add todos

2026-04-01 15:14:03 -04:00 · 2024-07-05 11:15:28 +02:00
629 changed files with 20162 additions and 63377 deletions
--- a/.editorconfig
+++ b/.editorconfig
@@ -1,8 +0,0 @@
-root = true
-
-[*]
-end_of_line = lf
-insert_final_newline = true
-
-[*.go]
-indent_style = tab
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -1,3 +0,0 @@
-# These are supported funding model platforms
-
-github: [netbirdio]
--- a/.github/ISSUE_TEMPLATE/bug-issue-report.md
+++ b/.github/ISSUE_TEMPLATE/bug-issue-report.md
@@ -31,14 +31,9 @@ Please specify whether you use NetBird Cloud or self-host NetBird's control plan

 `netbird version`

-**NetBird status -dA output:**
+**NetBird status -d output:**

-If applicable, add the `netbird status -dA' command output.
-
-**Do you face any (non-mobile) client issues?**
-
-Please provide the file created by `netbird debug for 1m -AS`.
-We advise reviewing the anonymized files for any remaining PII.
+If applicable, add the `netbird status -d' command output.

 **Screenshots**

--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -18,20 +18,18 @@ jobs:
    runs-on: macos-latest
    steps:
      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v4
        with:
-          go-version: "1.23.x"
-          cache: false
+          go-version: "1.21.x"
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3

      - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@v3
        with:
          path: ~/go/pkg/mod
-          key: macos-gotest-${{ hashFiles('**/go.sum') }}
+          key: macos-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
-            macos-gotest-
            macos-go-

      - name: Install libpcap
@@ -44,4 +42,4 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v /management)
+        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} go test -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 ./...
--- a/.github/workflows/golang-test-freebsd.yml
+++ b/.github/workflows/golang-test-freebsd.yml
@@ -13,7 +13,7 @@ concurrency:

 jobs:
  test:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Test in FreeBSD
@@ -21,26 +21,19 @@ jobs:
        uses: vmactions/freebsd-vm@v1
        with:
          usesh: true
-          copyback: false
-          release: "14.1"
          prepare: |
-            pkg install -y go
+            pkg install -y curl
+            pkg install -y git

-          # -x - to print all executed commands
-          # -e - to faile on first error
          run: |
-            set -e -x
-            time go build -o netbird client/main.go
-            # check all component except management, since we do not support management server on freebsd
-            time go test -timeout 1m -failfast ./base62/...
-            # NOTE: without -p1 `client/internal/dns` will fail becasue of `listen udp4 :33100: bind: address already in use`
-            time go test -timeout 8m -failfast -p 1 ./client/...
-            time go test -timeout 1m -failfast ./dns/...
-            time go test -timeout 1m -failfast ./encryption/...
-            time go test -timeout 1m -failfast ./formatter/...
-            time go test -timeout 1m -failfast ./client/iface/...
-            time go test -timeout 1m -failfast ./route/...
-            time go test -timeout 1m -failfast ./sharedsock/...
-            time go test -timeout 1m -failfast ./signal/...
-            time go test -timeout 1m -failfast ./util/...
-            time go test -timeout 1m -failfast ./version/...
+            set -x
+            curl -o go.tar.gz https://go.dev/dl/go1.21.11.freebsd-amd64.tar.gz -L
+            tar zxf go.tar.gz
+            mv go /usr/local/go
+            ln -s /usr/local/go/bin/go /usr/local/bin/go
+            go mod tidy
+            go test -timeout 5m -p 1 ./iface/...
+            go test -timeout 5m -p 1 ./client/... 
+            cd client
+            go build .
+            cd ..
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -11,163 +11,29 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  build-cache:
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.23.x"
-          cache: false
-
-      - name: Get Go environment
-        run: |
-          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
-
-      - name: Cache Go modules
-        uses: actions/cache@v4
-        id: cache
-        with:
-          path: |
-            ${{ env.cache }}
-            ${{ env.modcache }}
-          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
-            
-
-      - name: Install dependencies
-        if: steps.cache.outputs.cache-hit != 'true'
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
-
-      - name: Install 32-bit libpcap
-        if: steps.cache.outputs.cache-hit != 'true'
-        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
-
-      - name: Build client
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: client
-        run: CGO_ENABLED=1 go build .
-
-      - name: Build client 386
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: client
-        run: CGO_ENABLED=1 GOARCH=386 go build -o client-386 .
-
-      - name: Build management
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: management
-        run: CGO_ENABLED=1 go build .
-
-      - name: Build management 386
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: management
-        run: CGO_ENABLED=1 GOARCH=386 go build -o management-386 .
-
-      - name: Build signal
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: signal
-        run: CGO_ENABLED=1 go build .
-
-      - name: Build signal 386
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: signal
-        run: CGO_ENABLED=1 GOARCH=386 go build -o signal-386 .
-
-      - name: Build relay
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: relay
-        run: CGO_ENABLED=1 go build .
-
-      - name: Build relay 386
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: relay
-        run: CGO_ENABLED=1 GOARCH=386 go build -o relay-386 .
-
  test:
-    needs: [build-cache]
    strategy:
-      fail-fast: false
-      matrix:
-        arch: [ '386','amd64' ]
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.23.x"
-          cache: false
-
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Get Go environment
-        run: |
-          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
-
-      - name: Cache Go modules
-        uses: actions/cache/restore@v4
-        with:
-          path: |
-            ${{ env.cache }}
-            ${{ env.modcache }}
-          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-gotest-cache-
-
-      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
-
-      - name: Install 32-bit libpcap
-        if: matrix.arch == '386'
-        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
-
-      - name: Install modules
-        run: go mod tidy
-
-      - name: check git status
-        run: git --no-pager diff --exit-code
-
-      - name: Test
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v /management)
-
-  test_management:
-    needs: [ build-cache ]
-    strategy:
-      fail-fast: false
      matrix:
        arch: [ '386','amd64' ]
        store: [ 'sqlite', 'postgres']
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
    steps:
      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v4
        with:
-          go-version: "1.23.x"
-          cache: false
+          go-version: "1.21.x"

-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Get Go environment
-        run: |
-          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache@v3
        with:
-          path: |
-            ${{ env.cache }}
-            ${{ env.modcache }}
-          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
-            ${{ runner.os }}-gotest-cache-
+            ${{ runner.os }}-go-
+
+      - name: Checkout code
+        uses: actions/checkout@v3

      - name: Install dependencies
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
@@ -183,84 +49,26 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -p 1 -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 10m $(go list ./... | grep /management)
-
-  benchmark:
-    needs: [ build-cache ]
-    strategy:
-      fail-fast: false
-      matrix:
-        arch: [ '386','amd64' ]
-        store: [ 'sqlite', 'postgres' ]
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.23.x"
-          cache: false
-
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Get Go environment
-        run: |
-          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
-
-      - name: Cache Go modules
-        uses: actions/cache/restore@v4
-        with:
-          path: |
-            ${{ env.cache }}
-            ${{ env.modcache }}
-          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-gotest-cache-
-
-      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
-
-      - name: Install 32-bit libpcap
-        if: matrix.arch == '386'
-        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
-
-      - name: Install modules
-        run: go mod tidy
-
-      - name: check git status
-        run: git --no-pager diff --exit-code
-
-      - name: Test
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -run=^$ -bench=. -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 10m -p 1 ./...
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} NETBIRD_STORE_ENGINE=${{ matrix.store }} go test -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 ./...

  test_client_on_docker:
-    needs: [ build-cache ]
    runs-on: ubuntu-20.04
    steps:
      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v4
        with:
-          go-version: "1.23.x"
-          cache: false
-
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Get Go environment
-        run: |
-          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+          go-version: "1.21.x"

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache@v3
        with:
-          path: |
-            ${{ env.cache }}
-            ${{ env.modcache }}
-          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
-            ${{ runner.os }}-gotest-cache-
+            ${{ runner.os }}-go-
+
+      - name: Checkout code
+        uses: actions/checkout@v3

      - name: Install dependencies
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
@@ -271,6 +79,9 @@ jobs:
      - name: check git status
        run: git --no-pager diff --exit-code

+      - name: Generate Iface Test bin
+        run: CGO_ENABLED=0 go test -c -o iface-testing.bin ./iface/
+
      - name: Generate Shared Sock Test bin
        run: CGO_ENABLED=0 go test -c -o sharedsock-testing.bin ./sharedsock

@@ -287,7 +98,7 @@ jobs:
        run: CGO_ENABLED=1 go test -c -o engine-testing.bin ./client/internal

      - name: Generate Peer Test bin
-        run: CGO_ENABLED=0 go test -c -o peer-testing.bin ./client/internal/peer/
+        run: CGO_ENABLED=0 go test -c -o peer-testing.bin ./client/internal/peer/...

      - run: chmod +x *testing.bin

@@ -295,7 +106,7 @@ jobs:
        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/sharedsock --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/sharedsock-testing.bin -test.timeout 5m -test.parallel 1

      - name: Run Iface tests in docker
-        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/netbird -v /tmp/cache:/tmp/cache -v /tmp/modcache:/tmp/modcache -w /netbird -e GOCACHE=/tmp/cache -e GOMODCACHE=/tmp/modcache -e CGO_ENABLED=0 golang:1.23-alpine go test  -test.timeout 5m -test.parallel 1 ./client/iface/...
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/iface --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/iface-testing.bin -test.timeout 5m -test.parallel 1

      - name: Run RouteManager tests in docker
        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/routemanager --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/routemanager-testing.bin  -test.timeout 5m -test.parallel 1
@@ -313,4 +124,4 @@ jobs:
        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal -e NETBIRD_STORE_ENGINE="sqlite" --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/engine-testing.bin  -test.timeout 5m -test.parallel 1

      - name: Run Peer tests in docker
-        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/peer  --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/peer-testing.bin  -test.timeout 5m -test.parallel 1
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/peer  --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/peer-testing.bin  -test.timeout 5m -test.parallel 1
--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -17,30 +17,13 @@ jobs:
    runs-on: windows-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v4
        id: go
        with:
-          go-version: "1.23.x"
-          cache: false
-
-      - name: Get Go environment
-        run: |
-          echo "cache=$(go env GOCACHE)" >> $env:GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $env:GITHUB_ENV
-
-      - name: Cache Go modules
-        uses: actions/cache@v4
-        with:
-          path: |
-            ${{ env.cache }}
-            ${{ env.modcache }}
-          key: ${{ runner.os }}-gotest-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-gotest-
-            ${{ runner.os }}-go-
+          go-version: "1.21.x"

      - name: Download wintun
        uses: carlosperate/download-file-action@v2
@@ -59,13 +42,11 @@ jobs:
      - run: choco install -y sysinternals --ignore-checksums
      - run: choco install -y mingw

-      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=${{ env.cache }}
-      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=${{ env.modcache }}
-      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe mod tidy
-      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' })" >> $env:GITHUB_ENV
+      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=C:\Users\runneradmin\go\pkg\mod
+      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=C:\Users\runneradmin\AppData\Local\go-build

      - name: test
-        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -timeout 10m -p 1 ${{ env.files }} > test-out.txt 2>&1"
+        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -timeout 10m -p 1 ./... > test-out.txt 2>&1"
      - name: test output
        if: ${{ always() }}
        run: Get-Content test-out.txt
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -15,11 +15,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
      - name: codespell
        uses: codespell-project/actions-codespell@v2
        with:
-          ignore_words_list: erro,clienta,hastable,iif,groupd,testin
+          ignore_words_list: erro,clienta,hastable,
          skip: go.mod,go.sum
          only_warn: 1
  golangci:
@@ -32,21 +32,21 @@ jobs:
    timeout-minutes: 15
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
      - name: Check for duplicate constants
        if: matrix.os == 'ubuntu-latest'
        run: |
          ! awk '/const \(/,/)/{print $0}' management/server/activity/codes.go | grep -o '= [0-9]*' | sort | uniq -d | grep .
      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v4
        with:
-          go-version: "1.23.x"
+          go-version: "1.21.x"
          cache: false
      - name: Install dependencies
        if: matrix.os == 'ubuntu-latest'
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v4
+        uses: golangci/golangci-lint-action@v3
        with:
          version: latest
-          args: --timeout=12m --out-format colored-line-number
+          args: --timeout=12m
--- a/.github/workflows/install-script-test.yml
+++ b/.github/workflows/install-script-test.yml
@@ -13,7 +13,6 @@ concurrency:
 jobs:
  test-install-script:
    strategy:
-      fail-fast: false
      max-parallel: 2
      matrix:
        os: [ubuntu-latest, macos-latest]
@@ -22,7 +21,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3

      - name: run install script
        env:
--- a/.github/workflows/mobile-build-validation.yml
+++ b/.github/workflows/mobile-build-validation.yml
@@ -15,23 +15,23 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v4
        with:
-          go-version: "1.23.x"
+          go-version: "1.21.x"
      - name: Setup Android SDK
        uses: android-actions/setup-android@v3
        with:
          cmdline-tools-version: 8512546
      - name: Setup Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v3
        with:
          java-version: "11"
          distribution: "adopt"
      - name: NDK Cache
        id: ndk-cache
-        uses: actions/cache@v4
+        uses: actions/cache@v3
        with:
          path: /usr/local/lib/android/sdk/ndk
          key: ndk-cache-23.1.7779620
@@ -50,11 +50,11 @@ jobs:
    runs-on: macos-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v4
        with:
-          go-version: "1.23.x"
+          go-version: "1.21.x"
      - name: install gomobile
        run: go install golang.org/x/mobile/cmd/gomobile@v0.0.0-20240404231514-09dbf07665ed
      - name: gomobile init
@@ -62,4 +62,4 @@ jobs:
      - name: build iOS netbird lib
        run: PATH=$PATH:$(go env GOPATH) gomobile bind -target=ios -bundleid=io.netbird.framework -ldflags="-X github.com/netbirdio/netbird/version.version=buildtest" -o ./NetBirdSDK.xcframework ./client/ios/NetBirdSDK
        env:
-          CGO_ENABLED: 0
+          CGO_ENABLED: 0
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,16 +3,15 @@ name: Release
 on:
  push:
    tags:
-      - "v*"
+      - 'v*'
    branches:
      - main
  pull_request:

+
 env:
-  SIGN_PIPE_VER: "v0.0.17"
-  GORELEASER_VER: "v2.3.2"
-  PRODUCT_NAME: "NetBird"
-  COPYRIGHT: "Wiretrustee UG (haftungsbeschreankt)"
+  SIGN_PIPE_VER: "v0.0.11"
+  GORELEASER_VER: "v1.14.1"

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
@@ -20,30 +19,26 @@ concurrency:

 jobs:
  release:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
    env:
      flags: ""
    steps:
-      - name: Parse semver string
-        id: semver_parser
-        uses: booxmedialtd/ws-action-parse-semver@v1
-        with:
-          input_string: ${{ (startsWith(github.ref, 'refs/tags/v') && github.ref) || 'refs/tags/v0.0.0' }}
-          version_extractor_regex: '\/v(.*)$'
-
      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: echo "flags=--snapshot" >> $GITHUB_ENV
-      - name: Checkout
-        uses: actions/checkout@v4
+      -
+        name: Checkout
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0 # It is required for GoReleaser to work properly
-      - name: Set up Go
-        uses: actions/setup-go@v5
+      -
+        name: Set up Go
+        uses: actions/setup-go@v4
        with:
-          go-version: "1.23"
+          go-version: "1.21"
          cache: false
-      - name: Cache Go modules
-        uses: actions/cache@v4
+      -
+        name: Cache Go modules
+        uses: actions/cache@v3
        with:
          path: |
            ~/go/pkg/mod
@@ -51,57 +46,73 @@ jobs:
          key: ${{ runner.os }}-go-releaser-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-releaser-
-      - name: Install modules
+      -
+        name: Install modules
        run: go mod tidy
-      - name: check git status
+      -
+        name: check git status
        run: git --no-pager diff --exit-code
-      - name: Set up QEMU
+      -
+        name: Set up QEMU
        uses: docker/setup-qemu-action@v2
-      - name: Set up Docker Buildx
+      -
+        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
-      - name: Login to Docker hub
+      -
+        name: Login to Docker hub
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v1
        with:
-          username: ${{ secrets.DOCKER_USER }}
+          username: netbirdio
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Install OS build dependencies
        run: sudo apt update && sudo apt install -y -q gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu

-      - name: Install goversioninfo
-        run: go install github.com/josephspurrier/goversioninfo/cmd/goversioninfo@233067e
-      - name: Generate windows syso amd64
-        run: goversioninfo  -icon client/ui/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_amd64.syso
-      - name: Run GoReleaser
+      - name: Install rsrc
+        run: go install github.com/akavel/rsrc@v0.10.2
+      - name: Generate windows rsrc amd64
+        run: rsrc -arch amd64 -ico client/ui/netbird.ico -manifest client/manifest.xml -o client/resources_windows_amd64.syso
+      - name: Generate windows rsrc arm64
+        run: rsrc -arch arm64 -ico client/ui/netbird.ico -manifest client/manifest.xml -o client/resources_windows_arm64.syso
+      - name: Generate windows rsrc arm
+        run: rsrc -arch arm -ico client/ui/netbird.ico -manifest client/manifest.xml -o client/resources_windows_arm.syso
+      - name: Generate windows rsrc 386
+        run: rsrc -arch 386 -ico client/ui/netbird.ico -manifest client/manifest.xml -o client/resources_windows_386.syso
+      -
+        name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v4
        with:
          version: ${{ env.GORELEASER_VER }}
-          args: release --clean ${{ env.flags }}
+          args: release --rm-dist ${{ env.flags }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
          UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
-      - name: upload non tags for debug purposes
-        uses: actions/upload-artifact@v4
+      -
+        name: upload non tags for debug purposes
+        uses: actions/upload-artifact@v3
        with:
          name: release
          path: dist/
          retention-days: 3
-      - name: upload linux packages
-        uses: actions/upload-artifact@v4
+      -
+        name: upload linux packages
+        uses: actions/upload-artifact@v3
        with:
          name: linux-packages
          path: dist/netbird_linux**
          retention-days: 3
-      - name: upload windows packages
-        uses: actions/upload-artifact@v4
+      -
+        name: upload windows packages
+        uses: actions/upload-artifact@v3
        with:
          name: windows-packages
          path: dist/netbird_windows**
          retention-days: 3
-      - name: upload macos packages
-        uses: actions/upload-artifact@v4
+      -
+        name: upload macos packages
+        uses: actions/upload-artifact@v3
        with:
          name: macos-packages
          path: dist/netbird_darwin**
@@ -110,29 +121,22 @@ jobs:
  release_ui:
    runs-on: ubuntu-latest
    steps:
-      - name: Parse semver string
-        id: semver_parser
-        uses: booxmedialtd/ws-action-parse-semver@v1
-        with:
-          input_string: ${{ (startsWith(github.ref, 'refs/tags/v') && github.ref) || 'refs/tags/v0.0.0' }}
-          version_extractor_regex: '\/v(.*)$'
-
      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: echo "flags=--snapshot" >> $GITHUB_ENV
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0 # It is required for GoReleaser to work properly

      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v4
        with:
-          go-version: "1.23"
+          go-version: "1.21"
          cache: false
      - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@v3
        with:
-          path: |
+          path: | 
            ~/go/pkg/mod
            ~/.cache/go-build
          key: ${{ runner.os }}-ui-go-releaser-${{ hashFiles('**/go.sum') }}
@@ -147,23 +151,22 @@ jobs:

      - name: Install dependencies
        run: sudo apt update && sudo apt install -y -q libappindicator3-dev gir1.2-appindicator3-0.1 libxxf86vm-dev gcc-mingw-w64-x86-64
-      - name: Install goversioninfo
-        run: go install github.com/josephspurrier/goversioninfo/cmd/goversioninfo@233067e
-      - name: Generate windows syso amd64
-        run: goversioninfo -64 -icon client/ui/netbird.ico -manifest client/ui/manifest.xml -product-name ${{ env.PRODUCT_NAME }}-"UI" -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/ui/resources_windows_amd64.syso
-
+      - name: Install rsrc
+        run: go install github.com/akavel/rsrc@v0.10.2
+      - name: Generate windows rsrc
+        run: rsrc -arch amd64 -ico client/ui/netbird.ico -manifest client/ui/manifest.xml -o client/ui/resources_windows_amd64.syso
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v4
        with:
          version: ${{ env.GORELEASER_VER }}
-          args: release --config .goreleaser_ui.yaml --clean ${{ env.flags }}
+          args: release --config .goreleaser_ui.yaml --rm-dist ${{ env.flags }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
          UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
      - name: upload non tags for debug purposes
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
        with:
          name: release-ui
          path: dist/
@@ -174,17 +177,20 @@ jobs:
    steps:
      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: echo "flags=--snapshot" >> $GITHUB_ENV
-      - name: Checkout
-        uses: actions/checkout@v4
+      -
+        name: Checkout
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0 # It is required for GoReleaser to work properly
-      - name: Set up Go
-        uses: actions/setup-go@v5
+      -
+        name: Set up Go
+        uses: actions/setup-go@v4
        with:
-          go-version: "1.23"
+          go-version: "1.21"
          cache: false
-      - name: Cache Go modules
-        uses: actions/cache@v4
+      -
+        name: Cache Go modules
+        uses: actions/cache@v3
        with:
          path: |
            ~/go/pkg/mod
@@ -192,35 +198,53 @@ jobs:
          key: ${{ runner.os }}-ui-go-releaser-darwin-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-ui-go-releaser-darwin-
-      - name: Install modules
+      -
+        name: Install modules
        run: go mod tidy
-      - name: check git status
+      - 
+        name: check git status
        run: git --no-pager diff --exit-code
-      - name: Run GoReleaser
+      -
+        name: Run GoReleaser
        id: goreleaser
        uses: goreleaser/goreleaser-action@v4
        with:
          version: ${{ env.GORELEASER_VER }}
-          args: release --config .goreleaser_ui_darwin.yaml --clean ${{ env.flags }}
+          args: release --config .goreleaser_ui_darwin.yaml --rm-dist ${{ env.flags }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: upload non tags for debug purposes
-        uses: actions/upload-artifact@v4
+      -
+        name: upload non tags for debug purposes
+        uses: actions/upload-artifact@v3
        with:
          name: release-ui-darwin
          path: dist/
          retention-days: 3

-  trigger_signer:
+  trigger_windows_signer:
    runs-on: ubuntu-latest
-    needs: [release, release_ui, release_ui_darwin]
+    needs: [release,release_ui]
    if: startsWith(github.ref, 'refs/tags/')
    steps:
-      - name: Trigger binaries sign pipelines
+      - name: Trigger Windows binaries sign pipeline
        uses: benc-uk/workflow-dispatch@v1
        with:
-          workflow: Sign bin and installer
+          workflow: Sign windows bin and installer
          repo: netbirdio/sign-pipelines
          ref: ${{ env.SIGN_PIPE_VER }}
          token: ${{ secrets.SIGN_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref }}", "skipRelease": false }'
+          inputs: '{ "tag": "${{ github.ref }}" }'
+
+  trigger_darwin_signer:
+    runs-on: ubuntu-latest
+    needs: [release,release_ui_darwin]
+    if: startsWith(github.ref, 'refs/tags/')
+    steps:
+      - name: Trigger Darwin App binaries sign pipeline
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: Sign darwin ui app with dispatch
+          repo: netbirdio/sign-pipelines
+          ref: ${{ env.SIGN_PIPE_VER }}
+          token: ${{ secrets.SIGN_GITHUB_TOKEN }}
+          inputs: '{ "tag": "${{ github.ref }}" }'
--- a/.github/workflows/test-infrastructure-files.yml
+++ b/.github/workflows/test-infrastructure-files.yml
@@ -18,31 +18,7 @@ concurrency:
 jobs:
  test-docker-compose:
    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        store: [ 'sqlite', 'postgres' ]
-    services:
-      postgres:
-        image: ${{ (matrix.store == 'postgres') && 'postgres' || '' }}
-        env:
-          POSTGRES_USER: netbird
-          POSTGRES_PASSWORD: postgres
-          POSTGRES_DB: netbird
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 10s
-          --health-timeout 5s
-        ports:
-          - 5432:5432
    steps:
-      - name: Set Database Connection String
-        run: |
-          if [ "${{ matrix.store }}" == "postgres" ]; then
-            echo "NETBIRD_STORE_ENGINE_POSTGRES_DSN=host=$(hostname -I | awk '{print $1}') user=netbird password=postgres dbname=netbird port=5432" >> $GITHUB_ENV
-          else
-            echo "NETBIRD_STORE_ENGINE_POSTGRES_DSN==" >> $GITHUB_ENV
-          fi
-
      - name: Install jq
        run: sudo apt-get install -y jq

@@ -50,12 +26,12 @@ jobs:
        run: sudo apt-get install -y curl

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v4
        with:
-          go-version: "1.23.x"
+          go-version: "1.21.x"

      - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@v3
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -63,7 +39,7 @@ jobs:
            ${{ runner.os }}-go-

      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3

      - name: cp setup.env
        run: cp infrastructure_files/tests/setup.env infrastructure_files/
@@ -82,8 +58,7 @@ jobs:
          CI_NETBIRD_IDP_MGMT_CLIENT_ID: testing.client.id
          CI_NETBIRD_IDP_MGMT_CLIENT_SECRET: testing.client.secret
          CI_NETBIRD_AUTH_SUPPORTED_SCOPES: "openid profile email offline_access api email_verified"
-          CI_NETBIRD_STORE_CONFIG_ENGINE: ${{ matrix.store }}
-          NETBIRD_STORE_ENGINE_POSTGRES_DSN: ${{ env.NETBIRD_STORE_ENGINE_POSTGRES_DSN }}
+          CI_NETBIRD_STORE_CONFIG_ENGINE: "sqlite"
          CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH: false

      - name: check values
@@ -110,8 +85,7 @@ jobs:
          CI_NETBIRD_IDP_MGMT_CLIENT_ID: testing.client.id
          CI_NETBIRD_IDP_MGMT_CLIENT_SECRET: testing.client.secret
          CI_NETBIRD_SIGNAL_PORT: 12345
-          CI_NETBIRD_STORE_CONFIG_ENGINE: ${{ matrix.store }}
-          NETBIRD_STORE_ENGINE_POSTGRES_DSN: '${{ env.NETBIRD_STORE_ENGINE_POSTGRES_DSN }}$'
+          CI_NETBIRD_STORE_CONFIG_ENGINE: "sqlite"
          CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH: false
          CI_NETBIRD_TURN_EXTERNAL_IP: "1.2.3.4"

@@ -149,14 +123,6 @@ jobs:
          grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep Scope | grep "$CI_NETBIRD_AUTH_SUPPORTED_SCOPES"
          grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep -A 3 RedirectURLs | grep "http://localhost:53000"
          grep "external-ip" turnserver.conf | grep $CI_NETBIRD_TURN_EXTERNAL_IP
-          grep NETBIRD_STORE_ENGINE_POSTGRES_DSN docker-compose.yml | egrep "$NETBIRD_STORE_ENGINE_POSTGRES_DSN"
-          # check relay values
-          grep "NB_EXPOSED_ADDRESS=$CI_NETBIRD_DOMAIN:33445" docker-compose.yml
-          grep "NB_LISTEN_ADDRESS=:33445" docker-compose.yml
-          grep '33445:33445' docker-compose.yml
-          grep -A 10 'relay:' docker-compose.yml | egrep 'NB_AUTH_SECRET=.+$'
-          grep -A 7 Relay management.json | grep "rel://$CI_NETBIRD_DOMAIN:33445"
-          grep -A 7 Relay management.json | egrep '"Secret": ".+"'

      - name: Install modules
        run: go mod tidy
@@ -182,35 +148,26 @@ jobs:
        run: |
          docker build -t netbirdio/signal:latest .

-      - name: Build relay binary
-        working-directory: relay
-        run: CGO_ENABLED=0 go build -o netbird-relay main.go
-
-      - name: Build relay docker image
-        working-directory: relay
-        run: |
-          docker build -t netbirdio/relay:latest .
-
      - name: run docker compose up
        working-directory: infrastructure_files/artifacts
        run: |
-          docker compose up -d
+          docker-compose up -d
          sleep 5
-          docker compose ps
-          docker compose logs --tail=20
+          docker-compose ps
+          docker-compose logs --tail=20

      - name: test running containers
        run: |
          count=$(docker compose ps --format json | jq '. | select(.Name | contains("artifacts")) | .State' | grep -c running)
-          test $count -eq 5 || docker compose logs
+          test $count -eq 4
        working-directory: infrastructure_files/artifacts

      - name: test geolocation databases
        working-directory: infrastructure_files/artifacts
        run: |
          sleep 30
-          docker compose exec management ls -l /var/lib/netbird/ | grep -i GeoLite2-City_[0-9]*.mmdb
-          docker compose exec management ls -l /var/lib/netbird/ | grep -i geonames_[0-9]*.db
+          docker compose exec management ls -l /var/lib/netbird/ | grep -i GeoLite2-City.mmdb
+          docker compose exec management ls -l /var/lib/netbird/ | grep -i geonames.db

  test-getting-started-script:
    runs-on: ubuntu-latest
@@ -219,7 +176,7 @@ jobs:
        run: sudo apt-get install -y jq

      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3

      - name: run script with Zitadel PostgreSQL
        run: NETBIRD_DOMAIN=use-ip bash -x infrastructure_files/getting-started-with-zitadel.sh
@@ -234,7 +191,7 @@ jobs:
        run: test -f management.json

      - name: test turnserver.conf file gen postgres
-        run: |
+        run: | 
          set -x
          test -f turnserver.conf
          grep external-ip turnserver.conf
@@ -245,15 +202,12 @@ jobs:
      - name: test dashboard.env file gen postgres
        run: test -f dashboard.env

-      - name: test relay.env file gen postgres
-        run: test -f relay.env
-
      - name: test zdb.env file gen postgres
        run: test -f zdb.env

      - name: Postgres run cleanup
        run: |
-          docker compose down --volumes --rmi all
+          docker-compose down --volumes --rmi all
          rm -rf docker-compose.yml Caddyfile zitadel.env dashboard.env machinekey/zitadel-admin-sa.token turnserver.conf management.json zdb.env

      - name: run script with Zitadel CockroachDB
@@ -272,7 +226,7 @@ jobs:
        run: test -f management.json

      - name: test turnserver.conf file gen CockroachDB
-        run: |
+        run: | 
          set -x
          test -f turnserver.conf
          grep external-ip turnserver.conf
@@ -283,5 +237,20 @@ jobs:
      - name: test dashboard.env file gen CockroachDB
        run: test -f dashboard.env

-      - name: test relay.env file gen CockroachDB
-        run: test -f relay.env
+  test-download-geolite2-script:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install jq
+        run: sudo apt-get update && sudo apt-get install -y unzip sqlite3
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: test script
+        run: bash -x infrastructure_files/download-geolite2.sh
+
+      - name: test mmdb file exists
+        run: test -f GeoLite2-City.mmdb
+
+      - name: test geonames file exists
+        run: test -f geonames.db
--- a/.gitignore
+++ b/.gitignore
@@ -29,3 +29,4 @@ infrastructure_files/setup.env
 infrastructure_files/setup-*.env
 .vscode
 .DS_Store
+GeoLite2-City*
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,5 +1,3 @@
-version: 2
-
 project_name: netbird
 builds:
  - id: netbird
@@ -24,7 +22,7 @@ builds:
        goarch: 386
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: "{{ .CommitTimestamp }}"
+    mod_timestamp: '{{ .CommitTimestamp }}'
    tags:
      - load_wgnt_from_rsrc

@@ -44,19 +42,19 @@ builds:
      - softfloat
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: "{{ .CommitTimestamp }}"
+    mod_timestamp: '{{ .CommitTimestamp }}'
    tags:
      - load_wgnt_from_rsrc

  - id: netbird-mgmt
    dir: management
    env:
-      - CGO_ENABLED=1
-      - >-
-        {{- if eq .Runtime.Goos "linux" }}
-          {{- if eq .Arch "arm64"}}CC=aarch64-linux-gnu-gcc{{- end }}
-          {{- if eq .Arch "arm"}}CC=arm-linux-gnueabihf-gcc{{- end }}
-        {{- end }}
+    - CGO_ENABLED=1
+    - >-
+      {{- if eq .Runtime.Goos "linux" }}
+        {{- if eq .Arch "arm64"}}CC=aarch64-linux-gnu-gcc{{- end }}
+        {{- if eq .Arch "arm"}}CC=arm-linux-gnueabihf-gcc{{- end }}
+      {{- end }}
    binary: netbird-mgmt
    goos:
      - linux
@@ -66,7 +64,7 @@ builds:
      - arm
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: "{{ .CommitTimestamp }}"
+    mod_timestamp: '{{ .CommitTimestamp }}'

  - id: netbird-signal
    dir: signal
@@ -80,24 +78,7 @@ builds:
      - arm
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: "{{ .CommitTimestamp }}"
-
-  - id: netbird-relay
-    dir: relay
-    env: [CGO_ENABLED=0]
-    binary: netbird-relay
-    goos:
-      - linux
-    goarch:
-      - amd64
-      - arm64
-      - arm
-    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: "{{ .CommitTimestamp }}"
-
-universal_binaries:
-  - id: netbird
+    mod_timestamp: '{{ .CommitTimestamp }}'

 archives:
  - builds:
@@ -105,6 +86,7 @@ archives:
      - netbird-static

 nfpms:
+
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client.
    homepage: https://netbird.io/
@@ -179,52 +161,6 @@ dockers:
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/relay:{{ .Version }}-amd64
-    ids:
-      - netbird-relay
-    goarch: amd64
-    use: buildx
-    dockerfile: relay/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/relay:{{ .Version }}-arm64v8
-    ids:
-      - netbird-relay
-    goarch: arm64
-    use: buildx
-    dockerfile: relay/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/relay:{{ .Version }}-arm
-    ids:
-      - netbird-relay
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: relay/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/signal:{{ .Version }}-amd64
    ids:
@@ -377,18 +313,6 @@ docker_manifests:
      - netbirdio/netbird:{{ .Version }}-arm
      - netbirdio/netbird:{{ .Version }}-amd64

-  - name_template: netbirdio/relay:{{ .Version }}
-    image_templates:
-      - netbirdio/relay:{{ .Version }}-arm64v8
-      - netbirdio/relay:{{ .Version }}-arm
-      - netbirdio/relay:{{ .Version }}-amd64
-
-  - name_template: netbirdio/relay:latest
-    image_templates:
-      - netbirdio/relay:{{ .Version }}-arm64v8
-      - netbirdio/relay:{{ .Version }}-arm
-      - netbirdio/relay:{{ .Version }}-amd64
-
  - name_template: netbirdio/signal:{{ .Version }}
    image_templates:
      - netbirdio/signal:{{ .Version }}-arm64v8
@@ -420,9 +344,10 @@ docker_manifests:
      - netbirdio/management:{{ .Version }}-debug-amd64

 brews:
-  - ids:
+  -
+    ids:
      - default
-    repository:
+    tap:
      owner: netbirdio
      name: homebrew-tap
      token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
@@ -439,7 +364,7 @@ brews:
 uploads:
  - name: debian
    ids:
-      - netbird-deb
+    - netbird-deb
    mode: archive
    target: https://pkgs.wiretrustee.com/debian/pool/{{ .ArtifactName }};deb.distribution=stable;deb.component=main;deb.architecture={{ if .Arm }}armhf{{ else }}{{ .Arch }}{{ end }};deb.package=
    username: dev@wiretrustee.com
@@ -461,4 +386,4 @@ checksum:
 release:
  extra_files:
    - glob: ./infrastructure_files/getting-started-with-zitadel.sh
-    - glob: ./release_files/install.sh
+    - glob: ./release_files/install.sh
--- a/.goreleaser_ui.yaml
+++ b/.goreleaser_ui.yaml
@@ -1,5 +1,3 @@
-version: 2
-
 project_name: netbird-ui
 builds:
  - id: netbird-ui
@@ -13,7 +11,9 @@ builds:
      - amd64
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: "{{ .CommitTimestamp }}"
+    tags:
+      - legacy_appindicator
+    mod_timestamp: '{{ .CommitTimestamp }}'

  - id: netbird-ui-windows
    dir: client/ui
@@ -28,7 +28,7 @@ builds:
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
      - -H windowsgui
-    mod_timestamp: "{{ .CommitTimestamp }}"
+    mod_timestamp: '{{ .CommitTimestamp }}'

 archives:
  - id: linux-arch
@@ -41,6 +41,7 @@ archives:
      - netbird-ui-windows

 nfpms:
+
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client UI.
    homepage: https://netbird.io/
@@ -78,7 +79,7 @@ nfpms:
 uploads:
  - name: debian
    ids:
-      - netbird-ui-deb
+    - netbird-ui-deb
    mode: archive
    target: https://pkgs.wiretrustee.com/debian/pool/{{ .ArtifactName }};deb.distribution=stable;deb.component=main;deb.architecture={{ if .Arm }}armhf{{ else }}{{ .Arch }}{{ end }};deb.package=
    username: dev@wiretrustee.com
--- a/.goreleaser_ui_darwin.yaml
+++ b/.goreleaser_ui_darwin.yaml
@@ -1,5 +1,3 @@
-version: 2
-
 project_name: netbird-ui
 builds:
  - id: netbird-ui-darwin
@@ -19,13 +17,10 @@ builds:
      - softfloat
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: "{{ .CommitTimestamp }}"
+    mod_timestamp: '{{ .CommitTimestamp }}'
    tags:
      - load_wgnt_from_rsrc

-universal_binaries:
-  - id: netbird-ui-darwin
-
 archives:
  - builds:
      - netbird-ui-darwin
@@ -33,4 +28,4 @@ archives:
 checksum:
  name_template: "{{ .ProjectName }}_darwin_checksums.txt"
 changelog:
-  disable: true
+  skip: true
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -96,7 +96,7 @@ They can be executed from the repository root before every push or PR:

 **Goreleaser**
 ```shell
-goreleaser build --snapshot --clean
+goreleaser --snapshot --rm-dist
 ```
 **golangci-lint**
 ```shell
--- a/README.md
+++ b/README.md
@@ -10,19 +10,13 @@
  <img width="234" src="docs/media/logo-full.png"/>
 </p>
  <p>
-   <a href="https://img.shields.io/badge/license-BSD--3-blue)">
-       <img src="https://sonarcloud.io/api/project_badges/measure?project=netbirdio_netbird&metric=alert_status" />
-     </a> 
     <a href="https://github.com/netbirdio/netbird/blob/main/LICENSE">
       <img src="https://img.shields.io/badge/license-BSD--3-blue" />
     </a> 
+   <a href="https://www.codacy.com/gh/netbirdio/netbird/dashboard?utm_source=github.com&amp;utm_medium=referral&amp;utm_content=netbirdio/netbird&amp;utm_campaign=Badge_Grade"><img src="https://app.codacy.com/project/badge/Grade/e3013d046aec44cdb7462c8673b00976"/></a>
    <br>
-    <a href="https://join.slack.com/t/netbirdio/shared_invite/zt-2utg2ncdz-W7LEB6toRBLE1Jca37dYpg">
+    <a href="https://join.slack.com/t/netbirdio/shared_invite/zt-vrahf41g-ik1v7fV8du6t0RwxSrJ96A">
        <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack"/>
-     </a>  
-     <br>
-    <a href="https://gurubase.io/g/netbird">
-        <img src="https://img.shields.io/badge/Gurubase-Ask%20NetBird%20Guru-006BFF"/>
     </a>    
  </p>
 </div>
@@ -34,7 +28,7 @@
  <br/>
  See <a href="https://netbird.io/docs/">Documentation</a>
  <br/>
-   Join our <a href="https://join.slack.com/t/netbirdio/shared_invite/zt-2utg2ncdz-W7LEB6toRBLE1Jca37dYpg">Slack channel</a>
+   Join our <a href="https://join.slack.com/t/netbirdio/shared_invite/zt-vrahf41g-ik1v7fV8du6t0RwxSrJ96A">Slack channel</a>
  <br/>
 
 </strong>
@@ -53,8 +47,6 @@

 ![netbird_2](https://github.com/netbirdio/netbird/assets/700848/46bc3b73-508d-4a0e-bb9a-f465d68646ab)

-### NetBird on Lawrence Systems (Video)
-[![Watch the video](https://img.youtube.com/vi/Kwrff6h0rEw/0.jpg)](https://www.youtube.com/watch?v=Kwrff6h0rEw)

 ### Key features

@@ -68,7 +60,6 @@
 |                                                                                                                              |                                                                                                          | <ul><li> - \[x] [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn) </ul></li> |                                                                                                                                          | <ul><li> - \[x] OpenWRT </ul></li>                                                      |
 |                                                                                                                              |                                                                                                          | <ui><li> - \[x] [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication)</ul></li>           |                                                                                                                                          | <ul><li> - \[x] [Serverless](https://docs.netbird.io/how-to/netbird-on-faas) </ul></li> |
 |                                                                                                                              |                                                                                                          |                                                                                                                                       |                                                                                                                                          | <ul><li> - \[x] Docker </ul></li>                                                       |
-
 ### Quickstart with NetBird Cloud

 - Download and install NetBird at [https://app.netbird.io/install](https://app.netbird.io/install)
--- a/client/Dockerfile
+++ b/client/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.21.0
+FROM alpine:3.19
 RUN apk add --no-cache ca-certificates iptables ip6tables
 ENV NB_FOREGROUND_MODE=true
 ENTRYPOINT [ "/usr/local/bin/netbird","up"]
--- a/client/android/client.go
+++ b/client/android/client.go
@@ -8,7 +8,6 @@ import (

 	log "github.com/sirupsen/logrus"

-	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/listener"
@@ -16,6 +15,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/formatter"
+	"github.com/netbirdio/netbird/iface"
 	"github.com/netbirdio/netbird/util/net"
 )

@@ -26,7 +26,7 @@ type ConnectionListener interface {

 // TunAdapter export internal TunAdapter for mobile
 type TunAdapter interface {
-	device.TunAdapter
+	iface.TunAdapter
 }

 // IFaceDiscover export internal IFaceDiscover for mobile
@@ -51,7 +51,7 @@ func init() {
 // Client struct manage the life circle of background service
 type Client struct {
 	cfgFile               string
-	tunAdapter            device.TunAdapter
+	tunAdapter            iface.TunAdapter
 	iFaceDiscover         IFaceDiscover
 	recorder              *peer.Status
 	ctxCancel             context.CancelFunc
--- a/client/android/login.go
+++ b/client/android/login.go
@@ -84,7 +84,7 @@ func (a *Auth) SaveConfigIfSSOSupported(listener SSOListener) {
 func (a *Auth) saveConfigIfSSOSupported() (bool, error) {
 	supportsSSO := true
 	err := a.withBackOff(a.ctx, func() (err error) {
-		_, err = internal.GetPKCEAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL, nil)
+		_, err = internal.GetPKCEAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL)
 		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.NotFound || s.Code() == codes.Unimplemented) {
 			_, err = internal.GetDeviceAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL)
 			s, ok := gstatus.FromError(err)
--- a/client/anonymize/anonymize.go
+++ b/client/anonymize/anonymize.go
@@ -12,8 +12,6 @@ import (
 	"strings"
 )

-const anonTLD = ".domain"
-
 type Anonymizer struct {
 	ipAnonymizer     map[netip.Addr]netip.Addr
 	domainAnonymizer map[string]string
@@ -21,8 +19,6 @@ type Anonymizer struct {
 	currentAnonIPv6  netip.Addr
 	startAnonIPv4    netip.Addr
 	startAnonIPv6    netip.Addr
-
-	domainKeyRegex *regexp.Regexp
 }

 func DefaultAddresses() (netip.Addr, netip.Addr) {
@@ -38,8 +34,6 @@ func NewAnonymizer(startIPv4, startIPv6 netip.Addr) *Anonymizer {
 		currentAnonIPv6:  startIPv6,
 		startAnonIPv4:    startIPv4,
 		startAnonIPv6:    startIPv6,
-
-		domainKeyRegex: regexp.MustCompile(`\bdomain=([^\s,:"]+)`),
 	}
 }

@@ -89,39 +83,29 @@ func (a *Anonymizer) AnonymizeIPString(ip string) string {
 }

 func (a *Anonymizer) AnonymizeDomain(domain string) string {
-	baseDomain := domain
-	hasDot := strings.HasSuffix(domain, ".")
-	if hasDot {
-		baseDomain = domain[:len(domain)-1]
-	}
-
-	if strings.HasSuffix(baseDomain, "netbird.io") ||
-		strings.HasSuffix(baseDomain, "netbird.selfhosted") ||
-		strings.HasSuffix(baseDomain, "netbird.cloud") ||
-		strings.HasSuffix(baseDomain, "netbird.stage") ||
-		strings.HasSuffix(baseDomain, anonTLD) {
+	if strings.HasSuffix(domain, "netbird.io") ||
+		strings.HasSuffix(domain, "netbird.selfhosted") ||
+		strings.HasSuffix(domain, "netbird.cloud") ||
+		strings.HasSuffix(domain, "netbird.stage") ||
+		strings.HasSuffix(domain, ".domain") {
 		return domain
 	}

-	parts := strings.Split(baseDomain, ".")
+	parts := strings.Split(domain, ".")
 	if len(parts) < 2 {
 		return domain
 	}

-	baseForLookup := parts[len(parts)-2] + "." + parts[len(parts)-1]
+	baseDomain := parts[len(parts)-2] + "." + parts[len(parts)-1]

-	anonymized, ok := a.domainAnonymizer[baseForLookup]
+	anonymized, ok := a.domainAnonymizer[baseDomain]
 	if !ok {
-		anonymizedBase := "anon-" + generateRandomString(5) + anonTLD
-		a.domainAnonymizer[baseForLookup] = anonymizedBase
+		anonymizedBase := "anon-" + generateRandomString(5) + ".domain"
+		a.domainAnonymizer[baseDomain] = anonymizedBase
 		anonymized = anonymizedBase
 	}

-	result := strings.Replace(baseDomain, baseForLookup, anonymized, 1)
-	if hasDot {
-		result += "."
-	}
-	return result
+	return strings.Replace(domain, baseDomain, anonymized, 1)
 }

 func (a *Anonymizer) AnonymizeURI(uri string) string {
@@ -168,42 +152,32 @@ func (a *Anonymizer) AnonymizeString(str string) string {
 	return str
 }

-// AnonymizeSchemeURI finds and anonymizes URIs with ws, wss, rel, rels, stun, stuns, turn, and turns schemes.
+// AnonymizeSchemeURI finds and anonymizes URIs with stun, stuns, turn, and turns schemes.
 func (a *Anonymizer) AnonymizeSchemeURI(text string) string {
-	re := regexp.MustCompile(`(?i)\b(wss?://|rels?://|stuns?:|turns?:|https?://)\S+\b`)
+	re := regexp.MustCompile(`(?i)\b(stuns?:|turns?:|https?://)\S+\b`)

 	return re.ReplaceAllStringFunc(text, a.AnonymizeURI)
 }

+// AnonymizeDNSLogLine anonymizes domain names in DNS log entries by replacing them with a random string.
 func (a *Anonymizer) AnonymizeDNSLogLine(logEntry string) string {
-	return a.domainKeyRegex.ReplaceAllStringFunc(logEntry, func(match string) string {
-		parts := strings.SplitN(match, "=", 2)
+	domainPattern := `dns\.Question{Name:"([^"]+)",`
+	domainRegex := regexp.MustCompile(domainPattern)
+
+	return domainRegex.ReplaceAllStringFunc(logEntry, func(match string) string {
+		parts := strings.Split(match, `"`)
 		if len(parts) >= 2 {
 			domain := parts[1]
-			if strings.HasSuffix(domain, anonTLD) {
+			if strings.HasSuffix(domain, ".domain") {
 				return match
 			}
-			return "domain=" + a.AnonymizeDomain(domain)
+			randomDomain := generateRandomString(10) + ".domain"
+			return strings.Replace(match, domain, randomDomain, 1)
 		}
 		return match
 	})
 }

-// AnonymizeRoute anonymizes a route string by replacing IP addresses with anonymized versions and
-// domain names with random strings.
-func (a *Anonymizer) AnonymizeRoute(route string) string {
-	prefix, err := netip.ParsePrefix(route)
-	if err == nil {
-		ip := a.AnonymizeIPString(prefix.Addr().String())
-		return fmt.Sprintf("%s/%d", ip, prefix.Bits())
-	}
-	domains := strings.Split(route, ", ")
-	for i, domain := range domains {
-		domains[i] = a.AnonymizeDomain(domain)
-	}
-	return strings.Join(domains, ", ")
-}
-
 func isWellKnown(addr netip.Addr) bool {
 	wellKnown := []string{
 		"8.8.8.8", "8.8.4.4", // Google DNS IPv4
@@ -212,8 +186,6 @@ func isWellKnown(addr netip.Addr) bool {
 		"2606:4700:4700::1111", "2606:4700:4700::1001", // Cloudflare DNS IPv6
 		"9.9.9.9", "149.112.112.112", // Quad9 DNS IPv4
 		"2620:fe::fe", "2620:fe::9", // Quad9 DNS IPv6
-
-		"128.0.0.0", "8000::", // 2nd split subnet for default routes
 	}

 	if slices.Contains(wellKnown, addr.String()) {
--- a/client/anonymize/anonymize_test.go
+++ b/client/anonymize/anonymize_test.go
@@ -46,59 +46,11 @@ func TestAnonymizeIP(t *testing.T) {

 func TestAnonymizeDNSLogLine(t *testing.T) {
 	anonymizer := anonymize.NewAnonymizer(netip.Addr{}, netip.Addr{})
-	tests := []struct {
-		name     string
-		input    string
-		original string
-		expect   string
-	}{
-		{
-			name:     "Basic domain with trailing content",
-			input:    "received DNS request for DNS forwarder: domain=example.com: something happened with code=123",
-			original: "example.com",
-			expect:   `received DNS request for DNS forwarder: domain=anon-[a-zA-Z0-9]+\.domain: something happened with code=123`,
-		},
-		{
-			name:     "Domain with trailing dot",
-			input:    "domain=example.com. processing request with status=pending",
-			original: "example.com",
-			expect:   `domain=anon-[a-zA-Z0-9]+\.domain\. processing request with status=pending`,
-		},
-		{
-			name:     "Multiple domains in log",
-			input:    "forward domain=first.com status=ok, redirect to domain=second.com port=443",
-			original: "first.com", // testing just one is sufficient as AnonymizeDomain is tested separately
-			expect:   `forward domain=anon-[a-zA-Z0-9]+\.domain status=ok, redirect to domain=anon-[a-zA-Z0-9]+\.domain port=443`,
-		},
-		{
-			name:     "Already anonymized domain",
-			input:    "got request domain=anon-xyz123.domain from=client1 to=server2",
-			original: "", // nothing should be anonymized
-			expect:   `got request domain=anon-xyz123\.domain from=client1 to=server2`,
-		},
-		{
-			name:     "Subdomain with trailing dot",
-			input:    "domain=sub.example.com. next_hop=10.0.0.1 proto=udp",
-			original: "example.com",
-			expect:   `domain=sub\.anon-[a-zA-Z0-9]+\.domain\. next_hop=10\.0\.0\.1 proto=udp`,
-		},
-		{
-			name:     "Handler chain pattern log",
-			input:    "pattern: domain=example.com. original: domain=*.example.com. wildcard=true priority=100",
-			original: "example.com",
-			expect:   `pattern: domain=anon-[a-zA-Z0-9]+\.domain\. original: domain=\*\.anon-[a-zA-Z0-9]+\.domain\. wildcard=true priority=100`,
-		},
-	}
+	testLog := `2024-04-23T20:01:11+02:00 TRAC client/internal/dns/local.go:25: received question: dns.Question{Name:"example.com", Qtype:0x1c, Qclass:0x1}`

-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			result := anonymizer.AnonymizeDNSLogLine(tc.input)
-			if tc.original != "" {
-				assert.NotContains(t, result, tc.original)
-			}
-			assert.Regexp(t, tc.expect, result)
-		})
-	}
+	result := anonymizer.AnonymizeDNSLogLine(testLog)
+	require.NotEqual(t, testLog, result)
+	assert.NotContains(t, result, "example.com")
 }

 func TestAnonymizeDomain(t *testing.T) {
@@ -115,36 +67,18 @@ func TestAnonymizeDomain(t *testing.T) {
 			`^anon-[a-zA-Z0-9]+\.domain$`,
 			true,
 		},
-		{
-			"Domain with Trailing Dot",
-			"example.com.",
-			`^anon-[a-zA-Z0-9]+\.domain.$`,
-			true,
-		},
 		{
 			"Subdomain",
 			"sub.example.com",
 			`^sub\.anon-[a-zA-Z0-9]+\.domain$`,
 			true,
 		},
-		{
-			"Subdomain with Trailing Dot",
-			"sub.example.com.",
-			`^sub\.anon-[a-zA-Z0-9]+\.domain.$`,
-			true,
-		},
 		{
 			"Protected Domain",
 			"netbird.io",
 			`^netbird\.io$`,
 			false,
 		},
-		{
-			"Protected Domain with Trailing Dot",
-			"netbird.io.",
-			`^netbird\.io.$`,
-			false,
-		},
 	}

 	for _, tc := range tests {
@@ -206,16 +140,8 @@ func TestAnonymizeSchemeURI(t *testing.T) {
 		expect string
 	}{
 		{"STUN URI in text", "Connection made via stun:example.com", `Connection made via stun:anon-[a-zA-Z0-9]+\.domain`},
-		{"STUNS URI in message", "Secure connection to stuns:example.com:443", `Secure connection to stuns:anon-[a-zA-Z0-9]+\.domain:443`},
 		{"TURN URI in log", "Failed attempt turn:some.example.com:3478?transport=tcp: retrying", `Failed attempt turn:some.anon-[a-zA-Z0-9]+\.domain:3478\?transport=tcp: retrying`},
-		{"TURNS URI in message", "Secure connection to turns:example.com:5349", `Secure connection to turns:anon-[a-zA-Z0-9]+\.domain:5349`},
-		{"HTTP URI in text", "Visit http://example.com for more", `Visit http://anon-[a-zA-Z0-9]+\.domain for more`},
-		{"HTTPS URI in CAPS", "Visit HTTPS://example.com for more", `Visit https://anon-[a-zA-Z0-9]+\.domain for more`},
 		{"HTTPS URI in message", "Visit https://example.com for more", `Visit https://anon-[a-zA-Z0-9]+\.domain for more`},
-		{"WS URI in log", "Connection established to ws://example.com:8080", `Connection established to ws://anon-[a-zA-Z0-9]+\.domain:8080`},
-		{"WSS URI in message", "Secure connection to wss://example.com", `Secure connection to wss://anon-[a-zA-Z0-9]+\.domain`},
-		{"Rel URI in text", "Relaying to rel://example.com", `Relaying to rel://anon-[a-zA-Z0-9]+\.domain`},
-		{"Rels URI in message", "Relaying to rels://example.com", `Relaying to rels://anon-[a-zA-Z0-9]+\.domain`},
 	}

 	for _, tc := range tests {
--- a/client/cmd/debug.go
+++ b/client/cmd/debug.go
@@ -3,10 +3,8 @@ package cmd
 import (
 	"context"
 	"fmt"
-	"strings"
 	"time"

-	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"

@@ -15,8 +13,6 @@ import (
 	"github.com/netbirdio/netbird/client/server"
 )

-const errCloseConnection = "Failed to close connection: %v"
-
 var debugCmd = &cobra.Command{
 	Use:   "debug",
 	Short: "Debugging commands",
@@ -62,31 +58,17 @@ var forCmd = &cobra.Command{
 	RunE:    runForDuration,
 }

-var persistenceCmd = &cobra.Command{
-	Use:     "persistence [on|off]",
-	Short:   "Set network map memory persistence",
-	Long:    `Configure whether the latest network map should persist in memory. When enabled, the last known network map will be kept in memory.`,
-	Example: "  netbird debug persistence on",
-	Args:    cobra.ExactArgs(1),
-	RunE:    setNetworkMapPersistence,
-}
-
 func debugBundle(cmd *cobra.Command, _ []string) error {
 	conn, err := getClient(cmd)
 	if err != nil {
 		return err
 	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			log.Errorf(errCloseConnection, err)
-		}
-	}()
+	defer conn.Close()

 	client := proto.NewDaemonServiceClient(conn)
 	resp, err := client.DebugBundle(cmd.Context(), &proto.DebugBundleRequest{
-		Anonymize:  anonymizeFlag,
-		Status:     getStatusOutput(cmd),
-		SystemInfo: debugSystemInfoFlag,
+		Anonymize: anonymizeFlag,
+		Status:    getStatusOutput(cmd),
 	})
 	if err != nil {
 		return fmt.Errorf("failed to bundle debug: %v", status.Convert(err).Message())
@@ -102,11 +84,7 @@ func setLogLevel(cmd *cobra.Command, args []string) error {
 	if err != nil {
 		return err
 	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			log.Errorf(errCloseConnection, err)
-		}
-	}()
+	defer conn.Close()

 	client := proto.NewDaemonServiceClient(conn)
 	level := server.ParseLogLevel(args[0])
@@ -135,11 +113,7 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 	if err != nil {
 		return err
 	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			log.Errorf(errCloseConnection, err)
-		}
-	}()
+	defer conn.Close()

 	client := proto.NewDaemonServiceClient(conn)

@@ -148,20 +122,17 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to get status: %v", status.Convert(err).Message())
 	}

-	stateWasDown := stat.Status != string(internal.StatusConnected) && stat.Status != string(internal.StatusConnecting)
+	restoreUp := stat.Status == string(internal.StatusConnected) || stat.Status == string(internal.StatusConnecting)

 	initialLogLevel, err := client.GetLogLevel(cmd.Context(), &proto.GetLogLevelRequest{})
 	if err != nil {
 		return fmt.Errorf("failed to get log level: %v", status.Convert(err).Message())
 	}

-	if stateWasDown {
-		if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
-			return fmt.Errorf("failed to up: %v", status.Convert(err).Message())
-		}
-		cmd.Println("Netbird up")
-		time.Sleep(time.Second * 10)
+	if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
+		return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
 	}
+	cmd.Println("Netbird down")

 	initialLevelTrace := initialLogLevel.GetLevel() >= proto.LogLevel_TRACE
 	if !initialLevelTrace {
@@ -174,20 +145,8 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		cmd.Println("Log level set to trace.")
 	}

-	if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
-		return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
-	}
-	cmd.Println("Netbird down")
-
 	time.Sleep(1 * time.Second)

-	// Enable network map persistence before bringing the service up
-	if _, err := client.SetNetworkMapPersistence(cmd.Context(), &proto.SetNetworkMapPersistenceRequest{
-		Enabled: true,
-	}); err != nil {
-		return fmt.Errorf("failed to enable network map persistence: %v", status.Convert(err).Message())
-	}
-
 	if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
 		return fmt.Errorf("failed to up: %v", status.Convert(err).Message())
 	}
@@ -203,32 +162,21 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 	}
 	cmd.Println("\nDuration completed")

-	cmd.Println("Creating debug bundle...")
-
 	headerPreDown := fmt.Sprintf("----- Netbird pre-down - Timestamp: %s - Duration: %s", time.Now().Format(time.RFC3339), duration)
 	statusOutput = fmt.Sprintf("%s\n%s\n%s", statusOutput, headerPreDown, getStatusOutput(cmd))

-	resp, err := client.DebugBundle(cmd.Context(), &proto.DebugBundleRequest{
-		Anonymize:  anonymizeFlag,
-		Status:     statusOutput,
-		SystemInfo: debugSystemInfoFlag,
-	})
-	if err != nil {
-		return fmt.Errorf("failed to bundle debug: %v", status.Convert(err).Message())
+	if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
+		return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
 	}
+	cmd.Println("Netbird down")

-	// Disable network map persistence after creating the debug bundle
-	if _, err := client.SetNetworkMapPersistence(cmd.Context(), &proto.SetNetworkMapPersistenceRequest{
-		Enabled: false,
-	}); err != nil {
-		return fmt.Errorf("failed to disable network map persistence: %v", status.Convert(err).Message())
-	}
+	time.Sleep(1 * time.Second)

-	if stateWasDown {
-		if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
-			return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
+	if restoreUp {
+		if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
+			return fmt.Errorf("failed to up: %v", status.Convert(err).Message())
 		}
-		cmd.Println("Netbird down")
+		cmd.Println("Netbird up")
 	}

 	if !initialLevelTrace {
@@ -238,36 +186,18 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		cmd.Println("Log level restored to", initialLogLevel.GetLevel())
 	}

-	cmd.Println(resp.GetPath())
+	cmd.Println("Creating debug bundle...")

-	return nil
-}
-
-func setNetworkMapPersistence(cmd *cobra.Command, args []string) error {
-	conn, err := getClient(cmd)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			log.Errorf(errCloseConnection, err)
-		}
-	}()
-
-	persistence := strings.ToLower(args[0])
-	if persistence != "on" && persistence != "off" {
-		return fmt.Errorf("invalid persistence value: %s. Use 'on' or 'off'", args[0])
-	}
-
-	client := proto.NewDaemonServiceClient(conn)
-	_, err = client.SetNetworkMapPersistence(cmd.Context(), &proto.SetNetworkMapPersistenceRequest{
-		Enabled: persistence == "on",
+	resp, err := client.DebugBundle(cmd.Context(), &proto.DebugBundleRequest{
+		Anonymize: anonymizeFlag,
+		Status:    statusOutput,
 	})
 	if err != nil {
-		return fmt.Errorf("failed to set network map persistence: %v", status.Convert(err).Message())
+		return fmt.Errorf("failed to bundle debug: %v", status.Convert(err).Message())
 	}

-	cmd.Printf("Network map persistence set to: %s\n", persistence)
+	cmd.Println(resp.GetPath())
+
 	return nil
 }

--- a/client/cmd/down.go
+++ b/client/cmd/down.go
@@ -26,7 +26,7 @@ var downCmd = &cobra.Command{
 			return err
 		}

-		ctx, cancel := context.WithTimeout(context.Background(), time.Second*7)
+		ctx, cancel := context.WithTimeout(context.Background(), time.Second*3)
 		defer cancel()

 		conn, err := DialClientGRPCServer(ctx, daemonAddr)
@@ -42,8 +42,6 @@ var downCmd = &cobra.Command{
 			log.Errorf("call service down method: %v", err)
 			return err
 		}
-
-		cmd.Println("Disconnected")
 		return nil
 	},
 }
--- a/client/cmd/login.go
+++ b/client/cmd/login.go
@@ -39,11 +39,6 @@ var loginCmd = &cobra.Command{
 			ctx = context.WithValue(ctx, system.DeviceNameCtxKey, hostName)
 		}

-		providedSetupKey, err := getSetupKey()
-		if err != nil {
-			return err
-		}
-
 		// workaround to run without service
 		if logFile == "console" {
 			err = handleRebrand(cmd)
@@ -67,7 +62,7 @@ var loginCmd = &cobra.Command{

 			config, _ = internal.UpdateOldManagementURL(ctx, config, configPath)

-			err = foregroundLogin(ctx, cmd, config, providedSetupKey)
+			err = foregroundLogin(ctx, cmd, config, setupKey)
 			if err != nil {
 				return fmt.Errorf("foreground login failed: %v", err)
 			}
@@ -86,7 +81,7 @@ var loginCmd = &cobra.Command{
 		client := proto.NewDaemonServiceClient(conn)

 		loginRequest := proto.LoginRequest{
-			SetupKey:             providedSetupKey,
+			SetupKey:             setupKey,
 			ManagementUrl:        managementURL,
 			IsLinuxDesktopClient: isLinuxRunningDesktop(),
 			Hostname:             hostName,
--- a/client/cmd/login_test.go
+++ b/client/cmd/login_test.go
@@ -5,8 +5,8 @@ import (
 	"strings"
 	"testing"

-	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/iface"
 	"github.com/netbirdio/netbird/util"
 )

--- a/client/cmd/networks.go
+++ b/client/cmd/networks.go
@@ -1,173 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/spf13/cobra"
-	"google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/client/proto"
-)
-
-var appendFlag bool
-
-var networksCMD = &cobra.Command{
-	Use:     "networks",
-	Aliases: []string{"routes"},
-	Short:   "Manage networks",
-	Long:    `Commands to list, select, or deselect networks. Replaces the "routes" command.`,
-}
-
-var routesListCmd = &cobra.Command{
-	Use:     "list",
-	Aliases: []string{"ls"},
-	Short:   "List networks",
-	Example: "  netbird networks list",
-	Long:    "List all available network routes.",
-	RunE:    networksList,
-}
-
-var routesSelectCmd = &cobra.Command{
-	Use:     "select network...|all",
-	Short:   "Select network",
-	Long:    "Select a list of networks by identifiers or 'all' to clear all selections and to accept all (including new) networks.\nDefault mode is replace, use -a to append to already selected networks.",
-	Example: "  netbird networks select all\n  netbird networks select route1 route2\n  netbird routes select -a route3",
-	Args:    cobra.MinimumNArgs(1),
-	RunE:    networksSelect,
-}
-
-var routesDeselectCmd = &cobra.Command{
-	Use:     "deselect network...|all",
-	Short:   "Deselect networks",
-	Long:    "Deselect previously selected networks by identifiers or 'all' to disable accepting any networks.",
-	Example: "  netbird networks deselect all\n  netbird networks deselect route1 route2",
-	Args:    cobra.MinimumNArgs(1),
-	RunE:    networksDeselect,
-}
-
-func init() {
-	routesSelectCmd.PersistentFlags().BoolVarP(&appendFlag, "append", "a", false, "Append to current network selection instead of replacing")
-}
-
-func networksList(cmd *cobra.Command, _ []string) error {
-	conn, err := getClient(cmd)
-	if err != nil {
-		return err
-	}
-	defer conn.Close()
-
-	client := proto.NewDaemonServiceClient(conn)
-	resp, err := client.ListNetworks(cmd.Context(), &proto.ListNetworksRequest{})
-	if err != nil {
-		return fmt.Errorf("failed to list network: %v", status.Convert(err).Message())
-	}
-
-	if len(resp.Routes) == 0 {
-		cmd.Println("No networks available.")
-		return nil
-	}
-
-	printNetworks(cmd, resp)
-
-	return nil
-}
-
-func printNetworks(cmd *cobra.Command, resp *proto.ListNetworksResponse) {
-	cmd.Println("Available Networks:")
-	for _, route := range resp.Routes {
-		printNetwork(cmd, route)
-	}
-}
-
-func printNetwork(cmd *cobra.Command, route *proto.Network) {
-	selectedStatus := getSelectedStatus(route)
-	domains := route.GetDomains()
-
-	if len(domains) > 0 {
-		printDomainRoute(cmd, route, domains, selectedStatus)
-	} else {
-		printNetworkRoute(cmd, route, selectedStatus)
-	}
-}
-
-func getSelectedStatus(route *proto.Network) string {
-	if route.GetSelected() {
-		return "Selected"
-	}
-	return "Not Selected"
-}
-
-func printDomainRoute(cmd *cobra.Command, route *proto.Network, domains []string, selectedStatus string) {
-	cmd.Printf("\n  - ID: %s\n    Domains: %s\n    Status: %s\n", route.GetID(), strings.Join(domains, ", "), selectedStatus)
-	resolvedIPs := route.GetResolvedIPs()
-
-	if len(resolvedIPs) > 0 {
-		printResolvedIPs(cmd, domains, resolvedIPs)
-	} else {
-		cmd.Printf("    Resolved IPs: -\n")
-	}
-}
-
-func printNetworkRoute(cmd *cobra.Command, route *proto.Network, selectedStatus string) {
-	cmd.Printf("\n  - ID: %s\n    Network: %s\n    Status: %s\n", route.GetID(), route.GetRange(), selectedStatus)
-}
-
-func printResolvedIPs(cmd *cobra.Command, _ []string, resolvedIPs map[string]*proto.IPList) {
-	cmd.Printf("    Resolved IPs:\n")
-	for resolvedDomain, ipList := range resolvedIPs {
-		cmd.Printf("      [%s]: %s\n", resolvedDomain, strings.Join(ipList.GetIps(), ", "))
-	}
-}
-
-func networksSelect(cmd *cobra.Command, args []string) error {
-	conn, err := getClient(cmd)
-	if err != nil {
-		return err
-	}
-	defer conn.Close()
-
-	client := proto.NewDaemonServiceClient(conn)
-	req := &proto.SelectNetworksRequest{
-		NetworkIDs: args,
-	}
-
-	if len(args) == 1 && args[0] == "all" {
-		req.All = true
-	} else if appendFlag {
-		req.Append = true
-	}
-
-	if _, err := client.SelectNetworks(cmd.Context(), req); err != nil {
-		return fmt.Errorf("failed to select networks: %v", status.Convert(err).Message())
-	}
-
-	cmd.Println("Networks selected successfully.")
-
-	return nil
-}
-
-func networksDeselect(cmd *cobra.Command, args []string) error {
-	conn, err := getClient(cmd)
-	if err != nil {
-		return err
-	}
-	defer conn.Close()
-
-	client := proto.NewDaemonServiceClient(conn)
-	req := &proto.SelectNetworksRequest{
-		NetworkIDs: args,
-	}
-
-	if len(args) == 1 && args[0] == "all" {
-		req.All = true
-	}
-
-	if _, err := client.DeselectNetworks(cmd.Context(), req); err != nil {
-		return fmt.Errorf("failed to deselect networks: %v", status.Convert(err).Message())
-	}
-
-	cmd.Println("Networks deselected successfully.")
-
-	return nil
-}
--- a/client/cmd/pprof.go
+++ b/client/cmd/pprof.go
@@ -1,33 +0,0 @@
-//go:build pprof
-// +build pprof
-
-package cmd
-
-import (
-	"net/http"
-	_ "net/http/pprof"
-	"os"
-
-	log "github.com/sirupsen/logrus"
-)
-
-func init() {
-	addr := pprofAddr()
-	go pprof(addr)
-}
-
-func pprofAddr() string {
-	listenAddr := os.Getenv("NB_PPROF_ADDR")
-	if listenAddr == "" {
-		return "localhost:6969"
-	}
-
-	return listenAddr
-}
-
-func pprof(listenAddr string) {
-	log.Infof("listening pprof on: %s\n", listenAddr)
-	if err := http.ListenAndServe(listenAddr, nil); err != nil {
-		log.Fatalf("Failed to start pprof: %v", err)
-	}
-}
--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -37,7 +37,6 @@ const (
 	serverSSHAllowedFlag    = "allow-server-ssh"
 	extraIFaceBlackListFlag = "extra-iface-blacklist"
 	dnsRouteIntervalFlag    = "dns-router-interval"
-	systemInfoFlag          = "system-info"
 )

 var (
@@ -56,7 +55,6 @@ var (
 	managementURL           string
 	adminURL                string
 	setupKey                string
-	setupKeyPath            string
 	hostName                string
 	preSharedKey            string
 	natExternalIPs          []string
@@ -71,7 +69,6 @@ var (
 	autoConnectDisabled     bool
 	extraIFaceBlackList     []string
 	anonymizeFlag           bool
-	debugSystemInfoFlag     bool
 	dnsRouteInterval        time.Duration

 	rootCmd = &cobra.Command{
@@ -94,15 +91,12 @@ func init() {
 	oldDefaultConfigPathDir = "/etc/wiretrustee/"
 	oldDefaultLogFileDir = "/var/log/wiretrustee/"

-	switch runtime.GOOS {
-	case "windows":
+	if runtime.GOOS == "windows" {
 		defaultConfigPathDir = os.Getenv("PROGRAMDATA") + "\\Netbird\\"
 		defaultLogFileDir = os.Getenv("PROGRAMDATA") + "\\Netbird\\"

 		oldDefaultConfigPathDir = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\"
 		oldDefaultLogFileDir = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\"
-	case "freebsd":
-		defaultConfigPathDir = "/var/db/netbird/"
 	}

 	defaultConfigPath = defaultConfigPathDir + "config.json"
@@ -127,10 +121,8 @@ func init() {
 	rootCmd.PersistentFlags().StringVarP(&serviceName, "service", "s", defaultServiceName, "Netbird system service name")
 	rootCmd.PersistentFlags().StringVarP(&configPath, "config", "c", defaultConfigPath, "Netbird config file location")
 	rootCmd.PersistentFlags().StringVarP(&logLevel, "log-level", "l", "info", "sets Netbird log level")
-	rootCmd.PersistentFlags().StringVar(&logFile, "log-file", defaultLogFile, "sets Netbird log path. If console is specified the log will be output to stdout. If syslog is specified the log will be sent to syslog daemon.")
+	rootCmd.PersistentFlags().StringVar(&logFile, "log-file", defaultLogFile, "sets Netbird log path. If console is specified the log will be output to stdout")
 	rootCmd.PersistentFlags().StringVarP(&setupKey, "setup-key", "k", "", "Setup key obtained from the Management Service Dashboard (used to register peer)")
-	rootCmd.PersistentFlags().StringVar(&setupKeyPath, "setup-key-file", "", "The path to a setup key obtained from the Management Service Dashboard (used to register peer) This is ignored if the setup-key flag is provided.")
-	rootCmd.MarkFlagsMutuallyExclusive("setup-key", "setup-key-file")
 	rootCmd.PersistentFlags().StringVar(&preSharedKey, preSharedKeyFlag, "", "Sets Wireguard PreSharedKey property. If set, then only peers that have the same key can communicate.")
 	rootCmd.PersistentFlags().StringVarP(&hostName, "hostname", "n", "", "Sets a custom hostname for the device")
 	rootCmd.PersistentFlags().BoolVarP(&anonymizeFlag, "anonymize", "A", false, "anonymize IP addresses and non-netbird.io domains in logs and status output")
@@ -142,20 +134,19 @@ func init() {
 	rootCmd.AddCommand(loginCmd)
 	rootCmd.AddCommand(versionCmd)
 	rootCmd.AddCommand(sshCmd)
-	rootCmd.AddCommand(networksCMD)
+	rootCmd.AddCommand(routesCmd)
 	rootCmd.AddCommand(debugCmd)

 	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd) // service control commands are subcommands of service
 	serviceCmd.AddCommand(installCmd, uninstallCmd)              // service installer commands are subcommands of service

-	networksCMD.AddCommand(routesListCmd)
-	networksCMD.AddCommand(routesSelectCmd, routesDeselectCmd)
+	routesCmd.AddCommand(routesListCmd)
+	routesCmd.AddCommand(routesSelectCmd, routesDeselectCmd)

 	debugCmd.AddCommand(debugBundleCmd)
 	debugCmd.AddCommand(logCmd)
 	logCmd.AddCommand(logLevelCmd)
 	debugCmd.AddCommand(forCmd)
-	debugCmd.AddCommand(persistenceCmd)

 	upCmd.PersistentFlags().StringSliceVar(&natExternalIPs, externalIPMapFlag, nil,
 		`Sets external IPs maps between local addresses and interfaces.`+
@@ -174,8 +165,6 @@ func init() {
 	upCmd.PersistentFlags().BoolVar(&rosenpassPermissive, rosenpassPermissiveFlag, false, "[Experimental] Enable Rosenpass in permissive mode to allow this peer to accept WireGuard connections without requiring Rosenpass functionality from peers that do not have Rosenpass enabled.")
 	upCmd.PersistentFlags().BoolVar(&serverSSHAllowed, serverSSHAllowedFlag, false, "Allow SSH server on peer. If enabled, the SSH server will be permitted")
 	upCmd.PersistentFlags().BoolVar(&autoConnectDisabled, disableAutoConnectFlag, false, "Disables auto-connect feature. If enabled, then the client won't connect automatically when the service starts.")
-
-	debugCmd.PersistentFlags().BoolVarP(&debugSystemInfoFlag, systemInfoFlag, "S", false, "Adds system information to the debug bundle")
 }

 // SetupCloseHandler handles SIGTERM signal and exits with success
@@ -257,21 +246,6 @@ var CLIBackOffSettings = &backoff.ExponentialBackOff{
 	Clock:               backoff.SystemClock,
 }

-func getSetupKey() (string, error) {
-	if setupKeyPath != "" && setupKey == "" {
-		return getSetupKeyFromFile(setupKeyPath)
-	}
-	return setupKey, nil
-}
-
-func getSetupKeyFromFile(setupKeyPath string) (string, error) {
-	data, err := os.ReadFile(setupKeyPath)
-	if err != nil {
-		return "", fmt.Errorf("failed to read setup key file: %v", err)
-	}
-	return strings.TrimSpace(string(data)), nil
-}
-
 func handleRebrand(cmd *cobra.Command) error {
 	var err error
 	if logFile == defaultLogFile {
--- a/client/cmd/root_test.go
+++ b/client/cmd/root_test.go
@@ -4,10 +4,6 @@ import (
 	"fmt"
 	"io"
 	"testing"
-
-	"github.com/spf13/cobra"
-
-	"github.com/netbirdio/netbird/client/iface"
 )

 func TestInitCommands(t *testing.T) {
@@ -38,44 +34,3 @@ func TestInitCommands(t *testing.T) {
 		})
 	}
 }
-
-func TestSetFlagsFromEnvVars(t *testing.T) {
-	var cmd = &cobra.Command{
-		Use:          "netbird",
-		Long:         "test",
-		SilenceUsage: true,
-		Run: func(cmd *cobra.Command, args []string) {
-			SetFlagsFromEnvVars(cmd)
-		},
-	}
-
-	cmd.PersistentFlags().StringSliceVar(&natExternalIPs, externalIPMapFlag, nil,
-		`comma separated list of external IPs to map to the Wireguard interface`)
-	cmd.PersistentFlags().StringVar(&interfaceName, interfaceNameFlag, iface.WgInterfaceDefault, "Wireguard interface name")
-	cmd.PersistentFlags().BoolVar(&rosenpassEnabled, enableRosenpassFlag, false, "Enable Rosenpass feature Rosenpass.")
-	cmd.PersistentFlags().Uint16Var(&wireguardPort, wireguardPortFlag, iface.DefaultWgPort, "Wireguard interface listening port")
-
-	t.Setenv("NB_EXTERNAL_IP_MAP", "abc,dec")
-	t.Setenv("NB_INTERFACE_NAME", "test-name")
-	t.Setenv("NB_ENABLE_ROSENPASS", "true")
-	t.Setenv("NB_WIREGUARD_PORT", "10000")
-	err := cmd.Execute()
-	if err != nil {
-		t.Fatalf("expected no error while running netbird command, got %v", err)
-	}
-	if len(natExternalIPs) != 2 {
-		t.Errorf("expected 2 external ips, got %d", len(natExternalIPs))
-	}
-	if natExternalIPs[0] != "abc" || natExternalIPs[1] != "dec" {
-		t.Errorf("expected abc,dec, got %s,%s", natExternalIPs[0], natExternalIPs[1])
-	}
-	if interfaceName != "test-name" {
-		t.Errorf("expected test-name, got %s", interfaceName)
-	}
-	if !rosenpassEnabled {
-		t.Errorf("expected rosenpassEnabled to be true, got false")
-	}
-	if wireguardPort != 10000 {
-		t.Errorf("expected wireguardPort to be 10000, got %d", wireguardPort)
-	}
-}
--- a/client/cmd/route.go
+++ b/client/cmd/route.go
@@ -0,0 +1,174 @@
+package cmd
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc/status"
+
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+var appendFlag bool
+
+var routesCmd = &cobra.Command{
+	Use:   "routes",
+	Short: "Manage network routes",
+	Long:  `Commands to list, select, or deselect network routes.`,
+}
+
+var routesListCmd = &cobra.Command{
+	Use:     "list",
+	Aliases: []string{"ls"},
+	Short:   "List routes",
+	Example: "  netbird routes list",
+	Long:    "List all available network routes.",
+	RunE:    routesList,
+}
+
+var routesSelectCmd = &cobra.Command{
+	Use:     "select route...|all",
+	Short:   "Select routes",
+	Long:    "Select a list of routes by identifiers or 'all' to clear all selections and to accept all (including new) routes.\nDefault mode is replace, use -a to append to already selected routes.",
+	Example: "  netbird routes select all\n  netbird routes select route1 route2\n  netbird routes select -a route3",
+	Args:    cobra.MinimumNArgs(1),
+	RunE:    routesSelect,
+}
+
+var routesDeselectCmd = &cobra.Command{
+	Use:     "deselect route...|all",
+	Short:   "Deselect routes",
+	Long:    "Deselect previously selected routes by identifiers or 'all' to disable accepting any routes.",
+	Example: "  netbird routes deselect all\n  netbird routes deselect route1 route2",
+	Args:    cobra.MinimumNArgs(1),
+	RunE:    routesDeselect,
+}
+
+func init() {
+	routesSelectCmd.PersistentFlags().BoolVarP(&appendFlag, "append", "a", false, "Append to current route selection instead of replacing")
+}
+
+func routesList(cmd *cobra.Command, _ []string) error {
+	conn, err := getClient(cmd)
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	client := proto.NewDaemonServiceClient(conn)
+	resp, err := client.ListRoutes(cmd.Context(), &proto.ListRoutesRequest{})
+	if err != nil {
+		return fmt.Errorf("failed to list routes: %v", status.Convert(err).Message())
+	}
+
+	if len(resp.Routes) == 0 {
+		cmd.Println("No routes available.")
+		return nil
+	}
+
+	printRoutes(cmd, resp)
+
+	return nil
+}
+
+func printRoutes(cmd *cobra.Command, resp *proto.ListRoutesResponse) {
+	cmd.Println("Available Routes:")
+	for _, route := range resp.Routes {
+		printRoute(cmd, route)
+	}
+}
+
+func printRoute(cmd *cobra.Command, route *proto.Route) {
+	selectedStatus := getSelectedStatus(route)
+	domains := route.GetDomains()
+
+	if len(domains) > 0 {
+		printDomainRoute(cmd, route, domains, selectedStatus)
+	} else {
+		printNetworkRoute(cmd, route, selectedStatus)
+	}
+}
+
+func getSelectedStatus(route *proto.Route) string {
+	if route.GetSelected() {
+		return "Selected"
+	}
+	return "Not Selected"
+}
+
+func printDomainRoute(cmd *cobra.Command, route *proto.Route, domains []string, selectedStatus string) {
+	cmd.Printf("\n  - ID: %s\n    Domains: %s\n    Status: %s\n", route.GetID(), strings.Join(domains, ", "), selectedStatus)
+	resolvedIPs := route.GetResolvedIPs()
+
+	if len(resolvedIPs) > 0 {
+		printResolvedIPs(cmd, domains, resolvedIPs)
+	} else {
+		cmd.Printf("    Resolved IPs: -\n")
+	}
+}
+
+func printNetworkRoute(cmd *cobra.Command, route *proto.Route, selectedStatus string) {
+	cmd.Printf("\n  - ID: %s\n    Network: %s\n    Status: %s\n", route.GetID(), route.GetNetwork(), selectedStatus)
+}
+
+func printResolvedIPs(cmd *cobra.Command, domains []string, resolvedIPs map[string]*proto.IPList) {
+	cmd.Printf("    Resolved IPs:\n")
+	for _, domain := range domains {
+		if ipList, exists := resolvedIPs[domain]; exists {
+			cmd.Printf("      [%s]: %s\n", domain, strings.Join(ipList.GetIps(), ", "))
+		}
+	}
+}
+
+func routesSelect(cmd *cobra.Command, args []string) error {
+	conn, err := getClient(cmd)
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	client := proto.NewDaemonServiceClient(conn)
+	req := &proto.SelectRoutesRequest{
+		RouteIDs: args,
+	}
+
+	if len(args) == 1 && args[0] == "all" {
+		req.All = true
+	} else if appendFlag {
+		req.Append = true
+	}
+
+	if _, err := client.SelectRoutes(cmd.Context(), req); err != nil {
+		return fmt.Errorf("failed to select routes: %v", status.Convert(err).Message())
+	}
+
+	cmd.Println("Routes selected successfully.")
+
+	return nil
+}
+
+func routesDeselect(cmd *cobra.Command, args []string) error {
+	conn, err := getClient(cmd)
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	client := proto.NewDaemonServiceClient(conn)
+	req := &proto.SelectRoutesRequest{
+		RouteIDs: args,
+	}
+
+	if len(args) == 1 && args[0] == "all" {
+		req.All = true
+	}
+
+	if _, err := client.DeselectRoutes(cmd.Context(), req); err != nil {
+		return fmt.Errorf("failed to deselect routes: %v", status.Convert(err).Message())
+	}
+
+	cmd.Println("Routes deselected successfully.")
+
+	return nil
+}
--- a/client/cmd/service.go
+++ b/client/cmd/service.go
@@ -2,23 +2,18 @@ package cmd

 import (
 	"context"
-	"sync"
-
 	"github.com/kardianos/service"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc"

 	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/server"
 )

 type program struct {
-	ctx              context.Context
-	cancel           context.CancelFunc
-	serv             *grpc.Server
-	serverInstance   *server.Server
-	serverInstanceMu sync.Mutex
+	ctx    context.Context
+	cancel context.CancelFunc
+	serv   *grpc.Server
 }

 func newProgram(ctx context.Context, cancel context.CancelFunc) *program {
--- a/client/cmd/service_controller.go
+++ b/client/cmd/service_controller.go
@@ -61,10 +61,6 @@ func (p *program) Start(svc service.Service) error {
 		}
 		proto.RegisterDaemonServiceServer(p.serv, serverInstance)

-		p.serverInstanceMu.Lock()
-		p.serverInstance = serverInstance
-		p.serverInstanceMu.Unlock()
-
 		log.Printf("started daemon server: %v", split[1])
 		if err := p.serv.Serve(listen); err != nil {
 			log.Errorf("failed to serve daemon requests: %v", err)
@@ -74,16 +70,6 @@ func (p *program) Start(svc service.Service) error {
 }

 func (p *program) Stop(srv service.Service) error {
-	p.serverInstanceMu.Lock()
-	if p.serverInstance != nil {
-		in := new(proto.DownRequest)
-		_, err := p.serverInstance.Down(p.ctx, in)
-		if err != nil {
-			log.Errorf("failed to stop daemon: %v", err)
-		}
-	}
-	p.serverInstanceMu.Unlock()
-
 	p.cancel()

 	if p.serv != nil {
--- a/client/cmd/service_installer.go
+++ b/client/cmd/service_installer.go
@@ -31,8 +31,6 @@ var installCmd = &cobra.Command{
 			configPath,
 			"--log-level",
 			logLevel,
-			"--daemon-addr",
-			daemonAddr,
 		}

 		if managementURL != "" {
--- a/client/cmd/state.go
+++ b/client/cmd/state.go
@@ -1,181 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	"google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/client/proto"
-)
-
-var (
-	allFlag bool
-)
-
-var stateCmd = &cobra.Command{
-	Use:   "state",
-	Short: "Manage daemon state",
-	Long:  "Provides commands for managing and inspecting the Netbird daemon state.",
-}
-
-var stateListCmd = &cobra.Command{
-	Use:     "list",
-	Aliases: []string{"ls"},
-	Short:   "List all stored states",
-	Long:    "Lists all registered states with their status and basic information.",
-	Example: "  netbird state list",
-	RunE:    stateList,
-}
-
-var stateCleanCmd = &cobra.Command{
-	Use:   "clean [state-name]",
-	Short: "Clean stored states",
-	Long: `Clean specific state or all states. The daemon must not be running.
-This will perform cleanup operations and remove the state.`,
-	Example: `  netbird state clean dns_state
-  netbird state clean --all`,
-	RunE: stateClean,
-	PreRunE: func(cmd *cobra.Command, args []string) error {
-		// Check mutual exclusivity between --all flag and state-name argument
-		if allFlag && len(args) > 0 {
-			return fmt.Errorf("cannot specify both --all flag and state name")
-		}
-		if !allFlag && len(args) != 1 {
-			return fmt.Errorf("requires a state name argument or --all flag")
-		}
-		return nil
-	},
-}
-
-var stateDeleteCmd = &cobra.Command{
-	Use:   "delete [state-name]",
-	Short: "Delete stored states",
-	Long: `Delete specific state or all states from storage. The daemon must not be running.
-This will remove the state without performing any cleanup operations.`,
-	Example: `  netbird state delete dns_state
-  netbird state delete --all`,
-	RunE: stateDelete,
-	PreRunE: func(cmd *cobra.Command, args []string) error {
-		// Check mutual exclusivity between --all flag and state-name argument
-		if allFlag && len(args) > 0 {
-			return fmt.Errorf("cannot specify both --all flag and state name")
-		}
-		if !allFlag && len(args) != 1 {
-			return fmt.Errorf("requires a state name argument or --all flag")
-		}
-		return nil
-	},
-}
-
-func init() {
-	rootCmd.AddCommand(stateCmd)
-	stateCmd.AddCommand(stateListCmd, stateCleanCmd, stateDeleteCmd)
-
-	stateCleanCmd.Flags().BoolVarP(&allFlag, "all", "a", false, "Clean all states")
-	stateDeleteCmd.Flags().BoolVarP(&allFlag, "all", "a", false, "Delete all states")
-}
-
-func stateList(cmd *cobra.Command, _ []string) error {
-	conn, err := getClient(cmd)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			log.Errorf(errCloseConnection, err)
-		}
-	}()
-
-	client := proto.NewDaemonServiceClient(conn)
-	resp, err := client.ListStates(cmd.Context(), &proto.ListStatesRequest{})
-	if err != nil {
-		return fmt.Errorf("failed to list states: %v", status.Convert(err).Message())
-	}
-
-	cmd.Printf("\nStored states:\n\n")
-	for _, state := range resp.States {
-		cmd.Printf("- %s\n", state.Name)
-	}
-
-	return nil
-}
-
-func stateClean(cmd *cobra.Command, args []string) error {
-	var stateName string
-	if !allFlag {
-		stateName = args[0]
-	}
-
-	conn, err := getClient(cmd)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			log.Errorf(errCloseConnection, err)
-		}
-	}()
-
-	client := proto.NewDaemonServiceClient(conn)
-	resp, err := client.CleanState(cmd.Context(), &proto.CleanStateRequest{
-		StateName: stateName,
-		All:       allFlag,
-	})
-	if err != nil {
-		return fmt.Errorf("failed to clean state: %v", status.Convert(err).Message())
-	}
-
-	if resp.CleanedStates == 0 {
-		cmd.Println("No states were cleaned")
-		return nil
-	}
-
-	if allFlag {
-		cmd.Printf("Successfully cleaned %d states\n", resp.CleanedStates)
-	} else {
-		cmd.Printf("Successfully cleaned state %q\n", stateName)
-	}
-
-	return nil
-}
-
-func stateDelete(cmd *cobra.Command, args []string) error {
-	var stateName string
-	if !allFlag {
-		stateName = args[0]
-	}
-
-	conn, err := getClient(cmd)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			log.Errorf(errCloseConnection, err)
-		}
-	}()
-
-	client := proto.NewDaemonServiceClient(conn)
-	resp, err := client.DeleteState(cmd.Context(), &proto.DeleteStateRequest{
-		StateName: stateName,
-		All:       allFlag,
-	})
-	if err != nil {
-		return fmt.Errorf("failed to delete state: %v", status.Convert(err).Message())
-	}
-
-	if resp.DeletedStates == 0 {
-		cmd.Println("No states were deleted")
-		return nil
-	}
-
-	if allFlag {
-		cmd.Printf("Successfully deleted %d states\n", resp.DeletedStates)
-	} else {
-		cmd.Printf("Successfully deleted state %q\n", stateName)
-	}
-
-	return nil
-}
--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -31,16 +31,15 @@ type peerStateDetailOutput struct {
 	Status                 string           `json:"status" yaml:"status"`
 	LastStatusUpdate       time.Time        `json:"lastStatusUpdate" yaml:"lastStatusUpdate"`
 	ConnType               string           `json:"connectionType" yaml:"connectionType"`
+	Direct                 bool             `json:"direct" yaml:"direct"`
 	IceCandidateType       iceCandidateType `json:"iceCandidateType" yaml:"iceCandidateType"`
 	IceCandidateEndpoint   iceCandidateType `json:"iceCandidateEndpoint" yaml:"iceCandidateEndpoint"`
-	RelayAddress           string           `json:"relayAddress" yaml:"relayAddress"`
 	LastWireguardHandshake time.Time        `json:"lastWireguardHandshake" yaml:"lastWireguardHandshake"`
 	TransferReceived       int64            `json:"transferReceived" yaml:"transferReceived"`
 	TransferSent           int64            `json:"transferSent" yaml:"transferSent"`
 	Latency                time.Duration    `json:"latency" yaml:"latency"`
 	RosenpassEnabled       bool             `json:"quantumResistance" yaml:"quantumResistance"`
 	Routes                 []string         `json:"routes" yaml:"routes"`
-	Networks               []string         `json:"networks" yaml:"networks"`
 }

 type peersStateOutput struct {
@@ -99,7 +98,6 @@ type statusOutputOverview struct {
 	RosenpassEnabled    bool                       `json:"quantumResistance" yaml:"quantumResistance"`
 	RosenpassPermissive bool                       `json:"quantumResistancePermissive" yaml:"quantumResistancePermissive"`
 	Routes              []string                   `json:"routes" yaml:"routes"`
-	Networks            []string                   `json:"networks" yaml:"networks"`
 	NSServerGroups      []nsServerGroupStateOutput `json:"dnsServers" yaml:"dnsServers"`
 }

@@ -284,8 +282,7 @@ func convertToStatusOutputOverview(resp *proto.StatusResponse) statusOutputOverv
 		FQDN:                pbFullStatus.GetLocalPeerState().GetFqdn(),
 		RosenpassEnabled:    pbFullStatus.GetLocalPeerState().GetRosenpassEnabled(),
 		RosenpassPermissive: pbFullStatus.GetLocalPeerState().GetRosenpassPermissive(),
-		Routes:              pbFullStatus.GetLocalPeerState().GetNetworks(),
-		Networks:            pbFullStatus.GetLocalPeerState().GetNetworks(),
+		Routes:              pbFullStatus.GetLocalPeerState().GetRoutes(),
 		NSServerGroups:      mapNSGroups(pbFullStatus.GetDnsServers()),
 	}

@@ -338,18 +335,16 @@ func mapNSGroups(servers []*proto.NSGroupState) []nsServerGroupStateOutput {

 func mapPeers(peers []*proto.PeerState) peersStateOutput {
 	var peersStateDetail []peerStateDetailOutput
+	localICE := ""
+	remoteICE := ""
+	localICEEndpoint := ""
+	remoteICEEndpoint := ""
+	connType := ""
 	peersConnected := 0
+	lastHandshake := time.Time{}
+	transferReceived := int64(0)
+	transferSent := int64(0)
 	for _, pbPeerState := range peers {
-		localICE := ""
-		remoteICE := ""
-		localICEEndpoint := ""
-		remoteICEEndpoint := ""
-		relayServerAddress := ""
-		connType := ""
-		lastHandshake := time.Time{}
-		transferReceived := int64(0)
-		transferSent := int64(0)
-
 		isPeerConnected := pbPeerState.ConnStatus == peer.StatusConnected.String()
 		if skipDetailByFilters(pbPeerState, isPeerConnected) {
 			continue
@@ -365,7 +360,6 @@ func mapPeers(peers []*proto.PeerState) peersStateOutput {
 			if pbPeerState.Relayed {
 				connType = "Relayed"
 			}
-			relayServerAddress = pbPeerState.GetRelayAddress()
 			lastHandshake = pbPeerState.GetLastWireguardHandshake().AsTime().Local()
 			transferReceived = pbPeerState.GetBytesRx()
 			transferSent = pbPeerState.GetBytesTx()
@@ -378,6 +372,7 @@ func mapPeers(peers []*proto.PeerState) peersStateOutput {
 			Status:           pbPeerState.GetConnStatus(),
 			LastStatusUpdate: timeLocal,
 			ConnType:         connType,
+			Direct:           pbPeerState.GetDirect(),
 			IceCandidateType: iceCandidateType{
 				Local:  localICE,
 				Remote: remoteICE,
@@ -386,15 +381,13 @@ func mapPeers(peers []*proto.PeerState) peersStateOutput {
 				Local:  localICEEndpoint,
 				Remote: remoteICEEndpoint,
 			},
-			RelayAddress:           relayServerAddress,
 			FQDN:                   pbPeerState.GetFqdn(),
 			LastWireguardHandshake: lastHandshake,
 			TransferReceived:       transferReceived,
 			TransferSent:           transferSent,
 			Latency:                pbPeerState.GetLatency().AsDuration(),
 			RosenpassEnabled:       pbPeerState.GetRosenpassEnabled(),
-			Routes:                 pbPeerState.GetNetworks(),
-			Networks:               pbPeerState.GetNetworks(),
+			Routes:                 pbPeerState.GetRoutes(),
 		}

 		peersStateDetail = append(peersStateDetail, peerState)
@@ -495,10 +488,10 @@ func parseGeneralSummary(overview statusOutputOverview, showURL bool, showRelays
 		relaysString = fmt.Sprintf("%d/%d Available", overview.Relays.Available, overview.Relays.Total)
 	}

-	networks := "-"
-	if len(overview.Networks) > 0 {
-		sort.Strings(overview.Networks)
-		networks = strings.Join(overview.Networks, ", ")
+	routes := "-"
+	if len(overview.Routes) > 0 {
+		sort.Strings(overview.Routes)
+		routes = strings.Join(overview.Routes, ", ")
 	}

 	var dnsServersString string
@@ -560,7 +553,6 @@ func parseGeneralSummary(overview statusOutputOverview, showURL bool, showRelays
 			"Interface type: %s\n"+
 			"Quantum resistance: %s\n"+
 			"Routes: %s\n"+
-			"Networks: %s\n"+
 			"Peers count: %s\n",
 		fmt.Sprintf("%s/%s%s", goos, goarch, goarm),
 		overview.DaemonVersion,
@@ -573,8 +565,7 @@ func parseGeneralSummary(overview statusOutputOverview, showURL bool, showRelays
 		interfaceIP,
 		interfaceTypeString,
 		rosenpassEnabledStatus,
-		networks,
-		networks,
+		routes,
 		peersCountString,
 	)
 	return summary
@@ -637,10 +628,10 @@ func parsePeers(peers peersStateOutput, rosenpassEnabled, rosenpassPermissive bo
 			}
 		}

-		networks := "-"
-		if len(peerState.Networks) > 0 {
-			sort.Strings(peerState.Networks)
-			networks = strings.Join(peerState.Networks, ", ")
+		routes := "-"
+		if len(peerState.Routes) > 0 {
+			sort.Strings(peerState.Routes)
+			routes = strings.Join(peerState.Routes, ", ")
 		}

 		peerString := fmt.Sprintf(
@@ -650,33 +641,31 @@ func parsePeers(peers peersStateOutput, rosenpassEnabled, rosenpassPermissive bo
 				"  Status: %s\n"+
 				"  -- detail --\n"+
 				"  Connection type: %s\n"+
+				"  Direct: %t\n"+
 				"  ICE candidate (Local/Remote): %s/%s\n"+
 				"  ICE candidate endpoints (Local/Remote): %s/%s\n"+
-				"  Relay server address: %s\n"+
 				"  Last connection update: %s\n"+
 				"  Last WireGuard handshake: %s\n"+
 				"  Transfer status (received/sent) %s/%s\n"+
 				"  Quantum resistance: %s\n"+
 				"  Routes: %s\n"+
-				"  Networks: %s\n"+
 				"  Latency: %s\n",
 			peerState.FQDN,
 			peerState.IP,
 			peerState.PubKey,
 			peerState.Status,
 			peerState.ConnType,
+			peerState.Direct,
 			localICE,
 			remoteICE,
 			localICEEndpoint,
 			remoteICEEndpoint,
-			peerState.RelayAddress,
 			timeAgo(peerState.LastStatusUpdate),
 			timeAgo(peerState.LastWireguardHandshake),
 			toIEC(peerState.TransferReceived),
 			toIEC(peerState.TransferSent),
 			rosenpassEnabledStatus,
-			networks,
-			networks,
+			routes,
 			peerState.Latency.String(),
 		)

@@ -688,7 +677,7 @@ func parsePeers(peers peersStateOutput, rosenpassEnabled, rosenpassPermissive bo
 func skipDetailByFilters(peerState *proto.PeerState, isConnected bool) bool {
 	statusEval := false
 	ipEval := false
-	nameEval := true
+	nameEval := false

 	if statusFilter != "" {
 		lowerStatusFilter := strings.ToLower(statusFilter)
@@ -708,13 +697,11 @@ func skipDetailByFilters(peerState *proto.PeerState, isConnected bool) bool {

 	if len(prefixNamesFilter) > 0 {
 		for prefixNameFilter := range prefixNamesFilterMap {
-			if strings.HasPrefix(peerState.Fqdn, prefixNameFilter) {
-				nameEval = false
+			if !strings.HasPrefix(peerState.Fqdn, prefixNameFilter) {
+				nameEval = true
 				break
 			}
 		}
-	} else {
-		nameEval = false
 	}

 	return statusEval || ipEval || nameEval
@@ -815,23 +802,12 @@ func anonymizePeerDetail(a *anonymize.Anonymizer, peer *peerStateDetailOutput) {
 	if remoteIP, port, err := net.SplitHostPort(peer.IceCandidateEndpoint.Remote); err == nil {
 		peer.IceCandidateEndpoint.Remote = fmt.Sprintf("%s:%s", a.AnonymizeIPString(remoteIP), port)
 	}
-
-	peer.RelayAddress = a.AnonymizeURI(peer.RelayAddress)
-
-	for i, route := range peer.Networks {
-		peer.Networks[i] = a.AnonymizeIPString(route)
-	}
-
-	for i, route := range peer.Networks {
-		peer.Networks[i] = a.AnonymizeRoute(route)
-	}
-
 	for i, route := range peer.Routes {
 		peer.Routes[i] = a.AnonymizeIPString(route)
 	}

 	for i, route := range peer.Routes {
-		peer.Routes[i] = a.AnonymizeRoute(route)
+		peer.Routes[i] = anonymizeRoute(a, route)
 	}
 }

@@ -866,13 +842,22 @@ func anonymizeOverview(a *anonymize.Anonymizer, overview *statusOutputOverview)
 		}
 	}

-	for i, route := range overview.Networks {
-		overview.Networks[i] = a.AnonymizeRoute(route)
-	}
-
 	for i, route := range overview.Routes {
-		overview.Routes[i] = a.AnonymizeRoute(route)
+		overview.Routes[i] = anonymizeRoute(a, route)
 	}

 	overview.FQDN = a.AnonymizeDomain(overview.FQDN)
 }
+
+func anonymizeRoute(a *anonymize.Anonymizer, route string) string {
+	prefix, err := netip.ParsePrefix(route)
+	if err == nil {
+		ip := a.AnonymizeIPString(prefix.Addr().String())
+		return fmt.Sprintf("%s/%d", ip, prefix.Bits())
+	}
+	domains := strings.Split(route, ", ")
+	for i, domain := range domains {
+		domains[i] = a.AnonymizeDomain(domain)
+	}
+	return strings.Join(domains, ", ")
+}
--- a/client/cmd/status_test.go
+++ b/client/cmd/status_test.go
@@ -37,6 +37,7 @@ var resp = &proto.StatusResponse{
 				ConnStatus:                 "Connected",
 				ConnStatusUpdate:           timestamppb.New(time.Date(2001, time.Month(1), 1, 1, 1, 1, 0, time.UTC)),
 				Relayed:                    false,
+				Direct:                     true,
 				LocalIceCandidateType:      "",
 				RemoteIceCandidateType:     "",
 				LocalIceCandidateEndpoint:  "",
@@ -44,7 +45,7 @@ var resp = &proto.StatusResponse{
 				LastWireguardHandshake:     timestamppb.New(time.Date(2001, time.Month(1), 1, 1, 1, 2, 0, time.UTC)),
 				BytesRx:                    200,
 				BytesTx:                    100,
-				Networks: []string{
+				Routes: []string{
 					"10.1.0.0/24",
 				},
 				Latency: durationpb.New(time.Duration(10000000)),
@@ -56,6 +57,7 @@ var resp = &proto.StatusResponse{
 				ConnStatus:                 "Connected",
 				ConnStatusUpdate:           timestamppb.New(time.Date(2002, time.Month(2), 2, 2, 2, 2, 0, time.UTC)),
 				Relayed:                    true,
+				Direct:                     false,
 				LocalIceCandidateType:      "relay",
 				RemoteIceCandidateType:     "prflx",
 				LocalIceCandidateEndpoint:  "10.0.0.1:10001",
@@ -93,7 +95,7 @@ var resp = &proto.StatusResponse{
 			PubKey:          "Some-Pub-Key",
 			KernelInterface: true,
 			Fqdn:            "some-localhost.awesome-domain.com",
-			Networks: []string{
+			Routes: []string{
 				"10.10.0.0/24",
 			},
 		},
@@ -135,6 +137,7 @@ var overview = statusOutputOverview{
 				Status:           "Connected",
 				LastStatusUpdate: time.Date(2001, 1, 1, 1, 1, 1, 0, time.UTC),
 				ConnType:         "P2P",
+				Direct:           true,
 				IceCandidateType: iceCandidateType{
 					Local:  "",
 					Remote: "",
@@ -149,9 +152,6 @@ var overview = statusOutputOverview{
 				Routes: []string{
 					"10.1.0.0/24",
 				},
-				Networks: []string{
-					"10.1.0.0/24",
-				},
 				Latency: time.Duration(10000000),
 			},
 			{
@@ -161,6 +161,7 @@ var overview = statusOutputOverview{
 				Status:           "Connected",
 				LastStatusUpdate: time.Date(2002, 2, 2, 2, 2, 2, 0, time.UTC),
 				ConnType:         "Relayed",
+				Direct:           false,
 				IceCandidateType: iceCandidateType{
 					Local:  "relay",
 					Remote: "prflx",
@@ -233,9 +234,6 @@ var overview = statusOutputOverview{
 	Routes: []string{
 		"10.10.0.0/24",
 	},
-	Networks: []string{
-		"10.10.0.0/24",
-	},
 }

 func TestConversionFromFullStatusToOutputOverview(t *testing.T) {
@@ -285,6 +283,7 @@ func TestParsingToJSON(t *testing.T) {
                "status": "Connected",
                "lastStatusUpdate": "2001-01-01T01:01:01Z",
                "connectionType": "P2P",
+                "direct": true,
                "iceCandidateType": {
                  "local": "",
                  "remote": ""
@@ -293,7 +292,6 @@ func TestParsingToJSON(t *testing.T) {
                  "local": "",
                  "remote": ""
                },
-				"relayAddress": "",
                "lastWireguardHandshake": "2001-01-01T01:01:02Z",
                "transferReceived": 200,
                "transferSent": 100,
@@ -301,9 +299,6 @@ func TestParsingToJSON(t *testing.T) {
                "quantumResistance": false,
                "routes": [
                  "10.1.0.0/24"
-                ],
-                "networks": [
-                  "10.1.0.0/24"
                ]
              },
              {
@@ -313,6 +308,7 @@ func TestParsingToJSON(t *testing.T) {
                "status": "Connected",
                "lastStatusUpdate": "2002-02-02T02:02:02Z",
                "connectionType": "Relayed",
+                "direct": false,
                "iceCandidateType": {
                  "local": "relay",
                  "remote": "prflx"
@@ -321,14 +317,12 @@ func TestParsingToJSON(t *testing.T) {
                  "local": "10.0.0.1:10001",
                  "remote": "10.0.10.1:10002"
                },
-				"relayAddress": "",
                "lastWireguardHandshake": "2002-02-02T02:02:03Z",
                "transferReceived": 2000,
                "transferSent": 1000,
 				"latency": 10000000,
                "quantumResistance": false,
-                "routes": null,
-                "networks": null
+                "routes": null
              }
            ]
          },
@@ -369,9 +363,6 @@ func TestParsingToJSON(t *testing.T) {
          "routes": [
            "10.10.0.0/24"
          ],
-          "networks": [
-            "10.10.0.0/24"
-          ],
          "dnsServers": [
            {
              "servers": [
@@ -417,13 +408,13 @@ func TestParsingToYAML(t *testing.T) {
          status: Connected
          lastStatusUpdate: 2001-01-01T01:01:01Z
          connectionType: P2P
+          direct: true
          iceCandidateType:
            local: ""
            remote: ""
          iceCandidateEndpoint:
            local: ""
            remote: ""
-          relayAddress: ""
          lastWireguardHandshake: 2001-01-01T01:01:02Z
          transferReceived: 200
          transferSent: 100
@@ -431,28 +422,25 @@ func TestParsingToYAML(t *testing.T) {
          quantumResistance: false
          routes:
            - 10.1.0.0/24
-          networks:
-            - 10.1.0.0/24
        - fqdn: peer-2.awesome-domain.com
          netbirdIp: 192.168.178.102
          publicKey: Pubkey2
          status: Connected
          lastStatusUpdate: 2002-02-02T02:02:02Z
          connectionType: Relayed
+          direct: false
          iceCandidateType:
            local: relay
            remote: prflx
          iceCandidateEndpoint:
            local: 10.0.0.1:10001
            remote: 10.0.10.1:10002
-          relayAddress: ""
          lastWireguardHandshake: 2002-02-02T02:02:03Z
          transferReceived: 2000
          transferSent: 1000
          latency: 10ms
          quantumResistance: false
          routes: []
-          networks: []
 cliVersion: development
 daemonVersion: 0.14.1
 management:
@@ -481,8 +469,6 @@ quantumResistance: false
 quantumResistancePermissive: false
 routes:
    - 10.10.0.0/24
-networks:
-    - 10.10.0.0/24
 dnsServers:
    - servers:
        - 8.8.8.8:53
@@ -519,15 +505,14 @@ func TestParsingToDetail(t *testing.T) {
  Status: Connected
  -- detail --
  Connection type: P2P
+  Direct: true
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
-  Relay server address: 
  Last connection update: %s
  Last WireGuard handshake: %s
  Transfer status (received/sent) 200 B/100 B
  Quantum resistance: false
  Routes: 10.1.0.0/24
-  Networks: 10.1.0.0/24
  Latency: 10ms

 peer-2.awesome-domain.com:
@@ -536,15 +521,14 @@ func TestParsingToDetail(t *testing.T) {
  Status: Connected
  -- detail --
  Connection type: Relayed
+  Direct: false
  ICE candidate (Local/Remote): relay/prflx
  ICE candidate endpoints (Local/Remote): 10.0.0.1:10001/10.0.10.1:10002
-  Relay server address: 
  Last connection update: %s
  Last WireGuard handshake: %s
  Transfer status (received/sent) 2.0 KiB/1000 B
  Quantum resistance: false
  Routes: -
-  Networks: -
  Latency: 10ms

 OS: %s/%s
@@ -563,7 +547,6 @@ NetBird IP: 192.168.178.100/16
 Interface type: Kernel
 Quantum resistance: false
 Routes: 10.10.0.0/24
-Networks: 10.10.0.0/24
 Peers count: 2/2 Connected
 `, lastConnectionUpdate1, lastHandshake1, lastConnectionUpdate2, lastHandshake2, runtime.GOOS, runtime.GOARCH, overview.CliVersion)

@@ -585,7 +568,6 @@ NetBird IP: 192.168.178.100/16
 Interface type: Kernel
 Quantum resistance: false
 Routes: 10.10.0.0/24
-Networks: 10.10.0.0/24
 Peers count: 2/2 Connected
 `

--- a/client/cmd/testutil_test.go
+++ b/client/cmd/testutil_test.go
@@ -3,6 +3,7 @@ package cmd
 import (
 	"context"
 	"net"
+	"path/filepath"
 	"testing"
 	"time"

@@ -10,9 +11,6 @@ import (
 	"go.opentelemetry.io/otel"

 	"github.com/netbirdio/netbird/management/server/activity"
-	"github.com/netbirdio/netbird/management/server/settings"
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/management/server/telemetry"

 	"github.com/netbirdio/netbird/util"

@@ -35,12 +33,18 @@ func startTestingServices(t *testing.T) string {
 	if err != nil {
 		t.Fatal(err)
 	}
+	testDir := t.TempDir()
+	config.Datadir = testDir
+	err = util.CopyFileContents("../testdata/store.json", filepath.Join(testDir, "store.json"))
+	if err != nil {
+		t.Fatal(err)
+	}

 	_, signalLis := startSignal(t)
 	signalAddr := signalLis.Addr().String()
 	config.Signal.URI = signalAddr

-	_, mgmLis := startManagement(t, config, "../testdata/store.sql")
+	_, mgmLis := startManagement(t, config)
 	mgmAddr := mgmLis.Addr().String()
 	return mgmAddr
 }
@@ -52,7 +56,7 @@ func startSignal(t *testing.T) (*grpc.Server, net.Listener) {
 		t.Fatal(err)
 	}
 	s := grpc.NewServer()
-	srv, err := sig.NewServer(context.Background(), otel.Meter(""))
+	srv, err := sig.NewServer(otel.Meter(""))
 	require.NoError(t, err)

 	sigProto.RegisterSignalExchangeServer(s, srv)
@@ -65,15 +69,14 @@ func startSignal(t *testing.T) (*grpc.Server, net.Listener) {
 	return s, lis
 }

-func startManagement(t *testing.T, config *mgmt.Config, testFile string) (*grpc.Server, net.Listener) {
+func startManagement(t *testing.T, config *mgmt.Config) (*grpc.Server, net.Listener) {
 	t.Helper()
-
 	lis, err := net.Listen("tcp", ":0")
 	if err != nil {
 		t.Fatal(err)
 	}
 	s := grpc.NewServer()
-	store, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), testFile, t.TempDir())
+	store, cleanUp, err := mgmt.NewTestStoreFromJson(context.Background(), config.Datadir)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -85,17 +88,12 @@ func startManagement(t *testing.T, config *mgmt.Config, testFile string) (*grpc.
 		return nil, nil
 	}
 	iv, _ := integrations.NewIntegratedValidator(context.Background(), eventStore)
-
-	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
-	require.NoError(t, err)
-
-	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics)
+	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv)
 	if err != nil {
 		t.Fatal(err)
 	}
-
-	secretsManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay)
-	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, settings.NewManager(store), peersUpdateManager, secretsManager, nil, nil)
+	turnManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
+	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, peersUpdateManager, turnManager, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -15,11 +15,11 @@ import (
 	gstatus "google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/durationpb"

-	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/system"
+	"github.com/netbirdio/netbird/iface"
 	"github.com/netbirdio/netbird/util"
 )

@@ -147,11 +147,6 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 		ic.DNSRouteInterval = &dnsRouteInterval
 	}

-	providedSetupKey, err := getSetupKey()
-	if err != nil {
-		return err
-	}
-
 	config, err := internal.UpdateOrCreateConfig(ic)
 	if err != nil {
 		return fmt.Errorf("get config file: %v", err)
@@ -159,7 +154,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {

 	config, _ = internal.UpdateOldManagementURL(ctx, config, configPath)

-	err = foregroundLogin(ctx, cmd, config, providedSetupKey)
+	err = foregroundLogin(ctx, cmd, config, setupKey)
 	if err != nil {
 		return fmt.Errorf("foreground login failed: %v", err)
 	}
@@ -168,10 +163,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 	ctx, cancel = context.WithCancel(ctx)
 	SetupCloseHandler(ctx, cancel)

-	r := peer.NewRecorder(config.ManagementURL.String())
-	r.GetFullStatus()
-
-	connectClient := internal.NewConnectClient(ctx, config, r)
+	connectClient := internal.NewConnectClient(ctx, config, peer.NewRecorder(config.ManagementURL.String()))
 	return connectClient.Run()
 }

@@ -207,13 +199,8 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
 		return nil
 	}

-	providedSetupKey, err := getSetupKey()
-	if err != nil {
-		return err
-	}
-
 	loginRequest := proto.LoginRequest{
-		SetupKey:             providedSetupKey,
+		SetupKey:             setupKey,
 		ManagementUrl:        managementURL,
 		AdminURL:             adminURL,
 		NatExternalIPs:       natExternalIPs,
--- a/client/cmd/up_daemon_test.go
+++ b/client/cmd/up_daemon_test.go
@@ -2,7 +2,6 @@ package cmd

 import (
 	"context"
-	"os"
 	"testing"
 	"time"

@@ -41,36 +40,6 @@ func TestUpDaemon(t *testing.T) {
 		return
 	}

-	// Test the setup-key-file flag.
-	tempFile, err := os.CreateTemp("", "setup-key")
-	if err != nil {
-		t.Errorf("could not create temp file, got error %v", err)
-		return
-	}
-	defer os.Remove(tempFile.Name())
-	if _, err := tempFile.Write([]byte("A2C8E62B-38F5-4553-B31E-DD66C696CEBB")); err != nil {
-		t.Errorf("could not write to temp file, got error %v", err)
-		return
-	}
-	if err := tempFile.Close(); err != nil {
-		t.Errorf("unable to close file, got error %v", err)
-	}
-	rootCmd.SetArgs([]string{
-		"login",
-		"--daemon-addr", "tcp://" + cliAddr,
-		"--setup-key-file", tempFile.Name(),
-		"--log-file", "",
-	})
-	if err := rootCmd.Execute(); err != nil {
-		t.Errorf("expected no error while running up command, got %v", err)
-		return
-	}
-	time.Sleep(time.Second * 3)
-	if status, err := state.Status(); err != nil && status != internal.StatusIdle {
-		t.Errorf("wrong status after login: %s, %v", internal.StatusIdle, err)
-		return
-	}
-
 	rootCmd.SetArgs([]string{
 		"up",
 		"--daemon-addr", "tcp://" + cliAddr,
--- a/client/errors/errors.go
+++ b/client/errors/errors.go
@@ -8,8 +8,8 @@ import (
 )

 func formatError(es []error) string {
-	if len(es) == 1 {
-		return fmt.Sprintf("1 error occurred:\n\t* %s", es[0])
+	if len(es) == 0 {
+		return fmt.Sprintf("0 error occurred:\n\t* %s", es[0])
 	}

 	points := make([]string, len(es))
--- a/client/firewall/create.go
+++ b/client/firewall/create.go
@@ -3,6 +3,7 @@
 package firewall

 import (
+	"context"
 	"fmt"
 	"runtime"

@@ -10,11 +11,10 @@ import (

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter"
-	"github.com/netbirdio/netbird/client/internal/statemanager"
 )

 // NewFirewall creates a firewall manager instance
-func NewFirewall(iface IFaceMapper, _ *statemanager.Manager) (firewall.Manager, error) {
+func NewFirewall(context context.Context, iface IFaceMapper) (firewall.Manager, error) {
 	if !iface.IsUserspaceBind() {
 		return nil, fmt.Errorf("not implemented for this OS: %s", runtime.GOOS)
 	}
--- a/client/firewall/create_linux.go
+++ b/client/firewall/create_linux.go
@@ -3,7 +3,7 @@
 package firewall

 import (
-	"errors"
+	"context"
 	"fmt"
 	"os"

@@ -15,7 +15,6 @@ import (
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	nbnftables "github.com/netbirdio/netbird/client/firewall/nftables"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter"
-	"github.com/netbirdio/netbird/client/internal/statemanager"
 )

 const (
@@ -33,65 +32,54 @@ const SKIP_NFTABLES_ENV = "NB_SKIP_NFTABLES_CHECK"
 // FWType is the type for the firewall type
 type FWType int

-func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager) (firewall.Manager, error) {
+func NewFirewall(context context.Context, iface IFaceMapper) (firewall.Manager, error) {
 	// on the linux system we try to user nftables or iptables
 	// in any case, because we need to allow netbird interface traffic
 	// so we use AllowNetbird traffic from these firewall managers
 	// for the userspace packet filtering firewall
-	fm, err := createNativeFirewall(iface, stateManager)
+	var fm firewall.Manager
+	var errFw error

-	if !iface.IsUserspaceBind() {
-		return fm, err
-	}
-
-	if err != nil {
-		log.Warnf("failed to create native firewall: %v. Proceeding with userspace", err)
-	}
-	return createUserspaceFirewall(iface, fm)
-}
-
-func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager) (firewall.Manager, error) {
-	fm, err := createFW(iface)
-	if err != nil {
-		return nil, fmt.Errorf("create firewall: %s", err)
-	}
-
-	if err = fm.Init(stateManager); err != nil {
-		return nil, fmt.Errorf("init firewall: %s", err)
-	}
-
-	return fm, nil
-}
-
-func createFW(iface IFaceMapper) (firewall.Manager, error) {
 	switch check() {
 	case IPTABLES:
 		log.Info("creating an iptables firewall manager")
-		return nbiptables.Create(iface)
+		fm, errFw = nbiptables.Create(context, iface)
+		if errFw != nil {
+			log.Errorf("failed to create iptables manager: %s", errFw)
+		}
 	case NFTABLES:
 		log.Info("creating an nftables firewall manager")
-		return nbnftables.Create(iface)
+		fm, errFw = nbnftables.Create(context, iface)
+		if errFw != nil {
+			log.Errorf("failed to create nftables manager: %s", errFw)
+		}
 	default:
+		errFw = fmt.Errorf("no firewall manager found")
 		log.Info("no firewall manager found, trying to use userspace packet filtering firewall")
-		return nil, errors.New("no firewall manager found")
-	}
-}
-
-func createUserspaceFirewall(iface IFaceMapper, fm firewall.Manager) (firewall.Manager, error) {
-	var errUsp error
-	if fm != nil {
-		fm, errUsp = uspfilter.CreateWithNativeFirewall(iface, fm)
-	} else {
-		fm, errUsp = uspfilter.Create(iface)
 	}

-	if errUsp != nil {
-		return nil, fmt.Errorf("create userspace firewall: %s", errUsp)
+	if iface.IsUserspaceBind() {
+		var errUsp error
+		if errFw == nil {
+			fm, errUsp = uspfilter.CreateWithNativeFirewall(iface, fm)
+		} else {
+			fm, errUsp = uspfilter.Create(iface)
+		}
+		if errUsp != nil {
+			log.Debugf("failed to create userspace filtering firewall: %s", errUsp)
+			return nil, errUsp
+		}
+
+		if err := fm.AllowNetbird(); err != nil {
+			log.Errorf("failed to allow netbird interface traffic: %v", err)
+		}
+		return fm, nil
 	}

-	if err := fm.AllowNetbird(); err != nil {
-		log.Errorf("failed to allow netbird interface traffic: %v", err)
+	if errFw != nil {
+		return nil, errFw
 	}
+
 	return fm, nil
 }

--- a/client/firewall/iface.go
+++ b/client/firewall/iface.go
@@ -1,13 +1,11 @@
 package firewall

-import (
-	"github.com/netbirdio/netbird/client/iface/device"
-)
+import "github.com/netbirdio/netbird/iface"

 // IFaceMapper defines subset methods of interface required for manager
 type IFaceMapper interface {
 	Name() string
-	Address() device.WGAddress
+	Address() iface.WGAddress
 	IsUserspaceBind() bool
-	SetFilter(device.PacketFilter) error
+	SetFilter(iface.PacketFilter) error
 }
--- a/client/firewall/iptables/acl_linux.go
+++ b/client/firewall/iptables/acl_linux.go
@@ -11,8 +11,6 @@ import (
 	log "github.com/sirupsen/logrus"

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/internal/statemanager"
-	nbnet "github.com/netbirdio/netbird/util/net"
 )

 const (
@@ -21,65 +19,49 @@ const (
 	// rules chains contains the effective ACL rules
 	chainNameInputRules  = "NETBIRD-ACL-INPUT"
 	chainNameOutputRules = "NETBIRD-ACL-OUTPUT"
+
+	postRoutingMark = "0x000007e4"
 )

-type aclEntries map[string][][]string
-
-type entry struct {
-	spec     []string
-	position int
-}
-
 type aclManager struct {
-	iptablesClient     *iptables.IPTables
-	wgIface            iFaceMapper
-	routingFwChainName string
+	iptablesClient      *iptables.IPTables
+	wgIface             iFaceMapper
+	routeingFwChainName string

-	entries         aclEntries
-	optionalEntries map[string][]entry
-	ipsetStore      *ipsetStore
-
-	stateManager *statemanager.Manager
+	entries    map[string][][]string
+	ipsetStore *ipsetStore
 }

-func newAclManager(iptablesClient *iptables.IPTables, wgIface iFaceMapper, routingFwChainName string) (*aclManager, error) {
+func newAclManager(iptablesClient *iptables.IPTables, wgIface iFaceMapper, routeingFwChainName string) (*aclManager, error) {
 	m := &aclManager{
-		iptablesClient:     iptablesClient,
-		wgIface:            wgIface,
-		routingFwChainName: routingFwChainName,
+		iptablesClient:      iptablesClient,
+		wgIface:             wgIface,
+		routeingFwChainName: routeingFwChainName,

-		entries:         make(map[string][][]string),
-		optionalEntries: make(map[string][]entry),
-		ipsetStore:      newIpsetStore(),
+		entries:    make(map[string][][]string),
+		ipsetStore: newIpsetStore(),
 	}

-	if err := ipset.Init(); err != nil {
-		return nil, fmt.Errorf("init ipset: %w", err)
+	err := ipset.Init()
+	if err != nil {
+		return nil, fmt.Errorf("failed to init ipset: %w", err)
 	}

+	m.seedInitialEntries()
+
+	err = m.cleanChains()
+	if err != nil {
+		return nil, err
+	}
+
+	err = m.createDefaultChains()
+	if err != nil {
+		return nil, err
+	}
 	return m, nil
 }

-func (m *aclManager) init(stateManager *statemanager.Manager) error {
-	m.stateManager = stateManager
-
-	m.seedInitialEntries()
-	m.seedInitialOptionalEntries()
-
-	if err := m.cleanChains(); err != nil {
-		return fmt.Errorf("clean chains: %w", err)
-	}
-
-	if err := m.createDefaultChains(); err != nil {
-		return fmt.Errorf("create default chains: %w", err)
-	}
-
-	m.updateState()
-
-	return nil
-}
-
-func (m *aclManager) AddPeerFiltering(
+func (m *aclManager) AddFiltering(
 	ip net.IP,
 	protocol firewall.Protocol,
 	sPort *firewall.Port,
@@ -145,7 +127,7 @@ func (m *aclManager) AddPeerFiltering(
 		return nil, fmt.Errorf("rule already exists")
 	}

-	if err := m.iptablesClient.Append("filter", chain, specs...); err != nil {
+	if err := m.iptablesClient.Insert("filter", chain, 1, specs...); err != nil {
 		return nil, err
 	}

@@ -157,18 +139,28 @@ func (m *aclManager) AddPeerFiltering(
 		chain:     chain,
 	}

-	m.updateState()
+	if !shouldAddToPrerouting(protocol, dPort, direction) {
+		return []firewall.Rule{rule}, nil
+	}

-	return []firewall.Rule{rule}, nil
+	rulePrerouting, err := m.addPreroutingFilter(ipsetName, string(protocol), dPortVal, ip)
+	if err != nil {
+		return []firewall.Rule{rule}, err
+	}
+	return []firewall.Rule{rule, rulePrerouting}, nil
 }

-// DeletePeerRule from the firewall by rule definition
-func (m *aclManager) DeletePeerRule(rule firewall.Rule) error {
+// DeleteRule from the firewall by rule definition
+func (m *aclManager) DeleteRule(rule firewall.Rule) error {
 	r, ok := rule.(*Rule)
 	if !ok {
 		return fmt.Errorf("invalid rule type")
 	}

+	if r.chain == "PREROUTING" {
+		goto DELETERULE
+	}
+
 	if ipsetList, ok := m.ipsetStore.ipset(r.ipsetName); ok {
 		// delete IP from ruleset IPs list and ipset
 		if _, ok := ipsetList.ips[r.ip]; ok {
@@ -193,23 +185,60 @@ func (m *aclManager) DeletePeerRule(rule firewall.Rule) error {
 		}
 	}

-	if err := m.iptablesClient.Delete(tableName, r.chain, r.specs...); err != nil {
-		return fmt.Errorf("failed to delete rule: %s, %v: %w", r.chain, r.specs, err)
+DELETERULE:
+	var table string
+	if r.chain == "PREROUTING" {
+		table = "mangle"
+	} else {
+		table = "filter"
 	}
-
-	m.updateState()
-
-	return nil
+	err := m.iptablesClient.Delete(table, r.chain, r.specs...)
+	if err != nil {
+		log.Debugf("failed to delete rule, %s, %v: %s", r.chain, r.specs, err)
+	}
+	return err
 }

 func (m *aclManager) Reset() error {
-	if err := m.cleanChains(); err != nil {
-		return fmt.Errorf("clean chains: %w", err)
+	return m.cleanChains()
+}
+
+func (m *aclManager) addPreroutingFilter(ipsetName string, protocol string, port string, ip net.IP) (*Rule, error) {
+	var src []string
+	if ipsetName != "" {
+		src = []string{"-m", "set", "--set", ipsetName, "src"}
+	} else {
+		src = []string{"-s", ip.String()}
+	}
+	specs := []string{
+		"-d", m.wgIface.Address().IP.String(),
+		"-p", protocol,
+		"--dport", port,
+		"-j", "MARK", "--set-mark", postRoutingMark,
 	}

-	m.updateState()
+	specs = append(src, specs...)

-	return nil
+	ok, err := m.iptablesClient.Exists("mangle", "PREROUTING", specs...)
+	if err != nil {
+		return nil, fmt.Errorf("failed to check rule: %w", err)
+	}
+	if ok {
+		return nil, fmt.Errorf("rule already exists")
+	}
+
+	if err := m.iptablesClient.Insert("mangle", "PREROUTING", 1, specs...); err != nil {
+		return nil, err
+	}
+
+	rule := &Rule{
+		ruleID:    uuid.New().String(),
+		specs:     specs,
+		ipsetName: ipsetName,
+		ip:        ip.String(),
+		chain:     "PREROUTING",
+	}
+	return rule, nil
 }

 // todo write less destructive cleanup mechanism
@@ -264,7 +293,8 @@ func (m *aclManager) cleanChains() error {

 	ok, err = m.iptablesClient.ChainExists("mangle", "PREROUTING")
 	if err != nil {
-		return fmt.Errorf("list chains: %w", err)
+		log.Debugf("failed to list chains: %s", err)
+		return err
 	}
 	if ok {
 		for _, rule := range m.entries["PREROUTING"] {
@@ -273,6 +303,11 @@ func (m *aclManager) cleanChains() error {
 				log.Errorf("failed to delete rule: %v, %s", rule, err)
 			}
 		}
+		err = m.iptablesClient.ClearChain("mangle", "PREROUTING")
+		if err != nil {
+			log.Debugf("failed to clear %s chain: %s", "PREROUTING", err)
+			return err
+		}
 	}

 	for _, ipsetName := range m.ipsetStore.ipsetNames() {
@@ -303,92 +338,64 @@ func (m *aclManager) createDefaultChains() error {

 	for chainName, rules := range m.entries {
 		for _, rule := range rules {
-			if err := m.iptablesClient.InsertUnique(tableName, chainName, 1, rule...); err != nil {
-				log.Debugf("failed to create input chain jump rule: %s", err)
-				return err
+			if chainName == "FORWARD" {
+				// position 2 because we add it after router's, jump rule
+				if err := m.iptablesClient.InsertUnique(tableName, "FORWARD", 2, rule...); err != nil {
+					log.Debugf("failed to create input chain jump rule: %s", err)
+					return err
+				}
+			} else {
+				if err := m.iptablesClient.AppendUnique(tableName, chainName, rule...); err != nil {
+					log.Debugf("failed to create input chain jump rule: %s", err)
+					return err
+				}
 			}
 		}
 	}

-	for chainName, entries := range m.optionalEntries {
-		for _, entry := range entries {
-			if err := m.iptablesClient.InsertUnique(tableName, chainName, entry.position, entry.spec...); err != nil {
-				log.Errorf("failed to insert optional entry %v: %v", entry.spec, err)
-				continue
-			}
-			m.entries[chainName] = append(m.entries[chainName], entry.spec)
-		}
-	}
-	clear(m.optionalEntries)
-
 	return nil
 }

-// seedInitialEntries adds default rules to the entries map, rules are inserted on pos 1, hence the order is reversed.
-// We want to make sure our traffic is not dropped by existing rules.
-
-// The existing FORWARD rules/policies decide outbound traffic towards our interface.
-// In case the FORWARD policy is set to "drop", we add an established/related rule to allow return traffic for the inbound rule.
-
-// The OUTPUT chain gets an extra rule to allow traffic to any set up routes, the return traffic is handled by the INPUT related/established rule.
 func (m *aclManager) seedInitialEntries() {
-	established := getConntrackEstablished()
+	m.appendToEntries("INPUT",
+		[]string{"-i", m.wgIface.Name(), "!", "-s", m.wgIface.Address().String(), "-d", m.wgIface.Address().String(), "-j", "ACCEPT"})
+
+	m.appendToEntries("INPUT",
+		[]string{"-i", m.wgIface.Name(), "-s", m.wgIface.Address().String(), "!", "-d", m.wgIface.Address().String(), "-j", "ACCEPT"})
+
+	m.appendToEntries("INPUT",
+		[]string{"-i", m.wgIface.Name(), "-s", m.wgIface.Address().String(), "-d", m.wgIface.Address().String(), "-j", chainNameInputRules})

 	m.appendToEntries("INPUT", []string{"-i", m.wgIface.Name(), "-j", "DROP"})
-	m.appendToEntries("INPUT", []string{"-i", m.wgIface.Name(), "-j", chainNameInputRules})
-	m.appendToEntries("INPUT", append([]string{"-i", m.wgIface.Name()}, established...))
+
+	m.appendToEntries("OUTPUT",
+		[]string{"-o", m.wgIface.Name(), "!", "-s", m.wgIface.Address().String(), "-d", m.wgIface.Address().String(), "-j", "ACCEPT"})
+
+	m.appendToEntries("OUTPUT",
+		[]string{"-o", m.wgIface.Name(), "-s", m.wgIface.Address().String(), "!", "-d", m.wgIface.Address().String(), "-j", "ACCEPT"})
+
+	m.appendToEntries("OUTPUT",
+		[]string{"-o", m.wgIface.Name(), "-s", m.wgIface.Address().String(), "-d", m.wgIface.Address().String(), "-j", chainNameOutputRules})
+
+	m.appendToEntries("OUTPUT", []string{"-o", m.wgIface.Name(), "-j", "DROP"})

 	m.appendToEntries("FORWARD", []string{"-i", m.wgIface.Name(), "-j", "DROP"})
-	m.appendToEntries("FORWARD", []string{"-i", m.wgIface.Name(), "-j", m.routingFwChainName})
-	m.appendToEntries("FORWARD", append([]string{"-o", m.wgIface.Name()}, established...))
-}
+	m.appendToEntries("FORWARD", []string{"-i", m.wgIface.Name(), "-j", chainNameInputRules})
+	m.appendToEntries("FORWARD",
+		[]string{"-o", m.wgIface.Name(), "-m", "mark", "--mark", postRoutingMark, "-j", "ACCEPT"})
+	m.appendToEntries("FORWARD",
+		[]string{"-i", m.wgIface.Name(), "-m", "mark", "--mark", postRoutingMark, "-j", "ACCEPT"})
+	m.appendToEntries("FORWARD", []string{"-o", m.wgIface.Name(), "-j", m.routeingFwChainName})
+	m.appendToEntries("FORWARD", []string{"-i", m.wgIface.Name(), "-j", m.routeingFwChainName})

-func (m *aclManager) seedInitialOptionalEntries() {
-	m.optionalEntries["FORWARD"] = []entry{
-		{
-			spec:     []string{"-m", "mark", "--mark", fmt.Sprintf("%#x", nbnet.PreroutingFwmarkRedirected), "-j", chainNameInputRules},
-			position: 2,
-		},
-	}
-
-	m.optionalEntries["PREROUTING"] = []entry{
-		{
-			spec:     []string{"-t", "mangle", "-i", m.wgIface.Name(), "-m", "addrtype", "--dst-type", "LOCAL", "-j", "MARK", "--set-mark", fmt.Sprintf("%#x", nbnet.PreroutingFwmarkRedirected)},
-			position: 1,
-		},
-	}
+	m.appendToEntries("PREROUTING",
+		[]string{"-t", "mangle", "-i", m.wgIface.Name(), "!", "-s", m.wgIface.Address().String(), "-d", m.wgIface.Address().IP.String(), "-m", "mark", "--mark", postRoutingMark})
 }

 func (m *aclManager) appendToEntries(chainName string, spec []string) {
 	m.entries[chainName] = append(m.entries[chainName], spec)
 }

-func (m *aclManager) updateState() {
-	if m.stateManager == nil {
-		return
-	}
-
-	var currentState *ShutdownState
-	if existing := m.stateManager.GetState(currentState); existing != nil {
-		if existingState, ok := existing.(*ShutdownState); ok {
-			currentState = existingState
-		}
-	}
-	if currentState == nil {
-		currentState = &ShutdownState{}
-	}
-
-	currentState.Lock()
-	defer currentState.Unlock()
-
-	currentState.ACLEntries = m.entries
-	currentState.ACLIPsetStore = m.ipsetStore
-
-	if err := m.stateManager.UpdateState(currentState); err != nil {
-		log.Errorf("failed to update state: %v", err)
-	}
-}
-
 // filterRuleSpecs returns the specs of a filtering rule
 func filterRuleSpecs(
 	ip net.IP, protocol string, sPort, dPort string, direction firewall.RuleDirection, action firewall.Action, ipsetName string,
@@ -449,3 +456,18 @@ func transformIPsetName(ipsetName string, sPort, dPort string) string {
 		return ipsetName
 	}
 }
+
+func shouldAddToPrerouting(proto firewall.Protocol, dPort *firewall.Port, direction firewall.RuleDirection) bool {
+	if proto == "all" {
+		return false
+	}
+
+	if direction != firewall.RuleDirectionIN {
+		return false
+	}
+
+	if dPort == nil {
+		return false
+	}
+	return true
+}
--- a/client/firewall/iptables/manager_linux.go
+++ b/client/firewall/iptables/manager_linux.go
@@ -4,17 +4,13 @@ import (
 	"context"
 	"fmt"
 	"net"
-	"net/netip"
 	"sync"

 	"github.com/coreos/go-iptables/iptables"
-	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"

-	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/iface"
-	"github.com/netbirdio/netbird/client/internal/statemanager"
+	"github.com/netbirdio/netbird/iface"
 )

 // Manager of iptables firewall
@@ -25,7 +21,7 @@ type Manager struct {

 	ipv4Client *iptables.IPTables
 	aclMgr     *aclManager
-	router     *router
+	router     *routerManager
 }

 // iFaceMapper defines subset methods of interface required for manager
@@ -36,10 +32,10 @@ type iFaceMapper interface {
 }

 // Create iptables firewall manager
-func Create(wgIface iFaceMapper) (*Manager, error) {
+func Create(context context.Context, wgIface iFaceMapper) (*Manager, error) {
 	iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	if err != nil {
-		return nil, fmt.Errorf("init iptables: %w", err)
+		return nil, fmt.Errorf("iptables is not installed in the system or not supported")
 	}

 	m := &Manager{
@@ -47,55 +43,24 @@ func Create(wgIface iFaceMapper) (*Manager, error) {
 		ipv4Client: iptablesClient,
 	}

-	m.router, err = newRouter(iptablesClient, wgIface)
+	m.router, err = newRouterManager(context, iptablesClient)
 	if err != nil {
-		return nil, fmt.Errorf("create router: %w", err)
+		log.Debugf("failed to initialize route related chains: %s", err)
+		return nil, err
 	}
-
-	m.aclMgr, err = newAclManager(iptablesClient, wgIface, chainRTFWD)
+	m.aclMgr, err = newAclManager(iptablesClient, wgIface, m.router.RouteingFwChainName())
 	if err != nil {
-		return nil, fmt.Errorf("create acl manager: %w", err)
+		log.Debugf("failed to initialize ACL manager: %s", err)
+		return nil, err
 	}

 	return m, nil
 }

-func (m *Manager) Init(stateManager *statemanager.Manager) error {
-	state := &ShutdownState{
-		InterfaceState: &InterfaceState{
-			NameStr:       m.wgIface.Name(),
-			WGAddress:     m.wgIface.Address(),
-			UserspaceBind: m.wgIface.IsUserspaceBind(),
-		},
-	}
-	stateManager.RegisterState(state)
-	if err := stateManager.UpdateState(state); err != nil {
-		log.Errorf("failed to update state: %v", err)
-	}
-
-	if err := m.router.init(stateManager); err != nil {
-		return fmt.Errorf("router init: %w", err)
-	}
-
-	if err := m.aclMgr.init(stateManager); err != nil {
-		// TODO: cleanup router
-		return fmt.Errorf("acl manager init: %w", err)
-	}
-
-	// persist early to ensure cleanup of chains
-	go func() {
-		if err := stateManager.PersistState(context.Background()); err != nil {
-			log.Errorf("failed to persist state: %v", err)
-		}
-	}()
-
-	return nil
-}
-
-// AddPeerFiltering adds a rule to the firewall
+// AddFiltering rule to the firewall
 //
 // Comment will be ignored because some system this feature is not supported
-func (m *Manager) AddPeerFiltering(
+func (m *Manager) AddFiltering(
 	ip net.IP,
 	protocol firewall.Protocol,
 	sPort *firewall.Port,
@@ -108,86 +73,50 @@ func (m *Manager) AddPeerFiltering(
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.aclMgr.AddPeerFiltering(ip, protocol, sPort, dPort, direction, action, ipsetName)
+	return m.aclMgr.AddFiltering(ip, protocol, sPort, dPort, direction, action, ipsetName)
 }

-func (m *Manager) AddRouteFiltering(
-	sources []netip.Prefix,
-	destination netip.Prefix,
-	proto firewall.Protocol,
-	sPort *firewall.Port,
-	dPort *firewall.Port,
-	action firewall.Action,
-) (firewall.Rule, error) {
+// DeleteRule from the firewall by rule definition
+func (m *Manager) DeleteRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if !destination.Addr().Is4() {
-		return nil, fmt.Errorf("unsupported IP version: %s", destination.Addr().String())
-	}
-
-	return m.router.AddRouteFiltering(sources, destination, proto, sPort, dPort, action)
-}
-
-// DeletePeerRule from the firewall by rule definition
-func (m *Manager) DeletePeerRule(rule firewall.Rule) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.aclMgr.DeletePeerRule(rule)
-}
-
-func (m *Manager) DeleteRouteRule(rule firewall.Rule) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.DeleteRouteRule(rule)
+	return m.aclMgr.DeleteRule(rule)
 }

 func (m *Manager) IsServerRouteSupported() bool {
 	return true
 }

-func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
+func (m *Manager) InsertRoutingRules(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.AddNatRule(pair)
+	return m.router.InsertRoutingRules(pair)
 }

-func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error {
+func (m *Manager) RemoveRoutingRules(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.RemoveNatRule(pair)
-}
-
-func (m *Manager) SetLegacyManagement(isLegacy bool) error {
-	return firewall.SetLegacyManagement(m.router, isLegacy)
+	return m.router.RemoveRoutingRules(pair)
 }

 // Reset firewall to the default state
-func (m *Manager) Reset(stateManager *statemanager.Manager) error {
+func (m *Manager) Reset() error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	var merr *multierror.Error
-
-	if err := m.aclMgr.Reset(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("reset acl manager: %w", err))
+	errAcl := m.aclMgr.Reset()
+	if errAcl != nil {
+		log.Errorf("failed to clean up ACL rules from firewall: %s", errAcl)
 	}
-	if err := m.router.Reset(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("reset router: %w", err))
+	errMgr := m.router.Reset()
+	if errMgr != nil {
+		log.Errorf("failed to clean up router rules from firewall: %s", errMgr)
+		return errMgr
 	}
-
-	// attempt to delete state only if all other operations succeeded
-	if merr == nil {
-		if err := stateManager.DeleteState(&ShutdownState{}); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("delete state: %w", err))
-		}
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
+	return errAcl
 }

 // AllowNetbird allows netbird interface traffic
@@ -196,8 +125,8 @@ func (m *Manager) AllowNetbird() error {
 		return nil
 	}

-	_, err := m.AddPeerFiltering(
-		net.IP{0, 0, 0, 0},
+	_, err := m.AddFiltering(
+		net.ParseIP("0.0.0.0"),
 		"all",
 		nil,
 		nil,
@@ -207,14 +136,20 @@ func (m *Manager) AllowNetbird() error {
 		"",
 	)
 	if err != nil {
-		return fmt.Errorf("allow netbird interface traffic: %w", err)
+		return fmt.Errorf("failed to allow netbird interface traffic: %w", err)
 	}
-	return nil
+	_, err = m.AddFiltering(
+		net.ParseIP("0.0.0.0"),
+		"all",
+		nil,
+		nil,
+		firewall.RuleDirectionOUT,
+		firewall.ActionAccept,
+		"",
+		"",
+	)
+	return err
 }

 // Flush doesn't need to be implemented for this manager
 func (m *Manager) Flush() error { return nil }
-
-func getConntrackEstablished() []string {
-	return []string{"-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
-}
--- a/client/firewall/iptables/manager_linux_test.go
+++ b/client/firewall/iptables/manager_linux_test.go
@@ -1,6 +1,7 @@
 package iptables

 import (
+	"context"
 	"fmt"
 	"net"
 	"testing"
@@ -10,24 +11,9 @@ import (
 	"github.com/stretchr/testify/require"

 	fw "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/iface"
+	"github.com/netbirdio/netbird/iface"
 )

-var ifaceMock = &iFaceMock{
-	NameFunc: func() string {
-		return "lo"
-	},
-	AddressFunc: func() iface.WGAddress {
-		return iface.WGAddress{
-			IP: net.ParseIP("10.20.0.1"),
-			Network: &net.IPNet{
-				IP:   net.ParseIP("10.20.0.0"),
-				Mask: net.IPv4Mask(255, 255, 255, 0),
-			},
-		}
-	},
-}
-
 // iFaceMapper defines subset methods of interface required for manager
 type iFaceMock struct {
 	NameFunc    func() string
@@ -54,15 +40,29 @@ func TestIptablesManager(t *testing.T) {
 	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	require.NoError(t, err)

+	mock := &iFaceMock{
+		NameFunc: func() string {
+			return "lo"
+		},
+		AddressFunc: func() iface.WGAddress {
+			return iface.WGAddress{
+				IP: net.ParseIP("10.20.0.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("10.20.0.0"),
+					Mask: net.IPv4Mask(255, 255, 255, 0),
+				},
+			}
+		},
+	}
+
 	// just check on the local interface
-	manager, err := Create(ifaceMock)
+	manager, err := Create(context.Background(), mock)
 	require.NoError(t, err)
-	require.NoError(t, manager.Init(nil))

 	time.Sleep(time.Second)

 	defer func() {
-		err := manager.Reset(nil)
+		err := manager.Reset()
 		require.NoError(t, err, "clear the manager state")

 		time.Sleep(time.Second)
@@ -72,7 +72,7 @@ func TestIptablesManager(t *testing.T) {
 	t.Run("add first rule", func(t *testing.T) {
 		ip := net.ParseIP("10.20.0.2")
 		port := &fw.Port{Values: []int{8080}}
-		rule1, err = manager.AddPeerFiltering(ip, "tcp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "", "accept HTTP traffic")
+		rule1, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "", "accept HTTP traffic")
 		require.NoError(t, err, "failed to add rule")

 		for _, r := range rule1 {
@@ -87,7 +87,7 @@ func TestIptablesManager(t *testing.T) {
 		port := &fw.Port{
 			Values: []int{8043: 8046},
 		}
-		rule2, err = manager.AddPeerFiltering(
+		rule2, err = manager.AddFiltering(
 			ip, "tcp", port, nil, fw.RuleDirectionIN, fw.ActionAccept, "", "accept HTTPS traffic from ports range")
 		require.NoError(t, err, "failed to add rule")

@@ -99,7 +99,7 @@ func TestIptablesManager(t *testing.T) {

 	t.Run("delete first rule", func(t *testing.T) {
 		for _, r := range rule1 {
-			err := manager.DeletePeerRule(r)
+			err := manager.DeleteRule(r)
 			require.NoError(t, err, "failed to delete rule")

 			checkRuleSpecs(t, ipv4Client, chainNameOutputRules, false, r.(*Rule).specs...)
@@ -108,7 +108,7 @@ func TestIptablesManager(t *testing.T) {

 	t.Run("delete second rule", func(t *testing.T) {
 		for _, r := range rule2 {
-			err := manager.DeletePeerRule(r)
+			err := manager.DeleteRule(r)
 			require.NoError(t, err, "failed to delete rule")
 		}

@@ -119,10 +119,10 @@ func TestIptablesManager(t *testing.T) {
 		// add second rule
 		ip := net.ParseIP("10.20.0.3")
 		port := &fw.Port{Values: []int{5353}}
-		_, err = manager.AddPeerFiltering(ip, "udp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "", "accept Fake DNS traffic")
+		_, err = manager.AddFiltering(ip, "udp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "", "accept Fake DNS traffic")
 		require.NoError(t, err, "failed to add rule")

-		err = manager.Reset(nil)
+		err = manager.Reset()
 		require.NoError(t, err, "failed to reset")

 		ok, err := ipv4Client.ChainExists("filter", chainNameInputRules)
@@ -154,14 +154,13 @@ func TestIptablesManagerIPSet(t *testing.T) {
 	}

 	// just check on the local interface
-	manager, err := Create(mock)
+	manager, err := Create(context.Background(), mock)
 	require.NoError(t, err)
-	require.NoError(t, manager.Init(nil))

 	time.Sleep(time.Second)

 	defer func() {
-		err := manager.Reset(nil)
+		err := manager.Reset()
 		require.NoError(t, err, "clear the manager state")

 		time.Sleep(time.Second)
@@ -171,7 +170,7 @@ func TestIptablesManagerIPSet(t *testing.T) {
 	t.Run("add first rule with set", func(t *testing.T) {
 		ip := net.ParseIP("10.20.0.2")
 		port := &fw.Port{Values: []int{8080}}
-		rule1, err = manager.AddPeerFiltering(
+		rule1, err = manager.AddFiltering(
 			ip, "tcp", nil, port, fw.RuleDirectionOUT,
 			fw.ActionAccept, "default", "accept HTTP traffic",
 		)
@@ -190,7 +189,7 @@ func TestIptablesManagerIPSet(t *testing.T) {
 		port := &fw.Port{
 			Values: []int{443},
 		}
-		rule2, err = manager.AddPeerFiltering(
+		rule2, err = manager.AddFiltering(
 			ip, "tcp", port, nil, fw.RuleDirectionIN, fw.ActionAccept,
 			"default", "accept HTTPS traffic from ports range",
 		)
@@ -203,7 +202,7 @@ func TestIptablesManagerIPSet(t *testing.T) {

 	t.Run("delete first rule", func(t *testing.T) {
 		for _, r := range rule1 {
-			err := manager.DeletePeerRule(r)
+			err := manager.DeleteRule(r)
 			require.NoError(t, err, "failed to delete rule")

 			require.NotContains(t, manager.aclMgr.ipsetStore.ipsets, r.(*Rule).ruleID, "rule must be removed form the ruleset index")
@@ -212,7 +211,7 @@ func TestIptablesManagerIPSet(t *testing.T) {

 	t.Run("delete second rule", func(t *testing.T) {
 		for _, r := range rule2 {
-			err := manager.DeletePeerRule(r)
+			err := manager.DeleteRule(r)
 			require.NoError(t, err, "failed to delete rule")

 			require.Empty(t, manager.aclMgr.ipsetStore.ipsets, "rulesets index after removed second rule must be empty")
@@ -220,7 +219,7 @@ func TestIptablesManagerIPSet(t *testing.T) {
 	})

 	t.Run("reset check", func(t *testing.T) {
-		err = manager.Reset(nil)
+		err = manager.Reset()
 		require.NoError(t, err, "failed to reset")
 	})
 }
@@ -252,13 +251,12 @@ func TestIptablesCreatePerformance(t *testing.T) {
 	for _, testMax := range []int{10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000} {
 		t.Run(fmt.Sprintf("Testing %d rules", testMax), func(t *testing.T) {
 			// just check on the local interface
-			manager, err := Create(mock)
+			manager, err := Create(context.Background(), mock)
 			require.NoError(t, err)
-			require.NoError(t, manager.Init(nil))
 			time.Sleep(time.Second)

 			defer func() {
-				err := manager.Reset(nil)
+				err := manager.Reset()
 				require.NoError(t, err, "clear the manager state")

 				time.Sleep(time.Second)
@@ -271,9 +269,9 @@ func TestIptablesCreatePerformance(t *testing.T) {
 			for i := 0; i < testMax; i++ {
 				port := &fw.Port{Values: []int{1000 + i}}
 				if i%2 == 0 {
-					_, err = manager.AddPeerFiltering(ip, "tcp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "", "accept HTTP traffic")
+					_, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "", "accept HTTP traffic")
 				} else {
-					_, err = manager.AddPeerFiltering(ip, "tcp", nil, port, fw.RuleDirectionIN, fw.ActionAccept, "", "accept HTTP traffic")
+					_, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionIN, fw.ActionAccept, "", "accept HTTP traffic")
 				}

 				require.NoError(t, err, "failed to add rule")
--- a/client/firewall/iptables/router_linux.go
+++ b/client/firewall/iptables/router_linux.go
@@ -3,597 +3,370 @@
 package iptables

 import (
+	"context"
 	"fmt"
-	"net/netip"
-	"strconv"
 	"strings"

 	"github.com/coreos/go-iptables/iptables"
-	"github.com/hashicorp/go-multierror"
-	"github.com/nadoo/ipset"
 	log "github.com/sirupsen/logrus"

-	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/internal/acl/id"
-	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
-	"github.com/netbirdio/netbird/client/internal/statemanager"
-	nbnet "github.com/netbirdio/netbird/util/net"
+)
+
+const (
+	Ipv4Forwarding = "netbird-rt-forwarding"
+	ipv4Nat        = "netbird-rt-nat"
 )

 // constants needed to manage and create iptable rules
 const (
 	tableFilter             = "filter"
 	tableNat                = "nat"
-	tableMangle             = "mangle"
+	chainFORWARD            = "FORWARD"
 	chainPOSTROUTING        = "POSTROUTING"
-	chainPREROUTING         = "PREROUTING"
 	chainRTNAT              = "NETBIRD-RT-NAT"
 	chainRTFWD              = "NETBIRD-RT-FWD"
-	chainRTPRE              = "NETBIRD-RT-PRE"
 	routingFinalForwardJump = "ACCEPT"
 	routingFinalNatJump     = "MASQUERADE"
-
-	jumpPre  = "jump-pre"
-	jumpNat  = "jump-nat"
-	matchSet = "--match-set"
 )

-type routeFilteringRuleParams struct {
-	Sources     []netip.Prefix
-	Destination netip.Prefix
-	Proto       firewall.Protocol
-	SPort       *firewall.Port
-	DPort       *firewall.Port
-	Direction   firewall.RuleDirection
-	Action      firewall.Action
-	SetName     string
+type routerManager struct {
+	ctx            context.Context
+	stop           context.CancelFunc
+	iptablesClient *iptables.IPTables
+	rules          map[string][]string
 }

-type routeRules map[string][]string
-
-type ipsetCounter = refcounter.Counter[string, []netip.Prefix, struct{}]
-
-type router struct {
-	iptablesClient   *iptables.IPTables
-	rules            routeRules
-	ipsetCounter     *ipsetCounter
-	wgIface          iFaceMapper
-	legacyManagement bool
-
-	stateManager *statemanager.Manager
-}
-
-func newRouter(iptablesClient *iptables.IPTables, wgIface iFaceMapper) (*router, error) {
-	r := &router{
+func newRouterManager(parentCtx context.Context, iptablesClient *iptables.IPTables) (*routerManager, error) {
+	ctx, cancel := context.WithCancel(parentCtx)
+	m := &routerManager{
+		ctx:            ctx,
+		stop:           cancel,
 		iptablesClient: iptablesClient,
 		rules:          make(map[string][]string),
-		wgIface:        wgIface,
 	}

-	r.ipsetCounter = refcounter.New(
-		func(name string, sources []netip.Prefix) (struct{}, error) {
-			return struct{}{}, r.createIpSet(name, sources)
-		},
-		func(name string, _ struct{}) error {
-			return r.deleteIpSet(name)
-		},
-	)
-
-	if err := ipset.Init(); err != nil {
-		return nil, fmt.Errorf("init ipset: %w", err)
+	err := m.cleanUpDefaultForwardRules()
+	if err != nil {
+		log.Errorf("failed to cleanup routing rules: %s", err)
+		return nil, err
 	}
-
-	return r, nil
+	err = m.createContainers()
+	if err != nil {
+		log.Errorf("failed to create containers for route: %s", err)
+	}
+	return m, err
 }

-func (r *router) init(stateManager *statemanager.Manager) error {
-	r.stateManager = stateManager
-
-	if err := r.cleanUpDefaultForwardRules(); err != nil {
-		log.Errorf("failed to clean up rules from FORWARD chain: %s", err)
+// InsertRoutingRules inserts an iptables rule pair to the forwarding chain and if enabled, to the nat chain
+func (i *routerManager) InsertRoutingRules(pair firewall.RouterPair) error {
+	err := i.insertRoutingRule(firewall.ForwardingFormat, tableFilter, chainRTFWD, routingFinalForwardJump, pair)
+	if err != nil {
+		return err
 	}

-	if err := r.createContainers(); err != nil {
-		return fmt.Errorf("create containers: %w", err)
-	}
-
-	r.updateState()
-
-	return nil
-}
-
-func (r *router) AddRouteFiltering(
-	sources []netip.Prefix,
-	destination netip.Prefix,
-	proto firewall.Protocol,
-	sPort *firewall.Port,
-	dPort *firewall.Port,
-	action firewall.Action,
-) (firewall.Rule, error) {
-	ruleKey := id.GenerateRouteRuleKey(sources, destination, proto, sPort, dPort, action)
-	if _, ok := r.rules[string(ruleKey)]; ok {
-		return ruleKey, nil
-	}
-
-	var setName string
-	if len(sources) > 1 {
-		setName = firewall.GenerateSetName(sources)
-		if _, err := r.ipsetCounter.Increment(setName, sources); err != nil {
-			return nil, fmt.Errorf("create or get ipset: %w", err)
-		}
-	}
-
-	params := routeFilteringRuleParams{
-		Sources:     sources,
-		Destination: destination,
-		Proto:       proto,
-		SPort:       sPort,
-		DPort:       dPort,
-		Action:      action,
-		SetName:     setName,
-	}
-
-	rule := genRouteFilteringRuleSpec(params)
-	if err := r.iptablesClient.Append(tableFilter, chainRTFWD, rule...); err != nil {
-		return nil, fmt.Errorf("add route rule: %v", err)
-	}
-
-	r.rules[string(ruleKey)] = rule
-
-	r.updateState()
-
-	return ruleKey, nil
-}
-
-func (r *router) DeleteRouteRule(rule firewall.Rule) error {
-	ruleKey := rule.GetRuleID()
-
-	if rule, exists := r.rules[ruleKey]; exists {
-		setName := r.findSetNameInRule(rule)
-
-		if err := r.iptablesClient.Delete(tableFilter, chainRTFWD, rule...); err != nil {
-			return fmt.Errorf("delete route rule: %v", err)
-		}
-		delete(r.rules, ruleKey)
-
-		if setName != "" {
-			if _, err := r.ipsetCounter.Decrement(setName); err != nil {
-				return fmt.Errorf("failed to remove ipset: %w", err)
-			}
-		}
-	} else {
-		log.Debugf("route rule %s not found", ruleKey)
-	}
-
-	r.updateState()
-
-	return nil
-}
-
-func (r *router) findSetNameInRule(rule []string) string {
-	for i, arg := range rule {
-		if arg == "-m" && i+3 < len(rule) && rule[i+1] == "set" && rule[i+2] == matchSet {
-			return rule[i+3]
-		}
-	}
-	return ""
-}
-
-func (r *router) createIpSet(setName string, sources []netip.Prefix) error {
-	if err := ipset.Create(setName, ipset.OptTimeout(0)); err != nil {
-		return fmt.Errorf("create set %s: %w", setName, err)
-	}
-
-	for _, prefix := range sources {
-		if err := ipset.AddPrefix(setName, prefix); err != nil {
-			return fmt.Errorf("add element to set %s: %w", setName, err)
-		}
-	}
-
-	return nil
-}
-
-func (r *router) deleteIpSet(setName string) error {
-	if err := ipset.Destroy(setName); err != nil {
-		return fmt.Errorf("destroy set %s: %w", setName, err)
-	}
-	return nil
-}
-
-// AddNatRule inserts an iptables rule pair into the nat chain
-func (r *router) AddNatRule(pair firewall.RouterPair) error {
-	if r.legacyManagement {
-		log.Warnf("This peer is connected to a NetBird Management service with an older version. Allowing all traffic for %s", pair.Destination)
-		if err := r.addLegacyRouteRule(pair); err != nil {
-			return fmt.Errorf("add legacy routing rule: %w", err)
-		}
+	err = i.insertRoutingRule(firewall.InForwardingFormat, tableFilter, chainRTFWD, routingFinalForwardJump, firewall.GetInPair(pair))
+	if err != nil {
+		return err
 	}

 	if !pair.Masquerade {
 		return nil
 	}

-	if err := r.addNatRule(pair); err != nil {
-		return fmt.Errorf("add nat rule: %w", err)
-	}
-
-	if err := r.addNatRule(firewall.GetInversePair(pair)); err != nil {
-		return fmt.Errorf("add inverse nat rule: %w", err)
-	}
-
-	r.updateState()
-
-	return nil
-}
-
-// RemoveNatRule removes an iptables rule pair from forwarding and nat chains
-func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
-	if err := r.removeNatRule(pair); err != nil {
-		return fmt.Errorf("remove nat rule: %w", err)
-	}
-
-	if err := r.removeNatRule(firewall.GetInversePair(pair)); err != nil {
-		return fmt.Errorf("remove inverse nat rule: %w", err)
-	}
-
-	if err := r.removeLegacyRouteRule(pair); err != nil {
-		return fmt.Errorf("remove legacy routing rule: %w", err)
-	}
-
-	r.updateState()
-
-	return nil
-}
-
-// addLegacyRouteRule adds a legacy routing rule for mgmt servers pre route acls
-func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
-	ruleKey := firewall.GenKey(firewall.ForwardingFormat, pair)
-
-	if err := r.removeLegacyRouteRule(pair); err != nil {
+	err = i.addNATRule(firewall.NatFormat, tableNat, chainRTNAT, routingFinalNatJump, pair)
+	if err != nil {
 		return err
 	}

-	rule := []string{"-s", pair.Source.String(), "-d", pair.Destination.String(), "-j", routingFinalForwardJump}
-	if err := r.iptablesClient.Append(tableFilter, chainRTFWD, rule...); err != nil {
-		return fmt.Errorf("add legacy forwarding rule %s -> %s: %v", pair.Source, pair.Destination, err)
-	}
-
-	r.rules[ruleKey] = rule
-
-	return nil
-}
-
-func (r *router) removeLegacyRouteRule(pair firewall.RouterPair) error {
-	ruleKey := firewall.GenKey(firewall.ForwardingFormat, pair)
-
-	if rule, exists := r.rules[ruleKey]; exists {
-		if err := r.iptablesClient.DeleteIfExists(tableFilter, chainRTFWD, rule...); err != nil {
-			return fmt.Errorf("remove legacy forwarding rule %s -> %s: %v", pair.Source, pair.Destination, err)
-		}
-		delete(r.rules, ruleKey)
-	} else {
-		log.Debugf("legacy forwarding rule %s not found", ruleKey)
-	}
-
-	return nil
-}
-
-// GetLegacyManagement returns the current legacy management mode
-func (r *router) GetLegacyManagement() bool {
-	return r.legacyManagement
-}
-
-// SetLegacyManagement sets the route manager to use legacy management mode
-func (r *router) SetLegacyManagement(isLegacy bool) {
-	r.legacyManagement = isLegacy
-}
-
-// RemoveAllLegacyRouteRules removes all legacy routing rules for mgmt servers pre route acls
-func (r *router) RemoveAllLegacyRouteRules() error {
-	var merr *multierror.Error
-	for k, rule := range r.rules {
-		if !strings.HasPrefix(k, firewall.ForwardingFormatPrefix) {
-			continue
-		}
-		if err := r.iptablesClient.DeleteIfExists(tableFilter, chainRTFWD, rule...); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("remove legacy forwarding rule: %v", err))
-		} else {
-			delete(r.rules, k)
-		}
-	}
-
-	r.updateState()
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *router) Reset() error {
-	var merr *multierror.Error
-	if err := r.cleanUpDefaultForwardRules(); err != nil {
-		merr = multierror.Append(merr, err)
-	}
-	r.rules = make(map[string][]string)
-
-	if err := r.ipsetCounter.Flush(); err != nil {
-		merr = multierror.Append(merr, err)
-	}
-
-	r.updateState()
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *router) cleanUpDefaultForwardRules() error {
-	if err := r.cleanJumpRules(); err != nil {
-		return fmt.Errorf("clean jump rules: %w", err)
-	}
-
-	log.Debug("flushing routing related tables")
-	for _, chainInfo := range []struct {
-		chain string
-		table string
-	}{
-		{chainRTFWD, tableFilter},
-		{chainRTNAT, tableNat},
-		{chainRTPRE, tableMangle},
-	} {
-		ok, err := r.iptablesClient.ChainExists(chainInfo.table, chainInfo.chain)
-		if err != nil {
-			return fmt.Errorf("check chain %s in table %s: %w", chainInfo.chain, chainInfo.table, err)
-		} else if ok {
-			if err = r.iptablesClient.ClearAndDeleteChain(chainInfo.table, chainInfo.chain); err != nil {
-				return fmt.Errorf("clear and delete chain %s in table %s: %w", chainInfo.chain, chainInfo.table, err)
-			}
-		}
-	}
-
-	return nil
-}
-
-func (r *router) createContainers() error {
-	for _, chainInfo := range []struct {
-		chain string
-		table string
-	}{
-		{chainRTFWD, tableFilter},
-		{chainRTPRE, tableMangle},
-		{chainRTNAT, tableNat},
-	} {
-		if err := r.createAndSetupChain(chainInfo.chain); err != nil {
-			return fmt.Errorf("create chain %s in table %s: %w", chainInfo.chain, chainInfo.table, err)
-		}
-	}
-
-	if err := r.insertEstablishedRule(chainRTFWD); err != nil {
-		return fmt.Errorf("insert established rule: %w", err)
-	}
-
-	if err := r.addPostroutingRules(); err != nil {
-		return fmt.Errorf("add static nat rules: %w", err)
-	}
-
-	if err := r.addJumpRules(); err != nil {
-		return fmt.Errorf("add jump rules: %w", err)
-	}
-
-	return nil
-}
-
-func (r *router) addPostroutingRules() error {
-	// First rule for outbound masquerade
-	rule1 := []string{
-		"-m", "mark", "--mark", fmt.Sprintf("%#x", nbnet.PreroutingFwmarkMasquerade),
-		"!", "-o", "lo",
-		"-j", routingFinalNatJump,
-	}
-	if err := r.iptablesClient.Append(tableNat, chainRTNAT, rule1...); err != nil {
-		return fmt.Errorf("add outbound masquerade rule: %v", err)
-	}
-	r.rules["static-nat-outbound"] = rule1
-
-	// Second rule for return traffic masquerade
-	rule2 := []string{
-		"-m", "mark", "--mark", fmt.Sprintf("%#x", nbnet.PreroutingFwmarkMasqueradeReturn),
-		"-o", r.wgIface.Name(),
-		"-j", routingFinalNatJump,
-	}
-	if err := r.iptablesClient.Append(tableNat, chainRTNAT, rule2...); err != nil {
-		return fmt.Errorf("add return masquerade rule: %v", err)
-	}
-	r.rules["static-nat-return"] = rule2
-
-	return nil
-}
-
-func (r *router) createAndSetupChain(chain string) error {
-	table := r.getTableForChain(chain)
-
-	if err := r.iptablesClient.NewChain(table, chain); err != nil {
-		return fmt.Errorf("failed creating chain %s, error: %v", chain, err)
-	}
-
-	return nil
-}
-
-func (r *router) getTableForChain(chain string) string {
-	switch chain {
-	case chainRTNAT:
-		return tableNat
-	case chainRTPRE:
-		return tableMangle
-	default:
-		return tableFilter
-	}
-}
-
-func (r *router) insertEstablishedRule(chain string) error {
-	establishedRule := getConntrackEstablished()
-
-	err := r.iptablesClient.Insert(tableFilter, chain, 1, establishedRule...)
+	err = i.addNATRule(firewall.InNatFormat, tableNat, chainRTNAT, routingFinalNatJump, firewall.GetInPair(pair))
 	if err != nil {
-		return fmt.Errorf("failed to insert established rule: %v", err)
+		return err
 	}

-	ruleKey := "established-" + chain
-	r.rules[ruleKey] = establishedRule
-
 	return nil
 }

-func (r *router) addJumpRules() error {
-	// Jump to NAT chain
-	natRule := []string{"-j", chainRTNAT}
-	if err := r.iptablesClient.Insert(tableNat, chainPOSTROUTING, 1, natRule...); err != nil {
-		return fmt.Errorf("add nat jump rule: %v", err)
-	}
-	r.rules[jumpNat] = natRule
+// insertRoutingRule inserts an iptables rule
+func (i *routerManager) insertRoutingRule(keyFormat, table, chain, jump string, pair firewall.RouterPair) error {
+	var err error

-	// Jump to prerouting chain
-	preRule := []string{"-j", chainRTPRE}
-	if err := r.iptablesClient.Insert(tableMangle, chainPREROUTING, 1, preRule...); err != nil {
-		return fmt.Errorf("add prerouting jump rule: %v", err)
-	}
-	r.rules[jumpPre] = preRule
-
-	return nil
-}
-
-func (r *router) cleanJumpRules() error {
-	for _, ruleKey := range []string{jumpNat, jumpPre} {
-		if rule, exists := r.rules[ruleKey]; exists {
-			table := tableNat
-			chain := chainPOSTROUTING
-			if ruleKey == jumpPre {
-				table = tableMangle
-				chain = chainPREROUTING
-			}
-
-			if err := r.iptablesClient.DeleteIfExists(table, chain, rule...); err != nil {
-				return fmt.Errorf("delete rule from chain %s in table %s, err: %v", chain, table, err)
-			}
-			delete(r.rules, ruleKey)
+	ruleKey := firewall.GenKey(keyFormat, pair.ID)
+	rule := genRuleSpec(jump, pair.Source, pair.Destination)
+	existingRule, found := i.rules[ruleKey]
+	if found {
+		err = i.iptablesClient.DeleteIfExists(table, chain, existingRule...)
+		if err != nil {
+			return fmt.Errorf("error while removing existing %s rule for %s: %v", getIptablesRuleType(table), pair.Destination, err)
 		}
-	}
-	return nil
-}
-
-func (r *router) addNatRule(pair firewall.RouterPair) error {
-	ruleKey := firewall.GenKey(firewall.NatFormat, pair)
-
-	if rule, exists := r.rules[ruleKey]; exists {
-		if err := r.iptablesClient.DeleteIfExists(tableMangle, chainRTPRE, rule...); err != nil {
-			return fmt.Errorf("error while removing existing marking rule for %s: %v", pair.Destination, err)
-		}
-		delete(r.rules, ruleKey)
+		delete(i.rules, ruleKey)
 	}

-	markValue := nbnet.PreroutingFwmarkMasquerade
-	if pair.Inverse {
-		markValue = nbnet.PreroutingFwmarkMasqueradeReturn
+	err = i.iptablesClient.Insert(table, chain, 1, rule...)
+	if err != nil {
+		return fmt.Errorf("error while adding new %s rule for %s: %v", getIptablesRuleType(table), pair.Destination, err)
 	}

-	rule := []string{"-i", r.wgIface.Name()}
-	if pair.Inverse {
-		rule = []string{"!", "-i", r.wgIface.Name()}
-	}
-
-	rule = append(rule,
-		"-m", "conntrack",
-		"--ctstate", "NEW",
-		"-s", pair.Source.String(),
-		"-d", pair.Destination.String(),
-		"-j", "MARK", "--set-mark", fmt.Sprintf("%#x", markValue),
-	)
-
-	if err := r.iptablesClient.Append(tableMangle, chainRTPRE, rule...); err != nil {
-		return fmt.Errorf("error while adding marking rule for %s: %v", pair.Destination, err)
-	}
-
-	r.rules[ruleKey] = rule
-	return nil
-}
-
-func (r *router) removeNatRule(pair firewall.RouterPair) error {
-	ruleKey := firewall.GenKey(firewall.NatFormat, pair)
-
-	if rule, exists := r.rules[ruleKey]; exists {
-		if err := r.iptablesClient.DeleteIfExists(tableMangle, chainRTPRE, rule...); err != nil {
-			return fmt.Errorf("error while removing marking rule for %s: %v", pair.Destination, err)
-		}
-		delete(r.rules, ruleKey)
-	} else {
-		log.Debugf("marking rule %s not found", ruleKey)
-	}
+	i.rules[ruleKey] = rule

 	return nil
 }

-func (r *router) updateState() {
-	if r.stateManager == nil {
-		return
+// RemoveRoutingRules removes an iptables rule pair from forwarding and nat chains
+func (i *routerManager) RemoveRoutingRules(pair firewall.RouterPair) error {
+	err := i.removeRoutingRule(firewall.ForwardingFormat, tableFilter, chainRTFWD, pair)
+	if err != nil {
+		return err
 	}

-	var currentState *ShutdownState
-	if existing := r.stateManager.GetState(currentState); existing != nil {
-		if existingState, ok := existing.(*ShutdownState); ok {
-			currentState = existingState
-		}
-	}
-	if currentState == nil {
-		currentState = &ShutdownState{}
+	err = i.removeRoutingRule(firewall.InForwardingFormat, tableFilter, chainRTFWD, firewall.GetInPair(pair))
+	if err != nil {
+		return err
 	}

-	currentState.Lock()
-	defer currentState.Unlock()
-
-	currentState.RouteRules = r.rules
-	currentState.RouteIPsetCounter = r.ipsetCounter
-
-	if err := r.stateManager.UpdateState(currentState); err != nil {
-		log.Errorf("failed to update state: %v", err)
-	}
-}
-
-func genRouteFilteringRuleSpec(params routeFilteringRuleParams) []string {
-	var rule []string
-
-	if params.SetName != "" {
-		rule = append(rule, "-m", "set", matchSet, params.SetName, "src")
-	} else if len(params.Sources) > 0 {
-		source := params.Sources[0]
-		rule = append(rule, "-s", source.String())
-	}
-
-	rule = append(rule, "-d", params.Destination.String())
-
-	if params.Proto != firewall.ProtocolALL {
-		rule = append(rule, "-p", strings.ToLower(string(params.Proto)))
-		rule = append(rule, applyPort("--sport", params.SPort)...)
-		rule = append(rule, applyPort("--dport", params.DPort)...)
-	}
-
-	rule = append(rule, "-j", actionToStr(params.Action))
-
-	return rule
-}
-
-func applyPort(flag string, port *firewall.Port) []string {
-	if port == nil {
+	if !pair.Masquerade {
 		return nil
 	}

-	if port.IsRange && len(port.Values) == 2 {
-		return []string{flag, fmt.Sprintf("%d:%d", port.Values[0], port.Values[1])}
+	err = i.removeRoutingRule(firewall.NatFormat, tableNat, chainRTNAT, pair)
+	if err != nil {
+		return err
 	}

-	if len(port.Values) > 1 {
-		portList := make([]string, len(port.Values))
-		for i, p := range port.Values {
-			portList[i] = strconv.Itoa(p)
-		}
-		return []string{"-m", "multiport", flag, strings.Join(portList, ",")}
+	err = i.removeRoutingRule(firewall.InNatFormat, tableNat, chainRTNAT, firewall.GetInPair(pair))
+	if err != nil {
+		return err
 	}

-	return []string{flag, strconv.Itoa(port.Values[0])}
+	return nil
+}
+
+func (i *routerManager) removeRoutingRule(keyFormat, table, chain string, pair firewall.RouterPair) error {
+	var err error
+
+	ruleKey := firewall.GenKey(keyFormat, pair.ID)
+	existingRule, found := i.rules[ruleKey]
+	if found {
+		err = i.iptablesClient.DeleteIfExists(table, chain, existingRule...)
+		if err != nil {
+			return fmt.Errorf("error while removing existing %s rule for %s: %v", getIptablesRuleType(table), pair.Destination, err)
+		}
+	}
+	delete(i.rules, ruleKey)
+
+	return nil
+}
+
+func (i *routerManager) RouteingFwChainName() string {
+	return chainRTFWD
+}
+
+func (i *routerManager) Reset() error {
+	err := i.cleanUpDefaultForwardRules()
+	if err != nil {
+		return err
+	}
+	i.rules = make(map[string][]string)
+	return nil
+}
+
+func (i *routerManager) cleanUpDefaultForwardRules() error {
+	err := i.cleanJumpRules()
+	if err != nil {
+		return err
+	}
+
+	log.Debug("flushing routing related tables")
+	ok, err := i.iptablesClient.ChainExists(tableFilter, chainRTFWD)
+	if err != nil {
+		log.Errorf("failed check chain %s,error: %v", chainRTFWD, err)
+		return err
+	} else if ok {
+		err = i.iptablesClient.ClearAndDeleteChain(tableFilter, chainRTFWD)
+		if err != nil {
+			log.Errorf("failed cleaning chain %s,error: %v", chainRTFWD, err)
+			return err
+		}
+	}
+
+	ok, err = i.iptablesClient.ChainExists(tableNat, chainRTNAT)
+	if err != nil {
+		log.Errorf("failed check chain %s,error: %v", chainRTNAT, err)
+		return err
+	} else if ok {
+		err = i.iptablesClient.ClearAndDeleteChain(tableNat, chainRTNAT)
+		if err != nil {
+			log.Errorf("failed cleaning chain %s,error: %v", chainRTNAT, err)
+			return err
+		}
+	}
+	return nil
+}
+
+func (i *routerManager) createContainers() error {
+	if i.rules[Ipv4Forwarding] != nil {
+		return nil
+	}
+
+	errMSGFormat := "failed creating chain %s,error: %v"
+	err := i.createChain(tableFilter, chainRTFWD)
+	if err != nil {
+		return fmt.Errorf(errMSGFormat, chainRTFWD, err)
+	}
+
+	err = i.createChain(tableNat, chainRTNAT)
+	if err != nil {
+		return fmt.Errorf(errMSGFormat, chainRTNAT, err)
+	}
+
+	err = i.addJumpRules()
+	if err != nil {
+		return fmt.Errorf("error while creating jump rules: %v", err)
+	}
+
+	return nil
+}
+
+// addJumpRules create jump rules to send packets to NetBird chains
+func (i *routerManager) addJumpRules() error {
+	rule := []string{"-j", chainRTFWD}
+	err := i.iptablesClient.Insert(tableFilter, chainFORWARD, 1, rule...)
+	if err != nil {
+		return err
+	}
+	i.rules[Ipv4Forwarding] = rule
+
+	rule = []string{"-j", chainRTNAT}
+	err = i.iptablesClient.Insert(tableNat, chainPOSTROUTING, 1, rule...)
+	if err != nil {
+		return err
+	}
+	i.rules[ipv4Nat] = rule
+
+	return nil
+}
+
+// cleanJumpRules cleans jump rules that was sending packets to NetBird chains
+func (i *routerManager) cleanJumpRules() error {
+	var err error
+	errMSGFormat := "failed cleaning rule from chain %s,err: %v"
+	rule, found := i.rules[Ipv4Forwarding]
+	if found {
+		err = i.iptablesClient.DeleteIfExists(tableFilter, chainFORWARD, rule...)
+		if err != nil {
+			return fmt.Errorf(errMSGFormat, chainFORWARD, err)
+		}
+	}
+	rule, found = i.rules[ipv4Nat]
+	if found {
+		err = i.iptablesClient.DeleteIfExists(tableNat, chainPOSTROUTING, rule...)
+		if err != nil {
+			return fmt.Errorf(errMSGFormat, chainPOSTROUTING, err)
+		}
+	}
+
+	rules, err := i.iptablesClient.List("nat", "POSTROUTING")
+	if err != nil {
+		return fmt.Errorf("failed to list rules: %s", err)
+	}
+
+	for _, ruleString := range rules {
+		if !strings.Contains(ruleString, "NETBIRD") {
+			continue
+		}
+		rule := strings.Fields(ruleString)
+		err := i.iptablesClient.DeleteIfExists("nat", "POSTROUTING", rule[2:]...)
+		if err != nil {
+			return fmt.Errorf("failed to delete postrouting jump rule: %s", err)
+		}
+	}
+
+	rules, err = i.iptablesClient.List(tableFilter, "FORWARD")
+	if err != nil {
+		return fmt.Errorf("failed to list rules in FORWARD chain: %s", err)
+	}
+
+	for _, ruleString := range rules {
+		if !strings.Contains(ruleString, "NETBIRD") {
+			continue
+		}
+		rule := strings.Fields(ruleString)
+		err := i.iptablesClient.DeleteIfExists(tableFilter, "FORWARD", rule[2:]...)
+		if err != nil {
+			return fmt.Errorf("failed to delete FORWARD jump rule: %s", err)
+		}
+	}
+	return nil
+}
+
+func (i *routerManager) createChain(table, newChain string) error {
+	chains, err := i.iptablesClient.ListChains(table)
+	if err != nil {
+		return fmt.Errorf("couldn't get %s table chains, error: %v", table, err)
+	}
+
+	shouldCreateChain := true
+	for _, chain := range chains {
+		if chain == newChain {
+			shouldCreateChain = false
+		}
+	}
+
+	if shouldCreateChain {
+		err = i.iptablesClient.NewChain(table, newChain)
+		if err != nil {
+			return fmt.Errorf("couldn't create chain %s in %s table, error: %v", newChain, table, err)
+		}
+
+		// Add the loopback return rule to the NAT chain
+		loopbackRule := []string{"-o", "lo", "-j", "RETURN"}
+		err = i.iptablesClient.Insert(table, newChain, 1, loopbackRule...)
+		if err != nil {
+			return fmt.Errorf("failed to add loopback return rule to %s: %v", chainRTNAT, err)
+		}
+
+		err = i.iptablesClient.Append(table, newChain, "-j", "RETURN")
+		if err != nil {
+			return fmt.Errorf("couldn't create chain %s default rule, error: %v", newChain, err)
+		}
+
+	}
+	return nil
+}
+
+// addNATRule appends an iptables rule pair to the nat chain
+func (i *routerManager) addNATRule(keyFormat, table, chain, jump string, pair firewall.RouterPair) error {
+	ruleKey := firewall.GenKey(keyFormat, pair.ID)
+	rule := genRuleSpec(jump, pair.Source, pair.Destination)
+	existingRule, found := i.rules[ruleKey]
+	if found {
+		err := i.iptablesClient.DeleteIfExists(table, chain, existingRule...)
+		if err != nil {
+			return fmt.Errorf("error while removing existing NAT rule for %s: %v", pair.Destination, err)
+		}
+		delete(i.rules, ruleKey)
+	}
+
+	// inserting after loopback ignore rule
+	err := i.iptablesClient.Insert(table, chain, 2, rule...)
+	if err != nil {
+		return fmt.Errorf("error while appending new NAT rule for %s: %v", pair.Destination, err)
+	}
+
+	i.rules[ruleKey] = rule
+
+	return nil
+}
+
+// genRuleSpec generates rule specification
+func genRuleSpec(jump, source, destination string) []string {
+	return []string{"-s", source, "-d", destination, "-j", jump}
+}
+
+func getIptablesRuleType(table string) string {
+	ruleType := "forwarding"
+	if table == tableNat {
+		ruleType = "nat"
+	}
+	return ruleType
 }
--- a/client/firewall/iptables/router_linux_test.go
+++ b/client/firewall/iptables/router_linux_test.go
@@ -3,18 +3,16 @@
 package iptables

 import (
-	"fmt"
-	"net/netip"
+	"context"
 	"os/exec"
 	"testing"

 	"github.com/coreos/go-iptables/iptables"
-	"github.com/stretchr/testify/assert"
+	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/require"

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/test"
-	nbnet "github.com/netbirdio/netbird/util/net"
 )

 func isIptablesSupported() bool {
@@ -30,45 +28,45 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 	iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	require.NoError(t, err, "failed to init iptables client")

-	manager, err := newRouter(iptablesClient, ifaceMock)
+	manager, err := newRouterManager(context.TODO(), iptablesClient)
 	require.NoError(t, err, "should return a valid iptables manager")
-	require.NoError(t, manager.init(nil))

 	defer func() {
-		assert.NoError(t, manager.Reset(), "shouldn't return error")
+		_ = manager.Reset()
 	}()

-	// Now 5 rules:
-	// 1. established rule in forward chain
-	// 2. jump rule to NAT chain
-	// 3. jump rule to PRE chain
-	// 4. static outbound masquerade rule
-	// 5. static return masquerade rule
-	require.Len(t, manager.rules, 5, "should have created rules map")
+	require.Len(t, manager.rules, 2, "should have created rules map")

-	exists, err := manager.iptablesClient.Exists(tableNat, chainPOSTROUTING, "-j", chainRTNAT)
+	exists, err := manager.iptablesClient.Exists(tableFilter, chainFORWARD, manager.rules[Ipv4Forwarding]...)
+	require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableFilter, chainFORWARD)
+	require.True(t, exists, "forwarding rule should exist")
+
+	exists, err = manager.iptablesClient.Exists(tableNat, chainPOSTROUTING, manager.rules[ipv4Nat]...)
 	require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableNat, chainPOSTROUTING)
-	require.True(t, exists, "postrouting jump rule should exist")
-
-	exists, err = manager.iptablesClient.Exists(tableMangle, chainPREROUTING, "-j", chainRTPRE)
-	require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableMangle, chainPREROUTING)
-	require.True(t, exists, "prerouting jump rule should exist")
+	require.True(t, exists, "postrouting rule should exist")

 	pair := firewall.RouterPair{
 		ID:          "abc",
-		Source:      netip.MustParsePrefix("100.100.100.1/32"),
-		Destination: netip.MustParsePrefix("100.100.100.0/24"),
+		Source:      "100.100.100.1/32",
+		Destination: "100.100.100.0/24",
 		Masquerade:  true,
 	}
+	forward4Rule := genRuleSpec(routingFinalForwardJump, pair.Source, pair.Destination)

-	err = manager.AddNatRule(pair)
-	require.NoError(t, err, "adding NAT rule should not return error")
+	err = manager.iptablesClient.Insert(tableFilter, chainRTFWD, 1, forward4Rule...)
+	require.NoError(t, err, "inserting rule should not return error")
+
+	nat4Rule := genRuleSpec(routingFinalNatJump, pair.Source, pair.Destination)
+
+	err = manager.iptablesClient.Insert(tableNat, chainRTNAT, 1, nat4Rule...)
+	require.NoError(t, err, "inserting rule should not return error")

 	err = manager.Reset()
 	require.NoError(t, err, "shouldn't return error")
 }

-func TestIptablesManager_AddNatRule(t *testing.T) {
+func TestIptablesManager_InsertRoutingRules(t *testing.T) {
+
 	if !isIptablesSupported() {
 		t.SkipNow()
 	}
@@ -78,71 +76,78 @@ func TestIptablesManager_AddNatRule(t *testing.T) {
 			iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 			require.NoError(t, err, "failed to init iptables client")

-			manager, err := newRouter(iptablesClient, ifaceMock)
+			manager, err := newRouterManager(context.TODO(), iptablesClient)
 			require.NoError(t, err, "shouldn't return error")
-			require.NoError(t, manager.init(nil))

 			defer func() {
-				assert.NoError(t, manager.Reset(), "shouldn't return error")
+				err := manager.Reset()
+				if err != nil {
+					log.Errorf("failed to reset iptables manager: %s", err)
+				}
 			}()

-			err = manager.AddNatRule(testCase.InputPair)
-			require.NoError(t, err, "marking rule should be inserted")
+			err = manager.InsertRoutingRules(testCase.InputPair)
+			require.NoError(t, err, "forwarding pair should be inserted")

-			natRuleKey := firewall.GenKey(firewall.NatFormat, testCase.InputPair)
-			markingRule := []string{
-				"-i", ifaceMock.Name(),
-				"-m", "conntrack",
-				"--ctstate", "NEW",
-				"-s", testCase.InputPair.Source.String(),
-				"-d", testCase.InputPair.Destination.String(),
-				"-j", "MARK", "--set-mark",
-				fmt.Sprintf("%#x", nbnet.PreroutingFwmarkMasquerade),
-			}
+			forwardRuleKey := firewall.GenKey(firewall.ForwardingFormat, testCase.InputPair.ID)
+			forwardRule := genRuleSpec(routingFinalForwardJump, testCase.InputPair.Source, testCase.InputPair.Destination)

-			exists, err := iptablesClient.Exists(tableMangle, chainRTPRE, markingRule...)
-			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableMangle, chainRTPRE)
+			exists, err := iptablesClient.Exists(tableFilter, chainRTFWD, forwardRule...)
+			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableFilter, chainRTFWD)
+			require.True(t, exists, "forwarding rule should exist")
+
+			foundRule, found := manager.rules[forwardRuleKey]
+			require.True(t, found, "forwarding rule should exist in the manager map")
+			require.Equal(t, forwardRule[:4], foundRule[:4], "stored forwarding rule should match")
+
+			inForwardRuleKey := firewall.GenKey(firewall.InForwardingFormat, testCase.InputPair.ID)
+			inForwardRule := genRuleSpec(routingFinalForwardJump, firewall.GetInPair(testCase.InputPair).Source, firewall.GetInPair(testCase.InputPair).Destination)
+
+			exists, err = iptablesClient.Exists(tableFilter, chainRTFWD, inForwardRule...)
+			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableFilter, chainRTFWD)
+			require.True(t, exists, "income forwarding rule should exist")
+
+			foundRule, found = manager.rules[inForwardRuleKey]
+			require.True(t, found, "income forwarding rule should exist in the manager map")
+			require.Equal(t, inForwardRule[:4], foundRule[:4], "stored income forwarding rule should match")
+
+			natRuleKey := firewall.GenKey(firewall.NatFormat, testCase.InputPair.ID)
+			natRule := genRuleSpec(routingFinalNatJump, testCase.InputPair.Source, testCase.InputPair.Destination)
+
+			exists, err = iptablesClient.Exists(tableNat, chainRTNAT, natRule...)
+			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableNat, chainRTNAT)
 			if testCase.InputPair.Masquerade {
-				require.True(t, exists, "marking rule should be created")
-				foundRule, found := manager.rules[natRuleKey]
-				require.True(t, found, "marking rule should exist in the map")
-				require.Equal(t, markingRule, foundRule, "stored marking rule should match")
+				require.True(t, exists, "nat rule should be created")
+				foundNatRule, foundNat := manager.rules[natRuleKey]
+				require.True(t, foundNat, "nat rule should exist in the map")
+				require.Equal(t, natRule[:4], foundNatRule[:4], "stored nat rule should match")
 			} else {
-				require.False(t, exists, "marking rule should not be created")
-				_, found := manager.rules[natRuleKey]
-				require.False(t, found, "marking rule should not exist in the map")
+				require.False(t, exists, "nat rule should not be created")
+				_, foundNat := manager.rules[natRuleKey]
+				require.False(t, foundNat, "nat rule should not exist in the map")
 			}

-			// Check inverse rule
-			inversePair := firewall.GetInversePair(testCase.InputPair)
-			inverseRuleKey := firewall.GenKey(firewall.NatFormat, inversePair)
-			inverseMarkingRule := []string{
-				"!", "-i", ifaceMock.Name(),
-				"-m", "conntrack",
-				"--ctstate", "NEW",
-				"-s", inversePair.Source.String(),
-				"-d", inversePair.Destination.String(),
-				"-j", "MARK", "--set-mark",
-				fmt.Sprintf("%#x", nbnet.PreroutingFwmarkMasqueradeReturn),
-			}
+			inNatRuleKey := firewall.GenKey(firewall.InNatFormat, testCase.InputPair.ID)
+			inNatRule := genRuleSpec(routingFinalNatJump, firewall.GetInPair(testCase.InputPair).Source, firewall.GetInPair(testCase.InputPair).Destination)

-			exists, err = iptablesClient.Exists(tableMangle, chainRTPRE, inverseMarkingRule...)
-			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableMangle, chainRTPRE)
+			exists, err = iptablesClient.Exists(tableNat, chainRTNAT, inNatRule...)
+			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableNat, chainRTNAT)
 			if testCase.InputPair.Masquerade {
-				require.True(t, exists, "inverse marking rule should be created")
-				foundRule, found := manager.rules[inverseRuleKey]
-				require.True(t, found, "inverse marking rule should exist in the map")
-				require.Equal(t, inverseMarkingRule, foundRule, "stored inverse marking rule should match")
+				require.True(t, exists, "income nat rule should be created")
+				foundNatRule, foundNat := manager.rules[inNatRuleKey]
+				require.True(t, foundNat, "income nat rule should exist in the map")
+				require.Equal(t, inNatRule[:4], foundNatRule[:4], "stored income nat rule should match")
 			} else {
-				require.False(t, exists, "inverse marking rule should not be created")
-				_, found := manager.rules[inverseRuleKey]
-				require.False(t, found, "inverse marking rule should not exist in the map")
+				require.False(t, exists, "nat rule should not be created")
+				_, foundNat := manager.rules[inNatRuleKey]
+				require.False(t, foundNat, "income nat rule should not exist in the map")
 			}
 		})
 	}
 }

-func TestIptablesManager_RemoveNatRule(t *testing.T) {
+func TestIptablesManager_RemoveRoutingRules(t *testing.T) {
+
 	if !isIptablesSupported() {
 		t.SkipNow()
 	}
@@ -151,226 +156,72 @@ func TestIptablesManager_RemoveNatRule(t *testing.T) {
 		t.Run(testCase.Name, func(t *testing.T) {
 			iptablesClient, _ := iptables.NewWithProtocol(iptables.ProtocolIPv4)

-			manager, err := newRouter(iptablesClient, ifaceMock)
+			manager, err := newRouterManager(context.TODO(), iptablesClient)
 			require.NoError(t, err, "shouldn't return error")
-			require.NoError(t, manager.init(nil))
 			defer func() {
-				assert.NoError(t, manager.Reset(), "shouldn't return error")
+				_ = manager.Reset()
 			}()

-			err = manager.AddNatRule(testCase.InputPair)
-			require.NoError(t, err, "should add NAT rule without error")
-
-			err = manager.RemoveNatRule(testCase.InputPair)
 			require.NoError(t, err, "shouldn't return error")

-			natRuleKey := firewall.GenKey(firewall.NatFormat, testCase.InputPair)
-			markingRule := []string{
-				"-i", ifaceMock.Name(),
-				"-m", "conntrack",
-				"--ctstate", "NEW",
-				"-s", testCase.InputPair.Source.String(),
-				"-d", testCase.InputPair.Destination.String(),
-				"-j", "MARK", "--set-mark",
-				fmt.Sprintf("%#x", nbnet.PreroutingFwmarkMasquerade),
-			}
+			forwardRuleKey := firewall.GenKey(firewall.ForwardingFormat, testCase.InputPair.ID)
+			forwardRule := genRuleSpec(routingFinalForwardJump, testCase.InputPair.Source, testCase.InputPair.Destination)

-			exists, err := iptablesClient.Exists(tableMangle, chainRTPRE, markingRule...)
-			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableMangle, chainRTPRE)
-			require.False(t, exists, "marking rule should not exist")
+			err = iptablesClient.Insert(tableFilter, chainRTFWD, 1, forwardRule...)
+			require.NoError(t, err, "inserting rule should not return error")

-			_, found := manager.rules[natRuleKey]
-			require.False(t, found, "marking rule should not exist in the manager map")
+			inForwardRuleKey := firewall.GenKey(firewall.InForwardingFormat, testCase.InputPair.ID)
+			inForwardRule := genRuleSpec(routingFinalForwardJump, firewall.GetInPair(testCase.InputPair).Source, firewall.GetInPair(testCase.InputPair).Destination)

-			// Check inverse rule removal
-			inversePair := firewall.GetInversePair(testCase.InputPair)
-			inverseRuleKey := firewall.GenKey(firewall.NatFormat, inversePair)
-			inverseMarkingRule := []string{
-				"!", "-i", ifaceMock.Name(),
-				"-m", "conntrack",
-				"--ctstate", "NEW",
-				"-s", inversePair.Source.String(),
-				"-d", inversePair.Destination.String(),
-				"-j", "MARK", "--set-mark",
-				fmt.Sprintf("%#x", nbnet.PreroutingFwmarkMasqueradeReturn),
-			}
+			err = iptablesClient.Insert(tableFilter, chainRTFWD, 1, inForwardRule...)
+			require.NoError(t, err, "inserting rule should not return error")

-			exists, err = iptablesClient.Exists(tableMangle, chainRTPRE, inverseMarkingRule...)
-			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableMangle, chainRTPRE)
-			require.False(t, exists, "inverse marking rule should not exist")
+			natRuleKey := firewall.GenKey(firewall.NatFormat, testCase.InputPair.ID)
+			natRule := genRuleSpec(routingFinalNatJump, testCase.InputPair.Source, testCase.InputPair.Destination)
+
+			err = iptablesClient.Insert(tableNat, chainRTNAT, 1, natRule...)
+			require.NoError(t, err, "inserting rule should not return error")
+
+			inNatRuleKey := firewall.GenKey(firewall.InNatFormat, testCase.InputPair.ID)
+			inNatRule := genRuleSpec(routingFinalNatJump, firewall.GetInPair(testCase.InputPair).Source, firewall.GetInPair(testCase.InputPair).Destination)
+
+			err = iptablesClient.Insert(tableNat, chainRTNAT, 1, inNatRule...)
+			require.NoError(t, err, "inserting rule should not return error")
+
+			err = manager.Reset()
+			require.NoError(t, err, "shouldn't return error")
+
+			err = manager.RemoveRoutingRules(testCase.InputPair)
+			require.NoError(t, err, "shouldn't return error")
+
+			exists, err := iptablesClient.Exists(tableFilter, chainRTFWD, forwardRule...)
+			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableFilter, chainRTFWD)
+			require.False(t, exists, "forwarding rule should not exist")
+
+			_, found := manager.rules[forwardRuleKey]
+			require.False(t, found, "forwarding rule should exist in the manager map")
+
+			exists, err = iptablesClient.Exists(tableFilter, chainRTFWD, inForwardRule...)
+			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableFilter, chainRTFWD)
+			require.False(t, exists, "income forwarding rule should not exist")
+
+			_, found = manager.rules[inForwardRuleKey]
+			require.False(t, found, "income forwarding rule should exist in the manager map")
+
+			exists, err = iptablesClient.Exists(tableNat, chainRTNAT, natRule...)
+			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableNat, chainRTNAT)
+			require.False(t, exists, "nat rule should not exist")
+
+			_, found = manager.rules[natRuleKey]
+			require.False(t, found, "nat rule should exist in the manager map")
+
+			exists, err = iptablesClient.Exists(tableNat, chainRTNAT, inNatRule...)
+			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableNat, chainRTNAT)
+			require.False(t, exists, "income nat rule should not exist")
+
+			_, found = manager.rules[inNatRuleKey]
+			require.False(t, found, "income nat rule should exist in the manager map")

-			_, found = manager.rules[inverseRuleKey]
-			require.False(t, found, "inverse marking rule should not exist in the map")
-		})
-	}
-}
-
-func TestRouter_AddRouteFiltering(t *testing.T) {
-	if !isIptablesSupported() {
-		t.Skip("iptables not supported on this system")
-	}
-
-	iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
-	require.NoError(t, err, "Failed to create iptables client")
-
-	r, err := newRouter(iptablesClient, ifaceMock)
-	require.NoError(t, err, "Failed to create router manager")
-	require.NoError(t, r.init(nil))
-
-	defer func() {
-		err := r.Reset()
-		require.NoError(t, err, "Failed to reset router")
-	}()
-
-	tests := []struct {
-		name        string
-		sources     []netip.Prefix
-		destination netip.Prefix
-		proto       firewall.Protocol
-		sPort       *firewall.Port
-		dPort       *firewall.Port
-		direction   firewall.RuleDirection
-		action      firewall.Action
-		expectSet   bool
-	}{
-		{
-			name:        "Basic TCP rule with single source",
-			sources:     []netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")},
-			destination: netip.MustParsePrefix("10.0.0.0/24"),
-			proto:       firewall.ProtocolTCP,
-			sPort:       nil,
-			dPort:       &firewall.Port{Values: []int{80}},
-			direction:   firewall.RuleDirectionIN,
-			action:      firewall.ActionAccept,
-			expectSet:   false,
-		},
-		{
-			name: "UDP rule with multiple sources",
-			sources: []netip.Prefix{
-				netip.MustParsePrefix("172.16.0.0/16"),
-				netip.MustParsePrefix("192.168.0.0/16"),
-			},
-			destination: netip.MustParsePrefix("10.0.0.0/8"),
-			proto:       firewall.ProtocolUDP,
-			sPort:       &firewall.Port{Values: []int{1024, 2048}, IsRange: true},
-			dPort:       nil,
-			direction:   firewall.RuleDirectionOUT,
-			action:      firewall.ActionDrop,
-			expectSet:   true,
-		},
-		{
-			name:        "All protocols rule",
-			sources:     []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")},
-			destination: netip.MustParsePrefix("0.0.0.0/0"),
-			proto:       firewall.ProtocolALL,
-			sPort:       nil,
-			dPort:       nil,
-			direction:   firewall.RuleDirectionIN,
-			action:      firewall.ActionAccept,
-			expectSet:   false,
-		},
-		{
-			name:        "ICMP rule",
-			sources:     []netip.Prefix{netip.MustParsePrefix("192.168.0.0/16")},
-			destination: netip.MustParsePrefix("10.0.0.0/8"),
-			proto:       firewall.ProtocolICMP,
-			sPort:       nil,
-			dPort:       nil,
-			direction:   firewall.RuleDirectionIN,
-			action:      firewall.ActionAccept,
-			expectSet:   false,
-		},
-		{
-			name:        "TCP rule with multiple source ports",
-			sources:     []netip.Prefix{netip.MustParsePrefix("172.16.0.0/12")},
-			destination: netip.MustParsePrefix("192.168.0.0/16"),
-			proto:       firewall.ProtocolTCP,
-			sPort:       &firewall.Port{Values: []int{80, 443, 8080}},
-			dPort:       nil,
-			direction:   firewall.RuleDirectionOUT,
-			action:      firewall.ActionAccept,
-			expectSet:   false,
-		},
-		{
-			name:        "UDP rule with single IP and port range",
-			sources:     []netip.Prefix{netip.MustParsePrefix("192.168.1.1/32")},
-			destination: netip.MustParsePrefix("10.0.0.0/24"),
-			proto:       firewall.ProtocolUDP,
-			sPort:       nil,
-			dPort:       &firewall.Port{Values: []int{5000, 5100}, IsRange: true},
-			direction:   firewall.RuleDirectionIN,
-			action:      firewall.ActionDrop,
-			expectSet:   false,
-		},
-		{
-			name:        "TCP rule with source and destination ports",
-			sources:     []netip.Prefix{netip.MustParsePrefix("10.0.0.0/24")},
-			destination: netip.MustParsePrefix("172.16.0.0/16"),
-			proto:       firewall.ProtocolTCP,
-			sPort:       &firewall.Port{Values: []int{1024, 65535}, IsRange: true},
-			dPort:       &firewall.Port{Values: []int{22}},
-			direction:   firewall.RuleDirectionOUT,
-			action:      firewall.ActionAccept,
-			expectSet:   false,
-		},
-		{
-			name:        "Drop all incoming traffic",
-			sources:     []netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
-			destination: netip.MustParsePrefix("192.168.0.0/24"),
-			proto:       firewall.ProtocolALL,
-			sPort:       nil,
-			dPort:       nil,
-			direction:   firewall.RuleDirectionIN,
-			action:      firewall.ActionDrop,
-			expectSet:   false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			ruleKey, err := r.AddRouteFiltering(tt.sources, tt.destination, tt.proto, tt.sPort, tt.dPort, tt.action)
-			require.NoError(t, err, "AddRouteFiltering failed")
-
-			// Check if the rule is in the internal map
-			rule, ok := r.rules[ruleKey.GetRuleID()]
-			assert.True(t, ok, "Rule not found in internal map")
-
-			// Log the internal rule
-			t.Logf("Internal rule: %v", rule)
-
-			// Check if the rule exists in iptables
-			exists, err := iptablesClient.Exists(tableFilter, chainRTFWD, rule...)
-			assert.NoError(t, err, "Failed to check rule existence")
-			assert.True(t, exists, "Rule not found in iptables")
-
-			// Verify rule content
-			params := routeFilteringRuleParams{
-				Sources:     tt.sources,
-				Destination: tt.destination,
-				Proto:       tt.proto,
-				SPort:       tt.sPort,
-				DPort:       tt.dPort,
-				Action:      tt.action,
-				SetName:     "",
-			}
-
-			expectedRule := genRouteFilteringRuleSpec(params)
-
-			if tt.expectSet {
-				setName := firewall.GenerateSetName(tt.sources)
-				params.SetName = setName
-				expectedRule = genRouteFilteringRuleSpec(params)
-
-				// Check if the set was created
-				_, exists := r.ipsetCounter.Get(setName)
-				assert.True(t, exists, "IPSet not created")
-			}
-
-			assert.Equal(t, expectedRule, rule, "Rule content mismatch")
-
-			// Clean up
-			err = r.DeleteRouteRule(ruleKey)
-			require.NoError(t, err, "Failed to delete rule")
 		})
 	}
 }
--- a/client/firewall/iptables/rulestore_linux.go
+++ b/client/firewall/iptables/rulestore_linux.go
@@ -1,16 +1,14 @@
 package iptables

-import "encoding/json"
-
 type ipList struct {
 	ips map[string]struct{}
 }

-func newIpList(ip string) *ipList {
+func newIpList(ip string) ipList {
 	ips := make(map[string]struct{})
 	ips[ip] = struct{}{}

-	return &ipList{
+	return ipList{
 		ips: ips,
 	}
 }
@@ -19,52 +17,27 @@ func (s *ipList) addIP(ip string) {
 	s.ips[ip] = struct{}{}
 }

-// MarshalJSON implements json.Marshaler
-func (s *ipList) MarshalJSON() ([]byte, error) {
-	return json.Marshal(struct {
-		IPs map[string]struct{} `json:"ips"`
-	}{
-		IPs: s.ips,
-	})
-}
-
-// UnmarshalJSON implements json.Unmarshaler
-func (s *ipList) UnmarshalJSON(data []byte) error {
-	temp := struct {
-		IPs map[string]struct{} `json:"ips"`
-	}{}
-	if err := json.Unmarshal(data, &temp); err != nil {
-		return err
-	}
-	s.ips = temp.IPs
-
-	if temp.IPs == nil {
-		temp.IPs = make(map[string]struct{})
-	}
-
-	return nil
-}
-
 type ipsetStore struct {
-	ipsets map[string]*ipList
+	ipsets map[string]ipList // ipsetName -> ruleset
 }

 func newIpsetStore() *ipsetStore {
 	return &ipsetStore{
-		ipsets: make(map[string]*ipList),
+		ipsets: make(map[string]ipList),
 	}
 }

-func (s *ipsetStore) ipset(ipsetName string) (*ipList, bool) {
+func (s *ipsetStore) ipset(ipsetName string) (ipList, bool) {
 	r, ok := s.ipsets[ipsetName]
 	return r, ok
 }

-func (s *ipsetStore) addIpList(ipsetName string, list *ipList) {
+func (s *ipsetStore) addIpList(ipsetName string, list ipList) {
 	s.ipsets[ipsetName] = list
 }

 func (s *ipsetStore) deleteIpset(ipsetName string) {
+	s.ipsets[ipsetName] = ipList{}
 	delete(s.ipsets, ipsetName)
 }

@@ -75,29 +48,3 @@ func (s *ipsetStore) ipsetNames() []string {
 	}
 	return names
 }
-
-// MarshalJSON implements json.Marshaler
-func (s *ipsetStore) MarshalJSON() ([]byte, error) {
-	return json.Marshal(struct {
-		IPSets map[string]*ipList `json:"ipsets"`
-	}{
-		IPSets: s.ipsets,
-	})
-}
-
-// UnmarshalJSON implements json.Unmarshaler
-func (s *ipsetStore) UnmarshalJSON(data []byte) error {
-	temp := struct {
-		IPSets map[string]*ipList `json:"ipsets"`
-	}{}
-	if err := json.Unmarshal(data, &temp); err != nil {
-		return err
-	}
-	s.ipsets = temp.IPSets
-
-	if temp.IPSets == nil {
-		temp.IPSets = make(map[string]*ipList)
-	}
-
-	return nil
-}
--- a/client/firewall/iptables/state_linux.go
+++ b/client/firewall/iptables/state_linux.go
@@ -1,70 +0,0 @@
-package iptables
-
-import (
-	"fmt"
-	"sync"
-
-	"github.com/netbirdio/netbird/client/iface"
-	"github.com/netbirdio/netbird/client/iface/device"
-)
-
-type InterfaceState struct {
-	NameStr       string          `json:"name"`
-	WGAddress     iface.WGAddress `json:"wg_address"`
-	UserspaceBind bool            `json:"userspace_bind"`
-}
-
-func (i *InterfaceState) Name() string {
-	return i.NameStr
-}
-
-func (i *InterfaceState) Address() device.WGAddress {
-	return i.WGAddress
-}
-
-func (i *InterfaceState) IsUserspaceBind() bool {
-	return i.UserspaceBind
-}
-
-type ShutdownState struct {
-	sync.Mutex
-
-	InterfaceState *InterfaceState `json:"interface_state,omitempty"`
-
-	RouteRules        routeRules    `json:"route_rules,omitempty"`
-	RouteIPsetCounter *ipsetCounter `json:"route_ipset_counter,omitempty"`
-
-	ACLEntries    aclEntries  `json:"acl_entries,omitempty"`
-	ACLIPsetStore *ipsetStore `json:"acl_ipset_store,omitempty"`
-}
-
-func (s *ShutdownState) Name() string {
-	return "iptables_state"
-}
-
-func (s *ShutdownState) Cleanup() error {
-	ipt, err := Create(s.InterfaceState)
-	if err != nil {
-		return fmt.Errorf("create iptables manager: %w", err)
-	}
-
-	if s.RouteRules != nil {
-		ipt.router.rules = s.RouteRules
-	}
-	if s.RouteIPsetCounter != nil {
-		ipt.router.ipsetCounter.LoadData(s.RouteIPsetCounter)
-	}
-
-	if s.ACLEntries != nil {
-		ipt.aclMgr.entries = s.ACLEntries
-	}
-	if s.ACLIPsetStore != nil {
-		ipt.aclMgr.ipsetStore = s.ACLIPsetStore
-	}
-
-	if err := ipt.Reset(nil); err != nil {
-		return fmt.Errorf("reset iptables manager: %w", err)
-	}
-
-	return nil
-}
--- a/client/firewall/manager/firewall.go
+++ b/client/firewall/manager/firewall.go
@@ -1,24 +1,15 @@
 package manager

 import (
-	"crypto/sha256"
-	"encoding/hex"
 	"fmt"
 	"net"
-	"net/netip"
-	"sort"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal/statemanager"
 )

 const (
-	ForwardingFormatPrefix = "netbird-fwd-"
-	ForwardingFormat       = "netbird-fwd-%s-%t"
-	PreroutingFormat       = "netbird-prerouting-%s-%t"
-	NatFormat              = "netbird-nat-%s-%t"
+	NatFormat          = "netbird-nat-%s"
+	ForwardingFormat   = "netbird-fwd-%s"
+	InNatFormat        = "netbird-nat-in-%s"
+	InForwardingFormat = "netbird-fwd-in-%s"
 )

 // Rule abstraction should be implemented by each firewall manager
@@ -55,16 +46,14 @@ const (
 // It declares methods which handle actions required by the
 // Netbird client for ACL and routing functionality
 type Manager interface {
-	Init(stateManager *statemanager.Manager) error
-
 	// AllowNetbird allows netbird interface traffic
 	AllowNetbird() error

-	// AddPeerFiltering adds a rule to the firewall
+	// AddFiltering rule to the firewall
 	//
 	// If comment argument is empty firewall manager should set
 	// rule ID as comment for the rule
-	AddPeerFiltering(
+	AddFiltering(
 		ip net.IP,
 		proto Protocol,
 		sPort *Port,
@@ -75,116 +64,25 @@ type Manager interface {
 		comment string,
 	) ([]Rule, error)

-	// DeletePeerRule from the firewall by rule definition
-	DeletePeerRule(rule Rule) error
+	// DeleteRule from the firewall by rule definition
+	DeleteRule(rule Rule) error

 	// IsServerRouteSupported returns true if the firewall supports server side routing operations
 	IsServerRouteSupported() bool

-	AddRouteFiltering(source []netip.Prefix, destination netip.Prefix, proto Protocol, sPort *Port, dPort *Port, action Action) (Rule, error)
+	// InsertRoutingRules inserts a routing firewall rule
+	InsertRoutingRules(pair RouterPair) error

-	// DeleteRouteRule deletes a routing rule
-	DeleteRouteRule(rule Rule) error
-
-	// AddNatRule inserts a routing NAT rule
-	AddNatRule(pair RouterPair) error
-
-	// RemoveNatRule removes a routing NAT rule
-	RemoveNatRule(pair RouterPair) error
-
-	// SetLegacyManagement sets the legacy management mode
-	SetLegacyManagement(legacy bool) error
+	// RemoveRoutingRules removes a routing firewall rule
+	RemoveRoutingRules(pair RouterPair) error

 	// Reset firewall to the default state
-	Reset(stateManager *statemanager.Manager) error
+	Reset() error

 	// Flush the changes to firewall controller
 	Flush() error
 }

-func GenKey(format string, pair RouterPair) string {
-	return fmt.Sprintf(format, pair.ID, pair.Inverse)
-}
-
-// LegacyManager defines the interface for legacy management operations
-type LegacyManager interface {
-	RemoveAllLegacyRouteRules() error
-	GetLegacyManagement() bool
-	SetLegacyManagement(bool)
-}
-
-// SetLegacyManagement sets the route manager to use legacy management
-func SetLegacyManagement(router LegacyManager, isLegacy bool) error {
-	oldLegacy := router.GetLegacyManagement()
-
-	if oldLegacy != isLegacy {
-		router.SetLegacyManagement(isLegacy)
-		log.Debugf("Set legacy management to %v", isLegacy)
-	}
-
-	// client reconnected to a newer mgmt, we need to clean up the legacy rules
-	if !isLegacy && oldLegacy {
-		if err := router.RemoveAllLegacyRouteRules(); err != nil {
-			return fmt.Errorf("remove legacy routing rules: %v", err)
-		}
-
-		log.Debugf("Legacy routing rules removed")
-	}
-
-	return nil
-}
-
-// GenerateSetName generates a unique name for an ipset based on the given sources.
-func GenerateSetName(sources []netip.Prefix) string {
-	// sort for consistent naming
-	SortPrefixes(sources)
-
-	var sourcesStr strings.Builder
-	for _, src := range sources {
-		sourcesStr.WriteString(src.String())
-	}
-
-	hash := sha256.Sum256([]byte(sourcesStr.String()))
-	shortHash := hex.EncodeToString(hash[:])[:8]
-
-	return fmt.Sprintf("nb-%s", shortHash)
-}
-
-// MergeIPRanges merges overlapping IP ranges and returns a slice of non-overlapping netip.Prefix
-func MergeIPRanges(prefixes []netip.Prefix) []netip.Prefix {
-	if len(prefixes) == 0 {
-		return prefixes
-	}
-
-	merged := []netip.Prefix{prefixes[0]}
-	for _, prefix := range prefixes[1:] {
-		last := merged[len(merged)-1]
-		if last.Contains(prefix.Addr()) {
-			// If the current prefix is contained within the last merged prefix, skip it
-			continue
-		}
-		if prefix.Contains(last.Addr()) {
-			// If the current prefix contains the last merged prefix, replace it
-			merged[len(merged)-1] = prefix
-		} else {
-			// Otherwise, add the current prefix to the merged list
-			merged = append(merged, prefix)
-		}
-	}
-
-	return merged
-}
-
-// SortPrefixes sorts the given slice of netip.Prefix in place.
-// It sorts first by IP address, then by prefix length (most specific to least specific).
-func SortPrefixes(prefixes []netip.Prefix) {
-	sort.Slice(prefixes, func(i, j int) bool {
-		addrCmp := prefixes[i].Addr().Compare(prefixes[j].Addr())
-		if addrCmp != 0 {
-			return addrCmp < 0
-		}
-
-		// If IP addresses are the same, compare prefix lengths (longer prefixes first)
-		return prefixes[i].Bits() > prefixes[j].Bits()
-	})
+func GenKey(format string, input string) string {
+	return fmt.Sprintf(format, input)
 }
--- a/client/firewall/manager/firewall_test.go
+++ b/client/firewall/manager/firewall_test.go
@@ -1,192 +0,0 @@
-package manager_test
-
-import (
-	"net/netip"
-	"reflect"
-	"regexp"
-	"testing"
-
-	"github.com/netbirdio/netbird/client/firewall/manager"
-)
-
-func TestGenerateSetName(t *testing.T) {
-	t.Run("Different orders result in same hash", func(t *testing.T) {
-		prefixes1 := []netip.Prefix{
-			netip.MustParsePrefix("192.168.1.0/24"),
-			netip.MustParsePrefix("10.0.0.0/8"),
-		}
-		prefixes2 := []netip.Prefix{
-			netip.MustParsePrefix("10.0.0.0/8"),
-			netip.MustParsePrefix("192.168.1.0/24"),
-		}
-
-		result1 := manager.GenerateSetName(prefixes1)
-		result2 := manager.GenerateSetName(prefixes2)
-
-		if result1 != result2 {
-			t.Errorf("Different orders produced different hashes: %s != %s", result1, result2)
-		}
-	})
-
-	t.Run("Result format is correct", func(t *testing.T) {
-		prefixes := []netip.Prefix{
-			netip.MustParsePrefix("192.168.1.0/24"),
-			netip.MustParsePrefix("10.0.0.0/8"),
-		}
-
-		result := manager.GenerateSetName(prefixes)
-
-		matched, err := regexp.MatchString(`^nb-[0-9a-f]{8}$`, result)
-		if err != nil {
-			t.Fatalf("Error matching regex: %v", err)
-		}
-		if !matched {
-			t.Errorf("Result format is incorrect: %s", result)
-		}
-	})
-
-	t.Run("Empty input produces consistent result", func(t *testing.T) {
-		result1 := manager.GenerateSetName([]netip.Prefix{})
-		result2 := manager.GenerateSetName([]netip.Prefix{})
-
-		if result1 != result2 {
-			t.Errorf("Empty input produced inconsistent results: %s != %s", result1, result2)
-		}
-	})
-
-	t.Run("IPv4 and IPv6 mixing", func(t *testing.T) {
-		prefixes1 := []netip.Prefix{
-			netip.MustParsePrefix("192.168.1.0/24"),
-			netip.MustParsePrefix("2001:db8::/32"),
-		}
-		prefixes2 := []netip.Prefix{
-			netip.MustParsePrefix("2001:db8::/32"),
-			netip.MustParsePrefix("192.168.1.0/24"),
-		}
-
-		result1 := manager.GenerateSetName(prefixes1)
-		result2 := manager.GenerateSetName(prefixes2)
-
-		if result1 != result2 {
-			t.Errorf("Different orders of IPv4 and IPv6 produced different hashes: %s != %s", result1, result2)
-		}
-	})
-}
-
-func TestMergeIPRanges(t *testing.T) {
-	tests := []struct {
-		name     string
-		input    []netip.Prefix
-		expected []netip.Prefix
-	}{
-		{
-			name:     "Empty input",
-			input:    []netip.Prefix{},
-			expected: []netip.Prefix{},
-		},
-		{
-			name: "Single range",
-			input: []netip.Prefix{
-				netip.MustParsePrefix("192.168.1.0/24"),
-			},
-			expected: []netip.Prefix{
-				netip.MustParsePrefix("192.168.1.0/24"),
-			},
-		},
-		{
-			name: "Two non-overlapping ranges",
-			input: []netip.Prefix{
-				netip.MustParsePrefix("192.168.1.0/24"),
-				netip.MustParsePrefix("10.0.0.0/8"),
-			},
-			expected: []netip.Prefix{
-				netip.MustParsePrefix("192.168.1.0/24"),
-				netip.MustParsePrefix("10.0.0.0/8"),
-			},
-		},
-		{
-			name: "One range containing another",
-			input: []netip.Prefix{
-				netip.MustParsePrefix("192.168.0.0/16"),
-				netip.MustParsePrefix("192.168.1.0/24"),
-			},
-			expected: []netip.Prefix{
-				netip.MustParsePrefix("192.168.0.0/16"),
-			},
-		},
-		{
-			name: "One range containing another (different order)",
-			input: []netip.Prefix{
-				netip.MustParsePrefix("192.168.1.0/24"),
-				netip.MustParsePrefix("192.168.0.0/16"),
-			},
-			expected: []netip.Prefix{
-				netip.MustParsePrefix("192.168.0.0/16"),
-			},
-		},
-		{
-			name: "Overlapping ranges",
-			input: []netip.Prefix{
-				netip.MustParsePrefix("192.168.1.0/24"),
-				netip.MustParsePrefix("192.168.1.128/25"),
-			},
-			expected: []netip.Prefix{
-				netip.MustParsePrefix("192.168.1.0/24"),
-			},
-		},
-		{
-			name: "Overlapping ranges (different order)",
-			input: []netip.Prefix{
-				netip.MustParsePrefix("192.168.1.128/25"),
-				netip.MustParsePrefix("192.168.1.0/24"),
-			},
-			expected: []netip.Prefix{
-				netip.MustParsePrefix("192.168.1.0/24"),
-			},
-		},
-		{
-			name: "Multiple overlapping ranges",
-			input: []netip.Prefix{
-				netip.MustParsePrefix("192.168.0.0/16"),
-				netip.MustParsePrefix("192.168.1.0/24"),
-				netip.MustParsePrefix("192.168.2.0/24"),
-				netip.MustParsePrefix("192.168.1.128/25"),
-			},
-			expected: []netip.Prefix{
-				netip.MustParsePrefix("192.168.0.0/16"),
-			},
-		},
-		{
-			name: "Partially overlapping ranges",
-			input: []netip.Prefix{
-				netip.MustParsePrefix("192.168.0.0/23"),
-				netip.MustParsePrefix("192.168.1.0/24"),
-				netip.MustParsePrefix("192.168.2.0/25"),
-			},
-			expected: []netip.Prefix{
-				netip.MustParsePrefix("192.168.0.0/23"),
-				netip.MustParsePrefix("192.168.2.0/25"),
-			},
-		},
-		{
-			name: "IPv6 ranges",
-			input: []netip.Prefix{
-				netip.MustParsePrefix("2001:db8::/32"),
-				netip.MustParsePrefix("2001:db8:1::/48"),
-				netip.MustParsePrefix("2001:db8:2::/48"),
-			},
-			expected: []netip.Prefix{
-				netip.MustParsePrefix("2001:db8::/32"),
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := manager.MergeIPRanges(tt.input)
-			if !reflect.DeepEqual(result, tt.expected) {
-				t.Errorf("MergeIPRanges() = %v, want %v", result, tt.expected)
-			}
-		})
-	}
-}
--- a/client/firewall/manager/routerpair.go
+++ b/client/firewall/manager/routerpair.go
@@ -1,26 +1,18 @@
 package manager

-import (
-	"net/netip"
-
-	"github.com/netbirdio/netbird/route"
-)
-
 type RouterPair struct {
-	ID          route.ID
-	Source      netip.Prefix
-	Destination netip.Prefix
+	ID          string
+	Source      string
+	Destination string
 	Masquerade  bool
-	Inverse     bool
 }

-func GetInversePair(pair RouterPair) RouterPair {
+func GetInPair(pair RouterPair) RouterPair {
 	return RouterPair{
 		ID: pair.ID,
 		// invert Source/Destination
 		Source:      pair.Destination,
 		Destination: pair.Source,
 		Masquerade:  pair.Masquerade,
-		Inverse:     true,
 	}
 }
--- a/client/firewall/nftables/acl_linux.go
+++ b/client/firewall/nftables/acl_linux.go
@@ -5,18 +5,18 @@ import (
 	"encoding/binary"
 	"fmt"
 	"net"
+	"net/netip"
 	"strconv"
 	"strings"
 	"time"

 	"github.com/google/nftables"
-	"github.com/google/nftables/binaryutil"
 	"github.com/google/nftables/expr"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	nbnet "github.com/netbirdio/netbird/util/net"
+	"github.com/netbirdio/netbird/iface"
 )

 const (
@@ -27,64 +27,74 @@ const (

 	// filter chains contains the rules that jump to the rules chains
 	chainNameInputFilter   = "netbird-acl-input-filter"
+	chainNameOutputFilter  = "netbird-acl-output-filter"
 	chainNameForwardFilter = "netbird-acl-forward-filter"
-	chainNamePrerouting    = "netbird-rt-prerouting"

 	allowNetbirdInputRuleID = "allow Netbird incoming traffic"
 )

-const flushError = "flush: %w"
-
 var (
-	anyIP = []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
+	anyIP           = []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
+	postroutingMark = []byte{0xe4, 0x7, 0x0, 0x00}
 )

 type AclManager struct {
-	rConn              *nftables.Conn
-	sConn              *nftables.Conn
-	wgIface            iFaceMapper
-	routingFwChainName string
+	rConn               *nftables.Conn
+	sConn               *nftables.Conn
+	wgIface             iFaceMapper
+	routeingFwChainName string

 	workTable        *nftables.Table
 	chainInputRules  *nftables.Chain
 	chainOutputRules *nftables.Chain
+	chainFwFilter    *nftables.Chain
+	chainPrerouting  *nftables.Chain

 	ipsetStore *ipsetStore
 	rules      map[string]*Rule
 }

-func newAclManager(table *nftables.Table, wgIface iFaceMapper, routingFwChainName string) (*AclManager, error) {
+// iFaceMapper defines subset methods of interface required for manager
+type iFaceMapper interface {
+	Name() string
+	Address() iface.WGAddress
+	IsUserspaceBind() bool
+}
+
+func newAclManager(table *nftables.Table, wgIface iFaceMapper, routeingFwChainName string) (*AclManager, error) {
 	// sConn is used for creating sets and adding/removing elements from them
 	// it's differ then rConn (which does create new conn for each flush operation)
-	// and is permanent. Using same connection for both type of operations
+	// and is permanent. Using same connection for booth type of operations
 	// overloads netlink with high amount of rules ( > 10000)
 	sConn, err := nftables.New(nftables.AsLasting())
 	if err != nil {
-		return nil, fmt.Errorf("create nf conn: %w", err)
+		return nil, err
 	}

-	return &AclManager{
-		rConn:              &nftables.Conn{},
-		sConn:              sConn,
-		wgIface:            wgIface,
-		workTable:          table,
-		routingFwChainName: routingFwChainName,
+	m := &AclManager{
+		rConn:               &nftables.Conn{},
+		sConn:               sConn,
+		wgIface:             wgIface,
+		workTable:           table,
+		routeingFwChainName: routeingFwChainName,

 		ipsetStore: newIpsetStore(),
 		rules:      make(map[string]*Rule),
-	}, nil
+	}
+
+	err = m.createDefaultChains()
+	if err != nil {
+		return nil, err
+	}
+
+	return m, nil
 }

-func (m *AclManager) init(workTable *nftables.Table) error {
-	m.workTable = workTable
-	return m.createDefaultChains()
-}
-
-// AddPeerFiltering rule to the firewall
+// AddFiltering rule to the firewall
 //
 // If comment argument is empty firewall manager should set
 // rule ID as comment for the rule
-func (m *AclManager) AddPeerFiltering(
+func (m *AclManager) AddFiltering(
 	ip net.IP,
 	proto firewall.Protocol,
 	sPort *firewall.Port,
@@ -110,11 +120,20 @@ func (m *AclManager) AddPeerFiltering(
 	}

 	newRules = append(newRules, ioRule)
+	if !shouldAddToPrerouting(proto, dPort, direction) {
+		return newRules, nil
+	}
+
+	preroutingRule, err := m.addPreroutingFiltering(ipset, proto, dPort, ip)
+	if err != nil {
+		return newRules, err
+	}
+	newRules = append(newRules, preroutingRule)
 	return newRules, nil
 }

-// DeletePeerRule from the firewall by rule definition
-func (m *AclManager) DeletePeerRule(rule firewall.Rule) error {
+// DeleteRule from the firewall by rule definition
+func (m *AclManager) DeleteRule(rule firewall.Rule) error {
 	r, ok := rule.(*Rule)
 	if !ok {
 		return fmt.Errorf("invalid rule type")
@@ -180,7 +199,8 @@ func (m *AclManager) DeletePeerRule(rule firewall.Rule) error {
 	return nil
 }

-// createDefaultAllowRules creates default allow rules for the input and output chains
+// createDefaultAllowRules In case if the USP firewall manager can use the native firewall manager we must to create allow rules for
+// input and output chains
 func (m *AclManager) createDefaultAllowRules() error {
 	expIn := []expr.Any{
 		&expr.Payload{
@@ -194,13 +214,13 @@ func (m *AclManager) createDefaultAllowRules() error {
 			SourceRegister: 1,
 			DestRegister:   1,
 			Len:            4,
-			Mask:           []byte{0, 0, 0, 0},
-			Xor:            []byte{0, 0, 0, 0},
+			Mask:           []byte{0x00, 0x00, 0x00, 0x00},
+			Xor:            zeroXor,
 		},
 		// net address
 		&expr.Cmp{
 			Register: 1,
-			Data:     []byte{0, 0, 0, 0},
+			Data:     []byte{0x00, 0x00, 0x00, 0x00},
 		},
 		&expr.Verdict{
 			Kind: expr.VerdictAccept,
@@ -226,13 +246,13 @@ func (m *AclManager) createDefaultAllowRules() error {
 			SourceRegister: 1,
 			DestRegister:   1,
 			Len:            4,
-			Mask:           []byte{0, 0, 0, 0},
-			Xor:            []byte{0, 0, 0, 0},
+			Mask:           []byte{0x00, 0x00, 0x00, 0x00},
+			Xor:            zeroXor,
 		},
 		// net address
 		&expr.Cmp{
 			Register: 1,
-			Data:     []byte{0, 0, 0, 0},
+			Data:     []byte{0x00, 0x00, 0x00, 0x00},
 		},
 		&expr.Verdict{
 			Kind: expr.VerdictAccept,
@@ -246,8 +266,10 @@ func (m *AclManager) createDefaultAllowRules() error {
 		Exprs:    expOut,
 	})

-	if err := m.rConn.Flush(); err != nil {
-		return fmt.Errorf(flushError, err)
+	err := m.rConn.Flush()
+	if err != nil {
+		log.Debugf("failed to create default allow rules: %s", err)
+		return err
 	}
 	return nil
 }
@@ -268,11 +290,15 @@ func (m *AclManager) Flush() error {
 		log.Errorf("failed to refresh rule handles IPv4 output chain: %v", err)
 	}

+	if err := m.refreshRuleHandles(m.chainPrerouting); err != nil {
+		log.Errorf("failed to refresh rule handles IPv4 prerouting chain: %v", err)
+	}
+
 	return nil
 }

 func (m *AclManager) addIOFiltering(ip net.IP, proto firewall.Protocol, sPort *firewall.Port, dPort *firewall.Port, direction firewall.RuleDirection, action firewall.Action, ipset *nftables.Set, comment string) (*Rule, error) {
-	ruleId := generatePeerRuleId(ip, sPort, dPort, direction, action, ipset)
+	ruleId := generateRuleId(ip, sPort, dPort, direction, action, ipset)
 	if r, ok := m.rules[ruleId]; ok {
 		return &Rule{
 			r.nftRule,
@@ -282,7 +308,18 @@ func (m *AclManager) addIOFiltering(ip net.IP, proto firewall.Protocol, sPort *f
 		}, nil
 	}

-	var expressions []expr.Any
+	ifaceKey := expr.MetaKeyIIFNAME
+	if direction == firewall.RuleDirectionOUT {
+		ifaceKey = expr.MetaKeyOIFNAME
+	}
+	expressions := []expr.Any{
+		&expr.Meta{Key: ifaceKey, Register: 1},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     ifname(m.wgIface.Name()),
+		},
+	}

 	if proto != firewall.ProtocolALL {
 		expressions = append(expressions, &expr.Payload{
@@ -292,15 +329,21 @@ func (m *AclManager) addIOFiltering(ip net.IP, proto firewall.Protocol, sPort *f
 			Len:          uint32(1),
 		})

-		protoData, err := protoToInt(proto)
-		if err != nil {
-			return nil, fmt.Errorf("convert protocol to number: %v", err)
+		var protoData []byte
+		switch proto {
+		case firewall.ProtocolTCP:
+			protoData = []byte{unix.IPPROTO_TCP}
+		case firewall.ProtocolUDP:
+			protoData = []byte{unix.IPPROTO_UDP}
+		case firewall.ProtocolICMP:
+			protoData = []byte{unix.IPPROTO_ICMP}
+		default:
+			return nil, fmt.Errorf("unsupported protocol: %s", proto)
 		}
-
 		expressions = append(expressions, &expr.Cmp{
 			Register: 1,
 			Op:       expr.CmpOpEq,
-			Data:     []byte{protoData},
+			Data:     protoData,
 		})
 	}

@@ -389,9 +432,10 @@ func (m *AclManager) addIOFiltering(ip net.IP, proto firewall.Protocol, sPort *f
 	} else {
 		chain = m.chainOutputRules
 	}
-	nftRule := m.rConn.AddRule(&nftables.Rule{
+	nftRule := m.rConn.InsertRule(&nftables.Rule{
 		Table:    m.workTable,
 		Chain:    chain,
+		Position: 0,
 		Exprs:    expressions,
 		UserData: userData,
 	})
@@ -409,13 +453,139 @@ func (m *AclManager) addIOFiltering(ip net.IP, proto firewall.Protocol, sPort *f
 	return rule, nil
 }

+func (m *AclManager) addPreroutingFiltering(ipset *nftables.Set, proto firewall.Protocol, port *firewall.Port, ip net.IP) (*Rule, error) {
+	var protoData []byte
+	switch proto {
+	case firewall.ProtocolTCP:
+		protoData = []byte{unix.IPPROTO_TCP}
+	case firewall.ProtocolUDP:
+		protoData = []byte{unix.IPPROTO_UDP}
+	case firewall.ProtocolICMP:
+		protoData = []byte{unix.IPPROTO_ICMP}
+	default:
+		return nil, fmt.Errorf("unsupported protocol: %s", proto)
+	}
+
+	ruleId := generateRuleIdForMangle(ipset, ip, proto, port)
+	if r, ok := m.rules[ruleId]; ok {
+		return &Rule{
+			r.nftRule,
+			r.nftSet,
+			r.ruleID,
+			ip,
+		}, nil
+	}
+
+	var ipExpression expr.Any
+	// add individual IP for match if no ipset defined
+	rawIP := ip.To4()
+	if ipset == nil {
+		ipExpression = &expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     rawIP,
+		}
+	} else {
+		ipExpression = &expr.Lookup{
+			SourceRegister: 1,
+			SetName:        ipset.Name,
+			SetID:          ipset.ID,
+		}
+	}
+
+	expressions := []expr.Any{
+		&expr.Payload{
+			DestRegister: 1,
+			Base:         expr.PayloadBaseNetworkHeader,
+			Offset:       12,
+			Len:          4,
+		},
+		ipExpression,
+		&expr.Payload{
+			DestRegister: 1,
+			Base:         expr.PayloadBaseNetworkHeader,
+			Offset:       16,
+			Len:          4,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     m.wgIface.Address().IP.To4(),
+		},
+		&expr.Payload{
+			DestRegister: 1,
+			Base:         expr.PayloadBaseNetworkHeader,
+			Offset:       uint32(9),
+			Len:          uint32(1),
+		},
+		&expr.Cmp{
+			Register: 1,
+			Op:       expr.CmpOpEq,
+			Data:     protoData,
+		},
+	}
+
+	if port != nil {
+		expressions = append(expressions,
+			&expr.Payload{
+				DestRegister: 1,
+				Base:         expr.PayloadBaseTransportHeader,
+				Offset:       2,
+				Len:          2,
+			},
+			&expr.Cmp{
+				Op:       expr.CmpOpEq,
+				Register: 1,
+				Data:     encodePort(*port),
+			},
+		)
+	}
+
+	expressions = append(expressions,
+		&expr.Immediate{
+			Register: 1,
+			Data:     postroutingMark,
+		},
+		&expr.Meta{
+			Key:            expr.MetaKeyMARK,
+			SourceRegister: true,
+			Register:       1,
+		},
+	)
+
+	nftRule := m.rConn.InsertRule(&nftables.Rule{
+		Table:    m.workTable,
+		Chain:    m.chainPrerouting,
+		Position: 0,
+		Exprs:    expressions,
+		UserData: []byte(ruleId),
+	})
+
+	if err := m.rConn.Flush(); err != nil {
+		return nil, fmt.Errorf("flush insert rule: %v", err)
+	}
+
+	rule := &Rule{
+		nftRule: nftRule,
+		nftSet:  ipset,
+		ruleID:  ruleId,
+		ip:      ip,
+	}
+
+	m.rules[ruleId] = rule
+	if ipset != nil {
+		m.ipsetStore.AddReferenceToIpset(ipset.Name)
+	}
+	return rule, nil
+}
+
 func (m *AclManager) createDefaultChains() (err error) {
 	// chainNameInputRules
 	chain := m.createChain(chainNameInputRules)
 	err = m.rConn.Flush()
 	if err != nil {
 		log.Debugf("failed to create chain (%s): %s", chain.Name, err)
-		return fmt.Errorf(flushError, err)
+		return err
 	}
 	m.chainInputRules = chain

@@ -431,6 +601,9 @@ func (m *AclManager) createDefaultChains() (err error) {
 	// netbird-acl-input-filter
 	// type filter hook input priority filter; policy accept;
 	chain = m.createFilterChainWithHook(chainNameInputFilter, nftables.ChainHookInput)
+	//netbird-acl-input-filter iifname "wt0" ip saddr 100.72.0.0/16 ip daddr != 100.72.0.0/16 accept
+	m.addRouteAllowRule(chain, expr.MetaKeyIIFNAME)
+	m.addFwdAllow(chain, expr.MetaKeyIIFNAME)
 	m.addJumpRule(chain, m.chainInputRules.Name, expr.MetaKeyIIFNAME) // to netbird-acl-input-rules
 	m.addDropExpressions(chain, expr.MetaKeyIIFNAME)
 	err = m.rConn.Flush()
@@ -439,107 +612,43 @@ func (m *AclManager) createDefaultChains() (err error) {
 		return err
 	}

-	// netbird-acl-forward-filter
-	chainFwFilter := m.createFilterChainWithHook(chainNameForwardFilter, nftables.ChainHookForward)
-	m.addJumpRulesToRtForward(chainFwFilter) // to netbird-rt-fwd
-	m.addDropExpressions(chainFwFilter, expr.MetaKeyIIFNAME)
+	// netbird-acl-output-filter
+	// type filter hook output priority filter; policy accept;
+	chain = m.createFilterChainWithHook(chainNameOutputFilter, nftables.ChainHookOutput)
+	m.addRouteAllowRule(chain, expr.MetaKeyOIFNAME)
+	m.addFwdAllow(chain, expr.MetaKeyOIFNAME)
+	m.addJumpRule(chain, m.chainOutputRules.Name, expr.MetaKeyOIFNAME) // to netbird-acl-output-rules
+	m.addDropExpressions(chain, expr.MetaKeyOIFNAME)
+	err = m.rConn.Flush()
+	if err != nil {
+		log.Debugf("failed to create chain (%s): %s", chainNameOutputFilter, err)
+		return err
+	}

+	// netbird-acl-forward-filter
+	m.chainFwFilter = m.createFilterChainWithHook(chainNameForwardFilter, nftables.ChainHookForward)
+	m.addJumpRulesToRtForward() // to
+	m.addMarkAccept()
+	m.addJumpRuleToInputChain() // to netbird-acl-input-rules
+	m.addDropExpressions(m.chainFwFilter, expr.MetaKeyIIFNAME)
 	err = m.rConn.Flush()
 	if err != nil {
 		log.Debugf("failed to create chain (%s): %s", chainNameForwardFilter, err)
-		return fmt.Errorf(flushError, err)
+		return err
 	}

-	if err := m.allowRedirectedTraffic(chainFwFilter); err != nil {
-		log.Errorf("failed to allow redirected traffic: %s", err)
+	// netbird-acl-output-filter
+	// type filter hook output priority filter; policy accept;
+	m.chainPrerouting = m.createPreroutingMangle()
+	err = m.rConn.Flush()
+	if err != nil {
+		log.Debugf("failed to create chain (%s): %s", m.chainPrerouting.Name, err)
+		return err
 	}
-
 	return nil
 }

-// Makes redirected traffic originally destined for the host itself (now subject to the forward filter)
-// go through the input filter as well. This will enable e.g. Docker services to keep working by accessing the
-// netbird peer IP.
-func (m *AclManager) allowRedirectedTraffic(chainFwFilter *nftables.Chain) error {
-	preroutingChain := m.rConn.AddChain(&nftables.Chain{
-		Name:     chainNamePrerouting,
-		Table:    m.workTable,
-		Type:     nftables.ChainTypeFilter,
-		Hooknum:  nftables.ChainHookPrerouting,
-		Priority: nftables.ChainPriorityMangle,
-	})
-
-	m.addPreroutingRule(preroutingChain)
-
-	m.addFwmarkToForward(chainFwFilter)
-
-	if err := m.rConn.Flush(); err != nil {
-		return fmt.Errorf(flushError, err)
-	}
-
-	return nil
-}
-
-func (m *AclManager) addPreroutingRule(preroutingChain *nftables.Chain) {
-	m.rConn.AddRule(&nftables.Rule{
-		Table: m.workTable,
-		Chain: preroutingChain,
-		Exprs: []expr.Any{
-			&expr.Meta{
-				Key:      expr.MetaKeyIIFNAME,
-				Register: 1,
-			},
-			&expr.Cmp{
-				Op:       expr.CmpOpEq,
-				Register: 1,
-				Data:     ifname(m.wgIface.Name()),
-			},
-			&expr.Fib{
-				Register:       1,
-				ResultADDRTYPE: true,
-				FlagDADDR:      true,
-			},
-			&expr.Cmp{
-				Op:       expr.CmpOpEq,
-				Register: 1,
-				Data:     binaryutil.NativeEndian.PutUint32(unix.RTN_LOCAL),
-			},
-			&expr.Immediate{
-				Register: 1,
-				Data:     binaryutil.NativeEndian.PutUint32(nbnet.PreroutingFwmarkRedirected),
-			},
-			&expr.Meta{
-				Key:            expr.MetaKeyMARK,
-				Register:       1,
-				SourceRegister: true,
-			},
-		},
-	})
-}
-
-func (m *AclManager) addFwmarkToForward(chainFwFilter *nftables.Chain) {
-	m.rConn.InsertRule(&nftables.Rule{
-		Table: m.workTable,
-		Chain: chainFwFilter,
-		Exprs: []expr.Any{
-			&expr.Meta{
-				Key:      expr.MetaKeyMARK,
-				Register: 1,
-			},
-			&expr.Cmp{
-				Op:       expr.CmpOpEq,
-				Register: 1,
-				Data:     binaryutil.NativeEndian.PutUint32(nbnet.PreroutingFwmarkRedirected),
-			},
-			&expr.Verdict{
-				Kind:  expr.VerdictJump,
-				Chain: m.chainInputRules.Name,
-			},
-		},
-	})
-}
-
-func (m *AclManager) addJumpRulesToRtForward(chainFwFilter *nftables.Chain) {
+func (m *AclManager) addJumpRulesToRtForward() {
 	expressions := []expr.Any{
 		&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
 		&expr.Cmp{
@@ -549,15 +658,68 @@ func (m *AclManager) addJumpRulesToRtForward(chainFwFilter *nftables.Chain) {
 		},
 		&expr.Verdict{
 			Kind:  expr.VerdictJump,
-			Chain: m.routingFwChainName,
+			Chain: m.routeingFwChainName,
 		},
 	}

 	_ = m.rConn.AddRule(&nftables.Rule{
 		Table: m.workTable,
-		Chain: chainFwFilter,
+		Chain: m.chainFwFilter,
 		Exprs: expressions,
 	})
+
+	expressions = []expr.Any{
+		&expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     ifname(m.wgIface.Name()),
+		},
+		&expr.Verdict{
+			Kind:  expr.VerdictJump,
+			Chain: m.routeingFwChainName,
+		},
+	}
+
+	_ = m.rConn.AddRule(&nftables.Rule{
+		Table: m.workTable,
+		Chain: m.chainFwFilter,
+		Exprs: expressions,
+	})
+}
+
+func (m *AclManager) addMarkAccept() {
+	// oifname "wt0" meta mark 0x000007e4 accept
+	// iifname "wt0" meta mark 0x000007e4 accept
+	ifaces := []expr.MetaKey{expr.MetaKeyIIFNAME, expr.MetaKeyOIFNAME}
+	for _, iface := range ifaces {
+		expressions := []expr.Any{
+			&expr.Meta{Key: iface, Register: 1},
+			&expr.Cmp{
+				Op:       expr.CmpOpEq,
+				Register: 1,
+				Data:     ifname(m.wgIface.Name()),
+			},
+			&expr.Meta{
+				Key:      expr.MetaKeyMARK,
+				Register: 1,
+			},
+			&expr.Cmp{
+				Op:       expr.CmpOpEq,
+				Register: 1,
+				Data:     postroutingMark,
+			},
+			&expr.Verdict{
+				Kind: expr.VerdictAccept,
+			},
+		}
+
+		_ = m.rConn.AddRule(&nftables.Rule{
+			Table: m.workTable,
+			Chain: m.chainFwFilter,
+			Exprs: expressions,
+		})
+	}
 }

 func (m *AclManager) createChain(name string) *nftables.Chain {
@@ -567,13 +729,10 @@ func (m *AclManager) createChain(name string) *nftables.Chain {
 	}

 	chain = m.rConn.AddChain(chain)
-
-	insertReturnTrafficRule(m.rConn, m.workTable, chain)
-
 	return chain
 }

-func (m *AclManager) createFilterChainWithHook(name string, hookNum *nftables.ChainHook) *nftables.Chain {
+func (m *AclManager) createFilterChainWithHook(name string, hookNum nftables.ChainHook) *nftables.Chain {
 	polAccept := nftables.ChainPolicyAccept
 	chain := &nftables.Chain{
 		Name:     name,
@@ -587,6 +746,74 @@ func (m *AclManager) createFilterChainWithHook(name string, hookNum *nftables.Ch
 	return m.rConn.AddChain(chain)
 }

+func (m *AclManager) createPreroutingMangle() *nftables.Chain {
+	polAccept := nftables.ChainPolicyAccept
+	chain := &nftables.Chain{
+		Name:     "netbird-acl-prerouting-filter",
+		Table:    m.workTable,
+		Hooknum:  nftables.ChainHookPrerouting,
+		Priority: nftables.ChainPriorityMangle,
+		Type:     nftables.ChainTypeFilter,
+		Policy:   &polAccept,
+	}
+
+	chain = m.rConn.AddChain(chain)
+
+	ip, _ := netip.AddrFromSlice(m.wgIface.Address().Network.IP.To4())
+	expressions := []expr.Any{
+		&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     ifname(m.wgIface.Name()),
+		},
+		&expr.Payload{
+			DestRegister: 2,
+			Base:         expr.PayloadBaseNetworkHeader,
+			Offset:       12,
+			Len:          4,
+		},
+		&expr.Bitwise{
+			SourceRegister: 2,
+			DestRegister:   2,
+			Len:            4,
+			Xor:            []byte{0x0, 0x0, 0x0, 0x0},
+			Mask:           m.wgIface.Address().Network.Mask,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpNeq,
+			Register: 2,
+			Data:     ip.Unmap().AsSlice(),
+		},
+		&expr.Payload{
+			DestRegister: 1,
+			Base:         expr.PayloadBaseNetworkHeader,
+			Offset:       16,
+			Len:          4,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     m.wgIface.Address().IP.To4(),
+		},
+		&expr.Immediate{
+			Register: 1,
+			Data:     postroutingMark,
+		},
+		&expr.Meta{
+			Key:            expr.MetaKeyMARK,
+			SourceRegister: true,
+			Register:       1,
+		},
+	}
+	_ = m.rConn.AddRule(&nftables.Rule{
+		Table: m.workTable,
+		Chain: chain,
+		Exprs: expressions,
+	})
+	return chain
+}
+
 func (m *AclManager) addDropExpressions(chain *nftables.Chain, ifaceKey expr.MetaKey) []expr.Any {
 	expressions := []expr.Any{
 		&expr.Meta{Key: ifaceKey, Register: 1},
@@ -605,9 +832,9 @@ func (m *AclManager) addDropExpressions(chain *nftables.Chain, ifaceKey expr.Met
 	return nil
 }

-func (m *AclManager) addJumpRule(chain *nftables.Chain, to string, ifaceKey expr.MetaKey) {
+func (m *AclManager) addJumpRuleToInputChain() {
 	expressions := []expr.Any{
-		&expr.Meta{Key: ifaceKey, Register: 1},
+		&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
 		&expr.Cmp{
 			Op:       expr.CmpOpEq,
 			Register: 1,
@@ -615,10 +842,195 @@ func (m *AclManager) addJumpRule(chain *nftables.Chain, to string, ifaceKey expr
 		},
 		&expr.Verdict{
 			Kind:  expr.VerdictJump,
-			Chain: to,
+			Chain: m.chainInputRules.Name,
 		},
 	}

+	_ = m.rConn.AddRule(&nftables.Rule{
+		Table: m.workTable,
+		Chain: m.chainFwFilter,
+		Exprs: expressions,
+	})
+}
+
+func (m *AclManager) addRouteAllowRule(chain *nftables.Chain, netIfName expr.MetaKey) {
+	ip, _ := netip.AddrFromSlice(m.wgIface.Address().Network.IP.To4())
+	var srcOp, dstOp expr.CmpOp
+	if netIfName == expr.MetaKeyIIFNAME {
+		srcOp = expr.CmpOpEq
+		dstOp = expr.CmpOpNeq
+	} else {
+		srcOp = expr.CmpOpNeq
+		dstOp = expr.CmpOpEq
+	}
+	expressions := []expr.Any{
+		&expr.Meta{Key: netIfName, Register: 1},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     ifname(m.wgIface.Name()),
+		},
+		&expr.Payload{
+			DestRegister: 2,
+			Base:         expr.PayloadBaseNetworkHeader,
+			Offset:       12,
+			Len:          4,
+		},
+		&expr.Bitwise{
+			SourceRegister: 2,
+			DestRegister:   2,
+			Len:            4,
+			Xor:            []byte{0x0, 0x0, 0x0, 0x0},
+			Mask:           m.wgIface.Address().Network.Mask,
+		},
+		&expr.Cmp{
+			Op:       srcOp,
+			Register: 2,
+			Data:     ip.Unmap().AsSlice(),
+		},
+		&expr.Payload{
+			DestRegister: 2,
+			Base:         expr.PayloadBaseNetworkHeader,
+			Offset:       16,
+			Len:          4,
+		},
+		&expr.Bitwise{
+			SourceRegister: 2,
+			DestRegister:   2,
+			Len:            4,
+			Xor:            []byte{0x0, 0x0, 0x0, 0x0},
+			Mask:           m.wgIface.Address().Network.Mask,
+		},
+		&expr.Cmp{
+			Op:       dstOp,
+			Register: 2,
+			Data:     ip.Unmap().AsSlice(),
+		},
+		&expr.Verdict{
+			Kind: expr.VerdictAccept,
+		},
+	}
+	_ = m.rConn.AddRule(&nftables.Rule{
+		Table: chain.Table,
+		Chain: chain,
+		Exprs: expressions,
+	})
+}
+
+func (m *AclManager) addFwdAllow(chain *nftables.Chain, iifname expr.MetaKey) {
+	ip, _ := netip.AddrFromSlice(m.wgIface.Address().Network.IP.To4())
+	var srcOp, dstOp expr.CmpOp
+	if iifname == expr.MetaKeyIIFNAME {
+		srcOp = expr.CmpOpNeq
+		dstOp = expr.CmpOpEq
+	} else {
+		srcOp = expr.CmpOpEq
+		dstOp = expr.CmpOpNeq
+	}
+	expressions := []expr.Any{
+		&expr.Meta{Key: iifname, Register: 1},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     ifname(m.wgIface.Name()),
+		},
+		&expr.Payload{
+			DestRegister: 2,
+			Base:         expr.PayloadBaseNetworkHeader,
+			Offset:       12,
+			Len:          4,
+		},
+		&expr.Bitwise{
+			SourceRegister: 2,
+			DestRegister:   2,
+			Len:            4,
+			Xor:            []byte{0x0, 0x0, 0x0, 0x0},
+			Mask:           m.wgIface.Address().Network.Mask,
+		},
+		&expr.Cmp{
+			Op:       srcOp,
+			Register: 2,
+			Data:     ip.Unmap().AsSlice(),
+		},
+		&expr.Payload{
+			DestRegister: 2,
+			Base:         expr.PayloadBaseNetworkHeader,
+			Offset:       16,
+			Len:          4,
+		},
+		&expr.Bitwise{
+			SourceRegister: 2,
+			DestRegister:   2,
+			Len:            4,
+			Xor:            []byte{0x0, 0x0, 0x0, 0x0},
+			Mask:           m.wgIface.Address().Network.Mask,
+		},
+		&expr.Cmp{
+			Op:       dstOp,
+			Register: 2,
+			Data:     ip.Unmap().AsSlice(),
+		},
+		&expr.Verdict{
+			Kind: expr.VerdictAccept,
+		},
+	}
+	_ = m.rConn.AddRule(&nftables.Rule{
+		Table: chain.Table,
+		Chain: chain,
+		Exprs: expressions,
+	})
+}
+
+func (m *AclManager) addJumpRule(chain *nftables.Chain, to string, ifaceKey expr.MetaKey) {
+	ip, _ := netip.AddrFromSlice(m.wgIface.Address().Network.IP.To4())
+	expressions := []expr.Any{
+		&expr.Meta{Key: ifaceKey, Register: 1},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     ifname(m.wgIface.Name()),
+		},
+		&expr.Payload{
+			DestRegister: 2,
+			Base:         expr.PayloadBaseNetworkHeader,
+			Offset:       12,
+			Len:          4,
+		},
+		&expr.Bitwise{
+			SourceRegister: 2,
+			DestRegister:   2,
+			Len:            4,
+			Xor:            []byte{0x0, 0x0, 0x0, 0x0},
+			Mask:           m.wgIface.Address().Network.Mask,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 2,
+			Data:     ip.Unmap().AsSlice(),
+		},
+		&expr.Payload{
+			DestRegister: 2,
+			Base:         expr.PayloadBaseNetworkHeader,
+			Offset:       16,
+			Len:          4,
+		},
+		&expr.Bitwise{
+			SourceRegister: 2,
+			DestRegister:   2,
+			Len:            4,
+			Xor:            []byte{0x0, 0x0, 0x0, 0x0},
+			Mask:           m.wgIface.Address().Network.Mask,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 2,
+			Data:     ip.Unmap().AsSlice(),
+		},
+		&expr.Verdict{
+			Kind:  expr.VerdictJump,
+			Chain: to,
+		},
+	}
 	_ = m.rConn.AddRule(&nftables.Rule{
 		Table: chain.Table,
 		Chain: chain,
@@ -720,7 +1132,7 @@ func (m *AclManager) refreshRuleHandles(chain *nftables.Chain) error {
 	return nil
 }

-func generatePeerRuleId(
+func generateRuleId(
 	ip net.IP,
 	sPort *firewall.Port,
 	dPort *firewall.Port,
@@ -743,6 +1155,33 @@ func generatePeerRuleId(
 	}
 	return "set:" + ipset.Name + rulesetID
 }
+func generateRuleIdForMangle(ipset *nftables.Set, ip net.IP, proto firewall.Protocol, port *firewall.Port) string {
+	// case of icmp port is empty
+	var p string
+	if port != nil {
+		p = port.String()
+	}
+	if ipset != nil {
+		return fmt.Sprintf("p:set:%s:%s:%v", ipset.Name, proto, p)
+	} else {
+		return fmt.Sprintf("p:ip:%s:%s:%v", ip.String(), proto, p)
+	}
+}
+
+func shouldAddToPrerouting(proto firewall.Protocol, dPort *firewall.Port, direction firewall.RuleDirection) bool {
+	if proto == "all" {
+		return false
+	}
+
+	if direction != firewall.RuleDirectionIN {
+		return false
+	}
+
+	if dPort == nil && proto != firewall.ProtocolICMP {
+		return false
+	}
+	return true
+}

 func encodePort(port firewall.Port) []byte {
 	bs := make([]byte, 2)
@@ -752,19 +1191,6 @@ func encodePort(port firewall.Port) []byte {

 func ifname(n string) []byte {
 	b := make([]byte, 16)
-	copy(b, n+"\x00")
+	copy(b, []byte(n+"\x00"))
 	return b
 }
-
-func protoToInt(protocol firewall.Protocol) (uint8, error) {
-	switch protocol {
-	case firewall.ProtocolTCP:
-		return unix.IPPROTO_TCP, nil
-	case firewall.ProtocolUDP:
-		return unix.IPPROTO_UDP, nil
-	case firewall.ProtocolICMP:
-		return unix.IPPROTO_ICMP, nil
-	}
-
-	return 0, fmt.Errorf("unsupported protocol: %s", protocol)
-}
--- a/client/firewall/nftables/manager_linux.go
+++ b/client/firewall/nftables/manager_linux.go
@@ -5,34 +5,20 @@ import (
 	"context"
 	"fmt"
 	"net"
-	"net/netip"
 	"sync"

 	"github.com/google/nftables"
-	"github.com/google/nftables/binaryutil"
 	"github.com/google/nftables/expr"
 	log "github.com/sirupsen/logrus"

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/iface"
-	"github.com/netbirdio/netbird/client/internal/statemanager"
 )

 const (
-	// tableNameNetbird is the name of the table that is used for filtering by the Netbird client
-	tableNameNetbird = "netbird"
-
-	tableNameFilter = "filter"
-	chainNameInput  = "INPUT"
+	// tableName is the name of the table that is used for filtering by the Netbird client
+	tableName = "netbird"
 )

-// iFaceMapper defines subset methods of interface required for manager
-type iFaceMapper interface {
-	Name() string
-	Address() iface.WGAddress
-	IsUserspaceBind() bool
-}
-
 // Manager of iptables firewall
 type Manager struct {
 	mutex   sync.Mutex
@@ -44,75 +30,35 @@ type Manager struct {
 }

 // Create nftables firewall manager
-func Create(wgIface iFaceMapper) (*Manager, error) {
+func Create(context context.Context, wgIface iFaceMapper) (*Manager, error) {
 	m := &Manager{
 		rConn:   &nftables.Conn{},
 		wgIface: wgIface,
 	}

-	workTable := &nftables.Table{Name: tableNameNetbird, Family: nftables.TableFamilyIPv4}
-
-	var err error
-	m.router, err = newRouter(workTable, wgIface)
+	workTable, err := m.createWorkTable()
 	if err != nil {
-		return nil, fmt.Errorf("create router: %w", err)
+		return nil, err
 	}

-	m.aclManager, err = newAclManager(workTable, wgIface, chainNameRoutingFw)
+	m.router, err = newRouter(context, workTable)
 	if err != nil {
-		return nil, fmt.Errorf("create acl manager: %w", err)
+		return nil, err
+	}
+
+	m.aclManager, err = newAclManager(workTable, wgIface, m.router.RouteingFwChainName())
+	if err != nil {
+		return nil, err
 	}

 	return m, nil
 }

-// Init nftables firewall manager
-func (m *Manager) Init(stateManager *statemanager.Manager) error {
-	workTable, err := m.createWorkTable()
-	if err != nil {
-		return fmt.Errorf("create work table: %w", err)
-	}
-
-	if err := m.router.init(workTable); err != nil {
-		return fmt.Errorf("router init: %w", err)
-	}
-
-	if err := m.aclManager.init(workTable); err != nil {
-		// TODO: cleanup router
-		return fmt.Errorf("acl manager init: %w", err)
-	}
-
-	stateManager.RegisterState(&ShutdownState{})
-
-	// We only need to record minimal interface state for potential recreation.
-	// Unlike iptables, which requires tracking individual rules, nftables maintains
-	// a known state (our netbird table plus a few static rules). This allows for easy
-	// cleanup using Reset() without needing to store specific rules.
-	if err := stateManager.UpdateState(&ShutdownState{
-		InterfaceState: &InterfaceState{
-			NameStr:       m.wgIface.Name(),
-			WGAddress:     m.wgIface.Address(),
-			UserspaceBind: m.wgIface.IsUserspaceBind(),
-		},
-	}); err != nil {
-		log.Errorf("failed to update state: %v", err)
-	}
-
-	// persist early
-	go func() {
-		if err := stateManager.PersistState(context.Background()); err != nil {
-			log.Errorf("failed to persist state: %v", err)
-		}
-	}()
-
-	return nil
-}
-
-// AddPeerFiltering rule to the firewall
+// AddFiltering rule to the firewall
 //
 // If comment argument is empty firewall manager should set
 // rule ID as comment for the rule
-func (m *Manager) AddPeerFiltering(
+func (m *Manager) AddFiltering(
 	ip net.IP,
 	proto firewall.Protocol,
 	sPort *firewall.Port,
@@ -130,52 +76,33 @@ func (m *Manager) AddPeerFiltering(
 		return nil, fmt.Errorf("unsupported IP version: %s", ip.String())
 	}

-	return m.aclManager.AddPeerFiltering(ip, proto, sPort, dPort, direction, action, ipsetName, comment)
+	return m.aclManager.AddFiltering(ip, proto, sPort, dPort, direction, action, ipsetName, comment)
 }

-func (m *Manager) AddRouteFiltering(sources []netip.Prefix, destination netip.Prefix, proto firewall.Protocol, sPort *firewall.Port, dPort *firewall.Port, action firewall.Action) (firewall.Rule, error) {
+// DeleteRule from the firewall by rule definition
+func (m *Manager) DeleteRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if !destination.Addr().Is4() {
-		return nil, fmt.Errorf("unsupported IP version: %s", destination.Addr().String())
-	}
-
-	return m.router.AddRouteFiltering(sources, destination, proto, sPort, dPort, action)
-}
-
-// DeletePeerRule from the firewall by rule definition
-func (m *Manager) DeletePeerRule(rule firewall.Rule) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.aclManager.DeletePeerRule(rule)
-}
-
-// DeleteRouteRule deletes a routing rule
-func (m *Manager) DeleteRouteRule(rule firewall.Rule) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.DeleteRouteRule(rule)
+	return m.aclManager.DeleteRule(rule)
 }

 func (m *Manager) IsServerRouteSupported() bool {
 	return true
 }

-func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
+func (m *Manager) InsertRoutingRules(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.AddNatRule(pair)
+	return m.router.AddRoutingRules(pair)
 }

-func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error {
+func (m *Manager) RemoveRoutingRules(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.RemoveNatRule(pair)
+	return m.router.RemoveRoutingRules(pair)
 }

 // AllowNetbird allows netbird interface traffic
@@ -199,7 +126,7 @@ func (m *Manager) AllowNetbird() error {

 	var chain *nftables.Chain
 	for _, c := range chains {
-		if c.Table.Name == tableNameFilter && c.Name == chainNameInput {
+		if c.Table.Name == "filter" && c.Name == "INPUT" {
 			chain = c
 			break
 		}
@@ -230,86 +157,47 @@ func (m *Manager) AllowNetbird() error {
 	return nil
 }

-// SetLegacyManagement sets the route manager to use legacy management
-func (m *Manager) SetLegacyManagement(isLegacy bool) error {
-	return firewall.SetLegacyManagement(m.router, isLegacy)
-}
-
 // Reset firewall to the default state
-func (m *Manager) Reset(stateManager *statemanager.Manager) error {
+func (m *Manager) Reset() error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if err := m.resetNetbirdInputRules(); err != nil {
-		return fmt.Errorf("reset netbird input rules: %v", err)
-	}
-
-	if err := m.router.Reset(); err != nil {
-		return fmt.Errorf("reset router: %v", err)
-	}
-
-	if err := m.cleanupNetbirdTables(); err != nil {
-		return fmt.Errorf("cleanup netbird tables: %v", err)
-	}
-
-	if err := m.rConn.Flush(); err != nil {
-		return fmt.Errorf(flushError, err)
-	}
-
-	if err := stateManager.DeleteState(&ShutdownState{}); err != nil {
-		return fmt.Errorf("delete state: %v", err)
-	}
-
-	return nil
-}
-
-func (m *Manager) resetNetbirdInputRules() error {
 	chains, err := m.rConn.ListChains()
 	if err != nil {
-		return fmt.Errorf("list chains: %w", err)
+		return fmt.Errorf("list of chains: %w", err)
 	}

-	m.deleteNetbirdInputRules(chains)
-
-	return nil
-}
-
-func (m *Manager) deleteNetbirdInputRules(chains []*nftables.Chain) {
 	for _, c := range chains {
-		if c.Table.Name == tableNameFilter && c.Name == chainNameInput {
+		// delete Netbird allow input traffic rule if it exists
+		if c.Table.Name == "filter" && c.Name == "INPUT" {
 			rules, err := m.rConn.GetRules(c.Table, c)
 			if err != nil {
 				log.Errorf("get rules for chain %q: %v", c.Name, err)
 				continue
 			}
-
-			m.deleteMatchingRules(rules)
-		}
-	}
-}
-
-func (m *Manager) deleteMatchingRules(rules []*nftables.Rule) {
-	for _, r := range rules {
-		if bytes.Equal(r.UserData, []byte(allowNetbirdInputRuleID)) {
-			if err := m.rConn.DelRule(r); err != nil {
-				log.Errorf("delete rule: %v", err)
+			for _, r := range rules {
+				if bytes.Equal(r.UserData, []byte(allowNetbirdInputRuleID)) {
+					if err := m.rConn.DelRule(r); err != nil {
+						log.Errorf("delete rule: %v", err)
+					}
+				}
 			}
 		}
 	}
-}

-func (m *Manager) cleanupNetbirdTables() error {
+	m.router.ResetForwardRules()
+
 	tables, err := m.rConn.ListTables()
 	if err != nil {
-		return fmt.Errorf("list tables: %w", err)
+		return fmt.Errorf("list of tables: %w", err)
 	}
-
 	for _, t := range tables {
-		if t.Name == tableNameNetbird {
+		if t.Name == tableName {
 			m.rConn.DelTable(t)
 		}
 	}
-	return nil
+
+	return m.rConn.Flush()
 }

 // Flush rule/chain/set operations from the buffer
@@ -330,12 +218,12 @@ func (m *Manager) createWorkTable() (*nftables.Table, error) {
 	}

 	for _, t := range tables {
-		if t.Name == tableNameNetbird {
+		if t.Name == tableName {
 			m.rConn.DelTable(t)
 		}
 	}

-	table := m.rConn.AddTable(&nftables.Table{Name: tableNameNetbird, Family: nftables.TableFamilyIPv4})
+	table := m.rConn.AddTable(&nftables.Table{Name: tableName, Family: nftables.TableFamilyIPv4})
 	err = m.rConn.Flush()
 	return table, err
 }
@@ -363,7 +251,7 @@ func (m *Manager) applyAllowNetbirdRules(chain *nftables.Chain) {
 func (m *Manager) detectAllowNetbirdRule(existedRules []*nftables.Rule) *nftables.Rule {
 	ifName := ifname(m.wgIface.Name())
 	for _, rule := range existedRules {
-		if rule.Table.Name == tableNameFilter && rule.Chain.Name == chainNameInput {
+		if rule.Table.Name == "filter" && rule.Chain.Name == "INPUT" {
 			if len(rule.Exprs) < 4 {
 				if e, ok := rule.Exprs[0].(*expr.Meta); !ok || e.Key != expr.MetaKeyIIFNAME {
 					continue
@@ -377,38 +265,3 @@ func (m *Manager) detectAllowNetbirdRule(existedRules []*nftables.Rule) *nftable
 	}
 	return nil
 }
-
-func insertReturnTrafficRule(conn *nftables.Conn, table *nftables.Table, chain *nftables.Chain) {
-	rule := &nftables.Rule{
-		Table: table,
-		Chain: chain,
-		Exprs: getEstablishedExprs(1),
-	}
-
-	conn.InsertRule(rule)
-}
-
-func getEstablishedExprs(register uint32) []expr.Any {
-	return []expr.Any{
-		&expr.Ct{
-			Key:      expr.CtKeySTATE,
-			Register: register,
-		},
-		&expr.Bitwise{
-			SourceRegister: register,
-			DestRegister:   register,
-			Len:            4,
-			Mask:           binaryutil.NativeEndian.PutUint32(expr.CtStateBitESTABLISHED | expr.CtStateBitRELATED),
-			Xor:            binaryutil.NativeEndian.PutUint32(0),
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpNeq,
-			Register: register,
-			Data:     []byte{0, 0, 0, 0},
-		},
-		&expr.Counter{},
-		&expr.Verdict{
-			Kind: expr.VerdictAccept,
-		},
-	}
-}
--- a/client/firewall/nftables/manager_linux_test.go
+++ b/client/firewall/nftables/manager_linux_test.go
@@ -1,39 +1,22 @@
 package nftables

 import (
-	"bytes"
+	"context"
 	"fmt"
 	"net"
 	"net/netip"
-	"os/exec"
 	"testing"
 	"time"

 	"github.com/google/nftables"
-	"github.com/google/nftables/binaryutil"
 	"github.com/google/nftables/expr"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/sys/unix"

 	fw "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/iface"
+	"github.com/netbirdio/netbird/iface"
 )

-var ifaceMock = &iFaceMock{
-	NameFunc: func() string {
-		return "lo"
-	},
-	AddressFunc: func() iface.WGAddress {
-		return iface.WGAddress{
-			IP: net.ParseIP("100.96.0.1"),
-			Network: &net.IPNet{
-				IP:   net.ParseIP("100.96.0.0"),
-				Mask: net.IPv4Mask(255, 255, 255, 0),
-			},
-		}
-	},
-}
-
 // iFaceMapper defines subset methods of interface required for manager
 type iFaceMock struct {
 	NameFunc    func() string
@@ -57,15 +40,28 @@ func (i *iFaceMock) Address() iface.WGAddress {
 func (i *iFaceMock) IsUserspaceBind() bool { return false }

 func TestNftablesManager(t *testing.T) {
+	mock := &iFaceMock{
+		NameFunc: func() string {
+			return "lo"
+		},
+		AddressFunc: func() iface.WGAddress {
+			return iface.WGAddress{
+				IP: net.ParseIP("100.96.0.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("100.96.0.0"),
+					Mask: net.IPv4Mask(255, 255, 255, 0),
+				},
+			}
+		},
+	}

 	// just check on the local interface
-	manager, err := Create(ifaceMock)
+	manager, err := Create(context.Background(), mock)
 	require.NoError(t, err)
-	require.NoError(t, manager.Init(nil))
 	time.Sleep(time.Second * 3)

 	defer func() {
-		err = manager.Reset(nil)
+		err = manager.Reset()
 		require.NoError(t, err, "failed to reset")
 		time.Sleep(time.Second)
 	}()
@@ -74,7 +70,7 @@ func TestNftablesManager(t *testing.T) {

 	testClient := &nftables.Conn{}

-	rule, err := manager.AddPeerFiltering(
+	rule, err := manager.AddFiltering(
 		ip,
 		fw.ProtocolTCP,
 		nil,
@@ -92,35 +88,17 @@ func TestNftablesManager(t *testing.T) {
 	rules, err := testClient.GetRules(manager.aclManager.workTable, manager.aclManager.chainInputRules)
 	require.NoError(t, err, "failed to get rules")

-	require.Len(t, rules, 2, "expected 2 rules")
-
-	expectedExprs1 := []expr.Any{
-		&expr.Ct{
-			Key:      expr.CtKeySTATE,
-			Register: 1,
-		},
-		&expr.Bitwise{
-			SourceRegister: 1,
-			DestRegister:   1,
-			Len:            4,
-			Mask:           binaryutil.NativeEndian.PutUint32(expr.CtStateBitESTABLISHED | expr.CtStateBitRELATED),
-			Xor:            binaryutil.NativeEndian.PutUint32(0),
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpNeq,
-			Register: 1,
-			Data:     []byte{0, 0, 0, 0},
-		},
-		&expr.Counter{},
-		&expr.Verdict{
-			Kind: expr.VerdictAccept,
-		},
-	}
-	require.ElementsMatch(t, rules[0].Exprs, expectedExprs1, "expected the same expressions")
+	require.Len(t, rules, 1, "expected 1 rules")

 	ipToAdd, _ := netip.AddrFromSlice(ip)
 	add := ipToAdd.Unmap()
-	expectedExprs2 := []expr.Any{
+	expectedExprs := []expr.Any{
+		&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     ifname("lo"),
+		},
 		&expr.Payload{
 			DestRegister: 1,
 			Base:         expr.PayloadBaseNetworkHeader,
@@ -156,10 +134,10 @@ func TestNftablesManager(t *testing.T) {
 		},
 		&expr.Verdict{Kind: expr.VerdictDrop},
 	}
-	require.ElementsMatch(t, rules[1].Exprs, expectedExprs2, "expected the same expressions")
+	require.ElementsMatch(t, rules[0].Exprs, expectedExprs, "expected the same expressions")

 	for _, r := range rule {
-		err = manager.DeletePeerRule(r)
+		err = manager.DeleteRule(r)
 		require.NoError(t, err, "failed to delete rule")
 	}

@@ -168,10 +146,9 @@ func TestNftablesManager(t *testing.T) {

 	rules, err = testClient.GetRules(manager.aclManager.workTable, manager.aclManager.chainInputRules)
 	require.NoError(t, err, "failed to get rules")
-	// established rule remains
-	require.Len(t, rules, 1, "expected 1 rules after deletion")
+	require.Len(t, rules, 0, "expected 0 rules after deletion")

-	err = manager.Reset(nil)
+	err = manager.Reset()
 	require.NoError(t, err, "failed to reset")
 }

@@ -194,13 +171,12 @@ func TestNFtablesCreatePerformance(t *testing.T) {
 	for _, testMax := range []int{10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000} {
 		t.Run(fmt.Sprintf("Testing %d rules", testMax), func(t *testing.T) {
 			// just check on the local interface
-			manager, err := Create(mock)
+			manager, err := Create(context.Background(), mock)
 			require.NoError(t, err)
-			require.NoError(t, manager.Init(nil))
 			time.Sleep(time.Second * 3)

 			defer func() {
-				if err := manager.Reset(nil); err != nil {
+				if err := manager.Reset(); err != nil {
 					t.Errorf("clear the manager state: %v", err)
 				}
 				time.Sleep(time.Second)
@@ -211,9 +187,9 @@ func TestNFtablesCreatePerformance(t *testing.T) {
 			for i := 0; i < testMax; i++ {
 				port := &fw.Port{Values: []int{1000 + i}}
 				if i%2 == 0 {
-					_, err = manager.AddPeerFiltering(ip, "tcp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "", "accept HTTP traffic")
+					_, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "", "accept HTTP traffic")
 				} else {
-					_, err = manager.AddPeerFiltering(ip, "tcp", nil, port, fw.RuleDirectionIN, fw.ActionAccept, "", "accept HTTP traffic")
+					_, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionIN, fw.ActionAccept, "", "accept HTTP traffic")
 				}
 				require.NoError(t, err, "failed to add rule")

@@ -227,105 +203,3 @@ func TestNFtablesCreatePerformance(t *testing.T) {
 		})
 	}
 }
-
-func runIptablesSave(t *testing.T) (string, string) {
-	t.Helper()
-	var stdout, stderr bytes.Buffer
-	cmd := exec.Command("iptables-save")
-	cmd.Stdout = &stdout
-	cmd.Stderr = &stderr
-
-	err := cmd.Run()
-	require.NoError(t, err, "iptables-save failed to run")
-
-	return stdout.String(), stderr.String()
-}
-
-func verifyIptablesOutput(t *testing.T, stdout, stderr string) {
-	t.Helper()
-	// Check for any incompatibility warnings
-	require.NotContains(t,
-		stderr,
-		"incompatible",
-		"iptables-save produced compatibility warning. Full stderr: %s",
-		stderr,
-	)
-
-	// Verify standard tables are present
-	expectedTables := []string{
-		"*filter",
-		"*nat",
-		"*mangle",
-	}
-
-	for _, table := range expectedTables {
-		require.Contains(t,
-			stdout,
-			table,
-			"iptables-save output missing expected table: %s\nFull stdout: %s",
-			table,
-			stdout,
-		)
-	}
-}
-
-func TestNftablesManagerCompatibilityWithIptables(t *testing.T) {
-	if check() != NFTABLES {
-		t.Skip("nftables not supported on this system")
-	}
-
-	if _, err := exec.LookPath("iptables-save"); err != nil {
-		t.Skipf("iptables-save not available on this system: %v", err)
-	}
-
-	// First ensure iptables-nft tables exist by running iptables-save
-	stdout, stderr := runIptablesSave(t)
-	verifyIptablesOutput(t, stdout, stderr)
-
-	manager, err := Create(ifaceMock)
-	require.NoError(t, err, "failed to create manager")
-	require.NoError(t, manager.Init(nil))
-
-	t.Cleanup(func() {
-		err := manager.Reset(nil)
-		require.NoError(t, err, "failed to reset manager state")
-
-		// Verify iptables output after reset
-		stdout, stderr := runIptablesSave(t)
-		verifyIptablesOutput(t, stdout, stderr)
-	})
-
-	ip := net.ParseIP("100.96.0.1")
-	_, err = manager.AddPeerFiltering(
-		ip,
-		fw.ProtocolTCP,
-		nil,
-		&fw.Port{Values: []int{80}},
-		fw.RuleDirectionIN,
-		fw.ActionAccept,
-		"",
-		"test rule",
-	)
-	require.NoError(t, err, "failed to add peer filtering rule")
-
-	_, err = manager.AddRouteFiltering(
-		[]netip.Prefix{netip.MustParsePrefix("192.168.2.0/24")},
-		netip.MustParsePrefix("10.1.0.0/24"),
-		fw.ProtocolTCP,
-		nil,
-		&fw.Port{Values: []int{443}},
-		fw.ActionAccept,
-	)
-	require.NoError(t, err, "failed to add route filtering rule")
-
-	pair := fw.RouterPair{
-		Source:      netip.MustParsePrefix("192.168.1.0/24"),
-		Destination: netip.MustParsePrefix("10.0.0.0/24"),
-		Masquerade:  true,
-	}
-	err = manager.AddNatRule(pair)
-	require.NoError(t, err, "failed to add NAT rule")
-
-	stdout, stderr = runIptablesSave(t)
-	verifyIptablesOutput(t, stdout, stderr)
-}
--- a/client/firewall/nftables/route_linux.go
+++ b/client/firewall/nftables/route_linux.go
@@ -0,0 +1,431 @@
+package nftables
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"net/netip"
+
+	"github.com/google/nftables"
+	"github.com/google/nftables/binaryutil"
+	"github.com/google/nftables/expr"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/firewall/manager"
+)
+
+const (
+	chainNameRouteingFw = "netbird-rt-fwd"
+	chainNameRoutingNat = "netbird-rt-nat"
+
+	userDataAcceptForwardRuleSrc = "frwacceptsrc"
+	userDataAcceptForwardRuleDst = "frwacceptdst"
+
+	loopbackInterface = "lo\x00"
+)
+
+// some presets for building nftable rules
+var (
+	zeroXor = binaryutil.NativeEndian.PutUint32(0)
+
+	exprCounterAccept = []expr.Any{
+		&expr.Counter{},
+		&expr.Verdict{
+			Kind: expr.VerdictAccept,
+		},
+	}
+
+	errFilterTableNotFound = fmt.Errorf("nftables: 'filter' table not found")
+)
+
+type router struct {
+	ctx         context.Context
+	stop        context.CancelFunc
+	conn        *nftables.Conn
+	workTable   *nftables.Table
+	filterTable *nftables.Table
+	chains      map[string]*nftables.Chain
+	// rules is useful to avoid duplicates and to get missing attributes that we don't have when adding new rules
+	rules                    map[string]*nftables.Rule
+	isDefaultFwdRulesEnabled bool
+}
+
+func newRouter(parentCtx context.Context, workTable *nftables.Table) (*router, error) {
+	ctx, cancel := context.WithCancel(parentCtx)
+
+	r := &router{
+		ctx:       ctx,
+		stop:      cancel,
+		conn:      &nftables.Conn{},
+		workTable: workTable,
+		chains:    make(map[string]*nftables.Chain),
+		rules:     make(map[string]*nftables.Rule),
+	}
+
+	var err error
+	r.filterTable, err = r.loadFilterTable()
+	if err != nil {
+		if errors.Is(err, errFilterTableNotFound) {
+			log.Warnf("table 'filter' not found for forward rules")
+		} else {
+			return nil, err
+		}
+	}
+
+	err = r.cleanUpDefaultForwardRules()
+	if err != nil {
+		log.Errorf("failed to clean up rules from FORWARD chain: %s", err)
+	}
+
+	err = r.createContainers()
+	if err != nil {
+		log.Errorf("failed to create containers for route: %s", err)
+	}
+	return r, err
+}
+
+func (r *router) RouteingFwChainName() string {
+	return chainNameRouteingFw
+}
+
+// ResetForwardRules cleans existing nftables default forward rules from the system
+func (r *router) ResetForwardRules() {
+	err := r.cleanUpDefaultForwardRules()
+	if err != nil {
+		log.Errorf("failed to reset forward rules: %s", err)
+	}
+}
+
+func (r *router) loadFilterTable() (*nftables.Table, error) {
+	tables, err := r.conn.ListTablesOfFamily(nftables.TableFamilyIPv4)
+	if err != nil {
+		return nil, fmt.Errorf("nftables: unable to list tables: %v", err)
+	}
+
+	for _, table := range tables {
+		if table.Name == "filter" {
+			return table, nil
+		}
+	}
+
+	return nil, errFilterTableNotFound
+}
+
+func (r *router) createContainers() error {
+
+	r.chains[chainNameRouteingFw] = r.conn.AddChain(&nftables.Chain{
+		Name:  chainNameRouteingFw,
+		Table: r.workTable,
+	})
+
+	r.chains[chainNameRoutingNat] = r.conn.AddChain(&nftables.Chain{
+		Name:     chainNameRoutingNat,
+		Table:    r.workTable,
+		Hooknum:  nftables.ChainHookPostrouting,
+		Priority: nftables.ChainPriorityNATSource - 1,
+		Type:     nftables.ChainTypeNAT,
+	})
+
+	// Add RETURN rule for loopback interface
+	loRule := &nftables.Rule{
+		Table: r.workTable,
+		Chain: r.chains[chainNameRoutingNat],
+		Exprs: []expr.Any{
+			&expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1},
+			&expr.Cmp{
+				Op:       expr.CmpOpEq,
+				Register: 1,
+				Data:     []byte(loopbackInterface),
+			},
+			&expr.Verdict{Kind: expr.VerdictReturn},
+		},
+	}
+	r.conn.InsertRule(loRule)
+
+	err := r.refreshRulesMap()
+	if err != nil {
+		log.Errorf("failed to clean up rules from FORWARD chain: %s", err)
+	}
+
+	err = r.conn.Flush()
+	if err != nil {
+		return fmt.Errorf("nftables: unable to initialize table: %v", err)
+	}
+	return nil
+}
+
+// AddRoutingRules appends a nftable rule pair to the forwarding chain and if enabled, to the nat chain
+func (r *router) AddRoutingRules(pair manager.RouterPair) error {
+	err := r.refreshRulesMap()
+	if err != nil {
+		return err
+	}
+
+	err = r.addRoutingRule(manager.ForwardingFormat, chainNameRouteingFw, pair, false)
+	if err != nil {
+		return err
+	}
+	err = r.addRoutingRule(manager.InForwardingFormat, chainNameRouteingFw, manager.GetInPair(pair), false)
+	if err != nil {
+		return err
+	}
+
+	if pair.Masquerade {
+		err = r.addRoutingRule(manager.NatFormat, chainNameRoutingNat, pair, true)
+		if err != nil {
+			return err
+		}
+		err = r.addRoutingRule(manager.InNatFormat, chainNameRoutingNat, manager.GetInPair(pair), true)
+		if err != nil {
+			return err
+		}
+	}
+
+	if r.filterTable != nil && !r.isDefaultFwdRulesEnabled {
+		log.Debugf("add default accept forward rule")
+		r.acceptForwardRule(pair.Source)
+	}
+
+	err = r.conn.Flush()
+	if err != nil {
+		return fmt.Errorf("nftables: unable to insert rules for %s: %v", pair.Destination, err)
+	}
+	return nil
+}
+
+// addRoutingRule inserts a nftable rule to the conn client flush queue
+func (r *router) addRoutingRule(format, chainName string, pair manager.RouterPair, isNat bool) error {
+	sourceExp := generateCIDRMatcherExpressions(true, pair.Source)
+	destExp := generateCIDRMatcherExpressions(false, pair.Destination)
+
+	var expression []expr.Any
+	if isNat {
+		expression = append(sourceExp, append(destExp, &expr.Counter{}, &expr.Masq{})...) // nolint:gocritic
+	} else {
+		expression = append(sourceExp, append(destExp, exprCounterAccept...)...) // nolint:gocritic
+	}
+
+	ruleKey := manager.GenKey(format, pair.ID)
+
+	_, exists := r.rules[ruleKey]
+	if exists {
+		err := r.removeRoutingRule(format, pair)
+		if err != nil {
+			return err
+		}
+	}
+
+	r.rules[ruleKey] = r.conn.AddRule(&nftables.Rule{
+		Table:    r.workTable,
+		Chain:    r.chains[chainName],
+		Exprs:    expression,
+		UserData: []byte(ruleKey),
+	})
+	return nil
+}
+
+func (r *router) acceptForwardRule(sourceNetwork string) {
+	src := generateCIDRMatcherExpressions(true, sourceNetwork)
+	dst := generateCIDRMatcherExpressions(false, "0.0.0.0/0")
+
+	var exprs []expr.Any
+	exprs = append(src, append(dst, &expr.Verdict{ // nolint:gocritic
+		Kind: expr.VerdictAccept,
+	})...)
+
+	rule := &nftables.Rule{
+		Table: r.filterTable,
+		Chain: &nftables.Chain{
+			Name:     "FORWARD",
+			Table:    r.filterTable,
+			Type:     nftables.ChainTypeFilter,
+			Hooknum:  nftables.ChainHookForward,
+			Priority: nftables.ChainPriorityFilter,
+		},
+		Exprs:    exprs,
+		UserData: []byte(userDataAcceptForwardRuleSrc),
+	}
+
+	r.conn.AddRule(rule)
+
+	src = generateCIDRMatcherExpressions(true, "0.0.0.0/0")
+	dst = generateCIDRMatcherExpressions(false, sourceNetwork)
+
+	exprs = append(src, append(dst, &expr.Verdict{ //nolint:gocritic
+		Kind: expr.VerdictAccept,
+	})...)
+
+	rule = &nftables.Rule{
+		Table: r.filterTable,
+		Chain: &nftables.Chain{
+			Name:     "FORWARD",
+			Table:    r.filterTable,
+			Type:     nftables.ChainTypeFilter,
+			Hooknum:  nftables.ChainHookForward,
+			Priority: nftables.ChainPriorityFilter,
+		},
+		Exprs:    exprs,
+		UserData: []byte(userDataAcceptForwardRuleDst),
+	}
+	r.conn.AddRule(rule)
+	r.isDefaultFwdRulesEnabled = true
+}
+
+// RemoveRoutingRules removes a nftable rule pair from forwarding and nat chains
+func (r *router) RemoveRoutingRules(pair manager.RouterPair) error {
+	err := r.refreshRulesMap()
+	if err != nil {
+		return err
+	}
+
+	err = r.removeRoutingRule(manager.ForwardingFormat, pair)
+	if err != nil {
+		return err
+	}
+
+	err = r.removeRoutingRule(manager.InForwardingFormat, manager.GetInPair(pair))
+	if err != nil {
+		return err
+	}
+
+	err = r.removeRoutingRule(manager.NatFormat, pair)
+	if err != nil {
+		return err
+	}
+
+	err = r.removeRoutingRule(manager.InNatFormat, manager.GetInPair(pair))
+	if err != nil {
+		return err
+	}
+
+	if len(r.rules) == 0 {
+		err := r.cleanUpDefaultForwardRules()
+		if err != nil {
+			log.Errorf("failed to clean up rules from FORWARD chain: %s", err)
+		}
+	}
+
+	err = r.conn.Flush()
+	if err != nil {
+		return fmt.Errorf("nftables: received error while applying rule removal for %s: %v", pair.Destination, err)
+	}
+	log.Debugf("nftables: removed rules for %s", pair.Destination)
+	return nil
+}
+
+// removeRoutingRule add a nftable rule to the removal queue and delete from rules map
+func (r *router) removeRoutingRule(format string, pair manager.RouterPair) error {
+	ruleKey := manager.GenKey(format, pair.ID)
+
+	rule, found := r.rules[ruleKey]
+	if found {
+		ruleType := "forwarding"
+		if rule.Chain.Type == nftables.ChainTypeNAT {
+			ruleType = "nat"
+		}
+
+		err := r.conn.DelRule(rule)
+		if err != nil {
+			return fmt.Errorf("nftables: unable to remove %s rule for %s: %v", ruleType, pair.Destination, err)
+		}
+
+		log.Debugf("nftables: removing %s rule for %s", ruleType, pair.Destination)
+
+		delete(r.rules, ruleKey)
+	}
+	return nil
+}
+
+// refreshRulesMap refreshes the rule map with the latest rules. this is useful to avoid
+// duplicates and to get missing attributes that we don't have when adding new rules
+func (r *router) refreshRulesMap() error {
+	for _, chain := range r.chains {
+		rules, err := r.conn.GetRules(chain.Table, chain)
+		if err != nil {
+			return fmt.Errorf("nftables: unable to list rules: %v", err)
+		}
+		for _, rule := range rules {
+			if len(rule.UserData) > 0 {
+				r.rules[string(rule.UserData)] = rule
+			}
+		}
+	}
+	return nil
+}
+
+func (r *router) cleanUpDefaultForwardRules() error {
+	if r.filterTable == nil {
+		r.isDefaultFwdRulesEnabled = false
+		return nil
+	}
+
+	chains, err := r.conn.ListChainsOfTableFamily(nftables.TableFamilyIPv4)
+	if err != nil {
+		return err
+	}
+
+	var rules []*nftables.Rule
+	for _, chain := range chains {
+		if chain.Table.Name != r.filterTable.Name {
+			continue
+		}
+		if chain.Name != "FORWARD" {
+			continue
+		}
+
+		rules, err = r.conn.GetRules(r.filterTable, chain)
+		if err != nil {
+			return err
+		}
+	}
+
+	for _, rule := range rules {
+		if bytes.Equal(rule.UserData, []byte(userDataAcceptForwardRuleSrc)) || bytes.Equal(rule.UserData, []byte(userDataAcceptForwardRuleDst)) {
+			err := r.conn.DelRule(rule)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	r.isDefaultFwdRulesEnabled = false
+	return r.conn.Flush()
+}
+
+// generateCIDRMatcherExpressions generates nftables expressions that matches a CIDR
+func generateCIDRMatcherExpressions(source bool, cidr string) []expr.Any {
+	ip, network, _ := net.ParseCIDR(cidr)
+	ipToAdd, _ := netip.AddrFromSlice(ip)
+	add := ipToAdd.Unmap()
+
+	var offSet uint32
+	if source {
+		offSet = 12 // src offset
+	} else {
+		offSet = 16 // dst offset
+	}
+
+	return []expr.Any{
+		// fetch src add
+		&expr.Payload{
+			DestRegister: 1,
+			Base:         expr.PayloadBaseNetworkHeader,
+			Offset:       offSet,
+			Len:          4,
+		},
+		// net mask
+		&expr.Bitwise{
+			DestRegister:   1,
+			SourceRegister: 1,
+			Len:            4,
+			Mask:           network.Mask,
+			Xor:            zeroXor,
+		},
+		// net address
+		&expr.Cmp{
+			Register: 1,
+			Data:     add.AsSlice(),
+		},
+	}
+}
--- a/client/firewall/nftables/router_linux.go
+++ b/client/firewall/nftables/router_linux.go
@@ -1,989 +0,0 @@
-package nftables
-
-import (
-	"bytes"
-	"encoding/binary"
-	"errors"
-	"fmt"
-	"net"
-	"net/netip"
-	"strings"
-
-	"github.com/coreos/go-iptables/iptables"
-	"github.com/davecgh/go-spew/spew"
-	"github.com/google/nftables"
-	"github.com/google/nftables/binaryutil"
-	"github.com/google/nftables/expr"
-	"github.com/hashicorp/go-multierror"
-	log "github.com/sirupsen/logrus"
-
-	nberrors "github.com/netbirdio/netbird/client/errors"
-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/internal/acl/id"
-	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
-	nbnet "github.com/netbirdio/netbird/util/net"
-)
-
-const (
-	chainNameRoutingFw  = "netbird-rt-fwd"
-	chainNameRoutingNat = "netbird-rt-postrouting"
-	chainNameForward    = "FORWARD"
-
-	userDataAcceptForwardRuleIif = "frwacceptiif"
-	userDataAcceptForwardRuleOif = "frwacceptoif"
-)
-
-const refreshRulesMapError = "refresh rules map: %w"
-
-var (
-	errFilterTableNotFound = fmt.Errorf("nftables: 'filter' table not found")
-)
-
-type router struct {
-	conn        *nftables.Conn
-	workTable   *nftables.Table
-	filterTable *nftables.Table
-	chains      map[string]*nftables.Chain
-	// rules is useful to avoid duplicates and to get missing attributes that we don't have when adding new rules
-	rules        map[string]*nftables.Rule
-	ipsetCounter *refcounter.Counter[string, []netip.Prefix, *nftables.Set]
-
-	wgIface          iFaceMapper
-	legacyManagement bool
-}
-
-func newRouter(workTable *nftables.Table, wgIface iFaceMapper) (*router, error) {
-	r := &router{
-		conn:      &nftables.Conn{},
-		workTable: workTable,
-		chains:    make(map[string]*nftables.Chain),
-		rules:     make(map[string]*nftables.Rule),
-		wgIface:   wgIface,
-	}
-
-	r.ipsetCounter = refcounter.New(
-		r.createIpSet,
-		r.deleteIpSet,
-	)
-
-	var err error
-	r.filterTable, err = r.loadFilterTable()
-	if err != nil {
-		if errors.Is(err, errFilterTableNotFound) {
-			log.Warnf("table 'filter' not found for forward rules")
-		} else {
-			return nil, fmt.Errorf("load filter table: %w", err)
-		}
-	}
-
-	return r, nil
-}
-
-func (r *router) init(workTable *nftables.Table) error {
-	r.workTable = workTable
-
-	if err := r.removeAcceptForwardRules(); err != nil {
-		log.Errorf("failed to clean up rules from FORWARD chain: %s", err)
-	}
-
-	if err := r.createContainers(); err != nil {
-		return fmt.Errorf("create containers: %w", err)
-	}
-
-	return nil
-}
-
-// Reset cleans existing nftables default forward rules from the system
-func (r *router) Reset() error {
-	// clear without deleting the ipsets, the nf table will be deleted by the caller
-	r.ipsetCounter.Clear()
-
-	return r.removeAcceptForwardRules()
-}
-
-func (r *router) loadFilterTable() (*nftables.Table, error) {
-	tables, err := r.conn.ListTablesOfFamily(nftables.TableFamilyIPv4)
-	if err != nil {
-		return nil, fmt.Errorf("nftables: unable to list tables: %v", err)
-	}
-
-	for _, table := range tables {
-		if table.Name == "filter" {
-			return table, nil
-		}
-	}
-
-	return nil, errFilterTableNotFound
-}
-
-func (r *router) createContainers() error {
-	r.chains[chainNameRoutingFw] = r.conn.AddChain(&nftables.Chain{
-		Name:  chainNameRoutingFw,
-		Table: r.workTable,
-	})
-
-	insertReturnTrafficRule(r.conn, r.workTable, r.chains[chainNameRoutingFw])
-
-	prio := *nftables.ChainPriorityNATSource - 1
-	r.chains[chainNameRoutingNat] = r.conn.AddChain(&nftables.Chain{
-		Name:     chainNameRoutingNat,
-		Table:    r.workTable,
-		Hooknum:  nftables.ChainHookPostrouting,
-		Priority: &prio,
-		Type:     nftables.ChainTypeNAT,
-	})
-
-	// Chain is created by acl manager
-	// TODO: move creation to a common place
-	r.chains[chainNamePrerouting] = &nftables.Chain{
-		Name:     chainNamePrerouting,
-		Table:    r.workTable,
-		Type:     nftables.ChainTypeFilter,
-		Hooknum:  nftables.ChainHookPrerouting,
-		Priority: nftables.ChainPriorityMangle,
-	}
-
-	// Add the single NAT rule that matches on mark
-	if err := r.addPostroutingRules(); err != nil {
-		return fmt.Errorf("add single nat rule: %v", err)
-	}
-
-	if err := r.acceptForwardRules(); err != nil {
-		log.Errorf("failed to add accept rules for the forward chain: %s", err)
-	}
-
-	if err := r.refreshRulesMap(); err != nil {
-		log.Errorf("failed to clean up rules from FORWARD chain: %s", err)
-	}
-
-	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf("nftables: unable to initialize table: %v", err)
-	}
-
-	return nil
-}
-
-// AddRouteFiltering appends a nftables rule to the routing chain
-func (r *router) AddRouteFiltering(
-	sources []netip.Prefix,
-	destination netip.Prefix,
-	proto firewall.Protocol,
-	sPort *firewall.Port,
-	dPort *firewall.Port,
-	action firewall.Action,
-) (firewall.Rule, error) {
-
-	ruleKey := id.GenerateRouteRuleKey(sources, destination, proto, sPort, dPort, action)
-	if _, ok := r.rules[string(ruleKey)]; ok {
-		return ruleKey, nil
-	}
-
-	chain := r.chains[chainNameRoutingFw]
-	var exprs []expr.Any
-
-	switch {
-	case len(sources) == 1 && sources[0].Bits() == 0:
-		// If it's 0.0.0.0/0, we don't need to add any source matching
-	case len(sources) == 1:
-		// If there's only one source, we can use it directly
-		exprs = append(exprs, generateCIDRMatcherExpressions(true, sources[0])...)
-	default:
-		// If there are multiple sources, create or get an ipset
-		var err error
-		exprs, err = r.getIpSetExprs(sources, exprs)
-		if err != nil {
-			return nil, fmt.Errorf("get ipset expressions: %w", err)
-		}
-	}
-
-	// Handle destination
-	exprs = append(exprs, generateCIDRMatcherExpressions(false, destination)...)
-
-	// Handle protocol
-	if proto != firewall.ProtocolALL {
-		protoNum, err := protoToInt(proto)
-		if err != nil {
-			return nil, fmt.Errorf("convert protocol to number: %w", err)
-		}
-		exprs = append(exprs, &expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1})
-		exprs = append(exprs, &expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     []byte{protoNum},
-		})
-
-		exprs = append(exprs, applyPort(sPort, true)...)
-		exprs = append(exprs, applyPort(dPort, false)...)
-	}
-
-	exprs = append(exprs, &expr.Counter{})
-
-	var verdict expr.VerdictKind
-	if action == firewall.ActionAccept {
-		verdict = expr.VerdictAccept
-	} else {
-		verdict = expr.VerdictDrop
-	}
-	exprs = append(exprs, &expr.Verdict{Kind: verdict})
-
-	rule := &nftables.Rule{
-		Table:    r.workTable,
-		Chain:    chain,
-		Exprs:    exprs,
-		UserData: []byte(ruleKey),
-	}
-
-	rule = r.conn.AddRule(rule)
-
-	log.Tracef("Adding route rule %s", spew.Sdump(rule))
-	if err := r.conn.Flush(); err != nil {
-		return nil, fmt.Errorf(flushError, err)
-	}
-
-	r.rules[string(ruleKey)] = rule
-
-	log.Debugf("nftables: added route rule: sources=%v, destination=%v, proto=%v, sPort=%v, dPort=%v, action=%v", sources, destination, proto, sPort, dPort, action)
-
-	return ruleKey, nil
-}
-
-func (r *router) getIpSetExprs(sources []netip.Prefix, exprs []expr.Any) ([]expr.Any, error) {
-	setName := firewall.GenerateSetName(sources)
-	ref, err := r.ipsetCounter.Increment(setName, sources)
-	if err != nil {
-		return nil, fmt.Errorf("create or get ipset for sources: %w", err)
-	}
-
-	exprs = append(exprs,
-		&expr.Payload{
-			DestRegister: 1,
-			Base:         expr.PayloadBaseNetworkHeader,
-			Offset:       12,
-			Len:          4,
-		},
-		&expr.Lookup{
-			SourceRegister: 1,
-			SetName:        ref.Out.Name,
-			SetID:          ref.Out.ID,
-		},
-	)
-	return exprs, nil
-}
-
-func (r *router) DeleteRouteRule(rule firewall.Rule) error {
-	if err := r.refreshRulesMap(); err != nil {
-		return fmt.Errorf(refreshRulesMapError, err)
-	}
-
-	ruleKey := rule.GetRuleID()
-	nftRule, exists := r.rules[ruleKey]
-	if !exists {
-		log.Debugf("route rule %s not found", ruleKey)
-		return nil
-	}
-
-	if nftRule.Handle == 0 {
-		return fmt.Errorf("route rule %s has no handle", ruleKey)
-	}
-
-	setName := r.findSetNameInRule(nftRule)
-
-	if err := r.deleteNftRule(nftRule, ruleKey); err != nil {
-		return fmt.Errorf("delete: %w", err)
-	}
-
-	if setName != "" {
-		if _, err := r.ipsetCounter.Decrement(setName); err != nil {
-			return fmt.Errorf("decrement ipset reference: %w", err)
-		}
-	}
-
-	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf(flushError, err)
-	}
-
-	return nil
-}
-
-func (r *router) createIpSet(setName string, sources []netip.Prefix) (*nftables.Set, error) {
-	// overlapping prefixes will result in an error, so we need to merge them
-	sources = firewall.MergeIPRanges(sources)
-
-	set := &nftables.Set{
-		Name:  setName,
-		Table: r.workTable,
-		// required for prefixes
-		Interval: true,
-		KeyType:  nftables.TypeIPAddr,
-	}
-
-	var elements []nftables.SetElement
-	for _, prefix := range sources {
-		// TODO: Implement IPv6 support
-		if prefix.Addr().Is6() {
-			log.Printf("Skipping IPv6 prefix %s: IPv6 support not yet implemented", prefix)
-			continue
-		}
-
-		// nftables needs half-open intervals [firstIP, lastIP) for prefixes
-		// e.g. 10.0.0.0/24 becomes [10.0.0.0, 10.0.1.0), 10.1.1.1/32 becomes [10.1.1.1, 10.1.1.2) etc
-		firstIP := prefix.Addr()
-		lastIP := calculateLastIP(prefix).Next()
-
-		elements = append(elements,
-			// the nft tool also adds a line like this, see https://github.com/google/nftables/issues/247
-			// nftables.SetElement{Key: []byte{0, 0, 0, 0}, IntervalEnd: true},
-			nftables.SetElement{Key: firstIP.AsSlice()},
-			nftables.SetElement{Key: lastIP.AsSlice(), IntervalEnd: true},
-		)
-	}
-
-	if err := r.conn.AddSet(set, elements); err != nil {
-		return nil, fmt.Errorf("error adding elements to set %s: %w", setName, err)
-	}
-
-	if err := r.conn.Flush(); err != nil {
-		return nil, fmt.Errorf("flush error: %w", err)
-	}
-
-	log.Printf("Created new ipset: %s with %d elements", setName, len(elements)/2)
-
-	return set, nil
-}
-
-// calculateLastIP determines the last IP in a given prefix.
-func calculateLastIP(prefix netip.Prefix) netip.Addr {
-	hostMask := ^uint32(0) >> prefix.Masked().Bits()
-	lastIP := uint32FromNetipAddr(prefix.Addr()) | hostMask
-
-	return netip.AddrFrom4(uint32ToBytes(lastIP))
-}
-
-// Utility function to convert netip.Addr to uint32.
-func uint32FromNetipAddr(addr netip.Addr) uint32 {
-	b := addr.As4()
-	return binary.BigEndian.Uint32(b[:])
-}
-
-// Utility function to convert uint32 to a netip-compatible byte slice.
-func uint32ToBytes(ip uint32) [4]byte {
-	var b [4]byte
-	binary.BigEndian.PutUint32(b[:], ip)
-	return b
-}
-
-func (r *router) deleteIpSet(setName string, set *nftables.Set) error {
-	r.conn.DelSet(set)
-	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf(flushError, err)
-	}
-
-	log.Debugf("Deleted unused ipset %s", setName)
-	return nil
-}
-
-func (r *router) findSetNameInRule(rule *nftables.Rule) string {
-	for _, e := range rule.Exprs {
-		if lookup, ok := e.(*expr.Lookup); ok {
-			return lookup.SetName
-		}
-	}
-	return ""
-}
-
-func (r *router) deleteNftRule(rule *nftables.Rule, ruleKey string) error {
-	if err := r.conn.DelRule(rule); err != nil {
-		return fmt.Errorf("delete rule %s: %w", ruleKey, err)
-	}
-	delete(r.rules, ruleKey)
-
-	log.Debugf("removed route rule %s", ruleKey)
-
-	return nil
-}
-
-// AddNatRule appends a nftables rule pair to the nat chain
-func (r *router) AddNatRule(pair firewall.RouterPair) error {
-	if err := r.refreshRulesMap(); err != nil {
-		return fmt.Errorf(refreshRulesMapError, err)
-	}
-
-	if r.legacyManagement {
-		log.Warnf("This peer is connected to a NetBird Management service with an older version. Allowing all traffic for %s", pair.Destination)
-		if err := r.addLegacyRouteRule(pair); err != nil {
-			return fmt.Errorf("add legacy routing rule: %w", err)
-		}
-	}
-
-	if pair.Masquerade {
-		if err := r.addNatRule(pair); err != nil {
-			return fmt.Errorf("add nat rule: %w", err)
-		}
-
-		if err := r.addNatRule(firewall.GetInversePair(pair)); err != nil {
-			return fmt.Errorf("add inverse nat rule: %w", err)
-		}
-	}
-
-	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf("nftables: insert rules for %s: %v", pair.Destination, err)
-	}
-
-	return nil
-}
-
-// addNatRule inserts a nftables rule to the conn client flush queue
-func (r *router) addNatRule(pair firewall.RouterPair) error {
-	sourceExp := generateCIDRMatcherExpressions(true, pair.Source)
-	destExp := generateCIDRMatcherExpressions(false, pair.Destination)
-
-	op := expr.CmpOpEq
-	if pair.Inverse {
-		op = expr.CmpOpNeq
-	}
-
-	exprs := []expr.Any{
-		// We only care about NEW connections to mark them and later identify them in the postrouting chain for masquerading.
-		// Masquerading will take care of the conntrack state, which means we won't need to mark established connections.
-		&expr.Ct{
-			Key:      expr.CtKeySTATE,
-			Register: 1,
-		},
-		&expr.Bitwise{
-			SourceRegister: 1,
-			DestRegister:   1,
-			Len:            4,
-			Mask:           binaryutil.NativeEndian.PutUint32(expr.CtStateBitNEW),
-			Xor:            binaryutil.NativeEndian.PutUint32(0),
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpNeq,
-			Register: 1,
-			Data:     []byte{0, 0, 0, 0},
-		},
-
-		// interface matching
-		&expr.Meta{
-			Key:      expr.MetaKeyIIFNAME,
-			Register: 1,
-		},
-		&expr.Cmp{
-			Op:       op,
-			Register: 1,
-			Data:     ifname(r.wgIface.Name()),
-		},
-	}
-
-	exprs = append(exprs, sourceExp...)
-	exprs = append(exprs, destExp...)
-
-	var markValue uint32 = nbnet.PreroutingFwmarkMasquerade
-	if pair.Inverse {
-		markValue = nbnet.PreroutingFwmarkMasqueradeReturn
-	}
-
-	exprs = append(exprs,
-		&expr.Immediate{
-			Register: 1,
-			Data:     binaryutil.NativeEndian.PutUint32(markValue),
-		},
-		&expr.Meta{
-			Key:            expr.MetaKeyMARK,
-			SourceRegister: true,
-			Register:       1,
-		},
-	)
-
-	ruleKey := firewall.GenKey(firewall.PreroutingFormat, pair)
-
-	if _, exists := r.rules[ruleKey]; exists {
-		if err := r.removeNatRule(pair); err != nil {
-			return fmt.Errorf("remove prerouting rule: %w", err)
-		}
-	}
-
-	r.rules[ruleKey] = r.conn.AddRule(&nftables.Rule{
-		Table:    r.workTable,
-		Chain:    r.chains[chainNamePrerouting],
-		Exprs:    exprs,
-		UserData: []byte(ruleKey),
-	})
-
-	return nil
-}
-
-// addPostroutingRules adds the masquerade rules
-func (r *router) addPostroutingRules() error {
-	// First masquerade rule for traffic coming in from WireGuard interface
-	exprs := []expr.Any{
-		// Match on the first fwmark
-		&expr.Meta{
-			Key:      expr.MetaKeyMARK,
-			Register: 1,
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     binaryutil.NativeEndian.PutUint32(nbnet.PreroutingFwmarkMasquerade),
-		},
-
-		// We need to exclude the loopback interface as this changes the ebpf proxy port
-		&expr.Meta{
-			Key:      expr.MetaKeyOIFNAME,
-			Register: 1,
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpNeq,
-			Register: 1,
-			Data:     ifname("lo"),
-		},
-		&expr.Counter{},
-		&expr.Masq{},
-	}
-
-	r.conn.AddRule(&nftables.Rule{
-		Table: r.workTable,
-		Chain: r.chains[chainNameRoutingNat],
-		Exprs: exprs,
-	})
-
-	// Second masquerade rule for traffic going out through WireGuard interface
-	exprs2 := []expr.Any{
-		// Match on the second fwmark
-		&expr.Meta{
-			Key:      expr.MetaKeyMARK,
-			Register: 1,
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     binaryutil.NativeEndian.PutUint32(nbnet.PreroutingFwmarkMasqueradeReturn),
-		},
-
-		// Match WireGuard interface
-		&expr.Meta{
-			Key:      expr.MetaKeyOIFNAME,
-			Register: 1,
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     ifname(r.wgIface.Name()),
-		},
-		&expr.Counter{},
-		&expr.Masq{},
-	}
-
-	r.conn.AddRule(&nftables.Rule{
-		Table: r.workTable,
-		Chain: r.chains[chainNameRoutingNat],
-		Exprs: exprs2,
-	})
-
-	return nil
-}
-
-// addLegacyRouteRule adds a legacy routing rule for mgmt servers pre route acls
-func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
-	sourceExp := generateCIDRMatcherExpressions(true, pair.Source)
-	destExp := generateCIDRMatcherExpressions(false, pair.Destination)
-
-	exprs := []expr.Any{
-		&expr.Counter{},
-		&expr.Verdict{
-			Kind: expr.VerdictAccept,
-		},
-	}
-
-	expression := append(sourceExp, append(destExp, exprs...)...) // nolint:gocritic
-
-	ruleKey := firewall.GenKey(firewall.ForwardingFormat, pair)
-
-	if _, exists := r.rules[ruleKey]; exists {
-		if err := r.removeLegacyRouteRule(pair); err != nil {
-			return fmt.Errorf("remove legacy routing rule: %w", err)
-		}
-	}
-
-	r.rules[ruleKey] = r.conn.AddRule(&nftables.Rule{
-		Table:    r.workTable,
-		Chain:    r.chains[chainNameRoutingFw],
-		Exprs:    expression,
-		UserData: []byte(ruleKey),
-	})
-	return nil
-}
-
-// removeLegacyRouteRule removes a legacy routing rule for mgmt servers pre route acls
-func (r *router) removeLegacyRouteRule(pair firewall.RouterPair) error {
-	ruleKey := firewall.GenKey(firewall.ForwardingFormat, pair)
-
-	if rule, exists := r.rules[ruleKey]; exists {
-		if err := r.conn.DelRule(rule); err != nil {
-			return fmt.Errorf("remove legacy forwarding rule %s -> %s: %v", pair.Source, pair.Destination, err)
-		}
-
-		log.Debugf("nftables: removed legacy forwarding rule %s -> %s", pair.Source, pair.Destination)
-
-		delete(r.rules, ruleKey)
-	} else {
-		log.Debugf("nftables: legacy forwarding rule %s not found", ruleKey)
-	}
-
-	return nil
-}
-
-// GetLegacyManagement returns the route manager's legacy management mode
-func (r *router) GetLegacyManagement() bool {
-	return r.legacyManagement
-}
-
-// SetLegacyManagement sets the route manager to use legacy management mode
-func (r *router) SetLegacyManagement(isLegacy bool) {
-	r.legacyManagement = isLegacy
-}
-
-// RemoveAllLegacyRouteRules removes all legacy routing rules for mgmt servers pre route acls
-func (r *router) RemoveAllLegacyRouteRules() error {
-	if err := r.refreshRulesMap(); err != nil {
-		return fmt.Errorf(refreshRulesMapError, err)
-	}
-
-	var merr *multierror.Error
-	for k, rule := range r.rules {
-		if !strings.HasPrefix(k, firewall.ForwardingFormatPrefix) {
-			continue
-		}
-		if err := r.conn.DelRule(rule); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("remove legacy forwarding rule: %v", err))
-		} else {
-			delete(r.rules, k)
-		}
-
-	}
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-// acceptForwardRules adds iif/oif rules in the filter table/forward chain to make sure
-// that our traffic is not dropped by existing rules there.
-// The existing FORWARD rules/policies decide outbound traffic towards our interface.
-// In case the FORWARD policy is set to "drop", we add an established/related rule to allow return traffic for the inbound rule.
-func (r *router) acceptForwardRules() error {
-	if r.filterTable == nil {
-		log.Debugf("table 'filter' not found for forward rules, skipping accept rules")
-		return nil
-	}
-
-	fw := "iptables"
-
-	defer func() {
-		log.Debugf("Used %s to add accept forward rules", fw)
-	}()
-
-	// Try iptables first and fallback to nftables if iptables is not available
-	ipt, err := iptables.New()
-	if err != nil {
-		// filter table exists but iptables is not
-		log.Warnf("Will use nftables to manipulate the filter table because iptables is not available: %v", err)
-
-		fw = "nftables"
-		return r.acceptForwardRulesNftables()
-	}
-
-	return r.acceptForwardRulesIptables(ipt)
-}
-
-func (r *router) acceptForwardRulesIptables(ipt *iptables.IPTables) error {
-	var merr *multierror.Error
-	for _, rule := range r.getAcceptForwardRules() {
-		if err := ipt.Insert("filter", chainNameForward, 1, rule...); err != nil {
-			merr = multierror.Append(err, fmt.Errorf("add iptables rule: %v", err))
-		} else {
-			log.Debugf("added iptables rule: %v", rule)
-		}
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *router) getAcceptForwardRules() [][]string {
-	intf := r.wgIface.Name()
-	return [][]string{
-		{"-i", intf, "-j", "ACCEPT"},
-		{"-o", intf, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"},
-	}
-}
-
-func (r *router) acceptForwardRulesNftables() error {
-	intf := ifname(r.wgIface.Name())
-
-	// Rule for incoming interface (iif) with counter
-	iifRule := &nftables.Rule{
-		Table: r.filterTable,
-		Chain: &nftables.Chain{
-			Name:     chainNameForward,
-			Table:    r.filterTable,
-			Type:     nftables.ChainTypeFilter,
-			Hooknum:  nftables.ChainHookForward,
-			Priority: nftables.ChainPriorityFilter,
-		},
-		Exprs: []expr.Any{
-			&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
-			&expr.Cmp{
-				Op:       expr.CmpOpEq,
-				Register: 1,
-				Data:     intf,
-			},
-			&expr.Counter{},
-			&expr.Verdict{Kind: expr.VerdictAccept},
-		},
-		UserData: []byte(userDataAcceptForwardRuleIif),
-	}
-	r.conn.InsertRule(iifRule)
-
-	oifExprs := []expr.Any{
-		&expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     intf,
-		},
-	}
-
-	// Rule for outgoing interface (oif) with counter
-	oifRule := &nftables.Rule{
-		Table: r.filterTable,
-		Chain: &nftables.Chain{
-			Name:     "FORWARD",
-			Table:    r.filterTable,
-			Type:     nftables.ChainTypeFilter,
-			Hooknum:  nftables.ChainHookForward,
-			Priority: nftables.ChainPriorityFilter,
-		},
-		Exprs:    append(oifExprs, getEstablishedExprs(2)...),
-		UserData: []byte(userDataAcceptForwardRuleOif),
-	}
-
-	r.conn.InsertRule(oifRule)
-
-	return nil
-}
-
-func (r *router) removeAcceptForwardRules() error {
-	if r.filterTable == nil {
-		return nil
-	}
-
-	// Try iptables first and fallback to nftables if iptables is not available
-	ipt, err := iptables.New()
-	if err != nil {
-		log.Warnf("Will use nftables to manipulate the filter table because iptables is not available: %v", err)
-		return r.removeAcceptForwardRulesNftables()
-	}
-
-	return r.removeAcceptForwardRulesIptables(ipt)
-}
-
-func (r *router) removeAcceptForwardRulesNftables() error {
-	chains, err := r.conn.ListChainsOfTableFamily(nftables.TableFamilyIPv4)
-	if err != nil {
-		return fmt.Errorf("list chains: %v", err)
-	}
-
-	for _, chain := range chains {
-		if chain.Table.Name != r.filterTable.Name || chain.Name != chainNameForward {
-			continue
-		}
-
-		rules, err := r.conn.GetRules(r.filterTable, chain)
-		if err != nil {
-			return fmt.Errorf("get rules: %v", err)
-		}
-
-		for _, rule := range rules {
-			if bytes.Equal(rule.UserData, []byte(userDataAcceptForwardRuleIif)) ||
-				bytes.Equal(rule.UserData, []byte(userDataAcceptForwardRuleOif)) {
-				if err := r.conn.DelRule(rule); err != nil {
-					return fmt.Errorf("delete rule: %v", err)
-				}
-			}
-		}
-	}
-
-	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf(flushError, err)
-	}
-
-	return nil
-}
-
-func (r *router) removeAcceptForwardRulesIptables(ipt *iptables.IPTables) error {
-	var merr *multierror.Error
-	for _, rule := range r.getAcceptForwardRules() {
-		if err := ipt.DeleteIfExists("filter", chainNameForward, rule...); err != nil {
-			merr = multierror.Append(err, fmt.Errorf("remove iptables rule: %v", err))
-		}
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-// RemoveNatRule removes the prerouting mark rule
-func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
-	if err := r.refreshRulesMap(); err != nil {
-		return fmt.Errorf(refreshRulesMapError, err)
-	}
-
-	if err := r.removeNatRule(pair); err != nil {
-		return fmt.Errorf("remove prerouting rule: %w", err)
-	}
-
-	if err := r.removeNatRule(firewall.GetInversePair(pair)); err != nil {
-		return fmt.Errorf("remove inverse prerouting rule: %w", err)
-	}
-
-	if err := r.removeLegacyRouteRule(pair); err != nil {
-		return fmt.Errorf("remove legacy routing rule: %w", err)
-	}
-
-	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf("nftables: received error while applying rule removal for %s: %v", pair.Destination, err)
-	}
-
-	log.Debugf("nftables: removed nat rules for %s", pair.Destination)
-	return nil
-}
-
-func (r *router) removeNatRule(pair firewall.RouterPair) error {
-	ruleKey := firewall.GenKey(firewall.PreroutingFormat, pair)
-
-	if rule, exists := r.rules[ruleKey]; exists {
-		err := r.conn.DelRule(rule)
-		if err != nil {
-			return fmt.Errorf("remove prerouting rule %s -> %s: %v", pair.Source, pair.Destination, err)
-		}
-
-		log.Debugf("nftables: removed prerouting rule %s -> %s", pair.Source, pair.Destination)
-
-		delete(r.rules, ruleKey)
-	} else {
-		log.Debugf("nftables: prerouting rule %s not found", ruleKey)
-	}
-
-	return nil
-}
-
-// refreshRulesMap refreshes the rule map with the latest rules. this is useful to avoid
-// duplicates and to get missing attributes that we don't have when adding new rules
-func (r *router) refreshRulesMap() error {
-	for _, chain := range r.chains {
-		rules, err := r.conn.GetRules(chain.Table, chain)
-		if err != nil {
-			return fmt.Errorf("nftables: unable to list rules: %v", err)
-		}
-		for _, rule := range rules {
-			if len(rule.UserData) > 0 {
-				r.rules[string(rule.UserData)] = rule
-			}
-		}
-	}
-	return nil
-}
-
-// generateCIDRMatcherExpressions generates nftables expressions that matches a CIDR
-func generateCIDRMatcherExpressions(source bool, prefix netip.Prefix) []expr.Any {
-	var offset uint32
-	if source {
-		offset = 12 // src offset
-	} else {
-		offset = 16 // dst offset
-	}
-
-	ones := prefix.Bits()
-	// 0.0.0.0/0 doesn't need extra expressions
-	if ones == 0 {
-		return nil
-	}
-
-	mask := net.CIDRMask(ones, 32)
-
-	return []expr.Any{
-		&expr.Payload{
-			DestRegister: 1,
-			Base:         expr.PayloadBaseNetworkHeader,
-			Offset:       offset,
-			Len:          4,
-		},
-		// netmask
-		&expr.Bitwise{
-			DestRegister:   1,
-			SourceRegister: 1,
-			Len:            4,
-			Mask:           mask,
-			Xor:            []byte{0, 0, 0, 0},
-		},
-		// net address
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     prefix.Masked().Addr().AsSlice(),
-		},
-	}
-}
-
-func applyPort(port *firewall.Port, isSource bool) []expr.Any {
-	if port == nil {
-		return nil
-	}
-
-	var exprs []expr.Any
-
-	offset := uint32(2) // Default offset for destination port
-	if isSource {
-		offset = 0 // Offset for source port
-	}
-
-	exprs = append(exprs, &expr.Payload{
-		DestRegister: 1,
-		Base:         expr.PayloadBaseTransportHeader,
-		Offset:       offset,
-		Len:          2,
-	})
-
-	if port.IsRange && len(port.Values) == 2 {
-		// Handle port range
-		exprs = append(exprs,
-			&expr.Cmp{
-				Op:       expr.CmpOpGte,
-				Register: 1,
-				Data:     binaryutil.BigEndian.PutUint16(uint16(port.Values[0])),
-			},
-			&expr.Cmp{
-				Op:       expr.CmpOpLte,
-				Register: 1,
-				Data:     binaryutil.BigEndian.PutUint16(uint16(port.Values[1])),
-			},
-		)
-	} else {
-		// Handle single port or multiple ports
-		for i, p := range port.Values {
-			if i > 0 {
-				// Add a bitwise OR operation between port checks
-				exprs = append(exprs, &expr.Bitwise{
-					SourceRegister: 1,
-					DestRegister:   1,
-					Len:            4,
-					Mask:           []byte{0x00, 0x00, 0xff, 0xff},
-					Xor:            []byte{0x00, 0x00, 0x00, 0x00},
-				})
-			}
-			exprs = append(exprs, &expr.Cmp{
-				Op:       expr.CmpOpEq,
-				Register: 1,
-				Data:     binaryutil.BigEndian.PutUint16(uint16(p)),
-			})
-		}
-	}
-
-	return exprs
-}
--- a/client/firewall/nftables/router_linux_test.go
+++ b/client/firewall/nftables/router_linux_test.go
@@ -3,16 +3,12 @@
 package nftables

 import (
-	"encoding/binary"
-	"net/netip"
-	"os/exec"
+	"context"
 	"testing"

 	"github.com/coreos/go-iptables/iptables"
 	"github.com/google/nftables"
-	"github.com/google/nftables/binaryutil"
 	"github.com/google/nftables/expr"
-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
@@ -28,627 +24,195 @@ const (
 	NFTABLES
 )

-func TestNftablesManager_AddNatRule(t *testing.T) {
+func TestNftablesManager_InsertRoutingRules(t *testing.T) {
 	if check() != NFTABLES {
 		t.Skip("nftables not supported on this OS")
 	}

+	table, err := createWorkTable()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	defer deleteWorkTable()
+
 	for _, testCase := range test.InsertRuleTestCases {
 		t.Run(testCase.Name, func(t *testing.T) {
-			// need fw manager to init both acl mgr and router for all chains to be present
-			manager, err := Create(ifaceMock)
-			t.Cleanup(func() {
-				require.NoError(t, manager.Reset(nil))
-			})
-			require.NoError(t, err)
-			require.NoError(t, manager.Init(nil))
+			manager, err := newRouter(context.TODO(), table)
+			require.NoError(t, err, "failed to create router")

 			nftablesTestingClient := &nftables.Conn{}

-			rtr := manager.router
-			err = rtr.AddNatRule(testCase.InputPair)
-			require.NoError(t, err, "pair should be inserted")
+			defer manager.ResetForwardRules()

-			t.Cleanup(func() {
-				require.NoError(t, rtr.RemoveNatRule(testCase.InputPair), "failed to remove rule")
-			})
+			require.NoError(t, err, "shouldn't return error")
+
+			err = manager.AddRoutingRules(testCase.InputPair)
+			defer func() {
+				_ = manager.RemoveRoutingRules(testCase.InputPair)
+			}()
+			require.NoError(t, err, "forwarding pair should be inserted")
+
+			sourceExp := generateCIDRMatcherExpressions(true, testCase.InputPair.Source)
+			destExp := generateCIDRMatcherExpressions(false, testCase.InputPair.Destination)
+			testingExpression := append(sourceExp, destExp...) //nolint:gocritic
+			fwdRuleKey := firewall.GenKey(firewall.ForwardingFormat, testCase.InputPair.ID)
+
+			found := 0
+			for _, chain := range manager.chains {
+				rules, err := nftablesTestingClient.GetRules(chain.Table, chain)
+				require.NoError(t, err, "should list rules for %s table and %s chain", chain.Table.Name, chain.Name)
+				for _, rule := range rules {
+					if len(rule.UserData) > 0 && string(rule.UserData) == fwdRuleKey {
+						require.ElementsMatchf(t, rule.Exprs[:len(testingExpression)], testingExpression, "forwarding rule elements should match")
+						found = 1
+					}
+				}
+			}
+
+			require.Equal(t, 1, found, "should find at least 1 rule to test")

 			if testCase.InputPair.Masquerade {
-				// Build expected expressions for connection tracking
-				conntrackExprs := []expr.Any{
-					&expr.Ct{
-						Key:      expr.CtKeySTATE,
-						Register: 1,
-					},
-					&expr.Bitwise{
-						SourceRegister: 1,
-						DestRegister:   1,
-						Len:            4,
-						Mask:           binaryutil.NativeEndian.PutUint32(expr.CtStateBitNEW),
-						Xor:            binaryutil.NativeEndian.PutUint32(0),
-					},
-					&expr.Cmp{
-						Op:       expr.CmpOpNeq,
-						Register: 1,
-						Data:     []byte{0, 0, 0, 0},
-					},
-				}
-
-				// Build interface matching expression
-				ifaceExprs := []expr.Any{
-					&expr.Meta{
-						Key:      expr.MetaKeyIIFNAME,
-						Register: 1,
-					},
-					&expr.Cmp{
-						Op:       expr.CmpOpEq,
-						Register: 1,
-						Data:     ifname(ifaceMock.Name()),
-					},
-				}
-
-				// Build CIDR matching expressions
-				sourceExp := generateCIDRMatcherExpressions(true, testCase.InputPair.Source)
-				destExp := generateCIDRMatcherExpressions(false, testCase.InputPair.Destination)
-
-				// Combine all expressions in the correct order
-				// nolint:gocritic
-				testingExpression := append(conntrackExprs, ifaceExprs...)
-				testingExpression = append(testingExpression, sourceExp...)
-				testingExpression = append(testingExpression, destExp...)
-
-				natRuleKey := firewall.GenKey(firewall.PreroutingFormat, testCase.InputPair)
+				natRuleKey := firewall.GenKey(firewall.NatFormat, testCase.InputPair.ID)
 				found := 0
-				for _, chain := range rtr.chains {
-					if chain.Name == chainNamePrerouting {
-						rules, err := nftablesTestingClient.GetRules(chain.Table, chain)
-						require.NoError(t, err, "should list rules for %s table and %s chain", chain.Table.Name, chain.Name)
-						for _, rule := range rules {
-							if len(rule.UserData) > 0 && string(rule.UserData) == natRuleKey {
-								// Compare expressions up to the mark setting expressions
-								require.ElementsMatchf(t, rule.Exprs[:len(testingExpression)], testingExpression, "prerouting nat rule elements should match")
-								found = 1
-							}
+				for _, chain := range manager.chains {
+					rules, err := nftablesTestingClient.GetRules(chain.Table, chain)
+					require.NoError(t, err, "should list rules for %s table and %s chain", chain.Table.Name, chain.Name)
+					for _, rule := range rules {
+						if len(rule.UserData) > 0 && string(rule.UserData) == natRuleKey {
+							require.ElementsMatchf(t, rule.Exprs[:len(testingExpression)], testingExpression, "nat rule elements should match")
+							found = 1
 						}
 					}
 				}
-				require.Equal(t, 1, found, "should find at least 1 rule in prerouting chain")
+				require.Equal(t, 1, found, "should find at least 1 rule to test")
+			}
+
+			sourceExp = generateCIDRMatcherExpressions(true, firewall.GetInPair(testCase.InputPair).Source)
+			destExp = generateCIDRMatcherExpressions(false, firewall.GetInPair(testCase.InputPair).Destination)
+			testingExpression = append(sourceExp, destExp...) //nolint:gocritic
+			inFwdRuleKey := firewall.GenKey(firewall.InForwardingFormat, testCase.InputPair.ID)
+
+			found = 0
+			for _, chain := range manager.chains {
+				rules, err := nftablesTestingClient.GetRules(chain.Table, chain)
+				require.NoError(t, err, "should list rules for %s table and %s chain", chain.Table.Name, chain.Name)
+				for _, rule := range rules {
+					if len(rule.UserData) > 0 && string(rule.UserData) == inFwdRuleKey {
+						require.ElementsMatchf(t, rule.Exprs[:len(testingExpression)], testingExpression, "income forwarding rule elements should match")
+						found = 1
+					}
+				}
+			}
+
+			require.Equal(t, 1, found, "should find at least 1 rule to test")
+
+			if testCase.InputPair.Masquerade {
+				inNatRuleKey := firewall.GenKey(firewall.InNatFormat, testCase.InputPair.ID)
+				found := 0
+				for _, chain := range manager.chains {
+					rules, err := nftablesTestingClient.GetRules(chain.Table, chain)
+					require.NoError(t, err, "should list rules for %s table and %s chain", chain.Table.Name, chain.Name)
+					for _, rule := range rules {
+						if len(rule.UserData) > 0 && string(rule.UserData) == inNatRuleKey {
+							require.ElementsMatchf(t, rule.Exprs[:len(testingExpression)], testingExpression, "income nat rule elements should match")
+							found = 1
+						}
+					}
+				}
+				require.Equal(t, 1, found, "should find at least 1 rule to test")
 			}
 		})
 	}
 }

-func TestNftablesManager_RemoveNatRule(t *testing.T) {
+func TestNftablesManager_RemoveRoutingRules(t *testing.T) {
 	if check() != NFTABLES {
 		t.Skip("nftables not supported on this OS")
 	}

+	table, err := createWorkTable()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	defer deleteWorkTable()
+
 	for _, testCase := range test.RemoveRuleTestCases {
 		t.Run(testCase.Name, func(t *testing.T) {
-			manager, err := Create(ifaceMock)
-			t.Cleanup(func() {
-				require.NoError(t, manager.Reset(nil))
-			})
-			require.NoError(t, err)
-			require.NoError(t, manager.Init(nil))
+			manager, err := newRouter(context.TODO(), table)
+			require.NoError(t, err, "failed to create router")

-			rtr := manager.router
+			nftablesTestingClient := &nftables.Conn{}

-			// First add the NAT rule using the router's method
-			err = rtr.AddNatRule(testCase.InputPair)
-			require.NoError(t, err, "should add NAT rule")
+			defer manager.ResetForwardRules()

-			// Verify the rule was added
-			natRuleKey := firewall.GenKey(firewall.PreroutingFormat, testCase.InputPair)
-			found := false
-			rules, err := rtr.conn.GetRules(rtr.workTable, rtr.chains[chainNamePrerouting])
-			require.NoError(t, err, "should list rules")
-			for _, rule := range rules {
-				if len(rule.UserData) > 0 && string(rule.UserData) == natRuleKey {
-					found = true
-					break
-				}
-			}
-			require.True(t, found, "NAT rule should exist before removal")
+			sourceExp := generateCIDRMatcherExpressions(true, testCase.InputPair.Source)
+			destExp := generateCIDRMatcherExpressions(false, testCase.InputPair.Destination)

-			// Now remove the rule
-			err = rtr.RemoveNatRule(testCase.InputPair)
-			require.NoError(t, err, "shouldn't return error when removing rule")
-
-			// Verify the rule was removed
-			found = false
-			rules, err = rtr.conn.GetRules(rtr.workTable, rtr.chains[chainNamePrerouting])
-			require.NoError(t, err, "should list rules after removal")
-			for _, rule := range rules {
-				if len(rule.UserData) > 0 && string(rule.UserData) == natRuleKey {
-					found = true
-					break
-				}
-			}
-			require.False(t, found, "NAT rule should not exist after removal")
-
-			// Verify the static postrouting rules still exist
-			rules, err = rtr.conn.GetRules(rtr.workTable, rtr.chains[chainNameRoutingNat])
-			require.NoError(t, err, "should list postrouting rules")
-			foundCounter := false
-			for _, rule := range rules {
-				for _, e := range rule.Exprs {
-					if _, ok := e.(*expr.Counter); ok {
-						foundCounter = true
-						break
-					}
-				}
-				if foundCounter {
-					break
-				}
-			}
-			require.True(t, foundCounter, "static postrouting rule should remain")
-		})
-	}
-}
-
-func TestRouter_AddRouteFiltering(t *testing.T) {
-	if check() != NFTABLES {
-		t.Skip("nftables not supported on this system")
-	}
-
-	workTable, err := createWorkTable()
-	require.NoError(t, err, "Failed to create work table")
-
-	defer deleteWorkTable()
-
-	r, err := newRouter(workTable, ifaceMock)
-	require.NoError(t, err, "Failed to create router")
-	require.NoError(t, r.init(workTable))
-
-	defer func(r *router) {
-		require.NoError(t, r.Reset(), "Failed to reset rules")
-	}(r)
-
-	tests := []struct {
-		name        string
-		sources     []netip.Prefix
-		destination netip.Prefix
-		proto       firewall.Protocol
-		sPort       *firewall.Port
-		dPort       *firewall.Port
-		direction   firewall.RuleDirection
-		action      firewall.Action
-		expectSet   bool
-	}{
-		{
-			name:        "Basic TCP rule with single source",
-			sources:     []netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")},
-			destination: netip.MustParsePrefix("10.0.0.0/24"),
-			proto:       firewall.ProtocolTCP,
-			sPort:       nil,
-			dPort:       &firewall.Port{Values: []int{80}},
-			direction:   firewall.RuleDirectionIN,
-			action:      firewall.ActionAccept,
-			expectSet:   false,
-		},
-		{
-			name: "UDP rule with multiple sources",
-			sources: []netip.Prefix{
-				netip.MustParsePrefix("172.16.0.0/16"),
-				netip.MustParsePrefix("192.168.0.0/16"),
-			},
-			destination: netip.MustParsePrefix("10.0.0.0/8"),
-			proto:       firewall.ProtocolUDP,
-			sPort:       &firewall.Port{Values: []int{1024, 2048}, IsRange: true},
-			dPort:       nil,
-			direction:   firewall.RuleDirectionOUT,
-			action:      firewall.ActionDrop,
-			expectSet:   true,
-		},
-		{
-			name:        "All protocols rule",
-			sources:     []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")},
-			destination: netip.MustParsePrefix("0.0.0.0/0"),
-			proto:       firewall.ProtocolALL,
-			sPort:       nil,
-			dPort:       nil,
-			direction:   firewall.RuleDirectionIN,
-			action:      firewall.ActionAccept,
-			expectSet:   false,
-		},
-		{
-			name:        "ICMP rule",
-			sources:     []netip.Prefix{netip.MustParsePrefix("192.168.0.0/16")},
-			destination: netip.MustParsePrefix("10.0.0.0/8"),
-			proto:       firewall.ProtocolICMP,
-			sPort:       nil,
-			dPort:       nil,
-			direction:   firewall.RuleDirectionIN,
-			action:      firewall.ActionAccept,
-			expectSet:   false,
-		},
-		{
-			name:        "TCP rule with multiple source ports",
-			sources:     []netip.Prefix{netip.MustParsePrefix("172.16.0.0/12")},
-			destination: netip.MustParsePrefix("192.168.0.0/16"),
-			proto:       firewall.ProtocolTCP,
-			sPort:       &firewall.Port{Values: []int{80, 443, 8080}},
-			dPort:       nil,
-			direction:   firewall.RuleDirectionOUT,
-			action:      firewall.ActionAccept,
-			expectSet:   false,
-		},
-		{
-			name:        "UDP rule with single IP and port range",
-			sources:     []netip.Prefix{netip.MustParsePrefix("192.168.1.1/32")},
-			destination: netip.MustParsePrefix("10.0.0.0/24"),
-			proto:       firewall.ProtocolUDP,
-			sPort:       nil,
-			dPort:       &firewall.Port{Values: []int{5000, 5100}, IsRange: true},
-			direction:   firewall.RuleDirectionIN,
-			action:      firewall.ActionDrop,
-			expectSet:   false,
-		},
-		{
-			name:        "TCP rule with source and destination ports",
-			sources:     []netip.Prefix{netip.MustParsePrefix("10.0.0.0/24")},
-			destination: netip.MustParsePrefix("172.16.0.0/16"),
-			proto:       firewall.ProtocolTCP,
-			sPort:       &firewall.Port{Values: []int{1024, 65535}, IsRange: true},
-			dPort:       &firewall.Port{Values: []int{22}},
-			direction:   firewall.RuleDirectionOUT,
-			action:      firewall.ActionAccept,
-			expectSet:   false,
-		},
-		{
-			name:        "Drop all incoming traffic",
-			sources:     []netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
-			destination: netip.MustParsePrefix("192.168.0.0/24"),
-			proto:       firewall.ProtocolALL,
-			sPort:       nil,
-			dPort:       nil,
-			direction:   firewall.RuleDirectionIN,
-			action:      firewall.ActionDrop,
-			expectSet:   false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			ruleKey, err := r.AddRouteFiltering(tt.sources, tt.destination, tt.proto, tt.sPort, tt.dPort, tt.action)
-			require.NoError(t, err, "AddRouteFiltering failed")
-
-			t.Cleanup(func() {
-				require.NoError(t, r.DeleteRouteRule(ruleKey), "Failed to delete rule")
+			forwardExp := append(sourceExp, append(destExp, exprCounterAccept...)...) //nolint:gocritic
+			forwardRuleKey := firewall.GenKey(firewall.ForwardingFormat, testCase.InputPair.ID)
+			insertedForwarding := nftablesTestingClient.InsertRule(&nftables.Rule{
+				Table:    manager.workTable,
+				Chain:    manager.chains[chainNameRouteingFw],
+				Exprs:    forwardExp,
+				UserData: []byte(forwardRuleKey),
 			})

-			// Check if the rule is in the internal map
-			rule, ok := r.rules[ruleKey.GetRuleID()]
-			assert.True(t, ok, "Rule not found in internal map")
+			natExp := append(sourceExp, append(destExp, &expr.Counter{}, &expr.Masq{})...) //nolint:gocritic
+			natRuleKey := firewall.GenKey(firewall.NatFormat, testCase.InputPair.ID)

-			t.Log("Internal rule expressions:")
-			for i, expr := range rule.Exprs {
-				t.Logf("  [%d] %T: %+v", i, expr, expr)
-			}
+			insertedNat := nftablesTestingClient.InsertRule(&nftables.Rule{
+				Table:    manager.workTable,
+				Chain:    manager.chains[chainNameRoutingNat],
+				Exprs:    natExp,
+				UserData: []byte(natRuleKey),
+			})

-			// Verify internal rule content
-			verifyRule(t, rule, tt.sources, tt.destination, tt.proto, tt.sPort, tt.dPort, tt.direction, tt.action, tt.expectSet)
+			sourceExp = generateCIDRMatcherExpressions(true, firewall.GetInPair(testCase.InputPair).Source)
+			destExp = generateCIDRMatcherExpressions(false, firewall.GetInPair(testCase.InputPair).Destination)

-			// Check if the rule exists in nftables and verify its content
-			rules, err := r.conn.GetRules(r.workTable, r.chains[chainNameRoutingFw])
-			require.NoError(t, err, "Failed to get rules from nftables")
+			forwardExp = append(sourceExp, append(destExp, exprCounterAccept...)...) //nolint:gocritic
+			inForwardRuleKey := firewall.GenKey(firewall.InForwardingFormat, testCase.InputPair.ID)
+			insertedInForwarding := nftablesTestingClient.InsertRule(&nftables.Rule{
+				Table:    manager.workTable,
+				Chain:    manager.chains[chainNameRouteingFw],
+				Exprs:    forwardExp,
+				UserData: []byte(inForwardRuleKey),
+			})

-			var nftRule *nftables.Rule
-			for _, rule := range rules {
-				if string(rule.UserData) == ruleKey.GetRuleID() {
-					nftRule = rule
-					break
-				}
-			}
+			natExp = append(sourceExp, append(destExp, &expr.Counter{}, &expr.Masq{})...) //nolint:gocritic
+			inNatRuleKey := firewall.GenKey(firewall.InNatFormat, testCase.InputPair.ID)

-			require.NotNil(t, nftRule, "Rule not found in nftables")
-			t.Log("Actual nftables rule expressions:")
-			for i, expr := range nftRule.Exprs {
-				t.Logf("  [%d] %T: %+v", i, expr, expr)
-			}
+			insertedInNat := nftablesTestingClient.InsertRule(&nftables.Rule{
+				Table:    manager.workTable,
+				Chain:    manager.chains[chainNameRoutingNat],
+				Exprs:    natExp,
+				UserData: []byte(inNatRuleKey),
+			})

-			// Verify actual nftables rule content
-			verifyRule(t, nftRule, tt.sources, tt.destination, tt.proto, tt.sPort, tt.dPort, tt.direction, tt.action, tt.expectSet)
-		})
-	}
-}
+			err = nftablesTestingClient.Flush()
+			require.NoError(t, err, "shouldn't return error")

-func TestNftablesCreateIpSet(t *testing.T) {
-	if check() != NFTABLES {
-		t.Skip("nftables not supported on this system")
-	}
+			manager.ResetForwardRules()

-	workTable, err := createWorkTable()
-	require.NoError(t, err, "Failed to create work table")
+			err = manager.RemoveRoutingRules(testCase.InputPair)
+			require.NoError(t, err, "shouldn't return error")

-	defer deleteWorkTable()
-
-	r, err := newRouter(workTable, ifaceMock)
-	require.NoError(t, err, "Failed to create router")
-	require.NoError(t, r.init(workTable))
-
-	defer func() {
-		require.NoError(t, r.Reset(), "Failed to reset router")
-	}()
-
-	tests := []struct {
-		name     string
-		sources  []netip.Prefix
-		expected []netip.Prefix
-	}{
-		{
-			name:    "Single IP",
-			sources: []netip.Prefix{netip.MustParsePrefix("192.168.1.1/32")},
-		},
-		{
-			name: "Multiple IPs",
-			sources: []netip.Prefix{
-				netip.MustParsePrefix("192.168.1.1/32"),
-				netip.MustParsePrefix("10.0.0.1/32"),
-				netip.MustParsePrefix("172.16.0.1/32"),
-			},
-		},
-		{
-			name:    "Single Subnet",
-			sources: []netip.Prefix{netip.MustParsePrefix("192.168.0.0/24")},
-		},
-		{
-			name: "Multiple Subnets with Various Prefix Lengths",
-			sources: []netip.Prefix{
-				netip.MustParsePrefix("10.0.0.0/8"),
-				netip.MustParsePrefix("172.16.0.0/16"),
-				netip.MustParsePrefix("192.168.1.0/24"),
-				netip.MustParsePrefix("203.0.113.0/26"),
-			},
-		},
-		{
-			name: "Mix of Single IPs and Subnets in Different Positions",
-			sources: []netip.Prefix{
-				netip.MustParsePrefix("192.168.1.1/32"),
-				netip.MustParsePrefix("10.0.0.0/16"),
-				netip.MustParsePrefix("172.16.0.1/32"),
-				netip.MustParsePrefix("203.0.113.0/24"),
-			},
-		},
-		{
-			name: "Overlapping IPs/Subnets",
-			sources: []netip.Prefix{
-				netip.MustParsePrefix("10.0.0.0/8"),
-				netip.MustParsePrefix("10.0.0.0/16"),
-				netip.MustParsePrefix("10.0.0.1/32"),
-				netip.MustParsePrefix("192.168.0.0/16"),
-				netip.MustParsePrefix("192.168.1.0/24"),
-				netip.MustParsePrefix("192.168.1.1/32"),
-			},
-			expected: []netip.Prefix{
-				netip.MustParsePrefix("10.0.0.0/8"),
-				netip.MustParsePrefix("192.168.0.0/16"),
-			},
-		},
-	}
-
-	// Add this helper function inside TestNftablesCreateIpSet
-	printNftSets := func() {
-		cmd := exec.Command("nft", "list", "sets")
-		output, err := cmd.CombinedOutput()
-		if err != nil {
-			t.Logf("Failed to run 'nft list sets': %v", err)
-		} else {
-			t.Logf("Current nft sets:\n%s", output)
-		}
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			setName := firewall.GenerateSetName(tt.sources)
-			set, err := r.createIpSet(setName, tt.sources)
-			if err != nil {
-				t.Logf("Failed to create IP set: %v", err)
-				printNftSets()
-				require.NoError(t, err, "Failed to create IP set")
-			}
-			require.NotNil(t, set, "Created set is nil")
-
-			// Verify set properties
-			assert.Equal(t, setName, set.Name, "Set name mismatch")
-			assert.Equal(t, r.workTable, set.Table, "Set table mismatch")
-			assert.True(t, set.Interval, "Set interval property should be true")
-			assert.Equal(t, nftables.TypeIPAddr, set.KeyType, "Set key type mismatch")
-
-			// Fetch the created set from nftables
-			fetchedSet, err := r.conn.GetSetByName(r.workTable, setName)
-			require.NoError(t, err, "Failed to fetch created set")
-			require.NotNil(t, fetchedSet, "Fetched set is nil")
-
-			// Verify set elements
-			elements, err := r.conn.GetSetElements(fetchedSet)
-			require.NoError(t, err, "Failed to get set elements")
-
-			// Count the number of unique prefixes (excluding interval end markers)
-			uniquePrefixes := make(map[string]bool)
-			for _, elem := range elements {
-				if !elem.IntervalEnd {
-					ip := netip.AddrFrom4(*(*[4]byte)(elem.Key))
-					uniquePrefixes[ip.String()] = true
-				}
-			}
-
-			// Check against expected merged prefixes
-			expectedCount := len(tt.expected)
-			if expectedCount == 0 {
-				expectedCount = len(tt.sources)
-			}
-			assert.Equal(t, expectedCount, len(uniquePrefixes), "Number of unique prefixes in set doesn't match expected")
-
-			// Verify each expected prefix is in the set
-			for _, expected := range tt.expected {
-				found := false
-				for _, elem := range elements {
-					if !elem.IntervalEnd {
-						ip := netip.AddrFrom4(*(*[4]byte)(elem.Key))
-						if expected.Contains(ip) {
-							found = true
-							break
-						}
-					}
-				}
-				assert.True(t, found, "Expected prefix %s not found in set", expected)
-			}
-
-			r.conn.DelSet(set)
-			if err := r.conn.Flush(); err != nil {
-				t.Logf("Failed to delete set: %v", err)
-				printNftSets()
-			}
-			require.NoError(t, err, "Failed to delete set")
-		})
-	}
-}
-
-func verifyRule(t *testing.T, rule *nftables.Rule, sources []netip.Prefix, destination netip.Prefix, proto firewall.Protocol, sPort, dPort *firewall.Port, direction firewall.RuleDirection, action firewall.Action, expectSet bool) {
-	t.Helper()
-
-	assert.NotNil(t, rule, "Rule should not be nil")
-
-	// Verify sources and destination
-	if expectSet {
-		assert.True(t, containsSetLookup(rule.Exprs), "Rule should contain set lookup for multiple sources")
-	} else if len(sources) == 1 && sources[0].Bits() != 0 {
-		if direction == firewall.RuleDirectionIN {
-			assert.True(t, containsCIDRMatcher(rule.Exprs, sources[0], true), "Rule should contain source CIDR matcher for %s", sources[0])
-		} else {
-			assert.True(t, containsCIDRMatcher(rule.Exprs, sources[0], false), "Rule should contain destination CIDR matcher for %s", sources[0])
-		}
-	}
-
-	if direction == firewall.RuleDirectionIN {
-		assert.True(t, containsCIDRMatcher(rule.Exprs, destination, false), "Rule should contain destination CIDR matcher for %s", destination)
-	} else {
-		assert.True(t, containsCIDRMatcher(rule.Exprs, destination, true), "Rule should contain source CIDR matcher for %s", destination)
-	}
-
-	// Verify protocol
-	if proto != firewall.ProtocolALL {
-		assert.True(t, containsProtocol(rule.Exprs, proto), "Rule should contain protocol matcher for %s", proto)
-	}
-
-	// Verify ports
-	if sPort != nil {
-		assert.True(t, containsPort(rule.Exprs, sPort, true), "Rule should contain source port matcher for %v", sPort)
-	}
-	if dPort != nil {
-		assert.True(t, containsPort(rule.Exprs, dPort, false), "Rule should contain destination port matcher for %v", dPort)
-	}
-
-	// Verify action
-	assert.True(t, containsAction(rule.Exprs, action), "Rule should contain correct action: %s", action)
-}
-
-func containsSetLookup(exprs []expr.Any) bool {
-	for _, e := range exprs {
-		if _, ok := e.(*expr.Lookup); ok {
-			return true
-		}
-	}
-	return false
-}
-
-func containsCIDRMatcher(exprs []expr.Any, prefix netip.Prefix, isSource bool) bool {
-	var offset uint32
-	if isSource {
-		offset = 12 // src offset
-	} else {
-		offset = 16 // dst offset
-	}
-
-	var payloadFound, bitwiseFound, cmpFound bool
-	for _, e := range exprs {
-		switch ex := e.(type) {
-		case *expr.Payload:
-			if ex.Base == expr.PayloadBaseNetworkHeader && ex.Offset == offset && ex.Len == 4 {
-				payloadFound = true
-			}
-		case *expr.Bitwise:
-			if ex.Len == 4 && len(ex.Mask) == 4 && len(ex.Xor) == 4 {
-				bitwiseFound = true
-			}
-		case *expr.Cmp:
-			if ex.Op == expr.CmpOpEq && len(ex.Data) == 4 {
-				cmpFound = true
-			}
-		}
-	}
-	return (payloadFound && bitwiseFound && cmpFound) || prefix.Bits() == 0
-}
-
-func containsPort(exprs []expr.Any, port *firewall.Port, isSource bool) bool {
-	var offset uint32 = 2 // Default offset for destination port
-	if isSource {
-		offset = 0 // Offset for source port
-	}
-
-	var payloadFound, portMatchFound bool
-	for _, e := range exprs {
-		switch ex := e.(type) {
-		case *expr.Payload:
-			if ex.Base == expr.PayloadBaseTransportHeader && ex.Offset == offset && ex.Len == 2 {
-				payloadFound = true
-			}
-		case *expr.Cmp:
-			if port.IsRange {
-				if ex.Op == expr.CmpOpGte || ex.Op == expr.CmpOpLte {
-					portMatchFound = true
-				}
-			} else {
-				if ex.Op == expr.CmpOpEq && len(ex.Data) == 2 {
-					portValue := binary.BigEndian.Uint16(ex.Data)
-					for _, p := range port.Values {
-						if uint16(p) == portValue {
-							portMatchFound = true
-							break
-						}
+			for _, chain := range manager.chains {
+				rules, err := nftablesTestingClient.GetRules(chain.Table, chain)
+				require.NoError(t, err, "should list rules for %s table and %s chain", chain.Table.Name, chain.Name)
+				for _, rule := range rules {
+					if len(rule.UserData) > 0 {
+						require.NotEqual(t, insertedForwarding.UserData, rule.UserData, "forwarding rule should not exist")
+						require.NotEqual(t, insertedNat.UserData, rule.UserData, "nat rule should not exist")
+						require.NotEqual(t, insertedInForwarding.UserData, rule.UserData, "income forwarding rule should not exist")
+						require.NotEqual(t, insertedInNat.UserData, rule.UserData, "income nat rule should not exist")
 					}
 				}
 			}
-		}
-		if payloadFound && portMatchFound {
-			return true
-		}
+		})
 	}
-	return false
-}
-
-func containsProtocol(exprs []expr.Any, proto firewall.Protocol) bool {
-	var metaFound, cmpFound bool
-	expectedProto, _ := protoToInt(proto)
-	for _, e := range exprs {
-		switch ex := e.(type) {
-		case *expr.Meta:
-			if ex.Key == expr.MetaKeyL4PROTO {
-				metaFound = true
-			}
-		case *expr.Cmp:
-			if ex.Op == expr.CmpOpEq && len(ex.Data) == 1 && ex.Data[0] == expectedProto {
-				cmpFound = true
-			}
-		}
-	}
-	return metaFound && cmpFound
-}
-
-func containsAction(exprs []expr.Any, action firewall.Action) bool {
-	for _, e := range exprs {
-		if verdict, ok := e.(*expr.Verdict); ok {
-			switch action {
-			case firewall.ActionAccept:
-				return verdict.Kind == expr.VerdictAccept
-			case firewall.ActionDrop:
-				return verdict.Kind == expr.VerdictDrop
-			}
-		}
-	}
-	return false
 }

 // check returns the firewall type based on common lib checks. It returns UNKNOWN if no firewall is found.
@@ -686,12 +250,12 @@ func createWorkTable() (*nftables.Table, error) {
 	}

 	for _, t := range tables {
-		if t.Name == tableNameNetbird {
+		if t.Name == tableName {
 			sConn.DelTable(t)
 		}
 	}

-	table := sConn.AddTable(&nftables.Table{Name: tableNameNetbird, Family: nftables.TableFamilyIPv4})
+	table := sConn.AddTable(&nftables.Table{Name: tableName, Family: nftables.TableFamilyIPv4})
 	err = sConn.Flush()

 	return table, err
@@ -709,7 +273,7 @@ func deleteWorkTable() {
 	}

 	for _, t := range tables {
-		if t.Name == tableNameNetbird {
+		if t.Name == tableName {
 			sConn.DelTable(t)
 		}
 	}
--- a/client/firewall/nftables/state_linux.go
+++ b/client/firewall/nftables/state_linux.go
@@ -1,47 +0,0 @@
-package nftables
-
-import (
-	"fmt"
-
-	"github.com/netbirdio/netbird/client/iface"
-	"github.com/netbirdio/netbird/client/iface/device"
-)
-
-type InterfaceState struct {
-	NameStr       string          `json:"name"`
-	WGAddress     iface.WGAddress `json:"wg_address"`
-	UserspaceBind bool            `json:"userspace_bind"`
-}
-
-func (i *InterfaceState) Name() string {
-	return i.NameStr
-}
-
-func (i *InterfaceState) Address() device.WGAddress {
-	return i.WGAddress
-}
-
-func (i *InterfaceState) IsUserspaceBind() bool {
-	return i.UserspaceBind
-}
-
-type ShutdownState struct {
-	InterfaceState *InterfaceState `json:"interface_state,omitempty"`
-}
-
-func (s *ShutdownState) Name() string {
-	return "nftables_state"
-}
-
-func (s *ShutdownState) Cleanup() error {
-	nft, err := Create(s.InterfaceState)
-	if err != nil {
-		return fmt.Errorf("create nftables manager: %w", err)
-	}
-
-	if err := nft.Reset(nil); err != nil {
-		return fmt.Errorf("reset nftables manager: %w", err)
-	}
-
-	return nil
-}
--- a/client/firewall/test/cases_linux.go
+++ b/client/firewall/test/cases_linux.go
@@ -1,10 +1,8 @@
+//go:build !android
+
 package test

-import (
-	"net/netip"
-
-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-)
+import firewall "github.com/netbirdio/netbird/client/firewall/manager"

 var (
 	InsertRuleTestCases = []struct {
@@ -15,8 +13,8 @@ var (
 			Name: "Insert Forwarding IPV4 Rule",
 			InputPair: firewall.RouterPair{
 				ID:          "zxa",
-				Source:      netip.MustParsePrefix("100.100.100.1/32"),
-				Destination: netip.MustParsePrefix("100.100.200.0/24"),
+				Source:      "100.100.100.1/32",
+				Destination: "100.100.200.0/24",
 				Masquerade:  false,
 			},
 		},
@@ -24,8 +22,8 @@ var (
 			Name: "Insert Forwarding And Nat IPV4 Rules",
 			InputPair: firewall.RouterPair{
 				ID:          "zxa",
-				Source:      netip.MustParsePrefix("100.100.100.1/32"),
-				Destination: netip.MustParsePrefix("100.100.200.0/24"),
+				Source:      "100.100.100.1/32",
+				Destination: "100.100.200.0/24",
 				Masquerade:  true,
 			},
 		},
@@ -40,8 +38,8 @@ var (
 			Name: "Remove Forwarding And Nat IPV4 Rules",
 			InputPair: firewall.RouterPair{
 				ID:          "zxa",
-				Source:      netip.MustParsePrefix("100.100.100.1/32"),
-				Destination: netip.MustParsePrefix("100.100.200.0/24"),
+				Source:      "100.100.100.1/32",
+				Destination: "100.100.200.0/24",
 				Masquerade:  true,
 			},
 		},
--- a/client/firewall/uspfilter/allow_netbird.go
+++ b/client/firewall/uspfilter/allow_netbird.go
@@ -2,36 +2,16 @@

 package uspfilter

-import (
-	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
-	"github.com/netbirdio/netbird/client/internal/statemanager"
-)
-
 // Reset firewall to the default state
-func (m *Manager) Reset(stateManager *statemanager.Manager) error {
+func (m *Manager) Reset() error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

 	m.outgoingRules = make(map[string]RuleSet)
 	m.incomingRules = make(map[string]RuleSet)

-	if m.udpTracker != nil {
-		m.udpTracker.Close()
-		m.udpTracker = conntrack.NewUDPTracker(conntrack.DefaultUDPTimeout)
-	}
-
-	if m.icmpTracker != nil {
-		m.icmpTracker.Close()
-		m.icmpTracker = conntrack.NewICMPTracker(conntrack.DefaultICMPTimeout)
-	}
-
-	if m.tcpTracker != nil {
-		m.tcpTracker.Close()
-		m.tcpTracker = conntrack.NewTCPTracker(conntrack.DefaultTCPTimeout)
-	}
-
 	if m.nativeFirewall != nil {
-		return m.nativeFirewall.Reset(stateManager)
+		return m.nativeFirewall.Reset()
 	}
 	return nil
 }
--- a/client/firewall/uspfilter/allow_netbird_windows.go
+++ b/client/firewall/uspfilter/allow_netbird_windows.go
@@ -6,9 +6,6 @@ import (
 	"syscall"

 	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
-	"github.com/netbirdio/netbird/client/internal/statemanager"
 )

 type action string
@@ -20,28 +17,13 @@ const (
 )

 // Reset firewall to the default state
-func (m *Manager) Reset(*statemanager.Manager) error {
+func (m *Manager) Reset() error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

 	m.outgoingRules = make(map[string]RuleSet)
 	m.incomingRules = make(map[string]RuleSet)

-	if m.udpTracker != nil {
-		m.udpTracker.Close()
-		m.udpTracker = conntrack.NewUDPTracker(conntrack.DefaultUDPTimeout)
-	}
-
-	if m.icmpTracker != nil {
-		m.icmpTracker.Close()
-		m.icmpTracker = conntrack.NewICMPTracker(conntrack.DefaultICMPTimeout)
-	}
-
-	if m.tcpTracker != nil {
-		m.tcpTracker.Close()
-		m.tcpTracker = conntrack.NewTCPTracker(conntrack.DefaultTCPTimeout)
-	}
-
 	if !isWindowsFirewallReachable() {
 		return nil
 	}
--- a/client/firewall/uspfilter/conntrack/common.go
+++ b/client/firewall/uspfilter/conntrack/common.go
@@ -1,137 +0,0 @@
-// common.go
-package conntrack
-
-import (
-	"net"
-	"sync"
-	"sync/atomic"
-	"time"
-)
-
-// BaseConnTrack provides common fields and locking for all connection types
-type BaseConnTrack struct {
-	SourceIP    net.IP
-	DestIP      net.IP
-	SourcePort  uint16
-	DestPort    uint16
-	lastSeen    atomic.Int64 // Unix nano for atomic access
-	established atomic.Bool
-}
-
-// these small methods will be inlined by the compiler
-
-// UpdateLastSeen safely updates the last seen timestamp
-func (b *BaseConnTrack) UpdateLastSeen() {
-	b.lastSeen.Store(time.Now().UnixNano())
-}
-
-// IsEstablished safely checks if connection is established
-func (b *BaseConnTrack) IsEstablished() bool {
-	return b.established.Load()
-}
-
-// SetEstablished safely sets the established state
-func (b *BaseConnTrack) SetEstablished(state bool) {
-	b.established.Store(state)
-}
-
-// GetLastSeen safely gets the last seen timestamp
-func (b *BaseConnTrack) GetLastSeen() time.Time {
-	return time.Unix(0, b.lastSeen.Load())
-}
-
-// timeoutExceeded checks if the connection has exceeded the given timeout
-func (b *BaseConnTrack) timeoutExceeded(timeout time.Duration) bool {
-	lastSeen := time.Unix(0, b.lastSeen.Load())
-	return time.Since(lastSeen) > timeout
-}
-
-// IPAddr is a fixed-size IP address to avoid allocations
-type IPAddr [16]byte
-
-// MakeIPAddr creates an IPAddr from net.IP
-func MakeIPAddr(ip net.IP) (addr IPAddr) {
-	// Optimization: check for v4 first as it's more common
-	if ip4 := ip.To4(); ip4 != nil {
-		copy(addr[12:], ip4)
-	} else {
-		copy(addr[:], ip.To16())
-	}
-	return addr
-}
-
-// ConnKey uniquely identifies a connection
-type ConnKey struct {
-	SrcIP   IPAddr
-	DstIP   IPAddr
-	SrcPort uint16
-	DstPort uint16
-}
-
-// makeConnKey creates a connection key
-func makeConnKey(srcIP net.IP, dstIP net.IP, srcPort uint16, dstPort uint16) ConnKey {
-	return ConnKey{
-		SrcIP:   MakeIPAddr(srcIP),
-		DstIP:   MakeIPAddr(dstIP),
-		SrcPort: srcPort,
-		DstPort: dstPort,
-	}
-}
-
-// ValidateIPs checks if IPs match without allocation
-func ValidateIPs(connIP IPAddr, pktIP net.IP) bool {
-	if ip4 := pktIP.To4(); ip4 != nil {
-		// Compare IPv4 addresses (last 4 bytes)
-		for i := 0; i < 4; i++ {
-			if connIP[12+i] != ip4[i] {
-				return false
-			}
-		}
-		return true
-	}
-	// Compare full IPv6 addresses
-	ip6 := pktIP.To16()
-	for i := 0; i < 16; i++ {
-		if connIP[i] != ip6[i] {
-			return false
-		}
-	}
-	return true
-}
-
-// PreallocatedIPs is a pool of IP byte slices to reduce allocations
-type PreallocatedIPs struct {
-	sync.Pool
-}
-
-// NewPreallocatedIPs creates a new IP pool
-func NewPreallocatedIPs() *PreallocatedIPs {
-	return &PreallocatedIPs{
-		Pool: sync.Pool{
-			New: func() interface{} {
-				ip := make(net.IP, 16)
-				return &ip
-			},
-		},
-	}
-}
-
-// Get retrieves an IP from the pool
-func (p *PreallocatedIPs) Get() net.IP {
-	return *p.Pool.Get().(*net.IP)
-}
-
-// Put returns an IP to the pool
-func (p *PreallocatedIPs) Put(ip net.IP) {
-	p.Pool.Put(&ip)
-}
-
-// copyIP copies an IP address efficiently
-func copyIP(dst, src net.IP) {
-	if len(src) == 16 {
-		copy(dst, src)
-	} else {
-		// Handle IPv4
-		copy(dst[12:], src.To4())
-	}
-}
--- a/client/firewall/uspfilter/conntrack/common_test.go
+++ b/client/firewall/uspfilter/conntrack/common_test.go
@@ -1,115 +0,0 @@
-package conntrack
-
-import (
-	"net"
-	"testing"
-)
-
-func BenchmarkIPOperations(b *testing.B) {
-	b.Run("MakeIPAddr", func(b *testing.B) {
-		ip := net.ParseIP("192.168.1.1")
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			_ = MakeIPAddr(ip)
-		}
-	})
-
-	b.Run("ValidateIPs", func(b *testing.B) {
-		ip1 := net.ParseIP("192.168.1.1")
-		ip2 := net.ParseIP("192.168.1.1")
-		addr := MakeIPAddr(ip1)
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			_ = ValidateIPs(addr, ip2)
-		}
-	})
-
-	b.Run("IPPool", func(b *testing.B) {
-		pool := NewPreallocatedIPs()
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			ip := pool.Get()
-			pool.Put(ip)
-		}
-	})
-
-}
-func BenchmarkAtomicOperations(b *testing.B) {
-	conn := &BaseConnTrack{}
-	b.Run("UpdateLastSeen", func(b *testing.B) {
-		for i := 0; i < b.N; i++ {
-			conn.UpdateLastSeen()
-		}
-	})
-
-	b.Run("IsEstablished", func(b *testing.B) {
-		for i := 0; i < b.N; i++ {
-			_ = conn.IsEstablished()
-		}
-	})
-
-	b.Run("SetEstablished", func(b *testing.B) {
-		for i := 0; i < b.N; i++ {
-			conn.SetEstablished(i%2 == 0)
-		}
-	})
-
-	b.Run("GetLastSeen", func(b *testing.B) {
-		for i := 0; i < b.N; i++ {
-			_ = conn.GetLastSeen()
-		}
-	})
-}
-
-// Memory pressure tests
-func BenchmarkMemoryPressure(b *testing.B) {
-	b.Run("TCPHighLoad", func(b *testing.B) {
-		tracker := NewTCPTracker(DefaultTCPTimeout)
-		defer tracker.Close()
-
-		// Generate different IPs
-		srcIPs := make([]net.IP, 100)
-		dstIPs := make([]net.IP, 100)
-		for i := 0; i < 100; i++ {
-			srcIPs[i] = net.IPv4(192, 168, byte(i/256), byte(i%256))
-			dstIPs[i] = net.IPv4(10, 0, byte(i/256), byte(i%256))
-		}
-
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			srcIdx := i % len(srcIPs)
-			dstIdx := (i + 1) % len(dstIPs)
-			tracker.TrackOutbound(srcIPs[srcIdx], dstIPs[dstIdx], uint16(i%65535), 80, TCPSyn)
-
-			// Simulate some valid inbound packets
-			if i%3 == 0 {
-				tracker.IsValidInbound(dstIPs[dstIdx], srcIPs[srcIdx], 80, uint16(i%65535), TCPAck)
-			}
-		}
-	})
-
-	b.Run("UDPHighLoad", func(b *testing.B) {
-		tracker := NewUDPTracker(DefaultUDPTimeout)
-		defer tracker.Close()
-
-		// Generate different IPs
-		srcIPs := make([]net.IP, 100)
-		dstIPs := make([]net.IP, 100)
-		for i := 0; i < 100; i++ {
-			srcIPs[i] = net.IPv4(192, 168, byte(i/256), byte(i%256))
-			dstIPs[i] = net.IPv4(10, 0, byte(i/256), byte(i%256))
-		}
-
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			srcIdx := i % len(srcIPs)
-			dstIdx := (i + 1) % len(dstIPs)
-			tracker.TrackOutbound(srcIPs[srcIdx], dstIPs[dstIdx], uint16(i%65535), 80)
-
-			// Simulate some valid inbound packets
-			if i%3 == 0 {
-				tracker.IsValidInbound(dstIPs[dstIdx], srcIPs[srcIdx], 80, uint16(i%65535))
-			}
-		}
-	})
-}
--- a/client/firewall/uspfilter/conntrack/icmp.go
+++ b/client/firewall/uspfilter/conntrack/icmp.go
@@ -1,170 +0,0 @@
-package conntrack
-
-import (
-	"net"
-	"sync"
-	"time"
-
-	"github.com/google/gopacket/layers"
-)
-
-const (
-	// DefaultICMPTimeout is the default timeout for ICMP connections
-	DefaultICMPTimeout = 30 * time.Second
-	// ICMPCleanupInterval is how often we check for stale ICMP connections
-	ICMPCleanupInterval = 15 * time.Second
-)
-
-// ICMPConnKey uniquely identifies an ICMP connection
-type ICMPConnKey struct {
-	// Supports both IPv4 and IPv6
-	SrcIP    [16]byte
-	DstIP    [16]byte
-	Sequence uint16 // ICMP sequence number
-	ID       uint16 // ICMP identifier
-}
-
-// ICMPConnTrack represents an ICMP connection state
-type ICMPConnTrack struct {
-	BaseConnTrack
-	Sequence uint16
-	ID       uint16
-}
-
-// ICMPTracker manages ICMP connection states
-type ICMPTracker struct {
-	connections   map[ICMPConnKey]*ICMPConnTrack
-	timeout       time.Duration
-	cleanupTicker *time.Ticker
-	mutex         sync.RWMutex
-	done          chan struct{}
-	ipPool        *PreallocatedIPs
-}
-
-// NewICMPTracker creates a new ICMP connection tracker
-func NewICMPTracker(timeout time.Duration) *ICMPTracker {
-	if timeout == 0 {
-		timeout = DefaultICMPTimeout
-	}
-
-	tracker := &ICMPTracker{
-		connections:   make(map[ICMPConnKey]*ICMPConnTrack),
-		timeout:       timeout,
-		cleanupTicker: time.NewTicker(ICMPCleanupInterval),
-		done:          make(chan struct{}),
-		ipPool:        NewPreallocatedIPs(),
-	}
-
-	go tracker.cleanupRoutine()
-	return tracker
-}
-
-// TrackOutbound records an outbound ICMP Echo Request
-func (t *ICMPTracker) TrackOutbound(srcIP net.IP, dstIP net.IP, id uint16, seq uint16) {
-	key := makeICMPKey(srcIP, dstIP, id, seq)
-	now := time.Now().UnixNano()
-
-	t.mutex.Lock()
-	conn, exists := t.connections[key]
-	if !exists {
-		srcIPCopy := t.ipPool.Get()
-		dstIPCopy := t.ipPool.Get()
-		copyIP(srcIPCopy, srcIP)
-		copyIP(dstIPCopy, dstIP)
-
-		conn = &ICMPConnTrack{
-			BaseConnTrack: BaseConnTrack{
-				SourceIP: srcIPCopy,
-				DestIP:   dstIPCopy,
-			},
-			ID:       id,
-			Sequence: seq,
-		}
-		conn.lastSeen.Store(now)
-		conn.established.Store(true)
-		t.connections[key] = conn
-	}
-	t.mutex.Unlock()
-
-	conn.lastSeen.Store(now)
-}
-
-// IsValidInbound checks if an inbound ICMP Echo Reply matches a tracked request
-func (t *ICMPTracker) IsValidInbound(srcIP net.IP, dstIP net.IP, id uint16, seq uint16, icmpType uint8) bool {
-	switch icmpType {
-	case uint8(layers.ICMPv4TypeDestinationUnreachable),
-		uint8(layers.ICMPv4TypeTimeExceeded):
-		return true
-	case uint8(layers.ICMPv4TypeEchoReply):
-		// continue processing
-	default:
-		return false
-	}
-
-	key := makeICMPKey(dstIP, srcIP, id, seq)
-
-	t.mutex.RLock()
-	conn, exists := t.connections[key]
-	t.mutex.RUnlock()
-
-	if !exists {
-		return false
-	}
-
-	if conn.timeoutExceeded(t.timeout) {
-		return false
-	}
-
-	return conn.IsEstablished() &&
-		ValidateIPs(MakeIPAddr(srcIP), conn.DestIP) &&
-		ValidateIPs(MakeIPAddr(dstIP), conn.SourceIP) &&
-		conn.ID == id &&
-		conn.Sequence == seq
-}
-
-func (t *ICMPTracker) cleanupRoutine() {
-	for {
-		select {
-		case <-t.cleanupTicker.C:
-			t.cleanup()
-		case <-t.done:
-			return
-		}
-	}
-}
-func (t *ICMPTracker) cleanup() {
-	t.mutex.Lock()
-	defer t.mutex.Unlock()
-
-	for key, conn := range t.connections {
-		if conn.timeoutExceeded(t.timeout) {
-			t.ipPool.Put(conn.SourceIP)
-			t.ipPool.Put(conn.DestIP)
-			delete(t.connections, key)
-		}
-	}
-}
-
-// Close stops the cleanup routine and releases resources
-func (t *ICMPTracker) Close() {
-	t.cleanupTicker.Stop()
-	close(t.done)
-
-	t.mutex.Lock()
-	for _, conn := range t.connections {
-		t.ipPool.Put(conn.SourceIP)
-		t.ipPool.Put(conn.DestIP)
-	}
-	t.connections = nil
-	t.mutex.Unlock()
-}
-
-// makeICMPKey creates an ICMP connection key
-func makeICMPKey(srcIP net.IP, dstIP net.IP, id uint16, seq uint16) ICMPConnKey {
-	return ICMPConnKey{
-		SrcIP:    MakeIPAddr(srcIP),
-		DstIP:    MakeIPAddr(dstIP),
-		ID:       id,
-		Sequence: seq,
-	}
-}
--- a/client/firewall/uspfilter/conntrack/icmp_test.go
+++ b/client/firewall/uspfilter/conntrack/icmp_test.go
@@ -1,39 +0,0 @@
-package conntrack
-
-import (
-	"net"
-	"testing"
-)
-
-func BenchmarkICMPTracker(b *testing.B) {
-	b.Run("TrackOutbound", func(b *testing.B) {
-		tracker := NewICMPTracker(DefaultICMPTimeout)
-		defer tracker.Close()
-
-		srcIP := net.ParseIP("192.168.1.1")
-		dstIP := net.ParseIP("192.168.1.2")
-
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			tracker.TrackOutbound(srcIP, dstIP, uint16(i%65535), uint16(i%65535))
-		}
-	})
-
-	b.Run("IsValidInbound", func(b *testing.B) {
-		tracker := NewICMPTracker(DefaultICMPTimeout)
-		defer tracker.Close()
-
-		srcIP := net.ParseIP("192.168.1.1")
-		dstIP := net.ParseIP("192.168.1.2")
-
-		// Pre-populate some connections
-		for i := 0; i < 1000; i++ {
-			tracker.TrackOutbound(srcIP, dstIP, uint16(i), uint16(i))
-		}
-
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			tracker.IsValidInbound(dstIP, srcIP, uint16(i%1000), uint16(i%1000), 0)
-		}
-	})
-}
--- a/client/firewall/uspfilter/conntrack/tcp.go
+++ b/client/firewall/uspfilter/conntrack/tcp.go
@@ -1,352 +0,0 @@
-package conntrack
-
-// TODO: Send RST packets for invalid/timed-out connections
-
-import (
-	"net"
-	"sync"
-	"time"
-)
-
-const (
-	// MSL (Maximum Segment Lifetime) is typically 2 minutes
-	MSL = 2 * time.Minute
-	// TimeWaitTimeout (TIME-WAIT) should last 2*MSL
-	TimeWaitTimeout = 2 * MSL
-)
-
-const (
-	TCPSyn  uint8 = 0x02
-	TCPAck  uint8 = 0x10
-	TCPFin  uint8 = 0x01
-	TCPRst  uint8 = 0x04
-	TCPPush uint8 = 0x08
-	TCPUrg  uint8 = 0x20
-)
-
-const (
-	// DefaultTCPTimeout is the default timeout for established TCP connections
-	DefaultTCPTimeout = 3 * time.Hour
-	// TCPHandshakeTimeout is timeout for TCP handshake completion
-	TCPHandshakeTimeout = 60 * time.Second
-	// TCPCleanupInterval is how often we check for stale connections
-	TCPCleanupInterval = 5 * time.Minute
-)
-
-// TCPState represents the state of a TCP connection
-type TCPState int
-
-const (
-	TCPStateNew TCPState = iota
-	TCPStateSynSent
-	TCPStateSynReceived
-	TCPStateEstablished
-	TCPStateFinWait1
-	TCPStateFinWait2
-	TCPStateClosing
-	TCPStateTimeWait
-	TCPStateCloseWait
-	TCPStateLastAck
-	TCPStateClosed
-)
-
-// TCPConnKey uniquely identifies a TCP connection
-type TCPConnKey struct {
-	SrcIP   [16]byte
-	DstIP   [16]byte
-	SrcPort uint16
-	DstPort uint16
-}
-
-// TCPConnTrack represents a TCP connection state
-type TCPConnTrack struct {
-	BaseConnTrack
-	State TCPState
-	sync.RWMutex
-}
-
-// TCPTracker manages TCP connection states
-type TCPTracker struct {
-	connections   map[ConnKey]*TCPConnTrack
-	mutex         sync.RWMutex
-	cleanupTicker *time.Ticker
-	done          chan struct{}
-	timeout       time.Duration
-	ipPool        *PreallocatedIPs
-}
-
-// NewTCPTracker creates a new TCP connection tracker
-func NewTCPTracker(timeout time.Duration) *TCPTracker {
-	tracker := &TCPTracker{
-		connections:   make(map[ConnKey]*TCPConnTrack),
-		cleanupTicker: time.NewTicker(TCPCleanupInterval),
-		done:          make(chan struct{}),
-		timeout:       timeout,
-		ipPool:        NewPreallocatedIPs(),
-	}
-
-	go tracker.cleanupRoutine()
-	return tracker
-}
-
-// TrackOutbound processes an outbound TCP packet and updates connection state
-func (t *TCPTracker) TrackOutbound(srcIP net.IP, dstIP net.IP, srcPort uint16, dstPort uint16, flags uint8) {
-	// Create key before lock
-	key := makeConnKey(srcIP, dstIP, srcPort, dstPort)
-	now := time.Now().UnixNano()
-
-	t.mutex.Lock()
-	conn, exists := t.connections[key]
-	if !exists {
-		// Use preallocated IPs
-		srcIPCopy := t.ipPool.Get()
-		dstIPCopy := t.ipPool.Get()
-		copyIP(srcIPCopy, srcIP)
-		copyIP(dstIPCopy, dstIP)
-
-		conn = &TCPConnTrack{
-			BaseConnTrack: BaseConnTrack{
-				SourceIP:   srcIPCopy,
-				DestIP:     dstIPCopy,
-				SourcePort: srcPort,
-				DestPort:   dstPort,
-			},
-			State: TCPStateNew,
-		}
-		conn.lastSeen.Store(now)
-		conn.established.Store(false)
-		t.connections[key] = conn
-	}
-	t.mutex.Unlock()
-
-	// Lock individual connection for state update
-	conn.Lock()
-	t.updateState(conn, flags, true)
-	conn.Unlock()
-	conn.lastSeen.Store(now)
-}
-
-// IsValidInbound checks if an inbound TCP packet matches a tracked connection
-func (t *TCPTracker) IsValidInbound(srcIP net.IP, dstIP net.IP, srcPort uint16, dstPort uint16, flags uint8) bool {
-	if !isValidFlagCombination(flags) {
-		return false
-	}
-
-	key := makeConnKey(dstIP, srcIP, dstPort, srcPort)
-
-	t.mutex.RLock()
-	conn, exists := t.connections[key]
-	t.mutex.RUnlock()
-
-	if !exists {
-		return false
-	}
-
-	// Handle RST packets
-	if flags&TCPRst != 0 {
-		conn.Lock()
-		if conn.IsEstablished() || conn.State == TCPStateSynSent || conn.State == TCPStateSynReceived {
-			conn.State = TCPStateClosed
-			conn.SetEstablished(false)
-			conn.Unlock()
-			return true
-		}
-		conn.Unlock()
-		return false
-	}
-
-	conn.Lock()
-	t.updateState(conn, flags, false)
-	conn.UpdateLastSeen()
-	isEstablished := conn.IsEstablished()
-	isValidState := t.isValidStateForFlags(conn.State, flags)
-	conn.Unlock()
-
-	return isEstablished || isValidState
-}
-
-// updateState updates the TCP connection state based on flags
-func (t *TCPTracker) updateState(conn *TCPConnTrack, flags uint8, isOutbound bool) {
-	// Handle RST flag specially - it always causes transition to closed
-	if flags&TCPRst != 0 {
-		conn.State = TCPStateClosed
-		conn.SetEstablished(false)
-		return
-	}
-
-	switch conn.State {
-	case TCPStateNew:
-		if flags&TCPSyn != 0 && flags&TCPAck == 0 {
-			conn.State = TCPStateSynSent
-		}
-
-	case TCPStateSynSent:
-		if flags&TCPSyn != 0 && flags&TCPAck != 0 {
-			if isOutbound {
-				conn.State = TCPStateSynReceived
-			} else {
-				// Simultaneous open
-				conn.State = TCPStateEstablished
-				conn.SetEstablished(true)
-			}
-		}
-
-	case TCPStateSynReceived:
-		if flags&TCPAck != 0 && flags&TCPSyn == 0 {
-			conn.State = TCPStateEstablished
-			conn.SetEstablished(true)
-		}
-
-	case TCPStateEstablished:
-		if flags&TCPFin != 0 {
-			if isOutbound {
-				conn.State = TCPStateFinWait1
-			} else {
-				conn.State = TCPStateCloseWait
-			}
-			conn.SetEstablished(false)
-		}
-
-	case TCPStateFinWait1:
-		switch {
-		case flags&TCPFin != 0 && flags&TCPAck != 0:
-			// Simultaneous close - both sides sent FIN
-			conn.State = TCPStateClosing
-		case flags&TCPFin != 0:
-			conn.State = TCPStateFinWait2
-		case flags&TCPAck != 0:
-			conn.State = TCPStateFinWait2
-		}
-
-	case TCPStateFinWait2:
-		if flags&TCPFin != 0 {
-			conn.State = TCPStateTimeWait
-		}
-
-	case TCPStateClosing:
-		if flags&TCPAck != 0 {
-			conn.State = TCPStateTimeWait
-			// Keep established = false from previous state
-		}
-
-	case TCPStateCloseWait:
-		if flags&TCPFin != 0 {
-			conn.State = TCPStateLastAck
-		}
-
-	case TCPStateLastAck:
-		if flags&TCPAck != 0 {
-			conn.State = TCPStateClosed
-		}
-
-	case TCPStateTimeWait:
-		// Stay in TIME-WAIT for 2MSL before transitioning to closed
-		// This is handled by the cleanup routine
-	}
-}
-
-// isValidStateForFlags checks if the TCP flags are valid for the current connection state
-func (t *TCPTracker) isValidStateForFlags(state TCPState, flags uint8) bool {
-	if !isValidFlagCombination(flags) {
-		return false
-	}
-
-	switch state {
-	case TCPStateNew:
-		return flags&TCPSyn != 0 && flags&TCPAck == 0
-	case TCPStateSynSent:
-		return flags&TCPSyn != 0 && flags&TCPAck != 0
-	case TCPStateSynReceived:
-		return flags&TCPAck != 0
-	case TCPStateEstablished:
-		if flags&TCPRst != 0 {
-			return true
-		}
-		return flags&TCPAck != 0
-	case TCPStateFinWait1:
-		return flags&TCPFin != 0 || flags&TCPAck != 0
-	case TCPStateFinWait2:
-		return flags&TCPFin != 0 || flags&TCPAck != 0
-	case TCPStateClosing:
-		// In CLOSING state, we should accept the final ACK
-		return flags&TCPAck != 0
-	case TCPStateTimeWait:
-		// In TIME_WAIT, we might see retransmissions
-		return flags&TCPAck != 0
-	case TCPStateCloseWait:
-		return flags&TCPFin != 0 || flags&TCPAck != 0
-	case TCPStateLastAck:
-		return flags&TCPAck != 0
-	case TCPStateClosed:
-		// Accept retransmitted ACKs in closed state
-		// This is important because the final ACK might be lost
-		// and the peer will retransmit their FIN-ACK
-		return flags&TCPAck != 0
-	}
-	return false
-}
-
-func (t *TCPTracker) cleanupRoutine() {
-	for {
-		select {
-		case <-t.cleanupTicker.C:
-			t.cleanup()
-		case <-t.done:
-			return
-		}
-	}
-}
-
-func (t *TCPTracker) cleanup() {
-	t.mutex.Lock()
-	defer t.mutex.Unlock()
-
-	for key, conn := range t.connections {
-		var timeout time.Duration
-		switch {
-		case conn.State == TCPStateTimeWait:
-			timeout = TimeWaitTimeout
-		case conn.IsEstablished():
-			timeout = t.timeout
-		default:
-			timeout = TCPHandshakeTimeout
-		}
-
-		lastSeen := conn.GetLastSeen()
-		if time.Since(lastSeen) > timeout {
-			// Return IPs to pool
-			t.ipPool.Put(conn.SourceIP)
-			t.ipPool.Put(conn.DestIP)
-			delete(t.connections, key)
-		}
-	}
-}
-
-// Close stops the cleanup routine and releases resources
-func (t *TCPTracker) Close() {
-	t.cleanupTicker.Stop()
-	close(t.done)
-
-	// Clean up all remaining IPs
-	t.mutex.Lock()
-	for _, conn := range t.connections {
-		t.ipPool.Put(conn.SourceIP)
-		t.ipPool.Put(conn.DestIP)
-	}
-	t.connections = nil
-	t.mutex.Unlock()
-}
-
-func isValidFlagCombination(flags uint8) bool {
-	// Invalid: SYN+FIN
-	if flags&TCPSyn != 0 && flags&TCPFin != 0 {
-		return false
-	}
-
-	// Invalid: RST with SYN or FIN
-	if flags&TCPRst != 0 && (flags&TCPSyn != 0 || flags&TCPFin != 0) {
-		return false
-	}
-
-	return true
-}
--- a/client/firewall/uspfilter/conntrack/tcp_test.go
+++ b/client/firewall/uspfilter/conntrack/tcp_test.go
@@ -1,308 +0,0 @@
-package conntrack
-
-import (
-	"net"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestTCPStateMachine(t *testing.T) {
-	tracker := NewTCPTracker(DefaultTCPTimeout)
-	defer tracker.Close()
-
-	srcIP := net.ParseIP("100.64.0.1")
-	dstIP := net.ParseIP("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-
-	t.Run("Security Tests", func(t *testing.T) {
-		tests := []struct {
-			name     string
-			flags    uint8
-			wantDrop bool
-			desc     string
-		}{
-			{
-				name:     "Block unsolicited SYN-ACK",
-				flags:    TCPSyn | TCPAck,
-				wantDrop: true,
-				desc:     "Should block SYN-ACK without prior SYN",
-			},
-			{
-				name:     "Block invalid SYN-FIN",
-				flags:    TCPSyn | TCPFin,
-				wantDrop: true,
-				desc:     "Should block invalid SYN-FIN combination",
-			},
-			{
-				name:     "Block unsolicited RST",
-				flags:    TCPRst,
-				wantDrop: true,
-				desc:     "Should block RST without connection",
-			},
-			{
-				name:     "Block unsolicited ACK",
-				flags:    TCPAck,
-				wantDrop: true,
-				desc:     "Should block ACK without connection",
-			},
-			{
-				name:     "Block data without connection",
-				flags:    TCPAck | TCPPush,
-				wantDrop: true,
-				desc:     "Should block data without established connection",
-			},
-		}
-
-		for _, tt := range tests {
-			t.Run(tt.name, func(t *testing.T) {
-				isValid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, tt.flags)
-				require.Equal(t, !tt.wantDrop, isValid, tt.desc)
-			})
-		}
-	})
-
-	t.Run("Connection Flow Tests", func(t *testing.T) {
-		tests := []struct {
-			name string
-			test func(*testing.T)
-			desc string
-		}{
-			{
-				name: "Normal Handshake",
-				test: func(t *testing.T) {
-					t.Helper()
-
-					// Send initial SYN
-					tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn)
-
-					// Receive SYN-ACK
-					valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck)
-					require.True(t, valid, "SYN-ACK should be allowed")
-
-					// Send ACK
-					tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck)
-
-					// Test data transfer
-					valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPPush|TCPAck)
-					require.True(t, valid, "Data should be allowed after handshake")
-				},
-			},
-			{
-				name: "Normal Close",
-				test: func(t *testing.T) {
-					t.Helper()
-
-					// First establish connection
-					establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-					// Send FIN
-					tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck)
-
-					// Receive ACK for FIN
-					valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck)
-					require.True(t, valid, "ACK for FIN should be allowed")
-
-					// Receive FIN from other side
-					valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck)
-					require.True(t, valid, "FIN should be allowed")
-
-					// Send final ACK
-					tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck)
-				},
-			},
-			{
-				name: "RST During Connection",
-				test: func(t *testing.T) {
-					t.Helper()
-
-					// First establish connection
-					establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-					// Receive RST
-					valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPRst)
-					require.True(t, valid, "RST should be allowed for established connection")
-
-					// Connection is logically dead but we don't enforce blocking subsequent packets
-					// The connection will be cleaned up by timeout
-				},
-			},
-			{
-				name: "Simultaneous Close",
-				test: func(t *testing.T) {
-					t.Helper()
-
-					// First establish connection
-					establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-					// Both sides send FIN+ACK
-					tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck)
-					valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck)
-					require.True(t, valid, "Simultaneous FIN should be allowed")
-
-					// Both sides send final ACK
-					tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck)
-					valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck)
-					require.True(t, valid, "Final ACKs should be allowed")
-				},
-			},
-		}
-
-		for _, tt := range tests {
-			t.Run(tt.name, func(t *testing.T) {
-				t.Helper()
-
-				tracker = NewTCPTracker(DefaultTCPTimeout)
-				tt.test(t)
-			})
-		}
-	})
-}
-
-func TestRSTHandling(t *testing.T) {
-	tracker := NewTCPTracker(DefaultTCPTimeout)
-	defer tracker.Close()
-
-	srcIP := net.ParseIP("100.64.0.1")
-	dstIP := net.ParseIP("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-
-	tests := []struct {
-		name       string
-		setupState func()
-		sendRST    func()
-		wantValid  bool
-		desc       string
-	}{
-		{
-			name: "RST in established",
-			setupState: func() {
-				// Establish connection first
-				tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn)
-				tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck)
-				tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck)
-			},
-			sendRST: func() {
-				tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPRst)
-			},
-			wantValid: true,
-			desc:      "Should accept RST for established connection",
-		},
-		{
-			name:       "RST without connection",
-			setupState: func() {},
-			sendRST: func() {
-				tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPRst)
-			},
-			wantValid: false,
-			desc:      "Should reject RST without connection",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			tt.setupState()
-			tt.sendRST()
-
-			// Verify connection state is as expected
-			key := makeConnKey(srcIP, dstIP, srcPort, dstPort)
-			conn := tracker.connections[key]
-			if tt.wantValid {
-				require.NotNil(t, conn)
-				require.Equal(t, TCPStateClosed, conn.State)
-				require.False(t, conn.IsEstablished())
-			}
-		})
-	}
-}
-
-// Helper to establish a TCP connection
-func establishConnection(t *testing.T, tracker *TCPTracker, srcIP, dstIP net.IP, srcPort, dstPort uint16) {
-	t.Helper()
-
-	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn)
-
-	valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck)
-	require.True(t, valid, "SYN-ACK should be allowed")
-
-	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck)
-}
-
-func BenchmarkTCPTracker(b *testing.B) {
-	b.Run("TrackOutbound", func(b *testing.B) {
-		tracker := NewTCPTracker(DefaultTCPTimeout)
-		defer tracker.Close()
-
-		srcIP := net.ParseIP("192.168.1.1")
-		dstIP := net.ParseIP("192.168.1.2")
-
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			tracker.TrackOutbound(srcIP, dstIP, uint16(i%65535), 80, TCPSyn)
-		}
-	})
-
-	b.Run("IsValidInbound", func(b *testing.B) {
-		tracker := NewTCPTracker(DefaultTCPTimeout)
-		defer tracker.Close()
-
-		srcIP := net.ParseIP("192.168.1.1")
-		dstIP := net.ParseIP("192.168.1.2")
-
-		// Pre-populate some connections
-		for i := 0; i < 1000; i++ {
-			tracker.TrackOutbound(srcIP, dstIP, uint16(i), 80, TCPSyn)
-		}
-
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			tracker.IsValidInbound(dstIP, srcIP, 80, uint16(i%1000), TCPAck)
-		}
-	})
-
-	b.Run("ConcurrentAccess", func(b *testing.B) {
-		tracker := NewTCPTracker(DefaultTCPTimeout)
-		defer tracker.Close()
-
-		srcIP := net.ParseIP("192.168.1.1")
-		dstIP := net.ParseIP("192.168.1.2")
-
-		b.RunParallel(func(pb *testing.PB) {
-			i := 0
-			for pb.Next() {
-				if i%2 == 0 {
-					tracker.TrackOutbound(srcIP, dstIP, uint16(i%65535), 80, TCPSyn)
-				} else {
-					tracker.IsValidInbound(dstIP, srcIP, 80, uint16(i%65535), TCPAck)
-				}
-				i++
-			}
-		})
-	})
-}
-
-// Benchmark connection cleanup
-func BenchmarkCleanup(b *testing.B) {
-	b.Run("TCPCleanup", func(b *testing.B) {
-		tracker := NewTCPTracker(100 * time.Millisecond) // Short timeout for testing
-		defer tracker.Close()
-
-		// Pre-populate with expired connections
-		srcIP := net.ParseIP("192.168.1.1")
-		dstIP := net.ParseIP("192.168.1.2")
-		for i := 0; i < 10000; i++ {
-			tracker.TrackOutbound(srcIP, dstIP, uint16(i), 80, TCPSyn)
-		}
-
-		// Wait for connections to expire
-		time.Sleep(200 * time.Millisecond)
-
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			tracker.cleanup()
-		}
-	})
-}
--- a/client/firewall/uspfilter/conntrack/udp.go
+++ b/client/firewall/uspfilter/conntrack/udp.go
@@ -1,158 +0,0 @@
-package conntrack
-
-import (
-	"net"
-	"sync"
-	"time"
-)
-
-const (
-	// DefaultUDPTimeout is the default timeout for UDP connections
-	DefaultUDPTimeout = 30 * time.Second
-	// UDPCleanupInterval is how often we check for stale connections
-	UDPCleanupInterval = 15 * time.Second
-)
-
-// UDPConnTrack represents a UDP connection state
-type UDPConnTrack struct {
-	BaseConnTrack
-}
-
-// UDPTracker manages UDP connection states
-type UDPTracker struct {
-	connections   map[ConnKey]*UDPConnTrack
-	timeout       time.Duration
-	cleanupTicker *time.Ticker
-	mutex         sync.RWMutex
-	done          chan struct{}
-	ipPool        *PreallocatedIPs
-}
-
-// NewUDPTracker creates a new UDP connection tracker
-func NewUDPTracker(timeout time.Duration) *UDPTracker {
-	if timeout == 0 {
-		timeout = DefaultUDPTimeout
-	}
-
-	tracker := &UDPTracker{
-		connections:   make(map[ConnKey]*UDPConnTrack),
-		timeout:       timeout,
-		cleanupTicker: time.NewTicker(UDPCleanupInterval),
-		done:          make(chan struct{}),
-		ipPool:        NewPreallocatedIPs(),
-	}
-
-	go tracker.cleanupRoutine()
-	return tracker
-}
-
-// TrackOutbound records an outbound UDP connection
-func (t *UDPTracker) TrackOutbound(srcIP net.IP, dstIP net.IP, srcPort uint16, dstPort uint16) {
-	key := makeConnKey(srcIP, dstIP, srcPort, dstPort)
-	now := time.Now().UnixNano()
-
-	t.mutex.Lock()
-	conn, exists := t.connections[key]
-	if !exists {
-		srcIPCopy := t.ipPool.Get()
-		dstIPCopy := t.ipPool.Get()
-		copyIP(srcIPCopy, srcIP)
-		copyIP(dstIPCopy, dstIP)
-
-		conn = &UDPConnTrack{
-			BaseConnTrack: BaseConnTrack{
-				SourceIP:   srcIPCopy,
-				DestIP:     dstIPCopy,
-				SourcePort: srcPort,
-				DestPort:   dstPort,
-			},
-		}
-		conn.lastSeen.Store(now)
-		conn.established.Store(true)
-		t.connections[key] = conn
-	}
-	t.mutex.Unlock()
-
-	conn.lastSeen.Store(now)
-}
-
-// IsValidInbound checks if an inbound packet matches a tracked connection
-func (t *UDPTracker) IsValidInbound(srcIP net.IP, dstIP net.IP, srcPort uint16, dstPort uint16) bool {
-	key := makeConnKey(dstIP, srcIP, dstPort, srcPort)
-
-	t.mutex.RLock()
-	conn, exists := t.connections[key]
-	t.mutex.RUnlock()
-
-	if !exists {
-		return false
-	}
-
-	if conn.timeoutExceeded(t.timeout) {
-		return false
-	}
-
-	return conn.IsEstablished() &&
-		ValidateIPs(MakeIPAddr(srcIP), conn.DestIP) &&
-		ValidateIPs(MakeIPAddr(dstIP), conn.SourceIP) &&
-		conn.DestPort == srcPort &&
-		conn.SourcePort == dstPort
-}
-
-// cleanupRoutine periodically removes stale connections
-func (t *UDPTracker) cleanupRoutine() {
-	for {
-		select {
-		case <-t.cleanupTicker.C:
-			t.cleanup()
-		case <-t.done:
-			return
-		}
-	}
-}
-
-func (t *UDPTracker) cleanup() {
-	t.mutex.Lock()
-	defer t.mutex.Unlock()
-
-	for key, conn := range t.connections {
-		if conn.timeoutExceeded(t.timeout) {
-			t.ipPool.Put(conn.SourceIP)
-			t.ipPool.Put(conn.DestIP)
-			delete(t.connections, key)
-		}
-	}
-}
-
-// Close stops the cleanup routine and releases resources
-func (t *UDPTracker) Close() {
-	t.cleanupTicker.Stop()
-	close(t.done)
-
-	t.mutex.Lock()
-	for _, conn := range t.connections {
-		t.ipPool.Put(conn.SourceIP)
-		t.ipPool.Put(conn.DestIP)
-	}
-	t.connections = nil
-	t.mutex.Unlock()
-}
-
-// GetConnection safely retrieves a connection state
-func (t *UDPTracker) GetConnection(srcIP net.IP, srcPort uint16, dstIP net.IP, dstPort uint16) (*UDPConnTrack, bool) {
-	t.mutex.RLock()
-	defer t.mutex.RUnlock()
-
-	key := makeConnKey(srcIP, dstIP, srcPort, dstPort)
-	conn, exists := t.connections[key]
-	if !exists {
-		return nil, false
-	}
-
-	return conn, true
-}
-
-// Timeout returns the configured timeout duration for the tracker
-func (t *UDPTracker) Timeout() time.Duration {
-	return t.timeout
-}
--- a/client/firewall/uspfilter/conntrack/udp_test.go
+++ b/client/firewall/uspfilter/conntrack/udp_test.go
@@ -1,243 +0,0 @@
-package conntrack
-
-import (
-	"net"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestNewUDPTracker(t *testing.T) {
-	tests := []struct {
-		name        string
-		timeout     time.Duration
-		wantTimeout time.Duration
-	}{
-		{
-			name:        "with custom timeout",
-			timeout:     1 * time.Minute,
-			wantTimeout: 1 * time.Minute,
-		},
-		{
-			name:        "with zero timeout uses default",
-			timeout:     0,
-			wantTimeout: DefaultUDPTimeout,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			tracker := NewUDPTracker(tt.timeout)
-			assert.NotNil(t, tracker)
-			assert.Equal(t, tt.wantTimeout, tracker.timeout)
-			assert.NotNil(t, tracker.connections)
-			assert.NotNil(t, tracker.cleanupTicker)
-			assert.NotNil(t, tracker.done)
-		})
-	}
-}
-
-func TestUDPTracker_TrackOutbound(t *testing.T) {
-	tracker := NewUDPTracker(DefaultUDPTimeout)
-	defer tracker.Close()
-
-	srcIP := net.ParseIP("192.168.1.2")
-	dstIP := net.ParseIP("192.168.1.3")
-	srcPort := uint16(12345)
-	dstPort := uint16(53)
-
-	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort)
-
-	// Verify connection was tracked
-	key := makeConnKey(srcIP, dstIP, srcPort, dstPort)
-	conn, exists := tracker.connections[key]
-	require.True(t, exists)
-	assert.True(t, conn.SourceIP.Equal(srcIP))
-	assert.True(t, conn.DestIP.Equal(dstIP))
-	assert.Equal(t, srcPort, conn.SourcePort)
-	assert.Equal(t, dstPort, conn.DestPort)
-	assert.True(t, conn.IsEstablished())
-	assert.WithinDuration(t, time.Now(), conn.GetLastSeen(), 1*time.Second)
-}
-
-func TestUDPTracker_IsValidInbound(t *testing.T) {
-	tracker := NewUDPTracker(1 * time.Second)
-	defer tracker.Close()
-
-	srcIP := net.ParseIP("192.168.1.2")
-	dstIP := net.ParseIP("192.168.1.3")
-	srcPort := uint16(12345)
-	dstPort := uint16(53)
-
-	// Track outbound connection
-	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort)
-
-	tests := []struct {
-		name    string
-		srcIP   net.IP
-		dstIP   net.IP
-		srcPort uint16
-		dstPort uint16
-		sleep   time.Duration
-		want    bool
-	}{
-		{
-			name:    "valid inbound response",
-			srcIP:   dstIP,   // Original destination is now source
-			dstIP:   srcIP,   // Original source is now destination
-			srcPort: dstPort, // Original destination port is now source
-			dstPort: srcPort, // Original source port is now destination
-			sleep:   0,
-			want:    true,
-		},
-		{
-			name:    "invalid source IP",
-			srcIP:   net.ParseIP("192.168.1.4"),
-			dstIP:   srcIP,
-			srcPort: dstPort,
-			dstPort: srcPort,
-			sleep:   0,
-			want:    false,
-		},
-		{
-			name:    "invalid destination IP",
-			srcIP:   dstIP,
-			dstIP:   net.ParseIP("192.168.1.4"),
-			srcPort: dstPort,
-			dstPort: srcPort,
-			sleep:   0,
-			want:    false,
-		},
-		{
-			name:    "invalid source port",
-			srcIP:   dstIP,
-			dstIP:   srcIP,
-			srcPort: 54321,
-			dstPort: srcPort,
-			sleep:   0,
-			want:    false,
-		},
-		{
-			name:    "invalid destination port",
-			srcIP:   dstIP,
-			dstIP:   srcIP,
-			srcPort: dstPort,
-			dstPort: 54321,
-			sleep:   0,
-			want:    false,
-		},
-		{
-			name:    "expired connection",
-			srcIP:   dstIP,
-			dstIP:   srcIP,
-			srcPort: dstPort,
-			dstPort: srcPort,
-			sleep:   2 * time.Second, // Longer than tracker timeout
-			want:    false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if tt.sleep > 0 {
-				time.Sleep(tt.sleep)
-			}
-			got := tracker.IsValidInbound(tt.srcIP, tt.dstIP, tt.srcPort, tt.dstPort)
-			assert.Equal(t, tt.want, got)
-		})
-	}
-}
-
-func TestUDPTracker_Cleanup(t *testing.T) {
-	// Use shorter intervals for testing
-	timeout := 50 * time.Millisecond
-	cleanupInterval := 25 * time.Millisecond
-
-	// Create tracker with custom cleanup interval
-	tracker := &UDPTracker{
-		connections:   make(map[ConnKey]*UDPConnTrack),
-		timeout:       timeout,
-		cleanupTicker: time.NewTicker(cleanupInterval),
-		done:          make(chan struct{}),
-		ipPool:        NewPreallocatedIPs(),
-	}
-
-	// Start cleanup routine
-	go tracker.cleanupRoutine()
-
-	// Add some connections
-	connections := []struct {
-		srcIP   net.IP
-		dstIP   net.IP
-		srcPort uint16
-		dstPort uint16
-	}{
-		{
-			srcIP:   net.ParseIP("192.168.1.2"),
-			dstIP:   net.ParseIP("192.168.1.3"),
-			srcPort: 12345,
-			dstPort: 53,
-		},
-		{
-			srcIP:   net.ParseIP("192.168.1.4"),
-			dstIP:   net.ParseIP("192.168.1.5"),
-			srcPort: 12346,
-			dstPort: 53,
-		},
-	}
-
-	for _, conn := range connections {
-		tracker.TrackOutbound(conn.srcIP, conn.dstIP, conn.srcPort, conn.dstPort)
-	}
-
-	// Verify initial connections
-	assert.Len(t, tracker.connections, 2)
-
-	// Wait for connection timeout and cleanup interval
-	time.Sleep(timeout + 2*cleanupInterval)
-
-	tracker.mutex.RLock()
-	connCount := len(tracker.connections)
-	tracker.mutex.RUnlock()
-
-	// Verify connections were cleaned up
-	assert.Equal(t, 0, connCount, "Expected all connections to be cleaned up")
-
-	// Properly close the tracker
-	tracker.Close()
-}
-
-func BenchmarkUDPTracker(b *testing.B) {
-	b.Run("TrackOutbound", func(b *testing.B) {
-		tracker := NewUDPTracker(DefaultUDPTimeout)
-		defer tracker.Close()
-
-		srcIP := net.ParseIP("192.168.1.1")
-		dstIP := net.ParseIP("192.168.1.2")
-
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			tracker.TrackOutbound(srcIP, dstIP, uint16(i%65535), 80)
-		}
-	})
-
-	b.Run("IsValidInbound", func(b *testing.B) {
-		tracker := NewUDPTracker(DefaultUDPTimeout)
-		defer tracker.Close()
-
-		srcIP := net.ParseIP("192.168.1.1")
-		dstIP := net.ParseIP("192.168.1.2")
-
-		// Pre-populate some connections
-		for i := 0; i < 1000; i++ {
-			tracker.TrackOutbound(srcIP, dstIP, uint16(i), 80)
-		}
-
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			tracker.IsValidInbound(dstIP, srcIP, 80, uint16(i%1000))
-		}
-	})
-}
--- a/client/firewall/uspfilter/uspfilter.go
+++ b/client/firewall/uspfilter/uspfilter.go
@@ -3,9 +3,6 @@ package uspfilter
 import (
 	"fmt"
 	"net"
-	"net/netip"
-	"os"
-	"strconv"
 	"sync"

 	"github.com/google/gopacket"
@@ -14,23 +11,18 @@ import (
 	log "github.com/sirupsen/logrus"

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
-	"github.com/netbirdio/netbird/client/iface"
-	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/internal/statemanager"
+	"github.com/netbirdio/netbird/iface"
 )

 const layerTypeAll = 0

-const EnvDisableConntrack = "NB_DISABLE_CONNTRACK"
-
 var (
 	errRouteNotSupported = fmt.Errorf("route not supported with userspace firewall")
 )

 // IFaceMapper defines subset methods of interface required for manager
 type IFaceMapper interface {
-	SetFilter(device.PacketFilter) error
+	SetFilter(iface.PacketFilter) error
 	Address() iface.WGAddress
 }

@@ -47,11 +39,6 @@ type Manager struct {
 	nativeFirewall firewall.Manager

 	mutex sync.RWMutex
-
-	stateful    bool
-	udpTracker  *conntrack.UDPTracker
-	icmpTracker *conntrack.ICMPTracker
-	tcpTracker  *conntrack.TCPTracker
 }

 // decoder for packages
@@ -83,8 +70,6 @@ func CreateWithNativeFirewall(iface IFaceMapper, nativeFirewall firewall.Manager
 }

 func create(iface IFaceMapper) (*Manager, error) {
-	disableConntrack, _ := strconv.ParseBool(os.Getenv(EnvDisableConntrack))
-
 	m := &Manager{
 		decoders: sync.Pool{
 			New: func() any {
@@ -102,16 +87,6 @@ func create(iface IFaceMapper) (*Manager, error) {
 		outgoingRules: make(map[string]RuleSet),
 		incomingRules: make(map[string]RuleSet),
 		wgIface:       iface,
-		stateful:      !disableConntrack,
-	}
-
-	// Only initialize trackers if stateful mode is enabled
-	if disableConntrack {
-		log.Info("conntrack is disabled")
-	} else {
-		m.udpTracker = conntrack.NewUDPTracker(conntrack.DefaultUDPTimeout)
-		m.icmpTracker = conntrack.NewICMPTracker(conntrack.DefaultICMPTimeout)
-		m.tcpTracker = conntrack.NewTCPTracker(conntrack.DefaultTCPTimeout)
 	}

 	if err := iface.SetFilter(m); err != nil {
@@ -120,10 +95,6 @@ func create(iface IFaceMapper) (*Manager, error) {
 	return m, nil
 }

-func (m *Manager) Init(*statemanager.Manager) error {
-	return nil
-}
-
 func (m *Manager) IsServerRouteSupported() bool {
 	if m.nativeFirewall == nil {
 		return false
@@ -132,26 +103,26 @@ func (m *Manager) IsServerRouteSupported() bool {
 	}
 }

-func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
+func (m *Manager) InsertRoutingRules(pair firewall.RouterPair) error {
 	if m.nativeFirewall == nil {
 		return errRouteNotSupported
 	}
-	return m.nativeFirewall.AddNatRule(pair)
+	return m.nativeFirewall.InsertRoutingRules(pair)
 }

-// RemoveNatRule removes a routing firewall rule
-func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error {
+// RemoveRoutingRules removes a routing firewall rule
+func (m *Manager) RemoveRoutingRules(pair firewall.RouterPair) error {
 	if m.nativeFirewall == nil {
 		return errRouteNotSupported
 	}
-	return m.nativeFirewall.RemoveNatRule(pair)
+	return m.nativeFirewall.RemoveRoutingRules(pair)
 }

-// AddPeerFiltering rule to the firewall
+// AddFiltering rule to the firewall
 //
 // If comment argument is empty firewall manager should set
 // rule ID as comment for the rule
-func (m *Manager) AddPeerFiltering(
+func (m *Manager) AddFiltering(
 	ip net.IP,
 	proto firewall.Protocol,
 	sPort *firewall.Port,
@@ -217,22 +188,8 @@ func (m *Manager) AddPeerFiltering(
 	return []firewall.Rule{&r}, nil
 }

-func (m *Manager) AddRouteFiltering(sources []netip.Prefix, destination netip.Prefix, proto firewall.Protocol, sPort *firewall.Port, dPort *firewall.Port, action firewall.Action) (firewall.Rule, error) {
-	if m.nativeFirewall == nil {
-		return nil, errRouteNotSupported
-	}
-	return m.nativeFirewall.AddRouteFiltering(sources, destination, proto, sPort, dPort, action)
-}
-
-func (m *Manager) DeleteRouteRule(rule firewall.Rule) error {
-	if m.nativeFirewall == nil {
-		return errRouteNotSupported
-	}
-	return m.nativeFirewall.DeleteRouteRule(rule)
-}
-
-// DeletePeerRule from the firewall by rule definition
-func (m *Manager) DeletePeerRule(rule firewall.Rule) error {
+// DeleteRule from the firewall by rule definition
+func (m *Manager) DeleteRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

@@ -258,243 +215,83 @@ func (m *Manager) DeletePeerRule(rule firewall.Rule) error {
 	return nil
 }

-// SetLegacyManagement doesn't need to be implemented for this manager
-func (m *Manager) SetLegacyManagement(isLegacy bool) error {
-	if m.nativeFirewall == nil {
-		return nil
-	}
-	return m.nativeFirewall.SetLegacyManagement(isLegacy)
-}
-
 // Flush doesn't need to be implemented for this manager
 func (m *Manager) Flush() error { return nil }

 // DropOutgoing filter outgoing packets
 func (m *Manager) DropOutgoing(packetData []byte) bool {
-	return m.processOutgoingHooks(packetData)
+	return m.dropFilter(packetData, m.outgoingRules, false)
 }

 // DropIncoming filter incoming packets
 func (m *Manager) DropIncoming(packetData []byte) bool {
-	return m.dropFilter(packetData, m.incomingRules)
+	return m.dropFilter(packetData, m.incomingRules, true)
 }

-// processOutgoingHooks processes UDP hooks for outgoing packets and tracks TCP/UDP/ICMP
-func (m *Manager) processOutgoingHooks(packetData []byte) bool {
+// dropFilter implements same logic for booth direction of the traffic
+func (m *Manager) dropFilter(packetData []byte, rules map[string]RuleSet, isIncomingPacket bool) bool {
 	m.mutex.RLock()
 	defer m.mutex.RUnlock()

 	d := m.decoders.Get().(*decoder)
 	defer m.decoders.Put(d)

-	if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
-		return false
-	}
-
-	if len(d.decoded) < 2 {
-		return false
-	}
-
-	srcIP, dstIP := m.extractIPs(d)
-	if srcIP == nil {
-		return false
-	}
-
-	// Always process UDP hooks
-	if d.decoded[1] == layers.LayerTypeUDP {
-		// Track UDP state only if enabled
-		if m.stateful {
-			m.trackUDPOutbound(d, srcIP, dstIP)
-		}
-		return m.checkUDPHooks(d, dstIP, packetData)
-	}
-
-	// Track other protocols only if stateful mode is enabled
-	if m.stateful {
-		switch d.decoded[1] {
-		case layers.LayerTypeTCP:
-			m.trackTCPOutbound(d, srcIP, dstIP)
-		case layers.LayerTypeICMPv4:
-			m.trackICMPOutbound(d, srcIP, dstIP)
-		}
-	}
-
-	return false
-}
-
-func (m *Manager) extractIPs(d *decoder) (srcIP, dstIP net.IP) {
-	switch d.decoded[0] {
-	case layers.LayerTypeIPv4:
-		return d.ip4.SrcIP, d.ip4.DstIP
-	case layers.LayerTypeIPv6:
-		return d.ip6.SrcIP, d.ip6.DstIP
-	default:
-		return nil, nil
-	}
-}
-
-func (m *Manager) trackTCPOutbound(d *decoder, srcIP, dstIP net.IP) {
-	flags := getTCPFlags(&d.tcp)
-	m.tcpTracker.TrackOutbound(
-		srcIP,
-		dstIP,
-		uint16(d.tcp.SrcPort),
-		uint16(d.tcp.DstPort),
-		flags,
-	)
-}
-
-func getTCPFlags(tcp *layers.TCP) uint8 {
-	var flags uint8
-	if tcp.SYN {
-		flags |= conntrack.TCPSyn
-	}
-	if tcp.ACK {
-		flags |= conntrack.TCPAck
-	}
-	if tcp.FIN {
-		flags |= conntrack.TCPFin
-	}
-	if tcp.RST {
-		flags |= conntrack.TCPRst
-	}
-	if tcp.PSH {
-		flags |= conntrack.TCPPush
-	}
-	if tcp.URG {
-		flags |= conntrack.TCPUrg
-	}
-	return flags
-}
-
-func (m *Manager) trackUDPOutbound(d *decoder, srcIP, dstIP net.IP) {
-	m.udpTracker.TrackOutbound(
-		srcIP,
-		dstIP,
-		uint16(d.udp.SrcPort),
-		uint16(d.udp.DstPort),
-	)
-}
-
-func (m *Manager) checkUDPHooks(d *decoder, dstIP net.IP, packetData []byte) bool {
-	for _, ipKey := range []string{dstIP.String(), "0.0.0.0", "::"} {
-		if rules, exists := m.outgoingRules[ipKey]; exists {
-			for _, rule := range rules {
-				if rule.udpHook != nil && (rule.dPort == 0 || rule.dPort == uint16(d.udp.DstPort)) {
-					return rule.udpHook(packetData)
-				}
-			}
-		}
-	}
-	return false
-}
-
-func (m *Manager) trackICMPOutbound(d *decoder, srcIP, dstIP net.IP) {
-	if d.icmp4.TypeCode.Type() == layers.ICMPv4TypeEchoRequest {
-		m.icmpTracker.TrackOutbound(
-			srcIP,
-			dstIP,
-			d.icmp4.Id,
-			d.icmp4.Seq,
-		)
-	}
-}
-
-// dropFilter implements filtering logic for incoming packets
-func (m *Manager) dropFilter(packetData []byte, rules map[string]RuleSet) bool {
-	m.mutex.RLock()
-	defer m.mutex.RUnlock()
-
-	d := m.decoders.Get().(*decoder)
-	defer m.decoders.Put(d)
-
-	if !m.isValidPacket(d, packetData) {
-		return true
-	}
-
-	srcIP, dstIP := m.extractIPs(d)
-	if srcIP == nil {
-		log.Errorf("unknown layer: %v", d.decoded[0])
-		return true
-	}
-
-	if !m.isWireguardTraffic(srcIP, dstIP) {
-		return false
-	}
-
-	// Check connection state only if enabled
-	if m.stateful && m.isValidTrackedConnection(d, srcIP, dstIP) {
-		return false
-	}
-
-	return m.applyRules(srcIP, packetData, rules, d)
-}
-
-func (m *Manager) isValidPacket(d *decoder, packetData []byte) bool {
 	if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
 		log.Tracef("couldn't decode layer, err: %s", err)
-		return false
+		return true
 	}

 	if len(d.decoded) < 2 {
 		log.Tracef("not enough levels in network packet")
-		return false
-	}
-	return true
-}
-
-func (m *Manager) isWireguardTraffic(srcIP, dstIP net.IP) bool {
-	return m.wgNetwork.Contains(srcIP) && m.wgNetwork.Contains(dstIP)
-}
-
-func (m *Manager) isValidTrackedConnection(d *decoder, srcIP, dstIP net.IP) bool {
-	switch d.decoded[1] {
-	case layers.LayerTypeTCP:
-		return m.tcpTracker.IsValidInbound(
-			srcIP,
-			dstIP,
-			uint16(d.tcp.SrcPort),
-			uint16(d.tcp.DstPort),
-			getTCPFlags(&d.tcp),
-		)
-
-	case layers.LayerTypeUDP:
-		return m.udpTracker.IsValidInbound(
-			srcIP,
-			dstIP,
-			uint16(d.udp.SrcPort),
-			uint16(d.udp.DstPort),
-		)
-
-	case layers.LayerTypeICMPv4:
-		return m.icmpTracker.IsValidInbound(
-			srcIP,
-			dstIP,
-			d.icmp4.Id,
-			d.icmp4.Seq,
-			d.icmp4.TypeCode.Type(),
-		)
-
-		// TODO: ICMPv6
+		return true
 	}

-	return false
-}
+	ipLayer := d.decoded[0]

-func (m *Manager) applyRules(srcIP net.IP, packetData []byte, rules map[string]RuleSet, d *decoder) bool {
-	if filter, ok := validateRule(srcIP, packetData, rules[srcIP.String()], d); ok {
+	switch ipLayer {
+	case layers.LayerTypeIPv4:
+		if !m.wgNetwork.Contains(d.ip4.SrcIP) || !m.wgNetwork.Contains(d.ip4.DstIP) {
+			return false
+		}
+	case layers.LayerTypeIPv6:
+		if !m.wgNetwork.Contains(d.ip6.SrcIP) || !m.wgNetwork.Contains(d.ip6.DstIP) {
+			return false
+		}
+	default:
+		log.Errorf("unknown layer: %v", d.decoded[0])
+		return true
+	}
+
+	var ip net.IP
+	switch ipLayer {
+	case layers.LayerTypeIPv4:
+		if isIncomingPacket {
+			ip = d.ip4.SrcIP
+		} else {
+			ip = d.ip4.DstIP
+		}
+	case layers.LayerTypeIPv6:
+		if isIncomingPacket {
+			ip = d.ip6.SrcIP
+		} else {
+			ip = d.ip6.DstIP
+		}
+	}
+
+	filter, ok := validateRule(ip, packetData, rules[ip.String()], d)
+	if ok {
+		return filter
+	}
+	filter, ok = validateRule(ip, packetData, rules["0.0.0.0"], d)
+	if ok {
+		return filter
+	}
+	filter, ok = validateRule(ip, packetData, rules["::"], d)
+	if ok {
 		return filter
 	}

-	if filter, ok := validateRule(srcIP, packetData, rules["0.0.0.0"], d); ok {
-		return filter
-	}
-
-	if filter, ok := validateRule(srcIP, packetData, rules["::"], d); ok {
-		return filter
-	}
-
-	// Default policy: DROP ALL
+	// default policy is DROP ALL
 	return true
 }

@@ -540,6 +337,7 @@ func validateRule(ip net.IP, packetData []byte, rules map[string]Rule, d *decode
 			if rule.dPort != 0 && rule.dPort == uint16(d.udp.DstPort) {
 				return rule.drop, true
 			}
+			return rule.drop, true
 		case layers.LayerTypeICMPv4, layers.LayerTypeICMPv6:
 			return rule.drop, true
 		}
@@ -598,7 +396,7 @@ func (m *Manager) RemovePacketHook(hookID string) error {
 		for _, r := range arr {
 			if r.id == hookID {
 				rule := r
-				return m.DeletePeerRule(&rule)
+				return m.DeleteRule(&rule)
 			}
 		}
 	}
@@ -606,7 +404,7 @@ func (m *Manager) RemovePacketHook(hookID string) error {
 		for _, r := range arr {
 			if r.id == hookID {
 				rule := r
-				return m.DeletePeerRule(&rule)
+				return m.DeleteRule(&rule)
 			}
 		}
 	}
--- a/client/firewall/uspfilter/uspfilter_bench_test.go
+++ b/client/firewall/uspfilter/uspfilter_bench_test.go
@@ -1,998 +0,0 @@
-package uspfilter
-
-import (
-	"fmt"
-	"math/rand"
-	"net"
-	"os"
-	"strings"
-	"testing"
-
-	"github.com/google/gopacket"
-	"github.com/google/gopacket/layers"
-	"github.com/stretchr/testify/require"
-
-	fw "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
-	"github.com/netbirdio/netbird/client/iface/device"
-)
-
-// generateRandomIPs generates n different random IPs in the 100.64.0.0/10 range
-func generateRandomIPs(n int) []net.IP {
-	ips := make([]net.IP, n)
-	seen := make(map[string]bool)
-
-	for i := 0; i < n; {
-		ip := make(net.IP, 4)
-		ip[0] = 100
-		ip[1] = byte(64 + rand.Intn(63)) // 64-126
-		ip[2] = byte(rand.Intn(256))
-		ip[3] = byte(1 + rand.Intn(254)) // avoid .0 and .255
-
-		key := ip.String()
-		if !seen[key] {
-			ips[i] = ip
-			seen[key] = true
-			i++
-		}
-	}
-	return ips
-}
-
-func generatePacket(b *testing.B, srcIP, dstIP net.IP, srcPort, dstPort uint16, protocol layers.IPProtocol) []byte {
-	b.Helper()
-
-	ipv4 := &layers.IPv4{
-		TTL:      64,
-		Version:  4,
-		SrcIP:    srcIP,
-		DstIP:    dstIP,
-		Protocol: protocol,
-	}
-
-	var transportLayer gopacket.SerializableLayer
-	switch protocol {
-	case layers.IPProtocolTCP:
-		tcp := &layers.TCP{
-			SrcPort: layers.TCPPort(srcPort),
-			DstPort: layers.TCPPort(dstPort),
-			SYN:     true,
-		}
-		require.NoError(b, tcp.SetNetworkLayerForChecksum(ipv4))
-		transportLayer = tcp
-	case layers.IPProtocolUDP:
-		udp := &layers.UDP{
-			SrcPort: layers.UDPPort(srcPort),
-			DstPort: layers.UDPPort(dstPort),
-		}
-		require.NoError(b, udp.SetNetworkLayerForChecksum(ipv4))
-		transportLayer = udp
-	}
-
-	buf := gopacket.NewSerializeBuffer()
-	opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
-	err := gopacket.SerializeLayers(buf, opts, ipv4, transportLayer, gopacket.Payload("test"))
-	require.NoError(b, err)
-	return buf.Bytes()
-}
-
-// BenchmarkCoreFiltering focuses on the essential performance comparisons between
-// stateful and stateless filtering approaches
-func BenchmarkCoreFiltering(b *testing.B) {
-	scenarios := []struct {
-		name      string
-		stateful  bool
-		setupFunc func(*Manager)
-		desc      string
-	}{
-		{
-			name:     "stateless_single_allow_all",
-			stateful: false,
-			setupFunc: func(m *Manager) {
-				// Single rule allowing all traffic
-				_, err := m.AddPeerFiltering(net.ParseIP("0.0.0.0"), fw.ProtocolALL, nil, nil,
-					fw.RuleDirectionIN, fw.ActionAccept, "", "allow all")
-				require.NoError(b, err)
-			},
-			desc: "Baseline: Single 'allow all' rule without connection tracking",
-		},
-		{
-			name:     "stateful_no_rules",
-			stateful: true,
-			setupFunc: func(m *Manager) {
-				// No explicit rules - rely purely on connection tracking
-			},
-			desc: "Pure connection tracking without any rules",
-		},
-		{
-			name:     "stateless_explicit_return",
-			stateful: false,
-			setupFunc: func(m *Manager) {
-				// Add explicit rules matching return traffic pattern
-				for i := 0; i < 1000; i++ { // Simulate realistic ruleset size
-					ip := generateRandomIPs(1)[0]
-					_, err := m.AddPeerFiltering(ip, fw.ProtocolTCP,
-						&fw.Port{Values: []int{1024 + i}},
-						&fw.Port{Values: []int{80}},
-						fw.RuleDirectionIN, fw.ActionAccept, "", "explicit return")
-					require.NoError(b, err)
-				}
-			},
-			desc: "Explicit rules matching return traffic patterns without state",
-		},
-		{
-			name:     "stateful_with_established",
-			stateful: true,
-			setupFunc: func(m *Manager) {
-				// Add some basic rules but rely on state for established connections
-				_, err := m.AddPeerFiltering(net.ParseIP("0.0.0.0"), fw.ProtocolTCP, nil, nil,
-					fw.RuleDirectionIN, fw.ActionDrop, "", "default drop")
-				require.NoError(b, err)
-			},
-			desc: "Connection tracking with established connections",
-		},
-	}
-
-	// Test both TCP and UDP
-	protocols := []struct {
-		name  string
-		proto layers.IPProtocol
-	}{
-		{"TCP", layers.IPProtocolTCP},
-		{"UDP", layers.IPProtocolUDP},
-	}
-
-	for _, sc := range scenarios {
-		for _, proto := range protocols {
-			b.Run(fmt.Sprintf("%s_%s", sc.name, proto.name), func(b *testing.B) {
-				// Configure stateful/stateless mode
-				if !sc.stateful {
-					require.NoError(b, os.Setenv("NB_DISABLE_CONNTRACK", "1"))
-				} else {
-					require.NoError(b, os.Setenv("NB_CONNTRACK_TIMEOUT", "1m"))
-				}
-
-				// Create manager and basic setup
-				manager, _ := Create(&IFaceMock{
-					SetFilterFunc: func(device.PacketFilter) error { return nil },
-				})
-				defer b.Cleanup(func() {
-					require.NoError(b, manager.Reset(nil))
-				})
-
-				manager.wgNetwork = &net.IPNet{
-					IP:   net.ParseIP("100.64.0.0"),
-					Mask: net.CIDRMask(10, 32),
-				}
-
-				// Apply scenario-specific setup
-				sc.setupFunc(manager)
-
-				// Generate test packets
-				srcIP := generateRandomIPs(1)[0]
-				dstIP := generateRandomIPs(1)[0]
-				srcPort := uint16(1024 + b.N%60000)
-				dstPort := uint16(80)
-
-				outbound := generatePacket(b, srcIP, dstIP, srcPort, dstPort, proto.proto)
-				inbound := generatePacket(b, dstIP, srcIP, dstPort, srcPort, proto.proto)
-
-				// For stateful scenarios, establish the connection
-				if sc.stateful {
-					manager.processOutgoingHooks(outbound)
-				}
-
-				// Measure inbound packet processing
-				b.ResetTimer()
-				for i := 0; i < b.N; i++ {
-					manager.dropFilter(inbound, manager.incomingRules)
-				}
-			})
-		}
-	}
-}
-
-// BenchmarkStateScaling measures how performance scales with connection table size
-func BenchmarkStateScaling(b *testing.B) {
-	connCounts := []int{100, 1000, 10000, 100000}
-
-	for _, count := range connCounts {
-		b.Run(fmt.Sprintf("conns_%d", count), func(b *testing.B) {
-			manager, _ := Create(&IFaceMock{
-				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			})
-			b.Cleanup(func() {
-				require.NoError(b, manager.Reset(nil))
-			})
-
-			manager.wgNetwork = &net.IPNet{
-				IP:   net.ParseIP("100.64.0.0"),
-				Mask: net.CIDRMask(10, 32),
-			}
-
-			// Pre-populate connection table
-			srcIPs := generateRandomIPs(count)
-			dstIPs := generateRandomIPs(count)
-			for i := 0; i < count; i++ {
-				outbound := generatePacket(b, srcIPs[i], dstIPs[i],
-					uint16(1024+i), 80, layers.IPProtocolTCP)
-				manager.processOutgoingHooks(outbound)
-			}
-
-			// Test packet
-			testOut := generatePacket(b, srcIPs[0], dstIPs[0], 1024, 80, layers.IPProtocolTCP)
-			testIn := generatePacket(b, dstIPs[0], srcIPs[0], 80, 1024, layers.IPProtocolTCP)
-
-			// First establish our test connection
-			manager.processOutgoingHooks(testOut)
-
-			b.ResetTimer()
-			for i := 0; i < b.N; i++ {
-				manager.dropFilter(testIn, manager.incomingRules)
-			}
-		})
-	}
-}
-
-// BenchmarkEstablishmentOverhead measures the overhead of connection establishment
-func BenchmarkEstablishmentOverhead(b *testing.B) {
-	scenarios := []struct {
-		name        string
-		established bool
-	}{
-		{"established", true},
-		{"new", false},
-	}
-
-	for _, sc := range scenarios {
-		b.Run(sc.name, func(b *testing.B) {
-			manager, _ := Create(&IFaceMock{
-				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			})
-			b.Cleanup(func() {
-				require.NoError(b, manager.Reset(nil))
-			})
-
-			manager.wgNetwork = &net.IPNet{
-				IP:   net.ParseIP("100.64.0.0"),
-				Mask: net.CIDRMask(10, 32),
-			}
-
-			srcIP := generateRandomIPs(1)[0]
-			dstIP := generateRandomIPs(1)[0]
-			outbound := generatePacket(b, srcIP, dstIP, 1024, 80, layers.IPProtocolTCP)
-			inbound := generatePacket(b, dstIP, srcIP, 80, 1024, layers.IPProtocolTCP)
-
-			if sc.established {
-				manager.processOutgoingHooks(outbound)
-			}
-
-			b.ResetTimer()
-			for i := 0; i < b.N; i++ {
-				manager.dropFilter(inbound, manager.incomingRules)
-			}
-		})
-	}
-}
-
-// BenchmarkRoutedNetworkReturn compares approaches for handling routed network return traffic
-func BenchmarkRoutedNetworkReturn(b *testing.B) {
-	scenarios := []struct {
-		name       string
-		proto      layers.IPProtocol
-		state      string // "new", "established", "post_handshake" (TCP only)
-		setupFunc  func(*Manager)
-		genPackets func(net.IP, net.IP) ([]byte, []byte) // generates appropriate packets for the scenario
-		desc       string
-	}{
-		{
-			name:  "allow_non_wg_tcp_new",
-			proto: layers.IPProtocolTCP,
-			state: "new",
-			setupFunc: func(m *Manager) {
-				m.wgNetwork = &net.IPNet{
-					IP:   net.ParseIP("100.64.0.0"),
-					Mask: net.CIDRMask(10, 32),
-				}
-				b.Setenv("NB_DISABLE_CONNTRACK", "1")
-			},
-			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
-				return generatePacket(b, srcIP, dstIP, 1024, 80, layers.IPProtocolTCP),
-					generatePacket(b, dstIP, srcIP, 80, 1024, layers.IPProtocolTCP)
-			},
-			desc: "Allow non-WG: TCP new connection",
-		},
-		{
-			name:  "allow_non_wg_tcp_established",
-			proto: layers.IPProtocolTCP,
-			state: "established",
-			setupFunc: func(m *Manager) {
-				m.wgNetwork = &net.IPNet{
-					IP:   net.ParseIP("100.64.0.0"),
-					Mask: net.CIDRMask(10, 32),
-				}
-				b.Setenv("NB_DISABLE_CONNTRACK", "1")
-			},
-			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
-				// Generate packets with ACK flag for established connection
-				return generateTCPPacketWithFlags(b, srcIP, dstIP, 1024, 80, uint16(conntrack.TCPAck)),
-					generateTCPPacketWithFlags(b, dstIP, srcIP, 80, 1024, uint16(conntrack.TCPAck))
-			},
-			desc: "Allow non-WG: TCP established connection",
-		},
-		{
-			name:  "allow_non_wg_udp_new",
-			proto: layers.IPProtocolUDP,
-			state: "new",
-			setupFunc: func(m *Manager) {
-				m.wgNetwork = &net.IPNet{
-					IP:   net.ParseIP("100.64.0.0"),
-					Mask: net.CIDRMask(10, 32),
-				}
-				b.Setenv("NB_DISABLE_CONNTRACK", "1")
-			},
-			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
-				return generatePacket(b, srcIP, dstIP, 1024, 80, layers.IPProtocolUDP),
-					generatePacket(b, dstIP, srcIP, 80, 1024, layers.IPProtocolUDP)
-			},
-			desc: "Allow non-WG: UDP new connection",
-		},
-		{
-			name:  "allow_non_wg_udp_established",
-			proto: layers.IPProtocolUDP,
-			state: "established",
-			setupFunc: func(m *Manager) {
-				m.wgNetwork = &net.IPNet{
-					IP:   net.ParseIP("100.64.0.0"),
-					Mask: net.CIDRMask(10, 32),
-				}
-				b.Setenv("NB_DISABLE_CONNTRACK", "1")
-			},
-			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
-				return generatePacket(b, srcIP, dstIP, 1024, 80, layers.IPProtocolUDP),
-					generatePacket(b, dstIP, srcIP, 80, 1024, layers.IPProtocolUDP)
-			},
-			desc: "Allow non-WG: UDP established connection",
-		},
-		{
-			name:  "stateful_tcp_new",
-			proto: layers.IPProtocolTCP,
-			state: "new",
-			setupFunc: func(m *Manager) {
-				m.wgNetwork = &net.IPNet{
-					IP:   net.ParseIP("0.0.0.0"),
-					Mask: net.CIDRMask(0, 32),
-				}
-				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
-			},
-			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
-				return generatePacket(b, srcIP, dstIP, 1024, 80, layers.IPProtocolTCP),
-					generatePacket(b, dstIP, srcIP, 80, 1024, layers.IPProtocolTCP)
-			},
-			desc: "Stateful: TCP new connection",
-		},
-		{
-			name:  "stateful_tcp_established",
-			proto: layers.IPProtocolTCP,
-			state: "established",
-			setupFunc: func(m *Manager) {
-				m.wgNetwork = &net.IPNet{
-					IP:   net.ParseIP("0.0.0.0"),
-					Mask: net.CIDRMask(0, 32),
-				}
-				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
-			},
-			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
-				// Generate established TCP packets (ACK flag)
-				return generateTCPPacketWithFlags(b, srcIP, dstIP, 1024, 80, uint16(conntrack.TCPAck)),
-					generateTCPPacketWithFlags(b, dstIP, srcIP, 80, 1024, uint16(conntrack.TCPAck))
-			},
-			desc: "Stateful: TCP established connection",
-		},
-		{
-			name:  "stateful_tcp_post_handshake",
-			proto: layers.IPProtocolTCP,
-			state: "post_handshake",
-			setupFunc: func(m *Manager) {
-				m.wgNetwork = &net.IPNet{
-					IP:   net.ParseIP("0.0.0.0"),
-					Mask: net.CIDRMask(0, 32),
-				}
-				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
-			},
-			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
-				// Generate packets with PSH+ACK flags for data transfer
-				return generateTCPPacketWithFlags(b, srcIP, dstIP, 1024, 80, uint16(conntrack.TCPPush|conntrack.TCPAck)),
-					generateTCPPacketWithFlags(b, dstIP, srcIP, 80, 1024, uint16(conntrack.TCPPush|conntrack.TCPAck))
-			},
-			desc: "Stateful: TCP post-handshake data transfer",
-		},
-		{
-			name:  "stateful_udp_new",
-			proto: layers.IPProtocolUDP,
-			state: "new",
-			setupFunc: func(m *Manager) {
-				m.wgNetwork = &net.IPNet{
-					IP:   net.ParseIP("0.0.0.0"),
-					Mask: net.CIDRMask(0, 32),
-				}
-				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
-			},
-			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
-				return generatePacket(b, srcIP, dstIP, 1024, 80, layers.IPProtocolUDP),
-					generatePacket(b, dstIP, srcIP, 80, 1024, layers.IPProtocolUDP)
-			},
-			desc: "Stateful: UDP new connection",
-		},
-		{
-			name:  "stateful_udp_established",
-			proto: layers.IPProtocolUDP,
-			state: "established",
-			setupFunc: func(m *Manager) {
-				m.wgNetwork = &net.IPNet{
-					IP:   net.ParseIP("0.0.0.0"),
-					Mask: net.CIDRMask(0, 32),
-				}
-				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
-			},
-			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
-				return generatePacket(b, srcIP, dstIP, 1024, 80, layers.IPProtocolUDP),
-					generatePacket(b, dstIP, srcIP, 80, 1024, layers.IPProtocolUDP)
-			},
-			desc: "Stateful: UDP established connection",
-		},
-	}
-
-	for _, sc := range scenarios {
-		b.Run(sc.name, func(b *testing.B) {
-			manager, _ := Create(&IFaceMock{
-				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			})
-			b.Cleanup(func() {
-				require.NoError(b, manager.Reset(nil))
-			})
-
-			// Setup scenario
-			sc.setupFunc(manager)
-
-			// Use IPs outside WG range for routed network simulation
-			srcIP := net.ParseIP("192.168.1.2")
-			dstIP := net.ParseIP("8.8.8.8")
-			outbound, inbound := sc.genPackets(srcIP, dstIP)
-
-			// For stateful cases and established connections
-			if !strings.Contains(sc.name, "allow_non_wg") ||
-				(strings.Contains(sc.state, "established") || sc.state == "post_handshake") {
-				manager.processOutgoingHooks(outbound)
-
-				// For TCP post-handshake, simulate full handshake
-				if sc.state == "post_handshake" {
-					// SYN
-					syn := generateTCPPacketWithFlags(b, srcIP, dstIP, 1024, 80, uint16(conntrack.TCPSyn))
-					manager.processOutgoingHooks(syn)
-					// SYN-ACK
-					synack := generateTCPPacketWithFlags(b, dstIP, srcIP, 80, 1024, uint16(conntrack.TCPSyn|conntrack.TCPAck))
-					manager.dropFilter(synack, manager.incomingRules)
-					// ACK
-					ack := generateTCPPacketWithFlags(b, srcIP, dstIP, 1024, 80, uint16(conntrack.TCPAck))
-					manager.processOutgoingHooks(ack)
-				}
-			}
-
-			b.ResetTimer()
-			for i := 0; i < b.N; i++ {
-				manager.dropFilter(inbound, manager.incomingRules)
-			}
-		})
-	}
-}
-
-var scenarios = []struct {
-	name      string
-	stateful  bool // Whether conntrack is enabled
-	rules     bool // Whether to add return traffic rules
-	routed    bool // Whether to test routed network traffic
-	connCount int  // Number of concurrent connections
-	desc      string
-}{
-	{
-		name:      "stateless_with_rules_100conns",
-		stateful:  false,
-		rules:     true,
-		routed:    false,
-		connCount: 100,
-		desc:      "Pure stateless with return traffic rules, 100 conns",
-	},
-	{
-		name:      "stateless_with_rules_1000conns",
-		stateful:  false,
-		rules:     true,
-		routed:    false,
-		connCount: 1000,
-		desc:      "Pure stateless with return traffic rules, 1000 conns",
-	},
-	{
-		name:      "stateful_no_rules_100conns",
-		stateful:  true,
-		rules:     false,
-		routed:    false,
-		connCount: 100,
-		desc:      "Pure stateful tracking without rules, 100 conns",
-	},
-	{
-		name:      "stateful_no_rules_1000conns",
-		stateful:  true,
-		rules:     false,
-		routed:    false,
-		connCount: 1000,
-		desc:      "Pure stateful tracking without rules, 1000 conns",
-	},
-	{
-		name:      "stateful_with_rules_100conns",
-		stateful:  true,
-		rules:     true,
-		routed:    false,
-		connCount: 100,
-		desc:      "Combined stateful + rules (current implementation), 100 conns",
-	},
-	{
-		name:      "stateful_with_rules_1000conns",
-		stateful:  true,
-		rules:     true,
-		routed:    false,
-		connCount: 1000,
-		desc:      "Combined stateful + rules (current implementation), 1000 conns",
-	},
-	{
-		name:      "routed_network_100conns",
-		stateful:  true,
-		rules:     false,
-		routed:    true,
-		connCount: 100,
-		desc:      "Routed network traffic (non-WG), 100 conns",
-	},
-	{
-		name:      "routed_network_1000conns",
-		stateful:  true,
-		rules:     false,
-		routed:    true,
-		connCount: 1000,
-		desc:      "Routed network traffic (non-WG), 1000 conns",
-	},
-}
-
-// BenchmarkLongLivedConnections tests performance with realistic TCP traffic patterns
-func BenchmarkLongLivedConnections(b *testing.B) {
-	for _, sc := range scenarios {
-		b.Run(sc.name, func(b *testing.B) {
-			// Configure stateful/stateless mode
-			if !sc.stateful {
-				b.Setenv("NB_DISABLE_CONNTRACK", "1")
-			} else {
-				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
-			}
-
-			manager, _ := Create(&IFaceMock{
-				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			})
-			defer b.Cleanup(func() {
-				require.NoError(b, manager.Reset(nil))
-			})
-
-			manager.SetNetwork(&net.IPNet{
-				IP:   net.ParseIP("100.64.0.0"),
-				Mask: net.CIDRMask(10, 32),
-			})
-
-			// Setup initial state based on scenario
-			if sc.rules {
-				// Single rule to allow all return traffic from port 80
-				_, err := manager.AddPeerFiltering(net.ParseIP("0.0.0.0"), fw.ProtocolTCP,
-					&fw.Port{Values: []int{80}},
-					nil,
-					fw.RuleDirectionIN, fw.ActionAccept, "", "return traffic")
-				require.NoError(b, err)
-			}
-
-			// Generate IPs for connections
-			srcIPs := make([]net.IP, sc.connCount)
-			dstIPs := make([]net.IP, sc.connCount)
-
-			for i := 0; i < sc.connCount; i++ {
-				if sc.routed {
-					srcIPs[i] = net.IPv4(192, 168, 1, byte(2+(i%250))).To4()
-					dstIPs[i] = net.IPv4(8, 8, byte((i/250)%255), byte(2+(i%250))).To4()
-				} else {
-					srcIPs[i] = generateRandomIPs(1)[0]
-					dstIPs[i] = generateRandomIPs(1)[0]
-				}
-			}
-
-			// Create established connections
-			for i := 0; i < sc.connCount; i++ {
-				// Initial SYN
-				syn := generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
-					uint16(1024+i), 80, uint16(conntrack.TCPSyn))
-				manager.processOutgoingHooks(syn)
-
-				// SYN-ACK
-				synack := generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
-					80, uint16(1024+i), uint16(conntrack.TCPSyn|conntrack.TCPAck))
-				manager.dropFilter(synack, manager.incomingRules)
-
-				// ACK
-				ack := generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
-					uint16(1024+i), 80, uint16(conntrack.TCPAck))
-				manager.processOutgoingHooks(ack)
-			}
-
-			// Prepare test packets simulating bidirectional traffic
-			inPackets := make([][]byte, sc.connCount)
-			outPackets := make([][]byte, sc.connCount)
-			for i := 0; i < sc.connCount; i++ {
-				// Server -> Client (inbound)
-				inPackets[i] = generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
-					80, uint16(1024+i), uint16(conntrack.TCPPush|conntrack.TCPAck))
-				// Client -> Server (outbound)
-				outPackets[i] = generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
-					uint16(1024+i), 80, uint16(conntrack.TCPPush|conntrack.TCPAck))
-			}
-
-			b.ResetTimer()
-			for i := 0; i < b.N; i++ {
-				connIdx := i % sc.connCount
-
-				// Simulate bidirectional traffic
-				// First outbound data
-				manager.processOutgoingHooks(outPackets[connIdx])
-				// Then inbound response - this is what we're actually measuring
-				manager.dropFilter(inPackets[connIdx], manager.incomingRules)
-			}
-		})
-	}
-}
-
-// BenchmarkShortLivedConnections tests performance with many short-lived connections
-func BenchmarkShortLivedConnections(b *testing.B) {
-	for _, sc := range scenarios {
-		b.Run(sc.name, func(b *testing.B) {
-			// Configure stateful/stateless mode
-			if !sc.stateful {
-				b.Setenv("NB_DISABLE_CONNTRACK", "1")
-			} else {
-				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
-			}
-
-			manager, _ := Create(&IFaceMock{
-				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			})
-			defer b.Cleanup(func() {
-				require.NoError(b, manager.Reset(nil))
-			})
-
-			manager.SetNetwork(&net.IPNet{
-				IP:   net.ParseIP("100.64.0.0"),
-				Mask: net.CIDRMask(10, 32),
-			})
-
-			// Setup initial state based on scenario
-			if sc.rules {
-				// Single rule to allow all return traffic from port 80
-				_, err := manager.AddPeerFiltering(net.ParseIP("0.0.0.0"), fw.ProtocolTCP,
-					&fw.Port{Values: []int{80}},
-					nil,
-					fw.RuleDirectionIN, fw.ActionAccept, "", "return traffic")
-				require.NoError(b, err)
-			}
-
-			// Generate IPs for connections
-			srcIPs := make([]net.IP, sc.connCount)
-			dstIPs := make([]net.IP, sc.connCount)
-
-			for i := 0; i < sc.connCount; i++ {
-				if sc.routed {
-					srcIPs[i] = net.IPv4(192, 168, 1, byte(2+(i%250))).To4()
-					dstIPs[i] = net.IPv4(8, 8, byte((i/250)%255), byte(2+(i%250))).To4()
-				} else {
-					srcIPs[i] = generateRandomIPs(1)[0]
-					dstIPs[i] = generateRandomIPs(1)[0]
-				}
-			}
-
-			// Create packet patterns for a complete HTTP-like short connection:
-			// 1. Initial handshake (SYN, SYN-ACK, ACK)
-			// 2. HTTP Request (PSH+ACK from client)
-			// 3. HTTP Response (PSH+ACK from server)
-			// 4. Connection teardown (FIN+ACK, ACK, FIN+ACK, ACK)
-			type connPackets struct {
-				syn       []byte
-				synAck    []byte
-				ack       []byte
-				request   []byte
-				response  []byte
-				finClient []byte
-				ackServer []byte
-				finServer []byte
-				ackClient []byte
-			}
-
-			// Generate all possible connection patterns
-			patterns := make([]connPackets, sc.connCount)
-			for i := 0; i < sc.connCount; i++ {
-				patterns[i] = connPackets{
-					// Handshake
-					syn: generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
-						uint16(1024+i), 80, uint16(conntrack.TCPSyn)),
-					synAck: generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
-						80, uint16(1024+i), uint16(conntrack.TCPSyn|conntrack.TCPAck)),
-					ack: generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
-						uint16(1024+i), 80, uint16(conntrack.TCPAck)),
-
-					// Data transfer
-					request: generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
-						uint16(1024+i), 80, uint16(conntrack.TCPPush|conntrack.TCPAck)),
-					response: generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
-						80, uint16(1024+i), uint16(conntrack.TCPPush|conntrack.TCPAck)),
-
-					// Connection teardown
-					finClient: generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
-						uint16(1024+i), 80, uint16(conntrack.TCPFin|conntrack.TCPAck)),
-					ackServer: generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
-						80, uint16(1024+i), uint16(conntrack.TCPAck)),
-					finServer: generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
-						80, uint16(1024+i), uint16(conntrack.TCPFin|conntrack.TCPAck)),
-					ackClient: generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
-						uint16(1024+i), 80, uint16(conntrack.TCPAck)),
-				}
-			}
-
-			b.ResetTimer()
-			for i := 0; i < b.N; i++ {
-				// Each iteration creates a new short-lived connection
-				connIdx := i % sc.connCount
-				p := patterns[connIdx]
-
-				// Connection establishment
-				manager.processOutgoingHooks(p.syn)
-				manager.dropFilter(p.synAck, manager.incomingRules)
-				manager.processOutgoingHooks(p.ack)
-
-				// Data transfer
-				manager.processOutgoingHooks(p.request)
-				manager.dropFilter(p.response, manager.incomingRules)
-
-				// Connection teardown
-				manager.processOutgoingHooks(p.finClient)
-				manager.dropFilter(p.ackServer, manager.incomingRules)
-				manager.dropFilter(p.finServer, manager.incomingRules)
-				manager.processOutgoingHooks(p.ackClient)
-			}
-		})
-	}
-}
-
-// BenchmarkParallelLongLivedConnections tests performance with realistic TCP traffic patterns in parallel
-func BenchmarkParallelLongLivedConnections(b *testing.B) {
-	for _, sc := range scenarios {
-		b.Run(sc.name, func(b *testing.B) {
-			// Configure stateful/stateless mode
-			if !sc.stateful {
-				b.Setenv("NB_DISABLE_CONNTRACK", "1")
-			} else {
-				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
-			}
-
-			manager, _ := Create(&IFaceMock{
-				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			})
-			defer b.Cleanup(func() {
-				require.NoError(b, manager.Reset(nil))
-			})
-
-			manager.SetNetwork(&net.IPNet{
-				IP:   net.ParseIP("100.64.0.0"),
-				Mask: net.CIDRMask(10, 32),
-			})
-
-			// Setup initial state based on scenario
-			if sc.rules {
-				_, err := manager.AddPeerFiltering(net.ParseIP("0.0.0.0"), fw.ProtocolTCP,
-					&fw.Port{Values: []int{80}},
-					nil,
-					fw.RuleDirectionIN, fw.ActionAccept, "", "return traffic")
-				require.NoError(b, err)
-			}
-
-			// Generate IPs for connections
-			srcIPs := make([]net.IP, sc.connCount)
-			dstIPs := make([]net.IP, sc.connCount)
-
-			for i := 0; i < sc.connCount; i++ {
-				if sc.routed {
-					srcIPs[i] = net.IPv4(192, 168, 1, byte(2+(i%250))).To4()
-					dstIPs[i] = net.IPv4(8, 8, byte((i/250)%255), byte(2+(i%250))).To4()
-				} else {
-					srcIPs[i] = generateRandomIPs(1)[0]
-					dstIPs[i] = generateRandomIPs(1)[0]
-				}
-			}
-
-			// Create established connections
-			for i := 0; i < sc.connCount; i++ {
-				syn := generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
-					uint16(1024+i), 80, uint16(conntrack.TCPSyn))
-				manager.processOutgoingHooks(syn)
-
-				synack := generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
-					80, uint16(1024+i), uint16(conntrack.TCPSyn|conntrack.TCPAck))
-				manager.dropFilter(synack, manager.incomingRules)
-
-				ack := generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
-					uint16(1024+i), 80, uint16(conntrack.TCPAck))
-				manager.processOutgoingHooks(ack)
-			}
-
-			// Pre-generate test packets
-			inPackets := make([][]byte, sc.connCount)
-			outPackets := make([][]byte, sc.connCount)
-			for i := 0; i < sc.connCount; i++ {
-				inPackets[i] = generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
-					80, uint16(1024+i), uint16(conntrack.TCPPush|conntrack.TCPAck))
-				outPackets[i] = generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
-					uint16(1024+i), 80, uint16(conntrack.TCPPush|conntrack.TCPAck))
-			}
-
-			b.ResetTimer()
-			b.RunParallel(func(pb *testing.PB) {
-				// Each goroutine gets its own counter to distribute load
-				counter := 0
-				for pb.Next() {
-					connIdx := counter % sc.connCount
-					counter++
-
-					// Simulate bidirectional traffic
-					manager.processOutgoingHooks(outPackets[connIdx])
-					manager.dropFilter(inPackets[connIdx], manager.incomingRules)
-				}
-			})
-		})
-	}
-}
-
-// BenchmarkParallelShortLivedConnections tests performance with many short-lived connections in parallel
-func BenchmarkParallelShortLivedConnections(b *testing.B) {
-	for _, sc := range scenarios {
-		b.Run(sc.name, func(b *testing.B) {
-			// Configure stateful/stateless mode
-			if !sc.stateful {
-				b.Setenv("NB_DISABLE_CONNTRACK", "1")
-			} else {
-				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
-			}
-
-			manager, _ := Create(&IFaceMock{
-				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			})
-			defer b.Cleanup(func() {
-				require.NoError(b, manager.Reset(nil))
-			})
-
-			manager.SetNetwork(&net.IPNet{
-				IP:   net.ParseIP("100.64.0.0"),
-				Mask: net.CIDRMask(10, 32),
-			})
-
-			if sc.rules {
-				_, err := manager.AddPeerFiltering(net.ParseIP("0.0.0.0"), fw.ProtocolTCP,
-					&fw.Port{Values: []int{80}},
-					nil,
-					fw.RuleDirectionIN, fw.ActionAccept, "", "return traffic")
-				require.NoError(b, err)
-			}
-
-			// Generate IPs and pre-generate all packet patterns
-			srcIPs := make([]net.IP, sc.connCount)
-			dstIPs := make([]net.IP, sc.connCount)
-			for i := 0; i < sc.connCount; i++ {
-				if sc.routed {
-					srcIPs[i] = net.IPv4(192, 168, 1, byte(2+(i%250))).To4()
-					dstIPs[i] = net.IPv4(8, 8, byte((i/250)%255), byte(2+(i%250))).To4()
-				} else {
-					srcIPs[i] = generateRandomIPs(1)[0]
-					dstIPs[i] = generateRandomIPs(1)[0]
-				}
-			}
-
-			type connPackets struct {
-				syn       []byte
-				synAck    []byte
-				ack       []byte
-				request   []byte
-				response  []byte
-				finClient []byte
-				ackServer []byte
-				finServer []byte
-				ackClient []byte
-			}
-
-			patterns := make([]connPackets, sc.connCount)
-			for i := 0; i < sc.connCount; i++ {
-				patterns[i] = connPackets{
-					syn: generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
-						uint16(1024+i), 80, uint16(conntrack.TCPSyn)),
-					synAck: generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
-						80, uint16(1024+i), uint16(conntrack.TCPSyn|conntrack.TCPAck)),
-					ack: generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
-						uint16(1024+i), 80, uint16(conntrack.TCPAck)),
-					request: generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
-						uint16(1024+i), 80, uint16(conntrack.TCPPush|conntrack.TCPAck)),
-					response: generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
-						80, uint16(1024+i), uint16(conntrack.TCPPush|conntrack.TCPAck)),
-					finClient: generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
-						uint16(1024+i), 80, uint16(conntrack.TCPFin|conntrack.TCPAck)),
-					ackServer: generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
-						80, uint16(1024+i), uint16(conntrack.TCPAck)),
-					finServer: generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
-						80, uint16(1024+i), uint16(conntrack.TCPFin|conntrack.TCPAck)),
-					ackClient: generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
-						uint16(1024+i), 80, uint16(conntrack.TCPAck)),
-				}
-			}
-
-			b.ResetTimer()
-			b.RunParallel(func(pb *testing.PB) {
-				counter := 0
-				for pb.Next() {
-					connIdx := counter % sc.connCount
-					counter++
-					p := patterns[connIdx]
-
-					// Full connection lifecycle
-					manager.processOutgoingHooks(p.syn)
-					manager.dropFilter(p.synAck, manager.incomingRules)
-					manager.processOutgoingHooks(p.ack)
-
-					manager.processOutgoingHooks(p.request)
-					manager.dropFilter(p.response, manager.incomingRules)
-
-					manager.processOutgoingHooks(p.finClient)
-					manager.dropFilter(p.ackServer, manager.incomingRules)
-					manager.dropFilter(p.finServer, manager.incomingRules)
-					manager.processOutgoingHooks(p.ackClient)
-				}
-			})
-		})
-	}
-}
-
-// generateTCPPacketWithFlags creates a TCP packet with specific flags
-func generateTCPPacketWithFlags(b *testing.B, srcIP, dstIP net.IP, srcPort, dstPort, flags uint16) []byte {
-	b.Helper()
-
-	ipv4 := &layers.IPv4{
-		TTL:      64,
-		Version:  4,
-		SrcIP:    srcIP,
-		DstIP:    dstIP,
-		Protocol: layers.IPProtocolTCP,
-	}
-
-	tcp := &layers.TCP{
-		SrcPort: layers.TCPPort(srcPort),
-		DstPort: layers.TCPPort(dstPort),
-	}
-
-	// Set TCP flags
-	tcp.SYN = (flags & uint16(conntrack.TCPSyn)) != 0
-	tcp.ACK = (flags & uint16(conntrack.TCPAck)) != 0
-	tcp.PSH = (flags & uint16(conntrack.TCPPush)) != 0
-	tcp.RST = (flags & uint16(conntrack.TCPRst)) != 0
-	tcp.FIN = (flags & uint16(conntrack.TCPFin)) != 0
-
-	require.NoError(b, tcp.SetNetworkLayerForChecksum(ipv4))
-
-	buf := gopacket.NewSerializeBuffer()
-	opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
-	require.NoError(b, gopacket.SerializeLayers(buf, opts, ipv4, tcp, gopacket.Payload("test")))
-	return buf.Bytes()
-}
--- a/client/firewall/uspfilter/uspfilter_test.go
+++ b/client/firewall/uspfilter/uspfilter_test.go
@@ -3,7 +3,6 @@ package uspfilter
 import (
 	"fmt"
 	"net"
-	"sync"
 	"testing"
 	"time"

@@ -12,17 +11,15 @@ import (
 	"github.com/stretchr/testify/require"

 	fw "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
-	"github.com/netbirdio/netbird/client/iface"
-	"github.com/netbirdio/netbird/client/iface/device"
+	"github.com/netbirdio/netbird/iface"
 )

 type IFaceMock struct {
-	SetFilterFunc func(device.PacketFilter) error
+	SetFilterFunc func(iface.PacketFilter) error
 	AddressFunc   func() iface.WGAddress
 }

-func (i *IFaceMock) SetFilter(iface device.PacketFilter) error {
+func (i *IFaceMock) SetFilter(iface iface.PacketFilter) error {
 	if i.SetFilterFunc == nil {
 		return fmt.Errorf("not implemented")
 	}
@@ -38,7 +35,7 @@ func (i *IFaceMock) Address() iface.WGAddress {

 func TestManagerCreate(t *testing.T) {
 	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
+		SetFilterFunc: func(iface.PacketFilter) error { return nil },
 	}

 	m, err := Create(ifaceMock)
@@ -52,10 +49,10 @@ func TestManagerCreate(t *testing.T) {
 	}
 }

-func TestManagerAddPeerFiltering(t *testing.T) {
+func TestManagerAddFiltering(t *testing.T) {
 	isSetFilterCalled := false
 	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error {
+		SetFilterFunc: func(iface.PacketFilter) error {
 			isSetFilterCalled = true
 			return nil
 		},
@@ -74,7 +71,7 @@ func TestManagerAddPeerFiltering(t *testing.T) {
 	action := fw.ActionDrop
 	comment := "Test rule"

-	rule, err := m.AddPeerFiltering(ip, proto, nil, port, direction, action, "", comment)
+	rule, err := m.AddFiltering(ip, proto, nil, port, direction, action, "", comment)
 	if err != nil {
 		t.Errorf("failed to add filtering: %v", err)
 		return
@@ -93,7 +90,7 @@ func TestManagerAddPeerFiltering(t *testing.T) {

 func TestManagerDeleteRule(t *testing.T) {
 	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
+		SetFilterFunc: func(iface.PacketFilter) error { return nil },
 	}

 	m, err := Create(ifaceMock)
@@ -109,7 +106,7 @@ func TestManagerDeleteRule(t *testing.T) {
 	action := fw.ActionDrop
 	comment := "Test rule"

-	rule, err := m.AddPeerFiltering(ip, proto, nil, port, direction, action, "", comment)
+	rule, err := m.AddFiltering(ip, proto, nil, port, direction, action, "", comment)
 	if err != nil {
 		t.Errorf("failed to add filtering: %v", err)
 		return
@@ -122,14 +119,14 @@ func TestManagerDeleteRule(t *testing.T) {
 	action = fw.ActionDrop
 	comment = "Test rule 2"

-	rule2, err := m.AddPeerFiltering(ip, proto, nil, port, direction, action, "", comment)
+	rule2, err := m.AddFiltering(ip, proto, nil, port, direction, action, "", comment)
 	if err != nil {
 		t.Errorf("failed to add filtering: %v", err)
 		return
 	}

 	for _, r := range rule {
-		err = m.DeletePeerRule(r)
+		err = m.DeleteRule(r)
 		if err != nil {
 			t.Errorf("failed to delete rule: %v", err)
 			return
@@ -143,7 +140,7 @@ func TestManagerDeleteRule(t *testing.T) {
 	}

 	for _, r := range rule2 {
-		err = m.DeletePeerRule(r)
+		err = m.DeleteRule(r)
 		if err != nil {
 			t.Errorf("failed to delete rule: %v", err)
 			return
@@ -187,10 +184,10 @@ func TestAddUDPPacketHook(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			manager, err := Create(&IFaceMock{
-				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			})
-			require.NoError(t, err)
+			manager := &Manager{
+				incomingRules: map[string]RuleSet{},
+				outgoingRules: map[string]RuleSet{},
+			}

 			manager.AddUDPPacketHook(tt.in, tt.ip, tt.dPort, tt.hook)

@@ -239,7 +236,7 @@ func TestAddUDPPacketHook(t *testing.T) {

 func TestManagerReset(t *testing.T) {
 	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
+		SetFilterFunc: func(iface.PacketFilter) error { return nil },
 	}

 	m, err := Create(ifaceMock)
@@ -255,13 +252,13 @@ func TestManagerReset(t *testing.T) {
 	action := fw.ActionDrop
 	comment := "Test rule"

-	_, err = m.AddPeerFiltering(ip, proto, nil, port, direction, action, "", comment)
+	_, err = m.AddFiltering(ip, proto, nil, port, direction, action, "", comment)
 	if err != nil {
 		t.Errorf("failed to add filtering: %v", err)
 		return
 	}

-	err = m.Reset(nil)
+	err = m.Reset()
 	if err != nil {
 		t.Errorf("failed to reset Manager: %v", err)
 		return
@@ -274,7 +271,7 @@ func TestManagerReset(t *testing.T) {

 func TestNotMatchByIP(t *testing.T) {
 	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
+		SetFilterFunc: func(iface.PacketFilter) error { return nil },
 	}

 	m, err := Create(ifaceMock)
@@ -293,7 +290,7 @@ func TestNotMatchByIP(t *testing.T) {
 	action := fw.ActionAccept
 	comment := "Test rule"

-	_, err = m.AddPeerFiltering(ip, proto, nil, nil, direction, action, "", comment)
+	_, err = m.AddFiltering(ip, proto, nil, nil, direction, action, "", comment)
 	if err != nil {
 		t.Errorf("failed to add filtering: %v", err)
 		return
@@ -315,7 +312,7 @@ func TestNotMatchByIP(t *testing.T) {
 		t.Errorf("failed to set network layer for checksum: %v", err)
 		return
 	}
-	payload := gopacket.Payload("test")
+	payload := gopacket.Payload([]byte("test"))

 	buf := gopacket.NewSerializeBuffer()
 	opts := gopacket.SerializeOptions{
@@ -327,12 +324,12 @@ func TestNotMatchByIP(t *testing.T) {
 		return
 	}

-	if m.dropFilter(buf.Bytes(), m.outgoingRules) {
+	if m.dropFilter(buf.Bytes(), m.outgoingRules, false) {
 		t.Errorf("expected packet to be accepted")
 		return
 	}

-	if err = m.Reset(nil); err != nil {
+	if err = m.Reset(); err != nil {
 		t.Errorf("failed to reset Manager: %v", err)
 		return
 	}
@@ -342,7 +339,7 @@ func TestNotMatchByIP(t *testing.T) {
 func TestRemovePacketHook(t *testing.T) {
 	// creating mock iface
 	iface := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
+		SetFilterFunc: func(iface.PacketFilter) error { return nil },
 	}

 	// creating manager instance
@@ -350,9 +347,6 @@ func TestRemovePacketHook(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Failed to create Manager: %s", err)
 	}
-	defer func() {
-		require.NoError(t, manager.Reset(nil))
-	}()

 	// Add a UDP packet hook
 	hookFunc := func(data []byte) bool { return true }
@@ -389,101 +383,19 @@ func TestRemovePacketHook(t *testing.T) {
 	}
 }

-func TestProcessOutgoingHooks(t *testing.T) {
-	manager, err := Create(&IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	})
-	require.NoError(t, err)
-
-	manager.wgNetwork = &net.IPNet{
-		IP:   net.ParseIP("100.10.0.0"),
-		Mask: net.CIDRMask(16, 32),
-	}
-	manager.udpTracker.Close()
-	manager.udpTracker = conntrack.NewUDPTracker(100 * time.Millisecond)
-	defer func() {
-		require.NoError(t, manager.Reset(nil))
-	}()
-
-	manager.decoders = sync.Pool{
-		New: func() any {
-			d := &decoder{
-				decoded: []gopacket.LayerType{},
-			}
-			d.parser = gopacket.NewDecodingLayerParser(
-				layers.LayerTypeIPv4,
-				&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
-			)
-			d.parser.IgnoreUnsupported = true
-			return d
-		},
-	}
-
-	hookCalled := false
-	hookID := manager.AddUDPPacketHook(
-		false,
-		net.ParseIP("100.10.0.100"),
-		53,
-		func([]byte) bool {
-			hookCalled = true
-			return true
-		},
-	)
-	require.NotEmpty(t, hookID)
-
-	// Create test UDP packet
-	ipv4 := &layers.IPv4{
-		TTL:      64,
-		Version:  4,
-		SrcIP:    net.ParseIP("100.10.0.1"),
-		DstIP:    net.ParseIP("100.10.0.100"),
-		Protocol: layers.IPProtocolUDP,
-	}
-	udp := &layers.UDP{
-		SrcPort: 51334,
-		DstPort: 53,
-	}
-
-	err = udp.SetNetworkLayerForChecksum(ipv4)
-	require.NoError(t, err)
-	payload := gopacket.Payload("test")
-
-	buf := gopacket.NewSerializeBuffer()
-	opts := gopacket.SerializeOptions{
-		ComputeChecksums: true,
-		FixLengths:       true,
-	}
-	err = gopacket.SerializeLayers(buf, opts, ipv4, udp, payload)
-	require.NoError(t, err)
-
-	// Test hook gets called
-	result := manager.processOutgoingHooks(buf.Bytes())
-	require.True(t, result)
-	require.True(t, hookCalled)
-
-	// Test non-UDP packet is ignored
-	ipv4.Protocol = layers.IPProtocolTCP
-	buf = gopacket.NewSerializeBuffer()
-	err = gopacket.SerializeLayers(buf, opts, ipv4)
-	require.NoError(t, err)
-
-	result = manager.processOutgoingHooks(buf.Bytes())
-	require.False(t, result)
-}
-
 func TestUSPFilterCreatePerformance(t *testing.T) {
 	for _, testMax := range []int{10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000} {
 		t.Run(fmt.Sprintf("Testing %d rules", testMax), func(t *testing.T) {
 			// just check on the local interface
 			ifaceMock := &IFaceMock{
-				SetFilterFunc: func(device.PacketFilter) error { return nil },
+				SetFilterFunc: func(iface.PacketFilter) error { return nil },
 			}
 			manager, err := Create(ifaceMock)
 			require.NoError(t, err)
 			time.Sleep(time.Second)

 			defer func() {
-				if err := manager.Reset(nil); err != nil {
+				if err := manager.Reset(); err != nil {
 					t.Errorf("clear the manager state: %v", err)
 				}
 				time.Sleep(time.Second)
@@ -494,9 +406,9 @@ func TestUSPFilterCreatePerformance(t *testing.T) {
 			for i := 0; i < testMax; i++ {
 				port := &fw.Port{Values: []int{1000 + i}}
 				if i%2 == 0 {
-					_, err = manager.AddPeerFiltering(ip, "tcp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "", "accept HTTP traffic")
+					_, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "", "accept HTTP traffic")
 				} else {
-					_, err = manager.AddPeerFiltering(ip, "tcp", nil, port, fw.RuleDirectionIN, fw.ActionAccept, "", "accept HTTP traffic")
+					_, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionIN, fw.ActionAccept, "", "accept HTTP traffic")
 				}

 				require.NoError(t, err, "failed to add rule")
@@ -505,213 +417,3 @@ func TestUSPFilterCreatePerformance(t *testing.T) {
 		})
 	}
 }
-
-func TestStatefulFirewall_UDPTracking(t *testing.T) {
-	manager, err := Create(&IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	})
-	require.NoError(t, err)
-
-	manager.wgNetwork = &net.IPNet{
-		IP:   net.ParseIP("100.10.0.0"),
-		Mask: net.CIDRMask(16, 32),
-	}
-
-	manager.udpTracker.Close() // Close the existing tracker
-	manager.udpTracker = conntrack.NewUDPTracker(200 * time.Millisecond)
-	manager.decoders = sync.Pool{
-		New: func() any {
-			d := &decoder{
-				decoded: []gopacket.LayerType{},
-			}
-			d.parser = gopacket.NewDecodingLayerParser(
-				layers.LayerTypeIPv4,
-				&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
-			)
-			d.parser.IgnoreUnsupported = true
-			return d
-		},
-	}
-	defer func() {
-		require.NoError(t, manager.Reset(nil))
-	}()
-
-	// Set up packet parameters
-	srcIP := net.ParseIP("100.10.0.1")
-	dstIP := net.ParseIP("100.10.0.100")
-	srcPort := uint16(51334)
-	dstPort := uint16(53)
-
-	// Create outbound packet
-	outboundIPv4 := &layers.IPv4{
-		TTL:      64,
-		Version:  4,
-		SrcIP:    srcIP,
-		DstIP:    dstIP,
-		Protocol: layers.IPProtocolUDP,
-	}
-	outboundUDP := &layers.UDP{
-		SrcPort: layers.UDPPort(srcPort),
-		DstPort: layers.UDPPort(dstPort),
-	}
-
-	err = outboundUDP.SetNetworkLayerForChecksum(outboundIPv4)
-	require.NoError(t, err)
-
-	outboundBuf := gopacket.NewSerializeBuffer()
-	opts := gopacket.SerializeOptions{
-		ComputeChecksums: true,
-		FixLengths:       true,
-	}
-
-	err = gopacket.SerializeLayers(outboundBuf, opts,
-		outboundIPv4,
-		outboundUDP,
-		gopacket.Payload("test"),
-	)
-	require.NoError(t, err)
-
-	// Process outbound packet and verify connection tracking
-	drop := manager.DropOutgoing(outboundBuf.Bytes())
-	require.False(t, drop, "Initial outbound packet should not be dropped")
-
-	// Verify connection was tracked
-	conn, exists := manager.udpTracker.GetConnection(srcIP, srcPort, dstIP, dstPort)
-
-	require.True(t, exists, "Connection should be tracked after outbound packet")
-	require.True(t, conntrack.ValidateIPs(conntrack.MakeIPAddr(srcIP), conn.SourceIP), "Source IP should match")
-	require.True(t, conntrack.ValidateIPs(conntrack.MakeIPAddr(dstIP), conn.DestIP), "Destination IP should match")
-	require.Equal(t, srcPort, conn.SourcePort, "Source port should match")
-	require.Equal(t, dstPort, conn.DestPort, "Destination port should match")
-
-	// Create valid inbound response packet
-	inboundIPv4 := &layers.IPv4{
-		TTL:      64,
-		Version:  4,
-		SrcIP:    dstIP, // Original destination is now source
-		DstIP:    srcIP, // Original source is now destination
-		Protocol: layers.IPProtocolUDP,
-	}
-	inboundUDP := &layers.UDP{
-		SrcPort: layers.UDPPort(dstPort), // Original destination port is now source
-		DstPort: layers.UDPPort(srcPort), // Original source port is now destination
-	}
-
-	err = inboundUDP.SetNetworkLayerForChecksum(inboundIPv4)
-	require.NoError(t, err)
-
-	inboundBuf := gopacket.NewSerializeBuffer()
-	err = gopacket.SerializeLayers(inboundBuf, opts,
-		inboundIPv4,
-		inboundUDP,
-		gopacket.Payload("response"),
-	)
-	require.NoError(t, err)
-	// Test roundtrip response handling over time
-	checkPoints := []struct {
-		sleep       time.Duration
-		shouldAllow bool
-		description string
-	}{
-		{
-			sleep:       0,
-			shouldAllow: true,
-			description: "Immediate response should be allowed",
-		},
-		{
-			sleep:       50 * time.Millisecond,
-			shouldAllow: true,
-			description: "Response within timeout should be allowed",
-		},
-		{
-			sleep:       100 * time.Millisecond,
-			shouldAllow: true,
-			description: "Response at half timeout should be allowed",
-		},
-		{
-			// tracker hasn't updated conn for 250ms -> greater than 200ms timeout
-			sleep:       250 * time.Millisecond,
-			shouldAllow: false,
-			description: "Response after timeout should be dropped",
-		},
-	}
-
-	for _, cp := range checkPoints {
-		time.Sleep(cp.sleep)
-
-		drop = manager.dropFilter(inboundBuf.Bytes(), manager.incomingRules)
-		require.Equal(t, cp.shouldAllow, !drop, cp.description)
-
-		// If the connection should still be valid, verify it exists
-		if cp.shouldAllow {
-			conn, exists := manager.udpTracker.GetConnection(srcIP, srcPort, dstIP, dstPort)
-			require.True(t, exists, "Connection should still exist during valid window")
-			require.True(t, time.Since(conn.GetLastSeen()) < manager.udpTracker.Timeout(),
-				"LastSeen should be updated for valid responses")
-		}
-	}
-
-	// Test invalid response packets (while connection is expired)
-	invalidCases := []struct {
-		name        string
-		modifyFunc  func(*layers.IPv4, *layers.UDP)
-		description string
-	}{
-		{
-			name: "wrong source IP",
-			modifyFunc: func(ip *layers.IPv4, udp *layers.UDP) {
-				ip.SrcIP = net.ParseIP("100.10.0.101")
-			},
-			description: "Response from wrong IP should be dropped",
-		},
-		{
-			name: "wrong destination IP",
-			modifyFunc: func(ip *layers.IPv4, udp *layers.UDP) {
-				ip.DstIP = net.ParseIP("100.10.0.2")
-			},
-			description: "Response to wrong IP should be dropped",
-		},
-		{
-			name: "wrong source port",
-			modifyFunc: func(ip *layers.IPv4, udp *layers.UDP) {
-				udp.SrcPort = 54
-			},
-			description: "Response from wrong port should be dropped",
-		},
-		{
-			name: "wrong destination port",
-			modifyFunc: func(ip *layers.IPv4, udp *layers.UDP) {
-				udp.DstPort = 51335
-			},
-			description: "Response to wrong port should be dropped",
-		},
-	}
-
-	// Create a new outbound connection for invalid tests
-	drop = manager.processOutgoingHooks(outboundBuf.Bytes())
-	require.False(t, drop, "Second outbound packet should not be dropped")
-
-	for _, tc := range invalidCases {
-		t.Run(tc.name, func(t *testing.T) {
-			testIPv4 := *inboundIPv4
-			testUDP := *inboundUDP
-
-			tc.modifyFunc(&testIPv4, &testUDP)
-
-			err = testUDP.SetNetworkLayerForChecksum(&testIPv4)
-			require.NoError(t, err)
-
-			testBuf := gopacket.NewSerializeBuffer()
-			err = gopacket.SerializeLayers(testBuf, opts,
-				&testIPv4,
-				&testUDP,
-				gopacket.Payload("response"),
-			)
-			require.NoError(t, err)
-
-			// Verify the invalid packet is dropped
-			drop = manager.dropFilter(testBuf.Bytes(), manager.incomingRules)
-			require.True(t, drop, tc.description)
-		})
-	}
-}
--- a/client/iface/bind/control_android.go
+++ b/client/iface/bind/control_android.go
@@ -1,12 +0,0 @@
-package bind
-
-import (
-	wireguard "golang.zx2c4.com/wireguard/conn"
-
-	nbnet "github.com/netbirdio/netbird/util/net"
-)
-
-func init() {
-	// ControlFns is not thread safe and should only be modified during init.
-	*wireguard.ControlFns = append(*wireguard.ControlFns, nbnet.ControlProtectSocket)
-}
--- a/client/iface/bind/endpoint.go
+++ b/client/iface/bind/endpoint.go
@@ -1,5 +0,0 @@
-package bind
-
-import wgConn "golang.zx2c4.com/wireguard/conn"
-
-type Endpoint = wgConn.StdNetEndpoint
--- a/client/iface/bind/ice_bind.go
+++ b/client/iface/bind/ice_bind.go
@@ -1,303 +0,0 @@
-package bind
-
-import (
-	"fmt"
-	"net"
-	"net/netip"
-	"runtime"
-	"strings"
-	"sync"
-
-	"github.com/pion/stun/v2"
-	"github.com/pion/transport/v3"
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/net/ipv4"
-	"golang.org/x/net/ipv6"
-	wgConn "golang.zx2c4.com/wireguard/conn"
-)
-
-type RecvMessage struct {
-	Endpoint *Endpoint
-	Buffer   []byte
-}
-
-type receiverCreator struct {
-	iceBind *ICEBind
-}
-
-func (rc receiverCreator) CreateIPv4ReceiverFn(pc *ipv4.PacketConn, conn *net.UDPConn, rxOffload bool, msgPool *sync.Pool) wgConn.ReceiveFunc {
-	return rc.iceBind.createIPv4ReceiverFn(pc, conn, rxOffload, msgPool)
-}
-
-// ICEBind is a bind implementation with two main features:
-// 1. filter out STUN messages and handle them
-// 2. forward the received packets to the WireGuard interface from the relayed connection
-//
-// ICEBind.endpoints var is a map that stores the connection for each relayed peer. Fake address is just an IP address
-// without port, in the format of 127.1.x.x where x.x is the last two octets of the peer address. We try to avoid to
-// use the port because in the Send function the wgConn.Endpoint the port info is not exported.
-type ICEBind struct {
-	*wgConn.StdNetBind
-	RecvChan chan RecvMessage
-
-	transportNet transport.Net
-	filterFn     FilterFn
-	endpoints    map[netip.Addr]net.Conn
-	endpointsMu  sync.Mutex
-	// every time when Close() is called (i.e. BindUpdate()) we need to close exit from the receiveRelayed and create a
-	// new closed channel. With the closedChanMu we can safely close the channel and create a new one
-	closedChan   chan struct{}
-	closedChanMu sync.RWMutex // protect the closeChan recreation from reading from it.
-	closed       bool
-
-	muUDPMux sync.Mutex
-	udpMux   *UniversalUDPMuxDefault
-}
-
-func NewICEBind(transportNet transport.Net, filterFn FilterFn) *ICEBind {
-	b, _ := wgConn.NewStdNetBind().(*wgConn.StdNetBind)
-	ib := &ICEBind{
-		StdNetBind:   b,
-		RecvChan:     make(chan RecvMessage, 1),
-		transportNet: transportNet,
-		filterFn:     filterFn,
-		endpoints:    make(map[netip.Addr]net.Conn),
-		closedChan:   make(chan struct{}),
-		closed:       true,
-	}
-
-	rc := receiverCreator{
-		ib,
-	}
-	ib.StdNetBind = wgConn.NewStdNetBindWithReceiverCreator(rc)
-	return ib
-}
-
-func (s *ICEBind) Open(uport uint16) ([]wgConn.ReceiveFunc, uint16, error) {
-	s.closed = false
-	s.closedChanMu.Lock()
-	s.closedChan = make(chan struct{})
-	s.closedChanMu.Unlock()
-	fns, port, err := s.StdNetBind.Open(uport)
-	if err != nil {
-		return nil, 0, err
-	}
-	fns = append(fns, s.receiveRelayed)
-	return fns, port, nil
-}
-
-func (s *ICEBind) Close() error {
-	if s.closed {
-		return nil
-	}
-	s.closed = true
-
-	close(s.closedChan)
-
-	return s.StdNetBind.Close()
-}
-
-// GetICEMux returns the ICE UDPMux that was created and used by ICEBind
-func (s *ICEBind) GetICEMux() (*UniversalUDPMuxDefault, error) {
-	s.muUDPMux.Lock()
-	defer s.muUDPMux.Unlock()
-	if s.udpMux == nil {
-		return nil, fmt.Errorf("ICEBind has not been initialized yet")
-	}
-
-	return s.udpMux, nil
-}
-
-func (b *ICEBind) SetEndpoint(peerAddress *net.UDPAddr, conn net.Conn) (*net.UDPAddr, error) {
-	fakeUDPAddr, err := fakeAddress(peerAddress)
-	if err != nil {
-		return nil, err
-	}
-
-	// force IPv4
-	fakeAddr, ok := netip.AddrFromSlice(fakeUDPAddr.IP.To4())
-	if !ok {
-		return nil, fmt.Errorf("failed to convert IP to netip.Addr")
-	}
-
-	b.endpointsMu.Lock()
-	b.endpoints[fakeAddr] = conn
-	b.endpointsMu.Unlock()
-
-	return fakeUDPAddr, nil
-}
-
-func (b *ICEBind) RemoveEndpoint(fakeUDPAddr *net.UDPAddr) {
-	fakeAddr, ok := netip.AddrFromSlice(fakeUDPAddr.IP.To4())
-	if !ok {
-		log.Warnf("failed to convert IP to netip.Addr")
-		return
-	}
-
-	b.endpointsMu.Lock()
-	defer b.endpointsMu.Unlock()
-	delete(b.endpoints, fakeAddr)
-}
-
-func (b *ICEBind) Send(bufs [][]byte, ep wgConn.Endpoint) error {
-	b.endpointsMu.Lock()
-	conn, ok := b.endpoints[ep.DstIP()]
-	b.endpointsMu.Unlock()
-	if !ok {
-		return b.StdNetBind.Send(bufs, ep)
-	}
-
-	for _, buf := range bufs {
-		if _, err := conn.Write(buf); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (s *ICEBind) createIPv4ReceiverFn(pc *ipv4.PacketConn, conn *net.UDPConn, rxOffload bool, msgsPool *sync.Pool) wgConn.ReceiveFunc {
-	s.muUDPMux.Lock()
-	defer s.muUDPMux.Unlock()
-
-	s.udpMux = NewUniversalUDPMuxDefault(
-		UniversalUDPMuxParams{
-			UDPConn:  conn,
-			Net:      s.transportNet,
-			FilterFn: s.filterFn,
-		},
-	)
-	return func(bufs [][]byte, sizes []int, eps []wgConn.Endpoint) (n int, err error) {
-		msgs := getMessages(msgsPool)
-		for i := range bufs {
-			(*msgs)[i].Buffers[0] = bufs[i]
-			(*msgs)[i].OOB = (*msgs)[i].OOB[:cap((*msgs)[i].OOB)]
-		}
-		defer putMessages(msgs, msgsPool)
-		var numMsgs int
-		if runtime.GOOS == "linux" || runtime.GOOS == "android" {
-			if rxOffload {
-				readAt := len(*msgs) - (wgConn.IdealBatchSize / wgConn.UdpSegmentMaxDatagrams)
-				//nolint
-				numMsgs, err = pc.ReadBatch((*msgs)[readAt:], 0)
-				if err != nil {
-					return 0, err
-				}
-				numMsgs, err = wgConn.SplitCoalescedMessages(*msgs, readAt, wgConn.GetGSOSize)
-				if err != nil {
-					return 0, err
-				}
-			} else {
-				numMsgs, err = pc.ReadBatch(*msgs, 0)
-				if err != nil {
-					return 0, err
-				}
-			}
-		} else {
-			msg := &(*msgs)[0]
-			msg.N, msg.NN, _, msg.Addr, err = conn.ReadMsgUDP(msg.Buffers[0], msg.OOB)
-			if err != nil {
-				return 0, err
-			}
-			numMsgs = 1
-		}
-		for i := 0; i < numMsgs; i++ {
-			msg := &(*msgs)[i]
-
-			// todo: handle err
-			ok, _ := s.filterOutStunMessages(msg.Buffers, msg.N, msg.Addr)
-			if ok {
-				continue
-			}
-			sizes[i] = msg.N
-			if sizes[i] == 0 {
-				continue
-			}
-			addrPort := msg.Addr.(*net.UDPAddr).AddrPort()
-			ep := &wgConn.StdNetEndpoint{AddrPort: addrPort} // TODO: remove allocation
-			wgConn.GetSrcFromControl(msg.OOB[:msg.NN], ep)
-			eps[i] = ep
-		}
-		return numMsgs, nil
-	}
-}
-
-func (s *ICEBind) filterOutStunMessages(buffers [][]byte, n int, addr net.Addr) (bool, error) {
-	for i := range buffers {
-		if !stun.IsMessage(buffers[i]) {
-			continue
-		}
-
-		msg, err := s.parseSTUNMessage(buffers[i][:n])
-		if err != nil {
-			buffers[i] = []byte{}
-			return true, err
-		}
-
-		muxErr := s.udpMux.HandleSTUNMessage(msg, addr)
-		if muxErr != nil {
-			log.Warnf("failed to handle STUN packet")
-		}
-
-		buffers[i] = []byte{}
-		return true, nil
-	}
-	return false, nil
-}
-
-func (s *ICEBind) parseSTUNMessage(raw []byte) (*stun.Message, error) {
-	msg := &stun.Message{
-		Raw: raw,
-	}
-	if err := msg.Decode(); err != nil {
-		return nil, err
-	}
-
-	return msg, nil
-}
-
-// receiveRelayed is a receive function that is used to receive packets from the relayed connection and forward to the
-// WireGuard. Critical part is do not block if the Closed() has been called.
-func (c *ICEBind) receiveRelayed(buffs [][]byte, sizes []int, eps []wgConn.Endpoint) (int, error) {
-	c.closedChanMu.RLock()
-	defer c.closedChanMu.RUnlock()
-
-	select {
-	case <-c.closedChan:
-		return 0, net.ErrClosed
-	case msg, ok := <-c.RecvChan:
-		if !ok {
-			return 0, net.ErrClosed
-		}
-		copy(buffs[0], msg.Buffer)
-		sizes[0] = len(msg.Buffer)
-		eps[0] = wgConn.Endpoint(msg.Endpoint)
-		return 1, nil
-	}
-}
-
-// fakeAddress returns a fake address that is used to as an identifier for the peer.
-// The fake address is in the format of 127.1.x.x where x.x is the last two octets of the peer address.
-func fakeAddress(peerAddress *net.UDPAddr) (*net.UDPAddr, error) {
-	octets := strings.Split(peerAddress.IP.String(), ".")
-	if len(octets) != 4 {
-		return nil, fmt.Errorf("invalid IP format")
-	}
-
-	newAddr := &net.UDPAddr{
-		IP:   net.ParseIP(fmt.Sprintf("127.1.%s.%s", octets[2], octets[3])),
-		Port: peerAddress.Port,
-	}
-	return newAddr, nil
-}
-
-func getMessages(msgsPool *sync.Pool) *[]ipv6.Message {
-	return msgsPool.Get().(*[]ipv6.Message)
-}
-
-func putMessages(msgs *[]ipv6.Message, msgsPool *sync.Pool) {
-	for i := range *msgs {
-		(*msgs)[i].OOB = (*msgs)[i].OOB[:0]
-		(*msgs)[i] = ipv6.Message{Buffers: (*msgs)[i].Buffers, OOB: (*msgs)[i].OOB}
-	}
-	msgsPool.Put(msgs)
-}
--- a/client/iface/configurer/err.go
+++ b/client/iface/configurer/err.go
@@ -1,5 +0,0 @@
-package configurer
-
-import "errors"
-
-var ErrPeerNotFound = errors.New("peer not found")
--- a/client/iface/configurer/wgstats.go
+++ b/client/iface/configurer/wgstats.go
@@ -1,9 +0,0 @@
-package configurer
-
-import "time"
-
-type WGStats struct {
-	LastHandshake time.Time
-	TxBytes       int64
-	RxBytes       int64
-}
--- a/client/iface/device.go
+++ b/client/iface/device.go
@@ -1,18 +0,0 @@
-//go:build !android
-
-package iface
-
-import (
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/device"
-)
-
-type WGTunDevice interface {
-	Create() (device.WGConfigurer, error)
-	Up() (*bind.UniversalUDPMuxDefault, error)
-	UpdateAddr(address WGAddress) error
-	WgAddress() WGAddress
-	DeviceName() string
-	Close() error
-	FilteredDevice() *device.FilteredDevice
-}
--- a/client/iface/device/device_netstack.go
+++ b/client/iface/device/device_netstack.go
@@ -1,119 +0,0 @@
-//go:build !android
-// +build !android
-
-package device
-
-import (
-	"fmt"
-
-	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/device"
-
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/configurer"
-	"github.com/netbirdio/netbird/client/iface/netstack"
-)
-
-type TunNetstackDevice struct {
-	name          string
-	address       WGAddress
-	port          int
-	key           string
-	mtu           int
-	listenAddress string
-	iceBind       *bind.ICEBind
-
-	device         *device.Device
-	filteredDevice *FilteredDevice
-	nsTun          *netstack.NetStackTun
-	udpMux         *bind.UniversalUDPMuxDefault
-	configurer     WGConfigurer
-}
-
-func NewNetstackDevice(name string, address WGAddress, wgPort int, key string, mtu int, iceBind *bind.ICEBind, listenAddress string) *TunNetstackDevice {
-	return &TunNetstackDevice{
-		name:          name,
-		address:       address,
-		port:          wgPort,
-		key:           key,
-		mtu:           mtu,
-		listenAddress: listenAddress,
-		iceBind:       iceBind,
-	}
-}
-
-func (t *TunNetstackDevice) Create() (WGConfigurer, error) {
-	log.Info("create netstack tun interface")
-	t.nsTun = netstack.NewNetStackTun(t.listenAddress, t.address.IP.String(), t.mtu)
-	tunIface, err := t.nsTun.Create()
-	if err != nil {
-		return nil, fmt.Errorf("error creating tun device: %s", err)
-	}
-	t.filteredDevice = newDeviceFilter(tunIface)
-
-	t.device = device.NewDevice(
-		t.filteredDevice,
-		t.iceBind,
-		device.NewLogger(wgLogLevel(), "[netbird] "),
-	)
-
-	t.configurer = configurer.NewUSPConfigurer(t.device, t.name)
-	err = t.configurer.ConfigureInterface(t.key, t.port)
-	if err != nil {
-		_ = tunIface.Close()
-		return nil, fmt.Errorf("error configuring interface: %s", err)
-	}
-
-	log.Debugf("device has been created: %s", t.name)
-	return t.configurer, nil
-}
-
-func (t *TunNetstackDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
-	if t.device == nil {
-		return nil, fmt.Errorf("device is not ready yet")
-	}
-
-	err := t.device.Up()
-	if err != nil {
-		return nil, err
-	}
-
-	udpMux, err := t.iceBind.GetICEMux()
-	if err != nil {
-		return nil, err
-	}
-	t.udpMux = udpMux
-	log.Debugf("netstack device is ready to use")
-	return udpMux, nil
-}
-
-func (t *TunNetstackDevice) UpdateAddr(WGAddress) error {
-	return nil
-}
-
-func (t *TunNetstackDevice) Close() error {
-	if t.configurer != nil {
-		t.configurer.Close()
-	}
-
-	if t.device != nil {
-		t.device.Close()
-	}
-
-	if t.udpMux != nil {
-		return t.udpMux.Close()
-	}
-	return nil
-}
-
-func (t *TunNetstackDevice) WgAddress() WGAddress {
-	return t.address
-}
-
-func (t *TunNetstackDevice) DeviceName() string {
-	return t.name
-}
-
-func (t *TunNetstackDevice) FilteredDevice() *FilteredDevice {
-	return t.filteredDevice
-}
--- a/client/iface/device/interface.go
+++ b/client/iface/device/interface.go
@@ -1,20 +0,0 @@
-package device
-
-import (
-	"net"
-	"time"
-
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-
-	"github.com/netbirdio/netbird/client/iface/configurer"
-)
-
-type WGConfigurer interface {
-	ConfigureInterface(privateKey string, port int) error
-	UpdatePeer(peerKey string, allowedIps string, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error
-	RemovePeer(peerKey string) error
-	AddAllowedIP(peerKey string, allowedIP string) error
-	RemoveAllowedIP(peerKey string, allowedIP string) error
-	Close()
-	GetStats(peerKey string) (configurer.WGStats, error)
-}
--- a/client/iface/device/wg_log.go
+++ b/client/iface/device/wg_log.go
@@ -1,15 +0,0 @@
-package device
-
-import (
-	"os"
-
-	"golang.zx2c4.com/wireguard/device"
-)
-
-func wgLogLevel() int {
-	if os.Getenv("NB_WG_DEBUG") == "true" {
-		return device.LogLevelVerbose
-	} else {
-		return device.LogLevelSilent
-	}
-}
--- a/client/iface/device/windows_guid.go
+++ b/client/iface/device/windows_guid.go
@@ -1,4 +0,0 @@
-package device
-
-// CustomWindowsGUIDString is a custom GUID string for the interface
-var CustomWindowsGUIDString string
--- a/client/iface/device_android.go
+++ b/client/iface/device_android.go
@@ -1,16 +0,0 @@
-package iface
-
-import (
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/device"
-)
-
-type WGTunDevice interface {
-	Create(routes []string, dns string, searchDomains []string) (device.WGConfigurer, error)
-	Up() (*bind.UniversalUDPMuxDefault, error)
-	UpdateAddr(address WGAddress) error
-	WgAddress() WGAddress
-	DeviceName() string
-	Close() error
-	FilteredDevice() *device.FilteredDevice
-}
--- a/client/iface/iface_create_android.go
+++ b/client/iface/iface_create_android.go
@@ -1,24 +0,0 @@
-package iface
-
-import (
-	"fmt"
-)
-
-// CreateOnAndroid creates a new Wireguard interface, sets a given IP and brings it up.
-// Will reuse an existing one.
-func (w *WGIface) CreateOnAndroid(routes []string, dns string, searchDomains []string) error {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-
-	cfgr, err := w.tun.Create(routes, dns, searchDomains)
-	if err != nil {
-		return err
-	}
-	w.configurer = cfgr
-	return nil
-}
-
-// Create this function make sense on mobile only
-func (w *WGIface) Create() error {
-	return fmt.Errorf("this function has not implemented on this platform")
-}
--- a/client/iface/iface_create_darwin.go
+++ b/client/iface/iface_create_darwin.go
@@ -1,41 +0,0 @@
-//go:build !ios
-
-package iface
-
-import (
-	"fmt"
-	"time"
-
-	"github.com/cenkalti/backoff/v4"
-)
-
-// Create creates a new Wireguard interface, sets a given IP and brings it up.
-// Will reuse an existing one.
-// this function is different on Android
-func (w *WGIface) Create() error {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-
-	backOff := &backoff.ExponentialBackOff{
-		InitialInterval: 20 * time.Millisecond,
-		MaxElapsedTime:  500 * time.Millisecond,
-		Stop:            backoff.Stop,
-		Clock:           backoff.SystemClock,
-	}
-
-	operation := func() error {
-		cfgr, err := w.tun.Create()
-		if err != nil {
-			return err
-		}
-		w.configurer = cfgr
-		return nil
-	}
-
-	return backoff.Retry(operation, backOff)
-}
-
-// CreateOnAndroid this function make sense on mobile only
-func (w *WGIface) CreateOnAndroid([]string, string, []string) error {
-	return fmt.Errorf("this function has not implemented on this platform")
-}
--- a/client/iface/iface_destroy_bsd.go
+++ b/client/iface/iface_destroy_bsd.go
@@ -1,17 +0,0 @@
-//go:build darwin || dragonfly || freebsd || netbsd || openbsd
-
-package iface
-
-import (
-	"fmt"
-	"os/exec"
-)
-
-func (w *WGIface) Destroy() error {
-	out, err := exec.Command("ifconfig", w.Name(), "destroy").CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("failed to remove interface %s: %w - %s", w.Name(), err, out)
-	}
-
-	return nil
-}
--- a/client/iface/iface_destroy_linux.go
+++ b/client/iface/iface_destroy_linux.go
@@ -1,22 +0,0 @@
-//go:build linux && !android
-
-package iface
-
-import (
-	"fmt"
-
-	"github.com/vishvananda/netlink"
-)
-
-func (w *WGIface) Destroy() error {
-	link, err := netlink.LinkByName(w.Name())
-	if err != nil {
-		return fmt.Errorf("failed to get link by name %s: %w", w.Name(), err)
-	}
-
-	if err := netlink.LinkDel(link); err != nil {
-		return fmt.Errorf("failed to delete link %s: %w", w.Name(), err)
-	}
-
-	return nil
-}
--- a/client/iface/iface_destroy_mobile.go
+++ b/client/iface/iface_destroy_mobile.go
@@ -1,9 +0,0 @@
-//go:build android || (ios && !darwin)
-
-package iface
-
-import "errors"
-
-func (w *WGIface) Destroy() error {
-	return errors.New("not supported on mobile")
-}
--- a/client/iface/iface_destroy_windows.go
+++ b/client/iface/iface_destroy_windows.go
@@ -1,32 +0,0 @@
-//go:build windows
-
-package iface
-
-import (
-	"fmt"
-	"os/exec"
-
-	log "github.com/sirupsen/logrus"
-)
-
-func (w *WGIface) Destroy() error {
-	netshCmd := GetSystem32Command("netsh")
-	out, err := exec.Command(netshCmd, "interface", "set", "interface", w.Name(), "admin=disable").CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("failed to remove interface %s: %w - %s", w.Name(), err, out)
-	}
-	return nil
-}
-
-// GetSystem32Command checks if a command can be found in the system path and returns it. In case it can't find it
-// in the path it will return the full path of a command assuming C:\windows\system32 as the base path.
-func GetSystem32Command(command string) string {
-	_, err := exec.LookPath(command)
-	if err == nil {
-		return command
-	}
-
-	log.Tracef("Command %s not found in PATH, using C:\\windows\\system32\\%s.exe path", command, command)
-
-	return "C:\\windows\\system32\\" + command + ".exe"
-}
--- a/client/iface/iface_guid_windows.go
+++ b/client/iface/iface_guid_windows.go
@@ -1,10 +0,0 @@
-package iface
-
-import (
-	"github.com/netbirdio/netbird/client/iface/device"
-)
-
-// GetInterfaceGUIDString returns an interface GUID. This is useful on Windows only
-func (w *WGIface) GetInterfaceGUIDString() (string, error) {
-	return w.tun.(*device.TunDevice).GetInterfaceGUIDString()
-}
--- a/client/iface/iface_moc.go
+++ b/client/iface/iface_moc.go
@@ -1,112 +0,0 @@
-package iface
-
-import (
-	"net"
-	"time"
-
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/configurer"
-	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/wgproxy"
-)
-
-type MockWGIface struct {
-	CreateFunc                 func() error
-	CreateOnAndroidFunc        func(routeRange []string, ip string, domains []string) error
-	IsUserspaceBindFunc        func() bool
-	NameFunc                   func() string
-	AddressFunc                func() device.WGAddress
-	ToInterfaceFunc            func() *net.Interface
-	UpFunc                     func() (*bind.UniversalUDPMuxDefault, error)
-	UpdateAddrFunc             func(newAddr string) error
-	UpdatePeerFunc             func(peerKey string, allowedIps string, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error
-	RemovePeerFunc             func(peerKey string) error
-	AddAllowedIPFunc           func(peerKey string, allowedIP string) error
-	RemoveAllowedIPFunc        func(peerKey string, allowedIP string) error
-	CloseFunc                  func() error
-	SetFilterFunc              func(filter device.PacketFilter) error
-	GetFilterFunc              func() device.PacketFilter
-	GetDeviceFunc              func() *device.FilteredDevice
-	GetStatsFunc               func(peerKey string) (configurer.WGStats, error)
-	GetInterfaceGUIDStringFunc func() (string, error)
-	GetProxyFunc               func() wgproxy.Proxy
-}
-
-func (m *MockWGIface) GetInterfaceGUIDString() (string, error) {
-	return m.GetInterfaceGUIDStringFunc()
-}
-
-func (m *MockWGIface) Create() error {
-	return m.CreateFunc()
-}
-
-func (m *MockWGIface) CreateOnAndroid(routeRange []string, ip string, domains []string) error {
-	return m.CreateOnAndroidFunc(routeRange, ip, domains)
-}
-
-func (m *MockWGIface) IsUserspaceBind() bool {
-	return m.IsUserspaceBindFunc()
-}
-
-func (m *MockWGIface) Name() string {
-	return m.NameFunc()
-}
-
-func (m *MockWGIface) Address() device.WGAddress {
-	return m.AddressFunc()
-}
-
-func (m *MockWGIface) ToInterface() *net.Interface {
-	return m.ToInterfaceFunc()
-}
-
-func (m *MockWGIface) Up() (*bind.UniversalUDPMuxDefault, error) {
-	return m.UpFunc()
-}
-
-func (m *MockWGIface) UpdateAddr(newAddr string) error {
-	return m.UpdateAddrFunc(newAddr)
-}
-
-func (m *MockWGIface) UpdatePeer(peerKey string, allowedIps string, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
-	return m.UpdatePeerFunc(peerKey, allowedIps, keepAlive, endpoint, preSharedKey)
-}
-
-func (m *MockWGIface) RemovePeer(peerKey string) error {
-	return m.RemovePeerFunc(peerKey)
-}
-
-func (m *MockWGIface) AddAllowedIP(peerKey string, allowedIP string) error {
-	return m.AddAllowedIPFunc(peerKey, allowedIP)
-}
-
-func (m *MockWGIface) RemoveAllowedIP(peerKey string, allowedIP string) error {
-	return m.RemoveAllowedIPFunc(peerKey, allowedIP)
-}
-
-func (m *MockWGIface) Close() error {
-	return m.CloseFunc()
-}
-
-func (m *MockWGIface) SetFilter(filter device.PacketFilter) error {
-	return m.SetFilterFunc(filter)
-}
-
-func (m *MockWGIface) GetFilter() device.PacketFilter {
-	return m.GetFilterFunc()
-}
-
-func (m *MockWGIface) GetDevice() *device.FilteredDevice {
-	return m.GetDeviceFunc()
-}
-
-func (m *MockWGIface) GetStats(peerKey string) (configurer.WGStats, error) {
-	return m.GetStatsFunc(peerKey)
-}
-
-func (m *MockWGIface) GetProxy() wgproxy.Proxy {
-	//TODO implement me
-	panic("implement me")
-}
--- a/client/iface/iface_new_android.go
+++ b/client/iface/iface_new_android.go
@@ -1,24 +0,0 @@
-package iface
-
-import (
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/wgproxy"
-)
-
-// NewWGIFace Creates a new WireGuard interface instance
-func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := device.ParseWGAddress(opts.Address)
-	if err != nil {
-		return nil, err
-	}
-
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn)
-
-	wgIFace := &WGIface{
-		userspaceBind:  true,
-		tun:            device.NewTunDevice(wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunAdapter),
-		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
-	}
-	return wgIFace, nil
-}
--- a/client/iface/iface_new_darwin.go
+++ b/client/iface/iface_new_darwin.go
@@ -1,34 +0,0 @@
-//go:build !ios
-
-package iface
-
-import (
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/wgproxy"
-)
-
-// NewWGIFace Creates a new WireGuard interface instance
-func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := device.ParseWGAddress(opts.Address)
-	if err != nil {
-		return nil, err
-	}
-
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn)
-
-	var tun WGTunDevice
-	if netstack.IsEnabled() {
-		tun = device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr())
-	} else {
-		tun = device.NewTunDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind)
-	}
-
-	wgIFace := &WGIface{
-		userspaceBind:  true,
-		tun:            tun,
-		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
-	}
-	return wgIFace, nil
-}
--- a/client/iface/iface_new_ios.go
+++ b/client/iface/iface_new_ios.go
@@ -1,26 +0,0 @@
-//go:build ios
-
-package iface
-
-import (
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/wgproxy"
-)
-
-// NewWGIFace Creates a new WireGuard interface instance
-func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := device.ParseWGAddress(opts.Address)
-	if err != nil {
-		return nil, err
-	}
-
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn)
-
-	wgIFace := &WGIface{
-		tun:            device.NewTunDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, iceBind, opts.MobileArgs.TunFd),
-		userspaceBind:  true,
-		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
-	}
-	return wgIFace, nil
-}
--- a/client/iface/iface_new_unix.go
+++ b/client/iface/iface_new_unix.go
@@ -1,45 +0,0 @@
-//go:build (linux && !android) || freebsd
-
-package iface
-
-import (
-	"fmt"
-
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/wgproxy"
-)
-
-// NewWGIFace Creates a new WireGuard interface instance
-func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := device.ParseWGAddress(opts.Address)
-	if err != nil {
-		return nil, err
-	}
-
-	wgIFace := &WGIface{}
-
-	if netstack.IsEnabled() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn)
-		wgIFace.tun = device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr())
-		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind)
-		return wgIFace, nil
-	}
-
-	if device.WireGuardModuleIsLoaded() {
-		wgIFace.tun = device.NewKernelDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, opts.TransportNet)
-		wgIFace.wgProxyFactory = wgproxy.NewKernelFactory(opts.WGPort)
-		return wgIFace, nil
-	}
-	if device.ModuleTunIsLoaded() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn)
-		wgIFace.tun = device.NewUSPDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind)
-		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind)
-		return wgIFace, nil
-	}
-
-	return nil, fmt.Errorf("couldn't check or load tun module")
-}
--- a/client/iface/iface_new_windows.go
+++ b/client/iface/iface_new_windows.go
@@ -1,32 +0,0 @@
-package iface
-
-import (
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/wgproxy"
-)
-
-// NewWGIFace Creates a new WireGuard interface instance
-func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := device.ParseWGAddress(opts.Address)
-	if err != nil {
-		return nil, err
-	}
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn)
-
-	var tun WGTunDevice
-	if netstack.IsEnabled() {
-		tun = device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr())
-	} else {
-		tun = device.NewTunDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind)
-	}
-
-	wgIFace := &WGIface{
-		userspaceBind:  true,
-		tun:            tun,
-		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
-	}
-	return wgIFace, nil
-
-}
--- a/Show More
+++ b/Show More