diff --git a/controllers/ext_client.go b/controllers/ext_client.go
index aabb5103e..874c62576 100644
--- a/controllers/ext_client.go
+++ b/controllers/ext_client.go
@@ -470,8 +470,8 @@ func createExtClient(w http.ResponseWriter, r *http.Request) {
 extclient.IngressGatewayID = nodeid
 extclient.Network = node.Network
 extclient.Tags = make(map[models.TagID]struct{})
- extclient.Tags[models.TagID(fmt.Sprintf("%s.%s", extclient.Network,
- models.RemoteAccessTagName))] = struct{}{}
+ // extclient.Tags[models.TagID(fmt.Sprintf("%s.%s", extclient.Network,
+ // models.RemoteAccessTagName))] = struct{}{}
 // set extclient dns to ingressdns if extclient dns is not explicitly set
 if (extclient.DNS == "") && (node.IngressDNS != "") {
 extclient.DNS = node.IngressDNS
diff --git a/controllers/server.go b/controllers/server.go
index 10f548280..77b06fcc7 100644
--- a/controllers/server.go
+++ b/controllers/server.go
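Review bot: The remote-access tag assignment in createExtClient is commented out rather than deleted, so new ext clients get an empty `Tags` map while clients that already carry the `<network>.<RemoteAccessTagName>` tag keep it. If any ACL policy selects clients by that tag (not visible in this diff), the two populations will be evaluated differently; the commit should either strip the tag from stored clients or state why the split is intended. The same commented-out pair appears in getRemoteAccessGatewayConf in pro/controllers/users.go. Delete the dead lines in both places and leave one line such as `// remote-access tag is no longer assigned by default; see <issue-id>`. createExtClient's body starts and ends outside the hunk.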
@@ -140,26 +140,26 @@ func getStatus(w http.ResponseWriter, r *http.Request) {
 if servercfg.ErrLicenseValidation != nil {
 licenseErr = servercfg.ErrLicenseValidation.Error()
 }
- var trialEndDate time.Time
- var err error
- isOnTrial := false
- if servercfg.IsPro &&
- (servercfg.GetLicenseKey() == "" || servercfg.GetNetmakerTenantID() == "") {
- trialEndDate, err = logic.GetTrialEndDate()
- if err != nil {
- slog.Error("failed to get trial end date", "error", err)
- } else {
- isOnTrial = true
- }
- }
+ //var trialEndDate time.Time
+ //var err error
+ // isOnTrial := false
+ // if servercfg.IsPro &&
+ // (servercfg.GetLicenseKey() == "" || servercfg.GetNetmakerTenantID() == "") {
+ // trialEndDate, err = logic.GetTrialEndDate()
+ // if err != nil {
+ // slog.Error("failed to get trial end date", "error", err)
+ // } else {
+ // isOnTrial = true
+ // }
+ // }
 currentServerStatus := status{
 DB: database.IsConnected(),
 Broker: mq.IsConnected(),
 IsBrokerConnOpen: mq.IsConnectionOpen(),
 LicenseError: licenseErr,
 IsPro: servercfg.IsPro,
- TrialEndDate: trialEndDate,
- IsOnTrialLicense: isOnTrial,
+ //TrialEndDate: trialEndDate,
+ //IsOnTrialLicense: isOnTrial,
 }
 w.Header().Set("Content-Type", "application/json")
diff --git a/logic/extpeers.go b/logic/extpeers.go
index fcb422243..efcb045ef 100644
--- a/logic/extpeers.go
+++ b/logic/extpeers.go
@@ -802,6 +802,7 @@ func GetStaticNodesByNetwork(network models.NetworkID, onlyWg bool) (staticNode
 if err != nil {
 return
 }
+ SortExtClient(extClients[:])
 for _, extI := range extClients {
 if extI.Network == network.String() {
 if onlyWg && extI.RemoteAccessClientID != "" {
diff --git a/logic/peers.go b/logic/peers.go
index e88f48630..532dc5de5 100644
--- a/logic/peers.go
+++ b/logic/peers.go
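Review bot: The trial-license lookup in getStatus is disabled by commenting it out, together with the `TrialEndDate` and `IsOnTrialLicense` entries of the `status` literal. Assuming the struct still declares those fields, the endpoint now reports their zero values even for a server that is on a trial, and consumers cannot tell "not on trial" from "not reported". Remove the block and the two fields together, or keep the lookup behind an explicit condition. If the change is temporary, replace the dead code with one line such as `// trial status is intentionally not reported; see <issue-id>`. getStatus's body extends beyond the hunk.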
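Review bot: `SortExtClient(extClients[:])` in GetStaticNodesByNetwork sorts the slice in place, and the `[:]` re-slice does not copy. If the getter above the hunk returns a slice shared with a cache (not visible here), every call reorders shared data and concurrent callers can race on it; take a copy before sorting in that case. The call also sorts the clients of every network before the loop filters on `extI.Network`. At minimum drop the redundant re-slice: `SortExtClient(extClients)`. The function starts and ends outside the hunk.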
@@ -227,6 +227,16 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 } else if host.EndpointIPv6 != nil && peerHost.EndpointIPv6 != nil {
 peerEndpoint = peerHost.EndpointIPv6
 }
+ if host.EndpointIP == nil && peerEndpoint == nil {
+ if peerHost.EndpointIP != nil {
+ peerEndpoint = peerHost.EndpointIP
+ }
+ }
+ if host.EndpointIPv6 == nil && peerEndpoint == nil {
+ if peerHost.EndpointIPv6 != nil {
+ peerEndpoint = peerHost.EndpointIPv6
+ }
+ }
 peerConfig.Endpoint = &net.UDPAddr{
 IP: peerEndpoint,
diff --git a/migrate/migrate.go b/migrate/migrate.go
index 51e74ab4c..19e9232aa 100644
--- a/migrate/migrate.go
+++ b/migrate/migrate.go
@@ -226,18 +226,6 @@ func updateNodes() {
 }
 }
 }
- extclients, _ := logic.GetAllExtClients()
- for _, extclient := range extclients {
- tagID := models.TagID(fmt.Sprintf("%s.%s", extclient.Network,
- models.RemoteAccessTagName))
- if extclient.Tags == nil {
- extclient.Tags = make(map[models.TagID]struct{})
- }
- if _, ok := extclient.Tags[tagID]; !ok {
- extclient.Tags[tagID] = struct{}{}
- logic.SaveExtClient(&extclient)
- }
- }
 }
 func removeInterGw(egressRanges []string) ([]string, bool) {
diff --git a/models/user_mgmt.go b/models/user_mgmt.go
index 7debd6e22..188d7eba3 100644
--- a/models/user_mgmt.go
+++ b/models/user_mgmt.go
@@ -80,7 +80,8 @@ const (
 AllUserRsrcID RsrcID = "all_user"
 AllDnsRsrcID RsrcID = "all_dns"
 AllFailOverRsrcID RsrcID = "all_fail_over"
- AllAclsRsrcID RsrcID = "all_acls"
+ AllAclsRsrcID RsrcID = "all_acl"
+ AllTagsRsrcID RsrcID = "all_tag"
 )
 // Pre-Defined User Roles
diff --git a/pro/controllers/users.go b/pro/controllers/users.go
index 31099d0ce..86787b79b 100644
--- a/pro/controllers/users.go
+++ b/pro/controllers/users.go
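Review bot: The two fallback blocks added in GetPeerUpdateForHost give a host an endpoint in an address family it has not reported for itself, and nothing in the code says this is deliberate. A host with `EndpointIP == nil` now receives the peer's IPv4 address, so an IPv6-only host paired with an IPv4-only peer is handed an endpoint it likely cannot reach. Add a comment naming the intended case, e.g. `// host endpoint unknown for this family: fall back to what the peer advertises`, and flatten each nested check to `if host.EndpointIP == nil && peerEndpoint == nil && peerHost.EndpointIP != nil {`. `peerEndpoint` can still be nil when the peer advertises neither address, and it is then passed to `net.UDPAddr` as before. The function continues beyond the hunk.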
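Review bot: Changing the value of `AllAclsRsrcID` from `"all_acls"` to `"all_acl"` in models/user_mgmt.go alters a key that is presumably persisted inside stored role permission templates. Roles saved with the old key would no longer match lookups made through the constant, so ACL permissions granted earlier could silently stop applying. No migration for stored roles is visible in this commit; the migrate/migrate.go hunk only removes code. Either rewrite the stored key on upgrade or keep accepting the old value during permission checks, and note it on the constant, e.g. `// value changed from "all_acls"; stored roles are migrated in <migration-name>`. The const block starts and ends outside the hunk.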
@@ -1006,8 +1006,8 @@ func getRemoteAccessGatewayConf(w http.ResponseWriter, r *http.Request) {
 userConf.Enabled = parentNetwork.DefaultACL == "yes"
 }
 userConf.Tags = make(map[models.TagID]struct{})
- userConf.Tags[models.TagID(fmt.Sprintf("%s.%s", userConf.Network,
- models.RemoteAccessTagName))] = struct{}{}
+ // userConf.Tags[models.TagID(fmt.Sprintf("%s.%s", userConf.Network,
+ // models.RemoteAccessTagName))] = struct{}{}
 if err = logic.CreateExtClient(&userConf); err != nil {
 slog.Error(
 "failed to create extclient",
diff --git a/pro/logic/user_mgmt.go b/pro/logic/user_mgmt.go
index c3a6534ff..2a21a8bdb 100644
--- a/pro/logic/user_mgmt.go
+++ b/pro/logic/user_mgmt.go
@@ -60,6 +60,36 @@ var NetworkUserAllPermissionTemplate = models.UserRolePermissionTemplate{
 SelfOnly: true,
 },
 },
+ models.DnsRsrc: {
+ models.AllDnsRsrcID: models.RsrcPermissionScope{
+ Read: true,
+ },
+ },
+ models.AclRsrc: {
+ models.AllAclsRsrcID: models.RsrcPermissionScope{
+ Read: true,
+ },
+ },
+ models.EgressGwRsrc: {
+ models.AllEgressGwRsrcID: models.RsrcPermissionScope{
+ Read: true,
+ },
+ },
+ models.InetGwRsrc: {
+ models.AllInetGwRsrcID: models.RsrcPermissionScope{
+ Read: true,
+ },
+ },
+ models.RelayRsrc: {
+ models.AllRelayRsrcID: models.RsrcPermissionScope{
+ Read: true,
+ },
+ },
+ models.TagRsrc: {
+ models.AllTagsRsrcID: models.RsrcPermissionScope{
+ Read: true,
+ },
+ },
 },
 }
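Review bot: The six read-only scopes added to NetworkUserAllPermissionTemplate in pro/logic/user_mgmt.go (DNS, ACL, egress gateway, internet gateway, relay, tag) are repeated line for line in the CreateDefaultNetworkRolesAndGroups hunk that follows, so the two grants can drift apart in a later edit. Build the set once in an unexported helper that returns a fresh map and use it in both literals. The grant also lets every network user read the network's ACL and gateway configuration, so a comment above the entries should record that this is intended, e.g. `// network users may view (not modify) network-level resources`. Whether roles already stored for existing networks receive the new scopes is not visible in this diff. Both literals start above their hunks.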
@@ -147,6 +177,36 @@ func CreateDefaultNetworkRolesAndGroups(netID models.NetworkID) {
 SelfOnly: true,
 },
 },
+ models.DnsRsrc: {
+ models.AllDnsRsrcID: models.RsrcPermissionScope{
+ Read: true,
+ },
+ },
+ models.AclRsrc: {
+ models.AllAclsRsrcID: models.RsrcPermissionScope{
+ Read: true,
+ },
+ },
+ models.EgressGwRsrc: {
+ models.AllEgressGwRsrcID: models.RsrcPermissionScope{
+ Read: true,
+ },
+ },
+ models.InetGwRsrc: {
+ models.AllInetGwRsrcID: models.RsrcPermissionScope{
+ Read: true,
+ },
+ },
+ models.RelayRsrc: {
+ models.AllRelayRsrcID: models.RsrcPermissionScope{
+ Read: true,
+ },
+ },
+ models.TagRsrc: {
+ models.AllTagsRsrcID: models.RsrcPermissionScope{
+ Read: true,
+ },
+ },
 },
 }
 d, _ := json.Marshal(NetworkAdminPermissionTemplate)