil
+	return m.router.UpdateSet(set, prefixes)
 }

 // AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
@@ -554,9 +320,6 @@ func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protoco
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if m.hasIPv6() && localAddr.Is6() {
-		return m.router6.AddInboundDNAT(localAddr, protocol, sourcePort, targetPort)
-	}
 	return m.router.AddInboundDNAT(localAddr, protocol, sourcePort, targetPort)
 }

@@ -565,204 +328,11 @@ func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Prot
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if m.hasIPv6() && localAddr.Is6() {
-		return m.router6.RemoveInboundDNAT(localAddr, protocol, sourcePort, targetPort)
-	}
 	return m.router.RemoveInboundDNAT(localAddr, protocol, sourcePort, targetPort)
 }

-// AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
-func (m *Manager) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.AddOutputDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
-// RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
-func (m *Manager) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.RemoveOutputDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
-const (
-	chainNameRawOutput     = "netbird-raw-out"
-	chainNameRawPrerouting = "netbird-raw-pre"
-)
-
-// SetupEBPFProxyNoTrack creates notrack rules for eBPF proxy loopback traffic.
-// This prevents conntrack from tracking WireGuard proxy traffic on loopback, which
-// can interfere with MASQUERADE rules (e.g., from container runtimes like Podman/netavark).
-//
-// Traffic flows that need NOTRACK:
-//
-//  1. Egress: WireGuard -> fake endpoint (before eBPF rewrite)
-//     src=127.0.0.1:wgPort -> dst=127.0.0.1:fakePort
-//     Matched by: sport=wgPort
-//
-//  2. Egress: Proxy -> WireGuard (via raw socket)
-//     src=127.0.0.1:fakePort -> dst=127.0.0.1:wgPort
-//     Matched by: dport=wgPort
-//
-//  3. Ingress: Packets to WireGuard
-//     dst=127.0.0.1:wgPort
-//     Matched by: dport=wgPort
-//
-//  4. Ingress: Packets to proxy (after eBPF rewrite)
-//     dst=127.0.0.1:proxyPort
-//     Matched by: dport=proxyPort
-//
-// Rules are cleaned up when the firewall manager is closed.
-func (m *Manager) SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	if m.notrackOutputChain == nil || m.notrackPreroutingChain == nil {
-		return fmt.Errorf("notrack chains not initialized")
-	}
-
-	proxyPortBytes := binaryutil.BigEndian.PutUint16(proxyPort)
-	wgPortBytes := binaryutil.BigEndian.PutUint16(wgPort)
-	loopback := []byte{127, 0, 0, 1}
-
-	// Egress rules: match outgoing loopback UDP packets
-	m.rConn.AddRule(&nftables.Rule{
-		Table: m.notrackOutputChain.Table,
-		Chain: m.notrackOutputChain,
-		Exprs: []expr.Any{
-			&expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1},
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: ifname("lo")},
-			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 12, Len: 4}, // saddr
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
-			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 16, Len: 4}, // daddr
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
-			&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte{unix.IPPROTO_UDP}},
-			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseTransportHeader, Offset: 0, Len: 2},
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: wgPortBytes}, // sport=wgPort
-			&expr.Counter{},
-			&expr.Notrack{},
-		},
-	})
-	m.rConn.AddRule(&nftables.Rule{
-		Table: m.notrackOutputChain.Table,
-		Chain: m.notrackOutputChain,
-		Exprs: []expr.Any{
-			&expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1},
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: ifname("lo")},
-			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 12, Len: 4}, // saddr
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
-			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 16, Len: 4}, // daddr
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
-			&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte{unix.IPPROTO_UDP}},
-			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseTransportHeader, Offset: 2, Len: 2},
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: wgPortBytes}, // dport=wgPort
-			&expr.Counter{},
-			&expr.Notrack{},
-		},
-	})
-
-	// Ingress rules: match incoming loopback UDP packets
-	m.rConn.AddRule(&nftables.Rule{
-		Table: m.notrackPreroutingChain.Table,
-		Chain: m.notrackPreroutingChain,
-		Exprs: []expr.Any{
-			&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: ifname("lo")},
-			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 12, Len: 4}, // saddr
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
-			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 16, Len: 4}, // daddr
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
-			&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte{unix.IPPROTO_UDP}},
-			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseTransportHeader, Offset: 2, Len: 2},
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: wgPortBytes}, // dport=wgPort
-			&expr.Counter{},
-			&expr.Notrack{},
-		},
-	})
-	m.rConn.AddRule(&nftables.Rule{
-		Table: m.notrackPreroutingChain.Table,
-		Chain: m.notrackPreroutingChain,
-		Exprs: []expr.Any{
-			&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: ifname("lo")},
-			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 12, Len: 4}, // saddr
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
-			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 16, Len: 4}, // daddr
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
-			&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte{unix.IPPROTO_UDP}},
-			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseTransportHeader, Offset: 2, Len: 2},
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: proxyPortBytes}, // dport=proxyPort
-			&expr.Counter{},
-			&expr.Notrack{},
-		},
-	})
-
-	if err := m.rConn.Flush(); err != nil {
-		return fmt.Errorf("flush notrack rules: %w", err)
-	}
-
-	log.Debugf("set up ebpf proxy notrack rules for ports %d,%d", proxyPort, wgPort)
-	return nil
-}
-
-func (m *Manager) initNoTrackChains(table *nftables.Table) error {
-	m.notrackOutputChain = m.rConn.AddChain(&nftables.Chain{
-		Name:     chainNameRawOutput,
-		Table:    table,
-		Type:     nftables.ChainTypeFilter,
-		Hooknum:  nftables.ChainHookOutput,
-		Priority: nftables.ChainPriorityRaw,
-	})
-
-	m.notrackPreroutingChain = m.rConn.AddChain(&nftables.Chain{
-		Name:     chainNameRawPrerouting,
-		Table:    table,
-		Type:     nftables.ChainTypeFilter,
-		Hooknum:  nftables.ChainHookPrerouting,
-		Priority: nftables.ChainPriorityRaw,
-	})
-
-	if err := m.rConn.Flush(); err != nil {
-		return fmt.Errorf("flush chain creation: %w", err)
-	}
-
-	return nil
-}
-
-func (m *Manager) refreshNoTrackChains() error {
-	chains, err := m.rConn.ListChainsOfTableFamily(nftables.TableFamilyIPv4)
-	if err != nil {
-		return fmt.Errorf("list chains: %w", err)
-	}
-
-	tableName := getTableName()
-	for _, c := range chains {
-		if c.Table.Name != tableName {
-			continue
-		}
-		switch c.Name {
-		case chainNameRawOutput:
-			m.notrackOutputChain = c
-		case chainNameRawPrerouting:
-			m.notrackPreroutingChain = c
-		}
-	}
-
-	return nil
-}
-
 func (m *Manager) createWorkTable() (*nftables.Table, error) {
-	return m.createWorkTableFamily(nftables.TableFamilyIPv4)
-}
-
-func (m *Manager) createWorkTableFamily(family nftables.TableFamily) (*nftables.Table, error) {
-	tables, err := m.rConn.ListTablesOfFamily(family)
+	tables, err := m.rConn.ListTablesOfFamily(nftables.TableFamilyIPv4)
 	if err != nil {
 		return nil, fmt.Errorf("list of tables: %w", err)
 	}
@@ -774,7 +344,7 @@ func (m *Manager) createWorkTableFamily(family nftables.TableFamily) (*nftables.
 		}
 	}

-	table := m.rConn.AddTable(&nftables.Table{Name: tableName, Family: family})
+	table := m.rConn.AddTable(&nftables.Table{Name: getTableName(), Family: nftables.TableFamilyIPv4})
 	err = m.rConn.Flush()
 	return table, err
 }
--- a/client/firewall/nftables/manager_linux_test.go
+++ b/client/firewall/nftables/manager_linux_test.go
@@ -385,134 +385,10 @@ func TestNftablesManagerCompatibilityWithIptables(t *testing.T) {
 	err = manager.AddNatRule(pair)
 	require.NoError(t, err, "failed to add NAT rule")

-	dnatRule, err := manager.AddDNATRule(fw.ForwardRule{
-		Protocol:          fw.ProtocolTCP,
-		DestinationPort:   fw.Port{Values: []uint16{8080}},
-		TranslatedAddress: netip.MustParseAddr("100.96.0.2"),
-		TranslatedPort:    fw.Port{Values: []uint16{80}},
-	})
-	require.NoError(t, err, "failed to add DNAT rule")
-
-	t.Cleanup(func() {
-		require.NoError(t, manager.DeleteDNATRule(dnatRule), "failed to delete DNAT rule")
-	})
-
 	stdout, stderr = runIptablesSave(t)
 	verifyIptablesOutput(t, stdout, stderr)
 }

-func TestNftablesManagerIPv6CompatibilityWithIp6tables(t *testing.T) {
-	if check() != NFTABLES {
-		t.Skip("nftables not supported on this system")
-	}
-
-	for _, bin := range []string{"ip6tables", "ip6tables-save", "iptables-save"} {
-		if _, err := exec.LookPath(bin); err != nil {
-			t.Skipf("%s not available on this system: %v", bin, err)
-		}
-	}
-
-	// Seed ip6 tables in the nft backend. Docker may not create them.
-	seedIp6tables(t)
-
-	ifaceMockV6 := &iFaceMock{
-		NameFunc: func() string { return "wt-test" },
-		AddressFunc: func() wgaddr.Address {
-			return wgaddr.Address{
-				IP:      netip.MustParseAddr("100.96.0.1"),
-				Network: netip.MustParsePrefix("100.96.0.0/16"),
-				IPv6:    netip.MustParseAddr("fd00::1"),
-				IPv6Net: netip.MustParsePrefix("fd00::/64"),
-			}
-		},
-	}
-
-	manager, err := Create(ifaceMockV6, iface.DefaultMTU)
-	require.NoError(t, err, "create manager")
-	require.NoError(t, manager.Init(nil))
-
-	t.Cleanup(func() {
-		require.NoError(t, manager.Close(nil), "close manager")
-
-		stdout, stderr := runIp6tablesSave(t)
-		verifyIp6tablesOutput(t, stdout, stderr)
-	})
-
-	ip := netip.MustParseAddr("fd00::2")
-	_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
-	require.NoError(t, err, "add v6 peer filtering rule")
-
-	_, err = manager.AddRouteFiltering(
-		nil,
-		[]netip.Prefix{netip.MustParsePrefix("fd00:1::/64")},
-		fw.Network{Prefix: netip.MustParsePrefix("2001:db8::/48")},
-		fw.ProtocolTCP,
-		nil,
-		&fw.Port{Values: []uint16{443}},
-		fw.ActionAccept,
-	)
-	require.NoError(t, err, "add v6 route filtering rule")
-
-	err = manager.AddNatRule(fw.RouterPair{
-		Source:      fw.Network{Prefix: netip.MustParsePrefix("fd00::/64")},
-		Destination: fw.Network{Prefix: netip.MustParsePrefix("2001:db8::/48")},
-		Masquerade:  true,
-	})
-	require.NoError(t, err, "add v6 NAT rule")
-
-	dnatRule, err := manager.AddDNATRule(fw.ForwardRule{
-		Protocol:          fw.ProtocolTCP,
-		DestinationPort:   fw.Port{Values: []uint16{8080}},
-		TranslatedAddress: netip.MustParseAddr("fd00::2"),
-		TranslatedPort:    fw.Port{Values: []uint16{80}},
-	})
-	require.NoError(t, err, "add v6 DNAT rule")
-
-	t.Cleanup(func() {
-		require.NoError(t, manager.DeleteDNATRule(dnatRule), "delete v6 DNAT rule")
-	})
-
-	stdout, stderr := runIptablesSave(t)
-	verifyIptablesOutput(t, stdout, stderr)
-
-	stdout, stderr = runIp6tablesSave(t)
-	verifyIp6tablesOutput(t, stdout, stderr)
-}
-
-func seedIp6tables(t *testing.T) {
-	t.Helper()
-	for _, tc := range []struct{ table, chain string }{
-		{"filter", "FORWARD"},
-		{"nat", "POSTROUTING"},
-		{"mangle", "FORWARD"},
-	} {
-		add := exec.Command("ip6tables", "-t", tc.table, "-A", tc.chain, "-j", "ACCEPT")
-		require.NoError(t, add.Run(), "seed ip6tables -t %s", tc.table)
-		del := exec.Command("ip6tables", "-t", tc.table, "-D", tc.chain, "-j", "ACCEPT")
-		require.NoError(t, del.Run(), "unseed ip6tables -t %s", tc.table)
-	}
-}
-
-func runIp6tablesSave(t *testing.T) (string, string) {
-	t.Helper()
-	var stdout, stderr bytes.Buffer
-	cmd := exec.Command("ip6tables-save")
-	cmd.Stdout = &stdout
-	cmd.Stderr = &stderr
-	require.NoError(t, cmd.Run(), "ip6tables-save failed")
-	return stdout.String(), stderr.String()
-}
-
-func verifyIp6tablesOutput(t *testing.T, stdout, stderr string) {
-	t.Helper()
-	require.NotContains(t, stdout, "Table `nat' is incompatible",
-		"ip6tables-save: nat table incompatible. Full output: %s", stdout)
-	require.NotContains(t, stdout, "Table `mangle' is incompatible",
-		"ip6tables-save: mangle table incompatible. Full output: %s", stdout)
-	require.NotContains(t, stdout, "Table `filter' is incompatible",
-		"ip6tables-save: filter table incompatible. Full output: %s", stdout)
-}
-
 func TestNftablesManagerCompatibilityWithIptablesFor6kPrefixes(t *testing.T) {
 	if check() != NFTABLES {
 		t.Skip("nftables not supported on this system")
--- a/client/firewall/nftables/router_linux.go
+++ b/client/firewall/nftables/router_linux.go
@@ -36,7 +36,6 @@ const (
 	chainNameRoutingFw     = "netbird-rt-fwd"
 	chainNameRoutingNat    = "netbird-rt-postrouting"
 	chainNameRoutingRdr    = "netbird-rt-redirect"
-	chainNameNATOutput     = "netbird-nat-output"
 	chainNameForward       = "FORWARD"
 	chainNameMangleForward = "netbird-mangle-forward"

@@ -47,10 +46,8 @@ const (
 	dnatSuffix = "_dnat"
 	snatSuffix = "_snat"

-	// ipv4TCPHeaderSize is the minimum IPv4 (20) + TCP (20) header size for MSS calculation.
-	ipv4TCPHeaderSize = 40
-	// ipv6TCPHeaderSize is the minimum IPv6 (40) + TCP (20) header size for MSS calculation.
-	ipv6TCPHeaderSize = 60
+	// ipTCPHeaderMinSize represents minimum IP (20) + TCP (20) header size for MSS calculation
+	ipTCPHeaderMinSize = 40

 	// maxPrefixesSet 1638 prefixes start to fail, taking some margin
 	maxPrefixesSet       = 1500
@@ -75,7 +72,6 @@ type router struct {
 	rules        map[string]*nftables.Rule
 	ipsetCounter *refcounter.Counter[string, setInput, *nftables.Set]

-	af               addrFamily
 	wgIface          iFaceMapper
 	ipFwdState       *ipfwdstate.IPForwardingState
 	legacyManagement bool
@@ -88,7 +84,6 @@ func newRouter(workTable *nftables.Table, wgIface iFaceMapper, mtu uint16) (*rou
 		workTable:  workTable,
 		chains:     make(map[string]*nftables.Chain),
 		rules:      make(map[string]*nftables.Rule),
-		af:         familyForAddr(workTable.Family == nftables.TableFamilyIPv4),
 		wgIface:    wgIface,
 		ipFwdState: ipfwdstate.NewIPForwardingState(),
 		mtu:        mtu,
@@ -147,7 +142,7 @@ func (r *router) Reset() error {
 func (r *router) removeNatPreroutingRules() error {
 	table := &nftables.Table{
 		Name:   tableNat,
-		Family: r.af.tableFamily,
+		Family: nftables.TableFamilyIPv4,
 	}
 	chain := &nftables.Chain{
 		Name:     chainNameNatPrerouting,
@@ -180,7 +175,7 @@ func (r *router) removeNatPreroutingRules() error {
 }

 func (r *router) loadFilterTable() (*nftables.Table, error) {
-	tables, err := r.conn.ListTablesOfFamily(r.af.tableFamily)
+	tables, err := r.conn.ListTablesOfFamily(nftables.TableFamilyIPv4)
 	if err != nil {
 		return nil, fmt.Errorf("list tables: %w", err)
 	}
@@ -412,7 +407,7 @@ func (r *router) AddRouteFiltering(

 	// Handle protocol
 	if proto != firewall.ProtocolALL {
-		protoNum, err := r.af.protoNum(proto)
+		protoNum, err := protoToInt(proto)
 		if err != nil {
 			return nil, fmt.Errorf("convert protocol to number: %w", err)
 		}
@@ -472,24 +467,7 @@ func (r *router) getIpSet(set firewall.Set, prefixes []netip.Prefix, isSource bo
 		return nil, fmt.Errorf("create or get ipset: %w", err)
 	}

-	return r.getIpSetExprs(ref, isSource)
-}
-
-func (r *router) iptablesProto() iptables.Protocol {
-	if r.af.tableFamily == nftables.TableFamilyIPv6 {
-		return iptables.ProtocolIPv6
-	}
-	return iptables.ProtocolIPv4
-}
-
-func (r *router) hasRule(id string) bool {
-	_, ok := r.rules[id]
-	return ok
-}
-
-func (r *router) hasDNATRule(id string) bool {
-	_, ok := r.rules[id+dnatSuffix]
-	return ok
+	return getIpSetExprs(ref, isSource)
 }

 func (r *router) DeleteRouteRule(rule firewall.Rule) error {
@@ -505,12 +483,7 @@ func (r *router) DeleteRouteRule(rule firewall.Rule) error {
 	}

 	if nftRule.Handle == 0 {
-		log.Warnf("route rule %s has no handle, removing stale entry", ruleKey)
-		if err := r.decrementSetCounter(nftRule); err != nil {
-			log.Warnf("decrement set counter for stale rule %s: %v", ruleKey, err)
-		}
-		delete(r.rules, ruleKey)
-		return nil
+		return fmt.Errorf("route rule %s has no handle", ruleKey)
 	}

 	if err := r.deleteNftRule(nftRule, ruleKey); err != nil {
@@ -538,10 +511,10 @@ func (r *router) createIpSet(setName string, input setInput) (*nftables.Set, err
 		Table:   r.workTable,
 		// required for prefixes
 		Interval: true,
-		KeyType:  r.af.setKeyType,
+		KeyType:  nftables.TypeIPAddr,
 	}

-	elements := r.convertPrefixesToSet(prefixes)
+	elements := convertPrefixesToSet(prefixes)
 	nElements := len(elements)

 	maxElements := maxPrefixesSet * 2
@@ -574,17 +547,23 @@ func (r *router) createIpSet(setName string, input setInput) (*nftables.Set, err
 	return nfset, nil
 }

-func (r *router) convertPrefixesToSet(prefixes []netip.Prefix) []nftables.SetElement {
+func convertPrefixesToSet(prefixes []netip.Prefix) []nftables.SetElement {
 	var elements []nftables.SetElement
 	for _, prefix := range prefixes {
+		// TODO: Implement IPv6 support
+		if prefix.Addr().Is6() {
+			log.Tracef("skipping IPv6 prefix %s: IPv6 support not yet implemented", prefix)
+			continue
+		}
+
 		// nftables needs half-open intervals [firstIP, lastIP) for prefixes
 		// e.g. 10.0.0.0/24 becomes [10.0.0.0, 10.0.1.0), 10.1.1.1/32 becomes [10.1.1.1, 10.1.1.2) etc
 		firstIP := prefix.Addr()
 		lastIP := calculateLastIP(prefix).Next()

 		elements = append(elements,
-			// the nft tool also adds a zero-address IntervalEnd element, see https://github.com/google/nftables/issues/247
-			// nftables.SetElement{Key: make([]byte, r.af.addrLen), IntervalEnd: true},
+			// the nft tool also adds a line like this, see https://github.com/google/nftables/issues/247
+			// nftables.SetElement{Key: []byte{0, 0, 0, 0}, IntervalEnd: true},
 			nftables.SetElement{Key: firstIP.AsSlice()},
 			nftables.SetElement{Key: lastIP.AsSlice(), IntervalEnd: true},
 		)
@@ -594,20 +573,10 @@ func (r *router) convertPrefixesToSet(prefixes []netip.Prefix) []nftables.SetEle

 // calculateLastIP determines the last IP in a given prefix.
 func calculateLastIP(prefix netip.Prefix) netip.Addr {
-	masked := prefix.Masked()
-	if masked.Addr().Is4() {
-		hostMask := ^uint32(0) >> masked.Bits()
-		lastIP := uint32FromNetipAddr(masked.Addr()) | hostMask
-		return netip.AddrFrom4(uint32ToBytes(lastIP))
-	}
+	hostMask := ^uint32(0) >> prefix.Masked().Bits()
+	lastIP := uint32FromNetipAddr(prefix.Addr()) | hostMask

-	// IPv6: set host bits to all 1s
-	b := masked.Addr().As16()
-	bits := masked.Bits()
-	for i := bits; i < 128; i++ {
-		b[i/8] |= 1 << (7 - i%8)
-	}
-	return netip.AddrFrom16(b)
+	return netip.AddrFrom4(uint32ToBytes(lastIP))
 }

 // Utility function to convert netip.Addr to uint32.
@@ -691,32 +660,13 @@ func (r *router) AddNatRule(pair firewall.RouterPair) error {
 	}

 	if err := r.conn.Flush(); err != nil {
-		r.rollbackRules(pair)
-		return fmt.Errorf("insert rules for %s: %w", pair.Destination, err)
+		// TODO: rollback ipset counter
+		return fmt.Errorf("insert rules for %s: %v", pair.Destination, err)
 	}

 	return nil
 }

-// rollbackRules cleans up unflushed rules and their set counters after a flush failure.
-func (r *router) rollbackRules(pair firewall.RouterPair) {
-	keys := []string{
-		firewall.GenKey(firewall.ForwardingFormat, pair),
-		firewall.GenKey(firewall.PreroutingFormat, pair),
-		firewall.GenKey(firewall.PreroutingFormat, firewall.GetInversePair(pair)),
-	}
-	for _, key := range keys {
-		rule, ok := r.rules[key]
-		if !ok {
-			continue
-		}
-		if err := r.decrementSetCounter(rule); err != nil {
-			log.Warnf("rollback set counter for %s: %v", key, err)
-		}
-		delete(r.rules, key)
-	}
-}
-
 // addNatRule inserts a nftables rule to the conn client flush queue
 func (r *router) addNatRule(pair firewall.RouterPair) error {
 	sourceExp, err := r.applyNetwork(pair.Source, nil, true)
@@ -859,12 +809,9 @@ func (r *router) addPostroutingRules() {
 }

 // addMSSClampingRules adds MSS clamping rules to prevent fragmentation for forwarded traffic.
+// TODO: Add IPv6 support
 func (r *router) addMSSClampingRules() error {
-	overhead := uint16(ipv4TCPHeaderSize)
-	if r.af.tableFamily == nftables.TableFamilyIPv6 {
-		overhead = ipv6TCPHeaderSize
-	}
-	mss := r.mtu - overhead
+	mss := r.mtu - ipTCPHeaderMinSize

 	exprsOut := []expr.Any{
 		&expr.Meta{
@@ -981,30 +928,18 @@ func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
 func (r *router) removeLegacyRouteRule(pair firewall.RouterPair) error {
 	ruleKey := firewall.GenKey(firewall.ForwardingFormat, pair)

-	rule, exists := r.rules[ruleKey]
-	if !exists {
-		return nil
-	}
-
-	if rule.Handle == 0 {
-		log.Warnf("legacy forwarding rule %s has no handle, removing stale entry", ruleKey)
-		if err := r.decrementSetCounter(rule); err != nil {
-			log.Warnf("decrement set counter for stale rule %s: %v", ruleKey, err)
+	if rule, exists := r.rules[ruleKey]; exists {
+		if err := r.conn.DelRule(rule); err != nil {
+			return fmt.Errorf("remove legacy forwarding rule %s -> %s: %v", pair.Source, pair.Destination, err)
 		}
+
+		log.Debugf("removed legacy forwarding rule %s -> %s", pair.Source, pair.Destination)
+
 		delete(r.rules, ruleKey)
-		return nil
-	}

-	if err := r.conn.DelRule(rule); err != nil {
-		return fmt.Errorf("remove legacy forwarding rule %s -> %s: %w", pair.Source, pair.Destination, err)
-	}
-
-	log.Debugf("removed legacy forwarding rule %s -> %s", pair.Source, pair.Destination)
-
-	delete(r.rules, ruleKey)
-
-	if err := r.decrementSetCounter(rule); err != nil {
-		return fmt.Errorf("decrement set counter: %w", err)
+		if err := r.decrementSetCounter(rule); err != nil {
+			return fmt.Errorf("decrement set counter: %w", err)
+		}
 	}

 	return nil
@@ -1071,22 +1006,17 @@ func (r *router) acceptFilterTableRules() error {
 		log.Debugf("Used %s to add accept forward and input rules", fw)
 	}()

-	// Try iptables first and fallback to nftables if iptables is not available.
-	// Use the correct protocol (iptables vs ip6tables) for the address family.
-	ipt, err := iptables.NewWithProtocol(r.iptablesProto())
+	// Try iptables first and fallback to nftables if iptables is not available
+	ipt, err := iptables.New()
 	if err != nil {
+		// iptables is not available but the filter table exists
 		log.Warnf("Will use nftables to manipulate the filter table because iptables is not available: %v", err)

 		fw = "nftables"
 		return r.acceptFilterRulesNftables(r.filterTable)
 	}

-	if err := r.acceptFilterRulesIptables(ipt); err != nil {
-		log.Warnf("iptables failed (table may be incompatible), falling back to nftables: %v", err)
-		fw = "nftables"
-		return r.acceptFilterRulesNftables(r.filterTable)
-	}
-	return nil
+	return r.acceptFilterRulesIptables(ipt)
 }

 func (r *router) acceptFilterRulesIptables(ipt *iptables.IPTables) error {
@@ -1255,17 +1185,13 @@ func (r *router) removeFilterTableRules() error {
 		return nil
 	}

-	ipt, err := iptables.NewWithProtocol(r.iptablesProto())
+	ipt, err := iptables.New()
 	if err != nil {
 		log.Debugf("iptables not available, using nftables to remove filter rules: %v", err)
 		return r.removeAcceptRulesFromTable(r.filterTable)
 	}

-	if err := r.removeAcceptFilterRulesIptables(ipt); err != nil {
-		log.Debugf("iptables removal failed (table may be incompatible), falling back to nftables: %v", err)
-		return r.removeAcceptRulesFromTable(r.filterTable)
-	}
-	return nil
+	return r.removeAcceptFilterRulesIptables(ipt)
 }

 func (r *router) removeAcceptRulesFromTable(table *nftables.Table) error {
@@ -1332,7 +1258,7 @@ func (r *router) removeExternalChainsRules() error {
 func (r *router) findExternalChains() []*nftables.Chain {
 	var chains []*nftables.Chain

-	families := []nftables.TableFamily{r.af.tableFamily, nftables.TableFamilyINet}
+	families := []nftables.TableFamily{nftables.TableFamilyIPv4, nftables.TableFamilyINet}

 	for _, family := range families {
 		allChains, err := r.conn.ListChainsOfTableFamily(family)
@@ -1356,8 +1282,8 @@ func (r *router) isExternalChain(chain *nftables.Chain) bool {
 		return false
 	}

-	// Skip iptables/ip6tables-managed tables (adding nft-native rules breaks iptables-save compat)
-	if (chain.Table.Family == nftables.TableFamilyIPv4 || chain.Table.Family == nftables.TableFamilyIPv6) && isIptablesTable(chain.Table.Name) {
+	// Skip all iptables-managed tables in the ip family
+	if chain.Table.Family == nftables.TableFamilyIPv4 && isIptablesTable(chain.Table.Name) {
 		return false
 	}

@@ -1403,89 +1329,65 @@ func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}

-	var merr *multierror.Error
-
 	if pair.Masquerade {
 		if err := r.removeNatRule(pair); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("remove prerouting rule: %w", err))
+			return fmt.Errorf("remove prerouting rule: %w", err)
 		}

 		if err := r.removeNatRule(firewall.GetInversePair(pair)); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("remove inverse prerouting rule: %w", err))
+			return fmt.Errorf("remove inverse prerouting rule: %w", err)
 		}
 	}

 	if err := r.removeLegacyRouteRule(pair); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("remove legacy routing rule: %w", err))
+		return fmt.Errorf("remove legacy routing rule: %w", err)
 	}

-	// Set counters are decremented in the sub-methods above before flush. If flush fails,
-	// counters will be off until the next successful removal or refresh cycle.
 	if err := r.conn.Flush(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("flush remove nat rules %s: %w", pair.Destination, err))
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *router) removeNatRule(pair firewall.RouterPair) error {
-	ruleKey := firewall.GenKey(firewall.PreroutingFormat, pair)
-
-	rule, exists := r.rules[ruleKey]
-	if !exists {
-		log.Debugf("prerouting rule %s not found", ruleKey)
-		return nil
-	}
-
-	if rule.Handle == 0 {
-		log.Warnf("prerouting rule %s has no handle, removing stale entry", ruleKey)
-		if err := r.decrementSetCounter(rule); err != nil {
-			log.Warnf("decrement set counter for stale rule %s: %v", ruleKey, err)
-		}
-		delete(r.rules, ruleKey)
-		return nil
-	}
-
-	if err := r.conn.DelRule(rule); err != nil {
-		return fmt.Errorf("remove prerouting rule %s -> %s: %w", pair.Source, pair.Destination, err)
-	}
-
-	log.Debugf("removed prerouting rule %s -> %s", pair.Source, pair.Destination)
-
-	delete(r.rules, ruleKey)
-
-	if err := r.decrementSetCounter(rule); err != nil {
-		return fmt.Errorf("decrement set counter: %w", err)
+		// TODO: rollback set counter
+		return fmt.Errorf("remove nat rules rule %s: %v", pair.Destination, err)
 	}

 	return nil
 }

-// refreshRulesMap rebuilds the rule map from the kernel. This removes stale entries
-// (e.g. from failed flushes) and updates handles for all existing rules.
+func (r *router) removeNatRule(pair firewall.RouterPair) error {
+	ruleKey := firewall.GenKey(firewall.PreroutingFormat, pair)
+
+	if rule, exists := r.rules[ruleKey]; exists {
+		if err := r.conn.DelRule(rule); err != nil {
+			return fmt.Errorf("remove prerouting rule %s -> %s: %v", pair.Source, pair.Destination, err)
+		}
+
+		log.Debugf("removed prerouting rule %s -> %s", pair.Source, pair.Destination)
+
+		delete(r.rules, ruleKey)
+
+		if err := r.decrementSetCounter(rule); err != nil {
+			return fmt.Errorf("decrement set counter: %w", err)
+		}
+	} else {
+		log.Debugf("prerouting rule %s not found", ruleKey)
+	}
+
+	return nil
+}
+
+// refreshRulesMap refreshes the rule map with the latest rules. this is useful to avoid
+// duplicates and to get missing attributes that we don't have when adding new rules
 func (r *router) refreshRulesMap() error {
-	var merr *multierror.Error
-	newRules := make(map[string]*nftables.Rule)
 	for _, chain := range r.chains {
 		rules, err := r.conn.GetRules(chain.Table, chain)
 		if err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("list rules for chain %s: %w", chain.Name, err))
-			// preserve existing entries for this chain since we can't verify their state
-			for k, v := range r.rules {
-				if v.Chain != nil && v.Chain.Name == chain.Name {
-					newRules[k] = v
-				}
-			}
-			continue
+			return fmt.Errorf("list rules: %w", err)
 		}
 		for _, rule := range rules {
 			if len(rule.UserData) > 0 {
-				newRules[string(rule.UserData)] = rule
+				r.rules[string(rule.UserData)] = rule
 			}
 		}
 	}
-	r.rules = newRules
-	return nberrors.FormatErrorOrNil(merr)
+	return nil
 }

 func (r *router) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
@@ -1498,7 +1400,7 @@ func (r *router) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
 		return rule, nil
 	}

-	protoNum, err := r.af.protoNum(rule.Protocol)
+	protoNum, err := protoToInt(rule.Protocol)
 	if err != nil {
 		return nil, fmt.Errorf("convert protocol to number: %w", err)
 	}
@@ -1561,7 +1463,7 @@ func (r *router) addDnatRedirect(rule firewall.ForwardRule, protoNum uint8, rule
 	dnatExprs = append(dnatExprs,
 		&expr.NAT{
 			Type:        expr.NATTypeDestNAT,
-			Family:      uint32(r.af.tableFamily),
+			Family:      uint32(nftables.TableFamilyIPv4),
 			RegAddrMin:  1,
 			RegProtoMin: regProtoMin,
 			RegProtoMax: regProtoMax,
@@ -1657,7 +1559,7 @@ func (r *router) addXTablesRedirect(dnatExprs []expr.Any, ruleKey string, rule f
 	dnatRule := &nftables.Rule{
 		Table: &nftables.Table{
 			Name:   tableNat,
-			Family: r.af.tableFamily,
+			Family: nftables.TableFamilyIPv4,
 		},
 		Chain: &nftables.Chain{
 			Name:     chainNameNatPrerouting,
@@ -1692,8 +1594,8 @@ func (r *router) addDnatMasq(rule firewall.ForwardRule, protoNum uint8, ruleKey
 		&expr.Payload{
 			DestRegister: 1,
 			Base:         expr.PayloadBaseNetworkHeader,
-			Offset:       r.af.dstAddrOffset,
-			Len:          r.af.addrLen,
+			Offset:       16,
+			Len:          4,
 		},
 		&expr.Cmp{
 			Op:       expr.CmpOpEq,
@@ -1727,34 +1629,20 @@ func (r *router) DeleteDNATRule(rule firewall.Rule) error {
 	}

 	var merr *multierror.Error
-	var needsFlush bool
-
 	if dnatRule, exists := r.rules[ruleKey+dnatSuffix]; exists {
-		if dnatRule.Handle == 0 {
-			log.Warnf("dnat rule %s has no handle, removing stale entry", ruleKey+dnatSuffix)
-			delete(r.rules, ruleKey+dnatSuffix)
-		} else if err := r.conn.DelRule(dnatRule); err != nil {
+		if err := r.conn.DelRule(dnatRule); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("delete dnat rule: %w", err))
-		} else {
-			needsFlush = true
 		}
 	}

 	if masqRule, exists := r.rules[ruleKey+snatSuffix]; exists {
-		if masqRule.Handle == 0 {
-			log.Warnf("snat rule %s has no handle, removing stale entry", ruleKey+snatSuffix)
-			delete(r.rules, ruleKey+snatSuffix)
-		} else if err := r.conn.DelRule(masqRule); err != nil {
+		if err := r.conn.DelRule(masqRule); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("delete snat rule: %w", err))
-		} else {
-			needsFlush = true
 		}
 	}

-	if needsFlush {
-		if err := r.conn.Flush(); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf(flushError, err))
-		}
+	if err := r.conn.Flush(); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf(flushError, err))
 	}

 	if merr == nil {
@@ -1771,7 +1659,7 @@ func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 		return fmt.Errorf("get set %s: %w", set.HashedName(), err)
 	}

-	elements := r.convertPrefixesToSet(prefixes)
+	elements := convertPrefixesToSet(prefixes)
 	if err := r.conn.SetAddElements(nfset, elements); err != nil {
 		return fmt.Errorf("add elements to set %s: %w", set.HashedName(), err)
 	}
@@ -1793,7 +1681,7 @@ func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol
 		return nil
 	}

-	protoNum, err := r.af.protoNum(protocol)
+	protoNum, err := protoToInt(protocol)
 	if err != nil {
 		return fmt.Errorf("convert protocol to number: %w", err)
 	}
@@ -1824,11 +1712,7 @@ func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol
 		},
 	}

-	bits := 32
-	if localAddr.Is6() {
-		bits = 128
-	}
-	exprs = append(exprs, r.applyPrefix(netip.PrefixFrom(localAddr, bits), false)...)
+	exprs = append(exprs, applyPrefix(netip.PrefixFrom(localAddr, 32), false)...)

 	exprs = append(exprs,
 		&expr.Immediate{
@@ -1841,7 +1725,7 @@ func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol
 		},
 		&expr.NAT{
 			Type:        expr.NATTypeDestNAT,
-			Family:      uint32(r.af.tableFamily),
+			Family:      uint32(nftables.TableFamilyIPv4),
 			RegAddrMin:  1,
 			RegProtoMin: 2,
 			RegProtoMax: 0,
@@ -1873,153 +1757,16 @@ func (r *router) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Proto

 	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)

-	rule, exists := r.rules[ruleID]
-	if !exists {
-		return nil
-	}
-
-	if rule.Handle == 0 {
-		log.Warnf("inbound DNAT rule %s has no handle, removing stale entry", ruleID)
+	if rule, exists := r.rules[ruleID]; exists {
+		if err := r.conn.DelRule(rule); err != nil {
+			return fmt.Errorf("delete inbound DNAT rule %s: %w", ruleID, err)
+		}
+		if err := r.conn.Flush(); err != nil {
+			return fmt.Errorf("flush delete inbound DNAT rule: %w", err)
+		}
 		delete(r.rules, ruleID)
-		return nil
 	}

-	if err := r.conn.DelRule(rule); err != nil {
-		return fmt.Errorf("delete inbound DNAT rule %s: %w", ruleID, err)
-	}
-	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf("flush delete inbound DNAT rule: %w", err)
-	}
-	delete(r.rules, ruleID)
-
-	return nil
-}
-
-// ensureNATOutputChain lazily creates the OUTPUT NAT chain on first use.
-func (r *router) ensureNATOutputChain() error {
-	if _, exists := r.chains[chainNameNATOutput]; exists {
-		return nil
-	}
-
-	r.chains[chainNameNATOutput] = r.conn.AddChain(&nftables.Chain{
-		Name:     chainNameNATOutput,
-		Table:    r.workTable,
-		Hooknum:  nftables.ChainHookOutput,
-		Priority: nftables.ChainPriorityNATDest,
-		Type:     nftables.ChainTypeNAT,
-	})
-
-	if err := r.conn.Flush(); err != nil {
-		delete(r.chains, chainNameNATOutput)
-		return fmt.Errorf("create NAT output chain: %w", err)
-	}
-	return nil
-}
-
-// AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
-func (r *router) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	ruleID := fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
-
-	if _, exists := r.rules[ruleID]; exists {
-		return nil
-	}
-
-	if err := r.ensureNATOutputChain(); err != nil {
-		return err
-	}
-
-	protoNum, err := r.af.protoNum(protocol)
-	if err != nil {
-		return fmt.Errorf("convert protocol to number: %w", err)
-	}
-
-	exprs := []expr.Any{
-		&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     []byte{protoNum},
-		},
-		&expr.Payload{
-			DestRegister: 2,
-			Base:         expr.PayloadBaseTransportHeader,
-			Offset:       2,
-			Len:          2,
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 2,
-			Data:     binaryutil.BigEndian.PutUint16(sourcePort),
-		},
-	}
-
-	bits := 32
-	if localAddr.Is6() {
-		bits = 128
-	}
-	exprs = append(exprs, r.applyPrefix(netip.PrefixFrom(localAddr, bits), false)...)
-
-	exprs = append(exprs,
-		&expr.Immediate{
-			Register: 1,
-			Data:     localAddr.AsSlice(),
-		},
-		&expr.Immediate{
-			Register: 2,
-			Data:     binaryutil.BigEndian.PutUint16(targetPort),
-		},
-		&expr.NAT{
-			Type:        expr.NATTypeDestNAT,
-			Family:      uint32(r.af.tableFamily),
-			RegAddrMin:  1,
-			RegProtoMin: 2,
-		},
-	)
-
-	dnatRule := &nftables.Rule{
-		Table:    r.workTable,
-		Chain:    r.chains[chainNameNATOutput],
-		Exprs:    exprs,
-		UserData: []byte(ruleID),
-	}
-	r.conn.AddRule(dnatRule)
-
-	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf("add output DNAT rule: %w", err)
-	}
-
-	r.rules[ruleID] = dnatRule
-
-	return nil
-}
-
-// RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
-func (r *router) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	if err := r.refreshRulesMap(); err != nil {
-		return fmt.Errorf(refreshRulesMapError, err)
-	}
-
-	ruleID := fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
-
-	rule, exists := r.rules[ruleID]
-	if !exists {
-		return nil
-	}
-
-	if rule.Handle == 0 {
-		log.Warnf("output DNAT rule %s has no handle, removing stale entry", ruleID)
-		delete(r.rules, ruleID)
-		return nil
-	}
-
-	if err := r.conn.DelRule(rule); err != nil {
-		return fmt.Errorf("delete output DNAT rule %s: %w", ruleID, err)
-	}
-	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf("flush delete output DNAT rule: %w", err)
-	}
-	delete(r.rules, ruleID)
-
 	return nil
 }

@@ -2038,44 +1785,45 @@ func (r *router) applyNetwork(
 	}

 	if network.IsPrefix() {
-		return r.applyPrefix(network.Prefix, isSource), nil
+		return applyPrefix(network.Prefix, isSource), nil
 	}

 	return nil, nil
 }

 // applyPrefix generates nftables expressions for a CIDR prefix
-func (r *router) applyPrefix(prefix netip.Prefix, isSource bool) []expr.Any {
-	// dst offset by default
-	offset := r.af.dstAddrOffset
+func applyPrefix(prefix netip.Prefix, isSource bool) []expr.Any {
+	// dst offset
+	offset := uint32(16)
 	if isSource {
 		// src offset
-		offset = r.af.srcAddrOffset
+		offset = 12
 	}

 	ones := prefix.Bits()
-	// unspecified address (/0) doesn't need extra expressions
+	// 0.0.0.0/0 doesn't need extra expressions
 	if ones == 0 {
 		return nil
 	}

-	mask := net.CIDRMask(ones, r.af.totalBits)
-	xor := make([]byte, r.af.addrLen)
+	mask := net.CIDRMask(ones, 32)

 	return []expr.Any{
 		&expr.Payload{
 			DestRegister: 1,
 			Base:         expr.PayloadBaseNetworkHeader,
 			Offset:       offset,
-			Len:          r.af.addrLen,
+			Len:          4,
 		},
+		// netmask
 		&expr.Bitwise{
 			DestRegister:   1,
 			SourceRegister: 1,
-			Len:            r.af.addrLen,
+			Len:            4,
 			Mask:           mask,
-			Xor:            xor,
+			Xor:            []byte{0, 0, 0, 0},
 		},
+		// net address
 		&expr.Cmp{
 			Op:       expr.CmpOpEq,
 			Register: 1,
@@ -2158,12 +1906,13 @@ func getCtNewExprs() []expr.Any {
 	}
 }

-func (r *router) getIpSetExprs(ref refcounter.Ref[*nftables.Set], isSource bool) ([]expr.Any, error) {
-	// dst offset by default
-	offset := r.af.dstAddrOffset
+func getIpSetExprs(ref refcounter.Ref[*nftables.Set], isSource bool) ([]expr.Any, error) {
+
+	// dst offset
+	offset := uint32(16)
 	if isSource {
 		// src offset
-		offset = r.af.srcAddrOffset
+		offset = 12
 	}

 	return []expr.Any{
@@ -2171,7 +1920,7 @@ func (r *router) getIpSetExprs(ref refcounter.Ref[*nftables.Set], isSource bool)
 			DestRegister: 1,
 			Base:         expr.PayloadBaseNetworkHeader,
 			Offset:       offset,
-			Len:          r.af.addrLen,
+			Len:          4,
 		},
 		&expr.Lookup{
 			SourceRegister: 1,
--- a/client/firewall/nftables/router_linux_test.go
+++ b/client/firewall/nftables/router_linux_test.go
@@ -18,7 +18,6 @@ import (
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/test"
 	"github.com/netbirdio/netbird/client/iface"
-	"github.com/netbirdio/netbird/client/internal/acl/id"
 )

 const (
@@ -90,9 +89,8 @@ func TestNftablesManager_AddNatRule(t *testing.T) {
 				}

 				// Build CIDR matching expressions
-				testRouter := &router{af: afIPv4}
-				sourceExp := testRouter.applyPrefix(testCase.InputPair.Source.Prefix, true)
-				destExp := testRouter.applyPrefix(testCase.InputPair.Destination.Prefix, false)
+				sourceExp := applyPrefix(testCase.InputPair.Source.Prefix, true)
+				destExp := applyPrefix(testCase.InputPair.Destination.Prefix, false)

 				// Combine all expressions in the correct order
 				// nolint:gocritic
@@ -509,136 +507,6 @@ func TestNftablesCreateIpSet(t *testing.T) {
 	}
 }

-func TestNftablesCreateIpSet_IPv6(t *testing.T) {
-	if check() != NFTABLES {
-		t.Skip("nftables not supported on this system")
-	}
-
-	workTable, err := createWorkTableIPv6()
-	require.NoError(t, err, "Failed to create v6 work table")
-	defer deleteWorkTableIPv6()
-
-	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
-	require.NoError(t, err, "Failed to create router")
-	require.NoError(t, r.init(workTable))
-	defer func() {
-		require.NoError(t, r.Reset(), "Failed to reset router")
-	}()
-
-	tests := []struct {
-		name     string
-		sources  []netip.Prefix
-		expected []netip.Prefix
-	}{
-		{
-			name:    "Single IPv6",
-			sources: []netip.Prefix{netip.MustParsePrefix("2001:db8::1/128")},
-		},
-		{
-			name: "Multiple IPv6 Subnets",
-			sources: []netip.Prefix{
-				netip.MustParsePrefix("fd00::/64"),
-				netip.MustParsePrefix("2001:db8::/48"),
-				netip.MustParsePrefix("fe80::/10"),
-			},
-		},
-		{
-			name: "Overlapping IPv6",
-			sources: []netip.Prefix{
-				netip.MustParsePrefix("fd00::/48"),
-				netip.MustParsePrefix("fd00::/64"),
-				netip.MustParsePrefix("fd00::1/128"),
-			},
-			expected: []netip.Prefix{
-				netip.MustParsePrefix("fd00::/48"),
-			},
-		},
-		{
-			name: "Mixed prefix lengths",
-			sources: []netip.Prefix{
-				netip.MustParsePrefix("2001:db8:1::/48"),
-				netip.MustParsePrefix("2001:db8:2::1/128"),
-				netip.MustParsePrefix("fd00:abcd::/32"),
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			setName := firewall.NewPrefixSet(tt.sources).HashedName()
-			set, err := r.createIpSet(setName, setInput{prefixes: tt.sources})
-			require.NoError(t, err, "Failed to create IPv6 set")
-			require.NotNil(t, set)
-
-			assert.Equal(t, setName, set.Name)
-			assert.True(t, set.Interval)
-			assert.Equal(t, nftables.TypeIP6Addr, set.KeyType)
-
-			fetchedSet, err := r.conn.GetSetByName(r.workTable, setName)
-			require.NoError(t, err, "Failed to fetch created set")
-
-			elements, err := r.conn.GetSetElements(fetchedSet)
-			require.NoError(t, err, "Failed to get set elements")
-
-			uniquePrefixes := make(map[string]bool)
-			for _, elem := range elements {
-				if !elem.IntervalEnd && len(elem.Key) == 16 {
-					ip := netip.AddrFrom16([16]byte(elem.Key))
-					uniquePrefixes[ip.String()] = true
-				}
-			}
-
-			expectedCount := len(tt.expected)
-			if expectedCount == 0 {
-				expectedCount = len(tt.sources)
-			}
-			assert.Equal(t, expectedCount, len(uniquePrefixes), "unique prefix count mismatch")
-
-			r.conn.DelSet(set)
-			require.NoError(t, r.conn.Flush())
-		})
-	}
-}
-
-func createWorkTableIPv6() (*nftables.Table, error) {
-	sConn, err := nftables.New(nftables.AsLasting())
-	if err != nil {
-		return nil, err
-	}
-
-	tables, err := sConn.ListTablesOfFamily(nftables.TableFamilyIPv6)
-	if err != nil {
-		return nil, err
-	}
-	for _, t := range tables {
-		if t.Name == tableNameNetbird {
-			sConn.DelTable(t)
-		}
-	}
-
-	table := sConn.AddTable(&nftables.Table{Name: tableNameNetbird, Family: nftables.TableFamilyIPv6})
-	err = sConn.Flush()
-	return table, err
-}
-
-func deleteWorkTableIPv6() {
-	sConn, err := nftables.New(nftables.AsLasting())
-	if err != nil {
-		return
-	}
-
-	tables, err := sConn.ListTablesOfFamily(nftables.TableFamilyIPv6)
-	if err != nil {
-		return
-	}
-	for _, t := range tables {
-		if t.Name == tableNameNetbird {
-			sConn.DelTable(t)
-			_ = sConn.Flush()
-		}
-	}
-}
-
 func verifyRule(t *testing.T, rule *nftables.Rule, sources []netip.Prefix, destination netip.Prefix, proto firewall.Protocol, sPort, dPort *firewall.Port, direction firewall.RuleDirection, action firewall.Action, expectSet bool) {
 	t.Helper()

@@ -758,7 +626,7 @@ func containsPort(exprs []expr.Any, port *firewall.Port, isSource bool) bool {

 func containsProtocol(exprs []expr.Any, proto firewall.Protocol) bool {
 	var metaFound, cmpFound bool
-	expectedProto, _ := afIPv4.protoNum(proto)
+	expectedProto, _ := protoToInt(proto)
 	for _, e := range exprs {
 		switch ex := e.(type) {
 		case *expr.Meta:
@@ -851,189 +719,3 @@ func deleteWorkTable() {
 		}
 	}
 }
-
-func TestRouter_RefreshRulesMap_RemovesStaleEntries(t *testing.T) {
-	if check() != NFTABLES {
-		t.Skip("nftables not supported on this system")
-	}
-
-	workTable, err := createWorkTable()
-	require.NoError(t, err)
-	defer deleteWorkTable()
-
-	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
-	require.NoError(t, err)
-	require.NoError(t, r.init(workTable))
-	defer func() { require.NoError(t, r.Reset()) }()
-
-	// Add a real rule to the kernel
-	ruleKey, err := r.AddRouteFiltering(
-		nil,
-		[]netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")},
-		firewall.Network{Prefix: netip.MustParsePrefix("10.0.0.0/24")},
-		firewall.ProtocolTCP,
-		nil,
-		&firewall.Port{Values: []uint16{80}},
-		firewall.ActionAccept,
-	)
-	require.NoError(t, err)
-	t.Cleanup(func() {
-		require.NoError(t, r.DeleteRouteRule(ruleKey))
-	})
-
-	// Inject a stale entry with Handle=0 (simulates store-before-flush failure)
-	staleKey := "stale-rule-that-does-not-exist"
-	r.rules[staleKey] = &nftables.Rule{
-		Table:    r.workTable,
-		Chain:    r.chains[chainNameRoutingFw],
-		Handle:   0,
-		UserData: []byte(staleKey),
-	}
-
-	require.Contains(t, r.rules, staleKey, "stale entry should be in map before refresh")
-
-	err = r.refreshRulesMap()
-	require.NoError(t, err)
-
-	assert.NotContains(t, r.rules, staleKey, "stale entry should be removed after refresh")
-
-	realRule, ok := r.rules[ruleKey.ID()]
-	assert.True(t, ok, "real rule should still exist after refresh")
-	assert.NotZero(t, realRule.Handle, "real rule should have a valid handle")
-}
-
-func TestRouter_DeleteRouteRule_StaleHandle(t *testing.T) {
-	if check() != NFTABLES {
-		t.Skip("nftables not supported on this system")
-	}
-
-	workTable, err := createWorkTable()
-	require.NoError(t, err)
-	defer deleteWorkTable()
-
-	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
-	require.NoError(t, err)
-	require.NoError(t, r.init(workTable))
-	defer func() { require.NoError(t, r.Reset()) }()
-
-	// Inject a stale entry with Handle=0
-	staleKey := "stale-route-rule"
-	r.rules[staleKey] = &nftables.Rule{
-		Table:    r.workTable,
-		Chain:    r.chains[chainNameRoutingFw],
-		Handle:   0,
-		UserData: []byte(staleKey),
-	}
-
-	// DeleteRouteRule should not return an error for stale handles
-	err = r.DeleteRouteRule(id.RuleID(staleKey))
-	assert.NoError(t, err, "deleting a stale rule should not error")
-	assert.NotContains(t, r.rules, staleKey, "stale entry should be cleaned up")
-}
-
-func TestRouter_AddNatRule_WithStaleEntry(t *testing.T) {
-	if check() != NFTABLES {
-		t.Skip("nftables not supported on this system")
-	}
-
-	manager, err := Create(ifaceMock, iface.DefaultMTU)
-	require.NoError(t, err)
-	require.NoError(t, manager.Init(nil))
-	t.Cleanup(func() {
-		require.NoError(t, manager.Close(nil))
-	})
-
-	pair := firewall.RouterPair{
-		ID:          "staletest",
-		Source:      firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.1/32")},
-		Destination: firewall.Network{Prefix: netip.MustParsePrefix("100.100.200.0/24")},
-		Masquerade:  true,
-	}
-
-	rtr := manager.router
-
-	// First add succeeds
-	err = rtr.AddNatRule(pair)
-	require.NoError(t, err)
-	t.Cleanup(func() {
-		require.NoError(t, rtr.RemoveNatRule(pair))
-	})
-
-	// Corrupt the handle to simulate stale state
-	natRuleKey := firewall.GenKey(firewall.PreroutingFormat, pair)
-	if rule, exists := rtr.rules[natRuleKey]; exists {
-		rule.Handle = 0
-	}
-	inverseKey := firewall.GenKey(firewall.PreroutingFormat, firewall.GetInversePair(pair))
-	if rule, exists := rtr.rules[inverseKey]; exists {
-		rule.Handle = 0
-	}
-
-	// Adding the same rule again should succeed despite stale handles
-	err = rtr.AddNatRule(pair)
-	assert.NoError(t, err, "AddNatRule should succeed even with stale entries")
-
-	// Verify rules exist in kernel
-	rules, err := rtr.conn.GetRules(rtr.workTable, rtr.chains[chainNameManglePrerouting])
-	require.NoError(t, err)
-
-	found := 0
-	for _, rule := range rules {
-		if len(rule.UserData) > 0 && string(rule.UserData) == natRuleKey {
-			found++
-		}
-	}
-	assert.Equal(t, 1, found, "NAT rule should exist in kernel")
-}
-
-func TestCalculateLastIP(t *testing.T) {
-	tests := []struct {
-		prefix string
-		want   string
-	}{
-		{"10.0.0.0/24", "10.0.0.255"},
-		{"10.0.0.0/32", "10.0.0.0"},
-		{"0.0.0.0/0", "255.255.255.255"},
-		{"192.168.1.0/28", "192.168.1.15"},
-		{"fd00::/64", "fd00::ffff:ffff:ffff:ffff"},
-		{"fd00::/128", "fd00::"},
-		{"2001:db8::/48", "2001:db8:0:ffff:ffff:ffff:ffff:ffff"},
-		{"::/0", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"},
-	}
-	for _, tt := range tests {
-		t.Run(tt.prefix, func(t *testing.T) {
-			prefix := netip.MustParsePrefix(tt.prefix)
-			got := calculateLastIP(prefix)
-			assert.Equal(t, tt.want, got.String())
-		})
-	}
-}
-
-func TestConvertPrefixesToSet_IPv6(t *testing.T) {
-	r := &router{af: afIPv6}
-	prefixes := []netip.Prefix{
-		netip.MustParsePrefix("fd00::/64"),
-		netip.MustParsePrefix("2001:db8::1/128"),
-	}
-
-	elements := r.convertPrefixesToSet(prefixes)
-
-	// Each prefix produces 2 elements (start + end)
-	require.Len(t, elements, 4)
-
-	// fd00::/64 start
-	assert.Equal(t, netip.MustParseAddr("fd00::").As16(), [16]byte(elements[0].Key))
-	assert.False(t, elements[0].IntervalEnd)
-
-	// fd00::/64 end (fd00:0:0:1::, one past the last)
-	assert.Equal(t, netip.MustParseAddr("fd00:0:0:1::").As16(), [16]byte(elements[1].Key))
-	assert.True(t, elements[1].IntervalEnd)
-
-	// 2001:db8::1/128 start
-	assert.Equal(t, netip.MustParseAddr("2001:db8::1").As16(), [16]byte(elements[2].Key))
-	assert.False(t, elements[2].IntervalEnd)
-
-	// 2001:db8::1/128 end (2001:db8::2)
-	assert.Equal(t, netip.MustParseAddr("2001:db8::2").As16(), [16]byte(elements[3].Key))
-	assert.True(t, elements[3].IntervalEnd)
-}
--- a/client/firewall/uspfilter/allow_netbird.go
+++ b/client/firewall/uspfilter/allow_netbird.go
@@ -3,6 +3,12 @@
 package uspfilter

 import (
+	"context"
+	"net/netip"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )

@@ -11,7 +17,33 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	m.resetState()
+	m.outgoingRules = make(map[netip.Addr]RuleSet)
+	m.incomingDenyRules = make(map[netip.Addr]RuleSet)
+	m.incomingRules = make(map[netip.Addr]RuleSet)
+
+	if m.udpTracker != nil {
+		m.udpTracker.Close()
+	}
+
+	if m.icmpTracker != nil {
+		m.icmpTracker.Close()
+	}
+
+	if m.tcpTracker != nil {
+		m.tcpTracker.Close()
+	}
+
+	if fwder := m.forwarder.Load(); fwder != nil {
+		fwder.Stop()
+	}
+
+	if m.logger != nil {
+		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+		defer cancel()
+		if err := m.logger.Stop(ctx); err != nil {
+			log.Errorf("failed to shutdown logger: %v", err)
+		}
+	}

 	if m.nativeFirewall != nil {
 		return m.nativeFirewall.Close(stateManager)
--- a/client/firewall/uspfilter/allow_netbird_windows.go
+++ b/client/firewall/uspfilter/allow_netbird_windows.go
@@ -1,14 +1,15 @@
 package uspfilter

 import (
+	"context"
 	"fmt"
+	"net/netip"
 	"os/exec"
 	"syscall"
+	"time"

-	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"

-	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )

@@ -25,26 +26,47 @@ func (m *Manager) Close(*statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	m.resetState()
+	m.outgoingRules = make(map[netip.Addr]RuleSet)
+	m.incomingDenyRules = make(map[netip.Addr]RuleSet)
+	m.incomingRules = make(map[netip.Addr]RuleSet)
+
+	if m.udpTracker != nil {
+		m.udpTracker.Close()
+	}
+
+	if m.icmpTracker != nil {
+		m.icmpTracker.Close()
+	}
+
+	if m.tcpTracker != nil {
+		m.tcpTracker.Close()
+	}
+
+	if fwder := m.forwarder.Load(); fwder != nil {
+		fwder.Stop()
+	}
+
+	if m.logger != nil {
+		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+		defer cancel()
+		if err := m.logger.Stop(ctx); err != nil {
+			log.Errorf("failed to shutdown logger: %v", err)
+		}
+	}

 	if !isWindowsFirewallReachable() {
 		return nil
 	}

-	var merr *multierror.Error
-	if isFirewallRuleActive(firewallRuleName) {
-		if err := manageFirewallRule(firewallRuleName, deleteRule); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("remove windows firewall rule: %w", err))
-		}
+	if !isFirewallRuleActive(firewallRuleName) {
+		return nil
 	}

-	if isFirewallRuleActive(firewallRuleName + "-v6") {
-		if err := manageFirewallRule(firewallRuleName+"-v6", deleteRule); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("remove windows v6 firewall rule: %w", err))
-		}
+	if err := manageFirewallRule(firewallRuleName, deleteRule); err != nil {
+		return fmt.Errorf("couldn't remove windows firewall: %w", err)
 	}

-	return nberrors.FormatErrorOrNil(merr)
+	return nil
 }

 // AllowNetbird allows netbird interface traffic
@@ -53,33 +75,17 @@ func (m *Manager) AllowNetbird() error {
 		return nil
 	}

-	if !isFirewallRuleActive(firewallRuleName) {
-		if err := manageFirewallRule(firewallRuleName,
-			addRule,
-			"dir=in",
-			"enable=yes",
-			"action=allow",
-			"profile=any",
-			"localip="+m.wgIface.Address().IP.String(),
-		); err != nil {
-			return err
-		}
+	if isFirewallRuleActive(firewallRuleName) {
+		return nil
 	}
-
-	if v6 := m.wgIface.Address().IPv6; v6.IsValid() && !isFirewallRuleActive(firewallRuleName+"-v6") {
-		if err := manageFirewallRule(firewallRuleName+"-v6",
-			addRule,
-			"dir=in",
-			"enable=yes",
-			"action=allow",
-			"profile=any",
-			"localip="+v6.String(),
-		); err != nil {
-			return err
-		}
-	}
-
-	return nil
+	return manageFirewallRule(firewallRuleName,
+		addRule,
+		"dir=in",
+		"enable=yes",
+		"action=allow",
+		"profile=any",
+		"localip="+m.wgIface.Address().IP.String(),
+	)
 }

 func manageFirewallRule(ruleName string, action action, extraArgs ...string) error {
--- a/client/firewall/uspfilter/conntrack/common.go
+++ b/client/firewall/uspfilter/conntrack/common.go
@@ -1,9 +1,8 @@
 package conntrack

 import (
-	"net"
+	"fmt"
 	"net/netip"
-	"strconv"
 	"sync/atomic"
 	"time"

@@ -65,7 +64,5 @@ type ConnKey struct {
 }

 func (c ConnKey) String() string {
-	return net.JoinHostPort(c.SrcIP.Unmap().String(), strconv.Itoa(int(c.SrcPort))) +
-		" → " +
-		net.JoinHostPort(c.DstIP.Unmap().String(), strconv.Itoa(int(c.DstPort)))
+	return fmt.Sprintf("%s:%d → %s:%d", c.SrcIP.Unmap(), c.SrcPort, c.DstIP.Unmap(), c.DstPort)
 }
--- a/client/firewall/uspfilter/conntrack/icmp.go
+++ b/client/firewall/uspfilter/conntrack/icmp.go
@@ -21,10 +21,9 @@ const (
 	// ICMPCleanupInterval is how often we check for stale ICMP connections
 	ICMPCleanupInterval = 15 * time.Second

-	// MaxICMPPayloadLength is the maximum length of ICMP payload we consider for original packet info.
-	// IPv4: 20-byte header + 8-byte transport = 28 bytes.
-	// IPv6: 40-byte header + 8-byte transport = 48 bytes.
-	MaxICMPPayloadLength = 48
+	// MaxICMPPayloadLength is the maximum length of ICMP payload we consider for original packet info,
+	// which includes the IP header (20 bytes) and transport header (8 bytes)
+	MaxICMPPayloadLength = 28
 )

 // ICMPConnKey uniquely identifies an ICMP connection
@@ -75,64 +74,32 @@ func (info ICMPInfo) String() string {
 	return info.TypeCode.String()
 }

-// isErrorMessage returns true if this ICMP type carries original packet info.
-// Covers both ICMPv4 and ICMPv6 error types. Without a family field we match
-// both sets; type 3 overlaps (v4 DestUnreachable / v6 TimeExceeded) so it's
-// kept as a literal.
+// isErrorMessage returns true if this ICMP type carries original packet info
 func (info ICMPInfo) isErrorMessage() bool {
 	typ := info.TypeCode.Type()
-	// ICMPv4 error types
-	if typ == layers.ICMPv4TypeDestinationUnreachable ||
-		typ == layers.ICMPv4TypeRedirect ||
-		typ == layers.ICMPv4TypeTimeExceeded ||
-		typ == layers.ICMPv4TypeParameterProblem {
-		return true
-	}
-	// ICMPv6 error types (type 3 already matched above as v4 DestUnreachable)
-	if typ == layers.ICMPv6TypeDestinationUnreachable ||
-		typ == layers.ICMPv6TypePacketTooBig ||
-		typ == layers.ICMPv6TypeParameterProblem {
-		return true
-	}
-	return false
+	return typ == 3 || // Destination Unreachable
+		typ == 5 || // Redirect
+		typ == 11 || // Time Exceeded
+		typ == 12 // Parameter Problem
 }

 // parseOriginalPacket extracts info about the original packet from ICMP payload
 func (info ICMPInfo) parseOriginalPacket() string {
-	if info.PayloadLen == 0 {
+	if info.PayloadLen < MaxICMPPayloadLength {
 		return ""
 	}

-	version := (info.PayloadData[0] >> 4) & 0xF
-
-	var protocol uint8
-	var srcIP, dstIP net.IP
-	var transportData []byte
-
-	switch version {
-	case 4:
-		// 20-byte IPv4 header + 8-byte transport minimum
-		if info.PayloadLen < 28 {
-			return ""
-		}
-		protocol = info.PayloadData[9]
-		srcIP = net.IP(info.PayloadData[12:16])
-		dstIP = net.IP(info.PayloadData[16:20])
-		transportData = info.PayloadData[20:]
-	case 6:
-		// 40-byte IPv6 header + 8-byte transport minimum
-		if info.PayloadLen < 48 {
-			return ""
-		}
-		// Next Header field in IPv6 header
-		protocol = info.PayloadData[6]
-		srcIP = net.IP(info.PayloadData[8:24])
-		dstIP = net.IP(info.PayloadData[24:40])
-		transportData = info.PayloadData[40:]
-	default:
+	// TODO: handle IPv6
+	if version := (info.PayloadData[0] >> 4) & 0xF; version != 4 {
 		return ""
 	}

+	protocol := info.PayloadData[9]
+	srcIP := net.IP(info.PayloadData[12:16])
+	dstIP := net.IP(info.PayloadData[16:20])
+
+	transportData := info.PayloadData[20:]
+
 	switch nftypes.Protocol(protocol) {
 	case nftypes.TCP:
 		srcPort := uint16(transportData[0])<<8 | uint16(transportData[1])
@@ -280,10 +247,9 @@ func (t *ICMPTracker) track(
 	t.sendEvent(nftypes.TypeStart, conn, ruleId)
 }

-// IsValidInbound checks if an inbound ICMP Echo Reply matches a tracked request.
-// Accepts both ICMPv4 (type 0) and ICMPv6 (type 129) echo replies.
+// IsValidInbound checks if an inbound ICMP Echo Reply matches a tracked request
 func (t *ICMPTracker) IsValidInbound(srcIP netip.Addr, dstIP netip.Addr, id uint16, icmpType uint8, size int) bool {
-	if icmpType != uint8(layers.ICMPv4TypeEchoReply) && icmpType != uint8(layers.ICMPv6TypeEchoReply) {
+	if icmpType != uint8(layers.ICMPv4TypeEchoReply) {
 		return false
 	}

@@ -335,13 +301,6 @@ func (t *ICMPTracker) cleanup() {
 	}
 }

-func icmpProtocolForAddr(ip netip.Addr) nftypes.Protocol {
-	if ip.Is6() {
-		return nftypes.ICMPv6
-	}
-	return nftypes.ICMP
-}
-
 // Close stops the cleanup routine and releases resources
 func (t *ICMPTracker) Close() {
 	t.tickerCancel()
@@ -357,7 +316,7 @@ func (t *ICMPTracker) sendEvent(typ nftypes.Type, conn *ICMPConnTrack, ruleID []
 		Type:      typ,
 		RuleID:    ruleID,
 		Direction: conn.Direction,
-		Protocol:  icmpProtocolForAddr(conn.SourceIP),
+		Protocol:  nftypes.ICMP, // TODO: adjust for IPv6/icmpv6
 		SourceIP:  conn.SourceIP,
 		DestIP:    conn.DestIP,
 		ICMPType:  conn.ICMPType,
@@ -375,7 +334,7 @@ func (t *ICMPTracker) sendStartEvent(direction nftypes.Direction, srcIP netip.Ad
 		Type:      nftypes.TypeStart,
 		RuleID:    ruleID,
 		Direction: direction,
-		Protocol:  icmpProtocolForAddr(srcIP),
+		Protocol:  nftypes.ICMP,
 		SourceIP:  srcIP,
 		DestIP:    dstIP,
 		ICMPType:  typ,
--- a/client/firewall/uspfilter/conntrack/tcp.go
+++ b/client/firewall/uspfilter/conntrack/tcp.go
@@ -115,17 +115,6 @@ func (t *TCPConnTrack) IsTombstone() bool {
 	return t.tombstone.Load()
 }

-// IsSupersededBy returns true if this connection should be replaced by a new one
-// carrying the given flags. Tombstoned connections are always superseded; TIME-WAIT
-// connections are superseded by a pure SYN (a new connection attempt for the same
-// four-tuple, as contemplated by RFC 1122 §4.2.2.13 and RFC 6191).
-func (t *TCPConnTrack) IsSupersededBy(flags uint8) bool {
-	if t.tombstone.Load() {
-		return true
-	}
-	return flags&TCPSyn != 0 && flags&TCPAck == 0 && TCPState(t.state.Load()) == TCPStateTimeWait
-}
-
 // SetTombstone safely marks the connection for deletion
 func (t *TCPConnTrack) SetTombstone() {
 	t.tombstone.Store(true)
@@ -180,7 +169,7 @@ func (t *TCPTracker) updateIfExists(srcIP, dstIP netip.Addr, srcPort, dstPort ui
 	conn, exists := t.connections[key]
 	t.mutex.RUnlock()

-	if exists && !conn.IsSupersededBy(flags) {
+	if exists {
 		t.updateState(key, conn, flags, direction, size)
 		return key, uint16(conn.DNATOrigPort.Load()), true
 	}
@@ -252,7 +241,7 @@ func (t *TCPTracker) IsValidInbound(srcIP, dstIP netip.Addr, srcPort, dstPort ui
 	conn, exists := t.connections[key]
 	t.mutex.RUnlock()

-	if !exists || conn.IsSupersededBy(flags) {
+	if !exists || conn.IsTombstone() {
 		return false
 	}

--- a/client/firewall/uspfilter/conntrack/tcp_test.go
+++ b/client/firewall/uspfilter/conntrack/tcp_test.go
@@ -485,261 +485,6 @@ func TestTCPAbnormalSequences(t *testing.T) {
 	})
 }

-// TestTCPPortReuseTombstone verifies that a new connection on a port with a
-// tombstoned (closed) conntrack entry is properly tracked. Without the fix,
-// updateIfExists treats tombstoned entries as live, causing track() to skip
-// creating a new connection. The subsequent SYN-ACK then fails IsValidInbound
-// because the entry is tombstoned, and the response packet gets dropped by ACL.
-func TestTCPPortReuseTombstone(t *testing.T) {
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-
-	t.Run("Outbound port reuse after graceful close", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-		// Establish and gracefully close a connection (server-initiated close)
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-		// Server sends FIN
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-		require.True(t, valid)
-
-		// Client sends FIN-ACK
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-
-		// Server sends final ACK
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		require.True(t, valid)
-
-		// Connection should be tombstoned
-		conn := tracker.connections[key]
-		require.NotNil(t, conn, "old connection should still be in map")
-		require.True(t, conn.IsTombstone(), "old connection should be tombstoned")
-
-		// Now reuse the same port for a new connection
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 100)
-
-		// The old tombstoned entry should be replaced with a new one
-		newConn := tracker.connections[key]
-		require.NotNil(t, newConn, "new connection should exist")
-		require.False(t, newConn.IsTombstone(), "new connection should not be tombstoned")
-		require.Equal(t, TCPStateSynSent, newConn.GetState())
-
-		// SYN-ACK for the new connection should be valid
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 100)
-		require.True(t, valid, "SYN-ACK for new connection on reused port should be accepted")
-		require.Equal(t, TCPStateEstablished, newConn.GetState())
-
-		// Data transfer should work
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 100)
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPPush|TCPAck, 500)
-		require.True(t, valid, "data should be allowed on new connection")
-	})
-
-	t.Run("Outbound port reuse after RST", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-		// Establish and RST a connection
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPRst|TCPAck, 0)
-		require.True(t, valid)
-
-		conn := tracker.connections[key]
-		require.True(t, conn.IsTombstone(), "RST connection should be tombstoned")
-
-		// Reuse the same port
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 100)
-
-		newConn := tracker.connections[key]
-		require.NotNil(t, newConn)
-		require.False(t, newConn.IsTombstone())
-		require.Equal(t, TCPStateSynSent, newConn.GetState())
-
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 100)
-		require.True(t, valid, "SYN-ACK should be accepted after RST tombstone")
-	})
-
-	t.Run("Inbound port reuse after close", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		clientIP := srcIP
-		serverIP := dstIP
-		clientPort := srcPort
-		serverPort := dstPort
-		key := ConnKey{SrcIP: clientIP, DstIP: serverIP, SrcPort: clientPort, DstPort: serverPort}
-
-		// Inbound connection: client SYN → server SYN-ACK → client ACK
-		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPSyn, nil, 100, 0)
-		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPSyn|TCPAck, 100)
-		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100, 0)
-
-		conn := tracker.connections[key]
-		require.Equal(t, TCPStateEstablished, conn.GetState())
-
-		// Server-initiated close to reach Closed/tombstoned:
-		// Server FIN (opposite dir) → CloseWait
-		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPFin|TCPAck, 100)
-		require.Equal(t, TCPStateCloseWait, conn.GetState())
-		// Client FIN-ACK (same dir as conn) → LastAck
-		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPFin|TCPAck, nil, 100, 0)
-		require.Equal(t, TCPStateLastAck, conn.GetState())
-		// Server final ACK (opposite dir) → Closed → tombstoned
-		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPAck, 100)
-
-		require.True(t, conn.IsTombstone())
-
-		// New inbound connection on same ports
-		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPSyn, nil, 100, 0)
-
-		newConn := tracker.connections[key]
-		require.NotNil(t, newConn)
-		require.False(t, newConn.IsTombstone())
-		require.Equal(t, TCPStateSynReceived, newConn.GetState())
-
-		// Complete handshake: server SYN-ACK, then client ACK
-		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPSyn|TCPAck, 100)
-		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100, 0)
-		require.Equal(t, TCPStateEstablished, newConn.GetState())
-	})
-
-	t.Run("Late ACK on tombstoned connection is harmless", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-		// Establish and close via passive close (server-initiated FIN → Closed → tombstoned)
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0) // CloseWait
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)  // LastAck
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)        // Closed
-
-		conn := tracker.connections[key]
-		require.True(t, conn.IsTombstone())
-
-		// Late ACK should be rejected (tombstoned)
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		require.False(t, valid, "late ACK on tombstoned connection should be rejected")
-
-		// Late outbound ACK should not create a new connection (not a SYN)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-		require.True(t, tracker.connections[key].IsTombstone(), "late outbound ACK should not replace tombstoned entry")
-	})
-}
-
-func TestTCPPortReuseTimeWait(t *testing.T) {
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-
-	t.Run("Outbound port reuse during TIME-WAIT (active close)", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-		// Establish connection
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-		// Active close: client (outbound initiator) sends FIN first
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-		conn := tracker.connections[key]
-		require.Equal(t, TCPStateFinWait1, conn.GetState())
-
-		// Server ACKs the FIN
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		require.True(t, valid)
-		require.Equal(t, TCPStateFinWait2, conn.GetState())
-
-		// Server sends its own FIN
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-		require.True(t, valid)
-		require.Equal(t, TCPStateTimeWait, conn.GetState())
-
-		// Client sends final ACK (TIME-WAIT stays, not tombstoned)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-		require.False(t, conn.IsTombstone(), "TIME-WAIT should not be tombstoned")
-
-		// New outbound SYN on the same port (port reuse during TIME-WAIT)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 100)
-
-		// Per RFC 1122/6191, new SYN during TIME-WAIT should start a new connection
-		newConn := tracker.connections[key]
-		require.NotNil(t, newConn, "new connection should exist")
-		require.False(t, newConn.IsTombstone(), "new connection should not be tombstoned")
-		require.Equal(t, TCPStateSynSent, newConn.GetState(), "new connection should be in SYN-SENT")
-
-		// SYN-ACK for new connection should be valid
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 100)
-		require.True(t, valid, "SYN-ACK for new connection should be accepted")
-		require.Equal(t, TCPStateEstablished, newConn.GetState())
-	})
-
-	t.Run("Inbound SYN during TIME-WAIT falls through to normal tracking", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-		// Establish outbound connection and close via active close → TIME-WAIT
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-
-		conn := tracker.connections[key]
-		require.Equal(t, TCPStateTimeWait, conn.GetState())
-
-		// Inbound SYN on same ports during TIME-WAIT: IsValidInbound returns false
-		// so the filter falls through to ACL check + TrackInbound (which creates
-		// a new connection via track() → updateIfExists skips TIME-WAIT for SYN)
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn, 0)
-		require.False(t, valid, "inbound SYN during TIME-WAIT should fail conntrack validation")
-
-		// Simulate what the filter does next: TrackInbound via the normal path
-		tracker.TrackInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn, nil, 100, 0)
-
-		// The new inbound connection uses the inverted key (dst→src becomes src→dst in track)
-		invertedKey := ConnKey{SrcIP: dstIP, DstIP: srcIP, SrcPort: dstPort, DstPort: srcPort}
-		newConn := tracker.connections[invertedKey]
-		require.NotNil(t, newConn, "new inbound connection should be tracked")
-		require.Equal(t, TCPStateSynReceived, newConn.GetState())
-		require.False(t, newConn.IsTombstone())
-	})
-
-	t.Run("Late retransmit during TIME-WAIT still allowed", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-		// Establish and active close → TIME-WAIT
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-
-		conn := tracker.connections[key]
-		require.Equal(t, TCPStateTimeWait, conn.GetState())
-
-		// Late ACK retransmits during TIME-WAIT should still be accepted
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		require.True(t, valid, "retransmitted ACK during TIME-WAIT should be accepted")
-	})
-}
-
 func TestTCPTimeoutHandling(t *testing.T) {
 	// Create tracker with a very short timeout for testing
 	shortTimeout := 100 * time.Millisecond
--- a/client/firewall/uspfilter/filter.go
+++ b/client/firewall/uspfilter/filter.go
@@ -1,7 +1,6 @@
 package uspfilter

 import (
-	"context"
 	"encoding/binary"
 	"errors"
 	"fmt"
@@ -13,13 +12,11 @@ import (
 	"strings"
 	"sync"
 	"sync/atomic"
-	"time"

 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 	"github.com/google/uuid"
 	log "github.com/sirupsen/logrus"
-	"golang.org/x/exp/maps"

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/common"
@@ -27,7 +24,6 @@ import (
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/forwarder"
 	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 	"github.com/netbirdio/netbird/client/iface/netstack"
-	nbid "github.com/netbirdio/netbird/client/internal/acl/id"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
@@ -35,10 +31,8 @@ import (
 const (
 	layerTypeAll = 255

-	// ipv4TCPHeaderMinSize represents minimum IPv4 (20) + TCP (20) header size for MSS calculation
-	ipv4TCPHeaderMinSize = 40
-	// ipv6TCPHeaderMinSize represents minimum IPv6 (40) + TCP (20) header size for MSS calculation
-	ipv6TCPHeaderMinSize = 60
+	// ipTCPHeaderMinSize represents minimum IP (20) + TCP (20) header size for MSS calculation
+	ipTCPHeaderMinSize = 40
 )

 // serviceKey represents a protocol/port combination for netstack service registry
@@ -95,7 +89,6 @@ type Manager struct {
 	incomingDenyRules map[netip.Addr]RuleSet
 	incomingRules     map[netip.Addr]RuleSet
 	routeRules        RouteRules
-	routeRulesMap     map[nbid.RuleID]*RouteRule
 	decoders          sync.Pool
 	wgIface           common.IFaceMapper
 	nativeFirewall    firewall.Manager
@@ -139,21 +132,9 @@ type Manager struct {
 	netstackServices     map[serviceKey]struct{}
 	netstackServiceMutex sync.RWMutex

-	mtu               uint16
-	mssClampValueIPv4 uint16
-	mssClampValueIPv6 uint16
-	mssClampEnabled   bool
-
-	// Only one hook per protocol is supported. Outbound direction only.
-	udpHookOut atomic.Pointer[packetHook]
-	tcpHookOut atomic.Pointer[packetHook]
-}
-
-// packetHook stores a registered hook for a specific IP:port.
-type packetHook struct {
-	ip   netip.Addr
-	port uint16
-	fn   func([]byte) bool
+	mtu             uint16
+	mssClampValue   uint16
+	mssClampEnabled bool
 }

 // decoder for packages
@@ -166,28 +147,11 @@ type decoder struct {
 	icmp4   layers.ICMPv4
 	icmp6   layers.ICMPv6
 	decoded []gopacket.LayerType
-	parser4 *gopacket.DecodingLayerParser
-	parser6 *gopacket.DecodingLayerParser
+	parser  *gopacket.DecodingLayerParser

 	dnatOrigPort uint16
 }

-// decodePacket decodes packet data using the appropriate parser based on IP version.
-func (d *decoder) decodePacket(data []byte) error {
-	if len(data) == 0 {
-		return errors.New("empty packet")
-	}
-	version := data[0] >> 4
-	switch version {
-	case 4:
-		return d.parser4.DecodeLayers(data, &d.decoded)
-	case 6:
-		return d.parser6.DecodeLayers(data, &d.decoded)
-	default:
-		return fmt.Errorf("unknown IP version %d", version)
-	}
-}
-
 // Create userspace firewall manager constructor
 func Create(iface common.IFaceMapper, disableServerRoutes bool, flowLogger nftypes.FlowLogger, mtu uint16) (*Manager, error) {
 	return create(iface, nil, disableServerRoutes, flowLogger, mtu)
@@ -245,17 +209,11 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 				d := &decoder{
 					decoded: []gopacket.LayerType{},
 				}
-				d.parser4 = gopacket.NewDecodingLayerParser(
+				d.parser = gopacket.NewDecodingLayerParser(
 					layers.LayerTypeIPv4,
 					&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
 				)
-				d.parser4.IgnoreUnsupported = true
-
-				d.parser6 = gopacket.NewDecodingLayerParser(
-					layers.LayerTypeIPv6,
-					&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
-				)
-				d.parser6.IgnoreUnsupported = true
+				d.parser.IgnoreUnsupported = true
 				return d
 			},
 		},
@@ -271,7 +229,6 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		flowLogger:          flowLogger,
 		netstack:            netstack.IsEnabled(),
 		localForwarding:     enableLocalForwarding,
-		routeRulesMap:       make(map[nbid.RuleID]*RouteRule),
 		dnatMappings:        make(map[netip.Addr]netip.Addr),
 		portDNATRules:       []portDNATRule{},
 		netstackServices:    make(map[serviceKey]struct{}),
@@ -281,8 +238,7 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe

 	if !disableMSSClamping {
 		m.mssClampEnabled = true
-		m.mssClampValueIPv4 = mtu - ipv4TCPHeaderMinSize
-		m.mssClampValueIPv6 = mtu - ipv6TCPHeaderMinSize
+		m.mssClampValue = mtu - ipTCPHeaderMinSize
 	}
 	if err := m.localipmanager.UpdateLocalIPs(iface); err != nil {
 		return nil, fmt.Errorf("update local IPs: %w", err)
@@ -309,14 +265,9 @@ func (m *Manager) blockInvalidRouted(iface common.IFaceMapper) (firewall.Rule, e
 	wgPrefix := iface.Address().Network
 	log.Debugf("blocking invalid routed traffic for %s", wgPrefix)

-	sources := []netip.Prefix{netip.PrefixFrom(netip.IPv4Unspecified(), 0)}
-	if v6 := iface.Address().IPv6Net; v6.IsValid() {
-		sources = append(sources, netip.PrefixFrom(netip.IPv6Unspecified(), 0))
-	}
-
 	rule, err := m.addRouteFiltering(
 		nil,
-		sources,
+		[]netip.Prefix{netip.PrefixFrom(netip.IPv4Unspecified(), 0)},
 		firewall.Network{Prefix: wgPrefix},
 		firewall.ProtocolALL,
 		nil,
@@ -324,22 +275,7 @@ func (m *Manager) blockInvalidRouted(iface common.IFaceMapper) (firewall.Rule, e
 		firewall.ActionDrop,
 	)
 	if err != nil {
-		return nil, fmt.Errorf("block wg v4 net: %w", err)
-	}
-
-	if v6Net := iface.Address().IPv6Net; v6Net.IsValid() {
-		log.Debugf("blocking invalid routed traffic for %s", v6Net)
-		if _, err := m.addRouteFiltering(
-			nil,
-			sources,
-			firewall.Network{Prefix: v6Net},
-			firewall.ProtocolALL,
-			nil,
-			nil,
-			firewall.ActionDrop,
-		); err != nil {
-			return nil, fmt.Errorf("block wg v6 net: %w", err)
-		}
+		return nil, fmt.Errorf("block wg nte : %w", err)
 	}

 	// TODO: Block networks that we're a client of
@@ -544,19 +480,15 @@ func (m *Manager) addRouteFiltering(
 		return m.nativeFirewall.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
 	}

-	ruleKey := nbid.GenerateRouteRuleKey(sources, destination, proto, sPort, dPort, action)
-
-	if existingRule, ok := m.routeRulesMap[ruleKey]; ok {
-		return existingRule, nil
-	}
+	ruleID := uuid.New().String()

 	rule := RouteRule{
 		// TODO: consolidate these IDs
-		id:         string(ruleKey),
+		id:         ruleID,
 		mgmtId:     id,
 		sources:    sources,
 		dstSet:     destination.Set,
-		protoLayer: protoToLayer(proto, ipLayerFromPrefix(destination.Prefix)),
+		protoLayer: protoToLayer(proto, layers.LayerTypeIPv4),
 		srcPort:    sPort,
 		dstPort:    dPort,
 		action:     action,
@@ -567,7 +499,6 @@ func (m *Manager) addRouteFiltering(

 	m.routeRules = append(m.routeRules, &rule)
 	m.routeRules.Sort()
-	m.routeRulesMap[ruleKey] = &rule

 	return &rule, nil
 }
@@ -584,20 +515,15 @@ func (m *Manager) deleteRouteRule(rule firewall.Rule) error {
 		return m.nativeFirewall.DeleteRouteRule(rule)
 	}

-	ruleKey := nbid.RuleID(rule.ID())
-	if _, ok := m.routeRulesMap[ruleKey]; !ok {
-		return fmt.Errorf("route rule not found: %s", ruleKey)
-	}
-
+	ruleID := rule.ID()
 	idx := slices.IndexFunc(m.routeRules, func(r *RouteRule) bool {
-		return r.id == string(ruleKey)
+		return r.id == ruleID
 	})
 	if idx < 0 {
-		return fmt.Errorf("route rule not found in slice: %s", ruleKey)
+		return fmt.Errorf("route rule not found: %s", ruleID)
 	}

 	m.routeRules = slices.Delete(m.routeRules, idx, idx+1)
-	delete(m.routeRulesMap, ruleKey)
 	return nil
 }

@@ -644,50 +570,6 @@ func (m *Manager) SetLegacyManagement(isLegacy bool) error {
 // Flush doesn't need to be implemented for this manager
 func (m *Manager) Flush() error { return nil }

-// resetState clears all firewall rules and closes connection trackers.
-// Must be called with m.mutex held.
-func (m *Manager) resetState() {
-	maps.Clear(m.outgoingRules)
-	maps.Clear(m.incomingDenyRules)
-	maps.Clear(m.incomingRules)
-	maps.Clear(m.routeRulesMap)
-	m.routeRules = m.routeRules[:0]
-	m.udpHookOut.Store(nil)
-	m.tcpHookOut.Store(nil)
-
-	if m.udpTracker != nil {
-		m.udpTracker.Close()
-	}
-
-	if m.icmpTracker != nil {
-		m.icmpTracker.Close()
-	}
-
-	if m.tcpTracker != nil {
-		m.tcpTracker.Close()
-	}
-
-	if fwder := m.forwarder.Load(); fwder != nil {
-		fwder.Stop()
-	}
-
-	if m.logger != nil {
-		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
-		defer cancel()
-		if err := m.logger.Stop(ctx); err != nil {
-			log.Errorf("failed to shutdown logger: %v", err)
-		}
-	}
-}
-
-// SetupEBPFProxyNoTrack creates notrack rules for eBPF proxy loopback traffic.
-func (m *Manager) SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error {
-	if m.nativeFirewall == nil {
-		return nil
-	}
-	return m.nativeFirewall.SetupEBPFProxyNoTrack(proxyPort, wgPort)
-}
-
 // UpdateSet updates the rule destinations associated with the given set
 // by merging the existing prefixes with the new ones, then deduplicating.
 func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
@@ -710,7 +592,11 @@ func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	}

 	destinations := matches[0].destinations
-	destinations = append(destinations, prefixes...)
+	for _, prefix := range prefixes {
+		if prefix.Addr().Is4() {
+			destinations = append(destinations, prefix)
+		}
+	}

 	slices.SortFunc(destinations, func(a, b netip.Prefix) int {
 		cmp := a.Addr().Compare(b.Addr())
@@ -749,7 +635,7 @@ func (m *Manager) filterOutbound(packetData []byte, size int) bool {
 	d := m.decoders.Get().(*decoder)
 	defer m.decoders.Put(d)

-	if err := d.decodePacket(packetData); err != nil {
+	if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
 		return false
 	}

@@ -769,9 +655,6 @@ func (m *Manager) filterOutbound(packetData []byte, size int) bool {
 			return true
 		}
 	case layers.LayerTypeTCP:
-		if m.tcpHooksDrop(uint16(d.tcp.DstPort), dstIP, packetData) {
-			return true
-		}
 		// Clamp MSS on all TCP SYN packets, including those from local IPs.
 		// SNATed routed traffic may appear as local IP but still requires clamping.
 		if m.mssClampEnabled {
@@ -833,28 +716,12 @@ func (m *Manager) clampTCPMSS(packetData []byte, d *decoder) bool {
 		return false
 	}

-	var mssClampValue uint16
-	var ipHeaderSize int
-	switch d.decoded[0] {
-	case layers.LayerTypeIPv4:
-		mssClampValue = m.mssClampValueIPv4
-		ipHeaderSize = int(d.ip4.IHL) * 4
-		if ipHeaderSize < 20 {
-			return false
-		}
-	case layers.LayerTypeIPv6:
-		mssClampValue = m.mssClampValueIPv6
-		ipHeaderSize = 40
-	default:
-		return false
-	}
-
 	mssOptionIndex := -1
 	var currentMSS uint16
 	for i, opt := range d.tcp.Options {
 		if opt.OptionType == layers.TCPOptionKindMSS && len(opt.OptionData) == 2 {
 			currentMSS = binary.BigEndian.Uint16(opt.OptionData)
-			if currentMSS > mssClampValue {
+			if currentMSS > m.mssClampValue {
 				mssOptionIndex = i
 				break
 			}
@@ -865,15 +732,20 @@ func (m *Manager) clampTCPMSS(packetData []byte, d *decoder) bool {
 		return false
 	}

-	if !m.updateMSSOption(packetData, d, mssOptionIndex, mssClampValue, ipHeaderSize) {
+	ipHeaderSize := int(d.ip4.IHL) * 4
+	if ipHeaderSize < 20 {
 		return false
 	}

-	m.logger.Trace2("Clamped TCP MSS from %d to %d", currentMSS, mssClampValue)
+	if !m.updateMSSOption(packetData, d, mssOptionIndex, ipHeaderSize) {
+		return false
+	}
+
+	m.logger.Trace2("Clamped TCP MSS from %d to %d", currentMSS, m.mssClampValue)
 	return true
 }

-func (m *Manager) updateMSSOption(packetData []byte, d *decoder, mssOptionIndex int, mssClampValue uint16, ipHeaderSize int) bool {
+func (m *Manager) updateMSSOption(packetData []byte, d *decoder, mssOptionIndex, ipHeaderSize int) bool {
 	tcpHeaderStart := ipHeaderSize
 	tcpOptionsStart := tcpHeaderStart + 20

@@ -888,7 +760,7 @@ func (m *Manager) updateMSSOption(packetData []byte, d *decoder, mssOptionIndex
 	}

 	mssValueOffset := optOffset + 2
-	binary.BigEndian.PutUint16(packetData[mssValueOffset:mssValueOffset+2], mssClampValue)
+	binary.BigEndian.PutUint16(packetData[mssValueOffset:mssValueOffset+2], m.mssClampValue)

 	m.recalculateTCPChecksum(packetData, d, tcpHeaderStart)
 	return true
@@ -898,32 +770,18 @@ func (m *Manager) recalculateTCPChecksum(packetData []byte, d *decoder, tcpHeade
 	tcpLayer := packetData[tcpHeaderStart:]
 	tcpLength := len(packetData) - tcpHeaderStart

-	// Zero out existing checksum
 	tcpLayer[16] = 0
 	tcpLayer[17] = 0

-	// Build pseudo-header checksum based on IP version
 	var pseudoSum uint32
-	switch d.decoded[0] {
-	case layers.LayerTypeIPv4:
-		pseudoSum += uint32(d.ip4.SrcIP[0])<<8 | uint32(d.ip4.SrcIP[1])
-		pseudoSum += uint32(d.ip4.SrcIP[2])<<8 | uint32(d.ip4.SrcIP[3])
-		pseudoSum += uint32(d.ip4.DstIP[0])<<8 | uint32(d.ip4.DstIP[1])
-		pseudoSum += uint32(d.ip4.DstIP[2])<<8 | uint32(d.ip4.DstIP[3])
-		pseudoSum += uint32(d.ip4.Protocol)
-		pseudoSum += uint32(tcpLength)
-	case layers.LayerTypeIPv6:
-		for i := 0; i < 16; i += 2 {
-			pseudoSum += uint32(d.ip6.SrcIP[i])<<8 | uint32(d.ip6.SrcIP[i+1])
-		}
-		for i := 0; i < 16; i += 2 {
-			pseudoSum += uint32(d.ip6.DstIP[i])<<8 | uint32(d.ip6.DstIP[i+1])
-		}
-		pseudoSum += uint32(tcpLength)
-		pseudoSum += uint32(layers.IPProtocolTCP)
-	}
+	pseudoSum += uint32(d.ip4.SrcIP[0])<<8 | uint32(d.ip4.SrcIP[1])
+	pseudoSum += uint32(d.ip4.SrcIP[2])<<8 | uint32(d.ip4.SrcIP[3])
+	pseudoSum += uint32(d.ip4.DstIP[0])<<8 | uint32(d.ip4.DstIP[1])
+	pseudoSum += uint32(d.ip4.DstIP[2])<<8 | uint32(d.ip4.DstIP[3])
+	pseudoSum += uint32(d.ip4.Protocol)
+	pseudoSum += uint32(tcpLength)

-	sum := pseudoSum
+	var sum = pseudoSum
 	for i := 0; i < tcpLength-1; i += 2 {
 		sum += uint32(tcpLayer[i])<<8 | uint32(tcpLayer[i+1])
 	}
@@ -961,9 +819,6 @@ func (m *Manager) trackOutbound(d *decoder, srcIP, dstIP netip.Addr, packetData
 		}
 	case layers.LayerTypeICMPv4:
 		m.icmpTracker.TrackOutbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, d.icmp4.Payload, size)
-	case layers.LayerTypeICMPv6:
-		id, tc := icmpv6EchoFields(d)
-		m.icmpTracker.TrackOutbound(srcIP, dstIP, id, tc, d.icmp6.Payload, size)
 	}
 }

@@ -977,29 +832,43 @@ func (m *Manager) trackInbound(d *decoder, srcIP, dstIP netip.Addr, ruleID []byt
 		m.tcpTracker.TrackInbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, ruleID, size, d.dnatOrigPort)
 	case layers.LayerTypeICMPv4:
 		m.icmpTracker.TrackInbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, ruleID, d.icmp4.Payload, size)
-	case layers.LayerTypeICMPv6:
-		id, tc := icmpv6EchoFields(d)
-		m.icmpTracker.TrackInbound(srcIP, dstIP, id, tc, ruleID, d.icmp6.Payload, size)
 	}

 	d.dnatOrigPort = 0
 }

+// udpHooksDrop checks if any UDP hooks should drop the packet
 func (m *Manager) udpHooksDrop(dport uint16, dstIP netip.Addr, packetData []byte) bool {
-	return hookMatches(m.udpHookOut.Load(), dstIP, dport, packetData)
-}
+	m.mutex.RLock()
+	defer m.mutex.RUnlock()

-func (m *Manager) tcpHooksDrop(dport uint16, dstIP netip.Addr, packetData []byte) bool {
-	return hookMatches(m.tcpHookOut.Load(), dstIP, dport, packetData)
-}
+	// Check specific destination IP first
+	if rules, exists := m.outgoingRules[dstIP]; exists {
+		for _, rule := range rules {
+			if rule.udpHook != nil && portsMatch(rule.dPort, dport) {
+				return rule.udpHook(packetData)
+			}
+		}
+	}

-func hookMatches(h *packetHook, dstIP netip.Addr, dport uint16, packetData []byte) bool {
-	if h == nil {
-		return false
+	// Check IPv4 unspecified address
+	if rules, exists := m.outgoingRules[netip.IPv4Unspecified()]; exists {
+		for _, rule := range rules {
+			if rule.udpHook != nil && portsMatch(rule.dPort, dport) {
+				return rule.udpHook(packetData)
+			}
+		}
 	}
-	if h.ip == dstIP && h.port == dport {
-		return h.fn(packetData)
+
+	// Check IPv6 unspecified address
+	if rules, exists := m.outgoingRules[netip.IPv6Unspecified()]; exists {
+		for _, rule := range rules {
+			if rule.udpHook != nil && portsMatch(rule.dPort, dport) {
+				return rule.udpHook(packetData)
+			}
+		}
 	}
+
 	return false
 }

@@ -1022,19 +891,15 @@ func (m *Manager) filterInbound(packetData []byte, size int) bool {

 	// TODO: pass fragments of routed packets to forwarder
 	if fragment {
-		if d.decoded[0] == layers.LayerTypeIPv4 {
-			m.logger.Trace4("packet is a fragment: src=%v dst=%v id=%v flags=%v",
-				srcIP, dstIP, d.ip4.Id, d.ip4.Flags)
-		} else {
-			m.logger.Trace2("packet is an IPv6 fragment: src=%v dst=%v", srcIP, dstIP)
-		}
+		m.logger.Trace4("packet is a fragment: src=%v dst=%v id=%v flags=%v",
+			srcIP, dstIP, d.ip4.Id, d.ip4.Flags)
 		return false
 	}

 	// TODO: optimize port DNAT by caching matched rules in conntrack
 	if translated := m.translateInboundPortDNAT(packetData, d, srcIP, dstIP); translated {
 		// Re-decode after port DNAT translation to update port information
-		if err := d.decodePacket(packetData); err != nil {
+		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
 			m.logger.Error1("failed to re-decode packet after port DNAT: %v", err)
 			return true
 		}
@@ -1043,7 +908,7 @@ func (m *Manager) filterInbound(packetData []byte, size int) bool {

 	if translated := m.translateInboundReverse(packetData, d); translated {
 		// Re-decode after translation to get original addresses
-		if err := d.decodePacket(packetData); err != nil {
+		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
 			m.logger.Error1("failed to re-decode packet after reverse DNAT: %v", err)
 			return true
 		}
@@ -1175,48 +1040,6 @@ func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packe
 	return true
 }

-// icmpv6EchoFields extracts the echo identifier from an ICMPv6 packet and maps
-// the ICMPv6 type code to an ICMPv4TypeCode so the ICMP conntrack can handle
-// both families uniformly. The echo ID is in the first two payload bytes.
-func icmpv6EchoFields(d *decoder) (id uint16, tc layers.ICMPv4TypeCode) {
-	if len(d.icmp6.Payload) >= 2 {
-		id = uint16(d.icmp6.Payload[0])<<8 | uint16(d.icmp6.Payload[1])
-	}
-	// Map ICMPv6 echo types to ICMPv4 equivalents for unified tracking.
-	switch d.icmp6.TypeCode.Type() {
-	case layers.ICMPv6TypeEchoRequest:
-		tc = layers.CreateICMPv4TypeCode(layers.ICMPv4TypeEchoRequest, 0)
-	case layers.ICMPv6TypeEchoReply:
-		tc = layers.CreateICMPv4TypeCode(layers.ICMPv4TypeEchoReply, 0)
-	default:
-		tc = layers.CreateICMPv4TypeCode(d.icmp6.TypeCode.Type(), d.icmp6.TypeCode.Code())
-	}
-	return id, tc
-}
-
-// protoLayerMatches checks if a packet's protocol layer matches a rule's expected
-// protocol layer. ICMPv4 and ICMPv6 are treated as equivalent when matching
-// ICMP rules since management sends a single ICMP rule for both families.
-func protoLayerMatches(ruleLayer, packetLayer gopacket.LayerType) bool {
-	if ruleLayer == packetLayer {
-		return true
-	}
-	if ruleLayer == layers.LayerTypeICMPv4 && packetLayer == layers.LayerTypeICMPv6 {
-		return true
-	}
-	if ruleLayer == layers.LayerTypeICMPv6 && packetLayer == layers.LayerTypeICMPv4 {
-		return true
-	}
-	return false
-}
-
-func ipLayerFromPrefix(p netip.Prefix) gopacket.LayerType {
-	if p.Addr().Is6() {
-		return layers.LayerTypeIPv6
-	}
-	return layers.LayerTypeIPv4
-}
-
 func protoToLayer(proto firewall.Protocol, ipLayer gopacket.LayerType) gopacket.LayerType {
 	switch proto {
 	case firewall.ProtocolTCP:
@@ -1240,10 +1063,8 @@ func getProtocolFromPacket(d *decoder) nftypes.Protocol {
 		return nftypes.TCP
 	case layers.LayerTypeUDP:
 		return nftypes.UDP
-	case layers.LayerTypeICMPv4:
+	case layers.LayerTypeICMPv4, layers.LayerTypeICMPv6:
 		return nftypes.ICMP
-	case layers.LayerTypeICMPv6:
-		return nftypes.ICMPv6
 	default:
 		return nftypes.ProtocolUnknown
 	}
@@ -1264,7 +1085,7 @@ func getPortsFromPacket(d *decoder) (srcPort, dstPort uint16) {
 // It returns true, false if the packet is valid and not a fragment.
 // It returns true, true if the packet is a fragment and valid.
 func (m *Manager) isValidPacket(d *decoder, packetData []byte) (bool, bool) {
-	if err := d.decodePacket(packetData); err != nil {
+	if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
 		m.logger.Trace1("couldn't decode packet, err: %s", err)
 		return false, false
 	}
@@ -1277,18 +1098,10 @@ func (m *Manager) isValidPacket(d *decoder, packetData []byte) (bool, bool) {
 	}

 	// Fragments are also valid
-	if l == 1 {
-		switch d.decoded[0] {
-		case layers.LayerTypeIPv4:
-			if d.ip4.Flags&layers.IPv4MoreFragments != 0 || d.ip4.FragOffset != 0 {
-				return true, true
-			}
-		case layers.LayerTypeIPv6:
-			// IPv6 uses Fragment extension header (NextHeader=44). If gopacket
-			// only decoded the IPv6 layer, the transport is in a fragment.
-			if d.ip6.NextHeader == layers.IPProtocolIPv6Fragment {
-				return true, true
-			}
+	if l == 1 && d.decoded[0] == layers.LayerTypeIPv4 {
+		ip4 := d.ip4
+		if ip4.Flags&layers.IPv4MoreFragments != 0 || ip4.FragOffset != 0 {
+			return true, true
 		}
 	}

@@ -1326,34 +1139,21 @@ func (m *Manager) isValidTrackedConnection(d *decoder, srcIP, dstIP netip.Addr,
 			size,
 		)

-	case layers.LayerTypeICMPv6:
-		id, _ := icmpv6EchoFields(d)
-		return m.icmpTracker.IsValidInbound(
-			srcIP,
-			dstIP,
-			id,
-			d.icmp6.TypeCode.Type(),
-			size,
-		)
+		// TODO: ICMPv6
 	}

 	return false
 }

-// isSpecialICMP returns true if the packet is a special ICMP error packet that should be allowed.
+// isSpecialICMP returns true if the packet is a special ICMP packet that should be allowed
 func (m *Manager) isSpecialICMP(d *decoder) bool {
-	switch d.decoded[1] {
-	case layers.LayerTypeICMPv4:
-		icmpType := d.icmp4.TypeCode.Type()
-		return icmpType == layers.ICMPv4TypeDestinationUnreachable ||
-			icmpType == layers.ICMPv4TypeTimeExceeded
-	case layers.LayerTypeICMPv6:
-		icmpType := d.icmp6.TypeCode.Type()
-		return icmpType == layers.ICMPv6TypeDestinationUnreachable ||
-			icmpType == layers.ICMPv6TypePacketTooBig ||
-			icmpType == layers.ICMPv6TypeTimeExceeded
+	if d.decoded[1] != layers.LayerTypeICMPv4 {
+		return false
 	}
-	return false
+
+	icmpType := d.icmp4.TypeCode.Type()
+	return icmpType == layers.ICMPv4TypeDestinationUnreachable ||
+		icmpType == layers.ICMPv4TypeTimeExceeded
 }

 func (m *Manager) peerACLsBlock(srcIP netip.Addr, d *decoder, packetData []byte) ([]byte, bool) {
@@ -1410,7 +1210,7 @@ func validateRule(ip netip.Addr, packetData []byte, rules map[string]PeerRule, d
 			return rule.mgmtId, rule.drop, true
 		}

-		if !protoLayerMatches(rule.protoLayer, payloadLayer) {
+		if payloadLayer != rule.protoLayer {
 			continue
 		}

@@ -1420,6 +1220,12 @@ func validateRule(ip netip.Addr, packetData []byte, rules map[string]PeerRule, d
 				return rule.mgmtId, rule.drop, true
 			}
 		case layers.LayerTypeUDP:
+			// if rule has UDP hook (and if we are here we match this rule)
+			// we ignore rule.drop and call this hook
+			if rule.udpHook != nil {
+				return rule.mgmtId, rule.udpHook(packetData), true
+			}
+
 			if portsMatch(rule.sPort, uint16(d.udp.SrcPort)) && portsMatch(rule.dPort, uint16(d.udp.DstPort)) {
 				return rule.mgmtId, rule.drop, true
 			}
@@ -1445,7 +1251,8 @@ func (m *Manager) routeACLsPass(srcIP, dstIP netip.Addr, protoLayer gopacket.Lay
 }

 func (m *Manager) ruleMatches(rule *RouteRule, srcAddr, dstAddr netip.Addr, protoLayer gopacket.LayerType, srcPort, dstPort uint16) bool {
-	if rule.protoLayer != layerTypeAll && !protoLayerMatches(rule.protoLayer, protoLayer) {
+	// TODO: handle ipv6 vs ipv4 icmp rules
+	if rule.protoLayer != layerTypeAll && rule.protoLayer != protoLayer {
 		return false
 	}

@@ -1477,30 +1284,65 @@ func (m *Manager) ruleMatches(rule *RouteRule, srcAddr, dstAddr netip.Addr, prot
 	return sourceMatched
 }

-// SetUDPPacketHook sets the outbound UDP packet hook. Pass nil hook to remove.
-func (m *Manager) SetUDPPacketHook(ip netip.Addr, dPort uint16, hook func(packet []byte) bool) {
-	if hook == nil {
-		m.udpHookOut.Store(nil)
-		return
+// AddUDPPacketHook calls hook when UDP packet from given direction matched
+//
+// Hook function returns flag which indicates should be the matched package dropped or not
+func (m *Manager) AddUDPPacketHook(in bool, ip netip.Addr, dPort uint16, hook func(packet []byte) bool) string {
+	r := PeerRule{
+		id:         uuid.New().String(),
+		ip:         ip,
+		protoLayer: layers.LayerTypeUDP,
+		dPort:      &firewall.Port{Values: []uint16{dPort}},
+		ipLayer:    layers.LayerTypeIPv6,
+		udpHook:    hook,
 	}
-	m.udpHookOut.Store(&packetHook{
-		ip:   ip,
-		port: dPort,
-		fn:   hook,
-	})
+
+	if ip.Is4() {
+		r.ipLayer = layers.LayerTypeIPv4
+	}
+
+	m.mutex.Lock()
+	if in {
+		// Incoming UDP hooks are stored in allow rules map
+		if _, ok := m.incomingRules[r.ip]; !ok {
+			m.incomingRules[r.ip] = make(map[string]PeerRule)
+		}
+		m.incomingRules[r.ip][r.id] = r
+	} else {
+		if _, ok := m.outgoingRules[r.ip]; !ok {
+			m.outgoingRules[r.ip] = make(map[string]PeerRule)
+		}
+		m.outgoingRules[r.ip][r.id] = r
+	}
+	m.mutex.Unlock()
+
+	return r.id
 }

-// SetTCPPacketHook sets the outbound TCP packet hook. Pass nil hook to remove.
-func (m *Manager) SetTCPPacketHook(ip netip.Addr, dPort uint16, hook func(packet []byte) bool) {
-	if hook == nil {
-		m.tcpHookOut.Store(nil)
-		return
+// RemovePacketHook removes packet hook by given ID
+func (m *Manager) RemovePacketHook(hookID string) error {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	// Check incoming hooks (stored in allow rules)
+	for _, arr := range m.incomingRules {
+		for _, r := range arr {
+			if r.id == hookID {
+				delete(arr, r.id)
+				return nil
+			}
+		}
 	}
-	m.tcpHookOut.Store(&packetHook{
-		ip:   ip,
-		port: dPort,
-		fn:   hook,
-	})
+	// Check outgoing hooks
+	for _, arr := range m.outgoingRules {
+		for _, r := range arr {
+			if r.id == hookID {
+				delete(arr, r.id)
+				return nil
+			}
+		}
+	}
+	return fmt.Errorf("hook with given id not found")
 }

 // SetLogLevel sets the log level for the firewall manager
@@ -1615,8 +1457,7 @@ func (m *Manager) shouldForward(d *decoder, dstIP netip.Addr) bool {
 	}

 	// traffic to our other local interfaces (not NetBird IP) - always forward
-	addr := m.wgIface.Address()
-	if dstIP != addr.IP && (!addr.IPv6.IsValid() || dstIP != addr.IPv6) {
+	if dstIP != m.wgIface.Address().IP {
 		return true
 	}

--- a/client/firewall/uspfilter/filter_bench_test.go
+++ b/client/firewall/uspfilter/filter_bench_test.go
@@ -1023,8 +1023,7 @@ func BenchmarkMSSClamping(b *testing.B) {
 			}()

 			manager.mssClampEnabled = true
-			manager.mssClampValueIPv4 = 1240
-			manager.mssClampValueIPv6 = 1220
+			manager.mssClampValue = 1240

 			srcIP := net.ParseIP("100.64.0.2")
 			dstIP := net.ParseIP("8.8.8.8")
@@ -1089,8 +1088,7 @@ func BenchmarkMSSClampingOverhead(b *testing.B) {

 			manager.mssClampEnabled = sc.enabled
 			if sc.enabled {
-				manager.mssClampValueIPv4 = 1240
-				manager.mssClampValueIPv6 = 1220
+				manager.mssClampValue = 1240
 			}

 			srcIP := net.ParseIP("100.64.0.2")
@@ -1143,8 +1141,7 @@ func BenchmarkMSSClampingMemory(b *testing.B) {
 			}()

 			manager.mssClampEnabled = true
-			manager.mssClampValueIPv4 = 1240
-			manager.mssClampValueIPv6 = 1220
+			manager.mssClampValue = 1240

 			srcIP := net.ParseIP("100.64.0.2")
 			dstIP := net.ParseIP("8.8.8.8")
--- a/client/firewall/uspfilter/filter_filter_test.go
+++ b/client/firewall/uspfilter/filter_filter_test.go
@@ -539,236 +539,53 @@ func TestPeerACLFiltering(t *testing.T) {
 	}
 }

-func TestPeerACLFilteringIPv6(t *testing.T) {
-	localIP := netip.MustParseAddr("100.10.0.100")
-	localIPv6 := netip.MustParseAddr("fd00::100")
-	wgNet := netip.MustParsePrefix("100.10.0.0/16")
-	wgNetV6 := netip.MustParsePrefix("fd00::/64")
-
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-		AddressFunc: func() wgaddr.Address {
-			return wgaddr.Address{
-				IP:      localIP,
-				Network: wgNet,
-				IPv6:    localIPv6,
-				IPv6Net: wgNetV6,
-			}
-		},
-	}
-
-	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
-	require.NoError(t, err)
-	t.Cleanup(func() { require.NoError(t, manager.Close(nil)) })
-
-	err = manager.UpdateLocalIPs()
-	require.NoError(t, err)
-
-	testCases := []struct {
-		name            string
-		srcIP           string
-		dstIP           string
-		proto           fw.Protocol
-		srcPort         uint16
-		dstPort         uint16
-		ruleIP          string
-		ruleProto       fw.Protocol
-		ruleDstPort     *fw.Port
-		ruleAction      fw.Action
-		shouldBeBlocked bool
-	}{
-		{
-			name:            "IPv6: allow TCP from peer",
-			srcIP:           "fd00::1",
-			dstIP:           "fd00::100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         443,
-			ruleIP:          "fd00::1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleDstPort:     &fw.Port{Values: []uint16{443}},
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: false,
-		},
-		{
-			name:            "IPv6: allow UDP from peer",
-			srcIP:           "fd00::1",
-			dstIP:           "fd00::100",
-			proto:           fw.ProtocolUDP,
-			srcPort:         12345,
-			dstPort:         53,
-			ruleIP:          "fd00::1",
-			ruleProto:       fw.ProtocolUDP,
-			ruleDstPort:     &fw.Port{Values: []uint16{53}},
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: false,
-		},
-		{
-			name:            "IPv6: allow ICMPv6 from peer",
-			srcIP:           "fd00::1",
-			dstIP:           "fd00::100",
-			proto:           fw.ProtocolICMP,
-			ruleIP:          "fd00::1",
-			ruleProto:       fw.ProtocolICMP,
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: false,
-		},
-		{
-			name:            "IPv6: block TCP without rule",
-			srcIP:           "fd00::2",
-			dstIP:           "fd00::100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         443,
-			ruleIP:          "fd00::1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleDstPort:     &fw.Port{Values: []uint16{443}},
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "IPv6: drop rule",
-			srcIP:           "fd00::1",
-			dstIP:           "fd00::100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         22,
-			ruleIP:          "fd00::1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleDstPort:     &fw.Port{Values: []uint16{22}},
-			ruleAction:      fw.ActionDrop,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "IPv6: allow all protocols",
-			srcIP:           "fd00::1",
-			dstIP:           "fd00::100",
-			proto:           fw.ProtocolUDP,
-			srcPort:         12345,
-			dstPort:         9999,
-			ruleIP:          "fd00::1",
-			ruleProto:       fw.ProtocolALL,
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: false,
-		},
-		{
-			name:            "IPv6: v4 wildcard ICMP rule matches ICMPv6 via protoLayerMatches",
-			srcIP:           "fd00::1",
-			dstIP:           "fd00::100",
-			proto:           fw.ProtocolICMP,
-			ruleIP:          "0.0.0.0",
-			ruleProto:       fw.ProtocolICMP,
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: false,
-		},
-	}
-
-	t.Run("IPv6 implicit DROP (no rules)", func(t *testing.T) {
-		packet := createTestPacket(t, "fd00::1", "fd00::100", fw.ProtocolTCP, 12345, 443)
-		isDropped := manager.FilterInbound(packet, 0)
-		require.True(t, isDropped, "IPv6 packet should be dropped when no rules exist")
-	})
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			if tc.ruleAction == fw.ActionDrop {
-				rules, err := manager.AddPeerFiltering(nil, net.ParseIP(tc.ruleIP), fw.ProtocolALL, nil, nil, fw.ActionAccept, "")
-				require.NoError(t, err)
-				t.Cleanup(func() {
-					for _, rule := range rules {
-						require.NoError(t, manager.DeletePeerRule(rule))
-					}
-				})
-			}
-
-			rules, err := manager.AddPeerFiltering(nil, net.ParseIP(tc.ruleIP), tc.ruleProto, nil, tc.ruleDstPort, tc.ruleAction, "")
-			require.NoError(t, err)
-			require.NotEmpty(t, rules)
-			t.Cleanup(func() {
-				for _, rule := range rules {
-					require.NoError(t, manager.DeletePeerRule(rule))
-				}
-			})
-
-			packet := createTestPacket(t, tc.srcIP, tc.dstIP, tc.proto, tc.srcPort, tc.dstPort)
-			isDropped := manager.FilterInbound(packet, 0)
-			require.Equal(t, tc.shouldBeBlocked, isDropped, "packet filter result mismatch")
-		})
-	}
-}
-
 func createTestPacket(t *testing.T, srcIP, dstIP string, proto fw.Protocol, srcPort, dstPort uint16) []byte {
 	t.Helper()

-	src := net.ParseIP(srcIP)
-	dst := net.ParseIP(dstIP)
-
 	buf := gopacket.NewSerializeBuffer()
 	opts := gopacket.SerializeOptions{
 		ComputeChecksums: true,
 		FixLengths:       true,
 	}

-	// Detect address family
-	isV6 := src.To4() == nil
+	ipLayer := &layers.IPv4{
+		Version: 4,
+		TTL:     64,
+		SrcIP:   net.ParseIP(srcIP),
+		DstIP:   net.ParseIP(dstIP),
+	}

 	var err error
+	switch proto {
+	case fw.ProtocolTCP:
+		ipLayer.Protocol = layers.IPProtocolTCP
+		tcp := &layers.TCP{
+			SrcPort: layers.TCPPort(srcPort),
+			DstPort: layers.TCPPort(dstPort),
+		}
+		err = tcp.SetNetworkLayerForChecksum(ipLayer)
+		require.NoError(t, err)
+		err = gopacket.SerializeLayers(buf, opts, ipLayer, tcp)

-	if isV6 {
-		ip6 := &layers.IPv6{
-			Version:  6,
-			HopLimit: 64,
-			SrcIP:    src,
-			DstIP:    dst,
+	case fw.ProtocolUDP:
+		ipLayer.Protocol = layers.IPProtocolUDP
+		udp := &layers.UDP{
+			SrcPort: layers.UDPPort(srcPort),
+			DstPort: layers.UDPPort(dstPort),
 		}
+		err = udp.SetNetworkLayerForChecksum(ipLayer)
+		require.NoError(t, err)
+		err = gopacket.SerializeLayers(buf, opts, ipLayer, udp)

-		switch proto {
-		case fw.ProtocolTCP:
-			ip6.NextHeader = layers.IPProtocolTCP
-			tcp := &layers.TCP{SrcPort: layers.TCPPort(srcPort), DstPort: layers.TCPPort(dstPort)}
-			_ = tcp.SetNetworkLayerForChecksum(ip6)
-			err = gopacket.SerializeLayers(buf, opts, ip6, tcp)
-		case fw.ProtocolUDP:
-			ip6.NextHeader = layers.IPProtocolUDP
-			udp := &layers.UDP{SrcPort: layers.UDPPort(srcPort), DstPort: layers.UDPPort(dstPort)}
-			_ = udp.SetNetworkLayerForChecksum(ip6)
-			err = gopacket.SerializeLayers(buf, opts, ip6, udp)
-		case fw.ProtocolICMP:
-			ip6.NextHeader = layers.IPProtocolICMPv6
-			icmp := &layers.ICMPv6{
-				TypeCode: layers.CreateICMPv6TypeCode(layers.ICMPv6TypeEchoRequest, 0),
-			}
-			_ = icmp.SetNetworkLayerForChecksum(ip6)
-			err = gopacket.SerializeLayers(buf, opts, ip6, icmp)
-		default:
-			err = gopacket.SerializeLayers(buf, opts, ip6)
-		}
-	} else {
-		ip4 := &layers.IPv4{
-			Version: 4,
-			TTL:     64,
-			SrcIP:   src,
-			DstIP:   dst,
+	case fw.ProtocolICMP:
+		ipLayer.Protocol = layers.IPProtocolICMPv4
+		icmp := &layers.ICMPv4{
+			TypeCode: layers.CreateICMPv4TypeCode(layers.ICMPv4TypeEchoRequest, 0),
 		}
+		err = gopacket.SerializeLayers(buf, opts, ipLayer, icmp)

-		switch proto {
-		case fw.ProtocolTCP:
-			ip4.Protocol = layers.IPProtocolTCP
-			tcp := &layers.TCP{SrcPort: layers.TCPPort(srcPort), DstPort: layers.TCPPort(dstPort)}
-			_ = tcp.SetNetworkLayerForChecksum(ip4)
-			err = gopacket.SerializeLayers(buf, opts, ip4, tcp)
-		case fw.ProtocolUDP:
-			ip4.Protocol = layers.IPProtocolUDP
-			udp := &layers.UDP{SrcPort: layers.UDPPort(srcPort), DstPort: layers.UDPPort(dstPort)}
-			_ = udp.SetNetworkLayerForChecksum(ip4)
-			err = gopacket.SerializeLayers(buf, opts, ip4, udp)
-		case fw.ProtocolICMP:
-			ip4.Protocol = layers.IPProtocolICMPv4
-			icmp := &layers.ICMPv4{TypeCode: layers.CreateICMPv4TypeCode(layers.ICMPv4TypeEchoRequest, 0)}
-			err = gopacket.SerializeLayers(buf, opts, ip4, icmp)
-		default:
-			err = gopacket.SerializeLayers(buf, opts, ip4)
-		}
+	default:
+		err = gopacket.SerializeLayers(buf, opts, ipLayer)
 	}

 	require.NoError(t, err)
@@ -1681,103 +1498,3 @@ func TestRouteACLSet(t *testing.T) {
 	_, isAllowed = manager.routeACLsPass(srcIP, dstIP, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
 	require.True(t, isAllowed, "After set update, traffic to the added network should be allowed")
 }
-
-// TestRouteACLFilteringIPv6 tests IPv6 route ACL matching directly via routeACLsPass.
-// Note: full FilterInbound for routed IPv6 traffic drops at the forwarder stage (IPv4-only)
-// but the ACL decision itself is correct.
-func TestRouteACLFilteringIPv6(t *testing.T) {
-	manager := setupRoutedManager(t, "10.10.0.100/16")
-
-	v6Dst := netip.MustParsePrefix("fd00:dead:beef::/48")
-	_, err := manager.AddRouteFiltering(
-		nil,
-		[]netip.Prefix{netip.MustParsePrefix("fd00::/16")},
-		fw.Network{Prefix: v6Dst},
-		fw.ProtocolTCP,
-		nil,
-		&fw.Port{Values: []uint16{80}},
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-
-	_, err = manager.AddRouteFiltering(
-		nil,
-		[]netip.Prefix{netip.MustParsePrefix("fd00::/16")},
-		fw.Network{Prefix: netip.MustParsePrefix("fd00:dead:beef:1::/64")},
-		fw.ProtocolALL,
-		nil,
-		nil,
-		fw.ActionDrop,
-	)
-	require.NoError(t, err)
-
-	tests := []struct {
-		name    string
-		srcIP   netip.Addr
-		dstIP   netip.Addr
-		proto   gopacket.LayerType
-		srcPort uint16
-		dstPort uint16
-		allowed bool
-	}{
-		{
-			name:    "IPv6 TCP to allowed dest",
-			srcIP:   netip.MustParseAddr("fd00::1"),
-			dstIP:   netip.MustParseAddr("fd00:dead:beef::80"),
-			proto:   layers.LayerTypeTCP,
-			srcPort: 12345,
-			dstPort: 80,
-			allowed: true,
-		},
-		{
-			name:    "IPv6 TCP wrong port",
-			srcIP:   netip.MustParseAddr("fd00::1"),
-			dstIP:   netip.MustParseAddr("fd00:dead:beef::80"),
-			proto:   layers.LayerTypeTCP,
-			srcPort: 12345,
-			dstPort: 443,
-			allowed: false,
-		},
-		{
-			name:    "IPv6 UDP not matched by TCP rule",
-			srcIP:   netip.MustParseAddr("fd00::1"),
-			dstIP:   netip.MustParseAddr("fd00:dead:beef::80"),
-			proto:   layers.LayerTypeUDP,
-			srcPort: 12345,
-			dstPort: 80,
-			allowed: false,
-		},
-		{
-			name:    "IPv6 ICMPv6 matches ICMP rule via protoLayerMatches",
-			srcIP:   netip.MustParseAddr("fd00::1"),
-			dstIP:   netip.MustParseAddr("fd00:dead:beef::80"),
-			proto:   layers.LayerTypeICMPv6,
-			allowed: false,
-		},
-		{
-			name:    "IPv6 to denied subnet",
-			srcIP:   netip.MustParseAddr("fd00::1"),
-			dstIP:   netip.MustParseAddr("fd00:dead:beef:1::1"),
-			proto:   layers.LayerTypeTCP,
-			srcPort: 12345,
-			dstPort: 80,
-			allowed: false,
-		},
-		{
-			name:    "IPv6 source outside allowed range",
-			srcIP:   netip.MustParseAddr("fe80::1"),
-			dstIP:   netip.MustParseAddr("fd00:dead:beef::80"),
-			proto:   layers.LayerTypeTCP,
-			srcPort: 12345,
-			dstPort: 80,
-			allowed: false,
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			_, pass := manager.routeACLsPass(tc.srcIP, tc.dstIP, tc.proto, tc.srcPort, tc.dstPort)
-			require.Equal(t, tc.allowed, pass, "route ACL result mismatch")
-		})
-	}
-}
--- a/client/firewall/uspfilter/filter_routeacl_test.go
+++ b/client/firewall/uspfilter/filter_routeacl_test.go
@@ -1,376 +0,0 @@
-package uspfilter
-
-import (
-	"net/netip"
-	"testing"
-
-	"github.com/golang/mock/gomock"
-	"github.com/google/gopacket/layers"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	wgdevice "golang.zx2c4.com/wireguard/device"
-
-	fw "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/iface"
-	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/mocks"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-)
-
-// TestAddRouteFilteringReturnsExistingRule verifies that adding the same route
-// filtering rule twice returns the same rule ID (idempotent behavior).
-func TestAddRouteFilteringReturnsExistingRule(t *testing.T) {
-	manager := setupTestManager(t)
-
-	sources := []netip.Prefix{
-		netip.MustParsePrefix("100.64.1.0/24"),
-		netip.MustParsePrefix("100.64.2.0/24"),
-	}
-	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
-
-	// Add rule first time
-	rule1, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		destination,
-		fw.ProtocolTCP,
-		nil,
-		&fw.Port{Values: []uint16{443}},
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-	require.NotNil(t, rule1)
-
-	// Add the same rule again
-	rule2, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		destination,
-		fw.ProtocolTCP,
-		nil,
-		&fw.Port{Values: []uint16{443}},
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-	require.NotNil(t, rule2)
-
-	// These should be the same (idempotent) like nftables/iptables implementations
-	assert.Equal(t, rule1.ID(), rule2.ID(),
-		"Adding the same rule twice should return the same rule ID (idempotent)")
-
-	manager.mutex.RLock()
-	ruleCount := len(manager.routeRules)
-	manager.mutex.RUnlock()
-
-	assert.Equal(t, 2, ruleCount,
-		"Should have exactly 2 rules (1 user rule + 1 block rule)")
-}
-
-// TestAddRouteFilteringDifferentRulesGetDifferentIDs verifies that rules with
-// different parameters get distinct IDs.
-func TestAddRouteFilteringDifferentRulesGetDifferentIDs(t *testing.T) {
-	manager := setupTestManager(t)
-
-	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
-
-	// Add first rule
-	rule1, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
-		fw.ProtocolTCP,
-		nil,
-		&fw.Port{Values: []uint16{443}},
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-
-	// Add different rule (different destination)
-	rule2, err := manager.AddRouteFiltering(
-		[]byte("policy-2"),
-		sources,
-		fw.Network{Prefix: netip.MustParsePrefix("192.168.2.0/24")}, // Different!
-		fw.ProtocolTCP,
-		nil,
-		&fw.Port{Values: []uint16{443}},
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-
-	assert.NotEqual(t, rule1.ID(), rule2.ID(),
-		"Different rules should have different IDs")
-
-	manager.mutex.RLock()
-	ruleCount := len(manager.routeRules)
-	manager.mutex.RUnlock()
-
-	assert.Equal(t, 3, ruleCount, "Should have 3 rules (2 user rules + 1 block rule)")
-}
-
-// TestRouteRuleUpdateDoesNotCauseGap verifies that re-adding the same route
-// rule during a network map update does not disrupt existing traffic.
-func TestRouteRuleUpdateDoesNotCauseGap(t *testing.T) {
-	manager := setupTestManager(t)
-
-	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
-	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
-
-	rule1, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		destination,
-		fw.ProtocolTCP,
-		nil,
-		nil,
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-
-	srcIP := netip.MustParseAddr("100.64.1.5")
-	dstIP := netip.MustParseAddr("192.168.1.10")
-	_, pass := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 443)
-	require.True(t, pass, "Traffic should pass with rule in place")
-
-	// Re-add same rule (simulates network map update)
-	rule2, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		destination,
-		fw.ProtocolTCP,
-		nil,
-		nil,
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-
-	// Idempotent IDs mean rule1.ID() == rule2.ID(), so the ACL manager
-	// won't delete rule1 during cleanup. If IDs differed, deleting rule1
-	// would remove the only matching rule and cause a traffic gap.
-	if rule1.ID() != rule2.ID() {
-		err = manager.DeleteRouteRule(rule1)
-		require.NoError(t, err)
-	}
-
-	_, passAfter := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 443)
-	assert.True(t, passAfter,
-		"Traffic should still pass after rule update - no gap should occur")
-}
-
-// TestBlockInvalidRoutedIdempotent verifies that blockInvalidRouted creates
-// exactly one drop rule for the WireGuard network prefix, and calling it again
-// returns the same rule without duplicating.
-func TestBlockInvalidRoutedIdempotent(t *testing.T) {
-	ctrl := gomock.NewController(t)
-	dev := mocks.NewMockDevice(ctrl)
-	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
-
-	wgNet := netip.MustParsePrefix("100.64.0.1/16")
-
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-		AddressFunc: func() wgaddr.Address {
-			return wgaddr.Address{
-				IP:      wgNet.Addr(),
-				Network: wgNet,
-			}
-		},
-		GetDeviceFunc: func() *device.FilteredDevice {
-			return &device.FilteredDevice{Device: dev}
-		},
-		GetWGDeviceFunc: func() *wgdevice.Device {
-			return &wgdevice.Device{}
-		},
-	}
-
-	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
-	require.NoError(t, err)
-	t.Cleanup(func() {
-		require.NoError(t, manager.Close(nil))
-	})
-
-	// Call blockInvalidRouted directly multiple times
-	rule1, err := manager.blockInvalidRouted(ifaceMock)
-	require.NoError(t, err)
-	require.NotNil(t, rule1)
-
-	rule2, err := manager.blockInvalidRouted(ifaceMock)
-	require.NoError(t, err)
-	require.NotNil(t, rule2)
-
-	rule3, err := manager.blockInvalidRouted(ifaceMock)
-	require.NoError(t, err)
-	require.NotNil(t, rule3)
-
-	// All should return the same rule
-	assert.Equal(t, rule1.ID(), rule2.ID(), "Second call should return same rule")
-	assert.Equal(t, rule2.ID(), rule3.ID(), "Third call should return same rule")
-
-	// Should have exactly 1 route rule
-	manager.mutex.RLock()
-	ruleCount := len(manager.routeRules)
-	manager.mutex.RUnlock()
-
-	assert.Equal(t, 1, ruleCount, "Should have exactly 1 block rule after 3 calls")
-
-	// Verify the rule blocks traffic to the WG network
-	srcIP := netip.MustParseAddr("10.0.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.50")
-	_, pass := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 80)
-	assert.False(t, pass, "Block rule should deny traffic to WG prefix")
-}
-
-// TestBlockRuleNotAccumulatedOnRepeatedEnableRouting verifies that calling
-// EnableRouting multiple times (as happens on each route update) does not
-// accumulate duplicate block rules in the routeRules slice.
-func TestBlockRuleNotAccumulatedOnRepeatedEnableRouting(t *testing.T) {
-	ctrl := gomock.NewController(t)
-	dev := mocks.NewMockDevice(ctrl)
-	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
-
-	wgNet := netip.MustParsePrefix("100.64.0.1/16")
-
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-		AddressFunc: func() wgaddr.Address {
-			return wgaddr.Address{
-				IP:      wgNet.Addr(),
-				Network: wgNet,
-			}
-		},
-		GetDeviceFunc: func() *device.FilteredDevice {
-			return &device.FilteredDevice{Device: dev}
-		},
-		GetWGDeviceFunc: func() *wgdevice.Device {
-			return &wgdevice.Device{}
-		},
-	}
-
-	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
-	require.NoError(t, err)
-	t.Cleanup(func() {
-		require.NoError(t, manager.Close(nil))
-	})
-
-	// Call EnableRouting multiple times (simulating repeated route updates)
-	for i := 0; i < 5; i++ {
-		require.NoError(t, manager.EnableRouting())
-	}
-
-	manager.mutex.RLock()
-	ruleCount := len(manager.routeRules)
-	manager.mutex.RUnlock()
-
-	assert.Equal(t, 1, ruleCount,
-		"Repeated EnableRouting should not accumulate block rules")
-}
-
-// TestRouteRuleCountStableAcrossUpdates verifies that adding the same route
-// rule multiple times does not create duplicate entries.
-func TestRouteRuleCountStableAcrossUpdates(t *testing.T) {
-	manager := setupTestManager(t)
-
-	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
-	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
-
-	// Simulate 5 network map updates with the same route rule
-	for i := 0; i < 5; i++ {
-		rule, err := manager.AddRouteFiltering(
-			[]byte("policy-1"),
-			sources,
-			destination,
-			fw.ProtocolTCP,
-			nil,
-			&fw.Port{Values: []uint16{443}},
-			fw.ActionAccept,
-		)
-		require.NoError(t, err)
-		require.NotNil(t, rule)
-	}
-
-	manager.mutex.RLock()
-	ruleCount := len(manager.routeRules)
-	manager.mutex.RUnlock()
-
-	assert.Equal(t, 2, ruleCount,
-		"Should have exactly 2 rules (1 user rule + 1 block rule) after 5 updates")
-}
-
-// TestDeleteRouteRuleAfterIdempotentAdd verifies that deleting a route rule
-// after adding it multiple times works correctly.
-func TestDeleteRouteRuleAfterIdempotentAdd(t *testing.T) {
-	manager := setupTestManager(t)
-
-	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
-	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
-
-	// Add same rule twice
-	rule1, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		destination,
-		fw.ProtocolTCP,
-		nil,
-		nil,
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-
-	rule2, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		destination,
-		fw.ProtocolTCP,
-		nil,
-		nil,
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-
-	require.Equal(t, rule1.ID(), rule2.ID(), "Should return same rule ID")
-
-	// Delete using first reference
-	err = manager.DeleteRouteRule(rule1)
-	require.NoError(t, err)
-
-	// Verify traffic no longer passes
-	srcIP := netip.MustParseAddr("100.64.1.5")
-	dstIP := netip.MustParseAddr("192.168.1.10")
-	_, pass := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 443)
-	assert.False(t, pass, "Traffic should not pass after rule deletion")
-}
-
-func setupTestManager(t *testing.T) *Manager {
-	t.Helper()
-
-	ctrl := gomock.NewController(t)
-	dev := mocks.NewMockDevice(ctrl)
-	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
-
-	wgNet := netip.MustParsePrefix("100.64.0.1/16")
-
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-		AddressFunc: func() wgaddr.Address {
-			return wgaddr.Address{
-				IP:      wgNet.Addr(),
-				Network: wgNet,
-			}
-		},
-		GetDeviceFunc: func() *device.FilteredDevice {
-			return &device.FilteredDevice{Device: dev}
-		},
-		GetWGDeviceFunc: func() *wgdevice.Device {
-			return &wgdevice.Device{}
-		},
-	}
-
-	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
-	require.NoError(t, err)
-	require.NoError(t, manager.EnableRouting())
-
-	t.Cleanup(func() {
-		require.NoError(t, manager.Close(nil))
-	})
-
-	return manager
-}
--- a/client/firewall/uspfilter/filter_test.go
+++ b/client/firewall/uspfilter/filter_test.go
@@ -12,7 +12,6 @@ import (
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 	"github.com/sirupsen/logrus"
-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	wgdevice "golang.zx2c4.com/wireguard/device"

@@ -187,204 +186,81 @@ func TestManagerDeleteRule(t *testing.T) {
 	}
 }

-func TestSetUDPPacketHook(t *testing.T) {
-	manager, err := Create(&IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger, nbiface.DefaultMTU)
-	require.NoError(t, err)
-	t.Cleanup(func() { require.NoError(t, manager.Close(nil)) })
-
-	var called bool
-	manager.SetUDPPacketHook(netip.MustParseAddr("10.168.0.1"), 8000, func([]byte) bool {
-		called = true
-		return true
-	})
-
-	h := manager.udpHookOut.Load()
-	require.NotNil(t, h)
-	assert.Equal(t, netip.MustParseAddr("10.168.0.1"), h.ip)
-	assert.Equal(t, uint16(8000), h.port)
-	assert.True(t, h.fn(nil))
-	assert.True(t, called)
-
-	manager.SetUDPPacketHook(netip.MustParseAddr("10.168.0.1"), 8000, nil)
-	assert.Nil(t, manager.udpHookOut.Load())
-}
-
-func TestSetTCPPacketHook(t *testing.T) {
-	manager, err := Create(&IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger, nbiface.DefaultMTU)
-	require.NoError(t, err)
-	t.Cleanup(func() { require.NoError(t, manager.Close(nil)) })
-
-	var called bool
-	manager.SetTCPPacketHook(netip.MustParseAddr("10.168.0.1"), 53, func([]byte) bool {
-		called = true
-		return true
-	})
-
-	h := manager.tcpHookOut.Load()
-	require.NotNil(t, h)
-	assert.Equal(t, netip.MustParseAddr("10.168.0.1"), h.ip)
-	assert.Equal(t, uint16(53), h.port)
-	assert.True(t, h.fn(nil))
-	assert.True(t, called)
-
-	manager.SetTCPPacketHook(netip.MustParseAddr("10.168.0.1"), 53, nil)
-	assert.Nil(t, manager.tcpHookOut.Load())
-}
-
-// TestPeerRuleLifecycleDenyRules verifies that deny rules are correctly added
-// to the deny map and can be cleanly deleted without leaving orphans.
-func TestPeerRuleLifecycleDenyRules(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
+func TestAddUDPPacketHook(t *testing.T) {
+	tests := []struct {
+		name       string
+		in         bool
+		expDir     fw.RuleDirection
+		ip         netip.Addr
+		dPort      uint16
+		hook       func([]byte) bool
+		expectedID string
+	}{
+		{
+			name:   "Test Outgoing UDP Packet Hook",
+			in:     false,
+			expDir: fw.RuleDirectionOUT,
+			ip:     netip.MustParseAddr("10.168.0.1"),
+			dPort:  8000,
+			hook:   func([]byte) bool { return true },
+		},
+		{
+			name:   "Test Incoming UDP Packet Hook",
+			in:     true,
+			expDir: fw.RuleDirectionIN,
+			ip:     netip.MustParseAddr("::1"),
+			dPort:  9000,
+			hook:   func([]byte) bool { return false },
+		},
 	}

-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, m.Close(nil))
-	}()
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			manager, err := Create(&IFaceMock{
+				SetFilterFunc: func(device.PacketFilter) error { return nil },
+			}, false, flowLogger, nbiface.DefaultMTU)
+			require.NoError(t, err)

-	ip := net.ParseIP("192.168.1.1")
-	addr := netip.MustParseAddr("192.168.1.1")
+			manager.AddUDPPacketHook(tt.in, tt.ip, tt.dPort, tt.hook)

-	// Add multiple deny rules for different ports
-	rule1, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-		&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
-	require.NoError(t, err)
+			var addedRule PeerRule
+			if tt.in {
+				// Incoming UDP hooks are stored in allow rules map
+				if len(manager.incomingRules[tt.ip]) != 1 {
+					t.Errorf("expected 1 incoming rule, got %d", len(manager.incomingRules[tt.ip]))
+					return
+				}
+				for _, rule := range manager.incomingRules[tt.ip] {
+					addedRule = rule
+				}
+			} else {
+				if len(manager.outgoingRules[tt.ip]) != 1 {
+					t.Errorf("expected 1 outgoing rule, got %d", len(manager.outgoingRules[tt.ip]))
+					return
+				}
+				for _, rule := range manager.outgoingRules[tt.ip] {
+					addedRule = rule
+				}
+			}

-	rule2, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-		&fw.Port{Values: []uint16{80}}, fw.ActionDrop, "")
-	require.NoError(t, err)
-
-	m.mutex.RLock()
-	denyCount := len(m.incomingDenyRules[addr])
-	m.mutex.RUnlock()
-	require.Equal(t, 2, denyCount, "Should have exactly 2 deny rules")
-
-	// Delete the first deny rule
-	err = m.DeletePeerRule(rule1[0])
-	require.NoError(t, err)
-
-	m.mutex.RLock()
-	denyCount = len(m.incomingDenyRules[addr])
-	m.mutex.RUnlock()
-	require.Equal(t, 1, denyCount, "Should have 1 deny rule after deleting first")
-
-	// Delete the second deny rule
-	err = m.DeletePeerRule(rule2[0])
-	require.NoError(t, err)
-
-	m.mutex.RLock()
-	_, exists := m.incomingDenyRules[addr]
-	m.mutex.RUnlock()
-	require.False(t, exists, "Deny rules IP entry should be cleaned up when empty")
-}
-
-// TestPeerRuleAddAndDeleteDontLeak verifies that repeatedly adding and deleting
-// peer rules (simulating network map updates) does not leak rules in the maps.
-func TestPeerRuleAddAndDeleteDontLeak(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
+			if tt.ip.Compare(addedRule.ip) != 0 {
+				t.Errorf("expected ip %s, got %s", tt.ip, addedRule.ip)
+				return
+			}
+			if tt.dPort != addedRule.dPort.Values[0] {
+				t.Errorf("expected dPort %d, got %d", tt.dPort, addedRule.dPort.Values[0])
+				return
+			}
+			if layers.LayerTypeUDP != addedRule.protoLayer {
+				t.Errorf("expected protoLayer %s, got %s", layers.LayerTypeUDP, addedRule.protoLayer)
+				return
+			}
+			if addedRule.udpHook == nil {
+				t.Errorf("expected udpHook to be set")
+				return
+			}
+		})
 	}
-
-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, m.Close(nil))
-	}()
-
-	ip := net.ParseIP("192.168.1.1")
-	addr := netip.MustParseAddr("192.168.1.1")
-
-	// Simulate 10 network map updates: add rule, delete old, add new
-	for i := 0; i < 10; i++ {
-		// Add a deny rule
-		rules, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-			&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
-		require.NoError(t, err)
-
-		// Add an allow rule
-		allowRules, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-			&fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
-		require.NoError(t, err)
-
-		// Delete them (simulating ACL manager cleanup)
-		for _, r := range rules {
-			require.NoError(t, m.DeletePeerRule(r))
-		}
-		for _, r := range allowRules {
-			require.NoError(t, m.DeletePeerRule(r))
-		}
-	}
-
-	m.mutex.RLock()
-	denyCount := len(m.incomingDenyRules[addr])
-	allowCount := len(m.incomingRules[addr])
-	m.mutex.RUnlock()
-
-	require.Equal(t, 0, denyCount, "No deny rules should remain after cleanup")
-	require.Equal(t, 0, allowCount, "No allow rules should remain after cleanup")
-}
-
-// TestMixedAllowDenyRulesSameIP verifies that allow and deny rules for the same
-// IP are stored in separate maps and don't interfere with each other.
-func TestMixedAllowDenyRulesSameIP(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}
-
-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, m.Close(nil))
-	}()
-
-	ip := net.ParseIP("192.168.1.1")
-
-	// Add allow rule for port 80
-	allowRule, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-		&fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
-	require.NoError(t, err)
-
-	// Add deny rule for port 22
-	denyRule, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-		&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
-	require.NoError(t, err)
-
-	addr := netip.MustParseAddr("192.168.1.1")
-	m.mutex.RLock()
-	allowCount := len(m.incomingRules[addr])
-	denyCount := len(m.incomingDenyRules[addr])
-	m.mutex.RUnlock()
-
-	require.Equal(t, 1, allowCount, "Should have 1 allow rule")
-	require.Equal(t, 1, denyCount, "Should have 1 deny rule")
-
-	// Delete allow rule should not affect deny rule
-	err = m.DeletePeerRule(allowRule[0])
-	require.NoError(t, err)
-
-	m.mutex.RLock()
-	denyCountAfter := len(m.incomingDenyRules[addr])
-	m.mutex.RUnlock()
-
-	require.Equal(t, 1, denyCountAfter, "Deny rule should still exist after deleting allow rule")
-
-	// Delete deny rule
-	err = m.DeletePeerRule(denyRule[0])
-	require.NoError(t, err)
-
-	m.mutex.RLock()
-	_, denyExists := m.incomingDenyRules[addr]
-	_, allowExists := m.incomingRules[addr]
-	m.mutex.RUnlock()
-
-	require.False(t, denyExists, "Deny rules should be empty")
-	require.False(t, allowExists, "Allow rules should be empty")
 }

 func TestManagerReset(t *testing.T) {
@@ -502,12 +378,39 @@ func TestRemovePacketHook(t *testing.T) {
 		require.NoError(t, manager.Close(nil))
 	}()

-	manager.SetUDPPacketHook(netip.MustParseAddr("192.168.0.1"), 8080, func([]byte) bool { return true })
+	// Add a UDP packet hook
+	hookFunc := func(data []byte) bool { return true }
+	hookID := manager.AddUDPPacketHook(false, netip.MustParseAddr("192.168.0.1"), 8080, hookFunc)

-	require.NotNil(t, manager.udpHookOut.Load(), "hook should be registered")
+	// Assert the hook is added by finding it in the manager's outgoing rules
+	found := false
+	for _, arr := range manager.outgoingRules {
+		for _, rule := range arr {
+			if rule.id == hookID {
+				found = true
+				break
+			}
+		}
+	}

-	manager.SetUDPPacketHook(netip.MustParseAddr("192.168.0.1"), 8080, nil)
-	assert.Nil(t, manager.udpHookOut.Load(), "hook should be removed")
+	if !found {
+		t.Fatalf("The hook was not added properly.")
+	}
+
+	// Now remove the packet hook
+	err = manager.RemovePacketHook(hookID)
+	if err != nil {
+		t.Fatalf("Failed to remove hook: %s", err)
+	}
+
+	// Assert the hook is removed by checking it in the manager's outgoing rules
+	for _, arr := range manager.outgoingRules {
+		for _, rule := range arr {
+			if rule.id == hookID {
+				t.Fatalf("The hook was not removed properly.")
+			}
+		}
+	}
 }

 func TestProcessOutgoingHooks(t *testing.T) {
@@ -527,22 +430,18 @@ func TestProcessOutgoingHooks(t *testing.T) {
 			d := &decoder{
 				decoded: []gopacket.LayerType{},
 			}
-			d.parser4 = gopacket.NewDecodingLayerParser(
+			d.parser = gopacket.NewDecodingLayerParser(
 				layers.LayerTypeIPv4,
 				&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
 			)
-			d.parser4.IgnoreUnsupported = true
-			d.parser6 = gopacket.NewDecodingLayerParser(
-				layers.LayerTypeIPv6,
-				&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
-			)
-			d.parser6.IgnoreUnsupported = true
+			d.parser.IgnoreUnsupported = true
 			return d
 		},
 	}

 	hookCalled := false
-	manager.SetUDPPacketHook(
+	hookID := manager.AddUDPPacketHook(
+		false,
 		netip.MustParseAddr("100.10.0.100"),
 		53,
 		func([]byte) bool {
@@ -550,6 +449,7 @@ func TestProcessOutgoingHooks(t *testing.T) {
 			return true
 		},
 	)
+	require.NotEmpty(t, hookID)

 	// Create test UDP packet
 	ipv4 := &layers.IPv4{
@@ -635,16 +535,11 @@ func TestStatefulFirewall_UDPTracking(t *testing.T) {
 			d := &decoder{
 				decoded: []gopacket.LayerType{},
 			}
-			d.parser4 = gopacket.NewDecodingLayerParser(
+			d.parser = gopacket.NewDecodingLayerParser(
 				layers.LayerTypeIPv4,
 				&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
 			)
-			d.parser4.IgnoreUnsupported = true
-			d.parser6 = gopacket.NewDecodingLayerParser(
-				layers.LayerTypeIPv6,
-				&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
-			)
-			d.parser6.IgnoreUnsupported = true
+			d.parser.IgnoreUnsupported = true
 			return d
 		},
 	}
@@ -1050,8 +945,8 @@ func TestMSSClamping(t *testing.T) {
 	}()

 	require.True(t, manager.mssClampEnabled, "MSS clamping should be enabled by default")
-	require.Equal(t, uint16(1280-ipv4TCPHeaderMinSize), manager.mssClampValueIPv4, "IPv4 MSS clamp value should be MTU - 40")
-	require.Equal(t, uint16(1280-ipv6TCPHeaderMinSize), manager.mssClampValueIPv6, "IPv6 MSS clamp value should be MTU - 60")
+	expectedMSSValue := uint16(1280 - ipTCPHeaderMinSize)
+	require.Equal(t, expectedMSSValue, manager.mssClampValue, "MSS clamp value should be MTU - 40")

 	err = manager.UpdateLocalIPs()
 	require.NoError(t, err)
@@ -1069,7 +964,7 @@ func TestMSSClamping(t *testing.T) {
 		require.Len(t, d.tcp.Options, 1, "Should have MSS option")
 		require.Equal(t, uint8(layers.TCPOptionKindMSS), uint8(d.tcp.Options[0].OptionType))
 		actualMSS := binary.BigEndian.Uint16(d.tcp.Options[0].OptionData)
-		require.Equal(t, manager.mssClampValueIPv4, actualMSS, "MSS should be clamped to MTU - 40")
+		require.Equal(t, expectedMSSValue, actualMSS, "MSS should be clamped to MTU - 40")
 	})

 	t.Run("SYN packet with low MSS unchanged", func(t *testing.T) {
@@ -1093,7 +988,7 @@ func TestMSSClamping(t *testing.T) {
 		d := parsePacket(t, packet)
 		require.Len(t, d.tcp.Options, 1, "Should have MSS option")
 		actualMSS := binary.BigEndian.Uint16(d.tcp.Options[0].OptionData)
-		require.Equal(t, manager.mssClampValueIPv4, actualMSS, "MSS in SYN-ACK should be clamped")
+		require.Equal(t, expectedMSSValue, actualMSS, "MSS in SYN-ACK should be clamped")
 	})

 	t.Run("Non-SYN packet unchanged", func(t *testing.T) {
@@ -1265,18 +1160,13 @@ func TestShouldForward(t *testing.T) {
 		d := &decoder{
 			decoded: []gopacket.LayerType{},
 		}
-		d.parser4 = gopacket.NewDecodingLayerParser(
+		d.parser = gopacket.NewDecodingLayerParser(
 			layers.LayerTypeIPv4,
 			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
 		)
-		d.parser4.IgnoreUnsupported = true
-		d.parser6 = gopacket.NewDecodingLayerParser(
-			layers.LayerTypeIPv6,
-			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
-		)
-		d.parser6.IgnoreUnsupported = true
+		d.parser.IgnoreUnsupported = true

-		err = d.decodePacket(buf.Bytes())
+		err = d.parser.DecodeLayers(buf.Bytes(), &d.decoded)
 		require.NoError(t, err)

 		return d
@@ -1336,44 +1226,6 @@ func TestShouldForward(t *testing.T) {
 		},
 	}

-	// Add IPv6 to the interface and test dual-stack cases
-	wgIPv6 := netip.MustParseAddr("fd00::1")
-	otherIPv6 := netip.MustParseAddr("fd00::2")
-	ifaceMock.AddressFunc = func() wgaddr.Address {
-		return wgaddr.Address{
-			IP:      wgIP,
-			Network: netip.PrefixFrom(wgIP, 24),
-			IPv6:    wgIPv6,
-			IPv6Net: netip.PrefixFrom(wgIPv6, 64),
-		}
-	}
-
-	// Re-create manager to pick up the new address with IPv6
-	require.NoError(t, manager.Close(nil))
-	manager, err = Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
-	require.NoError(t, err)
-
-	v6Cases := []struct {
-		name        string
-		dstIP       netip.Addr
-		expected    bool
-		description string
-	}{
-		{"v6 traffic to other address", otherIPv6, true, "should forward v6 traffic not destined to our v6 address"},
-		{"v6 traffic to our v6 IP", wgIPv6, false, "should not forward traffic destined to our v6 address"},
-		{"v4 traffic to other with v6 configured", otherIP, true, "should forward v4 traffic when v6 configured"},
-		{"v4 traffic to our v4 IP with v6 configured", wgIP, false, "should not forward traffic to our v4 address"},
-	}
-	for _, tt := range v6Cases {
-		t.Run(tt.name, func(t *testing.T) {
-			manager.localForwarding = true
-			manager.netstack = false
-			decoder := createTCPDecoder(8080)
-			result := manager.shouldForward(decoder, tt.dstIP)
-			require.Equal(t, tt.expected, result, tt.description)
-		})
-	}
-
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Configure manager
--- a/client/firewall/uspfilter/forwarder/endpoint.go
+++ b/client/firewall/uspfilter/forwarder/endpoint.go
@@ -1,8 +1,7 @@
 package forwarder

 import (
-	"net"
-	"strconv"
+	"fmt"
 	"sync/atomic"

 	wgdevice "golang.zx2c4.com/wireguard/device"
@@ -48,23 +47,17 @@ func (e *endpoint) LinkAddress() tcpip.LinkAddress {
 func (e *endpoint) WritePackets(pkts stack.PacketBufferList) (int, tcpip.Error) {
 	var written int
 	for _, pkt := range pkts.AsSlice() {
+		netHeader := header.IPv4(pkt.NetworkHeader().View().AsSlice())
+
 		data := stack.PayloadSince(pkt.NetworkHeader())
 		if data == nil {
 			continue
 		}

-		raw := pkt.NetworkHeader().View().AsSlice()
-		if len(raw) == 0 {
-			continue
-		}
-		var address tcpip.Address
-		if raw[0]>>4 == 6 {
-			address = header.IPv6(raw).DestinationAddress()
-		} else {
-			address = header.IPv4(raw).DestinationAddress()
-		}
-
-		if err := e.device.CreateOutboundPacket(data.AsSlice(), address.AsSlice()); err != nil {
+		// Send the packet through WireGuard
+		address := netHeader.DestinationAddress()
+		err := e.device.CreateOutboundPacket(data.AsSlice(), address.AsSlice())
+		if err != nil {
 			e.logger.Error1("CreateOutboundPacket: %v", err)
 			continue
 		}
@@ -110,7 +103,5 @@ type epID stack.TransportEndpointID

 func (i epID) String() string {
 	// src and remote is swapped
-	return net.JoinHostPort(i.RemoteAddress.String(), strconv.Itoa(int(i.RemotePort))) +
-		" → " +
-		net.JoinHostPort(i.LocalAddress.String(), strconv.Itoa(int(i.LocalPort)))
+	return fmt.Sprintf("%s:%d → %s:%d", i.RemoteAddress, i.RemotePort, i.LocalAddress, i.LocalPort)
 }
--- a/client/firewall/uspfilter/forwarder/forwarder.go
+++ b/client/firewall/uspfilter/forwarder/forwarder.go
@@ -14,7 +14,6 @@ import (
 	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/tcpip/header"
 	"gvisor.dev/gvisor/pkg/tcpip/network/ipv4"
-	"gvisor.dev/gvisor/pkg/tcpip/network/ipv6"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
 	"gvisor.dev/gvisor/pkg/tcpip/transport/icmp"
 	"gvisor.dev/gvisor/pkg/tcpip/transport/tcp"
@@ -37,31 +36,25 @@ type Forwarder struct {
 	logger     *nblog.Logger
 	flowLogger nftypes.FlowLogger
 	// ruleIdMap is used to store the rule ID for a given connection
-	ruleIdMap          sync.Map
-	stack              *stack.Stack
-	endpoint           *endpoint
-	udpForwarder       *udpForwarder
-	ctx                context.Context
-	cancel             context.CancelFunc
-	ip                 tcpip.Address
-	ipv6               tcpip.Address
-	netstack           bool
-	hasRawICMPAccess   bool
-	hasRawICMPv6Access bool
-	pingSemaphore      chan struct{}
+	ruleIdMap        sync.Map
+	stack            *stack.Stack
+	endpoint         *endpoint
+	udpForwarder     *udpForwarder
+	ctx              context.Context
+	cancel           context.CancelFunc
+	ip               tcpip.Address
+	netstack         bool
+	hasRawICMPAccess bool
+	pingSemaphore    chan struct{}
 }

 func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.FlowLogger, netstack bool, mtu uint16) (*Forwarder, error) {
 	s := stack.New(stack.Options{
-		NetworkProtocols: []stack.NetworkProtocolFactory{
-			ipv4.NewProtocol,
-			ipv6.NewProtocol,
-		},
+		NetworkProtocols: []stack.NetworkProtocolFactory{ipv4.NewProtocol},
 		TransportProtocols: []stack.TransportProtocolFactory{
 			tcp.NewProtocol,
 			udp.NewProtocol,
 			icmp.NewProtocol4,
-			icmp.NewProtocol6,
 		},
 		HandleLocal: false,
 	})
@@ -80,7 +73,7 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 	protoAddr := tcpip.ProtocolAddress{
 		Protocol: ipv4.ProtocolNumber,
 		AddressWithPrefix: tcpip.AddressWithPrefix{
-			Address:   tcpip.AddrFrom4(iface.Address().IP.As4()),
+			Address:   tcpip.AddrFromSlice(iface.Address().IP.AsSlice()),
 			PrefixLen: iface.Address().Network.Bits(),
 		},
 	}
@@ -89,19 +82,6 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 		return nil, fmt.Errorf("failed to add protocol address: %s", err)
 	}

-	if v6 := iface.Address().IPv6; v6.IsValid() {
-		v6Addr := tcpip.ProtocolAddress{
-			Protocol: ipv6.ProtocolNumber,
-			AddressWithPrefix: tcpip.AddressWithPrefix{
-				Address:   tcpip.AddrFrom16(v6.As16()),
-				PrefixLen: iface.Address().IPv6Net.Bits(),
-			},
-		}
-		if err := s.AddProtocolAddress(nicID, v6Addr, stack.AddressProperties{}); err != nil {
-			return nil, fmt.Errorf("add IPv6 protocol address: %s", err)
-		}
-	}
-
 	defaultSubnet, err := tcpip.NewSubnet(
 		tcpip.AddrFrom4([4]byte{0, 0, 0, 0}),
 		tcpip.MaskFromBytes([]byte{0, 0, 0, 0}),
@@ -110,14 +90,6 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 		return nil, fmt.Errorf("creating default subnet: %w", err)
 	}

-	defaultSubnetV6, err := tcpip.NewSubnet(
-		tcpip.AddrFrom16([16]byte{}),
-		tcpip.MaskFromBytes(make([]byte, 16)),
-	)
-	if err != nil {
-		return nil, fmt.Errorf("creating default v6 subnet: %w", err)
-	}
-
 	if err := s.SetPromiscuousMode(nicID, true); err != nil {
 		return nil, fmt.Errorf("set promiscuous mode: %s", err)
 	}
@@ -126,8 +98,10 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 	}

 	s.SetRouteTable([]tcpip.Route{
-		{Destination: defaultSubnet, NIC: nicID},
-		{Destination: defaultSubnetV6, NIC: nicID},
+		{
+			Destination: defaultSubnet,
+			NIC:         nicID,
+		},
 	})

 	ctx, cancel := context.WithCancel(context.Background())
@@ -140,8 +114,7 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 		ctx:           ctx,
 		cancel:        cancel,
 		netstack:      netstack,
-		ip:            tcpip.AddrFrom4(iface.Address().IP.As4()),
-		ipv6:          addrFromNetipAddr(iface.Address().IPv6),
+		ip:            tcpip.AddrFromSlice(iface.Address().IP.AsSlice()),
 		pingSemaphore: make(chan struct{}, 3),
 	}

@@ -158,10 +131,7 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 	udpForwarder := udp.NewForwarder(s, f.handleUDP)
 	s.SetTransportProtocolHandler(udp.ProtocolNumber, udpForwarder.HandlePacket)

-	// ICMP is handled directly in InjectIncomingPacket, bypassing gVisor's
-	// network layer. This avoids duplicate echo replies (v4) and the v6
-	// auto-reply bug where gVisor responds at the network layer before
-	// our transport handler fires.
+	s.SetTransportProtocolHandler(icmp.ProtocolNumber4, f.handleICMP)

 	f.checkICMPCapability()

@@ -170,30 +140,8 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 }

 func (f *Forwarder) InjectIncomingPacket(payload []byte) error {
-	if len(payload) == 0 {
-		return fmt.Errorf("empty packet")
-	}
-
-	var protoNum tcpip.NetworkProtocolNumber
-	switch payload[0] >> 4 {
-	case 4:
-		if len(payload) < header.IPv4MinimumSize {
-			return fmt.Errorf("IPv4 packet too small: %d bytes", len(payload))
-		}
-		if f.handleICMPDirect(payload) {
-			return nil
-		}
-		protoNum = ipv4.ProtocolNumber
-	case 6:
-		if len(payload) < header.IPv6MinimumSize {
-			return fmt.Errorf("IPv6 packet too small: %d bytes", len(payload))
-		}
-		if f.handleICMPDirect(payload) {
-			return nil
-		}
-		protoNum = ipv6.ProtocolNumber
-	default:
-		return fmt.Errorf("unknown IP version: %d", payload[0]>>4)
+	if len(payload) < header.IPv4MinimumSize {
+		return fmt.Errorf("packet too small: %d bytes", len(payload))
 	}

 	pkt := stack.NewPacketBuffer(stack.PacketBufferOptions{
@@ -202,95 +150,11 @@ func (f *Forwarder) InjectIncomingPacket(payload []byte) error {
 	defer pkt.DecRef()

 	if f.endpoint.dispatcher != nil {
-		f.endpoint.dispatcher.DeliverNetworkPacket(protoNum, pkt)
+		f.endpoint.dispatcher.DeliverNetworkPacket(ipv4.ProtocolNumber, pkt)
 	}
 	return nil
 }

-// handleICMPDirect intercepts ICMP packets from raw IP payloads before they
-// enter gVisor. It synthesizes the TransportEndpointID and PacketBuffer that
-// the existing handlers expect, then dispatches to handleICMP/handleICMPv6.
-// This bypasses gVisor's network layer which causes duplicate v4 echo replies
-// and auto-replies to all v6 echo requests in promiscuous mode.
-//
-// Unlike gVisor's network layer, this does not validate ICMP checksums or
-// reassemble IP fragments. Fragmented ICMP packets fall through to gVisor.
-func parseICMPv4(payload []byte) (ipHdrLen int, src, dst tcpip.Address, ok bool) {
-	ip := header.IPv4(payload)
-	if ip.Protocol() != uint8(header.ICMPv4ProtocolNumber) {
-		return 0, src, dst, false
-	}
-	if ip.FragmentOffset() != 0 || ip.Flags()&header.IPv4FlagMoreFragments != 0 {
-		return 0, src, dst, false
-	}
-	ipHdrLen = int(ip.HeaderLength())
-	if len(payload)-ipHdrLen < header.ICMPv4MinimumSize {
-		return 0, src, dst, false
-	}
-	return ipHdrLen, ip.SourceAddress(), ip.DestinationAddress(), true
-}
-
-func parseICMPv6(payload []byte) (ipHdrLen int, src, dst tcpip.Address, ok bool) {
-	ip := header.IPv6(payload)
-	if ip.NextHeader() != uint8(header.ICMPv6ProtocolNumber) {
-		return 0, src, dst, false
-	}
-	ipHdrLen = header.IPv6MinimumSize
-	if len(payload)-ipHdrLen < header.ICMPv6MinimumSize {
-		return 0, src, dst, false
-	}
-	return ipHdrLen, ip.SourceAddress(), ip.DestinationAddress(), true
-}
-
-func (f *Forwarder) handleICMPDirect(payload []byte) bool {
-	var (
-		ipHdrLen int
-		srcAddr  tcpip.Address
-		dstAddr  tcpip.Address
-		ok       bool
-	)
-	switch payload[0] >> 4 {
-	case 4:
-		ipHdrLen, srcAddr, dstAddr, ok = parseICMPv4(payload)
-	case 6:
-		ipHdrLen, srcAddr, dstAddr, ok = parseICMPv6(payload)
-	}
-	if !ok {
-		return false
-	}
-
-	// Let gVisor handle ICMP destined for our own addresses natively.
-	// Its network-layer auto-reply is correct and efficient for local traffic.
-	if f.ip.Equal(dstAddr) || f.ipv6.Equal(dstAddr) {
-		return false
-	}
-
-	id := stack.TransportEndpointID{
-		LocalAddress:  dstAddr,
-		RemoteAddress: srcAddr,
-	}
-
-	// Build a PacketBuffer with headers consumed the same way gVisor would.
-	pkt := stack.NewPacketBuffer(stack.PacketBufferOptions{
-		Payload: buffer.MakeWithData(payload),
-	})
-	defer pkt.DecRef()
-
-	if _, ok := pkt.NetworkHeader().Consume(ipHdrLen); !ok {
-		return false
-	}
-
-	icmpPayload := payload[ipHdrLen:]
-	if _, ok := pkt.TransportHeader().Consume(len(icmpPayload)); !ok {
-		return false
-	}
-
-	if payload[0]>>4 == 6 {
-		return f.handleICMPv6(id, pkt)
-	}
-	return f.handleICMP(id, pkt)
-}
-
 // Stop gracefully shuts down the forwarder
 func (f *Forwarder) Stop() {
 	f.cancel()
@@ -303,14 +167,11 @@ func (f *Forwarder) Stop() {
 	f.stack.Wait()
 }

-func (f *Forwarder) determineDialAddr(addr tcpip.Address) netip.Addr {
+func (f *Forwarder) determineDialAddr(addr tcpip.Address) net.IP {
 	if f.netstack && f.ip.Equal(addr) {
-		return netip.AddrFrom4([4]byte{127, 0, 0, 1})
+		return net.IPv4(127, 0, 0, 1)
 	}
-	if f.netstack && f.ipv6.Equal(addr) {
-		return netip.IPv6Loopback()
-	}
-	return addrToNetipAddr(addr)
+	return addr.AsSlice()
 }

 func (f *Forwarder) RegisterRuleID(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, ruleID []byte) {
@@ -344,50 +205,23 @@ func buildKey(srcIP, dstIP netip.Addr, srcPort, dstPort uint16) conntrack.ConnKe
 	}
 }

-// addrFromNetipAddr converts a netip.Addr to a gvisor tcpip.Address without allocating.
-func addrFromNetipAddr(addr netip.Addr) tcpip.Address {
-	if !addr.IsValid() {
-		return tcpip.Address{}
-	}
-	if addr.Is4() {
-		return tcpip.AddrFrom4(addr.As4())
-	}
-	return tcpip.AddrFrom16(addr.As16())
-}
-
-// addrToNetipAddr converts a gvisor tcpip.Address to netip.Addr without allocating.
-func addrToNetipAddr(addr tcpip.Address) netip.Addr {
-	switch addr.Len() {
-	case 4:
-		return netip.AddrFrom4(addr.As4())
-	case 16:
-		return netip.AddrFrom16(addr.As16())
-	default:
-		return netip.Addr{}
-	}
-}
-
 // checkICMPCapability tests whether we have raw ICMP socket access at startup.
 func (f *Forwarder) checkICMPCapability() {
-	f.hasRawICMPAccess = probeRawICMP("ip4:icmp", "0.0.0.0", f.logger)
-	f.hasRawICMPv6Access = probeRawICMP("ip6:ipv6-icmp", "::", f.logger)
-}
-
-func probeRawICMP(network, addr string, logger *nblog.Logger) bool {
 	ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
 	defer cancel()

 	lc := net.ListenConfig{}
-	conn, err := lc.ListenPacket(ctx, network, addr)
+	conn, err := lc.ListenPacket(ctx, "ip4:icmp", "0.0.0.0")
 	if err != nil {
-		logger.Debug1("forwarder: no raw %s socket access, will use ping binary fallback", network)
-		return false
+		f.hasRawICMPAccess = false
+		f.logger.Debug("forwarder: No raw ICMP socket access, will use ping binary fallback")
+		return
 	}

 	if err := conn.Close(); err != nil {
-		logger.Debug2("forwarder: failed to close %s capability test socket: %v", network, err)
+		f.logger.Debug1("forwarder: Failed to close ICMP capability test socket: %v", err)
 	}

-	logger.Debug1("forwarder: raw %s socket access available", network)
-	return true
+	f.hasRawICMPAccess = true
+	f.logger.Debug("forwarder: Raw ICMP socket access available")
 }
--- a/client/firewall/uspfilter/forwarder/icmp.go
+++ b/client/firewall/uspfilter/forwarder/icmp.go
@@ -35,7 +35,7 @@ func (f *Forwarder) handleICMP(id stack.TransportEndpointID, pkt *stack.PacketBu
 	}

 	icmpData := stack.PayloadSince(pkt.TransportHeader()).AsSlice()
-	conn, err := f.forwardICMPPacket(id, icmpData, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()), false, 100*time.Millisecond)
+	conn, err := f.forwardICMPPacket(id, icmpData, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()), 100*time.Millisecond)
 	if err != nil {
 		f.logger.Error2("forwarder: Failed to forward ICMP packet for %v: %v", epID(id), err)
 		return true
@@ -58,7 +58,7 @@ func (f *Forwarder) handleICMPEcho(flowID uuid.UUID, id stack.TransportEndpointI
 			defer func() { <-f.pingSemaphore }()

 			if f.hasRawICMPAccess {
-				f.handleICMPViaSocket(flowID, id, icmpType, icmpCode, icmpData, rxBytes, false)
+				f.handleICMPViaSocket(flowID, id, icmpType, icmpCode, icmpData, rxBytes)
 			} else {
 				f.handleICMPViaPing(flowID, id, icmpType, icmpCode, icmpData, rxBytes)
 			}
@@ -72,23 +72,18 @@ func (f *Forwarder) handleICMPEcho(flowID uuid.UUID, id stack.TransportEndpointI

 // forwardICMPPacket creates a raw ICMP socket and sends the packet, returning the connection.
 // The caller is responsible for closing the returned connection.
-func (f *Forwarder) forwardICMPPacket(id stack.TransportEndpointID, payload []byte, icmpType, icmpCode uint8, v6 bool, timeout time.Duration) (net.PacketConn, error) {
+func (f *Forwarder) forwardICMPPacket(id stack.TransportEndpointID, payload []byte, icmpType, icmpCode uint8, timeout time.Duration) (net.PacketConn, error) {
 	ctx, cancel := context.WithTimeout(f.ctx, timeout)
 	defer cancel()

-	network, listenAddr := "ip4:icmp", "0.0.0.0"
-	if v6 {
-		network, listenAddr = "ip6:ipv6-icmp", "::"
-	}
-
 	lc := net.ListenConfig{}
-	conn, err := lc.ListenPacket(ctx, network, listenAddr)
+	conn, err := lc.ListenPacket(ctx, "ip4:icmp", "0.0.0.0")
 	if err != nil {
 		return nil, fmt.Errorf("create ICMP socket: %w", err)
 	}

 	dstIP := f.determineDialAddr(id.LocalAddress)
-	dst := &net.IPAddr{IP: dstIP.AsSlice()}
+	dst := &net.IPAddr{IP: dstIP}

 	if _, err = conn.WriteTo(payload, dst); err != nil {
 		if closeErr := conn.Close(); closeErr != nil {
@@ -103,11 +98,11 @@ func (f *Forwarder) forwardICMPPacket(id stack.TransportEndpointID, payload []by
 	return conn, nil
 }

-// handleICMPViaSocket handles ICMP echo requests using raw sockets for both v4 and v6.
-func (f *Forwarder) handleICMPViaSocket(flowID uuid.UUID, id stack.TransportEndpointID, icmpType, icmpCode uint8, icmpData []byte, rxBytes int, v6 bool) {
+// handleICMPViaSocket handles ICMP echo requests using raw sockets.
+func (f *Forwarder) handleICMPViaSocket(flowID uuid.UUID, id stack.TransportEndpointID, icmpType, icmpCode uint8, icmpData []byte, rxBytes int) {
 	sendTime := time.Now()

-	conn, err := f.forwardICMPPacket(id, icmpData, icmpType, icmpCode, v6, 5*time.Second)
+	conn, err := f.forwardICMPPacket(id, icmpData, icmpType, icmpCode, 5*time.Second)
 	if err != nil {
 		f.logger.Error2("forwarder: Failed to send ICMP packet for %v: %v", epID(id), err)
 		return
@@ -118,20 +113,16 @@ func (f *Forwarder) handleICMPViaSocket(flowID uuid.UUID, id stack.TransportEndp
 		}
 	}()

-	txBytes := f.handleEchoResponse(conn, id, v6)
+	txBytes := f.handleEchoResponse(conn, id)
 	rtt := time.Since(sendTime).Round(10 * time.Microsecond)

-	proto := "ICMP"
-	if v6 {
-		proto = "ICMPv6"
-	}
-	f.logger.Trace5("forwarder: Forwarded %s echo reply %v type %v code %v (rtt=%v, raw socket)",
-		proto, epID(id), icmpType, icmpCode, rtt)
+	f.logger.Trace4("forwarder: Forwarded ICMP echo reply %v type %v code %v (rtt=%v, raw socket)",
+		epID(id), icmpType, icmpCode, rtt)

 	f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
 }

-func (f *Forwarder) handleEchoResponse(conn net.PacketConn, id stack.TransportEndpointID, v6 bool) int {
+func (f *Forwarder) handleEchoResponse(conn net.PacketConn, id stack.TransportEndpointID) int {
 	if err := conn.SetReadDeadline(time.Now().Add(5 * time.Second)); err != nil {
 		f.logger.Error1("forwarder: Failed to set read deadline for ICMP response: %v", err)
 		return 0
@@ -146,19 +137,6 @@ func (f *Forwarder) handleEchoResponse(conn net.PacketConn, id stack.TransportEn
 		return 0
 	}

-	if v6 {
-		// Recompute checksum: the raw socket response has a checksum computed
-		// over the real endpoint addresses, but we inject with overlay addresses.
-		icmpHdr := header.ICMPv6(response[:n])
-		icmpHdr.SetChecksum(0)
-		icmpHdr.SetChecksum(header.ICMPv6Checksum(header.ICMPv6ChecksumParams{
-			Header: icmpHdr,
-			Src:    id.LocalAddress,
-			Dst:    id.RemoteAddress,
-		}))
-		return f.injectICMPv6Reply(id, response[:n])
-	}
-
 	return f.injectICMPReply(id, response[:n])
 }

@@ -172,23 +150,19 @@ func (f *Forwarder) sendICMPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.T
 		txPackets = 1
 	}

-	srcIp := addrToNetipAddr(id.RemoteAddress)
-	dstIp := addrToNetipAddr(id.LocalAddress)
-
-	proto := nftypes.ICMP
-	if srcIp.Is6() {
-		proto = nftypes.ICMPv6
-	}
+	srcIp := netip.AddrFrom4(id.RemoteAddress.As4())
+	dstIp := netip.AddrFrom4(id.LocalAddress.As4())

 	fields := nftypes.EventFields{
 		FlowID:    flowID,
 		Type:      typ,
 		Direction: nftypes.Ingress,
-		Protocol:  proto,
-		SourceIP:  srcIp,
-		DestIP:    dstIp,
-		ICMPType:  icmpType,
-		ICMPCode:  icmpCode,
+		Protocol:  nftypes.ICMP,
+		// TODO: handle ipv6
+		SourceIP: srcIp,
+		DestIP:   dstIp,
+		ICMPType: icmpType,
+		ICMPCode: icmpCode,

 		RxBytes:   rxBytes,
 		TxBytes:   txBytes,
@@ -235,164 +209,26 @@ func (f *Forwarder) handleICMPViaPing(flowID uuid.UUID, id stack.TransportEndpoi
 	f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
 }

-// handleICMPv6 handles ICMPv6 packets from the network stack.
-func (f *Forwarder) handleICMPv6(id stack.TransportEndpointID, pkt *stack.PacketBuffer) bool {
-	icmpHdr := header.ICMPv6(pkt.TransportHeader().View().AsSlice())
-
-	flowID := uuid.New()
-	f.sendICMPEvent(nftypes.TypeStart, flowID, id, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()), 0, 0)
-
-	if icmpHdr.Type() == header.ICMPv6EchoRequest {
-		return f.handleICMPv6Echo(flowID, id, pkt, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()))
-	}
-
-	// For non-echo types (Destination Unreachable, Packet Too Big, etc), forward without waiting
-	if !f.hasRawICMPv6Access {
-		f.logger.Debug2("forwarder: Cannot handle ICMPv6 type %v without raw socket access for %v", icmpHdr.Type(), epID(id))
-		return false
-	}
-
-	icmpData := stack.PayloadSince(pkt.TransportHeader()).AsSlice()
-	conn, err := f.forwardICMPPacket(id, icmpData, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()), true, 100*time.Millisecond)
-	if err != nil {
-		f.logger.Error2("forwarder: Failed to forward ICMPv6 packet for %v: %v", epID(id), err)
-		return true
-	}
-	if err := conn.Close(); err != nil {
-		f.logger.Debug1("forwarder: Failed to close ICMPv6 socket: %v", err)
-	}
-
-	return true
-}
-
-// handleICMPv6Echo handles ICMPv6 echo requests via raw socket or ping binary fallback.
-func (f *Forwarder) handleICMPv6Echo(flowID uuid.UUID, id stack.TransportEndpointID, pkt *stack.PacketBuffer, icmpType, icmpCode uint8) bool {
-	select {
-	case f.pingSemaphore <- struct{}{}:
-		icmpData := stack.PayloadSince(pkt.TransportHeader()).ToSlice()
-		rxBytes := pkt.Size()
-
-		go func() {
-			defer func() { <-f.pingSemaphore }()
-
-			if f.hasRawICMPv6Access {
-				f.handleICMPViaSocket(flowID, id, icmpType, icmpCode, icmpData, rxBytes, true)
-			} else {
-				f.handleICMPv6ViaPing(flowID, id, icmpType, icmpCode, icmpData, rxBytes)
-			}
-		}()
-	default:
-		f.logger.Debug3("forwarder: ICMPv6 rate limit exceeded for %v type %v code %v", epID(id), icmpType, icmpCode)
-	}
-	return true
-}
-
-// handleICMPv6ViaPing uses the system ping6 binary for ICMPv6 echo.
-func (f *Forwarder) handleICMPv6ViaPing(flowID uuid.UUID, id stack.TransportEndpointID, icmpType, icmpCode uint8, icmpData []byte, rxBytes int) {
-	ctx, cancel := context.WithTimeout(f.ctx, 5*time.Second)
-	defer cancel()
-
-	dstIP := f.determineDialAddr(id.LocalAddress)
-	cmd := buildPingCommand(ctx, dstIP, 5*time.Second)
-
-	pingStart := time.Now()
-	if err := cmd.Run(); err != nil {
-		f.logger.Warn4("forwarder: Ping6 failed for %v type %v code %v: %v", epID(id), icmpType, icmpCode, err)
-		return
-	}
-	rtt := time.Since(pingStart).Round(10 * time.Microsecond)
-
-	f.logger.Trace3("forwarder: Forwarded ICMPv6 echo request %v type %v code %v",
-		epID(id), icmpType, icmpCode)
-
-	txBytes := f.synthesizeICMPv6EchoReply(id, icmpData)
-
-	f.logger.Trace4("forwarder: Forwarded ICMPv6 echo reply %v type %v code %v (rtt=%v, ping binary)",
-		epID(id), icmpType, icmpCode, rtt)
-
-	f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
-}
-
-// synthesizeICMPv6EchoReply creates an ICMPv6 echo reply and injects it back.
-func (f *Forwarder) synthesizeICMPv6EchoReply(id stack.TransportEndpointID, icmpData []byte) int {
-	replyICMP := make([]byte, len(icmpData))
-	copy(replyICMP, icmpData)
-
-	replyHdr := header.ICMPv6(replyICMP)
-	replyHdr.SetType(header.ICMPv6EchoReply)
-	replyHdr.SetChecksum(0)
-	// ICMPv6Checksum computes the pseudo-header internally from Src/Dst.
-	// Header contains the full ICMP message, so PayloadCsum/PayloadLen are zero.
-	replyHdr.SetChecksum(header.ICMPv6Checksum(header.ICMPv6ChecksumParams{
-		Header: replyHdr,
-		Src:    id.LocalAddress,
-		Dst:    id.RemoteAddress,
-	}))
-
-	return f.injectICMPv6Reply(id, replyICMP)
-}
-
-// injectICMPv6Reply wraps an ICMPv6 payload in an IPv6 header and sends to the peer.
-func (f *Forwarder) injectICMPv6Reply(id stack.TransportEndpointID, icmpPayload []byte) int {
-	ipHdr := make([]byte, header.IPv6MinimumSize)
-	ip := header.IPv6(ipHdr)
-	ip.Encode(&header.IPv6Fields{
-		PayloadLength:     uint16(len(icmpPayload)),
-		TransportProtocol: header.ICMPv6ProtocolNumber,
-		HopLimit:          64,
-		SrcAddr:           id.LocalAddress,
-		DstAddr:           id.RemoteAddress,
-	})
-
-	fullPacket := make([]byte, 0, len(ipHdr)+len(icmpPayload))
-	fullPacket = append(fullPacket, ipHdr...)
-	fullPacket = append(fullPacket, icmpPayload...)
-
-	if err := f.endpoint.device.CreateOutboundPacket(fullPacket, id.RemoteAddress.AsSlice()); err != nil {
-		f.logger.Error1("forwarder: Failed to send ICMPv6 reply to peer: %v", err)
-		return 0
-	}
-
-	return len(fullPacket)
-}
-
-const (
-	pingBin  = "ping"
-	ping6Bin = "ping6"
-)
-
 // buildPingCommand creates a platform-specific ping command.
-// Most platforms auto-detect IPv6 from raw addresses. macOS/iOS/OpenBSD require ping6.
-func buildPingCommand(ctx context.Context, target netip.Addr, timeout time.Duration) *exec.Cmd {
+func buildPingCommand(ctx context.Context, target net.IP, timeout time.Duration) *exec.Cmd {
 	timeoutSec := int(timeout.Seconds())
 	if timeoutSec < 1 {
 		timeoutSec = 1
 	}

-	isV6 := target.Is6()
-	timeoutStr := fmt.Sprintf("%d", timeoutSec)
-
 	switch runtime.GOOS {
 	case "linux", "android":
-		return exec.CommandContext(ctx, pingBin, "-c", "1", "-W", timeoutStr, "-q", target.String())
+		return exec.CommandContext(ctx, "ping", "-c", "1", "-W", fmt.Sprintf("%d", timeoutSec), "-q", target.String())
 	case "darwin", "ios":
-		bin := pingBin
-		if isV6 {
-			bin = ping6Bin
-		}
-		return exec.CommandContext(ctx, bin, "-c", "1", "-t", timeoutStr, "-q", target.String())
+		return exec.CommandContext(ctx, "ping", "-c", "1", "-t", fmt.Sprintf("%d", timeoutSec), "-q", target.String())
 	case "freebsd":
-		return exec.CommandContext(ctx, pingBin, "-c", "1", "-t", timeoutStr, target.String())
+		return exec.CommandContext(ctx, "ping", "-c", "1", "-t", fmt.Sprintf("%d", timeoutSec), target.String())
 	case "openbsd", "netbsd":
-		bin := pingBin
-		if isV6 {
-			bin = ping6Bin
-		}
-		return exec.CommandContext(ctx, bin, "-c", "1", "-w", timeoutStr, target.String())
+		return exec.CommandContext(ctx, "ping", "-c", "1", "-w", fmt.Sprintf("%d", timeoutSec), target.String())
 	case "windows":
-		return exec.CommandContext(ctx, pingBin, "-n", "1", "-w", fmt.Sprintf("%d", timeoutSec*1000), target.String())
+		return exec.CommandContext(ctx, "ping", "-n", "1", "-w", fmt.Sprintf("%d", timeoutSec*1000), target.String())
 	default:
-		return exec.CommandContext(ctx, pingBin, "-c", "1", target.String())
+		return exec.CommandContext(ctx, "ping", "-c", "1", target.String())
 	}
 }

--- a/client/firewall/uspfilter/forwarder/tcp.go
+++ b/client/firewall/uspfilter/forwarder/tcp.go
@@ -2,9 +2,10 @@ package forwarder

 import (
 	"context"
+	"fmt"
 	"io"
 	"net"
-	"strconv"
+	"net/netip"
 	"sync"

 	"github.com/google/uuid"
@@ -32,7 +33,7 @@ func (f *Forwarder) handleTCP(r *tcp.ForwarderRequest) {
 		}
 	}()

-	dialAddr := net.JoinHostPort(f.determineDialAddr(id.LocalAddress).String(), strconv.Itoa(int(id.LocalPort)))
+	dialAddr := fmt.Sprintf("%s:%d", f.determineDialAddr(id.LocalAddress), id.LocalPort)

 	outConn, err := (&net.Dialer{}).DialContext(f.ctx, "tcp", dialAddr)
 	if err != nil {
@@ -132,14 +133,15 @@ func (f *Forwarder) proxyTCP(id stack.TransportEndpointID, inConn *gonet.TCPConn
 }

 func (f *Forwarder) sendTCPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, rxBytes, txBytes, rxPackets, txPackets uint64) {
-	srcIp := addrToNetipAddr(id.RemoteAddress)
-	dstIp := addrToNetipAddr(id.LocalAddress)
+	srcIp := netip.AddrFrom4(id.RemoteAddress.As4())
+	dstIp := netip.AddrFrom4(id.LocalAddress.As4())

 	fields := nftypes.EventFields{
-		FlowID:     flowID,
-		Type:       typ,
-		Direction:  nftypes.Ingress,
-		Protocol:   nftypes.TCP,
+		FlowID:    flowID,
+		Type:      typ,
+		Direction: nftypes.Ingress,
+		Protocol:  nftypes.TCP,
+		// TODO: handle ipv6
 		SourceIP:   srcIp,
 		DestIP:     dstIp,
 		SourcePort: id.RemotePort,
--- a/client/firewall/uspfilter/forwarder/udp.go
+++ b/client/firewall/uspfilter/forwarder/udp.go
@@ -6,7 +6,7 @@ import (
 	"fmt"
 	"io"
 	"net"
-	"strconv"
+	"net/netip"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -158,7 +158,7 @@ func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) bool {
 		}
 	}()

-	dstAddr := net.JoinHostPort(f.determineDialAddr(id.LocalAddress).String(), strconv.Itoa(int(id.LocalPort)))
+	dstAddr := fmt.Sprintf("%s:%d", f.determineDialAddr(id.LocalAddress), id.LocalPort)
 	outConn, err := (&net.Dialer{}).DialContext(f.ctx, "udp", dstAddr)
 	if err != nil {
 		f.logger.Debug2("forwarder: UDP dial error for %v: %v", epID(id), err)
@@ -276,14 +276,15 @@ func (f *Forwarder) proxyUDP(ctx context.Context, pConn *udpPacketConn, id stack

 // sendUDPEvent stores flow events for UDP connections
 func (f *Forwarder) sendUDPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, rxBytes, txBytes, rxPackets, txPackets uint64) {
-	srcIp := addrToNetipAddr(id.RemoteAddress)
-	dstIp := addrToNetipAddr(id.LocalAddress)
+	srcIp := netip.AddrFrom4(id.RemoteAddress.As4())
+	dstIp := netip.AddrFrom4(id.LocalAddress.As4())

 	fields := nftypes.EventFields{
-		FlowID:     flowID,
-		Type:       typ,
-		Direction:  nftypes.Ingress,
-		Protocol:   nftypes.UDP,
+		FlowID:    flowID,
+		Type:      typ,
+		Direction: nftypes.Ingress,
+		Protocol:  nftypes.UDP,
+		// TODO: handle ipv6
 		SourceIP:   srcIp,
 		DestIP:     dstIp,
 		SourcePort: id.RemotePort,
--- a/client/firewall/uspfilter/localip.go
+++ b/client/firewall/uspfilter/localip.go
@@ -4,32 +4,89 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
-	"sync/atomic"
+	"sync"

 	log "github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/client/firewall/uspfilter/common"
 )

-// localIPSnapshot is an immutable snapshot of local IP addresses, swapped
-// atomically so reads are lock-free.
-type localIPSnapshot struct {
-	ips map[netip.Addr]struct{}
+type localIPManager struct {
+	mu sync.RWMutex
+
+	// fixed-size high array for upper byte of a IPv4 address
+	ipv4Bitmap [256]*ipv4LowBitmap
 }

-type localIPManager struct {
-	snapshot atomic.Pointer[localIPSnapshot]
+// ipv4LowBitmap is a map for the low 16 bits of a IPv4 address
+type ipv4LowBitmap struct {
+	bitmap [8192]uint32
 }

 func newLocalIPManager() *localIPManager {
-	m := &localIPManager{}
-	m.snapshot.Store(&localIPSnapshot{
-		ips: make(map[netip.Addr]struct{}),
-	})
-	return m
+	return &localIPManager{}
 }

-func processInterface(iface net.Interface, ips map[netip.Addr]struct{}, addresses *[]netip.Addr) {
+func (m *localIPManager) setBitmapBit(ip net.IP) {
+	ipv4 := ip.To4()
+	if ipv4 == nil {
+		return
+	}
+	high := uint16(ipv4[0])
+	low := (uint16(ipv4[1]) << 8) | (uint16(ipv4[2]) << 4) | uint16(ipv4[3])
+
+	index := low / 32
+	bit := low % 32
+
+	if m.ipv4Bitmap[high] == nil {
+		m.ipv4Bitmap[high] = &ipv4LowBitmap{}
+	}
+
+	m.ipv4Bitmap[high].bitmap[index] |= 1 << bit
+}
+
+func (m *localIPManager) setBitInBitmap(ip netip.Addr, bitmap *[256]*ipv4LowBitmap, ipv4Set map[netip.Addr]struct{}, ipv4Addresses *[]netip.Addr) {
+	if !ip.Is4() {
+		return
+	}
+	ipv4 := ip.AsSlice()
+
+	high := uint16(ipv4[0])
+	low := (uint16(ipv4[1]) << 8) | (uint16(ipv4[2]) << 4) | uint16(ipv4[3])
+
+	if bitmap[high] == nil {
+		bitmap[high] = &ipv4LowBitmap{}
+	}
+
+	index := low / 32
+	bit := low % 32
+	bitmap[high].bitmap[index] |= 1 << bit
+
+	if _, exists := ipv4Set[ip]; !exists {
+		ipv4Set[ip] = struct{}{}
+		*ipv4Addresses = append(*ipv4Addresses, ip)
+	}
+}
+
+func (m *localIPManager) checkBitmapBit(ip []byte) bool {
+	high := uint16(ip[0])
+	low := (uint16(ip[1]) << 8) | (uint16(ip[2]) << 4) | uint16(ip[3])
+
+	if m.ipv4Bitmap[high] == nil {
+		return false
+	}
+
+	index := low / 32
+	bit := low % 32
+	return (m.ipv4Bitmap[high].bitmap[index] & (1 << bit)) != 0
+}
+
+func (m *localIPManager) processIP(ip netip.Addr, bitmap *[256]*ipv4LowBitmap, ipv4Set map[netip.Addr]struct{}, ipv4Addresses *[]netip.Addr) error {
+	m.setBitInBitmap(ip, bitmap, ipv4Set, ipv4Addresses)
+	return nil
+}
+
+func (m *localIPManager) processInterface(iface net.Interface, bitmap *[256]*ipv4LowBitmap, ipv4Set map[netip.Addr]struct{}, ipv4Addresses *[]netip.Addr) {
 	addrs, err := iface.Addrs()
 	if err != nil {
 		log.Debugf("get addresses for interface %s failed: %v", iface.Name, err)
@@ -47,19 +104,18 @@ func processInterface(iface net.Interface, ips map[netip.Addr]struct{}, addresse
 			continue
 		}

-		parsed, ok := netip.AddrFromSlice(ip)
+		addr, ok := netip.AddrFromSlice(ip)
 		if !ok {
 			log.Warnf("invalid IP address %s in interface %s", ip.String(), iface.Name)
 			continue
 		}

-		parsed = parsed.Unmap()
-		ips[parsed] = struct{}{}
-		*addresses = append(*addresses, parsed)
+		if err := m.processIP(addr.Unmap(), bitmap, ipv4Set, ipv4Addresses); err != nil {
+			log.Debugf("process IP failed: %v", err)
+		}
 	}
 }

-// UpdateLocalIPs rebuilds the local IP snapshot and swaps it in atomically.
 func (m *localIPManager) UpdateLocalIPs(iface common.IFaceMapper) (err error) {
 	defer func() {
 		if r := recover(); r != nil {
@@ -67,20 +123,20 @@ func (m *localIPManager) UpdateLocalIPs(iface common.IFaceMapper) (err error) {
 		}
 	}()

-	ips := make(map[netip.Addr]struct{})
-	var addresses []netip.Addr
+	var newIPv4Bitmap [256]*ipv4LowBitmap
+	ipv4Set := make(map[netip.Addr]struct{})
+	var ipv4Addresses []netip.Addr

-	// loopback
-	ips[netip.AddrFrom4([4]byte{127, 0, 0, 1})] = struct{}{}
-	ips[netip.IPv6Loopback()] = struct{}{}
+	// 127.0.0.0/8
+	newIPv4Bitmap[127] = &ipv4LowBitmap{}
+	for i := 0; i < 8192; i++ {
+		// #nosec G602 -- bitmap is defined as [8192]uint32, loop range is correct
+		newIPv4Bitmap[127].bitmap[i] = 0xFFFFFFFF
+	}

 	if iface != nil {
-		ip := iface.Address().IP
-		ips[ip] = struct{}{}
-		addresses = append(addresses, ip)
-		if v6 := iface.Address().IPv6; v6.IsValid() {
-			ips[v6] = struct{}{}
-			addresses = append(addresses, v6)
+		if err := m.processIP(iface.Address().IP, &newIPv4Bitmap, ipv4Set, &ipv4Addresses); err != nil {
+			return err
 		}
 	}

@@ -88,27 +144,26 @@ func (m *localIPManager) UpdateLocalIPs(iface common.IFaceMapper) (err error) {
 	if err != nil {
 		log.Warnf("failed to get interfaces: %v", err)
 	} else {
-		// TODO: filter out down interfaces (net.FlagUp). Also handle the reverse
-		// case where an interface comes up between refreshes.
 		for _, intf := range interfaces {
-			processInterface(intf, ips, &addresses)
+			m.processInterface(intf, &newIPv4Bitmap, ipv4Set, &ipv4Addresses)
 		}
 	}

-	m.snapshot.Store(&localIPSnapshot{ips: ips})
+	m.mu.Lock()
+	m.ipv4Bitmap = newIPv4Bitmap
+	m.mu.Unlock()

-	log.Debugf("Local IP addresses: %v", addresses)
+	log.Debugf("Local IPv4 addresses: %v", ipv4Addresses)
 	return nil
 }

-// IsLocalIP checks if the given IP is a local address. Lock-free on the read path.
 func (m *localIPManager) IsLocalIP(ip netip.Addr) bool {
-	s := m.snapshot.Load()
-
-	if ip.Is4() && ip.As4()[0] == 127 {
-		return true
+	if !ip.Is4() {
+		return false
 	}

-	_, found := s.ips[ip]
-	return found
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+
+	return m.checkBitmapBit(ip.AsSlice())
 }
--- a/client/firewall/uspfilter/localip_bench_test.go
+++ b/client/firewall/uspfilter/localip_bench_test.go
@@ -1,72 +0,0 @@
-package uspfilter
-
-import (
-	"net/netip"
-	"testing"
-
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-)
-
-func setupManager(b *testing.B) *localIPManager {
-	b.Helper()
-	m := newLocalIPManager()
-	mock := &IFaceMock{
-		AddressFunc: func() wgaddr.Address {
-			return wgaddr.Address{
-				IP:      netip.MustParseAddr("100.64.0.1"),
-				Network: netip.MustParsePrefix("100.64.0.0/16"),
-				IPv6:    netip.MustParseAddr("fd00::1"),
-				IPv6Net: netip.MustParsePrefix("fd00::/64"),
-			}
-		},
-	}
-	if err := m.UpdateLocalIPs(mock); err != nil {
-		b.Fatalf("UpdateLocalIPs: %v", err)
-	}
-	return m
-}
-
-func BenchmarkIsLocalIP_v4_hit(b *testing.B) {
-	m := setupManager(b)
-	ip := netip.MustParseAddr("100.64.0.1")
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		m.IsLocalIP(ip)
-	}
-}
-
-func BenchmarkIsLocalIP_v4_miss(b *testing.B) {
-	m := setupManager(b)
-	ip := netip.MustParseAddr("8.8.8.8")
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		m.IsLocalIP(ip)
-	}
-}
-
-func BenchmarkIsLocalIP_v6_hit(b *testing.B) {
-	m := setupManager(b)
-	ip := netip.MustParseAddr("fd00::1")
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		m.IsLocalIP(ip)
-	}
-}
-
-func BenchmarkIsLocalIP_v6_miss(b *testing.B) {
-	m := setupManager(b)
-	ip := netip.MustParseAddr("2001:db8::1")
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		m.IsLocalIP(ip)
-	}
-}
-
-func BenchmarkIsLocalIP_loopback(b *testing.B) {
-	m := setupManager(b)
-	ip := netip.MustParseAddr("127.0.0.1")
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		m.IsLocalIP(ip)
-	}
-}
--- a/client/firewall/uspfilter/localip_test.go
+++ b/client/firewall/uspfilter/localip_test.go
@@ -72,45 +72,14 @@ func TestLocalIPManager(t *testing.T) {
 			expected: false,
 		},
 		{
-			name: "IPv6 address matches",
+			name: "IPv6 address",
 			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("100.64.0.1"),
-				Network: netip.MustParsePrefix("100.64.0.0/16"),
-				IPv6:    netip.MustParseAddr("fd00::1"),
-				IPv6Net: netip.MustParsePrefix("fd00::/64"),
-			},
-			testIP:   netip.MustParseAddr("fd00::1"),
-			expected: true,
-		},
-		{
-			name: "IPv6 address does not match",
-			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("100.64.0.1"),
-				Network: netip.MustParsePrefix("100.64.0.0/16"),
-				IPv6:    netip.MustParseAddr("fd00::1"),
-				IPv6Net: netip.MustParsePrefix("fd00::/64"),
-			},
-			testIP:   netip.MustParseAddr("fd00::99"),
-			expected: false,
-		},
-		{
-			name: "No aliasing between similar IPs",
-			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("192.168.1.1"),
+				IP:      netip.MustParseAddr("fe80::1"),
 				Network: netip.MustParsePrefix("192.168.1.0/24"),
 			},
-			testIP:   netip.MustParseAddr("192.168.0.17"),
+			testIP:   netip.MustParseAddr("fe80::1"),
 			expected: false,
 		},
-		{
-			name: "IPv6 loopback",
-			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("100.64.0.1"),
-				Network: netip.MustParsePrefix("100.64.0.0/16"),
-			},
-			testIP:   netip.MustParseAddr("::1"),
-			expected: true,
-		},
 	}

 	for _, tt := range tests {
@@ -202,3 +171,90 @@ func TestLocalIPManager_AllInterfaces(t *testing.T) {
 		})
 	}
 }
+
+// MapImplementation is a version using map[string]struct{}
+type MapImplementation struct {
+	localIPs map[string]struct{}
+}
+
+func BenchmarkIPChecks(b *testing.B) {
+	interfaces := make([]net.IP, 16)
+	for i := range interfaces {
+		interfaces[i] = net.IPv4(10, 0, byte(i>>8), byte(i))
+	}
+
+	// Setup bitmap
+	bitmapManager := newLocalIPManager()
+	for _, ip := range interfaces[:8] { // Add half of IPs
+		bitmapManager.setBitmapBit(ip)
+	}
+
+	// Setup map version
+	mapManager := &MapImplementation{
+		localIPs: make(map[string]struct{}),
+	}
+	for _, ip := range interfaces[:8] {
+		mapManager.localIPs[ip.String()] = struct{}{}
+	}
+
+	b.Run("Bitmap_Hit", func(b *testing.B) {
+		ip := interfaces[4]
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			bitmapManager.checkBitmapBit(ip)
+		}
+	})
+
+	b.Run("Bitmap_Miss", func(b *testing.B) {
+		ip := interfaces[12]
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			bitmapManager.checkBitmapBit(ip)
+		}
+	})
+
+	b.Run("Map_Hit", func(b *testing.B) {
+		ip := interfaces[4]
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			// nolint:gosimple
+			_ = mapManager.localIPs[ip.String()]
+		}
+	})
+
+	b.Run("Map_Miss", func(b *testing.B) {
+		ip := interfaces[12]
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			// nolint:gosimple
+			_ = mapManager.localIPs[ip.String()]
+		}
+	})
+}
+
+func BenchmarkWGPosition(b *testing.B) {
+	wgIP := net.ParseIP("10.10.0.1")
+
+	// Create two managers - one checks WG IP first, other checks it last
+	b.Run("WG_First", func(b *testing.B) {
+		bm := newLocalIPManager()
+		bm.setBitmapBit(wgIP)
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			bm.checkBitmapBit(wgIP)
+		}
+	})
+
+	b.Run("WG_Last", func(b *testing.B) {
+		bm := newLocalIPManager()
+		// Fill with other IPs first
+		for i := 0; i < 15; i++ {
+			bm.setBitmapBit(net.IPv4(10, 0, byte(i>>8), byte(i)))
+		}
+		bm.setBitmapBit(wgIP) // Add WG IP last
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			bm.checkBitmapBit(wgIP)
+		}
+	})
+}
--- a/client/firewall/uspfilter/log/log.go
+++ b/client/firewall/uspfilter/log/log.go
@@ -5,8 +5,6 @@ import (
 	"context"
 	"fmt"
 	"io"
-	"os"
-	"strconv"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -18,18 +16,9 @@ const (
 	maxBatchSize         = 1024 * 16
 	maxMessageSize       = 1024 * 2
 	defaultFlushInterval = 2 * time.Second
-	defaultLogChanSize   = 1000
+	logChannelSize       = 1000
 )

-func getLogChannelSize() int {
-	if v := os.Getenv("NB_USPFILTER_LOG_BUFFER"); v != "" {
-		if n, err := strconv.Atoi(v); err == nil && n > 0 {
-			return n
-		}
-	}
-	return defaultLogChanSize
-}
-
 type Level uint32

 const (
@@ -80,7 +69,7 @@ type Logger struct {
 func NewFromLogrus(logrusLogger *log.Logger) *Logger {
 	l := &Logger{
 		output:     logrusLogger.Out,
-		msgChannel: make(chan logMessage, getLogChannelSize()),
+		msgChannel: make(chan logMessage, logChannelSize),
 		shutdown:   make(chan struct{}),
 		bufPool: sync.Pool{
 			New: func() any {
--- a/client/firewall/uspfilter/nat.go
+++ b/client/firewall/uspfilter/nat.go
@@ -13,6 +13,8 @@ import (
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 )

+var ErrIPv4Only = errors.New("only IPv4 is supported for DNAT")
+
 var (
 	errInvalidIPHeaderLength = errors.New("invalid IP header length")
 )
@@ -23,33 +25,10 @@ const (
 	destinationPortOffset = 2

 	// IP address offsets in IPv4 header
-	ipv4SrcOffset = 12
-	ipv4DstOffset = 16
-
-	// IP address offsets in IPv6 header
-	ipv6SrcOffset = 8
-	ipv6DstOffset = 24
-
-	// IPv6 fixed header length
-	ipv6HeaderLen = 40
+	sourceIPOffset      = 12
+	destinationIPOffset = 16
 )

-// ipHeaderLen returns the IP header length based on the decoded layer type.
-func ipHeaderLen(d *decoder) (int, error) {
-	switch d.decoded[0] {
-	case layers.LayerTypeIPv4:
-		n := int(d.ip4.IHL) * 4
-		if n < 20 {
-			return 0, errInvalidIPHeaderLength
-		}
-		return n, nil
-	case layers.LayerTypeIPv6:
-		return ipv6HeaderLen, nil
-	default:
-		return 0, fmt.Errorf("unknown IP layer: %v", d.decoded[0])
-	}
-}
-
 // ipv4Checksum calculates IPv4 header checksum.
 func ipv4Checksum(header []byte) uint16 {
 	if len(header) < 20 {
@@ -255,13 +234,14 @@ func (m *Manager) translateOutboundDNAT(packetData []byte, d *decoder) bool {
 		return false
 	}

-	_, dstIP := extractPacketIPs(packetData, d)
+	dstIP := netip.AddrFrom4([4]byte{packetData[16], packetData[17], packetData[18], packetData[19]})
+
 	translatedIP, exists := m.getDNATTranslation(dstIP)
 	if !exists {
 		return false
 	}

-	if err := m.rewritePacketIP(packetData, d, translatedIP, false); err != nil {
+	if err := m.rewritePacketIP(packetData, d, translatedIP, destinationIPOffset); err != nil {
 		m.logger.Error1("failed to rewrite packet destination: %v", err)
 		return false
 	}
@@ -276,13 +256,14 @@ func (m *Manager) translateInboundReverse(packetData []byte, d *decoder) bool {
 		return false
 	}

-	srcIP, _ := extractPacketIPs(packetData, d)
+	srcIP := netip.AddrFrom4([4]byte{packetData[12], packetData[13], packetData[14], packetData[15]})
+
 	originalIP, exists := m.findReverseDNATMapping(srcIP)
 	if !exists {
 		return false
 	}

-	if err := m.rewritePacketIP(packetData, d, originalIP, true); err != nil {
+	if err := m.rewritePacketIP(packetData, d, originalIP, sourceIPOffset); err != nil {
 		m.logger.Error1("failed to rewrite packet source: %v", err)
 		return false
 	}
@@ -291,96 +272,38 @@ func (m *Manager) translateInboundReverse(packetData []byte, d *decoder) bool {
 	return true
 }

-// extractPacketIPs extracts src and dst IP addresses directly from raw packet bytes.
-func extractPacketIPs(packetData []byte, d *decoder) (src, dst netip.Addr) {
-	switch d.decoded[0] {
-	case layers.LayerTypeIPv4:
-		src = netip.AddrFrom4([4]byte{packetData[ipv4SrcOffset], packetData[ipv4SrcOffset+1], packetData[ipv4SrcOffset+2], packetData[ipv4SrcOffset+3]})
-		dst = netip.AddrFrom4([4]byte{packetData[ipv4DstOffset], packetData[ipv4DstOffset+1], packetData[ipv4DstOffset+2], packetData[ipv4DstOffset+3]})
-	case layers.LayerTypeIPv6:
-		src = netip.AddrFrom16([16]byte(packetData[ipv6SrcOffset : ipv6SrcOffset+16]))
-		dst = netip.AddrFrom16([16]byte(packetData[ipv6DstOffset : ipv6DstOffset+16]))
-	}
-	return src, dst
-}
-
-// rewritePacketIP replaces a source (isSource=true) or destination IP address in the packet and updates checksums.
-func (m *Manager) rewritePacketIP(packetData []byte, d *decoder, newIP netip.Addr, isSource bool) error {
-	hdrLen, err := ipHeaderLen(d)
-	if err != nil {
-		return err
-	}
-
-	switch d.decoded[0] {
-	case layers.LayerTypeIPv4:
-		return m.rewriteIPv4(packetData, d, newIP, hdrLen, isSource)
-	case layers.LayerTypeIPv6:
-		return m.rewriteIPv6(packetData, d, newIP, hdrLen, isSource)
-	default:
-		return fmt.Errorf("unknown IP layer: %v", d.decoded[0])
-	}
-}
-
-func (m *Manager) rewriteIPv4(packetData []byte, d *decoder, newIP netip.Addr, hdrLen int, isSource bool) error {
+// rewritePacketIP replaces an IP address (source or destination) in the packet and updates checksums.
+func (m *Manager) rewritePacketIP(packetData []byte, d *decoder, newIP netip.Addr, ipOffset int) error {
 	if !newIP.Is4() {
-		return fmt.Errorf("cannot write IPv6 address into IPv4 packet")
-	}
-
-	offset := ipv4DstOffset
-	if isSource {
-		offset = ipv4SrcOffset
+		return ErrIPv4Only
 	}

 	var oldIP [4]byte
-	copy(oldIP[:], packetData[offset:offset+4])
+	copy(oldIP[:], packetData[ipOffset:ipOffset+4])
 	newIPBytes := newIP.As4()
-	copy(packetData[offset:offset+4], newIPBytes[:])

-	// Recalculate IPv4 header checksum
+	copy(packetData[ipOffset:ipOffset+4], newIPBytes[:])
+
+	ipHeaderLen := int(d.ip4.IHL) * 4
+	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
+		return errInvalidIPHeaderLength
+	}
+
 	binary.BigEndian.PutUint16(packetData[10:12], 0)
-	binary.BigEndian.PutUint16(packetData[10:12], ipv4Checksum(packetData[:hdrLen]))
+	ipChecksum := ipv4Checksum(packetData[:ipHeaderLen])
+	binary.BigEndian.PutUint16(packetData[10:12], ipChecksum)

-	// Update transport checksums incrementally
 	if len(d.decoded) > 1 {
 		switch d.decoded[1] {
 		case layers.LayerTypeTCP:
-			m.updateTCPChecksum(packetData, hdrLen, oldIP[:], newIPBytes[:])
+			m.updateTCPChecksum(packetData, ipHeaderLen, oldIP[:], newIPBytes[:])
 		case layers.LayerTypeUDP:
-			m.updateUDPChecksum(packetData, hdrLen, oldIP[:], newIPBytes[:])
+			m.updateUDPChecksum(packetData, ipHeaderLen, oldIP[:], newIPBytes[:])
 		case layers.LayerTypeICMPv4:
-			m.updateICMPChecksum(packetData, hdrLen)
+			m.updateICMPChecksum(packetData, ipHeaderLen)
 		}
 	}
-	return nil
-}

-func (m *Manager) rewriteIPv6(packetData []byte, d *decoder, newIP netip.Addr, hdrLen int, isSource bool) error {
-	if !newIP.Is6() {
-		return fmt.Errorf("cannot write IPv4 address into IPv6 packet")
-	}
-
-	offset := ipv6DstOffset
-	if isSource {
-		offset = ipv6SrcOffset
-	}
-
-	var oldIP [16]byte
-	copy(oldIP[:], packetData[offset:offset+16])
-	newIPBytes := newIP.As16()
-	copy(packetData[offset:offset+16], newIPBytes[:])
-
-	// IPv6 has no header checksum, only update transport checksums
-	if len(d.decoded) > 1 {
-		switch d.decoded[1] {
-		case layers.LayerTypeTCP:
-			m.updateTCPChecksum(packetData, hdrLen, oldIP[:], newIPBytes[:])
-		case layers.LayerTypeUDP:
-			m.updateUDPChecksum(packetData, hdrLen, oldIP[:], newIPBytes[:])
-		case layers.LayerTypeICMPv6:
-			// ICMPv6 checksum includes pseudo-header with addresses, use incremental update
-			m.updateICMPv6Checksum(packetData, hdrLen, oldIP[:], newIPBytes[:])
-		}
-	}
 	return nil
 }

@@ -428,20 +351,6 @@ func (m *Manager) updateICMPChecksum(packetData []byte, ipHeaderLen int) {
 	binary.BigEndian.PutUint16(icmpData[2:4], checksum)
 }

-// updateICMPv6Checksum updates ICMPv6 checksum after address change.
-// ICMPv6 uses a pseudo-header (like TCP/UDP), so incremental update applies.
-func (m *Manager) updateICMPv6Checksum(packetData []byte, ipHeaderLen int, oldIP, newIP []byte) {
-	icmpStart := ipHeaderLen
-	if len(packetData) < icmpStart+4 {
-		return
-	}
-
-	checksumOffset := icmpStart + 2
-	oldChecksum := binary.BigEndian.Uint16(packetData[checksumOffset : checksumOffset+2])
-	newChecksum := incrementalUpdate(oldChecksum, oldIP, newIP)
-	binary.BigEndian.PutUint16(packetData[checksumOffset:checksumOffset+2], newChecksum)
-}
-
 // incrementalUpdate performs incremental checksum update per RFC 1624.
 func incrementalUpdate(oldChecksum uint16, oldBytes, newBytes []byte) uint16 {
 	sum := uint32(^oldChecksum)
@@ -449,9 +358,9 @@ func incrementalUpdate(oldChecksum uint16, oldBytes, newBytes []byte) uint16 {
 	// Fast path for IPv4 addresses (4 bytes) - most common case
 	if len(oldBytes) == 4 && len(newBytes) == 4 {
 		sum += uint32(^binary.BigEndian.Uint16(oldBytes[0:2]))
-		sum += uint32(^binary.BigEndian.Uint16(oldBytes[2:4])) //nolint:gosec // length checked above
+		sum += uint32(^binary.BigEndian.Uint16(oldBytes[2:4]))
 		sum += uint32(binary.BigEndian.Uint16(newBytes[0:2]))
-		sum += uint32(binary.BigEndian.Uint16(newBytes[2:4])) //nolint:gosec // length checked above
+		sum += uint32(binary.BigEndian.Uint16(newBytes[2:4]))
 	} else {
 		// Fallback for other lengths
 		for i := 0; i < len(oldBytes)-1; i += 2 {
@@ -512,7 +421,6 @@ func (m *Manager) addPortRedirection(targetIP netip.Addr, protocol gopacket.Laye
 }

 // AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
-// TODO: also delegate to nativeFirewall when available for kernel WG mode
 func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	var layerType gopacket.LayerType
 	switch protocol {
@@ -558,22 +466,6 @@ func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Prot
 	return m.removePortRedirection(localAddr, layerType, sourcePort, targetPort)
 }

-// AddOutputDNAT delegates to the native firewall if available.
-func (m *Manager) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	if m.nativeFirewall == nil {
-		return fmt.Errorf("output DNAT not supported without native firewall")
-	}
-	return m.nativeFirewall.AddOutputDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
-// RemoveOutputDNAT delegates to the native firewall if available.
-func (m *Manager) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	if m.nativeFirewall == nil {
-		return nil
-	}
-	return m.nativeFirewall.RemoveOutputDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
 // translateInboundPortDNAT applies port-specific DNAT translation to inbound packets.
 func (m *Manager) translateInboundPortDNAT(packetData []byte, d *decoder, srcIP, dstIP netip.Addr) bool {
 	if !m.portDNATEnabled.Load() {
@@ -623,12 +515,12 @@ func (m *Manager) applyPortRule(packetData []byte, d *decoder, srcIP, dstIP neti

 // rewriteTCPPort rewrites a TCP port (source or destination) and updates checksum.
 func (m *Manager) rewriteTCPPort(packetData []byte, d *decoder, newPort uint16, portOffset int) error {
-	hdrLen, err := ipHeaderLen(d)
-	if err != nil {
-		return err
+	ipHeaderLen := int(d.ip4.IHL) * 4
+	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
+		return errInvalidIPHeaderLength
 	}

-	tcpStart := hdrLen
+	tcpStart := ipHeaderLen
 	if len(packetData) < tcpStart+4 {
 		return fmt.Errorf("packet too short for TCP header")
 	}
@@ -654,12 +546,12 @@ func (m *Manager) rewriteTCPPort(packetData []byte, d *decoder, newPort uint16,

 // rewriteUDPPort rewrites a UDP port (source or destination) and updates checksum.
 func (m *Manager) rewriteUDPPort(packetData []byte, d *decoder, newPort uint16, portOffset int) error {
-	hdrLen, err := ipHeaderLen(d)
-	if err != nil {
-		return err
+	ipHeaderLen := int(d.ip4.IHL) * 4
+	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
+		return errInvalidIPHeaderLength
 	}

-	udpStart := hdrLen
+	udpStart := ipHeaderLen
 	if len(packetData) < udpStart+8 {
 		return fmt.Errorf("packet too short for UDP header")
 	}
--- a/client/firewall/uspfilter/nat_bench_test.go
+++ b/client/firewall/uspfilter/nat_bench_test.go
@@ -342,17 +342,12 @@ func BenchmarkDNATMemoryAllocations(b *testing.B) {

 		// Parse the packet fresh each time to get a clean decoder
 		d := &decoder{decoded: []gopacket.LayerType{}}
-		d.parser4 = gopacket.NewDecodingLayerParser(
+		d.parser = gopacket.NewDecodingLayerParser(
 			layers.LayerTypeIPv4,
 			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
 		)
-		d.parser4.IgnoreUnsupported = true
-		d.parser6 = gopacket.NewDecodingLayerParser(
-			layers.LayerTypeIPv6,
-			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
-		)
-		d.parser6.IgnoreUnsupported = true
-		err = d.decodePacket(testPacket)
+		d.parser.IgnoreUnsupported = true
+		err = d.parser.DecodeLayers(testPacket, &d.decoded)
 		assert.NoError(b, err)

 		manager.translateOutboundDNAT(testPacket, d)
@@ -376,17 +371,12 @@ func BenchmarkDirectIPExtraction(b *testing.B) {
 	b.Run("decoder_extraction", func(b *testing.B) {
 		// Create decoder once for comparison
 		d := &decoder{decoded: []gopacket.LayerType{}}
-		d.parser4 = gopacket.NewDecodingLayerParser(
+		d.parser = gopacket.NewDecodingLayerParser(
 			layers.LayerTypeIPv4,
 			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
 		)
-		d.parser4.IgnoreUnsupported = true
-		d.parser6 = gopacket.NewDecodingLayerParser(
-			layers.LayerTypeIPv6,
-			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
-		)
-		d.parser6.IgnoreUnsupported = true
-		err := d.decodePacket(packet)
+		d.parser.IgnoreUnsupported = true
+		err := d.parser.DecodeLayers(packet, &d.decoded)
 		assert.NoError(b, err)

 		for i := 0; i < b.N; i++ {
--- a/client/firewall/uspfilter/nat_test.go
+++ b/client/firewall/uspfilter/nat_test.go
@@ -86,18 +86,13 @@ func parsePacket(t testing.TB, packetData []byte) *decoder {
 	d := &decoder{
 		decoded: []gopacket.LayerType{},
 	}
-	d.parser4 = gopacket.NewDecodingLayerParser(
+	d.parser = gopacket.NewDecodingLayerParser(
 		layers.LayerTypeIPv4,
 		&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
 	)
-	d.parser4.IgnoreUnsupported = true
-	d.parser6 = gopacket.NewDecodingLayerParser(
-		layers.LayerTypeIPv6,
-		&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
-	)
-	d.parser6.IgnoreUnsupported = true
+	d.parser.IgnoreUnsupported = true

-	err := d.decodePacket(packetData)
+	err := d.parser.DecodeLayers(packetData, &d.decoded)
 	require.NoError(t, err)
 	return d
 }
--- a/client/firewall/uspfilter/rule.go
+++ b/client/firewall/uspfilter/rule.go
@@ -18,7 +18,9 @@ type PeerRule struct {
 	protoLayer gopacket.LayerType
 	sPort      *firewall.Port
 	dPort      *firewall.Port
-	drop bool
+	drop       bool
+
+	udpHook func([]byte) bool
 }

 // ID returns the rule id
--- a/client/firewall/uspfilter/tracer.go
+++ b/client/firewall/uspfilter/tracer.go
@@ -112,13 +112,10 @@ func (t *PacketTrace) AddResultWithForwarder(stage PacketStage, message string,
 }

 func (p *PacketBuilder) Build() ([]byte, error) {
-	ipLayer, err := p.buildIPLayer()
-	if err != nil {
-		return nil, err
-	}
-	pktLayers := []gopacket.SerializableLayer{ipLayer}
+	ip := p.buildIPLayer()
+	pktLayers := []gopacket.SerializableLayer{ip}

-	transportLayer, err := p.buildTransportLayer(ipLayer)
+	transportLayer, err := p.buildTransportLayer(ip)
 	if err != nil {
 		return nil, err
 	}
@@ -132,43 +129,30 @@ func (p *PacketBuilder) Build() ([]byte, error) {
 	return serializePacket(pktLayers)
 }

-func (p *PacketBuilder) buildIPLayer() (gopacket.SerializableLayer, error) {
-	if p.SrcIP.Is4() != p.DstIP.Is4() {
-		return nil, fmt.Errorf("mixed address families: src=%s dst=%s", p.SrcIP, p.DstIP)
-	}
-	proto := getIPProtocolNumber(p.Protocol, p.SrcIP.Is6())
-	if p.SrcIP.Is6() {
-		return &layers.IPv6{
-			Version:    6,
-			HopLimit:   64,
-			NextHeader: proto,
-			SrcIP:      p.SrcIP.AsSlice(),
-			DstIP:      p.DstIP.AsSlice(),
-		}, nil
-	}
+func (p *PacketBuilder) buildIPLayer() *layers.IPv4 {
 	return &layers.IPv4{
 		Version:  4,
 		TTL:      64,
-		Protocol: proto,
+		Protocol: layers.IPProtocol(getIPProtocolNumber(p.Protocol)),
 		SrcIP:    p.SrcIP.AsSlice(),
 		DstIP:    p.DstIP.AsSlice(),
-	}, nil
+	}
 }

-func (p *PacketBuilder) buildTransportLayer(ipLayer gopacket.SerializableLayer) ([]gopacket.SerializableLayer, error) {
+func (p *PacketBuilder) buildTransportLayer(ip *layers.IPv4) ([]gopacket.SerializableLayer, error) {
 	switch p.Protocol {
 	case "tcp":
-		return p.buildTCPLayer(ipLayer)
+		return p.buildTCPLayer(ip)
 	case "udp":
-		return p.buildUDPLayer(ipLayer)
+		return p.buildUDPLayer(ip)
 	case "icmp":
-		return p.buildICMPLayer(ipLayer)
+		return p.buildICMPLayer()
 	default:
 		return nil, fmt.Errorf("unsupported protocol: %s", p.Protocol)
 	}
 }

-func (p *PacketBuilder) buildTCPLayer(ipLayer gopacket.SerializableLayer) ([]gopacket.SerializableLayer, error) {
+func (p *PacketBuilder) buildTCPLayer(ip *layers.IPv4) ([]gopacket.SerializableLayer, error) {
 	tcp := &layers.TCP{
 		SrcPort: layers.TCPPort(p.SrcPort),
 		DstPort: layers.TCPPort(p.DstPort),
@@ -180,44 +164,24 @@ func (p *PacketBuilder) buildTCPLayer(ipLayer gopacket.SerializableLayer) ([]gop
 		PSH:     p.TCPState != nil && p.TCPState.PSH,
 		URG:     p.TCPState != nil && p.TCPState.URG,
 	}
-	if nl, ok := ipLayer.(gopacket.NetworkLayer); ok {
-		if err := tcp.SetNetworkLayerForChecksum(nl); err != nil {
-			return nil, fmt.Errorf("set network layer for TCP checksum: %w", err)
-		}
+	if err := tcp.SetNetworkLayerForChecksum(ip); err != nil {
+		return nil, fmt.Errorf("set network layer for TCP checksum: %w", err)
 	}
 	return []gopacket.SerializableLayer{tcp}, nil
 }

-func (p *PacketBuilder) buildUDPLayer(ipLayer gopacket.SerializableLayer) ([]gopacket.SerializableLayer, error) {
+func (p *PacketBuilder) buildUDPLayer(ip *layers.IPv4) ([]gopacket.SerializableLayer, error) {
 	udp := &layers.UDP{
 		SrcPort: layers.UDPPort(p.SrcPort),
 		DstPort: layers.UDPPort(p.DstPort),
 	}
-	if nl, ok := ipLayer.(gopacket.NetworkLayer); ok {
-		if err := udp.SetNetworkLayerForChecksum(nl); err != nil {
-			return nil, fmt.Errorf("set network layer for UDP checksum: %w", err)
-		}
+	if err := udp.SetNetworkLayerForChecksum(ip); err != nil {
+		return nil, fmt.Errorf("set network layer for UDP checksum: %w", err)
 	}
 	return []gopacket.SerializableLayer{udp}, nil
 }

-func (p *PacketBuilder) buildICMPLayer(ipLayer gopacket.SerializableLayer) ([]gopacket.SerializableLayer, error) {
-	if p.SrcIP.Is6() || p.DstIP.Is6() {
-		icmp := &layers.ICMPv6{
-			TypeCode: layers.CreateICMPv6TypeCode(p.ICMPType, p.ICMPCode),
-		}
-		if nl, ok := ipLayer.(gopacket.NetworkLayer); ok {
-			_ = icmp.SetNetworkLayerForChecksum(nl)
-		}
-		if p.ICMPType == layers.ICMPv6TypeEchoRequest || p.ICMPType == layers.ICMPv6TypeEchoReply {
-			echo := &layers.ICMPv6Echo{
-				Identifier: 1,
-				SeqNumber:  1,
-			}
-			return []gopacket.SerializableLayer{icmp, echo}, nil
-		}
-		return []gopacket.SerializableLayer{icmp}, nil
-	}
+func (p *PacketBuilder) buildICMPLayer() ([]gopacket.SerializableLayer, error) {
 	icmp := &layers.ICMPv4{
 		TypeCode: layers.CreateICMPv4TypeCode(p.ICMPType, p.ICMPCode),
 	}
@@ -240,17 +204,14 @@ func serializePacket(layers []gopacket.SerializableLayer) ([]byte, error) {
 	return buf.Bytes(), nil
 }

-func getIPProtocolNumber(protocol fw.Protocol, isV6 bool) layers.IPProtocol {
+func getIPProtocolNumber(protocol fw.Protocol) int {
 	switch protocol {
 	case fw.ProtocolTCP:
-		return layers.IPProtocolTCP
+		return int(layers.IPProtocolTCP)
 	case fw.ProtocolUDP:
-		return layers.IPProtocolUDP
+		return int(layers.IPProtocolUDP)
 	case fw.ProtocolICMP:
-		if isV6 {
-			return layers.IPProtocolICMPv6
-		}
-		return layers.IPProtocolICMPv4
+		return int(layers.IPProtocolICMPv4)
 	default:
 		return 0
 	}
@@ -273,7 +234,7 @@ func (m *Manager) TracePacket(packetData []byte, direction fw.RuleDirection) *Pa
 	trace := &PacketTrace{Direction: direction}

 	// Initial packet decoding
-	if err := d.decodePacket(packetData); err != nil {
+	if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
 		trace.AddResult(StageReceived, fmt.Sprintf("Failed to decode packet: %v", err), false)
 		return trace
 	}
@@ -295,8 +256,6 @@ func (m *Manager) TracePacket(packetData []byte, direction fw.RuleDirection) *Pa
 		trace.DestinationPort = uint16(d.udp.DstPort)
 	case layers.LayerTypeICMPv4:
 		trace.Protocol = "ICMP"
-	case layers.LayerTypeICMPv6:
-		trace.Protocol = "ICMPv6"
 	}

 	trace.AddResult(StageReceived, fmt.Sprintf("Received %s packet: %s:%d -> %s:%d",
@@ -360,13 +319,6 @@ func (m *Manager) buildConntrackStateMessage(d *decoder) string {
 			flags&conntrack.TCPFin != 0)
 	case layers.LayerTypeICMPv4:
 		msg += fmt.Sprintf(" (ICMP ID=%d, Seq=%d)", d.icmp4.Id, d.icmp4.Seq)
-	case layers.LayerTypeICMPv6:
-		var id, seq uint16
-		if len(d.icmp6.Payload) >= 4 {
-			id = uint16(d.icmp6.Payload[0])<<8 | uint16(d.icmp6.Payload[1])
-			seq = uint16(d.icmp6.Payload[2])<<8 | uint16(d.icmp6.Payload[3])
-		}
-		msg += fmt.Sprintf(" (ICMPv6 ID=%d, Seq=%d)", id, seq)
 	}
 	return msg
 }
@@ -463,7 +415,7 @@ func (m *Manager) traceOutbound(packetData []byte, trace *PacketTrace) *PacketTr
 	d := m.decoders.Get().(*decoder)
 	defer m.decoders.Put(d)

-	if err := d.decodePacket(packetData); err != nil {
+	if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
 		trace.AddResult(StageCompleted, "Packet dropped - decode error", false)
 		return trace
 	}
@@ -482,7 +434,7 @@ func (m *Manager) traceOutbound(packetData []byte, trace *PacketTrace) *PacketTr
 func (m *Manager) handleInboundDNAT(trace *PacketTrace, packetData []byte, d *decoder, srcIP, dstIP *netip.Addr) bool {
 	portDNATApplied := m.traceInboundPortDNAT(trace, packetData, d)
 	if portDNATApplied {
-		if err := d.decodePacket(packetData); err != nil {
+		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
 			trace.AddResult(StageInboundPortDNAT, "Failed to re-decode after port DNAT", false)
 			return true
 		}
@@ -492,7 +444,7 @@ func (m *Manager) handleInboundDNAT(trace *PacketTrace, packetData []byte, d *de

 	nat1to1Applied := m.traceInbound1to1NAT(trace, packetData, d)
 	if nat1to1Applied {
-		if err := d.decodePacket(packetData); err != nil {
+		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
 			trace.AddResult(StageInbound1to1NAT, "Failed to re-decode after 1:1 NAT", false)
 			return true
 		}
@@ -557,7 +509,7 @@ func (m *Manager) traceInbound1to1NAT(trace *PacketTrace, packetData []byte, d *
 		return false
 	}

-	srcIP, _ := extractPacketIPs(packetData, d)
+	srcIP := netip.AddrFrom4([4]byte{packetData[12], packetData[13], packetData[14], packetData[15]})

 	translated := m.translateInboundReverse(packetData, d)
 	if translated {
@@ -587,7 +539,7 @@ func (m *Manager) traceOutbound1to1NAT(trace *PacketTrace, packetData []byte, d
 		return false
 	}

-	_, dstIP := extractPacketIPs(packetData, d)
+	dstIP := netip.AddrFrom4([4]byte{packetData[16], packetData[17], packetData[18], packetData[19]})

 	translated := m.translateOutboundDNAT(packetData, d)
 	if translated {
--- a/client/firewall/uspfilter/tracer_test.go
+++ b/client/firewall/uspfilter/tracer_test.go
@@ -399,17 +399,21 @@ func TestTracePacket(t *testing.T) {
 		{
 			name: "UDPTraffic_WithHook",
 			setup: func(m *Manager) {
-				m.SetUDPPacketHook(netip.MustParseAddr("100.10.255.254"), 53, func([]byte) bool {
-					return true // drop (intercepted by hook)
-				})
+				hookFunc := func([]byte) bool {
+					return true
+				}
+				m.AddUDPPacketHook(true, netip.MustParseAddr("1.1.1.1"), 53, hookFunc)
 			},
 			packetBuilder: func() *PacketBuilder {
-				return createPacketBuilder("100.10.0.100", "100.10.255.254", "udp", 12345, 53, fw.RuleDirectionOUT)
+				return createPacketBuilder("1.1.1.1", "100.10.0.100", "udp", 12345, 53, fw.RuleDirectionIN)
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageOutbound1to1NAT,
-				StageOutboundPortReverse,
+				StageInboundPortDNAT,
+				StageInbound1to1NAT,
+				StageConntrack,
+				StageRouting,
+				StagePeerACL,
 				StageCompleted,
 			},
 			expectedAllow: false,
--- a/client/grpc/dialer.go
+++ b/client/grpc/dialer.go
@@ -28,7 +28,7 @@ func Backoff(ctx context.Context) backoff.BackOff {

 // CreateConnection creates a gRPC client connection with the appropriate transport options.
 // The component parameter specifies the WebSocket proxy component path (e.g., "/management", "/signal").
-func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, component string, extraOpts ...grpc.DialOption) (*grpc.ClientConn, error) {
+func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, component string) (*grpc.ClientConn, error) {
 	transportOption := grpc.WithTransportCredentials(insecure.NewCredentials())
 	// for js, the outer websocket layer takes care of tls
 	if tlsEnabled && runtime.GOOS != "js" {
@@ -46,7 +46,9 @@ func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, compone
 	connCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
 	defer cancel()

-	opts := []grpc.DialOption{
+	conn, err := grpc.DialContext(
+		connCtx,
+		addr,
 		transportOption,
 		WithCustomDialer(tlsEnabled, component),
 		grpc.WithBlock(),
@@ -54,10 +56,7 @@ func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, compone
 			Time:    30 * time.Second,
 			Timeout: 10 * time.Second,
 		}),
-	}
-	opts = append(opts, extraOpts...)
-
-	conn, err := grpc.DialContext(connCtx, addr, opts...)
+	)
 	if err != nil {
 		return nil, fmt.Errorf("dial context: %w", err)
 	}
--- a/client/iface/bind/dual_stack_conn.go
+++ b/client/iface/bind/dual_stack_conn.go
@@ -1,169 +0,0 @@
-package bind
-
-import (
-	"errors"
-	"net"
-	"sync"
-	"time"
-
-	"github.com/hashicorp/go-multierror"
-	log "github.com/sirupsen/logrus"
-
-	nberrors "github.com/netbirdio/netbird/client/errors"
-)
-
-var (
-	errNoIPv4Conn  = errors.New("no IPv4 connection available")
-	errNoIPv6Conn  = errors.New("no IPv6 connection available")
-	errInvalidAddr = errors.New("invalid address type")
-)
-
-// DualStackPacketConn wraps IPv4 and IPv6 UDP connections and routes writes
-// to the appropriate connection based on the destination address.
-// ReadFrom is not used in the hot path - ICEBind receives packets via
-// BatchReader.ReadBatch() directly. This is only used by udpMux for sending.
-type DualStackPacketConn struct {
-	ipv4Conn net.PacketConn
-	ipv6Conn net.PacketConn
-
-	readFromWarn sync.Once
-}
-
-// NewDualStackPacketConn creates a new dual-stack packet connection.
-func NewDualStackPacketConn(ipv4Conn, ipv6Conn net.PacketConn) *DualStackPacketConn {
-	return &DualStackPacketConn{
-		ipv4Conn: ipv4Conn,
-		ipv6Conn: ipv6Conn,
-	}
-}
-
-// ReadFrom reads from the available connection (preferring IPv4).
-// NOTE: This method is NOT used in the data path. ICEBind receives packets via
-// BatchReader.ReadBatch() directly for both IPv4 and IPv6, which is much more efficient.
-// This implementation exists only to satisfy the net.PacketConn interface for the udpMux,
-// but the udpMux only uses WriteTo() for sending STUN responses - it never calls ReadFrom()
-// because STUN packets are filtered and forwarded via HandleSTUNMessage() from the receive path.
-func (d *DualStackPacketConn) ReadFrom(b []byte) (n int, addr net.Addr, err error) {
-	d.readFromWarn.Do(func() {
-		log.Warn("DualStackPacketConn.ReadFrom called - this is unexpected and may indicate an inefficient code path")
-	})
-
-	if d.ipv4Conn != nil {
-		return d.ipv4Conn.ReadFrom(b)
-	}
-	if d.ipv6Conn != nil {
-		return d.ipv6Conn.ReadFrom(b)
-	}
-	return 0, nil, net.ErrClosed
-}
-
-// WriteTo writes to the appropriate connection based on the address type.
-func (d *DualStackPacketConn) WriteTo(b []byte, addr net.Addr) (n int, err error) {
-	udpAddr, ok := addr.(*net.UDPAddr)
-	if !ok {
-		return 0, &net.OpError{
-			Op:   "write",
-			Net:  "udp",
-			Addr: addr,
-			Err:  errInvalidAddr,
-		}
-	}
-
-	if udpAddr.IP.To4() == nil {
-		if d.ipv6Conn != nil {
-			return d.ipv6Conn.WriteTo(b, addr)
-		}
-		return 0, &net.OpError{
-			Op:   "write",
-			Net:  "udp6",
-			Addr: addr,
-			Err:  errNoIPv6Conn,
-		}
-	}
-
-	if d.ipv4Conn != nil {
-		return d.ipv4Conn.WriteTo(b, addr)
-	}
-	return 0, &net.OpError{
-		Op:   "write",
-		Net:  "udp4",
-		Addr: addr,
-		Err:  errNoIPv4Conn,
-	}
-}
-
-// Close closes both connections.
-func (d *DualStackPacketConn) Close() error {
-	var result *multierror.Error
-	if d.ipv4Conn != nil {
-		if err := d.ipv4Conn.Close(); err != nil {
-			result = multierror.Append(result, err)
-		}
-	}
-	if d.ipv6Conn != nil {
-		if err := d.ipv6Conn.Close(); err != nil {
-			result = multierror.Append(result, err)
-		}
-	}
-	return nberrors.FormatErrorOrNil(result)
-}
-
-// LocalAddr returns the local address of the IPv4 connection if available,
-// otherwise the IPv6 connection.
-func (d *DualStackPacketConn) LocalAddr() net.Addr {
-	if d.ipv4Conn != nil {
-		return d.ipv4Conn.LocalAddr()
-	}
-	if d.ipv6Conn != nil {
-		return d.ipv6Conn.LocalAddr()
-	}
-	return nil
-}
-
-// SetDeadline sets the deadline for both connections.
-func (d *DualStackPacketConn) SetDeadline(t time.Time) error {
-	var result *multierror.Error
-	if d.ipv4Conn != nil {
-		if err := d.ipv4Conn.SetDeadline(t); err != nil {
-			result = multierror.Append(result, err)
-		}
-	}
-	if d.ipv6Conn != nil {
-		if err := d.ipv6Conn.SetDeadline(t); err != nil {
-			result = multierror.Append(result, err)
-		}
-	}
-	return nberrors.FormatErrorOrNil(result)
-}
-
-// SetReadDeadline sets the read deadline for both connections.
-func (d *DualStackPacketConn) SetReadDeadline(t time.Time) error {
-	var result *multierror.Error
-	if d.ipv4Conn != nil {
-		if err := d.ipv4Conn.SetReadDeadline(t); err != nil {
-			result = multierror.Append(result, err)
-		}
-	}
-	if d.ipv6Conn != nil {
-		if err := d.ipv6Conn.SetReadDeadline(t); err != nil {
-			result = multierror.Append(result, err)
-		}
-	}
-	return nberrors.FormatErrorOrNil(result)
-}
-
-// SetWriteDeadline sets the write deadline for both connections.
-func (d *DualStackPacketConn) SetWriteDeadline(t time.Time) error {
-	var result *multierror.Error
-	if d.ipv4Conn != nil {
-		if err := d.ipv4Conn.SetWriteDeadline(t); err != nil {
-			result = multierror.Append(result, err)
-		}
-	}
-	if d.ipv6Conn != nil {
-		if err := d.ipv6Conn.SetWriteDeadline(t); err != nil {
-			result = multierror.Append(result, err)
-		}
-	}
-	return nberrors.FormatErrorOrNil(result)
-}
--- a/client/iface/bind/dual_stack_conn_bench_test.go
+++ b/client/iface/bind/dual_stack_conn_bench_test.go
@@ -1,119 +0,0 @@
-package bind
-
-import (
-	"net"
-	"testing"
-)
-
-var (
-	ipv4Addr = &net.UDPAddr{IP: net.ParseIP("127.0.0.1"), Port: 12345}
-	ipv6Addr = &net.UDPAddr{IP: net.ParseIP("::1"), Port: 12345}
-	payload  = make([]byte, 1200)
-)
-
-func BenchmarkWriteTo_DirectUDPConn(b *testing.B) {
-	conn, err := net.ListenUDP("udp4", &net.UDPAddr{IP: net.IPv4zero, Port: 0})
-	if err != nil {
-		b.Fatal(err)
-	}
-	defer conn.Close()
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		_, _ = conn.WriteTo(payload, ipv4Addr)
-	}
-}
-
-func BenchmarkWriteTo_DualStack_IPv4Only(b *testing.B) {
-	conn, err := net.ListenUDP("udp4", &net.UDPAddr{IP: net.IPv4zero, Port: 0})
-	if err != nil {
-		b.Fatal(err)
-	}
-	defer conn.Close()
-
-	ds := NewDualStackPacketConn(conn, nil)
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		_, _ = ds.WriteTo(payload, ipv4Addr)
-	}
-}
-
-func BenchmarkWriteTo_DualStack_IPv6Only(b *testing.B) {
-	conn, err := net.ListenUDP("udp6", &net.UDPAddr{IP: net.IPv6zero, Port: 0})
-	if err != nil {
-		b.Skipf("IPv6 not available: %v", err)
-	}
-	defer conn.Close()
-
-	ds := NewDualStackPacketConn(nil, conn)
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		_, _ = ds.WriteTo(payload, ipv6Addr)
-	}
-}
-
-func BenchmarkWriteTo_DualStack_Both_IPv4Traffic(b *testing.B) {
-	conn4, err := net.ListenUDP("udp4", &net.UDPAddr{IP: net.IPv4zero, Port: 0})
-	if err != nil {
-		b.Fatal(err)
-	}
-	defer conn4.Close()
-
-	conn6, err := net.ListenUDP("udp6", &net.UDPAddr{IP: net.IPv6zero, Port: 0})
-	if err != nil {
-		b.Skipf("IPv6 not available: %v", err)
-	}
-	defer conn6.Close()
-
-	ds := NewDualStackPacketConn(conn4, conn6)
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		_, _ = ds.WriteTo(payload, ipv4Addr)
-	}
-}
-
-func BenchmarkWriteTo_DualStack_Both_IPv6Traffic(b *testing.B) {
-	conn4, err := net.ListenUDP("udp4", &net.UDPAddr{IP: net.IPv4zero, Port: 0})
-	if err != nil {
-		b.Fatal(err)
-	}
-	defer conn4.Close()
-
-	conn6, err := net.ListenUDP("udp6", &net.UDPAddr{IP: net.IPv6zero, Port: 0})
-	if err != nil {
-		b.Skipf("IPv6 not available: %v", err)
-	}
-	defer conn6.Close()
-
-	ds := NewDualStackPacketConn(conn4, conn6)
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		_, _ = ds.WriteTo(payload, ipv6Addr)
-	}
-}
-
-func BenchmarkWriteTo_DualStack_Both_MixedTraffic(b *testing.B) {
-	conn4, err := net.ListenUDP("udp4", &net.UDPAddr{IP: net.IPv4zero, Port: 0})
-	if err != nil {
-		b.Fatal(err)
-	}
-	defer conn4.Close()
-
-	conn6, err := net.ListenUDP("udp6", &net.UDPAddr{IP: net.IPv6zero, Port: 0})
-	if err != nil {
-		b.Skipf("IPv6 not available: %v", err)
-	}
-	defer conn6.Close()
-
-	ds := NewDualStackPacketConn(conn4, conn6)
-	addrs := []net.Addr{ipv4Addr, ipv6Addr}
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		_, _ = ds.WriteTo(payload, addrs[i&1])
-	}
-}
--- a/client/iface/bind/dual_stack_conn_test.go
+++ b/client/iface/bind/dual_stack_conn_test.go
@@ -1,191 +0,0 @@
-package bind
-
-import (
-	"net"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestDualStackPacketConn_RoutesWritesToCorrectSocket(t *testing.T) {
-	ipv4Conn := &mockPacketConn{network: "udp4"}
-	ipv6Conn := &mockPacketConn{network: "udp6"}
-	dualStack := NewDualStackPacketConn(ipv4Conn, ipv6Conn)
-
-	tests := []struct {
-		name       string
-		addr       *net.UDPAddr
-		wantSocket string
-	}{
-		{
-			name:       "IPv4 address",
-			addr:       &net.UDPAddr{IP: net.ParseIP("192.168.1.1"), Port: 1234},
-			wantSocket: "udp4",
-		},
-		{
-			name:       "IPv6 address",
-			addr:       &net.UDPAddr{IP: net.ParseIP("2001:db8::1"), Port: 1234},
-			wantSocket: "udp6",
-		},
-		{
-			name:       "IPv4-mapped IPv6 goes to IPv4",
-			addr:       &net.UDPAddr{IP: net.ParseIP("::ffff:192.168.1.1"), Port: 1234},
-			wantSocket: "udp4",
-		},
-		{
-			name:       "IPv4 loopback",
-			addr:       &net.UDPAddr{IP: net.ParseIP("127.0.0.1"), Port: 1234},
-			wantSocket: "udp4",
-		},
-		{
-			name:       "IPv6 loopback",
-			addr:       &net.UDPAddr{IP: net.ParseIP("::1"), Port: 1234},
-			wantSocket: "udp6",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			ipv4Conn.writeCount = 0
-			ipv6Conn.writeCount = 0
-
-			n, err := dualStack.WriteTo([]byte("test"), tt.addr)
-			require.NoError(t, err)
-			assert.Equal(t, 4, n)
-
-			if tt.wantSocket == "udp4" {
-				assert.Equal(t, 1, ipv4Conn.writeCount, "expected write to IPv4")
-				assert.Equal(t, 0, ipv6Conn.writeCount, "expected no write to IPv6")
-			} else {
-				assert.Equal(t, 0, ipv4Conn.writeCount, "expected no write to IPv4")
-				assert.Equal(t, 1, ipv6Conn.writeCount, "expected write to IPv6")
-			}
-		})
-	}
-}
-
-func TestDualStackPacketConn_IPv4OnlyRejectsIPv6(t *testing.T) {
-	dualStack := NewDualStackPacketConn(&mockPacketConn{network: "udp4"}, nil)
-
-	// IPv4 works
-	_, err := dualStack.WriteTo([]byte("test"), &net.UDPAddr{IP: net.ParseIP("192.168.1.1"), Port: 1234})
-	require.NoError(t, err)
-
-	// IPv6 fails
-	_, err = dualStack.WriteTo([]byte("test"), &net.UDPAddr{IP: net.ParseIP("2001:db8::1"), Port: 1234})
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "no IPv6 connection")
-}
-
-func TestDualStackPacketConn_IPv6OnlyRejectsIPv4(t *testing.T) {
-	dualStack := NewDualStackPacketConn(nil, &mockPacketConn{network: "udp6"})
-
-	// IPv6 works
-	_, err := dualStack.WriteTo([]byte("test"), &net.UDPAddr{IP: net.ParseIP("2001:db8::1"), Port: 1234})
-	require.NoError(t, err)
-
-	// IPv4 fails
-	_, err = dualStack.WriteTo([]byte("test"), &net.UDPAddr{IP: net.ParseIP("192.168.1.1"), Port: 1234})
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "no IPv4 connection")
-}
-
-// TestDualStackPacketConn_ReadFromIsNotUsedInHotPath documents that ReadFrom
-// only reads from one socket (IPv4 preferred). This is fine because the actual
-// receive path uses wireguard-go's BatchReader directly, not ReadFrom.
-func TestDualStackPacketConn_ReadFromIsNotUsedInHotPath(t *testing.T) {
-	ipv4Conn := &mockPacketConn{
-		network:  "udp4",
-		readData: []byte("from ipv4"),
-		readAddr: &net.UDPAddr{IP: net.ParseIP("192.168.1.1"), Port: 1234},
-	}
-	ipv6Conn := &mockPacketConn{
-		network:  "udp6",
-		readData: []byte("from ipv6"),
-		readAddr: &net.UDPAddr{IP: net.ParseIP("2001:db8::1"), Port: 1234},
-	}
-
-	dualStack := NewDualStackPacketConn(ipv4Conn, ipv6Conn)
-
-	buf := make([]byte, 100)
-	n, addr, err := dualStack.ReadFrom(buf)
-
-	require.NoError(t, err)
-	// reads from IPv4 (preferred) - this is expected behavior
-	assert.Equal(t, "from ipv4", string(buf[:n]))
-	assert.Equal(t, "192.168.1.1", addr.(*net.UDPAddr).IP.String())
-}
-
-func TestDualStackPacketConn_LocalAddrPrefersIPv4(t *testing.T) {
-	ipv4Addr := &net.UDPAddr{IP: net.ParseIP("0.0.0.0"), Port: 51820}
-	ipv6Addr := &net.UDPAddr{IP: net.ParseIP("::"), Port: 51820}
-
-	tests := []struct {
-		name     string
-		ipv4     net.PacketConn
-		ipv6     net.PacketConn
-		wantAddr net.Addr
-	}{
-		{
-			name:     "both available returns IPv4",
-			ipv4:     &mockPacketConn{localAddr: ipv4Addr},
-			ipv6:     &mockPacketConn{localAddr: ipv6Addr},
-			wantAddr: ipv4Addr,
-		},
-		{
-			name:     "IPv4 only",
-			ipv4:     &mockPacketConn{localAddr: ipv4Addr},
-			ipv6:     nil,
-			wantAddr: ipv4Addr,
-		},
-		{
-			name:     "IPv6 only",
-			ipv4:     nil,
-			ipv6:     &mockPacketConn{localAddr: ipv6Addr},
-			wantAddr: ipv6Addr,
-		},
-		{
-			name:     "neither returns nil",
-			ipv4:     nil,
-			ipv6:     nil,
-			wantAddr: nil,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			dualStack := NewDualStackPacketConn(tt.ipv4, tt.ipv6)
-			assert.Equal(t, tt.wantAddr, dualStack.LocalAddr())
-		})
-	}
-}
-
-// mock
-
-type mockPacketConn struct {
-	network    string
-	writeCount int
-	readData   []byte
-	readAddr   net.Addr
-	localAddr  net.Addr
-}
-
-func (m *mockPacketConn) ReadFrom(b []byte) (n int, addr net.Addr, err error) {
-	if m.readData != nil {
-		return copy(b, m.readData), m.readAddr, nil
-	}
-	return 0, nil, nil
-}
-
-func (m *mockPacketConn) WriteTo(b []byte, addr net.Addr) (n int, err error) {
-	m.writeCount++
-	return len(b), nil
-}
-
-func (m *mockPacketConn) Close() error                       { return nil }
-func (m *mockPacketConn) LocalAddr() net.Addr                { return m.localAddr }
-func (m *mockPacketConn) SetDeadline(t time.Time) error      { return nil }
-func (m *mockPacketConn) SetReadDeadline(t time.Time) error  { return nil }
-func (m *mockPacketConn) SetWriteDeadline(t time.Time) error { return nil }
--- a/client/iface/bind/ice_bind.go
+++ b/client/iface/bind/ice_bind.go
@@ -14,6 +14,7 @@ import (
 	"github.com/pion/stun/v3"
 	"github.com/pion/transport/v3"
 	log "github.com/sirupsen/logrus"
+	"golang.org/x/net/ipv4"
 	"golang.org/x/net/ipv6"
 	wgConn "golang.zx2c4.com/wireguard/conn"

@@ -27,7 +28,22 @@ type receiverCreator struct {
 }

 func (rc receiverCreator) CreateReceiverFn(pc wgConn.BatchReader, conn *net.UDPConn, rxOffload bool, msgPool *sync.Pool) wgConn.ReceiveFunc {
-	return rc.iceBind.createReceiverFn(pc, conn, rxOffload, msgPool)
+	if ipv4PC, ok := pc.(*ipv4.PacketConn); ok {
+		return rc.iceBind.createIPv4ReceiverFn(ipv4PC, conn, rxOffload, msgPool)
+	}
+	// IPv6 is currently not supported in the udpmux, this is a stub for compatibility with the
+	// wireguard-go ReceiverCreator interface which is called for both IPv4 and IPv6.
+	return func(bufs [][]byte, sizes []int, eps []wgConn.Endpoint) (n int, err error) {
+		buf := bufs[0]
+		size, ep, err := conn.ReadFromUDPAddrPort(buf)
+		if err != nil {
+			return 0, err
+		}
+		sizes[0] = size
+		stdEp := &wgConn.StdNetEndpoint{AddrPort: ep}
+		eps[0] = stdEp
+		return 1, nil
+	}
 }

 // ICEBind is a bind implementation with two main features:
@@ -57,8 +73,6 @@ type ICEBind struct {

 	muUDPMux sync.Mutex
 	udpMux   *udpmux.UniversalUDPMuxDefault
-	ipv4Conn *net.UDPConn
-	ipv6Conn *net.UDPConn
 }

 func NewICEBind(transportNet transport.Net, filterFn udpmux.FilterFn, address wgaddr.Address, mtu uint16) *ICEBind {
@@ -104,12 +118,6 @@ func (s *ICEBind) Close() error {

 	close(s.closedChan)

-	s.muUDPMux.Lock()
-	s.ipv4Conn = nil
-	s.ipv6Conn = nil
-	s.udpMux = nil
-	s.muUDPMux.Unlock()
-
 	return s.StdNetBind.Close()
 }

@@ -167,18 +175,19 @@ func (b *ICEBind) Send(bufs [][]byte, ep wgConn.Endpoint) error {
 	return nil
 }

-func (s *ICEBind) createReceiverFn(pc wgConn.BatchReader, conn *net.UDPConn, rxOffload bool, msgsPool *sync.Pool) wgConn.ReceiveFunc {
+func (s *ICEBind) createIPv4ReceiverFn(pc *ipv4.PacketConn, conn *net.UDPConn, rxOffload bool, msgsPool *sync.Pool) wgConn.ReceiveFunc {
 	s.muUDPMux.Lock()
 	defer s.muUDPMux.Unlock()

-	// Detect IPv4 vs IPv6 from connection's local address
-	if localAddr := conn.LocalAddr().(*net.UDPAddr); localAddr.IP.To4() != nil {
-		s.ipv4Conn = conn
-	} else {
-		s.ipv6Conn = conn
-	}
-	s.createOrUpdateMux()
-
+	s.udpMux = udpmux.NewUniversalUDPMuxDefault(
+		udpmux.UniversalUDPMuxParams{
+			UDPConn:   nbnet.WrapPacketConn(conn),
+			Net:       s.transportNet,
+			FilterFn:  s.filterFn,
+			WGAddress: s.address,
+			MTU:       s.mtu,
+		},
+	)
 	return func(bufs [][]byte, sizes []int, eps []wgConn.Endpoint) (n int, err error) {
 		msgs := getMessages(msgsPool)
 		for i := range bufs {
@@ -186,13 +195,12 @@ func (s *ICEBind) createReceiverFn(pc wgConn.BatchReader, conn *net.UDPConn, rxO
 			(*msgs)[i].OOB = (*msgs)[i].OOB[:cap((*msgs)[i].OOB)]
 		}
 		defer putMessages(msgs, msgsPool)
-
 		var numMsgs int
 		if runtime.GOOS == "linux" || runtime.GOOS == "android" {
 			if rxOffload {
 				readAt := len(*msgs) - (wgConn.IdealBatchSize / wgConn.UdpSegmentMaxDatagrams)
-				//nolint:staticcheck
-				_, err = pc.ReadBatch((*msgs)[readAt:], 0)
+				//nolint
+				numMsgs, err = pc.ReadBatch((*msgs)[readAt:], 0)
 				if err != nil {
 					return 0, err
 				}
@@ -214,12 +222,12 @@ func (s *ICEBind) createReceiverFn(pc wgConn.BatchReader, conn *net.UDPConn, rxO
 			}
 			numMsgs = 1
 		}
-
 		for i := 0; i < numMsgs; i++ {
 			msg := &(*msgs)[i]

 			// todo: handle err
-			if ok, _ := s.filterOutStunMessages(msg.Buffers, msg.N, msg.Addr); ok {
+			ok, _ := s.filterOutStunMessages(msg.Buffers, msg.N, msg.Addr)
+			if ok {
 				continue
 			}
 			sizes[i] = msg.N
@@ -240,38 +248,6 @@ func (s *ICEBind) createReceiverFn(pc wgConn.BatchReader, conn *net.UDPConn, rxO
 	}
 }

-// createOrUpdateMux creates or updates the UDP mux with the available connections.
-// Must be called with muUDPMux held.
-func (s *ICEBind) createOrUpdateMux() {
-	var muxConn net.PacketConn
-
-	switch {
-	case s.ipv4Conn != nil && s.ipv6Conn != nil:
-		muxConn = NewDualStackPacketConn(
-			nbnet.WrapPacketConn(s.ipv4Conn),
-			nbnet.WrapPacketConn(s.ipv6Conn),
-		)
-	case s.ipv4Conn != nil:
-		muxConn = nbnet.WrapPacketConn(s.ipv4Conn)
-	case s.ipv6Conn != nil:
-		muxConn = nbnet.WrapPacketConn(s.ipv6Conn)
-	default:
-		return
-	}
-
-	// Don't close the old mux - it doesn't own the underlying connections.
-	// The sockets are managed by WireGuard's StdNetBind, not by us.
-	s.udpMux = udpmux.NewUniversalUDPMuxDefault(
-		udpmux.UniversalUDPMuxParams{
-			UDPConn:   muxConn,
-			Net:       s.transportNet,
-			FilterFn:  s.filterFn,
-			WGAddress: s.address,
-			MTU:       s.mtu,
-		},
-	)
-}
-
 func (s *ICEBind) filterOutStunMessages(buffers [][]byte, n int, addr net.Addr) (bool, error) {
 	for i := range buffers {
 		if !stun.IsMessage(buffers[i]) {
@@ -284,14 +260,9 @@ func (s *ICEBind) filterOutStunMessages(buffers [][]byte, n int, addr net.Addr)
 			return true, err
 		}

-		s.muUDPMux.Lock()
-		mux := s.udpMux
-		s.muUDPMux.Unlock()
-
-		if mux != nil {
-			if muxErr := mux.HandleSTUNMessage(msg, addr); muxErr != nil {
-				log.Warnf("failed to handle STUN packet: %v", muxErr)
-			}
+		muxErr := s.udpMux.HandleSTUNMessage(msg, addr)
+		if muxErr != nil {
+			log.Warnf("failed to handle STUN packet")
 		}

 		buffers[i] = []byte{}
--- a/client/iface/bind/ice_bind_test.go
+++ b/client/iface/bind/ice_bind_test.go
@@ -1,324 +0,0 @@
-package bind
-
-import (
-	"fmt"
-	"net"
-	"net/netip"
-	"sync"
-	"testing"
-	"time"
-
-	"github.com/pion/transport/v3/stdnet"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"golang.org/x/net/ipv4"
-	"golang.org/x/net/ipv6"
-
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-)
-
-func TestICEBind_CreatesReceiverForBothIPv4AndIPv6(t *testing.T) {
-	iceBind := setupICEBind(t)
-
-	ipv4Conn, ipv6Conn := createDualStackConns(t)
-	defer ipv4Conn.Close()
-	defer ipv6Conn.Close()
-
-	rc := receiverCreator{iceBind}
-	pool := createMsgPool()
-
-	// Simulate wireguard-go calling CreateReceiverFn for IPv4
-	ipv4RecvFn := rc.CreateReceiverFn(ipv4.NewPacketConn(ipv4Conn), ipv4Conn, false, pool)
-	require.NotNil(t, ipv4RecvFn)
-
-	iceBind.muUDPMux.Lock()
-	assert.NotNil(t, iceBind.ipv4Conn, "should store IPv4 connection")
-	assert.Nil(t, iceBind.ipv6Conn, "IPv6 not added yet")
-	assert.NotNil(t, iceBind.udpMux, "mux should be created after first connection")
-	iceBind.muUDPMux.Unlock()
-
-	// Simulate wireguard-go calling CreateReceiverFn for IPv6
-	ipv6RecvFn := rc.CreateReceiverFn(ipv6.NewPacketConn(ipv6Conn), ipv6Conn, false, pool)
-	require.NotNil(t, ipv6RecvFn)
-
-	iceBind.muUDPMux.Lock()
-	assert.NotNil(t, iceBind.ipv4Conn, "should still have IPv4 connection")
-	assert.NotNil(t, iceBind.ipv6Conn, "should now have IPv6 connection")
-	assert.NotNil(t, iceBind.udpMux, "mux should still exist")
-	iceBind.muUDPMux.Unlock()
-
-	mux, err := iceBind.GetICEMux()
-	require.NoError(t, err)
-	require.NotNil(t, mux)
-}
-
-func TestICEBind_WorksWithIPv4Only(t *testing.T) {
-	iceBind := setupICEBind(t)
-
-	ipv4Conn, err := net.ListenUDP("udp4", &net.UDPAddr{IP: net.IPv4zero, Port: 0})
-	require.NoError(t, err)
-	defer ipv4Conn.Close()
-
-	rc := receiverCreator{iceBind}
-	recvFn := rc.CreateReceiverFn(ipv4.NewPacketConn(ipv4Conn), ipv4Conn, false, createMsgPool())
-	require.NotNil(t, recvFn)
-
-	iceBind.muUDPMux.Lock()
-	assert.NotNil(t, iceBind.ipv4Conn)
-	assert.Nil(t, iceBind.ipv6Conn)
-	assert.NotNil(t, iceBind.udpMux)
-	iceBind.muUDPMux.Unlock()
-
-	mux, err := iceBind.GetICEMux()
-	require.NoError(t, err)
-	require.NotNil(t, mux)
-}
-
-func TestICEBind_WorksWithIPv6Only(t *testing.T) {
-	iceBind := setupICEBind(t)
-
-	ipv6Conn, err := net.ListenUDP("udp6", &net.UDPAddr{IP: net.IPv6zero, Port: 0})
-	if err != nil {
-		t.Skipf("IPv6 not available: %v", err)
-	}
-	defer ipv6Conn.Close()
-
-	rc := receiverCreator{iceBind}
-	recvFn := rc.CreateReceiverFn(ipv6.NewPacketConn(ipv6Conn), ipv6Conn, false, createMsgPool())
-	require.NotNil(t, recvFn)
-
-	iceBind.muUDPMux.Lock()
-	assert.Nil(t, iceBind.ipv4Conn)
-	assert.NotNil(t, iceBind.ipv6Conn)
-	assert.NotNil(t, iceBind.udpMux)
-	iceBind.muUDPMux.Unlock()
-
-	mux, err := iceBind.GetICEMux()
-	require.NoError(t, err)
-	require.NotNil(t, mux)
-}
-
-// TestICEBind_SendsToIPv4AndIPv6PeersSimultaneously verifies that we can communicate
-// with peers on different address families through the same DualStackPacketConn.
-func TestICEBind_SendsToIPv4AndIPv6PeersSimultaneously(t *testing.T) {
-	// two "remote peers" listening on different address families
-	ipv4Peer := listenUDP(t, "udp4", "127.0.0.1:0")
-	defer ipv4Peer.Close()
-
-	ipv6Peer, err := net.ListenUDP("udp6", &net.UDPAddr{IP: net.IPv6loopback, Port: 0})
-	if err != nil {
-		t.Skipf("IPv6 not available: %v", err)
-	}
-	defer ipv6Peer.Close()
-
-	// our local dual-stack connection
-	ipv4Local := listenUDP(t, "udp4", "127.0.0.1:0")
-	defer ipv4Local.Close()
-
-	ipv6Local := listenUDP(t, "udp6", "[::1]:0")
-	defer ipv6Local.Close()
-
-	dualStack := NewDualStackPacketConn(ipv4Local, ipv6Local)
-
-	// send to both peers
-	_, err = dualStack.WriteTo([]byte("to-ipv4"), ipv4Peer.LocalAddr())
-	require.NoError(t, err)
-
-	_, err = dualStack.WriteTo([]byte("to-ipv6"), ipv6Peer.LocalAddr())
-	require.NoError(t, err)
-
-	// verify IPv4 peer got its packet from the IPv4 socket
-	buf := make([]byte, 100)
-	_ = ipv4Peer.SetReadDeadline(time.Now().Add(time.Second))
-	n, addr, err := ipv4Peer.ReadFrom(buf)
-	require.NoError(t, err)
-	assert.Equal(t, "to-ipv4", string(buf[:n]))
-	assert.Equal(t, ipv4Local.LocalAddr().(*net.UDPAddr).Port, addr.(*net.UDPAddr).Port)
-
-	// verify IPv6 peer got its packet from the IPv6 socket
-	_ = ipv6Peer.SetReadDeadline(time.Now().Add(time.Second))
-	n, addr, err = ipv6Peer.ReadFrom(buf)
-	require.NoError(t, err)
-	assert.Equal(t, "to-ipv6", string(buf[:n]))
-	assert.Equal(t, ipv6Local.LocalAddr().(*net.UDPAddr).Port, addr.(*net.UDPAddr).Port)
-}
-
-// TestICEBind_HandlesConcurrentMixedTraffic sends packets concurrently to both IPv4
-// and IPv6 peers. Verifies no packets get misrouted (IPv4 peer only gets v4- packets,
-// IPv6 peer only gets v6- packets). Some packet loss is acceptable for UDP.
-func TestICEBind_HandlesConcurrentMixedTraffic(t *testing.T) {
-	ipv4Peer := listenUDP(t, "udp4", "127.0.0.1:0")
-	defer ipv4Peer.Close()
-
-	ipv6Peer, err := net.ListenUDP("udp6", &net.UDPAddr{IP: net.IPv6loopback, Port: 0})
-	if err != nil {
-		t.Skipf("IPv6 not available: %v", err)
-	}
-	defer ipv6Peer.Close()
-
-	ipv4Local := listenUDP(t, "udp4", "127.0.0.1:0")
-	defer ipv4Local.Close()
-
-	ipv6Local := listenUDP(t, "udp6", "[::1]:0")
-	defer ipv6Local.Close()
-
-	dualStack := NewDualStackPacketConn(ipv4Local, ipv6Local)
-
-	const packetsPerFamily = 500
-
-	ipv4Received := make(chan string, packetsPerFamily)
-	ipv6Received := make(chan string, packetsPerFamily)
-
-	startGate := make(chan struct{})
-	var wg sync.WaitGroup
-
-	wg.Add(1)
-	go func() {
-		defer wg.Done()
-		buf := make([]byte, 100)
-		for i := 0; i < packetsPerFamily; i++ {
-			n, _, err := ipv4Peer.ReadFrom(buf)
-			if err != nil {
-				return
-			}
-			ipv4Received <- string(buf[:n])
-		}
-	}()
-
-	wg.Add(1)
-	go func() {
-		defer wg.Done()
-		buf := make([]byte, 100)
-		for i := 0; i < packetsPerFamily; i++ {
-			n, _, err := ipv6Peer.ReadFrom(buf)
-			if err != nil {
-				return
-			}
-			ipv6Received <- string(buf[:n])
-		}
-	}()
-
-	wg.Add(1)
-	go func() {
-		defer wg.Done()
-		<-startGate
-		for i := 0; i < packetsPerFamily; i++ {
-			_, _ = dualStack.WriteTo([]byte(fmt.Sprintf("v4-%04d", i)), ipv4Peer.LocalAddr())
-		}
-	}()
-
-	wg.Add(1)
-	go func() {
-		defer wg.Done()
-		<-startGate
-		for i := 0; i < packetsPerFamily; i++ {
-			_, _ = dualStack.WriteTo([]byte(fmt.Sprintf("v6-%04d", i)), ipv6Peer.LocalAddr())
-		}
-	}()
-
-	close(startGate)
-
-	time.AfterFunc(5*time.Second, func() {
-		_ = ipv4Peer.SetReadDeadline(time.Now())
-		_ = ipv6Peer.SetReadDeadline(time.Now())
-	})
-
-	wg.Wait()
-	close(ipv4Received)
-	close(ipv6Received)
-
-	ipv4Count := 0
-	for pkt := range ipv4Received {
-		require.True(t, len(pkt) >= 3 && pkt[:3] == "v4-", "IPv4 peer got misrouted packet: %s", pkt)
-		ipv4Count++
-	}
-
-	ipv6Count := 0
-	for pkt := range ipv6Received {
-		require.True(t, len(pkt) >= 3 && pkt[:3] == "v6-", "IPv6 peer got misrouted packet: %s", pkt)
-		ipv6Count++
-	}
-
-	assert.Equal(t, packetsPerFamily, ipv4Count)
-	assert.Equal(t, packetsPerFamily, ipv6Count)
-}
-
-func TestICEBind_DetectsAddressFamilyFromConnection(t *testing.T) {
-	tests := []struct {
-		name     string
-		network  string
-		addr     string
-		wantIPv4 bool
-	}{
-		{"IPv4 any", "udp4", "0.0.0.0:0", true},
-		{"IPv4 loopback", "udp4", "127.0.0.1:0", true},
-		{"IPv6 any", "udp6", "[::]:0", false},
-		{"IPv6 loopback", "udp6", "[::1]:0", false},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			addr, err := net.ResolveUDPAddr(tt.network, tt.addr)
-			require.NoError(t, err)
-
-			conn, err := net.ListenUDP(tt.network, addr)
-			if err != nil {
-				t.Skipf("%s not available: %v", tt.network, err)
-			}
-			defer conn.Close()
-
-			localAddr := conn.LocalAddr().(*net.UDPAddr)
-			isIPv4 := localAddr.IP.To4() != nil
-			assert.Equal(t, tt.wantIPv4, isIPv4)
-		})
-	}
-}
-
-// helpers
-
-func setupICEBind(t *testing.T) *ICEBind {
-	t.Helper()
-	transportNet, err := stdnet.NewNet()
-	require.NoError(t, err)
-
-	address := wgaddr.Address{
-		IP:      netip.MustParseAddr("100.64.0.1"),
-		Network: netip.MustParsePrefix("100.64.0.0/10"),
-	}
-	return NewICEBind(transportNet, nil, address, 1280)
-}
-
-func createDualStackConns(t *testing.T) (*net.UDPConn, *net.UDPConn) {
-	t.Helper()
-	ipv4Conn, err := net.ListenUDP("udp4", &net.UDPAddr{IP: net.IPv4zero, Port: 0})
-	require.NoError(t, err)
-
-	ipv6Conn, err := net.ListenUDP("udp6", &net.UDPAddr{IP: net.IPv6zero, Port: 0})
-	if err != nil {
-		ipv4Conn.Close()
-		t.Skipf("IPv6 not available: %v", err)
-	}
-	return ipv4Conn, ipv6Conn
-}
-
-func createMsgPool() *sync.Pool {
-	return &sync.Pool{
-		New: func() any {
-			msgs := make([]ipv6.Message, 1)
-			for i := range msgs {
-				msgs[i].Buffers = make(net.Buffers, 1)
-				msgs[i].OOB = make([]byte, 0, 40)
-			}
-			return &msgs
-		},
-	}
-}
-
-func listenUDP(t *testing.T, network, addr string) *net.UDPConn {
-	t.Helper()
-	udpAddr, err := net.ResolveUDPAddr(network, addr)
-	require.NoError(t, err)
-	conn, err := net.ListenUDP(network, udpAddr)
-	require.NoError(t, err)
-	return conn
-}
--- a/client/iface/configurer/common.go
+++ b/client/iface/configurer/common.go
@@ -3,22 +3,8 @@ package configurer
 import (
 	"net"
 	"net/netip"
-
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )

-// buildPresharedKeyConfig creates a wgtypes.Config for setting a preshared key on a peer.
-// This is a shared helper used by both kernel and userspace configurers.
-func buildPresharedKeyConfig(peerKey wgtypes.Key, psk wgtypes.Key, updateOnly bool) wgtypes.Config {
-	return wgtypes.Config{
-		Peers: []wgtypes.PeerConfig{{
-			PublicKey:    peerKey,
-			PresharedKey: &psk,
-			UpdateOnly:   updateOnly,
-		}},
-	}
-}
-
 func prefixesToIPNets(prefixes []netip.Prefix) []net.IPNet {
 	ipNets := make([]net.IPNet, len(prefixes))
 	for i, prefix := range prefixes {
--- a/client/iface/configurer/kernel_unix.go
+++ b/client/iface/configurer/kernel_unix.go
@@ -15,6 +15,8 @@ import (
 	"github.com/netbirdio/netbird/monotime"
 )

+var zeroKey wgtypes.Key
+
 type KernelConfigurer struct {
 	deviceName string
 }
@@ -46,18 +48,6 @@ func (c *KernelConfigurer) ConfigureInterface(privateKey string, port int) error
 	return nil
 }

-// SetPresharedKey sets the preshared key for a peer.
-// If updateOnly is true, only updates the existing peer; if false, creates or updates.
-func (c *KernelConfigurer) SetPresharedKey(peerKey string, psk wgtypes.Key, updateOnly bool) error {
-	parsedPeerKey, err := wgtypes.ParseKey(peerKey)
-	if err != nil {
-		return err
-	}
-
-	cfg := buildPresharedKeyConfig(parsedPeerKey, psk, updateOnly)
-	return c.configure(cfg)
-}
-
 func (c *KernelConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
 	if err != nil {
@@ -289,7 +279,7 @@ func (c *KernelConfigurer) FullStats() (*Stats, error) {
 			TxBytes:       p.TransmitBytes,
 			RxBytes:       p.ReceiveBytes,
 			LastHandshake: p.LastHandshakeTime,
-			PresharedKey:  [32]byte(p.PresharedKey),
+			PresharedKey:  p.PresharedKey != zeroKey,
 		}
 		if p.Endpoint != nil {
 			peer.Endpoint = *p.Endpoint
--- a/client/iface/configurer/uapi.go
+++ b/client/iface/configurer/uapi.go
@@ -5,18 +5,20 @@ package configurer
 import (
 	"net"

+	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/ipc"
 )

 func openUAPI(deviceName string) (net.Listener, error) {
 	uapiSock, err := ipc.UAPIOpen(deviceName)
 	if err != nil {
+		log.Errorf("failed to open uapi socket: %v", err)
 		return nil, err
 	}

 	listener, err := ipc.UAPIListen(deviceName, uapiSock)
 	if err != nil {
-		_ = uapiSock.Close()
+		log.Errorf("failed to listen on uapi socket: %v", err)
 		return nil, err
 	}

--- a/client/iface/configurer/usp.go
+++ b/client/iface/configurer/usp.go
@@ -22,16 +22,17 @@ import (
 )

 const (
-	privateKey                 = "private_key"
-	ipcKeyLastHandshakeTimeSec = "last_handshake_time_sec"
-	ipcKeyTxBytes              = "tx_bytes"
-	ipcKeyRxBytes              = "rx_bytes"
-	allowedIP                  = "allowed_ip"
-	endpoint                   = "endpoint"
-	fwmark                     = "fwmark"
-	listenPort                 = "listen_port"
-	publicKey                  = "public_key"
-	presharedKey               = "preshared_key"
+	privateKey                  = "private_key"
+	ipcKeyLastHandshakeTimeSec  = "last_handshake_time_sec"
+	ipcKeyLastHandshakeTimeNsec = "last_handshake_time_nsec"
+	ipcKeyTxBytes               = "tx_bytes"
+	ipcKeyRxBytes               = "rx_bytes"
+	allowedIP                   = "allowed_ip"
+	endpoint                    = "endpoint"
+	fwmark                      = "fwmark"
+	listenPort                  = "listen_port"
+	publicKey                   = "public_key"
+	presharedKey                = "preshared_key"
 )

 var ErrAllowedIPNotFound = fmt.Errorf("allowed IP not found")
@@ -54,14 +55,6 @@ func NewUSPConfigurer(device *device.Device, deviceName string, activityRecorder
 	return wgCfg
 }

-func NewUSPConfigurerNoUAPI(device *device.Device, deviceName string, activityRecorder *bind.ActivityRecorder) *WGUSPConfigurer {
-	return &WGUSPConfigurer{
-		device:           device,
-		deviceName:       deviceName,
-		activityRecorder: activityRecorder,
-	}
-}
-
 func (c *WGUSPConfigurer) ConfigureInterface(privateKey string, port int) error {
 	log.Debugf("adding Wireguard private key")
 	key, err := wgtypes.ParseKey(privateKey)
@@ -79,18 +72,6 @@ func (c *WGUSPConfigurer) ConfigureInterface(privateKey string, port int) error
 	return c.device.IpcSet(toWgUserspaceString(config))
 }

-// SetPresharedKey sets the preshared key for a peer.
-// If updateOnly is true, only updates the existing peer; if false, creates or updates.
-func (c *WGUSPConfigurer) SetPresharedKey(peerKey string, psk wgtypes.Key, updateOnly bool) error {
-	parsedPeerKey, err := wgtypes.ParseKey(peerKey)
-	if err != nil {
-		return err
-	}
-
-	cfg := buildPresharedKeyConfig(parsedPeerKey, psk, updateOnly)
-	return c.device.IpcSet(toWgUserspaceString(cfg))
-}
-
 func (c *WGUSPConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
 	if err != nil {
@@ -119,7 +100,7 @@ func (c *WGUSPConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix,
 		if err != nil {
 			return fmt.Errorf("failed to parse endpoint address: %w", err)
 		}
-		addrPort := netip.AddrPortFrom(addr.Unmap(), uint16(endpoint.Port))
+		addrPort := netip.AddrPortFrom(addr, uint16(endpoint.Port))
 		c.activityRecorder.UpsertAddress(peerKey, addrPort)
 	}
 	return nil
@@ -441,25 +422,13 @@ func toWgUserspaceString(wgCfg wgtypes.Config) string {
 		hexKey := hex.EncodeToString(p.PublicKey[:])
 		sb.WriteString(fmt.Sprintf("public_key=%s\n", hexKey))

-		if p.Remove {
-			sb.WriteString("remove=true\n")
-		}
-
-		if p.UpdateOnly {
-			sb.WriteString("update_only=true\n")
-		}
-
 		if p.PresharedKey != nil {
 			preSharedHexKey := hex.EncodeToString(p.PresharedKey[:])
 			sb.WriteString(fmt.Sprintf("preshared_key=%s\n", preSharedHexKey))
 		}

-		if p.Endpoint != nil {
-			sb.WriteString(fmt.Sprintf("endpoint=%s\n", p.Endpoint.String()))
-		}
-
-		if p.PersistentKeepaliveInterval != nil {
-			sb.WriteString(fmt.Sprintf("persistent_keepalive_interval=%d\n", int(p.PersistentKeepaliveInterval.Seconds())))
+		if p.Remove {
+			sb.WriteString("remove=true")
 		}

 		if p.ReplaceAllowedIPs {
@@ -469,6 +438,14 @@ func toWgUserspaceString(wgCfg wgtypes.Config) string {
 		for _, aip := range p.AllowedIPs {
 			sb.WriteString(fmt.Sprintf("allowed_ip=%s\n", aip.String()))
 		}
+
+		if p.Endpoint != nil {
+			sb.WriteString(fmt.Sprintf("endpoint=%s\n", p.Endpoint.String()))
+		}
+
+		if p.PersistentKeepaliveInterval != nil {
+			sb.WriteString(fmt.Sprintf("persistent_keepalive_interval=%d\n", int(p.PersistentKeepaliveInterval.Seconds())))
+		}
 	}
 	return sb.String()
 }
@@ -566,7 +543,7 @@ func parseStatus(deviceName, ipcStr string) (*Stats, error) {
 				continue
 			}

-			host, portStr, err := net.SplitHostPort(val)
+			host, portStr, err := net.SplitHostPort(strings.Trim(val, "[]"))
 			if err != nil {
 				log.Errorf("failed to parse endpoint: %v", err)
 				continue
@@ -622,9 +599,7 @@ func parseStatus(deviceName, ipcStr string) (*Stats, error) {
 				continue
 			}
 			if val != "" && val != "0000000000000000000000000000000000000000000000000000000000000000" {
-				if pskKey, err := hexToWireguardKey(val); err == nil {
-					currentPeer.PresharedKey = [32]byte(pskKey)
-				}
+				currentPeer.PresharedKey = true
 			}
 		}
 	}
--- a/client/iface/configurer/wgshow.go
+++ b/client/iface/configurer/wgshow.go
@@ -12,7 +12,7 @@ type Peer struct {
 	TxBytes       int64
 	RxBytes       int64
 	LastHandshake time.Time
-	PresharedKey  [32]byte
+	PresharedKey  bool
 }

 type Stats struct {
--- a/client/iface/device/adapter.go
+++ b/client/iface/device/adapter.go
@@ -2,7 +2,7 @@ package device

 // TunAdapter is an interface for create tun device from external service
 type TunAdapter interface {
-	ConfigureInterface(address string, addressV6 string, mtu int, dns string, searchDomains string, routes string) (int, error)
+	ConfigureInterface(address string, mtu int, dns string, searchDomains string, routes string) (int, error)
 	UpdateAddr(address string) error
 	ProtectSocket(fd int32) bool
 }
--- a/Show More
+++ b/Show More