diff --git a/service/firewall/interception/nfqueue_linux.go b/service/firewall/interception/nfqueue_linux.go
index 2f83480f..875509b6 100644
--- a/service/firewall/interception/nfqueue_linux.go
+++ b/service/firewall/interception/nfqueue_linux.go
@@ -54,13 +54,22 @@ func init() {
 }
 v4rules = []string{
+ // stenya: Preserve original packet marks for permanently allowed connections (connmark 1710/AcceptAlways)
+ // to ensure compatibility with other tools that also rely on packet marks.
+ // This rule is placed before `CONNMARK --restore-mark` to prevent overwriting the original mark.
+ // (Example: WireGuard/wg-quick relies on packet marks; changing them would break its routing).
+ "mangle PORTMASTER-INGEST-OUTPUT -m mark ! --mark 0 -m connmark --mark 1710 -j RETURN",
 "mangle PORTMASTER-INGEST-OUTPUT -j CONNMARK --restore-mark",
 "mangle PORTMASTER-INGEST-OUTPUT -m mark --mark 0 -j NFQUEUE --queue-num 17040 --queue-bypass",
+ // stenya: Preserve original packet marks, similar to the OUTPUT chain (not sure if this is really needed for INPUT).
+ "mangle PORTMASTER-INGEST-INPUT -m mark ! --mark 0 -m connmark --mark 1710 -j RETURN",
 "mangle PORTMASTER-INGEST-INPUT -j CONNMARK --restore-mark",
 "mangle PORTMASTER-INGEST-INPUT -m mark --mark 0 -j NFQUEUE --queue-num 17140 --queue-bypass",
 "filter PORTMASTER-FILTER -m mark --mark 0 -j DROP",
+ // stenya: Preserve original packet marks.
+ "filter PORTMASTER-FILTER -m connmark --mark 1710 -j RETURN",
 "filter PORTMASTER-FILTER -m mark --mark 1700 -j RETURN",
 // Accepting ICMP packets with mark 1701 is required for rejecting to work,
 // as the rejection ICMP packet will have the same mark. Blocked ICMP 
@@ -100,13 +109,16 @@ func init() {
 }
 v6rules = []string{
+ "mangle PORTMASTER-INGEST-OUTPUT -m mark ! --mark 0 -m connmark --mark 1710 -j RETURN",
 "mangle PORTMASTER-INGEST-OUTPUT -j CONNMARK --restore-mark",
 "mangle PORTMASTER-INGEST-OUTPUT -m mark --mark 0 -j NFQUEUE --queue-num 17060 --queue-bypass",
+ "mangle PORTMASTER-INGEST-INPUT -m mark ! --mark 0 -m connmark --mark 1710 -j RETURN",
 "mangle PORTMASTER-INGEST-INPUT -j CONNMARK --restore-mark",
 "mangle PORTMASTER-INGEST-INPUT -m mark --mark 0 -j NFQUEUE --queue-num 17160 --queue-bypass",
 "filter PORTMASTER-FILTER -m mark --mark 0 -j DROP",
+ "filter PORTMASTER-FILTER -m connmark --mark 1710 -j RETURN",
 "filter PORTMASTER-FILTER -m mark --mark 1700 -j RETURN",
 "filter PORTMASTER-FILTER -m mark --mark 1701 -p icmpv6 -j RETURN",
 "filter PORTMASTER-FILTER -m mark --mark 1701 -j REJECT --reject-with icmp6-adm-prohibited",
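Review bot: The three v6 rules added in this hunk (the two `-m mark ! --mark 0 -m connmark --mark 1710 -j RETURN` mangle rules and the `filter PORTMASTER-FILTER -m connmark --mark 1710 -j RETURN` rule) carry none of the explanation the matching v4 rules in the previous hunk have, so a reader of v6rules cannot tell why these packets may skip `CONNMARK --restore-mark` and the NFQUEUE, or why the filter chain now accepts by connmark alone rather than by packet mark. Add one comment above the first of them, e.g. `// As in v4rules: keep a foreign non-zero packet mark on AcceptAlways (connmark 1710) connections; the filter chain then accepts them by connmark, since their mark is no longer 1710.` In the previous hunk, the INPUT-chain comment `(not sure if this is really needed for INPUT)` records an open question instead of the rule's contract; since the rule requires `! --mark 0`, it can only match when something before PORTMASTER-INGEST-INPUT already marked the packet (presumably another tool's PREROUTING rule), and the comment should say that instead; the `stenya:` author tags are also absent from the file's existing comments and belong in git history. Both hunk headers count more old lines than are visible here, so the tail of each hunk and the rest of init could not be checked.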