update build

update gitignore
Add prototype UI clients
2026-04-13 21:16:18 -04:00 · 2025-11-24 18:24:16 +01:00 · 2025-11-01 12:17:03 +01:00 · 2025-11-01 12:17:02 +01:00
284 changed files with 45808 additions and 9232 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -31,3 +31,4 @@ infrastructure_files/setup-*.env
 .DS_Store
 vendor/
 /netbird
+client/ui/ui
--- a/client/cmd/debug.go
+++ b/client/cmd/debug.go
@@ -168,7 +168,7 @@ func runForDuration(cmd *cobra.Command, args []string) error {

 	client := proto.NewDaemonServiceClient(conn)

-	stat, err := client.Status(cmd.Context(), &proto.StatusRequest{ShouldRunProbes: true})
+	stat, err := client.Status(cmd.Context(), &proto.StatusRequest{})
 	if err != nil {
 		return fmt.Errorf("failed to get status: %v", status.Convert(err).Message())
 	}
@@ -303,18 +303,12 @@ func setSyncResponsePersistence(cmd *cobra.Command, args []string) error {

 func getStatusOutput(cmd *cobra.Command, anon bool) string {
 	var statusOutputString string
-	statusResp, err := getStatus(cmd.Context(), true)
+	statusResp, err := getStatus(cmd.Context())
 	if err != nil {
 		cmd.PrintErrf("Failed to get status: %v\n", err)
 	} else {
-		pm := profilemanager.NewProfileManager()
-		var profName string
-		if activeProf, err := pm.GetActiveProfile(); err == nil {
-			profName = activeProf.Name
-		}
-
 		statusOutputString = nbstatus.ParseToFullDetailSummary(
-			nbstatus.ConvertToStatusOutputOverview(statusResp, anon, "", nil, nil, nil, "", profName),
+			nbstatus.ConvertToStatusOutputOverview(statusResp, anon, "", nil, nil, nil, "", ""),
 		)
 	}
 	return statusOutputString
--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -68,7 +68,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {

 	ctx := internal.CtxInitState(cmd.Context())

-	resp, err := getStatus(ctx, false)
+	resp, err := getStatus(ctx)
 	if err != nil {
 		return err
 	}
@@ -121,7 +121,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 	return nil
 }

-func getStatus(ctx context.Context, shouldRunProbes bool) (*proto.StatusResponse, error) {
+func getStatus(ctx context.Context) (*proto.StatusResponse, error) {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to daemon error: %v\n"+
@@ -130,7 +130,7 @@ func getStatus(ctx context.Context, shouldRunProbes bool) (*proto.StatusResponse
 	}
 	defer conn.Close()

-	resp, err := proto.NewDaemonServiceClient(conn).Status(ctx, &proto.StatusRequest{GetFullPeerStatus: true, ShouldRunProbes: shouldRunProbes})
+	resp, err := proto.NewDaemonServiceClient(conn).Status(ctx, &proto.StatusRequest{GetFullPeerStatus: true, ShouldRunProbes: true})
 	if err != nil {
 		return nil, fmt.Errorf("status failed: %v", status.Convert(err).Message())
 	}
--- a/client/firewall/iptables/manager_linux.go
+++ b/client/firewall/iptables/manager_linux.go
@@ -260,22 +260,6 @@ func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	return m.router.UpdateSet(set, prefixes)
 }

-// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
-func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.AddInboundDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
-// RemoveInboundDNAT removes an inbound DNAT rule.
-func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.RemoveInboundDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
 func getConntrackEstablished() []string {
 	return []string{"-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
 }
--- a/client/firewall/iptables/router_linux.go
+++ b/client/firewall/iptables/router_linux.go
@@ -880,54 +880,6 @@ func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	return nberrors.FormatErrorOrNil(merr)
 }

-// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
-func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
-
-	if _, exists := r.rules[ruleID]; exists {
-		return nil
-	}
-
-	dnatRule := []string{
-		"-i", r.wgIface.Name(),
-		"-p", strings.ToLower(string(protocol)),
-		"--dport", strconv.Itoa(int(sourcePort)),
-		"-d", localAddr.String(),
-		"-m", "addrtype", "--dst-type", "LOCAL",
-		"-j", "DNAT",
-		"--to-destination", ":" + strconv.Itoa(int(targetPort)),
-	}
-
-	ruleInfo := ruleInfo{
-		table: tableNat,
-		chain: chainRTRDR,
-		rule:  dnatRule,
-	}
-
-	if err := r.iptablesClient.Append(ruleInfo.table, ruleInfo.chain, ruleInfo.rule...); err != nil {
-		return fmt.Errorf("add inbound DNAT rule: %w", err)
-	}
-	r.rules[ruleID] = ruleInfo.rule
-
-	r.updateState()
-	return nil
-}
-
-// RemoveInboundDNAT removes an inbound DNAT rule.
-func (r *router) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
-
-	if dnatRule, exists := r.rules[ruleID]; exists {
-		if err := r.iptablesClient.Delete(tableNat, chainRTRDR, dnatRule...); err != nil {
-			return fmt.Errorf("delete inbound DNAT rule: %w", err)
-		}
-		delete(r.rules, ruleID)
-	}
-
-	r.updateState()
-	return nil
-}
-
 func applyPort(flag string, port *firewall.Port) []string {
 	if port == nil {
 		return nil
--- a/client/firewall/manager/firewall.go
+++ b/client/firewall/manager/firewall.go
@@ -151,20 +151,14 @@ type Manager interface {

 	DisableRouting() error

-	// AddDNATRule adds outbound DNAT rule for forwarding external traffic to the NetBird network.
+	// AddDNATRule adds a DNAT rule
 	AddDNATRule(ForwardRule) (Rule, error)

-	// DeleteDNATRule deletes the outbound DNAT rule.
+	// DeleteDNATRule deletes a DNAT rule
 	DeleteDNATRule(Rule) error

 	// UpdateSet updates the set with the given prefixes
 	UpdateSet(hash Set, prefixes []netip.Prefix) error
-
-	// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services
-	AddInboundDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
-
-	// RemoveInboundDNAT removes inbound DNAT rule
-	RemoveInboundDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
 }

 func GenKey(format string, pair RouterPair) string {
--- a/client/firewall/nftables/manager_linux.go
+++ b/client/firewall/nftables/manager_linux.go
@@ -376,22 +376,6 @@ func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	return m.router.UpdateSet(set, prefixes)
 }

-// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
-func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.AddInboundDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
-// RemoveInboundDNAT removes an inbound DNAT rule.
-func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.RemoveInboundDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
 func (m *Manager) createWorkTable() (*nftables.Table, error) {
 	tables, err := m.rConn.ListTablesOfFamily(nftables.TableFamilyIPv4)
 	if err != nil {
--- a/client/firewall/nftables/router_linux.go
+++ b/client/firewall/nftables/router_linux.go
@@ -1350,103 +1350,6 @@ func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	return nil
 }

-// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
-func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
-
-	if _, exists := r.rules[ruleID]; exists {
-		return nil
-	}
-
-	protoNum, err := protoToInt(protocol)
-	if err != nil {
-		return fmt.Errorf("convert protocol to number: %w", err)
-	}
-
-	exprs := []expr.Any{
-		&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     ifname(r.wgIface.Name()),
-		},
-		&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 2},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 2,
-			Data:     []byte{protoNum},
-		},
-		&expr.Payload{
-			DestRegister: 3,
-			Base:         expr.PayloadBaseTransportHeader,
-			Offset:       2,
-			Len:          2,
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 3,
-			Data:     binaryutil.BigEndian.PutUint16(sourcePort),
-		},
-	}
-
-	exprs = append(exprs, applyPrefix(netip.PrefixFrom(localAddr, 32), false)...)
-
-	exprs = append(exprs,
-		&expr.Immediate{
-			Register: 1,
-			Data:     localAddr.AsSlice(),
-		},
-		&expr.Immediate{
-			Register: 2,
-			Data:     binaryutil.BigEndian.PutUint16(targetPort),
-		},
-		&expr.NAT{
-			Type:        expr.NATTypeDestNAT,
-			Family:      uint32(nftables.TableFamilyIPv4),
-			RegAddrMin:  1,
-			RegProtoMin: 2,
-			RegProtoMax: 0,
-		},
-	)
-
-	dnatRule := &nftables.Rule{
-		Table:    r.workTable,
-		Chain:    r.chains[chainNameRoutingRdr],
-		Exprs:    exprs,
-		UserData: []byte(ruleID),
-	}
-	r.conn.AddRule(dnatRule)
-
-	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf("add inbound DNAT rule: %w", err)
-	}
-
-	r.rules[ruleID] = dnatRule
-
-	return nil
-}
-
-// RemoveInboundDNAT removes an inbound DNAT rule.
-func (r *router) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	if err := r.refreshRulesMap(); err != nil {
-		return fmt.Errorf(refreshRulesMapError, err)
-	}
-
-	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
-
-	if rule, exists := r.rules[ruleID]; exists {
-		if err := r.conn.DelRule(rule); err != nil {
-			return fmt.Errorf("delete inbound DNAT rule %s: %w", ruleID, err)
-		}
-		if err := r.conn.Flush(); err != nil {
-			return fmt.Errorf("flush delete inbound DNAT rule: %w", err)
-		}
-		delete(r.rules, ruleID)
-	}
-
-	return nil
-}
-
 // applyNetwork generates nftables expressions for networks (CIDR) or sets
 func (r *router) applyNetwork(
 	network firewall.Network,
--- a/client/firewall/uspfilter/conntrack/common.go
+++ b/client/firewall/uspfilter/conntrack/common.go
@@ -22,8 +22,6 @@ type BaseConnTrack struct {
 	PacketsRx atomic.Uint64
 	BytesTx   atomic.Uint64
 	BytesRx   atomic.Uint64
-
-	DNATOrigPort atomic.Uint32
 }

 // these small methods will be inlined by the compiler
--- a/client/firewall/uspfilter/conntrack/tcp.go
+++ b/client/firewall/uspfilter/conntrack/tcp.go
@@ -157,7 +157,7 @@ func NewTCPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nftyp
 	return tracker
 }

-func (t *TCPTracker) updateIfExists(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, direction nftypes.Direction, size int) (ConnKey, uint16, bool) {
+func (t *TCPTracker) updateIfExists(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, direction nftypes.Direction, size int) (ConnKey, bool) {
 	key := ConnKey{
 		SrcIP:   srcIP,
 		DstIP:   dstIP,
@@ -171,30 +171,28 @@ func (t *TCPTracker) updateIfExists(srcIP, dstIP netip.Addr, srcPort, dstPort ui

 	if exists {
 		t.updateState(key, conn, flags, direction, size)
-		return key, uint16(conn.DNATOrigPort.Load()), true
+		return key, true
 	}

-	return key, 0, false
+	return key, false
 }

-// TrackOutbound records an outbound TCP connection and returns the original port if DNAT reversal is needed
-func (t *TCPTracker) TrackOutbound(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, size int) uint16 {
-	if _, origPort, exists := t.updateIfExists(dstIP, srcIP, dstPort, srcPort, flags, nftypes.Egress, size); exists {
-		return origPort
+// TrackOutbound records an outbound TCP connection
+func (t *TCPTracker) TrackOutbound(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, size int) {
+	if _, exists := t.updateIfExists(dstIP, srcIP, dstPort, srcPort, flags, nftypes.Egress, size); !exists {
+		// if (inverted direction) conn is not tracked, track this direction
+		t.track(srcIP, dstIP, srcPort, dstPort, flags, nftypes.Egress, nil, size)
 	}
-	// if (inverted direction) conn is not tracked, track this direction
-	t.track(srcIP, dstIP, srcPort, dstPort, flags, nftypes.Egress, nil, size, 0)
-	return 0
 }

 // TrackInbound processes an inbound TCP packet and updates connection state
-func (t *TCPTracker) TrackInbound(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, ruleID []byte, size int, dnatOrigPort uint16) {
-	t.track(srcIP, dstIP, srcPort, dstPort, flags, nftypes.Ingress, ruleID, size, dnatOrigPort)
+func (t *TCPTracker) TrackInbound(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, ruleID []byte, size int) {
+	t.track(srcIP, dstIP, srcPort, dstPort, flags, nftypes.Ingress, ruleID, size)
 }

 // track is the common implementation for tracking both inbound and outbound connections
-func (t *TCPTracker) track(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, direction nftypes.Direction, ruleID []byte, size int, origPort uint16) {
-	key, _, exists := t.updateIfExists(srcIP, dstIP, srcPort, dstPort, flags, direction, size)
+func (t *TCPTracker) track(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, direction nftypes.Direction, ruleID []byte, size int) {
+	key, exists := t.updateIfExists(srcIP, dstIP, srcPort, dstPort, flags, direction, size)
 	if exists || flags&TCPSyn == 0 {
 		return
 	}
@@ -212,13 +210,8 @@ func (t *TCPTracker) track(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, fla

 	conn.tombstone.Store(false)
 	conn.state.Store(int32(TCPStateNew))
-	conn.DNATOrigPort.Store(uint32(origPort))

-	if origPort != 0 {
-		t.logger.Trace4("New %s TCP connection: %s (port DNAT %d -> %d)", direction, key, origPort, dstPort)
-	} else {
-		t.logger.Trace2("New %s TCP connection: %s", direction, key)
-	}
+	t.logger.Trace2("New %s TCP connection: %s", direction, key)
 	t.updateState(key, conn, flags, direction, size)

 	t.mutex.Lock()
@@ -456,21 +449,6 @@ func (t *TCPTracker) cleanup() {
 	}
 }

-// GetConnection safely retrieves a connection state
-func (t *TCPTracker) GetConnection(srcIP netip.Addr, srcPort uint16, dstIP netip.Addr, dstPort uint16) (*TCPConnTrack, bool) {
-	t.mutex.RLock()
-	defer t.mutex.RUnlock()
-
-	key := ConnKey{
-		SrcIP:   srcIP,
-		DstIP:   dstIP,
-		SrcPort: srcPort,
-		DstPort: dstPort,
-	}
-	conn, exists := t.connections[key]
-	return conn, exists
-}
-
 // Close stops the cleanup routine and releases resources
 func (t *TCPTracker) Close() {
 	t.tickerCancel()
--- a/client/firewall/uspfilter/conntrack/tcp_test.go
+++ b/client/firewall/uspfilter/conntrack/tcp_test.go
@@ -603,7 +603,7 @@ func TestTCPInboundInitiatedConnection(t *testing.T) {
 	serverPort := uint16(80)

 	// 1. Client sends SYN (we receive it as inbound)
-	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPSyn, nil, 100, 0)
+	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPSyn, nil, 100)

 	key := ConnKey{
 		SrcIP:   clientIP,
@@ -623,12 +623,12 @@ func TestTCPInboundInitiatedConnection(t *testing.T) {
 	tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPSyn|TCPAck, 100)

 	// 3. Client sends ACK to complete handshake
-	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100, 0)
+	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100)
 	require.Equal(t, TCPStateEstablished, conn.GetState(), "Connection should be ESTABLISHED after handshake completion")

 	// 4. Test data transfer
 	// Client sends data
-	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPPush|TCPAck, nil, 1000, 0)
+	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPPush|TCPAck, nil, 1000)

 	// Server sends ACK for data
 	tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPAck, 100)
@@ -637,7 +637,7 @@ func TestTCPInboundInitiatedConnection(t *testing.T) {
 	tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPPush|TCPAck, 1500)

 	// Client sends ACK for data
-	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100, 0)
+	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100)

 	// Verify state and counters
 	require.Equal(t, TCPStateEstablished, conn.GetState())
--- a/client/firewall/uspfilter/conntrack/udp.go
+++ b/client/firewall/uspfilter/conntrack/udp.go
@@ -58,23 +58,20 @@ func NewUDPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nftyp
 	return tracker
 }

-// TrackOutbound records an outbound UDP connection and returns the original port if DNAT reversal is needed
-func (t *UDPTracker) TrackOutbound(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, size int) uint16 {
-	_, origPort, exists := t.updateIfExists(dstIP, srcIP, dstPort, srcPort, nftypes.Egress, size)
-	if exists {
-		return origPort
+// TrackOutbound records an outbound UDP connection
+func (t *UDPTracker) TrackOutbound(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, size int) {
+	if _, exists := t.updateIfExists(dstIP, srcIP, dstPort, srcPort, nftypes.Egress, size); !exists {
+		// if (inverted direction) conn is not tracked, track this direction
+		t.track(srcIP, dstIP, srcPort, dstPort, nftypes.Egress, nil, size)
 	}
-	// if (inverted direction) conn is not tracked, track this direction
-	t.track(srcIP, dstIP, srcPort, dstPort, nftypes.Egress, nil, size, 0)
-	return 0
 }

 // TrackInbound records an inbound UDP connection
-func (t *UDPTracker) TrackInbound(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, ruleID []byte, size int, dnatOrigPort uint16) {
-	t.track(srcIP, dstIP, srcPort, dstPort, nftypes.Ingress, ruleID, size, dnatOrigPort)
+func (t *UDPTracker) TrackInbound(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, ruleID []byte, size int) {
+	t.track(srcIP, dstIP, srcPort, dstPort, nftypes.Ingress, ruleID, size)
 }

-func (t *UDPTracker) updateIfExists(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, direction nftypes.Direction, size int) (ConnKey, uint16, bool) {
+func (t *UDPTracker) updateIfExists(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, direction nftypes.Direction, size int) (ConnKey, bool) {
 	key := ConnKey{
 		SrcIP:   srcIP,
 		DstIP:   dstIP,
@@ -89,15 +86,15 @@ func (t *UDPTracker) updateIfExists(srcIP netip.Addr, dstIP netip.Addr, srcPort
 	if exists {
 		conn.UpdateLastSeen()
 		conn.UpdateCounters(direction, size)
-		return key, uint16(conn.DNATOrigPort.Load()), true
+		return key, true
 	}

-	return key, 0, false
+	return key, false
 }

 // track is the common implementation for tracking both inbound and outbound connections
-func (t *UDPTracker) track(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, direction nftypes.Direction, ruleID []byte, size int, origPort uint16) {
-	key, _, exists := t.updateIfExists(srcIP, dstIP, srcPort, dstPort, direction, size)
+func (t *UDPTracker) track(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, direction nftypes.Direction, ruleID []byte, size int) {
+	key, exists := t.updateIfExists(srcIP, dstIP, srcPort, dstPort, direction, size)
 	if exists {
 		return
 	}
@@ -112,7 +109,6 @@ func (t *UDPTracker) track(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, d
 		SourcePort: srcPort,
 		DestPort:   dstPort,
 	}
-	conn.DNATOrigPort.Store(uint32(origPort))
 	conn.UpdateLastSeen()
 	conn.UpdateCounters(direction, size)

@@ -120,11 +116,7 @@ func (t *UDPTracker) track(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, d
 	t.connections[key] = conn
 	t.mutex.Unlock()

-	if origPort != 0 {
-		t.logger.Trace4("New %s UDP connection: %s (port DNAT %d -> %d)", direction, key, origPort, dstPort)
-	} else {
-		t.logger.Trace2("New %s UDP connection: %s", direction, key)
-	}
+	t.logger.Trace2("New %s UDP connection: %s", direction, key)
 	t.sendEvent(nftypes.TypeStart, conn, ruleID)
 }

--- a/client/firewall/uspfilter/filter.go
+++ b/client/firewall/uspfilter/filter.go
@@ -109,10 +109,6 @@ type Manager struct {
 	dnatMappings map[netip.Addr]netip.Addr
 	dnatMutex    sync.RWMutex
 	dnatBiMap    *biDNATMap
-
-	portDNATEnabled atomic.Bool
-	portDNATRules   []portDNATRule
-	portDNATMutex   sync.RWMutex
 }

 // decoder for packages
@@ -126,8 +122,6 @@ type decoder struct {
 	icmp6   layers.ICMPv6
 	decoded []gopacket.LayerType
 	parser  *gopacket.DecodingLayerParser
-
-	dnatOrigPort uint16
 }

 // Create userspace firewall manager constructor
@@ -202,7 +196,6 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		netstack:            netstack.IsEnabled(),
 		localForwarding:     enableLocalForwarding,
 		dnatMappings:        make(map[netip.Addr]netip.Addr),
-		portDNATRules:       []portDNATRule{},
 	}
 	m.routingEnabled.Store(false)

@@ -637,7 +630,7 @@ func (m *Manager) filterOutbound(packetData []byte, size int) bool {
 		return true
 	}

-	m.trackOutbound(d, srcIP, dstIP, packetData, size)
+	m.trackOutbound(d, srcIP, dstIP, size)
 	m.translateOutboundDNAT(packetData, d)

 	return false
@@ -681,26 +674,14 @@ func getTCPFlags(tcp *layers.TCP) uint8 {
 	return flags
 }

-func (m *Manager) trackOutbound(d *decoder, srcIP, dstIP netip.Addr, packetData []byte, size int) {
+func (m *Manager) trackOutbound(d *decoder, srcIP, dstIP netip.Addr, size int) {
 	transport := d.decoded[1]
 	switch transport {
 	case layers.LayerTypeUDP:
-		origPort := m.udpTracker.TrackOutbound(srcIP, dstIP, uint16(d.udp.SrcPort), uint16(d.udp.DstPort), size)
-		if origPort == 0 {
-			break
-		}
-		if err := m.rewriteUDPPort(packetData, d, origPort, sourcePortOffset); err != nil {
-			m.logger.Error1("failed to rewrite UDP port: %v", err)
-		}
+		m.udpTracker.TrackOutbound(srcIP, dstIP, uint16(d.udp.SrcPort), uint16(d.udp.DstPort), size)
 	case layers.LayerTypeTCP:
 		flags := getTCPFlags(&d.tcp)
-		origPort := m.tcpTracker.TrackOutbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, size)
-		if origPort == 0 {
-			break
-		}
-		if err := m.rewriteTCPPort(packetData, d, origPort, sourcePortOffset); err != nil {
-			m.logger.Error1("failed to rewrite TCP port: %v", err)
-		}
+		m.tcpTracker.TrackOutbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, size)
 	case layers.LayerTypeICMPv4:
 		m.icmpTracker.TrackOutbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, d.icmp4.Payload, size)
 	}
@@ -710,15 +691,13 @@ func (m *Manager) trackInbound(d *decoder, srcIP, dstIP netip.Addr, ruleID []byt
 	transport := d.decoded[1]
 	switch transport {
 	case layers.LayerTypeUDP:
-		m.udpTracker.TrackInbound(srcIP, dstIP, uint16(d.udp.SrcPort), uint16(d.udp.DstPort), ruleID, size, d.dnatOrigPort)
+		m.udpTracker.TrackInbound(srcIP, dstIP, uint16(d.udp.SrcPort), uint16(d.udp.DstPort), ruleID, size)
 	case layers.LayerTypeTCP:
 		flags := getTCPFlags(&d.tcp)
-		m.tcpTracker.TrackInbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, ruleID, size, d.dnatOrigPort)
+		m.tcpTracker.TrackInbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, ruleID, size)
 	case layers.LayerTypeICMPv4:
 		m.icmpTracker.TrackInbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, ruleID, d.icmp4.Payload, size)
 	}
-
-	d.dnatOrigPort = 0
 }

 // udpHooksDrop checks if any UDP hooks should drop the packet
@@ -780,20 +759,10 @@ func (m *Manager) filterInbound(packetData []byte, size int) bool {
 		return false
 	}

-	// TODO: optimize port DNAT by caching matched rules in conntrack
-	if translated := m.translateInboundPortDNAT(packetData, d, srcIP, dstIP); translated {
-		// Re-decode after port DNAT translation to update port information
-		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
-			m.logger.Error1("failed to re-decode packet after port DNAT: %v", err)
-			return true
-		}
-		srcIP, dstIP = m.extractIPs(d)
-	}
-
 	if translated := m.translateInboundReverse(packetData, d); translated {
 		// Re-decode after translation to get original addresses
 		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
-			m.logger.Error1("failed to re-decode packet after reverse DNAT: %v", err)
+			m.logger.Error1("Failed to re-decode packet after reverse DNAT: %v", err)
 			return true
 		}
 		srcIP, dstIP = m.extractIPs(d)
--- a/client/firewall/uspfilter/log/log.go
+++ b/client/firewall/uspfilter/log/log.go
@@ -50,8 +50,6 @@ type logMessage struct {
 	arg4   any
 	arg5   any
 	arg6   any
-	arg7   any
-	arg8   any
 }

 // Logger is a high-performance, non-blocking logger
@@ -96,6 +94,7 @@ func (l *Logger) SetLevel(level Level) {
 	log.Debugf("Set uspfilter logger loglevel to %v", levelStrings[level])
 }

+
 func (l *Logger) Error(format string) {
 	if l.level.Load() >= uint32(LevelError) {
 		select {
@@ -186,15 +185,6 @@ func (l *Logger) Debug2(format string, arg1, arg2 any) {
 	}
 }

-func (l *Logger) Debug3(format string, arg1, arg2, arg3 any) {
-	if l.level.Load() >= uint32(LevelDebug) {
-		select {
-		case l.msgChannel <- logMessage{level: LevelDebug, format: format, arg1: arg1, arg2: arg2, arg3: arg3}:
-		default:
-		}
-	}
-}
-
 func (l *Logger) Trace1(format string, arg1 any) {
 	if l.level.Load() >= uint32(LevelTrace) {
 		select {
@@ -249,16 +239,6 @@ func (l *Logger) Trace6(format string, arg1, arg2, arg3, arg4, arg5, arg6 any) {
 	}
 }

-// Trace8 logs a trace message with 8 arguments (8 placeholder in format string)
-func (l *Logger) Trace8(format string, arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8 any) {
-	if l.level.Load() >= uint32(LevelTrace) {
-		select {
-		case l.msgChannel <- logMessage{level: LevelTrace, format: format, arg1: arg1, arg2: arg2, arg3: arg3, arg4: arg4, arg5: arg5, arg6: arg6, arg7: arg7, arg8: arg8}:
-		default:
-		}
-	}
-}
-
 func (l *Logger) formatMessage(buf *[]byte, msg logMessage) {
 	*buf = (*buf)[:0]
 	*buf = time.Now().AppendFormat(*buf, "2006-01-02T15:04:05-07:00")
@@ -280,12 +260,6 @@ func (l *Logger) formatMessage(buf *[]byte, msg logMessage) {
 						argCount++
 						if msg.arg6 != nil {
 							argCount++
-							if msg.arg7 != nil {
-								argCount++
-								if msg.arg8 != nil {
-									argCount++
-								}
-							}
 						}
 					}
 				}
@@ -309,10 +283,6 @@ func (l *Logger) formatMessage(buf *[]byte, msg logMessage) {
 		formatted = fmt.Sprintf(msg.format, msg.arg1, msg.arg2, msg.arg3, msg.arg4, msg.arg5)
 	case 6:
 		formatted = fmt.Sprintf(msg.format, msg.arg1, msg.arg2, msg.arg3, msg.arg4, msg.arg5, msg.arg6)
-	case 7:
-		formatted = fmt.Sprintf(msg.format, msg.arg1, msg.arg2, msg.arg3, msg.arg4, msg.arg5, msg.arg6, msg.arg7)
-	case 8:
-		formatted = fmt.Sprintf(msg.format, msg.arg1, msg.arg2, msg.arg3, msg.arg4, msg.arg5, msg.arg6, msg.arg7, msg.arg8)
 	}

 	*buf = append(*buf, formatted...)
@@ -420,4 +390,4 @@ func (l *Logger) Stop(ctx context.Context) error {
 	case <-done:
 		return nil
 	}
-}
+}
--- a/client/firewall/uspfilter/nat.go
+++ b/client/firewall/uspfilter/nat.go
@@ -5,9 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net/netip"
-	"slices"

-	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
@@ -15,21 +13,6 @@ import (

 var ErrIPv4Only = errors.New("only IPv4 is supported for DNAT")

-var (
-	errInvalidIPHeaderLength = errors.New("invalid IP header length")
-)
-
-const (
-	// Port offsets in TCP/UDP headers
-	sourcePortOffset      = 0
-	destinationPortOffset = 2
-
-	// IP address offsets in IPv4 header
-	sourceIPOffset      = 12
-	destinationIPOffset = 16
-)
-
-// ipv4Checksum calculates IPv4 header checksum.
 func ipv4Checksum(header []byte) uint16 {
 	if len(header) < 20 {
 		return 0
@@ -69,7 +52,6 @@ func ipv4Checksum(header []byte) uint16 {
 	return ^uint16(sum)
 }

-// icmpChecksum calculates ICMP checksum.
 func icmpChecksum(data []byte) uint16 {
 	var sum1, sum2, sum3, sum4 uint32
 	i := 0
@@ -107,21 +89,11 @@ func icmpChecksum(data []byte) uint16 {
 	return ^uint16(sum)
 }

-// biDNATMap maintains bidirectional DNAT mappings.
 type biDNATMap struct {
 	forward map[netip.Addr]netip.Addr
 	reverse map[netip.Addr]netip.Addr
 }

-// portDNATRule represents a port-specific DNAT rule.
-type portDNATRule struct {
-	protocol   gopacket.LayerType
-	origPort   uint16
-	targetPort uint16
-	targetIP   netip.Addr
-}
-
-// newBiDNATMap creates a new bidirectional DNAT mapping structure.
 func newBiDNATMap() *biDNATMap {
 	return &biDNATMap{
 		forward: make(map[netip.Addr]netip.Addr),
@@ -129,13 +101,11 @@ func newBiDNATMap() *biDNATMap {
 	}
 }

-// set adds a bidirectional DNAT mapping between original and translated addresses.
 func (b *biDNATMap) set(original, translated netip.Addr) {
 	b.forward[original] = translated
 	b.reverse[translated] = original
 }

-// delete removes a bidirectional DNAT mapping for the given original address.
 func (b *biDNATMap) delete(original netip.Addr) {
 	if translated, exists := b.forward[original]; exists {
 		delete(b.forward, original)
@@ -143,25 +113,19 @@ func (b *biDNATMap) delete(original netip.Addr) {
 	}
 }

-// getTranslated returns the translated address for a given original address.
 func (b *biDNATMap) getTranslated(original netip.Addr) (netip.Addr, bool) {
 	translated, exists := b.forward[original]
 	return translated, exists
 }

-// getOriginal returns the original address for a given translated address.
 func (b *biDNATMap) getOriginal(translated netip.Addr) (netip.Addr, bool) {
 	original, exists := b.reverse[translated]
 	return original, exists
 }

-// AddInternalDNATMapping adds a 1:1 IP address mapping for internal DNAT translation.
 func (m *Manager) AddInternalDNATMapping(originalAddr, translatedAddr netip.Addr) error {
-	if !originalAddr.IsValid() {
-		return fmt.Errorf("invalid original IP address")
-	}
-	if !translatedAddr.IsValid() {
-		return fmt.Errorf("invalid translated IP address")
+	if !originalAddr.IsValid() || !translatedAddr.IsValid() {
+		return fmt.Errorf("invalid IP addresses")
 	}

 	if m.localipmanager.IsLocalIP(translatedAddr) {
@@ -171,6 +135,7 @@ func (m *Manager) AddInternalDNATMapping(originalAddr, translatedAddr netip.Addr
 	m.dnatMutex.Lock()
 	defer m.dnatMutex.Unlock()

+	// Initialize both maps together if either is nil
 	if m.dnatMappings == nil || m.dnatBiMap == nil {
 		m.dnatMappings = make(map[netip.Addr]netip.Addr)
 		m.dnatBiMap = newBiDNATMap()
@@ -186,7 +151,7 @@ func (m *Manager) AddInternalDNATMapping(originalAddr, translatedAddr netip.Addr
 	return nil
 }

-// RemoveInternalDNATMapping removes a 1:1 IP address mapping.
+// RemoveInternalDNATMapping removes a 1:1 IP address mapping
 func (m *Manager) RemoveInternalDNATMapping(originalAddr netip.Addr) error {
 	m.dnatMutex.Lock()
 	defer m.dnatMutex.Unlock()
@@ -204,7 +169,7 @@ func (m *Manager) RemoveInternalDNATMapping(originalAddr netip.Addr) error {
 	return nil
 }

-// getDNATTranslation returns the translated address if a mapping exists.
+// getDNATTranslation returns the translated address if a mapping exists
 func (m *Manager) getDNATTranslation(addr netip.Addr) (netip.Addr, bool) {
 	if !m.dnatEnabled.Load() {
 		return addr, false
@@ -216,7 +181,7 @@ func (m *Manager) getDNATTranslation(addr netip.Addr) (netip.Addr, bool) {
 	return translated, exists
 }

-// findReverseDNATMapping finds original address for return traffic.
+// findReverseDNATMapping finds original address for return traffic
 func (m *Manager) findReverseDNATMapping(translatedAddr netip.Addr) (netip.Addr, bool) {
 	if !m.dnatEnabled.Load() {
 		return translatedAddr, false
@@ -228,12 +193,16 @@ func (m *Manager) findReverseDNATMapping(translatedAddr netip.Addr) (netip.Addr,
 	return original, exists
 }

-// translateOutboundDNAT applies DNAT translation to outbound packets.
+// translateOutboundDNAT applies DNAT translation to outbound packets
 func (m *Manager) translateOutboundDNAT(packetData []byte, d *decoder) bool {
 	if !m.dnatEnabled.Load() {
 		return false
 	}

+	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 {
+		return false
+	}
+
 	dstIP := netip.AddrFrom4([4]byte{packetData[16], packetData[17], packetData[18], packetData[19]})

 	translatedIP, exists := m.getDNATTranslation(dstIP)
@@ -241,8 +210,8 @@ func (m *Manager) translateOutboundDNAT(packetData []byte, d *decoder) bool {
 		return false
 	}

-	if err := m.rewritePacketIP(packetData, d, translatedIP, destinationIPOffset); err != nil {
-		m.logger.Error1("failed to rewrite packet destination: %v", err)
+	if err := m.rewritePacketDestination(packetData, d, translatedIP); err != nil {
+		m.logger.Error1("Failed to rewrite packet destination: %v", err)
 		return false
 	}

@@ -250,12 +219,16 @@ func (m *Manager) translateOutboundDNAT(packetData []byte, d *decoder) bool {
 	return true
 }

-// translateInboundReverse applies reverse DNAT to inbound return traffic.
+// translateInboundReverse applies reverse DNAT to inbound return traffic
 func (m *Manager) translateInboundReverse(packetData []byte, d *decoder) bool {
 	if !m.dnatEnabled.Load() {
 		return false
 	}

+	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 {
+		return false
+	}
+
 	srcIP := netip.AddrFrom4([4]byte{packetData[12], packetData[13], packetData[14], packetData[15]})

 	originalIP, exists := m.findReverseDNATMapping(srcIP)
@@ -263,8 +236,8 @@ func (m *Manager) translateInboundReverse(packetData []byte, d *decoder) bool {
 		return false
 	}

-	if err := m.rewritePacketIP(packetData, d, originalIP, sourceIPOffset); err != nil {
-		m.logger.Error1("failed to rewrite packet source: %v", err)
+	if err := m.rewritePacketSource(packetData, d, originalIP); err != nil {
+		m.logger.Error1("Failed to rewrite packet source: %v", err)
 		return false
 	}

@@ -272,21 +245,21 @@ func (m *Manager) translateInboundReverse(packetData []byte, d *decoder) bool {
 	return true
 }

-// rewritePacketIP replaces an IP address (source or destination) in the packet and updates checksums.
-func (m *Manager) rewritePacketIP(packetData []byte, d *decoder, newIP netip.Addr, ipOffset int) error {
-	if !newIP.Is4() {
+// rewritePacketDestination replaces destination IP in the packet
+func (m *Manager) rewritePacketDestination(packetData []byte, d *decoder, newIP netip.Addr) error {
+	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 || !newIP.Is4() {
 		return ErrIPv4Only
 	}

-	var oldIP [4]byte
-	copy(oldIP[:], packetData[ipOffset:ipOffset+4])
-	newIPBytes := newIP.As4()
+	var oldDst [4]byte
+	copy(oldDst[:], packetData[16:20])
+	newDst := newIP.As4()

-	copy(packetData[ipOffset:ipOffset+4], newIPBytes[:])
+	copy(packetData[16:20], newDst[:])

 	ipHeaderLen := int(d.ip4.IHL) * 4
 	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
-		return errInvalidIPHeaderLength
+		return fmt.Errorf("invalid IP header length")
 	}

 	binary.BigEndian.PutUint16(packetData[10:12], 0)
@@ -296,9 +269,44 @@ func (m *Manager) rewritePacketIP(packetData []byte, d *decoder, newIP netip.Add
 	if len(d.decoded) > 1 {
 		switch d.decoded[1] {
 		case layers.LayerTypeTCP:
-			m.updateTCPChecksum(packetData, ipHeaderLen, oldIP[:], newIPBytes[:])
+			m.updateTCPChecksum(packetData, ipHeaderLen, oldDst[:], newDst[:])
 		case layers.LayerTypeUDP:
-			m.updateUDPChecksum(packetData, ipHeaderLen, oldIP[:], newIPBytes[:])
+			m.updateUDPChecksum(packetData, ipHeaderLen, oldDst[:], newDst[:])
+		case layers.LayerTypeICMPv4:
+			m.updateICMPChecksum(packetData, ipHeaderLen)
+		}
+	}
+
+	return nil
+}
+
+// rewritePacketSource replaces the source IP address in the packet
+func (m *Manager) rewritePacketSource(packetData []byte, d *decoder, newIP netip.Addr) error {
+	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 || !newIP.Is4() {
+		return ErrIPv4Only
+	}
+
+	var oldSrc [4]byte
+	copy(oldSrc[:], packetData[12:16])
+	newSrc := newIP.As4()
+
+	copy(packetData[12:16], newSrc[:])
+
+	ipHeaderLen := int(d.ip4.IHL) * 4
+	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
+		return fmt.Errorf("invalid IP header length")
+	}
+
+	binary.BigEndian.PutUint16(packetData[10:12], 0)
+	ipChecksum := ipv4Checksum(packetData[:ipHeaderLen])
+	binary.BigEndian.PutUint16(packetData[10:12], ipChecksum)
+
+	if len(d.decoded) > 1 {
+		switch d.decoded[1] {
+		case layers.LayerTypeTCP:
+			m.updateTCPChecksum(packetData, ipHeaderLen, oldSrc[:], newSrc[:])
+		case layers.LayerTypeUDP:
+			m.updateUDPChecksum(packetData, ipHeaderLen, oldSrc[:], newSrc[:])
 		case layers.LayerTypeICMPv4:
 			m.updateICMPChecksum(packetData, ipHeaderLen)
 		}
@@ -307,7 +315,6 @@ func (m *Manager) rewritePacketIP(packetData []byte, d *decoder, newIP netip.Add
 	return nil
 }

-// updateTCPChecksum updates TCP checksum after IP address change per RFC 1624.
 func (m *Manager) updateTCPChecksum(packetData []byte, ipHeaderLen int, oldIP, newIP []byte) {
 	tcpStart := ipHeaderLen
 	if len(packetData) < tcpStart+18 {
@@ -320,7 +327,6 @@ func (m *Manager) updateTCPChecksum(packetData []byte, ipHeaderLen int, oldIP, n
 	binary.BigEndian.PutUint16(packetData[checksumOffset:checksumOffset+2], newChecksum)
 }

-// updateUDPChecksum updates UDP checksum after IP address change per RFC 1624.
 func (m *Manager) updateUDPChecksum(packetData []byte, ipHeaderLen int, oldIP, newIP []byte) {
 	udpStart := ipHeaderLen
 	if len(packetData) < udpStart+8 {
@@ -338,7 +344,6 @@ func (m *Manager) updateUDPChecksum(packetData []byte, ipHeaderLen int, oldIP, n
 	binary.BigEndian.PutUint16(packetData[checksumOffset:checksumOffset+2], newChecksum)
 }

-// updateICMPChecksum recalculates ICMP checksum after packet modification.
 func (m *Manager) updateICMPChecksum(packetData []byte, ipHeaderLen int) {
 	icmpStart := ipHeaderLen
 	if len(packetData) < icmpStart+8 {
@@ -351,7 +356,7 @@ func (m *Manager) updateICMPChecksum(packetData []byte, ipHeaderLen int) {
 	binary.BigEndian.PutUint16(icmpData[2:4], checksum)
 }

-// incrementalUpdate performs incremental checksum update per RFC 1624.
+// incrementalUpdate performs incremental checksum update per RFC 1624
 func incrementalUpdate(oldChecksum uint16, oldBytes, newBytes []byte) uint16 {
 	sum := uint32(^oldChecksum)

@@ -386,7 +391,7 @@ func incrementalUpdate(oldChecksum uint16, oldBytes, newBytes []byte) uint16 {
 	return ^uint16(sum)
 }

-// AddDNATRule adds outbound DNAT rule for forwarding external traffic to NetBird network.
+// AddDNATRule adds a DNAT rule (delegates to native firewall for port forwarding)
 func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
 	if m.nativeFirewall == nil {
 		return nil, errNatNotSupported
@@ -394,184 +399,10 @@ func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error)
 	return m.nativeFirewall.AddDNATRule(rule)
 }

-// DeleteDNATRule deletes outbound DNAT rule.
+// DeleteDNATRule deletes a DNAT rule (delegates to native firewall)
 func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
 	if m.nativeFirewall == nil {
 		return errNatNotSupported
 	}
 	return m.nativeFirewall.DeleteDNATRule(rule)
 }
-
-// addPortRedirection adds a port redirection rule.
-func (m *Manager) addPortRedirection(targetIP netip.Addr, protocol gopacket.LayerType, sourcePort, targetPort uint16) error {
-	m.portDNATMutex.Lock()
-	defer m.portDNATMutex.Unlock()
-
-	rule := portDNATRule{
-		protocol:   protocol,
-		origPort:   sourcePort,
-		targetPort: targetPort,
-		targetIP:   targetIP,
-	}
-
-	m.portDNATRules = append(m.portDNATRules, rule)
-	m.portDNATEnabled.Store(true)
-
-	return nil
-}
-
-// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
-func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	var layerType gopacket.LayerType
-	switch protocol {
-	case firewall.ProtocolTCP:
-		layerType = layers.LayerTypeTCP
-	case firewall.ProtocolUDP:
-		layerType = layers.LayerTypeUDP
-	default:
-		return fmt.Errorf("unsupported protocol: %s", protocol)
-	}
-
-	return m.addPortRedirection(localAddr, layerType, sourcePort, targetPort)
-}
-
-// removePortRedirection removes a port redirection rule.
-func (m *Manager) removePortRedirection(targetIP netip.Addr, protocol gopacket.LayerType, sourcePort, targetPort uint16) error {
-	m.portDNATMutex.Lock()
-	defer m.portDNATMutex.Unlock()
-
-	m.portDNATRules = slices.DeleteFunc(m.portDNATRules, func(rule portDNATRule) bool {
-		return rule.protocol == protocol && rule.origPort == sourcePort && rule.targetPort == targetPort && rule.targetIP.Compare(targetIP) == 0
-	})
-
-	if len(m.portDNATRules) == 0 {
-		m.portDNATEnabled.Store(false)
-	}
-
-	return nil
-}
-
-// RemoveInboundDNAT removes an inbound DNAT rule.
-func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	var layerType gopacket.LayerType
-	switch protocol {
-	case firewall.ProtocolTCP:
-		layerType = layers.LayerTypeTCP
-	case firewall.ProtocolUDP:
-		layerType = layers.LayerTypeUDP
-	default:
-		return fmt.Errorf("unsupported protocol: %s", protocol)
-	}
-
-	return m.removePortRedirection(localAddr, layerType, sourcePort, targetPort)
-}
-
-// translateInboundPortDNAT applies port-specific DNAT translation to inbound packets.
-func (m *Manager) translateInboundPortDNAT(packetData []byte, d *decoder, srcIP, dstIP netip.Addr) bool {
-	if !m.portDNATEnabled.Load() {
-		return false
-	}
-
-	switch d.decoded[1] {
-	case layers.LayerTypeTCP:
-		dstPort := uint16(d.tcp.DstPort)
-		return m.applyPortRule(packetData, d, srcIP, dstIP, dstPort, layers.LayerTypeTCP, m.rewriteTCPPort)
-	case layers.LayerTypeUDP:
-		dstPort := uint16(d.udp.DstPort)
-		return m.applyPortRule(packetData, d, netip.Addr{}, dstIP, dstPort, layers.LayerTypeUDP, m.rewriteUDPPort)
-	default:
-		return false
-	}
-}
-
-type portRewriteFunc func(packetData []byte, d *decoder, newPort uint16, portOffset int) error
-
-func (m *Manager) applyPortRule(packetData []byte, d *decoder, srcIP, dstIP netip.Addr, port uint16, protocol gopacket.LayerType, rewriteFn portRewriteFunc) bool {
-	m.portDNATMutex.RLock()
-	defer m.portDNATMutex.RUnlock()
-
-	for _, rule := range m.portDNATRules {
-		if rule.protocol != protocol || rule.targetIP.Compare(dstIP) != 0 {
-			continue
-		}
-
-		if rule.targetPort == port && rule.targetIP.Compare(srcIP) == 0 {
-			return false
-		}
-
-		if rule.origPort != port {
-			continue
-		}
-
-		if err := rewriteFn(packetData, d, rule.targetPort, destinationPortOffset); err != nil {
-			m.logger.Error1("failed to rewrite port: %v", err)
-			return false
-		}
-		d.dnatOrigPort = rule.origPort
-		return true
-	}
-	return false
-}
-
-// rewriteTCPPort rewrites a TCP port (source or destination) and updates checksum.
-func (m *Manager) rewriteTCPPort(packetData []byte, d *decoder, newPort uint16, portOffset int) error {
-	ipHeaderLen := int(d.ip4.IHL) * 4
-	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
-		return errInvalidIPHeaderLength
-	}
-
-	tcpStart := ipHeaderLen
-	if len(packetData) < tcpStart+4 {
-		return fmt.Errorf("packet too short for TCP header")
-	}
-
-	portStart := tcpStart + portOffset
-	oldPort := binary.BigEndian.Uint16(packetData[portStart : portStart+2])
-	binary.BigEndian.PutUint16(packetData[portStart:portStart+2], newPort)
-
-	if len(packetData) >= tcpStart+18 {
-		checksumOffset := tcpStart + 16
-		oldChecksum := binary.BigEndian.Uint16(packetData[checksumOffset : checksumOffset+2])
-
-		var oldPortBytes, newPortBytes [2]byte
-		binary.BigEndian.PutUint16(oldPortBytes[:], oldPort)
-		binary.BigEndian.PutUint16(newPortBytes[:], newPort)
-
-		newChecksum := incrementalUpdate(oldChecksum, oldPortBytes[:], newPortBytes[:])
-		binary.BigEndian.PutUint16(packetData[checksumOffset:checksumOffset+2], newChecksum)
-	}
-
-	return nil
-}
-
-// rewriteUDPPort rewrites a UDP port (source or destination) and updates checksum.
-func (m *Manager) rewriteUDPPort(packetData []byte, d *decoder, newPort uint16, portOffset int) error {
-	ipHeaderLen := int(d.ip4.IHL) * 4
-	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
-		return errInvalidIPHeaderLength
-	}
-
-	udpStart := ipHeaderLen
-	if len(packetData) < udpStart+8 {
-		return fmt.Errorf("packet too short for UDP header")
-	}
-
-	portStart := udpStart + portOffset
-	oldPort := binary.BigEndian.Uint16(packetData[portStart : portStart+2])
-	binary.BigEndian.PutUint16(packetData[portStart:portStart+2], newPort)
-
-	checksumOffset := udpStart + 6
-	if len(packetData) >= udpStart+8 {
-		oldChecksum := binary.BigEndian.Uint16(packetData[checksumOffset : checksumOffset+2])
-		if oldChecksum != 0 {
-			var oldPortBytes, newPortBytes [2]byte
-			binary.BigEndian.PutUint16(oldPortBytes[:], oldPort)
-			binary.BigEndian.PutUint16(newPortBytes[:], newPort)
-
-			newChecksum := incrementalUpdate(oldChecksum, oldPortBytes[:], newPortBytes[:])
-			binary.BigEndian.PutUint16(packetData[checksumOffset:checksumOffset+2], newChecksum)
-		}
-	}
-
-	return nil
-}
--- a/client/firewall/uspfilter/nat_bench_test.go
+++ b/client/firewall/uspfilter/nat_bench_test.go
@@ -414,127 +414,3 @@ func BenchmarkChecksumOptimizations(b *testing.B) {
 		}
 	})
 }
-
-// BenchmarkPortDNAT measures the performance of port DNAT operations
-func BenchmarkPortDNAT(b *testing.B) {
-	scenarios := []struct {
-		name         string
-		proto        layers.IPProtocol
-		setupDNAT    bool
-		useMatchPort bool
-		description  string
-	}{
-		{
-			name:         "tcp_inbound_dnat_match",
-			proto:        layers.IPProtocolTCP,
-			setupDNAT:    true,
-			useMatchPort: true,
-			description:  "TCP inbound port DNAT translation (22 → 22022)",
-		},
-		{
-			name:         "tcp_inbound_dnat_nomatch",
-			proto:        layers.IPProtocolTCP,
-			setupDNAT:    true,
-			useMatchPort: false,
-			description:  "TCP inbound with DNAT configured but no port match",
-		},
-		{
-			name:         "tcp_inbound_no_dnat",
-			proto:        layers.IPProtocolTCP,
-			setupDNAT:    false,
-			useMatchPort: false,
-			description:  "TCP inbound without DNAT (baseline)",
-		},
-		{
-			name:         "udp_inbound_dnat_match",
-			proto:        layers.IPProtocolUDP,
-			setupDNAT:    true,
-			useMatchPort: true,
-			description:  "UDP inbound port DNAT translation (5353 → 22054)",
-		},
-		{
-			name:         "udp_inbound_dnat_nomatch",
-			proto:        layers.IPProtocolUDP,
-			setupDNAT:    true,
-			useMatchPort: false,
-			description:  "UDP inbound with DNAT configured but no port match",
-		},
-		{
-			name:         "udp_inbound_no_dnat",
-			proto:        layers.IPProtocolUDP,
-			setupDNAT:    false,
-			useMatchPort: false,
-			description:  "UDP inbound without DNAT (baseline)",
-		},
-	}
-
-	for _, sc := range scenarios {
-		b.Run(sc.name, func(b *testing.B) {
-			manager, err := Create(&IFaceMock{
-				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
-			require.NoError(b, err)
-			defer func() {
-				require.NoError(b, manager.Close(nil))
-			}()
-
-			// Set logger to error level to reduce noise during benchmarking
-			manager.SetLogLevel(log.ErrorLevel)
-			defer func() {
-				// Restore to info level after benchmark
-				manager.SetLogLevel(log.InfoLevel)
-			}()
-
-			localAddr := netip.MustParseAddr("100.0.2.175")
-			clientIP := netip.MustParseAddr("100.0.169.249")
-
-			var origPort, targetPort, testPort uint16
-			if sc.proto == layers.IPProtocolTCP {
-				origPort, targetPort = 22, 22022
-			} else {
-				origPort, targetPort = 5353, 22054
-			}
-
-			if sc.useMatchPort {
-				testPort = origPort
-			} else {
-				testPort = 443 // Different port
-			}
-
-			// Setup port DNAT mapping if needed
-			if sc.setupDNAT {
-				err := manager.AddInboundDNAT(localAddr, protocolToFirewall(sc.proto), origPort, targetPort)
-				require.NoError(b, err)
-			}
-
-			// Pre-establish inbound connection for outbound reverse test
-			if sc.setupDNAT && sc.useMatchPort {
-				inboundPacket := generateDNATTestPacket(b, clientIP, localAddr, sc.proto, 54321, origPort)
-				manager.filterInbound(inboundPacket, 0)
-			}
-
-			b.ResetTimer()
-			b.ReportAllocs()
-
-			// Benchmark inbound DNAT translation
-			b.Run("inbound", func(b *testing.B) {
-				for i := 0; i < b.N; i++ {
-					// Create fresh packet each time
-					packet := generateDNATTestPacket(b, clientIP, localAddr, sc.proto, 54321, testPort)
-					manager.filterInbound(packet, 0)
-				}
-			})
-
-			// Benchmark outbound reverse DNAT translation (only if DNAT is set up and port matches)
-			if sc.setupDNAT && sc.useMatchPort {
-				b.Run("outbound_reverse", func(b *testing.B) {
-					for i := 0; i < b.N; i++ {
-						// Create fresh return packet (from target port)
-						packet := generateDNATTestPacket(b, localAddr, clientIP, sc.proto, targetPort, 54321)
-						manager.filterOutbound(packet, 0)
-					}
-				})
-			}
-		})
-	}
-}
--- a/client/firewall/uspfilter/nat_test.go
+++ b/client/firewall/uspfilter/nat_test.go
@@ -8,7 +8,6 @@ import (
 	"github.com/google/gopacket/layers"
 	"github.com/stretchr/testify/require"

-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface/device"
 )

@@ -144,111 +143,3 @@ func TestDNATMappingManagement(t *testing.T) {
 	err = manager.RemoveInternalDNATMapping(originalIP)
 	require.Error(t, err, "Should error when removing non-existent mapping")
 }
-
-func TestInboundPortDNAT(t *testing.T) {
-	manager, err := Create(&IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, manager.Close(nil))
-	}()
-
-	localAddr := netip.MustParseAddr("100.0.2.175")
-	clientIP := netip.MustParseAddr("100.0.169.249")
-
-	testCases := []struct {
-		name       string
-		protocol   layers.IPProtocol
-		sourcePort uint16
-		targetPort uint16
-	}{
-		{"TCP SSH", layers.IPProtocolTCP, 22, 22022},
-		{"UDP DNS", layers.IPProtocolUDP, 5353, 22054},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			err := manager.AddInboundDNAT(localAddr, protocolToFirewall(tc.protocol), tc.sourcePort, tc.targetPort)
-			require.NoError(t, err)
-
-			inboundPacket := generateDNATTestPacket(t, clientIP, localAddr, tc.protocol, 54321, tc.sourcePort)
-			d := parsePacket(t, inboundPacket)
-
-			translated := manager.translateInboundPortDNAT(inboundPacket, d, clientIP, localAddr)
-			require.True(t, translated, "Inbound packet should be translated")
-
-			d = parsePacket(t, inboundPacket)
-			var dstPort uint16
-			switch tc.protocol {
-			case layers.IPProtocolTCP:
-				dstPort = uint16(d.tcp.DstPort)
-			case layers.IPProtocolUDP:
-				dstPort = uint16(d.udp.DstPort)
-			}
-
-			require.Equal(t, tc.targetPort, dstPort, "Destination port should be rewritten to target port")
-
-			err = manager.RemoveInboundDNAT(localAddr, protocolToFirewall(tc.protocol), tc.sourcePort, tc.targetPort)
-			require.NoError(t, err)
-		})
-	}
-}
-
-func TestInboundPortDNATNegative(t *testing.T) {
-	manager, err := Create(&IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, manager.Close(nil))
-	}()
-
-	localAddr := netip.MustParseAddr("100.0.2.175")
-	clientIP := netip.MustParseAddr("100.0.169.249")
-
-	err = manager.AddInboundDNAT(localAddr, firewall.ProtocolTCP, 22, 22022)
-	require.NoError(t, err)
-
-	testCases := []struct {
-		name     string
-		protocol layers.IPProtocol
-		srcIP    netip.Addr
-		dstIP    netip.Addr
-		srcPort  uint16
-		dstPort  uint16
-	}{
-		{"Wrong port", layers.IPProtocolTCP, clientIP, localAddr, 54321, 80},
-		{"Wrong IP", layers.IPProtocolTCP, clientIP, netip.MustParseAddr("100.64.0.99"), 54321, 22},
-		{"Wrong protocol", layers.IPProtocolUDP, clientIP, localAddr, 54321, 22},
-		{"ICMP", layers.IPProtocolICMPv4, clientIP, localAddr, 0, 0},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			packet := generateDNATTestPacket(t, tc.srcIP, tc.dstIP, tc.protocol, tc.srcPort, tc.dstPort)
-			d := parsePacket(t, packet)
-
-			translated := manager.translateInboundPortDNAT(packet, d, tc.srcIP, tc.dstIP)
-			require.False(t, translated, "Packet should NOT be translated for %s", tc.name)
-
-			d = parsePacket(t, packet)
-			if tc.protocol == layers.IPProtocolTCP {
-				require.Equal(t, tc.dstPort, uint16(d.tcp.DstPort), "Port should remain unchanged")
-			} else if tc.protocol == layers.IPProtocolUDP {
-				require.Equal(t, tc.dstPort, uint16(d.udp.DstPort), "Port should remain unchanged")
-			}
-		})
-	}
-}
-
-func protocolToFirewall(proto layers.IPProtocol) firewall.Protocol {
-	switch proto {
-	case layers.IPProtocolTCP:
-		return firewall.ProtocolTCP
-	case layers.IPProtocolUDP:
-		return firewall.ProtocolUDP
-	default:
-		return firewall.ProtocolALL
-	}
-}
--- a/client/firewall/uspfilter/tracer.go
+++ b/client/firewall/uspfilter/tracer.go
@@ -16,33 +16,25 @@ type PacketStage int

 const (
 	StageReceived PacketStage = iota
-	StageInboundPortDNAT
-	StageInbound1to1NAT
 	StageConntrack
 	StagePeerACL
 	StageRouting
 	StageRouteACL
 	StageForwarding
 	StageCompleted
-	StageOutbound1to1NAT
-	StageOutboundPortReverse
 )

 const msgProcessingCompleted = "Processing completed"

 func (s PacketStage) String() string {
 	return map[PacketStage]string{
-		StageReceived:            "Received",
-		StageInboundPortDNAT:     "Inbound Port DNAT",
-		StageInbound1to1NAT:      "Inbound 1:1 NAT",
-		StageConntrack:           "Connection Tracking",
-		StagePeerACL:             "Peer ACL",
-		StageRouting:             "Routing",
-		StageRouteACL:            "Route ACL",
-		StageForwarding:          "Forwarding",
-		StageCompleted:           "Completed",
-		StageOutbound1to1NAT:     "Outbound 1:1 NAT",
-		StageOutboundPortReverse: "Outbound DNAT Reverse",
+		StageReceived:   "Received",
+		StageConntrack:  "Connection Tracking",
+		StagePeerACL:    "Peer ACL",
+		StageRouting:    "Routing",
+		StageRouteACL:   "Route ACL",
+		StageForwarding: "Forwarding",
+		StageCompleted:  "Completed",
 	}[s]
 }

@@ -269,10 +261,6 @@ func (m *Manager) TracePacket(packetData []byte, direction fw.RuleDirection) *Pa
 }

 func (m *Manager) traceInbound(packetData []byte, trace *PacketTrace, d *decoder, srcIP netip.Addr, dstIP netip.Addr) *PacketTrace {
-	if m.handleInboundDNAT(trace, packetData, d, &srcIP, &dstIP) {
-		return trace
-	}
-
 	if m.stateful && m.handleConntrackState(trace, d, srcIP, dstIP) {
 		return trace
 	}
@@ -412,16 +400,7 @@ func (m *Manager) addForwardingResult(trace *PacketTrace, action, remoteAddr str
 }

 func (m *Manager) traceOutbound(packetData []byte, trace *PacketTrace) *PacketTrace {
-	d := m.decoders.Get().(*decoder)
-	defer m.decoders.Put(d)
-
-	if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
-		trace.AddResult(StageCompleted, "Packet dropped - decode error", false)
-		return trace
-	}
-
-	m.handleOutboundDNAT(trace, packetData, d)
-
+	// will create or update the connection state
 	dropped := m.filterOutbound(packetData, 0)
 	if dropped {
 		trace.AddResult(StageCompleted, "Packet dropped by outgoing hook", false)
@@ -430,199 +409,3 @@ func (m *Manager) traceOutbound(packetData []byte, trace *PacketTrace) *PacketTr
 	}
 	return trace
 }
-
-func (m *Manager) handleInboundDNAT(trace *PacketTrace, packetData []byte, d *decoder, srcIP, dstIP *netip.Addr) bool {
-	portDNATApplied := m.traceInboundPortDNAT(trace, packetData, d)
-	if portDNATApplied {
-		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
-			trace.AddResult(StageInboundPortDNAT, "Failed to re-decode after port DNAT", false)
-			return true
-		}
-		*srcIP, *dstIP = m.extractIPs(d)
-		trace.DestinationPort = m.getDestPort(d)
-	}
-
-	nat1to1Applied := m.traceInbound1to1NAT(trace, packetData, d)
-	if nat1to1Applied {
-		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
-			trace.AddResult(StageInbound1to1NAT, "Failed to re-decode after 1:1 NAT", false)
-			return true
-		}
-		*srcIP, *dstIP = m.extractIPs(d)
-	}
-
-	return false
-}
-
-func (m *Manager) traceInboundPortDNAT(trace *PacketTrace, packetData []byte, d *decoder) bool {
-	if !m.portDNATEnabled.Load() {
-		trace.AddResult(StageInboundPortDNAT, "Port DNAT not enabled", true)
-		return false
-	}
-
-	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 {
-		trace.AddResult(StageInboundPortDNAT, "Not IPv4, skipping port DNAT", true)
-		return false
-	}
-
-	if len(d.decoded) < 2 {
-		trace.AddResult(StageInboundPortDNAT, "No transport layer, skipping port DNAT", true)
-		return false
-	}
-
-	protocol := d.decoded[1]
-	if protocol != layers.LayerTypeTCP && protocol != layers.LayerTypeUDP {
-		trace.AddResult(StageInboundPortDNAT, "Not TCP/UDP, skipping port DNAT", true)
-		return false
-	}
-
-	srcIP := netip.AddrFrom4([4]byte{packetData[12], packetData[13], packetData[14], packetData[15]})
-	dstIP := netip.AddrFrom4([4]byte{packetData[16], packetData[17], packetData[18], packetData[19]})
-	var originalPort uint16
-	if protocol == layers.LayerTypeTCP {
-		originalPort = uint16(d.tcp.DstPort)
-	} else {
-		originalPort = uint16(d.udp.DstPort)
-	}
-
-	translated := m.translateInboundPortDNAT(packetData, d, srcIP, dstIP)
-	if translated {
-		ipHeaderLen := int((packetData[0] & 0x0F) * 4)
-		translatedPort := uint16(packetData[ipHeaderLen+2])<<8 | uint16(packetData[ipHeaderLen+3])
-
-		protoStr := "TCP"
-		if protocol == layers.LayerTypeUDP {
-			protoStr = "UDP"
-		}
-		msg := fmt.Sprintf("%s port DNAT applied: %s:%d -> %s:%d", protoStr, dstIP, originalPort, dstIP, translatedPort)
-		trace.AddResult(StageInboundPortDNAT, msg, true)
-		return true
-	}
-
-	trace.AddResult(StageInboundPortDNAT, "No matching port DNAT rule", true)
-	return false
-}
-
-func (m *Manager) traceInbound1to1NAT(trace *PacketTrace, packetData []byte, d *decoder) bool {
-	if !m.dnatEnabled.Load() {
-		trace.AddResult(StageInbound1to1NAT, "1:1 NAT not enabled", true)
-		return false
-	}
-
-	srcIP := netip.AddrFrom4([4]byte{packetData[12], packetData[13], packetData[14], packetData[15]})
-
-	translated := m.translateInboundReverse(packetData, d)
-	if translated {
-		m.dnatMutex.RLock()
-		translatedIP, exists := m.dnatBiMap.getOriginal(srcIP)
-		m.dnatMutex.RUnlock()
-
-		if exists {
-			msg := fmt.Sprintf("1:1 NAT reverse applied: %s -> %s", srcIP, translatedIP)
-			trace.AddResult(StageInbound1to1NAT, msg, true)
-			return true
-		}
-	}
-
-	trace.AddResult(StageInbound1to1NAT, "No matching 1:1 NAT rule", true)
-	return false
-}
-
-func (m *Manager) handleOutboundDNAT(trace *PacketTrace, packetData []byte, d *decoder) {
-	m.traceOutbound1to1NAT(trace, packetData, d)
-	m.traceOutboundPortReverse(trace, packetData, d)
-}
-
-func (m *Manager) traceOutbound1to1NAT(trace *PacketTrace, packetData []byte, d *decoder) bool {
-	if !m.dnatEnabled.Load() {
-		trace.AddResult(StageOutbound1to1NAT, "1:1 NAT not enabled", true)
-		return false
-	}
-
-	dstIP := netip.AddrFrom4([4]byte{packetData[16], packetData[17], packetData[18], packetData[19]})
-
-	translated := m.translateOutboundDNAT(packetData, d)
-	if translated {
-		m.dnatMutex.RLock()
-		translatedIP, exists := m.dnatMappings[dstIP]
-		m.dnatMutex.RUnlock()
-
-		if exists {
-			msg := fmt.Sprintf("1:1 NAT applied: %s -> %s", dstIP, translatedIP)
-			trace.AddResult(StageOutbound1to1NAT, msg, true)
-			return true
-		}
-	}
-
-	trace.AddResult(StageOutbound1to1NAT, "No matching 1:1 NAT rule", true)
-	return false
-}
-
-func (m *Manager) traceOutboundPortReverse(trace *PacketTrace, packetData []byte, d *decoder) bool {
-	if !m.portDNATEnabled.Load() {
-		trace.AddResult(StageOutboundPortReverse, "Port DNAT not enabled", true)
-		return false
-	}
-
-	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 {
-		trace.AddResult(StageOutboundPortReverse, "Not IPv4, skipping port reverse", true)
-		return false
-	}
-
-	if len(d.decoded) < 2 {
-		trace.AddResult(StageOutboundPortReverse, "No transport layer, skipping port reverse", true)
-		return false
-	}
-
-	srcIP := netip.AddrFrom4([4]byte{packetData[12], packetData[13], packetData[14], packetData[15]})
-	dstIP := netip.AddrFrom4([4]byte{packetData[16], packetData[17], packetData[18], packetData[19]})
-
-	var origPort uint16
-	transport := d.decoded[1]
-	switch transport {
-	case layers.LayerTypeTCP:
-		srcPort := uint16(d.tcp.SrcPort)
-		dstPort := uint16(d.tcp.DstPort)
-		conn, exists := m.tcpTracker.GetConnection(dstIP, dstPort, srcIP, srcPort)
-		if exists {
-			origPort = uint16(conn.DNATOrigPort.Load())
-		}
-		if origPort != 0 {
-			msg := fmt.Sprintf("TCP DNAT reverse (tracked connection): %s:%d -> %s:%d", srcIP, srcPort, srcIP, origPort)
-			trace.AddResult(StageOutboundPortReverse, msg, true)
-			return true
-		}
-	case layers.LayerTypeUDP:
-		srcPort := uint16(d.udp.SrcPort)
-		dstPort := uint16(d.udp.DstPort)
-		conn, exists := m.udpTracker.GetConnection(dstIP, dstPort, srcIP, srcPort)
-		if exists {
-			origPort = uint16(conn.DNATOrigPort.Load())
-		}
-		if origPort != 0 {
-			msg := fmt.Sprintf("UDP DNAT reverse (tracked connection): %s:%d -> %s:%d", srcIP, srcPort, srcIP, origPort)
-			trace.AddResult(StageOutboundPortReverse, msg, true)
-			return true
-		}
-	default:
-		trace.AddResult(StageOutboundPortReverse, "Not TCP/UDP, skipping port reverse", true)
-		return false
-	}
-
-	trace.AddResult(StageOutboundPortReverse, "No tracked connection for DNAT reverse", true)
-	return false
-}
-
-func (m *Manager) getDestPort(d *decoder) uint16 {
-	if len(d.decoded) < 2 {
-		return 0
-	}
-	switch d.decoded[1] {
-	case layers.LayerTypeTCP:
-		return uint16(d.tcp.DstPort)
-	case layers.LayerTypeUDP:
-		return uint16(d.udp.DstPort)
-	default:
-		return 0
-	}
-}
--- a/client/firewall/uspfilter/tracer_test.go
+++ b/client/firewall/uspfilter/tracer_test.go
@@ -104,8 +104,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StagePeerACL,
@@ -128,8 +126,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StagePeerACL,
@@ -157,8 +153,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StagePeerACL,
@@ -185,8 +179,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StagePeerACL,
@@ -212,8 +204,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StageRouteACL,
@@ -238,8 +228,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StageRouteACL,
@@ -258,8 +246,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StageRouteACL,
@@ -278,8 +264,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StageCompleted,
@@ -303,8 +287,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageCompleted,
 			},
@@ -319,8 +301,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageOutbound1to1NAT,
-				StageOutboundPortReverse,
 				StageCompleted,
 			},
 			expectedAllow: true,
@@ -339,8 +319,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StagePeerACL,
@@ -362,8 +340,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StagePeerACL,
@@ -386,8 +362,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StagePeerACL,
@@ -408,8 +382,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StagePeerACL,
@@ -434,8 +406,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageRouting,
 				StagePeerACL,
 				StageCompleted,
--- a/client/internal/debug/debug.go
+++ b/client/internal/debug/debug.go
@@ -47,7 +47,7 @@ nftables.txt: Anonymized nftables rules with packet counters, if --system-info f
 resolved_domains.txt: Anonymized resolved domain IP addresses from the status recorder.
 config.txt: Anonymized configuration information of the NetBird client.
 network_map.json: Anonymized sync response containing peer configurations, routes, DNS settings, and firewall rules.
-state.json: Anonymized client state dump containing netbird states for the active profile.
+state.json: Anonymized client state dump containing netbird states.
 mutex.prof: Mutex profiling information.
 goroutine.prof: Goroutine profiling information.
 block.prof: Block profiling information.
@@ -564,8 +564,6 @@ func (g *BundleGenerator) addStateFile() error {
 		return nil
 	}

-	log.Debugf("Adding state file from: %s", path)
-
 	data, err := os.ReadFile(path)
 	if err != nil {
 		if errors.Is(err, fs.ErrNotExist) {
--- a/client/internal/dns/host_darwin.go
+++ b/client/internal/dns/host_darwin.go
@@ -13,7 +13,6 @@ import (
 	"strings"

 	log "github.com/sirupsen/logrus"
-	"golang.org/x/exp/maps"

 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
@@ -51,21 +50,28 @@ func (s *systemConfigurator) supportCustomPort() bool {
 }

 func (s *systemConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *statemanager.Manager) error {
+	var err error
+
+	if err := stateManager.UpdateState(&ShutdownState{}); err != nil {
+		log.Errorf("failed to update shutdown state: %s", err)
+	}
+
 	var (
 		searchDomains []string
 		matchDomains  []string
 	)

-	if err := s.recordSystemDNSSettings(true); err != nil {
+	err = s.recordSystemDNSSettings(true)
+	if err != nil {
 		log.Errorf("unable to update record of System's DNS config: %s", err.Error())
 	}

 	if config.RouteAll {
 		searchDomains = append(searchDomains, "\"\"")
-		if err := s.addLocalDNS(); err != nil {
-			log.Warnf("failed to add local DNS: %v", err)
+		err = s.addLocalDNS()
+		if err != nil {
+			log.Infof("failed to enable split DNS")
 		}
-		s.updateState(stateManager)
 	}

 	for _, dConf := range config.Domains {
@@ -80,7 +86,6 @@ func (s *systemConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *
 	}

 	matchKey := getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)
-	var err error
 	if len(matchDomains) != 0 {
 		err = s.addMatchDomains(matchKey, strings.Join(matchDomains, " "), config.ServerIP, config.ServerPort)
 	} else {
@@ -90,7 +95,6 @@ func (s *systemConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *
 	if err != nil {
 		return fmt.Errorf("add match domains: %w", err)
 	}
-	s.updateState(stateManager)

 	searchKey := getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix)
 	if len(searchDomains) != 0 {
@@ -102,7 +106,6 @@ func (s *systemConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *
 	if err != nil {
 		return fmt.Errorf("add search domains: %w", err)
 	}
-	s.updateState(stateManager)

 	if err := s.flushDNSCache(); err != nil {
 		log.Errorf("failed to flush DNS cache: %v", err)
@@ -111,12 +114,6 @@ func (s *systemConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *
 	return nil
 }

-func (s *systemConfigurator) updateState(stateManager *statemanager.Manager) {
-	if err := stateManager.UpdateState(&ShutdownState{CreatedKeys: maps.Keys(s.createdKeys)}); err != nil {
-		log.Errorf("failed to update shutdown state: %s", err)
-	}
-}
-
 func (s *systemConfigurator) string() string {
 	return "scutil"
 }
@@ -170,20 +167,18 @@ func (s *systemConfigurator) removeKeyFromSystemConfig(key string) error {
 func (s *systemConfigurator) addLocalDNS() error {
 	if !s.systemDNSSettings.ServerIP.IsValid() || len(s.systemDNSSettings.Domains) == 0 {
 		if err := s.recordSystemDNSSettings(true); err != nil {
+			log.Errorf("Unable to get system DNS configuration")
 			return fmt.Errorf("recordSystemDNSSettings(): %w", err)
 		}
 	}
 	localKey := getKeyWithInput(netbirdDNSStateKeyFormat, localSuffix)
-	if !s.systemDNSSettings.ServerIP.IsValid() || len(s.systemDNSSettings.Domains) == 0 {
+	if s.systemDNSSettings.ServerIP.IsValid() && len(s.systemDNSSettings.Domains) != 0 {
+		err := s.addSearchDomains(localKey, strings.Join(s.systemDNSSettings.Domains, " "), s.systemDNSSettings.ServerIP, s.systemDNSSettings.ServerPort)
+		if err != nil {
+			return fmt.Errorf("couldn't add local network DNS conf: %w", err)
+		}
+	} else {
 		log.Info("Not enabling local DNS server")
-		return nil
-	}
-
-	if err := s.addSearchDomains(
-		localKey,
-		strings.Join(s.systemDNSSettings.Domains, " "), s.systemDNSSettings.ServerIP, s.systemDNSSettings.ServerPort,
-	); err != nil {
-		return fmt.Errorf("add search domains: %w", err)
 	}

 	return nil
--- a/client/internal/dns/host_darwin_test.go
+++ b/client/internal/dns/host_darwin_test.go
@@ -1,111 +0,0 @@
-//go:build !ios
-
-package dns
-
-import (
-	"context"
-	"net/netip"
-	"os/exec"
-	"path/filepath"
-	"strings"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/internal/statemanager"
-)
-
-func TestDarwinDNSUncleanShutdownCleanup(t *testing.T) {
-	if testing.Short() {
-		t.Skip("skipping scutil integration test in short mode")
-	}
-
-	tmpDir := t.TempDir()
-	stateFile := filepath.Join(tmpDir, "state.json")
-
-	sm := statemanager.New(stateFile)
-	sm.RegisterState(&ShutdownState{})
-	sm.Start()
-	defer func() {
-		require.NoError(t, sm.Stop(context.Background()))
-	}()
-
-	configurator := &systemConfigurator{
-		createdKeys: make(map[string]struct{}),
-	}
-
-	config := HostDNSConfig{
-		ServerIP:   netip.MustParseAddr("100.64.0.1"),
-		ServerPort: 53,
-		RouteAll:   true,
-		Domains: []DomainConfig{
-			{Domain: "example.com", MatchOnly: true},
-		},
-	}
-
-	err := configurator.applyDNSConfig(config, sm)
-	require.NoError(t, err)
-
-	require.NoError(t, sm.PersistState(context.Background()))
-
-	searchKey := getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix)
-	matchKey := getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)
-	localKey := getKeyWithInput(netbirdDNSStateKeyFormat, localSuffix)
-
-	defer func() {
-		for _, key := range []string{searchKey, matchKey, localKey} {
-			_ = removeTestDNSKey(key)
-		}
-	}()
-
-	for _, key := range []string{searchKey, matchKey, localKey} {
-		exists, err := checkDNSKeyExists(key)
-		require.NoError(t, err)
-		if exists {
-			t.Logf("Key %s exists before cleanup", key)
-		}
-	}
-
-	sm2 := statemanager.New(stateFile)
-	sm2.RegisterState(&ShutdownState{})
-	err = sm2.LoadState(&ShutdownState{})
-	require.NoError(t, err)
-
-	state := sm2.GetState(&ShutdownState{})
-	if state == nil {
-		t.Skip("State not saved, skipping cleanup test")
-	}
-
-	shutdownState, ok := state.(*ShutdownState)
-	require.True(t, ok)
-
-	err = shutdownState.Cleanup()
-	require.NoError(t, err)
-
-	for _, key := range []string{searchKey, matchKey, localKey} {
-		exists, err := checkDNSKeyExists(key)
-		require.NoError(t, err)
-		assert.False(t, exists, "Key %s should NOT exist after cleanup", key)
-	}
-}
-
-func checkDNSKeyExists(key string) (bool, error) {
-	cmd := exec.Command(scutilPath)
-	cmd.Stdin = strings.NewReader("show " + key + "\nquit\n")
-	output, err := cmd.CombinedOutput()
-	if err != nil {
-		if strings.Contains(string(output), "No such key") {
-			return false, nil
-		}
-		return false, err
-	}
-	return !strings.Contains(string(output), "No such key"), nil
-}
-
-func removeTestDNSKey(key string) error {
-	cmd := exec.Command(scutilPath)
-	cmd.Stdin = strings.NewReader("remove " + key + "\nquit\n")
-	_, err := cmd.CombinedOutput()
-	return err
-}
--- a/client/internal/dns/host_windows.go
+++ b/client/internal/dns/host_windows.go
@@ -179,7 +179,13 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 		log.Infof("removed %s as main DNS forwarder for this peer", config.ServerIP)
 	}

-	r.updateState(stateManager)
+	if err := stateManager.UpdateState(&ShutdownState{
+		Guid:           r.guid,
+		GPO:            r.gpo,
+		NRPTEntryCount: r.nrptEntryCount,
+	}); err != nil {
+		log.Errorf("failed to update shutdown state: %s", err)
+	}

 	var searchDomains, matchDomains []string
 	for _, dConf := range config.Domains {
@@ -206,7 +212,13 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 		r.nrptEntryCount = 0
 	}

-	r.updateState(stateManager)
+	if err := stateManager.UpdateState(&ShutdownState{
+		Guid:           r.guid,
+		GPO:            r.gpo,
+		NRPTEntryCount: r.nrptEntryCount,
+	}); err != nil {
+		log.Errorf("failed to update shutdown state: %s", err)
+	}

 	if err := r.updateSearchDomains(searchDomains); err != nil {
 		return fmt.Errorf("update search domains: %w", err)
@@ -217,16 +229,6 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 	return nil
 }

-func (r *registryConfigurator) updateState(stateManager *statemanager.Manager) {
-	if err := stateManager.UpdateState(&ShutdownState{
-		Guid:           r.guid,
-		GPO:            r.gpo,
-		NRPTEntryCount: r.nrptEntryCount,
-	}); err != nil {
-		log.Errorf("failed to update shutdown state: %s", err)
-	}
-}
-
 func (r *registryConfigurator) addDNSSetupForAll(ip netip.Addr) error {
 	if err := r.setInterfaceRegistryKeyStringValue(interfaceConfigNameServerKey, ip.String()); err != nil {
 		return fmt.Errorf("adding dns setup for all failed: %w", err)
--- a/client/internal/dns/unclean_shutdown_darwin.go
+++ b/client/internal/dns/unclean_shutdown_darwin.go
@@ -7,7 +7,6 @@ import (
 )

 type ShutdownState struct {
-	CreatedKeys []string
 }

 func (s *ShutdownState) Name() string {
@@ -20,10 +19,6 @@ func (s *ShutdownState) Cleanup() error {
 		return fmt.Errorf("create host manager: %w", err)
 	}

-	for _, key := range s.CreatedKeys {
-		manager.createdKeys[key] = struct{}{}
-	}
-
 	if err := manager.restoreUncleanShutdownDNS(); err != nil {
 		return fmt.Errorf("restore unclean shutdown dns: %w", err)
 	}
--- a/client/internal/dnsfwd/manager.go
+++ b/client/internal/dnsfwd/manager.go
@@ -4,9 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net"
-	"net/netip"
-	"os"
-	"strconv"
+	"sync"

 	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
@@ -14,14 +12,18 @@ import (
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/peer"
-	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
 )

+var (
+	// ListenPort is the port that the DNS forwarder listens on. It has been used by the client peers also
+	listenPort   uint16 = 5353
+	listenPortMu sync.RWMutex
+)
+
 const (
-	dnsTTL        = 60
-	envServerPort = "NB_DNS_FORWARDER_PORT"
+	dnsTTL = 60 //seconds
 )

 // ForwarderEntry is a mapping from a domain to a resource ID and a hash of the parent domain list.
@@ -34,30 +36,28 @@ type ForwarderEntry struct {
 type Manager struct {
 	firewall       firewall.Manager
 	statusRecorder *peer.Status
-	localAddr      netip.Addr
-	serverPort     uint16

 	fwRules      []firewall.Rule
 	tcpRules     []firewall.Rule
 	dnsForwarder *DNSForwarder
 }

-func NewManager(fw firewall.Manager, statusRecorder *peer.Status, localAddr netip.Addr) *Manager {
-	serverPort := nbdns.ForwarderServerPort
-	if envPort := os.Getenv(envServerPort); envPort != "" {
-		if port, err := strconv.ParseUint(envPort, 10, 16); err == nil && port > 0 {
-			serverPort = uint16(port)
-			log.Infof("using custom DNS forwarder port from %s: %d", envServerPort, serverPort)
-		} else {
-			log.Warnf("invalid %s value %q, using default %d", envServerPort, envPort, nbdns.ForwarderServerPort)
-		}
-	}
+func ListenPort() uint16 {
+	listenPortMu.RLock()
+	defer listenPortMu.RUnlock()
+	return listenPort
+}

+func SetListenPort(port uint16) {
+	listenPortMu.Lock()
+	listenPort = port
+	listenPortMu.Unlock()
+}
+
+func NewManager(fw firewall.Manager, statusRecorder *peer.Status) *Manager {
 	return &Manager{
 		firewall:       fw,
 		statusRecorder: statusRecorder,
-		localAddr:      localAddr,
-		serverPort:     serverPort,
 	}
 }

@@ -71,21 +71,7 @@ func (m *Manager) Start(fwdEntries []*ForwarderEntry) error {
 		return err
 	}

-	if m.localAddr.IsValid() && m.firewall != nil {
-		if err := m.firewall.AddInboundDNAT(m.localAddr, firewall.ProtocolUDP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
-			log.Warnf("failed to add DNS UDP DNAT rule: %v", err)
-		} else {
-			log.Infof("added DNS UDP DNAT rule: %s:%d -> %s:%d", m.localAddr, nbdns.ForwarderClientPort, m.localAddr, m.serverPort)
-		}
-
-		if err := m.firewall.AddInboundDNAT(m.localAddr, firewall.ProtocolTCP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
-			log.Warnf("failed to add DNS TCP DNAT rule: %v", err)
-		} else {
-			log.Infof("added DNS TCP DNAT rule: %s:%d -> %s:%d", m.localAddr, nbdns.ForwarderClientPort, m.localAddr, m.serverPort)
-		}
-	}
-
-	m.dnsForwarder = NewDNSForwarder(fmt.Sprintf(":%d", m.serverPort), dnsTTL, m.firewall, m.statusRecorder)
+	m.dnsForwarder = NewDNSForwarder(fmt.Sprintf(":%d", ListenPort()), dnsTTL, m.firewall, m.statusRecorder)
 	go func() {
 		if err := m.dnsForwarder.Listen(fwdEntries); err != nil {
 			// todo handle close error if it is exists
@@ -110,17 +96,6 @@ func (m *Manager) Stop(ctx context.Context) error {
 	}

 	var mErr *multierror.Error
-
-	if m.localAddr.IsValid() && m.firewall != nil {
-		if err := m.firewall.RemoveInboundDNAT(m.localAddr, firewall.ProtocolUDP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
-			mErr = multierror.Append(mErr, fmt.Errorf("remove DNS UDP DNAT rule: %w", err))
-		}
-
-		if err := m.firewall.RemoveInboundDNAT(m.localAddr, firewall.ProtocolTCP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
-			mErr = multierror.Append(mErr, fmt.Errorf("remove DNS TCP DNAT rule: %w", err))
-		}
-	}
-
 	if err := m.dropDNSFirewall(); err != nil {
 		mErr = multierror.Append(mErr, err)
 	}
@@ -136,7 +111,7 @@ func (m *Manager) Stop(ctx context.Context) error {
 func (m *Manager) allowDNSFirewall() error {
 	dport := &firewall.Port{
 		IsRange: false,
-		Values:  []uint16{m.serverPort},
+		Values:  []uint16{ListenPort()},
 	}

 	if m.firewall == nil {
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -203,7 +203,8 @@ type Engine struct {
 	wgIfaceMonitor   *WGIfaceMonitor
 	wgIfaceMonitorWg sync.WaitGroup

-	probeStunTurn *relay.StunTurnProbe
+	// dns forwarder port
+	dnsFwdPort uint16
 }

 // Peer is an instance of the Connection Peer
@@ -246,7 +247,7 @@ func NewEngine(
 		statusRecorder: statusRecorder,
 		checks:         checks,
 		connSemaphore:  semaphoregroup.NewSemaphoreGroup(connInitLimit),
-		probeStunTurn:  relay.NewStunTurnProbe(relay.DefaultCacheTTL),
+		dnsFwdPort:     dnsfwd.ListenPort(),
 	}

 	sm := profilemanager.NewServiceManager("")
@@ -1059,14 +1060,10 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		protoDNSConfig = &mgmProto.DNSConfig{}
 	}

-	dnsConfig := toDNSConfig(protoDNSConfig, e.wgInterface.Address().Network)
-
-	if err := e.dnsServer.UpdateDNSServer(serial, dnsConfig); err != nil {
+	if err := e.dnsServer.UpdateDNSServer(serial, toDNSConfig(protoDNSConfig, e.wgInterface.Address().Network)); err != nil {
 		log.Errorf("failed to update dns server, err: %v", err)
 	}

-	e.routeManager.SetDNSForwarderPort(dnsConfig.ForwarderPort)
-
 	// apply routes first, route related actions might depend on routing being enabled
 	routes := toRoutes(networkMap.GetRoutes())
 	serverRoutes, clientRoutes := e.routeManager.ClassifyRoutes(routes)
@@ -1087,7 +1084,7 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 	}

 	fwdEntries := toRouteDomains(e.config.WgPrivateKey.PublicKey().String(), routes)
-	e.updateDNSForwarder(dnsRouteFeatureFlag, fwdEntries)
+	e.updateDNSForwarder(dnsRouteFeatureFlag, fwdEntries, uint16(protoDNSConfig.ForwarderPort))

 	// Ingress forward rules
 	forwardingRules, err := e.updateForwardRules(networkMap.GetForwardingRules())
@@ -1211,16 +1208,10 @@ func toRouteDomains(myPubKey string, routes []*route.Route) []*dnsfwd.ForwarderE
 }

 func toDNSConfig(protoDNSConfig *mgmProto.DNSConfig, network netip.Prefix) nbdns.Config {
-	forwarderPort := uint16(protoDNSConfig.GetForwarderPort())
-	if forwarderPort == 0 {
-		forwarderPort = nbdns.ForwarderClientPort
-	}
-
 	dnsUpdate := nbdns.Config{
 		ServiceEnable:    protoDNSConfig.GetServiceEnable(),
 		CustomZones:      make([]nbdns.CustomZone, 0),
 		NameServerGroups: make([]*nbdns.NameServerGroup, 0),
-		ForwarderPort:    forwarderPort,
 	}

 	for _, zone := range protoDNSConfig.GetCustomZones() {
@@ -1676,7 +1667,7 @@ func (e *Engine) getRosenpassAddr() string {

 // RunHealthProbes executes health checks for Signal, Management, Relay and WireGuard services
 // and updates the status recorder with the latest states.
-func (e *Engine) RunHealthProbes(waitForResult bool) bool {
+func (e *Engine) RunHealthProbes() bool {
 	e.syncMsgMux.Lock()

 	signalHealthy := e.signal.IsHealthy()
@@ -1708,12 +1699,8 @@ func (e *Engine) RunHealthProbes(waitForResult bool) bool {
 	}

 	e.syncMsgMux.Unlock()
-	var results []relay.ProbeResult
-	if waitForResult {
-		results = e.probeStunTurn.ProbeAllWaitResult(e.ctx, stuns, turns)
-	} else {
-		results = e.probeStunTurn.ProbeAll(e.ctx, stuns, turns)
-	}
+
+	results := e.probeICE(stuns, turns)
 	e.statusRecorder.UpdateRelayStates(results)

 	relayHealthy := true
@@ -1730,6 +1717,13 @@ func (e *Engine) RunHealthProbes(waitForResult bool) bool {
 	return allHealthy
 }

+func (e *Engine) probeICE(stuns, turns []*stun.URI) []relay.ProbeResult {
+	return append(
+		relay.ProbeAll(e.ctx, relay.ProbeSTUN, stuns),
+		relay.ProbeAll(e.ctx, relay.ProbeTURN, turns)...,
+	)
+}
+
 // restartEngine restarts the engine by cancelling the client context
 func (e *Engine) restartEngine() {
 	e.syncMsgMux.Lock()
@@ -1849,11 +1843,16 @@ func (e *Engine) GetWgAddr() netip.Addr {
 func (e *Engine) updateDNSForwarder(
 	enabled bool,
 	fwdEntries []*dnsfwd.ForwarderEntry,
+	forwarderPort uint16,
 ) {
 	if e.config.DisableServerRoutes {
 		return
 	}

+	if forwarderPort > 0 {
+		dnsfwd.SetListenPort(forwarderPort)
+	}
+
 	if !enabled {
 		if e.dnsForwardMgr == nil {
 			return
@@ -1865,17 +1864,20 @@ func (e *Engine) updateDNSForwarder(
 	}

 	if len(fwdEntries) > 0 {
-		if e.dnsForwardMgr == nil {
-			localAddr := e.wgInterface.Address().IP
-			e.dnsForwardMgr = dnsfwd.NewManager(e.firewall, e.statusRecorder, localAddr)
-
+		switch {
+		case e.dnsForwardMgr == nil:
+			e.dnsForwardMgr = dnsfwd.NewManager(e.firewall, e.statusRecorder)
 			if err := e.dnsForwardMgr.Start(fwdEntries); err != nil {
 				log.Errorf("failed to start DNS forward: %v", err)
 				e.dnsForwardMgr = nil
 			}
-
 			log.Infof("started domain router service with %d entries", len(fwdEntries))
-		} else {
+		case e.dnsFwdPort != forwarderPort:
+			log.Infof("updating domain router service port from %d to %d", e.dnsFwdPort, forwarderPort)
+			e.restartDnsFwd(fwdEntries, forwarderPort)
+			e.dnsFwdPort = forwarderPort
+
+		default:
 			e.dnsForwardMgr.UpdateDomains(fwdEntries)
 		}
 	} else if e.dnsForwardMgr != nil {
@@ -1885,6 +1887,20 @@ func (e *Engine) updateDNSForwarder(
 		}
 		e.dnsForwardMgr = nil
 	}
+
+}
+
+func (e *Engine) restartDnsFwd(fwdEntries []*dnsfwd.ForwarderEntry, forwarderPort uint16) {
+	log.Infof("updating domain router service port from %d to %d", e.dnsFwdPort, forwarderPort)
+	// stop and start the forwarder to apply the new port
+	if err := e.dnsForwardMgr.Stop(context.Background()); err != nil {
+		log.Errorf("failed to stop DNS forward: %v", err)
+	}
+	e.dnsForwardMgr = dnsfwd.NewManager(e.firewall, e.statusRecorder)
+	if err := e.dnsForwardMgr.Start(fwdEntries); err != nil {
+		log.Errorf("failed to start DNS forward: %v", err)
+		e.dnsForwardMgr = nil
+	}
 }

 func (e *Engine) GetNet() (*netstack.Net, error) {
--- a/client/internal/netflow/logger/logger.go
+++ b/client/internal/netflow/logger/logger.go
@@ -10,10 +10,10 @@ import (
 	"github.com/google/uuid"
 	log "github.com/sirupsen/logrus"

+	"github.com/netbirdio/netbird/client/internal/dnsfwd"
 	"github.com/netbirdio/netbird/client/internal/netflow/store"
 	"github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/dns"
 )

 type rcvChan chan *types.EventFields
@@ -138,8 +138,7 @@ func (l *Logger) UpdateConfig(dnsCollection, exitNodeCollection bool) {

 func (l *Logger) shouldStore(event *types.EventFields, isExitNode bool) bool {
 	// check dns collection
-	if !l.dnsCollection.Load() && event.Protocol == types.UDP &&
-		(event.DestPort == 53 || event.DestPort == dns.ForwarderClientPort || event.DestPort == dns.ForwarderServerPort) {
+	if !l.dnsCollection.Load() && event.Protocol == types.UDP && (event.DestPort == 53 || event.DestPort == uint16(dnsfwd.ListenPort())) {
 		return false
 	}

--- a/client/internal/relay/relay.go
+++ b/client/internal/relay/relay.go
@@ -2,8 +2,6 @@ package relay

 import (
 	"context"
-	"crypto/sha256"
-	"errors"
 	"fmt"
 	"net"
 	"sync"
@@ -17,15 +15,6 @@ import (
 	nbnet "github.com/netbirdio/netbird/client/net"
 )

-const (
-	DefaultCacheTTL = 20 * time.Second
-	probeTimeout    = 6 * time.Second
-)
-
-var (
-	ErrCheckInProgress = errors.New("probe check is already in progress")
-)
-
 // ProbeResult holds the info about the result of a relay probe request
 type ProbeResult struct {
 	URI  string
@@ -33,164 +22,8 @@ type ProbeResult struct {
 	Addr string
 }

-type StunTurnProbe struct {
-	cacheResults    []ProbeResult
-	cacheTimestamp  time.Time
-	cacheKey        string
-	cacheTTL        time.Duration
-	probeInProgress bool
-	probeDone       chan struct{}
-	mu              sync.Mutex
-}
-
-func NewStunTurnProbe(cacheTTL time.Duration) *StunTurnProbe {
-	return &StunTurnProbe{
-		cacheTTL: cacheTTL,
-	}
-}
-
-func (p *StunTurnProbe) ProbeAllWaitResult(ctx context.Context, stuns []*stun.URI, turns []*stun.URI) []ProbeResult {
-	cacheKey := generateCacheKey(stuns, turns)
-
-	p.mu.Lock()
-	if p.probeInProgress {
-		doneChan := p.probeDone
-		p.mu.Unlock()
-
-		select {
-		case <-ctx.Done():
-			log.Debugf("Context cancelled while waiting for probe results")
-			return createErrorResults(stuns, turns)
-		case <-doneChan:
-			return p.getCachedResults(cacheKey, stuns, turns)
-		}
-	}
-
-	p.probeInProgress = true
-	probeDone := make(chan struct{})
-	p.probeDone = probeDone
-	p.mu.Unlock()
-
-	p.doProbe(ctx, stuns, turns, cacheKey)
-	close(probeDone)
-
-	return p.getCachedResults(cacheKey, stuns, turns)
-}
-
-// ProbeAll probes all given servers asynchronously and returns the results
-func (p *StunTurnProbe) ProbeAll(ctx context.Context, stuns []*stun.URI, turns []*stun.URI) []ProbeResult {
-	cacheKey := generateCacheKey(stuns, turns)
-
-	p.mu.Lock()
-
-	if results := p.checkCache(cacheKey); results != nil {
-		p.mu.Unlock()
-		return results
-	}
-
-	if p.probeInProgress {
-		p.mu.Unlock()
-		return createErrorResults(stuns, turns)
-	}
-
-	p.probeInProgress = true
-	probeDone := make(chan struct{})
-	p.probeDone = probeDone
-	log.Infof("started new probe for STUN, TURN servers")
-	go func() {
-		p.doProbe(ctx, stuns, turns, cacheKey)
-		close(probeDone)
-	}()
-
-	p.mu.Unlock()
-
-	timer := time.NewTimer(1300 * time.Millisecond)
-	defer timer.Stop()
-
-	select {
-	case <-ctx.Done():
-		log.Debugf("Context cancelled while waiting for probe results")
-		return createErrorResults(stuns, turns)
-	case <-probeDone:
-		// when the probe is return fast, return the results right away
-		return p.getCachedResults(cacheKey, stuns, turns)
-	case <-timer.C:
-		// if the probe takes longer than 1.3s, return error results to avoid blocking
-		return createErrorResults(stuns, turns)
-	}
-}
-
-func (p *StunTurnProbe) checkCache(cacheKey string) []ProbeResult {
-	if p.cacheKey == cacheKey && len(p.cacheResults) > 0 {
-		age := time.Since(p.cacheTimestamp)
-		if age < p.cacheTTL {
-			results := append([]ProbeResult(nil), p.cacheResults...)
-			log.Debugf("returning cached probe results (age: %v)", age)
-			return results
-		}
-	}
-	return nil
-}
-
-func (p *StunTurnProbe) getCachedResults(cacheKey string, stuns []*stun.URI, turns []*stun.URI) []ProbeResult {
-	p.mu.Lock()
-	defer p.mu.Unlock()
-
-	if p.cacheKey == cacheKey && len(p.cacheResults) > 0 {
-		return append([]ProbeResult(nil), p.cacheResults...)
-	}
-	return createErrorResults(stuns, turns)
-}
-
-func (p *StunTurnProbe) doProbe(ctx context.Context, stuns []*stun.URI, turns []*stun.URI, cacheKey string) {
-	defer func() {
-		p.mu.Lock()
-		p.probeInProgress = false
-		p.mu.Unlock()
-	}()
-	results := make([]ProbeResult, len(stuns)+len(turns))
-
-	var wg sync.WaitGroup
-	for i, uri := range stuns {
-		wg.Add(1)
-		go func(idx int, stunURI *stun.URI) {
-			defer wg.Done()
-
-			probeCtx, cancel := context.WithTimeout(ctx, probeTimeout)
-			defer cancel()
-
-			results[idx].URI = stunURI.String()
-			results[idx].Addr, results[idx].Err = p.probeSTUN(probeCtx, stunURI)
-		}(i, uri)
-	}
-
-	stunOffset := len(stuns)
-	for i, uri := range turns {
-		wg.Add(1)
-		go func(idx int, turnURI *stun.URI) {
-			defer wg.Done()
-
-			probeCtx, cancel := context.WithTimeout(ctx, probeTimeout)
-			defer cancel()
-
-			results[idx].URI = turnURI.String()
-			results[idx].Addr, results[idx].Err = p.probeTURN(probeCtx, turnURI)
-		}(stunOffset+i, uri)
-	}
-
-	wg.Wait()
-
-	p.mu.Lock()
-	p.cacheResults = results
-	p.cacheTimestamp = time.Now()
-	p.cacheKey = cacheKey
-	p.mu.Unlock()
-
-	log.Debug("Stored new probe results in cache")
-}
-
 // ProbeSTUN tries binding to the given STUN uri and acquiring an address
-func (p *StunTurnProbe) probeSTUN(ctx context.Context, uri *stun.URI) (addr string, probeErr error) {
+func ProbeSTUN(ctx context.Context, uri *stun.URI) (addr string, probeErr error) {
 	defer func() {
 		if probeErr != nil {
 			log.Debugf("stun probe error from %s: %s", uri, probeErr)
@@ -250,7 +83,7 @@ func (p *StunTurnProbe) probeSTUN(ctx context.Context, uri *stun.URI) (addr stri
 }

 // ProbeTURN tries allocating a session from the given TURN URI
-func (p *StunTurnProbe) probeTURN(ctx context.Context, uri *stun.URI) (addr string, probeErr error) {
+func ProbeTURN(ctx context.Context, uri *stun.URI) (addr string, probeErr error) {
 	defer func() {
 		if probeErr != nil {
 			log.Debugf("turn probe error from %s: %s", uri, probeErr)
@@ -327,28 +160,28 @@ func (p *StunTurnProbe) probeTURN(ctx context.Context, uri *stun.URI) (addr stri
 	return relayConn.LocalAddr().String(), nil
 }

-func createErrorResults(stuns []*stun.URI, turns []*stun.URI) []ProbeResult {
-	total := len(stuns) + len(turns)
-	results := make([]ProbeResult, total)
+// ProbeAll probes all given servers asynchronously and returns the results
+func ProbeAll(
+	ctx context.Context,
+	fn func(ctx context.Context, uri *stun.URI) (addr string, probeErr error),
+	relays []*stun.URI,
+) []ProbeResult {
+	results := make([]ProbeResult, len(relays))

-	allURIs := append(append([]*stun.URI{}, stuns...), turns...)
-	for i, uri := range allURIs {
-		results[i] = ProbeResult{
-			URI: uri.String(),
-			Err: ErrCheckInProgress,
-		}
+	var wg sync.WaitGroup
+	for i, uri := range relays {
+		ctx, cancel := context.WithTimeout(ctx, 6*time.Second)
+		defer cancel()
+
+		wg.Add(1)
+		go func(res *ProbeResult, stunURI *stun.URI) {
+			defer wg.Done()
+			res.URI = stunURI.String()
+			res.Addr, res.Err = fn(ctx, stunURI)
+		}(&results[i], uri)
 	}

+	wg.Wait()
+
 	return results
 }
-
-func generateCacheKey(stuns []*stun.URI, turns []*stun.URI) string {
-	h := sha256.New()
-	for _, uri := range stuns {
-		h.Write([]byte(uri.String()))
-	}
-	for _, uri := range turns {
-		h.Write([]byte(uri.String()))
-	}
-	return fmt.Sprintf("%x", h.Sum(nil))
-}
--- a/client/internal/routemanager/common/params.go
+++ b/client/internal/routemanager/common/params.go
@@ -1,7 +1,6 @@
 package common

 import (
-	"sync/atomic"
 	"time"

 	"github.com/netbirdio/netbird/client/firewall/manager"
@@ -26,5 +25,4 @@ type HandlerParams struct {
 	UseNewDNSRoute       bool
 	Firewall             manager.Manager
 	FakeIPManager        *fakeip.Manager
-	ForwarderPort        *atomic.Uint32
 }
--- a/client/internal/routemanager/dnsinterceptor/handler.go
+++ b/client/internal/routemanager/dnsinterceptor/handler.go
@@ -8,7 +8,6 @@ import (
 	"runtime"
 	"strings"
 	"sync"
-	"sync/atomic"
 	"time"

 	"github.com/hashicorp/go-multierror"
@@ -19,6 +18,7 @@ import (
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	nbdns "github.com/netbirdio/netbird/client/internal/dns"
+	"github.com/netbirdio/netbird/client/internal/dnsfwd"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/peerstore"
 	"github.com/netbirdio/netbird/client/internal/routemanager/common"
@@ -55,7 +55,6 @@ type DnsInterceptor struct {
 	peerStore            *peerstore.Store
 	firewall             firewall.Manager
 	fakeIPManager        *fakeip.Manager
-	forwarderPort        *atomic.Uint32
 }

 func New(params common.HandlerParams) *DnsInterceptor {
@@ -70,7 +69,6 @@ func New(params common.HandlerParams) *DnsInterceptor {
 		firewall:             params.Firewall,
 		fakeIPManager:        params.FakeIPManager,
 		interceptedDomains:   make(domainMap),
-		forwarderPort:        params.ForwarderPort,
 	}
 }

@@ -259,7 +257,7 @@ func (d *DnsInterceptor) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		r.MsgHdr.AuthenticatedData = true
 	}

-	upstream := fmt.Sprintf("%s:%d", upstreamIP.String(), uint16(d.forwarderPort.Load()))
+	upstream := fmt.Sprintf("%s:%d", upstreamIP.String(), dnsfwd.ListenPort())
 	ctx, cancel := context.WithTimeout(context.Background(), dnsTimeout)
 	defer cancel()

--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -10,7 +10,6 @@ import (
 	"runtime"
 	"slices"
 	"sync"
-	"sync/atomic"
 	"time"

 	"github.com/google/uuid"
@@ -24,7 +23,6 @@ import (
 	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/listener"
-	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/peerstore"
 	"github.com/netbirdio/netbird/client/internal/routemanager/client"
@@ -56,7 +54,6 @@ type Manager interface {
 	SetRouteChangeListener(listener listener.NetworkChangeListener)
 	InitialRouteRange() []string
 	SetFirewall(firewall.Manager) error
-	SetDNSForwarderPort(port uint16)
 	Stop(stateManager *statemanager.Manager)
 }

@@ -104,13 +101,12 @@ type DefaultManager struct {
 	disableServerRoutes bool
 	activeRoutes        map[route.HAUniqueID]client.RouteHandler
 	fakeIPManager       *fakeip.Manager
-	dnsForwarderPort    atomic.Uint32
 }

 func NewManager(config ManagerConfig) *DefaultManager {
 	mCTX, cancel := context.WithCancel(config.Context)
 	notifier := notifier.NewNotifier()
-	sysOps := systemops.New(config.WGInterface, notifier)
+	sysOps := systemops.NewSysOps(config.WGInterface, notifier)

 	if runtime.GOOS == "windows" && config.WGInterface != nil {
 		nbnet.SetVPNInterfaceName(config.WGInterface.Name())
@@ -134,7 +130,6 @@ func NewManager(config ManagerConfig) *DefaultManager {
 		disableServerRoutes: config.DisableServerRoutes,
 		activeRoutes:        make(map[route.HAUniqueID]client.RouteHandler),
 	}
-	dm.dnsForwarderPort.Store(uint32(nbdns.ForwarderClientPort))

 	useNoop := netstack.IsEnabled() || config.DisableClientRoutes
 	dm.setupRefCounters(useNoop)
@@ -275,11 +270,6 @@ func (m *DefaultManager) SetFirewall(firewall firewall.Manager) error {
 	return nil
 }

-// SetDNSForwarderPort sets the DNS forwarder port for route handlers
-func (m *DefaultManager) SetDNSForwarderPort(port uint16) {
-	m.dnsForwarderPort.Store(uint32(port))
-}
-
 // Stop stops the manager watchers and clean firewall rules
 func (m *DefaultManager) Stop(stateManager *statemanager.Manager) {
 	m.stop()
@@ -355,7 +345,6 @@ func (m *DefaultManager) updateSystemRoutes(newRoutes route.HAMap) error {
 			UseNewDNSRoute:       m.useNewDNSRoute,
 			Firewall:             m.firewall,
 			FakeIPManager:        m.fakeIPManager,
-			ForwarderPort:        &m.dnsForwarderPort,
 		}
 		handler := client.HandlerFromRoute(params)
 		if err := handler.AddRoute(m.ctx); err != nil {
--- a/client/internal/routemanager/mock.go
+++ b/client/internal/routemanager/mock.go
@@ -90,10 +90,6 @@ func (m *MockManager) SetFirewall(firewall.Manager) error {
 	panic("implement me")
 }

-// SetDNSForwarderPort mock implementation of SetDNSForwarderPort from Manager interface
-func (m *MockManager) SetDNSForwarderPort(port uint16) {
-}
-
 // Stop mock implementation of Stop from Manager interface
 func (m *MockManager) Stop(stateManager *statemanager.Manager) {
 	if m.StopFunc != nil {
--- a/client/internal/routemanager/systemops/flush_nonbsd.go
+++ b/client/internal/routemanager/systemops/flush_nonbsd.go
@@ -1,8 +0,0 @@
-//go:build !((darwin && !ios) || dragonfly || freebsd || netbsd || openbsd)
-
-package systemops
-
-// FlushMarkedRoutes is a no-op on non-BSD platforms.
-func (r *SysOps) FlushMarkedRoutes() error {
-	return nil
-}
--- a/client/internal/routemanager/systemops/state.go
+++ b/client/internal/routemanager/systemops/state.go
@@ -13,11 +13,11 @@ func (s *ShutdownState) Name() string {
 }

 func (s *ShutdownState) Cleanup() error {
-	sysOps := New(nil, nil)
-	sysOps.refCounter = refcounter.New[netip.Prefix, struct{}, Nexthop](nil, sysOps.removeFromRouteTable)
-	sysOps.refCounter.LoadData((*ExclusionCounter)(s))
+	sysops := NewSysOps(nil, nil)
+	sysops.refCounter = refcounter.New[netip.Prefix, struct{}, Nexthop](nil, sysops.removeFromRouteTable)
+	sysops.refCounter.LoadData((*ExclusionCounter)(s))

-	return sysOps.refCounter.Flush()
+	return sysops.refCounter.Flush()
 }

 func (s *ShutdownState) MarshalJSON() ([]byte, error) {
--- a/client/internal/routemanager/systemops/systemops.go
+++ b/client/internal/routemanager/systemops/systemops.go
@@ -83,7 +83,7 @@ type SysOps struct {
 	localSubnetsCacheTime time.Time
 }

-func New(wgInterface wgIface, notifier *notifier.Notifier) *SysOps {
+func NewSysOps(wgInterface wgIface, notifier *notifier.Notifier) *SysOps {
 	return &SysOps{
 		wgInterface: wgInterface,
 		notifier:    notifier,
--- a/client/internal/routemanager/systemops/systemops_bsd_test.go
+++ b/client/internal/routemanager/systemops/systemops_bsd_test.go
@@ -42,7 +42,7 @@ func TestConcurrentRoutes(t *testing.T) {
 	_, intf = setupDummyInterface(t)
 	nexthop = Nexthop{netip.Addr{}, intf}

-	r := New(nil, nil)
+	r := NewSysOps(nil, nil)

 	var wg sync.WaitGroup
 	for i := 0; i < 1024; i++ {
@@ -146,7 +146,7 @@ func createAndSetupDummyInterface(t *testing.T, intf string, ipAddressCIDR strin

 	nexthop := Nexthop{netip.Addr{}, netIntf}

-	r := New(nil, nil)
+	r := NewSysOps(nil, nil)
 	err = r.addToRouteTable(prefix, nexthop)
 	require.NoError(t, err, "Failed to add route to table")

--- a/client/internal/routemanager/systemops/systemops_generic_test.go
+++ b/client/internal/routemanager/systemops/systemops_generic_test.go
@@ -143,7 +143,7 @@ func TestAddVPNRoute(t *testing.T) {

 			wgInterface := createWGInterface(t, fmt.Sprintf("utun53%d", n), "100.65.75.2/24", 33100+n)

-			r := New(wgInterface, nil)
+			r := NewSysOps(wgInterface, nil)
 			advancedRouting := nbnet.AdvancedRouting()
 			err := r.SetupRouting(nil, nil, advancedRouting)
 			require.NoError(t, err)
@@ -342,7 +342,7 @@ func TestAddRouteToNonVPNIntf(t *testing.T) {

 			wgInterface := createWGInterface(t, fmt.Sprintf("utun54%d", n), "100.65.75.2/24", 33200+n)

-			r := New(wgInterface, nil)
+			r := NewSysOps(wgInterface, nil)
 			advancedRouting := nbnet.AdvancedRouting()
 			err := r.SetupRouting(nil, nil, advancedRouting)
 			require.NoError(t, err)
@@ -486,7 +486,7 @@ func setupTestEnv(t *testing.T) {
 		assert.NoError(t, wgInterface.Close())
 	})

-	r := New(wgInterface, nil)
+	r := NewSysOps(wgInterface, nil)
 	advancedRouting := nbnet.AdvancedRouting()
 	err := r.SetupRouting(nil, nil, advancedRouting)
 	require.NoError(t, err, "setupRouting should not return err")
--- a/client/internal/routemanager/systemops/systemops_unix.go
+++ b/client/internal/routemanager/systemops/systemops_unix.go
@@ -7,39 +7,19 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
-	"os"
 	"strconv"
 	"syscall"
 	"time"
 	"unsafe"

 	"github.com/cenkalti/backoff/v4"
-	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/net/route"
 	"golang.org/x/sys/unix"

-	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )

-const (
-	envRouteProtoFlag = "NB_ROUTE_PROTO_FLAG"
-)
-
-var routeProtoFlag int
-
-func init() {
-	switch os.Getenv(envRouteProtoFlag) {
-	case "2":
-		routeProtoFlag = unix.RTF_PROTO2
-	case "3":
-		routeProtoFlag = unix.RTF_PROTO3
-	default:
-		routeProtoFlag = unix.RTF_PROTO1
-	}
-}
-
 func (r *SysOps) SetupRouting(initAddresses []net.IP, stateManager *statemanager.Manager, advancedRouting bool) error {
 	return r.setupRefCounter(initAddresses, stateManager)
 }
@@ -48,62 +28,6 @@ func (r *SysOps) CleanupRouting(stateManager *statemanager.Manager, advancedRout
 	return r.cleanupRefCounter(stateManager)
 }

-// FlushMarkedRoutes removes single IP exclusion routes marked with the configured RTF_PROTO flag.
-func (r *SysOps) FlushMarkedRoutes() error {
-	rib, err := retryFetchRIB()
-	if err != nil {
-		return fmt.Errorf("fetch routing table: %w", err)
-	}
-
-	msgs, err := route.ParseRIB(route.RIBTypeRoute, rib)
-	if err != nil {
-		return fmt.Errorf("parse routing table: %w", err)
-	}
-
-	var merr *multierror.Error
-	flushedCount := 0
-
-	for _, msg := range msgs {
-		rtMsg, ok := msg.(*route.RouteMessage)
-		if !ok {
-			continue
-		}
-
-		if rtMsg.Flags&routeProtoFlag == 0 {
-			continue
-		}
-
-		routeInfo, err := MsgToRoute(rtMsg)
-		if err != nil {
-			log.Debugf("Skipping route flush: %v", err)
-			continue
-		}
-
-		if !routeInfo.Dst.IsValid() || !routeInfo.Dst.IsSingleIP() {
-			continue
-		}
-
-		nexthop := Nexthop{
-			IP:   routeInfo.Gw,
-			Intf: routeInfo.Interface,
-		}
-
-		if err := r.removeFromRouteTable(routeInfo.Dst, nexthop); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("remove route %s: %w", routeInfo.Dst, err))
-			continue
-		}
-
-		flushedCount++
-		log.Debugf("Flushed marked route: %s", routeInfo.Dst)
-	}
-
-	if flushedCount > 0 {
-		log.Infof("Flushed %d residual NetBird routes from previous session", flushedCount)
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
 func (r *SysOps) addToRouteTable(prefix netip.Prefix, nexthop Nexthop) error {
 	return r.routeSocket(unix.RTM_ADD, prefix, nexthop)
 }
@@ -181,7 +105,7 @@ func (r *SysOps) routeOp(action int, prefix netip.Prefix, nexthop Nexthop) func(
 func (r *SysOps) buildRouteMessage(action int, prefix netip.Prefix, nexthop Nexthop) (msg *route.RouteMessage, err error) {
 	msg = &route.RouteMessage{
 		Type:    action,
-		Flags:   unix.RTF_UP | routeProtoFlag,
+		Flags:   unix.RTF_UP,
 		Version: unix.RTM_VERSION,
 		Seq:     r.getSeq(),
 	}
--- a/client/internal/statemanager/manager.go
+++ b/client/internal/statemanager/manager.go
@@ -295,7 +295,7 @@ func (m *Manager) loadStateFile(deleteCorrupt bool) (map[string]json.RawMessage,
 	data, err := os.ReadFile(m.filePath)
 	if err != nil {
 		if errors.Is(err, fs.ErrNotExist) {
-			log.Debugf("state file %s does not exist", m.filePath)
+			log.Debug("state file does not exist")
 			return nil, nil // nolint:nilnil
 		}
 		return nil, fmt.Errorf("read state file: %w", err)
--- a/client/netbird-electron/.gitignore
+++ b/client/netbird-electron/.gitignore
@@ -0,0 +1,29 @@
+# Dependencies
+node_modules/
+package-lock.json
+
+# Build outputs
+dist/
+release/
+*.tsbuildinfo
+
+# Editor
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Environment
+.env
+.env.local
+
+# Logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
--- a/client/netbird-electron/electron/assets/bug-extra-thick.png
+++ b/client/netbird-electron/electron/assets/bug-extra-thick.png
--- a/client/netbird-electron/electron/assets/bug-extra-thick.svg
+++ b/client/netbird-electron/electron/assets/bug-extra-thick.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><path fill="none" stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="6" d="M14.7 6.3a1 1 0 0 0 0 1.4l1.6 1.6a1 1 0 0 0 1.4 0l3.106-3.105c.32-.322.863-.22.983.218a6 6 0 0 1-8.259 7.057l-7.91 7.91a1 1 0 0 1-2.999-3l7.91-7.91a6 6 0 0 1 7.057-8.259c.438.12.54.662.219.984z"/></svg>
--- a/client/netbird-electron/electron/assets/bug-simple.svg
+++ b/client/netbird-electron/electron/assets/bug-simple.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><g fill="none" stroke="white" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"><path d="M12 20v-9m2-4a4 4 0 0 1 4 4v3a6 6 0 0 1-12 0v-3a4 4 0 0 1 4-4zm.12-3.12L16 2"/><path d="M21 21a4 4 0 0 0-3.81-4M21 5a4 4 0 0 1-3.55 3.97M22 13h-4M3 21a4 4 0 0 1 3.81-4M3 5a4 4 0 0 0 3.55 3.97M6 13H2M8 2l1.88 1.88M9 7.13V6a3 3 0 1 1 6 0v1.13"/></g></svg>
--- a/client/netbird-electron/electron/assets/debug-bundle-icon.png
+++ b/client/netbird-electron/electron/assets/debug-bundle-icon.png
--- a/client/netbird-electron/electron/assets/debug-bundle-icon.svg
+++ b/client/netbird-electron/electron/assets/debug-bundle-icon.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><g fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"><path d="M11 21.73a2 2 0 0 0 2 0l7-4A2 2 0 0 0 21 16V8a2 2 0 0 0-1-1.73l-7-4a2 2 0 0 0-2 0l-7 4A2 2 0 0 0 3 8v8a2 2 0 0 0 1 1.73zm1 .27V12"/><path d="M3.29 7L12 12l8.71-5M7.5 4.27l9 5.15"/></g></svg>
--- a/client/netbird-electron/electron/assets/debug-icon-new.png
+++ b/client/netbird-electron/electron/assets/debug-icon-new.png
--- a/client/netbird-electron/electron/assets/debug-icon-thick.png
+++ b/client/netbird-electron/electron/assets/debug-icon-thick.png
--- a/client/netbird-electron/electron/assets/debug-icon-thick.svg
+++ b/client/netbird-electron/electron/assets/debug-icon-thick.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><g fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="3"><path d="M12 20v-9m2-4a4 4 0 0 1 4 4v3a6 6 0 0 1-12 0v-3a4 4 0 0 1 4-4zm.12-3.12L16 2"/><path d="M21 21a4 4 0 0 0-3.81-4M21 5a4 4 0 0 1-3.55 3.97M22 13h-4M3 21a4 4 0 0 1 3.81-4M3 5a4 4 0 0 0 3.55 3.97M6 13H2M8 2l1.88 1.88M9 7.13V6a3 3 0 1 1 6 0v1.13"/></g></svg>
--- a/client/netbird-electron/electron/assets/debug-icon-very-thick.png
+++ b/client/netbird-electron/electron/assets/debug-icon-very-thick.png
--- a/client/netbird-electron/electron/assets/debug-icon-very-thick.svg
+++ b/client/netbird-electron/electron/assets/debug-icon-very-thick.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><g fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="4"><path d="M12 20v-9m2-4a4 4 0 0 1 4 4v3a6 6 0 0 1-12 0v-3a4 4 0 0 1 4-4zm.12-3.12L16 2"/><path d="M21 21a4 4 0 0 0-3.81-4M21 5a4 4 0 0 1-3.55 3.97M22 13h-4M3 21a4 4 0 0 1 3.81-4M3 5a4 4 0 0 0 3.55 3.97M6 13H2M8 2l1.88 1.88M9 7.13V6a3 3 0 1 1 6 0v1.13"/></g></svg>
--- a/client/netbird-electron/electron/assets/debug-icon.png
+++ b/client/netbird-electron/electron/assets/debug-icon.png
--- a/client/netbird-electron/electron/assets/debug-icon.svg
+++ b/client/netbird-electron/electron/assets/debug-icon.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><path fill="none" stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="6" d="M14.7 6.3a1 1 0 0 0 0 1.4l1.6 1.6a1 1 0 0 0 1.4 0l3.106-3.105c.32-.322.863-.22.983.218a6 6 0 0 1-8.259 7.057l-7.91 7.91a1 1 0 0 1-2.999-3l7.91-7.91a6 6 0 0 1 7.057-8.259c.438.12.54.662.219.984z"/></svg>
--- a/client/netbird-electron/electron/assets/exit-node-icon.png
+++ b/client/netbird-electron/electron/assets/exit-node-icon.png
--- a/client/netbird-electron/electron/assets/exit-node-icon.svg
+++ b/client/netbird-electron/electron/assets/exit-node-icon.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><path fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="m10 17l5-5l-5-5m5 5H3m12-9h4a2 2 0 0 1 2 2v14a2 2 0 0 1-2 2h-4"/></svg>
--- a/client/netbird-electron/electron/assets/info-icon.png
+++ b/client/netbird-electron/electron/assets/info-icon.png
--- a/client/netbird-electron/electron/assets/info-icon.svg
+++ b/client/netbird-electron/electron/assets/info-icon.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><g fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"><circle cx="12" cy="12" r="10"/><path d="M12 16v-4m0-4h.01"/></g></svg>
--- a/client/netbird-electron/electron/assets/netbird-systemtray-connected-dark.png
+++ b/client/netbird-electron/electron/assets/netbird-systemtray-connected-dark.png
--- a/client/netbird-electron/electron/assets/netbird-systemtray-connected-macos.png
+++ b/client/netbird-electron/electron/assets/netbird-systemtray-connected-macos.png
--- a/client/netbird-electron/electron/assets/netbird-systemtray-connected-white-monochrome.png
+++ b/client/netbird-electron/electron/assets/netbird-systemtray-connected-white-monochrome.png
--- a/client/netbird-electron/electron/assets/netbird-systemtray-connected.png
+++ b/client/netbird-electron/electron/assets/netbird-systemtray-connected.png
--- a/client/netbird-electron/electron/assets/netbird-systemtray-connecting-dark.png
+++ b/client/netbird-electron/electron/assets/netbird-systemtray-connecting-dark.png
--- a/client/netbird-electron/electron/assets/netbird-systemtray-connecting-macos.png
+++ b/client/netbird-electron/electron/assets/netbird-systemtray-connecting-macos.png
--- a/client/netbird-electron/electron/assets/netbird-systemtray-connecting-white-monochrome.png
+++ b/client/netbird-electron/electron/assets/netbird-systemtray-connecting-white-monochrome.png
--- a/client/netbird-electron/electron/assets/netbird-systemtray-connecting.png
+++ b/client/netbird-electron/electron/assets/netbird-systemtray-connecting.png
--- a/client/netbird-electron/electron/assets/netbird-systemtray-disconnected-macos.png
+++ b/client/netbird-electron/electron/assets/netbird-systemtray-disconnected-macos.png
--- a/client/netbird-electron/electron/assets/netbird-systemtray-disconnected-white-monochrome.png
+++ b/client/netbird-electron/electron/assets/netbird-systemtray-disconnected-white-monochrome.png
--- a/client/netbird-electron/electron/assets/netbird-systemtray-disconnected.png
+++ b/client/netbird-electron/electron/assets/netbird-systemtray-disconnected.png
--- a/client/netbird-electron/electron/assets/netbird-systemtray-error-dark.png
+++ b/client/netbird-electron/electron/assets/netbird-systemtray-error-dark.png
--- a/client/netbird-electron/electron/assets/netbird-systemtray-error-macos.png
+++ b/client/netbird-electron/electron/assets/netbird-systemtray-error-macos.png
--- a/client/netbird-electron/electron/assets/netbird-systemtray-error-white-monochrome.png
+++ b/client/netbird-electron/electron/assets/netbird-systemtray-error-white-monochrome.png
--- a/client/netbird-electron/electron/assets/netbird-systemtray-error.png
+++ b/client/netbird-electron/electron/assets/netbird-systemtray-error.png
--- a/client/netbird-electron/electron/assets/netbird-systemtray-update-connected-dark.png
+++ b/client/netbird-electron/electron/assets/netbird-systemtray-update-connected-dark.png
--- a/client/netbird-electron/electron/assets/netbird-systemtray-update-connected-macos.png
+++ b/client/netbird-electron/electron/assets/netbird-systemtray-update-connected-macos.png
--- a/client/netbird-electron/electron/assets/netbird-systemtray-update-connected-white-monochrome.png
+++ b/client/netbird-electron/electron/assets/netbird-systemtray-update-connected-white-monochrome.png
--- a/client/netbird-electron/electron/assets/netbird-systemtray-update-connected.png
+++ b/client/netbird-electron/electron/assets/netbird-systemtray-update-connected.png
--- a/client/netbird-electron/electron/assets/netbird-systemtray-update-disconnected-dark.png
+++ b/client/netbird-electron/electron/assets/netbird-systemtray-update-disconnected-dark.png
--- a/client/netbird-electron/electron/assets/netbird-systemtray-update-disconnected-macos.png
+++ b/client/netbird-electron/electron/assets/netbird-systemtray-update-disconnected-macos.png
--- a/client/netbird-electron/electron/assets/netbird-systemtray-update-disconnected-white-monochrome.png
+++ b/client/netbird-electron/electron/assets/netbird-systemtray-update-disconnected-white-monochrome.png
--- a/client/netbird-electron/electron/assets/netbird-systemtray-update-disconnected.png
+++ b/client/netbird-electron/electron/assets/netbird-systemtray-update-disconnected.png
--- a/client/netbird-electron/electron/assets/networks-icon.png
+++ b/client/netbird-electron/electron/assets/networks-icon.png
--- a/client/netbird-electron/electron/assets/networks-icon.svg
+++ b/client/netbird-electron/electron/assets/networks-icon.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><g fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"><rect width="6" height="6" x="16" y="16" rx="1"/><rect width="6" height="6" x="2" y="16" rx="1"/><rect width="6" height="6" x="9" y="2" rx="1"/><path d="M5 16v-3a1 1 0 0 1 1-1h12a1 1 0 0 1 1 1v3m-7-4V8"/></g></svg>
--- a/client/netbird-electron/electron/assets/package-icon.png
+++ b/client/netbird-electron/electron/assets/package-icon.png
--- a/client/netbird-electron/electron/assets/package-icon.svg
+++ b/client/netbird-electron/electron/assets/package-icon.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><g fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"><path d="m16 16l2 2l4-4"/><path d="M21 10V8a2 2 0 0 0-1-1.73l-7-4a2 2 0 0 0-2 0l-7 4A2 2 0 0 0 3 8v8a2 2 0 0 0 1 1.73l7 4a2 2 0 0 0 2 0l2-1.14M7.5 4.27l9 5.15"/><path d="M3.29 7L12 12l8.71-5M12 22V12"/></g></svg>
--- a/client/netbird-electron/electron/assets/power-icon.png
+++ b/client/netbird-electron/electron/assets/power-icon.png
--- a/client/netbird-electron/electron/assets/power-icon.svg
+++ b/client/netbird-electron/electron/assets/power-icon.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><path fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 2v10m6.4-5.4a9 9 0 1 1-12.77.04"/></svg>
--- a/client/netbird-electron/electron/assets/power-off-icon.png
+++ b/client/netbird-electron/electron/assets/power-off-icon.png
--- a/client/netbird-electron/electron/assets/power-off-icon.svg
+++ b/client/netbird-electron/electron/assets/power-off-icon.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><path fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M18.36 6.64A9 9 0 0 1 20.77 15M6.16 6.16a9 9 0 1 0 12.68 12.68M12 2v4M2 2l20 20"/></svg>
--- a/client/netbird-electron/electron/assets/power-on.png
+++ b/client/netbird-electron/electron/assets/power-on.png
@@ -0,0 +1,14 @@
+<svg
+  xmlns="http://www.w3.org/2000/svg"
+  width="24"
+  height="24"
+  viewBox="0 0 24 24"
+  fill="none"
+  stroke="currentColor"
+  stroke-width="2"
+  stroke-linecap="round"
+  stroke-linejoin="round"
+>
+  <path d="M12 2v10" />
+  <path d="M18.4 6.6a9 9 0 1 1-12.77.04" />
+</svg>
--- a/client/netbird-electron/electron/assets/profiles-icon.png
+++ b/client/netbird-electron/electron/assets/profiles-icon.png
--- a/client/netbird-electron/electron/assets/profiles-icon.svg
+++ b/client/netbird-electron/electron/assets/profiles-icon.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><g fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"><circle cx="12" cy="12" r="10"/><circle cx="12" cy="10" r="3"/><path d="M7 20.662V19a2 2 0 0 1 2-2h6a2 2 0 0 1 2 2v1.662"/></g></svg>
--- a/client/netbird-electron/electron/assets/quit-icon-test.svg
+++ b/client/netbird-electron/electron/assets/quit-icon-test.svg
@@ -0,0 +1,18 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 20010904//EN"
+ "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">
+<svg version="1.0" xmlns="http://www.w3.org/2000/svg"
+ width="16.000000pt" height="16.000000pt" viewBox="0 0 16.000000 16.000000"
+ preserveAspectRatio="xMidYMid meet">
+<metadata>
+Created by potrace 1.16, written by Peter Selinger 2001-2019
+</metadata>
+<g transform="translate(0.000000,16.000000) scale(0.100000,-0.100000)"
+fill="#000000" stroke="none">
+<path d="M0 80 l0 -80 80 0 80 0 0 80 0 80 -80 0 -80 0 0 -80z m70 60 c0 -5
+-9 -10 -20 -10 -17 0 -20 -7 -20 -50 0 -43 3 -50 20 -50 11 0 20 -4 20 -10 0
+-5 -13 -10 -30 -10 l-30 0 0 70 0 70 30 0 c17 0 30 -4 30 -10z m65 -40 c17
+-19 17 -21 0 -40 -21 -24 -40 -26 -31 -5 4 11 -2 15 -24 15 -17 0 -30 5 -30
+10 0 6 13 10 30 10 22 0 28 4 24 15 -9 21 10 19 31 -5z"/>
+</g>
+</svg>
--- a/client/netbird-electron/electron/assets/quit-icon.png
+++ b/client/netbird-electron/electron/assets/quit-icon.png
--- a/client/netbird-electron/electron/assets/quit-icon.svg
+++ b/client/netbird-electron/electron/assets/quit-icon.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><path fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="m16 17l5-5l-5-5m5 5H9m0 9H5a2 2 0 0 1-2-2V5a2 2 0 0 1 2-2h4"/></svg>
--- a/client/netbird-electron/electron/assets/refresh-icon.png
+++ b/client/netbird-electron/electron/assets/refresh-icon.png
--- a/client/netbird-electron/electron/assets/refresh-icon.svg
+++ b/client/netbird-electron/electron/assets/refresh-icon.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><g fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"><path d="M3 12a9 9 0 0 1 9-9a9.75 9.75 0 0 1 6.74 2.74L21 8"/><path d="M21 3v5h-5m5 4a9 9 0 0 1-9 9a9.75 9.75 0 0 1-6.74-2.74L3 16"/><path d="M8 16H3v5"/></g></svg>
--- a/client/netbird-electron/electron/assets/settings-icon.png
+++ b/client/netbird-electron/electron/assets/settings-icon.png
--- a/client/netbird-electron/electron/assets/settings-icon.svg
+++ b/client/netbird-electron/electron/assets/settings-icon.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><g fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"><path d="M9.671 4.136a2.34 2.34 0 0 1 4.659 0a2.34 2.34 0 0 0 3.319 1.915a2.34 2.34 0 0 1 2.33 4.033a2.34 2.34 0 0 0 0 3.831a2.34 2.34 0 0 1-2.33 4.033a2.34 2.34 0 0 0-3.319 1.915a2.34 2.34 0 0 1-4.659 0a2.34 2.34 0 0 0-3.32-1.915a2.34 2.34 0 0 1-2.33-4.033a2.34 2.34 0 0 0 0-3.831A2.34 2.34 0 0 1 6.35 6.051a2.34 2.34 0 0 0 3.319-1.915"/><circle cx="12" cy="12" r="3"/></g></svg>
--- a/client/netbird-electron/electron/assets/test-from-quit.png
+++ b/client/netbird-electron/electron/assets/test-from-quit.png
--- a/client/netbird-electron/electron/assets/test-power.png
+++ b/client/netbird-electron/electron/assets/test-power.png
--- a/client/netbird-electron/electron/assets/version-icon.png
+++ b/client/netbird-electron/electron/assets/version-icon.png
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
pascal	9c18770159	update build	2025-11-24 18:24:16 +01:00
pascal	b24fdf8b09	update gitignore	2025-11-01 12:17:03 +01:00
pascal	76b1003810	Add prototype UI clients	2025-11-01 12:17:02 +01:00
				`@@ -0,0 +1 @@`
				`<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><path fill="none" stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="6" d="M14.7 6.3a1 1 0 0 0 0 1.4l1.6 1.6a1 1 0 0 0 1.4 0l3.106-3.105c.32-.322.863-.22.983.218a6 6 0 0 1-8.259 7.057l-7.91 7.91a1 1 0 0 1-2.999-3l7.91-7.91a6 6 0 0 1 7.057-8.259c.438.12.54.662.219.984z"/></svg>`
				`@@ -0,0 +1 @@`
				<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><g fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"><path d="M9.671 4.136a2.34 2.34 0 0 1 4.659 0a2.34 2.34 0 0 0 3.319 1.915a2.34 2.34 0 0 1 2.33 4.033a2.34 2.34 0 0 0 0 3.831a2.34 2.34 0 0 1-2.33 4.033a2.34 2.34 0 0 0-3.319 1.915a2.34 2.34 0 0 1-4.659 0a2.34 2.34 0 0 0-3.32-1.915a2.34 2.34 0 0 1-2.33-4.033a2.34 2.34 0 0 0 0-3.831A2.34 2.34 0 0 1 6.35 6.051a2.34 2.34 0 0 0 3.319-1.915"/><circle cx="12" cy="12" r="3"/></g></svg>