Move IPv6 blackhole from notifier to platform tun (java/swift)

* chores: fix lint error on google workspace

* chores: updated google api dependency

* update google golang api sdk to latest

.github/workflows/proto-version-check.yml

@@ -0,0 +1,62 @@
+name: Proto Version Check
+
+on:
+  pull_request:
+    paths:
+      - "**/*.pb.go"
+
+jobs:
+  check-proto-versions:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check for proto tool version changes
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const files = await github.paginate(github.rest.pulls.listFiles, {
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.issue.number,
+              per_page: 100,
+            });
+
+            const pbFiles = files.filter(f => f.filename.endsWith('.pb.go'));
+            const missingPatch = pbFiles.filter(f => !f.patch).map(f => f.filename);
+            if (missingPatch.length > 0) {
+              core.setFailed(
+                `Cannot inspect patch data for:\n` +
+                missingPatch.map(f => `- ${f}`).join('\n') +
+                `\nThis can happen with very large PRs. Verify proto versions manually.`
+              );
+              return;
+            }
+            const versionPattern = /^[+-]\s*\/\/\s+protoc(?:-gen-go)?\s+v[\d.]+/;
+            const violations = [];
+
+            for (const file of pbFiles) {
+              const changed = file.patch
+                .split('\n')
+                .filter(line => versionPattern.test(line));
+              if (changed.length > 0) {
+                violations.push({
+                  file: file.filename,
+                  lines: changed,
+                });
+              }
+            }
+
+            if (violations.length > 0) {
+              const details = violations.map(v =>
+                `${v.file}:\n${v.lines.map(l => '  ' + l).join('\n')}`
+              ).join('\n\n');
+
+              core.setFailed(
+                `Proto version strings changed in generated files.\n` +
+                `This usually means the wrong protoc or protoc-gen-go version was used.\n` +
+                `Regenerate with the matching tool versions.\n\n` +
+                details
+              );
+              return;
+            }
+
+            console.log('No proto version string changes detected');

.github/workflows/release.yml

@@ -9,7 +9,7 @@ on:
   pull_request:
 
 env:
-  SIGN_PIPE_VER: "v0.1.1"
+  SIGN_PIPE_VER: "v0.1.2"
   GORELEASER_VER: "v2.14.3"
   PRODUCT_NAME: "NetBird"
   COPYRIGHT: "NetBird GmbH"

.gitignore

@@ -33,3 +33,4 @@ infrastructure_files/setup-*.env
 vendor/
 /netbird
 client/netbird-electron/
+management/server/types/testdata/

client/android/client.go

@@ -203,10 +203,11 @@ func (c *Client) PeersList() *PeerInfoArray {
 	peerInfos := make([]PeerInfo, len(fullStatus.Peers))
 	for n, p := range fullStatus.Peers {
 		pi := PeerInfo{
-			p.IP,
+			IP:         p.IP,
-			p.FQDN,
+			IPv6:       p.IPv6,
-			int(p.ConnStatus),
+			FQDN:       p.FQDN,
-			PeerRoutes{routes: maps.Keys(p.GetRoutes())},
+			ConnStatus: int(p.ConnStatus),
+			Routes:     PeerRoutes{routes: maps.Keys(p.GetRoutes())},
 		}
 		peerInfos[n] = pi
 	}
@@ -237,43 +238,84 @@ func (c *Client) Networks() *NetworkArray {
 		return nil
 	}
 
+	routesMap := routeManager.GetClientRoutesWithNetID()
+	v6Merged := route.V6ExitMergeSet(routesMap)
+	resolvedDomains := c.recorder.GetResolvedDomainsStates()
+
 	networkArray := &NetworkArray{
 		items: make([]Network, 0),
 	}
 
-	resolvedDomains := c.recorder.GetResolvedDomainsStates()
+	for id, routes := range routesMap {
-
-	for id, routes := range routeManager.GetClientRoutesWithNetID() {
 		if len(routes) == 0 {
 			continue
 		}
-
+		if _, skip := v6Merged[id]; skip {
-		r := routes[0]
-		domains := c.getNetworkDomainsFromRoute(r, resolvedDomains)
-		netStr := r.Network.String()
-
-		if r.IsDynamic() {
-			netStr = r.Domains.SafeString()
-		}
-
-		routePeer, err := c.recorder.GetPeer(routes[0].Peer)
-		if err != nil {
-			log.Errorf("could not get peer info for %s: %v", routes[0].Peer, err)
 			continue
 		}
-		network := Network{
+
-			Name:       string(id),
+		network := c.buildNetwork(id, routes, routeSelector.IsSelected(id), resolvedDomains, v6Merged)
-			Network:    netStr,
+		if network == nil {
-			Peer:       routePeer.FQDN,
+			continue
-			Status:     routePeer.ConnStatus.String(),
-			IsSelected: routeSelector.IsSelected(id),
-			Domains:    domains,
 		}
-		networkArray.Add(network)
+		networkArray.Add(*network)
 	}
 	return networkArray
 }
 
+func (c *Client) buildNetwork(id route.NetID, routes []*route.Route, selected bool, resolvedDomains map[domain.Domain]peer.ResolvedDomainInfo, v6Merged map[route.NetID]struct{}) *Network {
+	r := routes[0]
+	netStr := r.Network.String()
+	if r.IsDynamic() {
+		netStr = r.Domains.SafeString()
+	}
+
+	routePeer, err := c.findBestRoutePeer(routes)
+	if err != nil {
+		log.Errorf("could not get peer info for route %s: %v", id, err)
+		return nil
+	}
+
+	network := &Network{
+		Name:       string(id),
+		Network:    netStr,
+		Peer:       routePeer.FQDN,
+		Status:     routePeer.ConnStatus.String(),
+		IsSelected: selected,
+		Domains:    c.getNetworkDomainsFromRoute(r, resolvedDomains),
+	}
+
+	if route.IsV4DefaultRoute(r.Network) && route.HasV6ExitPair(id, v6Merged) {
+		network.Network = "0.0.0.0/0, ::/0"
+	}
+
+	return network
+}
+
+// findBestRoutePeer returns the peer actively routing traffic for the given
+// HA route group. Falls back to the first connected peer, then the first peer.
+func (c *Client) findBestRoutePeer(routes []*route.Route) (peer.State, error) {
+	netStr := routes[0].Network.String()
+
+	fullStatus := c.recorder.GetFullStatus()
+	for _, p := range fullStatus.Peers {
+		if _, ok := p.GetRoutes()[netStr]; ok {
+			return p, nil
+		}
+	}
+
+	for _, r := range routes {
+		p, err := c.recorder.GetPeer(r.Peer)
+		if err != nil {
+			continue
+		}
+		if p.ConnStatus == peer.StatusConnected {
+			return p, nil
+		}
+	}
+	return c.recorder.GetPeer(routes[0].Peer)
+}
+
 // OnUpdatedHostDNS update the DNS servers addresses for root zones
 func (c *Client) OnUpdatedHostDNS(list *DNSList) error {
 	dnsServer, err := dns.GetServerDns()

client/android/peer_notifier.go

@@ -14,6 +14,7 @@ const (
 // PeerInfo describe information about the peers. It designed for the UI usage
 type PeerInfo struct {
 	IP         string
+	IPv6       string
 	FQDN       string
 	ConnStatus int
 	Routes     PeerRoutes

client/android/preferences.go

@@ -307,6 +307,24 @@ func (p *Preferences) SetBlockInbound(block bool) {
 	p.configInput.BlockInbound = &block
 }
 
+// GetDisableIPv6 reads disable IPv6 setting from config file
+func (p *Preferences) GetDisableIPv6() (bool, error) {
+	if p.configInput.DisableIPv6 != nil {
+		return *p.configInput.DisableIPv6, nil
+	}
+
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return false, err
+	}
+	return cfg.DisableIPv6, err
+}
+
+// SetDisableIPv6 stores the given value and waits for commit
+func (p *Preferences) SetDisableIPv6(disable bool) {
+	p.configInput.DisableIPv6 = &disable
+}
+
 // Commit writes out the changes to the config file
 func (p *Preferences) Commit() error {
 	_, err := profilemanager.UpdateOrCreateConfig(p.configInput)

client/android/route_command.go

@@ -18,9 +18,12 @@ func executeRouteToggle(id string, manager routemanager.Manager,
 	netID := route.NetID(id)
 	routes := []route.NetID{netID}
 
-	log.Debugf("%s with id: %s", operationName, id)
+	routesMap := manager.GetClientRoutesWithNetID()
+	routes = route.ExpandV6ExitPairs(routes, routesMap)
 
-	if err := routeOperation(routes, maps.Keys(manager.GetClientRoutesWithNetID())); err != nil {
+	log.Debugf("%s with ids: %v", operationName, routes)
+
+	if err := routeOperation(routes, maps.Keys(routesMap)); err != nil {
 		log.Debugf("error when %s: %s", operationName, err)
 		return fmt.Errorf("error %s: %w", operationName, err)
 	}

client/anonymize/anonymize.go

@@ -9,6 +9,7 @@ import (
 	"net/url"
 	"regexp"
 	"slices"
+	"strconv"
 	"strings"
 )
 
@@ -26,8 +27,9 @@ type Anonymizer struct {
 }
 
 func DefaultAddresses() (netip.Addr, netip.Addr) {
-	// 198.51.100.0, 100::
+	// 198.51.100.0 (RFC 5737 TEST-NET-2), 2001:db8:ffff:: (RFC 3849 documentation, last /48)
-	return netip.AddrFrom4([4]byte{198, 51, 100, 0}), netip.AddrFrom16([16]byte{0x01})
+	// The old start 100:: (discard, RFC 6666) is now used for fake IPs on Android.
+	return netip.AddrFrom4([4]byte{198, 51, 100, 0}), netip.MustParseAddr("2001:db8:ffff::")
 }
 
 func NewAnonymizer(startIPv4, startIPv6 netip.Addr) *Anonymizer {
@@ -48,7 +50,7 @@ func (a *Anonymizer) AnonymizeIP(ip netip.Addr) netip.Addr {
 		ip.IsLinkLocalUnicast() ||
 		ip.IsLinkLocalMulticast() ||
 		ip.IsInterfaceLocalMulticast() ||
-		ip.IsPrivate() ||
+		(ip.Is4() && ip.IsPrivate()) ||
 		ip.IsUnspecified() ||
 		ip.IsMulticast() ||
 		isWellKnown(ip) ||
@@ -96,6 +98,11 @@ func (a *Anonymizer) isInAnonymizedRange(ip netip.Addr) bool {
 }
 
 func (a *Anonymizer) AnonymizeIPString(ip string) string {
+	// Handle CIDR notation (e.g. "2001:db8::/32")
+	if prefix, err := netip.ParsePrefix(ip); err == nil {
+		return a.AnonymizeIP(prefix.Addr()).String() + "/" + strconv.Itoa(prefix.Bits())
+	}
+
 	addr, err := netip.ParseAddr(ip)
 	if err != nil {
 		return ip
@@ -150,7 +157,7 @@ func (a *Anonymizer) AnonymizeURI(uri string) string {
 	if u.Opaque != "" {
 		host, port, err := net.SplitHostPort(u.Opaque)
 		if err == nil {
-			anonymizedHost = fmt.Sprintf("%s:%s", a.AnonymizeDomain(host), port)
+			anonymizedHost = net.JoinHostPort(a.AnonymizeDomain(host), port)
 		} else {
 			anonymizedHost = a.AnonymizeDomain(u.Opaque)
 		}
@@ -158,7 +165,7 @@ func (a *Anonymizer) AnonymizeURI(uri string) string {
 	} else if u.Host != "" {
 		host, port, err := net.SplitHostPort(u.Host)
 		if err == nil {
-			anonymizedHost = fmt.Sprintf("%s:%s", a.AnonymizeDomain(host), port)
+			anonymizedHost = net.JoinHostPort(a.AnonymizeDomain(host), port)
 		} else {
 			anonymizedHost = a.AnonymizeDomain(u.Host)
 		}

client/anonymize/anonymize_test.go

@@ -13,7 +13,7 @@ import (
 
 func TestAnonymizeIP(t *testing.T) {
 	startIPv4 := netip.MustParseAddr("198.51.100.0")
-	startIPv6 := netip.MustParseAddr("100::")
+	startIPv6 := netip.MustParseAddr("2001:db8:ffff::")
 	anonymizer := anonymize.NewAnonymizer(startIPv4, startIPv6)
 
 	tests := []struct {
@@ -26,9 +26,9 @@ func TestAnonymizeIP(t *testing.T) {
 		{"Second Public IPv4", "4.3.2.1", "198.51.100.1"},
 		{"Repeated IPv4", "1.2.3.4", "198.51.100.0"},
 		{"Private IPv4", "192.168.1.1", "192.168.1.1"},
-		{"First Public IPv6", "2607:f8b0:4005:805::200e", "100::"},
+		{"First Public IPv6", "2607:f8b0:4005:805::200e", "2001:db8:ffff::"},
-		{"Second Public IPv6", "a::b", "100::1"},
+		{"Second Public IPv6", "a::b", "2001:db8:ffff::1"},
-		{"Repeated IPv6", "2607:f8b0:4005:805::200e", "100::"},
+		{"Repeated IPv6", "2607:f8b0:4005:805::200e", "2001:db8:ffff::"},
 		{"Private IPv6", "fe80::1", "fe80::1"},
 		{"In Range IPv4", "198.51.100.2", "198.51.100.2"},
 	}
@@ -274,17 +274,27 @@ func TestAnonymizeString_IPAddresses(t *testing.T) {
 		{
 			name:   "IPv6 Address",
 			input:  "Access attempted from 2001:db8::ff00:42",
-			expect: "Access attempted from 100::",
+			expect: "Access attempted from 2001:db8:ffff::",
 		},
 		{
 			name:   "IPv6 Address with Port",
 			input:  "Access attempted from [2001:db8::ff00:42]:8080",
-			expect: "Access attempted from [100::]:8080",
+			expect: "Access attempted from [2001:db8:ffff::]:8080",
 		},
 		{
 			name:   "Both IPv4 and IPv6",
 			input:  "IPv4: 142.108.0.1 and IPv6: 2001:db8::ff00:43",
-			expect: "IPv4: 198.51.100.1 and IPv6: 100::1",
+			expect: "IPv4: 198.51.100.1 and IPv6: 2001:db8:ffff::1",
+		},
+		{
+			name:   "STUN URI with IPv6",
+			input:  "Connecting to stun:[2001:db8::ff00:42]:3478",
+			expect: "Connecting to stun:[2001:db8:ffff::]:3478",
+		},
+		{
+			name:   "HTTPS URI with IPv6",
+			input:  "Visit https://[2001:db8::ff00:42]:443/path",
+			expect: "Visit https://[2001:db8:ffff::]:443/path",
 		},
 	}
 

client/cmd/root.go

@@ -75,6 +75,7 @@ var (
 	mtu                     uint16
 	profilesDisabled        bool
 	updateSettingsDisabled  bool
+	networksDisabled        bool
 
 	rootCmd = &cobra.Command{
 		Use:          "netbird",

client/cmd/service.go

@@ -44,10 +44,13 @@ func init() {
 	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd, svcStatusCmd, installCmd, uninstallCmd, reconfigureCmd, resetParamsCmd)
 	serviceCmd.PersistentFlags().BoolVar(&profilesDisabled, "disable-profiles", false, "Disables profiles feature. If enabled, the client will not be able to change or edit any profile. To persist this setting, use: netbird service install --disable-profiles")
 	serviceCmd.PersistentFlags().BoolVar(&updateSettingsDisabled, "disable-update-settings", false, "Disables update settings feature. If enabled, the client will not be able to change or edit any settings. To persist this setting, use: netbird service install --disable-update-settings")
+	serviceCmd.PersistentFlags().BoolVar(&networksDisabled, "disable-networks", false, "Disables network selection. If enabled, the client will not allow listing, selecting, or deselecting networks. To persist, use: netbird service install --disable-networks")
 
 	rootCmd.PersistentFlags().StringVarP(&serviceName, "service", "s", defaultServiceName, "Netbird system service name")
 	serviceEnvDesc := `Sets extra environment variables for the service. ` +
 		`You can specify a comma-separated list of KEY=VALUE pairs. ` +
+		`New keys are merged with previously saved env vars; existing keys are overwritten. ` +
+		`Use --service-env "" to clear all saved env vars. ` +
 		`E.g. --service-env NB_LOG_LEVEL=debug,CUSTOM_VAR=value`
 
 	installCmd.Flags().StringSliceVar(&serviceEnvVars, "service-env", nil, serviceEnvDesc)

client/cmd/service_controller.go

@@ -61,7 +61,7 @@ func (p *program) Start(svc service.Service) error {
 			}
 		}
 
-		serverInstance := server.New(p.ctx, util.FindFirstLogPath(logFiles), configPath, profilesDisabled, updateSettingsDisabled)
+		serverInstance := server.New(p.ctx, util.FindFirstLogPath(logFiles), configPath, profilesDisabled, updateSettingsDisabled, networksDisabled)
 		if err := serverInstance.Start(); err != nil {
 			log.Fatalf("failed to start daemon: %v", err)
 		}

client/cmd/service_installer.go

@@ -59,6 +59,10 @@ func buildServiceArguments() []string {
 		args = append(args, "--disable-update-settings")
 	}
 
+	if networksDisabled {
+		args = append(args, "--disable-networks")
+	}
+
 	return args
 }
 

client/cmd/service_params.go

@@ -28,6 +28,7 @@ type serviceParams struct {
 	LogFiles              []string          `json:"log_files,omitempty"`
 	DisableProfiles       bool              `json:"disable_profiles,omitempty"`
 	DisableUpdateSettings bool              `json:"disable_update_settings,omitempty"`
+	DisableNetworks       bool              `json:"disable_networks,omitempty"`
 	ServiceEnvVars        map[string]string `json:"service_env_vars,omitempty"`
 }
 
@@ -78,11 +79,12 @@ func currentServiceParams() *serviceParams {
 		LogFiles:              logFiles,
 		DisableProfiles:       profilesDisabled,
 		DisableUpdateSettings: updateSettingsDisabled,
+		DisableNetworks:       networksDisabled,
 	}
 
 	if len(serviceEnvVars) > 0 {
 		parsed, err := parseServiceEnvVars(serviceEnvVars)
-		if err == nil && len(parsed) > 0 {
+		if err == nil {
 			params.ServiceEnvVars = parsed
 		}
 	}
@@ -142,31 +144,46 @@ func applyServiceParams(cmd *cobra.Command, params *serviceParams) {
 		updateSettingsDisabled = params.DisableUpdateSettings
 	}
 
+	if !serviceCmd.PersistentFlags().Changed("disable-networks") {
+		networksDisabled = params.DisableNetworks
+	}
+
 	applyServiceEnvParams(cmd, params)
 }
 
 // applyServiceEnvParams merges saved service environment variables.
-// If --service-env was explicitly set, explicit values win on key conflict
+// If --service-env was explicitly set with values, explicit values win on key
-// but saved keys not in the explicit set are carried over.
+// conflict but saved keys not in the explicit set are carried over.
+// If --service-env was explicitly set to empty, all saved env vars are cleared.
 // If --service-env was not set, saved env vars are used entirely.
 func applyServiceEnvParams(cmd *cobra.Command, params *serviceParams) {
-	if len(params.ServiceEnvVars) == 0 {
-		return
-	}
-
 	if !cmd.Flags().Changed("service-env") {
-		// No explicit env vars: rebuild serviceEnvVars from saved params.
+		if len(params.ServiceEnvVars) > 0 {
-		serviceEnvVars = envMapToSlice(params.ServiceEnvVars)
+			// No explicit env vars: rebuild serviceEnvVars from saved params.
+			serviceEnvVars = envMapToSlice(params.ServiceEnvVars)
+		}
 		return
 	}
 
-	// Explicit env vars were provided: merge saved values underneath.
+	// Flag was explicitly set: parse what the user provided.
 	explicit, err := parseServiceEnvVars(serviceEnvVars)
 	if err != nil {
 		cmd.PrintErrf("Warning: parse explicit service env vars for merge: %v\n", err)
 		return
 	}
 
+	// If the user passed an empty value (e.g. --service-env ""), clear all
+	// saved env vars rather than merging.
+	if len(explicit) == 0 {
+		serviceEnvVars = nil
+		return
+	}
+
+	if len(params.ServiceEnvVars) == 0 {
+		return
+	}
+
+	// Merge saved values underneath explicit ones.
 	merged := make(map[string]string, len(params.ServiceEnvVars)+len(explicit))
 	maps.Copy(merged, params.ServiceEnvVars)
 	maps.Copy(merged, explicit) // explicit wins on conflict

client/cmd/service_params_test.go

@@ -327,6 +327,41 @@ func TestApplyServiceEnvParams_NotChanged(t *testing.T) {
 	assert.Equal(t, map[string]string{"FROM_SAVED": "val"}, result)
 }
 
+func TestApplyServiceEnvParams_ExplicitEmptyClears(t *testing.T) {
+	origServiceEnvVars := serviceEnvVars
+	t.Cleanup(func() { serviceEnvVars = origServiceEnvVars })
+
+	// Simulate --service-env "" which produces [""] in the slice.
+	serviceEnvVars = []string{""}
+
+	cmd := &cobra.Command{}
+	cmd.Flags().StringSlice("service-env", nil, "")
+	require.NoError(t, cmd.Flags().Set("service-env", ""))
+
+	saved := &serviceParams{
+		ServiceEnvVars: map[string]string{"OLD_VAR": "should_be_cleared"},
+	}
+
+	applyServiceEnvParams(cmd, saved)
+
+	assert.Nil(t, serviceEnvVars, "explicit empty --service-env should clear all saved env vars")
+}
+
+func TestCurrentServiceParams_EmptyEnvVarsAfterParse(t *testing.T) {
+	origServiceEnvVars := serviceEnvVars
+	t.Cleanup(func() { serviceEnvVars = origServiceEnvVars })
+
+	// Simulate --service-env "" which produces [""] in the slice.
+	serviceEnvVars = []string{""}
+
+	params := currentServiceParams()
+
+	// After parsing, the empty string is skipped, resulting in an empty map.
+	// The map should still be set (not nil) so it overwrites saved values.
+	assert.NotNil(t, params.ServiceEnvVars, "empty env vars should produce empty map, not nil")
+	assert.Empty(t, params.ServiceEnvVars, "no valid env vars should be parsed from empty string")
+}
+
 // TestServiceParams_FieldsCoveredInFunctions ensures that all serviceParams fields are
 // referenced in both currentServiceParams() and applyServiceParams(). If a new field is
 // added to serviceParams but not wired into these functions, this test fails.
@@ -500,6 +535,7 @@ func fieldToGlobalVar(field string) string {
 		"LogFiles":              "logFiles",
 		"DisableProfiles":       "profilesDisabled",
 		"DisableUpdateSettings": "updateSettingsDisabled",
+		"DisableNetworks":       "networksDisabled",
 		"ServiceEnvVars":        "serviceEnvVars",
 	}
 	if v, ok := m[field]; ok {

client/cmd/ssh.go

@@ -523,7 +523,7 @@ func parseHostnameAndCommand(args []string) error {
 }
 
 func runSSH(ctx context.Context, addr string, cmd *cobra.Command) error {
-	target := fmt.Sprintf("%s:%d", addr, port)
+	target := net.JoinHostPort(strings.Trim(addr, "[]"), strconv.Itoa(port))
 	c, err := sshclient.Dial(ctx, target, username, sshclient.DialOptions{
 		KnownHostsFile:     knownHostsFile,
 		IdentityFile:       identityFile,
@@ -787,10 +787,10 @@ func isUnixSocket(path string) bool {
 	return strings.HasPrefix(path, "/") || strings.HasPrefix(path, "./")
 }
 
-// normalizeLocalHost converts "*" to "0.0.0.0" for binding to all interfaces.
+// normalizeLocalHost converts "*" to "" for binding to all interfaces (dual-stack).
 func normalizeLocalHost(host string) string {
 	if host == "*" {
-		return "0.0.0.0"
+		return ""
 	}
 	return host
 }

client/cmd/ssh_test.go

@@ -527,10 +527,10 @@ func TestParsePortForward(t *testing.T) {
 		{
 			name:           "wildcard bind all interfaces",
 			spec:           "*:8080:localhost:80",
-			expectedLocal:  "0.0.0.0:8080",
+			expectedLocal:  ":8080",
 			expectedRemote: "localhost:80",
 			expectError:    false,
-			description:    "Wildcard * should bind to all interfaces (0.0.0.0)",
+			description:    "Wildcard * should bind to all interfaces (dual-stack)",
 		},
 		{
 			name:           "wildcard for port only",

client/cmd/status.go

@@ -20,6 +20,7 @@ import (
 var (
 	detailFlag           bool
 	ipv4Flag             bool
+	ipv6Flag             bool
 	jsonFlag             bool
 	yamlFlag             bool
 	ipsFilter            []string
@@ -45,8 +46,9 @@ func init() {
 	statusCmd.PersistentFlags().BoolVar(&jsonFlag, "json", false, "display detailed status information in json format")
 	statusCmd.PersistentFlags().BoolVar(&yamlFlag, "yaml", false, "display detailed status information in yaml format")
 	statusCmd.PersistentFlags().BoolVar(&ipv4Flag, "ipv4", false, "display only NetBird IPv4 of this peer, e.g., --ipv4 will output 100.64.0.33")
-	statusCmd.MarkFlagsMutuallyExclusive("detail", "json", "yaml", "ipv4")
+	statusCmd.PersistentFlags().BoolVar(&ipv6Flag, "ipv6", false, "display only NetBird IPv6 of this peer")
-	statusCmd.PersistentFlags().StringSliceVar(&ipsFilter, "filter-by-ips", []string{}, "filters the detailed output by a list of one or more IPs, e.g., --filter-by-ips 100.64.0.100,100.64.0.200")
+	statusCmd.MarkFlagsMutuallyExclusive("detail", "json", "yaml", "ipv4", "ipv6")
+	statusCmd.PersistentFlags().StringSliceVar(&ipsFilter, "filter-by-ips", []string{}, "filters the detailed output by a list of one or more IPs (v4 or v6), e.g., --filter-by-ips 100.64.0.100,fd00::1")
 	statusCmd.PersistentFlags().StringSliceVar(&prefixNamesFilter, "filter-by-names", []string{}, "filters the detailed output by a list of one or more peer FQDN or hostnames, e.g., --filter-by-names peer-a,peer-b.netbird.cloud")
 	statusCmd.PersistentFlags().StringVar(&statusFilter, "filter-by-status", "", "filters the detailed output by connection status(idle|connecting|connected), e.g., --filter-by-status connected")
 	statusCmd.PersistentFlags().StringVar(&connectionTypeFilter, "filter-by-connection-type", "", "filters the detailed output by connection type (P2P|Relayed), e.g., --filter-by-connection-type P2P")
@@ -101,6 +103,14 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 		return nil
 	}
 
+	if ipv6Flag {
+		ipv6 := resp.GetFullStatus().GetLocalPeerState().GetIpv6()
+		if ipv6 != "" {
+			cmd.Print(parseInterfaceIP(ipv6))
+		}
+		return nil
+	}
+
 	pm := profilemanager.NewProfileManager()
 	var profName string
 	if activeProf, err := pm.GetActiveProfile(); err == nil {

client/cmd/system.go

@@ -8,6 +8,7 @@ const (
 	disableFirewallFlag     = "disable-firewall"
 	blockLANAccessFlag      = "block-lan-access"
 	blockInboundFlag        = "block-inbound"
+	disableIPv6Flag         = "disable-ipv6"
 )
 
 var (
@@ -17,6 +18,7 @@ var (
 	disableFirewall     bool
 	blockLANAccess      bool
 	blockInbound        bool
+	disableIPv6         bool
 )
 
 func init() {
@@ -39,4 +41,7 @@ func init() {
 	upCmd.PersistentFlags().BoolVar(&blockInbound, blockInboundFlag, false,
 		"Block inbound connections. If enabled, the client will not allow any inbound connections to the local machine nor routed networks.\n"+
 			"This overrides any policies received from the management service.")
+
+	upCmd.PersistentFlags().BoolVar(&disableIPv6, disableIPv6Flag, false,
+		"Disable IPv6 overlay. If enabled, the client won't request or use an IPv6 overlay address.")
 }

client/cmd/testutil_test.go

@@ -13,6 +13,8 @@ import (
 
 	"github.com/netbirdio/management-integrations/integrations"
 
+	nbcache "github.com/netbirdio/netbird/management/server/cache"
+
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
 	"github.com/netbirdio/netbird/management/internals/modules/peers"
@@ -100,9 +102,16 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 
 	jobManager := job.NewJobManager(nil, store, peersmanager)
 
-	iv, _ := integrations.NewIntegratedValidator(context.Background(), peersmanager, settingsManagerMock, eventStore)
+	ctx := context.Background()
 
-	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
+	cacheStore, err := nbcache.NewStore(ctx, 100*time.Millisecond, 300*time.Millisecond, 100)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	iv, _ := integrations.NewIntegratedValidator(ctx, peersmanager, settingsManagerMock, eventStore, cacheStore)
+
+	metrics, err := telemetry.NewDefaultAppMetrics(ctx)
 	require.NoError(t, err)
 
 	settingsMockManager := settings.NewMockManager(ctrl)
@@ -113,12 +122,11 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 		Return(&types.Settings{}, nil).
 		AnyTimes()
 
-	ctx := context.Background()
 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := mgmt.NewAccountRequestBuffer(ctx, store)
 	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, mgmt.MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock(), manager.NewEphemeralManager(store, peersmanager), config)
 
-	accountManager, err := mgmt.BuildManager(context.Background(), config, store, networkMapController, jobManager, nil, "", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
+	accountManager, err := mgmt.BuildManager(ctx, config, store, networkMapController, jobManager, nil, "", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false, cacheStore)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -152,7 +160,7 @@ func startClientDaemon(
 	s := grpc.NewServer()
 
 	server := client.New(ctx,
-		"", "", false, false)
+		"", "", false, false, false)
 	if err := server.Start(); err != nil {
 		t.Fatal(err)
 	}

client/cmd/up.go

@@ -430,6 +430,10 @@ func setupSetConfigReq(customDNSAddressConverted []byte, cmd *cobra.Command, pro
 		req.BlockInbound = &blockInbound
 	}
 
+	if cmd.Flag(disableIPv6Flag).Changed {
+		req.DisableIpv6 = &disableIPv6
+	}
+
 	if cmd.Flag(enableLazyConnectionFlag).Changed {
 		req.LazyConnectionEnabled = &lazyConnEnabled
 	}
@@ -547,6 +551,10 @@ func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command, configFil
 		ic.BlockInbound = &blockInbound
 	}
 
+	if cmd.Flag(disableIPv6Flag).Changed {
+		ic.DisableIPv6 = &disableIPv6
+	}
+
 	if cmd.Flag(enableLazyConnectionFlag).Changed {
 		ic.LazyConnectionEnabled = &lazyConnEnabled
 	}
@@ -661,6 +669,10 @@ func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte
 		loginRequest.BlockInbound = &blockInbound
 	}
 
+	if cmd.Flag(disableIPv6Flag).Changed {
+		loginRequest.DisableIpv6 = &disableIPv6
+	}
+
 	if cmd.Flag(enableLazyConnectionFlag).Changed {
 		loginRequest.LazyConnectionEnabled = &lazyConnEnabled
 	}

client/embed/embed.go

@@ -79,6 +79,8 @@ type Options struct {
 	StatePath string
 	// DisableClientRoutes disables the client routes
 	DisableClientRoutes bool
+	// DisableIPv6 disables IPv6 overlay addressing
+	DisableIPv6 bool
 	// BlockInbound blocks all inbound connections from peers
 	BlockInbound bool
 	// WireguardPort is the port for the WireGuard interface. Use 0 for a random port.
@@ -170,6 +172,7 @@ func New(opts Options) (*Client, error) {
 		PreSharedKey:        &opts.PreSharedKey,
 		DisableServerRoutes: &t,
 		DisableClientRoutes: &opts.DisableClientRoutes,
+		DisableIPv6:         &opts.DisableIPv6,
 		BlockInbound:        &opts.BlockInbound,
 		WireguardPort:       opts.WireguardPort,
 		MTU:                 opts.MTU,

client/firewall/iptables/acl_linux.go

@@ -21,6 +21,10 @@ const (
 
 	// rules chains contains the effective ACL rules
 	chainNameInputRules = "NETBIRD-ACL-INPUT"
+
+	// mangleFwdKey is the entries map key for mangle FORWARD guard rules that prevent
+	// external DNAT from bypassing ACL rules.
+	mangleFwdKey = "MANGLE-FORWARD"
 )
 
 type aclEntries map[string][][]string
@@ -36,6 +40,7 @@ type aclManager struct {
 	entries         aclEntries
 	optionalEntries map[string][]entry
 	ipsetStore      *ipsetStore
+	v6              bool
 
 	stateManager *statemanager.Manager
 }
@@ -47,6 +52,7 @@ func newAclManager(iptablesClient *iptables.IPTables, wgIface iFaceMapper) (*acl
 		entries:         make(map[string][][]string),
 		optionalEntries: make(map[string][]entry),
 		ipsetStore:      newIpsetStore(),
+		v6:              iptablesClient.Proto() == iptables.ProtocolIPv6,
 	}, nil
 }
 
@@ -81,7 +87,11 @@ func (m *aclManager) AddPeerFiltering(
 	chain := chainNameInputRules
 
 	ipsetName = transformIPsetName(ipsetName, sPort, dPort, action)
-	specs := filterRuleSpecs(ip, string(protocol), sPort, dPort, action, ipsetName)
+	if m.v6 && ipsetName != "" {
+		ipsetName += "-v6"
+	}
+	proto := protoForFamily(protocol, m.v6)
+	specs := filterRuleSpecs(ip, proto, sPort, dPort, action, ipsetName)
 
 	mangleSpecs := slices.Clone(specs)
 	mangleSpecs = append(mangleSpecs,
@@ -105,6 +115,7 @@ func (m *aclManager) AddPeerFiltering(
 				ip:        ip.String(),
 				chain:     chain,
 				specs:     specs,
+				v6:        m.v6,
 			}}, nil
 		}
 
@@ -157,6 +168,7 @@ func (m *aclManager) AddPeerFiltering(
 		ipsetName:   ipsetName,
 		ip:          ip.String(),
 		chain:       chain,
+		v6:          m.v6,
 	}
 
 	m.updateState()
@@ -274,6 +286,12 @@ func (m *aclManager) cleanChains() error {
 		}
 	}
 
+	for _, rule := range m.entries[mangleFwdKey] {
+		if err := m.iptablesClient.DeleteIfExists(tableMangle, chainFORWARD, rule...); err != nil {
+			log.Errorf("failed to delete mangle FORWARD guard rule: %v, %s", rule, err)
+		}
+	}
+
 	for _, ipsetName := range m.ipsetStore.ipsetNames() {
 		if err := m.flushIPSet(ipsetName); err != nil {
 			if errors.Is(err, ipset.ErrSetNotExist) {
@@ -303,6 +321,10 @@ func (m *aclManager) createDefaultChains() error {
 	}
 
 	for chainName, rules := range m.entries {
+		// mangle FORWARD guard rules are handled separately below
+		if chainName == mangleFwdKey {
+			continue
+		}
 		for _, rule := range rules {
 			if err := m.iptablesClient.InsertUnique(tableName, chainName, 1, rule...); err != nil {
 				log.Debugf("failed to create input chain jump rule: %s", err)
@@ -322,6 +344,13 @@ func (m *aclManager) createDefaultChains() error {
 	}
 	clear(m.optionalEntries)
 
+	// Insert mangle FORWARD guard rules to prevent external DNAT bypass.
+	for _, rule := range m.entries[mangleFwdKey] {
+		if err := m.iptablesClient.AppendUnique(tableMangle, chainFORWARD, rule...); err != nil {
+			log.Errorf("failed to add mangle FORWARD guard rule: %v", err)
+		}
+	}
+
 	return nil
 }
 
@@ -343,6 +372,22 @@ func (m *aclManager) seedInitialEntries() {
 
 	m.appendToEntries("FORWARD", []string{"-o", m.wgIface.Name(), "-j", chainRTFWDOUT})
 	m.appendToEntries("FORWARD", []string{"-i", m.wgIface.Name(), "-j", chainRTFWDIN})
+
+	// Mangle FORWARD guard: when external DNAT redirects traffic from the wg interface, it
+	// traverses FORWARD instead of INPUT, bypassing ACL rules. ACCEPT rules in filter FORWARD
+	// can be inserted above ours. Mangle runs before filter, so these guard rules enforce the
+	// ACL mark check where it cannot be overridden.
+	m.appendToEntries(mangleFwdKey, []string{
+		"-i", m.wgIface.Name(),
+		"-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED",
+		"-j", "ACCEPT",
+	})
+	m.appendToEntries(mangleFwdKey, []string{
+		"-i", m.wgIface.Name(),
+		"-m", "conntrack", "--ctstate", "DNAT",
+		"-m", "mark", "!", "--mark", fmt.Sprintf("%#x", nbnet.PreroutingFwmarkRedirected),
+		"-j", "DROP",
+	})
 }
 
 func (m *aclManager) seedInitialOptionalEntries() {
@@ -376,8 +421,13 @@ func (m *aclManager) updateState() {
 	currentState.Lock()
 	defer currentState.Unlock()
 
-	currentState.ACLEntries = m.entries
+	if m.v6 {
-	currentState.ACLIPsetStore = m.ipsetStore
+		currentState.ACLEntries6 = m.entries
+		currentState.ACLIPsetStore6 = m.ipsetStore
+	} else {
+		currentState.ACLEntries = m.entries
+		currentState.ACLIPsetStore = m.ipsetStore
+	}
 
 	if err := m.stateManager.UpdateState(currentState); err != nil {
 		log.Errorf("failed to update state: %v", err)
@@ -385,6 +435,15 @@ func (m *aclManager) updateState() {
 }
 
 // filterRuleSpecs returns the specs of a filtering rule
+// protoForFamily translates ICMP to ICMPv6 for ip6tables.
+// ip6tables requires "ipv6-icmp" (or "icmpv6") instead of "icmp".
+func protoForFamily(protocol firewall.Protocol, v6 bool) string {
+	if v6 && protocol == firewall.ProtocolICMP {
+		return "ipv6-icmp"
+	}
+	return string(protocol)
+}
+
 func filterRuleSpecs(ip net.IP, protocol string, sPort, dPort *firewall.Port, action firewall.Action, ipsetName string) (specs []string) {
 	// don't use IP matching if IP is 0.0.0.0
 	matchByIP := !ip.IsUnspecified()
@@ -437,6 +496,9 @@ func (m *aclManager) createIPSet(name string) error {
 	opts := ipset.CreateOptions{
 		Replace: true,
 	}
+	if m.v6 {
+		opts.Family = ipset.FamilyIPV6
+	}
 
 	if err := ipset.Create(name, ipset.TypeHashNet, opts); err != nil {
 		return fmt.Errorf("create ipset %s: %w", name, err)

client/firewall/iptables/manager_linux.go

@@ -17,6 +17,10 @@ import (
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
 
+type resetter interface {
+	Reset() error
+}
+
 // Manager of iptables firewall
 type Manager struct {
 	mutex sync.Mutex
@@ -27,6 +31,11 @@ type Manager struct {
 	aclMgr       *aclManager
 	router       *router
 	rawSupported bool
+
+	// IPv6 counterparts, nil when no v6 overlay
+	ipv6Client *iptables.IPTables
+	aclMgr6    *aclManager
+	router6    *router
 }
 
 // iFaceMapper defines subset methods of interface required for manager
@@ -57,9 +66,43 @@ func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
 		return nil, fmt.Errorf("create acl manager: %w", err)
 	}
 
+	if wgIface.Address().HasIPv6() {
+		if err := m.createIPv6Components(wgIface, mtu); err != nil {
+			return nil, fmt.Errorf("create IPv6 firewall: %w", err)
+		}
+	}
+
 	return m, nil
 }
 
+func (m *Manager) createIPv6Components(wgIface iFaceMapper, mtu uint16) error {
+	ip6Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv6)
+	if err != nil {
+		return fmt.Errorf("init ip6tables: %w", err)
+	}
+	m.ipv6Client = ip6Client
+
+	m.router6, err = newRouter(ip6Client, wgIface, mtu)
+	if err != nil {
+		return fmt.Errorf("create v6 router: %w", err)
+	}
+
+	// Share the same IP forwarding state with the v4 router, since
+	// EnableIPForwarding controls both v4 and v6 sysctls.
+	m.router6.ipFwdState = m.router.ipFwdState
+
+	m.aclMgr6, err = newAclManager(ip6Client, wgIface)
+	if err != nil {
+		return fmt.Errorf("create v6 acl manager: %w", err)
+	}
+
+	return nil
+}
+
+func (m *Manager) hasIPv6() bool {
+	return m.ipv6Client != nil
+}
+
 func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	state := &ShutdownState{
 		InterfaceState: &InterfaceState{
@@ -73,13 +116,8 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 		log.Errorf("failed to update state: %v", err)
 	}
 
-	if err := m.router.init(stateManager); err != nil {
+	if err := m.initChains(stateManager); err != nil {
-		return fmt.Errorf("router init: %w", err)
+		return err
-	}
-
-	if err := m.aclMgr.init(stateManager); err != nil {
-		// TODO: cleanup router
-		return fmt.Errorf("acl manager init: %w", err)
 	}
 
 	if err := m.initNoTrackChain(); err != nil {
@@ -96,6 +134,41 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	return nil
 }
 
+// initChains initializes router and ACL chains for both address families,
+// rolling back on failure.
+func (m *Manager) initChains(stateManager *statemanager.Manager) error {
+	type initStep struct {
+		name string
+		init func(*statemanager.Manager) error
+		mgr  resetter
+	}
+
+	steps := []initStep{
+		{"router", m.router.init, m.router},
+		{"acl manager", m.aclMgr.init, m.aclMgr},
+	}
+	if m.hasIPv6() {
+		steps = append(steps,
+			initStep{"v6 router", m.router6.init, m.router6},
+			initStep{"v6 acl manager", m.aclMgr6.init, m.aclMgr6},
+		)
+	}
+
+	var initialized []initStep
+	for _, s := range steps {
+		if err := s.init(stateManager); err != nil {
+			for i := len(initialized) - 1; i >= 0; i-- {
+				if rerr := initialized[i].mgr.Reset(); rerr != nil {
+					log.Warnf("rollback %s: %v", initialized[i].name, rerr)
+				}
+			}
+			return fmt.Errorf("%s init: %w", s.name, err)
+		}
+		initialized = append(initialized, s)
+	}
+	return nil
+}
+
 // AddPeerFiltering adds a rule to the firewall
 //
 // Comment will be ignored because some system this feature is not supported
@@ -111,7 +184,13 @@ func (m *Manager) AddPeerFiltering(
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	return m.aclMgr.AddPeerFiltering(id, ip, proto, sPort, dPort, action, ipsetName)
+	if ip.To4() != nil {
+		return m.aclMgr.AddPeerFiltering(id, ip, proto, sPort, dPort, action, ipsetName)
+	}
+	if !m.hasIPv6() {
+		return nil, fmt.Errorf("add peer filtering for %s: %w", ip, firewall.ErrIPv6NotInitialized)
+	}
+	return m.aclMgr6.AddPeerFiltering(id, ip, proto, sPort, dPort, action, ipsetName)
 }
 
 func (m *Manager) AddRouteFiltering(
@@ -125,25 +204,48 @@ func (m *Manager) AddRouteFiltering(
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	if destination.IsPrefix() && !destination.Prefix.Addr().Is4() {
+	if isIPv6RouteRule(sources, destination) {
-		return nil, fmt.Errorf("unsupported IP version: %s", destination.Prefix.Addr().String())
+		if !m.hasIPv6() {
+			return nil, fmt.Errorf("add route filtering: %w", firewall.ErrIPv6NotInitialized)
+		}
+		return m.router6.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
 	}
 
 	return m.router.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
 }
 
+func isIPv6RouteRule(sources []netip.Prefix, destination firewall.Network) bool {
+	if destination.IsPrefix() {
+		return destination.Prefix.Addr().Is6()
+	}
+	return len(sources) > 0 && sources[0].Addr().Is6()
+}
+
 // DeletePeerRule from the firewall by rule definition
 func (m *Manager) DeletePeerRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
+	if m.hasIPv6() && isIPv6IptRule(rule) {
+		return m.aclMgr6.DeletePeerRule(rule)
+	}
 	return m.aclMgr.DeletePeerRule(rule)
 }
 
+func isIPv6IptRule(rule firewall.Rule) bool {
+	r, ok := rule.(*Rule)
+	return ok && r.v6
+}
+
+// DeleteRouteRule deletes a routing rule.
+// Route rules are keyed by content hash. Check v4 first, try v6 if not found.
 func (m *Manager) DeleteRouteRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
+	if m.hasIPv6() && !m.router.hasRule(rule.ID()) {
+		return m.router6.DeleteRouteRule(rule)
+	}
 	return m.router.DeleteRouteRule(rule)
 }
 
@@ -159,18 +261,65 @@ func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	return m.router.AddNatRule(pair)
+	if pair.Destination.IsPrefix() && pair.Destination.Prefix.Addr().Is6() {
+		if !m.hasIPv6() {
+			return fmt.Errorf("add NAT rule: %w", firewall.ErrIPv6NotInitialized)
+		}
+		return m.router6.AddNatRule(pair)
+	}
+
+	if err := m.router.AddNatRule(pair); err != nil {
+		return err
+	}
+
+	// Dynamic routes need NAT in both tables since resolved IPs can be
+	// either v4 or v6. This covers both DomainSet (modern) and the legacy
+	// wildcard 0.0.0.0/0 destination where the client resolves DNS.
+	if m.hasIPv6() && pair.Dynamic {
+		v6Pair := firewall.ToV6NatPair(pair)
+		if err := m.router6.AddNatRule(v6Pair); err != nil {
+			return fmt.Errorf("add v6 NAT rule: %w", err)
+		}
+	}
+
+	return nil
 }
 
 func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	return m.router.RemoveNatRule(pair)
+	if pair.Destination.IsPrefix() && pair.Destination.Prefix.Addr().Is6() {
+		if !m.hasIPv6() {
+			return nil
+		}
+		return m.router6.RemoveNatRule(pair)
+	}
+
+	var merr *multierror.Error
+
+	if err := m.router.RemoveNatRule(pair); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("remove v4 NAT rule: %w", err))
+	}
+
+	if m.hasIPv6() && pair.Dynamic {
+		v6Pair := firewall.ToV6NatPair(pair)
+		if err := m.router6.RemoveNatRule(v6Pair); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("remove v6 NAT rule: %w", err))
+		}
+	}
+
+	return nberrors.FormatErrorOrNil(merr)
 }
 
 func (m *Manager) SetLegacyManagement(isLegacy bool) error {
-	return firewall.SetLegacyManagement(m.router, isLegacy)
+	if err := firewall.SetLegacyManagement(m.router, isLegacy); err != nil {
+		return err
+	}
+	if m.hasIPv6() {
+		return firewall.SetLegacyManagement(m.router6, isLegacy)
+	}
+	return nil
 }
 
 // Reset firewall to the default state
@@ -184,6 +333,15 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 		merr = multierror.Append(merr, fmt.Errorf("cleanup notrack chain: %w", err))
 	}
 
+	if m.hasIPv6() {
+		if err := m.aclMgr6.Reset(); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("reset v6 acl manager: %w", err))
+		}
+		if err := m.router6.Reset(); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("reset v6 router: %w", err))
+		}
+	}
+
 	if err := m.aclMgr.Reset(); err != nil {
 		merr = multierror.Append(merr, fmt.Errorf("reset acl manager: %w", err))
 	}
@@ -205,19 +363,16 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 // This is called when USPFilter wraps the native firewall, adding blanket accept
 // rules so that packet filtering is handled in userspace instead of by netfilter.
 func (m *Manager) AllowNetbird() error {
-	_, err := m.AddPeerFiltering(
+	var merr *multierror.Error
-		nil,
+	if _, err := m.AddPeerFiltering(nil, net.IP{0, 0, 0, 0}, firewall.ProtocolALL, nil, nil, firewall.ActionAccept, ""); err != nil {
-		net.IP{0, 0, 0, 0},
+		merr = multierror.Append(merr, fmt.Errorf("allow netbird v4 interface traffic: %w", err))
-		firewall.ProtocolALL,
-		nil,
-		nil,
-		firewall.ActionAccept,
-		"",
-	)
-	if err != nil {
-		return fmt.Errorf("allow netbird interface traffic: %w", err)
 	}
-	return nil
+	if m.hasIPv6() {
+		if _, err := m.AddPeerFiltering(nil, net.IPv6zero, firewall.ProtocolALL, nil, nil, firewall.ActionAccept, ""); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("allow netbird v6 interface traffic: %w", err))
+		}
+	}
+	return nberrors.FormatErrorOrNil(merr)
 }
 
 // Flush doesn't need to be implemented for this manager
@@ -247,6 +402,12 @@ func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error)
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
+	if rule.TranslatedAddress.Is6() {
+		if !m.hasIPv6() {
+			return nil, fmt.Errorf("add DNAT rule: %w", firewall.ErrIPv6NotInitialized)
+		}
+		return m.router6.AddDNATRule(rule)
+	}
 	return m.router.AddDNATRule(rule)
 }
 
@@ -255,6 +416,9 @@ func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
+	if m.hasIPv6() && !m.router.hasRule(rule.ID()+dnatSuffix) {
+		return m.router6.DeleteDNATRule(rule)
+	}
 	return m.router.DeleteDNATRule(rule)
 }
 
@@ -263,39 +427,82 @@ func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	return m.router.UpdateSet(set, prefixes)
+	var v4Prefixes, v6Prefixes []netip.Prefix
+	for _, p := range prefixes {
+		if p.Addr().Is6() {
+			v6Prefixes = append(v6Prefixes, p)
+		} else {
+			v4Prefixes = append(v4Prefixes, p)
+		}
+	}
+
+	if err := m.router.UpdateSet(set, v4Prefixes); err != nil {
+		return err
+	}
+
+	if m.hasIPv6() && len(v6Prefixes) > 0 {
+		if err := m.router6.UpdateSet(set, v6Prefixes); err != nil {
+			return fmt.Errorf("update v6 set: %w", err)
+		}
+	}
+
+	return nil
 }
 
 // AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
-func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	return m.router.AddInboundDNAT(localAddr, protocol, sourcePort, targetPort)
+	if localAddr.Is6() {
+		if !m.hasIPv6() {
+			return fmt.Errorf("add inbound DNAT: %w", firewall.ErrIPv6NotInitialized)
+		}
+		return m.router6.AddInboundDNAT(localAddr, protocol, originalPort, translatedPort)
+	}
+	return m.router.AddInboundDNAT(localAddr, protocol, originalPort, translatedPort)
 }
 
 // RemoveInboundDNAT removes an inbound DNAT rule.
-func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	return m.router.RemoveInboundDNAT(localAddr, protocol, sourcePort, targetPort)
+	if localAddr.Is6() {
+		if !m.hasIPv6() {
+			return fmt.Errorf("remove inbound DNAT: %w", firewall.ErrIPv6NotInitialized)
+		}
+		return m.router6.RemoveInboundDNAT(localAddr, protocol, originalPort, translatedPort)
+	}
+	return m.router.RemoveInboundDNAT(localAddr, protocol, originalPort, translatedPort)
 }
 
 // AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
-func (m *Manager) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (m *Manager) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	return m.router.AddOutputDNAT(localAddr, protocol, sourcePort, targetPort)
+	if localAddr.Is6() {
+		if !m.hasIPv6() {
+			return fmt.Errorf("add output DNAT: %w", firewall.ErrIPv6NotInitialized)
+		}
+		return m.router6.AddOutputDNAT(localAddr, protocol, originalPort, translatedPort)
+	}
+	return m.router.AddOutputDNAT(localAddr, protocol, originalPort, translatedPort)
 }
 
 // RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
-func (m *Manager) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (m *Manager) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	return m.router.RemoveOutputDNAT(localAddr, protocol, sourcePort, targetPort)
+	if localAddr.Is6() {
+		if !m.hasIPv6() {
+			return fmt.Errorf("remove output DNAT: %w", firewall.ErrIPv6NotInitialized)
+		}
+		return m.router6.RemoveOutputDNAT(localAddr, protocol, originalPort, translatedPort)
+	}
+	return m.router.RemoveOutputDNAT(localAddr, protocol, originalPort, translatedPort)
 }
 
 const (

client/firewall/iptables/router_linux.go

@@ -54,8 +54,10 @@ const (
 	snatSuffix = "_snat"
 	fwdSuffix  = "_fwd"
 
-	// ipTCPHeaderMinSize represents minimum IP (20) + TCP (20) header size for MSS calculation
+	// ipv4TCPHeaderSize is the minimum IPv4 (20) + TCP (20) header size for MSS calculation.
-	ipTCPHeaderMinSize = 40
+	ipv4TCPHeaderSize = 40
+	// ipv6TCPHeaderSize is the minimum IPv6 (40) + TCP (20) header size for MSS calculation.
+	ipv6TCPHeaderSize = 60
 )
 
 type ruleInfo struct {
@@ -86,6 +88,7 @@ type router struct {
 	wgIface          iFaceMapper
 	legacyManagement bool
 	mtu              uint16
+	v6               bool
 
 	stateManager *statemanager.Manager
 	ipFwdState   *ipfwdstate.IPForwardingState
@@ -97,6 +100,7 @@ func newRouter(iptablesClient *iptables.IPTables, wgIface iFaceMapper, mtu uint1
 		rules:          make(map[string][]string),
 		wgIface:        wgIface,
 		mtu:            mtu,
+		v6:             iptablesClient.Proto() == iptables.ProtocolIPv6,
 		ipFwdState:     ipfwdstate.NewIPForwardingState(),
 	}
 
@@ -186,6 +190,11 @@ func (r *router) AddRouteFiltering(
 	return ruleKey, nil
 }
 
+func (r *router) hasRule(id string) bool {
+	_, ok := r.rules[id]
+	return ok
+}
+
 func (r *router) DeleteRouteRule(rule firewall.Rule) error {
 	ruleKey := rule.ID()
 
@@ -392,9 +401,13 @@ func (r *router) cleanUpDefaultForwardRules() error {
 
 	// Remove jump rules from built-in chains before deleting custom chains,
 	// otherwise the chain deletion fails with "device or resource busy".
-	jumpRule := []string{"-j", chainNATOutput}
+	if ok, err := r.iptablesClient.ChainExists(tableNat, chainNATOutput); err != nil {
-	if err := r.iptablesClient.Delete(tableNat, "OUTPUT", jumpRule...); err != nil {
+		return fmt.Errorf("check chain %s: %w", chainNATOutput, err)
-		log.Debugf("clean OUTPUT jump rule: %v", err)
+	} else if ok {
+		jumpRule := []string{"-j", chainNATOutput}
+		if err := r.iptablesClient.Delete(tableNat, "OUTPUT", jumpRule...); err != nil {
+			log.Debugf("clean OUTPUT jump rule: %v", err)
+		}
 	}
 
 	for _, chainInfo := range []struct {
@@ -434,6 +447,12 @@ func (r *router) createContainers() error {
 		{chainRTRDR, tableNat},
 		{chainRTMSSCLAMP, tableMangle},
 	} {
+		// Fallback: clear chains that survived an unclean shutdown.
+		if ok, _ := r.iptablesClient.ChainExists(chainInfo.table, chainInfo.chain); ok {
+			if err := r.iptablesClient.ClearAndDeleteChain(chainInfo.table, chainInfo.chain); err != nil {
+				log.Warnf("clear stale chain %s in %s: %v", chainInfo.chain, chainInfo.table, err)
+			}
+		}
 		if err := r.iptablesClient.NewChain(chainInfo.table, chainInfo.chain); err != nil {
 			return fmt.Errorf("create chain %s in table %s: %w", chainInfo.chain, chainInfo.table, err)
 		}
@@ -540,9 +559,12 @@ func (r *router) addPostroutingRules() error {
 }
 
 // addMSSClampingRules adds MSS clamping rules to prevent fragmentation for forwarded traffic.
-// TODO: Add IPv6 support
 func (r *router) addMSSClampingRules() error {
-	mss := r.mtu - ipTCPHeaderMinSize
+	overhead := uint16(ipv4TCPHeaderSize)
+	if r.v6 {
+		overhead = ipv6TCPHeaderSize
+	}
+	mss := r.mtu - overhead
 
 	// Add jump rule from FORWARD chain in mangle table to our custom chain
 	jumpRule := []string{
@@ -727,8 +749,13 @@ func (r *router) updateState() {
 	currentState.Lock()
 	defer currentState.Unlock()
 
-	currentState.RouteRules = r.rules
+	if r.v6 {
-	currentState.RouteIPsetCounter = r.ipsetCounter
+		currentState.RouteRules6 = r.rules
+		currentState.RouteIPsetCounter6 = r.ipsetCounter
+	} else {
+		currentState.RouteRules = r.rules
+		currentState.RouteIPsetCounter = r.ipsetCounter
+	}
 
 	if err := r.stateManager.UpdateState(currentState); err != nil {
 		log.Errorf("failed to update state: %v", err)
@@ -856,7 +883,7 @@ func (r *router) DeleteDNATRule(rule firewall.Rule) error {
 	}
 
 	if fwdRule, exists := r.rules[ruleKey+fwdSuffix]; exists {
-		if err := r.iptablesClient.Delete(tableFilter, chainRTFWDIN, fwdRule...); err != nil {
+		if err := r.iptablesClient.Delete(tableFilter, chainRTFWDOUT, fwdRule...); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("delete forward rule: %w", err))
 		}
 		delete(r.rules, ruleKey+fwdSuffix)
@@ -883,7 +910,7 @@ func (r *router) genRouteRuleSpec(params routeFilteringRuleParams, sources []net
 	rule = append(rule, destExp...)
 
 	if params.Proto != firewall.ProtocolALL {
-		rule = append(rule, "-p", strings.ToLower(string(params.Proto)))
+		rule = append(rule, "-p", strings.ToLower(protoForFamily(params.Proto, r.v6)))
 		rule = append(rule, applyPort("--sport", params.SPort)...)
 		rule = append(rule, applyPort("--dport", params.DPort)...)
 	}
@@ -900,11 +927,12 @@ func (r *router) applyNetwork(flag string, network firewall.Network, prefixes []
 	}
 
 	if network.IsSet() {
-		if _, err := r.ipsetCounter.Increment(network.Set.HashedName(), prefixes); err != nil {
+		name := r.ipsetName(network.Set.HashedName())
+		if _, err := r.ipsetCounter.Increment(name, prefixes); err != nil {
 			return nil, fmt.Errorf("create or get ipset: %w", err)
 		}
 
-		return []string{"-m", "set", matchSet, network.Set.HashedName(), direction}, nil
+		return []string{"-m", "set", matchSet, name, direction}, nil
 	}
 	if network.IsPrefix() {
 		return []string{flag, network.Prefix.String()}, nil
@@ -915,27 +943,23 @@ func (r *router) applyNetwork(flag string, network firewall.Network, prefixes []
 }
 
 func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
+	name := r.ipsetName(set.HashedName())
 	var merr *multierror.Error
 	for _, prefix := range prefixes {
-		// TODO: Implement IPv6 support
+		if err := r.addPrefixToIPSet(name, prefix); err != nil {
-		if prefix.Addr().Is6() {
-			log.Tracef("skipping IPv6 prefix %s: IPv6 support not yet implemented", prefix)
-			continue
-		}
-		if err := r.addPrefixToIPSet(set.HashedName(), prefix); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("add prefix to ipset: %w", err))
 		}
 	}
 	if merr == nil {
-		log.Debugf("updated set %s with prefixes %v", set.HashedName(), prefixes)
+		log.Debugf("updated set %s with prefixes %v", name, prefixes)
 	}
 
 	return nberrors.FormatErrorOrNil(merr)
 }
 
 // AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
-func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
-	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
+	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, originalPort, translatedPort)
 
 	if _, exists := r.rules[ruleID]; exists {
 		return nil
@@ -943,12 +967,12 @@ func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol
 
 	dnatRule := []string{
 		"-i", r.wgIface.Name(),
-		"-p", strings.ToLower(string(protocol)),
+		"-p", strings.ToLower(protoForFamily(protocol, r.v6)),
-		"--dport", strconv.Itoa(int(sourcePort)),
+		"--dport", strconv.Itoa(int(originalPort)),
 		"-d", localAddr.String(),
 		"-m", "addrtype", "--dst-type", "LOCAL",
 		"-j", "DNAT",
-		"--to-destination", ":" + strconv.Itoa(int(targetPort)),
+		"--to-destination", ":" + strconv.Itoa(int(translatedPort)),
 	}
 
 	ruleInfo := ruleInfo{
@@ -967,8 +991,8 @@ func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol
 }
 
 // RemoveInboundDNAT removes an inbound DNAT rule.
-func (r *router) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (r *router) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
-	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
+	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, originalPort, translatedPort)
 
 	if dnatRule, exists := r.rules[ruleID]; exists {
 		if err := r.iptablesClient.Delete(tableNat, chainRTRDR, dnatRule...); err != nil {
@@ -1013,8 +1037,8 @@ func (r *router) ensureNATOutputChain() error {
 }
 
 // AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
-func (r *router) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (r *router) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
-	ruleID := fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
+	ruleID := fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, originalPort, translatedPort)
 
 	if _, exists := r.rules[ruleID]; exists {
 		return nil
@@ -1026,10 +1050,10 @@ func (r *router) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol,
 
 	dnatRule := []string{
 		"-p", strings.ToLower(string(protocol)),
-		"--dport", strconv.Itoa(int(sourcePort)),
+		"--dport", strconv.Itoa(int(originalPort)),
 		"-d", localAddr.String(),
 		"-j", "DNAT",
-		"--to-destination", ":" + strconv.Itoa(int(targetPort)),
+		"--to-destination", ":" + strconv.Itoa(int(translatedPort)),
 	}
 
 	if err := r.iptablesClient.Append(tableNat, chainNATOutput, dnatRule...); err != nil {
@@ -1042,8 +1066,8 @@ func (r *router) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol,
 }
 
 // RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
-func (r *router) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (r *router) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
-	ruleID := fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
+	ruleID := fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, originalPort, translatedPort)
 
 	if dnatRule, exists := r.rules[ruleID]; exists {
 		if err := r.iptablesClient.Delete(tableNat, chainNATOutput, dnatRule...); err != nil {
@@ -1076,10 +1100,22 @@ func applyPort(flag string, port *firewall.Port) []string {
 	return []string{flag, strconv.Itoa(int(port.Values[0]))}
 }
 
+// ipsetName returns the ipset name, suffixed with "-v6" for the v6 router
+// to avoid collisions since ipsets are global in the kernel.
+func (r *router) ipsetName(name string) string {
+	if r.v6 {
+		return name + "-v6"
+	}
+	return name
+}
+
 func (r *router) createIPSet(name string) error {
 	opts := ipset.CreateOptions{
 		Replace: true,
 	}
+	if r.v6 {
+		opts.Family = ipset.FamilyIPV6
+	}
 
 	if err := ipset.Create(name, ipset.TypeHashNet, opts); err != nil {
 		return fmt.Errorf("create ipset %s: %w", name, err)

client/firewall/iptables/rule.go

@@ -9,6 +9,7 @@ type Rule struct {
 	mangleSpecs []string
 	ip          string
 	chain       string
+	v6          bool
 }
 
 // GetRuleID returns the rule id

client/firewall/iptables/state_linux.go

@@ -4,6 +4,8 @@ import (
 	"fmt"
 	"sync"
 
+	log "github.com/sirupsen/logrus"
+
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
@@ -32,6 +34,12 @@ type ShutdownState struct {
 
 	ACLEntries    aclEntries  `json:"acl_entries,omitempty"`
 	ACLIPsetStore *ipsetStore `json:"acl_ipset_store,omitempty"`
+
+	// IPv6 counterparts
+	RouteRules6        routeRules    `json:"route_rules_v6,omitempty"`
+	RouteIPsetCounter6 *ipsetCounter `json:"route_ipset_counter_v6,omitempty"`
+	ACLEntries6        aclEntries    `json:"acl_entries_v6,omitempty"`
+	ACLIPsetStore6     *ipsetStore   `json:"acl_ipset_store_v6,omitempty"`
 }
 
 func (s *ShutdownState) Name() string {
@@ -62,6 +70,28 @@ func (s *ShutdownState) Cleanup() error {
 		ipt.aclMgr.ipsetStore = s.ACLIPsetStore
 	}
 
+	// Clean up v6 state even if the current run has no IPv6.
+	// The previous run may have left ip6tables rules behind.
+	if !ipt.hasIPv6() {
+		if err := ipt.createIPv6Components(s.InterfaceState, mtu); err != nil {
+			log.Warnf("failed to create v6 components for cleanup: %v", err)
+		}
+	}
+	if ipt.hasIPv6() {
+		if s.RouteRules6 != nil {
+			ipt.router6.rules = s.RouteRules6
+		}
+		if s.RouteIPsetCounter6 != nil {
+			ipt.router6.ipsetCounter.LoadData(s.RouteIPsetCounter6)
+		}
+		if s.ACLEntries6 != nil {
+			ipt.aclMgr6.entries = s.ACLEntries6
+		}
+		if s.ACLIPsetStore6 != nil {
+			ipt.aclMgr6.ipsetStore = s.ACLIPsetStore6
+		}
+	}
+
 	if err := ipt.Close(nil); err != nil {
 		return fmt.Errorf("reset iptables manager: %w", err)
 	}

client/firewall/manager/firewall.go

@@ -1,6 +1,7 @@
 package manager
 
 import (
+	"errors"
 	"fmt"
 	"net"
 	"net/netip"
@@ -11,6 +12,10 @@ import (
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
 
+// ErrIPv6NotInitialized is returned when an IPv6 address is passed to a firewall
+// method but the IPv6 firewall components were not initialized.
+var ErrIPv6NotInitialized = errors.New("IPv6 firewall not initialized")
+
 const (
 	ForwardingFormatPrefix = "netbird-fwd-"
 	ForwardingFormat       = "netbird-fwd-%s-%t"
@@ -164,18 +169,16 @@ type Manager interface {
 	UpdateSet(hash Set, prefixes []netip.Prefix) error
 
 	// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services
-	AddInboundDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
+	AddInboundDNAT(localAddr netip.Addr, protocol Protocol, originalPort, translatedPort uint16) error
 
 	// RemoveInboundDNAT removes inbound DNAT rule
-	RemoveInboundDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
+	RemoveInboundDNAT(localAddr netip.Addr, protocol Protocol, originalPort, translatedPort uint16) error
 
 	// AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
-	// localAddr must be IPv4; the underlying iptables/nftables backends are IPv4-only.
+	AddOutputDNAT(localAddr netip.Addr, protocol Protocol, originalPort, translatedPort uint16) error
-	AddOutputDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
 
 	// RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
-	// localAddr must be IPv4; the underlying iptables/nftables backends are IPv4-only.
+	RemoveOutputDNAT(localAddr netip.Addr, protocol Protocol, originalPort, translatedPort uint16) error
-	RemoveOutputDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
 
 	// SetupEBPFProxyNoTrack creates static notrack rules for eBPF proxy loopback traffic.
 	// This prevents conntrack from interfering with WireGuard proxy communication.

client/firewall/manager/routerpair.go

@@ -1,6 +1,8 @@
 package manager
 
 import (
+	"net/netip"
+
 	"github.com/netbirdio/netbird/route"
 )
 
@@ -10,6 +12,10 @@ type RouterPair struct {
 	Destination Network
 	Masquerade  bool
 	Inverse     bool
+	// Dynamic indicates the route is domain-based. NAT rules for dynamic
+	// routes are duplicated to the v6 table so that resolved AAAA records
+	// are masqueraded correctly.
+	Dynamic bool
 }
 
 func GetInversePair(pair RouterPair) RouterPair {
@@ -20,5 +26,17 @@ func GetInversePair(pair RouterPair) RouterPair {
 		Destination: pair.Source,
 		Masquerade:  pair.Masquerade,
 		Inverse:     true,
+		Dynamic:     pair.Dynamic,
 	}
 }
+
+// ToV6NatPair creates a v6 counterpart of a v4 NAT pair with `::/0` source
+// and, for prefix destinations, `::/0` destination.
+func ToV6NatPair(pair RouterPair) RouterPair {
+	v6 := pair
+	v6.Source = Network{Prefix: netip.PrefixFrom(netip.IPv6Unspecified(), 0)}
+	if v6.Destination.IsPrefix() {
+		v6.Destination = Network{Prefix: netip.PrefixFrom(netip.IPv6Unspecified(), 0)}
+	}
+	return v6
+}

client/firewall/nftables/acl_linux.go

@@ -33,15 +33,12 @@ const (
 
 const flushError = "flush: %w"
 
-var (
-	anyIP = []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
-)
-
 type AclManager struct {
 	rConn              *nftables.Conn
 	sConn              *nftables.Conn
 	wgIface            iFaceMapper
 	routingFwChainName string
+	af                 addrFamily
 
 	workTable       *nftables.Table
 	chainInputRules *nftables.Chain
@@ -67,6 +64,7 @@ func newAclManager(table *nftables.Table, wgIface iFaceMapper, routingFwChainNam
 		wgIface:            wgIface,
 		workTable:          table,
 		routingFwChainName: routingFwChainName,
+		af:                 familyForAddr(table.Family == nftables.TableFamilyIPv4),
 
 		ipsetStore: newIpsetStore(),
 		rules:      make(map[string]*Rule),
@@ -145,7 +143,7 @@ func (m *AclManager) DeletePeerRule(rule firewall.Rule) error {
 	}
 
 	if _, ok := ips[r.ip.String()]; ok {
-		err := m.sConn.SetDeleteElements(r.nftSet, []nftables.SetElement{{Key: r.ip.To4()}})
+		err := m.sConn.SetDeleteElements(r.nftSet, []nftables.SetElement{{Key: ipToBytes(r.ip, m.af)}})
 		if err != nil {
 			log.Errorf("delete elements for set %q: %v", r.nftSet.Name, err)
 		}
@@ -254,11 +252,11 @@ func (m *AclManager) addIOFiltering(
 		expressions = append(expressions, &expr.Payload{
 			DestRegister: 1,
 			Base:         expr.PayloadBaseNetworkHeader,
-			Offset:       uint32(9),
+			Offset:       m.af.protoOffset,
 			Len:          uint32(1),
 		})
 
-		protoData, err := protoToInt(proto)
+		protoData, err := m.af.protoNum(proto)
 		if err != nil {
 			return nil, fmt.Errorf("convert protocol to number: %v", err)
 		}
@@ -270,19 +268,16 @@ func (m *AclManager) addIOFiltering(
 		})
 	}
 
-	rawIP := ip.To4()
+	rawIP := ipToBytes(ip, m.af)
 	// check if rawIP contains zeroed IPv4 0.0.0.0 value
 	// in that case not add IP match expression into the rule definition
-	if !bytes.HasPrefix(anyIP, rawIP) {
+	if slices.ContainsFunc(rawIP, func(v byte) bool { return v != 0 }) {
-		// source address position
-		addrOffset := uint32(12)
-
 		expressions = append(expressions,
 			&expr.Payload{
 				DestRegister: 1,
 				Base:         expr.PayloadBaseNetworkHeader,
-				Offset:       addrOffset,
+				Offset:       m.af.srcAddrOffset,
-				Len:          4,
+				Len:          m.af.addrLen,
 			},
 		)
 		// add individual IP for match if no ipset defined
@@ -587,7 +582,7 @@ func (m *AclManager) addJumpRule(chain *nftables.Chain, to string, ifaceKey expr
 
 func (m *AclManager) addIpToSet(ipsetName string, ip net.IP) (*nftables.Set, error) {
 	ipset, err := m.rConn.GetSetByName(m.workTable, ipsetName)
-	rawIP := ip.To4()
+	rawIP := ipToBytes(ip, m.af)
 	if err != nil {
 		if ipset, err = m.createSet(m.workTable, ipsetName); err != nil {
 			return nil, fmt.Errorf("get set name: %v", err)
@@ -619,7 +614,7 @@ func (m *AclManager) createSet(table *nftables.Table, name string) (*nftables.Se
 		Name:    name,
 		Table:   table,
 		Dynamic: true,
-		KeyType: nftables.TypeIPAddr,
+		KeyType: m.af.setKeyType,
 	}
 
 	if err := m.rConn.AddSet(ipset, nil); err != nil {
@@ -707,15 +702,12 @@ func ifname(n string) []byte {
 	return b
 }
 
-func protoToInt(protocol firewall.Protocol) (uint8, error) {
-	switch protocol {
-	case firewall.ProtocolTCP:
-		return unix.IPPROTO_TCP, nil
-	case firewall.ProtocolUDP:
-		return unix.IPPROTO_UDP, nil
-	case firewall.ProtocolICMP:
-		return unix.IPPROTO_ICMP, nil
-	}
 
-	return 0, fmt.Errorf("unsupported protocol: %s", protocol)
+// ipToBytes converts net.IP to the correct byte length for the address family.
+func ipToBytes(ip net.IP, af addrFamily) []byte {
+	if af.addrLen == 4 {
+		return ip.To4()
+	}
+	return ip.To16()
 }
+

client/firewall/nftables/addr_family_linux.go

@@ -0,0 +1,81 @@
+package nftables
+
+import (
+	"fmt"
+	"net"
+
+	"github.com/google/nftables"
+	"golang.org/x/sys/unix"
+
+	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+)
+
+var (
+	// afIPv4 defines IPv4 header layout and nftables types.
+	afIPv4 = addrFamily{
+		protoOffset:   9,
+		srcAddrOffset: 12,
+		dstAddrOffset: 16,
+		addrLen:       net.IPv4len,
+		totalBits:     8 * net.IPv4len,
+		setKeyType:    nftables.TypeIPAddr,
+		tableFamily:   nftables.TableFamilyIPv4,
+		icmpProto:     unix.IPPROTO_ICMP,
+	}
+	// afIPv6 defines IPv6 header layout and nftables types.
+	afIPv6 = addrFamily{
+		protoOffset:   6,
+		srcAddrOffset: 8,
+		dstAddrOffset: 24,
+		addrLen:       net.IPv6len,
+		totalBits:     8 * net.IPv6len,
+		setKeyType:    nftables.TypeIP6Addr,
+		tableFamily:   nftables.TableFamilyIPv6,
+		icmpProto:     unix.IPPROTO_ICMPV6,
+	}
+)
+
+// addrFamily holds protocol-specific constants for nftables expression building.
+type addrFamily struct {
+	// protoOffset is the IP header offset for the protocol/next-header field (9 for v4, 6 for v6)
+	protoOffset uint32
+	// srcAddrOffset is the IP header offset for the source address (12 for v4, 8 for v6)
+	srcAddrOffset uint32
+	// dstAddrOffset is the IP header offset for the destination address (16 for v4, 24 for v6)
+	dstAddrOffset uint32
+	// addrLen is the byte length of addresses (4 for v4, 16 for v6)
+	addrLen uint32
+	// totalBits is the address size in bits (32 for v4, 128 for v6)
+	totalBits int
+	// setKeyType is the nftables set data type for addresses
+	setKeyType nftables.SetDatatype
+	// tableFamily is the nftables table family
+	tableFamily nftables.TableFamily
+	// icmpProto is the ICMP protocol number for this family (1 for v4, 58 for v6)
+	icmpProto uint8
+}
+
+// familyForAddr returns the address family for the given IP.
+func familyForAddr(is4 bool) addrFamily {
+	if is4 {
+		return afIPv4
+	}
+	return afIPv6
+}
+
+// protoNum converts a firewall protocol to the IP protocol number,
+// using the correct ICMP variant for the address family.
+func (af addrFamily) protoNum(protocol firewall.Protocol) (uint8, error) {
+	switch protocol {
+	case firewall.ProtocolTCP:
+		return unix.IPPROTO_TCP, nil
+	case firewall.ProtocolUDP:
+		return unix.IPPROTO_UDP, nil
+	case firewall.ProtocolICMP:
+		return af.icmpProto, nil
+	case firewall.ProtocolALL:
+		return 0, nil
+	default:
+		return 0, fmt.Errorf("unsupported protocol: %s", protocol)
+	}
+}

client/firewall/nftables/manager_linux.go

@@ -11,9 +11,11 @@ import (
 	"github.com/google/nftables"
 	"github.com/google/nftables/binaryutil"
 	"github.com/google/nftables/expr"
+	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 
+	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
@@ -48,8 +50,13 @@ type Manager struct {
 	rConn   *nftables.Conn
 	wgIface iFaceMapper
 
-	router                 *router
+	router     *router
-	aclManager             *AclManager
+	aclManager *AclManager
+
+	// IPv6 counterparts, nil when no v6 overlay
+	router6     *router
+	aclManager6 *AclManager
+
 	notrackOutputChain     *nftables.Chain
 	notrackPreroutingChain *nftables.Chain
 }
@@ -61,7 +68,8 @@ func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
 		wgIface: wgIface,
 	}
 
-	workTable := &nftables.Table{Name: getTableName(), Family: nftables.TableFamilyIPv4}
+	tableName := getTableName()
+	workTable := &nftables.Table{Name: tableName, Family: nftables.TableFamilyIPv4}
 
 	var err error
 	m.router, err = newRouter(workTable, wgIface, mtu)
@@ -74,11 +82,70 @@ func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
 		return nil, fmt.Errorf("create acl manager: %w", err)
 	}
 
+	if wgIface.Address().HasIPv6() {
+		if err := m.createIPv6Components(tableName, wgIface, mtu); err != nil {
+			return nil, fmt.Errorf("create IPv6 firewall: %w", err)
+		}
+	}
+
 	return m, nil
 }
 
+func (m *Manager) createIPv6Components(tableName string, wgIface iFaceMapper, mtu uint16) error {
+	workTable6 := &nftables.Table{Name: tableName, Family: nftables.TableFamilyIPv6}
+
+	var err error
+	m.router6, err = newRouter(workTable6, wgIface, mtu)
+	if err != nil {
+		return fmt.Errorf("create v6 router: %w", err)
+	}
+
+	// Share the same IP forwarding state with the v4 router, since
+	// EnableIPForwarding controls both v4 and v6 sysctls.
+	m.router6.ipFwdState = m.router.ipFwdState
+
+	m.aclManager6, err = newAclManager(workTable6, wgIface, chainNameRoutingFw)
+	if err != nil {
+		return fmt.Errorf("create v6 acl manager: %w", err)
+	}
+
+	return nil
+}
+
+// hasIPv6 reports whether the manager has IPv6 components initialized.
+func (m *Manager) hasIPv6() bool {
+	return m.router6 != nil
+}
+
+func (m *Manager) initIPv6() error {
+	workTable6, err := m.createWorkTableFamily(nftables.TableFamilyIPv6)
+	if err != nil {
+		return fmt.Errorf("create v6 work table: %w", err)
+	}
+
+	if err := m.router6.init(workTable6); err != nil {
+		return fmt.Errorf("v6 router init: %w", err)
+	}
+
+	if err := m.aclManager6.init(workTable6); err != nil {
+		return fmt.Errorf("v6 acl manager init: %w", err)
+	}
+
+	return nil
+}
+
 // Init nftables firewall manager
 func (m *Manager) Init(stateManager *statemanager.Manager) error {
+	if err := m.initFirewall(); err != nil {
+		return err
+	}
+
+	m.persistState(stateManager)
+
+	return nil
+}
+
+func (m *Manager) initFirewall() error {
 	workTable, err := m.createWorkTable()
 	if err != nil {
 		return fmt.Errorf("create work table: %w", err)
@@ -89,20 +156,32 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	}
 
 	if err := m.aclManager.init(workTable); err != nil {
-		// TODO: cleanup router
+		m.rollbackInit()
 		return fmt.Errorf("acl manager init: %w", err)
 	}
 
+	if m.hasIPv6() {
+		if err := m.initIPv6(); err != nil {
+			// Peer has a v6 address: v6 firewall MUST work or we risk fail-open.
+			m.rollbackInit()
+			return fmt.Errorf("init IPv6 firewall (required because peer has IPv6 address): %w", err)
+		}
+	}
+
 	if err := m.initNoTrackChains(workTable); err != nil {
 		log.Warnf("raw priority chains not available, notrack rules will be disabled: %v", err)
 	}
 
+	return nil
+}
+
+// persistState saves the current interface state for potential recreation on restart.
+// Unlike iptables, which requires tracking individual rules, nftables maintains
+// a known state (our netbird table plus a few static rules). This allows for easy
+// cleanup using Close() without needing to store specific rules.
+func (m *Manager) persistState(stateManager *statemanager.Manager) {
 	stateManager.RegisterState(&ShutdownState{})
 
-	// We only need to record minimal interface state for potential recreation.
-	// Unlike iptables, which requires tracking individual rules, nftables maintains
-	// a known state (our netbird table plus a few static rules). This allows for easy
-	// cleanup using Close() without needing to store specific rules.
 	if err := stateManager.UpdateState(&ShutdownState{
 		InterfaceState: &InterfaceState{
 			NameStr:   m.wgIface.Name(),
@@ -113,14 +192,29 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 		log.Errorf("failed to update state: %v", err)
 	}
 
-	// persist early
 	go func() {
 		if err := stateManager.PersistState(context.Background()); err != nil {
 			log.Errorf("failed to persist state: %v", err)
 		}
 	}()
+}
 
-	return nil
+// rollbackInit performs best-effort cleanup of already-initialized state when Init fails partway through.
+func (m *Manager) rollbackInit() {
+	if err := m.router.Reset(); err != nil {
+		log.Warnf("rollback router: %v", err)
+	}
+	if m.hasIPv6() {
+		if err := m.router6.Reset(); err != nil {
+			log.Warnf("rollback v6 router: %v", err)
+		}
+	}
+	if err := m.cleanupNetbirdTables(); err != nil {
+		log.Warnf("cleanup tables: %v", err)
+	}
+	if err := m.rConn.Flush(); err != nil {
+		log.Warnf("flush: %v", err)
+	}
 }
 
 // AddPeerFiltering rule to the firewall
@@ -139,12 +233,14 @@ func (m *Manager) AddPeerFiltering(
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	rawIP := ip.To4()
+	if ip.To4() != nil {
-	if rawIP == nil {
+		return m.aclManager.AddPeerFiltering(id, ip, proto, sPort, dPort, action, ipsetName)
-		return nil, fmt.Errorf("unsupported IP version: %s", ip.String())
 	}
 
-	return m.aclManager.AddPeerFiltering(id, ip, proto, sPort, dPort, action, ipsetName)
+	if !m.hasIPv6() {
+		return nil, fmt.Errorf("add peer filtering for %s: %w", ip, firewall.ErrIPv6NotInitialized)
+	}
+	return m.aclManager6.AddPeerFiltering(id, ip, proto, sPort, dPort, action, ipsetName)
 }
 
 func (m *Manager) AddRouteFiltering(
@@ -158,8 +254,11 @@ func (m *Manager) AddRouteFiltering(
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	if destination.IsPrefix() && !destination.Prefix.Addr().Is4() {
+	if isIPv6RouteRule(sources, destination) {
-		return nil, fmt.Errorf("unsupported IP version: %s", destination.Prefix.Addr().String())
+		if !m.hasIPv6() {
+			return nil, fmt.Errorf("add route filtering: %w", firewall.ErrIPv6NotInitialized)
+		}
+		return m.router6.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
 	}
 
 	return m.router.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
@@ -170,14 +269,38 @@ func (m *Manager) DeletePeerRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
+	if m.hasIPv6() && isIPv6Rule(rule) {
+		return m.aclManager6.DeletePeerRule(rule)
+	}
 	return m.aclManager.DeletePeerRule(rule)
 }
 
-// DeleteRouteRule deletes a routing rule
+func isIPv6Rule(rule firewall.Rule) bool {
+	r, ok := rule.(*Rule)
+	return ok && r.nftRule != nil && r.nftRule.Table != nil && r.nftRule.Table.Family == nftables.TableFamilyIPv6
+}
+
+// isIPv6RouteRule determines whether a route rule belongs to the v6 table.
+// For static routes, the destination prefix determines the family. For dynamic
+// routes (DomainSet), the sources determine the family since management
+// duplicates dynamic rules per family.
+func isIPv6RouteRule(sources []netip.Prefix, destination firewall.Network) bool {
+	if destination.IsPrefix() {
+		return destination.Prefix.Addr().Is6()
+	}
+	return len(sources) > 0 && sources[0].Addr().Is6()
+}
+
+// DeleteRouteRule deletes a routing rule.
+// Route rules are keyed by content hash, so the rule exists in exactly one
+// router. We check v4 first; if the key isn't there, try v6.
 func (m *Manager) DeleteRouteRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
+	if m.hasIPv6() && !m.router.hasRule(rule.ID()) {
+		return m.router6.DeleteRouteRule(rule)
+	}
 	return m.router.DeleteRouteRule(rule)
 }
 
@@ -193,19 +316,67 @@ func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	return m.router.AddNatRule(pair)
+	if pair.Destination.IsPrefix() && pair.Destination.Prefix.Addr().Is6() {
+		if !m.hasIPv6() {
+			return fmt.Errorf("add NAT rule: %w", firewall.ErrIPv6NotInitialized)
+		}
+		return m.router6.AddNatRule(pair)
+	}
+
+	if err := m.router.AddNatRule(pair); err != nil {
+		return err
+	}
+
+	// Dynamic routes need NAT in both tables since resolved IPs can be
+	// either v4 or v6. This covers both DomainSet (modern) and the legacy
+	// wildcard 0.0.0.0/0 destination where the client resolves DNS.
+	if m.hasIPv6() && pair.Dynamic {
+		v6Pair := firewall.ToV6NatPair(pair)
+		if err := m.router6.AddNatRule(v6Pair); err != nil {
+			return fmt.Errorf("add v6 NAT rule: %w", err)
+		}
+	}
+
+	return nil
 }
 
 func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	return m.router.RemoveNatRule(pair)
+	if pair.Destination.IsPrefix() && pair.Destination.Prefix.Addr().Is6() {
+		if !m.hasIPv6() {
+			return nil
+		}
+		return m.router6.RemoveNatRule(pair)
+	}
+
+	var merr *multierror.Error
+
+	if err := m.router.RemoveNatRule(pair); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("remove v4 NAT rule: %w", err))
+	}
+
+	if m.hasIPv6() && pair.Dynamic {
+		v6Pair := firewall.ToV6NatPair(pair)
+		if err := m.router6.RemoveNatRule(v6Pair); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("remove v6 NAT rule: %w", err))
+		}
+	}
+
+	return nberrors.FormatErrorOrNil(merr)
 }
 
 // AllowNetbird allows netbird interface traffic.
 // This is called when USPFilter wraps the native firewall, adding blanket accept
 // rules so that packet filtering is handled in userspace instead of by netfilter.
+//
+// TODO: In USP mode this only adds ACCEPT to the netbird table's own chains,
+// which doesn't override DROP rules in external tables (e.g. firewalld).
+// Should add passthrough rules to external chains (like the native mode router's
+// addExternalChainsRules does) for both the netbird table family and inet tables.
+// The netbird table itself is fine (routing chains already exist there), but
+// non-netbird tables with INPUT/FORWARD hooks can still DROP our WG traffic.
 func (m *Manager) AllowNetbird() error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
@@ -213,6 +384,11 @@ func (m *Manager) AllowNetbird() error {
 	if err := m.aclManager.createDefaultAllowRules(); err != nil {
 		return fmt.Errorf("create default allow rules: %w", err)
 	}
+	if m.hasIPv6() {
+		if err := m.aclManager6.createDefaultAllowRules(); err != nil {
+			return fmt.Errorf("create v6 default allow rules: %w", err)
+		}
+	}
 	if err := m.rConn.Flush(); err != nil {
 		return fmt.Errorf("flush allow input netbird rules: %w", err)
 	}
@@ -222,7 +398,13 @@ func (m *Manager) AllowNetbird() error {
 
 // SetLegacyManagement sets the route manager to use legacy management
 func (m *Manager) SetLegacyManagement(isLegacy bool) error {
-	return firewall.SetLegacyManagement(m.router, isLegacy)
+	if err := firewall.SetLegacyManagement(m.router, isLegacy); err != nil {
+		return err
+	}
+	if m.hasIPv6() {
+		return firewall.SetLegacyManagement(m.router6, isLegacy)
+	}
+	return nil
 }
 
 // Close closes the firewall manager
@@ -230,23 +412,31 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
+	var merr *multierror.Error
+
 	if err := m.router.Reset(); err != nil {
-		return fmt.Errorf("reset router: %v", err)
+		merr = multierror.Append(merr, fmt.Errorf("reset router: %v", err))
+	}
+
+	if m.hasIPv6() {
+		if err := m.router6.Reset(); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("reset v6 router: %v", err))
+		}
 	}
 
 	if err := m.cleanupNetbirdTables(); err != nil {
-		return fmt.Errorf("cleanup netbird tables: %v", err)
+		merr = multierror.Append(merr, fmt.Errorf("cleanup netbird tables: %v", err))
 	}
 
 	if err := m.rConn.Flush(); err != nil {
-		return fmt.Errorf(flushError, err)
+		merr = multierror.Append(merr, fmt.Errorf(flushError, err))
 	}
 
 	if err := stateManager.DeleteState(&ShutdownState{}); err != nil {
-		return fmt.Errorf("delete state: %v", err)
+		merr = multierror.Append(merr, fmt.Errorf("delete state: %v", err))
 	}
 
-	return nil
+	return nberrors.FormatErrorOrNil(merr)
 }
 
 func (m *Manager) cleanupNetbirdTables() error {
@@ -295,6 +485,12 @@ func (m *Manager) Flush() error {
 		return err
 	}
 
+	if m.hasIPv6() {
+		if err := m.aclManager6.Flush(); err != nil {
+			return fmt.Errorf("flush v6 acl: %w", err)
+		}
+	}
+
 	if err := m.refreshNoTrackChains(); err != nil {
 		log.Errorf("failed to refresh notrack chains: %v", err)
 	}
@@ -307,6 +503,12 @@ func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error)
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
+	if rule.TranslatedAddress.Is6() {
+		if !m.hasIPv6() {
+			return nil, fmt.Errorf("add DNAT rule: %w", firewall.ErrIPv6NotInitialized)
+		}
+		return m.router6.AddDNATRule(rule)
+	}
 	return m.router.AddDNATRule(rule)
 }
 
@@ -315,6 +517,9 @@ func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
+	if m.hasIPv6() && !m.router.hasDNATRule(rule.ID()) {
+		return m.router6.DeleteDNATRule(rule)
+	}
 	return m.router.DeleteDNATRule(rule)
 }
 
@@ -323,39 +528,82 @@ func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	return m.router.UpdateSet(set, prefixes)
+	var v4Prefixes, v6Prefixes []netip.Prefix
+	for _, p := range prefixes {
+		if p.Addr().Is6() {
+			v6Prefixes = append(v6Prefixes, p)
+		} else {
+			v4Prefixes = append(v4Prefixes, p)
+		}
+	}
+
+	if err := m.router.UpdateSet(set, v4Prefixes); err != nil {
+		return err
+	}
+
+	if m.hasIPv6() && len(v6Prefixes) > 0 {
+		if err := m.router6.UpdateSet(set, v6Prefixes); err != nil {
+			return fmt.Errorf("update v6 set: %w", err)
+		}
+	}
+
+	return nil
 }
 
 // AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
-func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	return m.router.AddInboundDNAT(localAddr, protocol, sourcePort, targetPort)
+	if localAddr.Is6() {
+		if !m.hasIPv6() {
+			return fmt.Errorf("add inbound DNAT: %w", firewall.ErrIPv6NotInitialized)
+		}
+		return m.router6.AddInboundDNAT(localAddr, protocol, originalPort, translatedPort)
+	}
+	return m.router.AddInboundDNAT(localAddr, protocol, originalPort, translatedPort)
 }
 
 // RemoveInboundDNAT removes an inbound DNAT rule.
-func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	return m.router.RemoveInboundDNAT(localAddr, protocol, sourcePort, targetPort)
+	if localAddr.Is6() {
+		if !m.hasIPv6() {
+			return fmt.Errorf("remove inbound DNAT: %w", firewall.ErrIPv6NotInitialized)
+		}
+		return m.router6.RemoveInboundDNAT(localAddr, protocol, originalPort, translatedPort)
+	}
+	return m.router.RemoveInboundDNAT(localAddr, protocol, originalPort, translatedPort)
 }
 
 // AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
-func (m *Manager) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (m *Manager) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	return m.router.AddOutputDNAT(localAddr, protocol, sourcePort, targetPort)
+	if localAddr.Is6() {
+		if !m.hasIPv6() {
+			return fmt.Errorf("add output DNAT: %w", firewall.ErrIPv6NotInitialized)
+		}
+		return m.router6.AddOutputDNAT(localAddr, protocol, originalPort, translatedPort)
+	}
+	return m.router.AddOutputDNAT(localAddr, protocol, originalPort, translatedPort)
 }
 
 // RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
-func (m *Manager) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (m *Manager) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	return m.router.RemoveOutputDNAT(localAddr, protocol, sourcePort, targetPort)
+	if localAddr.Is6() {
+		if !m.hasIPv6() {
+			return fmt.Errorf("remove output DNAT: %w", firewall.ErrIPv6NotInitialized)
+		}
+		return m.router6.RemoveOutputDNAT(localAddr, protocol, originalPort, translatedPort)
+	}
+	return m.router.RemoveOutputDNAT(localAddr, protocol, originalPort, translatedPort)
 }
 
 const (
@@ -529,7 +777,11 @@ func (m *Manager) refreshNoTrackChains() error {
 }
 
 func (m *Manager) createWorkTable() (*nftables.Table, error) {
-	tables, err := m.rConn.ListTablesOfFamily(nftables.TableFamilyIPv4)
+	return m.createWorkTableFamily(nftables.TableFamilyIPv4)
+}
+
+func (m *Manager) createWorkTableFamily(family nftables.TableFamily) (*nftables.Table, error) {
+	tables, err := m.rConn.ListTablesOfFamily(family)
 	if err != nil {
 		return nil, fmt.Errorf("list of tables: %w", err)
 	}
@@ -541,7 +793,7 @@ func (m *Manager) createWorkTable() (*nftables.Table, error) {
 		}
 	}
 
-	table := m.rConn.AddTable(&nftables.Table{Name: getTableName(), Family: nftables.TableFamilyIPv4})
+	table := m.rConn.AddTable(&nftables.Table{Name: tableName, Family: family})
 	err = m.rConn.Flush()
 	return table, err
 }

client/firewall/nftables/manager_linux_test.go

@@ -383,10 +383,134 @@ func TestNftablesManagerCompatibilityWithIptables(t *testing.T) {
 	err = manager.AddNatRule(pair)
 	require.NoError(t, err, "failed to add NAT rule")
 
+	dnatRule, err := manager.AddDNATRule(fw.ForwardRule{
+		Protocol:          fw.ProtocolTCP,
+		DestinationPort:   fw.Port{Values: []uint16{8080}},
+		TranslatedAddress: netip.MustParseAddr("100.96.0.2"),
+		TranslatedPort:    fw.Port{Values: []uint16{80}},
+	})
+	require.NoError(t, err, "failed to add DNAT rule")
+
+	t.Cleanup(func() {
+		require.NoError(t, manager.DeleteDNATRule(dnatRule), "failed to delete DNAT rule")
+	})
+
 	stdout, stderr = runIptablesSave(t)
 	verifyIptablesOutput(t, stdout, stderr)
 }
 
+func TestNftablesManagerIPv6CompatibilityWithIp6tables(t *testing.T) {
+	if check() != NFTABLES {
+		t.Skip("nftables not supported on this system")
+	}
+
+	for _, bin := range []string{"ip6tables", "ip6tables-save", "iptables-save"} {
+		if _, err := exec.LookPath(bin); err != nil {
+			t.Skipf("%s not available on this system: %v", bin, err)
+		}
+	}
+
+	// Seed ip6 tables in the nft backend. Docker may not create them.
+	seedIp6tables(t)
+
+	ifaceMockV6 := &iFaceMock{
+		NameFunc: func() string { return "wt-test" },
+		AddressFunc: func() wgaddr.Address {
+			return wgaddr.Address{
+				IP:      netip.MustParseAddr("100.96.0.1"),
+				Network: netip.MustParsePrefix("100.96.0.0/16"),
+				IPv6:    netip.MustParseAddr("fd00::1"),
+				IPv6Net: netip.MustParsePrefix("fd00::/64"),
+			}
+		},
+	}
+
+	manager, err := Create(ifaceMockV6, iface.DefaultMTU)
+	require.NoError(t, err, "create manager")
+	require.NoError(t, manager.Init(nil))
+
+	t.Cleanup(func() {
+		require.NoError(t, manager.Close(nil), "close manager")
+
+		stdout, stderr := runIp6tablesSave(t)
+		verifyIp6tablesOutput(t, stdout, stderr)
+	})
+
+	ip := netip.MustParseAddr("fd00::2")
+	_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
+	require.NoError(t, err, "add v6 peer filtering rule")
+
+	_, err = manager.AddRouteFiltering(
+		nil,
+		[]netip.Prefix{netip.MustParsePrefix("fd00:1::/64")},
+		fw.Network{Prefix: netip.MustParsePrefix("2001:db8::/48")},
+		fw.ProtocolTCP,
+		nil,
+		&fw.Port{Values: []uint16{443}},
+		fw.ActionAccept,
+	)
+	require.NoError(t, err, "add v6 route filtering rule")
+
+	err = manager.AddNatRule(fw.RouterPair{
+		Source:      fw.Network{Prefix: netip.MustParsePrefix("fd00::/64")},
+		Destination: fw.Network{Prefix: netip.MustParsePrefix("2001:db8::/48")},
+		Masquerade:  true,
+	})
+	require.NoError(t, err, "add v6 NAT rule")
+
+	dnatRule, err := manager.AddDNATRule(fw.ForwardRule{
+		Protocol:          fw.ProtocolTCP,
+		DestinationPort:   fw.Port{Values: []uint16{8080}},
+		TranslatedAddress: netip.MustParseAddr("fd00::2"),
+		TranslatedPort:    fw.Port{Values: []uint16{80}},
+	})
+	require.NoError(t, err, "add v6 DNAT rule")
+
+	t.Cleanup(func() {
+		require.NoError(t, manager.DeleteDNATRule(dnatRule), "delete v6 DNAT rule")
+	})
+
+	stdout, stderr := runIptablesSave(t)
+	verifyIptablesOutput(t, stdout, stderr)
+
+	stdout, stderr = runIp6tablesSave(t)
+	verifyIp6tablesOutput(t, stdout, stderr)
+}
+
+func seedIp6tables(t *testing.T) {
+	t.Helper()
+	for _, tc := range []struct{ table, chain string }{
+		{"filter", "FORWARD"},
+		{"nat", "POSTROUTING"},
+		{"mangle", "FORWARD"},
+	} {
+		add := exec.Command("ip6tables", "-t", tc.table, "-A", tc.chain, "-j", "ACCEPT")
+		require.NoError(t, add.Run(), "seed ip6tables -t %s", tc.table)
+		del := exec.Command("ip6tables", "-t", tc.table, "-D", tc.chain, "-j", "ACCEPT")
+		require.NoError(t, del.Run(), "unseed ip6tables -t %s", tc.table)
+	}
+}
+
+func runIp6tablesSave(t *testing.T) (string, string) {
+	t.Helper()
+	var stdout, stderr bytes.Buffer
+	cmd := exec.Command("ip6tables-save")
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+	require.NoError(t, cmd.Run(), "ip6tables-save failed")
+	return stdout.String(), stderr.String()
+}
+
+func verifyIp6tablesOutput(t *testing.T, stdout, stderr string) {
+	t.Helper()
+	require.NotContains(t, stdout, "Table `nat' is incompatible",
+		"ip6tables-save: nat table incompatible. Full output: %s", stdout)
+	require.NotContains(t, stdout, "Table `mangle' is incompatible",
+		"ip6tables-save: mangle table incompatible. Full output: %s", stdout)
+	require.NotContains(t, stdout, "Table `filter' is incompatible",
+		"ip6tables-save: filter table incompatible. Full output: %s", stdout)
+}
+
 func TestNftablesManagerCompatibilityWithIptablesFor6kPrefixes(t *testing.T) {
 	if check() != NFTABLES {
 		t.Skip("nftables not supported on this system")

client/firewall/nftables/router_linux.go

@@ -47,8 +47,10 @@ const (
 	dnatSuffix = "_dnat"
 	snatSuffix = "_snat"
 
-	// ipTCPHeaderMinSize represents minimum IP (20) + TCP (20) header size for MSS calculation
+	// ipv4TCPHeaderSize is the minimum IPv4 (20) + TCP (20) header size for MSS calculation.
-	ipTCPHeaderMinSize = 40
+	ipv4TCPHeaderSize = 40
+	// ipv6TCPHeaderSize is the minimum IPv6 (40) + TCP (20) header size for MSS calculation.
+	ipv6TCPHeaderSize = 60
 
 	// maxPrefixesSet 1638 prefixes start to fail, taking some margin
 	maxPrefixesSet       = 1500
@@ -73,6 +75,7 @@ type router struct {
 	rules        map[string]*nftables.Rule
 	ipsetCounter *refcounter.Counter[string, setInput, *nftables.Set]
 
+	af               addrFamily
 	wgIface          iFaceMapper
 	ipFwdState       *ipfwdstate.IPForwardingState
 	legacyManagement bool
@@ -85,6 +88,7 @@ func newRouter(workTable *nftables.Table, wgIface iFaceMapper, mtu uint16) (*rou
 		workTable:  workTable,
 		chains:     make(map[string]*nftables.Chain),
 		rules:      make(map[string]*nftables.Rule),
+		af:         familyForAddr(workTable.Family == nftables.TableFamilyIPv4),
 		wgIface:    wgIface,
 		ipFwdState: ipfwdstate.NewIPForwardingState(),
 		mtu:        mtu,
@@ -143,7 +147,7 @@ func (r *router) Reset() error {
 func (r *router) removeNatPreroutingRules() error {
 	table := &nftables.Table{
 		Name:   tableNat,
-		Family: nftables.TableFamilyIPv4,
+		Family: r.af.tableFamily,
 	}
 	chain := &nftables.Chain{
 		Name:     chainNameNatPrerouting,
@@ -176,7 +180,7 @@ func (r *router) removeNatPreroutingRules() error {
 }
 
 func (r *router) loadFilterTable() (*nftables.Table, error) {
-	tables, err := r.conn.ListTablesOfFamily(nftables.TableFamilyIPv4)
+	tables, err := r.conn.ListTablesOfFamily(r.af.tableFamily)
 	if err != nil {
 		return nil, fmt.Errorf("list tables: %w", err)
 	}
@@ -408,7 +412,7 @@ func (r *router) AddRouteFiltering(
 
 	// Handle protocol
 	if proto != firewall.ProtocolALL {
-		protoNum, err := protoToInt(proto)
+		protoNum, err := r.af.protoNum(proto)
 		if err != nil {
 			return nil, fmt.Errorf("convert protocol to number: %w", err)
 		}
@@ -468,7 +472,24 @@ func (r *router) getIpSet(set firewall.Set, prefixes []netip.Prefix, isSource bo
 		return nil, fmt.Errorf("create or get ipset: %w", err)
 	}
 
-	return getIpSetExprs(ref, isSource)
+	return r.getIpSetExprs(ref, isSource)
+}
+
+func (r *router) iptablesProto() iptables.Protocol {
+	if r.af.tableFamily == nftables.TableFamilyIPv6 {
+		return iptables.ProtocolIPv6
+	}
+	return iptables.ProtocolIPv4
+}
+
+func (r *router) hasRule(id string) bool {
+	_, ok := r.rules[id]
+	return ok
+}
+
+func (r *router) hasDNATRule(id string) bool {
+	_, ok := r.rules[id+dnatSuffix]
+	return ok
 }
 
 func (r *router) DeleteRouteRule(rule firewall.Rule) error {
@@ -517,10 +538,10 @@ func (r *router) createIpSet(setName string, input setInput) (*nftables.Set, err
 		Table:   r.workTable,
 		// required for prefixes
 		Interval: true,
-		KeyType:  nftables.TypeIPAddr,
+		KeyType:  r.af.setKeyType,
 	}
 
-	elements := convertPrefixesToSet(prefixes)
+	elements := r.convertPrefixesToSet(prefixes)
 	nElements := len(elements)
 
 	maxElements := maxPrefixesSet * 2
@@ -553,23 +574,17 @@ func (r *router) createIpSet(setName string, input setInput) (*nftables.Set, err
 	return nfset, nil
 }
 
-func convertPrefixesToSet(prefixes []netip.Prefix) []nftables.SetElement {
+func (r *router) convertPrefixesToSet(prefixes []netip.Prefix) []nftables.SetElement {
 	var elements []nftables.SetElement
 	for _, prefix := range prefixes {
-		// TODO: Implement IPv6 support
-		if prefix.Addr().Is6() {
-			log.Tracef("skipping IPv6 prefix %s: IPv6 support not yet implemented", prefix)
-			continue
-		}
-
 		// nftables needs half-open intervals [firstIP, lastIP) for prefixes
 		// e.g. 10.0.0.0/24 becomes [10.0.0.0, 10.0.1.0), 10.1.1.1/32 becomes [10.1.1.1, 10.1.1.2) etc
 		firstIP := prefix.Addr()
 		lastIP := calculateLastIP(prefix).Next()
 
 		elements = append(elements,
-			// the nft tool also adds a line like this, see https://github.com/google/nftables/issues/247
+			// the nft tool also adds a zero-address IntervalEnd element, see https://github.com/google/nftables/issues/247
-			// nftables.SetElement{Key: []byte{0, 0, 0, 0}, IntervalEnd: true},
+			// nftables.SetElement{Key: make([]byte, r.af.addrLen), IntervalEnd: true},
 			nftables.SetElement{Key: firstIP.AsSlice()},
 			nftables.SetElement{Key: lastIP.AsSlice(), IntervalEnd: true},
 		)
@@ -579,10 +594,20 @@ func convertPrefixesToSet(prefixes []netip.Prefix) []nftables.SetElement {
 
 // calculateLastIP determines the last IP in a given prefix.
 func calculateLastIP(prefix netip.Prefix) netip.Addr {
-	hostMask := ^uint32(0) >> prefix.Masked().Bits()
+	masked := prefix.Masked()
-	lastIP := uint32FromNetipAddr(prefix.Addr()) | hostMask
+	if masked.Addr().Is4() {
+		hostMask := ^uint32(0) >> masked.Bits()
+		lastIP := uint32FromNetipAddr(masked.Addr()) | hostMask
+		return netip.AddrFrom4(uint32ToBytes(lastIP))
+	}
 
-	return netip.AddrFrom4(uint32ToBytes(lastIP))
+	// IPv6: set host bits to all 1s
+	b := masked.Addr().As16()
+	bits := masked.Bits()
+	for i := bits; i < 128; i++ {
+		b[i/8] |= 1 << (7 - i%8)
+	}
+	return netip.AddrFrom16(b)
 }
 
 // Utility function to convert netip.Addr to uint32.
@@ -834,9 +859,12 @@ func (r *router) addPostroutingRules() {
 }
 
 // addMSSClampingRules adds MSS clamping rules to prevent fragmentation for forwarded traffic.
-// TODO: Add IPv6 support
 func (r *router) addMSSClampingRules() error {
-	mss := r.mtu - ipTCPHeaderMinSize
+	overhead := uint16(ipv4TCPHeaderSize)
+	if r.af.tableFamily == nftables.TableFamilyIPv6 {
+		overhead = ipv6TCPHeaderSize
+	}
+	mss := r.mtu - overhead
 
 	exprsOut := []expr.Any{
 		&expr.Meta{
@@ -1043,17 +1071,22 @@ func (r *router) acceptFilterTableRules() error {
 		log.Debugf("Used %s to add accept forward and input rules", fw)
 	}()
 
-	// Try iptables first and fallback to nftables if iptables is not available
+	// Try iptables first and fallback to nftables if iptables is not available.
-	ipt, err := iptables.New()
+	// Use the correct protocol (iptables vs ip6tables) for the address family.
+	ipt, err := iptables.NewWithProtocol(r.iptablesProto())
 	if err != nil {
-		// iptables is not available but the filter table exists
 		log.Warnf("Will use nftables to manipulate the filter table because iptables is not available: %v", err)
 
 		fw = "nftables"
 		return r.acceptFilterRulesNftables(r.filterTable)
 	}
 
-	return r.acceptFilterRulesIptables(ipt)
+	if err := r.acceptFilterRulesIptables(ipt); err != nil {
+		log.Warnf("iptables failed (table may be incompatible), falling back to nftables: %v", err)
+		fw = "nftables"
+		return r.acceptFilterRulesNftables(r.filterTable)
+	}
+	return nil
 }
 
 func (r *router) acceptFilterRulesIptables(ipt *iptables.IPTables) error {
@@ -1222,13 +1255,17 @@ func (r *router) removeFilterTableRules() error {
 		return nil
 	}
 
-	ipt, err := iptables.New()
+	ipt, err := iptables.NewWithProtocol(r.iptablesProto())
 	if err != nil {
 		log.Debugf("iptables not available, using nftables to remove filter rules: %v", err)
 		return r.removeAcceptRulesFromTable(r.filterTable)
 	}
 
-	return r.removeAcceptFilterRulesIptables(ipt)
+	if err := r.removeAcceptFilterRulesIptables(ipt); err != nil {
+		log.Debugf("iptables removal failed (table may be incompatible), falling back to nftables: %v", err)
+		return r.removeAcceptRulesFromTable(r.filterTable)
+	}
+	return nil
 }
 
 func (r *router) removeAcceptRulesFromTable(table *nftables.Table) error {
@@ -1295,7 +1332,7 @@ func (r *router) removeExternalChainsRules() error {
 func (r *router) findExternalChains() []*nftables.Chain {
 	var chains []*nftables.Chain
 
-	families := []nftables.TableFamily{nftables.TableFamilyIPv4, nftables.TableFamilyINet}
+	families := []nftables.TableFamily{r.af.tableFamily, nftables.TableFamilyINet}
 
 	for _, family := range families {
 		allChains, err := r.conn.ListChainsOfTableFamily(family)
@@ -1319,8 +1356,8 @@ func (r *router) isExternalChain(chain *nftables.Chain) bool {
 		return false
 	}
 
-	// Skip all iptables-managed tables in the ip family
+	// Skip iptables/ip6tables-managed tables (adding nft-native rules breaks iptables-save compat)
-	if chain.Table.Family == nftables.TableFamilyIPv4 && isIptablesTable(chain.Table.Name) {
+	if (chain.Table.Family == nftables.TableFamilyIPv4 || chain.Table.Family == nftables.TableFamilyIPv6) && isIptablesTable(chain.Table.Name) {
 		return false
 	}
 
@@ -1461,7 +1498,7 @@ func (r *router) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
 		return rule, nil
 	}
 
-	protoNum, err := protoToInt(rule.Protocol)
+	protoNum, err := r.af.protoNum(rule.Protocol)
 	if err != nil {
 		return nil, fmt.Errorf("convert protocol to number: %w", err)
 	}
@@ -1524,7 +1561,7 @@ func (r *router) addDnatRedirect(rule firewall.ForwardRule, protoNum uint8, rule
 	dnatExprs = append(dnatExprs,
 		&expr.NAT{
 			Type:        expr.NATTypeDestNAT,
-			Family:      uint32(nftables.TableFamilyIPv4),
+			Family:      uint32(r.af.tableFamily),
 			RegAddrMin:  1,
 			RegProtoMin: regProtoMin,
 			RegProtoMax: regProtoMax,
@@ -1620,7 +1657,7 @@ func (r *router) addXTablesRedirect(dnatExprs []expr.Any, ruleKey string, rule f
 	dnatRule := &nftables.Rule{
 		Table: &nftables.Table{
 			Name:   tableNat,
-			Family: nftables.TableFamilyIPv4,
+			Family: r.af.tableFamily,
 		},
 		Chain: &nftables.Chain{
 			Name:     chainNameNatPrerouting,
@@ -1655,8 +1692,8 @@ func (r *router) addDnatMasq(rule firewall.ForwardRule, protoNum uint8, ruleKey
 		&expr.Payload{
 			DestRegister: 1,
 			Base:         expr.PayloadBaseNetworkHeader,
-			Offset:       16,
+			Offset:       r.af.dstAddrOffset,
-			Len:          4,
+			Len:          r.af.addrLen,
 		},
 		&expr.Cmp{
 			Op:       expr.CmpOpEq,
@@ -1734,7 +1771,7 @@ func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 		return fmt.Errorf("get set %s: %w", set.HashedName(), err)
 	}
 
-	elements := convertPrefixesToSet(prefixes)
+	elements := r.convertPrefixesToSet(prefixes)
 	if err := r.conn.SetAddElements(nfset, elements); err != nil {
 		return fmt.Errorf("add elements to set %s: %w", set.HashedName(), err)
 	}
@@ -1749,14 +1786,14 @@ func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 }
 
 // AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
-func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
-	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
+	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, originalPort, translatedPort)
 
 	if _, exists := r.rules[ruleID]; exists {
 		return nil
 	}
 
-	protoNum, err := protoToInt(protocol)
+	protoNum, err := r.af.protoNum(protocol)
 	if err != nil {
 		return fmt.Errorf("convert protocol to number: %w", err)
 	}
@@ -1783,11 +1820,15 @@ func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol
 		&expr.Cmp{
 			Op:       expr.CmpOpEq,
 			Register: 3,
-			Data:     binaryutil.BigEndian.PutUint16(sourcePort),
+			Data:     binaryutil.BigEndian.PutUint16(originalPort),
 		},
 	}
 
-	exprs = append(exprs, applyPrefix(netip.PrefixFrom(localAddr, 32), false)...)
+	bits := 32
+	if localAddr.Is6() {
+		bits = 128
+	}
+	exprs = append(exprs, r.applyPrefix(netip.PrefixFrom(localAddr, bits), false)...)
 
 	exprs = append(exprs,
 		&expr.Immediate{
@@ -1796,11 +1837,11 @@ func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol
 		},
 		&expr.Immediate{
 			Register: 2,
-			Data:     binaryutil.BigEndian.PutUint16(targetPort),
+			Data:     binaryutil.BigEndian.PutUint16(translatedPort),
 		},
 		&expr.NAT{
 			Type:        expr.NATTypeDestNAT,
-			Family:      uint32(nftables.TableFamilyIPv4),
+			Family:      uint32(r.af.tableFamily),
 			RegAddrMin:  1,
 			RegProtoMin: 2,
 			RegProtoMax: 0,
@@ -1825,12 +1866,12 @@ func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol
 }
 
 // RemoveInboundDNAT removes an inbound DNAT rule.
-func (r *router) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (r *router) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
 	if err := r.refreshRulesMap(); err != nil {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}
 
-	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
+	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, originalPort, translatedPort)
 
 	rule, exists := r.rules[ruleID]
 	if !exists {
@@ -1876,8 +1917,8 @@ func (r *router) ensureNATOutputChain() error {
 }
 
 // AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
-func (r *router) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (r *router) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
-	ruleID := fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
+	ruleID := fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, originalPort, translatedPort)
 
 	if _, exists := r.rules[ruleID]; exists {
 		return nil
@@ -1887,7 +1928,7 @@ func (r *router) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol,
 		return err
 	}
 
-	protoNum, err := protoToInt(protocol)
+	protoNum, err := r.af.protoNum(protocol)
 	if err != nil {
 		return fmt.Errorf("convert protocol to number: %w", err)
 	}
@@ -1908,11 +1949,15 @@ func (r *router) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol,
 		&expr.Cmp{
 			Op:       expr.CmpOpEq,
 			Register: 2,
-			Data:     binaryutil.BigEndian.PutUint16(sourcePort),
+			Data:     binaryutil.BigEndian.PutUint16(originalPort),
 		},
 	}
 
-	exprs = append(exprs, applyPrefix(netip.PrefixFrom(localAddr, 32), false)...)
+	bits := 32
+	if localAddr.Is6() {
+		bits = 128
+	}
+	exprs = append(exprs, r.applyPrefix(netip.PrefixFrom(localAddr, bits), false)...)
 
 	exprs = append(exprs,
 		&expr.Immediate{
@@ -1921,11 +1966,11 @@ func (r *router) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol,
 		},
 		&expr.Immediate{
 			Register: 2,
-			Data:     binaryutil.BigEndian.PutUint16(targetPort),
+			Data:     binaryutil.BigEndian.PutUint16(translatedPort),
 		},
 		&expr.NAT{
 			Type:        expr.NATTypeDestNAT,
-			Family:      uint32(nftables.TableFamilyIPv4),
+			Family:      uint32(r.af.tableFamily),
 			RegAddrMin:  1,
 			RegProtoMin: 2,
 		},
@@ -1949,12 +1994,12 @@ func (r *router) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol,
 }
 
 // RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
-func (r *router) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (r *router) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
 	if err := r.refreshRulesMap(); err != nil {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}
 
-	ruleID := fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
+	ruleID := fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, originalPort, translatedPort)
 
 	rule, exists := r.rules[ruleID]
 	if !exists {
@@ -1993,45 +2038,44 @@ func (r *router) applyNetwork(
 	}
 
 	if network.IsPrefix() {
-		return applyPrefix(network.Prefix, isSource), nil
+		return r.applyPrefix(network.Prefix, isSource), nil
 	}
 
 	return nil, nil
 }
 
 // applyPrefix generates nftables expressions for a CIDR prefix
-func applyPrefix(prefix netip.Prefix, isSource bool) []expr.Any {
+func (r *router) applyPrefix(prefix netip.Prefix, isSource bool) []expr.Any {
-	// dst offset
+	// dst offset by default
-	offset := uint32(16)
+	offset := r.af.dstAddrOffset
 	if isSource {
 		// src offset
-		offset = 12
+		offset = r.af.srcAddrOffset
 	}
 
 	ones := prefix.Bits()
-	// 0.0.0.0/0 doesn't need extra expressions
+	// unspecified address (/0) doesn't need extra expressions
 	if ones == 0 {
 		return nil
 	}
 
-	mask := net.CIDRMask(ones, 32)
+	mask := net.CIDRMask(ones, r.af.totalBits)
+	xor := make([]byte, r.af.addrLen)
 
 	return []expr.Any{
 		&expr.Payload{
 			DestRegister: 1,
 			Base:         expr.PayloadBaseNetworkHeader,
 			Offset:       offset,
-			Len:          4,
+			Len:          r.af.addrLen,
 		},
-		// netmask
 		&expr.Bitwise{
 			DestRegister:   1,
 			SourceRegister: 1,
-			Len:            4,
+			Len:            r.af.addrLen,
 			Mask:           mask,
-			Xor:            []byte{0, 0, 0, 0},
+			Xor:            xor,
 		},
-		// net address
 		&expr.Cmp{
 			Op:       expr.CmpOpEq,
 			Register: 1,
@@ -2114,13 +2158,12 @@ func getCtNewExprs() []expr.Any {
 	}
 }
 
-func getIpSetExprs(ref refcounter.Ref[*nftables.Set], isSource bool) ([]expr.Any, error) {
+func (r *router) getIpSetExprs(ref refcounter.Ref[*nftables.Set], isSource bool) ([]expr.Any, error) {
-
+	// dst offset by default
-	// dst offset
+	offset := r.af.dstAddrOffset
-	offset := uint32(16)
 	if isSource {
 		// src offset
-		offset = 12
+		offset = r.af.srcAddrOffset
 	}
 
 	return []expr.Any{
@@ -2128,7 +2171,7 @@ func getIpSetExprs(ref refcounter.Ref[*nftables.Set], isSource bool) ([]expr.Any
 			DestRegister: 1,
 			Base:         expr.PayloadBaseNetworkHeader,
 			Offset:       offset,
-			Len:          4,
+			Len:          r.af.addrLen,
 		},
 		&expr.Lookup{
 			SourceRegister: 1,

client/firewall/nftables/router_linux_test.go

@@ -90,8 +90,9 @@ func TestNftablesManager_AddNatRule(t *testing.T) {
 				}
 
 				// Build CIDR matching expressions
-				sourceExp := applyPrefix(testCase.InputPair.Source.Prefix, true)
+				testRouter := &router{af: afIPv4}
-				destExp := applyPrefix(testCase.InputPair.Destination.Prefix, false)
+				sourceExp := testRouter.applyPrefix(testCase.InputPair.Source.Prefix, true)
+				destExp := testRouter.applyPrefix(testCase.InputPair.Destination.Prefix, false)
 
 				// Combine all expressions in the correct order
 				// nolint:gocritic
@@ -508,6 +509,136 @@ func TestNftablesCreateIpSet(t *testing.T) {
 	}
 }
 
+func TestNftablesCreateIpSet_IPv6(t *testing.T) {
+	if check() != NFTABLES {
+		t.Skip("nftables not supported on this system")
+	}
+
+	workTable, err := createWorkTableIPv6()
+	require.NoError(t, err, "Failed to create v6 work table")
+	defer deleteWorkTableIPv6()
+
+	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
+	require.NoError(t, err, "Failed to create router")
+	require.NoError(t, r.init(workTable))
+	defer func() {
+		require.NoError(t, r.Reset(), "Failed to reset router")
+	}()
+
+	tests := []struct {
+		name     string
+		sources  []netip.Prefix
+		expected []netip.Prefix
+	}{
+		{
+			name:    "Single IPv6",
+			sources: []netip.Prefix{netip.MustParsePrefix("2001:db8::1/128")},
+		},
+		{
+			name: "Multiple IPv6 Subnets",
+			sources: []netip.Prefix{
+				netip.MustParsePrefix("fd00::/64"),
+				netip.MustParsePrefix("2001:db8::/48"),
+				netip.MustParsePrefix("fe80::/10"),
+			},
+		},
+		{
+			name: "Overlapping IPv6",
+			sources: []netip.Prefix{
+				netip.MustParsePrefix("fd00::/48"),
+				netip.MustParsePrefix("fd00::/64"),
+				netip.MustParsePrefix("fd00::1/128"),
+			},
+			expected: []netip.Prefix{
+				netip.MustParsePrefix("fd00::/48"),
+			},
+		},
+		{
+			name: "Mixed prefix lengths",
+			sources: []netip.Prefix{
+				netip.MustParsePrefix("2001:db8:1::/48"),
+				netip.MustParsePrefix("2001:db8:2::1/128"),
+				netip.MustParsePrefix("fd00:abcd::/32"),
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			setName := firewall.NewPrefixSet(tt.sources).HashedName()
+			set, err := r.createIpSet(setName, setInput{prefixes: tt.sources})
+			require.NoError(t, err, "Failed to create IPv6 set")
+			require.NotNil(t, set)
+
+			assert.Equal(t, setName, set.Name)
+			assert.True(t, set.Interval)
+			assert.Equal(t, nftables.TypeIP6Addr, set.KeyType)
+
+			fetchedSet, err := r.conn.GetSetByName(r.workTable, setName)
+			require.NoError(t, err, "Failed to fetch created set")
+
+			elements, err := r.conn.GetSetElements(fetchedSet)
+			require.NoError(t, err, "Failed to get set elements")
+
+			uniquePrefixes := make(map[string]bool)
+			for _, elem := range elements {
+				if !elem.IntervalEnd && len(elem.Key) == 16 {
+					ip := netip.AddrFrom16([16]byte(elem.Key))
+					uniquePrefixes[ip.String()] = true
+				}
+			}
+
+			expectedCount := len(tt.expected)
+			if expectedCount == 0 {
+				expectedCount = len(tt.sources)
+			}
+			assert.Equal(t, expectedCount, len(uniquePrefixes), "unique prefix count mismatch")
+
+			r.conn.DelSet(set)
+			require.NoError(t, r.conn.Flush())
+		})
+	}
+}
+
+func createWorkTableIPv6() (*nftables.Table, error) {
+	sConn, err := nftables.New(nftables.AsLasting())
+	if err != nil {
+		return nil, err
+	}
+
+	tables, err := sConn.ListTablesOfFamily(nftables.TableFamilyIPv6)
+	if err != nil {
+		return nil, err
+	}
+	for _, t := range tables {
+		if t.Name == tableNameNetbird {
+			sConn.DelTable(t)
+		}
+	}
+
+	table := sConn.AddTable(&nftables.Table{Name: tableNameNetbird, Family: nftables.TableFamilyIPv6})
+	err = sConn.Flush()
+	return table, err
+}
+
+func deleteWorkTableIPv6() {
+	sConn, err := nftables.New(nftables.AsLasting())
+	if err != nil {
+		return
+	}
+
+	tables, err := sConn.ListTablesOfFamily(nftables.TableFamilyIPv6)
+	if err != nil {
+		return
+	}
+	for _, t := range tables {
+		if t.Name == tableNameNetbird {
+			sConn.DelTable(t)
+			_ = sConn.Flush()
+		}
+	}
+}
+
 func verifyRule(t *testing.T, rule *nftables.Rule, sources []netip.Prefix, destination netip.Prefix, proto firewall.Protocol, sPort, dPort *firewall.Port, direction firewall.RuleDirection, action firewall.Action, expectSet bool) {
 	t.Helper()
 
@@ -627,7 +758,7 @@ func containsPort(exprs []expr.Any, port *firewall.Port, isSource bool) bool {
 
 func containsProtocol(exprs []expr.Any, proto firewall.Protocol) bool {
 	var metaFound, cmpFound bool
-	expectedProto, _ := protoToInt(proto)
+	expectedProto, _ := afIPv4.protoNum(proto)
 	for _, e := range exprs {
 		switch ex := e.(type) {
 		case *expr.Meta:
@@ -854,3 +985,55 @@ func TestRouter_AddNatRule_WithStaleEntry(t *testing.T) {
 	}
 	assert.Equal(t, 1, found, "NAT rule should exist in kernel")
 }
+
+func TestCalculateLastIP(t *testing.T) {
+	tests := []struct {
+		prefix string
+		want   string
+	}{
+		{"10.0.0.0/24", "10.0.0.255"},
+		{"10.0.0.0/32", "10.0.0.0"},
+		{"0.0.0.0/0", "255.255.255.255"},
+		{"192.168.1.0/28", "192.168.1.15"},
+		{"fd00::/64", "fd00::ffff:ffff:ffff:ffff"},
+		{"fd00::/128", "fd00::"},
+		{"2001:db8::/48", "2001:db8:0:ffff:ffff:ffff:ffff:ffff"},
+		{"::/0", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.prefix, func(t *testing.T) {
+			prefix := netip.MustParsePrefix(tt.prefix)
+			got := calculateLastIP(prefix)
+			assert.Equal(t, tt.want, got.String())
+		})
+	}
+}
+
+func TestConvertPrefixesToSet_IPv6(t *testing.T) {
+	r := &router{af: afIPv6}
+	prefixes := []netip.Prefix{
+		netip.MustParsePrefix("fd00::/64"),
+		netip.MustParsePrefix("2001:db8::1/128"),
+	}
+
+	elements := r.convertPrefixesToSet(prefixes)
+
+	// Each prefix produces 2 elements (start + end)
+	require.Len(t, elements, 4)
+
+	// fd00::/64 start
+	assert.Equal(t, netip.MustParseAddr("fd00::").As16(), [16]byte(elements[0].Key))
+	assert.False(t, elements[0].IntervalEnd)
+
+	// fd00::/64 end (fd00:0:0:1::, one past the last)
+	assert.Equal(t, netip.MustParseAddr("fd00:0:0:1::").As16(), [16]byte(elements[1].Key))
+	assert.True(t, elements[1].IntervalEnd)
+
+	// 2001:db8::1/128 start
+	assert.Equal(t, netip.MustParseAddr("2001:db8::1").As16(), [16]byte(elements[2].Key))
+	assert.False(t, elements[2].IntervalEnd)
+
+	// 2001:db8::1/128 end (2001:db8::2)
+	assert.Equal(t, netip.MustParseAddr("2001:db8::2").As16(), [16]byte(elements[3].Key))
+	assert.True(t, elements[3].IntervalEnd)
+}

client/firewall/uspfilter/allow_netbird_windows.go

@@ -5,8 +5,10 @@ import (
 	"os/exec"
 	"syscall"
 
+	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
 
+	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
 
@@ -29,15 +31,20 @@ func (m *Manager) Close(*statemanager.Manager) error {
 		return nil
 	}
 
-	if !isFirewallRuleActive(firewallRuleName) {
+	var merr *multierror.Error
-		return nil
+	if isFirewallRuleActive(firewallRuleName) {
+		if err := manageFirewallRule(firewallRuleName, deleteRule); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("remove windows firewall rule: %w", err))
+		}
 	}
 
-	if err := manageFirewallRule(firewallRuleName, deleteRule); err != nil {
+	if isFirewallRuleActive(firewallRuleName + "-v6") {
-		return fmt.Errorf("couldn't remove windows firewall: %w", err)
+		if err := manageFirewallRule(firewallRuleName+"-v6", deleteRule); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("remove windows v6 firewall rule: %w", err))
+		}
 	}
 
-	return nil
+	return nberrors.FormatErrorOrNil(merr)
 }
 
 // AllowNetbird allows netbird interface traffic
@@ -46,17 +53,33 @@ func (m *Manager) AllowNetbird() error {
 		return nil
 	}
 
-	if isFirewallRuleActive(firewallRuleName) {
+	if !isFirewallRuleActive(firewallRuleName) {
-		return nil
+		if err := manageFirewallRule(firewallRuleName,
+			addRule,
+			"dir=in",
+			"enable=yes",
+			"action=allow",
+			"profile=any",
+			"localip="+m.wgIface.Address().IP.String(),
+		); err != nil {
+			return err
+		}
 	}
-	return manageFirewallRule(firewallRuleName,
+
-		addRule,
+	if v6 := m.wgIface.Address().IPv6; v6.IsValid() && !isFirewallRuleActive(firewallRuleName+"-v6") {
-		"dir=in",
+		if err := manageFirewallRule(firewallRuleName+"-v6",
-		"enable=yes",
+			addRule,
-		"action=allow",
+			"dir=in",
-		"profile=any",
+			"enable=yes",
-		"localip="+m.wgIface.Address().IP.String(),
+			"action=allow",
-	)
+			"profile=any",
+			"localip="+v6.String(),
+		); err != nil {
+			return err
+		}
+	}
+
+	return nil
 }
 
 func manageFirewallRule(ruleName string, action action, extraArgs ...string) error {

client/firewall/uspfilter/conntrack/common.go

@@ -1,8 +1,9 @@
 package conntrack
 
 import (
-	"fmt"
+	"net"
 	"net/netip"
+	"strconv"
 	"sync/atomic"
 	"time"
 
@@ -64,5 +65,7 @@ type ConnKey struct {
 }
 
 func (c ConnKey) String() string {
-	return fmt.Sprintf("%s:%d → %s:%d", c.SrcIP.Unmap(), c.SrcPort, c.DstIP.Unmap(), c.DstPort)
+	return net.JoinHostPort(c.SrcIP.Unmap().String(), strconv.Itoa(int(c.SrcPort))) +
+		" → " +
+		net.JoinHostPort(c.DstIP.Unmap().String(), strconv.Itoa(int(c.DstPort)))
 }

client/firewall/uspfilter/conntrack/common_test.go

@@ -13,6 +13,54 @@ import (
 var logger = log.NewFromLogrus(logrus.StandardLogger())
 var flowLogger = netflow.NewManager(nil, []byte{}, nil).GetLogger()
 
+func TestConnKey_String(t *testing.T) {
+	tests := []struct {
+		name   string
+		key    ConnKey
+		expect string
+	}{
+		{
+			name: "IPv4",
+			key: ConnKey{
+				SrcIP:   netip.MustParseAddr("192.168.1.1"),
+				DstIP:   netip.MustParseAddr("10.0.0.1"),
+				SrcPort: 12345,
+				DstPort: 80,
+			},
+			expect: "192.168.1.1:12345 → 10.0.0.1:80",
+		},
+		{
+			name: "IPv6",
+			key: ConnKey{
+				SrcIP:   netip.MustParseAddr("2001:db8::1"),
+				DstIP:   netip.MustParseAddr("2001:db8::2"),
+				SrcPort: 54321,
+				DstPort: 443,
+			},
+			expect: "[2001:db8::1]:54321 → [2001:db8::2]:443",
+		},
+		{
+			name: "IPv4-mapped IPv6 unmaps",
+			key: ConnKey{
+				SrcIP:   netip.MustParseAddr("::ffff:10.0.0.1"),
+				DstIP:   netip.MustParseAddr("::ffff:10.0.0.2"),
+				SrcPort: 1000,
+				DstPort: 2000,
+			},
+			expect: "10.0.0.1:1000 → 10.0.0.2:2000",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			got := tc.key.String()
+			if got != tc.expect {
+				t.Errorf("got %q, want %q", got, tc.expect)
+			}
+		})
+	}
+}
+
 // Memory pressure tests
 func BenchmarkMemoryPressure(b *testing.B) {
 	b.Run("TCPHighLoad", func(b *testing.B) {

client/firewall/uspfilter/conntrack/icmp.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
+	"strconv"
 	"sync"
 	"time"
 
@@ -21,9 +22,10 @@ const (
 	// ICMPCleanupInterval is how often we check for stale ICMP connections
 	ICMPCleanupInterval = 15 * time.Second
 
-	// MaxICMPPayloadLength is the maximum length of ICMP payload we consider for original packet info,
+	// MaxICMPPayloadLength is the maximum length of ICMP payload we consider for original packet info.
-	// which includes the IP header (20 bytes) and transport header (8 bytes)
+	// IPv4: 20-byte header + 8-byte transport = 28 bytes.
-	MaxICMPPayloadLength = 28
+	// IPv6: 40-byte header + 8-byte transport = 48 bytes.
+	MaxICMPPayloadLength = 48
 )
 
 // ICMPConnKey uniquely identifies an ICMP connection
@@ -74,42 +76,74 @@ func (info ICMPInfo) String() string {
 	return info.TypeCode.String()
 }
 
-// isErrorMessage returns true if this ICMP type carries original packet info
+// isErrorMessage returns true if this ICMP type carries original packet info.
+// Covers both ICMPv4 and ICMPv6 error types. Without a family field we match
+// both sets; type 3 overlaps (v4 DestUnreachable / v6 TimeExceeded) so it's
+// kept as a literal.
 func (info ICMPInfo) isErrorMessage() bool {
 	typ := info.TypeCode.Type()
-	return typ == 3 || // Destination Unreachable
+	// ICMPv4 error types
-		typ == 5 || // Redirect
+	if typ == layers.ICMPv4TypeDestinationUnreachable ||
-		typ == 11 || // Time Exceeded
+		typ == layers.ICMPv4TypeRedirect ||
-		typ == 12 // Parameter Problem
+		typ == layers.ICMPv4TypeTimeExceeded ||
+		typ == layers.ICMPv4TypeParameterProblem {
+		return true
+	}
+	// ICMPv6 error types (type 3 already matched above as v4 DestUnreachable)
+	if typ == layers.ICMPv6TypeDestinationUnreachable ||
+		typ == layers.ICMPv6TypePacketTooBig ||
+		typ == layers.ICMPv6TypeParameterProblem {
+		return true
+	}
+	return false
 }
 
 // parseOriginalPacket extracts info about the original packet from ICMP payload
 func (info ICMPInfo) parseOriginalPacket() string {
-	if info.PayloadLen < MaxICMPPayloadLength {
+	if info.PayloadLen == 0 {
 		return ""
 	}
 
-	// TODO: handle IPv6
+	version := (info.PayloadData[0] >> 4) & 0xF
-	if version := (info.PayloadData[0] >> 4) & 0xF; version != 4 {
+
+	var protocol uint8
+	var srcIP, dstIP net.IP
+	var transportData []byte
+
+	switch version {
+	case 4:
+		// 20-byte IPv4 header + 8-byte transport minimum
+		if info.PayloadLen < 28 {
+			return ""
+		}
+		protocol = info.PayloadData[9]
+		srcIP = net.IP(info.PayloadData[12:16])
+		dstIP = net.IP(info.PayloadData[16:20])
+		transportData = info.PayloadData[20:]
+	case 6:
+		// 40-byte IPv6 header + 8-byte transport minimum
+		if info.PayloadLen < 48 {
+			return ""
+		}
+		// Next Header field in IPv6 header
+		protocol = info.PayloadData[6]
+		srcIP = net.IP(info.PayloadData[8:24])
+		dstIP = net.IP(info.PayloadData[24:40])
+		transportData = info.PayloadData[40:]
+	default:
 		return ""
 	}
 
-	protocol := info.PayloadData[9]
-	srcIP := net.IP(info.PayloadData[12:16])
-	dstIP := net.IP(info.PayloadData[16:20])
-
-	transportData := info.PayloadData[20:]
-
 	switch nftypes.Protocol(protocol) {
 	case nftypes.TCP:
 		srcPort := uint16(transportData[0])<<8 | uint16(transportData[1])
 		dstPort := uint16(transportData[2])<<8 | uint16(transportData[3])
-		return fmt.Sprintf("TCP %s:%d → %s:%d", srcIP, srcPort, dstIP, dstPort)
+		return "TCP " + net.JoinHostPort(srcIP.String(), strconv.Itoa(int(srcPort))) + " → " + net.JoinHostPort(dstIP.String(), strconv.Itoa(int(dstPort)))
 
 	case nftypes.UDP:
 		srcPort := uint16(transportData[0])<<8 | uint16(transportData[1])
 		dstPort := uint16(transportData[2])<<8 | uint16(transportData[3])
-		return fmt.Sprintf("UDP %s:%d → %s:%d", srcIP, srcPort, dstIP, dstPort)
+		return "UDP " + net.JoinHostPort(srcIP.String(), strconv.Itoa(int(srcPort))) + " → " + net.JoinHostPort(dstIP.String(), strconv.Itoa(int(dstPort)))
 
 	case nftypes.ICMP:
 		icmpType := transportData[0]
@@ -247,9 +281,10 @@ func (t *ICMPTracker) track(
 	t.sendEvent(nftypes.TypeStart, conn, ruleId)
 }
 
-// IsValidInbound checks if an inbound ICMP Echo Reply matches a tracked request
+// IsValidInbound checks if an inbound ICMP Echo Reply matches a tracked request.
+// Accepts both ICMPv4 (type 0) and ICMPv6 (type 129) echo replies.
 func (t *ICMPTracker) IsValidInbound(srcIP netip.Addr, dstIP netip.Addr, id uint16, icmpType uint8, size int) bool {
-	if icmpType != uint8(layers.ICMPv4TypeEchoReply) {
+	if icmpType != uint8(layers.ICMPv4TypeEchoReply) && icmpType != uint8(layers.ICMPv6TypeEchoReply) {
 		return false
 	}
 
@@ -301,6 +336,13 @@ func (t *ICMPTracker) cleanup() {
 	}
 }
 
+func icmpProtocolForAddr(ip netip.Addr) nftypes.Protocol {
+	if ip.Is6() {
+		return nftypes.ICMPv6
+	}
+	return nftypes.ICMP
+}
+
 // Close stops the cleanup routine and releases resources
 func (t *ICMPTracker) Close() {
 	t.tickerCancel()
@@ -316,7 +358,7 @@ func (t *ICMPTracker) sendEvent(typ nftypes.Type, conn *ICMPConnTrack, ruleID []
 		Type:      typ,
 		RuleID:    ruleID,
 		Direction: conn.Direction,
-		Protocol:  nftypes.ICMP, // TODO: adjust for IPv6/icmpv6
+		Protocol:  icmpProtocolForAddr(conn.SourceIP),
 		SourceIP:  conn.SourceIP,
 		DestIP:    conn.DestIP,
 		ICMPType:  conn.ICMPType,
@@ -334,7 +376,7 @@ func (t *ICMPTracker) sendStartEvent(direction nftypes.Direction, srcIP netip.Ad
 		Type:      nftypes.TypeStart,
 		RuleID:    ruleID,
 		Direction: direction,
-		Protocol:  nftypes.ICMP,
+		Protocol:  icmpProtocolForAddr(srcIP),
 		SourceIP:  srcIP,
 		DestIP:    dstIP,
 		ICMPType:  typ,

client/firewall/uspfilter/conntrack/icmp_test.go

@@ -5,6 +5,42 @@ import (
 	"testing"
 )
 
+func TestICMPConnKey_String(t *testing.T) {
+	tests := []struct {
+		name   string
+		key    ICMPConnKey
+		expect string
+	}{
+		{
+			name: "IPv4",
+			key: ICMPConnKey{
+				SrcIP: netip.MustParseAddr("192.168.1.1"),
+				DstIP: netip.MustParseAddr("10.0.0.1"),
+				ID:    1234,
+			},
+			expect: "192.168.1.1 → 10.0.0.1 (id 1234)",
+		},
+		{
+			name: "IPv6",
+			key: ICMPConnKey{
+				SrcIP: netip.MustParseAddr("2001:db8::1"),
+				DstIP: netip.MustParseAddr("2001:db8::2"),
+				ID:    5678,
+			},
+			expect: "2001:db8::1 → 2001:db8::2 (id 5678)",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			got := tc.key.String()
+			if got != tc.expect {
+				t.Errorf("got %q, want %q", got, tc.expect)
+			}
+		})
+	}
+}
+
 func BenchmarkICMPTracker(b *testing.B) {
 	b.Run("TrackOutbound", func(b *testing.B) {
 		tracker := NewICMPTracker(DefaultICMPTimeout, logger, flowLogger)

client/firewall/uspfilter/filter.go

@@ -35,8 +35,10 @@ import (
 const (
 	layerTypeAll = 255
 
-	// ipTCPHeaderMinSize represents minimum IP (20) + TCP (20) header size for MSS calculation
+	// ipv4TCPHeaderMinSize represents minimum IPv4 (20) + TCP (20) header size for MSS calculation
-	ipTCPHeaderMinSize = 40
+	ipv4TCPHeaderMinSize = 40
+	// ipv6TCPHeaderMinSize represents minimum IPv6 (40) + TCP (20) header size for MSS calculation
+	ipv6TCPHeaderMinSize = 60
 )
 
 // serviceKey represents a protocol/port combination for netstack service registry
@@ -137,9 +139,10 @@ type Manager struct {
 	netstackServices     map[serviceKey]struct{}
 	netstackServiceMutex sync.RWMutex
 
-	mtu             uint16
+	mtu               uint16
-	mssClampValue   uint16
+	mssClampValueIPv4 uint16
-	mssClampEnabled bool
+	mssClampValueIPv6 uint16
+	mssClampEnabled   bool
 
 	// Only one hook per protocol is supported. Outbound direction only.
 	udpHookOut atomic.Pointer[common.PacketHook]
@@ -156,11 +159,28 @@ type decoder struct {
 	icmp4   layers.ICMPv4
 	icmp6   layers.ICMPv6
 	decoded []gopacket.LayerType
-	parser  *gopacket.DecodingLayerParser
+	parser4 *gopacket.DecodingLayerParser
+	parser6 *gopacket.DecodingLayerParser
 
 	dnatOrigPort uint16
 }
 
+// decodePacket decodes packet data using the appropriate parser based on IP version.
+func (d *decoder) decodePacket(data []byte) error {
+	if len(data) == 0 {
+		return errors.New("empty packet")
+	}
+	version := data[0] >> 4
+	switch version {
+	case 4:
+		return d.parser4.DecodeLayers(data, &d.decoded)
+	case 6:
+		return d.parser6.DecodeLayers(data, &d.decoded)
+	default:
+		return fmt.Errorf("unknown IP version %d", version)
+	}
+}
+
 // Create userspace firewall manager constructor
 func Create(iface common.IFaceMapper, disableServerRoutes bool, flowLogger nftypes.FlowLogger, mtu uint16) (*Manager, error) {
 	return create(iface, nil, disableServerRoutes, flowLogger, mtu)
@@ -218,11 +238,17 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 				d := &decoder{
 					decoded: []gopacket.LayerType{},
 				}
-				d.parser = gopacket.NewDecodingLayerParser(
+				d.parser4 = gopacket.NewDecodingLayerParser(
 					layers.LayerTypeIPv4,
 					&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
 				)
-				d.parser.IgnoreUnsupported = true
+				d.parser4.IgnoreUnsupported = true
+
+				d.parser6 = gopacket.NewDecodingLayerParser(
+					layers.LayerTypeIPv6,
+					&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
+				)
+				d.parser6.IgnoreUnsupported = true
 				return d
 			},
 		},
@@ -248,7 +274,8 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 
 	if !disableMSSClamping {
 		m.mssClampEnabled = true
-		m.mssClampValue = mtu - ipTCPHeaderMinSize
+		m.mssClampValueIPv4 = mtu - ipv4TCPHeaderMinSize
+		m.mssClampValueIPv6 = mtu - ipv6TCPHeaderMinSize
 	}
 	if err := m.localipmanager.UpdateLocalIPs(iface); err != nil {
 		return nil, fmt.Errorf("update local IPs: %w", err)
@@ -275,9 +302,14 @@ func (m *Manager) blockInvalidRouted(iface common.IFaceMapper) (firewall.Rule, e
 	wgPrefix := iface.Address().Network
 	log.Debugf("blocking invalid routed traffic for %s", wgPrefix)
 
+	sources := []netip.Prefix{netip.PrefixFrom(netip.IPv4Unspecified(), 0)}
+	if v6 := iface.Address().IPv6Net; v6.IsValid() {
+		sources = append(sources, netip.PrefixFrom(netip.IPv6Unspecified(), 0))
+	}
+
 	rule, err := m.addRouteFiltering(
 		nil,
-		[]netip.Prefix{netip.PrefixFrom(netip.IPv4Unspecified(), 0)},
+		sources,
 		firewall.Network{Prefix: wgPrefix},
 		firewall.ProtocolALL,
 		nil,
@@ -285,7 +317,22 @@ func (m *Manager) blockInvalidRouted(iface common.IFaceMapper) (firewall.Rule, e
 		firewall.ActionDrop,
 	)
 	if err != nil {
-		return nil, fmt.Errorf("block wg nte : %w", err)
+		return nil, fmt.Errorf("block wg v4 net: %w", err)
+	}
+
+	if v6Net := iface.Address().IPv6Net; v6Net.IsValid() {
+		log.Debugf("blocking invalid routed traffic for %s", v6Net)
+		if _, err := m.addRouteFiltering(
+			nil,
+			sources,
+			firewall.Network{Prefix: v6Net},
+			firewall.ProtocolALL,
+			nil,
+			nil,
+			firewall.ActionDrop,
+		); err != nil {
+			return nil, fmt.Errorf("block wg v6 net: %w", err)
+		}
 	}
 
 	// TODO: Block networks that we're a client of
@@ -502,7 +549,7 @@ func (m *Manager) addRouteFiltering(
 		mgmtId:     id,
 		sources:    sources,
 		dstSet:     destination.Set,
-		protoLayer: protoToLayer(proto, layers.LayerTypeIPv4),
+		protoLayer: protoToLayer(proto, ipLayerFromPrefix(destination.Prefix)),
 		srcPort:    sPort,
 		dstPort:    dPort,
 		action:     action,
@@ -656,11 +703,7 @@ func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	}
 
 	destinations := matches[0].destinations
-	for _, prefix := range prefixes {
+	destinations = append(destinations, prefixes...)
-		if prefix.Addr().Is4() {
-			destinations = append(destinations, prefix)
-		}
-	}
 
 	slices.SortFunc(destinations, func(a, b netip.Prefix) int {
 		cmp := a.Addr().Compare(b.Addr())
@@ -699,7 +742,7 @@ func (m *Manager) filterOutbound(packetData []byte, size int) bool {
 	d := m.decoders.Get().(*decoder)
 	defer m.decoders.Put(d)
 
-	if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
+	if err := d.decodePacket(packetData); err != nil {
 		return false
 	}
 
@@ -783,12 +826,28 @@ func (m *Manager) clampTCPMSS(packetData []byte, d *decoder) bool {
 		return false
 	}
 
+	var mssClampValue uint16
+	var ipHeaderSize int
+	switch d.decoded[0] {
+	case layers.LayerTypeIPv4:
+		mssClampValue = m.mssClampValueIPv4
+		ipHeaderSize = int(d.ip4.IHL) * 4
+		if ipHeaderSize < 20 {
+			return false
+		}
+	case layers.LayerTypeIPv6:
+		mssClampValue = m.mssClampValueIPv6
+		ipHeaderSize = 40
+	default:
+		return false
+	}
+
 	mssOptionIndex := -1
 	var currentMSS uint16
 	for i, opt := range d.tcp.Options {
 		if opt.OptionType == layers.TCPOptionKindMSS && len(opt.OptionData) == 2 {
 			currentMSS = binary.BigEndian.Uint16(opt.OptionData)
-			if currentMSS > m.mssClampValue {
+			if currentMSS > mssClampValue {
 				mssOptionIndex = i
 				break
 			}
@@ -799,20 +858,15 @@ func (m *Manager) clampTCPMSS(packetData []byte, d *decoder) bool {
 		return false
 	}
 
-	ipHeaderSize := int(d.ip4.IHL) * 4
+	if !m.updateMSSOption(packetData, d, mssOptionIndex, mssClampValue, ipHeaderSize) {
-	if ipHeaderSize < 20 {
 		return false
 	}
 
-	if !m.updateMSSOption(packetData, d, mssOptionIndex, ipHeaderSize) {
+	m.logger.Trace2("Clamped TCP MSS from %d to %d", currentMSS, mssClampValue)
-		return false
-	}
-
-	m.logger.Trace2("Clamped TCP MSS from %d to %d", currentMSS, m.mssClampValue)
 	return true
 }
 
-func (m *Manager) updateMSSOption(packetData []byte, d *decoder, mssOptionIndex, ipHeaderSize int) bool {
+func (m *Manager) updateMSSOption(packetData []byte, d *decoder, mssOptionIndex int, mssClampValue uint16, ipHeaderSize int) bool {
 	tcpHeaderStart := ipHeaderSize
 	tcpOptionsStart := tcpHeaderStart + 20
 
@@ -827,7 +881,7 @@ func (m *Manager) updateMSSOption(packetData []byte, d *decoder, mssOptionIndex,
 	}
 
 	mssValueOffset := optOffset + 2
-	binary.BigEndian.PutUint16(packetData[mssValueOffset:mssValueOffset+2], m.mssClampValue)
+	binary.BigEndian.PutUint16(packetData[mssValueOffset:mssValueOffset+2], mssClampValue)
 
 	m.recalculateTCPChecksum(packetData, d, tcpHeaderStart)
 	return true
@@ -837,18 +891,32 @@ func (m *Manager) recalculateTCPChecksum(packetData []byte, d *decoder, tcpHeade
 	tcpLayer := packetData[tcpHeaderStart:]
 	tcpLength := len(packetData) - tcpHeaderStart
 
+	// Zero out existing checksum
 	tcpLayer[16] = 0
 	tcpLayer[17] = 0
 
+	// Build pseudo-header checksum based on IP version
 	var pseudoSum uint32
-	pseudoSum += uint32(d.ip4.SrcIP[0])<<8 | uint32(d.ip4.SrcIP[1])
+	switch d.decoded[0] {
-	pseudoSum += uint32(d.ip4.SrcIP[2])<<8 | uint32(d.ip4.SrcIP[3])
+	case layers.LayerTypeIPv4:
-	pseudoSum += uint32(d.ip4.DstIP[0])<<8 | uint32(d.ip4.DstIP[1])
+		pseudoSum += uint32(d.ip4.SrcIP[0])<<8 | uint32(d.ip4.SrcIP[1])
-	pseudoSum += uint32(d.ip4.DstIP[2])<<8 | uint32(d.ip4.DstIP[3])
+		pseudoSum += uint32(d.ip4.SrcIP[2])<<8 | uint32(d.ip4.SrcIP[3])
-	pseudoSum += uint32(d.ip4.Protocol)
+		pseudoSum += uint32(d.ip4.DstIP[0])<<8 | uint32(d.ip4.DstIP[1])
-	pseudoSum += uint32(tcpLength)
+		pseudoSum += uint32(d.ip4.DstIP[2])<<8 | uint32(d.ip4.DstIP[3])
+		pseudoSum += uint32(d.ip4.Protocol)
+		pseudoSum += uint32(tcpLength)
+	case layers.LayerTypeIPv6:
+		for i := 0; i < 16; i += 2 {
+			pseudoSum += uint32(d.ip6.SrcIP[i])<<8 | uint32(d.ip6.SrcIP[i+1])
+		}
+		for i := 0; i < 16; i += 2 {
+			pseudoSum += uint32(d.ip6.DstIP[i])<<8 | uint32(d.ip6.DstIP[i+1])
+		}
+		pseudoSum += uint32(tcpLength)
+		pseudoSum += uint32(layers.IPProtocolTCP)
+	}
 
-	var sum = pseudoSum
+	sum := pseudoSum
 	for i := 0; i < tcpLength-1; i += 2 {
 		sum += uint32(tcpLayer[i])<<8 | uint32(tcpLayer[i+1])
 	}
@@ -886,6 +954,9 @@ func (m *Manager) trackOutbound(d *decoder, srcIP, dstIP netip.Addr, packetData
 		}
 	case layers.LayerTypeICMPv4:
 		m.icmpTracker.TrackOutbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, d.icmp4.Payload, size)
+	case layers.LayerTypeICMPv6:
+		id, tc := icmpv6EchoFields(d)
+		m.icmpTracker.TrackOutbound(srcIP, dstIP, id, tc, d.icmp6.Payload, size)
 	}
 }
 
@@ -899,6 +970,9 @@ func (m *Manager) trackInbound(d *decoder, srcIP, dstIP netip.Addr, ruleID []byt
 		m.tcpTracker.TrackInbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, ruleID, size, d.dnatOrigPort)
 	case layers.LayerTypeICMPv4:
 		m.icmpTracker.TrackInbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, ruleID, d.icmp4.Payload, size)
+	case layers.LayerTypeICMPv6:
+		id, tc := icmpv6EchoFields(d)
+		m.icmpTracker.TrackInbound(srcIP, dstIP, id, tc, ruleID, d.icmp6.Payload, size)
 	}
 
 	d.dnatOrigPort = 0
@@ -931,15 +1005,19 @@ func (m *Manager) filterInbound(packetData []byte, size int) bool {
 
 	// TODO: pass fragments of routed packets to forwarder
 	if fragment {
-		m.logger.Trace4("packet is a fragment: src=%v dst=%v id=%v flags=%v",
+		if d.decoded[0] == layers.LayerTypeIPv4 {
-			srcIP, dstIP, d.ip4.Id, d.ip4.Flags)
+			m.logger.Trace4("packet is a fragment: src=%v dst=%v id=%v flags=%v",
+				srcIP, dstIP, d.ip4.Id, d.ip4.Flags)
+		} else {
+			m.logger.Trace2("packet is an IPv6 fragment: src=%v dst=%v", srcIP, dstIP)
+		}
 		return false
 	}
 
 	// TODO: optimize port DNAT by caching matched rules in conntrack
 	if translated := m.translateInboundPortDNAT(packetData, d, srcIP, dstIP); translated {
 		// Re-decode after port DNAT translation to update port information
-		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
+		if err := d.decodePacket(packetData); err != nil {
 			m.logger.Error1("failed to re-decode packet after port DNAT: %v", err)
 			return true
 		}
@@ -948,7 +1026,7 @@ func (m *Manager) filterInbound(packetData []byte, size int) bool {
 
 	if translated := m.translateInboundReverse(packetData, d); translated {
 		// Re-decode after translation to get original addresses
-		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
+		if err := d.decodePacket(packetData); err != nil {
 			m.logger.Error1("failed to re-decode packet after reverse DNAT: %v", err)
 			return true
 		}
@@ -1080,6 +1158,48 @@ func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packe
 	return true
 }
 
+// icmpv6EchoFields extracts the echo identifier from an ICMPv6 packet and maps
+// the ICMPv6 type code to an ICMPv4TypeCode so the ICMP conntrack can handle
+// both families uniformly. The echo ID is in the first two payload bytes.
+func icmpv6EchoFields(d *decoder) (id uint16, tc layers.ICMPv4TypeCode) {
+	if len(d.icmp6.Payload) >= 2 {
+		id = uint16(d.icmp6.Payload[0])<<8 | uint16(d.icmp6.Payload[1])
+	}
+	// Map ICMPv6 echo types to ICMPv4 equivalents for unified tracking.
+	switch d.icmp6.TypeCode.Type() {
+	case layers.ICMPv6TypeEchoRequest:
+		tc = layers.CreateICMPv4TypeCode(layers.ICMPv4TypeEchoRequest, 0)
+	case layers.ICMPv6TypeEchoReply:
+		tc = layers.CreateICMPv4TypeCode(layers.ICMPv4TypeEchoReply, 0)
+	default:
+		tc = layers.CreateICMPv4TypeCode(d.icmp6.TypeCode.Type(), d.icmp6.TypeCode.Code())
+	}
+	return id, tc
+}
+
+// protoLayerMatches checks if a packet's protocol layer matches a rule's expected
+// protocol layer. ICMPv4 and ICMPv6 are treated as equivalent when matching
+// ICMP rules since management sends a single ICMP rule for both families.
+func protoLayerMatches(ruleLayer, packetLayer gopacket.LayerType) bool {
+	if ruleLayer == packetLayer {
+		return true
+	}
+	if ruleLayer == layers.LayerTypeICMPv4 && packetLayer == layers.LayerTypeICMPv6 {
+		return true
+	}
+	if ruleLayer == layers.LayerTypeICMPv6 && packetLayer == layers.LayerTypeICMPv4 {
+		return true
+	}
+	return false
+}
+
+func ipLayerFromPrefix(p netip.Prefix) gopacket.LayerType {
+	if p.Addr().Is6() {
+		return layers.LayerTypeIPv6
+	}
+	return layers.LayerTypeIPv4
+}
+
 func protoToLayer(proto firewall.Protocol, ipLayer gopacket.LayerType) gopacket.LayerType {
 	switch proto {
 	case firewall.ProtocolTCP:
@@ -1103,8 +1223,10 @@ func getProtocolFromPacket(d *decoder) nftypes.Protocol {
 		return nftypes.TCP
 	case layers.LayerTypeUDP:
 		return nftypes.UDP
-	case layers.LayerTypeICMPv4, layers.LayerTypeICMPv6:
+	case layers.LayerTypeICMPv4:
 		return nftypes.ICMP
+	case layers.LayerTypeICMPv6:
+		return nftypes.ICMPv6
 	default:
 		return nftypes.ProtocolUnknown
 	}
@@ -1125,7 +1247,7 @@ func getPortsFromPacket(d *decoder) (srcPort, dstPort uint16) {
 // It returns true, false if the packet is valid and not a fragment.
 // It returns true, true if the packet is a fragment and valid.
 func (m *Manager) isValidPacket(d *decoder, packetData []byte) (bool, bool) {
-	if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
+	if err := d.decodePacket(packetData); err != nil {
 		m.logger.Trace1("couldn't decode packet, err: %s", err)
 		return false, false
 	}
@@ -1138,10 +1260,18 @@ func (m *Manager) isValidPacket(d *decoder, packetData []byte) (bool, bool) {
 	}
 
 	// Fragments are also valid
-	if l == 1 && d.decoded[0] == layers.LayerTypeIPv4 {
+	if l == 1 {
-		ip4 := d.ip4
+		switch d.decoded[0] {
-		if ip4.Flags&layers.IPv4MoreFragments != 0 || ip4.FragOffset != 0 {
+		case layers.LayerTypeIPv4:
-			return true, true
+			if d.ip4.Flags&layers.IPv4MoreFragments != 0 || d.ip4.FragOffset != 0 {
+				return true, true
+			}
+		case layers.LayerTypeIPv6:
+			// IPv6 uses Fragment extension header (NextHeader=44). If gopacket
+			// only decoded the IPv6 layer, the transport is in a fragment.
+			if d.ip6.NextHeader == layers.IPProtocolIPv6Fragment {
+				return true, true
+			}
 		}
 	}
 
@@ -1179,21 +1309,34 @@ func (m *Manager) isValidTrackedConnection(d *decoder, srcIP, dstIP netip.Addr,
 			size,
 		)
 
-		// TODO: ICMPv6
+	case layers.LayerTypeICMPv6:
+		id, _ := icmpv6EchoFields(d)
+		return m.icmpTracker.IsValidInbound(
+			srcIP,
+			dstIP,
+			id,
+			d.icmp6.TypeCode.Type(),
+			size,
+		)
 	}
 
 	return false
 }
 
-// isSpecialICMP returns true if the packet is a special ICMP packet that should be allowed
+// isSpecialICMP returns true if the packet is a special ICMP error packet that should be allowed.
 func (m *Manager) isSpecialICMP(d *decoder) bool {
-	if d.decoded[1] != layers.LayerTypeICMPv4 {
+	switch d.decoded[1] {
-		return false
+	case layers.LayerTypeICMPv4:
+		icmpType := d.icmp4.TypeCode.Type()
+		return icmpType == layers.ICMPv4TypeDestinationUnreachable ||
+			icmpType == layers.ICMPv4TypeTimeExceeded
+	case layers.LayerTypeICMPv6:
+		icmpType := d.icmp6.TypeCode.Type()
+		return icmpType == layers.ICMPv6TypeDestinationUnreachable ||
+			icmpType == layers.ICMPv6TypePacketTooBig ||
+			icmpType == layers.ICMPv6TypeTimeExceeded
 	}
-
+	return false
-	icmpType := d.icmp4.TypeCode.Type()
-	return icmpType == layers.ICMPv4TypeDestinationUnreachable ||
-		icmpType == layers.ICMPv4TypeTimeExceeded
 }
 
 func (m *Manager) peerACLsBlock(srcIP netip.Addr, d *decoder, packetData []byte) ([]byte, bool) {
@@ -1250,7 +1393,7 @@ func validateRule(ip netip.Addr, packetData []byte, rules map[string]PeerRule, d
 			return rule.mgmtId, rule.drop, true
 		}
 
-		if payloadLayer != rule.protoLayer {
+		if !protoLayerMatches(rule.protoLayer, payloadLayer) {
 			continue
 		}
 
@@ -1285,8 +1428,7 @@ func (m *Manager) routeACLsPass(srcIP, dstIP netip.Addr, protoLayer gopacket.Lay
 }
 
 func (m *Manager) ruleMatches(rule *RouteRule, srcAddr, dstAddr netip.Addr, protoLayer gopacket.LayerType, srcPort, dstPort uint16) bool {
-	// TODO: handle ipv6 vs ipv4 icmp rules
+	if rule.protoLayer != layerTypeAll && !protoLayerMatches(rule.protoLayer, protoLayer) {
-	if rule.protoLayer != layerTypeAll && rule.protoLayer != protoLayer {
 		return false
 	}
 
@@ -1440,7 +1582,8 @@ func (m *Manager) shouldForward(d *decoder, dstIP netip.Addr) bool {
 	}
 
 	// traffic to our other local interfaces (not NetBird IP) - always forward
-	if dstIP != m.wgIface.Address().IP {
+	addr := m.wgIface.Address()
+	if dstIP != addr.IP && (!addr.IPv6.IsValid() || dstIP != addr.IPv6) {
 		return true
 	}
 

client/firewall/uspfilter/filter_bench_test.go

@@ -1023,7 +1023,8 @@ func BenchmarkMSSClamping(b *testing.B) {
 			}()
 
 			manager.mssClampEnabled = true
-			manager.mssClampValue = 1240
+			manager.mssClampValueIPv4 = 1240
+			manager.mssClampValueIPv6 = 1220
 
 			srcIP := net.ParseIP("100.64.0.2")
 			dstIP := net.ParseIP("8.8.8.8")
@@ -1088,7 +1089,8 @@ func BenchmarkMSSClampingOverhead(b *testing.B) {
 
 			manager.mssClampEnabled = sc.enabled
 			if sc.enabled {
-				manager.mssClampValue = 1240
+				manager.mssClampValueIPv4 = 1240
+				manager.mssClampValueIPv6 = 1220
 			}
 
 			srcIP := net.ParseIP("100.64.0.2")
@@ -1141,7 +1143,8 @@ func BenchmarkMSSClampingMemory(b *testing.B) {
 			}()
 
 			manager.mssClampEnabled = true
-			manager.mssClampValue = 1240
+			manager.mssClampValueIPv4 = 1240
+			manager.mssClampValueIPv6 = 1220
 
 			srcIP := net.ParseIP("100.64.0.2")
 			dstIP := net.ParseIP("8.8.8.8")

client/firewall/uspfilter/filter_filter_test.go

@@ -539,53 +539,236 @@ func TestPeerACLFiltering(t *testing.T) {
 	}
 }
 
+func TestPeerACLFilteringIPv6(t *testing.T) {
+	localIP := netip.MustParseAddr("100.10.0.100")
+	localIPv6 := netip.MustParseAddr("fd00::100")
+	wgNet := netip.MustParsePrefix("100.10.0.0/16")
+	wgNetV6 := netip.MustParsePrefix("fd00::/64")
+
+	ifaceMock := &IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+		AddressFunc: func() wgaddr.Address {
+			return wgaddr.Address{
+				IP:      localIP,
+				Network: wgNet,
+				IPv6:    localIPv6,
+				IPv6Net: wgNetV6,
+			}
+		},
+	}
+
+	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
+	require.NoError(t, err)
+	t.Cleanup(func() { require.NoError(t, manager.Close(nil)) })
+
+	err = manager.UpdateLocalIPs()
+	require.NoError(t, err)
+
+	testCases := []struct {
+		name            string
+		srcIP           string
+		dstIP           string
+		proto           fw.Protocol
+		srcPort         uint16
+		dstPort         uint16
+		ruleIP          string
+		ruleProto       fw.Protocol
+		ruleDstPort     *fw.Port
+		ruleAction      fw.Action
+		shouldBeBlocked bool
+	}{
+		{
+			name:            "IPv6: allow TCP from peer",
+			srcIP:           "fd00::1",
+			dstIP:           "fd00::100",
+			proto:           fw.ProtocolTCP,
+			srcPort:         12345,
+			dstPort:         443,
+			ruleIP:          "fd00::1",
+			ruleProto:       fw.ProtocolTCP,
+			ruleDstPort:     &fw.Port{Values: []uint16{443}},
+			ruleAction:      fw.ActionAccept,
+			shouldBeBlocked: false,
+		},
+		{
+			name:            "IPv6: allow UDP from peer",
+			srcIP:           "fd00::1",
+			dstIP:           "fd00::100",
+			proto:           fw.ProtocolUDP,
+			srcPort:         12345,
+			dstPort:         53,
+			ruleIP:          "fd00::1",
+			ruleProto:       fw.ProtocolUDP,
+			ruleDstPort:     &fw.Port{Values: []uint16{53}},
+			ruleAction:      fw.ActionAccept,
+			shouldBeBlocked: false,
+		},
+		{
+			name:            "IPv6: allow ICMPv6 from peer",
+			srcIP:           "fd00::1",
+			dstIP:           "fd00::100",
+			proto:           fw.ProtocolICMP,
+			ruleIP:          "fd00::1",
+			ruleProto:       fw.ProtocolICMP,
+			ruleAction:      fw.ActionAccept,
+			shouldBeBlocked: false,
+		},
+		{
+			name:            "IPv6: block TCP without rule",
+			srcIP:           "fd00::2",
+			dstIP:           "fd00::100",
+			proto:           fw.ProtocolTCP,
+			srcPort:         12345,
+			dstPort:         443,
+			ruleIP:          "fd00::1",
+			ruleProto:       fw.ProtocolTCP,
+			ruleDstPort:     &fw.Port{Values: []uint16{443}},
+			ruleAction:      fw.ActionAccept,
+			shouldBeBlocked: true,
+		},
+		{
+			name:            "IPv6: drop rule",
+			srcIP:           "fd00::1",
+			dstIP:           "fd00::100",
+			proto:           fw.ProtocolTCP,
+			srcPort:         12345,
+			dstPort:         22,
+			ruleIP:          "fd00::1",
+			ruleProto:       fw.ProtocolTCP,
+			ruleDstPort:     &fw.Port{Values: []uint16{22}},
+			ruleAction:      fw.ActionDrop,
+			shouldBeBlocked: true,
+		},
+		{
+			name:            "IPv6: allow all protocols",
+			srcIP:           "fd00::1",
+			dstIP:           "fd00::100",
+			proto:           fw.ProtocolUDP,
+			srcPort:         12345,
+			dstPort:         9999,
+			ruleIP:          "fd00::1",
+			ruleProto:       fw.ProtocolALL,
+			ruleAction:      fw.ActionAccept,
+			shouldBeBlocked: false,
+		},
+		{
+			name:            "IPv6: v4 wildcard ICMP rule matches ICMPv6 via protoLayerMatches",
+			srcIP:           "fd00::1",
+			dstIP:           "fd00::100",
+			proto:           fw.ProtocolICMP,
+			ruleIP:          "0.0.0.0",
+			ruleProto:       fw.ProtocolICMP,
+			ruleAction:      fw.ActionAccept,
+			shouldBeBlocked: false,
+		},
+	}
+
+	t.Run("IPv6 implicit DROP (no rules)", func(t *testing.T) {
+		packet := createTestPacket(t, "fd00::1", "fd00::100", fw.ProtocolTCP, 12345, 443)
+		isDropped := manager.FilterInbound(packet, 0)
+		require.True(t, isDropped, "IPv6 packet should be dropped when no rules exist")
+	})
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			if tc.ruleAction == fw.ActionDrop {
+				rules, err := manager.AddPeerFiltering(nil, net.ParseIP(tc.ruleIP), fw.ProtocolALL, nil, nil, fw.ActionAccept, "")
+				require.NoError(t, err)
+				t.Cleanup(func() {
+					for _, rule := range rules {
+						require.NoError(t, manager.DeletePeerRule(rule))
+					}
+				})
+			}
+
+			rules, err := manager.AddPeerFiltering(nil, net.ParseIP(tc.ruleIP), tc.ruleProto, nil, tc.ruleDstPort, tc.ruleAction, "")
+			require.NoError(t, err)
+			require.NotEmpty(t, rules)
+			t.Cleanup(func() {
+				for _, rule := range rules {
+					require.NoError(t, manager.DeletePeerRule(rule))
+				}
+			})
+
+			packet := createTestPacket(t, tc.srcIP, tc.dstIP, tc.proto, tc.srcPort, tc.dstPort)
+			isDropped := manager.FilterInbound(packet, 0)
+			require.Equal(t, tc.shouldBeBlocked, isDropped, "packet filter result mismatch")
+		})
+	}
+}
+
 func createTestPacket(t *testing.T, srcIP, dstIP string, proto fw.Protocol, srcPort, dstPort uint16) []byte {
 	t.Helper()
 
+	src := net.ParseIP(srcIP)
+	dst := net.ParseIP(dstIP)
+
 	buf := gopacket.NewSerializeBuffer()
 	opts := gopacket.SerializeOptions{
 		ComputeChecksums: true,
 		FixLengths:       true,
 	}
 
-	ipLayer := &layers.IPv4{
+	// Detect address family
-		Version: 4,
+	isV6 := src.To4() == nil
-		TTL:     64,
-		SrcIP:   net.ParseIP(srcIP),
-		DstIP:   net.ParseIP(dstIP),
-	}
 
 	var err error
-	switch proto {
-	case fw.ProtocolTCP:
-		ipLayer.Protocol = layers.IPProtocolTCP
-		tcp := &layers.TCP{
-			SrcPort: layers.TCPPort(srcPort),
-			DstPort: layers.TCPPort(dstPort),
-		}
-		err = tcp.SetNetworkLayerForChecksum(ipLayer)
-		require.NoError(t, err)
-		err = gopacket.SerializeLayers(buf, opts, ipLayer, tcp)
 
-	case fw.ProtocolUDP:
+	if isV6 {
-		ipLayer.Protocol = layers.IPProtocolUDP
+		ip6 := &layers.IPv6{
-		udp := &layers.UDP{
+			Version:  6,
-			SrcPort: layers.UDPPort(srcPort),
+			HopLimit: 64,
-			DstPort: layers.UDPPort(dstPort),
+			SrcIP:    src,
+			DstIP:    dst,
 		}
-		err = udp.SetNetworkLayerForChecksum(ipLayer)
-		require.NoError(t, err)
-		err = gopacket.SerializeLayers(buf, opts, ipLayer, udp)
 
-	case fw.ProtocolICMP:
+		switch proto {
-		ipLayer.Protocol = layers.IPProtocolICMPv4
+		case fw.ProtocolTCP:
-		icmp := &layers.ICMPv4{
+			ip6.NextHeader = layers.IPProtocolTCP
-			TypeCode: layers.CreateICMPv4TypeCode(layers.ICMPv4TypeEchoRequest, 0),
+			tcp := &layers.TCP{SrcPort: layers.TCPPort(srcPort), DstPort: layers.TCPPort(dstPort)}
+			_ = tcp.SetNetworkLayerForChecksum(ip6)
+			err = gopacket.SerializeLayers(buf, opts, ip6, tcp)
+		case fw.ProtocolUDP:
+			ip6.NextHeader = layers.IPProtocolUDP
+			udp := &layers.UDP{SrcPort: layers.UDPPort(srcPort), DstPort: layers.UDPPort(dstPort)}
+			_ = udp.SetNetworkLayerForChecksum(ip6)
+			err = gopacket.SerializeLayers(buf, opts, ip6, udp)
+		case fw.ProtocolICMP:
+			ip6.NextHeader = layers.IPProtocolICMPv6
+			icmp := &layers.ICMPv6{
+				TypeCode: layers.CreateICMPv6TypeCode(layers.ICMPv6TypeEchoRequest, 0),
+			}
+			_ = icmp.SetNetworkLayerForChecksum(ip6)
+			err = gopacket.SerializeLayers(buf, opts, ip6, icmp)
+		default:
+			err = gopacket.SerializeLayers(buf, opts, ip6)
+		}
+	} else {
+		ip4 := &layers.IPv4{
+			Version: 4,
+			TTL:     64,
+			SrcIP:   src,
+			DstIP:   dst,
 		}
-		err = gopacket.SerializeLayers(buf, opts, ipLayer, icmp)
 
-	default:
+		switch proto {
-		err = gopacket.SerializeLayers(buf, opts, ipLayer)
+		case fw.ProtocolTCP:
+			ip4.Protocol = layers.IPProtocolTCP
+			tcp := &layers.TCP{SrcPort: layers.TCPPort(srcPort), DstPort: layers.TCPPort(dstPort)}
+			_ = tcp.SetNetworkLayerForChecksum(ip4)
+			err = gopacket.SerializeLayers(buf, opts, ip4, tcp)
+		case fw.ProtocolUDP:
+			ip4.Protocol = layers.IPProtocolUDP
+			udp := &layers.UDP{SrcPort: layers.UDPPort(srcPort), DstPort: layers.UDPPort(dstPort)}
+			_ = udp.SetNetworkLayerForChecksum(ip4)
+			err = gopacket.SerializeLayers(buf, opts, ip4, udp)
+		case fw.ProtocolICMP:
+			ip4.Protocol = layers.IPProtocolICMPv4
+			icmp := &layers.ICMPv4{TypeCode: layers.CreateICMPv4TypeCode(layers.ICMPv4TypeEchoRequest, 0)}
+			err = gopacket.SerializeLayers(buf, opts, ip4, icmp)
+		default:
+			err = gopacket.SerializeLayers(buf, opts, ip4)
+		}
 	}
 
 	require.NoError(t, err)
@@ -1498,3 +1681,103 @@ func TestRouteACLSet(t *testing.T) {
 	_, isAllowed = manager.routeACLsPass(srcIP, dstIP, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
 	require.True(t, isAllowed, "After set update, traffic to the added network should be allowed")
 }
+
+// TestRouteACLFilteringIPv6 tests IPv6 route ACL matching directly via routeACLsPass.
+// Note: full FilterInbound for routed IPv6 traffic drops at the forwarder stage (IPv4-only)
+// but the ACL decision itself is correct.
+func TestRouteACLFilteringIPv6(t *testing.T) {
+	manager := setupRoutedManager(t, "10.10.0.100/16")
+
+	v6Dst := netip.MustParsePrefix("fd00:dead:beef::/48")
+	_, err := manager.AddRouteFiltering(
+		nil,
+		[]netip.Prefix{netip.MustParsePrefix("fd00::/16")},
+		fw.Network{Prefix: v6Dst},
+		fw.ProtocolTCP,
+		nil,
+		&fw.Port{Values: []uint16{80}},
+		fw.ActionAccept,
+	)
+	require.NoError(t, err)
+
+	_, err = manager.AddRouteFiltering(
+		nil,
+		[]netip.Prefix{netip.MustParsePrefix("fd00::/16")},
+		fw.Network{Prefix: netip.MustParsePrefix("fd00:dead:beef:1::/64")},
+		fw.ProtocolALL,
+		nil,
+		nil,
+		fw.ActionDrop,
+	)
+	require.NoError(t, err)
+
+	tests := []struct {
+		name    string
+		srcIP   netip.Addr
+		dstIP   netip.Addr
+		proto   gopacket.LayerType
+		srcPort uint16
+		dstPort uint16
+		allowed bool
+	}{
+		{
+			name:    "IPv6 TCP to allowed dest",
+			srcIP:   netip.MustParseAddr("fd00::1"),
+			dstIP:   netip.MustParseAddr("fd00:dead:beef::80"),
+			proto:   layers.LayerTypeTCP,
+			srcPort: 12345,
+			dstPort: 80,
+			allowed: true,
+		},
+		{
+			name:    "IPv6 TCP wrong port",
+			srcIP:   netip.MustParseAddr("fd00::1"),
+			dstIP:   netip.MustParseAddr("fd00:dead:beef::80"),
+			proto:   layers.LayerTypeTCP,
+			srcPort: 12345,
+			dstPort: 443,
+			allowed: false,
+		},
+		{
+			name:    "IPv6 UDP not matched by TCP rule",
+			srcIP:   netip.MustParseAddr("fd00::1"),
+			dstIP:   netip.MustParseAddr("fd00:dead:beef::80"),
+			proto:   layers.LayerTypeUDP,
+			srcPort: 12345,
+			dstPort: 80,
+			allowed: false,
+		},
+		{
+			name:    "IPv6 ICMPv6 matches ICMP rule via protoLayerMatches",
+			srcIP:   netip.MustParseAddr("fd00::1"),
+			dstIP:   netip.MustParseAddr("fd00:dead:beef::80"),
+			proto:   layers.LayerTypeICMPv6,
+			allowed: false,
+		},
+		{
+			name:    "IPv6 to denied subnet",
+			srcIP:   netip.MustParseAddr("fd00::1"),
+			dstIP:   netip.MustParseAddr("fd00:dead:beef:1::1"),
+			proto:   layers.LayerTypeTCP,
+			srcPort: 12345,
+			dstPort: 80,
+			allowed: false,
+		},
+		{
+			name:    "IPv6 source outside allowed range",
+			srcIP:   netip.MustParseAddr("fe80::1"),
+			dstIP:   netip.MustParseAddr("fd00:dead:beef::80"),
+			proto:   layers.LayerTypeTCP,
+			srcPort: 12345,
+			dstPort: 80,
+			allowed: false,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			_, pass := manager.routeACLsPass(tc.srcIP, tc.dstIP, tc.proto, tc.srcPort, tc.dstPort)
+			require.Equal(t, tc.allowed, pass, "route ACL result mismatch")
+		})
+	}
+}

client/firewall/uspfilter/filter_test.go

@@ -527,11 +527,16 @@ func TestProcessOutgoingHooks(t *testing.T) {
 			d := &decoder{
 				decoded: []gopacket.LayerType{},
 			}
-			d.parser = gopacket.NewDecodingLayerParser(
+			d.parser4 = gopacket.NewDecodingLayerParser(
 				layers.LayerTypeIPv4,
 				&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
 			)
-			d.parser.IgnoreUnsupported = true
+			d.parser4.IgnoreUnsupported = true
+			d.parser6 = gopacket.NewDecodingLayerParser(
+				layers.LayerTypeIPv6,
+				&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
+			)
+			d.parser6.IgnoreUnsupported = true
 			return d
 		},
 	}
@@ -630,11 +635,16 @@ func TestStatefulFirewall_UDPTracking(t *testing.T) {
 			d := &decoder{
 				decoded: []gopacket.LayerType{},
 			}
-			d.parser = gopacket.NewDecodingLayerParser(
+			d.parser4 = gopacket.NewDecodingLayerParser(
 				layers.LayerTypeIPv4,
 				&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
 			)
-			d.parser.IgnoreUnsupported = true
+			d.parser4.IgnoreUnsupported = true
+			d.parser6 = gopacket.NewDecodingLayerParser(
+				layers.LayerTypeIPv6,
+				&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
+			)
+			d.parser6.IgnoreUnsupported = true
 			return d
 		},
 	}
@@ -1040,8 +1050,8 @@ func TestMSSClamping(t *testing.T) {
 	}()
 
 	require.True(t, manager.mssClampEnabled, "MSS clamping should be enabled by default")
-	expectedMSSValue := uint16(1280 - ipTCPHeaderMinSize)
+	require.Equal(t, uint16(1280-ipv4TCPHeaderMinSize), manager.mssClampValueIPv4, "IPv4 MSS clamp value should be MTU - 40")
-	require.Equal(t, expectedMSSValue, manager.mssClampValue, "MSS clamp value should be MTU - 40")
+	require.Equal(t, uint16(1280-ipv6TCPHeaderMinSize), manager.mssClampValueIPv6, "IPv6 MSS clamp value should be MTU - 60")
 
 	err = manager.UpdateLocalIPs()
 	require.NoError(t, err)
@@ -1059,7 +1069,7 @@ func TestMSSClamping(t *testing.T) {
 		require.Len(t, d.tcp.Options, 1, "Should have MSS option")
 		require.Equal(t, uint8(layers.TCPOptionKindMSS), uint8(d.tcp.Options[0].OptionType))
 		actualMSS := binary.BigEndian.Uint16(d.tcp.Options[0].OptionData)
-		require.Equal(t, expectedMSSValue, actualMSS, "MSS should be clamped to MTU - 40")
+		require.Equal(t, manager.mssClampValueIPv4, actualMSS, "MSS should be clamped to MTU - 40")
 	})
 
 	t.Run("SYN packet with low MSS unchanged", func(t *testing.T) {
@@ -1083,7 +1093,7 @@ func TestMSSClamping(t *testing.T) {
 		d := parsePacket(t, packet)
 		require.Len(t, d.tcp.Options, 1, "Should have MSS option")
 		actualMSS := binary.BigEndian.Uint16(d.tcp.Options[0].OptionData)
-		require.Equal(t, expectedMSSValue, actualMSS, "MSS in SYN-ACK should be clamped")
+		require.Equal(t, manager.mssClampValueIPv4, actualMSS, "MSS in SYN-ACK should be clamped")
 	})
 
 	t.Run("Non-SYN packet unchanged", func(t *testing.T) {
@@ -1255,13 +1265,18 @@ func TestShouldForward(t *testing.T) {
 		d := &decoder{
 			decoded: []gopacket.LayerType{},
 		}
-		d.parser = gopacket.NewDecodingLayerParser(
+		d.parser4 = gopacket.NewDecodingLayerParser(
 			layers.LayerTypeIPv4,
 			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
 		)
-		d.parser.IgnoreUnsupported = true
+		d.parser4.IgnoreUnsupported = true
+		d.parser6 = gopacket.NewDecodingLayerParser(
+			layers.LayerTypeIPv6,
+			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
+		)
+		d.parser6.IgnoreUnsupported = true
 
-		err = d.parser.DecodeLayers(buf.Bytes(), &d.decoded)
+		err = d.decodePacket(buf.Bytes())
 		require.NoError(t, err)
 
 		return d
@@ -1321,6 +1336,44 @@ func TestShouldForward(t *testing.T) {
 		},
 	}
 
+	// Add IPv6 to the interface and test dual-stack cases
+	wgIPv6 := netip.MustParseAddr("fd00::1")
+	otherIPv6 := netip.MustParseAddr("fd00::2")
+	ifaceMock.AddressFunc = func() wgaddr.Address {
+		return wgaddr.Address{
+			IP:      wgIP,
+			Network: netip.PrefixFrom(wgIP, 24),
+			IPv6:    wgIPv6,
+			IPv6Net: netip.PrefixFrom(wgIPv6, 64),
+		}
+	}
+
+	// Re-create manager to pick up the new address with IPv6
+	require.NoError(t, manager.Close(nil))
+	manager, err = Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	require.NoError(t, err)
+
+	v6Cases := []struct {
+		name        string
+		dstIP       netip.Addr
+		expected    bool
+		description string
+	}{
+		{"v6 traffic to other address", otherIPv6, true, "should forward v6 traffic not destined to our v6 address"},
+		{"v6 traffic to our v6 IP", wgIPv6, false, "should not forward traffic destined to our v6 address"},
+		{"v4 traffic to other with v6 configured", otherIP, true, "should forward v4 traffic when v6 configured"},
+		{"v4 traffic to our v4 IP with v6 configured", wgIP, false, "should not forward traffic to our v4 address"},
+	}
+	for _, tt := range v6Cases {
+		t.Run(tt.name, func(t *testing.T) {
+			manager.localForwarding = true
+			manager.netstack = false
+			decoder := createTCPDecoder(8080)
+			result := manager.shouldForward(decoder, tt.dstIP)
+			require.Equal(t, tt.expected, result, tt.description)
+		})
+	}
+
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Configure manager

client/firewall/uspfilter/forwarder/endpoint.go

@@ -1,7 +1,8 @@
 package forwarder
 
 import (
-	"fmt"
+	"net"
+	"strconv"
 	"sync/atomic"
 
 	wgdevice "golang.zx2c4.com/wireguard/device"
@@ -47,17 +48,23 @@ func (e *endpoint) LinkAddress() tcpip.LinkAddress {
 func (e *endpoint) WritePackets(pkts stack.PacketBufferList) (int, tcpip.Error) {
 	var written int
 	for _, pkt := range pkts.AsSlice() {
-		netHeader := header.IPv4(pkt.NetworkHeader().View().AsSlice())
-
 		data := stack.PayloadSince(pkt.NetworkHeader())
 		if data == nil {
 			continue
 		}
 
-		// Send the packet through WireGuard
+		raw := pkt.NetworkHeader().View().AsSlice()
-		address := netHeader.DestinationAddress()
+		if len(raw) == 0 {
-		err := e.device.CreateOutboundPacket(data.AsSlice(), address.AsSlice())
+			continue
-		if err != nil {
+		}
+		var address tcpip.Address
+		if raw[0]>>4 == 6 {
+			address = header.IPv6(raw).DestinationAddress()
+		} else {
+			address = header.IPv4(raw).DestinationAddress()
+		}
+
+		if err := e.device.CreateOutboundPacket(data.AsSlice(), address.AsSlice()); err != nil {
 			e.logger.Error1("CreateOutboundPacket: %v", err)
 			continue
 		}
@@ -103,5 +110,7 @@ type epID stack.TransportEndpointID
 
 func (i epID) String() string {
 	// src and remote is swapped
-	return fmt.Sprintf("%s:%d → %s:%d", i.RemoteAddress, i.RemotePort, i.LocalAddress, i.LocalPort)
+	return net.JoinHostPort(i.RemoteAddress.String(), strconv.Itoa(int(i.RemotePort))) +
+		" → " +
+		net.JoinHostPort(i.LocalAddress.String(), strconv.Itoa(int(i.LocalPort)))
 }

client/firewall/uspfilter/forwarder/forwarder.go

@@ -14,6 +14,7 @@ import (
 	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/tcpip/header"
 	"gvisor.dev/gvisor/pkg/tcpip/network/ipv4"
+	"gvisor.dev/gvisor/pkg/tcpip/network/ipv6"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
 	"gvisor.dev/gvisor/pkg/tcpip/transport/icmp"
 	"gvisor.dev/gvisor/pkg/tcpip/transport/tcp"
@@ -36,25 +37,31 @@ type Forwarder struct {
 	logger     *nblog.Logger
 	flowLogger nftypes.FlowLogger
 	// ruleIdMap is used to store the rule ID for a given connection
-	ruleIdMap        sync.Map
+	ruleIdMap          sync.Map
-	stack            *stack.Stack
+	stack              *stack.Stack
-	endpoint         *endpoint
+	endpoint           *endpoint
-	udpForwarder     *udpForwarder
+	udpForwarder       *udpForwarder
-	ctx              context.Context
+	ctx                context.Context
-	cancel           context.CancelFunc
+	cancel             context.CancelFunc
-	ip               tcpip.Address
+	ip                 tcpip.Address
-	netstack         bool
+	ipv6               tcpip.Address
-	hasRawICMPAccess bool
+	netstack           bool
-	pingSemaphore    chan struct{}
+	hasRawICMPAccess   bool
+	hasRawICMPv6Access bool
+	pingSemaphore      chan struct{}
 }
 
 func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.FlowLogger, netstack bool, mtu uint16) (*Forwarder, error) {
 	s := stack.New(stack.Options{
-		NetworkProtocols: []stack.NetworkProtocolFactory{ipv4.NewProtocol},
+		NetworkProtocols: []stack.NetworkProtocolFactory{
+			ipv4.NewProtocol,
+			ipv6.NewProtocol,
+		},
 		TransportProtocols: []stack.TransportProtocolFactory{
 			tcp.NewProtocol,
 			udp.NewProtocol,
 			icmp.NewProtocol4,
+			icmp.NewProtocol6,
 		},
 		HandleLocal: false,
 	})
@@ -73,7 +80,7 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 	protoAddr := tcpip.ProtocolAddress{
 		Protocol: ipv4.ProtocolNumber,
 		AddressWithPrefix: tcpip.AddressWithPrefix{
-			Address:   tcpip.AddrFromSlice(iface.Address().IP.AsSlice()),
+			Address:   tcpip.AddrFrom4(iface.Address().IP.As4()),
 			PrefixLen: iface.Address().Network.Bits(),
 		},
 	}
@@ -82,6 +89,19 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 		return nil, fmt.Errorf("failed to add protocol address: %s", err)
 	}
 
+	if v6 := iface.Address().IPv6; v6.IsValid() {
+		v6Addr := tcpip.ProtocolAddress{
+			Protocol: ipv6.ProtocolNumber,
+			AddressWithPrefix: tcpip.AddressWithPrefix{
+				Address:   tcpip.AddrFrom16(v6.As16()),
+				PrefixLen: iface.Address().IPv6Net.Bits(),
+			},
+		}
+		if err := s.AddProtocolAddress(nicID, v6Addr, stack.AddressProperties{}); err != nil {
+			return nil, fmt.Errorf("add IPv6 protocol address: %s", err)
+		}
+	}
+
 	defaultSubnet, err := tcpip.NewSubnet(
 		tcpip.AddrFrom4([4]byte{0, 0, 0, 0}),
 		tcpip.MaskFromBytes([]byte{0, 0, 0, 0}),
@@ -90,6 +110,14 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 		return nil, fmt.Errorf("creating default subnet: %w", err)
 	}
 
+	defaultSubnetV6, err := tcpip.NewSubnet(
+		tcpip.AddrFrom16([16]byte{}),
+		tcpip.MaskFromBytes(make([]byte, 16)),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("creating default v6 subnet: %w", err)
+	}
+
 	if err := s.SetPromiscuousMode(nicID, true); err != nil {
 		return nil, fmt.Errorf("set promiscuous mode: %s", err)
 	}
@@ -98,10 +126,8 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 	}
 
 	s.SetRouteTable([]tcpip.Route{
-		{
+		{Destination: defaultSubnet, NIC: nicID},
-			Destination: defaultSubnet,
+		{Destination: defaultSubnetV6, NIC: nicID},
-			NIC:         nicID,
-		},
 	})
 
 	ctx, cancel := context.WithCancel(context.Background())
@@ -114,7 +140,8 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 		ctx:           ctx,
 		cancel:        cancel,
 		netstack:      netstack,
-		ip:            tcpip.AddrFromSlice(iface.Address().IP.AsSlice()),
+		ip:            tcpip.AddrFrom4(iface.Address().IP.As4()),
+		ipv6:          addrFromNetipAddr(iface.Address().IPv6),
 		pingSemaphore: make(chan struct{}, 3),
 	}
 
@@ -131,7 +158,10 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 	udpForwarder := udp.NewForwarder(s, f.handleUDP)
 	s.SetTransportProtocolHandler(udp.ProtocolNumber, udpForwarder.HandlePacket)
 
-	s.SetTransportProtocolHandler(icmp.ProtocolNumber4, f.handleICMP)
+	// ICMP is handled directly in InjectIncomingPacket, bypassing gVisor's
+	// network layer. This avoids duplicate echo replies (v4) and the v6
+	// auto-reply bug where gVisor responds at the network layer before
+	// our transport handler fires.
 
 	f.checkICMPCapability()
 
@@ -140,8 +170,30 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 }
 
 func (f *Forwarder) InjectIncomingPacket(payload []byte) error {
-	if len(payload) < header.IPv4MinimumSize {
+	if len(payload) == 0 {
-		return fmt.Errorf("packet too small: %d bytes", len(payload))
+		return fmt.Errorf("empty packet")
+	}
+
+	var protoNum tcpip.NetworkProtocolNumber
+	switch payload[0] >> 4 {
+	case 4:
+		if len(payload) < header.IPv4MinimumSize {
+			return fmt.Errorf("IPv4 packet too small: %d bytes", len(payload))
+		}
+		if f.handleICMPDirect(payload) {
+			return nil
+		}
+		protoNum = ipv4.ProtocolNumber
+	case 6:
+		if len(payload) < header.IPv6MinimumSize {
+			return fmt.Errorf("IPv6 packet too small: %d bytes", len(payload))
+		}
+		if f.handleICMPDirect(payload) {
+			return nil
+		}
+		protoNum = ipv6.ProtocolNumber
+	default:
+		return fmt.Errorf("unknown IP version: %d", payload[0]>>4)
 	}
 
 	pkt := stack.NewPacketBuffer(stack.PacketBufferOptions{
@@ -150,11 +202,95 @@ func (f *Forwarder) InjectIncomingPacket(payload []byte) error {
 	defer pkt.DecRef()
 
 	if f.endpoint.dispatcher != nil {
-		f.endpoint.dispatcher.DeliverNetworkPacket(ipv4.ProtocolNumber, pkt)
+		f.endpoint.dispatcher.DeliverNetworkPacket(protoNum, pkt)
 	}
 	return nil
 }
 
+// handleICMPDirect intercepts ICMP packets from raw IP payloads before they
+// enter gVisor. It synthesizes the TransportEndpointID and PacketBuffer that
+// the existing handlers expect, then dispatches to handleICMP/handleICMPv6.
+// This bypasses gVisor's network layer which causes duplicate v4 echo replies
+// and auto-replies to all v6 echo requests in promiscuous mode.
+//
+// Unlike gVisor's network layer, this does not validate ICMP checksums or
+// reassemble IP fragments. Fragmented ICMP packets fall through to gVisor.
+func parseICMPv4(payload []byte) (ipHdrLen int, src, dst tcpip.Address, ok bool) {
+	ip := header.IPv4(payload)
+	if ip.Protocol() != uint8(header.ICMPv4ProtocolNumber) {
+		return 0, src, dst, false
+	}
+	if ip.FragmentOffset() != 0 || ip.Flags()&header.IPv4FlagMoreFragments != 0 {
+		return 0, src, dst, false
+	}
+	ipHdrLen = int(ip.HeaderLength())
+	if len(payload)-ipHdrLen < header.ICMPv4MinimumSize {
+		return 0, src, dst, false
+	}
+	return ipHdrLen, ip.SourceAddress(), ip.DestinationAddress(), true
+}
+
+func parseICMPv6(payload []byte) (ipHdrLen int, src, dst tcpip.Address, ok bool) {
+	ip := header.IPv6(payload)
+	if ip.NextHeader() != uint8(header.ICMPv6ProtocolNumber) {
+		return 0, src, dst, false
+	}
+	ipHdrLen = header.IPv6MinimumSize
+	if len(payload)-ipHdrLen < header.ICMPv6MinimumSize {
+		return 0, src, dst, false
+	}
+	return ipHdrLen, ip.SourceAddress(), ip.DestinationAddress(), true
+}
+
+func (f *Forwarder) handleICMPDirect(payload []byte) bool {
+	var (
+		ipHdrLen int
+		srcAddr  tcpip.Address
+		dstAddr  tcpip.Address
+		ok       bool
+	)
+	switch payload[0] >> 4 {
+	case 4:
+		ipHdrLen, srcAddr, dstAddr, ok = parseICMPv4(payload)
+	case 6:
+		ipHdrLen, srcAddr, dstAddr, ok = parseICMPv6(payload)
+	}
+	if !ok {
+		return false
+	}
+
+	// Let gVisor handle ICMP destined for our own addresses natively.
+	// Its network-layer auto-reply is correct and efficient for local traffic.
+	if f.ip.Equal(dstAddr) || f.ipv6.Equal(dstAddr) {
+		return false
+	}
+
+	id := stack.TransportEndpointID{
+		LocalAddress:  dstAddr,
+		RemoteAddress: srcAddr,
+	}
+
+	// Build a PacketBuffer with headers consumed the same way gVisor would.
+	pkt := stack.NewPacketBuffer(stack.PacketBufferOptions{
+		Payload: buffer.MakeWithData(payload),
+	})
+	defer pkt.DecRef()
+
+	if _, ok := pkt.NetworkHeader().Consume(ipHdrLen); !ok {
+		return false
+	}
+
+	icmpPayload := payload[ipHdrLen:]
+	if _, ok := pkt.TransportHeader().Consume(len(icmpPayload)); !ok {
+		return false
+	}
+
+	if payload[0]>>4 == 6 {
+		return f.handleICMPv6(id, pkt)
+	}
+	return f.handleICMP(id, pkt)
+}
+
 // Stop gracefully shuts down the forwarder
 func (f *Forwarder) Stop() {
 	f.cancel()
@@ -167,11 +303,14 @@ func (f *Forwarder) Stop() {
 	f.stack.Wait()
 }
 
-func (f *Forwarder) determineDialAddr(addr tcpip.Address) net.IP {
+func (f *Forwarder) determineDialAddr(addr tcpip.Address) netip.Addr {
 	if f.netstack && f.ip.Equal(addr) {
-		return net.IPv4(127, 0, 0, 1)
+		return netip.AddrFrom4([4]byte{127, 0, 0, 1})
 	}
-	return addr.AsSlice()
+	if f.netstack && f.ipv6.Equal(addr) {
+		return netip.IPv6Loopback()
+	}
+	return addrToNetipAddr(addr)
 }
 
 func (f *Forwarder) RegisterRuleID(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, ruleID []byte) {
@@ -205,23 +344,50 @@ func buildKey(srcIP, dstIP netip.Addr, srcPort, dstPort uint16) conntrack.ConnKe
 	}
 }
 
+// addrFromNetipAddr converts a netip.Addr to a gvisor tcpip.Address without allocating.
+func addrFromNetipAddr(addr netip.Addr) tcpip.Address {
+	if !addr.IsValid() {
+		return tcpip.Address{}
+	}
+	if addr.Is4() {
+		return tcpip.AddrFrom4(addr.As4())
+	}
+	return tcpip.AddrFrom16(addr.As16())
+}
+
+// addrToNetipAddr converts a gvisor tcpip.Address to netip.Addr without allocating.
+func addrToNetipAddr(addr tcpip.Address) netip.Addr {
+	switch addr.Len() {
+	case 4:
+		return netip.AddrFrom4(addr.As4())
+	case 16:
+		return netip.AddrFrom16(addr.As16())
+	default:
+		return netip.Addr{}
+	}
+}
+
 // checkICMPCapability tests whether we have raw ICMP socket access at startup.
 func (f *Forwarder) checkICMPCapability() {
+	f.hasRawICMPAccess = probeRawICMP("ip4:icmp", "0.0.0.0", f.logger)
+	f.hasRawICMPv6Access = probeRawICMP("ip6:ipv6-icmp", "::", f.logger)
+}
+
+func probeRawICMP(network, addr string, logger *nblog.Logger) bool {
 	ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
 	defer cancel()
 
 	lc := net.ListenConfig{}
-	conn, err := lc.ListenPacket(ctx, "ip4:icmp", "0.0.0.0")
+	conn, err := lc.ListenPacket(ctx, network, addr)
 	if err != nil {
-		f.hasRawICMPAccess = false
+		logger.Debug1("forwarder: no raw %s socket access, will use ping binary fallback", network)
-		f.logger.Debug("forwarder: No raw ICMP socket access, will use ping binary fallback")
+		return false
-		return
 	}
 
 	if err := conn.Close(); err != nil {
-		f.logger.Debug1("forwarder: Failed to close ICMP capability test socket: %v", err)
+		logger.Debug2("forwarder: failed to close %s capability test socket: %v", network, err)
 	}
 
-	f.hasRawICMPAccess = true
+	logger.Debug1("forwarder: raw %s socket access available", network)
-	f.logger.Debug("forwarder: Raw ICMP socket access available")
+	return true
 }

client/firewall/uspfilter/forwarder/icmp.go

@@ -35,7 +35,7 @@ func (f *Forwarder) handleICMP(id stack.TransportEndpointID, pkt *stack.PacketBu
 	}
 
 	icmpData := stack.PayloadSince(pkt.TransportHeader()).AsSlice()
-	conn, err := f.forwardICMPPacket(id, icmpData, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()), 100*time.Millisecond)
+	conn, err := f.forwardICMPPacket(id, icmpData, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()), false, 100*time.Millisecond)
 	if err != nil {
 		f.logger.Error2("forwarder: Failed to forward ICMP packet for %v: %v", epID(id), err)
 		return true
@@ -58,7 +58,7 @@ func (f *Forwarder) handleICMPEcho(flowID uuid.UUID, id stack.TransportEndpointI
 			defer func() { <-f.pingSemaphore }()
 
 			if f.hasRawICMPAccess {
-				f.handleICMPViaSocket(flowID, id, icmpType, icmpCode, icmpData, rxBytes)
+				f.handleICMPViaSocket(flowID, id, icmpType, icmpCode, icmpData, rxBytes, false)
 			} else {
 				f.handleICMPViaPing(flowID, id, icmpType, icmpCode, icmpData, rxBytes)
 			}
@@ -72,18 +72,23 @@ func (f *Forwarder) handleICMPEcho(flowID uuid.UUID, id stack.TransportEndpointI
 
 // forwardICMPPacket creates a raw ICMP socket and sends the packet, returning the connection.
 // The caller is responsible for closing the returned connection.
-func (f *Forwarder) forwardICMPPacket(id stack.TransportEndpointID, payload []byte, icmpType, icmpCode uint8, timeout time.Duration) (net.PacketConn, error) {
+func (f *Forwarder) forwardICMPPacket(id stack.TransportEndpointID, payload []byte, icmpType, icmpCode uint8, v6 bool, timeout time.Duration) (net.PacketConn, error) {
 	ctx, cancel := context.WithTimeout(f.ctx, timeout)
 	defer cancel()
 
+	network, listenAddr := "ip4:icmp", "0.0.0.0"
+	if v6 {
+		network, listenAddr = "ip6:ipv6-icmp", "::"
+	}
+
 	lc := net.ListenConfig{}
-	conn, err := lc.ListenPacket(ctx, "ip4:icmp", "0.0.0.0")
+	conn, err := lc.ListenPacket(ctx, network, listenAddr)
 	if err != nil {
 		return nil, fmt.Errorf("create ICMP socket: %w", err)
 	}
 
 	dstIP := f.determineDialAddr(id.LocalAddress)
-	dst := &net.IPAddr{IP: dstIP}
+	dst := &net.IPAddr{IP: dstIP.AsSlice()}
 
 	if _, err = conn.WriteTo(payload, dst); err != nil {
 		if closeErr := conn.Close(); closeErr != nil {
@@ -98,11 +103,11 @@ func (f *Forwarder) forwardICMPPacket(id stack.TransportEndpointID, payload []by
 	return conn, nil
 }
 
-// handleICMPViaSocket handles ICMP echo requests using raw sockets.
+// handleICMPViaSocket handles ICMP echo requests using raw sockets for both v4 and v6.
-func (f *Forwarder) handleICMPViaSocket(flowID uuid.UUID, id stack.TransportEndpointID, icmpType, icmpCode uint8, icmpData []byte, rxBytes int) {
+func (f *Forwarder) handleICMPViaSocket(flowID uuid.UUID, id stack.TransportEndpointID, icmpType, icmpCode uint8, icmpData []byte, rxBytes int, v6 bool) {
 	sendTime := time.Now()
 
-	conn, err := f.forwardICMPPacket(id, icmpData, icmpType, icmpCode, 5*time.Second)
+	conn, err := f.forwardICMPPacket(id, icmpData, icmpType, icmpCode, v6, 5*time.Second)
 	if err != nil {
 		f.logger.Error2("forwarder: Failed to send ICMP packet for %v: %v", epID(id), err)
 		return
@@ -113,16 +118,20 @@ func (f *Forwarder) handleICMPViaSocket(flowID uuid.UUID, id stack.TransportEndp
 		}
 	}()
 
-	txBytes := f.handleEchoResponse(conn, id)
+	txBytes := f.handleEchoResponse(conn, id, v6)
 	rtt := time.Since(sendTime).Round(10 * time.Microsecond)
 
-	f.logger.Trace4("forwarder: Forwarded ICMP echo reply %v type %v code %v (rtt=%v, raw socket)",
+	proto := "ICMP"
-		epID(id), icmpType, icmpCode, rtt)
+	if v6 {
+		proto = "ICMPv6"
+	}
+	f.logger.Trace5("forwarder: Forwarded %s echo reply %v type %v code %v (rtt=%v, raw socket)",
+		proto, epID(id), icmpType, icmpCode, rtt)
 
 	f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
 }
 
-func (f *Forwarder) handleEchoResponse(conn net.PacketConn, id stack.TransportEndpointID) int {
+func (f *Forwarder) handleEchoResponse(conn net.PacketConn, id stack.TransportEndpointID, v6 bool) int {
 	if err := conn.SetReadDeadline(time.Now().Add(5 * time.Second)); err != nil {
 		f.logger.Error1("forwarder: Failed to set read deadline for ICMP response: %v", err)
 		return 0
@@ -137,6 +146,19 @@ func (f *Forwarder) handleEchoResponse(conn net.PacketConn, id stack.TransportEn
 		return 0
 	}
 
+	if v6 {
+		// Recompute checksum: the raw socket response has a checksum computed
+		// over the real endpoint addresses, but we inject with overlay addresses.
+		icmpHdr := header.ICMPv6(response[:n])
+		icmpHdr.SetChecksum(0)
+		icmpHdr.SetChecksum(header.ICMPv6Checksum(header.ICMPv6ChecksumParams{
+			Header: icmpHdr,
+			Src:    id.LocalAddress,
+			Dst:    id.RemoteAddress,
+		}))
+		return f.injectICMPv6Reply(id, response[:n])
+	}
+
 	return f.injectICMPReply(id, response[:n])
 }
 
@@ -150,19 +172,23 @@ func (f *Forwarder) sendICMPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.T
 		txPackets = 1
 	}
 
-	srcIp := netip.AddrFrom4(id.RemoteAddress.As4())
+	srcIp := addrToNetipAddr(id.RemoteAddress)
-	dstIp := netip.AddrFrom4(id.LocalAddress.As4())
+	dstIp := addrToNetipAddr(id.LocalAddress)
+
+	proto := nftypes.ICMP
+	if srcIp.Is6() {
+		proto = nftypes.ICMPv6
+	}
 
 	fields := nftypes.EventFields{
 		FlowID:    flowID,
 		Type:      typ,
 		Direction: nftypes.Ingress,
-		Protocol:  nftypes.ICMP,
+		Protocol:  proto,
-		// TODO: handle ipv6
+		SourceIP:  srcIp,
-		SourceIP: srcIp,
+		DestIP:    dstIp,
-		DestIP:   dstIp,
+		ICMPType:  icmpType,
-		ICMPType: icmpType,
+		ICMPCode:  icmpCode,
-		ICMPCode: icmpCode,
 
 		RxBytes:   rxBytes,
 		TxBytes:   txBytes,
@@ -209,26 +235,164 @@ func (f *Forwarder) handleICMPViaPing(flowID uuid.UUID, id stack.TransportEndpoi
 	f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
 }
 
+// handleICMPv6 handles ICMPv6 packets from the network stack.
+func (f *Forwarder) handleICMPv6(id stack.TransportEndpointID, pkt *stack.PacketBuffer) bool {
+	icmpHdr := header.ICMPv6(pkt.TransportHeader().View().AsSlice())
+
+	flowID := uuid.New()
+	f.sendICMPEvent(nftypes.TypeStart, flowID, id, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()), 0, 0)
+
+	if icmpHdr.Type() == header.ICMPv6EchoRequest {
+		return f.handleICMPv6Echo(flowID, id, pkt, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()))
+	}
+
+	// For non-echo types (Destination Unreachable, Packet Too Big, etc), forward without waiting
+	if !f.hasRawICMPv6Access {
+		f.logger.Debug2("forwarder: Cannot handle ICMPv6 type %v without raw socket access for %v", icmpHdr.Type(), epID(id))
+		return false
+	}
+
+	icmpData := stack.PayloadSince(pkt.TransportHeader()).AsSlice()
+	conn, err := f.forwardICMPPacket(id, icmpData, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()), true, 100*time.Millisecond)
+	if err != nil {
+		f.logger.Error2("forwarder: Failed to forward ICMPv6 packet for %v: %v", epID(id), err)
+		return true
+	}
+	if err := conn.Close(); err != nil {
+		f.logger.Debug1("forwarder: Failed to close ICMPv6 socket: %v", err)
+	}
+
+	return true
+}
+
+// handleICMPv6Echo handles ICMPv6 echo requests via raw socket or ping binary fallback.
+func (f *Forwarder) handleICMPv6Echo(flowID uuid.UUID, id stack.TransportEndpointID, pkt *stack.PacketBuffer, icmpType, icmpCode uint8) bool {
+	select {
+	case f.pingSemaphore <- struct{}{}:
+		icmpData := stack.PayloadSince(pkt.TransportHeader()).ToSlice()
+		rxBytes := pkt.Size()
+
+		go func() {
+			defer func() { <-f.pingSemaphore }()
+
+			if f.hasRawICMPv6Access {
+				f.handleICMPViaSocket(flowID, id, icmpType, icmpCode, icmpData, rxBytes, true)
+			} else {
+				f.handleICMPv6ViaPing(flowID, id, icmpType, icmpCode, icmpData, rxBytes)
+			}
+		}()
+	default:
+		f.logger.Debug3("forwarder: ICMPv6 rate limit exceeded for %v type %v code %v", epID(id), icmpType, icmpCode)
+	}
+	return true
+}
+
+// handleICMPv6ViaPing uses the system ping6 binary for ICMPv6 echo.
+func (f *Forwarder) handleICMPv6ViaPing(flowID uuid.UUID, id stack.TransportEndpointID, icmpType, icmpCode uint8, icmpData []byte, rxBytes int) {
+	ctx, cancel := context.WithTimeout(f.ctx, 5*time.Second)
+	defer cancel()
+
+	dstIP := f.determineDialAddr(id.LocalAddress)
+	cmd := buildPingCommand(ctx, dstIP, 5*time.Second)
+
+	pingStart := time.Now()
+	if err := cmd.Run(); err != nil {
+		f.logger.Warn4("forwarder: Ping6 failed for %v type %v code %v: %v", epID(id), icmpType, icmpCode, err)
+		return
+	}
+	rtt := time.Since(pingStart).Round(10 * time.Microsecond)
+
+	f.logger.Trace3("forwarder: Forwarded ICMPv6 echo request %v type %v code %v",
+		epID(id), icmpType, icmpCode)
+
+	txBytes := f.synthesizeICMPv6EchoReply(id, icmpData)
+
+	f.logger.Trace4("forwarder: Forwarded ICMPv6 echo reply %v type %v code %v (rtt=%v, ping binary)",
+		epID(id), icmpType, icmpCode, rtt)
+
+	f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
+}
+
+// synthesizeICMPv6EchoReply creates an ICMPv6 echo reply and injects it back.
+func (f *Forwarder) synthesizeICMPv6EchoReply(id stack.TransportEndpointID, icmpData []byte) int {
+	replyICMP := make([]byte, len(icmpData))
+	copy(replyICMP, icmpData)
+
+	replyHdr := header.ICMPv6(replyICMP)
+	replyHdr.SetType(header.ICMPv6EchoReply)
+	replyHdr.SetChecksum(0)
+	// ICMPv6Checksum computes the pseudo-header internally from Src/Dst.
+	// Header contains the full ICMP message, so PayloadCsum/PayloadLen are zero.
+	replyHdr.SetChecksum(header.ICMPv6Checksum(header.ICMPv6ChecksumParams{
+		Header: replyHdr,
+		Src:    id.LocalAddress,
+		Dst:    id.RemoteAddress,
+	}))
+
+	return f.injectICMPv6Reply(id, replyICMP)
+}
+
+// injectICMPv6Reply wraps an ICMPv6 payload in an IPv6 header and sends to the peer.
+func (f *Forwarder) injectICMPv6Reply(id stack.TransportEndpointID, icmpPayload []byte) int {
+	ipHdr := make([]byte, header.IPv6MinimumSize)
+	ip := header.IPv6(ipHdr)
+	ip.Encode(&header.IPv6Fields{
+		PayloadLength:     uint16(len(icmpPayload)),
+		TransportProtocol: header.ICMPv6ProtocolNumber,
+		HopLimit:          64,
+		SrcAddr:           id.LocalAddress,
+		DstAddr:           id.RemoteAddress,
+	})
+
+	fullPacket := make([]byte, 0, len(ipHdr)+len(icmpPayload))
+	fullPacket = append(fullPacket, ipHdr...)
+	fullPacket = append(fullPacket, icmpPayload...)
+
+	if err := f.endpoint.device.CreateOutboundPacket(fullPacket, id.RemoteAddress.AsSlice()); err != nil {
+		f.logger.Error1("forwarder: Failed to send ICMPv6 reply to peer: %v", err)
+		return 0
+	}
+
+	return len(fullPacket)
+}
+
+const (
+	pingBin  = "ping"
+	ping6Bin = "ping6"
+)
+
 // buildPingCommand creates a platform-specific ping command.
-func buildPingCommand(ctx context.Context, target net.IP, timeout time.Duration) *exec.Cmd {
+// Most platforms auto-detect IPv6 from raw addresses. macOS/iOS/OpenBSD require ping6.
+func buildPingCommand(ctx context.Context, target netip.Addr, timeout time.Duration) *exec.Cmd {
 	timeoutSec := int(timeout.Seconds())
 	if timeoutSec < 1 {
 		timeoutSec = 1
 	}
 
+	isV6 := target.Is6()
+	timeoutStr := fmt.Sprintf("%d", timeoutSec)
+
 	switch runtime.GOOS {
 	case "linux", "android":
-		return exec.CommandContext(ctx, "ping", "-c", "1", "-W", fmt.Sprintf("%d", timeoutSec), "-q", target.String())
+		return exec.CommandContext(ctx, pingBin, "-c", "1", "-W", timeoutStr, "-q", target.String())
 	case "darwin", "ios":
-		return exec.CommandContext(ctx, "ping", "-c", "1", "-t", fmt.Sprintf("%d", timeoutSec), "-q", target.String())
+		bin := pingBin
+		if isV6 {
+			bin = ping6Bin
+		}
+		return exec.CommandContext(ctx, bin, "-c", "1", "-t", timeoutStr, "-q", target.String())
 	case "freebsd":
-		return exec.CommandContext(ctx, "ping", "-c", "1", "-t", fmt.Sprintf("%d", timeoutSec), target.String())
+		return exec.CommandContext(ctx, pingBin, "-c", "1", "-t", timeoutStr, target.String())
 	case "openbsd", "netbsd":
-		return exec.CommandContext(ctx, "ping", "-c", "1", "-w", fmt.Sprintf("%d", timeoutSec), target.String())
+		bin := pingBin
+		if isV6 {
+			bin = ping6Bin
+		}
+		return exec.CommandContext(ctx, bin, "-c", "1", "-w", timeoutStr, target.String())
 	case "windows":
-		return exec.CommandContext(ctx, "ping", "-n", "1", "-w", fmt.Sprintf("%d", timeoutSec*1000), target.String())
+		return exec.CommandContext(ctx, pingBin, "-n", "1", "-w", fmt.Sprintf("%d", timeoutSec*1000), target.String())
 	default:
-		return exec.CommandContext(ctx, "ping", "-c", "1", target.String())
+		return exec.CommandContext(ctx, pingBin, "-c", "1", target.String())
 	}
 }
 

client/firewall/uspfilter/forwarder/tcp.go

@@ -2,10 +2,9 @@ package forwarder
 
 import (
 	"context"
-	"fmt"
 	"io"
 	"net"
-	"net/netip"
+	"strconv"
 	"sync"
 
 	"github.com/google/uuid"
@@ -33,7 +32,7 @@ func (f *Forwarder) handleTCP(r *tcp.ForwarderRequest) {
 		}
 	}()
 
-	dialAddr := fmt.Sprintf("%s:%d", f.determineDialAddr(id.LocalAddress), id.LocalPort)
+	dialAddr := net.JoinHostPort(f.determineDialAddr(id.LocalAddress).String(), strconv.Itoa(int(id.LocalPort)))
 
 	outConn, err := (&net.Dialer{}).DialContext(f.ctx, "tcp", dialAddr)
 	if err != nil {
@@ -133,15 +132,14 @@ func (f *Forwarder) proxyTCP(id stack.TransportEndpointID, inConn *gonet.TCPConn
 }
 
 func (f *Forwarder) sendTCPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, rxBytes, txBytes, rxPackets, txPackets uint64) {
-	srcIp := netip.AddrFrom4(id.RemoteAddress.As4())
+	srcIp := addrToNetipAddr(id.RemoteAddress)
-	dstIp := netip.AddrFrom4(id.LocalAddress.As4())
+	dstIp := addrToNetipAddr(id.LocalAddress)
 
 	fields := nftypes.EventFields{
-		FlowID:    flowID,
+		FlowID:     flowID,
-		Type:      typ,
+		Type:       typ,
-		Direction: nftypes.Ingress,
+		Direction:  nftypes.Ingress,
-		Protocol:  nftypes.TCP,
+		Protocol:   nftypes.TCP,
-		// TODO: handle ipv6
 		SourceIP:   srcIp,
 		DestIP:     dstIp,
 		SourcePort: id.RemotePort,

client/firewall/uspfilter/forwarder/udp.go

@@ -6,7 +6,7 @@ import (
 	"fmt"
 	"io"
 	"net"
-	"net/netip"
+	"strconv"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -158,7 +158,7 @@ func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) bool {
 		}
 	}()
 
-	dstAddr := fmt.Sprintf("%s:%d", f.determineDialAddr(id.LocalAddress), id.LocalPort)
+	dstAddr := net.JoinHostPort(f.determineDialAddr(id.LocalAddress).String(), strconv.Itoa(int(id.LocalPort)))
 	outConn, err := (&net.Dialer{}).DialContext(f.ctx, "udp", dstAddr)
 	if err != nil {
 		f.logger.Debug2("forwarder: UDP dial error for %v: %v", epID(id), err)
@@ -276,15 +276,14 @@ func (f *Forwarder) proxyUDP(ctx context.Context, pConn *udpPacketConn, id stack
 
 // sendUDPEvent stores flow events for UDP connections
 func (f *Forwarder) sendUDPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, rxBytes, txBytes, rxPackets, txPackets uint64) {
-	srcIp := netip.AddrFrom4(id.RemoteAddress.As4())
+	srcIp := addrToNetipAddr(id.RemoteAddress)
-	dstIp := netip.AddrFrom4(id.LocalAddress.As4())
+	dstIp := addrToNetipAddr(id.LocalAddress)
 
 	fields := nftypes.EventFields{
-		FlowID:    flowID,
+		FlowID:     flowID,
-		Type:      typ,
+		Type:       typ,
-		Direction: nftypes.Ingress,
+		Direction:  nftypes.Ingress,
-		Protocol:  nftypes.UDP,
+		Protocol:   nftypes.UDP,
-		// TODO: handle ipv6
 		SourceIP:   srcIp,
 		DestIP:     dstIp,
 		SourcePort: id.RemotePort,

client/firewall/uspfilter/hooks_filter.go

@@ -13,7 +13,6 @@ const (
 	ipv4HeaderMinLen = 20
 	ipv4ProtoOffset  = 9
 	ipv4FlagsOffset  = 6
-	ipv4DstOffset    = 16
 	ipProtoUDP       = 17
 	ipProtoTCP       = 6
 	ipv4FragOffMask  = 0x1fff

client/firewall/uspfilter/localip.go

@@ -4,89 +4,32 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
-	"sync"
+	"sync/atomic"
 
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/common"
 )
 
-type localIPManager struct {
+// localIPSnapshot is an immutable snapshot of local IP addresses, swapped
-	mu sync.RWMutex
+// atomically so reads are lock-free.
-
+type localIPSnapshot struct {
-	// fixed-size high array for upper byte of a IPv4 address
+	ips map[netip.Addr]struct{}
-	ipv4Bitmap [256]*ipv4LowBitmap
 }
 
-// ipv4LowBitmap is a map for the low 16 bits of a IPv4 address
+type localIPManager struct {
-type ipv4LowBitmap struct {
+	snapshot atomic.Pointer[localIPSnapshot]
-	bitmap [8192]uint32
 }
 
 func newLocalIPManager() *localIPManager {
-	return &localIPManager{}
+	m := &localIPManager{}
+	m.snapshot.Store(&localIPSnapshot{
+		ips: make(map[netip.Addr]struct{}),
+	})
+	return m
 }
 
-func (m *localIPManager) setBitmapBit(ip net.IP) {
+func processInterface(iface net.Interface, ips map[netip.Addr]struct{}, addresses *[]netip.Addr) {
-	ipv4 := ip.To4()
-	if ipv4 == nil {
-		return
-	}
-	high := uint16(ipv4[0])
-	low := (uint16(ipv4[1]) << 8) | (uint16(ipv4[2]) << 4) | uint16(ipv4[3])
-
-	index := low / 32
-	bit := low % 32
-
-	if m.ipv4Bitmap[high] == nil {
-		m.ipv4Bitmap[high] = &ipv4LowBitmap{}
-	}
-
-	m.ipv4Bitmap[high].bitmap[index] |= 1 << bit
-}
-
-func (m *localIPManager) setBitInBitmap(ip netip.Addr, bitmap *[256]*ipv4LowBitmap, ipv4Set map[netip.Addr]struct{}, ipv4Addresses *[]netip.Addr) {
-	if !ip.Is4() {
-		return
-	}
-	ipv4 := ip.AsSlice()
-
-	high := uint16(ipv4[0])
-	low := (uint16(ipv4[1]) << 8) | (uint16(ipv4[2]) << 4) | uint16(ipv4[3])
-
-	if bitmap[high] == nil {
-		bitmap[high] = &ipv4LowBitmap{}
-	}
-
-	index := low / 32
-	bit := low % 32
-	bitmap[high].bitmap[index] |= 1 << bit
-
-	if _, exists := ipv4Set[ip]; !exists {
-		ipv4Set[ip] = struct{}{}
-		*ipv4Addresses = append(*ipv4Addresses, ip)
-	}
-}
-
-func (m *localIPManager) checkBitmapBit(ip []byte) bool {
-	high := uint16(ip[0])
-	low := (uint16(ip[1]) << 8) | (uint16(ip[2]) << 4) | uint16(ip[3])
-
-	if m.ipv4Bitmap[high] == nil {
-		return false
-	}
-
-	index := low / 32
-	bit := low % 32
-	return (m.ipv4Bitmap[high].bitmap[index] & (1 << bit)) != 0
-}
-
-func (m *localIPManager) processIP(ip netip.Addr, bitmap *[256]*ipv4LowBitmap, ipv4Set map[netip.Addr]struct{}, ipv4Addresses *[]netip.Addr) error {
-	m.setBitInBitmap(ip, bitmap, ipv4Set, ipv4Addresses)
-	return nil
-}
-
-func (m *localIPManager) processInterface(iface net.Interface, bitmap *[256]*ipv4LowBitmap, ipv4Set map[netip.Addr]struct{}, ipv4Addresses *[]netip.Addr) {
 	addrs, err := iface.Addrs()
 	if err != nil {
 		log.Debugf("get addresses for interface %s failed: %v", iface.Name, err)
@@ -104,18 +47,19 @@ func (m *localIPManager) processInterface(iface net.Interface, bitmap *[256]*ipv
 			continue
 		}
 
-		addr, ok := netip.AddrFromSlice(ip)
+		parsed, ok := netip.AddrFromSlice(ip)
 		if !ok {
 			log.Warnf("invalid IP address %s in interface %s", ip.String(), iface.Name)
 			continue
 		}
 
-		if err := m.processIP(addr.Unmap(), bitmap, ipv4Set, ipv4Addresses); err != nil {
+		parsed = parsed.Unmap()
-			log.Debugf("process IP failed: %v", err)
+		ips[parsed] = struct{}{}
-		}
+		*addresses = append(*addresses, parsed)
 	}
 }
 
+// UpdateLocalIPs rebuilds the local IP snapshot and swaps it in atomically.
 func (m *localIPManager) UpdateLocalIPs(iface common.IFaceMapper) (err error) {
 	defer func() {
 		if r := recover(); r != nil {
@@ -123,20 +67,20 @@ func (m *localIPManager) UpdateLocalIPs(iface common.IFaceMapper) (err error) {
 		}
 	}()
 
-	var newIPv4Bitmap [256]*ipv4LowBitmap
+	ips := make(map[netip.Addr]struct{})
-	ipv4Set := make(map[netip.Addr]struct{})
+	var addresses []netip.Addr
-	var ipv4Addresses []netip.Addr
 
-	// 127.0.0.0/8
+	// loopback
-	newIPv4Bitmap[127] = &ipv4LowBitmap{}
+	ips[netip.AddrFrom4([4]byte{127, 0, 0, 1})] = struct{}{}
-	for i := 0; i < 8192; i++ {
+	ips[netip.IPv6Loopback()] = struct{}{}
-		// #nosec G602 -- bitmap is defined as [8192]uint32, loop range is correct
-		newIPv4Bitmap[127].bitmap[i] = 0xFFFFFFFF
-	}
 
 	if iface != nil {
-		if err := m.processIP(iface.Address().IP, &newIPv4Bitmap, ipv4Set, &ipv4Addresses); err != nil {
+		ip := iface.Address().IP
-			return err
+		ips[ip] = struct{}{}
+		addresses = append(addresses, ip)
+		if v6 := iface.Address().IPv6; v6.IsValid() {
+			ips[v6] = struct{}{}
+			addresses = append(addresses, v6)
 		}
 	}
 
@@ -147,25 +91,24 @@ func (m *localIPManager) UpdateLocalIPs(iface common.IFaceMapper) (err error) {
 		// TODO: filter out down interfaces (net.FlagUp). Also handle the reverse
 		// case where an interface comes up between refreshes.
 		for _, intf := range interfaces {
-			m.processInterface(intf, &newIPv4Bitmap, ipv4Set, &ipv4Addresses)
+			processInterface(intf, ips, &addresses)
 		}
 	}
 
-	m.mu.Lock()
+	m.snapshot.Store(&localIPSnapshot{ips: ips})
-	m.ipv4Bitmap = newIPv4Bitmap
-	m.mu.Unlock()
 
-	log.Debugf("Local IPv4 addresses: %v", ipv4Addresses)
+	log.Debugf("Local IP addresses: %v", addresses)
 	return nil
 }
 
+// IsLocalIP checks if the given IP is a local address. Lock-free on the read path.
 func (m *localIPManager) IsLocalIP(ip netip.Addr) bool {
-	if !ip.Is4() {
+	s := m.snapshot.Load()
-		return false
+
+	if ip.Is4() && ip.As4()[0] == 127 {
+		return true
 	}
 
-	m.mu.RLock()
+	_, found := s.ips[ip]
-	defer m.mu.RUnlock()
+	return found
-
-	return m.checkBitmapBit(ip.AsSlice())
 }

client/firewall/uspfilter/localip_bench_test.go

@@ -0,0 +1,72 @@
+package uspfilter
+
+import (
+	"net/netip"
+	"testing"
+
+	"github.com/netbirdio/netbird/client/iface/wgaddr"
+)
+
+func setupManager(b *testing.B) *localIPManager {
+	b.Helper()
+	m := newLocalIPManager()
+	mock := &IFaceMock{
+		AddressFunc: func() wgaddr.Address {
+			return wgaddr.Address{
+				IP:      netip.MustParseAddr("100.64.0.1"),
+				Network: netip.MustParsePrefix("100.64.0.0/16"),
+				IPv6:    netip.MustParseAddr("fd00::1"),
+				IPv6Net: netip.MustParsePrefix("fd00::/64"),
+			}
+		},
+	}
+	if err := m.UpdateLocalIPs(mock); err != nil {
+		b.Fatalf("UpdateLocalIPs: %v", err)
+	}
+	return m
+}
+
+func BenchmarkIsLocalIP_v4_hit(b *testing.B) {
+	m := setupManager(b)
+	ip := netip.MustParseAddr("100.64.0.1")
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		m.IsLocalIP(ip)
+	}
+}
+
+func BenchmarkIsLocalIP_v4_miss(b *testing.B) {
+	m := setupManager(b)
+	ip := netip.MustParseAddr("8.8.8.8")
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		m.IsLocalIP(ip)
+	}
+}
+
+func BenchmarkIsLocalIP_v6_hit(b *testing.B) {
+	m := setupManager(b)
+	ip := netip.MustParseAddr("fd00::1")
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		m.IsLocalIP(ip)
+	}
+}
+
+func BenchmarkIsLocalIP_v6_miss(b *testing.B) {
+	m := setupManager(b)
+	ip := netip.MustParseAddr("2001:db8::1")
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		m.IsLocalIP(ip)
+	}
+}
+
+func BenchmarkIsLocalIP_loopback(b *testing.B) {
+	m := setupManager(b)
+	ip := netip.MustParseAddr("127.0.0.1")
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		m.IsLocalIP(ip)
+	}
+}

client/firewall/uspfilter/localip_test.go

@@ -72,14 +72,45 @@ func TestLocalIPManager(t *testing.T) {
 			expected: false,
 		},
 		{
-			name: "IPv6 address",
+			name: "IPv6 address matches",
 			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("fe80::1"),
+				IP:      netip.MustParseAddr("100.64.0.1"),
+				Network: netip.MustParsePrefix("100.64.0.0/16"),
+				IPv6:    netip.MustParseAddr("fd00::1"),
+				IPv6Net: netip.MustParsePrefix("fd00::/64"),
+			},
+			testIP:   netip.MustParseAddr("fd00::1"),
+			expected: true,
+		},
+		{
+			name: "IPv6 address does not match",
+			setupAddr: wgaddr.Address{
+				IP:      netip.MustParseAddr("100.64.0.1"),
+				Network: netip.MustParsePrefix("100.64.0.0/16"),
+				IPv6:    netip.MustParseAddr("fd00::1"),
+				IPv6Net: netip.MustParsePrefix("fd00::/64"),
+			},
+			testIP:   netip.MustParseAddr("fd00::99"),
+			expected: false,
+		},
+		{
+			name: "No aliasing between similar IPs",
+			setupAddr: wgaddr.Address{
+				IP:      netip.MustParseAddr("192.168.1.1"),
 				Network: netip.MustParsePrefix("192.168.1.0/24"),
 			},
-			testIP:   netip.MustParseAddr("fe80::1"),
+			testIP:   netip.MustParseAddr("192.168.0.17"),
 			expected: false,
 		},
+		{
+			name: "IPv6 loopback",
+			setupAddr: wgaddr.Address{
+				IP:      netip.MustParseAddr("100.64.0.1"),
+				Network: netip.MustParsePrefix("100.64.0.0/16"),
+			},
+			testIP:   netip.MustParseAddr("::1"),
+			expected: true,
+		},
 	}
 
 	for _, tt := range tests {
@@ -171,90 +202,3 @@ func TestLocalIPManager_AllInterfaces(t *testing.T) {
 		})
 	}
 }
-
-// MapImplementation is a version using map[string]struct{}
-type MapImplementation struct {
-	localIPs map[string]struct{}
-}
-
-func BenchmarkIPChecks(b *testing.B) {
-	interfaces := make([]net.IP, 16)
-	for i := range interfaces {
-		interfaces[i] = net.IPv4(10, 0, byte(i>>8), byte(i))
-	}
-
-	// Setup bitmap
-	bitmapManager := newLocalIPManager()
-	for _, ip := range interfaces[:8] { // Add half of IPs
-		bitmapManager.setBitmapBit(ip)
-	}
-
-	// Setup map version
-	mapManager := &MapImplementation{
-		localIPs: make(map[string]struct{}),
-	}
-	for _, ip := range interfaces[:8] {
-		mapManager.localIPs[ip.String()] = struct{}{}
-	}
-
-	b.Run("Bitmap_Hit", func(b *testing.B) {
-		ip := interfaces[4]
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			bitmapManager.checkBitmapBit(ip)
-		}
-	})
-
-	b.Run("Bitmap_Miss", func(b *testing.B) {
-		ip := interfaces[12]
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			bitmapManager.checkBitmapBit(ip)
-		}
-	})
-
-	b.Run("Map_Hit", func(b *testing.B) {
-		ip := interfaces[4]
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			// nolint:gosimple
-			_ = mapManager.localIPs[ip.String()]
-		}
-	})
-
-	b.Run("Map_Miss", func(b *testing.B) {
-		ip := interfaces[12]
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			// nolint:gosimple
-			_ = mapManager.localIPs[ip.String()]
-		}
-	})
-}
-
-func BenchmarkWGPosition(b *testing.B) {
-	wgIP := net.ParseIP("10.10.0.1")
-
-	// Create two managers - one checks WG IP first, other checks it last
-	b.Run("WG_First", func(b *testing.B) {
-		bm := newLocalIPManager()
-		bm.setBitmapBit(wgIP)
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			bm.checkBitmapBit(wgIP)
-		}
-	})
-
-	b.Run("WG_Last", func(b *testing.B) {
-		bm := newLocalIPManager()
-		// Fill with other IPs first
-		for i := 0; i < 15; i++ {
-			bm.setBitmapBit(net.IPv4(10, 0, byte(i>>8), byte(i)))
-		}
-		bm.setBitmapBit(wgIP) // Add WG IP last
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			bm.checkBitmapBit(wgIP)
-		}
-	})
-}

client/firewall/uspfilter/nat.go

@@ -13,8 +13,6 @@ import (
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 )
 
-var ErrIPv4Only = errors.New("only IPv4 is supported for DNAT")
-
 var (
 	errInvalidIPHeaderLength = errors.New("invalid IP header length")
 )
@@ -25,10 +23,33 @@ const (
 	destinationPortOffset = 2
 
 	// IP address offsets in IPv4 header
-	sourceIPOffset      = 12
+	ipv4SrcOffset = 12
-	destinationIPOffset = 16
+	ipv4DstOffset = 16
+
+	// IP address offsets in IPv6 header
+	ipv6SrcOffset = 8
+	ipv6DstOffset = 24
+
+	// IPv6 fixed header length
+	ipv6HeaderLen = 40
 )
 
+// ipHeaderLen returns the IP header length based on the decoded layer type.
+func ipHeaderLen(d *decoder) (int, error) {
+	switch d.decoded[0] {
+	case layers.LayerTypeIPv4:
+		n := int(d.ip4.IHL) * 4
+		if n < 20 {
+			return 0, errInvalidIPHeaderLength
+		}
+		return n, nil
+	case layers.LayerTypeIPv6:
+		return ipv6HeaderLen, nil
+	default:
+		return 0, fmt.Errorf("unknown IP layer: %v", d.decoded[0])
+	}
+}
+
 // ipv4Checksum calculates IPv4 header checksum.
 func ipv4Checksum(header []byte) uint16 {
 	if len(header) < 20 {
@@ -234,14 +255,13 @@ func (m *Manager) translateOutboundDNAT(packetData []byte, d *decoder) bool {
 		return false
 	}
 
-	dstIP := netip.AddrFrom4([4]byte{packetData[16], packetData[17], packetData[18], packetData[19]})
+	_, dstIP := extractPacketIPs(packetData, d)
-
 	translatedIP, exists := m.getDNATTranslation(dstIP)
 	if !exists {
 		return false
 	}
 
-	if err := m.rewritePacketIP(packetData, d, translatedIP, destinationIPOffset); err != nil {
+	if err := m.rewritePacketIP(packetData, d, translatedIP, false); err != nil {
 		m.logger.Error1("failed to rewrite packet destination: %v", err)
 		return false
 	}
@@ -256,14 +276,13 @@ func (m *Manager) translateInboundReverse(packetData []byte, d *decoder) bool {
 		return false
 	}
 
-	srcIP := netip.AddrFrom4([4]byte{packetData[12], packetData[13], packetData[14], packetData[15]})
+	srcIP, _ := extractPacketIPs(packetData, d)
-
 	originalIP, exists := m.findReverseDNATMapping(srcIP)
 	if !exists {
 		return false
 	}
 
-	if err := m.rewritePacketIP(packetData, d, originalIP, sourceIPOffset); err != nil {
+	if err := m.rewritePacketIP(packetData, d, originalIP, true); err != nil {
 		m.logger.Error1("failed to rewrite packet source: %v", err)
 		return false
 	}
@@ -272,38 +291,96 @@ func (m *Manager) translateInboundReverse(packetData []byte, d *decoder) bool {
 	return true
 }
 
-// rewritePacketIP replaces an IP address (source or destination) in the packet and updates checksums.
+// extractPacketIPs extracts src and dst IP addresses directly from raw packet bytes.
-func (m *Manager) rewritePacketIP(packetData []byte, d *decoder, newIP netip.Addr, ipOffset int) error {
+func extractPacketIPs(packetData []byte, d *decoder) (src, dst netip.Addr) {
+	switch d.decoded[0] {
+	case layers.LayerTypeIPv4:
+		src = netip.AddrFrom4([4]byte{packetData[ipv4SrcOffset], packetData[ipv4SrcOffset+1], packetData[ipv4SrcOffset+2], packetData[ipv4SrcOffset+3]})
+		dst = netip.AddrFrom4([4]byte{packetData[ipv4DstOffset], packetData[ipv4DstOffset+1], packetData[ipv4DstOffset+2], packetData[ipv4DstOffset+3]})
+	case layers.LayerTypeIPv6:
+		src = netip.AddrFrom16([16]byte(packetData[ipv6SrcOffset : ipv6SrcOffset+16]))
+		dst = netip.AddrFrom16([16]byte(packetData[ipv6DstOffset : ipv6DstOffset+16]))
+	}
+	return src, dst
+}
+
+// rewritePacketIP replaces a source (isSource=true) or destination IP address in the packet and updates checksums.
+func (m *Manager) rewritePacketIP(packetData []byte, d *decoder, newIP netip.Addr, isSource bool) error {
+	hdrLen, err := ipHeaderLen(d)
+	if err != nil {
+		return err
+	}
+
+	switch d.decoded[0] {
+	case layers.LayerTypeIPv4:
+		return m.rewriteIPv4(packetData, d, newIP, hdrLen, isSource)
+	case layers.LayerTypeIPv6:
+		return m.rewriteIPv6(packetData, d, newIP, hdrLen, isSource)
+	default:
+		return fmt.Errorf("unknown IP layer: %v", d.decoded[0])
+	}
+}
+
+func (m *Manager) rewriteIPv4(packetData []byte, d *decoder, newIP netip.Addr, hdrLen int, isSource bool) error {
 	if !newIP.Is4() {
-		return ErrIPv4Only
+		return fmt.Errorf("cannot write IPv6 address into IPv4 packet")
+	}
+
+	offset := ipv4DstOffset
+	if isSource {
+		offset = ipv4SrcOffset
 	}
 
 	var oldIP [4]byte
-	copy(oldIP[:], packetData[ipOffset:ipOffset+4])
+	copy(oldIP[:], packetData[offset:offset+4])
 	newIPBytes := newIP.As4()
+	copy(packetData[offset:offset+4], newIPBytes[:])
 
-	copy(packetData[ipOffset:ipOffset+4], newIPBytes[:])
+	// Recalculate IPv4 header checksum
-
-	ipHeaderLen := int(d.ip4.IHL) * 4
-	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
-		return errInvalidIPHeaderLength
-	}
-
 	binary.BigEndian.PutUint16(packetData[10:12], 0)
-	ipChecksum := ipv4Checksum(packetData[:ipHeaderLen])
+	binary.BigEndian.PutUint16(packetData[10:12], ipv4Checksum(packetData[:hdrLen]))
-	binary.BigEndian.PutUint16(packetData[10:12], ipChecksum)
 
+	// Update transport checksums incrementally
 	if len(d.decoded) > 1 {
 		switch d.decoded[1] {
 		case layers.LayerTypeTCP:
-			m.updateTCPChecksum(packetData, ipHeaderLen, oldIP[:], newIPBytes[:])
+			m.updateTCPChecksum(packetData, hdrLen, oldIP[:], newIPBytes[:])
 		case layers.LayerTypeUDP:
-			m.updateUDPChecksum(packetData, ipHeaderLen, oldIP[:], newIPBytes[:])
+			m.updateUDPChecksum(packetData, hdrLen, oldIP[:], newIPBytes[:])
 		case layers.LayerTypeICMPv4:
-			m.updateICMPChecksum(packetData, ipHeaderLen)
+			m.updateICMPChecksum(packetData, hdrLen)
 		}
 	}
+	return nil
+}
 
+func (m *Manager) rewriteIPv6(packetData []byte, d *decoder, newIP netip.Addr, hdrLen int, isSource bool) error {
+	if !newIP.Is6() {
+		return fmt.Errorf("cannot write IPv4 address into IPv6 packet")
+	}
+
+	offset := ipv6DstOffset
+	if isSource {
+		offset = ipv6SrcOffset
+	}
+
+	var oldIP [16]byte
+	copy(oldIP[:], packetData[offset:offset+16])
+	newIPBytes := newIP.As16()
+	copy(packetData[offset:offset+16], newIPBytes[:])
+
+	// IPv6 has no header checksum, only update transport checksums
+	if len(d.decoded) > 1 {
+		switch d.decoded[1] {
+		case layers.LayerTypeTCP:
+			m.updateTCPChecksum(packetData, hdrLen, oldIP[:], newIPBytes[:])
+		case layers.LayerTypeUDP:
+			m.updateUDPChecksum(packetData, hdrLen, oldIP[:], newIPBytes[:])
+		case layers.LayerTypeICMPv6:
+			// ICMPv6 checksum includes pseudo-header with addresses, use incremental update
+			m.updateICMPv6Checksum(packetData, hdrLen, oldIP[:], newIPBytes[:])
+		}
+	}
 	return nil
 }
 
@@ -351,6 +428,20 @@ func (m *Manager) updateICMPChecksum(packetData []byte, ipHeaderLen int) {
 	binary.BigEndian.PutUint16(icmpData[2:4], checksum)
 }
 
+// updateICMPv6Checksum updates ICMPv6 checksum after address change.
+// ICMPv6 uses a pseudo-header (like TCP/UDP), so incremental update applies.
+func (m *Manager) updateICMPv6Checksum(packetData []byte, ipHeaderLen int, oldIP, newIP []byte) {
+	icmpStart := ipHeaderLen
+	if len(packetData) < icmpStart+4 {
+		return
+	}
+
+	checksumOffset := icmpStart + 2
+	oldChecksum := binary.BigEndian.Uint16(packetData[checksumOffset : checksumOffset+2])
+	newChecksum := incrementalUpdate(oldChecksum, oldIP, newIP)
+	binary.BigEndian.PutUint16(packetData[checksumOffset:checksumOffset+2], newChecksum)
+}
+
 // incrementalUpdate performs incremental checksum update per RFC 1624.
 func incrementalUpdate(oldChecksum uint16, oldBytes, newBytes []byte) uint16 {
 	sum := uint32(^oldChecksum)
@@ -403,14 +494,14 @@ func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
 }
 
 // addPortRedirection adds a port redirection rule.
-func (m *Manager) addPortRedirection(targetIP netip.Addr, protocol gopacket.LayerType, sourcePort, targetPort uint16) error {
+func (m *Manager) addPortRedirection(targetIP netip.Addr, protocol gopacket.LayerType, originalPort, translatedPort uint16) error {
 	m.portDNATMutex.Lock()
 	defer m.portDNATMutex.Unlock()
 
 	rule := portDNATRule{
 		protocol:   protocol,
-		origPort:   sourcePort,
+		origPort:   originalPort,
-		targetPort: targetPort,
+		targetPort: translatedPort,
 		targetIP:   targetIP,
 	}
 
@@ -422,7 +513,7 @@ func (m *Manager) addPortRedirection(targetIP netip.Addr, protocol gopacket.Laye
 
 // AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
 // TODO: also delegate to nativeFirewall when available for kernel WG mode
-func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
 	var layerType gopacket.LayerType
 	switch protocol {
 	case firewall.ProtocolTCP:
@@ -433,16 +524,16 @@ func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protoco
 		return fmt.Errorf("unsupported protocol: %s", protocol)
 	}
 
-	return m.addPortRedirection(localAddr, layerType, sourcePort, targetPort)
+	return m.addPortRedirection(localAddr, layerType, originalPort, translatedPort)
 }
 
 // removePortRedirection removes a port redirection rule.
-func (m *Manager) removePortRedirection(targetIP netip.Addr, protocol gopacket.LayerType, sourcePort, targetPort uint16) error {
+func (m *Manager) removePortRedirection(targetIP netip.Addr, protocol gopacket.LayerType, originalPort, translatedPort uint16) error {
 	m.portDNATMutex.Lock()
 	defer m.portDNATMutex.Unlock()
 
 	m.portDNATRules = slices.DeleteFunc(m.portDNATRules, func(rule portDNATRule) bool {
-		return rule.protocol == protocol && rule.origPort == sourcePort && rule.targetPort == targetPort && rule.targetIP.Compare(targetIP) == 0
+		return rule.protocol == protocol && rule.origPort == originalPort && rule.targetPort == translatedPort && rule.targetIP.Compare(targetIP) == 0
 	})
 
 	if len(m.portDNATRules) == 0 {
@@ -453,7 +544,7 @@ func (m *Manager) removePortRedirection(targetIP netip.Addr, protocol gopacket.L
 }
 
 // RemoveInboundDNAT removes an inbound DNAT rule.
-func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
 	var layerType gopacket.LayerType
 	switch protocol {
 	case firewall.ProtocolTCP:
@@ -464,23 +555,23 @@ func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Prot
 		return fmt.Errorf("unsupported protocol: %s", protocol)
 	}
 
-	return m.removePortRedirection(localAddr, layerType, sourcePort, targetPort)
+	return m.removePortRedirection(localAddr, layerType, originalPort, translatedPort)
 }
 
 // AddOutputDNAT delegates to the native firewall if available.
-func (m *Manager) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (m *Manager) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
 	if m.nativeFirewall == nil {
 		return fmt.Errorf("output DNAT not supported without native firewall")
 	}
-	return m.nativeFirewall.AddOutputDNAT(localAddr, protocol, sourcePort, targetPort)
+	return m.nativeFirewall.AddOutputDNAT(localAddr, protocol, originalPort, translatedPort)
 }
 
 // RemoveOutputDNAT delegates to the native firewall if available.
-func (m *Manager) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (m *Manager) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
 	if m.nativeFirewall == nil {
 		return nil
 	}
-	return m.nativeFirewall.RemoveOutputDNAT(localAddr, protocol, sourcePort, targetPort)
+	return m.nativeFirewall.RemoveOutputDNAT(localAddr, protocol, originalPort, translatedPort)
 }
 
 // translateInboundPortDNAT applies port-specific DNAT translation to inbound packets.
@@ -532,12 +623,12 @@ func (m *Manager) applyPortRule(packetData []byte, d *decoder, srcIP, dstIP neti
 
 // rewriteTCPPort rewrites a TCP port (source or destination) and updates checksum.
 func (m *Manager) rewriteTCPPort(packetData []byte, d *decoder, newPort uint16, portOffset int) error {
-	ipHeaderLen := int(d.ip4.IHL) * 4
+	hdrLen, err := ipHeaderLen(d)
-	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
+	if err != nil {
-		return errInvalidIPHeaderLength
+		return err
 	}
 
-	tcpStart := ipHeaderLen
+	tcpStart := hdrLen
 	if len(packetData) < tcpStart+4 {
 		return fmt.Errorf("packet too short for TCP header")
 	}
@@ -563,12 +654,12 @@ func (m *Manager) rewriteTCPPort(packetData []byte, d *decoder, newPort uint16,
 
 // rewriteUDPPort rewrites a UDP port (source or destination) and updates checksum.
 func (m *Manager) rewriteUDPPort(packetData []byte, d *decoder, newPort uint16, portOffset int) error {
-	ipHeaderLen := int(d.ip4.IHL) * 4
+	hdrLen, err := ipHeaderLen(d)
-	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
+	if err != nil {
-		return errInvalidIPHeaderLength
+		return err
 	}
 
-	udpStart := ipHeaderLen
+	udpStart := hdrLen
 	if len(packetData) < udpStart+8 {
 		return fmt.Errorf("packet too short for UDP header")
 	}

client/firewall/uspfilter/nat_bench_test.go

@@ -342,12 +342,17 @@ func BenchmarkDNATMemoryAllocations(b *testing.B) {
 
 		// Parse the packet fresh each time to get a clean decoder
 		d := &decoder{decoded: []gopacket.LayerType{}}
-		d.parser = gopacket.NewDecodingLayerParser(
+		d.parser4 = gopacket.NewDecodingLayerParser(
 			layers.LayerTypeIPv4,
 			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
 		)
-		d.parser.IgnoreUnsupported = true
+		d.parser4.IgnoreUnsupported = true
-		err = d.parser.DecodeLayers(testPacket, &d.decoded)
+		d.parser6 = gopacket.NewDecodingLayerParser(
+			layers.LayerTypeIPv6,
+			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
+		)
+		d.parser6.IgnoreUnsupported = true
+		err = d.decodePacket(testPacket)
 		assert.NoError(b, err)
 
 		manager.translateOutboundDNAT(testPacket, d)
@@ -371,12 +376,17 @@ func BenchmarkDirectIPExtraction(b *testing.B) {
 	b.Run("decoder_extraction", func(b *testing.B) {
 		// Create decoder once for comparison
 		d := &decoder{decoded: []gopacket.LayerType{}}
-		d.parser = gopacket.NewDecodingLayerParser(
+		d.parser4 = gopacket.NewDecodingLayerParser(
 			layers.LayerTypeIPv4,
 			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
 		)
-		d.parser.IgnoreUnsupported = true
+		d.parser4.IgnoreUnsupported = true
-		err := d.parser.DecodeLayers(packet, &d.decoded)
+		d.parser6 = gopacket.NewDecodingLayerParser(
+			layers.LayerTypeIPv6,
+			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
+		)
+		d.parser6.IgnoreUnsupported = true
+		err := d.decodePacket(packet)
 		assert.NoError(b, err)
 
 		for i := 0; i < b.N; i++ {

client/firewall/uspfilter/nat_test.go

@@ -86,13 +86,18 @@ func parsePacket(t testing.TB, packetData []byte) *decoder {
 	d := &decoder{
 		decoded: []gopacket.LayerType{},
 	}
-	d.parser = gopacket.NewDecodingLayerParser(
+	d.parser4 = gopacket.NewDecodingLayerParser(
 		layers.LayerTypeIPv4,
 		&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
 	)
-	d.parser.IgnoreUnsupported = true
+	d.parser4.IgnoreUnsupported = true
+	d.parser6 = gopacket.NewDecodingLayerParser(
+		layers.LayerTypeIPv6,
+		&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
+	)
+	d.parser6.IgnoreUnsupported = true
 
-	err := d.parser.DecodeLayers(packetData, &d.decoded)
+	err := d.decodePacket(packetData)
 	require.NoError(t, err)
 	return d
 }

client/firewall/uspfilter/tracer.go

@@ -2,7 +2,9 @@ package uspfilter
 
 import (
 	"fmt"
+	"net"
 	"net/netip"
+	"strconv"
 	"time"
 
 	"github.com/google/gopacket"
@@ -112,10 +114,13 @@ func (t *PacketTrace) AddResultWithForwarder(stage PacketStage, message string,
 }
 
 func (p *PacketBuilder) Build() ([]byte, error) {
-	ip := p.buildIPLayer()
+	ipLayer, err := p.buildIPLayer()
-	pktLayers := []gopacket.SerializableLayer{ip}
+	if err != nil {
+		return nil, err
+	}
+	pktLayers := []gopacket.SerializableLayer{ipLayer}
 
-	transportLayer, err := p.buildTransportLayer(ip)
+	transportLayer, err := p.buildTransportLayer(ipLayer)
 	if err != nil {
 		return nil, err
 	}
@@ -129,30 +134,43 @@ func (p *PacketBuilder) Build() ([]byte, error) {
 	return serializePacket(pktLayers)
 }
 
-func (p *PacketBuilder) buildIPLayer() *layers.IPv4 {
+func (p *PacketBuilder) buildIPLayer() (gopacket.SerializableLayer, error) {
+	if p.SrcIP.Is4() != p.DstIP.Is4() {
+		return nil, fmt.Errorf("mixed address families: src=%s dst=%s", p.SrcIP, p.DstIP)
+	}
+	proto := getIPProtocolNumber(p.Protocol, p.SrcIP.Is6())
+	if p.SrcIP.Is6() {
+		return &layers.IPv6{
+			Version:    6,
+			HopLimit:   64,
+			NextHeader: proto,
+			SrcIP:      p.SrcIP.AsSlice(),
+			DstIP:      p.DstIP.AsSlice(),
+		}, nil
+	}
 	return &layers.IPv4{
 		Version:  4,
 		TTL:      64,
-		Protocol: layers.IPProtocol(getIPProtocolNumber(p.Protocol)),
+		Protocol: proto,
 		SrcIP:    p.SrcIP.AsSlice(),
 		DstIP:    p.DstIP.AsSlice(),
-	}
+	}, nil
 }
 
-func (p *PacketBuilder) buildTransportLayer(ip *layers.IPv4) ([]gopacket.SerializableLayer, error) {
+func (p *PacketBuilder) buildTransportLayer(ipLayer gopacket.SerializableLayer) ([]gopacket.SerializableLayer, error) {
 	switch p.Protocol {
 	case "tcp":
-		return p.buildTCPLayer(ip)
+		return p.buildTCPLayer(ipLayer)
 	case "udp":
-		return p.buildUDPLayer(ip)
+		return p.buildUDPLayer(ipLayer)
 	case "icmp":
-		return p.buildICMPLayer()
+		return p.buildICMPLayer(ipLayer)
 	default:
 		return nil, fmt.Errorf("unsupported protocol: %s", p.Protocol)
 	}
 }
 
-func (p *PacketBuilder) buildTCPLayer(ip *layers.IPv4) ([]gopacket.SerializableLayer, error) {
+func (p *PacketBuilder) buildTCPLayer(ipLayer gopacket.SerializableLayer) ([]gopacket.SerializableLayer, error) {
 	tcp := &layers.TCP{
 		SrcPort: layers.TCPPort(p.SrcPort),
 		DstPort: layers.TCPPort(p.DstPort),
@@ -164,24 +182,44 @@ func (p *PacketBuilder) buildTCPLayer(ip *layers.IPv4) ([]gopacket.SerializableL
 		PSH:     p.TCPState != nil && p.TCPState.PSH,
 		URG:     p.TCPState != nil && p.TCPState.URG,
 	}
-	if err := tcp.SetNetworkLayerForChecksum(ip); err != nil {
+	if nl, ok := ipLayer.(gopacket.NetworkLayer); ok {
-		return nil, fmt.Errorf("set network layer for TCP checksum: %w", err)
+		if err := tcp.SetNetworkLayerForChecksum(nl); err != nil {
+			return nil, fmt.Errorf("set network layer for TCP checksum: %w", err)
+		}
 	}
 	return []gopacket.SerializableLayer{tcp}, nil
 }
 
-func (p *PacketBuilder) buildUDPLayer(ip *layers.IPv4) ([]gopacket.SerializableLayer, error) {
+func (p *PacketBuilder) buildUDPLayer(ipLayer gopacket.SerializableLayer) ([]gopacket.SerializableLayer, error) {
 	udp := &layers.UDP{
 		SrcPort: layers.UDPPort(p.SrcPort),
 		DstPort: layers.UDPPort(p.DstPort),
 	}
-	if err := udp.SetNetworkLayerForChecksum(ip); err != nil {
+	if nl, ok := ipLayer.(gopacket.NetworkLayer); ok {
-		return nil, fmt.Errorf("set network layer for UDP checksum: %w", err)
+		if err := udp.SetNetworkLayerForChecksum(nl); err != nil {
+			return nil, fmt.Errorf("set network layer for UDP checksum: %w", err)
+		}
 	}
 	return []gopacket.SerializableLayer{udp}, nil
 }
 
-func (p *PacketBuilder) buildICMPLayer() ([]gopacket.SerializableLayer, error) {
+func (p *PacketBuilder) buildICMPLayer(ipLayer gopacket.SerializableLayer) ([]gopacket.SerializableLayer, error) {
+	if p.SrcIP.Is6() || p.DstIP.Is6() {
+		icmp := &layers.ICMPv6{
+			TypeCode: layers.CreateICMPv6TypeCode(p.ICMPType, p.ICMPCode),
+		}
+		if nl, ok := ipLayer.(gopacket.NetworkLayer); ok {
+			_ = icmp.SetNetworkLayerForChecksum(nl)
+		}
+		if p.ICMPType == layers.ICMPv6TypeEchoRequest || p.ICMPType == layers.ICMPv6TypeEchoReply {
+			echo := &layers.ICMPv6Echo{
+				Identifier: 1,
+				SeqNumber:  1,
+			}
+			return []gopacket.SerializableLayer{icmp, echo}, nil
+		}
+		return []gopacket.SerializableLayer{icmp}, nil
+	}
 	icmp := &layers.ICMPv4{
 		TypeCode: layers.CreateICMPv4TypeCode(p.ICMPType, p.ICMPCode),
 	}
@@ -204,14 +242,17 @@ func serializePacket(layers []gopacket.SerializableLayer) ([]byte, error) {
 	return buf.Bytes(), nil
 }
 
-func getIPProtocolNumber(protocol fw.Protocol) int {
+func getIPProtocolNumber(protocol fw.Protocol, isV6 bool) layers.IPProtocol {
 	switch protocol {
 	case fw.ProtocolTCP:
-		return int(layers.IPProtocolTCP)
+		return layers.IPProtocolTCP
 	case fw.ProtocolUDP:
-		return int(layers.IPProtocolUDP)
+		return layers.IPProtocolUDP
 	case fw.ProtocolICMP:
-		return int(layers.IPProtocolICMPv4)
+		if isV6 {
+			return layers.IPProtocolICMPv6
+		}
+		return layers.IPProtocolICMPv4
 	default:
 		return 0
 	}
@@ -234,7 +275,7 @@ func (m *Manager) TracePacket(packetData []byte, direction fw.RuleDirection) *Pa
 	trace := &PacketTrace{Direction: direction}
 
 	// Initial packet decoding
-	if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
+	if err := d.decodePacket(packetData); err != nil {
 		trace.AddResult(StageReceived, fmt.Sprintf("Failed to decode packet: %v", err), false)
 		return trace
 	}
@@ -256,6 +297,8 @@ func (m *Manager) TracePacket(packetData []byte, direction fw.RuleDirection) *Pa
 		trace.DestinationPort = uint16(d.udp.DstPort)
 	case layers.LayerTypeICMPv4:
 		trace.Protocol = "ICMP"
+	case layers.LayerTypeICMPv6:
+		trace.Protocol = "ICMPv6"
 	}
 
 	trace.AddResult(StageReceived, fmt.Sprintf("Received %s packet: %s:%d -> %s:%d",
@@ -319,6 +362,13 @@ func (m *Manager) buildConntrackStateMessage(d *decoder) string {
 			flags&conntrack.TCPFin != 0)
 	case layers.LayerTypeICMPv4:
 		msg += fmt.Sprintf(" (ICMP ID=%d, Seq=%d)", d.icmp4.Id, d.icmp4.Seq)
+	case layers.LayerTypeICMPv6:
+		var id, seq uint16
+		if len(d.icmp6.Payload) >= 4 {
+			id = uint16(d.icmp6.Payload[0])<<8 | uint16(d.icmp6.Payload[1])
+			seq = uint16(d.icmp6.Payload[2])<<8 | uint16(d.icmp6.Payload[3])
+		}
+		msg += fmt.Sprintf(" (ICMPv6 ID=%d, Seq=%d)", id, seq)
 	}
 	return msg
 }
@@ -395,7 +445,7 @@ func (m *Manager) handleRouteACLs(trace *PacketTrace, d *decoder, srcIP, dstIP n
 	trace.AddResult(StageRouteACL, msg, allowed)
 
 	if allowed && m.forwarder.Load() != nil {
-		m.addForwardingResult(trace, "proxy-remote", fmt.Sprintf("%s:%d", dstIP, dstPort), true)
+		m.addForwardingResult(trace, "proxy-remote", net.JoinHostPort(dstIP.String(), strconv.Itoa(int(dstPort))), true)
 	}
 
 	trace.AddResult(StageCompleted, msgProcessingCompleted, allowed)
@@ -415,7 +465,7 @@ func (m *Manager) traceOutbound(packetData []byte, trace *PacketTrace) *PacketTr
 	d := m.decoders.Get().(*decoder)
 	defer m.decoders.Put(d)
 
-	if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
+	if err := d.decodePacket(packetData); err != nil {
 		trace.AddResult(StageCompleted, "Packet dropped - decode error", false)
 		return trace
 	}
@@ -434,7 +484,7 @@ func (m *Manager) traceOutbound(packetData []byte, trace *PacketTrace) *PacketTr
 func (m *Manager) handleInboundDNAT(trace *PacketTrace, packetData []byte, d *decoder, srcIP, dstIP *netip.Addr) bool {
 	portDNATApplied := m.traceInboundPortDNAT(trace, packetData, d)
 	if portDNATApplied {
-		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
+		if err := d.decodePacket(packetData); err != nil {
 			trace.AddResult(StageInboundPortDNAT, "Failed to re-decode after port DNAT", false)
 			return true
 		}
@@ -444,7 +494,7 @@ func (m *Manager) handleInboundDNAT(trace *PacketTrace, packetData []byte, d *de
 
 	nat1to1Applied := m.traceInbound1to1NAT(trace, packetData, d)
 	if nat1to1Applied {
-		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
+		if err := d.decodePacket(packetData); err != nil {
 			trace.AddResult(StageInbound1to1NAT, "Failed to re-decode after 1:1 NAT", false)
 			return true
 		}
@@ -509,7 +559,7 @@ func (m *Manager) traceInbound1to1NAT(trace *PacketTrace, packetData []byte, d *
 		return false
 	}
 
-	srcIP := netip.AddrFrom4([4]byte{packetData[12], packetData[13], packetData[14], packetData[15]})
+	srcIP, _ := extractPacketIPs(packetData, d)
 
 	translated := m.translateInboundReverse(packetData, d)
 	if translated {
@@ -539,7 +589,7 @@ func (m *Manager) traceOutbound1to1NAT(trace *PacketTrace, packetData []byte, d
 		return false
 	}
 
-	dstIP := netip.AddrFrom4([4]byte{packetData[16], packetData[17], packetData[18], packetData[19]})
+	_, dstIP := extractPacketIPs(packetData, d)
 
 	translated := m.translateOutboundDNAT(packetData, d)
 	if translated {

client/iface/configurer/usp.go

@@ -119,7 +119,7 @@ func (c *WGUSPConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix,
 		if err != nil {
 			return fmt.Errorf("failed to parse endpoint address: %w", err)
 		}
-		addrPort := netip.AddrPortFrom(addr, uint16(endpoint.Port))
+		addrPort := netip.AddrPortFrom(addr.Unmap(), uint16(endpoint.Port))
 		c.activityRecorder.UpsertAddress(peerKey, addrPort)
 	}
 	return nil

client/iface/device/adapter.go

@@ -2,7 +2,7 @@ package device
 
 // TunAdapter is an interface for create tun device from external service
 type TunAdapter interface {
-	ConfigureInterface(address string, mtu int, dns string, searchDomains string, routes string) (int, error)
+	ConfigureInterface(address string, addressV6 string, mtu int, dns string, searchDomains string, routes string) (int, error)
 	UpdateAddr(address string) error
 	ProtectSocket(fd int32) bool
 }

client/iface/device/device_android.go

@@ -63,7 +63,7 @@ func (t *WGTunDevice) Create(routes []string, dns string, searchDomains []string
 		searchDomainsToString = ""
 	}
 
-	fd, err := t.tunAdapter.ConfigureInterface(t.address.String(), int(t.mtu), dns, searchDomainsToString, routesString)
+	fd, err := t.tunAdapter.ConfigureInterface(t.address.String(), t.address.IPv6String(), int(t.mtu), dns, searchDomainsToString, routesString)
 	if err != nil {
 		log.Errorf("failed to create Android interface: %s", err)
 		return nil, err

client/iface/device/device_darwin.go

@@ -131,23 +131,32 @@ func (t *TunDevice) Device() *device.Device {
 
 // assignAddr Adds IP address to the tunnel interface and network route based on the range provided
 func (t *TunDevice) assignAddr() error {
-	cmd := exec.Command("ifconfig", t.name, "inet", t.address.IP.String(), t.address.IP.String())
+	if out, err := exec.Command("ifconfig", t.name, "inet", t.address.IP.String(), t.address.IP.String()).CombinedOutput(); err != nil {
-	if out, err := cmd.CombinedOutput(); err != nil {
+		return fmt.Errorf("add v4 address: %s: %w", string(out), err)
-		log.Errorf("adding address command '%v' failed with output: %s", cmd.String(), out)
-		return err
 	}
 
-	// dummy ipv6 so routing works
+	// Assign a dummy link-local so macOS enables IPv6 on the tun device.
-	cmd = exec.Command("ifconfig", t.name, "inet6", "fe80::/64")
+	// When a real overlay v6 is present, use that instead.
-	if out, err := cmd.CombinedOutput(); err != nil {
+	v6Addr := "fe80::/64"
-		log.Debugf("adding address command '%v' failed with output: %s", cmd.String(), out)
+	if t.address.HasIPv6() {
+		v6Addr = t.address.IPv6String()
+	}
+	if out, err := exec.Command("ifconfig", t.name, "inet6", v6Addr).CombinedOutput(); err != nil {
+		log.Warnf("failed to assign IPv6 address %s, continuing v4-only: %s: %v", v6Addr, string(out), err)
+		t.address.ClearIPv6()
 	}
 
-	routeCmd := exec.Command("route", "add", "-net", t.address.Network.String(), "-interface", t.name)
+	if out, err := exec.Command("route", "add", "-net", t.address.Network.String(), "-interface", t.name).CombinedOutput(); err != nil {
-	if out, err := routeCmd.CombinedOutput(); err != nil {
+		return fmt.Errorf("add route %s via %s: %s: %w", t.address.Network, t.name, string(out), err)
-		log.Errorf("adding route command '%v' failed with output: %s", routeCmd.String(), out)
-		return err
 	}
+
+	if t.address.HasIPv6() {
+		if out, err := exec.Command("route", "add", "-inet6", "-net", t.address.IPv6Net.String(), "-interface", t.name).CombinedOutput(); err != nil {
+			log.Warnf("failed to add route %s via %s, continuing v4-only: %s: %v", t.address.IPv6Net, t.name, string(out), err)
+			t.address.ClearIPv6()
+		}
+	}
+
 	return nil
 }
 

client/iface/device/device_ios.go

@@ -151,8 +151,11 @@ func (t *TunDevice) MTU() uint16 {
 	return t.mtu
 }
 
-func (t *TunDevice) UpdateAddr(_ wgaddr.Address) error {
+// UpdateAddr updates the device address. On iOS the tunnel is managed by the
-	// todo implement
+// NetworkExtension, so we only store the new value. The extension picks up the
+// change on the next tunnel reconfiguration.
+func (t *TunDevice) UpdateAddr(addr wgaddr.Address) error {
+	t.address = addr
 	return nil
 }
 

client/iface/device/device_kernel_unix.go

@@ -173,7 +173,7 @@ func (t *TunKernelDevice) FilteredDevice() *FilteredDevice {
 
 // assignAddr Adds IP address to the tunnel interface
 func (t *TunKernelDevice) assignAddr() error {
-	return t.link.assignAddr(t.address)
+	return t.link.assignAddr(&t.address)
 }
 
 func (t *TunKernelDevice) GetNet() *netstack.Net {

client/iface/device/device_netstack.go

@@ -3,6 +3,7 @@ package device
 import (
 	"errors"
 	"fmt"
+	"net/netip"
 
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/conn"
@@ -63,8 +64,12 @@ func (t *TunNetstackDevice) create() (WGConfigurer, error) {
 		return nil, fmt.Errorf("last ip: %w", err)
 	}
 
-	log.Debugf("netstack using address: %s", t.address.IP)
+	addresses := []netip.Addr{t.address.IP}
-	t.nsTun = nbnetstack.NewNetStackTun(t.listenAddress, t.address.IP, dnsAddr, int(t.mtu))
+	if t.address.HasIPv6() {
+		addresses = append(addresses, t.address.IPv6)
+	}
+	log.Debugf("netstack using addresses: %v", addresses)
+	t.nsTun = nbnetstack.NewNetStackTun(t.listenAddress, addresses, dnsAddr, int(t.mtu))
 	log.Debugf("netstack using dns address: %s", dnsAddr)
 	tunIface, net, err := t.nsTun.Create()
 	if err != nil {

client/iface/device/device_usp_unix.go

@@ -16,7 +16,7 @@ import (
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
-type USPDevice struct {
+type TunDevice struct {
 	name    string
 	address wgaddr.Address
 	port    int
@@ -30,10 +30,10 @@ type USPDevice struct {
 	configurer     WGConfigurer
 }
 
-func NewUSPDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind) *USPDevice {
+func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind) *TunDevice {
 	log.Infof("using userspace bind mode")
 
-	return &USPDevice{
+	return &TunDevice{
 		name:    name,
 		address: address,
 		port:    port,
@@ -43,7 +43,7 @@ func NewUSPDevice(name string, address wgaddr.Address, port int, key string, mtu
 	}
 }
 
-func (t *USPDevice) Create() (WGConfigurer, error) {
+func (t *TunDevice) Create() (WGConfigurer, error) {
 	log.Info("create tun interface")
 	tunIface, err := tun.CreateTUN(t.name, int(t.mtu))
 	if err != nil {
@@ -75,7 +75,7 @@ func (t *USPDevice) Create() (WGConfigurer, error) {
 	return t.configurer, nil
 }
 
-func (t *USPDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
+func (t *TunDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
 	if t.device == nil {
 		return nil, fmt.Errorf("device is not ready yet")
 	}
@@ -95,12 +95,12 @@ func (t *USPDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
 	return udpMux, nil
 }
 
-func (t *USPDevice) UpdateAddr(address wgaddr.Address) error {
+func (t *TunDevice) UpdateAddr(address wgaddr.Address) error {
 	t.address = address
 	return t.assignAddr()
 }
 
-func (t *USPDevice) Close() error {
+func (t *TunDevice) Close() error {
 	if t.configurer != nil {
 		t.configurer.Close()
 	}
@@ -115,39 +115,39 @@ func (t *USPDevice) Close() error {
 	return nil
 }
 
-func (t *USPDevice) WgAddress() wgaddr.Address {
+func (t *TunDevice) WgAddress() wgaddr.Address {
 	return t.address
 }
 
-func (t *USPDevice) MTU() uint16 {
+func (t *TunDevice) MTU() uint16 {
 	return t.mtu
 }
 
-func (t *USPDevice) DeviceName() string {
+func (t *TunDevice) DeviceName() string {
 	return t.name
 }
 
-func (t *USPDevice) FilteredDevice() *FilteredDevice {
+func (t *TunDevice) FilteredDevice() *FilteredDevice {
 	return t.filteredDevice
 }
 
 // Device returns the wireguard device
-func (t *USPDevice) Device() *device.Device {
+func (t *TunDevice) Device() *device.Device {
 	return t.device
 }
 
 // assignAddr Adds IP address to the tunnel interface
-func (t *USPDevice) assignAddr() error {
+func (t *TunDevice) assignAddr() error {
 	link := newWGLink(t.name)
 
-	return link.assignAddr(t.address)
+	return link.assignAddr(&t.address)
 }
 
-func (t *USPDevice) GetNet() *netstack.Net {
+func (t *TunDevice) GetNet() *netstack.Net {
 	return nil
 }
 
 // GetICEBind returns the ICEBind instance
-func (t *USPDevice) GetICEBind() EndpointManager {
+func (t *TunDevice) GetICEBind() EndpointManager {
 	return t.iceBind
 }

client/iface/device/device_windows.go

@@ -87,7 +87,21 @@ func (t *TunDevice) Create() (WGConfigurer, error) {
 	err = nbiface.Set()
 	if err != nil {
 		t.device.Close()
-		return nil, fmt.Errorf("got error when getting setting the interface mtu: %s", err)
+		return nil, fmt.Errorf("set IPv4 interface MTU: %s", err)
+	}
+
+	if t.address.HasIPv6() {
+		nbiface6, err := luid.IPInterface(windows.AF_INET6)
+		if err != nil {
+			log.Warnf("failed to get IPv6 interface for MTU, continuing v4-only: %v", err)
+			t.address.ClearIPv6()
+		} else {
+			nbiface6.NLMTU = uint32(t.mtu)
+			if err := nbiface6.Set(); err != nil {
+				log.Warnf("failed to set IPv6 interface MTU, continuing v4-only: %v", err)
+				t.address.ClearIPv6()
+			}
+		}
 	}
 	err = t.assignAddr()
 	if err != nil {
@@ -178,8 +192,21 @@ func (t *TunDevice) GetInterfaceGUIDString() (string, error) {
 // assignAddr Adds IP address to the tunnel interface and network route based on the range provided
 func (t *TunDevice) assignAddr() error {
 	luid := winipcfg.LUID(t.nativeTunDevice.LUID())
-	log.Debugf("adding address %s to interface: %s", t.address.IP, t.name)
+
-	return luid.SetIPAddresses([]netip.Prefix{netip.MustParsePrefix(t.address.String())})
+	v4Prefix := t.address.Prefix()
+	if t.address.HasIPv6() {
+		v6Prefix := t.address.IPv6Prefix()
+		log.Debugf("adding addresses %s, %s to interface: %s", v4Prefix, v6Prefix, t.name)
+		if err := luid.SetIPAddresses([]netip.Prefix{v4Prefix, v6Prefix}); err != nil {
+			log.Warnf("failed to assign dual-stack addresses, retrying v4-only: %v", err)
+			t.address.ClearIPv6()
+			return luid.SetIPAddresses([]netip.Prefix{v4Prefix})
+		}
+		return nil
+	}
+
+	log.Debugf("adding address %s to interface: %s", v4Prefix, t.name)
+	return luid.SetIPAddresses([]netip.Prefix{v4Prefix})
 }
 
 func (t *TunDevice) GetNet() *netstack.Net {

client/iface/device/kernel_module.go

@@ -1,8 +0,0 @@
-//go:build (!linux && !freebsd) || android
-
-package device
-
-// WireGuardModuleIsLoaded check if we can load WireGuard mod (linux only)
-func WireGuardModuleIsLoaded() bool {
-	return false
-}

client/iface/device/kernel_module_freebsd.go

@@ -1,18 +0,0 @@
-package device
-
-// WireGuardModuleIsLoaded check if kernel support wireguard
-func WireGuardModuleIsLoaded() bool {
-	// Despite the fact FreeBSD natively support Wireguard (https://github.com/WireGuard/wireguard-freebsd)
-	//  we are currently do not use it, since it is required to add wireguard kernel support to
-	//   - https://github.com/netbirdio/netbird/tree/main/sharedsock
-	//   - https://github.com/mdlayher/socket
-	// TODO: implement kernel space
-	return false
-}
-
-// ModuleTunIsLoaded check if tun module exist, if is not attempt to load it
-func ModuleTunIsLoaded() bool {
-	// Assume tun supported by freebsd kernel by default
-	// TODO: implement check for module loaded in kernel or build-it
-	return true
-}

client/iface/device/kernel_module_nonlinux.go

@@ -0,0 +1,13 @@
+//go:build !linux || android
+
+package device
+
+// WireGuardModuleIsLoaded reports whether the kernel WireGuard module is available.
+func WireGuardModuleIsLoaded() bool {
+	return false
+}
+
+// ModuleTunIsLoaded reports whether the tun device is available.
+func ModuleTunIsLoaded() bool {
+	return true
+}

client/iface/device/wg_link_freebsd.go

@@ -2,6 +2,7 @@ package device
 
 import (
 	"fmt"
+	"os/exec"
 
 	log "github.com/sirupsen/logrus"
 
@@ -57,32 +58,32 @@ func (l *wgLink) up() error {
 	return nil
 }
 
-func (l *wgLink) assignAddr(address wgaddr.Address) error {
+func (l *wgLink) assignAddr(address *wgaddr.Address) error {
 	link, err := freebsd.LinkByName(l.name)
 	if err != nil {
 		return fmt.Errorf("link by name: %w", err)
 	}
 
-	ip := address.IP.String()
-
-	// Convert prefix length to hex netmask
 	prefixLen := address.Network.Bits()
-	if !address.IP.Is4() {
-		return fmt.Errorf("IPv6 not supported for interface assignment")
-	}
-
 	maskBits := uint32(0xffffffff) << (32 - prefixLen)
 	mask := fmt.Sprintf("0x%08x", maskBits)
 
-	log.Infof("assign addr %s mask %s to %s interface", ip, mask, l.name)
+	log.Infof("assign addr %s mask %s to %s interface", address.IP, mask, l.name)
 
-	err = link.AssignAddr(ip, mask)
+	if err := link.AssignAddr(address.IP.String(), mask); err != nil {
-	if err != nil {
 		return fmt.Errorf("assign addr: %w", err)
 	}
 
-	err = link.Up()
+	if address.HasIPv6() {
-	if err != nil {
+		log.Infof("assign IPv6 addr %s to %s interface", address.IPv6String(), l.name)
+		cmd := exec.Command("ifconfig", l.name, "inet6", address.IPv6String())
+		if out, err := cmd.CombinedOutput(); err != nil {
+			log.Warnf("failed to assign IPv6 address %s to %s, continuing v4-only: %s: %v", address.IPv6String(), l.name, string(out), err)
+			address.ClearIPv6()
+		}
+	}
+
+	if err := link.Up(); err != nil {
 		return fmt.Errorf("up: %w", err)
 	}
 

client/iface/device/wg_link_linux.go

@@ -4,6 +4,8 @@ package device
 
 import (
 	"fmt"
+	"net"
+	"net/netip"
 	"os"
 
 	log "github.com/sirupsen/logrus"
@@ -92,7 +94,7 @@ func (l *wgLink) up() error {
 	return nil
 }
 
-func (l *wgLink) assignAddr(address wgaddr.Address) error {
+func (l *wgLink) assignAddr(address *wgaddr.Address) error {
 	//delete existing addresses
 	list, err := netlink.AddrList(l, 0)
 	if err != nil {
@@ -110,20 +112,16 @@ func (l *wgLink) assignAddr(address wgaddr.Address) error {
 	}
 
 	name := l.attrs.Name
-	addrStr := address.String()
 
-	log.Debugf("adding address %s to interface: %s", addrStr, name)
+	if err := l.addAddr(name, address.Prefix()); err != nil {
-
+		return err
-	addr, err := netlink.ParseAddr(addrStr)
-	if err != nil {
-		return fmt.Errorf("parse addr: %w", err)
 	}
 
-	err = netlink.AddrAdd(l, addr)
+	if address.HasIPv6() {
-	if os.IsExist(err) {
+		if err := l.addAddr(name, address.IPv6Prefix()); err != nil {
-		log.Infof("interface %s already has the address: %s", name, addrStr)
+			log.Warnf("failed to assign IPv6 address %s to %s, continuing v4-only: %v", address.IPv6Prefix(), name, err)
-	} else if err != nil {
+			address.ClearIPv6()
-		return fmt.Errorf("add addr: %w", err)
+		}
 	}
 
 	// On linux, the link must be brought up
@@ -133,3 +131,22 @@ func (l *wgLink) assignAddr(address wgaddr.Address) error {
 
 	return nil
 }
+
+func (l *wgLink) addAddr(ifaceName string, prefix netip.Prefix) error {
+	log.Debugf("adding address %s to interface: %s", prefix, ifaceName)
+
+	addr := &netlink.Addr{
+		IPNet: &net.IPNet{
+			IP:   prefix.Addr().AsSlice(),
+			Mask: net.CIDRMask(prefix.Bits(), prefix.Addr().BitLen()),
+		},
+	}
+
+	if err := netlink.AddrAdd(l, addr); os.IsExist(err) {
+		log.Infof("interface %s already has the address: %s", ifaceName, prefix)
+	} else if err != nil {
+		return fmt.Errorf("add addr %s: %w", prefix, err)
+	}
+
+	return nil
+}

client/iface/iface.go

@@ -57,7 +57,7 @@ type wgProxyFactory interface {
 
 type WGIFaceOpts struct {
 	IFaceName    string
-	Address      string
+	Address      wgaddr.Address
 	WGPort       int
 	WGPrivKey    string
 	MTU          uint16
@@ -141,16 +141,11 @@ func (w *WGIface) Up() (*udpmux.UniversalUDPMuxDefault, error) {
 }
 
 // UpdateAddr updates address of the interface
-func (w *WGIface) UpdateAddr(newAddr string) error {
+func (w *WGIface) UpdateAddr(newAddr wgaddr.Address) error {
 	w.mu.Lock()
 	defer w.mu.Unlock()
 
-	addr, err := wgaddr.ParseWGAddress(newAddr)
+	return w.tun.UpdateAddr(newAddr)
-	if err != nil {
-		return err
-	}
-
-	return w.tun.UpdateAddr(addr)
 }
 
 // UpdatePeer updates existing Wireguard Peer or creates a new one if doesn't exist

client/iface/iface_new.go

@@ -1,33 +1,28 @@
+//go:build !linux && !ios && !android && !js
+
 package iface
 
 import (
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/netstack"
-	wgaddr "github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
 )
 
 // NewWGIFace Creates a new WireGuard interface instance
 func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := wgaddr.ParseWGAddress(opts.Address)
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, opts.Address, opts.MTU)
-	if err != nil {
-		return nil, err
-	}
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
 
 	var tun WGTunDevice
 	if netstack.IsEnabled() {
-		tun = device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr())
+		tun = device.NewNetstackDevice(opts.IFaceName, opts.Address, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr())
 	} else {
-		tun = device.NewTunDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind)
+		tun = device.NewTunDevice(opts.IFaceName, opts.Address, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind)
 	}
 
-	wgIFace := &WGIface{
+	return &WGIface{
 		userspaceBind:  true,
 		tun:            tun,
 		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
-	}
+	}, nil
-	return wgIFace, nil
-
 }

client/iface/iface_new_android.go

@@ -4,23 +4,17 @@ import (
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
 )
 
 // NewWGIFace Creates a new WireGuard interface instance
 func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := wgaddr.ParseWGAddress(opts.Address)
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, opts.Address, opts.MTU)
-	if err != nil {
-		return nil, err
-	}
-
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
 
 	if netstack.IsEnabled() {
 		wgIFace := &WGIface{
 			userspaceBind:  true,
-			tun:            device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr()),
+			tun:            device.NewNetstackDevice(opts.IFaceName, opts.Address, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr()),
 			wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
 		}
 		return wgIFace, nil
@@ -28,7 +22,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 
 	wgIFace := &WGIface{
 		userspaceBind:  true,
-		tun:            device.NewTunDevice(wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunAdapter, opts.DisableDNS),
+		tun:            device.NewTunDevice(opts.Address, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunAdapter, opts.DisableDNS),
 		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
 	}
 	return wgIFace, nil

client/iface/iface_new_darwin.go

@@ -1,35 +0,0 @@
-//go:build !ios
-
-package iface
-
-import (
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	"github.com/netbirdio/netbird/client/iface/wgproxy"
-)
-
-// NewWGIFace Creates a new WireGuard interface instance
-func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := wgaddr.ParseWGAddress(opts.Address)
-	if err != nil {
-		return nil, err
-	}
-
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
-
-	var tun WGTunDevice
-	if netstack.IsEnabled() {
-		tun = device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr())
-	} else {
-		tun = device.NewTunDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind)
-	}
-
-	wgIFace := &WGIface{
-		userspaceBind:  true,
-		tun:            tun,
-		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
-	}
-	return wgIFace, nil
-}

client/iface/iface_new_freebsd.go

@@ -1,41 +0,0 @@
-//go:build freebsd
-
-package iface
-
-import (
-	"fmt"
-
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	"github.com/netbirdio/netbird/client/iface/wgproxy"
-)
-
-// NewWGIFace Creates a new WireGuard interface instance
-func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := wgaddr.ParseWGAddress(opts.Address)
-	if err != nil {
-		return nil, err
-	}
-
-	wgIFace := &WGIface{}
-
-	if netstack.IsEnabled() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
-		wgIFace.tun = device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr())
-		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
-		return wgIFace, nil
-	}
-
-	if device.ModuleTunIsLoaded() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
-		wgIFace.tun = device.NewUSPDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind)
-		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
-		return wgIFace, nil
-	}
-
-	return nil, fmt.Errorf("couldn't check or load tun module")
-}

client/iface/iface_new_ios.go

@@ -5,21 +5,15 @@ package iface
 import (
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
 )
 
 // NewWGIFace Creates a new WireGuard interface instance
 func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := wgaddr.ParseWGAddress(opts.Address)
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, opts.Address, opts.MTU)
-	if err != nil {
-		return nil, err
-	}
-
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
 
 	wgIFace := &WGIface{
-		tun:            device.NewTunDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunFd),
+		tun:            device.NewTunDevice(opts.IFaceName, opts.Address, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunFd),
 		userspaceBind:  true,
 		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
 	}

client/iface/iface_new_js.go

@@ -4,21 +4,15 @@ import (
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
 )
 
 // NewWGIFace creates a new WireGuard interface for WASM (always uses netstack mode)
 func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := wgaddr.ParseWGAddress(opts.Address)
-	if err != nil {
-		return nil, err
-	}
-
 	relayBind := bind.NewRelayBindJS()
 
 	wgIface := &WGIface{
-		tun:            device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, relayBind, netstack.ListenAddr()),
+		tun:            device.NewNetstackDevice(opts.IFaceName, opts.Address, opts.WGPort, opts.WGPrivKey, opts.MTU, relayBind, netstack.ListenAddr()),
 		userspaceBind:  true,
 		wgProxyFactory: wgproxy.NewUSPFactory(relayBind, opts.MTU),
 	}

client/iface/iface_new_linux.go

@@ -3,44 +3,40 @@
 package iface
 
 import (
-	"fmt"
+	"errors"
 
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
 )
 
 // NewWGIFace Creates a new WireGuard interface instance
 func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := wgaddr.ParseWGAddress(opts.Address)
-	if err != nil {
-		return nil, err
-	}
-
-	wgIFace := &WGIface{}
-
 	if netstack.IsEnabled() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
+		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, opts.Address, opts.MTU)
-		wgIFace.tun = device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr())
+		return &WGIface{
-		wgIFace.userspaceBind = true
+			tun:            device.NewNetstackDevice(opts.IFaceName, opts.Address, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr()),
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
+			userspaceBind:  true,
-		return wgIFace, nil
+			wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
+		}, nil
 	}
 
 	if device.WireGuardModuleIsLoaded() {
-		wgIFace.tun = device.NewKernelDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, opts.TransportNet)
+		return &WGIface{
-		wgIFace.wgProxyFactory = wgproxy.NewKernelFactory(opts.WGPort, opts.MTU)
+			tun:            device.NewKernelDevice(opts.IFaceName, opts.Address, opts.WGPort, opts.WGPrivKey, opts.MTU, opts.TransportNet),
-		return wgIFace, nil
+			wgProxyFactory: wgproxy.NewKernelFactory(opts.WGPort, opts.MTU),
-	}
+		}, nil
-	if device.ModuleTunIsLoaded() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
-		wgIFace.tun = device.NewUSPDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind)
-		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
-		return wgIFace, nil
 	}
 
-	return nil, fmt.Errorf("couldn't check or load tun module")
+	if device.ModuleTunIsLoaded() {
+		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, opts.Address, opts.MTU)
+		return &WGIface{
+			tun:            device.NewTunDevice(opts.IFaceName, opts.Address, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind),
+			userspaceBind:  true,
+			wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
+		}, nil
+	}
+
+	return nil, errors.New("tun module not available")
 }

client/iface/iface_test.go

@@ -16,6 +16,7 @@ import (
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
 	"github.com/netbirdio/netbird/client/iface/device"
+	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 )
 
@@ -48,7 +49,7 @@ func TestWGIface_UpdateAddr(t *testing.T) {
 
 	opts := WGIFaceOpts{
 		IFaceName:    ifaceName,
-		Address:      addr,
+		Address:      wgaddr.MustParseWGAddress(addr),
 		WGPort:       wgPort,
 		WGPrivKey:    key,
 		MTU:          DefaultMTU,
@@ -84,7 +85,7 @@ func TestWGIface_UpdateAddr(t *testing.T) {
 
 	//update WireGuard address
 	addr = "100.64.0.2/8"
-	err = iface.UpdateAddr(addr)
+	err = iface.UpdateAddr(wgaddr.MustParseWGAddress(addr))
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -130,7 +131,7 @@ func Test_CreateInterface(t *testing.T) {
 	}
 	opts := WGIFaceOpts{
 		IFaceName:    ifaceName,
-		Address:      wgIP,
+		Address:      wgaddr.MustParseWGAddress(wgIP),
 		WGPort:       33100,
 		WGPrivKey:    key,
 		MTU:          DefaultMTU,
@@ -174,7 +175,7 @@ func Test_Close(t *testing.T) {
 
 	opts := WGIFaceOpts{
 		IFaceName:    ifaceName,
-		Address:      wgIP,
+		Address:      wgaddr.MustParseWGAddress(wgIP),
 		WGPort:       wgPort,
 		WGPrivKey:    key,
 		MTU:          DefaultMTU,
@@ -219,7 +220,7 @@ func TestRecreation(t *testing.T) {
 
 			opts := WGIFaceOpts{
 				IFaceName:    ifaceName,
-				Address:      wgIP,
+				Address:      wgaddr.MustParseWGAddress(wgIP),
 				WGPort:       wgPort,
 				WGPrivKey:    key,
 				MTU:          DefaultMTU,
@@ -291,7 +292,7 @@ func Test_ConfigureInterface(t *testing.T) {
 	}
 	opts := WGIFaceOpts{
 		IFaceName:    ifaceName,
-		Address:      wgIP,
+		Address:      wgaddr.MustParseWGAddress(wgIP),
 		WGPort:       wgPort,
 		WGPrivKey:    key,
 		MTU:          DefaultMTU,
@@ -347,7 +348,7 @@ func Test_UpdatePeer(t *testing.T) {
 
 	opts := WGIFaceOpts{
 		IFaceName:    ifaceName,
-		Address:      wgIP,
+		Address:      wgaddr.MustParseWGAddress(wgIP),
 		WGPort:       33100,
 		WGPrivKey:    key,
 		MTU:          DefaultMTU,
@@ -417,7 +418,7 @@ func Test_RemovePeer(t *testing.T) {
 
 	opts := WGIFaceOpts{
 		IFaceName:    ifaceName,
-		Address:      wgIP,
+		Address:      wgaddr.MustParseWGAddress(wgIP),
 		WGPort:       33100,
 		WGPrivKey:    key,
 		MTU:          DefaultMTU,
@@ -482,7 +483,7 @@ func Test_ConnectPeers(t *testing.T) {
 
 	optsPeer1 := WGIFaceOpts{
 		IFaceName:    peer1ifaceName,
-		Address:      peer1wgIP.String(),
+		Address:      wgaddr.MustParseWGAddress(peer1wgIP.String()),
 		WGPort:       peer1wgPort,
 		WGPrivKey:    peer1Key.String(),
 		MTU:          DefaultMTU,
@@ -522,7 +523,7 @@ func Test_ConnectPeers(t *testing.T) {
 
 	optsPeer2 := WGIFaceOpts{
 		IFaceName:    peer2ifaceName,
-		Address:      peer2wgIP.String(),
+		Address:      wgaddr.MustParseWGAddress(peer2wgIP.String()),
 		WGPort:       peer2wgPort,
 		WGPrivKey:    peer2Key.String(),
 		MTU:          DefaultMTU,

client/iface/netstack/tun.go

@@ -13,7 +13,7 @@ import (
 const EnvSkipProxy = "NB_NETSTACK_SKIP_PROXY"
 
 type NetStackTun struct { //nolint:revive
-	address       netip.Addr
+	addresses     []netip.Addr
 	dnsAddress    netip.Addr
 	mtu           int
 	listenAddress string
@@ -22,9 +22,9 @@ type NetStackTun struct { //nolint:revive
 	tundev tun.Device
 }
 
-func NewNetStackTun(listenAddress string, address netip.Addr, dnsAddress netip.Addr, mtu int) *NetStackTun {
+func NewNetStackTun(listenAddress string, addresses []netip.Addr, dnsAddress netip.Addr, mtu int) *NetStackTun {
 	return &NetStackTun{
-		address:       address,
+		addresses:     addresses,
 		dnsAddress:    dnsAddress,
 		mtu:           mtu,
 		listenAddress: listenAddress,
@@ -33,7 +33,7 @@ func NewNetStackTun(listenAddress string, address netip.Addr, dnsAddress netip.A
 
 func (t *NetStackTun) Create() (tun.Device, *netstack.Net, error) {
 	nsTunDev, tunNet, err := netstack.CreateNetTUN(
-		[]netip.Addr{t.address},
+		t.addresses,
 		[]netip.Addr{t.dnsAddress},
 		t.mtu)
 	if err != nil {

client/iface/wgaddr/address.go

@@ -3,12 +3,18 @@ package wgaddr
 import (
 	"fmt"
 	"net/netip"
+
+	"github.com/netbirdio/netbird/shared/netiputil"
 )
 
 // Address WireGuard parsed address
 type Address struct {
 	IP      netip.Addr
 	Network netip.Prefix
+
+	// IPv6 overlay address, if assigned.
+	IPv6    netip.Addr
+	IPv6Net netip.Prefix
 }
 
 // ParseWGAddress parse a string ("1.2.3.4/24") address to WG Address
@@ -23,6 +29,60 @@ func ParseWGAddress(address string) (Address, error) {
 	}, nil
 }
 
-func (addr Address) String() string {
+// HasIPv6 reports whether a v6 overlay address is assigned.
-	return fmt.Sprintf("%s/%d", addr.IP.String(), addr.Network.Bits())
+func (addr Address) HasIPv6() bool {
+	return addr.IPv6.IsValid()
+}
+
+func (addr Address) String() string {
+	return addr.Prefix().String()
+}
+
+// IPv6String returns the v6 address in CIDR notation, or empty string if none.
+func (addr Address) IPv6String() string {
+	if !addr.HasIPv6() {
+		return ""
+	}
+	return addr.IPv6Prefix().String()
+}
+
+// Prefix returns the v4 host address with its network prefix length (e.g. 100.64.0.1/16).
+func (addr Address) Prefix() netip.Prefix {
+	return netip.PrefixFrom(addr.IP, addr.Network.Bits())
+}
+
+// IPv6Prefix returns the v6 host address with its network prefix length, or a zero prefix if none.
+func (addr Address) IPv6Prefix() netip.Prefix {
+	if !addr.HasIPv6() {
+		return netip.Prefix{}
+	}
+	return netip.PrefixFrom(addr.IPv6, addr.IPv6Net.Bits())
+}
+
+// SetIPv6FromCompact decodes a compact prefix (5 or 17 bytes) and sets the IPv6 fields.
+// Returns an error if the bytes are invalid. A nil or empty input is a no-op.
+//
+//nolint:recvcheck
+func (addr *Address) SetIPv6FromCompact(raw []byte) error {
+	if len(raw) == 0 {
+		return nil
+	}
+	prefix, err := netiputil.DecodePrefix(raw)
+	if err != nil {
+		return fmt.Errorf("decode v6 overlay address: %w", err)
+	}
+	if !prefix.Addr().Is6() {
+		return fmt.Errorf("expected IPv6 address, got %s", prefix.Addr())
+	}
+	addr.IPv6 = prefix.Addr()
+	addr.IPv6Net = prefix.Masked()
+	return nil
+}
+
+// ClearIPv6 removes the IPv6 overlay address, leaving only v4.
+//
+//nolint:recvcheck
+func (addr *Address) ClearIPv6() {
+	addr.IPv6 = netip.Addr{}
+	addr.IPv6Net = netip.Prefix{}
 }

client/iface/wgaddr/address_test_helpers.go

@@ -0,0 +1,10 @@
+package wgaddr
+
+// MustParseWGAddress parses and returns a WG Address, panicking on error.
+func MustParseWGAddress(address string) Address {
+	a, err := ParseWGAddress(address)
+	if err != nil {
+		panic(err)
+	}
+	return a
+}

client/iface/wgproxy/bind/proxy.go

@@ -6,7 +6,7 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
-	"strings"
+
 	"sync"
 
 	log "github.com/sirupsen/logrus"
@@ -196,18 +196,22 @@ func (p *ProxyBind) proxyToLocal(ctx context.Context) {
 	}
 }
 
-// fakeAddress returns a fake address that is used to as an identifier for the peer.
+// fakeAddress returns a fake address that is used as an identifier for the peer.
-// The fake address is in the format of 127.1.x.x where x.x is the last two octets of the peer address.
+// The fake address is in the format of 127.1.x.x where x.x is derived from the
+// last two bytes of the peer address (works for both IPv4 and IPv6).
 func fakeAddress(peerAddress *net.UDPAddr) (*netip.AddrPort, error) {
-	octets := strings.Split(peerAddress.IP.String(), ".")
+	if peerAddress == nil {
-	if len(octets) != 4 {
+		return nil, fmt.Errorf("nil peer address")
-		return nil, fmt.Errorf("invalid IP format")
 	}
 
-	fakeIP, err := netip.ParseAddr(fmt.Sprintf("127.1.%s.%s", octets[2], octets[3]))
+	addr, ok := netip.AddrFromSlice(peerAddress.IP)
-	if err != nil {
+	if !ok {
-		return nil, fmt.Errorf("parse new IP: %w", err)
+		return nil, fmt.Errorf("invalid IP format")
 	}
+	addr = addr.Unmap()
+
+	raw := addr.As16()
+	fakeIP := netip.AddrFrom4([4]byte{127, 1, raw[14], raw[15]})
 
 	netipAddr := netip.AddrPortFrom(fakeIP, uint16(peerAddress.Port))
 	return &netipAddr, nil

client/internal/acl/manager.go

@@ -5,7 +5,6 @@ import (
 	"encoding/hex"
 	"errors"
 	"fmt"
-	"net"
 	"net/netip"
 	"strconv"
 	"sync"
@@ -19,6 +18,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/acl/id"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
+	"github.com/netbirdio/netbird/shared/netiputil"
 )
 
 var ErrSourceRangesEmpty = errors.New("sources range is empty")
@@ -105,6 +105,10 @@ func (d *DefaultManager) applyPeerACLs(networkMap *mgmProto.NetworkMap) {
 	newRulePairs := make(map[id.RuleID][]firewall.Rule)
 	ipsetByRuleSelectors := make(map[string]string)
 
+	// TODO: deny rules should be fatal: if a deny rule fails to apply, we must
+	// roll back all allow rules to avoid a fail-open where allowed traffic bypasses
+	// the missing deny. Currently we accumulate errors and continue.
+	var merr *multierror.Error
 	for _, r := range rules {
 		// if this rule is member of rule selection with more than DefaultIPsCountForSet
 		// it's IP address can be used in the ipset for firewall manager which supports it
@@ -117,9 +121,8 @@ func (d *DefaultManager) applyPeerACLs(networkMap *mgmProto.NetworkMap) {
 		}
 		pairID, rulePair, err := d.protoRuleToFirewallRule(r, ipsetName)
 		if err != nil {
-			log.Errorf("failed to apply firewall rule: %+v, %v", r, err)
+			merr = multierror.Append(merr, fmt.Errorf("apply firewall rule: %w", err))
-			d.rollBack(newRulePairs)
+			continue
-			break
 		}
 		if len(rulePair) > 0 {
 			d.peerRulesPairs[pairID] = rulePair
@@ -127,6 +130,10 @@ func (d *DefaultManager) applyPeerACLs(networkMap *mgmProto.NetworkMap) {
 		}
 	}
 
+	if merr != nil {
+		log.Errorf("failed to apply %d peer ACL rule(s): %v", merr.Len(), nberrors.FormatErrorOrNil(merr))
+	}
+
 	for pairID, rules := range d.peerRulesPairs {
 		if _, ok := newRulePairs[pairID]; !ok {
 			for _, rule := range rules {
@@ -216,9 +223,9 @@ func (d *DefaultManager) protoRuleToFirewallRule(
 	r *mgmProto.FirewallRule,
 	ipsetName string,
 ) (id.RuleID, []firewall.Rule, error) {
-	ip := net.ParseIP(r.PeerIP)
+	ip, err := extractRuleIP(r)
-	if ip == nil {
+	if err != nil {
-		return "", nil, fmt.Errorf("invalid IP address, skipping firewall rule")
+		return "", nil, err
 	}
 
 	protocol, err := convertToFirewallProtocol(r.Protocol)
@@ -289,13 +296,13 @@ func portInfoEmpty(portInfo *mgmProto.PortInfo) bool {
 
 func (d *DefaultManager) addInRules(
 	id []byte,
-	ip net.IP,
+	ip netip.Addr,
 	protocol firewall.Protocol,
 	port *firewall.Port,
 	action firewall.Action,
 	ipsetName string,
 ) ([]firewall.Rule, error) {
-	rule, err := d.firewall.AddPeerFiltering(id, ip, protocol, nil, port, action, ipsetName)
+	rule, err := d.firewall.AddPeerFiltering(id, ip.AsSlice(), protocol, nil, port, action, ipsetName)
 	if err != nil {
 		return nil, fmt.Errorf("add firewall rule: %w", err)
 	}
@@ -305,7 +312,7 @@ func (d *DefaultManager) addInRules(
 
 func (d *DefaultManager) addOutRules(
 	id []byte,
-	ip net.IP,
+	ip netip.Addr,
 	protocol firewall.Protocol,
 	port *firewall.Port,
 	action firewall.Action,
@@ -315,7 +322,7 @@ func (d *DefaultManager) addOutRules(
 		return nil, nil
 	}
 
-	rule, err := d.firewall.AddPeerFiltering(id, ip, protocol, port, nil, action, ipsetName)
+	rule, err := d.firewall.AddPeerFiltering(id, ip.AsSlice(), protocol, port, nil, action, ipsetName)
 	if err != nil {
 		return nil, fmt.Errorf("add firewall rule: %w", err)
 	}
@@ -323,9 +330,9 @@ func (d *DefaultManager) addOutRules(
 	return rule, nil
 }
 
-// getPeerRuleID() returns unique ID for the rule based on its parameters.
+// getPeerRuleID returns unique ID for the rule based on its parameters.
 func (d *DefaultManager) getPeerRuleID(
-	ip net.IP,
+	ip netip.Addr,
 	proto firewall.Protocol,
 	direction int,
 	port *firewall.Port,
@@ -344,15 +351,25 @@ func (d *DefaultManager) getRuleGroupingSelector(rule *mgmProto.FirewallRule) st
 	return fmt.Sprintf("%v:%v:%v:%s:%v", strconv.Itoa(int(rule.Direction)), rule.Action, rule.Protocol, rule.Port, rule.PortInfo)
 }
 
-func (d *DefaultManager) rollBack(newRulePairs map[id.RuleID][]firewall.Rule) {
+
-	log.Debugf("rollback ACL to previous state")
+// extractRuleIP extracts the peer IP from a firewall rule.
-	for _, rules := range newRulePairs {
+// If sourcePrefixes is populated (new management), decode the first entry and use its address.
-		for _, rule := range rules {
+// Otherwise fall back to the deprecated PeerIP string field (old management).
-			if err := d.firewall.DeletePeerRule(rule); err != nil {
+func extractRuleIP(r *mgmProto.FirewallRule) (netip.Addr, error) {
-				log.Errorf("failed to delete new firewall rule (id: %v) during rollback: %v", rule.ID(), err)
+	if len(r.SourcePrefixes) > 0 {
-			}
+		addr, err := netiputil.DecodeAddr(r.SourcePrefixes[0])
+		if err != nil {
+			return netip.Addr{}, fmt.Errorf("decode source prefix: %w", err)
 		}
+		return addr.Unmap(), nil
 	}
+
+	//nolint:staticcheck // PeerIP used for backward compatibility with old management
+	addr, err := netip.ParseAddr(r.PeerIP)
+	if err != nil {
+		return netip.Addr{}, fmt.Errorf("invalid IP address, skipping firewall rule")
+	}
+	return addr.Unmap(), nil
 }
 
 func convertToFirewallProtocol(protocol mgmProto.RuleProtocol) (firewall.Protocol, error) {

client/internal/auth/auth.go

@@ -321,6 +321,7 @@ func (a *Auth) setSystemInfoFlags(info *system.Info) {
 		a.config.DisableFirewall,
 		a.config.BlockLANAccess,
 		a.config.BlockInbound,
+		a.config.DisableIPv6,
 		a.config.LazyConnectionEnabled,
 		a.config.EnableSSHRoot,
 		a.config.EnableSSHSFTP,

client/internal/connect.go

@@ -14,10 +14,13 @@ import (
 
 	"github.com/cenkalti/backoff/v4"
 	log "github.com/sirupsen/logrus"
+
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"
 
+	"github.com/netbirdio/netbird/client/iface/wgaddr"
+
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/netstack"
@@ -529,9 +532,20 @@ func createEngineConfig(key wgtypes.Key, config *profilemanager.Config, peerConf
 	if config.NetworkMonitor != nil {
 		nm = *config.NetworkMonitor
 	}
+	wgAddr, err := wgaddr.ParseWGAddress(peerConfig.Address)
+	if err != nil {
+		return nil, fmt.Errorf("parse overlay address %q: %w", peerConfig.Address, err)
+	}
+
+	if !config.DisableIPv6 {
+		if err := wgAddr.SetIPv6FromCompact(peerConfig.GetAddressV6()); err != nil {
+			log.Warn(err)
+		}
+	}
+
 	engineConf := &EngineConfig{
 		WgIfaceName:                   config.WgIface,
-		WgAddr:                        peerConfig.Address,
+		WgAddr:                        wgAddr,
 		IFaceBlackList:                config.IFaceBlackList,
 		DisableIPv6Discovery:          config.DisableIPv6Discovery,
 		WgPrivateKey:                  key,
@@ -556,6 +570,7 @@ func createEngineConfig(key wgtypes.Key, config *profilemanager.Config, peerConf
 		DisableFirewall:     config.DisableFirewall,
 		BlockLANAccess:      config.BlockLANAccess,
 		BlockInbound:        config.BlockInbound,
+		DisableIPv6:         config.DisableIPv6,
 
 		LazyConnectionEnabled: config.LazyConnectionEnabled,
 
@@ -630,6 +645,7 @@ func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte,
 		config.DisableFirewall,
 		config.BlockLANAccess,
 		config.BlockInbound,
+		config.DisableIPv6,
 		config.LazyConnectionEnabled,
 		config.EnableSSHRoot,
 		config.EnableSSHSFTP,

client/internal/connect_android_default.go

@@ -40,6 +40,10 @@ func (noopNetworkChangeListener) SetInterfaceIP(string) {
 	// network stack, not by OS-level interface configuration.
 }
 
+func (noopNetworkChangeListener) SetInterfaceIPv6(string) {
+	// No-op: same as SetInterfaceIP, IPv6 overlay is managed by userspace stack.
+}
+
 // noopDnsReadyListener is a stub for embed.Client on Android.
 // DNS readiness notifications are not needed in netstack/embed mode
 // since system DNS is disabled and DNS resolution happens externally.

client/internal/debug/debug.go

@@ -31,6 +31,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/updater/installer"
 	nbstatus "github.com/netbirdio/netbird/client/status"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
+	"github.com/netbirdio/netbird/shared/netiputil"
 	"github.com/netbirdio/netbird/util"
 )
 
@@ -612,6 +613,7 @@ func (g *BundleGenerator) addCommonConfigFields(configContent *strings.Builder)
 	configContent.WriteString(fmt.Sprintf("DisableFirewall: %v\n", g.internalConfig.DisableFirewall))
 	configContent.WriteString(fmt.Sprintf("BlockLANAccess: %v\n", g.internalConfig.BlockLANAccess))
 	configContent.WriteString(fmt.Sprintf("BlockInbound: %v\n", g.internalConfig.BlockInbound))
+	configContent.WriteString(fmt.Sprintf("DisableIPv6: %v\n", g.internalConfig.DisableIPv6))
 
 	if g.internalConfig.DisableNotifications != nil {
 		configContent.WriteString(fmt.Sprintf("DisableNotifications: %v\n", *g.internalConfig.DisableNotifications))
@@ -1258,6 +1260,13 @@ func anonymizePeerConfig(config *mgmProto.PeerConfig, anonymizer *anonymize.Anon
 		config.Address = anonymizer.AnonymizeIP(addr).String()
 	}
 
+	if v6Prefix, err := netiputil.DecodePrefix(config.GetAddressV6()); err == nil {
+		anonV6 := anonymizer.AnonymizeIP(v6Prefix.Addr())
+		if b, err := netiputil.EncodePrefix(netip.PrefixFrom(anonV6, v6Prefix.Bits())); err == nil {
+			config.AddressV6 = b
+		}
+	}
+
 	anonymizeSSHConfig(config.SshConfig)
 
 	config.Dns = anonymizer.AnonymizeString(config.Dns)
@@ -1360,8 +1369,20 @@ func anonymizeFirewallRule(rule *mgmProto.FirewallRule, anonymizer *anonymize.An
 		return
 	}
 
+	//nolint:staticcheck // PeerIP used for backward compatibility
 	if addr, err := netip.ParseAddr(rule.PeerIP); err == nil {
-		rule.PeerIP = anonymizer.AnonymizeIP(addr).String()
+		rule.PeerIP = anonymizer.AnonymizeIP(addr).String() //nolint:staticcheck
+	}
+
+	for i, raw := range rule.GetSourcePrefixes() {
+		p, err := netiputil.DecodePrefix(raw)
+		if err != nil {
+			continue
+		}
+		anonAddr := anonymizer.AnonymizeIP(p.Addr())
+		if b, err := netiputil.EncodePrefix(netip.PrefixFrom(anonAddr, p.Bits())); err == nil {
+			rule.SourcePrefixes[i] = b
+		}
 	}
 }
 

client/internal/debug/debug_test.go

@@ -5,6 +5,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"net"
+	"net/netip"
 	"os"
 	"path/filepath"
 	"strings"
@@ -16,8 +17,16 @@ import (
 	"github.com/netbirdio/netbird/client/anonymize"
 	"github.com/netbirdio/netbird/client/configs"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
+	"github.com/netbirdio/netbird/shared/netiputil"
 )
 
+func mustEncodePrefix(t *testing.T, p netip.Prefix) []byte {
+	t.Helper()
+	b, err := netiputil.EncodePrefix(p)
+	require.NoError(t, err)
+	return b
+}
+
 func TestAnonymizeStateFile(t *testing.T) {
 	testState := map[string]json.RawMessage{
 		"null_state": json.RawMessage("null"),
@@ -168,7 +177,7 @@ func TestAnonymizeStateFile(t *testing.T) {
 	assert.Equal(t, "100.64.0.1", state["protected_ip"]) // Protected IP unchanged
 	assert.Equal(t, "8.8.8.8", state["well_known_ip"])   // Well-known IP unchanged
 	assert.NotEqual(t, "2001:db8::1", state["ipv6_addr"])
-	assert.Equal(t, "fd00::1", state["private_ipv6"]) // Private IPv6 unchanged
+	assert.NotEqual(t, "fd00::1", state["private_ipv6"]) // ULA IPv6 anonymized (global ID is a fingerprint)
 	assert.NotEqual(t, "test.example.com", state["domain"])
 	assert.True(t, strings.HasSuffix(state["domain"].(string), ".domain"))
 	assert.Equal(t, "device.netbird.cloud", state["netbird_domain"]) // Netbird domain unchanged
@@ -272,11 +281,13 @@ func mustMarshal(v any) json.RawMessage {
 }
 
 func TestAnonymizeNetworkMap(t *testing.T) {
+	origV6Prefix := netip.MustParsePrefix("2001:db8:abcd::5/64")
 	networkMap := &mgmProto.NetworkMap{
 		PeerConfig: &mgmProto.PeerConfig{
-			Address: "203.0.113.5",
+			Address:   "203.0.113.5",
-			Dns:     "1.2.3.4",
+			AddressV6: mustEncodePrefix(t, origV6Prefix),
-			Fqdn:    "peer1.corp.example.com",
+			Dns:       "1.2.3.4",
+			Fqdn:      "peer1.corp.example.com",
 			SshConfig: &mgmProto.SSHConfig{
 				SshPubKey: []byte("ssh-rsa AAAAB3NzaC1..."),
 			},
@@ -350,6 +361,12 @@ func TestAnonymizeNetworkMap(t *testing.T) {
 	require.NotEqual(t, "peer1.corp.example.com", peerCfg.Fqdn)
 	require.True(t, strings.HasSuffix(peerCfg.Fqdn, ".domain"))
 
+	// Verify AddressV6 is anonymized but preserves prefix length
+	anonV6Prefix, err := netiputil.DecodePrefix(peerCfg.AddressV6)
+	require.NoError(t, err)
+	assert.Equal(t, origV6Prefix.Bits(), anonV6Prefix.Bits(), "prefix length must be preserved")
+	assert.NotEqual(t, origV6Prefix.Addr(), anonV6Prefix.Addr(), "IPv6 address must be anonymized")
+
 	// Verify SSH key is replaced
 	require.Equal(t, []byte("ssh-placeholder-key"), peerCfg.SshConfig.SshPubKey)
 
@@ -655,8 +672,6 @@ func isInCGNATRange(ip net.IP) bool {
 }
 
 func TestAnonymizeFirewallRules(t *testing.T) {
-	// TODO: Add ipv6
-
 	// Example iptables-save output
 	iptablesSave := `# Generated by iptables-save v1.8.7 on Thu Dec 19 10:00:00 2024
 *filter
@@ -692,17 +707,31 @@ Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination`
 
-	// Example nftables output
+	// Example ip6tables-save output
+	ip6tablesSave := `# Generated by ip6tables-save v1.8.7 on Thu Dec 19 10:00:00 2024
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -s fd00:1234::1/128 -j ACCEPT
+-A INPUT -s 2607:f8b0:4005::1/128 -j DROP
+-A FORWARD -s 2001:db8::/32 -d 2607:f8b0:4005::200e/128 -j ACCEPT
+COMMIT`
+
+	// Example nftables output with IPv6
 	nftablesRules := `table inet filter {
         chain input {
                 type filter hook input priority filter; policy accept;
                 ip saddr 192.168.1.1 accept
                 ip saddr 44.192.140.1 drop
+                ip6 saddr 2607:f8b0:4005::1 drop
+                ip6 saddr fd00:1234::1 accept
         }
         chain forward {
                 type filter hook forward priority filter; policy accept;
                 ip saddr 10.0.0.0/8 drop
                 ip saddr 44.192.140.0/24 ip daddr 52.84.12.34/24 accept
+                ip6 saddr 2001:db8::/32 ip6 daddr 2607:f8b0:4005::200e/128 accept
         }
     }`
 
@@ -765,4 +794,35 @@ Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 	assert.Contains(t, anonNftables, "table inet filter {")
 	assert.Contains(t, anonNftables, "chain input {")
 	assert.Contains(t, anonNftables, "type filter hook input priority filter; policy accept;")
+
+	// IPv6 public addresses in nftables should be anonymized
+	assert.NotContains(t, anonNftables, "2607:f8b0:4005::1")
+	assert.NotContains(t, anonNftables, "2607:f8b0:4005::200e")
+	assert.NotContains(t, anonNftables, "2001:db8::")
+	assert.Contains(t, anonNftables, "2001:db8:ffff::") // Default anonymous v6 range
+
+	// ULA addresses in nftables should be anonymized (global ID is a fingerprint)
+	assert.NotContains(t, anonNftables, "fd00:1234::1")
+
+	// IPv6 nftables structure preserved
+	assert.Contains(t, anonNftables, "ip6 saddr")
+	assert.Contains(t, anonNftables, "ip6 daddr")
+
+	// Test ip6tables-save anonymization
+	anonIp6tablesSave := anonymizer.AnonymizeString(ip6tablesSave)
+
+	// ULA IPv6 should be anonymized (global ID is a fingerprint)
+	assert.NotContains(t, anonIp6tablesSave, "fd00:1234::1/128")
+
+	// Public IPv6 addresses should be anonymized
+	assert.NotContains(t, anonIp6tablesSave, "2607:f8b0:4005::1")
+	assert.NotContains(t, anonIp6tablesSave, "2607:f8b0:4005::200e")
+	assert.NotContains(t, anonIp6tablesSave, "2001:db8::")
+	assert.Contains(t, anonIp6tablesSave, "2001:db8:ffff::") // Default anonymous v6 range
+
+	// Structure should be preserved
+	assert.Contains(t, anonIp6tablesSave, "*filter")
+	assert.Contains(t, anonIp6tablesSave, "COMMIT")
+	assert.Contains(t, anonIp6tablesSave, "-j DROP")
+	assert.Contains(t, anonIp6tablesSave, "-j ACCEPT")
 }

client/internal/dns.go

@@ -12,52 +12,83 @@ import (
 	nbdns "github.com/netbirdio/netbird/dns"
 )
 
-func createPTRRecord(aRecord nbdns.SimpleRecord, prefix netip.Prefix) (nbdns.SimpleRecord, bool) {
+func createPTRRecord(record nbdns.SimpleRecord, prefix netip.Prefix) (nbdns.SimpleRecord, bool) {
-	ip, err := netip.ParseAddr(aRecord.RData)
+	ip, err := netip.ParseAddr(record.RData)
 	if err != nil {
-		log.Warnf("failed to parse IP address %s: %v", aRecord.RData, err)
+		log.Warnf("failed to parse IP address %s: %v", record.RData, err)
 		return nbdns.SimpleRecord{}, false
 	}
 
+	ip = ip.Unmap()
 	if !prefix.Contains(ip) {
 		return nbdns.SimpleRecord{}, false
 	}
 
-	ipOctets := strings.Split(ip.String(), ".")
+	var rdnsName string
-	slices.Reverse(ipOctets)
+	if ip.Is4() {
-	rdnsName := dns.Fqdn(strings.Join(ipOctets, ".") + ".in-addr.arpa")
+		octets := strings.Split(ip.String(), ".")
+		slices.Reverse(octets)
+		rdnsName = dns.Fqdn(strings.Join(octets, ".") + ".in-addr.arpa")
+	} else {
+		// Expand to full 32 nibbles in reverse order (LSB first) per RFC 3596.
+		raw := ip.As16()
+		nibbles := make([]string, 32)
+		for i := 0; i < 16; i++ {
+			nibbles[31-i*2] = fmt.Sprintf("%x", raw[i]>>4)
+			nibbles[31-i*2-1] = fmt.Sprintf("%x", raw[i]&0x0f)
+		}
+		rdnsName = dns.Fqdn(strings.Join(nibbles, ".") + ".ip6.arpa")
+	}
 
 	return nbdns.SimpleRecord{
 		Name:  rdnsName,
 		Type:  int(dns.TypePTR),
-		Class: aRecord.Class,
+		Class: record.Class,
-		TTL:   aRecord.TTL,
+		TTL:   record.TTL,
-		RData: dns.Fqdn(aRecord.Name),
+		RData: dns.Fqdn(record.Name),
 	}, true
 }
 
-// generateReverseZoneName creates the reverse DNS zone name for a given network
+// generateReverseZoneName creates the reverse DNS zone name for a given network.
+// For IPv4 it produces an in-addr.arpa name, for IPv6 an ip6.arpa name.
 func generateReverseZoneName(network netip.Prefix) (string, error) {
-	networkIP := network.Masked().Addr()
+	networkIP := network.Masked().Addr().Unmap()
+	bits := network.Bits()
 
-	if !networkIP.Is4() {
+	if networkIP.Is4() {
-		return "", fmt.Errorf("reverse DNS is only supported for IPv4 networks, got: %s", networkIP)
+		// Round up to nearest byte.
+		octetsToUse := (bits + 7) / 8
+
+		octets := strings.Split(networkIP.String(), ".")
+		if octetsToUse > len(octets) {
+			return "", fmt.Errorf("invalid network mask size for reverse DNS: %d", bits)
+		}
+
+		reverseOctets := make([]string, octetsToUse)
+		for i := 0; i < octetsToUse; i++ {
+			reverseOctets[octetsToUse-1-i] = octets[i]
+		}
+
+		return dns.Fqdn(strings.Join(reverseOctets, ".") + ".in-addr.arpa"), nil
 	}
 
-	// round up to nearest byte
+	// IPv6: round up to nearest nibble (4-bit boundary).
-	octetsToUse := (network.Bits() + 7) / 8
+	nibblesToUse := (bits + 3) / 4
 
-	octets := strings.Split(networkIP.String(), ".")
+	raw := networkIP.As16()
-	if octetsToUse > len(octets) {
+	allNibbles := make([]string, 32)
-		return "", fmt.Errorf("invalid network mask size for reverse DNS: %d", network.Bits())
+	for i := 0; i < 16; i++ {
+		allNibbles[i*2] = fmt.Sprintf("%x", raw[i]>>4)
+		allNibbles[i*2+1] = fmt.Sprintf("%x", raw[i]&0x0f)
 	}
 
-	reverseOctets := make([]string, octetsToUse)
+	// Take the first nibblesToUse nibbles (network portion), reverse them.
-	for i := 0; i < octetsToUse; i++ {
+	used := make([]string, nibblesToUse)
-		reverseOctets[octetsToUse-1-i] = octets[i]
+	for i := 0; i < nibblesToUse; i++ {
+		used[nibblesToUse-1-i] = allNibbles[i]
 	}
 
-	return dns.Fqdn(strings.Join(reverseOctets, ".") + ".in-addr.arpa"), nil
+	return dns.Fqdn(strings.Join(used, ".") + ".ip6.arpa"), nil
 }
 
 // zoneExists checks if a zone with the given name already exists in the configuration
@@ -71,7 +102,7 @@ func zoneExists(config *nbdns.Config, zoneName string) bool {
 	return false
 }
 
-// collectPTRRecords gathers all PTR records for the given network from A records
+// collectPTRRecords gathers all PTR records for the given network from A and AAAA records.
 func collectPTRRecords(config *nbdns.Config, prefix netip.Prefix) []nbdns.SimpleRecord {
 	var records []nbdns.SimpleRecord
 
@@ -80,7 +111,7 @@ func collectPTRRecords(config *nbdns.Config, prefix netip.Prefix) []nbdns.Simple
 			continue
 		}
 		for _, record := range zone.Records {
-			if record.Type != int(dns.TypeA) {
+			if record.Type != int(dns.TypeA) && record.Type != int(dns.TypeAAAA) {
 				continue
 			}
 

client/internal/dns/host_darwin.go

@@ -298,6 +298,7 @@ func (s *systemConfigurator) getSystemDNSSettings() (SystemDNSSettings, error) {
 			if ip, err := netip.ParseAddr(address); err == nil && !ip.IsUnspecified() {
 				ip = ip.Unmap()
 				serverAddresses = append(serverAddresses, ip)
+				// Prefer the first IPv4 server as ServerIP since our DNS listener is IPv4.
 				if !dnsSettings.ServerIP.IsValid() && ip.Is4() {
 					dnsSettings.ServerIP = ip
 				}

client/internal/dns/network_manager_unix.go

@@ -110,8 +110,25 @@ func (n *networkManagerDbusConfigurator) applyDNSConfig(config HostDNSConfig, st
 
 	connSettings.cleanDeprecatedSettings()
 
-	convDNSIP := binary.LittleEndian.Uint32(config.ServerIP.AsSlice())
+	ipKey := networkManagerDbusIPv4Key
-	connSettings[networkManagerDbusIPv4Key][networkManagerDbusDNSKey] = dbus.MakeVariant([]uint32{convDNSIP})
+	staleKey := networkManagerDbusIPv6Key
+	if config.ServerIP.Is6() {
+		ipKey = networkManagerDbusIPv6Key
+		staleKey = networkManagerDbusIPv4Key
+		raw := config.ServerIP.As16()
+		connSettings[ipKey][networkManagerDbusDNSKey] = dbus.MakeVariant([][]byte{raw[:]})
+	} else {
+		convDNSIP := binary.LittleEndian.Uint32(config.ServerIP.AsSlice())
+		connSettings[ipKey][networkManagerDbusDNSKey] = dbus.MakeVariant([]uint32{convDNSIP})
+	}
+
+	// Clear stale DNS settings from the opposite address family to avoid
+	// leftover entries if the server IP family changed.
+	if staleSettings, ok := connSettings[staleKey]; ok {
+		delete(staleSettings, networkManagerDbusDNSKey)
+		delete(staleSettings, networkManagerDbusDNSPriorityKey)
+		delete(staleSettings, networkManagerDbusDNSSearchKey)
+	}
 	var (
 		searchDomains []string
 		matchDomains  []string
@@ -146,8 +163,8 @@ func (n *networkManagerDbusConfigurator) applyDNSConfig(config HostDNSConfig, st
 		n.routingAll = false
 	}
 
-	connSettings[networkManagerDbusIPv4Key][networkManagerDbusDNSPriorityKey] = dbus.MakeVariant(priority)
+	connSettings[ipKey][networkManagerDbusDNSPriorityKey] = dbus.MakeVariant(priority)
-	connSettings[networkManagerDbusIPv4Key][networkManagerDbusDNSSearchKey] = dbus.MakeVariant(newDomainList)
+	connSettings[ipKey][networkManagerDbusDNSSearchKey] = dbus.MakeVariant(newDomainList)
 
 	state := &ShutdownState{
 		ManagerType: networkManager,

client/internal/dns/server_test.go

@@ -347,7 +347,7 @@ func TestUpdateDNSServer(t *testing.T) {
 
 			opts := iface.WGIFaceOpts{
 				IFaceName:    fmt.Sprintf("utun230%d", n),
-				Address:      fmt.Sprintf("100.66.100.%d/32", n+1),
+				Address:      wgaddr.MustParseWGAddress(fmt.Sprintf("100.66.100.%d/32", n+1)),
 				WGPort:       33100,
 				WGPrivKey:    privKey.String(),
 				MTU:          iface.DefaultMTU,
@@ -448,7 +448,7 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 	privKey, _ := wgtypes.GeneratePrivateKey()
 	opts := iface.WGIFaceOpts{
 		IFaceName:    "utun2301",
-		Address:      "100.66.100.1/32",
+		Address:      wgaddr.MustParseWGAddress("100.66.100.1/32"),
 		WGPort:       33100,
 		WGPrivKey:    privKey.String(),
 		MTU:          iface.DefaultMTU,
@@ -929,7 +929,7 @@ func createWgInterfaceWithBind(t *testing.T) (*iface.WGIface, error) {
 
 	opts := iface.WGIFaceOpts{
 		IFaceName:    "utun2301",
-		Address:      "100.66.100.2/24",
+		Address:      wgaddr.MustParseWGAddress("100.66.100.2/24"),
 		WGPort:       33100,
 		WGPrivKey:    privKey.String(),
 		MTU:          iface.DefaultMTU,

client/internal/dns/service.go

@@ -16,8 +16,8 @@ const (
 // This is used when the DNS server cannot bind port 53 directly
 // and needs firewall rules to redirect traffic.
 type Firewall interface {
-	AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error
+	AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error
-	RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error
+	RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error
 }
 
 type service interface {

client/internal/dns/service_listener.go

@@ -188,11 +188,10 @@ func (s *serviceViaListener) RuntimeIP() netip.Addr {
 	return s.listenIP
 }
 
-
+// evalListenAddress figures out the listen address for the DNS server.
-// evalListenAddress figure out the listen address for the DNS server
+// IPv4-only: all peers have a v4 overlay address, and DNS config points to v4.
-// first check the 53 port availability on WG interface or lo, if not success
+// First checks port 53 on WG interface or lo, then tries eBPF on a random port,
-// pick a random port on WG interface for eBPF, if not success
+// then falls back to port 5053.
-// check the 5053 port availability on WG interface or lo without eBPF usage,
 func (s *serviceViaListener) evalListenAddress() (netip.Addr, uint16, error) {
 	if s.customAddr != nil {
 		return s.customAddr.Addr(), s.customAddr.Port(), nil
@@ -278,7 +277,7 @@ func (s *serviceViaListener) tryToUseeBPF() (ebpfMgr.Manager, uint16, bool) {
 	}
 
 	ebpfSrv := ebpf.GetEbpfManagerInstance()
-	err = ebpfSrv.LoadDNSFwd(s.wgInterface.Address().IP.String(), int(port))
+	err = ebpfSrv.LoadDNSFwd(s.wgInterface.Address().IP, int(port))
 	if err != nil {
 		log.Warnf("failed to load DNS forwarder eBPF program, error: %s", err)
 		return nil, 0, false

client/internal/dns/systemd_linux.go

@@ -90,8 +90,12 @@ func (s *systemdDbusConfigurator) supportCustomPort() bool {
 }
 
 func (s *systemdDbusConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *statemanager.Manager) error {
+	family := int32(unix.AF_INET)
+	if config.ServerIP.Is6() {
+		family = unix.AF_INET6
+	}
 	defaultLinkInput := systemdDbusDNSInput{
-		Family:  unix.AF_INET,
+		Family:  family,
 		Address: config.ServerIP.AsSlice(),
 	}
 	if err := s.callLinkMethod(systemdDbusSetDNSMethodSuffix, []systemdDbusDNSInput{defaultLinkInput}); err != nil {

client/internal/dns/upstream.go

@@ -21,6 +21,7 @@ import (
 	"golang.zx2c4.com/wireguard/tun/netstack"
 
 	"github.com/netbirdio/netbird/client/iface"
+	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/dns/resutil"
 	"github.com/netbirdio/netbird/client/internal/dns/types"
 	"github.com/netbirdio/netbird/client/internal/peer"
@@ -29,6 +30,12 @@ import (
 
 var currentMTU uint16 = iface.DefaultMTU
 
+// privateClientIface is the subset of the WireGuard interface needed by GetClientPrivate.
+type privateClientIface interface {
+	Name() string
+	Address() wgaddr.Address
+}
+
 func SetCurrentMTU(mtu uint16) {
 	currentMTU = mtu
 }

client/internal/dns/upstream_android.go

@@ -86,7 +86,7 @@ func (u *upstreamResolver) isLocalResolver(upstream string) bool {
 	return false
 }
 
-func GetClientPrivate(ip netip.Addr, interfaceName string, dialTimeout time.Duration) (*dns.Client, error) {
+func GetClientPrivate(_ privateClientIface, _ netip.Addr, dialTimeout time.Duration) (*dns.Client, error) {
 	return &dns.Client{
 		Timeout: dialTimeout,
 		Net:     "udp",

client/internal/dns/upstream_general.go

@@ -52,7 +52,7 @@ func (u *upstreamResolver) exchange(ctx context.Context, upstream string, r *dns
 	return ExchangeWithFallback(ctx, client, r, upstream)
 }
 
-func GetClientPrivate(ip netip.Addr, interfaceName string, dialTimeout time.Duration) (*dns.Client, error) {
+func GetClientPrivate(_ privateClientIface, _ netip.Addr, dialTimeout time.Duration) (*dns.Client, error) {
 	return &dns.Client{
 		Timeout: dialTimeout,
 		Net:     "udp",