diff --git a/Cargo.lock b/Cargo.lock
index f6e51678..6c6fcedb 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -514,7 +514,7 @@ dependencies = [
 
 [[package]]
 name = "defguard-gateway"
-version = "1.6.4"
+version = "1.6.5"
 dependencies = [
  "axum",
  "base64",
@@ -2195,9 +2195,9 @@ dependencies = [
 
 [[package]]
 name = "rustls-webpki"
-version = "0.103.10"
+version = "0.103.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef"
+checksum = "8279bb85272c9f10811ae6a6c547ff594d6a7f3c6c6b02ee9726d1d0dcfcdd06"
 dependencies = [
  "ring",
  "rustls-pki-types",
diff --git a/Cargo.toml b/Cargo.toml
index bee0126c..ebd756db 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "defguard-gateway"
-version = "1.6.4"
+version = "1.6.5"
 edition = "2024"
 
 [dependencies]
diff --git a/src/enterprise/firewall/nftables/mod.rs b/src/enterprise/firewall/nftables/mod.rs
index 1ce2b007..1ae96787 100644
--- a/src/enterprise/firewall/nftables/mod.rs
+++ b/src/enterprise/firewall/nftables/mod.rs
@@ -269,6 +269,7 @@ impl FirewallManagementApi for FirewallApi {
 
         let mut batch = Batch::new();
         set_nat_rules(&mut batch, &self.ifname, masquerade_enabled, snat_bindings)?;
+        send_batch(&batch.finalize(), &self.socket)?;
 
         debug!("Finished POSTROUTING chain rules setup");
         Ok(())
diff --git a/src/gateway.rs b/src/gateway.rs
index dd876653..e88ddd60 100644
--- a/src/gateway.rs
+++ b/src/gateway.rs
@@ -1,9 +1,3 @@
-use defguard_version::{
-    ComponentInfo, DefguardComponent, Version, client::ClientVersionInterceptor,
-    get_tracing_variables,
-};
-use defguard_wireguard_rs::{WireguardInterfaceApi, net::IpAddrMask};
-use gethostname::gethostname;
 use std::{
     collections::HashMap,
     fs::read_to_string,
@@ -14,6 +8,13 @@ use std::{
     },
     time::{Duration, SystemTime},
 };
+
+use defguard_version::{
+    ComponentInfo, DefguardComponent, Version, client::ClientVersionInterceptor,
+    get_tracing_variables,
+};
+use defguard_wireguard_rs::{WireguardInterfaceApi, net::IpAddrMask};
+use gethostname::gethostname;
 use tokio::{
     select,
     sync::mpsc,