cli client timeout

add some logs
add waitForConnectingShift and wait for it to change
2026-04-01 15:14:03 -04:00 · 2025-09-19 11:47:32 +02:00 · 2025-09-19 11:05:44 +02:00 · 2025-09-19 09:40:43 +02:00
316 changed files with 3587 additions and 14973 deletions
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -19,7 +19,7 @@ jobs:
      - name: codespell
        uses: codespell-project/actions-codespell@v2
        with:
-          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros
+          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe
          skip: go.mod,go.sum
  golangci:
    strategy:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,7 +9,7 @@ on:
  pull_request:

 env:
-  SIGN_PIPE_VER: "v0.0.23"
+  SIGN_PIPE_VER: "v0.0.22"
  GORELEASER_VER: "v2.3.2"
  PRODUCT_NAME: "NetBird"
  COPYRIGHT: "NetBird GmbH"
--- a/.github/workflows/wasm-build-validation.yml
+++ b/.github/workflows/wasm-build-validation.yml
@@ -1,67 +0,0 @@
-name: Wasm
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
-  cancel-in-progress: true
-
-jobs:
-  js_lint:
-    name: "JS / Lint"
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.23.x"
-      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
-      - name: Install golangci-lint
-        uses: golangci/golangci-lint-action@d6238b002a20823d52840fda27e2d4891c5952dc
-        with:
-          version: latest
-          install-mode: binary
-          skip-cache: true
-          skip-pkg-cache: true
-          skip-build-cache: true
-      - name: Run golangci-lint for WASM
-        run: |
-          GOOS=js GOARCH=wasm golangci-lint run --timeout=12m --out-format colored-line-number ./client/...
-        continue-on-error: true
-
-  js_build:
-    name: "JS / Build"
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.23.x"
-      - name: Build Wasm client
-        run: GOOS=js GOARCH=wasm go build -o netbird.wasm ./client/wasm/cmd
-        env:
-          CGO_ENABLED: 0
-      - name: Check Wasm build size
-        run: |
-          echo "Wasm build size:"
-          ls -lh netbird.wasm
-
-          SIZE=$(stat -c%s netbird.wasm)
-          SIZE_MB=$((SIZE / 1024 / 1024))
-
-          echo "Size: ${SIZE} bytes (${SIZE_MB} MB)"
-
-          if [ ${SIZE} -gt 52428800 ]; then
-            echo "Wasm binary size (${SIZE_MB}MB) exceeds 50MB limit!"
-            exit 1
-          fi
-
--- a/.gitmodules
+++ b/.gitmodules
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -2,18 +2,6 @@ version: 2

 project_name: netbird
 builds:
-  - id: netbird-wasm
-    dir: client/wasm/cmd
-    binary: netbird
-    env: [GOOS=js, GOARCH=wasm, CGO_ENABLED=0]
-    goos:
-      - js
-    goarch:
-      - wasm
-    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: "{{ .CommitTimestamp }}"
-
  - id: netbird
    dir: client
    binary: netbird
@@ -127,11 +115,6 @@ archives:
  - builds:
      - netbird
      - netbird-static
-  - id: netbird-wasm
-    builds:
-      - netbird-wasm
-    name_template: "{{ .ProjectName }}_{{ .Version }}"
-    format: binary

 nfpms:
  - maintainer: Netbird <dev@netbird.io>
--- a/README.md
+++ b/README.md
@@ -1,4 +1,3 @@
-
 <div align="center">
 <br/>
  <br/>
@@ -53,7 +52,7 @@

 ### Open Source Network Security in a Single Platform

-https://github.com/user-attachments/assets/10cec749-bb56-4ab3-97af-4e38850108d2
+<img width="1188" alt="centralized-network-management 1" src="https://github.com/user-attachments/assets/c28cc8e4-15d2-4d2f-bb97-a6433db39d56" />

 ### NetBird on Lawrence Systems (Video)
 [![Watch the video](https://img.youtube.com/vi/Kwrff6h0rEw/0.jpg)](https://www.youtube.com/watch?v=Kwrff6h0rEw)
--- a/client/Dockerfile
+++ b/client/Dockerfile
@@ -4,7 +4,7 @@
 #   sudo podman build -t localhost/netbird:latest -f client/Dockerfile --ignorefile .dockerignore-client .
 #   sudo podman run --rm -it --cap-add={BPF,NET_ADMIN,NET_RAW} localhost/netbird:latest

-FROM alpine:3.22.2
+FROM alpine:3.22.0
 # iproute2: busybox doesn't display ip rules properly
 RUN apk add --no-cache \
    bash \
@@ -18,7 +18,7 @@ ENV \
    NB_LOG_FILE="console,/var/log/netbird/client.log" \
    NB_DAEMON_ADDR="unix:///var/run/netbird.sock" \
    NB_ENTRYPOINT_SERVICE_TIMEOUT="5" \
-    NB_ENTRYPOINT_LOGIN_TIMEOUT="5"
+    NB_ENTRYPOINT_LOGIN_TIMEOUT="1"

 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]

--- a/client/android/client.go
+++ b/client/android/client.go
@@ -19,7 +19,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/formatter"
-	"github.com/netbirdio/netbird/client/net"
+	"github.com/netbirdio/netbird/util/net"
 )

 // ConnectionListener export internal Listener for mobile
--- a/client/cmd/debug.go
+++ b/client/cmd/debug.go
@@ -168,7 +168,7 @@ func runForDuration(cmd *cobra.Command, args []string) error {

 	client := proto.NewDaemonServiceClient(conn)

-	stat, err := client.Status(cmd.Context(), &proto.StatusRequest{ShouldRunProbes: true})
+	stat, err := client.Status(cmd.Context(), &proto.StatusRequest{})
 	if err != nil {
 		return fmt.Errorf("failed to get status: %v", status.Convert(err).Message())
 	}
@@ -303,18 +303,12 @@ func setSyncResponsePersistence(cmd *cobra.Command, args []string) error {

 func getStatusOutput(cmd *cobra.Command, anon bool) string {
 	var statusOutputString string
-	statusResp, err := getStatus(cmd.Context(), true)
+	statusResp, err := getStatus(cmd.Context())
 	if err != nil {
 		cmd.PrintErrf("Failed to get status: %v\n", err)
 	} else {
-		pm := profilemanager.NewProfileManager()
-		var profName string
-		if activeProf, err := pm.GetActiveProfile(); err == nil {
-			profName = activeProf.Name
-		}
-
 		statusOutputString = nbstatus.ParseToFullDetailSummary(
-			nbstatus.ConvertToStatusOutputOverview(statusResp, anon, "", nil, nil, nil, "", profName),
+			nbstatus.ConvertToStatusOutputOverview(statusResp, anon, "", nil, nil, nil, "", ""),
 		)
 	}
 	return statusOutputString
--- a/client/cmd/debug_js.go
+++ b/client/cmd/debug_js.go
@@ -1,8 +0,0 @@
-package cmd
-
-import "context"
-
-// SetupDebugHandler is a no-op for WASM
-func SetupDebugHandler(context.Context, interface{}, interface{}, interface{}, string) {
-	// Debug handler not needed for WASM
-}
--- a/client/cmd/down.go
+++ b/client/cmd/down.go
@@ -27,7 +27,7 @@ var downCmd = &cobra.Command{
 			return err
 		}

-		ctx, cancel := context.WithTimeout(context.Background(), time.Second*20)
+		ctx, cancel := context.WithTimeout(context.Background(), time.Second*7)
 		defer cancel()

 		conn, err := DialClientGRPCServer(ctx, daemonAddr)
--- a/client/cmd/login.go
+++ b/client/cmd/login.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"os"
-	"os/exec"
 	"os/user"
 	"runtime"
 	"strings"
@@ -357,21 +356,13 @@ func openURL(cmd *cobra.Command, verificationURIComplete, userCode string, noBro
 	cmd.Println("")

 	if !noBrowser {
-		if err := openBrowser(verificationURIComplete); err != nil {
+		if err := open.Run(verificationURIComplete); err != nil {
 			cmd.Println("\nAlternatively, you may want to use a setup key, see:\n\n" +
 				"https://docs.netbird.io/how-to/register-machines-using-setup-keys")
 		}
 	}
 }

-// openBrowser opens the URL in a browser, respecting the BROWSER environment variable.
-func openBrowser(url string) error {
-	if browser := os.Getenv("BROWSER"); browser != "" {
-		return exec.Command(browser, url).Start()
-	}
-	return open.Run(url)
-}
-
 // isUnixRunningDesktop checks if a Linux OS is running desktop environment
 func isUnixRunningDesktop() bool {
 	if runtime.GOOS != "linux" && runtime.GOOS != "freebsd" {
--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -68,7 +68,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {

 	ctx := internal.CtxInitState(cmd.Context())

-	resp, err := getStatus(ctx, false)
+	resp, err := getStatus(ctx)
 	if err != nil {
 		return err
 	}
@@ -121,7 +121,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 	return nil
 }

-func getStatus(ctx context.Context, shouldRunProbes bool) (*proto.StatusResponse, error) {
+func getStatus(ctx context.Context) (*proto.StatusResponse, error) {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to daemon error: %v\n"+
@@ -130,7 +130,7 @@ func getStatus(ctx context.Context, shouldRunProbes bool) (*proto.StatusResponse
 	}
 	defer conn.Close()

-	resp, err := proto.NewDaemonServiceClient(conn).Status(ctx, &proto.StatusRequest{GetFullPeerStatus: true, ShouldRunProbes: shouldRunProbes})
+	resp, err := proto.NewDaemonServiceClient(conn).Status(ctx, &proto.StatusRequest{GetFullPeerStatus: true, ShouldRunProbes: true})
 	if err != nil {
 		return nil, fmt.Errorf("status failed: %v", status.Convert(err).Message())
 	}
--- a/client/cmd/testutil_test.go
+++ b/client/cmd/testutil_test.go
@@ -12,7 +12,6 @@ import (
 	"google.golang.org/grpc"

 	"github.com/netbirdio/management-integrations/integrations"
-
 	clientProto "github.com/netbirdio/netbird/client/proto"
 	client "github.com/netbirdio/netbird/client/server"
 	"github.com/netbirdio/netbird/management/internals/server/config"
@@ -21,7 +20,6 @@ import (
 	"github.com/netbirdio/netbird/management/server/groups"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	"github.com/netbirdio/netbird/management/server/peers"
-	"github.com/netbirdio/netbird/management/server/peers/ephemeral/manager"
 	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/settings"
 	"github.com/netbirdio/netbird/management/server/store"
@@ -116,7 +114,7 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	}

 	secretsManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
-	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, &manager.EphemeralManager{}, nil, &mgmt.MockIntegratedValidator{})
+	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, nil, nil, &mgmt.MockIntegratedValidator{})
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -230,9 +230,7 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command, pm *profilemanager

 	client := proto.NewDaemonServiceClient(conn)

-	status, err := client.Status(ctx, &proto.StatusRequest{
-		WaitForReady: func() *bool { b := true; return &b }(),
-	})
+	status, err := client.Status(ctx, &proto.StatusRequest{WaitForConnectingShift: true})
 	if err != nil {
 		return fmt.Errorf("unable to get daemon status: %v", err)
 	}
--- a/client/embed/embed.go
+++ b/client/embed/embed.go
@@ -23,29 +23,23 @@ import (

 var ErrClientAlreadyStarted = errors.New("client already started")
 var ErrClientNotStarted = errors.New("client not started")
-var ErrConfigNotInitialized = errors.New("config not initialized")

-// Client manages a netbird embedded client instance.
+// Client manages a netbird embedded client instance
 type Client struct {
 	deviceName string
 	config     *profilemanager.Config
 	mu         sync.Mutex
 	cancel     context.CancelFunc
 	setupKey   string
-	jwtToken   string
 	connect    *internal.ConnectClient
 }

-// Options configures a new Client.
+// Options configures a new Client
 type Options struct {
 	// DeviceName is this peer's name in the network
 	DeviceName string
 	// SetupKey is used for authentication
 	SetupKey string
-	// JWTToken is used for JWT-based authentication
-	JWTToken string
-	// PrivateKey is used for direct private key authentication
-	PrivateKey string
 	// ManagementURL overrides the default management server URL
 	ManagementURL string
 	// PreSharedKey is the pre-shared key for the WireGuard interface
@@ -64,35 +58,8 @@ type Options struct {
 	DisableClientRoutes bool
 }

-// validateCredentials checks that exactly one credential type is provided
-func (opts *Options) validateCredentials() error {
-	credentialsProvided := 0
-	if opts.SetupKey != "" {
-		credentialsProvided++
-	}
-	if opts.JWTToken != "" {
-		credentialsProvided++
-	}
-	if opts.PrivateKey != "" {
-		credentialsProvided++
-	}
-
-	if credentialsProvided == 0 {
-		return fmt.Errorf("one of SetupKey, JWTToken, or PrivateKey must be provided")
-	}
-	if credentialsProvided > 1 {
-		return fmt.Errorf("only one of SetupKey, JWTToken, or PrivateKey can be specified")
-	}
-
-	return nil
-}
-
-// New creates a new netbird embedded client.
+// New creates a new netbird embedded client
 func New(opts Options) (*Client, error) {
-	if err := opts.validateCredentials(); err != nil {
-		return nil, err
-	}
-
 	if opts.LogOutput != nil {
 		logrus.SetOutput(opts.LogOutput)
 	}
@@ -140,14 +107,9 @@ func New(opts Options) (*Client, error) {
 		return nil, fmt.Errorf("create config: %w", err)
 	}

-	if opts.PrivateKey != "" {
-		config.PrivateKey = opts.PrivateKey
-	}
-
 	return &Client{
 		deviceName: opts.DeviceName,
 		setupKey:   opts.SetupKey,
-		jwtToken:   opts.JWTToken,
 		config:     config,
 	}, nil
 }
@@ -164,7 +126,7 @@ func (c *Client) Start(startCtx context.Context) error {
 	ctx := internal.CtxInitState(context.Background())
 	// nolint:staticcheck
 	ctx = context.WithValue(ctx, system.DeviceNameCtxKey, c.deviceName)
-	if err := internal.Login(ctx, c.config, c.setupKey, c.jwtToken); err != nil {
+	if err := internal.Login(ctx, c.config, c.setupKey, ""); err != nil {
 		return fmt.Errorf("login: %w", err)
 	}

@@ -173,7 +135,7 @@ func (c *Client) Start(startCtx context.Context) error {

 	// either startup error (permanent backoff err) or nil err (successful engine up)
 	// TODO: make after-startup backoff err available
-	run := make(chan struct{})
+	run := make(chan struct{}, 1)
 	clientErr := make(chan error, 1)
 	go func() {
 		if err := client.Run(run); err != nil {
@@ -225,16 +187,6 @@ func (c *Client) Stop(ctx context.Context) error {
 	}
 }

-// GetConfig returns a copy of the internal client config.
-func (c *Client) GetConfig() (profilemanager.Config, error) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	if c.config == nil {
-		return profilemanager.Config{}, ErrConfigNotInitialized
-	}
-	return *c.config, nil
-}
-
 // Dial dials a network address in the netbird network.
 // Not applicable if the userspace networking mode is disabled.
 func (c *Client) Dial(ctx context.Context, network, address string) (net.Conn, error) {
@@ -259,7 +211,7 @@ func (c *Client) Dial(ctx context.Context, network, address string) (net.Conn, e
 	return nsnet.DialContext(ctx, network, address)
 }

-// ListenTCP listens on the given address in the netbird network.
+// ListenTCP listens on the given address in the netbird network
 // Not applicable if the userspace networking mode is disabled.
 func (c *Client) ListenTCP(address string) (net.Listener, error) {
 	nsnet, addr, err := c.getNet()
@@ -280,7 +232,7 @@ func (c *Client) ListenTCP(address string) (net.Listener, error) {
 	return nsnet.ListenTCP(tcpAddr)
 }

-// ListenUDP listens on the given address in the netbird network.
+// ListenUDP listens on the given address in the netbird network
 // Not applicable if the userspace networking mode is disabled.
 func (c *Client) ListenUDP(address string) (net.PacketConn, error) {
 	nsnet, addr, err := c.getNet()
--- a/client/firewall/iptables/acl_linux.go
+++ b/client/firewall/iptables/acl_linux.go
@@ -12,7 +12,7 @@ import (

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )

 const (
@@ -400,6 +400,7 @@ func transformIPsetName(ipsetName string, sPort, dPort *firewall.Port, action fi
 		return ""
 	}

+	// Include action in the ipset name to prevent squashing rules with different actions
 	actionSuffix := ""
 	if action == firewall.ActionDrop {
 		actionSuffix = "-drop"
--- a/client/firewall/iptables/manager_linux.go
+++ b/client/firewall/iptables/manager_linux.go
@@ -260,22 +260,6 @@ func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	return m.router.UpdateSet(set, prefixes)
 }

-// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
-func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.AddInboundDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
-// RemoveInboundDNAT removes an inbound DNAT rule.
-func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.RemoveInboundDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
 func getConntrackEstablished() []string {
 	return []string{"-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
 }
--- a/client/firewall/iptables/router_linux.go
+++ b/client/firewall/iptables/router_linux.go
@@ -19,7 +19,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/routemanager/ipfwdstate"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )

 // constants needed to manage and create iptable rules
@@ -880,54 +880,6 @@ func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	return nberrors.FormatErrorOrNil(merr)
 }

-// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
-func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
-
-	if _, exists := r.rules[ruleID]; exists {
-		return nil
-	}
-
-	dnatRule := []string{
-		"-i", r.wgIface.Name(),
-		"-p", strings.ToLower(string(protocol)),
-		"--dport", strconv.Itoa(int(sourcePort)),
-		"-d", localAddr.String(),
-		"-m", "addrtype", "--dst-type", "LOCAL",
-		"-j", "DNAT",
-		"--to-destination", ":" + strconv.Itoa(int(targetPort)),
-	}
-
-	ruleInfo := ruleInfo{
-		table: tableNat,
-		chain: chainRTRDR,
-		rule:  dnatRule,
-	}
-
-	if err := r.iptablesClient.Append(ruleInfo.table, ruleInfo.chain, ruleInfo.rule...); err != nil {
-		return fmt.Errorf("add inbound DNAT rule: %w", err)
-	}
-	r.rules[ruleID] = ruleInfo.rule
-
-	r.updateState()
-	return nil
-}
-
-// RemoveInboundDNAT removes an inbound DNAT rule.
-func (r *router) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
-
-	if dnatRule, exists := r.rules[ruleID]; exists {
-		if err := r.iptablesClient.Delete(tableNat, chainRTRDR, dnatRule...); err != nil {
-			return fmt.Errorf("delete inbound DNAT rule: %w", err)
-		}
-		delete(r.rules, ruleID)
-	}
-
-	r.updateState()
-	return nil
-}
-
 func applyPort(flag string, port *firewall.Port) []string {
 	if port == nil {
 		return nil
--- a/client/firewall/iptables/router_linux_test.go
+++ b/client/firewall/iptables/router_linux_test.go
@@ -14,7 +14,7 @@ import (

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/test"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )

 func isIptablesSupported() bool {
--- a/client/firewall/manager/firewall.go
+++ b/client/firewall/manager/firewall.go
@@ -151,20 +151,14 @@ type Manager interface {

 	DisableRouting() error

-	// AddDNATRule adds outbound DNAT rule for forwarding external traffic to the NetBird network.
+	// AddDNATRule adds a DNAT rule
 	AddDNATRule(ForwardRule) (Rule, error)

-	// DeleteDNATRule deletes the outbound DNAT rule.
+	// DeleteDNATRule deletes a DNAT rule
 	DeleteDNATRule(Rule) error

 	// UpdateSet updates the set with the given prefixes
 	UpdateSet(hash Set, prefixes []netip.Prefix) error
-
-	// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services
-	AddInboundDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
-
-	// RemoveInboundDNAT removes inbound DNAT rule
-	RemoveInboundDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
 }

 func GenKey(format string, pair RouterPair) string {
--- a/client/firewall/nftables/acl_linux.go
+++ b/client/firewall/nftables/acl_linux.go
@@ -16,7 +16,7 @@ import (
 	"golang.org/x/sys/unix"

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )

 const (
--- a/client/firewall/nftables/manager_linux.go
+++ b/client/firewall/nftables/manager_linux.go
@@ -376,22 +376,6 @@ func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	return m.router.UpdateSet(set, prefixes)
 }

-// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
-func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.AddInboundDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
-// RemoveInboundDNAT removes an inbound DNAT rule.
-func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.RemoveInboundDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
 func (m *Manager) createWorkTable() (*nftables.Table, error) {
 	tables, err := m.rConn.ListTablesOfFamily(nftables.TableFamilyIPv4)
 	if err != nil {
--- a/client/firewall/nftables/router_linux.go
+++ b/client/firewall/nftables/router_linux.go
@@ -22,7 +22,7 @@ import (
 	nbid "github.com/netbirdio/netbird/client/internal/acl/id"
 	"github.com/netbirdio/netbird/client/internal/routemanager/ipfwdstate"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )

 const (
@@ -1350,103 +1350,6 @@ func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	return nil
 }

-// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
-func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
-
-	if _, exists := r.rules[ruleID]; exists {
-		return nil
-	}
-
-	protoNum, err := protoToInt(protocol)
-	if err != nil {
-		return fmt.Errorf("convert protocol to number: %w", err)
-	}
-
-	exprs := []expr.Any{
-		&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     ifname(r.wgIface.Name()),
-		},
-		&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 2},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 2,
-			Data:     []byte{protoNum},
-		},
-		&expr.Payload{
-			DestRegister: 3,
-			Base:         expr.PayloadBaseTransportHeader,
-			Offset:       2,
-			Len:          2,
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 3,
-			Data:     binaryutil.BigEndian.PutUint16(sourcePort),
-		},
-	}
-
-	exprs = append(exprs, applyPrefix(netip.PrefixFrom(localAddr, 32), false)...)
-
-	exprs = append(exprs,
-		&expr.Immediate{
-			Register: 1,
-			Data:     localAddr.AsSlice(),
-		},
-		&expr.Immediate{
-			Register: 2,
-			Data:     binaryutil.BigEndian.PutUint16(targetPort),
-		},
-		&expr.NAT{
-			Type:        expr.NATTypeDestNAT,
-			Family:      uint32(nftables.TableFamilyIPv4),
-			RegAddrMin:  1,
-			RegProtoMin: 2,
-			RegProtoMax: 0,
-		},
-	)
-
-	dnatRule := &nftables.Rule{
-		Table:    r.workTable,
-		Chain:    r.chains[chainNameRoutingRdr],
-		Exprs:    exprs,
-		UserData: []byte(ruleID),
-	}
-	r.conn.AddRule(dnatRule)
-
-	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf("add inbound DNAT rule: %w", err)
-	}
-
-	r.rules[ruleID] = dnatRule
-
-	return nil
-}
-
-// RemoveInboundDNAT removes an inbound DNAT rule.
-func (r *router) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	if err := r.refreshRulesMap(); err != nil {
-		return fmt.Errorf(refreshRulesMapError, err)
-	}
-
-	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
-
-	if rule, exists := r.rules[ruleID]; exists {
-		if err := r.conn.DelRule(rule); err != nil {
-			return fmt.Errorf("delete inbound DNAT rule %s: %w", ruleID, err)
-		}
-		if err := r.conn.Flush(); err != nil {
-			return fmt.Errorf("flush delete inbound DNAT rule: %w", err)
-		}
-		delete(r.rules, ruleID)
-	}
-
-	return nil
-}
-
 // applyNetwork generates nftables expressions for networks (CIDR) or sets
 func (r *router) applyNetwork(
 	network firewall.Network,
--- a/client/firewall/uspfilter/conntrack/common.go
+++ b/client/firewall/uspfilter/conntrack/common.go
@@ -22,8 +22,6 @@ type BaseConnTrack struct {
 	PacketsRx atomic.Uint64
 	BytesTx   atomic.Uint64
 	BytesRx   atomic.Uint64
-
-	DNATOrigPort atomic.Uint32
 }

 // these small methods will be inlined by the compiler
--- a/client/firewall/uspfilter/conntrack/tcp.go
+++ b/client/firewall/uspfilter/conntrack/tcp.go
@@ -157,7 +157,7 @@ func NewTCPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nftyp
 	return tracker
 }

-func (t *TCPTracker) updateIfExists(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, direction nftypes.Direction, size int) (ConnKey, uint16, bool) {
+func (t *TCPTracker) updateIfExists(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, direction nftypes.Direction, size int) (ConnKey, bool) {
 	key := ConnKey{
 		SrcIP:   srcIP,
 		DstIP:   dstIP,
@@ -171,30 +171,28 @@ func (t *TCPTracker) updateIfExists(srcIP, dstIP netip.Addr, srcPort, dstPort ui

 	if exists {
 		t.updateState(key, conn, flags, direction, size)
-		return key, uint16(conn.DNATOrigPort.Load()), true
+		return key, true
 	}

-	return key, 0, false
+	return key, false
 }

-// TrackOutbound records an outbound TCP connection and returns the original port if DNAT reversal is needed
-func (t *TCPTracker) TrackOutbound(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, size int) uint16 {
-	if _, origPort, exists := t.updateIfExists(dstIP, srcIP, dstPort, srcPort, flags, nftypes.Egress, size); exists {
-		return origPort
+// TrackOutbound records an outbound TCP connection
+func (t *TCPTracker) TrackOutbound(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, size int) {
+	if _, exists := t.updateIfExists(dstIP, srcIP, dstPort, srcPort, flags, nftypes.Egress, size); !exists {
+		// if (inverted direction) conn is not tracked, track this direction
+		t.track(srcIP, dstIP, srcPort, dstPort, flags, nftypes.Egress, nil, size)
 	}
-	// if (inverted direction) conn is not tracked, track this direction
-	t.track(srcIP, dstIP, srcPort, dstPort, flags, nftypes.Egress, nil, size, 0)
-	return 0
 }

 // TrackInbound processes an inbound TCP packet and updates connection state
-func (t *TCPTracker) TrackInbound(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, ruleID []byte, size int, dnatOrigPort uint16) {
-	t.track(srcIP, dstIP, srcPort, dstPort, flags, nftypes.Ingress, ruleID, size, dnatOrigPort)
+func (t *TCPTracker) TrackInbound(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, ruleID []byte, size int) {
+	t.track(srcIP, dstIP, srcPort, dstPort, flags, nftypes.Ingress, ruleID, size)
 }

 // track is the common implementation for tracking both inbound and outbound connections
-func (t *TCPTracker) track(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, direction nftypes.Direction, ruleID []byte, size int, origPort uint16) {
-	key, _, exists := t.updateIfExists(srcIP, dstIP, srcPort, dstPort, flags, direction, size)
+func (t *TCPTracker) track(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, direction nftypes.Direction, ruleID []byte, size int) {
+	key, exists := t.updateIfExists(srcIP, dstIP, srcPort, dstPort, flags, direction, size)
 	if exists || flags&TCPSyn == 0 {
 		return
 	}
@@ -212,13 +210,8 @@ func (t *TCPTracker) track(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, fla

 	conn.tombstone.Store(false)
 	conn.state.Store(int32(TCPStateNew))
-	conn.DNATOrigPort.Store(uint32(origPort))

-	if origPort != 0 {
-		t.logger.Trace4("New %s TCP connection: %s (port DNAT %d -> %d)", direction, key, origPort, dstPort)
-	} else {
-		t.logger.Trace2("New %s TCP connection: %s", direction, key)
-	}
+	t.logger.Trace2("New %s TCP connection: %s", direction, key)
 	t.updateState(key, conn, flags, direction, size)

 	t.mutex.Lock()
@@ -456,21 +449,6 @@ func (t *TCPTracker) cleanup() {
 	}
 }

-// GetConnection safely retrieves a connection state
-func (t *TCPTracker) GetConnection(srcIP netip.Addr, srcPort uint16, dstIP netip.Addr, dstPort uint16) (*TCPConnTrack, bool) {
-	t.mutex.RLock()
-	defer t.mutex.RUnlock()
-
-	key := ConnKey{
-		SrcIP:   srcIP,
-		DstIP:   dstIP,
-		SrcPort: srcPort,
-		DstPort: dstPort,
-	}
-	conn, exists := t.connections[key]
-	return conn, exists
-}
-
 // Close stops the cleanup routine and releases resources
 func (t *TCPTracker) Close() {
 	t.tickerCancel()
--- a/client/firewall/uspfilter/conntrack/tcp_test.go
+++ b/client/firewall/uspfilter/conntrack/tcp_test.go
@@ -603,7 +603,7 @@ func TestTCPInboundInitiatedConnection(t *testing.T) {
 	serverPort := uint16(80)

 	// 1. Client sends SYN (we receive it as inbound)
-	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPSyn, nil, 100, 0)
+	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPSyn, nil, 100)

 	key := ConnKey{
 		SrcIP:   clientIP,
@@ -623,12 +623,12 @@ func TestTCPInboundInitiatedConnection(t *testing.T) {
 	tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPSyn|TCPAck, 100)

 	// 3. Client sends ACK to complete handshake
-	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100, 0)
+	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100)
 	require.Equal(t, TCPStateEstablished, conn.GetState(), "Connection should be ESTABLISHED after handshake completion")

 	// 4. Test data transfer
 	// Client sends data
-	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPPush|TCPAck, nil, 1000, 0)
+	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPPush|TCPAck, nil, 1000)

 	// Server sends ACK for data
 	tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPAck, 100)
@@ -637,7 +637,7 @@ func TestTCPInboundInitiatedConnection(t *testing.T) {
 	tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPPush|TCPAck, 1500)

 	// Client sends ACK for data
-	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100, 0)
+	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100)

 	// Verify state and counters
 	require.Equal(t, TCPStateEstablished, conn.GetState())
--- a/client/firewall/uspfilter/conntrack/udp.go
+++ b/client/firewall/uspfilter/conntrack/udp.go
@@ -58,23 +58,20 @@ func NewUDPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nftyp
 	return tracker
 }

-// TrackOutbound records an outbound UDP connection and returns the original port if DNAT reversal is needed
-func (t *UDPTracker) TrackOutbound(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, size int) uint16 {
-	_, origPort, exists := t.updateIfExists(dstIP, srcIP, dstPort, srcPort, nftypes.Egress, size)
-	if exists {
-		return origPort
+// TrackOutbound records an outbound UDP connection
+func (t *UDPTracker) TrackOutbound(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, size int) {
+	if _, exists := t.updateIfExists(dstIP, srcIP, dstPort, srcPort, nftypes.Egress, size); !exists {
+		// if (inverted direction) conn is not tracked, track this direction
+		t.track(srcIP, dstIP, srcPort, dstPort, nftypes.Egress, nil, size)
 	}
-	// if (inverted direction) conn is not tracked, track this direction
-	t.track(srcIP, dstIP, srcPort, dstPort, nftypes.Egress, nil, size, 0)
-	return 0
 }

 // TrackInbound records an inbound UDP connection
-func (t *UDPTracker) TrackInbound(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, ruleID []byte, size int, dnatOrigPort uint16) {
-	t.track(srcIP, dstIP, srcPort, dstPort, nftypes.Ingress, ruleID, size, dnatOrigPort)
+func (t *UDPTracker) TrackInbound(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, ruleID []byte, size int) {
+	t.track(srcIP, dstIP, srcPort, dstPort, nftypes.Ingress, ruleID, size)
 }

-func (t *UDPTracker) updateIfExists(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, direction nftypes.Direction, size int) (ConnKey, uint16, bool) {
+func (t *UDPTracker) updateIfExists(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, direction nftypes.Direction, size int) (ConnKey, bool) {
 	key := ConnKey{
 		SrcIP:   srcIP,
 		DstIP:   dstIP,
@@ -89,15 +86,15 @@ func (t *UDPTracker) updateIfExists(srcIP netip.Addr, dstIP netip.Addr, srcPort
 	if exists {
 		conn.UpdateLastSeen()
 		conn.UpdateCounters(direction, size)
-		return key, uint16(conn.DNATOrigPort.Load()), true
+		return key, true
 	}

-	return key, 0, false
+	return key, false
 }

 // track is the common implementation for tracking both inbound and outbound connections
-func (t *UDPTracker) track(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, direction nftypes.Direction, ruleID []byte, size int, origPort uint16) {
-	key, _, exists := t.updateIfExists(srcIP, dstIP, srcPort, dstPort, direction, size)
+func (t *UDPTracker) track(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, direction nftypes.Direction, ruleID []byte, size int) {
+	key, exists := t.updateIfExists(srcIP, dstIP, srcPort, dstPort, direction, size)
 	if exists {
 		return
 	}
@@ -112,7 +109,6 @@ func (t *UDPTracker) track(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, d
 		SourcePort: srcPort,
 		DestPort:   dstPort,
 	}
-	conn.DNATOrigPort.Store(uint32(origPort))
 	conn.UpdateLastSeen()
 	conn.UpdateCounters(direction, size)

@@ -120,11 +116,7 @@ func (t *UDPTracker) track(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, d
 	t.connections[key] = conn
 	t.mutex.Unlock()

-	if origPort != 0 {
-		t.logger.Trace4("New %s UDP connection: %s (port DNAT %d -> %d)", direction, key, origPort, dstPort)
-	} else {
-		t.logger.Trace2("New %s UDP connection: %s", direction, key)
-	}
+	t.logger.Trace2("New %s UDP connection: %s", direction, key)
 	t.sendEvent(nftypes.TypeStart, conn, ruleID)
 }

--- a/client/firewall/uspfilter/filter.go
+++ b/client/firewall/uspfilter/filter.go
@@ -109,10 +109,6 @@ type Manager struct {
 	dnatMappings map[netip.Addr]netip.Addr
 	dnatMutex    sync.RWMutex
 	dnatBiMap    *biDNATMap
-
-	portDNATEnabled atomic.Bool
-	portDNATRules   []portDNATRule
-	portDNATMutex   sync.RWMutex
 }

 // decoder for packages
@@ -126,8 +122,6 @@ type decoder struct {
 	icmp6   layers.ICMPv6
 	decoded []gopacket.LayerType
 	parser  *gopacket.DecodingLayerParser
-
-	dnatOrigPort uint16
 }

 // Create userspace firewall manager constructor
@@ -202,7 +196,6 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		netstack:            netstack.IsEnabled(),
 		localForwarding:     enableLocalForwarding,
 		dnatMappings:        make(map[netip.Addr]netip.Addr),
-		portDNATRules:       []portDNATRule{},
 	}
 	m.routingEnabled.Store(false)

@@ -637,7 +630,7 @@ func (m *Manager) filterOutbound(packetData []byte, size int) bool {
 		return true
 	}

-	m.trackOutbound(d, srcIP, dstIP, packetData, size)
+	m.trackOutbound(d, srcIP, dstIP, size)
 	m.translateOutboundDNAT(packetData, d)

 	return false
@@ -681,26 +674,14 @@ func getTCPFlags(tcp *layers.TCP) uint8 {
 	return flags
 }

-func (m *Manager) trackOutbound(d *decoder, srcIP, dstIP netip.Addr, packetData []byte, size int) {
+func (m *Manager) trackOutbound(d *decoder, srcIP, dstIP netip.Addr, size int) {
 	transport := d.decoded[1]
 	switch transport {
 	case layers.LayerTypeUDP:
-		origPort := m.udpTracker.TrackOutbound(srcIP, dstIP, uint16(d.udp.SrcPort), uint16(d.udp.DstPort), size)
-		if origPort == 0 {
-			break
-		}
-		if err := m.rewriteUDPPort(packetData, d, origPort, sourcePortOffset); err != nil {
-			m.logger.Error1("failed to rewrite UDP port: %v", err)
-		}
+		m.udpTracker.TrackOutbound(srcIP, dstIP, uint16(d.udp.SrcPort), uint16(d.udp.DstPort), size)
 	case layers.LayerTypeTCP:
 		flags := getTCPFlags(&d.tcp)
-		origPort := m.tcpTracker.TrackOutbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, size)
-		if origPort == 0 {
-			break
-		}
-		if err := m.rewriteTCPPort(packetData, d, origPort, sourcePortOffset); err != nil {
-			m.logger.Error1("failed to rewrite TCP port: %v", err)
-		}
+		m.tcpTracker.TrackOutbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, size)
 	case layers.LayerTypeICMPv4:
 		m.icmpTracker.TrackOutbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, d.icmp4.Payload, size)
 	}
@@ -710,15 +691,13 @@ func (m *Manager) trackInbound(d *decoder, srcIP, dstIP netip.Addr, ruleID []byt
 	transport := d.decoded[1]
 	switch transport {
 	case layers.LayerTypeUDP:
-		m.udpTracker.TrackInbound(srcIP, dstIP, uint16(d.udp.SrcPort), uint16(d.udp.DstPort), ruleID, size, d.dnatOrigPort)
+		m.udpTracker.TrackInbound(srcIP, dstIP, uint16(d.udp.SrcPort), uint16(d.udp.DstPort), ruleID, size)
 	case layers.LayerTypeTCP:
 		flags := getTCPFlags(&d.tcp)
-		m.tcpTracker.TrackInbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, ruleID, size, d.dnatOrigPort)
+		m.tcpTracker.TrackInbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, ruleID, size)
 	case layers.LayerTypeICMPv4:
 		m.icmpTracker.TrackInbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, ruleID, d.icmp4.Payload, size)
 	}
-
-	d.dnatOrigPort = 0
 }

 // udpHooksDrop checks if any UDP hooks should drop the packet
@@ -780,20 +759,10 @@ func (m *Manager) filterInbound(packetData []byte, size int) bool {
 		return false
 	}

-	// TODO: optimize port DNAT by caching matched rules in conntrack
-	if translated := m.translateInboundPortDNAT(packetData, d, srcIP, dstIP); translated {
-		// Re-decode after port DNAT translation to update port information
-		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
-			m.logger.Error1("failed to re-decode packet after port DNAT: %v", err)
-			return true
-		}
-		srcIP, dstIP = m.extractIPs(d)
-	}
-
 	if translated := m.translateInboundReverse(packetData, d); translated {
 		// Re-decode after translation to get original addresses
 		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
-			m.logger.Error1("failed to re-decode packet after reverse DNAT: %v", err)
+			m.logger.Error1("Failed to re-decode packet after reverse DNAT: %v", err)
 			return true
 		}
 		srcIP, dstIP = m.extractIPs(d)
--- a/client/firewall/uspfilter/log/log.go
+++ b/client/firewall/uspfilter/log/log.go
@@ -50,8 +50,6 @@ type logMessage struct {
 	arg4   any
 	arg5   any
 	arg6   any
-	arg7   any
-	arg8   any
 }

 // Logger is a high-performance, non-blocking logger
@@ -96,6 +94,7 @@ func (l *Logger) SetLevel(level Level) {
 	log.Debugf("Set uspfilter logger loglevel to %v", levelStrings[level])
 }

+
 func (l *Logger) Error(format string) {
 	if l.level.Load() >= uint32(LevelError) {
 		select {
@@ -186,15 +185,6 @@ func (l *Logger) Debug2(format string, arg1, arg2 any) {
 	}
 }

-func (l *Logger) Debug3(format string, arg1, arg2, arg3 any) {
-	if l.level.Load() >= uint32(LevelDebug) {
-		select {
-		case l.msgChannel <- logMessage{level: LevelDebug, format: format, arg1: arg1, arg2: arg2, arg3: arg3}:
-		default:
-		}
-	}
-}
-
 func (l *Logger) Trace1(format string, arg1 any) {
 	if l.level.Load() >= uint32(LevelTrace) {
 		select {
@@ -249,16 +239,6 @@ func (l *Logger) Trace6(format string, arg1, arg2, arg3, arg4, arg5, arg6 any) {
 	}
 }

-// Trace8 logs a trace message with 8 arguments (8 placeholder in format string)
-func (l *Logger) Trace8(format string, arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8 any) {
-	if l.level.Load() >= uint32(LevelTrace) {
-		select {
-		case l.msgChannel <- logMessage{level: LevelTrace, format: format, arg1: arg1, arg2: arg2, arg3: arg3, arg4: arg4, arg5: arg5, arg6: arg6, arg7: arg7, arg8: arg8}:
-		default:
-		}
-	}
-}
-
 func (l *Logger) formatMessage(buf *[]byte, msg logMessage) {
 	*buf = (*buf)[:0]
 	*buf = time.Now().AppendFormat(*buf, "2006-01-02T15:04:05-07:00")
@@ -280,12 +260,6 @@ func (l *Logger) formatMessage(buf *[]byte, msg logMessage) {
 						argCount++
 						if msg.arg6 != nil {
 							argCount++
-							if msg.arg7 != nil {
-								argCount++
-								if msg.arg8 != nil {
-									argCount++
-								}
-							}
 						}
 					}
 				}
@@ -309,10 +283,6 @@ func (l *Logger) formatMessage(buf *[]byte, msg logMessage) {
 		formatted = fmt.Sprintf(msg.format, msg.arg1, msg.arg2, msg.arg3, msg.arg4, msg.arg5)
 	case 6:
 		formatted = fmt.Sprintf(msg.format, msg.arg1, msg.arg2, msg.arg3, msg.arg4, msg.arg5, msg.arg6)
-	case 7:
-		formatted = fmt.Sprintf(msg.format, msg.arg1, msg.arg2, msg.arg3, msg.arg4, msg.arg5, msg.arg6, msg.arg7)
-	case 8:
-		formatted = fmt.Sprintf(msg.format, msg.arg1, msg.arg2, msg.arg3, msg.arg4, msg.arg5, msg.arg6, msg.arg7, msg.arg8)
 	}

 	*buf = append(*buf, formatted...)
@@ -420,4 +390,4 @@ func (l *Logger) Stop(ctx context.Context) error {
 	case <-done:
 		return nil
 	}
-}
+}
--- a/client/firewall/uspfilter/nat.go
+++ b/client/firewall/uspfilter/nat.go
@@ -5,9 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net/netip"
-	"slices"

-	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
@@ -15,21 +13,6 @@ import (

 var ErrIPv4Only = errors.New("only IPv4 is supported for DNAT")

-var (
-	errInvalidIPHeaderLength = errors.New("invalid IP header length")
-)
-
-const (
-	// Port offsets in TCP/UDP headers
-	sourcePortOffset      = 0
-	destinationPortOffset = 2
-
-	// IP address offsets in IPv4 header
-	sourceIPOffset      = 12
-	destinationIPOffset = 16
-)
-
-// ipv4Checksum calculates IPv4 header checksum.
 func ipv4Checksum(header []byte) uint16 {
 	if len(header) < 20 {
 		return 0
@@ -69,7 +52,6 @@ func ipv4Checksum(header []byte) uint16 {
 	return ^uint16(sum)
 }

-// icmpChecksum calculates ICMP checksum.
 func icmpChecksum(data []byte) uint16 {
 	var sum1, sum2, sum3, sum4 uint32
 	i := 0
@@ -107,21 +89,11 @@ func icmpChecksum(data []byte) uint16 {
 	return ^uint16(sum)
 }

-// biDNATMap maintains bidirectional DNAT mappings.
 type biDNATMap struct {
 	forward map[netip.Addr]netip.Addr
 	reverse map[netip.Addr]netip.Addr
 }

-// portDNATRule represents a port-specific DNAT rule.
-type portDNATRule struct {
-	protocol   gopacket.LayerType
-	origPort   uint16
-	targetPort uint16
-	targetIP   netip.Addr
-}
-
-// newBiDNATMap creates a new bidirectional DNAT mapping structure.
 func newBiDNATMap() *biDNATMap {
 	return &biDNATMap{
 		forward: make(map[netip.Addr]netip.Addr),
@@ -129,13 +101,11 @@ func newBiDNATMap() *biDNATMap {
 	}
 }

-// set adds a bidirectional DNAT mapping between original and translated addresses.
 func (b *biDNATMap) set(original, translated netip.Addr) {
 	b.forward[original] = translated
 	b.reverse[translated] = original
 }

-// delete removes a bidirectional DNAT mapping for the given original address.
 func (b *biDNATMap) delete(original netip.Addr) {
 	if translated, exists := b.forward[original]; exists {
 		delete(b.forward, original)
@@ -143,25 +113,19 @@ func (b *biDNATMap) delete(original netip.Addr) {
 	}
 }

-// getTranslated returns the translated address for a given original address.
 func (b *biDNATMap) getTranslated(original netip.Addr) (netip.Addr, bool) {
 	translated, exists := b.forward[original]
 	return translated, exists
 }

-// getOriginal returns the original address for a given translated address.
 func (b *biDNATMap) getOriginal(translated netip.Addr) (netip.Addr, bool) {
 	original, exists := b.reverse[translated]
 	return original, exists
 }

-// AddInternalDNATMapping adds a 1:1 IP address mapping for internal DNAT translation.
 func (m *Manager) AddInternalDNATMapping(originalAddr, translatedAddr netip.Addr) error {
-	if !originalAddr.IsValid() {
-		return fmt.Errorf("invalid original IP address")
-	}
-	if !translatedAddr.IsValid() {
-		return fmt.Errorf("invalid translated IP address")
+	if !originalAddr.IsValid() || !translatedAddr.IsValid() {
+		return fmt.Errorf("invalid IP addresses")
 	}

 	if m.localipmanager.IsLocalIP(translatedAddr) {
@@ -171,6 +135,7 @@ func (m *Manager) AddInternalDNATMapping(originalAddr, translatedAddr netip.Addr
 	m.dnatMutex.Lock()
 	defer m.dnatMutex.Unlock()

+	// Initialize both maps together if either is nil
 	if m.dnatMappings == nil || m.dnatBiMap == nil {
 		m.dnatMappings = make(map[netip.Addr]netip.Addr)
 		m.dnatBiMap = newBiDNATMap()
@@ -186,7 +151,7 @@ func (m *Manager) AddInternalDNATMapping(originalAddr, translatedAddr netip.Addr
 	return nil
 }

-// RemoveInternalDNATMapping removes a 1:1 IP address mapping.
+// RemoveInternalDNATMapping removes a 1:1 IP address mapping
 func (m *Manager) RemoveInternalDNATMapping(originalAddr netip.Addr) error {
 	m.dnatMutex.Lock()
 	defer m.dnatMutex.Unlock()
@@ -204,7 +169,7 @@ func (m *Manager) RemoveInternalDNATMapping(originalAddr netip.Addr) error {
 	return nil
 }

-// getDNATTranslation returns the translated address if a mapping exists.
+// getDNATTranslation returns the translated address if a mapping exists
 func (m *Manager) getDNATTranslation(addr netip.Addr) (netip.Addr, bool) {
 	if !m.dnatEnabled.Load() {
 		return addr, false
@@ -216,7 +181,7 @@ func (m *Manager) getDNATTranslation(addr netip.Addr) (netip.Addr, bool) {
 	return translated, exists
 }

-// findReverseDNATMapping finds original address for return traffic.
+// findReverseDNATMapping finds original address for return traffic
 func (m *Manager) findReverseDNATMapping(translatedAddr netip.Addr) (netip.Addr, bool) {
 	if !m.dnatEnabled.Load() {
 		return translatedAddr, false
@@ -228,12 +193,16 @@ func (m *Manager) findReverseDNATMapping(translatedAddr netip.Addr) (netip.Addr,
 	return original, exists
 }

-// translateOutboundDNAT applies DNAT translation to outbound packets.
+// translateOutboundDNAT applies DNAT translation to outbound packets
 func (m *Manager) translateOutboundDNAT(packetData []byte, d *decoder) bool {
 	if !m.dnatEnabled.Load() {
 		return false
 	}

+	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 {
+		return false
+	}
+
 	dstIP := netip.AddrFrom4([4]byte{packetData[16], packetData[17], packetData[18], packetData[19]})

 	translatedIP, exists := m.getDNATTranslation(dstIP)
@@ -241,8 +210,8 @@ func (m *Manager) translateOutboundDNAT(packetData []byte, d *decoder) bool {
 		return false
 	}

-	if err := m.rewritePacketIP(packetData, d, translatedIP, destinationIPOffset); err != nil {
-		m.logger.Error1("failed to rewrite packet destination: %v", err)
+	if err := m.rewritePacketDestination(packetData, d, translatedIP); err != nil {
+		m.logger.Error1("Failed to rewrite packet destination: %v", err)
 		return false
 	}

@@ -250,12 +219,16 @@ func (m *Manager) translateOutboundDNAT(packetData []byte, d *decoder) bool {
 	return true
 }

-// translateInboundReverse applies reverse DNAT to inbound return traffic.
+// translateInboundReverse applies reverse DNAT to inbound return traffic
 func (m *Manager) translateInboundReverse(packetData []byte, d *decoder) bool {
 	if !m.dnatEnabled.Load() {
 		return false
 	}

+	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 {
+		return false
+	}
+
 	srcIP := netip.AddrFrom4([4]byte{packetData[12], packetData[13], packetData[14], packetData[15]})

 	originalIP, exists := m.findReverseDNATMapping(srcIP)
@@ -263,8 +236,8 @@ func (m *Manager) translateInboundReverse(packetData []byte, d *decoder) bool {
 		return false
 	}

-	if err := m.rewritePacketIP(packetData, d, originalIP, sourceIPOffset); err != nil {
-		m.logger.Error1("failed to rewrite packet source: %v", err)
+	if err := m.rewritePacketSource(packetData, d, originalIP); err != nil {
+		m.logger.Error1("Failed to rewrite packet source: %v", err)
 		return false
 	}

@@ -272,21 +245,21 @@ func (m *Manager) translateInboundReverse(packetData []byte, d *decoder) bool {
 	return true
 }

-// rewritePacketIP replaces an IP address (source or destination) in the packet and updates checksums.
-func (m *Manager) rewritePacketIP(packetData []byte, d *decoder, newIP netip.Addr, ipOffset int) error {
-	if !newIP.Is4() {
+// rewritePacketDestination replaces destination IP in the packet
+func (m *Manager) rewritePacketDestination(packetData []byte, d *decoder, newIP netip.Addr) error {
+	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 || !newIP.Is4() {
 		return ErrIPv4Only
 	}

-	var oldIP [4]byte
-	copy(oldIP[:], packetData[ipOffset:ipOffset+4])
-	newIPBytes := newIP.As4()
+	var oldDst [4]byte
+	copy(oldDst[:], packetData[16:20])
+	newDst := newIP.As4()

-	copy(packetData[ipOffset:ipOffset+4], newIPBytes[:])
+	copy(packetData[16:20], newDst[:])

 	ipHeaderLen := int(d.ip4.IHL) * 4
 	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
-		return errInvalidIPHeaderLength
+		return fmt.Errorf("invalid IP header length")
 	}

 	binary.BigEndian.PutUint16(packetData[10:12], 0)
@@ -296,9 +269,44 @@ func (m *Manager) rewritePacketIP(packetData []byte, d *decoder, newIP netip.Add
 	if len(d.decoded) > 1 {
 		switch d.decoded[1] {
 		case layers.LayerTypeTCP:
-			m.updateTCPChecksum(packetData, ipHeaderLen, oldIP[:], newIPBytes[:])
+			m.updateTCPChecksum(packetData, ipHeaderLen, oldDst[:], newDst[:])
 		case layers.LayerTypeUDP:
-			m.updateUDPChecksum(packetData, ipHeaderLen, oldIP[:], newIPBytes[:])
+			m.updateUDPChecksum(packetData, ipHeaderLen, oldDst[:], newDst[:])
+		case layers.LayerTypeICMPv4:
+			m.updateICMPChecksum(packetData, ipHeaderLen)
+		}
+	}
+
+	return nil
+}
+
+// rewritePacketSource replaces the source IP address in the packet
+func (m *Manager) rewritePacketSource(packetData []byte, d *decoder, newIP netip.Addr) error {
+	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 || !newIP.Is4() {
+		return ErrIPv4Only
+	}
+
+	var oldSrc [4]byte
+	copy(oldSrc[:], packetData[12:16])
+	newSrc := newIP.As4()
+
+	copy(packetData[12:16], newSrc[:])
+
+	ipHeaderLen := int(d.ip4.IHL) * 4
+	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
+		return fmt.Errorf("invalid IP header length")
+	}
+
+	binary.BigEndian.PutUint16(packetData[10:12], 0)
+	ipChecksum := ipv4Checksum(packetData[:ipHeaderLen])
+	binary.BigEndian.PutUint16(packetData[10:12], ipChecksum)
+
+	if len(d.decoded) > 1 {
+		switch d.decoded[1] {
+		case layers.LayerTypeTCP:
+			m.updateTCPChecksum(packetData, ipHeaderLen, oldSrc[:], newSrc[:])
+		case layers.LayerTypeUDP:
+			m.updateUDPChecksum(packetData, ipHeaderLen, oldSrc[:], newSrc[:])
 		case layers.LayerTypeICMPv4:
 			m.updateICMPChecksum(packetData, ipHeaderLen)
 		}
@@ -307,7 +315,6 @@ func (m *Manager) rewritePacketIP(packetData []byte, d *decoder, newIP netip.Add
 	return nil
 }

-// updateTCPChecksum updates TCP checksum after IP address change per RFC 1624.
 func (m *Manager) updateTCPChecksum(packetData []byte, ipHeaderLen int, oldIP, newIP []byte) {
 	tcpStart := ipHeaderLen
 	if len(packetData) < tcpStart+18 {
@@ -320,7 +327,6 @@ func (m *Manager) updateTCPChecksum(packetData []byte, ipHeaderLen int, oldIP, n
 	binary.BigEndian.PutUint16(packetData[checksumOffset:checksumOffset+2], newChecksum)
 }

-// updateUDPChecksum updates UDP checksum after IP address change per RFC 1624.
 func (m *Manager) updateUDPChecksum(packetData []byte, ipHeaderLen int, oldIP, newIP []byte) {
 	udpStart := ipHeaderLen
 	if len(packetData) < udpStart+8 {
@@ -338,7 +344,6 @@ func (m *Manager) updateUDPChecksum(packetData []byte, ipHeaderLen int, oldIP, n
 	binary.BigEndian.PutUint16(packetData[checksumOffset:checksumOffset+2], newChecksum)
 }

-// updateICMPChecksum recalculates ICMP checksum after packet modification.
 func (m *Manager) updateICMPChecksum(packetData []byte, ipHeaderLen int) {
 	icmpStart := ipHeaderLen
 	if len(packetData) < icmpStart+8 {
@@ -351,7 +356,7 @@ func (m *Manager) updateICMPChecksum(packetData []byte, ipHeaderLen int) {
 	binary.BigEndian.PutUint16(icmpData[2:4], checksum)
 }

-// incrementalUpdate performs incremental checksum update per RFC 1624.
+// incrementalUpdate performs incremental checksum update per RFC 1624
 func incrementalUpdate(oldChecksum uint16, oldBytes, newBytes []byte) uint16 {
 	sum := uint32(^oldChecksum)

@@ -386,7 +391,7 @@ func incrementalUpdate(oldChecksum uint16, oldBytes, newBytes []byte) uint16 {
 	return ^uint16(sum)
 }

-// AddDNATRule adds outbound DNAT rule for forwarding external traffic to NetBird network.
+// AddDNATRule adds a DNAT rule (delegates to native firewall for port forwarding)
 func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
 	if m.nativeFirewall == nil {
 		return nil, errNatNotSupported
@@ -394,184 +399,10 @@ func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error)
 	return m.nativeFirewall.AddDNATRule(rule)
 }

-// DeleteDNATRule deletes outbound DNAT rule.
+// DeleteDNATRule deletes a DNAT rule (delegates to native firewall)
 func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
 	if m.nativeFirewall == nil {
 		return errNatNotSupported
 	}
 	return m.nativeFirewall.DeleteDNATRule(rule)
 }
-
-// addPortRedirection adds a port redirection rule.
-func (m *Manager) addPortRedirection(targetIP netip.Addr, protocol gopacket.LayerType, sourcePort, targetPort uint16) error {
-	m.portDNATMutex.Lock()
-	defer m.portDNATMutex.Unlock()
-
-	rule := portDNATRule{
-		protocol:   protocol,
-		origPort:   sourcePort,
-		targetPort: targetPort,
-		targetIP:   targetIP,
-	}
-
-	m.portDNATRules = append(m.portDNATRules, rule)
-	m.portDNATEnabled.Store(true)
-
-	return nil
-}
-
-// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
-func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	var layerType gopacket.LayerType
-	switch protocol {
-	case firewall.ProtocolTCP:
-		layerType = layers.LayerTypeTCP
-	case firewall.ProtocolUDP:
-		layerType = layers.LayerTypeUDP
-	default:
-		return fmt.Errorf("unsupported protocol: %s", protocol)
-	}
-
-	return m.addPortRedirection(localAddr, layerType, sourcePort, targetPort)
-}
-
-// removePortRedirection removes a port redirection rule.
-func (m *Manager) removePortRedirection(targetIP netip.Addr, protocol gopacket.LayerType, sourcePort, targetPort uint16) error {
-	m.portDNATMutex.Lock()
-	defer m.portDNATMutex.Unlock()
-
-	m.portDNATRules = slices.DeleteFunc(m.portDNATRules, func(rule portDNATRule) bool {
-		return rule.protocol == protocol && rule.origPort == sourcePort && rule.targetPort == targetPort && rule.targetIP.Compare(targetIP) == 0
-	})
-
-	if len(m.portDNATRules) == 0 {
-		m.portDNATEnabled.Store(false)
-	}
-
-	return nil
-}
-
-// RemoveInboundDNAT removes an inbound DNAT rule.
-func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	var layerType gopacket.LayerType
-	switch protocol {
-	case firewall.ProtocolTCP:
-		layerType = layers.LayerTypeTCP
-	case firewall.ProtocolUDP:
-		layerType = layers.LayerTypeUDP
-	default:
-		return fmt.Errorf("unsupported protocol: %s", protocol)
-	}
-
-	return m.removePortRedirection(localAddr, layerType, sourcePort, targetPort)
-}
-
-// translateInboundPortDNAT applies port-specific DNAT translation to inbound packets.
-func (m *Manager) translateInboundPortDNAT(packetData []byte, d *decoder, srcIP, dstIP netip.Addr) bool {
-	if !m.portDNATEnabled.Load() {
-		return false
-	}
-
-	switch d.decoded[1] {
-	case layers.LayerTypeTCP:
-		dstPort := uint16(d.tcp.DstPort)
-		return m.applyPortRule(packetData, d, srcIP, dstIP, dstPort, layers.LayerTypeTCP, m.rewriteTCPPort)
-	case layers.LayerTypeUDP:
-		dstPort := uint16(d.udp.DstPort)
-		return m.applyPortRule(packetData, d, netip.Addr{}, dstIP, dstPort, layers.LayerTypeUDP, m.rewriteUDPPort)
-	default:
-		return false
-	}
-}
-
-type portRewriteFunc func(packetData []byte, d *decoder, newPort uint16, portOffset int) error
-
-func (m *Manager) applyPortRule(packetData []byte, d *decoder, srcIP, dstIP netip.Addr, port uint16, protocol gopacket.LayerType, rewriteFn portRewriteFunc) bool {
-	m.portDNATMutex.RLock()
-	defer m.portDNATMutex.RUnlock()
-
-	for _, rule := range m.portDNATRules {
-		if rule.protocol != protocol || rule.targetIP.Compare(dstIP) != 0 {
-			continue
-		}
-
-		if rule.targetPort == port && rule.targetIP.Compare(srcIP) == 0 {
-			return false
-		}
-
-		if rule.origPort != port {
-			continue
-		}
-
-		if err := rewriteFn(packetData, d, rule.targetPort, destinationPortOffset); err != nil {
-			m.logger.Error1("failed to rewrite port: %v", err)
-			return false
-		}
-		d.dnatOrigPort = rule.origPort
-		return true
-	}
-	return false
-}
-
-// rewriteTCPPort rewrites a TCP port (source or destination) and updates checksum.
-func (m *Manager) rewriteTCPPort(packetData []byte, d *decoder, newPort uint16, portOffset int) error {
-	ipHeaderLen := int(d.ip4.IHL) * 4
-	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
-		return errInvalidIPHeaderLength
-	}
-
-	tcpStart := ipHeaderLen
-	if len(packetData) < tcpStart+4 {
-		return fmt.Errorf("packet too short for TCP header")
-	}
-
-	portStart := tcpStart + portOffset
-	oldPort := binary.BigEndian.Uint16(packetData[portStart : portStart+2])
-	binary.BigEndian.PutUint16(packetData[portStart:portStart+2], newPort)
-
-	if len(packetData) >= tcpStart+18 {
-		checksumOffset := tcpStart + 16
-		oldChecksum := binary.BigEndian.Uint16(packetData[checksumOffset : checksumOffset+2])
-
-		var oldPortBytes, newPortBytes [2]byte
-		binary.BigEndian.PutUint16(oldPortBytes[:], oldPort)
-		binary.BigEndian.PutUint16(newPortBytes[:], newPort)
-
-		newChecksum := incrementalUpdate(oldChecksum, oldPortBytes[:], newPortBytes[:])
-		binary.BigEndian.PutUint16(packetData[checksumOffset:checksumOffset+2], newChecksum)
-	}
-
-	return nil
-}
-
-// rewriteUDPPort rewrites a UDP port (source or destination) and updates checksum.
-func (m *Manager) rewriteUDPPort(packetData []byte, d *decoder, newPort uint16, portOffset int) error {
-	ipHeaderLen := int(d.ip4.IHL) * 4
-	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
-		return errInvalidIPHeaderLength
-	}
-
-	udpStart := ipHeaderLen
-	if len(packetData) < udpStart+8 {
-		return fmt.Errorf("packet too short for UDP header")
-	}
-
-	portStart := udpStart + portOffset
-	oldPort := binary.BigEndian.Uint16(packetData[portStart : portStart+2])
-	binary.BigEndian.PutUint16(packetData[portStart:portStart+2], newPort)
-
-	checksumOffset := udpStart + 6
-	if len(packetData) >= udpStart+8 {
-		oldChecksum := binary.BigEndian.Uint16(packetData[checksumOffset : checksumOffset+2])
-		if oldChecksum != 0 {
-			var oldPortBytes, newPortBytes [2]byte
-			binary.BigEndian.PutUint16(oldPortBytes[:], oldPort)
-			binary.BigEndian.PutUint16(newPortBytes[:], newPort)
-
-			newChecksum := incrementalUpdate(oldChecksum, oldPortBytes[:], newPortBytes[:])
-			binary.BigEndian.PutUint16(packetData[checksumOffset:checksumOffset+2], newChecksum)
-		}
-	}
-
-	return nil
-}
--- a/client/firewall/uspfilter/nat_bench_test.go
+++ b/client/firewall/uspfilter/nat_bench_test.go
@@ -414,127 +414,3 @@ func BenchmarkChecksumOptimizations(b *testing.B) {
 		}
 	})
 }
-
-// BenchmarkPortDNAT measures the performance of port DNAT operations
-func BenchmarkPortDNAT(b *testing.B) {
-	scenarios := []struct {
-		name         string
-		proto        layers.IPProtocol
-		setupDNAT    bool
-		useMatchPort bool
-		description  string
-	}{
-		{
-			name:         "tcp_inbound_dnat_match",
-			proto:        layers.IPProtocolTCP,
-			setupDNAT:    true,
-			useMatchPort: true,
-			description:  "TCP inbound port DNAT translation (22 → 22022)",
-		},
-		{
-			name:         "tcp_inbound_dnat_nomatch",
-			proto:        layers.IPProtocolTCP,
-			setupDNAT:    true,
-			useMatchPort: false,
-			description:  "TCP inbound with DNAT configured but no port match",
-		},
-		{
-			name:         "tcp_inbound_no_dnat",
-			proto:        layers.IPProtocolTCP,
-			setupDNAT:    false,
-			useMatchPort: false,
-			description:  "TCP inbound without DNAT (baseline)",
-		},
-		{
-			name:         "udp_inbound_dnat_match",
-			proto:        layers.IPProtocolUDP,
-			setupDNAT:    true,
-			useMatchPort: true,
-			description:  "UDP inbound port DNAT translation (5353 → 22054)",
-		},
-		{
-			name:         "udp_inbound_dnat_nomatch",
-			proto:        layers.IPProtocolUDP,
-			setupDNAT:    true,
-			useMatchPort: false,
-			description:  "UDP inbound with DNAT configured but no port match",
-		},
-		{
-			name:         "udp_inbound_no_dnat",
-			proto:        layers.IPProtocolUDP,
-			setupDNAT:    false,
-			useMatchPort: false,
-			description:  "UDP inbound without DNAT (baseline)",
-		},
-	}
-
-	for _, sc := range scenarios {
-		b.Run(sc.name, func(b *testing.B) {
-			manager, err := Create(&IFaceMock{
-				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
-			require.NoError(b, err)
-			defer func() {
-				require.NoError(b, manager.Close(nil))
-			}()
-
-			// Set logger to error level to reduce noise during benchmarking
-			manager.SetLogLevel(log.ErrorLevel)
-			defer func() {
-				// Restore to info level after benchmark
-				manager.SetLogLevel(log.InfoLevel)
-			}()
-
-			localAddr := netip.MustParseAddr("100.0.2.175")
-			clientIP := netip.MustParseAddr("100.0.169.249")
-
-			var origPort, targetPort, testPort uint16
-			if sc.proto == layers.IPProtocolTCP {
-				origPort, targetPort = 22, 22022
-			} else {
-				origPort, targetPort = 5353, 22054
-			}
-
-			if sc.useMatchPort {
-				testPort = origPort
-			} else {
-				testPort = 443 // Different port
-			}
-
-			// Setup port DNAT mapping if needed
-			if sc.setupDNAT {
-				err := manager.AddInboundDNAT(localAddr, protocolToFirewall(sc.proto), origPort, targetPort)
-				require.NoError(b, err)
-			}
-
-			// Pre-establish inbound connection for outbound reverse test
-			if sc.setupDNAT && sc.useMatchPort {
-				inboundPacket := generateDNATTestPacket(b, clientIP, localAddr, sc.proto, 54321, origPort)
-				manager.filterInbound(inboundPacket, 0)
-			}
-
-			b.ResetTimer()
-			b.ReportAllocs()
-
-			// Benchmark inbound DNAT translation
-			b.Run("inbound", func(b *testing.B) {
-				for i := 0; i < b.N; i++ {
-					// Create fresh packet each time
-					packet := generateDNATTestPacket(b, clientIP, localAddr, sc.proto, 54321, testPort)
-					manager.filterInbound(packet, 0)
-				}
-			})
-
-			// Benchmark outbound reverse DNAT translation (only if DNAT is set up and port matches)
-			if sc.setupDNAT && sc.useMatchPort {
-				b.Run("outbound_reverse", func(b *testing.B) {
-					for i := 0; i < b.N; i++ {
-						// Create fresh return packet (from target port)
-						packet := generateDNATTestPacket(b, localAddr, clientIP, sc.proto, targetPort, 54321)
-						manager.filterOutbound(packet, 0)
-					}
-				})
-			}
-		})
-	}
-}
--- a/client/firewall/uspfilter/nat_test.go
+++ b/client/firewall/uspfilter/nat_test.go
@@ -8,7 +8,6 @@ import (
 	"github.com/google/gopacket/layers"
 	"github.com/stretchr/testify/require"

-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface/device"
 )

@@ -144,111 +143,3 @@ func TestDNATMappingManagement(t *testing.T) {
 	err = manager.RemoveInternalDNATMapping(originalIP)
 	require.Error(t, err, "Should error when removing non-existent mapping")
 }
-
-func TestInboundPortDNAT(t *testing.T) {
-	manager, err := Create(&IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, manager.Close(nil))
-	}()
-
-	localAddr := netip.MustParseAddr("100.0.2.175")
-	clientIP := netip.MustParseAddr("100.0.169.249")
-
-	testCases := []struct {
-		name       string
-		protocol   layers.IPProtocol
-		sourcePort uint16
-		targetPort uint16
-	}{
-		{"TCP SSH", layers.IPProtocolTCP, 22, 22022},
-		{"UDP DNS", layers.IPProtocolUDP, 5353, 22054},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			err := manager.AddInboundDNAT(localAddr, protocolToFirewall(tc.protocol), tc.sourcePort, tc.targetPort)
-			require.NoError(t, err)
-
-			inboundPacket := generateDNATTestPacket(t, clientIP, localAddr, tc.protocol, 54321, tc.sourcePort)
-			d := parsePacket(t, inboundPacket)
-
-			translated := manager.translateInboundPortDNAT(inboundPacket, d, clientIP, localAddr)
-			require.True(t, translated, "Inbound packet should be translated")
-
-			d = parsePacket(t, inboundPacket)
-			var dstPort uint16
-			switch tc.protocol {
-			case layers.IPProtocolTCP:
-				dstPort = uint16(d.tcp.DstPort)
-			case layers.IPProtocolUDP:
-				dstPort = uint16(d.udp.DstPort)
-			}
-
-			require.Equal(t, tc.targetPort, dstPort, "Destination port should be rewritten to target port")
-
-			err = manager.RemoveInboundDNAT(localAddr, protocolToFirewall(tc.protocol), tc.sourcePort, tc.targetPort)
-			require.NoError(t, err)
-		})
-	}
-}
-
-func TestInboundPortDNATNegative(t *testing.T) {
-	manager, err := Create(&IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, manager.Close(nil))
-	}()
-
-	localAddr := netip.MustParseAddr("100.0.2.175")
-	clientIP := netip.MustParseAddr("100.0.169.249")
-
-	err = manager.AddInboundDNAT(localAddr, firewall.ProtocolTCP, 22, 22022)
-	require.NoError(t, err)
-
-	testCases := []struct {
-		name     string
-		protocol layers.IPProtocol
-		srcIP    netip.Addr
-		dstIP    netip.Addr
-		srcPort  uint16
-		dstPort  uint16
-	}{
-		{"Wrong port", layers.IPProtocolTCP, clientIP, localAddr, 54321, 80},
-		{"Wrong IP", layers.IPProtocolTCP, clientIP, netip.MustParseAddr("100.64.0.99"), 54321, 22},
-		{"Wrong protocol", layers.IPProtocolUDP, clientIP, localAddr, 54321, 22},
-		{"ICMP", layers.IPProtocolICMPv4, clientIP, localAddr, 0, 0},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			packet := generateDNATTestPacket(t, tc.srcIP, tc.dstIP, tc.protocol, tc.srcPort, tc.dstPort)
-			d := parsePacket(t, packet)
-
-			translated := manager.translateInboundPortDNAT(packet, d, tc.srcIP, tc.dstIP)
-			require.False(t, translated, "Packet should NOT be translated for %s", tc.name)
-
-			d = parsePacket(t, packet)
-			if tc.protocol == layers.IPProtocolTCP {
-				require.Equal(t, tc.dstPort, uint16(d.tcp.DstPort), "Port should remain unchanged")
-			} else if tc.protocol == layers.IPProtocolUDP {
-				require.Equal(t, tc.dstPort, uint16(d.udp.DstPort), "Port should remain unchanged")
-			}
-		})
-	}
-}
-
-func protocolToFirewall(proto layers.IPProtocol) firewall.Protocol {
-	switch proto {
-	case layers.IPProtocolTCP:
-		return firewall.ProtocolTCP
-	case layers.IPProtocolUDP:
-		return firewall.ProtocolUDP
-	default:
-		return firewall.ProtocolALL
-	}
-}
--- a/client/firewall/uspfilter/tracer.go
+++ b/client/firewall/uspfilter/tracer.go
@@ -16,33 +16,25 @@ type PacketStage int

 const (
 	StageReceived PacketStage = iota
-	StageInboundPortDNAT
-	StageInbound1to1NAT
 	StageConntrack
 	StagePeerACL
 	StageRouting
 	StageRouteACL
 	StageForwarding
 	StageCompleted
-	StageOutbound1to1NAT
-	StageOutboundPortReverse
 )

 const msgProcessingCompleted = "Processing completed"

 func (s PacketStage) String() string {
 	return map[PacketStage]string{
-		StageReceived:            "Received",
-		StageInboundPortDNAT:     "Inbound Port DNAT",
-		StageInbound1to1NAT:      "Inbound 1:1 NAT",
-		StageConntrack:           "Connection Tracking",
-		StagePeerACL:             "Peer ACL",
-		StageRouting:             "Routing",
-		StageRouteACL:            "Route ACL",
-		StageForwarding:          "Forwarding",
-		StageCompleted:           "Completed",
-		StageOutbound1to1NAT:     "Outbound 1:1 NAT",
-		StageOutboundPortReverse: "Outbound DNAT Reverse",
+		StageReceived:   "Received",
+		StageConntrack:  "Connection Tracking",
+		StagePeerACL:    "Peer ACL",
+		StageRouting:    "Routing",
+		StageRouteACL:   "Route ACL",
+		StageForwarding: "Forwarding",
+		StageCompleted:  "Completed",
 	}[s]
 }

@@ -269,10 +261,6 @@ func (m *Manager) TracePacket(packetData []byte, direction fw.RuleDirection) *Pa
 }

 func (m *Manager) traceInbound(packetData []byte, trace *PacketTrace, d *decoder, srcIP netip.Addr, dstIP netip.Addr) *PacketTrace {
-	if m.handleInboundDNAT(trace, packetData, d, &srcIP, &dstIP) {
-		return trace
-	}
-
 	if m.stateful && m.handleConntrackState(trace, d, srcIP, dstIP) {
 		return trace
 	}
@@ -412,16 +400,7 @@ func (m *Manager) addForwardingResult(trace *PacketTrace, action, remoteAddr str
 }

 func (m *Manager) traceOutbound(packetData []byte, trace *PacketTrace) *PacketTrace {
-	d := m.decoders.Get().(*decoder)
-	defer m.decoders.Put(d)
-
-	if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
-		trace.AddResult(StageCompleted, "Packet dropped - decode error", false)
-		return trace
-	}
-
-	m.handleOutboundDNAT(trace, packetData, d)
-
+	// will create or update the connection state
 	dropped := m.filterOutbound(packetData, 0)
 	if dropped {
 		trace.AddResult(StageCompleted, "Packet dropped by outgoing hook", false)
@@ -430,199 +409,3 @@ func (m *Manager) traceOutbound(packetData []byte, trace *PacketTrace) *PacketTr
 	}
 	return trace
 }
-
-func (m *Manager) handleInboundDNAT(trace *PacketTrace, packetData []byte, d *decoder, srcIP, dstIP *netip.Addr) bool {
-	portDNATApplied := m.traceInboundPortDNAT(trace, packetData, d)
-	if portDNATApplied {
-		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
-			trace.AddResult(StageInboundPortDNAT, "Failed to re-decode after port DNAT", false)
-			return true
-		}
-		*srcIP, *dstIP = m.extractIPs(d)
-		trace.DestinationPort = m.getDestPort(d)
-	}
-
-	nat1to1Applied := m.traceInbound1to1NAT(trace, packetData, d)
-	if nat1to1Applied {
-		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
-			trace.AddResult(StageInbound1to1NAT, "Failed to re-decode after 1:1 NAT", false)
-			return true
-		}
-		*srcIP, *dstIP = m.extractIPs(d)
-	}
-
-	return false
-}
-
-func (m *Manager) traceInboundPortDNAT(trace *PacketTrace, packetData []byte, d *decoder) bool {
-	if !m.portDNATEnabled.Load() {
-		trace.AddResult(StageInboundPortDNAT, "Port DNAT not enabled", true)
-		return false
-	}
-
-	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 {
-		trace.AddResult(StageInboundPortDNAT, "Not IPv4, skipping port DNAT", true)
-		return false
-	}
-
-	if len(d.decoded) < 2 {
-		trace.AddResult(StageInboundPortDNAT, "No transport layer, skipping port DNAT", true)
-		return false
-	}
-
-	protocol := d.decoded[1]
-	if protocol != layers.LayerTypeTCP && protocol != layers.LayerTypeUDP {
-		trace.AddResult(StageInboundPortDNAT, "Not TCP/UDP, skipping port DNAT", true)
-		return false
-	}
-
-	srcIP := netip.AddrFrom4([4]byte{packetData[12], packetData[13], packetData[14], packetData[15]})
-	dstIP := netip.AddrFrom4([4]byte{packetData[16], packetData[17], packetData[18], packetData[19]})
-	var originalPort uint16
-	if protocol == layers.LayerTypeTCP {
-		originalPort = uint16(d.tcp.DstPort)
-	} else {
-		originalPort = uint16(d.udp.DstPort)
-	}
-
-	translated := m.translateInboundPortDNAT(packetData, d, srcIP, dstIP)
-	if translated {
-		ipHeaderLen := int((packetData[0] & 0x0F) * 4)
-		translatedPort := uint16(packetData[ipHeaderLen+2])<<8 | uint16(packetData[ipHeaderLen+3])
-
-		protoStr := "TCP"
-		if protocol == layers.LayerTypeUDP {
-			protoStr = "UDP"
-		}
-		msg := fmt.Sprintf("%s port DNAT applied: %s:%d -> %s:%d", protoStr, dstIP, originalPort, dstIP, translatedPort)
-		trace.AddResult(StageInboundPortDNAT, msg, true)
-		return true
-	}
-
-	trace.AddResult(StageInboundPortDNAT, "No matching port DNAT rule", true)
-	return false
-}
-
-func (m *Manager) traceInbound1to1NAT(trace *PacketTrace, packetData []byte, d *decoder) bool {
-	if !m.dnatEnabled.Load() {
-		trace.AddResult(StageInbound1to1NAT, "1:1 NAT not enabled", true)
-		return false
-	}
-
-	srcIP := netip.AddrFrom4([4]byte{packetData[12], packetData[13], packetData[14], packetData[15]})
-
-	translated := m.translateInboundReverse(packetData, d)
-	if translated {
-		m.dnatMutex.RLock()
-		translatedIP, exists := m.dnatBiMap.getOriginal(srcIP)
-		m.dnatMutex.RUnlock()
-
-		if exists {
-			msg := fmt.Sprintf("1:1 NAT reverse applied: %s -> %s", srcIP, translatedIP)
-			trace.AddResult(StageInbound1to1NAT, msg, true)
-			return true
-		}
-	}
-
-	trace.AddResult(StageInbound1to1NAT, "No matching 1:1 NAT rule", true)
-	return false
-}
-
-func (m *Manager) handleOutboundDNAT(trace *PacketTrace, packetData []byte, d *decoder) {
-	m.traceOutbound1to1NAT(trace, packetData, d)
-	m.traceOutboundPortReverse(trace, packetData, d)
-}
-
-func (m *Manager) traceOutbound1to1NAT(trace *PacketTrace, packetData []byte, d *decoder) bool {
-	if !m.dnatEnabled.Load() {
-		trace.AddResult(StageOutbound1to1NAT, "1:1 NAT not enabled", true)
-		return false
-	}
-
-	dstIP := netip.AddrFrom4([4]byte{packetData[16], packetData[17], packetData[18], packetData[19]})
-
-	translated := m.translateOutboundDNAT(packetData, d)
-	if translated {
-		m.dnatMutex.RLock()
-		translatedIP, exists := m.dnatMappings[dstIP]
-		m.dnatMutex.RUnlock()
-
-		if exists {
-			msg := fmt.Sprintf("1:1 NAT applied: %s -> %s", dstIP, translatedIP)
-			trace.AddResult(StageOutbound1to1NAT, msg, true)
-			return true
-		}
-	}
-
-	trace.AddResult(StageOutbound1to1NAT, "No matching 1:1 NAT rule", true)
-	return false
-}
-
-func (m *Manager) traceOutboundPortReverse(trace *PacketTrace, packetData []byte, d *decoder) bool {
-	if !m.portDNATEnabled.Load() {
-		trace.AddResult(StageOutboundPortReverse, "Port DNAT not enabled", true)
-		return false
-	}
-
-	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 {
-		trace.AddResult(StageOutboundPortReverse, "Not IPv4, skipping port reverse", true)
-		return false
-	}
-
-	if len(d.decoded) < 2 {
-		trace.AddResult(StageOutboundPortReverse, "No transport layer, skipping port reverse", true)
-		return false
-	}
-
-	srcIP := netip.AddrFrom4([4]byte{packetData[12], packetData[13], packetData[14], packetData[15]})
-	dstIP := netip.AddrFrom4([4]byte{packetData[16], packetData[17], packetData[18], packetData[19]})
-
-	var origPort uint16
-	transport := d.decoded[1]
-	switch transport {
-	case layers.LayerTypeTCP:
-		srcPort := uint16(d.tcp.SrcPort)
-		dstPort := uint16(d.tcp.DstPort)
-		conn, exists := m.tcpTracker.GetConnection(dstIP, dstPort, srcIP, srcPort)
-		if exists {
-			origPort = uint16(conn.DNATOrigPort.Load())
-		}
-		if origPort != 0 {
-			msg := fmt.Sprintf("TCP DNAT reverse (tracked connection): %s:%d -> %s:%d", srcIP, srcPort, srcIP, origPort)
-			trace.AddResult(StageOutboundPortReverse, msg, true)
-			return true
-		}
-	case layers.LayerTypeUDP:
-		srcPort := uint16(d.udp.SrcPort)
-		dstPort := uint16(d.udp.DstPort)
-		conn, exists := m.udpTracker.GetConnection(dstIP, dstPort, srcIP, srcPort)
-		if exists {
-			origPort = uint16(conn.DNATOrigPort.Load())
-		}
-		if origPort != 0 {
-			msg := fmt.Sprintf("UDP DNAT reverse (tracked connection): %s:%d -> %s:%d", srcIP, srcPort, srcIP, origPort)
-			trace.AddResult(StageOutboundPortReverse, msg, true)
-			return true
-		}
-	default:
-		trace.AddResult(StageOutboundPortReverse, "Not TCP/UDP, skipping port reverse", true)
-		return false
-	}
-
-	trace.AddResult(StageOutboundPortReverse, "No tracked connection for DNAT reverse", true)
-	return false
-}
-
-func (m *Manager) getDestPort(d *decoder) uint16 {
-	if len(d.decoded) < 2 {
-		return 0
-	}
-	switch d.decoded[1] {
-	case layers.LayerTypeTCP:
-		return uint16(d.tcp.DstPort)
-	case layers.LayerTypeUDP:
-		return uint16(d.udp.DstPort)
-	default:
-		return 0
-	}
-}
--- a/client/firewall/uspfilter/tracer_test.go
+++ b/client/firewall/uspfilter/tracer_test.go
@@ -104,8 +104,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StagePeerACL,
@@ -128,8 +126,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StagePeerACL,
@@ -157,8 +153,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StagePeerACL,
@@ -185,8 +179,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StagePeerACL,
@@ -212,8 +204,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StageRouteACL,
@@ -238,8 +228,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StageRouteACL,
@@ -258,8 +246,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StageRouteACL,
@@ -278,8 +264,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StageCompleted,
@@ -303,8 +287,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageCompleted,
 			},
@@ -319,8 +301,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageOutbound1to1NAT,
-				StageOutboundPortReverse,
 				StageCompleted,
 			},
 			expectedAllow: true,
@@ -339,8 +319,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StagePeerACL,
@@ -362,8 +340,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StagePeerACL,
@@ -386,8 +362,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StagePeerACL,
@@ -408,8 +382,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StagePeerACL,
@@ -434,8 +406,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageRouting,
 				StagePeerACL,
 				StageCompleted,
--- a/client/grpc/dialer.go
+++ b/client/grpc/dialer.go
@@ -1,93 +0,0 @@
-package grpc
-
-import (
-	"context"
-	"crypto/tls"
-	"crypto/x509"
-	"errors"
-	"fmt"
-	"runtime"
-	"time"
-
-	"github.com/cenkalti/backoff/v4"
-	log "github.com/sirupsen/logrus"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/connectivity"
-	"google.golang.org/grpc/credentials"
-	"google.golang.org/grpc/credentials/insecure"
-	"google.golang.org/grpc/keepalive"
-
-	"github.com/netbirdio/netbird/util/embeddedroots"
-)
-
-// ErrConnectionShutdown indicates that the connection entered shutdown state before becoming ready
-var ErrConnectionShutdown = errors.New("connection shutdown before ready")
-
-// Backoff returns a backoff configuration for gRPC calls
-func Backoff(ctx context.Context) backoff.BackOff {
-	b := backoff.NewExponentialBackOff()
-	b.MaxElapsedTime = 10 * time.Second
-	b.Clock = backoff.SystemClock
-	return backoff.WithContext(b, ctx)
-}
-
-// waitForConnectionReady blocks until the connection becomes ready or fails.
-// Returns an error if the connection times out, is cancelled, or enters shutdown state.
-func waitForConnectionReady(ctx context.Context, conn *grpc.ClientConn) error {
-	conn.Connect()
-
-	state := conn.GetState()
-	for state != connectivity.Ready && state != connectivity.Shutdown {
-		if !conn.WaitForStateChange(ctx, state) {
-			return fmt.Errorf("wait state change from %s: %w", state, ctx.Err())
-		}
-		state = conn.GetState()
-	}
-
-	if state == connectivity.Shutdown {
-		return ErrConnectionShutdown
-	}
-
-	return nil
-}
-
-// CreateConnection creates a gRPC client connection with the appropriate transport options.
-// The component parameter specifies the WebSocket proxy component path (e.g., "/management", "/signal").
-func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, component string) (*grpc.ClientConn, error) {
-	transportOption := grpc.WithTransportCredentials(insecure.NewCredentials())
-	// for js, the outer websocket layer takes care of tls
-	if tlsEnabled && runtime.GOOS != "js" {
-		certPool, err := x509.SystemCertPool()
-		if err != nil || certPool == nil {
-			log.Debugf("System cert pool not available; falling back to embedded cert, error: %v", err)
-			certPool = embeddedroots.Get()
-		}
-
-		transportOption = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
-			RootCAs: certPool,
-		}))
-	}
-
-	conn, err := grpc.NewClient(
-		addr,
-		transportOption,
-		WithCustomDialer(tlsEnabled, component),
-		grpc.WithKeepaliveParams(keepalive.ClientParameters{
-			Time:    30 * time.Second,
-			Timeout: 10 * time.Second,
-		}),
-	)
-	if err != nil {
-		return nil, fmt.Errorf("new client: %w", err)
-	}
-
-	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
-	defer cancel()
-
-	if err := waitForConnectionReady(ctx, conn); err != nil {
-		_ = conn.Close()
-		return nil, err
-	}
-
-	return conn, nil
-}
--- a/client/grpc/dialer_generic.go
+++ b/client/grpc/dialer_generic.go
@@ -1,43 +0,0 @@
-//go:build !js
-
-package grpc
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"os/user"
-	"runtime"
-
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
-
-	log "github.com/sirupsen/logrus"
-	"google.golang.org/grpc"
-
-	nbnet "github.com/netbirdio/netbird/client/net"
-)
-
-func WithCustomDialer(_ bool, _ string) grpc.DialOption {
-	return grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) {
-		if runtime.GOOS == "linux" {
-			currentUser, err := user.Current()
-			if err != nil {
-				return nil, status.Errorf(codes.FailedPrecondition, "failed to get current user: %v", err)
-			}
-
-			// the custom dialer requires root permissions which are not required for use cases run as non-root
-			if currentUser.Uid != "0" {
-				log.Debug("Not running as root, using standard dialer")
-				dialer := &net.Dialer{}
-				return dialer.DialContext(ctx, "tcp", addr)
-			}
-		}
-
-		conn, err := nbnet.NewDialer().DialContext(ctx, "tcp", addr)
-		if err != nil {
-			return nil, fmt.Errorf("nbnet.NewDialer().DialContext: %w", err)
-		}
-		return conn, nil
-	})
-}
--- a/client/grpc/dialer_js.go
+++ b/client/grpc/dialer_js.go
@@ -1,13 +0,0 @@
-package grpc
-
-import (
-	"google.golang.org/grpc"
-
-	"github.com/netbirdio/netbird/util/wsproxy/client"
-)
-
-// WithCustomDialer returns a gRPC dial option that uses WebSocket transport for WASM/JS environments.
-// The component parameter specifies the WebSocket proxy component path (e.g., "/management", "/signal").
-func WithCustomDialer(tlsEnabled bool, component string) grpc.DialOption {
-	return client.WithWebSocketDialer(tlsEnabled, component)
-}
--- a/client/iface/bind/control.go
+++ b/client/iface/bind/control.go
@@ -3,7 +3,7 @@ package bind
 import (
 	wireguard "golang.zx2c4.com/wireguard/conn"

-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )

 // TODO: This is most likely obsolete since the control fns should be called by the wrapped udpconn (ice_bind.go)
--- a/client/iface/bind/endpoint.go
+++ b/client/iface/bind/endpoint.go
@@ -1,17 +1,5 @@
 package bind

-import (
-	"net"
-
-	wgConn "golang.zx2c4.com/wireguard/conn"
-)
+import wgConn "golang.zx2c4.com/wireguard/conn"

 type Endpoint = wgConn.StdNetEndpoint
-
-func EndpointToUDPAddr(e Endpoint) *net.UDPAddr {
-	return &net.UDPAddr{
-		IP:   e.Addr().AsSlice(),
-		Port: int(e.Port()),
-		Zone: e.Addr().Zone(),
-	}
-}
--- a/client/iface/bind/error.go
+++ b/client/iface/bind/error.go
@@ -1,7 +0,0 @@
-package bind
-
-import "fmt"
-
-var (
-	ErrUDPMUXNotSupported = fmt.Errorf("UDPMUX is not supported in WASM")
-)
--- a/client/iface/bind/ice_bind.go
+++ b/client/iface/bind/ice_bind.go
@@ -1,9 +1,6 @@
-//go:build !js
-
 package bind

 import (
-	"context"
 	"encoding/binary"
 	"fmt"
 	"net"
@@ -20,9 +17,14 @@ import (

 	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )

+type RecvMessage struct {
+	Endpoint *Endpoint
+	Buffer   []byte
+}
+
 type receiverCreator struct {
 	iceBind *ICEBind
 }
@@ -40,38 +42,37 @@ func (rc receiverCreator) CreateIPv4ReceiverFn(pc *ipv4.PacketConn, conn *net.UD
 // use the port because in the Send function the wgConn.Endpoint the port info is not exported.
 type ICEBind struct {
 	*wgConn.StdNetBind
+	RecvChan chan RecvMessage

 	transportNet transport.Net
 	filterFn     udpmux.FilterFn
-	address      wgaddr.Address
-	mtu          uint16
-
-	endpoints   map[netip.Addr]net.Conn
-	endpointsMu sync.Mutex
-	recvChan    chan recvMessage
+	endpoints    map[netip.Addr]net.Conn
+	endpointsMu  sync.Mutex
 	// every time when Close() is called (i.e. BindUpdate()) we need to close exit from the receiveRelayed and create a
 	// new closed channel. With the closedChanMu we can safely close the channel and create a new one
-	closedChan       chan struct{}
-	closedChanMu     sync.RWMutex // protect the closeChan recreation from reading from it.
-	closed           bool
-	activityRecorder *ActivityRecorder
+	closedChan   chan struct{}
+	closedChanMu sync.RWMutex // protect the closeChan recreation from reading from it.
+	closed       bool

-	muUDPMux sync.Mutex
-	udpMux   *udpmux.UniversalUDPMuxDefault
+	muUDPMux         sync.Mutex
+	udpMux           *udpmux.UniversalUDPMuxDefault
+	address          wgaddr.Address
+	mtu              uint16
+	activityRecorder *ActivityRecorder
 }

 func NewICEBind(transportNet transport.Net, filterFn udpmux.FilterFn, address wgaddr.Address, mtu uint16) *ICEBind {
 	b, _ := wgConn.NewStdNetBind().(*wgConn.StdNetBind)
 	ib := &ICEBind{
 		StdNetBind:       b,
+		RecvChan:         make(chan RecvMessage, 1),
 		transportNet:     transportNet,
 		filterFn:         filterFn,
-		address:          address,
-		mtu:              mtu,
 		endpoints:        make(map[netip.Addr]net.Conn),
-		recvChan:         make(chan recvMessage, 1),
 		closedChan:       make(chan struct{}),
 		closed:           true,
+		mtu:              mtu,
+		address:          address,
 		activityRecorder: NewActivityRecorder(),
 	}

@@ -82,6 +83,10 @@ func NewICEBind(transportNet transport.Net, filterFn udpmux.FilterFn, address wg
 	return ib
 }

+func (s *ICEBind) MTU() uint16 {
+	return s.mtu
+}
+
 func (s *ICEBind) Open(uport uint16) ([]wgConn.ReceiveFunc, uint16, error) {
 	s.closed = false
 	s.closedChanMu.Lock()
@@ -134,16 +139,6 @@ func (b *ICEBind) RemoveEndpoint(fakeIP netip.Addr) {
 	delete(b.endpoints, fakeIP)
 }

-func (b *ICEBind) ReceiveFromEndpoint(ctx context.Context, ep *Endpoint, buf []byte) {
-	select {
-	case <-b.closedChan:
-		return
-	case <-ctx.Done():
-		return
-	case b.recvChan <- recvMessage{ep, buf}:
-	}
-}
-
 func (b *ICEBind) Send(bufs [][]byte, ep wgConn.Endpoint) error {
 	b.endpointsMu.Lock()
 	conn, ok := b.endpoints[ep.DstIP()]
@@ -276,7 +271,7 @@ func (c *ICEBind) receiveRelayed(buffs [][]byte, sizes []int, eps []wgConn.Endpo
 	select {
 	case <-c.closedChan:
 		return 0, net.ErrClosed
-	case msg, ok := <-c.recvChan:
+	case msg, ok := <-c.RecvChan:
 		if !ok {
 			return 0, net.ErrClosed
 		}
--- a/client/iface/bind/recv_msg.go
+++ b/client/iface/bind/recv_msg.go
@@ -1,6 +0,0 @@
-package bind
-
-type recvMessage struct {
-	Endpoint *Endpoint
-	Buffer   []byte
-}
--- a/client/iface/bind/relay_bind.go
+++ b/client/iface/bind/relay_bind.go
@@ -1,125 +0,0 @@
-package bind
-
-import (
-	"context"
-	"net"
-	"net/netip"
-	"sync"
-
-	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/conn"
-
-	"github.com/netbirdio/netbird/client/iface/udpmux"
-)
-
-// RelayBindJS is a conn.Bind implementation for WebAssembly environments.
-// Do not limit to build only js, because we want to be able to run tests
-type RelayBindJS struct {
-	*conn.StdNetBind
-
-	recvChan         chan recvMessage
-	endpoints        map[netip.Addr]net.Conn
-	endpointsMu      sync.Mutex
-	activityRecorder *ActivityRecorder
-	ctx              context.Context
-	cancel           context.CancelFunc
-}
-
-func NewRelayBindJS() *RelayBindJS {
-	return &RelayBindJS{
-		recvChan:         make(chan recvMessage, 100),
-		endpoints:        make(map[netip.Addr]net.Conn),
-		activityRecorder: NewActivityRecorder(),
-	}
-}
-
-// Open creates a receive function for handling relay packets in WASM.
-func (s *RelayBindJS) Open(uport uint16) ([]conn.ReceiveFunc, uint16, error) {
-	log.Debugf("Open: creating receive function for port %d", uport)
-
-	s.ctx, s.cancel = context.WithCancel(context.Background())
-
-	receiveFn := func(bufs [][]byte, sizes []int, eps []conn.Endpoint) (int, error) {
-		select {
-		case <-s.ctx.Done():
-			return 0, net.ErrClosed
-		case msg, ok := <-s.recvChan:
-			if !ok {
-				return 0, net.ErrClosed
-			}
-			copy(bufs[0], msg.Buffer)
-			sizes[0] = len(msg.Buffer)
-			eps[0] = conn.Endpoint(msg.Endpoint)
-			return 1, nil
-		}
-	}
-
-	log.Debugf("Open: receive function created, returning port %d", uport)
-	return []conn.ReceiveFunc{receiveFn}, uport, nil
-}
-
-func (s *RelayBindJS) Close() error {
-	if s.cancel == nil {
-		return nil
-	}
-	log.Debugf("close RelayBindJS")
-	s.cancel()
-	return nil
-}
-
-func (s *RelayBindJS) ReceiveFromEndpoint(ctx context.Context, ep *Endpoint, buf []byte) {
-	select {
-	case <-s.ctx.Done():
-		return
-	case <-ctx.Done():
-		return
-	case s.recvChan <- recvMessage{ep, buf}:
-	}
-}
-
-// Send forwards packets through the relay connection for WASM.
-func (s *RelayBindJS) Send(bufs [][]byte, ep conn.Endpoint) error {
-	if ep == nil {
-		return nil
-	}
-
-	fakeIP := ep.DstIP()
-
-	s.endpointsMu.Lock()
-	relayConn, ok := s.endpoints[fakeIP]
-	s.endpointsMu.Unlock()
-
-	if !ok {
-		return nil
-	}
-
-	for _, buf := range bufs {
-		if _, err := relayConn.Write(buf); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func (b *RelayBindJS) SetEndpoint(fakeIP netip.Addr, conn net.Conn) {
-	b.endpointsMu.Lock()
-	b.endpoints[fakeIP] = conn
-	b.endpointsMu.Unlock()
-}
-
-func (s *RelayBindJS) RemoveEndpoint(fakeIP netip.Addr) {
-	s.endpointsMu.Lock()
-	defer s.endpointsMu.Unlock()
-
-	delete(s.endpoints, fakeIP)
-}
-
-// GetICEMux returns the ICE UDPMux that was created and used by ICEBind
-func (s *RelayBindJS) GetICEMux() (*udpmux.UniversalUDPMuxDefault, error) {
-	return nil, ErrUDPMUXNotSupported
-}
-
-func (s *RelayBindJS) ActivityRecorder() *ActivityRecorder {
-	return s.activityRecorder
-}
--- a/client/iface/configurer/kernel_unix.go
+++ b/client/iface/configurer/kernel_unix.go
@@ -73,44 +73,6 @@ func (c *KernelConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix,
 	return nil
 }

-func (c *KernelConfigurer) RemoveEndpointAddress(peerKey string) error {
-	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
-	if err != nil {
-		return err
-	}
-
-	// Get the existing peer to preserve its allowed IPs
-	existingPeer, err := c.getPeer(c.deviceName, peerKey)
-	if err != nil {
-		return fmt.Errorf("get peer: %w", err)
-	}
-
-	removePeerCfg := wgtypes.PeerConfig{
-		PublicKey: peerKeyParsed,
-		Remove:    true,
-	}
-
-	if err := c.configure(wgtypes.Config{Peers: []wgtypes.PeerConfig{removePeerCfg}}); err != nil {
-		return fmt.Errorf(`error removing peer %s from interface %s: %w`, peerKey, c.deviceName, err)
-	}
-
-	//Re-add the peer without the endpoint but same AllowedIPs
-	reAddPeerCfg := wgtypes.PeerConfig{
-		PublicKey:         peerKeyParsed,
-		AllowedIPs:        existingPeer.AllowedIPs,
-		ReplaceAllowedIPs: true,
-	}
-
-	if err := c.configure(wgtypes.Config{Peers: []wgtypes.PeerConfig{reAddPeerCfg}}); err != nil {
-		return fmt.Errorf(
-			`error re-adding peer %s to interface %s with allowed IPs %v: %w`,
-			peerKey, c.deviceName, existingPeer.AllowedIPs, err,
-		)
-	}
-
-	return nil
-}
-
 func (c *KernelConfigurer) RemovePeer(peerKey string) error {
 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
 	if err != nil {
--- a/client/iface/configurer/name.go
+++ b/client/iface/configurer/name.go
@@ -1,4 +1,4 @@
-//go:build linux || windows || freebsd || js || wasip1
+//go:build linux || windows || freebsd

 package configurer

--- a/client/iface/configurer/uapi.go
+++ b/client/iface/configurer/uapi.go
@@ -1,4 +1,4 @@
-//go:build !windows && !js
+//go:build !windows

 package configurer

--- a/client/iface/configurer/uapi_js.go
+++ b/client/iface/configurer/uapi_js.go
@@ -1,23 +0,0 @@
-package configurer
-
-import (
-	"net"
-)
-
-type noopListener struct{}
-
-func (n *noopListener) Accept() (net.Conn, error) {
-	return nil, net.ErrClosed
-}
-
-func (n *noopListener) Close() error {
-	return nil
-}
-
-func (n *noopListener) Addr() net.Addr {
-	return nil
-}
-
-func openUAPI(deviceName string) (net.Listener, error) {
-	return &noopListener{}, nil
-}
--- a/client/iface/configurer/usp.go
+++ b/client/iface/configurer/usp.go
@@ -17,8 +17,8 @@ import (
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

 	"github.com/netbirdio/netbird/client/iface/bind"
-	nbnet "github.com/netbirdio/netbird/client/net"
 	"github.com/netbirdio/netbird/monotime"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )

 const (
@@ -106,67 +106,6 @@ func (c *WGUSPConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix,
 	return nil
 }

-func (c *WGUSPConfigurer) RemoveEndpointAddress(peerKey string) error {
-	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
-	if err != nil {
-		return fmt.Errorf("parse peer key: %w", err)
-	}
-
-	ipcStr, err := c.device.IpcGet()
-	if err != nil {
-		return fmt.Errorf("get IPC config: %w", err)
-	}
-
-	// Parse current status to get allowed IPs for the peer
-	stats, err := parseStatus(c.deviceName, ipcStr)
-	if err != nil {
-		return fmt.Errorf("parse IPC config: %w", err)
-	}
-
-	var allowedIPs []net.IPNet
-	found := false
-	for _, peer := range stats.Peers {
-		if peer.PublicKey == peerKey {
-			allowedIPs = peer.AllowedIPs
-			found = true
-			break
-		}
-	}
-	if !found {
-		return fmt.Errorf("peer %s not found", peerKey)
-	}
-
-	// remove the peer from the WireGuard configuration
-	peer := wgtypes.PeerConfig{
-		PublicKey: peerKeyParsed,
-		Remove:    true,
-	}
-
-	config := wgtypes.Config{
-		Peers: []wgtypes.PeerConfig{peer},
-	}
-	if ipcErr := c.device.IpcSet(toWgUserspaceString(config)); ipcErr != nil {
-		return fmt.Errorf("failed to remove peer: %s", ipcErr)
-	}
-
-	// Build the peer config
-	peer = wgtypes.PeerConfig{
-		PublicKey:         peerKeyParsed,
-		ReplaceAllowedIPs: true,
-		AllowedIPs:        allowedIPs,
-	}
-
-	config = wgtypes.Config{
-		Peers: []wgtypes.PeerConfig{peer},
-	}
-
-	if err := c.device.IpcSet(toWgUserspaceString(config)); err != nil {
-		return fmt.Errorf("remove endpoint address: %w", err)
-	}
-
-	return nil
-}
-
 func (c *WGUSPConfigurer) RemovePeer(peerKey string) error {
 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
 	if err != nil {
@@ -470,7 +409,7 @@ func toBytes(s string) (int64, error) {
 }

 func getFwmark() int {
-	if nbnet.AdvancedRouting() && runtime.GOOS == "linux" {
+	if nbnet.AdvancedRouting() {
 		return nbnet.ControlPlaneMark
 	}
 	return 0
--- a/client/iface/device.go
+++ b/client/iface/device.go
@@ -23,5 +23,4 @@ type WGTunDevice interface {
 	FilteredDevice() *device.FilteredDevice
 	Device() *wgdevice.Device
 	GetNet() *netstack.Net
-	GetICEBind() device.EndpointManager
 }
--- a/client/iface/device/device_android.go
+++ b/client/iface/device/device_android.go
@@ -150,11 +150,6 @@ func (t *WGTunDevice) GetNet() *netstack.Net {
 	return nil
 }

-// GetICEBind returns the ICEBind instance
-func (t *WGTunDevice) GetICEBind() EndpointManager {
-	return t.iceBind
-}
-
 func routesToString(routes []string) string {
 	return strings.Join(routes, ";")
 }
--- a/client/iface/device/device_darwin.go
+++ b/client/iface/device/device_darwin.go
@@ -154,8 +154,3 @@ func (t *TunDevice) assignAddr() error {
 func (t *TunDevice) GetNet() *netstack.Net {
 	return nil
 }
-
-// GetICEBind returns the ICEBind instance
-func (t *TunDevice) GetICEBind() EndpointManager {
-	return t.iceBind
-}
--- a/client/iface/device/device_ios.go
+++ b/client/iface/device/device_ios.go
@@ -144,8 +144,3 @@ func (t *TunDevice) FilteredDevice() *FilteredDevice {
 func (t *TunDevice) GetNet() *netstack.Net {
 	return nil
 }
-
-// GetICEBind returns the ICEBind instance
-func (t *TunDevice) GetICEBind() EndpointManager {
-	return t.iceBind
-}
--- a/client/iface/device/device_kernel_unix.go
+++ b/client/iface/device/device_kernel_unix.go
@@ -15,8 +15,8 @@ import (
 	"github.com/netbirdio/netbird/client/iface/configurer"
 	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	nbnet "github.com/netbirdio/netbird/client/net"
 	"github.com/netbirdio/netbird/sharedsock"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )

 type TunKernelDevice struct {
@@ -101,8 +101,13 @@ func (t *TunKernelDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
 		return nil, err
 	}

+	var udpConn net.PacketConn = rawSock
+	if !nbnet.AdvancedRouting() {
+		udpConn = nbnet.WrapPacketConn(rawSock)
+	}
+
 	bindParams := udpmux.UniversalUDPMuxParams{
-		UDPConn:   nbnet.WrapPacketConn(rawSock),
+		UDPConn:   udpConn,
 		Net:       t.transportNet,
 		FilterFn:  t.filterFn,
 		WGAddress: t.address,
@@ -179,8 +184,3 @@ func (t *TunKernelDevice) assignAddr() error {
 func (t *TunKernelDevice) GetNet() *netstack.Net {
 	return nil
 }
-
-// GetICEBind returns nil for kernel mode devices
-func (t *TunKernelDevice) GetICEBind() EndpointManager {
-	return nil
-}
--- a/client/iface/device/device_netstack.go
+++ b/client/iface/device/device_netstack.go
@@ -1,11 +1,9 @@
 package device

 import (
-	"errors"
 	"fmt"

 	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/conn"
 	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/tun/netstack"

@@ -14,16 +12,9 @@ import (
 	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )

-type Bind interface {
-	conn.Bind
-	GetICEMux() (*udpmux.UniversalUDPMuxDefault, error)
-	ActivityRecorder() *bind.ActivityRecorder
-	EndpointManager
-}
-
 type TunNetstackDevice struct {
 	name          string
 	address       wgaddr.Address
@@ -31,7 +22,7 @@ type TunNetstackDevice struct {
 	key           string
 	mtu           uint16
 	listenAddress string
-	bind          Bind
+	iceBind       *bind.ICEBind

 	device         *device.Device
 	filteredDevice *FilteredDevice
@@ -42,7 +33,7 @@ type TunNetstackDevice struct {
 	net *netstack.Net
 }

-func NewNetstackDevice(name string, address wgaddr.Address, wgPort int, key string, mtu uint16, bind Bind, listenAddress string) *TunNetstackDevice {
+func NewNetstackDevice(name string, address wgaddr.Address, wgPort int, key string, mtu uint16, iceBind *bind.ICEBind, listenAddress string) *TunNetstackDevice {
 	return &TunNetstackDevice{
 		name:          name,
 		address:       address,
@@ -50,7 +41,7 @@ func NewNetstackDevice(name string, address wgaddr.Address, wgPort int, key stri
 		key:           key,
 		mtu:           mtu,
 		listenAddress: listenAddress,
-		bind:          bind,
+		iceBind:       iceBind,
 	}
 }

@@ -75,11 +66,11 @@ func (t *TunNetstackDevice) create() (WGConfigurer, error) {

 	t.device = device.NewDevice(
 		t.filteredDevice,
-		t.bind,
+		t.iceBind,
 		device.NewLogger(wgLogLevel(), "[netbird] "),
 	)

-	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.bind.ActivityRecorder())
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder())
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
 		_ = tunIface.Close()
@@ -100,15 +91,11 @@ func (t *TunNetstackDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
 		return nil, err
 	}

-	udpMux, err := t.bind.GetICEMux()
-	if err != nil && !errors.Is(err, bind.ErrUDPMUXNotSupported) {
+	udpMux, err := t.iceBind.GetICEMux()
+	if err != nil {
 		return nil, err
 	}
-
-	if udpMux != nil {
-		t.udpMux = udpMux
-	}
-
+	t.udpMux = udpMux
 	log.Debugf("netstack device is ready to use")
 	return udpMux, nil
 }
@@ -156,8 +143,3 @@ func (t *TunNetstackDevice) Device() *device.Device {
 func (t *TunNetstackDevice) GetNet() *netstack.Net {
 	return t.net
 }
-
-// GetICEBind returns the bind instance
-func (t *TunNetstackDevice) GetICEBind() EndpointManager {
-	return t.bind
-}
--- a/client/iface/device/device_netstack_test.go
+++ b/client/iface/device/device_netstack_test.go
@@ -1,27 +0,0 @@
-package device
-
-import (
-	"testing"
-
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-)
-
-func TestNewNetstackDevice(t *testing.T) {
-	privateKey, _ := wgtypes.GeneratePrivateKey()
-	wgAddress, _ := wgaddr.ParseWGAddress("1.2.3.4/24")
-
-	relayBind := bind.NewRelayBindJS()
-	nsTun := NewNetstackDevice("wtx", wgAddress, 1234, privateKey.String(), 1500, relayBind, netstack.ListenAddr())
-
-	cfgr, err := nsTun.Create()
-	if err != nil {
-		t.Fatalf("failed to create netstack device: %v", err)
-	}
-	if cfgr == nil {
-		t.Fatal("expected non-nil configurer")
-	}
-}
--- a/client/iface/device/device_usp_unix.go
+++ b/client/iface/device/device_usp_unix.go
@@ -146,8 +146,3 @@ func (t *USPDevice) assignAddr() error {
 func (t *USPDevice) GetNet() *netstack.Net {
 	return nil
 }
-
-// GetICEBind returns the ICEBind instance
-func (t *USPDevice) GetICEBind() EndpointManager {
-	return t.iceBind
-}
--- a/client/iface/device/device_windows.go
+++ b/client/iface/device/device_windows.go
@@ -185,8 +185,3 @@ func (t *TunDevice) assignAddr() error {
 func (t *TunDevice) GetNet() *netstack.Net {
 	return nil
 }
-
-// GetICEBind returns the ICEBind instance
-func (t *TunDevice) GetICEBind() EndpointManager {
-	return t.iceBind
-}
--- a/client/iface/device/endpoint_manager.go
+++ b/client/iface/device/endpoint_manager.go
@@ -1,13 +0,0 @@
-package device
-
-import (
-	"net"
-	"net/netip"
-)
-
-// EndpointManager manages fake IP to connection mappings for userspace bind implementations.
-// Implemented by bind.ICEBind and bind.RelayBindJS.
-type EndpointManager interface {
-	SetEndpoint(fakeIP netip.Addr, conn net.Conn)
-	RemoveEndpoint(fakeIP netip.Addr)
-}
--- a/client/iface/device/interface.go
+++ b/client/iface/device/interface.go
@@ -21,5 +21,4 @@ type WGConfigurer interface {
 	GetStats() (map[string]configurer.WGStats, error)
 	FullStats() (*configurer.Stats, error)
 	LastActivities() map[string]monotime.Time
-	RemoveEndpointAddress(peerKey string) error
 }
--- a/client/iface/device_android.go
+++ b/client/iface/device_android.go
@@ -21,5 +21,4 @@ type WGTunDevice interface {
 	FilteredDevice() *device.FilteredDevice
 	Device() *wgdevice.Device
 	GetNet() *netstack.Net
-	GetICEBind() device.EndpointManager
 }
--- a/client/iface/iface.go
+++ b/client/iface/iface.go
@@ -80,17 +80,6 @@ func (w *WGIface) GetProxy() wgproxy.Proxy {
 	return w.wgProxyFactory.GetProxy()
 }

-// GetBind returns the EndpointManager userspace bind mode.
-func (w *WGIface) GetBind() device.EndpointManager {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-
-	if w.tun == nil {
-		return nil
-	}
-	return w.tun.GetICEBind()
-}
-
 // IsUserspaceBind indicates whether this interfaces is userspace with bind.ICEBind
 func (w *WGIface) IsUserspaceBind() bool {
 	return w.userspaceBind
@@ -159,17 +148,6 @@ func (w *WGIface) UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAliv
 	return w.configurer.UpdatePeer(peerKey, allowedIps, keepAlive, endpoint, preSharedKey)
 }

-func (w *WGIface) RemoveEndpointAddress(peerKey string) error {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-	if w.configurer == nil {
-		return ErrIfaceNotFound
-	}
-
-	log.Debugf("Removing endpoint address: %s", peerKey)
-	return w.configurer.RemoveEndpointAddress(peerKey)
-}
-
 // RemovePeer removes a Wireguard Peer from the interface iface
 func (w *WGIface) RemovePeer(peerKey string) error {
 	w.mu.Lock()
--- a/client/iface/iface_destroy_js.go
+++ b/client/iface/iface_destroy_js.go
@@ -1,6 +0,0 @@
-package iface
-
-// Destroy is a no-op on WASM
-func (w *WGIface) Destroy() error {
-	return nil
-}
--- a/client/iface/iface_new_android.go
+++ b/client/iface/iface_new_android.go
@@ -21,7 +21,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 		wgIFace := &WGIface{
 			userspaceBind:  true,
 			tun:            device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr()),
-			wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
+			wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
 		}
 		return wgIFace, nil
 	}
@@ -29,7 +29,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	wgIFace := &WGIface{
 		userspaceBind:  true,
 		tun:            device.NewTunDevice(wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunAdapter, opts.DisableDNS),
-		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
+		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
 	}
 	return wgIFace, nil
 }
--- a/client/iface/iface_new_darwin.go
+++ b/client/iface/iface_new_darwin.go
@@ -29,7 +29,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	wgIFace := &WGIface{
 		userspaceBind:  true,
 		tun:            tun,
-		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
+		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
 	}
 	return wgIFace, nil
 }
--- a/client/iface/iface_new_freebsd.go
+++ b/client/iface/iface_new_freebsd.go
@@ -1,41 +0,0 @@
-//go:build freebsd
-
-package iface
-
-import (
-	"fmt"
-
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	"github.com/netbirdio/netbird/client/iface/wgproxy"
-)
-
-// NewWGIFace Creates a new WireGuard interface instance
-func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := wgaddr.ParseWGAddress(opts.Address)
-	if err != nil {
-		return nil, err
-	}
-
-	wgIFace := &WGIface{}
-
-	if netstack.IsEnabled() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
-		wgIFace.tun = device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr())
-		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
-		return wgIFace, nil
-	}
-
-	if device.ModuleTunIsLoaded() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
-		wgIFace.tun = device.NewUSPDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind)
-		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
-		return wgIFace, nil
-	}
-
-	return nil, fmt.Errorf("couldn't check or load tun module")
-}
--- a/client/iface/iface_new_ios.go
+++ b/client/iface/iface_new_ios.go
@@ -21,7 +21,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	wgIFace := &WGIface{
 		tun:            device.NewTunDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunFd),
 		userspaceBind:  true,
-		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
+		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
 	}
 	return wgIFace, nil
 }
--- a/client/iface/iface_new_js.go
+++ b/client/iface/iface_new_js.go
@@ -1,27 +0,0 @@
-package iface
-
-import (
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	"github.com/netbirdio/netbird/client/iface/wgproxy"
-)
-
-// NewWGIFace creates a new WireGuard interface for WASM (always uses netstack mode)
-func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := wgaddr.ParseWGAddress(opts.Address)
-	if err != nil {
-		return nil, err
-	}
-
-	relayBind := bind.NewRelayBindJS()
-
-	wgIface := &WGIface{
-		tun:            device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, relayBind, netstack.ListenAddr()),
-		userspaceBind:  true,
-		wgProxyFactory: wgproxy.NewUSPFactory(relayBind, opts.MTU),
-	}
-
-	return wgIface, nil
-}
--- a/client/iface/iface_new_linux.go
+++ b/client/iface/iface_new_linux.go
@@ -1,4 +1,4 @@
-//go:build linux && !android
+//go:build (linux && !android) || freebsd

 package iface

@@ -25,7 +25,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
 		wgIFace.tun = device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr())
 		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
+		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind)
 		return wgIFace, nil
 	}

@@ -38,7 +38,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
 		wgIFace.tun = device.NewUSPDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind)
 		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
+		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind)
 		return wgIFace, nil
 	}

--- a/client/iface/iface_new_windows.go
+++ b/client/iface/iface_new_windows.go
@@ -26,7 +26,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	wgIFace := &WGIface{
 		userspaceBind:  true,
 		tun:            tun,
-		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
+		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
 	}
 	return wgIFace, nil

--- a/client/iface/netstack/env.go
+++ b/client/iface/netstack/env.go
@@ -1,5 +1,3 @@
-//go:build !js
-
 package netstack

 import (
--- a/client/iface/netstack/env_js.go
+++ b/client/iface/netstack/env_js.go
@@ -1,12 +0,0 @@
-package netstack
-
-const EnvUseNetstackMode = "NB_USE_NETSTACK_MODE"
-
-// IsEnabled always returns true for js since it's the only mode available
-func IsEnabled() bool {
-	return true
-}
-
-func ListenAddr() string {
-	return ""
-}
--- a/client/iface/udpmux/mux_generic.go
+++ b/client/iface/udpmux/mux_generic.go
@@ -3,7 +3,7 @@
 package udpmux

 import (
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )

 func (m *SingleSocketUDPMux) notifyAddressRemoval(addr string) {
--- a/client/iface/wgproxy/bind/proxy.go
+++ b/client/iface/wgproxy/bind/proxy.go
@@ -16,38 +16,28 @@ import (
 	"github.com/netbirdio/netbird/client/iface/wgproxy/listener"
 )

-type Bind interface {
-	SetEndpoint(addr netip.Addr, conn net.Conn)
-	RemoveEndpoint(addr netip.Addr)
-	ReceiveFromEndpoint(ctx context.Context, ep *bind.Endpoint, buf []byte)
-}
-
 type ProxyBind struct {
-	bind Bind
+	Bind *bind.ICEBind

-	// wgRelayedEndpoint is a fake address that generated by the Bind.SetEndpoint based on the remote NetBird peer address
-	wgRelayedEndpoint *bind.Endpoint
-	wgCurrentUsed     *bind.Endpoint
-	remoteConn        net.Conn
-	ctx               context.Context
-	cancel            context.CancelFunc
-	closeMu           sync.Mutex
-	closed            bool
+	fakeNetIP      *netip.AddrPort
+	wgBindEndpoint *bind.Endpoint
+	remoteConn     net.Conn
+	ctx            context.Context
+	cancel         context.CancelFunc
+	closeMu        sync.Mutex
+	closed         bool

-	paused     bool
-	pausedCond *sync.Cond
-	isStarted  bool
+	pausedMu  sync.Mutex
+	paused    bool
+	isStarted bool

 	closeListener *listener.CloseListener
-	mtu           uint16
 }

-func NewProxyBind(bind Bind, mtu uint16) *ProxyBind {
+func NewProxyBind(bind *bind.ICEBind) *ProxyBind {
 	p := &ProxyBind{
-		bind:          bind,
+		Bind:          bind,
 		closeListener: listener.NewCloseListener(),
-		pausedCond:    sync.NewCond(&sync.Mutex{}),
-		mtu:           mtu + bufsize.WGBufferOverhead,
 	}

 	return p
@@ -56,25 +46,25 @@ func NewProxyBind(bind Bind, mtu uint16) *ProxyBind {
 // AddTurnConn adds a new connection to the bind.
 // endpoint is the NetBird address of the remote peer. The SetEndpoint return with the address what will be used in the
 // WireGuard configuration.
-//
-// Parameters:
-//   - ctx: Context is used for proxyToLocal to avoid unnecessary error messages
-//   - nbAddr: The NetBird UDP address of the remote peer, it required to generate fake address
-//   - remoteConn: The established TURN connection to the remote peer
 func (p *ProxyBind) AddTurnConn(ctx context.Context, nbAddr *net.UDPAddr, remoteConn net.Conn) error {
 	fakeNetIP, err := fakeAddress(nbAddr)
 	if err != nil {
 		return err
 	}
-	p.wgRelayedEndpoint = &bind.Endpoint{AddrPort: *fakeNetIP}
+
+	p.fakeNetIP = fakeNetIP
+	p.wgBindEndpoint = &bind.Endpoint{AddrPort: *fakeNetIP}
 	p.remoteConn = remoteConn
 	p.ctx, p.cancel = context.WithCancel(ctx)
 	return nil

 }
-
 func (p *ProxyBind) EndpointAddr() *net.UDPAddr {
-	return bind.EndpointToUDPAddr(*p.wgRelayedEndpoint)
+	return &net.UDPAddr{
+		IP:   p.fakeNetIP.Addr().AsSlice(),
+		Port: int(p.fakeNetIP.Port()),
+		Zone: p.fakeNetIP.Addr().Zone(),
+	}
 }

 func (p *ProxyBind) SetDisconnectListener(disconnected func()) {
@@ -86,21 +76,17 @@ func (p *ProxyBind) Work() {
 		return
 	}

-	p.bind.SetEndpoint(p.wgRelayedEndpoint.Addr(), p.remoteConn)
+	p.Bind.SetEndpoint(p.fakeNetIP.Addr(), p.remoteConn)

-	p.pausedCond.L.Lock()
+	p.pausedMu.Lock()
 	p.paused = false
-
-	p.wgCurrentUsed = p.wgRelayedEndpoint
+	p.pausedMu.Unlock()

 	// Start the proxy only once
 	if !p.isStarted {
 		p.isStarted = true
 		go p.proxyToLocal(p.ctx)
 	}
-
-	p.pausedCond.Signal()
-	p.pausedCond.L.Unlock()
 }

 func (p *ProxyBind) Pause() {
@@ -108,25 +94,9 @@ func (p *ProxyBind) Pause() {
 		return
 	}

-	p.pausedCond.L.Lock()
+	p.pausedMu.Lock()
 	p.paused = true
-	p.pausedCond.L.Unlock()
-}
-
-func (p *ProxyBind) RedirectAs(endpoint *net.UDPAddr) {
-	p.pausedCond.L.Lock()
-	p.paused = false
-
-	p.wgCurrentUsed = addrToEndpoint(endpoint)
-
-	p.pausedCond.Signal()
-	p.pausedCond.L.Unlock()
-}
-
-func addrToEndpoint(addr *net.UDPAddr) *bind.Endpoint {
-	ip, _ := netip.AddrFromSlice(addr.IP.To4())
-	addrPort := netip.AddrPortFrom(ip, uint16(addr.Port))
-	return &bind.Endpoint{AddrPort: addrPort}
+	p.pausedMu.Unlock()
 }

 func (p *ProxyBind) CloseConn() error {
@@ -137,10 +107,6 @@ func (p *ProxyBind) CloseConn() error {
 }

 func (p *ProxyBind) close() error {
-	if p.remoteConn == nil {
-		return nil
-	}
-
 	p.closeMu.Lock()
 	defer p.closeMu.Unlock()

@@ -154,12 +120,7 @@ func (p *ProxyBind) close() error {

 	p.cancel()

-	p.pausedCond.L.Lock()
-	p.paused = false
-	p.pausedCond.Signal()
-	p.pausedCond.L.Unlock()
-
-	p.bind.RemoveEndpoint(p.wgRelayedEndpoint.Addr())
+	p.Bind.RemoveEndpoint(p.fakeNetIP.Addr())

 	if rErr := p.remoteConn.Close(); rErr != nil && !errors.Is(rErr, net.ErrClosed) {
 		return rErr
@@ -175,7 +136,7 @@ func (p *ProxyBind) proxyToLocal(ctx context.Context) {
 	}()

 	for {
-		buf := make([]byte, p.mtu)
+		buf := make([]byte, p.Bind.MTU()+bufsize.WGBufferOverhead)
 		n, err := p.remoteConn.Read(buf)
 		if err != nil {
 			if ctx.Err() != nil {
@@ -186,13 +147,18 @@ func (p *ProxyBind) proxyToLocal(ctx context.Context) {
 			return
 		}

-		p.pausedCond.L.Lock()
-		for p.paused {
-			p.pausedCond.Wait()
+		p.pausedMu.Lock()
+		if p.paused {
+			p.pausedMu.Unlock()
+			continue
 		}

-		p.bind.ReceiveFromEndpoint(ctx, p.wgCurrentUsed, buf[:n])
-		p.pausedCond.L.Unlock()
+		msg := bind.RecvMessage{
+			Endpoint: p.wgBindEndpoint,
+			Buffer:   buf[:n],
+		}
+		p.Bind.RecvChan <- msg
+		p.pausedMu.Unlock()
 	}
 }

--- a/client/iface/wgproxy/ebpf/proxy.go
+++ b/client/iface/wgproxy/ebpf/proxy.go
@@ -6,7 +6,9 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"os"
 	"sync"
+	"syscall"

 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
@@ -16,20 +18,15 @@ import (

 	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/iface/bufsize"
-	"github.com/netbirdio/netbird/client/iface/wgproxy/rawsocket"
 	"github.com/netbirdio/netbird/client/internal/ebpf"
 	ebpfMgr "github.com/netbirdio/netbird/client/internal/ebpf/manager"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )

 const (
 	loopbackAddr = "127.0.0.1"
 )

-var (
-	localHostNetIP = net.ParseIP("127.0.0.1")
-)
-
 // WGEBPFProxy definition for proxy with EBPF support
 type WGEBPFProxy struct {
 	localWGListenPort int
@@ -67,7 +64,7 @@ func (p *WGEBPFProxy) Listen() error {
 		return err
 	}

-	p.rawConn, err = rawsocket.PrepareSenderRawSocket()
+	p.rawConn, err = p.prepareSenderRawSocket()
 	if err != nil {
 		return err
 	}
@@ -217,17 +214,57 @@ generatePort:
 	return p.lastUsedPort, nil
 }

-func (p *WGEBPFProxy) sendPkg(data []byte, endpointAddr *net.UDPAddr) error {
+func (p *WGEBPFProxy) prepareSenderRawSocket() (net.PacketConn, error) {
+	// Create a raw socket.
+	fd, err := syscall.Socket(syscall.AF_INET, syscall.SOCK_RAW, syscall.IPPROTO_RAW)
+	if err != nil {
+		return nil, fmt.Errorf("creating raw socket failed: %w", err)
+	}
+
+	// Set the IP_HDRINCL option on the socket to tell the kernel that headers are included in the packet.
+	err = syscall.SetsockoptInt(fd, syscall.IPPROTO_IP, syscall.IP_HDRINCL, 1)
+	if err != nil {
+		return nil, fmt.Errorf("setting IP_HDRINCL failed: %w", err)
+	}
+
+	// Bind the socket to the "lo" interface.
+	err = syscall.SetsockoptString(fd, syscall.SOL_SOCKET, syscall.SO_BINDTODEVICE, "lo")
+	if err != nil {
+		return nil, fmt.Errorf("binding to lo interface failed: %w", err)
+	}
+
+	// Set the fwmark on the socket.
+	err = nbnet.SetSocketOpt(fd)
+	if err != nil {
+		return nil, fmt.Errorf("setting fwmark failed: %w", err)
+	}
+
+	// Convert the file descriptor to a PacketConn.
+	file := os.NewFile(uintptr(fd), fmt.Sprintf("fd %d", fd))
+	if file == nil {
+		return nil, fmt.Errorf("converting fd to file failed")
+	}
+	packetConn, err := net.FilePacketConn(file)
+	if err != nil {
+		return nil, fmt.Errorf("converting file to packet conn failed: %w", err)
+	}
+
+	return packetConn, nil
+}
+
+func (p *WGEBPFProxy) sendPkg(data []byte, port int) error {
+	localhost := net.ParseIP("127.0.0.1")
+
 	payload := gopacket.Payload(data)
 	ipH := &layers.IPv4{
-		DstIP:    localHostNetIP,
-		SrcIP:    endpointAddr.IP,
+		DstIP:    localhost,
+		SrcIP:    localhost,
 		Version:  4,
 		TTL:      64,
 		Protocol: layers.IPProtocolUDP,
 	}
 	udpH := &layers.UDP{
-		SrcPort: layers.UDPPort(endpointAddr.Port),
+		SrcPort: layers.UDPPort(port),
 		DstPort: layers.UDPPort(p.localWGListenPort),
 	}

@@ -242,7 +279,7 @@ func (p *WGEBPFProxy) sendPkg(data []byte, endpointAddr *net.UDPAddr) error {
 	if err != nil {
 		return fmt.Errorf("serialize layers: %w", err)
 	}
-	if _, err = p.rawConn.WriteTo(layerBuffer.Bytes(), &net.IPAddr{IP: localHostNetIP}); err != nil {
+	if _, err = p.rawConn.WriteTo(layerBuffer.Bytes(), &net.IPAddr{IP: localhost}); err != nil {
 		return fmt.Errorf("write to raw conn: %w", err)
 	}
 	return nil
--- a/client/iface/wgproxy/ebpf/wrapper.go
+++ b/client/iface/wgproxy/ebpf/wrapper.go
@@ -18,42 +18,41 @@ import (

 // ProxyWrapper help to keep the remoteConn instance for net.Conn.Close function call
 type ProxyWrapper struct {
-	wgeBPFProxy *WGEBPFProxy
+	WgeBPFProxy *WGEBPFProxy

 	remoteConn net.Conn
 	ctx        context.Context
 	cancel     context.CancelFunc

-	wgRelayedEndpointAddr     *net.UDPAddr
-	wgEndpointCurrentUsedAddr *net.UDPAddr
+	wgEndpointAddr *net.UDPAddr

-	paused     bool
-	pausedCond *sync.Cond
-	isStarted  bool
+	pausedMu  sync.Mutex
+	paused    bool
+	isStarted bool

 	closeListener *listener.CloseListener
 }

-func NewProxyWrapper(proxy *WGEBPFProxy) *ProxyWrapper {
+func NewProxyWrapper(WgeBPFProxy *WGEBPFProxy) *ProxyWrapper {
 	return &ProxyWrapper{
-		wgeBPFProxy:   proxy,
-		pausedCond:    sync.NewCond(&sync.Mutex{}),
+		WgeBPFProxy:   WgeBPFProxy,
 		closeListener: listener.NewCloseListener(),
 	}
 }
+
 func (p *ProxyWrapper) AddTurnConn(ctx context.Context, endpoint *net.UDPAddr, remoteConn net.Conn) error {
-	addr, err := p.wgeBPFProxy.AddTurnConn(remoteConn)
+	addr, err := p.WgeBPFProxy.AddTurnConn(remoteConn)
 	if err != nil {
 		return fmt.Errorf("add turn conn: %w", err)
 	}
 	p.remoteConn = remoteConn
 	p.ctx, p.cancel = context.WithCancel(ctx)
-	p.wgRelayedEndpointAddr = addr
+	p.wgEndpointAddr = addr
 	return err
 }

 func (p *ProxyWrapper) EndpointAddr() *net.UDPAddr {
-	return p.wgRelayedEndpointAddr
+	return p.wgEndpointAddr
 }

 func (p *ProxyWrapper) SetDisconnectListener(disconnected func()) {
@@ -65,18 +64,14 @@ func (p *ProxyWrapper) Work() {
 		return
 	}

-	p.pausedCond.L.Lock()
+	p.pausedMu.Lock()
 	p.paused = false
-
-	p.wgEndpointCurrentUsedAddr = p.wgRelayedEndpointAddr
+	p.pausedMu.Unlock()

 	if !p.isStarted {
 		p.isStarted = true
 		go p.proxyToLocal(p.ctx)
 	}
-
-	p.pausedCond.Signal()
-	p.pausedCond.L.Unlock()
 }

 func (p *ProxyWrapper) Pause() {
@@ -85,59 +80,45 @@ func (p *ProxyWrapper) Pause() {
 	}

 	log.Tracef("pause proxy reading from: %s", p.remoteConn.RemoteAddr())
-	p.pausedCond.L.Lock()
+	p.pausedMu.Lock()
 	p.paused = true
-	p.pausedCond.L.Unlock()
-}
-
-func (p *ProxyWrapper) RedirectAs(endpoint *net.UDPAddr) {
-	p.pausedCond.L.Lock()
-	p.paused = false
-
-	p.wgEndpointCurrentUsedAddr = endpoint
-
-	p.pausedCond.Signal()
-	p.pausedCond.L.Unlock()
+	p.pausedMu.Unlock()
 }

 // CloseConn close the remoteConn and automatically remove the conn instance from the map
-func (p *ProxyWrapper) CloseConn() error {
-	if p.cancel == nil {
+func (e *ProxyWrapper) CloseConn() error {
+	if e.cancel == nil {
 		return fmt.Errorf("proxy not started")
 	}

-	p.cancel()
+	e.cancel()

-	p.closeListener.SetCloseListener(nil)
+	e.closeListener.SetCloseListener(nil)

-	p.pausedCond.L.Lock()
-	p.paused = false
-	p.pausedCond.Signal()
-	p.pausedCond.L.Unlock()
-
-	if err := p.remoteConn.Close(); err != nil && !errors.Is(err, net.ErrClosed) {
-		return fmt.Errorf("failed to close remote conn: %w", err)
+	if err := e.remoteConn.Close(); err != nil && !errors.Is(err, net.ErrClosed) {
+		return fmt.Errorf("close remote conn: %w", err)
 	}
 	return nil
 }

 func (p *ProxyWrapper) proxyToLocal(ctx context.Context) {
-	defer p.wgeBPFProxy.removeTurnConn(uint16(p.wgRelayedEndpointAddr.Port))
+	defer p.WgeBPFProxy.removeTurnConn(uint16(p.wgEndpointAddr.Port))

-	buf := make([]byte, p.wgeBPFProxy.mtu+bufsize.WGBufferOverhead)
+	buf := make([]byte, p.WgeBPFProxy.mtu+bufsize.WGBufferOverhead)
 	for {
 		n, err := p.readFromRemote(ctx, buf)
 		if err != nil {
 			return
 		}

-		p.pausedCond.L.Lock()
-		for p.paused {
-			p.pausedCond.Wait()
+		p.pausedMu.Lock()
+		if p.paused {
+			p.pausedMu.Unlock()
+			continue
 		}

-		err = p.wgeBPFProxy.sendPkg(buf[:n], p.wgEndpointCurrentUsedAddr)
-		p.pausedCond.L.Unlock()
+		err = p.WgeBPFProxy.sendPkg(buf[:n], p.wgEndpointAddr.Port)
+		p.pausedMu.Unlock()

 		if err != nil {
 			if ctx.Err() != nil {
@@ -156,7 +137,7 @@ func (p *ProxyWrapper) readFromRemote(ctx context.Context, buf []byte) (int, err
 		}
 		p.closeListener.Notify()
 		if !errors.Is(err, io.EOF) {
-			log.Errorf("failed to read from turn conn (endpoint: :%d): %s", p.wgRelayedEndpointAddr.Port, err)
+			log.Errorf("failed to read from turn conn (endpoint: :%d): %s", p.wgEndpointAddr.Port, err)
 		}
 		return 0, err
 	}
--- a/client/iface/wgproxy/factory_kernel.go
+++ b/client/iface/wgproxy/factory_kernel.go
@@ -39,6 +39,7 @@ func (w *KernelFactory) GetProxy() Proxy {
 	}

 	return ebpf.NewProxyWrapper(w.ebpfProxy)
+
 }

 func (w *KernelFactory) Free() error {
--- a/client/iface/wgproxy/factory_kernel_freebsd.go
+++ b/client/iface/wgproxy/factory_kernel_freebsd.go
@@ -0,0 +1,31 @@
+package wgproxy
+
+import (
+	log "github.com/sirupsen/logrus"
+
+	udpProxy "github.com/netbirdio/netbird/client/iface/wgproxy/udp"
+)
+
+// KernelFactory todo: check eBPF support on FreeBSD
+type KernelFactory struct {
+	wgPort int
+	mtu    uint16
+}
+
+func NewKernelFactory(wgPort int, mtu uint16) *KernelFactory {
+	log.Infof("WireGuard Proxy Factory will produce UDP proxy")
+	f := &KernelFactory{
+		wgPort: wgPort,
+		mtu:    mtu,
+	}
+
+	return f
+}
+
+func (w *KernelFactory) GetProxy() Proxy {
+	return udpProxy.NewWGUDPProxy(w.wgPort, w.mtu)
+}
+
+func (w *KernelFactory) Free() error {
+	return nil
+}
--- a/client/iface/wgproxy/factory_usp.go
+++ b/client/iface/wgproxy/factory_usp.go
@@ -3,25 +3,24 @@ package wgproxy
 import (
 	log "github.com/sirupsen/logrus"

+	"github.com/netbirdio/netbird/client/iface/bind"
 	proxyBind "github.com/netbirdio/netbird/client/iface/wgproxy/bind"
 )

 type USPFactory struct {
-	bind proxyBind.Bind
-	mtu  uint16
+	bind *bind.ICEBind
 }

-func NewUSPFactory(bind proxyBind.Bind, mtu uint16) *USPFactory {
+func NewUSPFactory(iceBind *bind.ICEBind) *USPFactory {
 	log.Infof("WireGuard Proxy Factory will produce bind proxy")
 	f := &USPFactory{
-		bind: bind,
-		mtu:  mtu,
+		bind: iceBind,
 	}
 	return f
 }

 func (w *USPFactory) GetProxy() Proxy {
-	return proxyBind.NewProxyBind(w.bind, w.mtu)
+	return proxyBind.NewProxyBind(w.bind)
 }

 func (w *USPFactory) Free() error {
--- a/client/iface/wgproxy/proxy.go
+++ b/client/iface/wgproxy/proxy.go
@@ -11,11 +11,6 @@ type Proxy interface {
 	EndpointAddr() *net.UDPAddr // EndpointAddr returns the address of the WireGuard peer endpoint
 	Work()                      // Work start or resume the proxy
 	Pause()                     // Pause to forward the packages from remote connection to WireGuard. The opposite way still works.
-
-	//RedirectAs resume the forwarding the packages from relayed connection to WireGuard interface if it was paused
-	//and rewrite the src address to the endpoint address.
-	//With this logic can avoid the package loss from relayed connections.
-	RedirectAs(endpoint *net.UDPAddr)
 	CloseConn() error
 	SetDisconnectListener(disconnected func())
 }
--- a/client/iface/wgproxy/proxy_linux_test.go
+++ b/client/iface/wgproxy/proxy_linux_test.go
@@ -3,82 +3,54 @@
 package wgproxy

 import (
-	"fmt"
-	"net"
+	"context"
+	"os"
+	"testing"

-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	bindproxy "github.com/netbirdio/netbird/client/iface/wgproxy/bind"
 	"github.com/netbirdio/netbird/client/iface/wgproxy/ebpf"
-	"github.com/netbirdio/netbird/client/iface/wgproxy/udp"
 )

-func seedProxies() ([]proxyInstance, error) {
-	pl := make([]proxyInstance, 0)
+func TestProxyCloseByRemoteConnEBPF(t *testing.T) {
+	if os.Getenv("GITHUB_ACTIONS") != "true" {
+		t.Skip("Skipping test as it requires root privileges")
+	}
+	ctx := context.Background()

 	ebpfProxy := ebpf.NewWGEBPFProxy(51831, 1280)
 	if err := ebpfProxy.Listen(); err != nil {
-		return nil, fmt.Errorf("failed to initialize ebpf proxy: %s", err)
+		t.Fatalf("failed to initialize ebpf proxy: %s", err)
 	}

-	pEbpf := proxyInstance{
-		name:    "ebpf kernel proxy",
-		proxy:   ebpf.NewProxyWrapper(ebpfProxy),
-		wgPort:  51831,
-		closeFn: ebpfProxy.Free,
-	}
-	pl = append(pl, pEbpf)
+	defer func() {
+		if err := ebpfProxy.Free(); err != nil {
+			t.Errorf("failed to free ebpf proxy: %s", err)
+		}
+	}()

-	pUDP := proxyInstance{
-		name:    "udp kernel proxy",
-		proxy:   udp.NewWGUDPProxy(51832, 1280),
-		wgPort:  51832,
-		closeFn: func() error { return nil },
+	tests := []struct {
+		name  string
+		proxy Proxy
+	}{
+		{
+			name: "ebpf proxy",
+			proxy: &ebpf.ProxyWrapper{
+				WgeBPFProxy: ebpfProxy,
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			relayedConn := newMockConn()
+			err := tt.proxy.AddTurnConn(ctx, nil, relayedConn)
+			if err != nil {
+				t.Errorf("error: %v", err)
+			}
+
+			_ = relayedConn.Close()
+			if err := tt.proxy.CloseConn(); err != nil {
+				t.Errorf("error: %v", err)
+			}
+		})
 	}
-	pl = append(pl, pUDP)
-	return pl, nil
-}
-
-func seedProxyForProxyCloseByRemoteConn() ([]proxyInstance, error) {
-	pl := make([]proxyInstance, 0)
-
-	ebpfProxy := ebpf.NewWGEBPFProxy(51831, 1280)
-	if err := ebpfProxy.Listen(); err != nil {
-		return nil, fmt.Errorf("failed to initialize ebpf proxy: %s", err)
-	}
-
-	pEbpf := proxyInstance{
-		name:    "ebpf kernel proxy",
-		proxy:   ebpf.NewProxyWrapper(ebpfProxy),
-		wgPort:  51831,
-		closeFn: ebpfProxy.Free,
-	}
-	pl = append(pl, pEbpf)
-
-	pUDP := proxyInstance{
-		name:    "udp kernel proxy",
-		proxy:   udp.NewWGUDPProxy(51832, 1280),
-		wgPort:  51832,
-		closeFn: func() error { return nil },
-	}
-	pl = append(pl, pUDP)
-	wgAddress, err := wgaddr.ParseWGAddress("10.0.0.1/32")
-	if err != nil {
-		return nil, err
-	}
-	iceBind := bind.NewICEBind(nil, nil, wgAddress, 1280)
-	endpointAddress := &net.UDPAddr{
-		IP:   net.IPv4(10, 0, 0, 1),
-		Port: 1234,
-	}
-
-	pBind := proxyInstance{
-		name:         "bind proxy",
-		proxy:        bindproxy.NewProxyBind(iceBind, 0),
-		endpointAddr: endpointAddress,
-		closeFn:      func() error { return nil },
-	}
-	pl = append(pl, pBind)
-
-	return pl, nil
 }
--- a/client/iface/wgproxy/proxy_seed_test.go
+++ b/client/iface/wgproxy/proxy_seed_test.go
@@ -1,39 +0,0 @@
-//go:build !linux
-
-package wgproxy
-
-import (
-	"net"
-
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	bindproxy "github.com/netbirdio/netbird/client/iface/wgproxy/bind"
-)
-
-func seedProxies() ([]proxyInstance, error) {
-	// todo extend with Bind proxy
-	pl := make([]proxyInstance, 0)
-	return pl, nil
-}
-
-func seedProxyForProxyCloseByRemoteConn() ([]proxyInstance, error) {
-	pl := make([]proxyInstance, 0)
-	wgAddress, err := wgaddr.ParseWGAddress("10.0.0.1/32")
-	if err != nil {
-		return nil, err
-	}
-	iceBind := bind.NewICEBind(nil, nil, wgAddress, 1280)
-	endpointAddress := &net.UDPAddr{
-		IP:   net.IPv4(10, 0, 0, 1),
-		Port: 1234,
-	}
-
-	pBind := proxyInstance{
-		name:         "bind proxy",
-		proxy:        bindproxy.NewProxyBind(iceBind, 0),
-		endpointAddr: endpointAddress,
-		closeFn:      func() error { return nil },
-	}
-	pl = append(pl, pBind)
-	return pl, nil
-}
--- a/client/iface/wgproxy/proxy_test.go
+++ b/client/iface/wgproxy/proxy_test.go
@@ -1,3 +1,5 @@
+//go:build linux
+
 package wgproxy

 import (
@@ -5,9 +7,12 @@ import (
 	"io"
 	"net"
 	"os"
+	"runtime"
 	"testing"
 	"time"

+	"github.com/netbirdio/netbird/client/iface/wgproxy/ebpf"
+	udpProxy "github.com/netbirdio/netbird/client/iface/wgproxy/udp"
 	"github.com/netbirdio/netbird/util"
 )

@@ -17,14 +22,6 @@ func TestMain(m *testing.M) {
 	os.Exit(code)
 }

-type proxyInstance struct {
-	name         string
-	proxy        Proxy
-	wgPort       int
-	endpointAddr *net.UDPAddr
-	closeFn      func() error
-}
-
 type mocConn struct {
 	closeChan chan struct{}
 	closed    bool
@@ -81,21 +78,41 @@ func (m *mocConn) SetWriteDeadline(t time.Time) error {
 func TestProxyCloseByRemoteConn(t *testing.T) {
 	ctx := context.Background()

-	tests, err := seedProxyForProxyCloseByRemoteConn()
-	if err != nil {
-		t.Fatalf("error: %v", err)
+	tests := []struct {
+		name  string
+		proxy Proxy
+	}{
+		{
+			name:  "userspace proxy",
+			proxy: udpProxy.NewWGUDPProxy(51830, 1280),
+		},
 	}

-	relayedConn, _ := net.Dial("udp", "127.0.0.1:1234")
-	defer func() {
-		_ = relayedConn.Close()
-	}()
+	if runtime.GOOS == "linux" && os.Getenv("GITHUB_ACTIONS") != "true" {
+		ebpfProxy := ebpf.NewWGEBPFProxy(51831, 1280)
+		if err := ebpfProxy.Listen(); err != nil {
+			t.Fatalf("failed to initialize ebpf proxy: %s", err)
+		}
+		defer func() {
+			if err := ebpfProxy.Free(); err != nil {
+				t.Errorf("failed to free ebpf proxy: %s", err)
+			}
+		}()
+		proxyWrapper := ebpf.NewProxyWrapper(ebpfProxy)
+
+		tests = append(tests, struct {
+			name  string
+			proxy Proxy
+		}{
+			name:  "ebpf proxy",
+			proxy: proxyWrapper,
+		})
+	}

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			addr, _ := net.ResolveUDPAddr("udp", "100.108.135.221:51892")
 			relayedConn := newMockConn()
-			err := tt.proxy.AddTurnConn(ctx, addr, relayedConn)
+			err := tt.proxy.AddTurnConn(ctx, nil, relayedConn)
 			if err != nil {
 				t.Errorf("error: %v", err)
 			}
@@ -107,104 +124,3 @@ func TestProxyCloseByRemoteConn(t *testing.T) {
 		})
 	}
 }
-
-// TestProxyRedirect todo extend the proxies with Bind proxy
-func TestProxyRedirect(t *testing.T) {
-	tests, err := seedProxies()
-	if err != nil {
-		t.Fatalf("error: %v", err)
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			redirectTraffic(t, tt.proxy, tt.wgPort, tt.endpointAddr)
-			if err := tt.closeFn(); err != nil {
-				t.Errorf("error: %v", err)
-			}
-		})
-	}
-}
-
-func redirectTraffic(t *testing.T, proxy Proxy, wgPort int, endPointAddr *net.UDPAddr) {
-	t.Helper()
-
-	msgHelloFromRelay := []byte("hello from relay")
-	msgRedirected := [][]byte{
-		[]byte("hello 1. to p2p"),
-		[]byte("hello 2. to p2p"),
-		[]byte("hello 3. to p2p"),
-	}
-
-	dummyWgListener, err := net.ListenUDP("udp", &net.UDPAddr{
-		IP:   net.IPv4(127, 0, 0, 1),
-		Port: wgPort})
-	if err != nil {
-		t.Fatalf("failed to listen on udp port: %s", err)
-	}
-
-	relayedServer, _ := net.ListenUDP("udp",
-		&net.UDPAddr{
-			IP:   net.IPv4(127, 0, 0, 1),
-			Port: 1234,
-		},
-	)
-
-	relayedConn, _ := net.Dial("udp", "127.0.0.1:1234")
-
-	defer func() {
-		_ = dummyWgListener.Close()
-		_ = relayedConn.Close()
-		_ = relayedServer.Close()
-	}()
-
-	if err := proxy.AddTurnConn(context.Background(), endPointAddr, relayedConn); err != nil {
-		t.Errorf("error: %v", err)
-	}
-	defer func() {
-		if err := proxy.CloseConn(); err != nil {
-			t.Errorf("error: %v", err)
-		}
-	}()
-
-	proxy.Work()
-
-	if _, err := relayedServer.WriteTo(msgHelloFromRelay, relayedConn.LocalAddr()); err != nil {
-		t.Errorf("error relayedServer.Write(msgHelloFromRelay): %v", err)
-	}
-
-	n, err := dummyWgListener.Read(make([]byte, 1024))
-	if err != nil {
-		t.Errorf("error: %v", err)
-	}
-
-	if n != len(msgHelloFromRelay) {
-		t.Errorf("expected %d bytes, got %d", len(msgHelloFromRelay), n)
-	}
-
-	p2pEndpointAddr := &net.UDPAddr{
-		IP:   net.IPv4(192, 168, 0, 56),
-		Port: 1234,
-	}
-	proxy.RedirectAs(p2pEndpointAddr)
-
-	for _, msg := range msgRedirected {
-		if _, err := relayedServer.WriteTo(msg, relayedConn.LocalAddr()); err != nil {
-			t.Errorf("error: %v", err)
-		}
-	}
-
-	for i := 0; i < len(msgRedirected); i++ {
-		buf := make([]byte, 1024)
-		n, rAddr, err := dummyWgListener.ReadFrom(buf)
-		if err != nil {
-			t.Errorf("error: %v", err)
-		}
-
-		if rAddr.String() != p2pEndpointAddr.String() {
-			t.Errorf("expected %s, got %s", p2pEndpointAddr.String(), rAddr.String())
-		}
-		if string(buf[:n]) != string(msgRedirected[i]) {
-			t.Errorf("expected %s, got %s", string(msgRedirected[i]), string(buf[:n]))
-		}
-	}
-}
--- a/client/iface/wgproxy/rawsocket/rawsocket.go
+++ b/client/iface/wgproxy/rawsocket/rawsocket.go
@@ -1,50 +0,0 @@
-//go:build linux && !android
-
-package rawsocket
-
-import (
-	"fmt"
-	"net"
-	"os"
-	"syscall"
-
-	nbnet "github.com/netbirdio/netbird/client/net"
-)
-
-func PrepareSenderRawSocket() (net.PacketConn, error) {
-	// Create a raw socket.
-	fd, err := syscall.Socket(syscall.AF_INET, syscall.SOCK_RAW, syscall.IPPROTO_RAW)
-	if err != nil {
-		return nil, fmt.Errorf("creating raw socket failed: %w", err)
-	}
-
-	// Set the IP_HDRINCL option on the socket to tell the kernel that headers are included in the packet.
-	err = syscall.SetsockoptInt(fd, syscall.IPPROTO_IP, syscall.IP_HDRINCL, 1)
-	if err != nil {
-		return nil, fmt.Errorf("setting IP_HDRINCL failed: %w", err)
-	}
-
-	// Bind the socket to the "lo" interface.
-	err = syscall.SetsockoptString(fd, syscall.SOL_SOCKET, syscall.SO_BINDTODEVICE, "lo")
-	if err != nil {
-		return nil, fmt.Errorf("binding to lo interface failed: %w", err)
-	}
-
-	// Set the fwmark on the socket.
-	err = nbnet.SetSocketOpt(fd)
-	if err != nil {
-		return nil, fmt.Errorf("setting fwmark failed: %w", err)
-	}
-
-	// Convert the file descriptor to a PacketConn.
-	file := os.NewFile(uintptr(fd), fmt.Sprintf("fd %d", fd))
-	if file == nil {
-		return nil, fmt.Errorf("converting fd to file failed")
-	}
-	packetConn, err := net.FilePacketConn(file)
-	if err != nil {
-		return nil, fmt.Errorf("converting file to packet conn failed: %w", err)
-	}
-
-	return packetConn, nil
-}
--- a/client/iface/wgproxy/udp/proxy.go
+++ b/client/iface/wgproxy/udp/proxy.go
@@ -1,5 +1,3 @@
-//go:build linux && !android
-
 package udp

 import (
@@ -23,18 +21,16 @@ type WGUDPProxy struct {
 	localWGListenPort int
 	mtu               uint16

-	remoteConn   net.Conn
-	localConn    net.Conn
-	srcFakerConn *SrcFaker
-	sendPkg      func(data []byte) (int, error)
-	ctx          context.Context
-	cancel       context.CancelFunc
-	closeMu      sync.Mutex
-	closed       bool
+	remoteConn net.Conn
+	localConn  net.Conn
+	ctx        context.Context
+	cancel     context.CancelFunc
+	closeMu    sync.Mutex
+	closed     bool

-	paused     bool
-	pausedCond *sync.Cond
-	isStarted  bool
+	pausedMu  sync.Mutex
+	paused    bool
+	isStarted bool

 	closeListener *listener.CloseListener
 }
@@ -45,7 +41,6 @@ func NewWGUDPProxy(wgPort int, mtu uint16) *WGUDPProxy {
 	p := &WGUDPProxy{
 		localWGListenPort: wgPort,
 		mtu:               mtu,
-		pausedCond:        sync.NewCond(&sync.Mutex{}),
 		closeListener:     listener.NewCloseListener(),
 	}
 	return p
@@ -66,7 +61,6 @@ func (p *WGUDPProxy) AddTurnConn(ctx context.Context, endpoint *net.UDPAddr, rem

 	p.ctx, p.cancel = context.WithCancel(ctx)
 	p.localConn = localConn
-	p.sendPkg = p.localConn.Write
 	p.remoteConn = remoteConn

 	return err
@@ -90,24 +84,15 @@ func (p *WGUDPProxy) Work() {
 		return
 	}

-	p.pausedCond.L.Lock()
+	p.pausedMu.Lock()
 	p.paused = false
-	p.sendPkg = p.localConn.Write
-
-	if p.srcFakerConn != nil {
-		if err := p.srcFakerConn.Close(); err != nil {
-			log.Errorf("failed to close src faker conn: %s", err)
-		}
-		p.srcFakerConn = nil
-	}
+	p.pausedMu.Unlock()

 	if !p.isStarted {
 		p.isStarted = true
 		go p.proxyToRemote(p.ctx)
 		go p.proxyToLocal(p.ctx)
 	}
-	p.pausedCond.Signal()
-	p.pausedCond.L.Unlock()
 }

 // Pause pauses the proxy from receiving data from the remote peer
@@ -116,35 +101,9 @@ func (p *WGUDPProxy) Pause() {
 		return
 	}

-	p.pausedCond.L.Lock()
+	p.pausedMu.Lock()
 	p.paused = true
-	p.pausedCond.L.Unlock()
-}
-
-// RedirectAs start to use the fake sourced raw socket as package sender
-func (p *WGUDPProxy) RedirectAs(endpoint *net.UDPAddr) {
-	p.pausedCond.L.Lock()
-	defer func() {
-		p.pausedCond.Signal()
-		p.pausedCond.L.Unlock()
-	}()
-
-	p.paused = false
-	if p.srcFakerConn != nil {
-		if err := p.srcFakerConn.Close(); err != nil {
-			log.Errorf("failed to close src faker conn: %s", err)
-		}
-		p.srcFakerConn = nil
-	}
-	srcFakerConn, err := NewSrcFaker(p.localWGListenPort, endpoint)
-	if err != nil {
-		log.Errorf("failed to create src faker conn: %s", err)
-		// fallback to continue without redirecting
-		p.paused = true
-		return
-	}
-	p.srcFakerConn = srcFakerConn
-	p.sendPkg = p.srcFakerConn.SendPkg
+	p.pausedMu.Unlock()
 }

 // CloseConn close the localConn
@@ -156,8 +115,6 @@ func (p *WGUDPProxy) CloseConn() error {
 }

 func (p *WGUDPProxy) close() error {
-	var result *multierror.Error
-
 	p.closeMu.Lock()
 	defer p.closeMu.Unlock()

@@ -171,11 +128,7 @@ func (p *WGUDPProxy) close() error {

 	p.cancel()

-	p.pausedCond.L.Lock()
-	p.paused = false
-	p.pausedCond.Signal()
-	p.pausedCond.L.Unlock()
-
+	var result *multierror.Error
 	if err := p.remoteConn.Close(); err != nil && !errors.Is(err, net.ErrClosed) {
 		result = multierror.Append(result, fmt.Errorf("remote conn: %s", err))
 	}
@@ -183,13 +136,6 @@ func (p *WGUDPProxy) close() error {
 	if err := p.localConn.Close(); err != nil {
 		result = multierror.Append(result, fmt.Errorf("local conn: %s", err))
 	}
-
-	if p.srcFakerConn != nil {
-		if err := p.srcFakerConn.Close(); err != nil {
-			result = multierror.Append(result, fmt.Errorf("src faker raw conn: %s", err))
-		}
-	}
-
 	return cerrors.FormatErrorOrNil(result)
 }

@@ -248,12 +194,14 @@ func (p *WGUDPProxy) proxyToLocal(ctx context.Context) {
 			return
 		}

-		p.pausedCond.L.Lock()
-		for p.paused {
-			p.pausedCond.Wait()
+		p.pausedMu.Lock()
+		if p.paused {
+			p.pausedMu.Unlock()
+			continue
 		}
-		_, err = p.sendPkg(buf[:n])
-		p.pausedCond.L.Unlock()
+
+		_, err = p.localConn.Write(buf[:n])
+		p.pausedMu.Unlock()

 		if err != nil {
 			if ctx.Err() != nil {
--- a/client/iface/wgproxy/udp/rawsocket.go
+++ b/client/iface/wgproxy/udp/rawsocket.go
@@ -1,101 +0,0 @@
-//go:build linux && !android
-
-package udp
-
-import (
-	"fmt"
-	"net"
-
-	"github.com/google/gopacket"
-	"github.com/google/gopacket/layers"
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/iface/wgproxy/rawsocket"
-)
-
-var (
-	serializeOpts = gopacket.SerializeOptions{
-		ComputeChecksums: true,
-		FixLengths:       true,
-	}
-
-	localHostNetIPAddr = &net.IPAddr{
-		IP: net.ParseIP("127.0.0.1"),
-	}
-)
-
-type SrcFaker struct {
-	srcAddr *net.UDPAddr
-
-	rawSocket   net.PacketConn
-	ipH         gopacket.SerializableLayer
-	udpH        gopacket.SerializableLayer
-	layerBuffer gopacket.SerializeBuffer
-}
-
-func NewSrcFaker(dstPort int, srcAddr *net.UDPAddr) (*SrcFaker, error) {
-	rawSocket, err := rawsocket.PrepareSenderRawSocket()
-	if err != nil {
-		return nil, err
-	}
-
-	ipH, udpH, err := prepareHeaders(dstPort, srcAddr)
-	if err != nil {
-		return nil, err
-	}
-
-	f := &SrcFaker{
-		srcAddr:     srcAddr,
-		rawSocket:   rawSocket,
-		ipH:         ipH,
-		udpH:        udpH,
-		layerBuffer: gopacket.NewSerializeBuffer(),
-	}
-
-	return f, nil
-}
-
-func (f *SrcFaker) Close() error {
-	return f.rawSocket.Close()
-}
-
-func (f *SrcFaker) SendPkg(data []byte) (int, error) {
-	defer func() {
-		if err := f.layerBuffer.Clear(); err != nil {
-			log.Errorf("failed to clear layer buffer: %s", err)
-		}
-	}()
-
-	payload := gopacket.Payload(data)
-
-	err := gopacket.SerializeLayers(f.layerBuffer, serializeOpts, f.ipH, f.udpH, payload)
-	if err != nil {
-		return 0, fmt.Errorf("serialize layers: %w", err)
-	}
-	n, err := f.rawSocket.WriteTo(f.layerBuffer.Bytes(), localHostNetIPAddr)
-	if err != nil {
-		return 0, fmt.Errorf("write to raw conn: %w", err)
-	}
-	return n, nil
-}
-
-func prepareHeaders(dstPort int, srcAddr *net.UDPAddr) (gopacket.SerializableLayer, gopacket.SerializableLayer, error) {
-	ipH := &layers.IPv4{
-		DstIP:    net.ParseIP("127.0.0.1"),
-		SrcIP:    srcAddr.IP,
-		Version:  4,
-		TTL:      64,
-		Protocol: layers.IPProtocolUDP,
-	}
-	udpH := &layers.UDP{
-		SrcPort: layers.UDPPort(srcAddr.Port),
-		DstPort: layers.UDPPort(dstPort), // dst is the localhost WireGuard port
-	}
-
-	err := udpH.SetNetworkLayerForChecksum(ipH)
-	if err != nil {
-		return nil, nil, fmt.Errorf("set network layer for checksum: %w", err)
-	}
-
-	return ipH, udpH, nil
-}
--- a/client/internal/acl/manager.go
+++ b/client/internal/acl/manager.go
@@ -29,6 +29,11 @@ type Manager interface {
 	ApplyFiltering(networkMap *mgmProto.NetworkMap, dnsRouteFeatureFlag bool)
 }

+type protoMatch struct {
+	ips      map[string]int
+	policyID []byte
+}
+
 // DefaultManager uses firewall manager to handle
 type DefaultManager struct {
 	firewall       firewall.Manager
@@ -81,14 +86,21 @@ func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap, dnsRout
 }

 func (d *DefaultManager) applyPeerACLs(networkMap *mgmProto.NetworkMap) {
-	rules := networkMap.FirewallRules
+	rules, squashedProtocols := d.squashAcceptRules(networkMap)

 	enableSSH := networkMap.PeerConfig != nil &&
 		networkMap.PeerConfig.SshConfig != nil &&
 		networkMap.PeerConfig.SshConfig.SshEnabled
+	if _, ok := squashedProtocols[mgmProto.RuleProtocol_ALL]; ok {
+		enableSSH = enableSSH && !ok
+	}
+	if _, ok := squashedProtocols[mgmProto.RuleProtocol_TCP]; ok {
+		enableSSH = enableSSH && !ok
+	}

-	// If SSH enabled, add default firewall rule which accepts connection to any peer
-	// in the network by SSH (TCP port defined by ssh.DefaultSSHPort).
+	// if TCP protocol rules not squashed and SSH enabled
+	// we add default firewall rule which accepts connection to any peer
+	// in the network by SSH (TCP 22 port).
 	if enableSSH {
 		rules = append(rules, &mgmProto.FirewallRule{
 			PeerIP:    "0.0.0.0",
@@ -356,6 +368,145 @@ func (d *DefaultManager) getPeerRuleID(
 	return id.RuleID(hex.EncodeToString(md5.New().Sum([]byte(idStr))))
 }

+// squashAcceptRules does complex logic to convert many rules which allows connection by traffic type
+// to all peers in the network map to one rule which just accepts that type of the traffic.
+//
+// NOTE: It will not squash two rules for same protocol if one covers all peers in the network,
+// but other has port definitions or has drop policy.
+func (d *DefaultManager) squashAcceptRules(
+	networkMap *mgmProto.NetworkMap,
+) ([]*mgmProto.FirewallRule, map[mgmProto.RuleProtocol]struct{}) {
+	totalIPs := 0
+	for _, p := range append(networkMap.RemotePeers, networkMap.OfflinePeers...) {
+		for range p.AllowedIps {
+			totalIPs++
+		}
+	}
+
+	in := map[mgmProto.RuleProtocol]*protoMatch{}
+	out := map[mgmProto.RuleProtocol]*protoMatch{}
+
+	// trace which type of protocols was squashed
+	squashedRules := []*mgmProto.FirewallRule{}
+	squashedProtocols := map[mgmProto.RuleProtocol]struct{}{}
+
+	// this function we use to do calculation, can we squash the rules by protocol or not.
+	// We summ amount of Peers IP for given protocol we found in original rules list.
+	// But we zeroed the IP's for protocol if:
+	// 1. Any of the rule has DROP action type.
+	// 2. Any of rule contains Port.
+	//
+	// We zeroed this to notify squash function that this protocol can't be squashed.
+	addRuleToCalculationMap := func(i int, r *mgmProto.FirewallRule, protocols map[mgmProto.RuleProtocol]*protoMatch) {
+		hasPortRestrictions := r.Action == mgmProto.RuleAction_DROP ||
+			r.Port != "" || !portInfoEmpty(r.PortInfo)
+
+		if hasPortRestrictions {
+			// Don't squash rules with port restrictions
+			protocols[r.Protocol] = &protoMatch{ips: map[string]int{}}
+			return
+		}
+
+		if _, ok := protocols[r.Protocol]; !ok {
+			protocols[r.Protocol] = &protoMatch{
+				ips: map[string]int{},
+				// store the first encountered PolicyID for this protocol
+				policyID: r.PolicyID,
+			}
+		}
+
+		// special case, when we receive this all network IP address
+		// it means that rules for that protocol was already optimized on the
+		// management side
+		if r.PeerIP == "0.0.0.0" {
+			squashedRules = append(squashedRules, r)
+			squashedProtocols[r.Protocol] = struct{}{}
+			return
+		}
+
+		ipset := protocols[r.Protocol].ips
+
+		if _, ok := ipset[r.PeerIP]; ok {
+			return
+		}
+		ipset[r.PeerIP] = i
+	}
+
+	for i, r := range networkMap.FirewallRules {
+		// calculate squash for different directions
+		if r.Direction == mgmProto.RuleDirection_IN {
+			addRuleToCalculationMap(i, r, in)
+		} else {
+			addRuleToCalculationMap(i, r, out)
+		}
+	}
+
+	// order of squashing by protocol is important
+	// only for their first element ALL, it must be done first
+	protocolOrders := []mgmProto.RuleProtocol{
+		mgmProto.RuleProtocol_ALL,
+		mgmProto.RuleProtocol_ICMP,
+		mgmProto.RuleProtocol_TCP,
+		mgmProto.RuleProtocol_UDP,
+	}
+
+	squash := func(matches map[mgmProto.RuleProtocol]*protoMatch, direction mgmProto.RuleDirection) {
+		for _, protocol := range protocolOrders {
+			match, ok := matches[protocol]
+			if !ok || len(match.ips) != totalIPs || len(match.ips) < 2 {
+				// don't squash if :
+				// 1. Rules not cover all peers in the network
+				// 2. Rules cover only one peer in the network.
+				continue
+			}
+
+			// add special rule 0.0.0.0 which allows all IP's in our firewall implementations
+			squashedRules = append(squashedRules, &mgmProto.FirewallRule{
+				PeerIP:    "0.0.0.0",
+				Direction: direction,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  protocol,
+				PolicyID:  match.policyID,
+			})
+			squashedProtocols[protocol] = struct{}{}
+
+			if protocol == mgmProto.RuleProtocol_ALL {
+				// if we have ALL traffic type squashed rule
+				// it allows all other type of traffic, so we can stop processing
+				break
+			}
+		}
+	}
+
+	squash(in, mgmProto.RuleDirection_IN)
+	squash(out, mgmProto.RuleDirection_OUT)
+
+	// if all protocol was squashed everything is allow and we can ignore all other rules
+	if _, ok := squashedProtocols[mgmProto.RuleProtocol_ALL]; ok {
+		return squashedRules, squashedProtocols
+	}
+
+	if len(squashedRules) == 0 {
+		return networkMap.FirewallRules, squashedProtocols
+	}
+
+	var rules []*mgmProto.FirewallRule
+	// filter out rules which was squashed from final list
+	// if we also have other not squashed rules.
+	for i, r := range networkMap.FirewallRules {
+		if _, ok := squashedProtocols[r.Protocol]; ok {
+			if m, ok := in[r.Protocol]; ok && m.ips[r.PeerIP] == i {
+				continue
+			} else if m, ok := out[r.Protocol]; ok && m.ips[r.PeerIP] == i {
+				continue
+			}
+		}
+		rules = append(rules, r)
+	}
+
+	return append(rules, squashedRules...), squashedProtocols
+}
+
 // getRuleGroupingSelector takes all rule properties except IP address to build selector
 func (d *DefaultManager) getRuleGroupingSelector(rule *mgmProto.FirewallRule) string {
 	return fmt.Sprintf("%v:%v:%v:%s:%v", strconv.Itoa(int(rule.Direction)), rule.Action, rule.Protocol, rule.Port, rule.PortInfo)
--- a/client/internal/acl/manager_test.go
+++ b/client/internal/acl/manager_test.go
@@ -188,6 +188,492 @@ func TestDefaultManagerStateless(t *testing.T) {
 	})
 }

+func TestDefaultManagerSquashRules(t *testing.T) {
+	networkMap := &mgmProto.NetworkMap{
+		RemotePeers: []*mgmProto.RemotePeerConfig{
+			{AllowedIps: []string{"10.93.0.1"}},
+			{AllowedIps: []string{"10.93.0.2"}},
+			{AllowedIps: []string{"10.93.0.3"}},
+			{AllowedIps: []string{"10.93.0.4"}},
+		},
+		FirewallRules: []*mgmProto.FirewallRule{
+			{
+				PeerIP:    "10.93.0.1",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.2",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.3",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.4",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.1",
+				Direction: mgmProto.RuleDirection_OUT,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.2",
+				Direction: mgmProto.RuleDirection_OUT,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.3",
+				Direction: mgmProto.RuleDirection_OUT,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.4",
+				Direction: mgmProto.RuleDirection_OUT,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+		},
+	}
+
+	manager := &DefaultManager{}
+	rules, _ := manager.squashAcceptRules(networkMap)
+	assert.Equal(t, 2, len(rules))
+
+	r := rules[0]
+	assert.Equal(t, "0.0.0.0", r.PeerIP)
+	assert.Equal(t, mgmProto.RuleDirection_IN, r.Direction)
+	assert.Equal(t, mgmProto.RuleProtocol_ALL, r.Protocol)
+	assert.Equal(t, mgmProto.RuleAction_ACCEPT, r.Action)
+
+	r = rules[1]
+	assert.Equal(t, "0.0.0.0", r.PeerIP)
+	assert.Equal(t, mgmProto.RuleDirection_OUT, r.Direction)
+	assert.Equal(t, mgmProto.RuleProtocol_ALL, r.Protocol)
+	assert.Equal(t, mgmProto.RuleAction_ACCEPT, r.Action)
+}
+
+func TestDefaultManagerSquashRulesNoAffect(t *testing.T) {
+	networkMap := &mgmProto.NetworkMap{
+		RemotePeers: []*mgmProto.RemotePeerConfig{
+			{AllowedIps: []string{"10.93.0.1"}},
+			{AllowedIps: []string{"10.93.0.2"}},
+			{AllowedIps: []string{"10.93.0.3"}},
+			{AllowedIps: []string{"10.93.0.4"}},
+		},
+		FirewallRules: []*mgmProto.FirewallRule{
+			{
+				PeerIP:    "10.93.0.1",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.2",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.3",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.4",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_TCP,
+			},
+			{
+				PeerIP:    "10.93.0.1",
+				Direction: mgmProto.RuleDirection_OUT,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.2",
+				Direction: mgmProto.RuleDirection_OUT,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.3",
+				Direction: mgmProto.RuleDirection_OUT,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.4",
+				Direction: mgmProto.RuleDirection_OUT,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_UDP,
+			},
+		},
+	}
+
+	manager := &DefaultManager{}
+	rules, _ := manager.squashAcceptRules(networkMap)
+	assert.Equal(t, len(networkMap.FirewallRules), len(rules))
+}
+
+func TestDefaultManagerSquashRulesWithPortRestrictions(t *testing.T) {
+	tests := []struct {
+		name          string
+		rules         []*mgmProto.FirewallRule
+		expectedCount int
+		description   string
+	}{
+		{
+			name: "should not squash rules with port ranges",
+			rules: []*mgmProto.FirewallRule{
+				{
+					PeerIP:    "10.93.0.1",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Range_{
+							Range: &mgmProto.PortInfo_Range{
+								Start: 8080,
+								End:   8090,
+							},
+						},
+					},
+				},
+				{
+					PeerIP:    "10.93.0.2",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Range_{
+							Range: &mgmProto.PortInfo_Range{
+								Start: 8080,
+								End:   8090,
+							},
+						},
+					},
+				},
+				{
+					PeerIP:    "10.93.0.3",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Range_{
+							Range: &mgmProto.PortInfo_Range{
+								Start: 8080,
+								End:   8090,
+							},
+						},
+					},
+				},
+				{
+					PeerIP:    "10.93.0.4",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Range_{
+							Range: &mgmProto.PortInfo_Range{
+								Start: 8080,
+								End:   8090,
+							},
+						},
+					},
+				},
+			},
+			expectedCount: 4,
+			description:   "Rules with port ranges should not be squashed even if they cover all peers",
+		},
+		{
+			name: "should not squash rules with specific ports",
+			rules: []*mgmProto.FirewallRule{
+				{
+					PeerIP:    "10.93.0.1",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Port{
+							Port: 80,
+						},
+					},
+				},
+				{
+					PeerIP:    "10.93.0.2",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Port{
+							Port: 80,
+						},
+					},
+				},
+				{
+					PeerIP:    "10.93.0.3",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Port{
+							Port: 80,
+						},
+					},
+				},
+				{
+					PeerIP:    "10.93.0.4",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Port{
+							Port: 80,
+						},
+					},
+				},
+			},
+			expectedCount: 4,
+			description:   "Rules with specific ports should not be squashed even if they cover all peers",
+		},
+		{
+			name: "should not squash rules with legacy port field",
+			rules: []*mgmProto.FirewallRule{
+				{
+					PeerIP:    "10.93.0.1",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					Port:      "443",
+				},
+				{
+					PeerIP:    "10.93.0.2",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					Port:      "443",
+				},
+				{
+					PeerIP:    "10.93.0.3",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					Port:      "443",
+				},
+				{
+					PeerIP:    "10.93.0.4",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					Port:      "443",
+				},
+			},
+			expectedCount: 4,
+			description:   "Rules with legacy port field should not be squashed",
+		},
+		{
+			name: "should not squash rules with DROP action",
+			rules: []*mgmProto.FirewallRule{
+				{
+					PeerIP:    "10.93.0.1",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_DROP,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+				{
+					PeerIP:    "10.93.0.2",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_DROP,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+				{
+					PeerIP:    "10.93.0.3",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_DROP,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+				{
+					PeerIP:    "10.93.0.4",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_DROP,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+			},
+			expectedCount: 4,
+			description:   "Rules with DROP action should not be squashed",
+		},
+		{
+			name: "should squash rules without port restrictions",
+			rules: []*mgmProto.FirewallRule{
+				{
+					PeerIP:    "10.93.0.1",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+				{
+					PeerIP:    "10.93.0.2",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+				{
+					PeerIP:    "10.93.0.3",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+				{
+					PeerIP:    "10.93.0.4",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+			},
+			expectedCount: 1,
+			description:   "Rules without port restrictions should be squashed into a single 0.0.0.0 rule",
+		},
+		{
+			name: "mixed rules should not squash protocol with port restrictions",
+			rules: []*mgmProto.FirewallRule{
+				{
+					PeerIP:    "10.93.0.1",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+				{
+					PeerIP:    "10.93.0.2",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Port{
+							Port: 80,
+						},
+					},
+				},
+				{
+					PeerIP:    "10.93.0.3",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+				{
+					PeerIP:    "10.93.0.4",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+			},
+			expectedCount: 4,
+			description:   "TCP should not be squashed because one rule has port restrictions",
+		},
+		{
+			name: "should squash UDP but not TCP when TCP has port restrictions",
+			rules: []*mgmProto.FirewallRule{
+				// TCP rules with port restrictions - should NOT be squashed
+				{
+					PeerIP:    "10.93.0.1",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					Port:      "443",
+				},
+				{
+					PeerIP:    "10.93.0.2",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					Port:      "443",
+				},
+				{
+					PeerIP:    "10.93.0.3",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					Port:      "443",
+				},
+				{
+					PeerIP:    "10.93.0.4",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					Port:      "443",
+				},
+				// UDP rules without port restrictions - SHOULD be squashed
+				{
+					PeerIP:    "10.93.0.1",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_UDP,
+				},
+				{
+					PeerIP:    "10.93.0.2",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_UDP,
+				},
+				{
+					PeerIP:    "10.93.0.3",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_UDP,
+				},
+				{
+					PeerIP:    "10.93.0.4",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_UDP,
+				},
+			},
+			expectedCount: 5, // 4 TCP rules + 1 squashed UDP rule (0.0.0.0)
+			description:   "UDP should be squashed to 0.0.0.0 rule, but TCP should remain as individual rules due to port restrictions",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			networkMap := &mgmProto.NetworkMap{
+				RemotePeers: []*mgmProto.RemotePeerConfig{
+					{AllowedIps: []string{"10.93.0.1"}},
+					{AllowedIps: []string{"10.93.0.2"}},
+					{AllowedIps: []string{"10.93.0.3"}},
+					{AllowedIps: []string{"10.93.0.4"}},
+				},
+				FirewallRules: tt.rules,
+			}
+
+			manager := &DefaultManager{}
+			rules, _ := manager.squashAcceptRules(networkMap)
+
+			assert.Equal(t, tt.expectedCount, len(rules), tt.description)
+
+			// For squashed rules, verify we get the expected 0.0.0.0 rule
+			if tt.expectedCount == 1 {
+				assert.Equal(t, "0.0.0.0", rules[0].PeerIP)
+				assert.Equal(t, mgmProto.RuleDirection_IN, rules[0].Direction)
+				assert.Equal(t, mgmProto.RuleAction_ACCEPT, rules[0].Action)
+			}
+		})
+	}
+}
+
 func TestPortInfoEmpty(t *testing.T) {
 	tests := []struct {
 		name     string
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -34,7 +34,7 @@ import (
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
 	signal "github.com/netbirdio/netbird/shared/signal/client"
 	"github.com/netbirdio/netbird/util"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 	"github.com/netbirdio/netbird/version"
 )

--- a/client/internal/debug/debug.go
+++ b/client/internal/debug/debug.go
@@ -47,7 +47,7 @@ nftables.txt: Anonymized nftables rules with packet counters, if --system-info f
 resolved_domains.txt: Anonymized resolved domain IP addresses from the status recorder.
 config.txt: Anonymized configuration information of the NetBird client.
 network_map.json: Anonymized sync response containing peer configurations, routes, DNS settings, and firewall rules.
-state.json: Anonymized client state dump containing netbird states for the active profile.
+state.json: Anonymized client state dump containing netbird states.
 mutex.prof: Mutex profiling information.
 goroutine.prof: Goroutine profiling information.
 block.prof: Block profiling information.
@@ -564,8 +564,6 @@ func (g *BundleGenerator) addStateFile() error {
 		return nil
 	}

-	log.Debugf("Adding state file from: %s", path)
-
 	data, err := os.ReadFile(path)
 	if err != nil {
 		if errors.Is(err, fs.ErrNotExist) {
--- a/client/internal/debug/wgshow.go
+++ b/client/internal/debug/wgshow.go
@@ -14,9 +14,6 @@ type WGIface interface {
 }

 func (g *BundleGenerator) addWgShow() error {
-	if g.statusRecorder == nil {
-		return fmt.Errorf("no status recorder available for wg show")
-	}
 	result, err := g.statusRecorder.PeersStatus()
 	if err != nil {
 		return err
--- a/client/internal/dns/host_darwin.go
+++ b/client/internal/dns/host_darwin.go
@@ -13,7 +13,6 @@ import (
 	"strings"

 	log "github.com/sirupsen/logrus"
-	"golang.org/x/exp/maps"

 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
@@ -51,21 +50,28 @@ func (s *systemConfigurator) supportCustomPort() bool {
 }

 func (s *systemConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *statemanager.Manager) error {
+	var err error
+
+	if err := stateManager.UpdateState(&ShutdownState{}); err != nil {
+		log.Errorf("failed to update shutdown state: %s", err)
+	}
+
 	var (
 		searchDomains []string
 		matchDomains  []string
 	)

-	if err := s.recordSystemDNSSettings(true); err != nil {
+	err = s.recordSystemDNSSettings(true)
+	if err != nil {
 		log.Errorf("unable to update record of System's DNS config: %s", err.Error())
 	}

 	if config.RouteAll {
 		searchDomains = append(searchDomains, "\"\"")
-		if err := s.addLocalDNS(); err != nil {
-			log.Warnf("failed to add local DNS: %v", err)
+		err = s.addLocalDNS()
+		if err != nil {
+			log.Infof("failed to enable split DNS")
 		}
-		s.updateState(stateManager)
 	}

 	for _, dConf := range config.Domains {
@@ -80,7 +86,6 @@ func (s *systemConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *
 	}

 	matchKey := getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)
-	var err error
 	if len(matchDomains) != 0 {
 		err = s.addMatchDomains(matchKey, strings.Join(matchDomains, " "), config.ServerIP, config.ServerPort)
 	} else {
@@ -90,7 +95,6 @@ func (s *systemConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *
 	if err != nil {
 		return fmt.Errorf("add match domains: %w", err)
 	}
-	s.updateState(stateManager)

 	searchKey := getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix)
 	if len(searchDomains) != 0 {
@@ -102,7 +106,6 @@ func (s *systemConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *
 	if err != nil {
 		return fmt.Errorf("add search domains: %w", err)
 	}
-	s.updateState(stateManager)

 	if err := s.flushDNSCache(); err != nil {
 		log.Errorf("failed to flush DNS cache: %v", err)
@@ -111,12 +114,6 @@ func (s *systemConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *
 	return nil
 }

-func (s *systemConfigurator) updateState(stateManager *statemanager.Manager) {
-	if err := stateManager.UpdateState(&ShutdownState{CreatedKeys: maps.Keys(s.createdKeys)}); err != nil {
-		log.Errorf("failed to update shutdown state: %s", err)
-	}
-}
-
 func (s *systemConfigurator) string() string {
 	return "scutil"
 }
@@ -170,20 +167,18 @@ func (s *systemConfigurator) removeKeyFromSystemConfig(key string) error {
 func (s *systemConfigurator) addLocalDNS() error {
 	if !s.systemDNSSettings.ServerIP.IsValid() || len(s.systemDNSSettings.Domains) == 0 {
 		if err := s.recordSystemDNSSettings(true); err != nil {
+			log.Errorf("Unable to get system DNS configuration")
 			return fmt.Errorf("recordSystemDNSSettings(): %w", err)
 		}
 	}
 	localKey := getKeyWithInput(netbirdDNSStateKeyFormat, localSuffix)
-	if !s.systemDNSSettings.ServerIP.IsValid() || len(s.systemDNSSettings.Domains) == 0 {
+	if s.systemDNSSettings.ServerIP.IsValid() && len(s.systemDNSSettings.Domains) != 0 {
+		err := s.addSearchDomains(localKey, strings.Join(s.systemDNSSettings.Domains, " "), s.systemDNSSettings.ServerIP, s.systemDNSSettings.ServerPort)
+		if err != nil {
+			return fmt.Errorf("couldn't add local network DNS conf: %w", err)
+		}
+	} else {
 		log.Info("Not enabling local DNS server")
-		return nil
-	}
-
-	if err := s.addSearchDomains(
-		localKey,
-		strings.Join(s.systemDNSSettings.Domains, " "), s.systemDNSSettings.ServerIP, s.systemDNSSettings.ServerPort,
-	); err != nil {
-		return fmt.Errorf("add search domains: %w", err)
 	}

 	return nil
--- a/client/internal/dns/host_darwin_test.go
+++ b/client/internal/dns/host_darwin_test.go
@@ -1,111 +0,0 @@
-//go:build !ios
-
-package dns
-
-import (
-	"context"
-	"net/netip"
-	"os/exec"
-	"path/filepath"
-	"strings"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/internal/statemanager"
-)
-
-func TestDarwinDNSUncleanShutdownCleanup(t *testing.T) {
-	if testing.Short() {
-		t.Skip("skipping scutil integration test in short mode")
-	}
-
-	tmpDir := t.TempDir()
-	stateFile := filepath.Join(tmpDir, "state.json")
-
-	sm := statemanager.New(stateFile)
-	sm.RegisterState(&ShutdownState{})
-	sm.Start()
-	defer func() {
-		require.NoError(t, sm.Stop(context.Background()))
-	}()
-
-	configurator := &systemConfigurator{
-		createdKeys: make(map[string]struct{}),
-	}
-
-	config := HostDNSConfig{
-		ServerIP:   netip.MustParseAddr("100.64.0.1"),
-		ServerPort: 53,
-		RouteAll:   true,
-		Domains: []DomainConfig{
-			{Domain: "example.com", MatchOnly: true},
-		},
-	}
-
-	err := configurator.applyDNSConfig(config, sm)
-	require.NoError(t, err)
-
-	require.NoError(t, sm.PersistState(context.Background()))
-
-	searchKey := getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix)
-	matchKey := getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)
-	localKey := getKeyWithInput(netbirdDNSStateKeyFormat, localSuffix)
-
-	defer func() {
-		for _, key := range []string{searchKey, matchKey, localKey} {
-			_ = removeTestDNSKey(key)
-		}
-	}()
-
-	for _, key := range []string{searchKey, matchKey, localKey} {
-		exists, err := checkDNSKeyExists(key)
-		require.NoError(t, err)
-		if exists {
-			t.Logf("Key %s exists before cleanup", key)
-		}
-	}
-
-	sm2 := statemanager.New(stateFile)
-	sm2.RegisterState(&ShutdownState{})
-	err = sm2.LoadState(&ShutdownState{})
-	require.NoError(t, err)
-
-	state := sm2.GetState(&ShutdownState{})
-	if state == nil {
-		t.Skip("State not saved, skipping cleanup test")
-	}
-
-	shutdownState, ok := state.(*ShutdownState)
-	require.True(t, ok)
-
-	err = shutdownState.Cleanup()
-	require.NoError(t, err)
-
-	for _, key := range []string{searchKey, matchKey, localKey} {
-		exists, err := checkDNSKeyExists(key)
-		require.NoError(t, err)
-		assert.False(t, exists, "Key %s should NOT exist after cleanup", key)
-	}
-}
-
-func checkDNSKeyExists(key string) (bool, error) {
-	cmd := exec.Command(scutilPath)
-	cmd.Stdin = strings.NewReader("show " + key + "\nquit\n")
-	output, err := cmd.CombinedOutput()
-	if err != nil {
-		if strings.Contains(string(output), "No such key") {
-			return false, nil
-		}
-		return false, err
-	}
-	return !strings.Contains(string(output), "No such key"), nil
-}
-
-func removeTestDNSKey(key string) error {
-	cmd := exec.Command(scutilPath)
-	cmd.Stdin = strings.NewReader("remove " + key + "\nquit\n")
-	_, err := cmd.CombinedOutput()
-	return err
-}
--- a/client/internal/dns/host_windows.go
+++ b/client/internal/dns/host_windows.go
@@ -17,7 +17,6 @@ import (

 	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
-	"github.com/netbirdio/netbird/client/internal/winregistry"
 )

 var (
@@ -179,7 +178,13 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 		log.Infof("removed %s as main DNS forwarder for this peer", config.ServerIP)
 	}

-	r.updateState(stateManager)
+	if err := stateManager.UpdateState(&ShutdownState{
+		Guid:           r.guid,
+		GPO:            r.gpo,
+		NRPTEntryCount: r.nrptEntryCount,
+	}); err != nil {
+		log.Errorf("failed to update shutdown state: %s", err)
+	}

 	var searchDomains, matchDomains []string
 	for _, dConf := range config.Domains {
@@ -192,10 +197,6 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 		matchDomains = append(matchDomains, "."+strings.TrimSuffix(dConf.Domain, "."))
 	}

-	if err := r.removeDNSMatchPolicies(); err != nil {
-		log.Errorf("cleanup old dns match policies: %s", err)
-	}
-
 	if len(matchDomains) != 0 {
 		count, err := r.addDNSMatchPolicy(matchDomains, config.ServerIP)
 		if err != nil {
@@ -203,10 +204,19 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 		}
 		r.nrptEntryCount = count
 	} else {
+		if err := r.removeDNSMatchPolicies(); err != nil {
+			return fmt.Errorf("remove dns match policies: %w", err)
+		}
 		r.nrptEntryCount = 0
 	}

-	r.updateState(stateManager)
+	if err := stateManager.UpdateState(&ShutdownState{
+		Guid:           r.guid,
+		GPO:            r.gpo,
+		NRPTEntryCount: r.nrptEntryCount,
+	}); err != nil {
+		log.Errorf("failed to update shutdown state: %s", err)
+	}

 	if err := r.updateSearchDomains(searchDomains); err != nil {
 		return fmt.Errorf("update search domains: %w", err)
@@ -217,16 +227,6 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 	return nil
 }

-func (r *registryConfigurator) updateState(stateManager *statemanager.Manager) {
-	if err := stateManager.UpdateState(&ShutdownState{
-		Guid:           r.guid,
-		GPO:            r.gpo,
-		NRPTEntryCount: r.nrptEntryCount,
-	}); err != nil {
-		log.Errorf("failed to update shutdown state: %s", err)
-	}
-}
-
 func (r *registryConfigurator) addDNSSetupForAll(ip netip.Addr) error {
 	if err := r.setInterfaceRegistryKeyStringValue(interfaceConfigNameServerKey, ip.String()); err != nil {
 		return fmt.Errorf("adding dns setup for all failed: %w", err)
@@ -240,19 +240,15 @@ func (r *registryConfigurator) addDNSMatchPolicy(domains []string, ip netip.Addr
 	// if the gpo key is present, we need to put our DNS settings there, otherwise our config might be ignored
 	// see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpnrpt/8cc31cb9-20cb-4140-9e85-3e08703b4745
 	for i, domain := range domains {
-		localPath := fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i)
-		gpoPath := fmt.Sprintf("%s-%d", gpoDnsPolicyConfigMatchPath, i)
+		policyPath := fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i)
+		if r.gpo {
+			policyPath = fmt.Sprintf("%s-%d", gpoDnsPolicyConfigMatchPath, i)
+		}

 		singleDomain := []string{domain}

-		if err := r.configureDNSPolicy(localPath, singleDomain, ip); err != nil {
-			return i, fmt.Errorf("configure DNS Local policy for domain %s: %w", domain, err)
-		}
-
-		if r.gpo {
-			if err := r.configureDNSPolicy(gpoPath, singleDomain, ip); err != nil {
-				return i, fmt.Errorf("configure gpo DNS policy: %w", err)
-			}
+		if err := r.configureDNSPolicy(policyPath, singleDomain, ip); err != nil {
+			return i, fmt.Errorf("configure DNS policy for domain %s: %w", domain, err)
 		}

 		log.Debugf("added NRPT entry for domain: %s", domain)
@@ -273,9 +269,9 @@ func (r *registryConfigurator) configureDNSPolicy(policyPath string, domains []s
 		return fmt.Errorf("remove existing dns policy: %w", err)
 	}

-	regKey, _, err := winregistry.CreateVolatileKey(registry.LOCAL_MACHINE, policyPath, registry.SET_VALUE)
+	regKey, _, err := registry.CreateKey(registry.LOCAL_MACHINE, policyPath, registry.SET_VALUE)
 	if err != nil {
-		return fmt.Errorf("create volatile registry key HKEY_LOCAL_MACHINE\\%s: %w", policyPath, err)
+		return fmt.Errorf("create registry key HKEY_LOCAL_MACHINE\\%s: %w", policyPath, err)
 	}
 	defer closer(regKey)

@@ -405,7 +401,6 @@ func (r *registryConfigurator) removeDNSMatchPolicies() error {
 	if err := removeRegistryKeyFromDNSPolicyConfig(dnsPolicyConfigMatchPath); err != nil {
 		merr = multierror.Append(merr, fmt.Errorf("remove local base entry: %w", err))
 	}
-
 	if err := removeRegistryKeyFromDNSPolicyConfig(gpoDnsPolicyConfigMatchPath); err != nil {
 		merr = multierror.Append(merr, fmt.Errorf("remove GPO base entry: %w", err))
 	}
@@ -417,7 +412,6 @@ func (r *registryConfigurator) removeDNSMatchPolicies() error {
 		if err := removeRegistryKeyFromDNSPolicyConfig(localPath); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("remove local entry %d: %w", i, err))
 		}
-
 		if err := removeRegistryKeyFromDNSPolicyConfig(gpoPath); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("remove GPO entry %d: %w", i, err))
 		}
--- a/client/internal/dns/host_windows_test.go
+++ b/client/internal/dns/host_windows_test.go
@@ -1,102 +0,0 @@
-package dns
-
-import (
-	"fmt"
-	"net/netip"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"golang.org/x/sys/windows/registry"
-)
-
-// TestNRPTEntriesCleanupOnConfigChange tests that old NRPT entries are properly cleaned up
-// when the number of match domains decreases between configuration changes.
-func TestNRPTEntriesCleanupOnConfigChange(t *testing.T) {
-	if testing.Short() {
-		t.Skip("skipping registry integration test in short mode")
-	}
-
-	defer cleanupRegistryKeys(t)
-	cleanupRegistryKeys(t)
-
-	testIP := netip.MustParseAddr("100.64.0.1")
-
-	// Create a test interface registry key so updateSearchDomains doesn't fail
-	testGUID := "{12345678-1234-1234-1234-123456789ABC}"
-	interfacePath := `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\` + testGUID
-	testKey, _, err := registry.CreateKey(registry.LOCAL_MACHINE, interfacePath, registry.SET_VALUE)
-	require.NoError(t, err, "Should create test interface registry key")
-	testKey.Close()
-	defer func() {
-		_ = registry.DeleteKey(registry.LOCAL_MACHINE, interfacePath)
-	}()
-
-	cfg := &registryConfigurator{
-		guid: testGUID,
-		gpo:  false,
-	}
-
-	config5 := HostDNSConfig{
-		ServerIP: testIP,
-		Domains: []DomainConfig{
-			{Domain: "domain1.com", MatchOnly: true},
-			{Domain: "domain2.com", MatchOnly: true},
-			{Domain: "domain3.com", MatchOnly: true},
-			{Domain: "domain4.com", MatchOnly: true},
-			{Domain: "domain5.com", MatchOnly: true},
-		},
-	}
-
-	err = cfg.applyDNSConfig(config5, nil)
-	require.NoError(t, err)
-
-	// Verify all 5 entries exist
-	for i := 0; i < 5; i++ {
-		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
-		require.NoError(t, err)
-		assert.True(t, exists, "Entry %d should exist after first config", i)
-	}
-
-	config2 := HostDNSConfig{
-		ServerIP: testIP,
-		Domains: []DomainConfig{
-			{Domain: "domain1.com", MatchOnly: true},
-			{Domain: "domain2.com", MatchOnly: true},
-		},
-	}
-
-	err = cfg.applyDNSConfig(config2, nil)
-	require.NoError(t, err)
-
-	// Verify first 2 entries exist
-	for i := 0; i < 2; i++ {
-		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
-		require.NoError(t, err)
-		assert.True(t, exists, "Entry %d should exist after second config", i)
-	}
-
-	// Verify entries 2-4 are cleaned up
-	for i := 2; i < 5; i++ {
-		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
-		require.NoError(t, err)
-		assert.False(t, exists, "Entry %d should NOT exist after reducing to 2 domains", i)
-	}
-}
-
-func registryKeyExists(path string) (bool, error) {
-	k, err := registry.OpenKey(registry.LOCAL_MACHINE, path, registry.QUERY_VALUE)
-	if err != nil {
-		if err == registry.ErrNotExist {
-			return false, nil
-		}
-		return false, err
-	}
-	k.Close()
-	return true, nil
-}
-
-func cleanupRegistryKeys(*testing.T) {
-	cfg := &registryConfigurator{nrptEntryCount: 10}
-	_ = cfg.removeDNSMatchPolicies()
-}
--- a/client/internal/dns/server_js.go
+++ b/client/internal/dns/server_js.go
@@ -1,5 +0,0 @@
-package dns
-
-func (s *DefaultServer) initialize() (hostManager, error) {
-	return &noopHostConfigurator{}, nil
-}
--- a/client/internal/dns/service_memory.go
+++ b/client/internal/dns/service_memory.go
@@ -10,7 +10,7 @@ import (
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"

-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )

 type ServiceViaMemory struct {
--- a/client/internal/dns/systemd_linux.go
+++ b/client/internal/dns/systemd_linux.go
@@ -31,7 +31,6 @@ const (
 	systemdDbusSetDefaultRouteMethodSuffix = systemdDbusLinkInterface + ".SetDefaultRoute"
 	systemdDbusSetDomainsMethodSuffix      = systemdDbusLinkInterface + ".SetDomains"
 	systemdDbusSetDNSSECMethodSuffix       = systemdDbusLinkInterface + ".SetDNSSEC"
-	systemdDbusSetDNSOverTLSMethodSuffix   = systemdDbusLinkInterface + ".SetDNSOverTLS"
 	systemdDbusResolvConfModeForeign       = "foreign"

 	dbusErrorUnknownObject = "org.freedesktop.DBus.Error.UnknownObject"
@@ -103,11 +102,6 @@ func (s *systemdDbusConfigurator) applyDNSConfig(config HostDNSConfig, stateMana
 		log.Warnf("failed to set DNSSEC to 'no': %v", err)
 	}

-	// We don't support DNSOverTLS. On some machines this is default on so we explicitly set it to off
-	if err := s.callLinkMethod(systemdDbusSetDNSOverTLSMethodSuffix, dnsSecDisabled); err != nil {
-		log.Warnf("failed to set DNSOverTLS to 'no': %v", err)
-	}
-
 	var (
 		searchDomains []string
 		matchDomains  []string
--- a/client/internal/dns/unclean_shutdown_darwin.go
+++ b/client/internal/dns/unclean_shutdown_darwin.go
@@ -7,7 +7,6 @@ import (
 )

 type ShutdownState struct {
-	CreatedKeys []string
 }

 func (s *ShutdownState) Name() string {
@@ -20,10 +19,6 @@ func (s *ShutdownState) Cleanup() error {
 		return fmt.Errorf("create host manager: %w", err)
 	}

-	for _, key := range s.CreatedKeys {
-		manager.createdKeys[key] = struct{}{}
-	}
-
 	if err := manager.restoreUncleanShutdownDNS(); err != nil {
 		return fmt.Errorf("restore unclean shutdown dns: %w", err)
 	}
--- a/client/internal/dns/unclean_shutdown_js.go
+++ b/client/internal/dns/unclean_shutdown_js.go
@@ -1,19 +0,0 @@
-package dns
-
-import (
-	"context"
-)
-
-type ShutdownState struct{}
-
-func (s *ShutdownState) Name() string {
-	return "dns_state"
-}
-
-func (s *ShutdownState) Cleanup() error {
-	return nil
-}
-
-func (s *ShutdownState) RestoreUncleanShutdownConfigs(context.Context) error {
-	return nil
-}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Maycon Santos	55d8b4e42c	cli client timeout	2025-09-19 11:47:32 +02:00
Maycon Santos	9b8f7d75b3	add some logs	2025-09-19 11:05:44 +02:00
Maycon Santos	57f3af57f4	add waitForConnectingShift and wait for it to change	2025-09-19 09:40:43 +02:00