diff --git a/systemvm/debian/opt/cloud/bin/configure.py b/systemvm/debian/opt/cloud/bin/configure.py
index b2c0676c65d..a250229ba9e 100755
--- a/systemvm/debian/opt/cloud/bin/configure.py
+++ b/systemvm/debian/opt/cloud/bin/configure.py
@@ -703,12 +703,26 @@ class CsAcl(CsDataBag):
 self.add_routing_rules()
 return
+ fw_chains_created = set()
 for item in self.dbag:
 if item == "id":
 continue
 if self.config.is_vpc() and not ("purpose" in self.dbag[item] and self.dbag[item]["purpose"] == "Firewall"):
 self.AclDevice(self.dbag[item], self.config).create()
 else:
+ # For VPC firewall rules, create the PREROUTING jump and chain skeleton
+ # once per public IP before adding the individual rule
+ if self.config.is_vpc() and self.dbag[item].get("purpose") == "Firewall":
+ src_ip = self.dbag[item].get("src_ip")
+ if src_ip and src_ip not in fw_chains_created:
+ fw = self.config.get_fw()
+ fw.append(["mangle", "front",
+ "-A PREROUTING -d %s/32 -j FIREWALL_%s" % (src_ip, src_ip)])
+ fw.append(["mangle", "front",
+ "-A FIREWALL_%s -m state --state RELATED,ESTABLISHED -j RETURN" % src_ip])
+ fw.append(["mangle", "",
+ "-A FIREWALL_%s -j DROP" % src_ip])
+ fw_chains_created.add(src_ip)
 self.AclIP(self.dbag[item], self.config).create()
 class CsIpv6Firewall(CsDataBag):
diff --git a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
index 1730cae9b32..cf48803cdfc 100755
--- a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
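Review bot: The FIREWALL_<ip> chain skeleton (PREROUTING jump, RELATED,ESTABLISHED RETURN, trailing DROP) is now installed only for a `src_ip` that appears in a Firewall-purpose databag entry, whereas the code removed from CsIP in CsAddress.py installed it for every public-type CsIP; a VPC public IP with no firewall entries therefore no longer gets the default DROP, which looks like a default-deny regression unless allow-all is the intended state for an unconfigured IP — confirm against the intended semantics. If default-deny is intended, key the skeleton on the set of VPC public IPs rather than on the rule entries, and in either case record the decision next to the new comment, e.g. `# NOTE: IPs without a Firewall entry get no FIREWALL_<ip> chain, i.e. no default DROP`. Separately, inside this `else:` branch the outer condition's negation already guarantees purpose == "Firewall" whenever `self.config.is_vpc()` holds, so the inner test can be reduced to `if self.config.is_vpc():`. The enclosing method starts before the hunk, so whether `get_fw()` returns the same list CsIP appends to cannot be checked from here.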
@@ -647,17 +647,6 @@ class CsIP:
 (self.address['network'], self.address['network'])])
 if self.get_type() in ["public"]:
- # Add PREROUTING firewall chain jump for public IP
- self.fw.append(["mangle", "front",
- "-A PREROUTING " +
- "-d %s/32 -j FIREWALL_%s" % (self.address['public_ip'], self.address['public_ip'])])
-
- # Add the firewall chain with default DROP policy
- self.fw.append(["mangle", "front",
- "-A FIREWALL_%s " % self.address['public_ip'] +
- "-m state --state RELATED,ESTABLISHED -j RETURN"])
- self.fw.append(["mangle", "",
- "-A FIREWALL_%s -j DROP" % self.address['public_ip']])
 self.fw.append(
 ["mangle", "", "-A FORWARD -j VPN_STATS_%s" % self.dev])
diff --git a/ui/src/views/network/PublicIpResource.vue b/ui/src/views/network/PublicIpResource.vue
index cbe73d60824..340aec7119f 100644
--- a/ui/src/views/network/PublicIpResource.vue
+++ b/ui/src/views/network/PublicIpResource.vue
@@ -135,33 +135,27 @@ export default {
 return
 }
 if (this.resource && this.resource.vpcid) {
- const vpc = await this.fetchVpc()
+`` const vpc = await this.fetchVpc()
 // VPC IPs with source nat have only VPN when VPC offering conserve mode = false
 if (this.resource.issourcenat && vpc?.vpcofferingconservemode === false) {
 let tabs = this.defaultTabs.concat(this.$route.meta.tabs.filter(tab => tab.name === 'vpn'))
- if (this.resource.associatednetworkid) {
- tabs = this.defaultTabs.concat(this.$route.meta.tabs.filter(tab => ['vpn', 'firewall'].includes(tab.name)))
- }
- this.tabs = tabs
+ this.tabs = this.addFirewallTab(tabs)
 return
 }
- // VPC IPs with static nat have nothing
+ // VPC IPs with static nat keep existing VPN behavior and always show firewall
 if (this.resource.isstaticnat) {
+ let tabs = this.defaultTabs
 if (this.resource.virtualmachinetype === 'DomainRouter') {
- this.tabs = this.defaultTabs.concat(this.$route.meta.tabs.filter(tab => ['vpn', 'firewall'].includes(tab.name)))
- } else {
- this.tabs = this.defaultTabs
+ tabs = this.defaultTabs.concat(this.$route.meta.tabs.filter(tab => tab.name === 'vpn'))
 }
+ this.tabs = this.addFirewallTab(tabs)
 return
 }
- // VPC IPs have all tabs, but firewall only if associatednetworkid present
+ // VPC IPs have all tabs, and firewall should always be visible
 let tabs = this.$route.meta.tabs
- if (!this.resource.associatednetworkid) {
- tabs = tabs.filter(tab => tab.name !== 'firewall')
- }
 const network = await this.fetchNetwork()
 if (network && network.networkofferingconservemode) {
@@ -209,6 +203,13 @@ export default {
 fetchAction () {
 this.actions = this.$route.meta.actions || []
 },
+ addFirewallTab (tabs) {
+ const firewallTab = this.$route.meta.tabs.find(tab => tab.name === 'firewall')
+ if (!firewallTab || tabs.some(tab => tab.name === 'firewall')) {
+ return tabs
+ }
+ return tabs.concat(firewallTab)
+ },
 fetchVpc () {
 if (!this.resource.vpcid) {
 return null
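Review bot: In the source-NAT branch `tabs` is no longer reassigned once the `associatednetworkid` block is removed, so `let tabs = this.defaultTabs.concat(this.$route.meta.tabs.filter(tab => tab.name === 'vpn'))` should become `const tabs = ...` (ESLint prefer-const, which the project's Vue lint setup presumably enforces). The re-added `const vpc = await this.fetchVpc()` line shows two stray backtick characters before `const` on its new side; that is most likely a rendering artifact of this page, but if it is really in the file it is a syntax error and the line should be byte-identical to the removed one. The firewall tab is now shown regardless of `associatednetworkid`, which is only coherent if the backend accepts firewall rules for such IPs — the configure.py change in this commit appears to provide that, but it is worth confirming in the same PR.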
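Review bot: `addFirewallTab` has no doc comment, and its two early-return conditions (no firewall tab in the route meta, or `tabs` already containing one) are worth stating for callers, e.g. a JSDoc above the method: `/** Return tabs with the route's firewall tab appended, unless the route defines none or tabs already contains it. */`. It also calls `this.$route.meta.tabs.find(...)` unguarded, which matches the existing callers in this file but throws if `meta.tabs` is undefined; `const firewallTab = (this.$route.meta.tabs || []).find(tab => tab.name === 'firewall')` would make the helper safe on its own.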