Merge remote-tracking branch 'origin/client-ipv6-iptables' into client-ipv6-android-ui

Merge remote-tracking branch 'origin/client-ipv6-nftables' into client-ipv6-iptables
Merge remote-tracking branch 'origin/client-ipv6-routing' into client-ipv6-nftables
2026-04-07 18:04:13 -04:00 · 2026-04-07 18:45:22 +02:00 · 2026-04-07 18:45:13 +02:00 · 2026-04-07 18:45:05 +02:00 · 2026-04-07 18:44:57 +02:00 · 2026-04-07 18:44:49 +02:00
284 changed files with 26398 additions and 5165 deletions
--- a/.github/workflows/check-license-dependencies.yml
+++ b/.github/workflows/check-license-dependencies.yml
@@ -31,7 +31,7 @@ jobs:
          while IFS= read -r dir; do
            echo "=== Checking $dir ==="
            # Search for problematic imports, excluding test files
-            RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" || true)
+            RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" | grep -v "tools/idp-migrate/" || true)
            if [ -n "$RESULTS" ]; then
              echo "❌ Found problematic dependencies:"
              echo "$RESULTS"
@@ -88,7 +88,7 @@ jobs:
              IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")

              # Check if any importer is NOT in management/signal/relay
-              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\)" | head -1)
+              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\|tools/idp-migrate\)" | head -1)

              if [ -n "$BSD_IMPORTER" ]; then
                echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -19,7 +19,7 @@ jobs:
      - name: codespell
        uses: codespell-project/actions-codespell@v2
        with:
-          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver,te
+          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver,te,userA
          skip: go.mod,go.sum,**/proxy/web/**
  golangci:
    strategy:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -170,6 +170,7 @@ jobs:
        run: sudo apt update && sudo apt install -y -q gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu

      - name: Decode GPG signing key
+        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
        env:
          GPG_RPM_PRIVATE_KEY: ${{ secrets.GPG_RPM_PRIVATE_KEY }}
        run: |
@@ -309,6 +310,7 @@ jobs:
        run: sudo apt update && sudo apt install -y -q libappindicator3-dev gir1.2-appindicator3-0.1 libxxf86vm-dev gcc-mingw-w64-x86-64

      - name: Decode GPG signing key
+        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
        env:
          GPG_RPM_PRIVATE_KEY: ${{ secrets.GPG_RPM_PRIVATE_KEY }}
        run: |
--- a/.github/workflows/wasm-build-validation.yml
+++ b/.github/workflows/wasm-build-validation.yml
@@ -61,8 +61,8 @@ jobs:

          echo "Size: ${SIZE} bytes (${SIZE_MB} MB)"

-          if [ ${SIZE} -gt 57671680 ]; then
-            echo "Wasm binary size (${SIZE_MB}MB) exceeds 55MB limit!"
+          if [ ${SIZE} -gt 58720256 ]; then
+            echo "Wasm binary size (${SIZE_MB}MB) exceeds 56MB limit!"
            exit 1
          fi

--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -154,6 +154,26 @@ builds:
      - -s -w -X main.Version={{.Version}} -X main.Commit={{.Commit}} -X main.BuildDate={{.CommitDate}}
    mod_timestamp: "{{ .CommitTimestamp }}"

+  - id: netbird-idp-migrate
+    dir: tools/idp-migrate
+    env:
+      - CGO_ENABLED=1
+      - >-
+        {{- if eq .Runtime.Goos "linux" }}
+          {{- if eq .Arch "arm64"}}CC=aarch64-linux-gnu-gcc{{- end }}
+          {{- if eq .Arch "arm"}}CC=arm-linux-gnueabihf-gcc{{- end }}
+        {{- end }}
+    binary: netbird-idp-migrate
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+      - arm
+    ldflags:
+      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+    mod_timestamp: "{{ .CommitTimestamp }}"
+
 universal_binaries:
  - id: netbird

@@ -166,11 +186,16 @@ archives:
      - netbird-wasm
    name_template: "{{ .ProjectName }}_{{ .Version }}"
    format: binary
+  - id: netbird-idp-migrate
+    builds:
+      - netbird-idp-migrate
+    name_template: "netbird-idp-migrate_{{ .Version }}_{{ .Os }}_{{ .Arch }}"

 nfpms:
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client.
    homepage: https://netbird.io/
+    license: BSD-3-Clause
    id: netbird_deb
    bindir: /usr/bin
    builds:
@@ -184,6 +209,7 @@ nfpms:
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client.
    homepage: https://netbird.io/
+    license: BSD-3-Clause
    id: netbird_rpm
    bindir: /usr/bin
    builds:
--- a/CONTRIBUTOR_LICENSE_AGREEMENT.md
+++ b/CONTRIBUTOR_LICENSE_AGREEMENT.md
@@ -1,7 +1,7 @@
 ##  Contributor License Agreement

 This Contributor License Agreement (referred to as the "Agreement") is entered into by the individual 
-submitting this Agreement and NetBird GmbH, c/o Max-Beer-Straße 2-4 Münzstraße 12 10178 Berlin, Germany, 
+submitting this Agreement and NetBird GmbH, Brunnenstraße 196, 10119 Berlin, Germany, 
 referred to as "NetBird" (collectively, the "Parties"). The Agreement outlines the terms and conditions 
 under which NetBird may utilize software contributions provided by the Contributor for inclusion in 
 its software development projects. By submitting this Agreement, the Contributor confirms their acceptance 
--- a/client/android/client.go
+++ b/client/android/client.go
@@ -203,10 +203,11 @@ func (c *Client) PeersList() *PeerInfoArray {
 	peerInfos := make([]PeerInfo, len(fullStatus.Peers))
 	for n, p := range fullStatus.Peers {
 		pi := PeerInfo{
-			p.IP,
-			p.FQDN,
-			p.ConnStatus.String(),
-			PeerRoutes{routes: maps.Keys(p.GetRoutes())},
+			IP:         p.IP,
+			IPv6:       p.IPv6,
+			FQDN:       p.FQDN,
+			ConnStatus: int(p.ConnStatus),
+			Routes:     PeerRoutes{routes: maps.Keys(p.GetRoutes())},
 		}
 		peerInfos[n] = pi
 	}
@@ -237,43 +238,84 @@ func (c *Client) Networks() *NetworkArray {
 		return nil
 	}

+	routesMap := routeManager.GetClientRoutesWithNetID()
+	v6Merged := route.V6ExitMergeSet(routesMap)
+	resolvedDomains := c.recorder.GetResolvedDomainsStates()
+
 	networkArray := &NetworkArray{
 		items: make([]Network, 0),
 	}

-	resolvedDomains := c.recorder.GetResolvedDomainsStates()
-
-	for id, routes := range routeManager.GetClientRoutesWithNetID() {
+	for id, routes := range routesMap {
 		if len(routes) == 0 {
 			continue
 		}
-
-		r := routes[0]
-		domains := c.getNetworkDomainsFromRoute(r, resolvedDomains)
-		netStr := r.Network.String()
-
-		if r.IsDynamic() {
-			netStr = r.Domains.SafeString()
-		}
-
-		routePeer, err := c.recorder.GetPeer(routes[0].Peer)
-		if err != nil {
-			log.Errorf("could not get peer info for %s: %v", routes[0].Peer, err)
+		if _, skip := v6Merged[id]; skip {
 			continue
 		}
-		network := Network{
-			Name:       string(id),
-			Network:    netStr,
-			Peer:       routePeer.FQDN,
-			Status:     routePeer.ConnStatus.String(),
-			IsSelected: routeSelector.IsSelected(id),
-			Domains:    domains,
+
+		network := c.buildNetwork(id, routes, routeSelector.IsSelected(id), resolvedDomains, v6Merged)
+		if network == nil {
+			continue
 		}
-		networkArray.Add(network)
+		networkArray.Add(*network)
 	}
 	return networkArray
 }

+func (c *Client) buildNetwork(id route.NetID, routes []*route.Route, selected bool, resolvedDomains map[domain.Domain]peer.ResolvedDomainInfo, v6Merged map[route.NetID]struct{}) *Network {
+	r := routes[0]
+	netStr := r.Network.String()
+	if r.IsDynamic() {
+		netStr = r.Domains.SafeString()
+	}
+
+	routePeer, err := c.findBestRoutePeer(routes)
+	if err != nil {
+		log.Errorf("could not get peer info for route %s: %v", id, err)
+		return nil
+	}
+
+	network := &Network{
+		Name:       string(id),
+		Network:    netStr,
+		Peer:       routePeer.FQDN,
+		Status:     routePeer.ConnStatus.String(),
+		IsSelected: selected,
+		Domains:    c.getNetworkDomainsFromRoute(r, resolvedDomains),
+	}
+
+	if route.IsV4DefaultRoute(r.Network) && route.HasV6ExitPair(id, v6Merged) {
+		network.Network = "0.0.0.0/0, ::/0"
+	}
+
+	return network
+}
+
+// findBestRoutePeer returns the peer actively routing traffic for the given
+// HA route group. Falls back to the first connected peer, then the first peer.
+func (c *Client) findBestRoutePeer(routes []*route.Route) (peer.State, error) {
+	netStr := routes[0].Network.String()
+
+	fullStatus := c.recorder.GetFullStatus()
+	for _, p := range fullStatus.Peers {
+		if _, ok := p.GetRoutes()[netStr]; ok {
+			return p, nil
+		}
+	}
+
+	for _, r := range routes {
+		p, err := c.recorder.GetPeer(r.Peer)
+		if err != nil {
+			continue
+		}
+		if p.ConnStatus == peer.StatusConnected {
+			return p, nil
+		}
+	}
+	return c.recorder.GetPeer(routes[0].Peer)
+}
+
 // OnUpdatedHostDNS update the DNS servers addresses for root zones
 func (c *Client) OnUpdatedHostDNS(list *DNSList) error {
 	dnsServer, err := dns.GetServerDns()
--- a/client/android/peer_notifier.go
+++ b/client/android/peer_notifier.go
@@ -2,11 +2,21 @@

 package android

+import "github.com/netbirdio/netbird/client/internal/peer"
+
+// Connection status constants exported via gomobile.
+const (
+	ConnStatusIdle       = int(peer.StatusIdle)
+	ConnStatusConnecting = int(peer.StatusConnecting)
+	ConnStatusConnected  = int(peer.StatusConnected)
+)
+
 // PeerInfo describe information about the peers. It designed for the UI usage
 type PeerInfo struct {
 	IP         string
+	IPv6       string
 	FQDN       string
-	ConnStatus string // Todo replace to enum
+	ConnStatus int
 	Routes     PeerRoutes
 }

--- a/client/android/preferences.go
+++ b/client/android/preferences.go
@@ -307,6 +307,24 @@ func (p *Preferences) SetBlockInbound(block bool) {
 	p.configInput.BlockInbound = &block
 }

+// GetDisableIPv6 reads disable IPv6 setting from config file
+func (p *Preferences) GetDisableIPv6() (bool, error) {
+	if p.configInput.DisableIPv6 != nil {
+		return *p.configInput.DisableIPv6, nil
+	}
+
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return false, err
+	}
+	return cfg.DisableIPv6, err
+}
+
+// SetDisableIPv6 stores the given value and waits for commit
+func (p *Preferences) SetDisableIPv6(disable bool) {
+	p.configInput.DisableIPv6 = &disable
+}
+
 // Commit writes out the changes to the config file
 func (p *Preferences) Commit() error {
 	_, err := profilemanager.UpdateOrCreateConfig(p.configInput)
--- a/client/android/route_command.go
+++ b/client/android/route_command.go
@@ -18,9 +18,12 @@ func executeRouteToggle(id string, manager routemanager.Manager,
 	netID := route.NetID(id)
 	routes := []route.NetID{netID}

-	log.Debugf("%s with id: %s", operationName, id)
+	routesMap := manager.GetClientRoutesWithNetID()
+	routes = route.ExpandV6ExitPairs(routes, routesMap)

-	if err := routeOperation(routes, maps.Keys(manager.GetClientRoutesWithNetID())); err != nil {
+	log.Debugf("%s with ids: %v", operationName, routes)
+
+	if err := routeOperation(routes, maps.Keys(routesMap)); err != nil {
 		log.Debugf("error when %s: %s", operationName, err)
 		return fmt.Errorf("error %s: %w", operationName, err)
 	}
--- a/client/anonymize/anonymize.go
+++ b/client/anonymize/anonymize.go
@@ -9,6 +9,7 @@ import (
 	"net/url"
 	"regexp"
 	"slices"
+	"strconv"
 	"strings"
 )

@@ -26,8 +27,9 @@ type Anonymizer struct {
 }

 func DefaultAddresses() (netip.Addr, netip.Addr) {
-	// 198.51.100.0, 100::
-	return netip.AddrFrom4([4]byte{198, 51, 100, 0}), netip.AddrFrom16([16]byte{0x01})
+	// 198.51.100.0 (RFC 5737 TEST-NET-2), 2001:db8:ffff:: (RFC 3849 documentation, last /48)
+	// The old start 100:: (discard, RFC 6666) is now used for fake IPs on Android.
+	return netip.AddrFrom4([4]byte{198, 51, 100, 0}), netip.MustParseAddr("2001:db8:ffff::")
 }

 func NewAnonymizer(startIPv4, startIPv6 netip.Addr) *Anonymizer {
@@ -96,6 +98,11 @@ func (a *Anonymizer) isInAnonymizedRange(ip netip.Addr) bool {
 }

 func (a *Anonymizer) AnonymizeIPString(ip string) string {
+	// Handle CIDR notation (e.g. "2001:db8::/32")
+	if prefix, err := netip.ParsePrefix(ip); err == nil {
+		return a.AnonymizeIP(prefix.Addr()).String() + "/" + strconv.Itoa(prefix.Bits())
+	}
+
 	addr, err := netip.ParseAddr(ip)
 	if err != nil {
 		return ip
--- a/client/anonymize/anonymize_test.go
+++ b/client/anonymize/anonymize_test.go
@@ -13,7 +13,7 @@ import (

 func TestAnonymizeIP(t *testing.T) {
 	startIPv4 := netip.MustParseAddr("198.51.100.0")
-	startIPv6 := netip.MustParseAddr("100::")
+	startIPv6 := netip.MustParseAddr("2001:db8:ffff::")
 	anonymizer := anonymize.NewAnonymizer(startIPv4, startIPv6)

 	tests := []struct {
@@ -26,9 +26,9 @@ func TestAnonymizeIP(t *testing.T) {
 		{"Second Public IPv4", "4.3.2.1", "198.51.100.1"},
 		{"Repeated IPv4", "1.2.3.4", "198.51.100.0"},
 		{"Private IPv4", "192.168.1.1", "192.168.1.1"},
-		{"First Public IPv6", "2607:f8b0:4005:805::200e", "100::"},
-		{"Second Public IPv6", "a::b", "100::1"},
-		{"Repeated IPv6", "2607:f8b0:4005:805::200e", "100::"},
+		{"First Public IPv6", "2607:f8b0:4005:805::200e", "2001:db8:ffff::"},
+		{"Second Public IPv6", "a::b", "2001:db8:ffff::1"},
+		{"Repeated IPv6", "2607:f8b0:4005:805::200e", "2001:db8:ffff::"},
 		{"Private IPv6", "fe80::1", "fe80::1"},
 		{"In Range IPv4", "198.51.100.2", "198.51.100.2"},
 	}
@@ -274,17 +274,17 @@ func TestAnonymizeString_IPAddresses(t *testing.T) {
 		{
 			name:   "IPv6 Address",
 			input:  "Access attempted from 2001:db8::ff00:42",
-			expect: "Access attempted from 100::",
+			expect: "Access attempted from 2001:db8:ffff::",
 		},
 		{
 			name:   "IPv6 Address with Port",
 			input:  "Access attempted from [2001:db8::ff00:42]:8080",
-			expect: "Access attempted from [100::]:8080",
+			expect: "Access attempted from [2001:db8:ffff::]:8080",
 		},
 		{
 			name:   "Both IPv4 and IPv6",
 			input:  "IPv4: 142.108.0.1 and IPv6: 2001:db8::ff00:43",
-			expect: "IPv4: 198.51.100.1 and IPv6: 100::1",
+			expect: "IPv4: 198.51.100.1 and IPv6: 2001:db8:ffff::1",
 		},
 	}

--- a/client/cmd/debug.go
+++ b/client/cmd/debug.go
@@ -181,10 +181,11 @@ func runForDuration(cmd *cobra.Command, args []string) error {

 	if stateWasDown {
 		if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
-			return fmt.Errorf("failed to up: %v", status.Convert(err).Message())
+			cmd.PrintErrf("Failed to bring service up: %v\n", status.Convert(err).Message())
+		} else {
+			cmd.Println("netbird up")
+			time.Sleep(time.Second * 10)
 		}
-		cmd.Println("netbird up")
-		time.Sleep(time.Second * 10)
 	}

 	initialLevelTrace := initialLogLevel.GetLevel() >= proto.LogLevel_TRACE
@@ -199,9 +200,10 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 	}

 	if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
-		return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
+		cmd.PrintErrf("Failed to bring service down: %v\n", status.Convert(err).Message())
+	} else {
+		cmd.Println("netbird down")
 	}
-	cmd.Println("netbird down")

 	time.Sleep(1 * time.Second)

@@ -209,13 +211,14 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 	if _, err := client.SetSyncResponsePersistence(cmd.Context(), &proto.SetSyncResponsePersistenceRequest{
 		Enabled: true,
 	}); err != nil {
-		return fmt.Errorf("failed to enable sync response persistence: %v", status.Convert(err).Message())
+		cmd.PrintErrf("Failed to enable sync response persistence: %v\n", status.Convert(err).Message())
 	}

 	if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
-		return fmt.Errorf("failed to up: %v", status.Convert(err).Message())
+		cmd.PrintErrf("Failed to bring service up: %v\n", status.Convert(err).Message())
+	} else {
+		cmd.Println("netbird up")
 	}
-	cmd.Println("netbird up")

 	time.Sleep(3 * time.Second)

@@ -263,16 +266,18 @@ func runForDuration(cmd *cobra.Command, args []string) error {

 	if stateWasDown {
 		if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
-			return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
+			cmd.PrintErrf("Failed to restore service down state: %v\n", status.Convert(err).Message())
+		} else {
+			cmd.Println("netbird down")
 		}
-		cmd.Println("netbird down")
 	}

 	if !initialLevelTrace {
 		if _, err := client.SetLogLevel(cmd.Context(), &proto.SetLogLevelRequest{Level: initialLogLevel.GetLevel()}); err != nil {
-			return fmt.Errorf("failed to restore log level: %v", status.Convert(err).Message())
+			cmd.PrintErrf("Failed to restore log level: %v\n", status.Convert(err).Message())
+		} else {
+			cmd.Println("Log level restored to", initialLogLevel.GetLevel())
 		}
-		cmd.Println("Log level restored to", initialLogLevel.GetLevel())
 	}

 	cmd.Printf("Local file:\n%s\n", resp.GetPath())
--- a/client/cmd/expose.go
+++ b/client/cmd/expose.go
@@ -14,7 +14,9 @@ import (

 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	"google.golang.org/grpc/status"

+	"github.com/netbirdio/netbird/client/internal/expose"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/util"
 )
@@ -200,7 +202,7 @@ func exposeFn(cmd *cobra.Command, args []string) error {

 	stream, err := client.ExposeService(ctx, req)
 	if err != nil {
-		return fmt.Errorf("expose service: %w", err)
+		return fmt.Errorf("expose service: %v", status.Convert(err).Message())
 	}

 	if err := handleExposeReady(cmd, stream, port); err != nil {
@@ -211,26 +213,31 @@ func exposeFn(cmd *cobra.Command, args []string) error {
 }

 func toExposeProtocol(exposeProtocol string) (proto.ExposeProtocol, error) {
-	switch strings.ToLower(exposeProtocol) {
-	case "http":
+	p, err := expose.ParseProtocolType(exposeProtocol)
+	if err != nil {
+		return 0, fmt.Errorf("invalid protocol: %w", err)
+	}
+
+	switch p {
+	case expose.ProtocolHTTP:
 		return proto.ExposeProtocol_EXPOSE_HTTP, nil
-	case "https":
+	case expose.ProtocolHTTPS:
 		return proto.ExposeProtocol_EXPOSE_HTTPS, nil
-	case "tcp":
+	case expose.ProtocolTCP:
 		return proto.ExposeProtocol_EXPOSE_TCP, nil
-	case "udp":
+	case expose.ProtocolUDP:
 		return proto.ExposeProtocol_EXPOSE_UDP, nil
-	case "tls":
+	case expose.ProtocolTLS:
 		return proto.ExposeProtocol_EXPOSE_TLS, nil
 	default:
-		return 0, fmt.Errorf("unsupported protocol %q: must be http, https, tcp, udp, or tls", exposeProtocol)
+		return 0, fmt.Errorf("unhandled protocol type: %d", p)
 	}
 }

 func handleExposeReady(cmd *cobra.Command, stream proto.DaemonService_ExposeServiceClient, port uint64) error {
 	event, err := stream.Recv()
 	if err != nil {
-		return fmt.Errorf("receive expose event: %w", err)
+		return fmt.Errorf("receive expose event: %v", status.Convert(err).Message())
 	}

 	ready, ok := event.Event.(*proto.ExposeServiceEvent_Ready)
--- a/client/cmd/service.go
+++ b/client/cmd/service.go
@@ -41,7 +41,7 @@ func init() {
 		defaultServiceName = "Netbird"
 	}

-	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd, svcStatusCmd, installCmd, uninstallCmd, reconfigureCmd)
+	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd, svcStatusCmd, installCmd, uninstallCmd, reconfigureCmd, resetParamsCmd)
 	serviceCmd.PersistentFlags().BoolVar(&profilesDisabled, "disable-profiles", false, "Disables profiles feature. If enabled, the client will not be able to change or edit any profile. To persist this setting, use: netbird service install --disable-profiles")
 	serviceCmd.PersistentFlags().BoolVar(&updateSettingsDisabled, "disable-update-settings", false, "Disables update settings feature. If enabled, the client will not be able to change or edit any settings. To persist this setting, use: netbird service install --disable-update-settings")

--- a/client/cmd/service_installer.go
+++ b/client/cmd/service_installer.go
@@ -119,6 +119,10 @@ var installCmd = &cobra.Command{
 			return err
 		}

+		if err := loadAndApplyServiceParams(cmd); err != nil {
+			cmd.PrintErrf("Warning: failed to load saved service params: %v\n", err)
+		}
+
 		svcConfig, err := createServiceConfigForInstall()
 		if err != nil {
 			return err
@@ -136,6 +140,10 @@ var installCmd = &cobra.Command{
 			return fmt.Errorf("install service: %w", err)
 		}

+		if err := saveServiceParams(currentServiceParams()); err != nil {
+			cmd.PrintErrf("Warning: failed to save service params: %v\n", err)
+		}
+
 		cmd.Println("NetBird service has been installed")
 		return nil
 	},
@@ -187,6 +195,10 @@ This command will temporarily stop the service, update its configuration, and re
 			return err
 		}

+		if err := loadAndApplyServiceParams(cmd); err != nil {
+			cmd.PrintErrf("Warning: failed to load saved service params: %v\n", err)
+		}
+
 		wasRunning, err := isServiceRunning()
 		if err != nil && !errors.Is(err, ErrGetServiceStatus) {
 			return fmt.Errorf("check service status: %w", err)
@@ -222,6 +234,10 @@ This command will temporarily stop the service, update its configuration, and re
 			return fmt.Errorf("install service with new config: %w", err)
 		}

+		if err := saveServiceParams(currentServiceParams()); err != nil {
+			cmd.PrintErrf("Warning: failed to save service params: %v\n", err)
+		}
+
 		if wasRunning {
 			cmd.Println("Starting NetBird service...")
 			if err := s.Start(); err != nil {
--- a/client/cmd/service_params.go
+++ b/client/cmd/service_params.go
@@ -0,0 +1,201 @@
+//go:build !ios && !android
+
+package cmd
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"maps"
+	"os"
+	"path/filepath"
+
+	"github.com/spf13/cobra"
+
+	"github.com/netbirdio/netbird/client/configs"
+	"github.com/netbirdio/netbird/util"
+)
+
+const serviceParamsFile = "service.json"
+
+// serviceParams holds install-time service parameters that persist across
+// uninstall/reinstall cycles. Saved to <stateDir>/service.json.
+type serviceParams struct {
+	LogLevel              string            `json:"log_level"`
+	DaemonAddr            string            `json:"daemon_addr"`
+	ManagementURL         string            `json:"management_url,omitempty"`
+	ConfigPath            string            `json:"config_path,omitempty"`
+	LogFiles              []string          `json:"log_files,omitempty"`
+	DisableProfiles       bool              `json:"disable_profiles,omitempty"`
+	DisableUpdateSettings bool              `json:"disable_update_settings,omitempty"`
+	ServiceEnvVars        map[string]string `json:"service_env_vars,omitempty"`
+}
+
+// serviceParamsPath returns the path to the service params file.
+func serviceParamsPath() string {
+	return filepath.Join(configs.StateDir, serviceParamsFile)
+}
+
+// loadServiceParams reads saved service parameters from disk.
+// Returns nil with no error if the file does not exist.
+func loadServiceParams() (*serviceParams, error) {
+	path := serviceParamsPath()
+
+	data, err := os.ReadFile(path)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil, nil //nolint:nilnil
+		}
+		return nil, fmt.Errorf("read service params %s: %w", path, err)
+	}
+
+	var params serviceParams
+	if err := json.Unmarshal(data, &params); err != nil {
+		return nil, fmt.Errorf("parse service params %s: %w", path, err)
+	}
+
+	return &params, nil
+}
+
+// saveServiceParams writes current service parameters to disk atomically
+// with restricted permissions.
+func saveServiceParams(params *serviceParams) error {
+	path := serviceParamsPath()
+	if err := util.WriteJsonWithRestrictedPermission(context.Background(), path, params); err != nil {
+		return fmt.Errorf("save service params: %w", err)
+	}
+	return nil
+}
+
+// currentServiceParams captures the current state of all package-level
+// variables into a serviceParams struct.
+func currentServiceParams() *serviceParams {
+	params := &serviceParams{
+		LogLevel:              logLevel,
+		DaemonAddr:            daemonAddr,
+		ManagementURL:         managementURL,
+		ConfigPath:            configPath,
+		LogFiles:              logFiles,
+		DisableProfiles:       profilesDisabled,
+		DisableUpdateSettings: updateSettingsDisabled,
+	}
+
+	if len(serviceEnvVars) > 0 {
+		parsed, err := parseServiceEnvVars(serviceEnvVars)
+		if err == nil && len(parsed) > 0 {
+			params.ServiceEnvVars = parsed
+		}
+	}
+
+	return params
+}
+
+// loadAndApplyServiceParams loads saved params from disk and applies them
+// to any flags that were not explicitly set.
+func loadAndApplyServiceParams(cmd *cobra.Command) error {
+	params, err := loadServiceParams()
+	if err != nil {
+		return err
+	}
+	applyServiceParams(cmd, params)
+	return nil
+}
+
+// applyServiceParams merges saved parameters into package-level variables
+// for any flag that was not explicitly set by the user (via CLI or env var).
+// Flags that were Changed() are left untouched.
+func applyServiceParams(cmd *cobra.Command, params *serviceParams) {
+	if params == nil {
+		return
+	}
+
+	// For fields with non-empty defaults (log-level, daemon-addr), keep the
+	// != "" guard so that an older service.json missing the field doesn't
+	// clobber the default with an empty string.
+	if !rootCmd.PersistentFlags().Changed("log-level") && params.LogLevel != "" {
+		logLevel = params.LogLevel
+	}
+
+	if !rootCmd.PersistentFlags().Changed("daemon-addr") && params.DaemonAddr != "" {
+		daemonAddr = params.DaemonAddr
+	}
+
+	// For optional fields where empty means "use default", always apply so
+	// that an explicit clear (--management-url "") persists across reinstalls.
+	if !rootCmd.PersistentFlags().Changed("management-url") {
+		managementURL = params.ManagementURL
+	}
+
+	if !rootCmd.PersistentFlags().Changed("config") {
+		configPath = params.ConfigPath
+	}
+
+	if !rootCmd.PersistentFlags().Changed("log-file") {
+		logFiles = params.LogFiles
+	}
+
+	if !serviceCmd.PersistentFlags().Changed("disable-profiles") {
+		profilesDisabled = params.DisableProfiles
+	}
+
+	if !serviceCmd.PersistentFlags().Changed("disable-update-settings") {
+		updateSettingsDisabled = params.DisableUpdateSettings
+	}
+
+	applyServiceEnvParams(cmd, params)
+}
+
+// applyServiceEnvParams merges saved service environment variables.
+// If --service-env was explicitly set, explicit values win on key conflict
+// but saved keys not in the explicit set are carried over.
+// If --service-env was not set, saved env vars are used entirely.
+func applyServiceEnvParams(cmd *cobra.Command, params *serviceParams) {
+	if len(params.ServiceEnvVars) == 0 {
+		return
+	}
+
+	if !cmd.Flags().Changed("service-env") {
+		// No explicit env vars: rebuild serviceEnvVars from saved params.
+		serviceEnvVars = envMapToSlice(params.ServiceEnvVars)
+		return
+	}
+
+	// Explicit env vars were provided: merge saved values underneath.
+	explicit, err := parseServiceEnvVars(serviceEnvVars)
+	if err != nil {
+		cmd.PrintErrf("Warning: parse explicit service env vars for merge: %v\n", err)
+		return
+	}
+
+	merged := make(map[string]string, len(params.ServiceEnvVars)+len(explicit))
+	maps.Copy(merged, params.ServiceEnvVars)
+	maps.Copy(merged, explicit) // explicit wins on conflict
+	serviceEnvVars = envMapToSlice(merged)
+}
+
+var resetParamsCmd = &cobra.Command{
+	Use:   "reset-params",
+	Short: "Remove saved service install parameters",
+	Long:  "Removes the saved service.json file so the next install uses default parameters.",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		path := serviceParamsPath()
+		if err := os.Remove(path); err != nil {
+			if os.IsNotExist(err) {
+				cmd.Println("No saved service parameters found")
+				return nil
+			}
+			return fmt.Errorf("remove service params: %w", err)
+		}
+		cmd.Printf("Removed saved service parameters (%s)\n", path)
+		return nil
+	},
+}
+
+// envMapToSlice converts a map of env vars to a KEY=VALUE slice.
+func envMapToSlice(m map[string]string) []string {
+	s := make([]string, 0, len(m))
+	for k, v := range m {
+		s = append(s, k+"="+v)
+	}
+	return s
+}
--- a/client/cmd/service_params_test.go
+++ b/client/cmd/service_params_test.go
@@ -0,0 +1,523 @@
+//go:build !ios && !android
+
+package cmd
+
+import (
+	"encoding/json"
+	"go/ast"
+	"go/parser"
+	"go/token"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/client/configs"
+)
+
+func TestServiceParamsPath(t *testing.T) {
+	original := configs.StateDir
+	t.Cleanup(func() { configs.StateDir = original })
+
+	configs.StateDir = "/var/lib/netbird"
+	assert.Equal(t, filepath.Join("/var/lib/netbird", "service.json"), serviceParamsPath())
+
+	configs.StateDir = "/custom/state"
+	assert.Equal(t, filepath.Join("/custom/state", "service.json"), serviceParamsPath())
+}
+
+func TestSaveAndLoadServiceParams(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	original := configs.StateDir
+	t.Cleanup(func() { configs.StateDir = original })
+	configs.StateDir = tmpDir
+
+	params := &serviceParams{
+		LogLevel:              "debug",
+		DaemonAddr:            "unix:///var/run/netbird.sock",
+		ManagementURL:         "https://my.server.com",
+		ConfigPath:            "/etc/netbird/config.json",
+		LogFiles:              []string{"/var/log/netbird/client.log", "console"},
+		DisableProfiles:       true,
+		DisableUpdateSettings: false,
+		ServiceEnvVars:        map[string]string{"NB_LOG_FORMAT": "json", "CUSTOM": "val"},
+	}
+
+	err := saveServiceParams(params)
+	require.NoError(t, err)
+
+	// Verify the file exists and is valid JSON.
+	data, err := os.ReadFile(filepath.Join(tmpDir, "service.json"))
+	require.NoError(t, err)
+	assert.True(t, json.Valid(data))
+
+	loaded, err := loadServiceParams()
+	require.NoError(t, err)
+	require.NotNil(t, loaded)
+
+	assert.Equal(t, params.LogLevel, loaded.LogLevel)
+	assert.Equal(t, params.DaemonAddr, loaded.DaemonAddr)
+	assert.Equal(t, params.ManagementURL, loaded.ManagementURL)
+	assert.Equal(t, params.ConfigPath, loaded.ConfigPath)
+	assert.Equal(t, params.LogFiles, loaded.LogFiles)
+	assert.Equal(t, params.DisableProfiles, loaded.DisableProfiles)
+	assert.Equal(t, params.DisableUpdateSettings, loaded.DisableUpdateSettings)
+	assert.Equal(t, params.ServiceEnvVars, loaded.ServiceEnvVars)
+}
+
+func TestLoadServiceParams_FileNotExists(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	original := configs.StateDir
+	t.Cleanup(func() { configs.StateDir = original })
+	configs.StateDir = tmpDir
+
+	params, err := loadServiceParams()
+	assert.NoError(t, err)
+	assert.Nil(t, params)
+}
+
+func TestLoadServiceParams_InvalidJSON(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	original := configs.StateDir
+	t.Cleanup(func() { configs.StateDir = original })
+	configs.StateDir = tmpDir
+
+	err := os.WriteFile(filepath.Join(tmpDir, "service.json"), []byte("not json"), 0600)
+	require.NoError(t, err)
+
+	params, err := loadServiceParams()
+	assert.Error(t, err)
+	assert.Nil(t, params)
+}
+
+func TestCurrentServiceParams(t *testing.T) {
+	origLogLevel := logLevel
+	origDaemonAddr := daemonAddr
+	origManagementURL := managementURL
+	origConfigPath := configPath
+	origLogFiles := logFiles
+	origProfilesDisabled := profilesDisabled
+	origUpdateSettingsDisabled := updateSettingsDisabled
+	origServiceEnvVars := serviceEnvVars
+	t.Cleanup(func() {
+		logLevel = origLogLevel
+		daemonAddr = origDaemonAddr
+		managementURL = origManagementURL
+		configPath = origConfigPath
+		logFiles = origLogFiles
+		profilesDisabled = origProfilesDisabled
+		updateSettingsDisabled = origUpdateSettingsDisabled
+		serviceEnvVars = origServiceEnvVars
+	})
+
+	logLevel = "trace"
+	daemonAddr = "tcp://127.0.0.1:9999"
+	managementURL = "https://mgmt.example.com"
+	configPath = "/tmp/test-config.json"
+	logFiles = []string{"/tmp/test.log"}
+	profilesDisabled = true
+	updateSettingsDisabled = true
+	serviceEnvVars = []string{"FOO=bar", "BAZ=qux"}
+
+	params := currentServiceParams()
+
+	assert.Equal(t, "trace", params.LogLevel)
+	assert.Equal(t, "tcp://127.0.0.1:9999", params.DaemonAddr)
+	assert.Equal(t, "https://mgmt.example.com", params.ManagementURL)
+	assert.Equal(t, "/tmp/test-config.json", params.ConfigPath)
+	assert.Equal(t, []string{"/tmp/test.log"}, params.LogFiles)
+	assert.True(t, params.DisableProfiles)
+	assert.True(t, params.DisableUpdateSettings)
+	assert.Equal(t, map[string]string{"FOO": "bar", "BAZ": "qux"}, params.ServiceEnvVars)
+}
+
+func TestApplyServiceParams_OnlyUnchangedFlags(t *testing.T) {
+	origLogLevel := logLevel
+	origDaemonAddr := daemonAddr
+	origManagementURL := managementURL
+	origConfigPath := configPath
+	origLogFiles := logFiles
+	origProfilesDisabled := profilesDisabled
+	origUpdateSettingsDisabled := updateSettingsDisabled
+	origServiceEnvVars := serviceEnvVars
+	t.Cleanup(func() {
+		logLevel = origLogLevel
+		daemonAddr = origDaemonAddr
+		managementURL = origManagementURL
+		configPath = origConfigPath
+		logFiles = origLogFiles
+		profilesDisabled = origProfilesDisabled
+		updateSettingsDisabled = origUpdateSettingsDisabled
+		serviceEnvVars = origServiceEnvVars
+	})
+
+	// Reset all flags to defaults.
+	logLevel = "info"
+	daemonAddr = "unix:///var/run/netbird.sock"
+	managementURL = ""
+	configPath = "/etc/netbird/config.json"
+	logFiles = []string{"/var/log/netbird/client.log"}
+	profilesDisabled = false
+	updateSettingsDisabled = false
+	serviceEnvVars = nil
+
+	// Reset Changed state on all relevant flags.
+	rootCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
+		f.Changed = false
+	})
+	serviceCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
+		f.Changed = false
+	})
+
+	// Simulate user explicitly setting --log-level via CLI.
+	logLevel = "warn"
+	require.NoError(t, rootCmd.PersistentFlags().Set("log-level", "warn"))
+
+	saved := &serviceParams{
+		LogLevel:              "debug",
+		DaemonAddr:            "tcp://127.0.0.1:5555",
+		ManagementURL:         "https://saved.example.com",
+		ConfigPath:            "/saved/config.json",
+		LogFiles:              []string{"/saved/client.log"},
+		DisableProfiles:       true,
+		DisableUpdateSettings: true,
+		ServiceEnvVars:        map[string]string{"SAVED_KEY": "saved_val"},
+	}
+
+	cmd := &cobra.Command{}
+	cmd.Flags().StringSlice("service-env", nil, "")
+	applyServiceParams(cmd, saved)
+
+	// log-level was Changed, so it should keep "warn", not use saved "debug".
+	assert.Equal(t, "warn", logLevel)
+
+	// All other fields were not Changed, so they should use saved values.
+	assert.Equal(t, "tcp://127.0.0.1:5555", daemonAddr)
+	assert.Equal(t, "https://saved.example.com", managementURL)
+	assert.Equal(t, "/saved/config.json", configPath)
+	assert.Equal(t, []string{"/saved/client.log"}, logFiles)
+	assert.True(t, profilesDisabled)
+	assert.True(t, updateSettingsDisabled)
+	assert.Equal(t, []string{"SAVED_KEY=saved_val"}, serviceEnvVars)
+}
+
+func TestApplyServiceParams_BooleanRevertToFalse(t *testing.T) {
+	origProfilesDisabled := profilesDisabled
+	origUpdateSettingsDisabled := updateSettingsDisabled
+	t.Cleanup(func() {
+		profilesDisabled = origProfilesDisabled
+		updateSettingsDisabled = origUpdateSettingsDisabled
+	})
+
+	// Simulate current state where booleans are true (e.g. set by previous install).
+	profilesDisabled = true
+	updateSettingsDisabled = true
+
+	// Reset Changed state so flags appear unset.
+	serviceCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
+		f.Changed = false
+	})
+
+	// Saved params have both as false.
+	saved := &serviceParams{
+		DisableProfiles:       false,
+		DisableUpdateSettings: false,
+	}
+
+	cmd := &cobra.Command{}
+	cmd.Flags().StringSlice("service-env", nil, "")
+	applyServiceParams(cmd, saved)
+
+	assert.False(t, profilesDisabled, "saved false should override current true")
+	assert.False(t, updateSettingsDisabled, "saved false should override current true")
+}
+
+func TestApplyServiceParams_ClearManagementURL(t *testing.T) {
+	origManagementURL := managementURL
+	t.Cleanup(func() { managementURL = origManagementURL })
+
+	managementURL = "https://leftover.example.com"
+
+	// Simulate saved params where management URL was explicitly cleared.
+	saved := &serviceParams{
+		LogLevel:   "info",
+		DaemonAddr: "unix:///var/run/netbird.sock",
+		// ManagementURL intentionally empty: was cleared with --management-url "".
+	}
+
+	rootCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
+		f.Changed = false
+	})
+
+	cmd := &cobra.Command{}
+	cmd.Flags().StringSlice("service-env", nil, "")
+	applyServiceParams(cmd, saved)
+
+	assert.Equal(t, "", managementURL, "saved empty management URL should clear the current value")
+}
+
+func TestApplyServiceParams_NilParams(t *testing.T) {
+	origLogLevel := logLevel
+	t.Cleanup(func() { logLevel = origLogLevel })
+
+	logLevel = "info"
+	cmd := &cobra.Command{}
+	cmd.Flags().StringSlice("service-env", nil, "")
+
+	// Should be a no-op.
+	applyServiceParams(cmd, nil)
+	assert.Equal(t, "info", logLevel)
+}
+
+func TestApplyServiceEnvParams_MergeExplicitAndSaved(t *testing.T) {
+	origServiceEnvVars := serviceEnvVars
+	t.Cleanup(func() { serviceEnvVars = origServiceEnvVars })
+
+	// Set up a command with --service-env marked as Changed.
+	cmd := &cobra.Command{}
+	cmd.Flags().StringSlice("service-env", nil, "")
+	require.NoError(t, cmd.Flags().Set("service-env", "EXPLICIT=yes,OVERLAP=explicit"))
+
+	serviceEnvVars = []string{"EXPLICIT=yes", "OVERLAP=explicit"}
+
+	saved := &serviceParams{
+		ServiceEnvVars: map[string]string{
+			"SAVED":   "val",
+			"OVERLAP": "saved",
+		},
+	}
+
+	applyServiceEnvParams(cmd, saved)
+
+	// Parse result for easier assertion.
+	result, err := parseServiceEnvVars(serviceEnvVars)
+	require.NoError(t, err)
+
+	assert.Equal(t, "yes", result["EXPLICIT"])
+	assert.Equal(t, "val", result["SAVED"])
+	// Explicit wins on conflict.
+	assert.Equal(t, "explicit", result["OVERLAP"])
+}
+
+func TestApplyServiceEnvParams_NotChanged(t *testing.T) {
+	origServiceEnvVars := serviceEnvVars
+	t.Cleanup(func() { serviceEnvVars = origServiceEnvVars })
+
+	serviceEnvVars = nil
+
+	cmd := &cobra.Command{}
+	cmd.Flags().StringSlice("service-env", nil, "")
+
+	saved := &serviceParams{
+		ServiceEnvVars: map[string]string{"FROM_SAVED": "val"},
+	}
+
+	applyServiceEnvParams(cmd, saved)
+
+	result, err := parseServiceEnvVars(serviceEnvVars)
+	require.NoError(t, err)
+	assert.Equal(t, map[string]string{"FROM_SAVED": "val"}, result)
+}
+
+// TestServiceParams_FieldsCoveredInFunctions ensures that all serviceParams fields are
+// referenced in both currentServiceParams() and applyServiceParams(). If a new field is
+// added to serviceParams but not wired into these functions, this test fails.
+func TestServiceParams_FieldsCoveredInFunctions(t *testing.T) {
+	fset := token.NewFileSet()
+	file, err := parser.ParseFile(fset, "service_params.go", nil, 0)
+	require.NoError(t, err)
+
+	// Collect all JSON field names from the serviceParams struct.
+	structFields := extractStructJSONFields(t, file, "serviceParams")
+	require.NotEmpty(t, structFields, "failed to find serviceParams struct fields")
+
+	// Collect field names referenced in currentServiceParams and applyServiceParams.
+	currentFields := extractFuncFieldRefs(t, file, "currentServiceParams", structFields)
+	applyFields := extractFuncFieldRefs(t, file, "applyServiceParams", structFields)
+	// applyServiceEnvParams handles ServiceEnvVars indirectly.
+	applyEnvFields := extractFuncFieldRefs(t, file, "applyServiceEnvParams", structFields)
+	for k, v := range applyEnvFields {
+		applyFields[k] = v
+	}
+
+	for _, field := range structFields {
+		assert.Contains(t, currentFields, field,
+			"serviceParams field %q is not captured in currentServiceParams()", field)
+		assert.Contains(t, applyFields, field,
+			"serviceParams field %q is not restored in applyServiceParams()/applyServiceEnvParams()", field)
+	}
+}
+
+// TestServiceParams_BuildArgsCoversAllFlags ensures that buildServiceArguments references
+// all serviceParams fields that should become CLI args. ServiceEnvVars is excluded because
+// it flows through newSVCConfig() EnvVars, not CLI args.
+func TestServiceParams_BuildArgsCoversAllFlags(t *testing.T) {
+	fset := token.NewFileSet()
+	file, err := parser.ParseFile(fset, "service_params.go", nil, 0)
+	require.NoError(t, err)
+
+	structFields := extractStructJSONFields(t, file, "serviceParams")
+	require.NotEmpty(t, structFields)
+
+	installerFile, err := parser.ParseFile(fset, "service_installer.go", nil, 0)
+	require.NoError(t, err)
+
+	// Fields that are handled outside of buildServiceArguments (env vars go through newSVCConfig).
+	fieldsNotInArgs := map[string]bool{
+		"ServiceEnvVars": true,
+	}
+
+	buildFields := extractFuncGlobalRefs(t, installerFile, "buildServiceArguments")
+
+	// Forward: every struct field must appear in buildServiceArguments.
+	for _, field := range structFields {
+		if fieldsNotInArgs[field] {
+			continue
+		}
+		globalVar := fieldToGlobalVar(field)
+		assert.Contains(t, buildFields, globalVar,
+			"serviceParams field %q (global %q) is not referenced in buildServiceArguments()", field, globalVar)
+	}
+
+	// Reverse: every service-related global used in buildServiceArguments must
+	// have a corresponding serviceParams field. This catches a developer adding
+	// a new flag to buildServiceArguments without adding it to the struct.
+	globalToField := make(map[string]string, len(structFields))
+	for _, field := range structFields {
+		globalToField[fieldToGlobalVar(field)] = field
+	}
+	// Identifiers in buildServiceArguments that are not service params
+	// (builtins, boilerplate, loop variables).
+	nonParamGlobals := map[string]bool{
+		"args": true, "append": true, "string": true, "_": true,
+		"logFile": true, // range variable over logFiles
+	}
+	for ref := range buildFields {
+		if nonParamGlobals[ref] {
+			continue
+		}
+		_, inStruct := globalToField[ref]
+		assert.True(t, inStruct,
+			"buildServiceArguments() references global %q which has no corresponding serviceParams field", ref)
+	}
+}
+
+// extractStructJSONFields returns field names from a named struct type.
+func extractStructJSONFields(t *testing.T, file *ast.File, structName string) []string {
+	t.Helper()
+	var fields []string
+	ast.Inspect(file, func(n ast.Node) bool {
+		ts, ok := n.(*ast.TypeSpec)
+		if !ok || ts.Name.Name != structName {
+			return true
+		}
+		st, ok := ts.Type.(*ast.StructType)
+		if !ok {
+			return false
+		}
+		for _, f := range st.Fields.List {
+			if len(f.Names) > 0 {
+				fields = append(fields, f.Names[0].Name)
+			}
+		}
+		return false
+	})
+	return fields
+}
+
+// extractFuncFieldRefs returns which of the given field names appear inside the
+// named function, either as selector expressions (params.FieldName) or as
+// composite literal keys (&serviceParams{FieldName: ...}).
+func extractFuncFieldRefs(t *testing.T, file *ast.File, funcName string, fields []string) map[string]bool {
+	t.Helper()
+	fieldSet := make(map[string]bool, len(fields))
+	for _, f := range fields {
+		fieldSet[f] = true
+	}
+
+	found := make(map[string]bool)
+	fn := findFuncDecl(file, funcName)
+	require.NotNil(t, fn, "function %s not found", funcName)
+
+	ast.Inspect(fn.Body, func(n ast.Node) bool {
+		switch v := n.(type) {
+		case *ast.SelectorExpr:
+			if fieldSet[v.Sel.Name] {
+				found[v.Sel.Name] = true
+			}
+		case *ast.KeyValueExpr:
+			if ident, ok := v.Key.(*ast.Ident); ok && fieldSet[ident.Name] {
+				found[ident.Name] = true
+			}
+		}
+		return true
+	})
+	return found
+}
+
+// extractFuncGlobalRefs returns all identifier names referenced in the named function body.
+func extractFuncGlobalRefs(t *testing.T, file *ast.File, funcName string) map[string]bool {
+	t.Helper()
+	fn := findFuncDecl(file, funcName)
+	require.NotNil(t, fn, "function %s not found", funcName)
+
+	refs := make(map[string]bool)
+	ast.Inspect(fn.Body, func(n ast.Node) bool {
+		if ident, ok := n.(*ast.Ident); ok {
+			refs[ident.Name] = true
+		}
+		return true
+	})
+	return refs
+}
+
+func findFuncDecl(file *ast.File, name string) *ast.FuncDecl {
+	for _, decl := range file.Decls {
+		fn, ok := decl.(*ast.FuncDecl)
+		if ok && fn.Name.Name == name {
+			return fn
+		}
+	}
+	return nil
+}
+
+// fieldToGlobalVar maps serviceParams field names to the package-level variable
+// names used in buildServiceArguments and applyServiceParams.
+func fieldToGlobalVar(field string) string {
+	m := map[string]string{
+		"LogLevel":              "logLevel",
+		"DaemonAddr":            "daemonAddr",
+		"ManagementURL":         "managementURL",
+		"ConfigPath":            "configPath",
+		"LogFiles":              "logFiles",
+		"DisableProfiles":       "profilesDisabled",
+		"DisableUpdateSettings": "updateSettingsDisabled",
+		"ServiceEnvVars":        "serviceEnvVars",
+	}
+	if v, ok := m[field]; ok {
+		return v
+	}
+	// Default: lowercase first letter.
+	return strings.ToLower(field[:1]) + field[1:]
+}
+
+func TestEnvMapToSlice(t *testing.T) {
+	m := map[string]string{"A": "1", "B": "2"}
+	s := envMapToSlice(m)
+	assert.Len(t, s, 2)
+	assert.Contains(t, s, "A=1")
+	assert.Contains(t, s, "B=2")
+}
+
+func TestEnvMapToSlice_Empty(t *testing.T) {
+	s := envMapToSlice(map[string]string{})
+	assert.Empty(t, s)
+}
--- a/client/cmd/service_test.go
+++ b/client/cmd/service_test.go
@@ -4,7 +4,9 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"os/signal"
 	"runtime"
+	"syscall"
 	"testing"
 	"time"

@@ -13,6 +15,22 @@ import (
 	"github.com/stretchr/testify/require"
 )

+// TestMain intercepts when this test binary is run as a daemon subprocess.
+// On FreeBSD, the rc.d service script runs the binary via daemon(8) -r with
+// "service run ..." arguments. Since the test binary can't handle cobra CLI
+// args, it exits immediately, causing daemon -r to respawn rapidly until
+// hitting the rate limit and exiting. This makes service restart unreliable.
+// Blocking here keeps the subprocess alive until the init system sends SIGTERM.
+func TestMain(m *testing.M) {
+	if len(os.Args) > 2 && os.Args[1] == "service" && os.Args[2] == "run" {
+		sig := make(chan os.Signal, 1)
+		signal.Notify(sig, syscall.SIGTERM, os.Interrupt)
+		<-sig
+		return
+	}
+	os.Exit(m.Run())
+}
+
 const (
 	serviceStartTimeout = 10 * time.Second
 	serviceStopTimeout  = 5 * time.Second
@@ -79,6 +97,34 @@ func TestServiceLifecycle(t *testing.T) {
 	logLevel = "info"
 	daemonAddr = fmt.Sprintf("unix://%s/netbird-test.sock", tempDir)

+	// Ensure cleanup even if a subtest fails and Stop/Uninstall subtests don't run.
+	t.Cleanup(func() {
+		cfg, err := newSVCConfig()
+		if err != nil {
+			t.Errorf("cleanup: create service config: %v", err)
+			return
+		}
+		ctxSvc, cancel := context.WithCancel(context.Background())
+		defer cancel()
+		s, err := newSVC(newProgram(ctxSvc, cancel), cfg)
+		if err != nil {
+			t.Errorf("cleanup: create service: %v", err)
+			return
+		}
+
+		// If the subtests already cleaned up, there's nothing to do.
+		if _, err := s.Status(); err != nil {
+			return
+		}
+
+		if err := s.Stop(); err != nil {
+			t.Errorf("cleanup: stop service: %v", err)
+		}
+		if err := s.Uninstall(); err != nil {
+			t.Errorf("cleanup: uninstall service: %v", err)
+		}
+	})
+
 	ctx := context.Background()

 	t.Run("Install", func(t *testing.T) {
--- a/client/cmd/ssh.go
+++ b/client/cmd/ssh.go
@@ -787,10 +787,10 @@ func isUnixSocket(path string) bool {
 	return strings.HasPrefix(path, "/") || strings.HasPrefix(path, "./")
 }

-// normalizeLocalHost converts "*" to "0.0.0.0" for binding to all interfaces.
+// normalizeLocalHost converts "*" to "" for binding to all interfaces (dual-stack).
 func normalizeLocalHost(host string) string {
 	if host == "*" {
-		return "0.0.0.0"
+		return ""
 	}
 	return host
 }
--- a/client/cmd/ssh_test.go
+++ b/client/cmd/ssh_test.go
@@ -527,10 +527,10 @@ func TestParsePortForward(t *testing.T) {
 		{
 			name:           "wildcard bind all interfaces",
 			spec:           "*:8080:localhost:80",
-			expectedLocal:  "0.0.0.0:8080",
+			expectedLocal:  ":8080",
 			expectedRemote: "localhost:80",
 			expectError:    false,
-			description:    "Wildcard * should bind to all interfaces (0.0.0.0)",
+			description:    "Wildcard * should bind to all interfaces (dual-stack)",
 		},
 		{
 			name:           "wildcard for port only",
--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -20,6 +20,7 @@ import (
 var (
 	detailFlag           bool
 	ipv4Flag             bool
+	ipv6Flag             bool
 	jsonFlag             bool
 	yamlFlag             bool
 	ipsFilter            []string
@@ -45,8 +46,9 @@ func init() {
 	statusCmd.PersistentFlags().BoolVar(&jsonFlag, "json", false, "display detailed status information in json format")
 	statusCmd.PersistentFlags().BoolVar(&yamlFlag, "yaml", false, "display detailed status information in yaml format")
 	statusCmd.PersistentFlags().BoolVar(&ipv4Flag, "ipv4", false, "display only NetBird IPv4 of this peer, e.g., --ipv4 will output 100.64.0.33")
-	statusCmd.MarkFlagsMutuallyExclusive("detail", "json", "yaml", "ipv4")
-	statusCmd.PersistentFlags().StringSliceVar(&ipsFilter, "filter-by-ips", []string{}, "filters the detailed output by a list of one or more IPs, e.g., --filter-by-ips 100.64.0.100,100.64.0.200")
+	statusCmd.PersistentFlags().BoolVar(&ipv6Flag, "ipv6", false, "display only NetBird IPv6 of this peer")
+	statusCmd.MarkFlagsMutuallyExclusive("detail", "json", "yaml", "ipv4", "ipv6")
+	statusCmd.PersistentFlags().StringSliceVar(&ipsFilter, "filter-by-ips", []string{}, "filters the detailed output by a list of one or more IPs (v4 or v6), e.g., --filter-by-ips 100.64.0.100,fd00::1")
 	statusCmd.PersistentFlags().StringSliceVar(&prefixNamesFilter, "filter-by-names", []string{}, "filters the detailed output by a list of one or more peer FQDN or hostnames, e.g., --filter-by-names peer-a,peer-b.netbird.cloud")
 	statusCmd.PersistentFlags().StringVar(&statusFilter, "filter-by-status", "", "filters the detailed output by connection status(idle|connecting|connected), e.g., --filter-by-status connected")
 	statusCmd.PersistentFlags().StringVar(&connectionTypeFilter, "filter-by-connection-type", "", "filters the detailed output by connection type (P2P|Relayed), e.g., --filter-by-connection-type P2P")
@@ -101,6 +103,14 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 		return nil
 	}

+	if ipv6Flag {
+		ipv6 := resp.GetFullStatus().GetLocalPeerState().GetIpv6()
+		if ipv6 != "" {
+			cmd.Print(parseInterfaceIP(ipv6))
+		}
+		return nil
+	}
+
 	pm := profilemanager.NewProfileManager()
 	var profName string
 	if activeProf, err := pm.GetActiveProfile(); err == nil {
--- a/client/cmd/system.go
+++ b/client/cmd/system.go
@@ -8,6 +8,7 @@ const (
 	disableFirewallFlag     = "disable-firewall"
 	blockLANAccessFlag      = "block-lan-access"
 	blockInboundFlag        = "block-inbound"
+	disableIPv6Flag         = "disable-ipv6"
 )

 var (
@@ -17,6 +18,7 @@ var (
 	disableFirewall     bool
 	blockLANAccess      bool
 	blockInbound        bool
+	disableIPv6         bool
 )

 func init() {
@@ -39,4 +41,7 @@ func init() {
 	upCmd.PersistentFlags().BoolVar(&blockInbound, blockInboundFlag, false,
 		"Block inbound connections. If enabled, the client will not allow any inbound connections to the local machine nor routed networks.\n"+
 			"This overrides any policies received from the management service.")
+
+	upCmd.PersistentFlags().BoolVar(&disableIPv6, disableIPv6Flag, false,
+		"Disable IPv6 overlay. If enabled, the client won't request or use an IPv6 overlay address.")
 }
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -430,6 +430,10 @@ func setupSetConfigReq(customDNSAddressConverted []byte, cmd *cobra.Command, pro
 		req.BlockInbound = &blockInbound
 	}

+	if cmd.Flag(disableIPv6Flag).Changed {
+		req.DisableIpv6 = &disableIPv6
+	}
+
 	if cmd.Flag(enableLazyConnectionFlag).Changed {
 		req.LazyConnectionEnabled = &lazyConnEnabled
 	}
@@ -547,6 +551,10 @@ func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command, configFil
 		ic.BlockInbound = &blockInbound
 	}

+	if cmd.Flag(disableIPv6Flag).Changed {
+		ic.DisableIPv6 = &disableIPv6
+	}
+
 	if cmd.Flag(enableLazyConnectionFlag).Changed {
 		ic.LazyConnectionEnabled = &lazyConnEnabled
 	}
@@ -661,6 +669,10 @@ func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte
 		loginRequest.BlockInbound = &blockInbound
 	}

+	if cmd.Flag(disableIPv6Flag).Changed {
+		loginRequest.DisableIpv6 = &disableIPv6
+	}
+
 	if cmd.Flag(enableLazyConnectionFlag).Changed {
 		loginRequest.LazyConnectionEnabled = &lazyConnEnabled
 	}
--- a/client/embed/embed.go
+++ b/client/embed/embed.go
@@ -33,14 +33,14 @@ var (
 	ErrConfigNotInitialized = errors.New("config not initialized")
 )

-// PeerConnStatus is a peer's connection status.
-type PeerConnStatus = peer.ConnStatus
-
 const (
 	// PeerStatusConnected indicates the peer is in connected state.
 	PeerStatusConnected = peer.StatusConnected
 )

+// PeerConnStatus is a peer's connection status.
+type PeerConnStatus = peer.ConnStatus
+
 // Client manages a netbird embedded client instance.
 type Client struct {
 	deviceName string
@@ -79,6 +79,8 @@ type Options struct {
 	StatePath string
 	// DisableClientRoutes disables the client routes
 	DisableClientRoutes bool
+	// DisableIPv6 disables IPv6 overlay addressing
+	DisableIPv6 bool
 	// BlockInbound blocks all inbound connections from peers
 	BlockInbound bool
 	// WireguardPort is the port for the WireGuard interface. Use 0 for a random port.
@@ -170,6 +172,7 @@ func New(opts Options) (*Client, error) {
 		PreSharedKey:        &opts.PreSharedKey,
 		DisableServerRoutes: &t,
 		DisableClientRoutes: &opts.DisableClientRoutes,
+		DisableIPv6:         &opts.DisableIPv6,
 		BlockInbound:        &opts.BlockInbound,
 		WireguardPort:       opts.WireguardPort,
 		MTU:                 opts.MTU,
@@ -375,6 +378,32 @@ func (c *Client) NewHTTPClient() *http.Client {
 	}
 }

+// Expose exposes a local service via the NetBird reverse proxy, making it accessible through a public URL.
+// It returns an ExposeSession. Call Wait on the session to keep it alive.
+func (c *Client) Expose(ctx context.Context, req ExposeRequest) (*ExposeSession, error) {
+	engine, err := c.getEngine()
+	if err != nil {
+		return nil, err
+	}
+
+	mgr := engine.GetExposeManager()
+	if mgr == nil {
+		return nil, fmt.Errorf("expose manager not available")
+	}
+
+	resp, err := mgr.Expose(ctx, req)
+	if err != nil {
+		return nil, fmt.Errorf("expose: %w", err)
+	}
+
+	return &ExposeSession{
+		Domain:      resp.Domain,
+		ServiceName: resp.ServiceName,
+		ServiceURL:  resp.ServiceURL,
+		mgr:         mgr,
+	}, nil
+}
+
 // Status returns the current status of the client.
 func (c *Client) Status() (peer.FullStatus, error) {
 	c.mu.Lock()
--- a/client/embed/expose.go
+++ b/client/embed/expose.go
@@ -0,0 +1,45 @@
+package embed
+
+import (
+	"context"
+	"errors"
+
+	"github.com/netbirdio/netbird/client/internal/expose"
+)
+
+const (
+	// ExposeProtocolHTTP exposes the service as HTTP.
+	ExposeProtocolHTTP = expose.ProtocolHTTP
+	// ExposeProtocolHTTPS exposes the service as HTTPS.
+	ExposeProtocolHTTPS = expose.ProtocolHTTPS
+	// ExposeProtocolTCP exposes the service as TCP.
+	ExposeProtocolTCP = expose.ProtocolTCP
+	// ExposeProtocolUDP exposes the service as UDP.
+	ExposeProtocolUDP = expose.ProtocolUDP
+	// ExposeProtocolTLS exposes the service as TLS.
+	ExposeProtocolTLS = expose.ProtocolTLS
+)
+
+// ExposeRequest is a request to expose a local service via the NetBird reverse proxy.
+type ExposeRequest = expose.Request
+
+// ExposeProtocolType represents the protocol used for exposing a service.
+type ExposeProtocolType = expose.ProtocolType
+
+// ExposeSession represents an active expose session. Use Wait to block until the session ends.
+type ExposeSession struct {
+	Domain      string
+	ServiceName string
+	ServiceURL  string
+
+	mgr *expose.Manager
+}
+
+// Wait blocks while keeping the expose session alive.
+// It returns when ctx is cancelled or a keep-alive error occurs, then terminates the session.
+func (s *ExposeSession) Wait(ctx context.Context) error {
+	if s == nil || s.mgr == nil {
+		return errors.New("expose session is not initialized")
+	}
+	return s.mgr.KeepAlive(ctx, s.Domain)
+}
--- a/client/firewall/create_linux.go
+++ b/client/firewall/create_linux.go
@@ -6,7 +6,6 @@ import (
 	"errors"
 	"fmt"
 	"os"
-	"strconv"

 	"github.com/coreos/go-iptables/iptables"
 	"github.com/google/nftables"
@@ -36,27 +35,20 @@ const SKIP_NFTABLES_ENV = "NB_SKIP_NFTABLES_CHECK"
 type FWType int

 func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool, mtu uint16) (firewall.Manager, error) {
-	// We run in userspace mode and force userspace firewall was requested. We don't attempt native firewall.
-	if iface.IsUserspaceBind() && forceUserspaceFirewall() {
-		log.Info("forcing userspace firewall")
-		return createUserspaceFirewall(iface, nil, disableServerRoutes, flowLogger, mtu)
-	}
-
-	// Use native firewall for either kernel or userspace, the interface appears identical to netfilter
+	// on the linux system we try to user nftables or iptables
+	// in any case, because we need to allow netbird interface traffic
+	// so we use AllowNetbird traffic from these firewall managers
+	// for the userspace packet filtering firewall
 	fm, err := createNativeFirewall(iface, stateManager, disableServerRoutes, mtu)

-	// Kernel cannot fall back to anything else, need to return error
 	if !iface.IsUserspaceBind() {
 		return fm, err
 	}

-	// Fall back to the userspace packet filter if native is unavailable
 	if err != nil {
 		log.Warnf("failed to create native firewall: %v. Proceeding with userspace", err)
-		return createUserspaceFirewall(iface, nil, disableServerRoutes, flowLogger, mtu)
 	}
-
-	return fm, nil
+	return createUserspaceFirewall(iface, fm, disableServerRoutes, flowLogger, mtu)
 }

 func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager, routes bool, mtu uint16) (firewall.Manager, error) {
@@ -168,17 +160,3 @@ func isIptablesClientAvailable(client *iptables.IPTables) bool {
 	_, err := client.ListChains("filter")
 	return err == nil
 }
-
-func forceUserspaceFirewall() bool {
-	val := os.Getenv(EnvForceUserspaceFirewall)
-	if val == "" {
-		return false
-	}
-
-	force, err := strconv.ParseBool(val)
-	if err != nil {
-		log.Warnf("failed to parse %s: %v", EnvForceUserspaceFirewall, err)
-		return false
-	}
-	return force
-}
--- a/client/firewall/iface.go
+++ b/client/firewall/iface.go
@@ -7,12 +7,6 @@ import (
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )

-// EnvForceUserspaceFirewall forces the use of the userspace packet filter even when
-// native iptables/nftables is available. This only applies when the WireGuard interface
-// runs in userspace mode. When set, peer ACLs are handled by USPFilter instead of
-// kernel netfilter rules.
-const EnvForceUserspaceFirewall = "NB_FORCE_USERSPACE_FIREWALL"
-
 // IFaceMapper defines subset methods of interface required for manager
 type IFaceMapper interface {
 	Name() string
--- a/client/firewall/iptables/acl_linux.go
+++ b/client/firewall/iptables/acl_linux.go
@@ -36,6 +36,7 @@ type aclManager struct {
 	entries         aclEntries
 	optionalEntries map[string][]entry
 	ipsetStore      *ipsetStore
+	v6              bool

 	stateManager *statemanager.Manager
 }
@@ -47,6 +48,7 @@ func newAclManager(iptablesClient *iptables.IPTables, wgIface iFaceMapper) (*acl
 		entries:         make(map[string][][]string),
 		optionalEntries: make(map[string][]entry),
 		ipsetStore:      newIpsetStore(),
+		v6:              iptablesClient.Proto() == iptables.ProtocolIPv6,
 	}, nil
 }

@@ -81,7 +83,11 @@ func (m *aclManager) AddPeerFiltering(
 	chain := chainNameInputRules

 	ipsetName = transformIPsetName(ipsetName, sPort, dPort, action)
-	specs := filterRuleSpecs(ip, string(protocol), sPort, dPort, action, ipsetName)
+	if m.v6 && ipsetName != "" {
+		ipsetName += "-v6"
+	}
+	proto := protoForFamily(protocol, m.v6)
+	specs := filterRuleSpecs(ip, proto, sPort, dPort, action, ipsetName)

 	mangleSpecs := slices.Clone(specs)
 	mangleSpecs = append(mangleSpecs,
@@ -105,6 +111,7 @@ func (m *aclManager) AddPeerFiltering(
 				ip:        ip.String(),
 				chain:     chain,
 				specs:     specs,
+				v6:        m.v6,
 			}}, nil
 		}

@@ -157,6 +164,7 @@ func (m *aclManager) AddPeerFiltering(
 		ipsetName:   ipsetName,
 		ip:          ip.String(),
 		chain:       chain,
+		v6:          m.v6,
 	}

 	m.updateState()
@@ -376,8 +384,13 @@ func (m *aclManager) updateState() {
 	currentState.Lock()
 	defer currentState.Unlock()

-	currentState.ACLEntries = m.entries
-	currentState.ACLIPsetStore = m.ipsetStore
+	if m.v6 {
+		currentState.ACLEntries6 = m.entries
+		currentState.ACLIPsetStore6 = m.ipsetStore
+	} else {
+		currentState.ACLEntries = m.entries
+		currentState.ACLIPsetStore = m.ipsetStore
+	}

 	if err := m.stateManager.UpdateState(currentState); err != nil {
 		log.Errorf("failed to update state: %v", err)
@@ -385,6 +398,15 @@ func (m *aclManager) updateState() {
 }

 // filterRuleSpecs returns the specs of a filtering rule
+// protoForFamily translates ICMP to ICMPv6 for ip6tables.
+// ip6tables requires "ipv6-icmp" (or "icmpv6") instead of "icmp".
+func protoForFamily(protocol firewall.Protocol, v6 bool) string {
+	if v6 && protocol == firewall.ProtocolICMP {
+		return "ipv6-icmp"
+	}
+	return string(protocol)
+}
+
 func filterRuleSpecs(ip net.IP, protocol string, sPort, dPort *firewall.Port, action firewall.Action, ipsetName string) (specs []string) {
 	// don't use IP matching if IP is 0.0.0.0
 	matchByIP := !ip.IsUnspecified()
@@ -437,6 +459,9 @@ func (m *aclManager) createIPSet(name string) error {
 	opts := ipset.CreateOptions{
 		Replace: true,
 	}
+	if m.v6 {
+		opts.Family = ipset.FamilyIPV6
+	}

 	if err := ipset.Create(name, ipset.TypeHashNet, opts); err != nil {
 		return fmt.Errorf("create ipset %s: %w", name, err)
--- a/client/firewall/iptables/manager_linux.go
+++ b/client/firewall/iptables/manager_linux.go
@@ -27,12 +27,18 @@ type Manager struct {
 	aclMgr       *aclManager
 	router       *router
 	rawSupported bool
+
+	// IPv6 counterparts, nil when no v6 overlay
+	ipv6Client *iptables.IPTables
+	aclMgr6    *aclManager
+	router6    *router
 }

 // iFaceMapper defines subset methods of interface required for manager
 type iFaceMapper interface {
 	Name() string
 	Address() wgaddr.Address
+	IsUserspaceBind() bool
 }

 // Create iptables firewall manager
@@ -57,15 +63,46 @@ func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
 		return nil, fmt.Errorf("create acl manager: %w", err)
 	}

+	if wgIface.Address().HasIPv6() {
+		if err := m.createIPv6Components(wgIface, mtu); err != nil {
+			return nil, fmt.Errorf("create IPv6 firewall: %w", err)
+		}
+	}
+
 	return m, nil
 }

+func (m *Manager) createIPv6Components(wgIface iFaceMapper, mtu uint16) error {
+	ip6Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv6)
+	if err != nil {
+		return fmt.Errorf("init ip6tables: %w", err)
+	}
+	m.ipv6Client = ip6Client
+
+	m.router6, err = newRouter(ip6Client, wgIface, mtu)
+	if err != nil {
+		return fmt.Errorf("create v6 router: %w", err)
+	}
+
+	m.aclMgr6, err = newAclManager(ip6Client, wgIface)
+	if err != nil {
+		return fmt.Errorf("create v6 acl manager: %w", err)
+	}
+
+	return nil
+}
+
+func (m *Manager) hasIPv6() bool {
+	return m.ipv6Client != nil
+}
+
 func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	state := &ShutdownState{
 		InterfaceState: &InterfaceState{
-			NameStr:   m.wgIface.Name(),
-			WGAddress: m.wgIface.Address(),
-			MTU:       m.router.mtu,
+			NameStr:       m.wgIface.Name(),
+			WGAddress:     m.wgIface.Address(),
+			UserspaceBind: m.wgIface.IsUserspaceBind(),
+			MTU:           m.router.mtu,
 		},
 	}
 	stateManager.RegisterState(state)
@@ -78,10 +115,36 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	}

 	if err := m.aclMgr.init(stateManager); err != nil {
-		// TODO: cleanup router
+		if err := m.router.Reset(); err != nil {
+			log.Warnf("rollback router after acl init failure: %v", err)
+		}
 		return fmt.Errorf("acl manager init: %w", err)
 	}

+	if m.hasIPv6() {
+		if err := m.router6.init(stateManager); err != nil {
+			if err := m.aclMgr.Reset(); err != nil {
+				log.Warnf("rollback acl after v6 router init failure: %v", err)
+			}
+			if err := m.router.Reset(); err != nil {
+				log.Warnf("rollback router after v6 router init failure: %v", err)
+			}
+			return fmt.Errorf("v6 router init: %w", err)
+		}
+		if err := m.aclMgr6.init(stateManager); err != nil {
+			if err := m.router6.Reset(); err != nil {
+				log.Warnf("rollback v6 router after v6 acl init failure: %v", err)
+			}
+			if err := m.aclMgr.Reset(); err != nil {
+				log.Warnf("rollback acl after v6 acl init failure: %v", err)
+			}
+			if err := m.router.Reset(); err != nil {
+				log.Warnf("rollback router after v6 acl init failure: %v", err)
+			}
+			return fmt.Errorf("v6 acl manager init: %w", err)
+		}
+	}
+
 	if err := m.initNoTrackChain(); err != nil {
 		log.Warnf("raw table not available, notrack rules will be disabled: %v", err)
 	}
@@ -111,7 +174,13 @@ func (m *Manager) AddPeerFiltering(
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.aclMgr.AddPeerFiltering(id, ip, proto, sPort, dPort, action, ipsetName)
+	if ip.To4() != nil {
+		return m.aclMgr.AddPeerFiltering(id, ip, proto, sPort, dPort, action, ipsetName)
+	}
+	if !m.hasIPv6() {
+		return nil, fmt.Errorf("IPv6 not initialized, cannot add rule for %s", ip)
+	}
+	return m.aclMgr6.AddPeerFiltering(id, ip, proto, sPort, dPort, action, ipsetName)
 }

 func (m *Manager) AddRouteFiltering(
@@ -125,25 +194,48 @@ func (m *Manager) AddRouteFiltering(
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if destination.IsPrefix() && !destination.Prefix.Addr().Is4() {
-		return nil, fmt.Errorf("unsupported IP version: %s", destination.Prefix.Addr().String())
+	if isIPv6RouteRule(sources, destination) {
+		if !m.hasIPv6() {
+			return nil, fmt.Errorf("IPv6 not initialized, cannot add route rule")
+		}
+		return m.router6.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
 	}

 	return m.router.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
 }

+func isIPv6RouteRule(sources []netip.Prefix, destination firewall.Network) bool {
+	if destination.IsPrefix() {
+		return destination.Prefix.Addr().Is6()
+	}
+	return len(sources) > 0 && sources[0].Addr().Is6()
+}
+
 // DeletePeerRule from the firewall by rule definition
 func (m *Manager) DeletePeerRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

+	if m.hasIPv6() && isIPv6IptRule(rule) {
+		return m.aclMgr6.DeletePeerRule(rule)
+	}
 	return m.aclMgr.DeletePeerRule(rule)
 }

+func isIPv6IptRule(rule firewall.Rule) bool {
+	r, ok := rule.(*Rule)
+	return ok && r.v6
+}
+
+// DeleteRouteRule deletes a routing rule.
+// Route rules are keyed by content hash. Check v4 first, try v6 if not found.
 func (m *Manager) DeleteRouteRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

+	if m.hasIPv6() && !m.router.hasRule(rule.ID()) {
+		return m.router6.DeleteRouteRule(rule)
+	}
 	return m.router.DeleteRouteRule(rule)
 }

@@ -159,18 +251,63 @@ func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.AddNatRule(pair)
+	if pair.Destination.IsPrefix() && pair.Destination.Prefix.Addr().Is6() {
+		if !m.hasIPv6() {
+			return fmt.Errorf("IPv6 not initialized, cannot add NAT rule")
+		}
+		return m.router6.AddNatRule(pair)
+	}
+
+	if err := m.router.AddNatRule(pair); err != nil {
+		return err
+	}
+
+	// Dynamic routes need NAT in both tables
+	if m.hasIPv6() && pair.Destination.IsSet() {
+		v6Pair := pair
+		v6Pair.Source = firewall.Network{Prefix: netip.PrefixFrom(netip.IPv6Unspecified(), 0)}
+		if err := m.router6.AddNatRule(v6Pair); err != nil {
+			return fmt.Errorf("add v6 NAT rule: %w", err)
+		}
+	}
+
+	return nil
 }

 func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.RemoveNatRule(pair)
+	if pair.Destination.IsPrefix() && pair.Destination.Prefix.Addr().Is6() {
+		if !m.hasIPv6() {
+			return nil
+		}
+		return m.router6.RemoveNatRule(pair)
+	}
+
+	if err := m.router.RemoveNatRule(pair); err != nil {
+		return err
+	}
+
+	if m.hasIPv6() && pair.Destination.IsSet() {
+		v6Pair := pair
+		v6Pair.Source = firewall.Network{Prefix: netip.PrefixFrom(netip.IPv6Unspecified(), 0)}
+		if err := m.router6.RemoveNatRule(v6Pair); err != nil {
+			return fmt.Errorf("remove v6 NAT rule: %w", err)
+		}
+	}
+
+	return nil
 }

 func (m *Manager) SetLegacyManagement(isLegacy bool) error {
-	return firewall.SetLegacyManagement(m.router, isLegacy)
+	if err := firewall.SetLegacyManagement(m.router, isLegacy); err != nil {
+		return err
+	}
+	if m.hasIPv6() {
+		return firewall.SetLegacyManagement(m.router6, isLegacy)
+	}
+	return nil
 }

 // Reset firewall to the default state
@@ -184,6 +321,15 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 		merr = multierror.Append(merr, fmt.Errorf("cleanup notrack chain: %w", err))
 	}

+	if m.hasIPv6() {
+		if err := m.aclMgr6.Reset(); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("reset v6 acl manager: %w", err))
+		}
+		if err := m.router6.Reset(); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("reset v6 router: %w", err))
+		}
+	}
+
 	if err := m.aclMgr.Reset(); err != nil {
 		merr = multierror.Append(merr, fmt.Errorf("reset acl manager: %w", err))
 	}
@@ -201,23 +347,22 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	return nberrors.FormatErrorOrNil(merr)
 }

-// AllowNetbird allows netbird interface traffic.
-// This is called when USPFilter wraps the native firewall, adding blanket accept
-// rules so that packet filtering is handled in userspace instead of by netfilter.
+// AllowNetbird allows netbird interface traffic
 func (m *Manager) AllowNetbird() error {
-	_, err := m.AddPeerFiltering(
-		nil,
-		net.IP{0, 0, 0, 0},
-		firewall.ProtocolALL,
-		nil,
-		nil,
-		firewall.ActionAccept,
-		"",
-	)
-	if err != nil {
-		return fmt.Errorf("allow netbird interface traffic: %w", err)
+	if !m.wgIface.IsUserspaceBind() {
+		return nil
 	}
-	return nil
+
+	var merr *multierror.Error
+	if _, err := m.aclMgr.AddPeerFiltering(nil, net.IP{0, 0, 0, 0}, firewall.ProtocolALL, nil, nil, firewall.ActionAccept, ""); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("allow netbird interface traffic: %w", err))
+	}
+	if m.hasIPv6() {
+		if _, err := m.aclMgr6.AddPeerFiltering(nil, net.IPv6zero, firewall.ProtocolALL, nil, nil, firewall.ActionAccept, ""); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("allow v6 netbird interface traffic: %w", err))
+		}
+	}
+	return nberrors.FormatErrorOrNil(merr)
 }

 // Flush doesn't need to be implemented for this manager
@@ -247,6 +392,9 @@ func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error)
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

+	if m.hasIPv6() && rule.TranslatedAddress.Is6() {
+		return m.router6.AddDNATRule(rule)
+	}
 	return m.router.AddDNATRule(rule)
 }

@@ -255,6 +403,9 @@ func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

+	if m.hasIPv6() && !m.router.hasRule(rule.ID()+dnatSuffix) {
+		return m.router6.DeleteDNATRule(rule)
+	}
 	return m.router.DeleteDNATRule(rule)
 }

@@ -263,7 +414,26 @@ func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.UpdateSet(set, prefixes)
+	var v4Prefixes, v6Prefixes []netip.Prefix
+	for _, p := range prefixes {
+		if p.Addr().Is6() {
+			v6Prefixes = append(v6Prefixes, p)
+		} else {
+			v4Prefixes = append(v4Prefixes, p)
+		}
+	}
+
+	if err := m.router.UpdateSet(set, v4Prefixes); err != nil {
+		return err
+	}
+
+	if m.hasIPv6() && len(v6Prefixes) > 0 {
+		if err := m.router6.UpdateSet(set, v6Prefixes); err != nil {
+			return fmt.Errorf("update v6 set: %w", err)
+		}
+	}
+
+	return nil
 }

 // AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
@@ -271,6 +441,9 @@ func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protoco
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

+	if m.hasIPv6() && localAddr.Is6() {
+		return m.router6.AddInboundDNAT(localAddr, protocol, sourcePort, targetPort)
+	}
 	return m.router.AddInboundDNAT(localAddr, protocol, sourcePort, targetPort)
 }

@@ -279,6 +452,9 @@ func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Prot
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

+	if m.hasIPv6() && localAddr.Is6() {
+		return m.router6.RemoveInboundDNAT(localAddr, protocol, sourcePort, targetPort)
+	}
 	return m.router.RemoveInboundDNAT(localAddr, protocol, sourcePort, targetPort)
 }

--- a/client/firewall/iptables/manager_linux_test.go
+++ b/client/firewall/iptables/manager_linux_test.go
@@ -47,6 +47,8 @@ func (i *iFaceMock) Address() wgaddr.Address {
 	panic("AddressFunc is not set")
 }

+func (i *iFaceMock) IsUserspaceBind() bool { return false }
+
 func TestIptablesManager(t *testing.T) {
 	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	require.NoError(t, err)
--- a/client/firewall/iptables/router_linux.go
+++ b/client/firewall/iptables/router_linux.go
@@ -52,8 +52,10 @@ const (
 	snatSuffix = "_snat"
 	fwdSuffix  = "_fwd"

-	// ipTCPHeaderMinSize represents minimum IP (20) + TCP (20) header size for MSS calculation
-	ipTCPHeaderMinSize = 40
+	// ipv4TCPHeaderSize is the minimum IPv4 (20) + TCP (20) header size for MSS calculation.
+	ipv4TCPHeaderSize = 40
+	// ipv6TCPHeaderSize is the minimum IPv6 (40) + TCP (20) header size for MSS calculation.
+	ipv6TCPHeaderSize = 60
 )

 type ruleInfo struct {
@@ -84,6 +86,7 @@ type router struct {
 	wgIface          iFaceMapper
 	legacyManagement bool
 	mtu              uint16
+	v6               bool

 	stateManager *statemanager.Manager
 	ipFwdState   *ipfwdstate.IPForwardingState
@@ -95,6 +98,7 @@ func newRouter(iptablesClient *iptables.IPTables, wgIface iFaceMapper, mtu uint1
 		rules:          make(map[string][]string),
 		wgIface:        wgIface,
 		mtu:            mtu,
+		v6:             iptablesClient.Proto() == iptables.ProtocolIPv6,
 		ipFwdState:     ipfwdstate.NewIPForwardingState(),
 	}

@@ -184,6 +188,11 @@ func (r *router) AddRouteFiltering(
 	return ruleKey, nil
 }

+func (r *router) hasRule(id string) bool {
+	_, ok := r.rules[id]
+	return ok
+}
+
 func (r *router) DeleteRouteRule(rule firewall.Rule) error {
 	ruleKey := rule.ID()

@@ -423,6 +432,12 @@ func (r *router) createContainers() error {
 		{chainRTRDR, tableNat},
 		{chainRTMSSCLAMP, tableMangle},
 	} {
+		// Fallback: clear chains that survived an unclean shutdown.
+		if ok, _ := r.iptablesClient.ChainExists(chainInfo.table, chainInfo.chain); ok {
+			if err := r.iptablesClient.ClearAndDeleteChain(chainInfo.table, chainInfo.chain); err != nil {
+				log.Warnf("clear stale chain %s in %s: %v", chainInfo.chain, chainInfo.table, err)
+			}
+		}
 		if err := r.iptablesClient.NewChain(chainInfo.table, chainInfo.chain); err != nil {
 			return fmt.Errorf("create chain %s in table %s: %w", chainInfo.chain, chainInfo.table, err)
 		}
@@ -529,9 +544,12 @@ func (r *router) addPostroutingRules() error {
 }

 // addMSSClampingRules adds MSS clamping rules to prevent fragmentation for forwarded traffic.
-// TODO: Add IPv6 support
 func (r *router) addMSSClampingRules() error {
-	mss := r.mtu - ipTCPHeaderMinSize
+	overhead := uint16(ipv4TCPHeaderSize)
+	if r.v6 {
+		overhead = ipv6TCPHeaderSize
+	}
+	mss := r.mtu - overhead

 	// Add jump rule from FORWARD chain in mangle table to our custom chain
 	jumpRule := []string{
@@ -716,8 +734,13 @@ func (r *router) updateState() {
 	currentState.Lock()
 	defer currentState.Unlock()

-	currentState.RouteRules = r.rules
-	currentState.RouteIPsetCounter = r.ipsetCounter
+	if r.v6 {
+		currentState.RouteRules6 = r.rules
+		currentState.RouteIPsetCounter6 = r.ipsetCounter
+	} else {
+		currentState.RouteRules = r.rules
+		currentState.RouteIPsetCounter = r.ipsetCounter
+	}

 	if err := r.stateManager.UpdateState(currentState); err != nil {
 		log.Errorf("failed to update state: %v", err)
@@ -845,7 +868,7 @@ func (r *router) DeleteDNATRule(rule firewall.Rule) error {
 	}

 	if fwdRule, exists := r.rules[ruleKey+fwdSuffix]; exists {
-		if err := r.iptablesClient.Delete(tableFilter, chainRTFWDIN, fwdRule...); err != nil {
+		if err := r.iptablesClient.Delete(tableFilter, chainRTFWDOUT, fwdRule...); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("delete forward rule: %w", err))
 		}
 		delete(r.rules, ruleKey+fwdSuffix)
@@ -872,7 +895,7 @@ func (r *router) genRouteRuleSpec(params routeFilteringRuleParams, sources []net
 	rule = append(rule, destExp...)

 	if params.Proto != firewall.ProtocolALL {
-		rule = append(rule, "-p", strings.ToLower(string(params.Proto)))
+		rule = append(rule, "-p", strings.ToLower(protoForFamily(params.Proto, r.v6)))
 		rule = append(rule, applyPort("--sport", params.SPort)...)
 		rule = append(rule, applyPort("--dport", params.DPort)...)
 	}
@@ -889,11 +912,12 @@ func (r *router) applyNetwork(flag string, network firewall.Network, prefixes []
 	}

 	if network.IsSet() {
-		if _, err := r.ipsetCounter.Increment(network.Set.HashedName(), prefixes); err != nil {
+		name := r.ipsetName(network.Set.HashedName())
+		if _, err := r.ipsetCounter.Increment(name, prefixes); err != nil {
 			return nil, fmt.Errorf("create or get ipset: %w", err)
 		}

-		return []string{"-m", "set", matchSet, network.Set.HashedName(), direction}, nil
+		return []string{"-m", "set", matchSet, name, direction}, nil
 	}
 	if network.IsPrefix() {
 		return []string{flag, network.Prefix.String()}, nil
@@ -904,19 +928,15 @@ func (r *router) applyNetwork(flag string, network firewall.Network, prefixes []
 }

 func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
+	name := r.ipsetName(set.HashedName())
 	var merr *multierror.Error
 	for _, prefix := range prefixes {
-		// TODO: Implement IPv6 support
-		if prefix.Addr().Is6() {
-			log.Tracef("skipping IPv6 prefix %s: IPv6 support not yet implemented", prefix)
-			continue
-		}
-		if err := r.addPrefixToIPSet(set.HashedName(), prefix); err != nil {
+		if err := r.addPrefixToIPSet(name, prefix); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("add prefix to ipset: %w", err))
 		}
 	}
 	if merr == nil {
-		log.Debugf("updated set %s with prefixes %v", set.HashedName(), prefixes)
+		log.Debugf("updated set %s with prefixes %v", name, prefixes)
 	}

 	return nberrors.FormatErrorOrNil(merr)
@@ -932,7 +952,7 @@ func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol

 	dnatRule := []string{
 		"-i", r.wgIface.Name(),
-		"-p", strings.ToLower(string(protocol)),
+		"-p", strings.ToLower(protoForFamily(protocol, r.v6)),
 		"--dport", strconv.Itoa(int(sourcePort)),
 		"-d", localAddr.String(),
 		"-m", "addrtype", "--dst-type", "LOCAL",
@@ -990,10 +1010,22 @@ func applyPort(flag string, port *firewall.Port) []string {
 	return []string{flag, strconv.Itoa(int(port.Values[0]))}
 }

+// ipsetName returns the ipset name, suffixed with "-v6" for the v6 router
+// to avoid collisions since ipsets are global in the kernel.
+func (r *router) ipsetName(name string) string {
+	if r.v6 {
+		return name + "-v6"
+	}
+	return name
+}
+
 func (r *router) createIPSet(name string) error {
 	opts := ipset.CreateOptions{
 		Replace: true,
 	}
+	if r.v6 {
+		opts.Family = ipset.FamilyIPV6
+	}

 	if err := ipset.Create(name, ipset.TypeHashNet, opts); err != nil {
 		return fmt.Errorf("create ipset %s: %w", name, err)
--- a/client/firewall/iptables/rule.go
+++ b/client/firewall/iptables/rule.go
@@ -9,6 +9,7 @@ type Rule struct {
 	mangleSpecs []string
 	ip          string
 	chain       string
+	v6          bool
 }

 // GetRuleID returns the rule id
--- a/client/firewall/iptables/state_linux.go
+++ b/client/firewall/iptables/state_linux.go
@@ -4,14 +4,17 @@ import (
 	"fmt"
 	"sync"

+	log "github.com/sirupsen/logrus"
+
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )

 type InterfaceState struct {
-	NameStr   string         `json:"name"`
-	WGAddress wgaddr.Address `json:"wg_address"`
-	MTU       uint16         `json:"mtu"`
+	NameStr       string         `json:"name"`
+	WGAddress     wgaddr.Address `json:"wg_address"`
+	UserspaceBind bool           `json:"userspace_bind"`
+	MTU           uint16         `json:"mtu"`
 }

 func (i *InterfaceState) Name() string {
@@ -22,6 +25,10 @@ func (i *InterfaceState) Address() wgaddr.Address {
 	return i.WGAddress
 }

+func (i *InterfaceState) IsUserspaceBind() bool {
+	return i.UserspaceBind
+}
+
 type ShutdownState struct {
 	sync.Mutex

@@ -32,6 +39,12 @@ type ShutdownState struct {

 	ACLEntries    aclEntries  `json:"acl_entries,omitempty"`
 	ACLIPsetStore *ipsetStore `json:"acl_ipset_store,omitempty"`
+
+	// IPv6 counterparts
+	RouteRules6        routeRules    `json:"route_rules_v6,omitempty"`
+	RouteIPsetCounter6 *ipsetCounter `json:"route_ipset_counter_v6,omitempty"`
+	ACLEntries6        aclEntries    `json:"acl_entries_v6,omitempty"`
+	ACLIPsetStore6     *ipsetStore   `json:"acl_ipset_store_v6,omitempty"`
 }

 func (s *ShutdownState) Name() string {
@@ -62,6 +75,28 @@ func (s *ShutdownState) Cleanup() error {
 		ipt.aclMgr.ipsetStore = s.ACLIPsetStore
 	}

+	// Clean up v6 state even if the current run has no IPv6.
+	// The previous run may have left ip6tables rules behind.
+	if !ipt.hasIPv6() {
+		if err := ipt.createIPv6Components(s.InterfaceState, mtu); err != nil {
+			log.Warnf("failed to create v6 components for cleanup: %v", err)
+		}
+	}
+	if ipt.hasIPv6() {
+		if s.RouteRules6 != nil {
+			ipt.router6.rules = s.RouteRules6
+		}
+		if s.RouteIPsetCounter6 != nil {
+			ipt.router6.ipsetCounter.LoadData(s.RouteIPsetCounter6)
+		}
+		if s.ACLEntries6 != nil {
+			ipt.aclMgr6.entries = s.ACLEntries6
+		}
+		if s.ACLIPsetStore6 != nil {
+			ipt.aclMgr6.ipsetStore = s.ACLIPsetStore6
+		}
+	}
+
 	if err := ipt.Close(nil); err != nil {
 		return fmt.Errorf("reset iptables manager: %w", err)
 	}
--- a/client/firewall/nftables/acl_linux.go
+++ b/client/firewall/nftables/acl_linux.go
@@ -33,15 +33,12 @@ const (

 const flushError = "flush: %w"

-var (
-	anyIP = []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
-)
-
 type AclManager struct {
 	rConn              *nftables.Conn
 	sConn              *nftables.Conn
 	wgIface            iFaceMapper
 	routingFwChainName string
+	af                 addrFamily

 	workTable       *nftables.Table
 	chainInputRules *nftables.Chain
@@ -67,6 +64,7 @@ func newAclManager(table *nftables.Table, wgIface iFaceMapper, routingFwChainNam
 		wgIface:            wgIface,
 		workTable:          table,
 		routingFwChainName: routingFwChainName,
+		af:                 familyForAddr(table.Family == nftables.TableFamilyIPv4),

 		ipsetStore: newIpsetStore(),
 		rules:      make(map[string]*Rule),
@@ -145,7 +143,7 @@ func (m *AclManager) DeletePeerRule(rule firewall.Rule) error {
 	}

 	if _, ok := ips[r.ip.String()]; ok {
-		err := m.sConn.SetDeleteElements(r.nftSet, []nftables.SetElement{{Key: r.ip.To4()}})
+		err := m.sConn.SetDeleteElements(r.nftSet, []nftables.SetElement{{Key: ipToBytes(r.ip, m.af)}})
 		if err != nil {
 			log.Errorf("delete elements for set %q: %v", r.nftSet.Name, err)
 		}
@@ -254,11 +252,11 @@ func (m *AclManager) addIOFiltering(
 		expressions = append(expressions, &expr.Payload{
 			DestRegister: 1,
 			Base:         expr.PayloadBaseNetworkHeader,
-			Offset:       uint32(9),
+			Offset:       m.af.protoOffset,
 			Len:          uint32(1),
 		})

-		protoData, err := protoToInt(proto)
+		protoData, err := m.af.protoNum(proto)
 		if err != nil {
 			return nil, fmt.Errorf("convert protocol to number: %v", err)
 		}
@@ -270,19 +268,16 @@ func (m *AclManager) addIOFiltering(
 		})
 	}

-	rawIP := ip.To4()
+	rawIP := ipToBytes(ip, m.af)
 	// check if rawIP contains zeroed IPv4 0.0.0.0 value
 	// in that case not add IP match expression into the rule definition
-	if !bytes.HasPrefix(anyIP, rawIP) {
-		// source address position
-		addrOffset := uint32(12)
-
+	if slices.ContainsFunc(rawIP, func(v byte) bool { return v != 0 }) {
 		expressions = append(expressions,
 			&expr.Payload{
 				DestRegister: 1,
 				Base:         expr.PayloadBaseNetworkHeader,
-				Offset:       addrOffset,
-				Len:          4,
+				Offset:       m.af.srcAddrOffset,
+				Len:          m.af.addrLen,
 			},
 		)
 		// add individual IP for match if no ipset defined
@@ -587,7 +582,7 @@ func (m *AclManager) addJumpRule(chain *nftables.Chain, to string, ifaceKey expr

 func (m *AclManager) addIpToSet(ipsetName string, ip net.IP) (*nftables.Set, error) {
 	ipset, err := m.rConn.GetSetByName(m.workTable, ipsetName)
-	rawIP := ip.To4()
+	rawIP := ipToBytes(ip, m.af)
 	if err != nil {
 		if ipset, err = m.createSet(m.workTable, ipsetName); err != nil {
 			return nil, fmt.Errorf("get set name: %v", err)
@@ -619,7 +614,7 @@ func (m *AclManager) createSet(table *nftables.Table, name string) (*nftables.Se
 		Name:    name,
 		Table:   table,
 		Dynamic: true,
-		KeyType: nftables.TypeIPAddr,
+		KeyType: m.af.setKeyType,
 	}

 	if err := m.rConn.AddSet(ipset, nil); err != nil {
@@ -707,15 +702,12 @@ func ifname(n string) []byte {
 	return b
 }

-func protoToInt(protocol firewall.Protocol) (uint8, error) {
-	switch protocol {
-	case firewall.ProtocolTCP:
-		return unix.IPPROTO_TCP, nil
-	case firewall.ProtocolUDP:
-		return unix.IPPROTO_UDP, nil
-	case firewall.ProtocolICMP:
-		return unix.IPPROTO_ICMP, nil
-	}

-	return 0, fmt.Errorf("unsupported protocol: %s", protocol)
+// ipToBytes converts net.IP to the correct byte length for the address family.
+func ipToBytes(ip net.IP, af addrFamily) []byte {
+	if af.addrLen == 4 {
+		return ip.To4()
+	}
+	return ip.To16()
 }
+
--- a/client/firewall/nftables/addr_family_linux.go
+++ b/client/firewall/nftables/addr_family_linux.go
@@ -0,0 +1,81 @@
+package nftables
+
+import (
+	"fmt"
+	"net"
+
+	"github.com/google/nftables"
+	"golang.org/x/sys/unix"
+
+	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+)
+
+// addrFamily holds protocol-specific constants for nftables expression building.
+type addrFamily struct {
+	// protoOffset is the IP header offset for the protocol/next-header field (9 for v4, 6 for v6)
+	protoOffset uint32
+	// srcAddrOffset is the IP header offset for the source address (12 for v4, 8 for v6)
+	srcAddrOffset uint32
+	// dstAddrOffset is the IP header offset for the destination address (16 for v4, 24 for v6)
+	dstAddrOffset uint32
+	// addrLen is the byte length of addresses (4 for v4, 16 for v6)
+	addrLen uint32
+	// totalBits is the address size in bits (32 for v4, 128 for v6)
+	totalBits int
+	// setKeyType is the nftables set data type for addresses
+	setKeyType nftables.SetDatatype
+	// tableFamily is the nftables table family
+	tableFamily nftables.TableFamily
+	// icmpProto is the ICMP protocol number for this family (1 for v4, 58 for v6)
+	icmpProto uint8
+}
+
+var (
+	// afIPv4 defines IPv4 header layout and nftables types.
+	afIPv4 = addrFamily{
+		protoOffset:   9,
+		srcAddrOffset: 12,
+		dstAddrOffset: 16,
+		addrLen:       net.IPv4len,
+		totalBits:     8 * net.IPv4len,
+		setKeyType:    nftables.TypeIPAddr,
+		tableFamily:   nftables.TableFamilyIPv4,
+		icmpProto:     unix.IPPROTO_ICMP,
+	}
+	// afIPv6 defines IPv6 header layout and nftables types.
+	afIPv6 = addrFamily{
+		protoOffset:   6,
+		srcAddrOffset: 8,
+		dstAddrOffset: 24,
+		addrLen:       net.IPv6len,
+		totalBits:     8 * net.IPv6len,
+		setKeyType:    nftables.TypeIP6Addr,
+		tableFamily:   nftables.TableFamilyIPv6,
+		icmpProto:     unix.IPPROTO_ICMPV6,
+	}
+)
+
+// familyForAddr returns the address family for the given IP.
+func familyForAddr(is4 bool) addrFamily {
+	if is4 {
+		return afIPv4
+	}
+	return afIPv6
+}
+
+// protoNum converts a firewall protocol to the IP protocol number,
+// using the correct ICMP variant for the address family.
+func (af addrFamily) protoNum(protocol firewall.Protocol) (uint8, error) {
+	switch protocol {
+	case firewall.ProtocolTCP:
+		return unix.IPPROTO_TCP, nil
+	case firewall.ProtocolUDP:
+		return unix.IPPROTO_UDP, nil
+	case firewall.ProtocolICMP:
+		return af.icmpProto, nil
+	case firewall.ProtocolALL:
+		return 0, nil
+	default:
+		return 0, fmt.Errorf("unsupported protocol: %s", protocol)
+	}
+}
--- a/client/firewall/nftables/manager_linux.go
+++ b/client/firewall/nftables/manager_linux.go
@@ -11,9 +11,11 @@ import (
 	"github.com/google/nftables"
 	"github.com/google/nftables/binaryutil"
 	"github.com/google/nftables/expr"
+	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"

+	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
@@ -40,6 +42,7 @@ func getTableName() string {
 type iFaceMapper interface {
 	Name() string
 	Address() wgaddr.Address
+	IsUserspaceBind() bool
 }

 // Manager of iptables firewall
@@ -48,8 +51,13 @@ type Manager struct {
 	rConn   *nftables.Conn
 	wgIface iFaceMapper

-	router                 *router
-	aclManager             *AclManager
+	router     *router
+	aclManager *AclManager
+
+	// IPv6 counterparts, nil when no v6 overlay
+	router6     *router
+	aclManager6 *AclManager
+
 	notrackOutputChain     *nftables.Chain
 	notrackPreroutingChain *nftables.Chain
 }
@@ -61,7 +69,8 @@ func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
 		wgIface: wgIface,
 	}

-	workTable := &nftables.Table{Name: getTableName(), Family: nftables.TableFamilyIPv4}
+	tableName := getTableName()
+	workTable := &nftables.Table{Name: tableName, Family: nftables.TableFamilyIPv4}

 	var err error
 	m.router, err = newRouter(workTable, wgIface, mtu)
@@ -74,11 +83,66 @@ func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
 		return nil, fmt.Errorf("create acl manager: %w", err)
 	}

+	if wgIface.Address().HasIPv6() {
+		if err := m.createIPv6Components(tableName, wgIface, mtu); err != nil {
+			return nil, fmt.Errorf("create IPv6 firewall: %w", err)
+		}
+	}
+
 	return m, nil
 }

+func (m *Manager) createIPv6Components(tableName string, wgIface iFaceMapper, mtu uint16) error {
+	workTable6 := &nftables.Table{Name: tableName, Family: nftables.TableFamilyIPv6}
+
+	var err error
+	m.router6, err = newRouter(workTable6, wgIface, mtu)
+	if err != nil {
+		return fmt.Errorf("create v6 router: %w", err)
+	}
+
+	m.aclManager6, err = newAclManager(workTable6, wgIface, chainNameRoutingFw)
+	if err != nil {
+		return fmt.Errorf("create v6 acl manager: %w", err)
+	}
+
+	return nil
+}
+
+// hasIPv6 reports whether the manager has IPv6 components initialized.
+func (m *Manager) hasIPv6() bool {
+	return m.router6 != nil
+}
+
+func (m *Manager) initIPv6() error {
+	workTable6, err := m.createWorkTableFamily(nftables.TableFamilyIPv6)
+	if err != nil {
+		return fmt.Errorf("create v6 work table: %w", err)
+	}
+
+	if err := m.router6.init(workTable6); err != nil {
+		return fmt.Errorf("v6 router init: %w", err)
+	}
+
+	if err := m.aclManager6.init(workTable6); err != nil {
+		return fmt.Errorf("v6 acl manager init: %w", err)
+	}
+
+	return nil
+}
+
 // Init nftables firewall manager
 func (m *Manager) Init(stateManager *statemanager.Manager) error {
+	if err := m.initFirewall(); err != nil {
+		return err
+	}
+
+	m.persistState(stateManager)
+
+	return nil
+}
+
+func (m *Manager) initFirewall() error {
 	workTable, err := m.createWorkTable()
 	if err != nil {
 		return fmt.Errorf("create work table: %w", err)
@@ -89,38 +153,61 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	}

 	if err := m.aclManager.init(workTable); err != nil {
-		// TODO: cleanup router
+		m.rollbackInit()
 		return fmt.Errorf("acl manager init: %w", err)
 	}

+	if m.hasIPv6() {
+		if err := m.initIPv6(); err != nil {
+			// Peer has a v6 address: v6 firewall MUST work or we risk fail-open.
+			m.rollbackInit()
+			return fmt.Errorf("init IPv6 firewall (required because peer has IPv6 address): %w", err)
+		}
+	}
+
 	if err := m.initNoTrackChains(workTable); err != nil {
 		log.Warnf("raw priority chains not available, notrack rules will be disabled: %v", err)
 	}

+	return nil
+}
+
+// persistState saves the current interface state for potential recreation on restart.
+// Unlike iptables, which requires tracking individual rules, nftables maintains
+// a known state (our netbird table plus a few static rules). This allows for easy
+// cleanup using Close() without needing to store specific rules.
+func (m *Manager) persistState(stateManager *statemanager.Manager) {
 	stateManager.RegisterState(&ShutdownState{})

-	// We only need to record minimal interface state for potential recreation.
-	// Unlike iptables, which requires tracking individual rules, nftables maintains
-	// a known state (our netbird table plus a few static rules). This allows for easy
-	// cleanup using Close() without needing to store specific rules.
 	if err := stateManager.UpdateState(&ShutdownState{
 		InterfaceState: &InterfaceState{
-			NameStr:   m.wgIface.Name(),
-			WGAddress: m.wgIface.Address(),
-			MTU:       m.router.mtu,
+			NameStr:       m.wgIface.Name(),
+			WGAddress:     m.wgIface.Address(),
+			UserspaceBind: m.wgIface.IsUserspaceBind(),
+			MTU:           m.router.mtu,
 		},
 	}); err != nil {
 		log.Errorf("failed to update state: %v", err)
 	}

-	// persist early
 	go func() {
 		if err := stateManager.PersistState(context.Background()); err != nil {
 			log.Errorf("failed to persist state: %v", err)
 		}
 	}()
+}

-	return nil
+// rollbackInit performs best-effort cleanup of already-initialized state when Init fails partway through.
+func (m *Manager) rollbackInit() {
+	if err := m.router.Reset(); err != nil {
+		log.Warnf("rollback router: %v", err)
+	}
+	if err := m.cleanupNetbirdTables(); err != nil {
+		log.Warnf("cleanup tables: %v", err)
+	}
+	if err := m.rConn.Flush(); err != nil {
+		log.Warnf("flush: %v", err)
+	}
 }

 // AddPeerFiltering rule to the firewall
@@ -139,12 +226,14 @@ func (m *Manager) AddPeerFiltering(
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	rawIP := ip.To4()
-	if rawIP == nil {
-		return nil, fmt.Errorf("unsupported IP version: %s", ip.String())
+	if ip.To4() != nil {
+		return m.aclManager.AddPeerFiltering(id, ip, proto, sPort, dPort, action, ipsetName)
 	}

-	return m.aclManager.AddPeerFiltering(id, ip, proto, sPort, dPort, action, ipsetName)
+	if !m.hasIPv6() {
+		return nil, fmt.Errorf("IPv6 not initialized, cannot add rule for %s", ip)
+	}
+	return m.aclManager6.AddPeerFiltering(id, ip, proto, sPort, dPort, action, ipsetName)
 }

 func (m *Manager) AddRouteFiltering(
@@ -158,8 +247,11 @@ func (m *Manager) AddRouteFiltering(
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if destination.IsPrefix() && !destination.Prefix.Addr().Is4() {
-		return nil, fmt.Errorf("unsupported IP version: %s", destination.Prefix.Addr().String())
+	if isIPv6RouteRule(sources, destination) {
+		if !m.hasIPv6() {
+			return nil, fmt.Errorf("IPv6 not initialized, cannot add route rule")
+		}
+		return m.router6.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
 	}

 	return m.router.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
@@ -170,14 +262,38 @@ func (m *Manager) DeletePeerRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

+	if m.hasIPv6() && isIPv6Rule(rule) {
+		return m.aclManager6.DeletePeerRule(rule)
+	}
 	return m.aclManager.DeletePeerRule(rule)
 }

-// DeleteRouteRule deletes a routing rule
+func isIPv6Rule(rule firewall.Rule) bool {
+	r, ok := rule.(*Rule)
+	return ok && r.nftRule != nil && r.nftRule.Table != nil && r.nftRule.Table.Family == nftables.TableFamilyIPv6
+}
+
+// isIPv6RouteRule determines whether a route rule belongs to the v6 table.
+// For static routes, the destination prefix determines the family. For dynamic
+// routes (DomainSet), the sources determine the family since management
+// duplicates dynamic rules per family.
+func isIPv6RouteRule(sources []netip.Prefix, destination firewall.Network) bool {
+	if destination.IsPrefix() {
+		return destination.Prefix.Addr().Is6()
+	}
+	return len(sources) > 0 && sources[0].Addr().Is6()
+}
+
+// DeleteRouteRule deletes a routing rule.
+// Route rules are keyed by content hash, so the rule exists in exactly one
+// router. We check v4 first; if the key isn't there, try v6.
 func (m *Manager) DeleteRouteRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

+	if m.hasIPv6() && !m.router.hasRule(rule.ID()) {
+		return m.router6.DeleteRouteRule(rule)
+	}
 	return m.router.DeleteRouteRule(rule)
 }

@@ -193,26 +309,79 @@ func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.AddNatRule(pair)
+	if pair.Destination.IsPrefix() && pair.Destination.Prefix.Addr().Is6() {
+		if !m.hasIPv6() {
+			return fmt.Errorf("IPv6 not initialized, cannot add NAT rule")
+		}
+		return m.router6.AddNatRule(pair)
+	}
+
+	if err := m.router.AddNatRule(pair); err != nil {
+		return err
+	}
+
+	// Dynamic routes (DomainSet) need NAT in both tables since resolved IPs
+	// can be either v4 or v6.
+	if m.hasIPv6() && pair.Destination.IsSet() {
+		v6Pair := pair
+		v6Pair.Source = firewall.Network{Prefix: netip.PrefixFrom(netip.IPv6Unspecified(), 0)}
+		if err := m.router6.AddNatRule(v6Pair); err != nil {
+			return fmt.Errorf("add v6 NAT rule: %w", err)
+		}
+	}
+
+	return nil
 }

 func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.RemoveNatRule(pair)
+	if pair.Destination.IsPrefix() && pair.Destination.Prefix.Addr().Is6() {
+		if !m.hasIPv6() {
+			return nil
+		}
+		return m.router6.RemoveNatRule(pair)
+	}
+
+	if err := m.router.RemoveNatRule(pair); err != nil {
+		return err
+	}
+
+	if m.hasIPv6() && pair.Destination.IsSet() {
+		v6Pair := pair
+		v6Pair.Source = firewall.Network{Prefix: netip.PrefixFrom(netip.IPv6Unspecified(), 0)}
+		if err := m.router6.RemoveNatRule(v6Pair); err != nil {
+			return fmt.Errorf("remove v6 NAT rule: %w", err)
+		}
+	}
+
+	return nil
 }

 // AllowNetbird allows netbird interface traffic.
-// This is called when USPFilter wraps the native firewall, adding blanket accept
-// rules so that packet filtering is handled in userspace instead of by netfilter.
+// TODO: In USP mode this only adds ACCEPT to the netbird table's own chains,
+// which doesn't override DROP rules in external tables (e.g. firewalld).
+// Should add passthrough rules to external chains (like the native mode router's
+// addExternalChainsRules does) for both the netbird table family and inet tables.
+// The netbird table itself is fine (routing chains already exist there), but
+// non-netbird tables with INPUT/FORWARD hooks can still DROP our WG traffic.
 func (m *Manager) AllowNetbird() error {
+	if !m.wgIface.IsUserspaceBind() {
+		return nil
+	}
+
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

 	if err := m.aclManager.createDefaultAllowRules(); err != nil {
 		return fmt.Errorf("create default allow rules: %w", err)
 	}
+	if m.hasIPv6() {
+		if err := m.aclManager6.createDefaultAllowRules(); err != nil {
+			return fmt.Errorf("create v6 default allow rules: %w", err)
+		}
+	}
 	if err := m.rConn.Flush(); err != nil {
 		return fmt.Errorf("flush allow input netbird rules: %w", err)
 	}
@@ -222,7 +391,13 @@ func (m *Manager) AllowNetbird() error {

 // SetLegacyManagement sets the route manager to use legacy management
 func (m *Manager) SetLegacyManagement(isLegacy bool) error {
-	return firewall.SetLegacyManagement(m.router, isLegacy)
+	if err := firewall.SetLegacyManagement(m.router, isLegacy); err != nil {
+		return err
+	}
+	if m.hasIPv6() {
+		return firewall.SetLegacyManagement(m.router6, isLegacy)
+	}
+	return nil
 }

 // Close closes the firewall manager
@@ -230,23 +405,31 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

+	var merr *multierror.Error
+
 	if err := m.router.Reset(); err != nil {
-		return fmt.Errorf("reset router: %v", err)
+		merr = multierror.Append(merr, fmt.Errorf("reset router: %v", err))
+	}
+
+	if m.hasIPv6() {
+		if err := m.router6.Reset(); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("reset v6 router: %v", err))
+		}
 	}

 	if err := m.cleanupNetbirdTables(); err != nil {
-		return fmt.Errorf("cleanup netbird tables: %v", err)
+		merr = multierror.Append(merr, fmt.Errorf("cleanup netbird tables: %v", err))
 	}

 	if err := m.rConn.Flush(); err != nil {
-		return fmt.Errorf(flushError, err)
+		merr = multierror.Append(merr, fmt.Errorf(flushError, err))
 	}

 	if err := stateManager.DeleteState(&ShutdownState{}); err != nil {
-		return fmt.Errorf("delete state: %v", err)
+		merr = multierror.Append(merr, fmt.Errorf("delete state: %v", err))
 	}

-	return nil
+	return nberrors.FormatErrorOrNil(merr)
 }

 func (m *Manager) cleanupNetbirdTables() error {
@@ -295,6 +478,12 @@ func (m *Manager) Flush() error {
 		return err
 	}

+	if m.hasIPv6() {
+		if err := m.aclManager6.Flush(); err != nil {
+			return fmt.Errorf("flush v6 acl: %w", err)
+		}
+	}
+
 	if err := m.refreshNoTrackChains(); err != nil {
 		log.Errorf("failed to refresh notrack chains: %v", err)
 	}
@@ -307,6 +496,9 @@ func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error)
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

+	if m.hasIPv6() && rule.TranslatedAddress.Is6() {
+		return m.router6.AddDNATRule(rule)
+	}
 	return m.router.AddDNATRule(rule)
 }

@@ -315,6 +507,9 @@ func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

+	if m.hasIPv6() && !m.router.hasDNATRule(rule.ID()) {
+		return m.router6.DeleteDNATRule(rule)
+	}
 	return m.router.DeleteDNATRule(rule)
 }

@@ -323,7 +518,26 @@ func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.UpdateSet(set, prefixes)
+	var v4Prefixes, v6Prefixes []netip.Prefix
+	for _, p := range prefixes {
+		if p.Addr().Is6() {
+			v6Prefixes = append(v6Prefixes, p)
+		} else {
+			v4Prefixes = append(v4Prefixes, p)
+		}
+	}
+
+	if err := m.router.UpdateSet(set, v4Prefixes); err != nil {
+		return err
+	}
+
+	if m.hasIPv6() && len(v6Prefixes) > 0 {
+		if err := m.router6.UpdateSet(set, v6Prefixes); err != nil {
+			return fmt.Errorf("update v6 set: %w", err)
+		}
+	}
+
+	return nil
 }

 // AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
@@ -331,6 +545,9 @@ func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protoco
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

+	if m.hasIPv6() && localAddr.Is6() {
+		return m.router6.AddInboundDNAT(localAddr, protocol, sourcePort, targetPort)
+	}
 	return m.router.AddInboundDNAT(localAddr, protocol, sourcePort, targetPort)
 }

@@ -339,6 +556,9 @@ func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Prot
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

+	if m.hasIPv6() && localAddr.Is6() {
+		return m.router6.RemoveInboundDNAT(localAddr, protocol, sourcePort, targetPort)
+	}
 	return m.router.RemoveInboundDNAT(localAddr, protocol, sourcePort, targetPort)
 }

@@ -513,7 +733,11 @@ func (m *Manager) refreshNoTrackChains() error {
 }

 func (m *Manager) createWorkTable() (*nftables.Table, error) {
-	tables, err := m.rConn.ListTablesOfFamily(nftables.TableFamilyIPv4)
+	return m.createWorkTableFamily(nftables.TableFamilyIPv4)
+}
+
+func (m *Manager) createWorkTableFamily(family nftables.TableFamily) (*nftables.Table, error) {
+	tables, err := m.rConn.ListTablesOfFamily(family)
 	if err != nil {
 		return nil, fmt.Errorf("list of tables: %w", err)
 	}
@@ -525,7 +749,7 @@ func (m *Manager) createWorkTable() (*nftables.Table, error) {
 		}
 	}

-	table := m.rConn.AddTable(&nftables.Table{Name: getTableName(), Family: nftables.TableFamilyIPv4})
+	table := m.rConn.AddTable(&nftables.Table{Name: tableName, Family: family})
 	err = m.rConn.Flush()
 	return table, err
 }
--- a/client/firewall/nftables/manager_linux_test.go
+++ b/client/firewall/nftables/manager_linux_test.go
@@ -52,6 +52,8 @@ func (i *iFaceMock) Address() wgaddr.Address {
 	panic("AddressFunc is not set")
 }

+func (i *iFaceMock) IsUserspaceBind() bool { return false }
+
 func TestNftablesManager(t *testing.T) {

 	// just check on the local interface
@@ -383,10 +385,134 @@ func TestNftablesManagerCompatibilityWithIptables(t *testing.T) {
 	err = manager.AddNatRule(pair)
 	require.NoError(t, err, "failed to add NAT rule")

+	dnatRule, err := manager.AddDNATRule(fw.ForwardRule{
+		Protocol:          fw.ProtocolTCP,
+		DestinationPort:   fw.Port{Values: []uint16{8080}},
+		TranslatedAddress: netip.MustParseAddr("100.96.0.2"),
+		TranslatedPort:    fw.Port{Values: []uint16{80}},
+	})
+	require.NoError(t, err, "failed to add DNAT rule")
+
+	t.Cleanup(func() {
+		require.NoError(t, manager.DeleteDNATRule(dnatRule), "failed to delete DNAT rule")
+	})
+
 	stdout, stderr = runIptablesSave(t)
 	verifyIptablesOutput(t, stdout, stderr)
 }

+func TestNftablesManagerIPv6CompatibilityWithIp6tables(t *testing.T) {
+	if check() != NFTABLES {
+		t.Skip("nftables not supported on this system")
+	}
+
+	for _, bin := range []string{"ip6tables", "ip6tables-save", "iptables-save"} {
+		if _, err := exec.LookPath(bin); err != nil {
+			t.Skipf("%s not available on this system: %v", bin, err)
+		}
+	}
+
+	// Seed ip6 tables in the nft backend. Docker may not create them.
+	seedIp6tables(t)
+
+	ifaceMockV6 := &iFaceMock{
+		NameFunc: func() string { return "wt-test" },
+		AddressFunc: func() wgaddr.Address {
+			return wgaddr.Address{
+				IP:      netip.MustParseAddr("100.96.0.1"),
+				Network: netip.MustParsePrefix("100.96.0.0/16"),
+				IPv6:    netip.MustParseAddr("fd00::1"),
+				IPv6Net: netip.MustParsePrefix("fd00::/64"),
+			}
+		},
+	}
+
+	manager, err := Create(ifaceMockV6, iface.DefaultMTU)
+	require.NoError(t, err, "create manager")
+	require.NoError(t, manager.Init(nil))
+
+	t.Cleanup(func() {
+		require.NoError(t, manager.Close(nil), "close manager")
+
+		stdout, stderr := runIp6tablesSave(t)
+		verifyIp6tablesOutput(t, stdout, stderr)
+	})
+
+	ip := netip.MustParseAddr("fd00::2")
+	_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
+	require.NoError(t, err, "add v6 peer filtering rule")
+
+	_, err = manager.AddRouteFiltering(
+		nil,
+		[]netip.Prefix{netip.MustParsePrefix("fd00:1::/64")},
+		fw.Network{Prefix: netip.MustParsePrefix("2001:db8::/48")},
+		fw.ProtocolTCP,
+		nil,
+		&fw.Port{Values: []uint16{443}},
+		fw.ActionAccept,
+	)
+	require.NoError(t, err, "add v6 route filtering rule")
+
+	err = manager.AddNatRule(fw.RouterPair{
+		Source:      fw.Network{Prefix: netip.MustParsePrefix("fd00::/64")},
+		Destination: fw.Network{Prefix: netip.MustParsePrefix("2001:db8::/48")},
+		Masquerade:  true,
+	})
+	require.NoError(t, err, "add v6 NAT rule")
+
+	dnatRule, err := manager.AddDNATRule(fw.ForwardRule{
+		Protocol:          fw.ProtocolTCP,
+		DestinationPort:   fw.Port{Values: []uint16{8080}},
+		TranslatedAddress: netip.MustParseAddr("fd00::2"),
+		TranslatedPort:    fw.Port{Values: []uint16{80}},
+	})
+	require.NoError(t, err, "add v6 DNAT rule")
+
+	t.Cleanup(func() {
+		require.NoError(t, manager.DeleteDNATRule(dnatRule), "delete v6 DNAT rule")
+	})
+
+	stdout, stderr := runIptablesSave(t)
+	verifyIptablesOutput(t, stdout, stderr)
+
+	stdout, stderr = runIp6tablesSave(t)
+	verifyIp6tablesOutput(t, stdout, stderr)
+}
+
+func seedIp6tables(t *testing.T) {
+	t.Helper()
+	for _, tc := range []struct{ table, chain string }{
+		{"filter", "FORWARD"},
+		{"nat", "POSTROUTING"},
+		{"mangle", "FORWARD"},
+	} {
+		add := exec.Command("ip6tables", "-t", tc.table, "-A", tc.chain, "-j", "ACCEPT")
+		require.NoError(t, add.Run(), "seed ip6tables -t %s", tc.table)
+		del := exec.Command("ip6tables", "-t", tc.table, "-D", tc.chain, "-j", "ACCEPT")
+		require.NoError(t, del.Run(), "unseed ip6tables -t %s", tc.table)
+	}
+}
+
+func runIp6tablesSave(t *testing.T) (string, string) {
+	t.Helper()
+	var stdout, stderr bytes.Buffer
+	cmd := exec.Command("ip6tables-save")
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+	require.NoError(t, cmd.Run(), "ip6tables-save failed")
+	return stdout.String(), stderr.String()
+}
+
+func verifyIp6tablesOutput(t *testing.T, stdout, stderr string) {
+	t.Helper()
+	require.NotContains(t, stdout, "Table `nat' is incompatible",
+		"ip6tables-save: nat table incompatible. Full output: %s", stdout)
+	require.NotContains(t, stdout, "Table `mangle' is incompatible",
+		"ip6tables-save: mangle table incompatible. Full output: %s", stdout)
+	require.NotContains(t, stdout, "Table `filter' is incompatible",
+		"ip6tables-save: filter table incompatible. Full output: %s", stdout)
+}
+
 func TestNftablesManagerCompatibilityWithIptablesFor6kPrefixes(t *testing.T) {
 	if check() != NFTABLES {
 		t.Skip("nftables not supported on this system")
--- a/client/firewall/nftables/router_linux.go
+++ b/client/firewall/nftables/router_linux.go
@@ -46,8 +46,10 @@ const (
 	dnatSuffix = "_dnat"
 	snatSuffix = "_snat"

-	// ipTCPHeaderMinSize represents minimum IP (20) + TCP (20) header size for MSS calculation
-	ipTCPHeaderMinSize = 40
+	// ipv4TCPHeaderSize is the minimum IPv4 (20) + TCP (20) header size for MSS calculation.
+	ipv4TCPHeaderSize = 40
+	// ipv6TCPHeaderSize is the minimum IPv6 (40) + TCP (20) header size for MSS calculation.
+	ipv6TCPHeaderSize = 60

 	// maxPrefixesSet 1638 prefixes start to fail, taking some margin
 	maxPrefixesSet       = 1500
@@ -72,6 +74,7 @@ type router struct {
 	rules        map[string]*nftables.Rule
 	ipsetCounter *refcounter.Counter[string, setInput, *nftables.Set]

+	af               addrFamily
 	wgIface          iFaceMapper
 	ipFwdState       *ipfwdstate.IPForwardingState
 	legacyManagement bool
@@ -84,6 +87,7 @@ func newRouter(workTable *nftables.Table, wgIface iFaceMapper, mtu uint16) (*rou
 		workTable:  workTable,
 		chains:     make(map[string]*nftables.Chain),
 		rules:      make(map[string]*nftables.Rule),
+		af:         familyForAddr(workTable.Family == nftables.TableFamilyIPv4),
 		wgIface:    wgIface,
 		ipFwdState: ipfwdstate.NewIPForwardingState(),
 		mtu:        mtu,
@@ -142,7 +146,7 @@ func (r *router) Reset() error {
 func (r *router) removeNatPreroutingRules() error {
 	table := &nftables.Table{
 		Name:   tableNat,
-		Family: nftables.TableFamilyIPv4,
+		Family: r.af.tableFamily,
 	}
 	chain := &nftables.Chain{
 		Name:     chainNameNatPrerouting,
@@ -175,7 +179,7 @@ func (r *router) removeNatPreroutingRules() error {
 }

 func (r *router) loadFilterTable() (*nftables.Table, error) {
-	tables, err := r.conn.ListTablesOfFamily(nftables.TableFamilyIPv4)
+	tables, err := r.conn.ListTablesOfFamily(r.af.tableFamily)
 	if err != nil {
 		return nil, fmt.Errorf("list tables: %w", err)
 	}
@@ -407,7 +411,7 @@ func (r *router) AddRouteFiltering(

 	// Handle protocol
 	if proto != firewall.ProtocolALL {
-		protoNum, err := protoToInt(proto)
+		protoNum, err := r.af.protoNum(proto)
 		if err != nil {
 			return nil, fmt.Errorf("convert protocol to number: %w", err)
 		}
@@ -467,7 +471,24 @@ func (r *router) getIpSet(set firewall.Set, prefixes []netip.Prefix, isSource bo
 		return nil, fmt.Errorf("create or get ipset: %w", err)
 	}

-	return getIpSetExprs(ref, isSource)
+	return r.getIpSetExprs(ref, isSource)
+}
+
+func (r *router) iptablesProto() iptables.Protocol {
+	if r.af.tableFamily == nftables.TableFamilyIPv6 {
+		return iptables.ProtocolIPv6
+	}
+	return iptables.ProtocolIPv4
+}
+
+func (r *router) hasRule(id string) bool {
+	_, ok := r.rules[id]
+	return ok
+}
+
+func (r *router) hasDNATRule(id string) bool {
+	_, ok := r.rules[id+dnatSuffix]
+	return ok
 }

 func (r *router) DeleteRouteRule(rule firewall.Rule) error {
@@ -516,10 +537,10 @@ func (r *router) createIpSet(setName string, input setInput) (*nftables.Set, err
 		Table:   r.workTable,
 		// required for prefixes
 		Interval: true,
-		KeyType:  nftables.TypeIPAddr,
+		KeyType:  r.af.setKeyType,
 	}

-	elements := convertPrefixesToSet(prefixes)
+	elements := r.convertPrefixesToSet(prefixes)
 	nElements := len(elements)

 	maxElements := maxPrefixesSet * 2
@@ -552,23 +573,17 @@ func (r *router) createIpSet(setName string, input setInput) (*nftables.Set, err
 	return nfset, nil
 }

-func convertPrefixesToSet(prefixes []netip.Prefix) []nftables.SetElement {
+func (r *router) convertPrefixesToSet(prefixes []netip.Prefix) []nftables.SetElement {
 	var elements []nftables.SetElement
 	for _, prefix := range prefixes {
-		// TODO: Implement IPv6 support
-		if prefix.Addr().Is6() {
-			log.Tracef("skipping IPv6 prefix %s: IPv6 support not yet implemented", prefix)
-			continue
-		}
-
 		// nftables needs half-open intervals [firstIP, lastIP) for prefixes
 		// e.g. 10.0.0.0/24 becomes [10.0.0.0, 10.0.1.0), 10.1.1.1/32 becomes [10.1.1.1, 10.1.1.2) etc
 		firstIP := prefix.Addr()
 		lastIP := calculateLastIP(prefix).Next()

 		elements = append(elements,
-			// the nft tool also adds a line like this, see https://github.com/google/nftables/issues/247
-			// nftables.SetElement{Key: []byte{0, 0, 0, 0}, IntervalEnd: true},
+			// the nft tool also adds a zero-address IntervalEnd element, see https://github.com/google/nftables/issues/247
+			// nftables.SetElement{Key: make([]byte, r.af.addrLen), IntervalEnd: true},
 			nftables.SetElement{Key: firstIP.AsSlice()},
 			nftables.SetElement{Key: lastIP.AsSlice(), IntervalEnd: true},
 		)
@@ -578,10 +593,20 @@ func convertPrefixesToSet(prefixes []netip.Prefix) []nftables.SetElement {

 // calculateLastIP determines the last IP in a given prefix.
 func calculateLastIP(prefix netip.Prefix) netip.Addr {
-	hostMask := ^uint32(0) >> prefix.Masked().Bits()
-	lastIP := uint32FromNetipAddr(prefix.Addr()) | hostMask
+	masked := prefix.Masked()
+	if masked.Addr().Is4() {
+		hostMask := ^uint32(0) >> masked.Bits()
+		lastIP := uint32FromNetipAddr(masked.Addr()) | hostMask
+		return netip.AddrFrom4(uint32ToBytes(lastIP))
+	}

-	return netip.AddrFrom4(uint32ToBytes(lastIP))
+	// IPv6: set host bits to all 1s
+	b := masked.Addr().As16()
+	bits := masked.Bits()
+	for i := bits; i < 128; i++ {
+		b[i/8] |= 1 << (7 - i%8)
+	}
+	return netip.AddrFrom16(b)
 }

 // Utility function to convert netip.Addr to uint32.
@@ -833,9 +858,12 @@ func (r *router) addPostroutingRules() {
 }

 // addMSSClampingRules adds MSS clamping rules to prevent fragmentation for forwarded traffic.
-// TODO: Add IPv6 support
 func (r *router) addMSSClampingRules() error {
-	mss := r.mtu - ipTCPHeaderMinSize
+	overhead := uint16(ipv4TCPHeaderSize)
+	if r.af.tableFamily == nftables.TableFamilyIPv6 {
+		overhead = ipv6TCPHeaderSize
+	}
+	mss := r.mtu - overhead

 	exprsOut := []expr.Any{
 		&expr.Meta{
@@ -1042,17 +1070,22 @@ func (r *router) acceptFilterTableRules() error {
 		log.Debugf("Used %s to add accept forward and input rules", fw)
 	}()

-	// Try iptables first and fallback to nftables if iptables is not available
-	ipt, err := iptables.New()
+	// Try iptables first and fallback to nftables if iptables is not available.
+	// Use the correct protocol (iptables vs ip6tables) for the address family.
+	ipt, err := iptables.NewWithProtocol(r.iptablesProto())
 	if err != nil {
-		// iptables is not available but the filter table exists
 		log.Warnf("Will use nftables to manipulate the filter table because iptables is not available: %v", err)

 		fw = "nftables"
 		return r.acceptFilterRulesNftables(r.filterTable)
 	}

-	return r.acceptFilterRulesIptables(ipt)
+	if err := r.acceptFilterRulesIptables(ipt); err != nil {
+		log.Warnf("iptables failed (table may be incompatible), falling back to nftables: %v", err)
+		fw = "nftables"
+		return r.acceptFilterRulesNftables(r.filterTable)
+	}
+	return nil
 }

 func (r *router) acceptFilterRulesIptables(ipt *iptables.IPTables) error {
@@ -1221,13 +1254,17 @@ func (r *router) removeFilterTableRules() error {
 		return nil
 	}

-	ipt, err := iptables.New()
+	ipt, err := iptables.NewWithProtocol(r.iptablesProto())
 	if err != nil {
 		log.Debugf("iptables not available, using nftables to remove filter rules: %v", err)
 		return r.removeAcceptRulesFromTable(r.filterTable)
 	}

-	return r.removeAcceptFilterRulesIptables(ipt)
+	if err := r.removeAcceptFilterRulesIptables(ipt); err != nil {
+		log.Debugf("iptables removal failed (table may be incompatible), falling back to nftables: %v", err)
+		return r.removeAcceptRulesFromTable(r.filterTable)
+	}
+	return nil
 }

 func (r *router) removeAcceptRulesFromTable(table *nftables.Table) error {
@@ -1294,7 +1331,7 @@ func (r *router) removeExternalChainsRules() error {
 func (r *router) findExternalChains() []*nftables.Chain {
 	var chains []*nftables.Chain

-	families := []nftables.TableFamily{nftables.TableFamilyIPv4, nftables.TableFamilyINet}
+	families := []nftables.TableFamily{r.af.tableFamily, nftables.TableFamilyINet}

 	for _, family := range families {
 		allChains, err := r.conn.ListChainsOfTableFamily(family)
@@ -1318,8 +1355,8 @@ func (r *router) isExternalChain(chain *nftables.Chain) bool {
 		return false
 	}

-	// Skip all iptables-managed tables in the ip family
-	if chain.Table.Family == nftables.TableFamilyIPv4 && isIptablesTable(chain.Table.Name) {
+	// Skip iptables/ip6tables-managed tables (adding nft-native rules breaks iptables-save compat)
+	if (chain.Table.Family == nftables.TableFamilyIPv4 || chain.Table.Family == nftables.TableFamilyIPv6) && isIptablesTable(chain.Table.Name) {
 		return false
 	}

@@ -1460,7 +1497,7 @@ func (r *router) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
 		return rule, nil
 	}

-	protoNum, err := protoToInt(rule.Protocol)
+	protoNum, err := r.af.protoNum(rule.Protocol)
 	if err != nil {
 		return nil, fmt.Errorf("convert protocol to number: %w", err)
 	}
@@ -1523,7 +1560,7 @@ func (r *router) addDnatRedirect(rule firewall.ForwardRule, protoNum uint8, rule
 	dnatExprs = append(dnatExprs,
 		&expr.NAT{
 			Type:        expr.NATTypeDestNAT,
-			Family:      uint32(nftables.TableFamilyIPv4),
+			Family:      uint32(r.af.tableFamily),
 			RegAddrMin:  1,
 			RegProtoMin: regProtoMin,
 			RegProtoMax: regProtoMax,
@@ -1619,7 +1656,7 @@ func (r *router) addXTablesRedirect(dnatExprs []expr.Any, ruleKey string, rule f
 	dnatRule := &nftables.Rule{
 		Table: &nftables.Table{
 			Name:   tableNat,
-			Family: nftables.TableFamilyIPv4,
+			Family: r.af.tableFamily,
 		},
 		Chain: &nftables.Chain{
 			Name:     chainNameNatPrerouting,
@@ -1654,8 +1691,8 @@ func (r *router) addDnatMasq(rule firewall.ForwardRule, protoNum uint8, ruleKey
 		&expr.Payload{
 			DestRegister: 1,
 			Base:         expr.PayloadBaseNetworkHeader,
-			Offset:       16,
-			Len:          4,
+			Offset:       r.af.dstAddrOffset,
+			Len:          r.af.addrLen,
 		},
 		&expr.Cmp{
 			Op:       expr.CmpOpEq,
@@ -1733,7 +1770,7 @@ func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 		return fmt.Errorf("get set %s: %w", set.HashedName(), err)
 	}

-	elements := convertPrefixesToSet(prefixes)
+	elements := r.convertPrefixesToSet(prefixes)
 	if err := r.conn.SetAddElements(nfset, elements); err != nil {
 		return fmt.Errorf("add elements to set %s: %w", set.HashedName(), err)
 	}
@@ -1755,7 +1792,7 @@ func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol
 		return nil
 	}

-	protoNum, err := protoToInt(protocol)
+	protoNum, err := r.af.protoNum(protocol)
 	if err != nil {
 		return fmt.Errorf("convert protocol to number: %w", err)
 	}
@@ -1786,7 +1823,11 @@ func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol
 		},
 	}

-	exprs = append(exprs, applyPrefix(netip.PrefixFrom(localAddr, 32), false)...)
+	bits := 32
+	if localAddr.Is6() {
+		bits = 128
+	}
+	exprs = append(exprs, r.applyPrefix(netip.PrefixFrom(localAddr, bits), false)...)

 	exprs = append(exprs,
 		&expr.Immediate{
@@ -1799,7 +1840,7 @@ func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol
 		},
 		&expr.NAT{
 			Type:        expr.NATTypeDestNAT,
-			Family:      uint32(nftables.TableFamilyIPv4),
+			Family:      uint32(r.af.tableFamily),
 			RegAddrMin:  1,
 			RegProtoMin: 2,
 			RegProtoMax: 0,
@@ -1868,45 +1909,44 @@ func (r *router) applyNetwork(
 	}

 	if network.IsPrefix() {
-		return applyPrefix(network.Prefix, isSource), nil
+		return r.applyPrefix(network.Prefix, isSource), nil
 	}

 	return nil, nil
 }

 // applyPrefix generates nftables expressions for a CIDR prefix
-func applyPrefix(prefix netip.Prefix, isSource bool) []expr.Any {
-	// dst offset
-	offset := uint32(16)
+func (r *router) applyPrefix(prefix netip.Prefix, isSource bool) []expr.Any {
+	// dst offset by default
+	offset := r.af.dstAddrOffset
 	if isSource {
 		// src offset
-		offset = 12
+		offset = r.af.srcAddrOffset
 	}

 	ones := prefix.Bits()
-	// 0.0.0.0/0 doesn't need extra expressions
+	// unspecified address (/0) doesn't need extra expressions
 	if ones == 0 {
 		return nil
 	}

-	mask := net.CIDRMask(ones, 32)
+	mask := net.CIDRMask(ones, r.af.totalBits)
+	xor := make([]byte, r.af.addrLen)

 	return []expr.Any{
 		&expr.Payload{
 			DestRegister: 1,
 			Base:         expr.PayloadBaseNetworkHeader,
 			Offset:       offset,
-			Len:          4,
+			Len:          r.af.addrLen,
 		},
-		// netmask
 		&expr.Bitwise{
 			DestRegister:   1,
 			SourceRegister: 1,
-			Len:            4,
+			Len:            r.af.addrLen,
 			Mask:           mask,
-			Xor:            []byte{0, 0, 0, 0},
+			Xor:            xor,
 		},
-		// net address
 		&expr.Cmp{
 			Op:       expr.CmpOpEq,
 			Register: 1,
@@ -1989,13 +2029,12 @@ func getCtNewExprs() []expr.Any {
 	}
 }

-func getIpSetExprs(ref refcounter.Ref[*nftables.Set], isSource bool) ([]expr.Any, error) {
-
-	// dst offset
-	offset := uint32(16)
+func (r *router) getIpSetExprs(ref refcounter.Ref[*nftables.Set], isSource bool) ([]expr.Any, error) {
+	// dst offset by default
+	offset := r.af.dstAddrOffset
 	if isSource {
 		// src offset
-		offset = 12
+		offset = r.af.srcAddrOffset
 	}

 	return []expr.Any{
@@ -2003,7 +2042,7 @@ func getIpSetExprs(ref refcounter.Ref[*nftables.Set], isSource bool) ([]expr.Any
 			DestRegister: 1,
 			Base:         expr.PayloadBaseNetworkHeader,
 			Offset:       offset,
-			Len:          4,
+			Len:          r.af.addrLen,
 		},
 		&expr.Lookup{
 			SourceRegister: 1,
--- a/client/firewall/nftables/router_linux_test.go
+++ b/client/firewall/nftables/router_linux_test.go
@@ -90,8 +90,9 @@ func TestNftablesManager_AddNatRule(t *testing.T) {
 				}

 				// Build CIDR matching expressions
-				sourceExp := applyPrefix(testCase.InputPair.Source.Prefix, true)
-				destExp := applyPrefix(testCase.InputPair.Destination.Prefix, false)
+				testRouter := &router{af: afIPv4}
+				sourceExp := testRouter.applyPrefix(testCase.InputPair.Source.Prefix, true)
+				destExp := testRouter.applyPrefix(testCase.InputPair.Destination.Prefix, false)

 				// Combine all expressions in the correct order
 				// nolint:gocritic
@@ -508,6 +509,136 @@ func TestNftablesCreateIpSet(t *testing.T) {
 	}
 }

+func TestNftablesCreateIpSet_IPv6(t *testing.T) {
+	if check() != NFTABLES {
+		t.Skip("nftables not supported on this system")
+	}
+
+	workTable, err := createWorkTableIPv6()
+	require.NoError(t, err, "Failed to create v6 work table")
+	defer deleteWorkTableIPv6()
+
+	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
+	require.NoError(t, err, "Failed to create router")
+	require.NoError(t, r.init(workTable))
+	defer func() {
+		require.NoError(t, r.Reset(), "Failed to reset router")
+	}()
+
+	tests := []struct {
+		name     string
+		sources  []netip.Prefix
+		expected []netip.Prefix
+	}{
+		{
+			name:    "Single IPv6",
+			sources: []netip.Prefix{netip.MustParsePrefix("2001:db8::1/128")},
+		},
+		{
+			name: "Multiple IPv6 Subnets",
+			sources: []netip.Prefix{
+				netip.MustParsePrefix("fd00::/64"),
+				netip.MustParsePrefix("2001:db8::/48"),
+				netip.MustParsePrefix("fe80::/10"),
+			},
+		},
+		{
+			name: "Overlapping IPv6",
+			sources: []netip.Prefix{
+				netip.MustParsePrefix("fd00::/48"),
+				netip.MustParsePrefix("fd00::/64"),
+				netip.MustParsePrefix("fd00::1/128"),
+			},
+			expected: []netip.Prefix{
+				netip.MustParsePrefix("fd00::/48"),
+			},
+		},
+		{
+			name: "Mixed prefix lengths",
+			sources: []netip.Prefix{
+				netip.MustParsePrefix("2001:db8:1::/48"),
+				netip.MustParsePrefix("2001:db8:2::1/128"),
+				netip.MustParsePrefix("fd00:abcd::/32"),
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			setName := firewall.NewPrefixSet(tt.sources).HashedName()
+			set, err := r.createIpSet(setName, setInput{prefixes: tt.sources})
+			require.NoError(t, err, "Failed to create IPv6 set")
+			require.NotNil(t, set)
+
+			assert.Equal(t, setName, set.Name)
+			assert.True(t, set.Interval)
+			assert.Equal(t, nftables.TypeIP6Addr, set.KeyType)
+
+			fetchedSet, err := r.conn.GetSetByName(r.workTable, setName)
+			require.NoError(t, err, "Failed to fetch created set")
+
+			elements, err := r.conn.GetSetElements(fetchedSet)
+			require.NoError(t, err, "Failed to get set elements")
+
+			uniquePrefixes := make(map[string]bool)
+			for _, elem := range elements {
+				if !elem.IntervalEnd && len(elem.Key) == 16 {
+					ip := netip.AddrFrom16([16]byte(elem.Key))
+					uniquePrefixes[ip.String()] = true
+				}
+			}
+
+			expectedCount := len(tt.expected)
+			if expectedCount == 0 {
+				expectedCount = len(tt.sources)
+			}
+			assert.Equal(t, expectedCount, len(uniquePrefixes), "unique prefix count mismatch")
+
+			r.conn.DelSet(set)
+			require.NoError(t, r.conn.Flush())
+		})
+	}
+}
+
+func createWorkTableIPv6() (*nftables.Table, error) {
+	sConn, err := nftables.New(nftables.AsLasting())
+	if err != nil {
+		return nil, err
+	}
+
+	tables, err := sConn.ListTablesOfFamily(nftables.TableFamilyIPv6)
+	if err != nil {
+		return nil, err
+	}
+	for _, t := range tables {
+		if t.Name == tableNameNetbird {
+			sConn.DelTable(t)
+		}
+	}
+
+	table := sConn.AddTable(&nftables.Table{Name: tableNameNetbird, Family: nftables.TableFamilyIPv6})
+	err = sConn.Flush()
+	return table, err
+}
+
+func deleteWorkTableIPv6() {
+	sConn, err := nftables.New(nftables.AsLasting())
+	if err != nil {
+		return
+	}
+
+	tables, err := sConn.ListTablesOfFamily(nftables.TableFamilyIPv6)
+	if err != nil {
+		return
+	}
+	for _, t := range tables {
+		if t.Name == tableNameNetbird {
+			sConn.DelTable(t)
+			_ = sConn.Flush()
+		}
+	}
+}
+
 func verifyRule(t *testing.T, rule *nftables.Rule, sources []netip.Prefix, destination netip.Prefix, proto firewall.Protocol, sPort, dPort *firewall.Port, direction firewall.RuleDirection, action firewall.Action, expectSet bool) {
 	t.Helper()

@@ -627,7 +758,7 @@ func containsPort(exprs []expr.Any, port *firewall.Port, isSource bool) bool {

 func containsProtocol(exprs []expr.Any, proto firewall.Protocol) bool {
 	var metaFound, cmpFound bool
-	expectedProto, _ := protoToInt(proto)
+	expectedProto, _ := afIPv4.protoNum(proto)
 	for _, e := range exprs {
 		switch ex := e.(type) {
 		case *expr.Meta:
@@ -854,3 +985,55 @@ func TestRouter_AddNatRule_WithStaleEntry(t *testing.T) {
 	}
 	assert.Equal(t, 1, found, "NAT rule should exist in kernel")
 }
+
+func TestCalculateLastIP(t *testing.T) {
+	tests := []struct {
+		prefix string
+		want   string
+	}{
+		{"10.0.0.0/24", "10.0.0.255"},
+		{"10.0.0.0/32", "10.0.0.0"},
+		{"0.0.0.0/0", "255.255.255.255"},
+		{"192.168.1.0/28", "192.168.1.15"},
+		{"fd00::/64", "fd00::ffff:ffff:ffff:ffff"},
+		{"fd00::/128", "fd00::"},
+		{"2001:db8::/48", "2001:db8:0:ffff:ffff:ffff:ffff:ffff"},
+		{"::/0", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.prefix, func(t *testing.T) {
+			prefix := netip.MustParsePrefix(tt.prefix)
+			got := calculateLastIP(prefix)
+			assert.Equal(t, tt.want, got.String())
+		})
+	}
+}
+
+func TestConvertPrefixesToSet_IPv6(t *testing.T) {
+	r := &router{af: afIPv6}
+	prefixes := []netip.Prefix{
+		netip.MustParsePrefix("fd00::/64"),
+		netip.MustParsePrefix("2001:db8::1/128"),
+	}
+
+	elements := r.convertPrefixesToSet(prefixes)
+
+	// Each prefix produces 2 elements (start + end)
+	require.Len(t, elements, 4)
+
+	// fd00::/64 start
+	assert.Equal(t, netip.MustParseAddr("fd00::").As16(), [16]byte(elements[0].Key))
+	assert.False(t, elements[0].IntervalEnd)
+
+	// fd00::/64 end (fd00:0:0:1::, one past the last)
+	assert.Equal(t, netip.MustParseAddr("fd00:0:0:1::").As16(), [16]byte(elements[1].Key))
+	assert.True(t, elements[1].IntervalEnd)
+
+	// 2001:db8::1/128 start
+	assert.Equal(t, netip.MustParseAddr("2001:db8::1").As16(), [16]byte(elements[2].Key))
+	assert.False(t, elements[2].IntervalEnd)
+
+	// 2001:db8::1/128 end (2001:db8::2)
+	assert.Equal(t, netip.MustParseAddr("2001:db8::2").As16(), [16]byte(elements[3].Key))
+	assert.True(t, elements[3].IntervalEnd)
+}
--- a/client/firewall/nftables/state_linux.go
+++ b/client/firewall/nftables/state_linux.go
@@ -8,9 +8,10 @@ import (
 )

 type InterfaceState struct {
-	NameStr   string         `json:"name"`
-	WGAddress wgaddr.Address `json:"wg_address"`
-	MTU       uint16         `json:"mtu"`
+	NameStr       string         `json:"name"`
+	WGAddress     wgaddr.Address `json:"wg_address"`
+	UserspaceBind bool           `json:"userspace_bind"`
+	MTU           uint16         `json:"mtu"`
 }

 func (i *InterfaceState) Name() string {
@@ -21,6 +22,10 @@ func (i *InterfaceState) Address() wgaddr.Address {
 	return i.WGAddress
 }

+func (i *InterfaceState) IsUserspaceBind() bool {
+	return i.UserspaceBind
+}
+
 type ShutdownState struct {
 	InterfaceState *InterfaceState `json:"interface_state,omitempty"`
 }
--- a/client/firewall/uspfilter/allow_netbird_windows.go
+++ b/client/firewall/uspfilter/allow_netbird_windows.go
@@ -5,8 +5,10 @@ import (
 	"os/exec"
 	"syscall"

+	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"

+	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )

@@ -29,15 +31,20 @@ func (m *Manager) Close(*statemanager.Manager) error {
 		return nil
 	}

-	if !isFirewallRuleActive(firewallRuleName) {
-		return nil
+	var merr *multierror.Error
+	if isFirewallRuleActive(firewallRuleName) {
+		if err := manageFirewallRule(firewallRuleName, deleteRule); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("remove windows firewall rule: %w", err))
+		}
 	}

-	if err := manageFirewallRule(firewallRuleName, deleteRule); err != nil {
-		return fmt.Errorf("couldn't remove windows firewall: %w", err)
+	if isFirewallRuleActive(firewallRuleName + "-v6") {
+		if err := manageFirewallRule(firewallRuleName+"-v6", deleteRule); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("remove windows v6 firewall rule: %w", err))
+		}
 	}

-	return nil
+	return nberrors.FormatErrorOrNil(merr)
 }

 // AllowNetbird allows netbird interface traffic
@@ -46,17 +53,33 @@ func (m *Manager) AllowNetbird() error {
 		return nil
 	}

-	if isFirewallRuleActive(firewallRuleName) {
-		return nil
+	if !isFirewallRuleActive(firewallRuleName) {
+		if err := manageFirewallRule(firewallRuleName,
+			addRule,
+			"dir=in",
+			"enable=yes",
+			"action=allow",
+			"profile=any",
+			"localip="+m.wgIface.Address().IP.String(),
+		); err != nil {
+			return err
+		}
 	}
-	return manageFirewallRule(firewallRuleName,
-		addRule,
-		"dir=in",
-		"enable=yes",
-		"action=allow",
-		"profile=any",
-		"localip="+m.wgIface.Address().IP.String(),
-	)
+
+	if v6 := m.wgIface.Address().IPv6; v6.IsValid() && !isFirewallRuleActive(firewallRuleName+"-v6") {
+		if err := manageFirewallRule(firewallRuleName+"-v6",
+			addRule,
+			"dir=in",
+			"enable=yes",
+			"action=allow",
+			"profile=any",
+			"localip="+v6.String(),
+		); err != nil {
+			return err
+		}
+	}
+
+	return nil
 }

 func manageFirewallRule(ruleName string, action action, extraArgs ...string) error {
--- a/client/firewall/uspfilter/conntrack/common.go
+++ b/client/firewall/uspfilter/conntrack/common.go
@@ -1,8 +1,9 @@
 package conntrack

 import (
-	"fmt"
+	"net"
 	"net/netip"
+	"strconv"
 	"sync/atomic"
 	"time"

@@ -64,5 +65,7 @@ type ConnKey struct {
 }

 func (c ConnKey) String() string {
-	return fmt.Sprintf("%s:%d → %s:%d", c.SrcIP.Unmap(), c.SrcPort, c.DstIP.Unmap(), c.DstPort)
+	return net.JoinHostPort(c.SrcIP.Unmap().String(), strconv.Itoa(int(c.SrcPort))) +
+		" → " +
+		net.JoinHostPort(c.DstIP.Unmap().String(), strconv.Itoa(int(c.DstPort)))
 }
--- a/client/firewall/uspfilter/conntrack/icmp.go
+++ b/client/firewall/uspfilter/conntrack/icmp.go
@@ -21,9 +21,10 @@ const (
 	// ICMPCleanupInterval is how often we check for stale ICMP connections
 	ICMPCleanupInterval = 15 * time.Second

-	// MaxICMPPayloadLength is the maximum length of ICMP payload we consider for original packet info,
-	// which includes the IP header (20 bytes) and transport header (8 bytes)
-	MaxICMPPayloadLength = 28
+	// MaxICMPPayloadLength is the maximum length of ICMP payload we consider for original packet info.
+	// IPv4: 20-byte header + 8-byte transport = 28 bytes.
+	// IPv6: 40-byte header + 8-byte transport = 48 bytes.
+	MaxICMPPayloadLength = 48
 )

 // ICMPConnKey uniquely identifies an ICMP connection
@@ -74,32 +75,64 @@ func (info ICMPInfo) String() string {
 	return info.TypeCode.String()
 }

-// isErrorMessage returns true if this ICMP type carries original packet info
+// isErrorMessage returns true if this ICMP type carries original packet info.
+// Covers both ICMPv4 and ICMPv6 error types. Without a family field we match
+// both sets; type 3 overlaps (v4 DestUnreachable / v6 TimeExceeded) so it's
+// kept as a literal.
 func (info ICMPInfo) isErrorMessage() bool {
 	typ := info.TypeCode.Type()
-	return typ == 3 || // Destination Unreachable
-		typ == 5 || // Redirect
-		typ == 11 || // Time Exceeded
-		typ == 12 // Parameter Problem
+	// ICMPv4 error types
+	if typ == layers.ICMPv4TypeDestinationUnreachable ||
+		typ == layers.ICMPv4TypeRedirect ||
+		typ == layers.ICMPv4TypeTimeExceeded ||
+		typ == layers.ICMPv4TypeParameterProblem {
+		return true
+	}
+	// ICMPv6 error types (type 3 already matched above as v4 DestUnreachable)
+	if typ == layers.ICMPv6TypeDestinationUnreachable ||
+		typ == layers.ICMPv6TypePacketTooBig ||
+		typ == layers.ICMPv6TypeParameterProblem {
+		return true
+	}
+	return false
 }

 // parseOriginalPacket extracts info about the original packet from ICMP payload
 func (info ICMPInfo) parseOriginalPacket() string {
-	if info.PayloadLen < MaxICMPPayloadLength {
+	if info.PayloadLen == 0 {
 		return ""
 	}

-	// TODO: handle IPv6
-	if version := (info.PayloadData[0] >> 4) & 0xF; version != 4 {
+	version := (info.PayloadData[0] >> 4) & 0xF
+
+	var protocol uint8
+	var srcIP, dstIP net.IP
+	var transportData []byte
+
+	switch version {
+	case 4:
+		// 20-byte IPv4 header + 8-byte transport minimum
+		if info.PayloadLen < 28 {
+			return ""
+		}
+		protocol = info.PayloadData[9]
+		srcIP = net.IP(info.PayloadData[12:16])
+		dstIP = net.IP(info.PayloadData[16:20])
+		transportData = info.PayloadData[20:]
+	case 6:
+		// 40-byte IPv6 header + 8-byte transport minimum
+		if info.PayloadLen < 48 {
+			return ""
+		}
+		// Next Header field in IPv6 header
+		protocol = info.PayloadData[6]
+		srcIP = net.IP(info.PayloadData[8:24])
+		dstIP = net.IP(info.PayloadData[24:40])
+		transportData = info.PayloadData[40:]
+	default:
 		return ""
 	}

-	protocol := info.PayloadData[9]
-	srcIP := net.IP(info.PayloadData[12:16])
-	dstIP := net.IP(info.PayloadData[16:20])
-
-	transportData := info.PayloadData[20:]
-
 	switch nftypes.Protocol(protocol) {
 	case nftypes.TCP:
 		srcPort := uint16(transportData[0])<<8 | uint16(transportData[1])
@@ -247,9 +280,10 @@ func (t *ICMPTracker) track(
 	t.sendEvent(nftypes.TypeStart, conn, ruleId)
 }

-// IsValidInbound checks if an inbound ICMP Echo Reply matches a tracked request
+// IsValidInbound checks if an inbound ICMP Echo Reply matches a tracked request.
+// Accepts both ICMPv4 (type 0) and ICMPv6 (type 129) echo replies.
 func (t *ICMPTracker) IsValidInbound(srcIP netip.Addr, dstIP netip.Addr, id uint16, icmpType uint8, size int) bool {
-	if icmpType != uint8(layers.ICMPv4TypeEchoReply) {
+	if icmpType != uint8(layers.ICMPv4TypeEchoReply) && icmpType != uint8(layers.ICMPv6TypeEchoReply) {
 		return false
 	}

@@ -301,6 +335,13 @@ func (t *ICMPTracker) cleanup() {
 	}
 }

+func icmpProtocolForAddr(ip netip.Addr) nftypes.Protocol {
+	if ip.Is6() {
+		return nftypes.ICMPv6
+	}
+	return nftypes.ICMP
+}
+
 // Close stops the cleanup routine and releases resources
 func (t *ICMPTracker) Close() {
 	t.tickerCancel()
@@ -316,7 +357,7 @@ func (t *ICMPTracker) sendEvent(typ nftypes.Type, conn *ICMPConnTrack, ruleID []
 		Type:      typ,
 		RuleID:    ruleID,
 		Direction: conn.Direction,
-		Protocol:  nftypes.ICMP, // TODO: adjust for IPv6/icmpv6
+		Protocol:  icmpProtocolForAddr(conn.SourceIP),
 		SourceIP:  conn.SourceIP,
 		DestIP:    conn.DestIP,
 		ICMPType:  conn.ICMPType,
@@ -334,7 +375,7 @@ func (t *ICMPTracker) sendStartEvent(direction nftypes.Direction, srcIP netip.Ad
 		Type:      nftypes.TypeStart,
 		RuleID:    ruleID,
 		Direction: direction,
-		Protocol:  nftypes.ICMP,
+		Protocol:  icmpProtocolForAddr(srcIP),
 		SourceIP:  srcIP,
 		DestIP:    dstIP,
 		ICMPType:  typ,
--- a/client/firewall/uspfilter/filter.go
+++ b/client/firewall/uspfilter/filter.go
@@ -35,8 +35,10 @@ import (
 const (
 	layerTypeAll = 255

-	// ipTCPHeaderMinSize represents minimum IP (20) + TCP (20) header size for MSS calculation
-	ipTCPHeaderMinSize = 40
+	// ipv4TCPHeaderMinSize represents minimum IPv4 (20) + TCP (20) header size for MSS calculation
+	ipv4TCPHeaderMinSize = 40
+	// ipv6TCPHeaderMinSize represents minimum IPv6 (40) + TCP (20) header size for MSS calculation
+	ipv6TCPHeaderMinSize = 60
 )

 // serviceKey represents a protocol/port combination for netstack service registry
@@ -137,9 +139,10 @@ type Manager struct {
 	netstackServices     map[serviceKey]struct{}
 	netstackServiceMutex sync.RWMutex

-	mtu             uint16
-	mssClampValue   uint16
-	mssClampEnabled bool
+	mtu               uint16
+	mssClampValueIPv4 uint16
+	mssClampValueIPv6 uint16
+	mssClampEnabled   bool
 }

 // decoder for packages
@@ -152,11 +155,28 @@ type decoder struct {
 	icmp4   layers.ICMPv4
 	icmp6   layers.ICMPv6
 	decoded []gopacket.LayerType
-	parser  *gopacket.DecodingLayerParser
+	parser4 *gopacket.DecodingLayerParser
+	parser6 *gopacket.DecodingLayerParser

 	dnatOrigPort uint16
 }

+// decodePacket decodes packet data using the appropriate parser based on IP version.
+func (d *decoder) decodePacket(data []byte) error {
+	if len(data) == 0 {
+		return errors.New("empty packet")
+	}
+	version := data[0] >> 4
+	switch version {
+	case 4:
+		return d.parser4.DecodeLayers(data, &d.decoded)
+	case 6:
+		return d.parser6.DecodeLayers(data, &d.decoded)
+	default:
+		return fmt.Errorf("unknown IP version %d", version)
+	}
+}
+
 // Create userspace firewall manager constructor
 func Create(iface common.IFaceMapper, disableServerRoutes bool, flowLogger nftypes.FlowLogger, mtu uint16) (*Manager, error) {
 	return create(iface, nil, disableServerRoutes, flowLogger, mtu)
@@ -214,11 +234,17 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 				d := &decoder{
 					decoded: []gopacket.LayerType{},
 				}
-				d.parser = gopacket.NewDecodingLayerParser(
+				d.parser4 = gopacket.NewDecodingLayerParser(
 					layers.LayerTypeIPv4,
 					&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
 				)
-				d.parser.IgnoreUnsupported = true
+				d.parser4.IgnoreUnsupported = true
+
+				d.parser6 = gopacket.NewDecodingLayerParser(
+					layers.LayerTypeIPv6,
+					&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
+				)
+				d.parser6.IgnoreUnsupported = true
 				return d
 			},
 		},
@@ -244,7 +270,8 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe

 	if !disableMSSClamping {
 		m.mssClampEnabled = true
-		m.mssClampValue = mtu - ipTCPHeaderMinSize
+		m.mssClampValueIPv4 = mtu - ipv4TCPHeaderMinSize
+		m.mssClampValueIPv6 = mtu - ipv6TCPHeaderMinSize
 	}
 	if err := m.localipmanager.UpdateLocalIPs(iface); err != nil {
 		return nil, fmt.Errorf("update local IPs: %w", err)
@@ -271,9 +298,14 @@ func (m *Manager) blockInvalidRouted(iface common.IFaceMapper) (firewall.Rule, e
 	wgPrefix := iface.Address().Network
 	log.Debugf("blocking invalid routed traffic for %s", wgPrefix)

+	sources := []netip.Prefix{netip.PrefixFrom(netip.IPv4Unspecified(), 0)}
+	if v6 := iface.Address().IPv6Net; v6.IsValid() {
+		sources = append(sources, netip.PrefixFrom(netip.IPv6Unspecified(), 0))
+	}
+
 	rule, err := m.addRouteFiltering(
 		nil,
-		[]netip.Prefix{netip.PrefixFrom(netip.IPv4Unspecified(), 0)},
+		sources,
 		firewall.Network{Prefix: wgPrefix},
 		firewall.ProtocolALL,
 		nil,
@@ -281,7 +313,22 @@ func (m *Manager) blockInvalidRouted(iface common.IFaceMapper) (firewall.Rule, e
 		firewall.ActionDrop,
 	)
 	if err != nil {
-		return nil, fmt.Errorf("block wg nte : %w", err)
+		return nil, fmt.Errorf("block wg v4 net: %w", err)
+	}
+
+	if v6Net := iface.Address().IPv6Net; v6Net.IsValid() {
+		log.Debugf("blocking invalid routed traffic for %s", v6Net)
+		if _, err := m.addRouteFiltering(
+			nil,
+			sources,
+			firewall.Network{Prefix: v6Net},
+			firewall.ProtocolALL,
+			nil,
+			nil,
+			firewall.ActionDrop,
+		); err != nil {
+			return nil, fmt.Errorf("block wg v6 net: %w", err)
+		}
 	}

 	// TODO: Block networks that we're a client of
@@ -498,7 +545,7 @@ func (m *Manager) addRouteFiltering(
 		mgmtId:     id,
 		sources:    sources,
 		dstSet:     destination.Set,
-		protoLayer: protoToLayer(proto, layers.LayerTypeIPv4),
+		protoLayer: protoToLayer(proto, ipLayerFromPrefix(destination.Prefix)),
 		srcPort:    sPort,
 		dstPort:    dPort,
 		action:     action,
@@ -650,11 +697,7 @@ func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	}

 	destinations := matches[0].destinations
-	for _, prefix := range prefixes {
-		if prefix.Addr().Is4() {
-			destinations = append(destinations, prefix)
-		}
-	}
+	destinations = append(destinations, prefixes...)

 	slices.SortFunc(destinations, func(a, b netip.Prefix) int {
 		cmp := a.Addr().Compare(b.Addr())
@@ -693,7 +736,7 @@ func (m *Manager) filterOutbound(packetData []byte, size int) bool {
 	d := m.decoders.Get().(*decoder)
 	defer m.decoders.Put(d)

-	if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
+	if err := d.decodePacket(packetData); err != nil {
 		return false
 	}

@@ -774,12 +817,28 @@ func (m *Manager) clampTCPMSS(packetData []byte, d *decoder) bool {
 		return false
 	}

+	var mssClampValue uint16
+	var ipHeaderSize int
+	switch d.decoded[0] {
+	case layers.LayerTypeIPv4:
+		mssClampValue = m.mssClampValueIPv4
+		ipHeaderSize = int(d.ip4.IHL) * 4
+		if ipHeaderSize < 20 {
+			return false
+		}
+	case layers.LayerTypeIPv6:
+		mssClampValue = m.mssClampValueIPv6
+		ipHeaderSize = 40
+	default:
+		return false
+	}
+
 	mssOptionIndex := -1
 	var currentMSS uint16
 	for i, opt := range d.tcp.Options {
 		if opt.OptionType == layers.TCPOptionKindMSS && len(opt.OptionData) == 2 {
 			currentMSS = binary.BigEndian.Uint16(opt.OptionData)
-			if currentMSS > m.mssClampValue {
+			if currentMSS > mssClampValue {
 				mssOptionIndex = i
 				break
 			}
@@ -790,20 +849,15 @@ func (m *Manager) clampTCPMSS(packetData []byte, d *decoder) bool {
 		return false
 	}

-	ipHeaderSize := int(d.ip4.IHL) * 4
-	if ipHeaderSize < 20 {
+	if !m.updateMSSOption(packetData, d, mssOptionIndex, mssClampValue, ipHeaderSize) {
 		return false
 	}

-	if !m.updateMSSOption(packetData, d, mssOptionIndex, ipHeaderSize) {
-		return false
-	}
-
-	m.logger.Trace2("Clamped TCP MSS from %d to %d", currentMSS, m.mssClampValue)
+	m.logger.Trace2("Clamped TCP MSS from %d to %d", currentMSS, mssClampValue)
 	return true
 }

-func (m *Manager) updateMSSOption(packetData []byte, d *decoder, mssOptionIndex, ipHeaderSize int) bool {
+func (m *Manager) updateMSSOption(packetData []byte, d *decoder, mssOptionIndex int, mssClampValue uint16, ipHeaderSize int) bool {
 	tcpHeaderStart := ipHeaderSize
 	tcpOptionsStart := tcpHeaderStart + 20

@@ -818,7 +872,7 @@ func (m *Manager) updateMSSOption(packetData []byte, d *decoder, mssOptionIndex,
 	}

 	mssValueOffset := optOffset + 2
-	binary.BigEndian.PutUint16(packetData[mssValueOffset:mssValueOffset+2], m.mssClampValue)
+	binary.BigEndian.PutUint16(packetData[mssValueOffset:mssValueOffset+2], mssClampValue)

 	m.recalculateTCPChecksum(packetData, d, tcpHeaderStart)
 	return true
@@ -828,18 +882,32 @@ func (m *Manager) recalculateTCPChecksum(packetData []byte, d *decoder, tcpHeade
 	tcpLayer := packetData[tcpHeaderStart:]
 	tcpLength := len(packetData) - tcpHeaderStart

+	// Zero out existing checksum
 	tcpLayer[16] = 0
 	tcpLayer[17] = 0

+	// Build pseudo-header checksum based on IP version
 	var pseudoSum uint32
-	pseudoSum += uint32(d.ip4.SrcIP[0])<<8 | uint32(d.ip4.SrcIP[1])
-	pseudoSum += uint32(d.ip4.SrcIP[2])<<8 | uint32(d.ip4.SrcIP[3])
-	pseudoSum += uint32(d.ip4.DstIP[0])<<8 | uint32(d.ip4.DstIP[1])
-	pseudoSum += uint32(d.ip4.DstIP[2])<<8 | uint32(d.ip4.DstIP[3])
-	pseudoSum += uint32(d.ip4.Protocol)
-	pseudoSum += uint32(tcpLength)
+	switch d.decoded[0] {
+	case layers.LayerTypeIPv4:
+		pseudoSum += uint32(d.ip4.SrcIP[0])<<8 | uint32(d.ip4.SrcIP[1])
+		pseudoSum += uint32(d.ip4.SrcIP[2])<<8 | uint32(d.ip4.SrcIP[3])
+		pseudoSum += uint32(d.ip4.DstIP[0])<<8 | uint32(d.ip4.DstIP[1])
+		pseudoSum += uint32(d.ip4.DstIP[2])<<8 | uint32(d.ip4.DstIP[3])
+		pseudoSum += uint32(d.ip4.Protocol)
+		pseudoSum += uint32(tcpLength)
+	case layers.LayerTypeIPv6:
+		for i := 0; i < 16; i += 2 {
+			pseudoSum += uint32(d.ip6.SrcIP[i])<<8 | uint32(d.ip6.SrcIP[i+1])
+		}
+		for i := 0; i < 16; i += 2 {
+			pseudoSum += uint32(d.ip6.DstIP[i])<<8 | uint32(d.ip6.DstIP[i+1])
+		}
+		pseudoSum += uint32(tcpLength)
+		pseudoSum += uint32(layers.IPProtocolTCP)
+	}

-	var sum = pseudoSum
+	sum := pseudoSum
 	for i := 0; i < tcpLength-1; i += 2 {
 		sum += uint32(tcpLayer[i])<<8 | uint32(tcpLayer[i+1])
 	}
@@ -877,6 +945,9 @@ func (m *Manager) trackOutbound(d *decoder, srcIP, dstIP netip.Addr, packetData
 		}
 	case layers.LayerTypeICMPv4:
 		m.icmpTracker.TrackOutbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, d.icmp4.Payload, size)
+	case layers.LayerTypeICMPv6:
+		id, tc := icmpv6EchoFields(d)
+		m.icmpTracker.TrackOutbound(srcIP, dstIP, id, tc, d.icmp6.Payload, size)
 	}
 }

@@ -890,6 +961,9 @@ func (m *Manager) trackInbound(d *decoder, srcIP, dstIP netip.Addr, ruleID []byt
 		m.tcpTracker.TrackInbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, ruleID, size, d.dnatOrigPort)
 	case layers.LayerTypeICMPv4:
 		m.icmpTracker.TrackInbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, ruleID, d.icmp4.Payload, size)
+	case layers.LayerTypeICMPv6:
+		id, tc := icmpv6EchoFields(d)
+		m.icmpTracker.TrackInbound(srcIP, dstIP, id, tc, ruleID, d.icmp6.Payload, size)
 	}

 	d.dnatOrigPort = 0
@@ -949,15 +1023,19 @@ func (m *Manager) filterInbound(packetData []byte, size int) bool {

 	// TODO: pass fragments of routed packets to forwarder
 	if fragment {
-		m.logger.Trace4("packet is a fragment: src=%v dst=%v id=%v flags=%v",
-			srcIP, dstIP, d.ip4.Id, d.ip4.Flags)
+		if d.decoded[0] == layers.LayerTypeIPv4 {
+			m.logger.Trace4("packet is a fragment: src=%v dst=%v id=%v flags=%v",
+				srcIP, dstIP, d.ip4.Id, d.ip4.Flags)
+		} else {
+			m.logger.Trace2("packet is an IPv6 fragment: src=%v dst=%v", srcIP, dstIP)
+		}
 		return false
 	}

 	// TODO: optimize port DNAT by caching matched rules in conntrack
 	if translated := m.translateInboundPortDNAT(packetData, d, srcIP, dstIP); translated {
 		// Re-decode after port DNAT translation to update port information
-		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
+		if err := d.decodePacket(packetData); err != nil {
 			m.logger.Error1("failed to re-decode packet after port DNAT: %v", err)
 			return true
 		}
@@ -966,7 +1044,7 @@ func (m *Manager) filterInbound(packetData []byte, size int) bool {

 	if translated := m.translateInboundReverse(packetData, d); translated {
 		// Re-decode after translation to get original addresses
-		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
+		if err := d.decodePacket(packetData); err != nil {
 			m.logger.Error1("failed to re-decode packet after reverse DNAT: %v", err)
 			return true
 		}
@@ -1098,6 +1176,48 @@ func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packe
 	return true
 }

+// icmpv6EchoFields extracts the echo identifier from an ICMPv6 packet and maps
+// the ICMPv6 type code to an ICMPv4TypeCode so the ICMP conntrack can handle
+// both families uniformly. The echo ID is in the first two payload bytes.
+func icmpv6EchoFields(d *decoder) (id uint16, tc layers.ICMPv4TypeCode) {
+	if len(d.icmp6.Payload) >= 2 {
+		id = uint16(d.icmp6.Payload[0])<<8 | uint16(d.icmp6.Payload[1])
+	}
+	// Map ICMPv6 echo types to ICMPv4 equivalents for unified tracking.
+	switch d.icmp6.TypeCode.Type() {
+	case layers.ICMPv6TypeEchoRequest:
+		tc = layers.CreateICMPv4TypeCode(layers.ICMPv4TypeEchoRequest, 0)
+	case layers.ICMPv6TypeEchoReply:
+		tc = layers.CreateICMPv4TypeCode(layers.ICMPv4TypeEchoReply, 0)
+	default:
+		tc = layers.CreateICMPv4TypeCode(d.icmp6.TypeCode.Type(), d.icmp6.TypeCode.Code())
+	}
+	return id, tc
+}
+
+// protoLayerMatches checks if a packet's protocol layer matches a rule's expected
+// protocol layer. ICMPv4 and ICMPv6 are treated as equivalent when matching
+// ICMP rules since management sends a single ICMP rule for both families.
+func protoLayerMatches(ruleLayer, packetLayer gopacket.LayerType) bool {
+	if ruleLayer == packetLayer {
+		return true
+	}
+	if ruleLayer == layers.LayerTypeICMPv4 && packetLayer == layers.LayerTypeICMPv6 {
+		return true
+	}
+	if ruleLayer == layers.LayerTypeICMPv6 && packetLayer == layers.LayerTypeICMPv4 {
+		return true
+	}
+	return false
+}
+
+func ipLayerFromPrefix(p netip.Prefix) gopacket.LayerType {
+	if p.Addr().Is6() {
+		return layers.LayerTypeIPv6
+	}
+	return layers.LayerTypeIPv4
+}
+
 func protoToLayer(proto firewall.Protocol, ipLayer gopacket.LayerType) gopacket.LayerType {
 	switch proto {
 	case firewall.ProtocolTCP:
@@ -1121,8 +1241,10 @@ func getProtocolFromPacket(d *decoder) nftypes.Protocol {
 		return nftypes.TCP
 	case layers.LayerTypeUDP:
 		return nftypes.UDP
-	case layers.LayerTypeICMPv4, layers.LayerTypeICMPv6:
+	case layers.LayerTypeICMPv4:
 		return nftypes.ICMP
+	case layers.LayerTypeICMPv6:
+		return nftypes.ICMPv6
 	default:
 		return nftypes.ProtocolUnknown
 	}
@@ -1143,7 +1265,7 @@ func getPortsFromPacket(d *decoder) (srcPort, dstPort uint16) {
 // It returns true, false if the packet is valid and not a fragment.
 // It returns true, true if the packet is a fragment and valid.
 func (m *Manager) isValidPacket(d *decoder, packetData []byte) (bool, bool) {
-	if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
+	if err := d.decodePacket(packetData); err != nil {
 		m.logger.Trace1("couldn't decode packet, err: %s", err)
 		return false, false
 	}
@@ -1156,10 +1278,18 @@ func (m *Manager) isValidPacket(d *decoder, packetData []byte) (bool, bool) {
 	}

 	// Fragments are also valid
-	if l == 1 && d.decoded[0] == layers.LayerTypeIPv4 {
-		ip4 := d.ip4
-		if ip4.Flags&layers.IPv4MoreFragments != 0 || ip4.FragOffset != 0 {
-			return true, true
+	if l == 1 {
+		switch d.decoded[0] {
+		case layers.LayerTypeIPv4:
+			if d.ip4.Flags&layers.IPv4MoreFragments != 0 || d.ip4.FragOffset != 0 {
+				return true, true
+			}
+		case layers.LayerTypeIPv6:
+			// IPv6 uses Fragment extension header (NextHeader=44). If gopacket
+			// only decoded the IPv6 layer, the transport is in a fragment.
+			if d.ip6.NextHeader == layers.IPProtocolIPv6Fragment {
+				return true, true
+			}
 		}
 	}

@@ -1197,21 +1327,34 @@ func (m *Manager) isValidTrackedConnection(d *decoder, srcIP, dstIP netip.Addr,
 			size,
 		)

-		// TODO: ICMPv6
+	case layers.LayerTypeICMPv6:
+		id, _ := icmpv6EchoFields(d)
+		return m.icmpTracker.IsValidInbound(
+			srcIP,
+			dstIP,
+			id,
+			d.icmp6.TypeCode.Type(),
+			size,
+		)
 	}

 	return false
 }

-// isSpecialICMP returns true if the packet is a special ICMP packet that should be allowed
+// isSpecialICMP returns true if the packet is a special ICMP error packet that should be allowed.
 func (m *Manager) isSpecialICMP(d *decoder) bool {
-	if d.decoded[1] != layers.LayerTypeICMPv4 {
-		return false
+	switch d.decoded[1] {
+	case layers.LayerTypeICMPv4:
+		icmpType := d.icmp4.TypeCode.Type()
+		return icmpType == layers.ICMPv4TypeDestinationUnreachable ||
+			icmpType == layers.ICMPv4TypeTimeExceeded
+	case layers.LayerTypeICMPv6:
+		icmpType := d.icmp6.TypeCode.Type()
+		return icmpType == layers.ICMPv6TypeDestinationUnreachable ||
+			icmpType == layers.ICMPv6TypePacketTooBig ||
+			icmpType == layers.ICMPv6TypeTimeExceeded
 	}
-
-	icmpType := d.icmp4.TypeCode.Type()
-	return icmpType == layers.ICMPv4TypeDestinationUnreachable ||
-		icmpType == layers.ICMPv4TypeTimeExceeded
+	return false
 }

 func (m *Manager) peerACLsBlock(srcIP netip.Addr, d *decoder, packetData []byte) ([]byte, bool) {
@@ -1268,7 +1411,7 @@ func validateRule(ip netip.Addr, packetData []byte, rules map[string]PeerRule, d
 			return rule.mgmtId, rule.drop, true
 		}

-		if payloadLayer != rule.protoLayer {
+		if !protoLayerMatches(rule.protoLayer, payloadLayer) {
 			continue
 		}

@@ -1309,8 +1452,7 @@ func (m *Manager) routeACLsPass(srcIP, dstIP netip.Addr, protoLayer gopacket.Lay
 }

 func (m *Manager) ruleMatches(rule *RouteRule, srcAddr, dstAddr netip.Addr, protoLayer gopacket.LayerType, srcPort, dstPort uint16) bool {
-	// TODO: handle ipv6 vs ipv4 icmp rules
-	if rule.protoLayer != layerTypeAll && rule.protoLayer != protoLayer {
+	if rule.protoLayer != layerTypeAll && !protoLayerMatches(rule.protoLayer, protoLayer) {
 		return false
 	}

@@ -1515,7 +1657,8 @@ func (m *Manager) shouldForward(d *decoder, dstIP netip.Addr) bool {
 	}

 	// traffic to our other local interfaces (not NetBird IP) - always forward
-	if dstIP != m.wgIface.Address().IP {
+	addr := m.wgIface.Address()
+	if dstIP != addr.IP && (!addr.IPv6.IsValid() || dstIP != addr.IPv6) {
 		return true
 	}

--- a/client/firewall/uspfilter/filter_bench_test.go
+++ b/client/firewall/uspfilter/filter_bench_test.go
@@ -1023,7 +1023,8 @@ func BenchmarkMSSClamping(b *testing.B) {
 			}()

 			manager.mssClampEnabled = true
-			manager.mssClampValue = 1240
+			manager.mssClampValueIPv4 = 1240
+			manager.mssClampValueIPv6 = 1220

 			srcIP := net.ParseIP("100.64.0.2")
 			dstIP := net.ParseIP("8.8.8.8")
@@ -1088,7 +1089,8 @@ func BenchmarkMSSClampingOverhead(b *testing.B) {

 			manager.mssClampEnabled = sc.enabled
 			if sc.enabled {
-				manager.mssClampValue = 1240
+				manager.mssClampValueIPv4 = 1240
+				manager.mssClampValueIPv6 = 1220
 			}

 			srcIP := net.ParseIP("100.64.0.2")
@@ -1141,7 +1143,8 @@ func BenchmarkMSSClampingMemory(b *testing.B) {
 			}()

 			manager.mssClampEnabled = true
-			manager.mssClampValue = 1240
+			manager.mssClampValueIPv4 = 1240
+			manager.mssClampValueIPv6 = 1220

 			srcIP := net.ParseIP("100.64.0.2")
 			dstIP := net.ParseIP("8.8.8.8")
--- a/client/firewall/uspfilter/filter_filter_test.go
+++ b/client/firewall/uspfilter/filter_filter_test.go
@@ -539,53 +539,236 @@ func TestPeerACLFiltering(t *testing.T) {
 	}
 }

+func TestPeerACLFilteringIPv6(t *testing.T) {
+	localIP := netip.MustParseAddr("100.10.0.100")
+	localIPv6 := netip.MustParseAddr("fd00::100")
+	wgNet := netip.MustParsePrefix("100.10.0.0/16")
+	wgNetV6 := netip.MustParsePrefix("fd00::/64")
+
+	ifaceMock := &IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+		AddressFunc: func() wgaddr.Address {
+			return wgaddr.Address{
+				IP:      localIP,
+				Network: wgNet,
+				IPv6:    localIPv6,
+				IPv6Net: wgNetV6,
+			}
+		},
+	}
+
+	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
+	require.NoError(t, err)
+	t.Cleanup(func() { require.NoError(t, manager.Close(nil)) })
+
+	err = manager.UpdateLocalIPs()
+	require.NoError(t, err)
+
+	testCases := []struct {
+		name            string
+		srcIP           string
+		dstIP           string
+		proto           fw.Protocol
+		srcPort         uint16
+		dstPort         uint16
+		ruleIP          string
+		ruleProto       fw.Protocol
+		ruleDstPort     *fw.Port
+		ruleAction      fw.Action
+		shouldBeBlocked bool
+	}{
+		{
+			name:            "IPv6: allow TCP from peer",
+			srcIP:           "fd00::1",
+			dstIP:           "fd00::100",
+			proto:           fw.ProtocolTCP,
+			srcPort:         12345,
+			dstPort:         443,
+			ruleIP:          "fd00::1",
+			ruleProto:       fw.ProtocolTCP,
+			ruleDstPort:     &fw.Port{Values: []uint16{443}},
+			ruleAction:      fw.ActionAccept,
+			shouldBeBlocked: false,
+		},
+		{
+			name:            "IPv6: allow UDP from peer",
+			srcIP:           "fd00::1",
+			dstIP:           "fd00::100",
+			proto:           fw.ProtocolUDP,
+			srcPort:         12345,
+			dstPort:         53,
+			ruleIP:          "fd00::1",
+			ruleProto:       fw.ProtocolUDP,
+			ruleDstPort:     &fw.Port{Values: []uint16{53}},
+			ruleAction:      fw.ActionAccept,
+			shouldBeBlocked: false,
+		},
+		{
+			name:            "IPv6: allow ICMPv6 from peer",
+			srcIP:           "fd00::1",
+			dstIP:           "fd00::100",
+			proto:           fw.ProtocolICMP,
+			ruleIP:          "fd00::1",
+			ruleProto:       fw.ProtocolICMP,
+			ruleAction:      fw.ActionAccept,
+			shouldBeBlocked: false,
+		},
+		{
+			name:            "IPv6: block TCP without rule",
+			srcIP:           "fd00::2",
+			dstIP:           "fd00::100",
+			proto:           fw.ProtocolTCP,
+			srcPort:         12345,
+			dstPort:         443,
+			ruleIP:          "fd00::1",
+			ruleProto:       fw.ProtocolTCP,
+			ruleDstPort:     &fw.Port{Values: []uint16{443}},
+			ruleAction:      fw.ActionAccept,
+			shouldBeBlocked: true,
+		},
+		{
+			name:            "IPv6: drop rule",
+			srcIP:           "fd00::1",
+			dstIP:           "fd00::100",
+			proto:           fw.ProtocolTCP,
+			srcPort:         12345,
+			dstPort:         22,
+			ruleIP:          "fd00::1",
+			ruleProto:       fw.ProtocolTCP,
+			ruleDstPort:     &fw.Port{Values: []uint16{22}},
+			ruleAction:      fw.ActionDrop,
+			shouldBeBlocked: true,
+		},
+		{
+			name:            "IPv6: allow all protocols",
+			srcIP:           "fd00::1",
+			dstIP:           "fd00::100",
+			proto:           fw.ProtocolUDP,
+			srcPort:         12345,
+			dstPort:         9999,
+			ruleIP:          "fd00::1",
+			ruleProto:       fw.ProtocolALL,
+			ruleAction:      fw.ActionAccept,
+			shouldBeBlocked: false,
+		},
+		{
+			name:            "IPv6: v4 wildcard ICMP rule matches ICMPv6 via protoLayerMatches",
+			srcIP:           "fd00::1",
+			dstIP:           "fd00::100",
+			proto:           fw.ProtocolICMP,
+			ruleIP:          "0.0.0.0",
+			ruleProto:       fw.ProtocolICMP,
+			ruleAction:      fw.ActionAccept,
+			shouldBeBlocked: false,
+		},
+	}
+
+	t.Run("IPv6 implicit DROP (no rules)", func(t *testing.T) {
+		packet := createTestPacket(t, "fd00::1", "fd00::100", fw.ProtocolTCP, 12345, 443)
+		isDropped := manager.FilterInbound(packet, 0)
+		require.True(t, isDropped, "IPv6 packet should be dropped when no rules exist")
+	})
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			if tc.ruleAction == fw.ActionDrop {
+				rules, err := manager.AddPeerFiltering(nil, net.ParseIP(tc.ruleIP), fw.ProtocolALL, nil, nil, fw.ActionAccept, "")
+				require.NoError(t, err)
+				t.Cleanup(func() {
+					for _, rule := range rules {
+						require.NoError(t, manager.DeletePeerRule(rule))
+					}
+				})
+			}
+
+			rules, err := manager.AddPeerFiltering(nil, net.ParseIP(tc.ruleIP), tc.ruleProto, nil, tc.ruleDstPort, tc.ruleAction, "")
+			require.NoError(t, err)
+			require.NotEmpty(t, rules)
+			t.Cleanup(func() {
+				for _, rule := range rules {
+					require.NoError(t, manager.DeletePeerRule(rule))
+				}
+			})
+
+			packet := createTestPacket(t, tc.srcIP, tc.dstIP, tc.proto, tc.srcPort, tc.dstPort)
+			isDropped := manager.FilterInbound(packet, 0)
+			require.Equal(t, tc.shouldBeBlocked, isDropped, "packet filter result mismatch")
+		})
+	}
+}
+
 func createTestPacket(t *testing.T, srcIP, dstIP string, proto fw.Protocol, srcPort, dstPort uint16) []byte {
 	t.Helper()

+	src := net.ParseIP(srcIP)
+	dst := net.ParseIP(dstIP)
+
 	buf := gopacket.NewSerializeBuffer()
 	opts := gopacket.SerializeOptions{
 		ComputeChecksums: true,
 		FixLengths:       true,
 	}

-	ipLayer := &layers.IPv4{
-		Version: 4,
-		TTL:     64,
-		SrcIP:   net.ParseIP(srcIP),
-		DstIP:   net.ParseIP(dstIP),
-	}
+	// Detect address family
+	isV6 := src.To4() == nil

 	var err error
-	switch proto {
-	case fw.ProtocolTCP:
-		ipLayer.Protocol = layers.IPProtocolTCP
-		tcp := &layers.TCP{
-			SrcPort: layers.TCPPort(srcPort),
-			DstPort: layers.TCPPort(dstPort),
-		}
-		err = tcp.SetNetworkLayerForChecksum(ipLayer)
-		require.NoError(t, err)
-		err = gopacket.SerializeLayers(buf, opts, ipLayer, tcp)

-	case fw.ProtocolUDP:
-		ipLayer.Protocol = layers.IPProtocolUDP
-		udp := &layers.UDP{
-			SrcPort: layers.UDPPort(srcPort),
-			DstPort: layers.UDPPort(dstPort),
+	if isV6 {
+		ip6 := &layers.IPv6{
+			Version:  6,
+			HopLimit: 64,
+			SrcIP:    src,
+			DstIP:    dst,
 		}
-		err = udp.SetNetworkLayerForChecksum(ipLayer)
-		require.NoError(t, err)
-		err = gopacket.SerializeLayers(buf, opts, ipLayer, udp)

-	case fw.ProtocolICMP:
-		ipLayer.Protocol = layers.IPProtocolICMPv4
-		icmp := &layers.ICMPv4{
-			TypeCode: layers.CreateICMPv4TypeCode(layers.ICMPv4TypeEchoRequest, 0),
+		switch proto {
+		case fw.ProtocolTCP:
+			ip6.NextHeader = layers.IPProtocolTCP
+			tcp := &layers.TCP{SrcPort: layers.TCPPort(srcPort), DstPort: layers.TCPPort(dstPort)}
+			_ = tcp.SetNetworkLayerForChecksum(ip6)
+			err = gopacket.SerializeLayers(buf, opts, ip6, tcp)
+		case fw.ProtocolUDP:
+			ip6.NextHeader = layers.IPProtocolUDP
+			udp := &layers.UDP{SrcPort: layers.UDPPort(srcPort), DstPort: layers.UDPPort(dstPort)}
+			_ = udp.SetNetworkLayerForChecksum(ip6)
+			err = gopacket.SerializeLayers(buf, opts, ip6, udp)
+		case fw.ProtocolICMP:
+			ip6.NextHeader = layers.IPProtocolICMPv6
+			icmp := &layers.ICMPv6{
+				TypeCode: layers.CreateICMPv6TypeCode(layers.ICMPv6TypeEchoRequest, 0),
+			}
+			_ = icmp.SetNetworkLayerForChecksum(ip6)
+			err = gopacket.SerializeLayers(buf, opts, ip6, icmp)
+		default:
+			err = gopacket.SerializeLayers(buf, opts, ip6)
+		}
+	} else {
+		ip4 := &layers.IPv4{
+			Version: 4,
+			TTL:     64,
+			SrcIP:   src,
+			DstIP:   dst,
 		}
-		err = gopacket.SerializeLayers(buf, opts, ipLayer, icmp)

-	default:
-		err = gopacket.SerializeLayers(buf, opts, ipLayer)
+		switch proto {
+		case fw.ProtocolTCP:
+			ip4.Protocol = layers.IPProtocolTCP
+			tcp := &layers.TCP{SrcPort: layers.TCPPort(srcPort), DstPort: layers.TCPPort(dstPort)}
+			_ = tcp.SetNetworkLayerForChecksum(ip4)
+			err = gopacket.SerializeLayers(buf, opts, ip4, tcp)
+		case fw.ProtocolUDP:
+			ip4.Protocol = layers.IPProtocolUDP
+			udp := &layers.UDP{SrcPort: layers.UDPPort(srcPort), DstPort: layers.UDPPort(dstPort)}
+			_ = udp.SetNetworkLayerForChecksum(ip4)
+			err = gopacket.SerializeLayers(buf, opts, ip4, udp)
+		case fw.ProtocolICMP:
+			ip4.Protocol = layers.IPProtocolICMPv4
+			icmp := &layers.ICMPv4{TypeCode: layers.CreateICMPv4TypeCode(layers.ICMPv4TypeEchoRequest, 0)}
+			err = gopacket.SerializeLayers(buf, opts, ip4, icmp)
+		default:
+			err = gopacket.SerializeLayers(buf, opts, ip4)
+		}
 	}

 	require.NoError(t, err)
@@ -1498,3 +1681,103 @@ func TestRouteACLSet(t *testing.T) {
 	_, isAllowed = manager.routeACLsPass(srcIP, dstIP, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
 	require.True(t, isAllowed, "After set update, traffic to the added network should be allowed")
 }
+
+// TestRouteACLFilteringIPv6 tests IPv6 route ACL matching directly via routeACLsPass.
+// Note: full FilterInbound for routed IPv6 traffic drops at the forwarder stage (IPv4-only)
+// but the ACL decision itself is correct.
+func TestRouteACLFilteringIPv6(t *testing.T) {
+	manager := setupRoutedManager(t, "10.10.0.100/16")
+
+	v6Dst := netip.MustParsePrefix("fd00:dead:beef::/48")
+	_, err := manager.AddRouteFiltering(
+		nil,
+		[]netip.Prefix{netip.MustParsePrefix("fd00::/16")},
+		fw.Network{Prefix: v6Dst},
+		fw.ProtocolTCP,
+		nil,
+		&fw.Port{Values: []uint16{80}},
+		fw.ActionAccept,
+	)
+	require.NoError(t, err)
+
+	_, err = manager.AddRouteFiltering(
+		nil,
+		[]netip.Prefix{netip.MustParsePrefix("fd00::/16")},
+		fw.Network{Prefix: netip.MustParsePrefix("fd00:dead:beef:1::/64")},
+		fw.ProtocolALL,
+		nil,
+		nil,
+		fw.ActionDrop,
+	)
+	require.NoError(t, err)
+
+	tests := []struct {
+		name    string
+		srcIP   netip.Addr
+		dstIP   netip.Addr
+		proto   gopacket.LayerType
+		srcPort uint16
+		dstPort uint16
+		allowed bool
+	}{
+		{
+			name:    "IPv6 TCP to allowed dest",
+			srcIP:   netip.MustParseAddr("fd00::1"),
+			dstIP:   netip.MustParseAddr("fd00:dead:beef::80"),
+			proto:   layers.LayerTypeTCP,
+			srcPort: 12345,
+			dstPort: 80,
+			allowed: true,
+		},
+		{
+			name:    "IPv6 TCP wrong port",
+			srcIP:   netip.MustParseAddr("fd00::1"),
+			dstIP:   netip.MustParseAddr("fd00:dead:beef::80"),
+			proto:   layers.LayerTypeTCP,
+			srcPort: 12345,
+			dstPort: 443,
+			allowed: false,
+		},
+		{
+			name:    "IPv6 UDP not matched by TCP rule",
+			srcIP:   netip.MustParseAddr("fd00::1"),
+			dstIP:   netip.MustParseAddr("fd00:dead:beef::80"),
+			proto:   layers.LayerTypeUDP,
+			srcPort: 12345,
+			dstPort: 80,
+			allowed: false,
+		},
+		{
+			name:    "IPv6 ICMPv6 matches ICMP rule via protoLayerMatches",
+			srcIP:   netip.MustParseAddr("fd00::1"),
+			dstIP:   netip.MustParseAddr("fd00:dead:beef::80"),
+			proto:   layers.LayerTypeICMPv6,
+			allowed: false,
+		},
+		{
+			name:    "IPv6 to denied subnet",
+			srcIP:   netip.MustParseAddr("fd00::1"),
+			dstIP:   netip.MustParseAddr("fd00:dead:beef:1::1"),
+			proto:   layers.LayerTypeTCP,
+			srcPort: 12345,
+			dstPort: 80,
+			allowed: false,
+		},
+		{
+			name:    "IPv6 source outside allowed range",
+			srcIP:   netip.MustParseAddr("fe80::1"),
+			dstIP:   netip.MustParseAddr("fd00:dead:beef::80"),
+			proto:   layers.LayerTypeTCP,
+			srcPort: 12345,
+			dstPort: 80,
+			allowed: false,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			_, pass := manager.routeACLsPass(tc.srcIP, tc.dstIP, tc.proto, tc.srcPort, tc.dstPort)
+			require.Equal(t, tc.allowed, pass, "route ACL result mismatch")
+		})
+	}
+}
--- a/client/firewall/uspfilter/filter_test.go
+++ b/client/firewall/uspfilter/filter_test.go
@@ -582,11 +582,16 @@ func TestProcessOutgoingHooks(t *testing.T) {
 			d := &decoder{
 				decoded: []gopacket.LayerType{},
 			}
-			d.parser = gopacket.NewDecodingLayerParser(
+			d.parser4 = gopacket.NewDecodingLayerParser(
 				layers.LayerTypeIPv4,
 				&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
 			)
-			d.parser.IgnoreUnsupported = true
+			d.parser4.IgnoreUnsupported = true
+			d.parser6 = gopacket.NewDecodingLayerParser(
+				layers.LayerTypeIPv6,
+				&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
+			)
+			d.parser6.IgnoreUnsupported = true
 			return d
 		},
 	}
@@ -687,11 +692,16 @@ func TestStatefulFirewall_UDPTracking(t *testing.T) {
 			d := &decoder{
 				decoded: []gopacket.LayerType{},
 			}
-			d.parser = gopacket.NewDecodingLayerParser(
+			d.parser4 = gopacket.NewDecodingLayerParser(
 				layers.LayerTypeIPv4,
 				&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
 			)
-			d.parser.IgnoreUnsupported = true
+			d.parser4.IgnoreUnsupported = true
+			d.parser6 = gopacket.NewDecodingLayerParser(
+				layers.LayerTypeIPv6,
+				&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
+			)
+			d.parser6.IgnoreUnsupported = true
 			return d
 		},
 	}
@@ -1097,8 +1107,8 @@ func TestMSSClamping(t *testing.T) {
 	}()

 	require.True(t, manager.mssClampEnabled, "MSS clamping should be enabled by default")
-	expectedMSSValue := uint16(1280 - ipTCPHeaderMinSize)
-	require.Equal(t, expectedMSSValue, manager.mssClampValue, "MSS clamp value should be MTU - 40")
+	require.Equal(t, uint16(1280-ipv4TCPHeaderMinSize), manager.mssClampValueIPv4, "IPv4 MSS clamp value should be MTU - 40")
+	require.Equal(t, uint16(1280-ipv6TCPHeaderMinSize), manager.mssClampValueIPv6, "IPv6 MSS clamp value should be MTU - 60")

 	err = manager.UpdateLocalIPs()
 	require.NoError(t, err)
@@ -1116,7 +1126,7 @@ func TestMSSClamping(t *testing.T) {
 		require.Len(t, d.tcp.Options, 1, "Should have MSS option")
 		require.Equal(t, uint8(layers.TCPOptionKindMSS), uint8(d.tcp.Options[0].OptionType))
 		actualMSS := binary.BigEndian.Uint16(d.tcp.Options[0].OptionData)
-		require.Equal(t, expectedMSSValue, actualMSS, "MSS should be clamped to MTU - 40")
+		require.Equal(t, manager.mssClampValueIPv4, actualMSS, "MSS should be clamped to MTU - 40")
 	})

 	t.Run("SYN packet with low MSS unchanged", func(t *testing.T) {
@@ -1140,7 +1150,7 @@ func TestMSSClamping(t *testing.T) {
 		d := parsePacket(t, packet)
 		require.Len(t, d.tcp.Options, 1, "Should have MSS option")
 		actualMSS := binary.BigEndian.Uint16(d.tcp.Options[0].OptionData)
-		require.Equal(t, expectedMSSValue, actualMSS, "MSS in SYN-ACK should be clamped")
+		require.Equal(t, manager.mssClampValueIPv4, actualMSS, "MSS in SYN-ACK should be clamped")
 	})

 	t.Run("Non-SYN packet unchanged", func(t *testing.T) {
@@ -1312,13 +1322,18 @@ func TestShouldForward(t *testing.T) {
 		d := &decoder{
 			decoded: []gopacket.LayerType{},
 		}
-		d.parser = gopacket.NewDecodingLayerParser(
+		d.parser4 = gopacket.NewDecodingLayerParser(
 			layers.LayerTypeIPv4,
 			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
 		)
-		d.parser.IgnoreUnsupported = true
+		d.parser4.IgnoreUnsupported = true
+		d.parser6 = gopacket.NewDecodingLayerParser(
+			layers.LayerTypeIPv6,
+			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
+		)
+		d.parser6.IgnoreUnsupported = true

-		err = d.parser.DecodeLayers(buf.Bytes(), &d.decoded)
+		err = d.decodePacket(buf.Bytes())
 		require.NoError(t, err)

 		return d
@@ -1378,6 +1393,44 @@ func TestShouldForward(t *testing.T) {
 		},
 	}

+	// Add IPv6 to the interface and test dual-stack cases
+	wgIPv6 := netip.MustParseAddr("fd00::1")
+	otherIPv6 := netip.MustParseAddr("fd00::2")
+	ifaceMock.AddressFunc = func() wgaddr.Address {
+		return wgaddr.Address{
+			IP:      wgIP,
+			Network: netip.PrefixFrom(wgIP, 24),
+			IPv6:    wgIPv6,
+			IPv6Net: netip.PrefixFrom(wgIPv6, 64),
+		}
+	}
+
+	// Re-create manager to pick up the new address with IPv6
+	require.NoError(t, manager.Close(nil))
+	manager, err = Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	require.NoError(t, err)
+
+	v6Cases := []struct {
+		name        string
+		dstIP       netip.Addr
+		expected    bool
+		description string
+	}{
+		{"v6 traffic to other address", otherIPv6, true, "should forward v6 traffic not destined to our v6 address"},
+		{"v6 traffic to our v6 IP", wgIPv6, false, "should not forward traffic destined to our v6 address"},
+		{"v4 traffic to other with v6 configured", otherIP, true, "should forward v4 traffic when v6 configured"},
+		{"v4 traffic to our v4 IP with v6 configured", wgIP, false, "should not forward traffic to our v4 address"},
+	}
+	for _, tt := range v6Cases {
+		t.Run(tt.name, func(t *testing.T) {
+			manager.localForwarding = true
+			manager.netstack = false
+			decoder := createTCPDecoder(8080)
+			result := manager.shouldForward(decoder, tt.dstIP)
+			require.Equal(t, tt.expected, result, tt.description)
+		})
+	}
+
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Configure manager
--- a/client/firewall/uspfilter/forwarder/endpoint.go
+++ b/client/firewall/uspfilter/forwarder/endpoint.go
@@ -1,7 +1,8 @@
 package forwarder

 import (
-	"fmt"
+	"net"
+	"strconv"
 	"sync/atomic"

 	wgdevice "golang.zx2c4.com/wireguard/device"
@@ -47,17 +48,23 @@ func (e *endpoint) LinkAddress() tcpip.LinkAddress {
 func (e *endpoint) WritePackets(pkts stack.PacketBufferList) (int, tcpip.Error) {
 	var written int
 	for _, pkt := range pkts.AsSlice() {
-		netHeader := header.IPv4(pkt.NetworkHeader().View().AsSlice())
-
 		data := stack.PayloadSince(pkt.NetworkHeader())
 		if data == nil {
 			continue
 		}

-		// Send the packet through WireGuard
-		address := netHeader.DestinationAddress()
-		err := e.device.CreateOutboundPacket(data.AsSlice(), address.AsSlice())
-		if err != nil {
+		raw := pkt.NetworkHeader().View().AsSlice()
+		if len(raw) == 0 {
+			continue
+		}
+		var address tcpip.Address
+		if raw[0]>>4 == 6 {
+			address = header.IPv6(raw).DestinationAddress()
+		} else {
+			address = header.IPv4(raw).DestinationAddress()
+		}
+
+		if err := e.device.CreateOutboundPacket(data.AsSlice(), address.AsSlice()); err != nil {
 			e.logger.Error1("CreateOutboundPacket: %v", err)
 			continue
 		}
@@ -103,5 +110,7 @@ type epID stack.TransportEndpointID

 func (i epID) String() string {
 	// src and remote is swapped
-	return fmt.Sprintf("%s:%d → %s:%d", i.RemoteAddress, i.RemotePort, i.LocalAddress, i.LocalPort)
+	return net.JoinHostPort(i.RemoteAddress.String(), strconv.Itoa(int(i.RemotePort))) +
+		" → " +
+		net.JoinHostPort(i.LocalAddress.String(), strconv.Itoa(int(i.LocalPort)))
 }
--- a/client/firewall/uspfilter/forwarder/forwarder.go
+++ b/client/firewall/uspfilter/forwarder/forwarder.go
@@ -14,6 +14,7 @@ import (
 	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/tcpip/header"
 	"gvisor.dev/gvisor/pkg/tcpip/network/ipv4"
+	"gvisor.dev/gvisor/pkg/tcpip/network/ipv6"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
 	"gvisor.dev/gvisor/pkg/tcpip/transport/icmp"
 	"gvisor.dev/gvisor/pkg/tcpip/transport/tcp"
@@ -36,25 +37,31 @@ type Forwarder struct {
 	logger     *nblog.Logger
 	flowLogger nftypes.FlowLogger
 	// ruleIdMap is used to store the rule ID for a given connection
-	ruleIdMap        sync.Map
-	stack            *stack.Stack
-	endpoint         *endpoint
-	udpForwarder     *udpForwarder
-	ctx              context.Context
-	cancel           context.CancelFunc
-	ip               tcpip.Address
-	netstack         bool
-	hasRawICMPAccess bool
-	pingSemaphore    chan struct{}
+	ruleIdMap          sync.Map
+	stack              *stack.Stack
+	endpoint           *endpoint
+	udpForwarder       *udpForwarder
+	ctx                context.Context
+	cancel             context.CancelFunc
+	ip                 tcpip.Address
+	ipv6               tcpip.Address
+	netstack           bool
+	hasRawICMPAccess   bool
+	hasRawICMPv6Access bool
+	pingSemaphore      chan struct{}
 }

 func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.FlowLogger, netstack bool, mtu uint16) (*Forwarder, error) {
 	s := stack.New(stack.Options{
-		NetworkProtocols: []stack.NetworkProtocolFactory{ipv4.NewProtocol},
+		NetworkProtocols: []stack.NetworkProtocolFactory{
+			ipv4.NewProtocol,
+			ipv6.NewProtocol,
+		},
 		TransportProtocols: []stack.TransportProtocolFactory{
 			tcp.NewProtocol,
 			udp.NewProtocol,
 			icmp.NewProtocol4,
+			icmp.NewProtocol6,
 		},
 		HandleLocal: false,
 	})
@@ -73,7 +80,7 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 	protoAddr := tcpip.ProtocolAddress{
 		Protocol: ipv4.ProtocolNumber,
 		AddressWithPrefix: tcpip.AddressWithPrefix{
-			Address:   tcpip.AddrFromSlice(iface.Address().IP.AsSlice()),
+			Address:   tcpip.AddrFrom4(iface.Address().IP.As4()),
 			PrefixLen: iface.Address().Network.Bits(),
 		},
 	}
@@ -82,6 +89,19 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 		return nil, fmt.Errorf("failed to add protocol address: %s", err)
 	}

+	if v6 := iface.Address().IPv6; v6.IsValid() {
+		v6Addr := tcpip.ProtocolAddress{
+			Protocol: ipv6.ProtocolNumber,
+			AddressWithPrefix: tcpip.AddressWithPrefix{
+				Address:   tcpip.AddrFrom16(v6.As16()),
+				PrefixLen: iface.Address().IPv6Net.Bits(),
+			},
+		}
+		if err := s.AddProtocolAddress(nicID, v6Addr, stack.AddressProperties{}); err != nil {
+			return nil, fmt.Errorf("add IPv6 protocol address: %s", err)
+		}
+	}
+
 	defaultSubnet, err := tcpip.NewSubnet(
 		tcpip.AddrFrom4([4]byte{0, 0, 0, 0}),
 		tcpip.MaskFromBytes([]byte{0, 0, 0, 0}),
@@ -90,6 +110,14 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 		return nil, fmt.Errorf("creating default subnet: %w", err)
 	}

+	defaultSubnetV6, err := tcpip.NewSubnet(
+		tcpip.AddrFrom16([16]byte{}),
+		tcpip.MaskFromBytes(make([]byte, 16)),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("creating default v6 subnet: %w", err)
+	}
+
 	if err := s.SetPromiscuousMode(nicID, true); err != nil {
 		return nil, fmt.Errorf("set promiscuous mode: %s", err)
 	}
@@ -98,10 +126,8 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 	}

 	s.SetRouteTable([]tcpip.Route{
-		{
-			Destination: defaultSubnet,
-			NIC:         nicID,
-		},
+		{Destination: defaultSubnet, NIC: nicID},
+		{Destination: defaultSubnetV6, NIC: nicID},
 	})

 	ctx, cancel := context.WithCancel(context.Background())
@@ -114,7 +140,8 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 		ctx:           ctx,
 		cancel:        cancel,
 		netstack:      netstack,
-		ip:            tcpip.AddrFromSlice(iface.Address().IP.AsSlice()),
+		ip:            tcpip.AddrFrom4(iface.Address().IP.As4()),
+		ipv6:          addrFromNetipAddr(iface.Address().IPv6),
 		pingSemaphore: make(chan struct{}, 3),
 	}

@@ -131,7 +158,10 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 	udpForwarder := udp.NewForwarder(s, f.handleUDP)
 	s.SetTransportProtocolHandler(udp.ProtocolNumber, udpForwarder.HandlePacket)

-	s.SetTransportProtocolHandler(icmp.ProtocolNumber4, f.handleICMP)
+	// ICMP is handled directly in InjectIncomingPacket, bypassing gVisor's
+	// network layer. This avoids duplicate echo replies (v4) and the v6
+	// auto-reply bug where gVisor responds at the network layer before
+	// our transport handler fires.

 	f.checkICMPCapability()

@@ -140,8 +170,30 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 }

 func (f *Forwarder) InjectIncomingPacket(payload []byte) error {
-	if len(payload) < header.IPv4MinimumSize {
-		return fmt.Errorf("packet too small: %d bytes", len(payload))
+	if len(payload) == 0 {
+		return fmt.Errorf("empty packet")
+	}
+
+	var protoNum tcpip.NetworkProtocolNumber
+	switch payload[0] >> 4 {
+	case 4:
+		if len(payload) < header.IPv4MinimumSize {
+			return fmt.Errorf("IPv4 packet too small: %d bytes", len(payload))
+		}
+		if f.handleICMPDirect(payload) {
+			return nil
+		}
+		protoNum = ipv4.ProtocolNumber
+	case 6:
+		if len(payload) < header.IPv6MinimumSize {
+			return fmt.Errorf("IPv6 packet too small: %d bytes", len(payload))
+		}
+		if f.handleICMPDirect(payload) {
+			return nil
+		}
+		protoNum = ipv6.ProtocolNumber
+	default:
+		return fmt.Errorf("unknown IP version: %d", payload[0]>>4)
 	}

 	pkt := stack.NewPacketBuffer(stack.PacketBufferOptions{
@@ -150,11 +202,95 @@ func (f *Forwarder) InjectIncomingPacket(payload []byte) error {
 	defer pkt.DecRef()

 	if f.endpoint.dispatcher != nil {
-		f.endpoint.dispatcher.DeliverNetworkPacket(ipv4.ProtocolNumber, pkt)
+		f.endpoint.dispatcher.DeliverNetworkPacket(protoNum, pkt)
 	}
 	return nil
 }

+// handleICMPDirect intercepts ICMP packets from raw IP payloads before they
+// enter gVisor. It synthesizes the TransportEndpointID and PacketBuffer that
+// the existing handlers expect, then dispatches to handleICMP/handleICMPv6.
+// This bypasses gVisor's network layer which causes duplicate v4 echo replies
+// and auto-replies to all v6 echo requests in promiscuous mode.
+//
+// Unlike gVisor's network layer, this does not validate ICMP checksums or
+// reassemble IP fragments. Fragmented ICMP packets fall through to gVisor.
+func parseICMPv4(payload []byte) (ipHdrLen int, src, dst tcpip.Address, ok bool) {
+	ip := header.IPv4(payload)
+	if ip.Protocol() != uint8(header.ICMPv4ProtocolNumber) {
+		return 0, src, dst, false
+	}
+	if ip.FragmentOffset() != 0 || ip.Flags()&header.IPv4FlagMoreFragments != 0 {
+		return 0, src, dst, false
+	}
+	ipHdrLen = int(ip.HeaderLength())
+	if len(payload)-ipHdrLen < header.ICMPv4MinimumSize {
+		return 0, src, dst, false
+	}
+	return ipHdrLen, ip.SourceAddress(), ip.DestinationAddress(), true
+}
+
+func parseICMPv6(payload []byte) (ipHdrLen int, src, dst tcpip.Address, ok bool) {
+	ip := header.IPv6(payload)
+	if ip.NextHeader() != uint8(header.ICMPv6ProtocolNumber) {
+		return 0, src, dst, false
+	}
+	ipHdrLen = header.IPv6MinimumSize
+	if len(payload)-ipHdrLen < header.ICMPv6MinimumSize {
+		return 0, src, dst, false
+	}
+	return ipHdrLen, ip.SourceAddress(), ip.DestinationAddress(), true
+}
+
+func (f *Forwarder) handleICMPDirect(payload []byte) bool {
+	var (
+		ipHdrLen int
+		srcAddr  tcpip.Address
+		dstAddr  tcpip.Address
+		ok       bool
+	)
+	switch payload[0] >> 4 {
+	case 4:
+		ipHdrLen, srcAddr, dstAddr, ok = parseICMPv4(payload)
+	case 6:
+		ipHdrLen, srcAddr, dstAddr, ok = parseICMPv6(payload)
+	}
+	if !ok {
+		return false
+	}
+
+	// Let gVisor handle ICMP destined for our own addresses natively.
+	// Its network-layer auto-reply is correct and efficient for local traffic.
+	if f.ip.Equal(dstAddr) || f.ipv6.Equal(dstAddr) {
+		return false
+	}
+
+	id := stack.TransportEndpointID{
+		LocalAddress:  dstAddr,
+		RemoteAddress: srcAddr,
+	}
+
+	// Build a PacketBuffer with headers consumed the same way gVisor would.
+	pkt := stack.NewPacketBuffer(stack.PacketBufferOptions{
+		Payload: buffer.MakeWithData(payload),
+	})
+	defer pkt.DecRef()
+
+	if _, ok := pkt.NetworkHeader().Consume(ipHdrLen); !ok {
+		return false
+	}
+
+	icmpPayload := payload[ipHdrLen:]
+	if _, ok := pkt.TransportHeader().Consume(len(icmpPayload)); !ok {
+		return false
+	}
+
+	if payload[0]>>4 == 6 {
+		return f.handleICMPv6(id, pkt)
+	}
+	return f.handleICMP(id, pkt)
+}
+
 // Stop gracefully shuts down the forwarder
 func (f *Forwarder) Stop() {
 	f.cancel()
@@ -167,11 +303,14 @@ func (f *Forwarder) Stop() {
 	f.stack.Wait()
 }

-func (f *Forwarder) determineDialAddr(addr tcpip.Address) net.IP {
+func (f *Forwarder) determineDialAddr(addr tcpip.Address) netip.Addr {
 	if f.netstack && f.ip.Equal(addr) {
-		return net.IPv4(127, 0, 0, 1)
+		return netip.AddrFrom4([4]byte{127, 0, 0, 1})
 	}
-	return addr.AsSlice()
+	if f.netstack && f.ipv6.Equal(addr) {
+		return netip.IPv6Loopback()
+	}
+	return addrToNetipAddr(addr)
 }

 func (f *Forwarder) RegisterRuleID(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, ruleID []byte) {
@@ -205,23 +344,50 @@ func buildKey(srcIP, dstIP netip.Addr, srcPort, dstPort uint16) conntrack.ConnKe
 	}
 }

+// addrFromNetipAddr converts a netip.Addr to a gvisor tcpip.Address without allocating.
+func addrFromNetipAddr(addr netip.Addr) tcpip.Address {
+	if !addr.IsValid() {
+		return tcpip.Address{}
+	}
+	if addr.Is4() {
+		return tcpip.AddrFrom4(addr.As4())
+	}
+	return tcpip.AddrFrom16(addr.As16())
+}
+
+// addrToNetipAddr converts a gvisor tcpip.Address to netip.Addr without allocating.
+func addrToNetipAddr(addr tcpip.Address) netip.Addr {
+	switch addr.Len() {
+	case 4:
+		return netip.AddrFrom4(addr.As4())
+	case 16:
+		return netip.AddrFrom16(addr.As16())
+	default:
+		return netip.Addr{}
+	}
+}
+
 // checkICMPCapability tests whether we have raw ICMP socket access at startup.
 func (f *Forwarder) checkICMPCapability() {
+	f.hasRawICMPAccess = probeRawICMP("ip4:icmp", "0.0.0.0", f.logger)
+	f.hasRawICMPv6Access = probeRawICMP("ip6:ipv6-icmp", "::", f.logger)
+}
+
+func probeRawICMP(network, addr string, logger *nblog.Logger) bool {
 	ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
 	defer cancel()

 	lc := net.ListenConfig{}
-	conn, err := lc.ListenPacket(ctx, "ip4:icmp", "0.0.0.0")
+	conn, err := lc.ListenPacket(ctx, network, addr)
 	if err != nil {
-		f.hasRawICMPAccess = false
-		f.logger.Debug("forwarder: No raw ICMP socket access, will use ping binary fallback")
-		return
+		logger.Debug1("forwarder: no raw %s socket access, will use ping binary fallback", network)
+		return false
 	}

 	if err := conn.Close(); err != nil {
-		f.logger.Debug1("forwarder: Failed to close ICMP capability test socket: %v", err)
+		logger.Debug2("forwarder: failed to close %s capability test socket: %v", network, err)
 	}

-	f.hasRawICMPAccess = true
-	f.logger.Debug("forwarder: Raw ICMP socket access available")
+	logger.Debug1("forwarder: raw %s socket access available", network)
+	return true
 }
--- a/client/firewall/uspfilter/forwarder/icmp.go
+++ b/client/firewall/uspfilter/forwarder/icmp.go
@@ -35,7 +35,7 @@ func (f *Forwarder) handleICMP(id stack.TransportEndpointID, pkt *stack.PacketBu
 	}

 	icmpData := stack.PayloadSince(pkt.TransportHeader()).AsSlice()
-	conn, err := f.forwardICMPPacket(id, icmpData, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()), 100*time.Millisecond)
+	conn, err := f.forwardICMPPacket(id, icmpData, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()), false, 100*time.Millisecond)
 	if err != nil {
 		f.logger.Error2("forwarder: Failed to forward ICMP packet for %v: %v", epID(id), err)
 		return true
@@ -72,18 +72,23 @@ func (f *Forwarder) handleICMPEcho(flowID uuid.UUID, id stack.TransportEndpointI

 // forwardICMPPacket creates a raw ICMP socket and sends the packet, returning the connection.
 // The caller is responsible for closing the returned connection.
-func (f *Forwarder) forwardICMPPacket(id stack.TransportEndpointID, payload []byte, icmpType, icmpCode uint8, timeout time.Duration) (net.PacketConn, error) {
+func (f *Forwarder) forwardICMPPacket(id stack.TransportEndpointID, payload []byte, icmpType, icmpCode uint8, v6 bool, timeout time.Duration) (net.PacketConn, error) {
 	ctx, cancel := context.WithTimeout(f.ctx, timeout)
 	defer cancel()

+	network, listenAddr := "ip4:icmp", "0.0.0.0"
+	if v6 {
+		network, listenAddr = "ip6:ipv6-icmp", "::"
+	}
+
 	lc := net.ListenConfig{}
-	conn, err := lc.ListenPacket(ctx, "ip4:icmp", "0.0.0.0")
+	conn, err := lc.ListenPacket(ctx, network, listenAddr)
 	if err != nil {
 		return nil, fmt.Errorf("create ICMP socket: %w", err)
 	}

 	dstIP := f.determineDialAddr(id.LocalAddress)
-	dst := &net.IPAddr{IP: dstIP}
+	dst := &net.IPAddr{IP: dstIP.AsSlice()}

 	if _, err = conn.WriteTo(payload, dst); err != nil {
 		if closeErr := conn.Close(); closeErr != nil {
@@ -102,7 +107,7 @@ func (f *Forwarder) forwardICMPPacket(id stack.TransportEndpointID, payload []by
 func (f *Forwarder) handleICMPViaSocket(flowID uuid.UUID, id stack.TransportEndpointID, icmpType, icmpCode uint8, icmpData []byte, rxBytes int) {
 	sendTime := time.Now()

-	conn, err := f.forwardICMPPacket(id, icmpData, icmpType, icmpCode, 5*time.Second)
+	conn, err := f.forwardICMPPacket(id, icmpData, icmpType, icmpCode, false, 5*time.Second)
 	if err != nil {
 		f.logger.Error2("forwarder: Failed to send ICMP packet for %v: %v", epID(id), err)
 		return
@@ -150,19 +155,23 @@ func (f *Forwarder) sendICMPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.T
 		txPackets = 1
 	}

-	srcIp := netip.AddrFrom4(id.RemoteAddress.As4())
-	dstIp := netip.AddrFrom4(id.LocalAddress.As4())
+	srcIp := addrToNetipAddr(id.RemoteAddress)
+	dstIp := addrToNetipAddr(id.LocalAddress)
+
+	proto := nftypes.ICMP
+	if srcIp.Is6() {
+		proto = nftypes.ICMPv6
+	}

 	fields := nftypes.EventFields{
 		FlowID:    flowID,
 		Type:      typ,
 		Direction: nftypes.Ingress,
-		Protocol:  nftypes.ICMP,
-		// TODO: handle ipv6
-		SourceIP: srcIp,
-		DestIP:   dstIp,
-		ICMPType: icmpType,
-		ICMPCode: icmpCode,
+		Protocol:  proto,
+		SourceIP:  srcIp,
+		DestIP:    dstIp,
+		ICMPType:  icmpType,
+		ICMPCode:  icmpCode,

 		RxBytes:   rxBytes,
 		TxBytes:   txBytes,
@@ -209,26 +218,159 @@ func (f *Forwarder) handleICMPViaPing(flowID uuid.UUID, id stack.TransportEndpoi
 	f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
 }

+// handleICMPv6 handles ICMPv6 packets from the network stack.
+func (f *Forwarder) handleICMPv6(id stack.TransportEndpointID, pkt *stack.PacketBuffer) bool {
+	icmpHdr := header.ICMPv6(pkt.TransportHeader().View().AsSlice())
+
+	flowID := uuid.New()
+	f.sendICMPEvent(nftypes.TypeStart, flowID, id, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()), 0, 0)
+
+	if icmpHdr.Type() == header.ICMPv6EchoRequest {
+		return f.handleICMPv6Echo(flowID, id, pkt, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()))
+	}
+
+	// For non-echo types (Destination Unreachable, Packet Too Big, etc), forward without waiting
+	if !f.hasRawICMPv6Access {
+		f.logger.Debug2("forwarder: Cannot handle ICMPv6 type %v without raw socket access for %v", icmpHdr.Type(), epID(id))
+		return false
+	}
+
+	icmpData := stack.PayloadSince(pkt.TransportHeader()).AsSlice()
+	conn, err := f.forwardICMPPacket(id, icmpData, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()), true, 100*time.Millisecond)
+	if err != nil {
+		f.logger.Error2("forwarder: Failed to forward ICMPv6 packet for %v: %v", epID(id), err)
+		return true
+	}
+	if err := conn.Close(); err != nil {
+		f.logger.Debug1("forwarder: Failed to close ICMPv6 socket: %v", err)
+	}
+
+	return true
+}
+
+// handleICMPv6Echo handles ICMPv6 echo requests using the ping binary.
+func (f *Forwarder) handleICMPv6Echo(flowID uuid.UUID, id stack.TransportEndpointID, pkt *stack.PacketBuffer, icmpType, icmpCode uint8) bool {
+	select {
+	case f.pingSemaphore <- struct{}{}:
+		icmpData := stack.PayloadSince(pkt.TransportHeader()).ToSlice()
+		rxBytes := pkt.Size()
+
+		go func() {
+			defer func() { <-f.pingSemaphore }()
+			f.handleICMPv6ViaPing(flowID, id, icmpType, icmpCode, icmpData, rxBytes)
+		}()
+	default:
+		f.logger.Debug3("forwarder: ICMPv6 rate limit exceeded for %v type %v code %v", epID(id), icmpType, icmpCode)
+	}
+	return true
+}
+
+// handleICMPv6ViaPing uses the system ping6 binary for ICMPv6 echo.
+func (f *Forwarder) handleICMPv6ViaPing(flowID uuid.UUID, id stack.TransportEndpointID, icmpType, icmpCode uint8, icmpData []byte, rxBytes int) {
+	ctx, cancel := context.WithTimeout(f.ctx, 5*time.Second)
+	defer cancel()
+
+	dstIP := f.determineDialAddr(id.LocalAddress)
+	cmd := buildPingCommand(ctx, dstIP, 5*time.Second)
+
+	pingStart := time.Now()
+	if err := cmd.Run(); err != nil {
+		f.logger.Warn4("forwarder: Ping6 failed for %v type %v code %v: %v", epID(id), icmpType, icmpCode, err)
+		return
+	}
+	rtt := time.Since(pingStart).Round(10 * time.Microsecond)
+
+	f.logger.Trace3("forwarder: Forwarded ICMPv6 echo request %v type %v code %v",
+		epID(id), icmpType, icmpCode)
+
+	txBytes := f.synthesizeICMPv6EchoReply(id, icmpData)
+
+	f.logger.Trace4("forwarder: Forwarded ICMPv6 echo reply %v type %v code %v (rtt=%v, ping binary)",
+		epID(id), icmpType, icmpCode, rtt)
+
+	f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
+}
+
+// synthesizeICMPv6EchoReply creates an ICMPv6 echo reply and injects it back.
+func (f *Forwarder) synthesizeICMPv6EchoReply(id stack.TransportEndpointID, icmpData []byte) int {
+	replyICMP := make([]byte, len(icmpData))
+	copy(replyICMP, icmpData)
+
+	replyHdr := header.ICMPv6(replyICMP)
+	replyHdr.SetType(header.ICMPv6EchoReply)
+	replyHdr.SetChecksum(0)
+	// ICMPv6Checksum computes the pseudo-header internally from Src/Dst.
+	// Header contains the full ICMP message, so PayloadCsum/PayloadLen are zero.
+	replyHdr.SetChecksum(header.ICMPv6Checksum(header.ICMPv6ChecksumParams{
+		Header: replyHdr,
+		Src:    id.LocalAddress,
+		Dst:    id.RemoteAddress,
+	}))
+
+	return f.injectICMPv6Reply(id, replyICMP)
+}
+
+// injectICMPv6Reply wraps an ICMPv6 payload in an IPv6 header and sends to the peer.
+func (f *Forwarder) injectICMPv6Reply(id stack.TransportEndpointID, icmpPayload []byte) int {
+	ipHdr := make([]byte, header.IPv6MinimumSize)
+	ip := header.IPv6(ipHdr)
+	ip.Encode(&header.IPv6Fields{
+		PayloadLength:     uint16(len(icmpPayload)),
+		TransportProtocol: header.ICMPv6ProtocolNumber,
+		HopLimit:          64,
+		SrcAddr:           id.LocalAddress,
+		DstAddr:           id.RemoteAddress,
+	})
+
+	fullPacket := make([]byte, 0, len(ipHdr)+len(icmpPayload))
+	fullPacket = append(fullPacket, ipHdr...)
+	fullPacket = append(fullPacket, icmpPayload...)
+
+	if err := f.endpoint.device.CreateOutboundPacket(fullPacket, id.RemoteAddress.AsSlice()); err != nil {
+		f.logger.Error1("forwarder: Failed to send ICMPv6 reply to peer: %v", err)
+		return 0
+	}
+
+	return len(fullPacket)
+}
+
+const (
+	pingBin  = "ping"
+	ping6Bin = "ping6"
+)
+
 // buildPingCommand creates a platform-specific ping command.
-func buildPingCommand(ctx context.Context, target net.IP, timeout time.Duration) *exec.Cmd {
+// Most platforms auto-detect IPv6 from raw addresses. macOS/iOS/OpenBSD require ping6.
+func buildPingCommand(ctx context.Context, target netip.Addr, timeout time.Duration) *exec.Cmd {
 	timeoutSec := int(timeout.Seconds())
 	if timeoutSec < 1 {
 		timeoutSec = 1
 	}

+	isV6 := target.Is6()
+	timeoutStr := fmt.Sprintf("%d", timeoutSec)
+
 	switch runtime.GOOS {
 	case "linux", "android":
-		return exec.CommandContext(ctx, "ping", "-c", "1", "-W", fmt.Sprintf("%d", timeoutSec), "-q", target.String())
+		return exec.CommandContext(ctx, pingBin, "-c", "1", "-W", timeoutStr, "-q", target.String())
 	case "darwin", "ios":
-		return exec.CommandContext(ctx, "ping", "-c", "1", "-t", fmt.Sprintf("%d", timeoutSec), "-q", target.String())
+		bin := pingBin
+		if isV6 {
+			bin = ping6Bin
+		}
+		return exec.CommandContext(ctx, bin, "-c", "1", "-t", timeoutStr, "-q", target.String())
 	case "freebsd":
-		return exec.CommandContext(ctx, "ping", "-c", "1", "-t", fmt.Sprintf("%d", timeoutSec), target.String())
+		return exec.CommandContext(ctx, pingBin, "-c", "1", "-t", timeoutStr, target.String())
 	case "openbsd", "netbsd":
-		return exec.CommandContext(ctx, "ping", "-c", "1", "-w", fmt.Sprintf("%d", timeoutSec), target.String())
+		bin := pingBin
+		if isV6 {
+			bin = ping6Bin
+		}
+		return exec.CommandContext(ctx, bin, "-c", "1", "-w", timeoutStr, target.String())
 	case "windows":
-		return exec.CommandContext(ctx, "ping", "-n", "1", "-w", fmt.Sprintf("%d", timeoutSec*1000), target.String())
+		return exec.CommandContext(ctx, pingBin, "-n", "1", "-w", fmt.Sprintf("%d", timeoutSec*1000), target.String())
 	default:
-		return exec.CommandContext(ctx, "ping", "-c", "1", target.String())
+		return exec.CommandContext(ctx, pingBin, "-c", "1", target.String())
 	}
 }

--- a/client/firewall/uspfilter/forwarder/tcp.go
+++ b/client/firewall/uspfilter/forwarder/tcp.go
@@ -2,10 +2,9 @@ package forwarder

 import (
 	"context"
-	"fmt"
 	"io"
 	"net"
-	"net/netip"
+	"strconv"
 	"sync"

 	"github.com/google/uuid"
@@ -33,7 +32,7 @@ func (f *Forwarder) handleTCP(r *tcp.ForwarderRequest) {
 		}
 	}()

-	dialAddr := fmt.Sprintf("%s:%d", f.determineDialAddr(id.LocalAddress), id.LocalPort)
+	dialAddr := net.JoinHostPort(f.determineDialAddr(id.LocalAddress).String(), strconv.Itoa(int(id.LocalPort)))

 	outConn, err := (&net.Dialer{}).DialContext(f.ctx, "tcp", dialAddr)
 	if err != nil {
@@ -133,15 +132,14 @@ func (f *Forwarder) proxyTCP(id stack.TransportEndpointID, inConn *gonet.TCPConn
 }

 func (f *Forwarder) sendTCPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, rxBytes, txBytes, rxPackets, txPackets uint64) {
-	srcIp := netip.AddrFrom4(id.RemoteAddress.As4())
-	dstIp := netip.AddrFrom4(id.LocalAddress.As4())
+	srcIp := addrToNetipAddr(id.RemoteAddress)
+	dstIp := addrToNetipAddr(id.LocalAddress)

 	fields := nftypes.EventFields{
-		FlowID:    flowID,
-		Type:      typ,
-		Direction: nftypes.Ingress,
-		Protocol:  nftypes.TCP,
-		// TODO: handle ipv6
+		FlowID:     flowID,
+		Type:       typ,
+		Direction:  nftypes.Ingress,
+		Protocol:   nftypes.TCP,
 		SourceIP:   srcIp,
 		DestIP:     dstIp,
 		SourcePort: id.RemotePort,
--- a/client/firewall/uspfilter/forwarder/udp.go
+++ b/client/firewall/uspfilter/forwarder/udp.go
@@ -6,7 +6,7 @@ import (
 	"fmt"
 	"io"
 	"net"
-	"net/netip"
+	"strconv"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -158,7 +158,7 @@ func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) bool {
 		}
 	}()

-	dstAddr := fmt.Sprintf("%s:%d", f.determineDialAddr(id.LocalAddress), id.LocalPort)
+	dstAddr := net.JoinHostPort(f.determineDialAddr(id.LocalAddress).String(), strconv.Itoa(int(id.LocalPort)))
 	outConn, err := (&net.Dialer{}).DialContext(f.ctx, "udp", dstAddr)
 	if err != nil {
 		f.logger.Debug2("forwarder: UDP dial error for %v: %v", epID(id), err)
@@ -276,15 +276,14 @@ func (f *Forwarder) proxyUDP(ctx context.Context, pConn *udpPacketConn, id stack

 // sendUDPEvent stores flow events for UDP connections
 func (f *Forwarder) sendUDPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, rxBytes, txBytes, rxPackets, txPackets uint64) {
-	srcIp := netip.AddrFrom4(id.RemoteAddress.As4())
-	dstIp := netip.AddrFrom4(id.LocalAddress.As4())
+	srcIp := addrToNetipAddr(id.RemoteAddress)
+	dstIp := addrToNetipAddr(id.LocalAddress)

 	fields := nftypes.EventFields{
-		FlowID:    flowID,
-		Type:      typ,
-		Direction: nftypes.Ingress,
-		Protocol:  nftypes.UDP,
-		// TODO: handle ipv6
+		FlowID:     flowID,
+		Type:       typ,
+		Direction:  nftypes.Ingress,
+		Protocol:   nftypes.UDP,
 		SourceIP:   srcIp,
 		DestIP:     dstIp,
 		SourcePort: id.RemotePort,
--- a/client/firewall/uspfilter/localip.go
+++ b/client/firewall/uspfilter/localip.go
@@ -4,89 +4,32 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
-	"sync"
+	"sync/atomic"

 	log "github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/client/firewall/uspfilter/common"
 )

-type localIPManager struct {
-	mu sync.RWMutex
-
-	// fixed-size high array for upper byte of a IPv4 address
-	ipv4Bitmap [256]*ipv4LowBitmap
+// localIPSnapshot is an immutable snapshot of local IP addresses, swapped
+// atomically so reads are lock-free.
+type localIPSnapshot struct {
+	ips map[netip.Addr]struct{}
 }

-// ipv4LowBitmap is a map for the low 16 bits of a IPv4 address
-type ipv4LowBitmap struct {
-	bitmap [8192]uint32
+type localIPManager struct {
+	snapshot atomic.Pointer[localIPSnapshot]
 }

 func newLocalIPManager() *localIPManager {
-	return &localIPManager{}
+	m := &localIPManager{}
+	m.snapshot.Store(&localIPSnapshot{
+		ips: make(map[netip.Addr]struct{}),
+	})
+	return m
 }

-func (m *localIPManager) setBitmapBit(ip net.IP) {
-	ipv4 := ip.To4()
-	if ipv4 == nil {
-		return
-	}
-	high := uint16(ipv4[0])
-	low := (uint16(ipv4[1]) << 8) | (uint16(ipv4[2]) << 4) | uint16(ipv4[3])
-
-	index := low / 32
-	bit := low % 32
-
-	if m.ipv4Bitmap[high] == nil {
-		m.ipv4Bitmap[high] = &ipv4LowBitmap{}
-	}
-
-	m.ipv4Bitmap[high].bitmap[index] |= 1 << bit
-}
-
-func (m *localIPManager) setBitInBitmap(ip netip.Addr, bitmap *[256]*ipv4LowBitmap, ipv4Set map[netip.Addr]struct{}, ipv4Addresses *[]netip.Addr) {
-	if !ip.Is4() {
-		return
-	}
-	ipv4 := ip.AsSlice()
-
-	high := uint16(ipv4[0])
-	low := (uint16(ipv4[1]) << 8) | (uint16(ipv4[2]) << 4) | uint16(ipv4[3])
-
-	if bitmap[high] == nil {
-		bitmap[high] = &ipv4LowBitmap{}
-	}
-
-	index := low / 32
-	bit := low % 32
-	bitmap[high].bitmap[index] |= 1 << bit
-
-	if _, exists := ipv4Set[ip]; !exists {
-		ipv4Set[ip] = struct{}{}
-		*ipv4Addresses = append(*ipv4Addresses, ip)
-	}
-}
-
-func (m *localIPManager) checkBitmapBit(ip []byte) bool {
-	high := uint16(ip[0])
-	low := (uint16(ip[1]) << 8) | (uint16(ip[2]) << 4) | uint16(ip[3])
-
-	if m.ipv4Bitmap[high] == nil {
-		return false
-	}
-
-	index := low / 32
-	bit := low % 32
-	return (m.ipv4Bitmap[high].bitmap[index] & (1 << bit)) != 0
-}
-
-func (m *localIPManager) processIP(ip netip.Addr, bitmap *[256]*ipv4LowBitmap, ipv4Set map[netip.Addr]struct{}, ipv4Addresses *[]netip.Addr) error {
-	m.setBitInBitmap(ip, bitmap, ipv4Set, ipv4Addresses)
-	return nil
-}
-
-func (m *localIPManager) processInterface(iface net.Interface, bitmap *[256]*ipv4LowBitmap, ipv4Set map[netip.Addr]struct{}, ipv4Addresses *[]netip.Addr) {
+func processInterface(iface net.Interface, ips map[netip.Addr]struct{}, addresses *[]netip.Addr) {
 	addrs, err := iface.Addrs()
 	if err != nil {
 		log.Debugf("get addresses for interface %s failed: %v", iface.Name, err)
@@ -104,18 +47,19 @@ func (m *localIPManager) processInterface(iface net.Interface, bitmap *[256]*ipv
 			continue
 		}

-		addr, ok := netip.AddrFromSlice(ip)
+		parsed, ok := netip.AddrFromSlice(ip)
 		if !ok {
 			log.Warnf("invalid IP address %s in interface %s", ip.String(), iface.Name)
 			continue
 		}

-		if err := m.processIP(addr.Unmap(), bitmap, ipv4Set, ipv4Addresses); err != nil {
-			log.Debugf("process IP failed: %v", err)
-		}
+		parsed = parsed.Unmap()
+		ips[parsed] = struct{}{}
+		*addresses = append(*addresses, parsed)
 	}
 }

+// UpdateLocalIPs rebuilds the local IP snapshot and swaps it in atomically.
 func (m *localIPManager) UpdateLocalIPs(iface common.IFaceMapper) (err error) {
 	defer func() {
 		if r := recover(); r != nil {
@@ -123,20 +67,20 @@ func (m *localIPManager) UpdateLocalIPs(iface common.IFaceMapper) (err error) {
 		}
 	}()

-	var newIPv4Bitmap [256]*ipv4LowBitmap
-	ipv4Set := make(map[netip.Addr]struct{})
-	var ipv4Addresses []netip.Addr
+	ips := make(map[netip.Addr]struct{})
+	var addresses []netip.Addr

-	// 127.0.0.0/8
-	newIPv4Bitmap[127] = &ipv4LowBitmap{}
-	for i := 0; i < 8192; i++ {
-		// #nosec G602 -- bitmap is defined as [8192]uint32, loop range is correct
-		newIPv4Bitmap[127].bitmap[i] = 0xFFFFFFFF
-	}
+	// loopback
+	ips[netip.AddrFrom4([4]byte{127, 0, 0, 1})] = struct{}{}
+	ips[netip.IPv6Loopback()] = struct{}{}

 	if iface != nil {
-		if err := m.processIP(iface.Address().IP, &newIPv4Bitmap, ipv4Set, &ipv4Addresses); err != nil {
-			return err
+		ip := iface.Address().IP
+		ips[ip] = struct{}{}
+		addresses = append(addresses, ip)
+		if v6 := iface.Address().IPv6; v6.IsValid() {
+			ips[v6] = struct{}{}
+			addresses = append(addresses, v6)
 		}
 	}

@@ -144,26 +88,27 @@ func (m *localIPManager) UpdateLocalIPs(iface common.IFaceMapper) (err error) {
 	if err != nil {
 		log.Warnf("failed to get interfaces: %v", err)
 	} else {
+		// TODO: filter out down interfaces (net.FlagUp). Also handle the reverse
+		// case where an interface comes up between refreshes.
 		for _, intf := range interfaces {
-			m.processInterface(intf, &newIPv4Bitmap, ipv4Set, &ipv4Addresses)
+			processInterface(intf, ips, &addresses)
 		}
 	}

-	m.mu.Lock()
-	m.ipv4Bitmap = newIPv4Bitmap
-	m.mu.Unlock()
+	m.snapshot.Store(&localIPSnapshot{ips: ips})

-	log.Debugf("Local IPv4 addresses: %v", ipv4Addresses)
+	log.Debugf("Local IP addresses: %v", addresses)
 	return nil
 }

+// IsLocalIP checks if the given IP is a local address. Lock-free on the read path.
 func (m *localIPManager) IsLocalIP(ip netip.Addr) bool {
-	if !ip.Is4() {
-		return false
+	s := m.snapshot.Load()
+
+	if ip.Is4() && ip.As4()[0] == 127 {
+		return true
 	}

-	m.mu.RLock()
-	defer m.mu.RUnlock()
-
-	return m.checkBitmapBit(ip.AsSlice())
+	_, found := s.ips[ip]
+	return found
 }
--- a/client/firewall/uspfilter/localip_bench_test.go
+++ b/client/firewall/uspfilter/localip_bench_test.go
@@ -0,0 +1,72 @@
+package uspfilter
+
+import (
+	"net/netip"
+	"testing"
+
+	"github.com/netbirdio/netbird/client/iface/wgaddr"
+)
+
+func setupManager(b *testing.B) *localIPManager {
+	b.Helper()
+	m := newLocalIPManager()
+	mock := &IFaceMock{
+		AddressFunc: func() wgaddr.Address {
+			return wgaddr.Address{
+				IP:      netip.MustParseAddr("100.64.0.1"),
+				Network: netip.MustParsePrefix("100.64.0.0/16"),
+				IPv6:    netip.MustParseAddr("fd00::1"),
+				IPv6Net: netip.MustParsePrefix("fd00::/64"),
+			}
+		},
+	}
+	if err := m.UpdateLocalIPs(mock); err != nil {
+		b.Fatalf("UpdateLocalIPs: %v", err)
+	}
+	return m
+}
+
+func BenchmarkIsLocalIP_v4_hit(b *testing.B) {
+	m := setupManager(b)
+	ip := netip.MustParseAddr("100.64.0.1")
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		m.IsLocalIP(ip)
+	}
+}
+
+func BenchmarkIsLocalIP_v4_miss(b *testing.B) {
+	m := setupManager(b)
+	ip := netip.MustParseAddr("8.8.8.8")
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		m.IsLocalIP(ip)
+	}
+}
+
+func BenchmarkIsLocalIP_v6_hit(b *testing.B) {
+	m := setupManager(b)
+	ip := netip.MustParseAddr("fd00::1")
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		m.IsLocalIP(ip)
+	}
+}
+
+func BenchmarkIsLocalIP_v6_miss(b *testing.B) {
+	m := setupManager(b)
+	ip := netip.MustParseAddr("2001:db8::1")
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		m.IsLocalIP(ip)
+	}
+}
+
+func BenchmarkIsLocalIP_loopback(b *testing.B) {
+	m := setupManager(b)
+	ip := netip.MustParseAddr("127.0.0.1")
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		m.IsLocalIP(ip)
+	}
+}
--- a/client/firewall/uspfilter/localip_test.go
+++ b/client/firewall/uspfilter/localip_test.go
@@ -72,14 +72,45 @@ func TestLocalIPManager(t *testing.T) {
 			expected: false,
 		},
 		{
-			name: "IPv6 address",
+			name: "IPv6 address matches",
 			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("fe80::1"),
+				IP:      netip.MustParseAddr("100.64.0.1"),
+				Network: netip.MustParsePrefix("100.64.0.0/16"),
+				IPv6:    netip.MustParseAddr("fd00::1"),
+				IPv6Net: netip.MustParsePrefix("fd00::/64"),
+			},
+			testIP:   netip.MustParseAddr("fd00::1"),
+			expected: true,
+		},
+		{
+			name: "IPv6 address does not match",
+			setupAddr: wgaddr.Address{
+				IP:      netip.MustParseAddr("100.64.0.1"),
+				Network: netip.MustParsePrefix("100.64.0.0/16"),
+				IPv6:    netip.MustParseAddr("fd00::1"),
+				IPv6Net: netip.MustParsePrefix("fd00::/64"),
+			},
+			testIP:   netip.MustParseAddr("fd00::99"),
+			expected: false,
+		},
+		{
+			name: "No aliasing between similar IPs",
+			setupAddr: wgaddr.Address{
+				IP:      netip.MustParseAddr("192.168.1.1"),
 				Network: netip.MustParsePrefix("192.168.1.0/24"),
 			},
-			testIP:   netip.MustParseAddr("fe80::1"),
+			testIP:   netip.MustParseAddr("192.168.0.17"),
 			expected: false,
 		},
+		{
+			name: "IPv6 loopback",
+			setupAddr: wgaddr.Address{
+				IP:      netip.MustParseAddr("100.64.0.1"),
+				Network: netip.MustParsePrefix("100.64.0.0/16"),
+			},
+			testIP:   netip.MustParseAddr("::1"),
+			expected: true,
+		},
 	}

 	for _, tt := range tests {
@@ -171,90 +202,3 @@ func TestLocalIPManager_AllInterfaces(t *testing.T) {
 		})
 	}
 }
-
-// MapImplementation is a version using map[string]struct{}
-type MapImplementation struct {
-	localIPs map[string]struct{}
-}
-
-func BenchmarkIPChecks(b *testing.B) {
-	interfaces := make([]net.IP, 16)
-	for i := range interfaces {
-		interfaces[i] = net.IPv4(10, 0, byte(i>>8), byte(i))
-	}
-
-	// Setup bitmap
-	bitmapManager := newLocalIPManager()
-	for _, ip := range interfaces[:8] { // Add half of IPs
-		bitmapManager.setBitmapBit(ip)
-	}
-
-	// Setup map version
-	mapManager := &MapImplementation{
-		localIPs: make(map[string]struct{}),
-	}
-	for _, ip := range interfaces[:8] {
-		mapManager.localIPs[ip.String()] = struct{}{}
-	}
-
-	b.Run("Bitmap_Hit", func(b *testing.B) {
-		ip := interfaces[4]
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			bitmapManager.checkBitmapBit(ip)
-		}
-	})
-
-	b.Run("Bitmap_Miss", func(b *testing.B) {
-		ip := interfaces[12]
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			bitmapManager.checkBitmapBit(ip)
-		}
-	})
-
-	b.Run("Map_Hit", func(b *testing.B) {
-		ip := interfaces[4]
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			// nolint:gosimple
-			_ = mapManager.localIPs[ip.String()]
-		}
-	})
-
-	b.Run("Map_Miss", func(b *testing.B) {
-		ip := interfaces[12]
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			// nolint:gosimple
-			_ = mapManager.localIPs[ip.String()]
-		}
-	})
-}
-
-func BenchmarkWGPosition(b *testing.B) {
-	wgIP := net.ParseIP("10.10.0.1")
-
-	// Create two managers - one checks WG IP first, other checks it last
-	b.Run("WG_First", func(b *testing.B) {
-		bm := newLocalIPManager()
-		bm.setBitmapBit(wgIP)
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			bm.checkBitmapBit(wgIP)
-		}
-	})
-
-	b.Run("WG_Last", func(b *testing.B) {
-		bm := newLocalIPManager()
-		// Fill with other IPs first
-		for i := 0; i < 15; i++ {
-			bm.setBitmapBit(net.IPv4(10, 0, byte(i>>8), byte(i)))
-		}
-		bm.setBitmapBit(wgIP) // Add WG IP last
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			bm.checkBitmapBit(wgIP)
-		}
-	})
-}
--- a/client/firewall/uspfilter/nat.go
+++ b/client/firewall/uspfilter/nat.go
@@ -13,8 +13,6 @@ import (
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 )

-var ErrIPv4Only = errors.New("only IPv4 is supported for DNAT")
-
 var (
 	errInvalidIPHeaderLength = errors.New("invalid IP header length")
 )
@@ -25,10 +23,33 @@ const (
 	destinationPortOffset = 2

 	// IP address offsets in IPv4 header
-	sourceIPOffset      = 12
-	destinationIPOffset = 16
+	ipv4SrcOffset = 12
+	ipv4DstOffset = 16
+
+	// IP address offsets in IPv6 header
+	ipv6SrcOffset = 8
+	ipv6DstOffset = 24
+
+	// IPv6 fixed header length
+	ipv6HeaderLen = 40
 )

+// ipHeaderLen returns the IP header length based on the decoded layer type.
+func ipHeaderLen(d *decoder) (int, error) {
+	switch d.decoded[0] {
+	case layers.LayerTypeIPv4:
+		n := int(d.ip4.IHL) * 4
+		if n < 20 {
+			return 0, errInvalidIPHeaderLength
+		}
+		return n, nil
+	case layers.LayerTypeIPv6:
+		return ipv6HeaderLen, nil
+	default:
+		return 0, fmt.Errorf("unknown IP layer: %v", d.decoded[0])
+	}
+}
+
 // ipv4Checksum calculates IPv4 header checksum.
 func ipv4Checksum(header []byte) uint16 {
 	if len(header) < 20 {
@@ -234,14 +255,13 @@ func (m *Manager) translateOutboundDNAT(packetData []byte, d *decoder) bool {
 		return false
 	}

-	dstIP := netip.AddrFrom4([4]byte{packetData[16], packetData[17], packetData[18], packetData[19]})
-
+	_, dstIP := extractPacketIPs(packetData, d)
 	translatedIP, exists := m.getDNATTranslation(dstIP)
 	if !exists {
 		return false
 	}

-	if err := m.rewritePacketIP(packetData, d, translatedIP, destinationIPOffset); err != nil {
+	if err := m.rewritePacketIP(packetData, d, translatedIP, false); err != nil {
 		m.logger.Error1("failed to rewrite packet destination: %v", err)
 		return false
 	}
@@ -256,14 +276,13 @@ func (m *Manager) translateInboundReverse(packetData []byte, d *decoder) bool {
 		return false
 	}

-	srcIP := netip.AddrFrom4([4]byte{packetData[12], packetData[13], packetData[14], packetData[15]})
-
+	srcIP, _ := extractPacketIPs(packetData, d)
 	originalIP, exists := m.findReverseDNATMapping(srcIP)
 	if !exists {
 		return false
 	}

-	if err := m.rewritePacketIP(packetData, d, originalIP, sourceIPOffset); err != nil {
+	if err := m.rewritePacketIP(packetData, d, originalIP, true); err != nil {
 		m.logger.Error1("failed to rewrite packet source: %v", err)
 		return false
 	}
@@ -272,38 +291,96 @@ func (m *Manager) translateInboundReverse(packetData []byte, d *decoder) bool {
 	return true
 }

-// rewritePacketIP replaces an IP address (source or destination) in the packet and updates checksums.
-func (m *Manager) rewritePacketIP(packetData []byte, d *decoder, newIP netip.Addr, ipOffset int) error {
+// extractPacketIPs extracts src and dst IP addresses directly from raw packet bytes.
+func extractPacketIPs(packetData []byte, d *decoder) (src, dst netip.Addr) {
+	switch d.decoded[0] {
+	case layers.LayerTypeIPv4:
+		src = netip.AddrFrom4([4]byte{packetData[ipv4SrcOffset], packetData[ipv4SrcOffset+1], packetData[ipv4SrcOffset+2], packetData[ipv4SrcOffset+3]})
+		dst = netip.AddrFrom4([4]byte{packetData[ipv4DstOffset], packetData[ipv4DstOffset+1], packetData[ipv4DstOffset+2], packetData[ipv4DstOffset+3]})
+	case layers.LayerTypeIPv6:
+		src = netip.AddrFrom16([16]byte(packetData[ipv6SrcOffset : ipv6SrcOffset+16]))
+		dst = netip.AddrFrom16([16]byte(packetData[ipv6DstOffset : ipv6DstOffset+16]))
+	}
+	return src, dst
+}
+
+// rewritePacketIP replaces a source (isSource=true) or destination IP address in the packet and updates checksums.
+func (m *Manager) rewritePacketIP(packetData []byte, d *decoder, newIP netip.Addr, isSource bool) error {
+	hdrLen, err := ipHeaderLen(d)
+	if err != nil {
+		return err
+	}
+
+	switch d.decoded[0] {
+	case layers.LayerTypeIPv4:
+		return m.rewriteIPv4(packetData, d, newIP, hdrLen, isSource)
+	case layers.LayerTypeIPv6:
+		return m.rewriteIPv6(packetData, d, newIP, hdrLen, isSource)
+	default:
+		return fmt.Errorf("unknown IP layer: %v", d.decoded[0])
+	}
+}
+
+func (m *Manager) rewriteIPv4(packetData []byte, d *decoder, newIP netip.Addr, hdrLen int, isSource bool) error {
 	if !newIP.Is4() {
-		return ErrIPv4Only
+		return fmt.Errorf("cannot write IPv6 address into IPv4 packet")
+	}
+
+	offset := ipv4DstOffset
+	if isSource {
+		offset = ipv4SrcOffset
 	}

 	var oldIP [4]byte
-	copy(oldIP[:], packetData[ipOffset:ipOffset+4])
+	copy(oldIP[:], packetData[offset:offset+4])
 	newIPBytes := newIP.As4()
+	copy(packetData[offset:offset+4], newIPBytes[:])

-	copy(packetData[ipOffset:ipOffset+4], newIPBytes[:])
-
-	ipHeaderLen := int(d.ip4.IHL) * 4
-	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
-		return errInvalidIPHeaderLength
-	}
-
+	// Recalculate IPv4 header checksum
 	binary.BigEndian.PutUint16(packetData[10:12], 0)
-	ipChecksum := ipv4Checksum(packetData[:ipHeaderLen])
-	binary.BigEndian.PutUint16(packetData[10:12], ipChecksum)
+	binary.BigEndian.PutUint16(packetData[10:12], ipv4Checksum(packetData[:hdrLen]))

+	// Update transport checksums incrementally
 	if len(d.decoded) > 1 {
 		switch d.decoded[1] {
 		case layers.LayerTypeTCP:
-			m.updateTCPChecksum(packetData, ipHeaderLen, oldIP[:], newIPBytes[:])
+			m.updateTCPChecksum(packetData, hdrLen, oldIP[:], newIPBytes[:])
 		case layers.LayerTypeUDP:
-			m.updateUDPChecksum(packetData, ipHeaderLen, oldIP[:], newIPBytes[:])
+			m.updateUDPChecksum(packetData, hdrLen, oldIP[:], newIPBytes[:])
 		case layers.LayerTypeICMPv4:
-			m.updateICMPChecksum(packetData, ipHeaderLen)
+			m.updateICMPChecksum(packetData, hdrLen)
 		}
 	}
+	return nil
+}

+func (m *Manager) rewriteIPv6(packetData []byte, d *decoder, newIP netip.Addr, hdrLen int, isSource bool) error {
+	if !newIP.Is6() {
+		return fmt.Errorf("cannot write IPv4 address into IPv6 packet")
+	}
+
+	offset := ipv6DstOffset
+	if isSource {
+		offset = ipv6SrcOffset
+	}
+
+	var oldIP [16]byte
+	copy(oldIP[:], packetData[offset:offset+16])
+	newIPBytes := newIP.As16()
+	copy(packetData[offset:offset+16], newIPBytes[:])
+
+	// IPv6 has no header checksum, only update transport checksums
+	if len(d.decoded) > 1 {
+		switch d.decoded[1] {
+		case layers.LayerTypeTCP:
+			m.updateTCPChecksum(packetData, hdrLen, oldIP[:], newIPBytes[:])
+		case layers.LayerTypeUDP:
+			m.updateUDPChecksum(packetData, hdrLen, oldIP[:], newIPBytes[:])
+		case layers.LayerTypeICMPv6:
+			// ICMPv6 checksum includes pseudo-header with addresses, use incremental update
+			m.updateICMPv6Checksum(packetData, hdrLen, oldIP[:], newIPBytes[:])
+		}
+	}
 	return nil
 }

@@ -351,6 +428,20 @@ func (m *Manager) updateICMPChecksum(packetData []byte, ipHeaderLen int) {
 	binary.BigEndian.PutUint16(icmpData[2:4], checksum)
 }

+// updateICMPv6Checksum updates ICMPv6 checksum after address change.
+// ICMPv6 uses a pseudo-header (like TCP/UDP), so incremental update applies.
+func (m *Manager) updateICMPv6Checksum(packetData []byte, ipHeaderLen int, oldIP, newIP []byte) {
+	icmpStart := ipHeaderLen
+	if len(packetData) < icmpStart+4 {
+		return
+	}
+
+	checksumOffset := icmpStart + 2
+	oldChecksum := binary.BigEndian.Uint16(packetData[checksumOffset : checksumOffset+2])
+	newChecksum := incrementalUpdate(oldChecksum, oldIP, newIP)
+	binary.BigEndian.PutUint16(packetData[checksumOffset:checksumOffset+2], newChecksum)
+}
+
 // incrementalUpdate performs incremental checksum update per RFC 1624.
 func incrementalUpdate(oldChecksum uint16, oldBytes, newBytes []byte) uint16 {
 	sum := uint32(^oldChecksum)
@@ -515,12 +606,12 @@ func (m *Manager) applyPortRule(packetData []byte, d *decoder, srcIP, dstIP neti

 // rewriteTCPPort rewrites a TCP port (source or destination) and updates checksum.
 func (m *Manager) rewriteTCPPort(packetData []byte, d *decoder, newPort uint16, portOffset int) error {
-	ipHeaderLen := int(d.ip4.IHL) * 4
-	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
-		return errInvalidIPHeaderLength
+	hdrLen, err := ipHeaderLen(d)
+	if err != nil {
+		return err
 	}

-	tcpStart := ipHeaderLen
+	tcpStart := hdrLen
 	if len(packetData) < tcpStart+4 {
 		return fmt.Errorf("packet too short for TCP header")
 	}
@@ -546,12 +637,12 @@ func (m *Manager) rewriteTCPPort(packetData []byte, d *decoder, newPort uint16,

 // rewriteUDPPort rewrites a UDP port (source or destination) and updates checksum.
 func (m *Manager) rewriteUDPPort(packetData []byte, d *decoder, newPort uint16, portOffset int) error {
-	ipHeaderLen := int(d.ip4.IHL) * 4
-	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
-		return errInvalidIPHeaderLength
+	hdrLen, err := ipHeaderLen(d)
+	if err != nil {
+		return err
 	}

-	udpStart := ipHeaderLen
+	udpStart := hdrLen
 	if len(packetData) < udpStart+8 {
 		return fmt.Errorf("packet too short for UDP header")
 	}
--- a/client/firewall/uspfilter/nat_bench_test.go
+++ b/client/firewall/uspfilter/nat_bench_test.go
@@ -342,12 +342,17 @@ func BenchmarkDNATMemoryAllocations(b *testing.B) {

 		// Parse the packet fresh each time to get a clean decoder
 		d := &decoder{decoded: []gopacket.LayerType{}}
-		d.parser = gopacket.NewDecodingLayerParser(
+		d.parser4 = gopacket.NewDecodingLayerParser(
 			layers.LayerTypeIPv4,
 			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
 		)
-		d.parser.IgnoreUnsupported = true
-		err = d.parser.DecodeLayers(testPacket, &d.decoded)
+		d.parser4.IgnoreUnsupported = true
+		d.parser6 = gopacket.NewDecodingLayerParser(
+			layers.LayerTypeIPv6,
+			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
+		)
+		d.parser6.IgnoreUnsupported = true
+		err = d.decodePacket(testPacket)
 		assert.NoError(b, err)

 		manager.translateOutboundDNAT(testPacket, d)
@@ -371,12 +376,17 @@ func BenchmarkDirectIPExtraction(b *testing.B) {
 	b.Run("decoder_extraction", func(b *testing.B) {
 		// Create decoder once for comparison
 		d := &decoder{decoded: []gopacket.LayerType{}}
-		d.parser = gopacket.NewDecodingLayerParser(
+		d.parser4 = gopacket.NewDecodingLayerParser(
 			layers.LayerTypeIPv4,
 			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
 		)
-		d.parser.IgnoreUnsupported = true
-		err := d.parser.DecodeLayers(packet, &d.decoded)
+		d.parser4.IgnoreUnsupported = true
+		d.parser6 = gopacket.NewDecodingLayerParser(
+			layers.LayerTypeIPv6,
+			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
+		)
+		d.parser6.IgnoreUnsupported = true
+		err := d.decodePacket(packet)
 		assert.NoError(b, err)

 		for i := 0; i < b.N; i++ {
--- a/client/firewall/uspfilter/nat_test.go
+++ b/client/firewall/uspfilter/nat_test.go
@@ -86,13 +86,18 @@ func parsePacket(t testing.TB, packetData []byte) *decoder {
 	d := &decoder{
 		decoded: []gopacket.LayerType{},
 	}
-	d.parser = gopacket.NewDecodingLayerParser(
+	d.parser4 = gopacket.NewDecodingLayerParser(
 		layers.LayerTypeIPv4,
 		&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
 	)
-	d.parser.IgnoreUnsupported = true
+	d.parser4.IgnoreUnsupported = true
+	d.parser6 = gopacket.NewDecodingLayerParser(
+		layers.LayerTypeIPv6,
+		&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
+	)
+	d.parser6.IgnoreUnsupported = true

-	err := d.parser.DecodeLayers(packetData, &d.decoded)
+	err := d.decodePacket(packetData)
 	require.NoError(t, err)
 	return d
 }
--- a/client/firewall/uspfilter/tracer.go
+++ b/client/firewall/uspfilter/tracer.go
@@ -112,10 +112,13 @@ func (t *PacketTrace) AddResultWithForwarder(stage PacketStage, message string,
 }

 func (p *PacketBuilder) Build() ([]byte, error) {
-	ip := p.buildIPLayer()
-	pktLayers := []gopacket.SerializableLayer{ip}
+	ipLayer, err := p.buildIPLayer()
+	if err != nil {
+		return nil, err
+	}
+	pktLayers := []gopacket.SerializableLayer{ipLayer}

-	transportLayer, err := p.buildTransportLayer(ip)
+	transportLayer, err := p.buildTransportLayer(ipLayer)
 	if err != nil {
 		return nil, err
 	}
@@ -129,30 +132,43 @@ func (p *PacketBuilder) Build() ([]byte, error) {
 	return serializePacket(pktLayers)
 }

-func (p *PacketBuilder) buildIPLayer() *layers.IPv4 {
+func (p *PacketBuilder) buildIPLayer() (gopacket.SerializableLayer, error) {
+	if p.SrcIP.Is4() != p.DstIP.Is4() {
+		return nil, fmt.Errorf("mixed address families: src=%s dst=%s", p.SrcIP, p.DstIP)
+	}
+	proto := getIPProtocolNumber(p.Protocol, p.SrcIP.Is6())
+	if p.SrcIP.Is6() {
+		return &layers.IPv6{
+			Version:    6,
+			HopLimit:   64,
+			NextHeader: proto,
+			SrcIP:      p.SrcIP.AsSlice(),
+			DstIP:      p.DstIP.AsSlice(),
+		}, nil
+	}
 	return &layers.IPv4{
 		Version:  4,
 		TTL:      64,
-		Protocol: layers.IPProtocol(getIPProtocolNumber(p.Protocol)),
+		Protocol: proto,
 		SrcIP:    p.SrcIP.AsSlice(),
 		DstIP:    p.DstIP.AsSlice(),
-	}
+	}, nil
 }

-func (p *PacketBuilder) buildTransportLayer(ip *layers.IPv4) ([]gopacket.SerializableLayer, error) {
+func (p *PacketBuilder) buildTransportLayer(ipLayer gopacket.SerializableLayer) ([]gopacket.SerializableLayer, error) {
 	switch p.Protocol {
 	case "tcp":
-		return p.buildTCPLayer(ip)
+		return p.buildTCPLayer(ipLayer)
 	case "udp":
-		return p.buildUDPLayer(ip)
+		return p.buildUDPLayer(ipLayer)
 	case "icmp":
-		return p.buildICMPLayer()
+		return p.buildICMPLayer(ipLayer)
 	default:
 		return nil, fmt.Errorf("unsupported protocol: %s", p.Protocol)
 	}
 }

-func (p *PacketBuilder) buildTCPLayer(ip *layers.IPv4) ([]gopacket.SerializableLayer, error) {
+func (p *PacketBuilder) buildTCPLayer(ipLayer gopacket.SerializableLayer) ([]gopacket.SerializableLayer, error) {
 	tcp := &layers.TCP{
 		SrcPort: layers.TCPPort(p.SrcPort),
 		DstPort: layers.TCPPort(p.DstPort),
@@ -164,24 +180,37 @@ func (p *PacketBuilder) buildTCPLayer(ip *layers.IPv4) ([]gopacket.SerializableL
 		PSH:     p.TCPState != nil && p.TCPState.PSH,
 		URG:     p.TCPState != nil && p.TCPState.URG,
 	}
-	if err := tcp.SetNetworkLayerForChecksum(ip); err != nil {
-		return nil, fmt.Errorf("set network layer for TCP checksum: %w", err)
+	if nl, ok := ipLayer.(gopacket.NetworkLayer); ok {
+		if err := tcp.SetNetworkLayerForChecksum(nl); err != nil {
+			return nil, fmt.Errorf("set network layer for TCP checksum: %w", err)
+		}
 	}
 	return []gopacket.SerializableLayer{tcp}, nil
 }

-func (p *PacketBuilder) buildUDPLayer(ip *layers.IPv4) ([]gopacket.SerializableLayer, error) {
+func (p *PacketBuilder) buildUDPLayer(ipLayer gopacket.SerializableLayer) ([]gopacket.SerializableLayer, error) {
 	udp := &layers.UDP{
 		SrcPort: layers.UDPPort(p.SrcPort),
 		DstPort: layers.UDPPort(p.DstPort),
 	}
-	if err := udp.SetNetworkLayerForChecksum(ip); err != nil {
-		return nil, fmt.Errorf("set network layer for UDP checksum: %w", err)
+	if nl, ok := ipLayer.(gopacket.NetworkLayer); ok {
+		if err := udp.SetNetworkLayerForChecksum(nl); err != nil {
+			return nil, fmt.Errorf("set network layer for UDP checksum: %w", err)
+		}
 	}
 	return []gopacket.SerializableLayer{udp}, nil
 }

-func (p *PacketBuilder) buildICMPLayer() ([]gopacket.SerializableLayer, error) {
+func (p *PacketBuilder) buildICMPLayer(ipLayer gopacket.SerializableLayer) ([]gopacket.SerializableLayer, error) {
+	if p.SrcIP.Is6() || p.DstIP.Is6() {
+		icmp := &layers.ICMPv6{
+			TypeCode: layers.CreateICMPv6TypeCode(p.ICMPType, p.ICMPCode),
+		}
+		if nl, ok := ipLayer.(gopacket.NetworkLayer); ok {
+			_ = icmp.SetNetworkLayerForChecksum(nl)
+		}
+		return []gopacket.SerializableLayer{icmp}, nil
+	}
 	icmp := &layers.ICMPv4{
 		TypeCode: layers.CreateICMPv4TypeCode(p.ICMPType, p.ICMPCode),
 	}
@@ -204,14 +233,17 @@ func serializePacket(layers []gopacket.SerializableLayer) ([]byte, error) {
 	return buf.Bytes(), nil
 }

-func getIPProtocolNumber(protocol fw.Protocol) int {
+func getIPProtocolNumber(protocol fw.Protocol, isV6 bool) layers.IPProtocol {
 	switch protocol {
 	case fw.ProtocolTCP:
-		return int(layers.IPProtocolTCP)
+		return layers.IPProtocolTCP
 	case fw.ProtocolUDP:
-		return int(layers.IPProtocolUDP)
+		return layers.IPProtocolUDP
 	case fw.ProtocolICMP:
-		return int(layers.IPProtocolICMPv4)
+		if isV6 {
+			return layers.IPProtocolICMPv6
+		}
+		return layers.IPProtocolICMPv4
 	default:
 		return 0
 	}
@@ -234,7 +266,7 @@ func (m *Manager) TracePacket(packetData []byte, direction fw.RuleDirection) *Pa
 	trace := &PacketTrace{Direction: direction}

 	// Initial packet decoding
-	if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
+	if err := d.decodePacket(packetData); err != nil {
 		trace.AddResult(StageReceived, fmt.Sprintf("Failed to decode packet: %v", err), false)
 		return trace
 	}
@@ -256,6 +288,8 @@ func (m *Manager) TracePacket(packetData []byte, direction fw.RuleDirection) *Pa
 		trace.DestinationPort = uint16(d.udp.DstPort)
 	case layers.LayerTypeICMPv4:
 		trace.Protocol = "ICMP"
+	case layers.LayerTypeICMPv6:
+		trace.Protocol = "ICMPv6"
 	}

 	trace.AddResult(StageReceived, fmt.Sprintf("Received %s packet: %s:%d -> %s:%d",
@@ -415,7 +449,7 @@ func (m *Manager) traceOutbound(packetData []byte, trace *PacketTrace) *PacketTr
 	d := m.decoders.Get().(*decoder)
 	defer m.decoders.Put(d)

-	if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
+	if err := d.decodePacket(packetData); err != nil {
 		trace.AddResult(StageCompleted, "Packet dropped - decode error", false)
 		return trace
 	}
@@ -434,7 +468,7 @@ func (m *Manager) traceOutbound(packetData []byte, trace *PacketTrace) *PacketTr
 func (m *Manager) handleInboundDNAT(trace *PacketTrace, packetData []byte, d *decoder, srcIP, dstIP *netip.Addr) bool {
 	portDNATApplied := m.traceInboundPortDNAT(trace, packetData, d)
 	if portDNATApplied {
-		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
+		if err := d.decodePacket(packetData); err != nil {
 			trace.AddResult(StageInboundPortDNAT, "Failed to re-decode after port DNAT", false)
 			return true
 		}
@@ -444,7 +478,7 @@ func (m *Manager) handleInboundDNAT(trace *PacketTrace, packetData []byte, d *de

 	nat1to1Applied := m.traceInbound1to1NAT(trace, packetData, d)
 	if nat1to1Applied {
-		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
+		if err := d.decodePacket(packetData); err != nil {
 			trace.AddResult(StageInbound1to1NAT, "Failed to re-decode after 1:1 NAT", false)
 			return true
 		}
@@ -509,7 +543,7 @@ func (m *Manager) traceInbound1to1NAT(trace *PacketTrace, packetData []byte, d *
 		return false
 	}

-	srcIP := netip.AddrFrom4([4]byte{packetData[12], packetData[13], packetData[14], packetData[15]})
+	srcIP, _ := extractPacketIPs(packetData, d)

 	translated := m.translateInboundReverse(packetData, d)
 	if translated {
@@ -539,7 +573,7 @@ func (m *Manager) traceOutbound1to1NAT(trace *PacketTrace, packetData []byte, d
 		return false
 	}

-	dstIP := netip.AddrFrom4([4]byte{packetData[16], packetData[17], packetData[18], packetData[19]})
+	_, dstIP := extractPacketIPs(packetData, d)

 	translated := m.translateOutboundDNAT(packetData, d)
 	if translated {
--- a/client/iface/configurer/usp.go
+++ b/client/iface/configurer/usp.go
@@ -119,7 +119,7 @@ func (c *WGUSPConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix,
 		if err != nil {
 			return fmt.Errorf("failed to parse endpoint address: %w", err)
 		}
-		addrPort := netip.AddrPortFrom(addr, uint16(endpoint.Port))
+		addrPort := netip.AddrPortFrom(addr.Unmap(), uint16(endpoint.Port))
 		c.activityRecorder.UpsertAddress(peerKey, addrPort)
 	}
 	return nil
--- a/client/iface/device/adapter.go
+++ b/client/iface/device/adapter.go
@@ -2,7 +2,7 @@ package device

 // TunAdapter is an interface for create tun device from external service
 type TunAdapter interface {
-	ConfigureInterface(address string, mtu int, dns string, searchDomains string, routes string) (int, error)
+	ConfigureInterface(address string, addressV6 string, mtu int, dns string, searchDomains string, routes string) (int, error)
 	UpdateAddr(address string) error
 	ProtectSocket(fd int32) bool
 }
--- a/client/iface/device/device_android.go
+++ b/client/iface/device/device_android.go
@@ -63,7 +63,7 @@ func (t *WGTunDevice) Create(routes []string, dns string, searchDomains []string
 		searchDomainsToString = ""
 	}

-	fd, err := t.tunAdapter.ConfigureInterface(t.address.String(), int(t.mtu), dns, searchDomainsToString, routesString)
+	fd, err := t.tunAdapter.ConfigureInterface(t.address.String(), t.address.IPv6String(), int(t.mtu), dns, searchDomainsToString, routesString)
 	if err != nil {
 		log.Errorf("failed to create Android interface: %s", err)
 		return nil, err
--- a/client/iface/device/device_darwin.go
+++ b/client/iface/device/device_darwin.go
@@ -131,23 +131,32 @@ func (t *TunDevice) Device() *device.Device {

 // assignAddr Adds IP address to the tunnel interface and network route based on the range provided
 func (t *TunDevice) assignAddr() error {
-	cmd := exec.Command("ifconfig", t.name, "inet", t.address.IP.String(), t.address.IP.String())
-	if out, err := cmd.CombinedOutput(); err != nil {
-		log.Errorf("adding address command '%v' failed with output: %s", cmd.String(), out)
-		return err
+	if out, err := exec.Command("ifconfig", t.name, "inet", t.address.IP.String(), t.address.IP.String()).CombinedOutput(); err != nil {
+		return fmt.Errorf("add v4 address: %s: %w", string(out), err)
 	}

-	// dummy ipv6 so routing works
-	cmd = exec.Command("ifconfig", t.name, "inet6", "fe80::/64")
-	if out, err := cmd.CombinedOutput(); err != nil {
-		log.Debugf("adding address command '%v' failed with output: %s", cmd.String(), out)
+	// Assign a dummy link-local so macOS enables IPv6 on the tun device.
+	// When a real overlay v6 is present, use that instead.
+	v6Addr := "fe80::/64"
+	if t.address.HasIPv6() {
+		v6Addr = t.address.IPv6String()
+	}
+	if out, err := exec.Command("ifconfig", t.name, "inet6", v6Addr).CombinedOutput(); err != nil {
+		log.Warnf("failed to assign IPv6 address %s, continuing v4-only: %s: %v", v6Addr, string(out), err)
+		t.address.ClearIPv6()
 	}

-	routeCmd := exec.Command("route", "add", "-net", t.address.Network.String(), "-interface", t.name)
-	if out, err := routeCmd.CombinedOutput(); err != nil {
-		log.Errorf("adding route command '%v' failed with output: %s", routeCmd.String(), out)
-		return err
+	if out, err := exec.Command("route", "add", "-net", t.address.Network.String(), "-interface", t.name).CombinedOutput(); err != nil {
+		return fmt.Errorf("add route %s via %s: %s: %w", t.address.Network, t.name, string(out), err)
 	}
+
+	if t.address.HasIPv6() {
+		if out, err := exec.Command("route", "add", "-inet6", "-net", t.address.IPv6Net.String(), "-interface", t.name).CombinedOutput(); err != nil {
+			log.Warnf("failed to add route %s via %s, continuing v4-only: %s: %v", t.address.IPv6Net, t.name, string(out), err)
+			t.address.ClearIPv6()
+		}
+	}
+
 	return nil
 }

--- a/client/iface/device/device_ios.go
+++ b/client/iface/device/device_ios.go
@@ -151,8 +151,11 @@ func (t *TunDevice) MTU() uint16 {
 	return t.mtu
 }

-func (t *TunDevice) UpdateAddr(_ wgaddr.Address) error {
-	// todo implement
+// UpdateAddr updates the device address. On iOS the tunnel is managed by the
+// NetworkExtension, so we only store the new value. The extension picks up the
+// change on the next tunnel reconfiguration.
+func (t *TunDevice) UpdateAddr(addr wgaddr.Address) error {
+	t.address = addr
 	return nil
 }

--- a/client/iface/device/device_kernel_unix.go
+++ b/client/iface/device/device_kernel_unix.go
@@ -173,7 +173,7 @@ func (t *TunKernelDevice) FilteredDevice() *FilteredDevice {

 // assignAddr Adds IP address to the tunnel interface
 func (t *TunKernelDevice) assignAddr() error {
-	return t.link.assignAddr(t.address)
+	return t.link.assignAddr(&t.address)
 }

 func (t *TunKernelDevice) GetNet() *netstack.Net {
--- a/client/iface/device/device_netstack.go
+++ b/client/iface/device/device_netstack.go
@@ -3,6 +3,7 @@ package device
 import (
 	"errors"
 	"fmt"
+	"net/netip"

 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/conn"
@@ -63,8 +64,12 @@ func (t *TunNetstackDevice) create() (WGConfigurer, error) {
 		return nil, fmt.Errorf("last ip: %w", err)
 	}

-	log.Debugf("netstack using address: %s", t.address.IP)
-	t.nsTun = nbnetstack.NewNetStackTun(t.listenAddress, t.address.IP, dnsAddr, int(t.mtu))
+	addresses := []netip.Addr{t.address.IP}
+	if t.address.HasIPv6() {
+		addresses = append(addresses, t.address.IPv6)
+	}
+	log.Debugf("netstack using addresses: %v", addresses)
+	t.nsTun = nbnetstack.NewNetStackTun(t.listenAddress, addresses, dnsAddr, int(t.mtu))
 	log.Debugf("netstack using dns address: %s", dnsAddr)
 	tunIface, net, err := t.nsTun.Create()
 	if err != nil {
--- a/client/iface/device/device_usp_unix.go
+++ b/client/iface/device/device_usp_unix.go
@@ -16,7 +16,7 @@ import (
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )

-type USPDevice struct {
+type TunDevice struct {
 	name    string
 	address wgaddr.Address
 	port    int
@@ -30,10 +30,10 @@ type USPDevice struct {
 	configurer     WGConfigurer
 }

-func NewUSPDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind) *USPDevice {
+func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind) *TunDevice {
 	log.Infof("using userspace bind mode")

-	return &USPDevice{
+	return &TunDevice{
 		name:    name,
 		address: address,
 		port:    port,
@@ -43,7 +43,7 @@ func NewUSPDevice(name string, address wgaddr.Address, port int, key string, mtu
 	}
 }

-func (t *USPDevice) Create() (WGConfigurer, error) {
+func (t *TunDevice) Create() (WGConfigurer, error) {
 	log.Info("create tun interface")
 	tunIface, err := tun.CreateTUN(t.name, int(t.mtu))
 	if err != nil {
@@ -75,7 +75,7 @@ func (t *USPDevice) Create() (WGConfigurer, error) {
 	return t.configurer, nil
 }

-func (t *USPDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
+func (t *TunDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
 	if t.device == nil {
 		return nil, fmt.Errorf("device is not ready yet")
 	}
@@ -95,12 +95,12 @@ func (t *USPDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
 	return udpMux, nil
 }

-func (t *USPDevice) UpdateAddr(address wgaddr.Address) error {
+func (t *TunDevice) UpdateAddr(address wgaddr.Address) error {
 	t.address = address
 	return t.assignAddr()
 }

-func (t *USPDevice) Close() error {
+func (t *TunDevice) Close() error {
 	if t.configurer != nil {
 		t.configurer.Close()
 	}
@@ -115,39 +115,39 @@ func (t *USPDevice) Close() error {
 	return nil
 }

-func (t *USPDevice) WgAddress() wgaddr.Address {
+func (t *TunDevice) WgAddress() wgaddr.Address {
 	return t.address
 }

-func (t *USPDevice) MTU() uint16 {
+func (t *TunDevice) MTU() uint16 {
 	return t.mtu
 }

-func (t *USPDevice) DeviceName() string {
+func (t *TunDevice) DeviceName() string {
 	return t.name
 }

-func (t *USPDevice) FilteredDevice() *FilteredDevice {
+func (t *TunDevice) FilteredDevice() *FilteredDevice {
 	return t.filteredDevice
 }

 // Device returns the wireguard device
-func (t *USPDevice) Device() *device.Device {
+func (t *TunDevice) Device() *device.Device {
 	return t.device
 }

 // assignAddr Adds IP address to the tunnel interface
-func (t *USPDevice) assignAddr() error {
+func (t *TunDevice) assignAddr() error {
 	link := newWGLink(t.name)

-	return link.assignAddr(t.address)
+	return link.assignAddr(&t.address)
 }

-func (t *USPDevice) GetNet() *netstack.Net {
+func (t *TunDevice) GetNet() *netstack.Net {
 	return nil
 }

 // GetICEBind returns the ICEBind instance
-func (t *USPDevice) GetICEBind() EndpointManager {
+func (t *TunDevice) GetICEBind() EndpointManager {
 	return t.iceBind
 }
--- a/client/iface/device/device_windows.go
+++ b/client/iface/device/device_windows.go
@@ -87,7 +87,19 @@ func (t *TunDevice) Create() (WGConfigurer, error) {
 	err = nbiface.Set()
 	if err != nil {
 		t.device.Close()
-		return nil, fmt.Errorf("got error when getting setting the interface mtu: %s", err)
+		return nil, fmt.Errorf("set IPv4 interface MTU: %s", err)
+	}
+
+	if t.address.HasIPv6() {
+		nbiface6, err := luid.IPInterface(windows.AF_INET6)
+		if err != nil {
+			log.Warnf("failed to get IPv6 interface for MTU: %v", err)
+		} else {
+			nbiface6.NLMTU = uint32(t.mtu)
+			if err := nbiface6.Set(); err != nil {
+				log.Warnf("failed to set IPv6 interface MTU: %v", err)
+			}
+		}
 	}
 	err = t.assignAddr()
 	if err != nil {
@@ -178,8 +190,21 @@ func (t *TunDevice) GetInterfaceGUIDString() (string, error) {
 // assignAddr Adds IP address to the tunnel interface and network route based on the range provided
 func (t *TunDevice) assignAddr() error {
 	luid := winipcfg.LUID(t.nativeTunDevice.LUID())
-	log.Debugf("adding address %s to interface: %s", t.address.IP, t.name)
-	return luid.SetIPAddresses([]netip.Prefix{netip.MustParsePrefix(t.address.String())})
+
+	v4Prefix := t.address.Prefix()
+	if t.address.HasIPv6() {
+		v6Prefix := t.address.IPv6Prefix()
+		log.Debugf("adding addresses %s, %s to interface: %s", v4Prefix, v6Prefix, t.name)
+		if err := luid.SetIPAddresses([]netip.Prefix{v4Prefix, v6Prefix}); err != nil {
+			log.Warnf("failed to assign dual-stack addresses, retrying v4-only: %v", err)
+			t.address.ClearIPv6()
+			return luid.SetIPAddresses([]netip.Prefix{v4Prefix})
+		}
+		return nil
+	}
+
+	log.Debugf("adding address %s to interface: %s", v4Prefix, t.name)
+	return luid.SetIPAddresses([]netip.Prefix{v4Prefix})
 }

 func (t *TunDevice) GetNet() *netstack.Net {
--- a/client/iface/device/kernel_module.go
+++ b/client/iface/device/kernel_module.go
@@ -1,8 +0,0 @@
-//go:build (!linux && !freebsd) || android
-
-package device
-
-// WireGuardModuleIsLoaded check if we can load WireGuard mod (linux only)
-func WireGuardModuleIsLoaded() bool {
-	return false
-}
--- a/client/iface/device/kernel_module_freebsd.go
+++ b/client/iface/device/kernel_module_freebsd.go
@@ -1,18 +0,0 @@
-package device
-
-// WireGuardModuleIsLoaded check if kernel support wireguard
-func WireGuardModuleIsLoaded() bool {
-	// Despite the fact FreeBSD natively support Wireguard (https://github.com/WireGuard/wireguard-freebsd)
-	//  we are currently do not use it, since it is required to add wireguard kernel support to
-	//   - https://github.com/netbirdio/netbird/tree/main/sharedsock
-	//   - https://github.com/mdlayher/socket
-	// TODO: implement kernel space
-	return false
-}
-
-// ModuleTunIsLoaded check if tun module exist, if is not attempt to load it
-func ModuleTunIsLoaded() bool {
-	// Assume tun supported by freebsd kernel by default
-	// TODO: implement check for module loaded in kernel or build-it
-	return true
-}
--- a/client/iface/device/kernel_module_nonlinux.go
+++ b/client/iface/device/kernel_module_nonlinux.go
@@ -0,0 +1,13 @@
+//go:build !linux || android
+
+package device
+
+// WireGuardModuleIsLoaded reports whether the kernel WireGuard module is available.
+func WireGuardModuleIsLoaded() bool {
+	return false
+}
+
+// ModuleTunIsLoaded reports whether the tun device is available.
+func ModuleTunIsLoaded() bool {
+	return true
+}
--- a/client/iface/device/wg_link_freebsd.go
+++ b/client/iface/device/wg_link_freebsd.go
@@ -2,6 +2,7 @@ package device

 import (
 	"fmt"
+	"os/exec"

 	log "github.com/sirupsen/logrus"

@@ -57,32 +58,32 @@ func (l *wgLink) up() error {
 	return nil
 }

-func (l *wgLink) assignAddr(address wgaddr.Address) error {
+func (l *wgLink) assignAddr(address *wgaddr.Address) error {
 	link, err := freebsd.LinkByName(l.name)
 	if err != nil {
 		return fmt.Errorf("link by name: %w", err)
 	}

-	ip := address.IP.String()
-
-	// Convert prefix length to hex netmask
 	prefixLen := address.Network.Bits()
-	if !address.IP.Is4() {
-		return fmt.Errorf("IPv6 not supported for interface assignment")
-	}
-
 	maskBits := uint32(0xffffffff) << (32 - prefixLen)
 	mask := fmt.Sprintf("0x%08x", maskBits)

-	log.Infof("assign addr %s mask %s to %s interface", ip, mask, l.name)
+	log.Infof("assign addr %s mask %s to %s interface", address.IP, mask, l.name)

-	err = link.AssignAddr(ip, mask)
-	if err != nil {
+	if err := link.AssignAddr(address.IP.String(), mask); err != nil {
 		return fmt.Errorf("assign addr: %w", err)
 	}

-	err = link.Up()
-	if err != nil {
+	if address.HasIPv6() {
+		log.Infof("assign IPv6 addr %s to %s interface", address.IPv6String(), l.name)
+		cmd := exec.Command("ifconfig", l.name, "inet6", address.IPv6String())
+		if out, err := cmd.CombinedOutput(); err != nil {
+			log.Warnf("failed to assign IPv6 address %s to %s, continuing v4-only: %s: %v", address.IPv6String(), l.name, string(out), err)
+			address.ClearIPv6()
+		}
+	}
+
+	if err := link.Up(); err != nil {
 		return fmt.Errorf("up: %w", err)
 	}

--- a/client/iface/device/wg_link_linux.go
+++ b/client/iface/device/wg_link_linux.go
@@ -4,6 +4,8 @@ package device

 import (
 	"fmt"
+	"net"
+	"net/netip"
 	"os"

 	log "github.com/sirupsen/logrus"
@@ -92,7 +94,7 @@ func (l *wgLink) up() error {
 	return nil
 }

-func (l *wgLink) assignAddr(address wgaddr.Address) error {
+func (l *wgLink) assignAddr(address *wgaddr.Address) error {
 	//delete existing addresses
 	list, err := netlink.AddrList(l, 0)
 	if err != nil {
@@ -110,20 +112,16 @@ func (l *wgLink) assignAddr(address wgaddr.Address) error {
 	}

 	name := l.attrs.Name
-	addrStr := address.String()

-	log.Debugf("adding address %s to interface: %s", addrStr, name)
-
-	addr, err := netlink.ParseAddr(addrStr)
-	if err != nil {
-		return fmt.Errorf("parse addr: %w", err)
+	if err := l.addAddr(name, address.Prefix()); err != nil {
+		return err
 	}

-	err = netlink.AddrAdd(l, addr)
-	if os.IsExist(err) {
-		log.Infof("interface %s already has the address: %s", name, addrStr)
-	} else if err != nil {
-		return fmt.Errorf("add addr: %w", err)
+	if address.HasIPv6() {
+		if err := l.addAddr(name, address.IPv6Prefix()); err != nil {
+			log.Warnf("failed to assign IPv6 address %s to %s, continuing v4-only: %v", address.IPv6Prefix(), name, err)
+			address.ClearIPv6()
+		}
 	}

 	// On linux, the link must be brought up
@@ -133,3 +131,22 @@ func (l *wgLink) assignAddr(address wgaddr.Address) error {

 	return nil
 }
+
+func (l *wgLink) addAddr(ifaceName string, prefix netip.Prefix) error {
+	log.Debugf("adding address %s to interface: %s", prefix, ifaceName)
+
+	addr := &netlink.Addr{
+		IPNet: &net.IPNet{
+			IP:   prefix.Addr().AsSlice(),
+			Mask: net.CIDRMask(prefix.Bits(), prefix.Addr().BitLen()),
+		},
+	}
+
+	if err := netlink.AddrAdd(l, addr); os.IsExist(err) {
+		log.Infof("interface %s already has the address: %s", ifaceName, prefix)
+	} else if err != nil {
+		return fmt.Errorf("add addr %s: %w", prefix, err)
+	}
+
+	return nil
+}
--- a/client/iface/iface.go
+++ b/client/iface/iface.go
@@ -57,7 +57,7 @@ type wgProxyFactory interface {

 type WGIFaceOpts struct {
 	IFaceName    string
-	Address      string
+	Address      wgaddr.Address
 	WGPort       int
 	WGPrivKey    string
 	MTU          uint16
@@ -141,16 +141,11 @@ func (w *WGIface) Up() (*udpmux.UniversalUDPMuxDefault, error) {
 }

 // UpdateAddr updates address of the interface
-func (w *WGIface) UpdateAddr(newAddr string) error {
+func (w *WGIface) UpdateAddr(newAddr wgaddr.Address) error {
 	w.mu.Lock()
 	defer w.mu.Unlock()

-	addr, err := wgaddr.ParseWGAddress(newAddr)
-	if err != nil {
-		return err
-	}
-
-	return w.tun.UpdateAddr(addr)
+	return w.tun.UpdateAddr(newAddr)
 }

 // UpdatePeer updates existing Wireguard Peer or creates a new one if doesn't exist
--- a/client/iface/iface_new_windows.go
+++ b/client/iface/iface_new_windows.go
@@ -1,33 +1,28 @@
+//go:build !linux && !ios && !android && !js
+
 package iface

 import (
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/netstack"
-	wgaddr "github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
 )

 // NewWGIFace Creates a new WireGuard interface instance
 func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := wgaddr.ParseWGAddress(opts.Address)
-	if err != nil {
-		return nil, err
-	}
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, opts.Address, opts.MTU)

 	var tun WGTunDevice
 	if netstack.IsEnabled() {
-		tun = device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr())
+		tun = device.NewNetstackDevice(opts.IFaceName, opts.Address, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr())
 	} else {
-		tun = device.NewTunDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind)
+		tun = device.NewTunDevice(opts.IFaceName, opts.Address, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind)
 	}

-	wgIFace := &WGIface{
+	return &WGIface{
 		userspaceBind:  true,
 		tun:            tun,
 		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
-	}
-	return wgIFace, nil
-
+	}, nil
 }
--- a/client/iface/iface_new_android.go
+++ b/client/iface/iface_new_android.go
@@ -4,23 +4,17 @@ import (
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
 )

 // NewWGIFace Creates a new WireGuard interface instance
 func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := wgaddr.ParseWGAddress(opts.Address)
-	if err != nil {
-		return nil, err
-	}
-
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, opts.Address, opts.MTU)

 	if netstack.IsEnabled() {
 		wgIFace := &WGIface{
 			userspaceBind:  true,
-			tun:            device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr()),
+			tun:            device.NewNetstackDevice(opts.IFaceName, opts.Address, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr()),
 			wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
 		}
 		return wgIFace, nil
@@ -28,7 +22,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {

 	wgIFace := &WGIface{
 		userspaceBind:  true,
-		tun:            device.NewTunDevice(wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunAdapter, opts.DisableDNS),
+		tun:            device.NewTunDevice(opts.Address, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunAdapter, opts.DisableDNS),
 		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
 	}
 	return wgIFace, nil
--- a/client/iface/iface_new_darwin.go
+++ b/client/iface/iface_new_darwin.go
@@ -1,35 +0,0 @@
-//go:build !ios
-
-package iface
-
-import (
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	"github.com/netbirdio/netbird/client/iface/wgproxy"
-)
-
-// NewWGIFace Creates a new WireGuard interface instance
-func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := wgaddr.ParseWGAddress(opts.Address)
-	if err != nil {
-		return nil, err
-	}
-
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
-
-	var tun WGTunDevice
-	if netstack.IsEnabled() {
-		tun = device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr())
-	} else {
-		tun = device.NewTunDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind)
-	}
-
-	wgIFace := &WGIface{
-		userspaceBind:  true,
-		tun:            tun,
-		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
-	}
-	return wgIFace, nil
-}
--- a/client/iface/iface_new_freebsd.go
+++ b/client/iface/iface_new_freebsd.go
@@ -1,41 +0,0 @@
-//go:build freebsd
-
-package iface
-
-import (
-	"fmt"
-
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	"github.com/netbirdio/netbird/client/iface/wgproxy"
-)
-
-// NewWGIFace Creates a new WireGuard interface instance
-func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := wgaddr.ParseWGAddress(opts.Address)
-	if err != nil {
-		return nil, err
-	}
-
-	wgIFace := &WGIface{}
-
-	if netstack.IsEnabled() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
-		wgIFace.tun = device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr())
-		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
-		return wgIFace, nil
-	}
-
-	if device.ModuleTunIsLoaded() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
-		wgIFace.tun = device.NewUSPDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind)
-		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
-		return wgIFace, nil
-	}
-
-	return nil, fmt.Errorf("couldn't check or load tun module")
-}
--- a/client/iface/iface_new_ios.go
+++ b/client/iface/iface_new_ios.go
@@ -5,21 +5,15 @@ package iface
 import (
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
 )

 // NewWGIFace Creates a new WireGuard interface instance
 func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := wgaddr.ParseWGAddress(opts.Address)
-	if err != nil {
-		return nil, err
-	}
-
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, opts.Address, opts.MTU)

 	wgIFace := &WGIface{
-		tun:            device.NewTunDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunFd),
+		tun:            device.NewTunDevice(opts.IFaceName, opts.Address, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunFd),
 		userspaceBind:  true,
 		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
 	}
--- a/client/iface/iface_new_js.go
+++ b/client/iface/iface_new_js.go
@@ -4,21 +4,15 @@ import (
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
 )

 // NewWGIFace creates a new WireGuard interface for WASM (always uses netstack mode)
 func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := wgaddr.ParseWGAddress(opts.Address)
-	if err != nil {
-		return nil, err
-	}
-
 	relayBind := bind.NewRelayBindJS()

 	wgIface := &WGIface{
-		tun:            device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, relayBind, netstack.ListenAddr()),
+		tun:            device.NewNetstackDevice(opts.IFaceName, opts.Address, opts.WGPort, opts.WGPrivKey, opts.MTU, relayBind, netstack.ListenAddr()),
 		userspaceBind:  true,
 		wgProxyFactory: wgproxy.NewUSPFactory(relayBind, opts.MTU),
 	}
--- a/client/iface/iface_new_linux.go
+++ b/client/iface/iface_new_linux.go
@@ -3,44 +3,40 @@
 package iface

 import (
-	"fmt"
+	"errors"

 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
 )

 // NewWGIFace Creates a new WireGuard interface instance
 func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := wgaddr.ParseWGAddress(opts.Address)
-	if err != nil {
-		return nil, err
-	}
-
-	wgIFace := &WGIface{}
-
 	if netstack.IsEnabled() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
-		wgIFace.tun = device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr())
-		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
-		return wgIFace, nil
+		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, opts.Address, opts.MTU)
+		return &WGIface{
+			tun:            device.NewNetstackDevice(opts.IFaceName, opts.Address, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr()),
+			userspaceBind:  true,
+			wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
+		}, nil
 	}

 	if device.WireGuardModuleIsLoaded() {
-		wgIFace.tun = device.NewKernelDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, opts.TransportNet)
-		wgIFace.wgProxyFactory = wgproxy.NewKernelFactory(opts.WGPort, opts.MTU)
-		return wgIFace, nil
-	}
-	if device.ModuleTunIsLoaded() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
-		wgIFace.tun = device.NewUSPDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind)
-		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
-		return wgIFace, nil
+		return &WGIface{
+			tun:            device.NewKernelDevice(opts.IFaceName, opts.Address, opts.WGPort, opts.WGPrivKey, opts.MTU, opts.TransportNet),
+			wgProxyFactory: wgproxy.NewKernelFactory(opts.WGPort, opts.MTU),
+		}, nil
 	}

-	return nil, fmt.Errorf("couldn't check or load tun module")
+	if device.ModuleTunIsLoaded() {
+		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, opts.Address, opts.MTU)
+		return &WGIface{
+			tun:            device.NewTunDevice(opts.IFaceName, opts.Address, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind),
+			userspaceBind:  true,
+			wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
+		}, nil
+	}
+
+	return nil, errors.New("tun module not available")
 }
--- a/client/iface/iface_test.go
+++ b/client/iface/iface_test.go
@@ -16,6 +16,7 @@ import (
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

 	"github.com/netbirdio/netbird/client/iface/device"
+	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 )

@@ -48,7 +49,7 @@ func TestWGIface_UpdateAddr(t *testing.T) {

 	opts := WGIFaceOpts{
 		IFaceName:    ifaceName,
-		Address:      addr,
+		Address:      wgaddr.MustParseWGAddress(addr),
 		WGPort:       wgPort,
 		WGPrivKey:    key,
 		MTU:          DefaultMTU,
@@ -84,7 +85,7 @@ func TestWGIface_UpdateAddr(t *testing.T) {

 	//update WireGuard address
 	addr = "100.64.0.2/8"
-	err = iface.UpdateAddr(addr)
+	err = iface.UpdateAddr(wgaddr.MustParseWGAddress(addr))
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -130,7 +131,7 @@ func Test_CreateInterface(t *testing.T) {
 	}
 	opts := WGIFaceOpts{
 		IFaceName:    ifaceName,
-		Address:      wgIP,
+		Address:      wgaddr.MustParseWGAddress(wgIP),
 		WGPort:       33100,
 		WGPrivKey:    key,
 		MTU:          DefaultMTU,
@@ -174,7 +175,7 @@ func Test_Close(t *testing.T) {

 	opts := WGIFaceOpts{
 		IFaceName:    ifaceName,
-		Address:      wgIP,
+		Address:      wgaddr.MustParseWGAddress(wgIP),
 		WGPort:       wgPort,
 		WGPrivKey:    key,
 		MTU:          DefaultMTU,
@@ -219,7 +220,7 @@ func TestRecreation(t *testing.T) {

 			opts := WGIFaceOpts{
 				IFaceName:    ifaceName,
-				Address:      wgIP,
+				Address:      wgaddr.MustParseWGAddress(wgIP),
 				WGPort:       wgPort,
 				WGPrivKey:    key,
 				MTU:          DefaultMTU,
@@ -291,7 +292,7 @@ func Test_ConfigureInterface(t *testing.T) {
 	}
 	opts := WGIFaceOpts{
 		IFaceName:    ifaceName,
-		Address:      wgIP,
+		Address:      wgaddr.MustParseWGAddress(wgIP),
 		WGPort:       wgPort,
 		WGPrivKey:    key,
 		MTU:          DefaultMTU,
@@ -347,7 +348,7 @@ func Test_UpdatePeer(t *testing.T) {

 	opts := WGIFaceOpts{
 		IFaceName:    ifaceName,
-		Address:      wgIP,
+		Address:      wgaddr.MustParseWGAddress(wgIP),
 		WGPort:       33100,
 		WGPrivKey:    key,
 		MTU:          DefaultMTU,
@@ -417,7 +418,7 @@ func Test_RemovePeer(t *testing.T) {

 	opts := WGIFaceOpts{
 		IFaceName:    ifaceName,
-		Address:      wgIP,
+		Address:      wgaddr.MustParseWGAddress(wgIP),
 		WGPort:       33100,
 		WGPrivKey:    key,
 		MTU:          DefaultMTU,
@@ -482,7 +483,7 @@ func Test_ConnectPeers(t *testing.T) {

 	optsPeer1 := WGIFaceOpts{
 		IFaceName:    peer1ifaceName,
-		Address:      peer1wgIP.String(),
+		Address:      wgaddr.MustParseWGAddress(peer1wgIP.String()),
 		WGPort:       peer1wgPort,
 		WGPrivKey:    peer1Key.String(),
 		MTU:          DefaultMTU,
@@ -522,7 +523,7 @@ func Test_ConnectPeers(t *testing.T) {

 	optsPeer2 := WGIFaceOpts{
 		IFaceName:    peer2ifaceName,
-		Address:      peer2wgIP.String(),
+		Address:      wgaddr.MustParseWGAddress(peer2wgIP.String()),
 		WGPort:       peer2wgPort,
 		WGPrivKey:    peer2Key.String(),
 		MTU:          DefaultMTU,
--- a/client/iface/netstack/tun.go
+++ b/client/iface/netstack/tun.go
@@ -13,7 +13,7 @@ import (
 const EnvSkipProxy = "NB_NETSTACK_SKIP_PROXY"

 type NetStackTun struct { //nolint:revive
-	address       netip.Addr
+	addresses     []netip.Addr
 	dnsAddress    netip.Addr
 	mtu           int
 	listenAddress string
@@ -22,9 +22,9 @@ type NetStackTun struct { //nolint:revive
 	tundev tun.Device
 }

-func NewNetStackTun(listenAddress string, address netip.Addr, dnsAddress netip.Addr, mtu int) *NetStackTun {
+func NewNetStackTun(listenAddress string, addresses []netip.Addr, dnsAddress netip.Addr, mtu int) *NetStackTun {
 	return &NetStackTun{
-		address:       address,
+		addresses:     addresses,
 		dnsAddress:    dnsAddress,
 		mtu:           mtu,
 		listenAddress: listenAddress,
@@ -33,7 +33,7 @@ func NewNetStackTun(listenAddress string, address netip.Addr, dnsAddress netip.A

 func (t *NetStackTun) Create() (tun.Device, *netstack.Net, error) {
 	nsTunDev, tunNet, err := netstack.CreateNetTUN(
-		[]netip.Addr{t.address},
+		t.addresses,
 		[]netip.Addr{t.dnsAddress},
 		t.mtu)
 	if err != nil {
--- a/client/iface/wgaddr/address.go
+++ b/client/iface/wgaddr/address.go
@@ -3,12 +3,18 @@ package wgaddr
 import (
 	"fmt"
 	"net/netip"
+
+	"github.com/netbirdio/netbird/shared/netiputil"
 )

 // Address WireGuard parsed address
 type Address struct {
 	IP      netip.Addr
 	Network netip.Prefix
+
+	// IPv6 overlay address, if assigned.
+	IPv6    netip.Addr
+	IPv6Net netip.Prefix
 }

 // ParseWGAddress parse a string ("1.2.3.4/24") address to WG Address
@@ -23,6 +29,60 @@ func ParseWGAddress(address string) (Address, error) {
 	}, nil
 }

-func (addr Address) String() string {
-	return fmt.Sprintf("%s/%d", addr.IP.String(), addr.Network.Bits())
+// HasIPv6 reports whether a v6 overlay address is assigned.
+func (addr Address) HasIPv6() bool {
+	return addr.IPv6.IsValid()
+}
+
+func (addr Address) String() string {
+	return addr.Prefix().String()
+}
+
+// IPv6String returns the v6 address in CIDR notation, or empty string if none.
+func (addr Address) IPv6String() string {
+	if !addr.HasIPv6() {
+		return ""
+	}
+	return addr.IPv6Prefix().String()
+}
+
+// Prefix returns the v4 host address with its network prefix length (e.g. 100.64.0.1/16).
+func (addr Address) Prefix() netip.Prefix {
+	return netip.PrefixFrom(addr.IP, addr.Network.Bits())
+}
+
+// IPv6Prefix returns the v6 host address with its network prefix length, or a zero prefix if none.
+func (addr Address) IPv6Prefix() netip.Prefix {
+	if !addr.HasIPv6() {
+		return netip.Prefix{}
+	}
+	return netip.PrefixFrom(addr.IPv6, addr.IPv6Net.Bits())
+}
+
+// SetIPv6FromCompact decodes a compact prefix (5 or 17 bytes) and sets the IPv6 fields.
+// Returns an error if the bytes are invalid. A nil or empty input is a no-op.
+//
+//nolint:recvcheck
+func (addr *Address) SetIPv6FromCompact(raw []byte) error {
+	if len(raw) == 0 {
+		return nil
+	}
+	prefix, err := netiputil.DecodePrefix(raw)
+	if err != nil {
+		return fmt.Errorf("decode v6 overlay address: %w", err)
+	}
+	if !prefix.Addr().Is6() {
+		return fmt.Errorf("expected IPv6 address, got %s", prefix.Addr())
+	}
+	addr.IPv6 = prefix.Addr()
+	addr.IPv6Net = prefix.Masked()
+	return nil
+}
+
+// ClearIPv6 removes the IPv6 overlay address, leaving only v4.
+//
+//nolint:recvcheck
+func (addr *Address) ClearIPv6() {
+	addr.IPv6 = netip.Addr{}
+	addr.IPv6Net = netip.Prefix{}
 }
--- a/client/iface/wgaddr/address_test_helpers.go
+++ b/client/iface/wgaddr/address_test_helpers.go
@@ -0,0 +1,10 @@
+package wgaddr
+
+// MustParseWGAddress parses and returns a WG Address, panicking on error.
+func MustParseWGAddress(address string) Address {
+	a, err := ParseWGAddress(address)
+	if err != nil {
+		panic(err)
+	}
+	return a
+}
--- a/client/iface/wgproxy/bind/proxy.go
+++ b/client/iface/wgproxy/bind/proxy.go
@@ -6,7 +6,7 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
-	"strings"
+
 	"sync"

 	log "github.com/sirupsen/logrus"
@@ -196,18 +196,22 @@ func (p *ProxyBind) proxyToLocal(ctx context.Context) {
 	}
 }

-// fakeAddress returns a fake address that is used to as an identifier for the peer.
-// The fake address is in the format of 127.1.x.x where x.x is the last two octets of the peer address.
+// fakeAddress returns a fake address that is used as an identifier for the peer.
+// The fake address is in the format of 127.1.x.x where x.x is derived from the
+// last two bytes of the peer address (works for both IPv4 and IPv6).
 func fakeAddress(peerAddress *net.UDPAddr) (*netip.AddrPort, error) {
-	octets := strings.Split(peerAddress.IP.String(), ".")
-	if len(octets) != 4 {
-		return nil, fmt.Errorf("invalid IP format")
+	if peerAddress == nil {
+		return nil, fmt.Errorf("nil peer address")
 	}

-	fakeIP, err := netip.ParseAddr(fmt.Sprintf("127.1.%s.%s", octets[2], octets[3]))
-	if err != nil {
-		return nil, fmt.Errorf("parse new IP: %w", err)
+	addr, ok := netip.AddrFromSlice(peerAddress.IP)
+	if !ok {
+		return nil, fmt.Errorf("invalid IP format")
 	}
+	addr = addr.Unmap()
+
+	raw := addr.As16()
+	fakeIP := netip.AddrFrom4([4]byte{127, 1, raw[14], raw[15]})

 	netipAddr := netip.AddrPortFrom(fakeIP, uint16(peerAddress.Port))
 	return &netipAddr, nil
--- a/client/internal/acl/manager.go
+++ b/client/internal/acl/manager.go
@@ -5,7 +5,6 @@ import (
 	"encoding/hex"
 	"errors"
 	"fmt"
-	"net"
 	"net/netip"
 	"strconv"
 	"sync"
@@ -19,6 +18,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/acl/id"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
+	"github.com/netbirdio/netbird/shared/netiputil"
 )

 var ErrSourceRangesEmpty = errors.New("sources range is empty")
@@ -105,6 +105,10 @@ func (d *DefaultManager) applyPeerACLs(networkMap *mgmProto.NetworkMap) {
 	newRulePairs := make(map[id.RuleID][]firewall.Rule)
 	ipsetByRuleSelectors := make(map[string]string)

+	// TODO: deny rules should be fatal: if a deny rule fails to apply, we must
+	// roll back all allow rules to avoid a fail-open where allowed traffic bypasses
+	// the missing deny. Currently we accumulate errors and continue.
+	var merr *multierror.Error
 	for _, r := range rules {
 		// if this rule is member of rule selection with more than DefaultIPsCountForSet
 		// it's IP address can be used in the ipset for firewall manager which supports it
@@ -117,9 +121,8 @@ func (d *DefaultManager) applyPeerACLs(networkMap *mgmProto.NetworkMap) {
 		}
 		pairID, rulePair, err := d.protoRuleToFirewallRule(r, ipsetName)
 		if err != nil {
-			log.Errorf("failed to apply firewall rule: %+v, %v", r, err)
-			d.rollBack(newRulePairs)
-			break
+			merr = multierror.Append(merr, fmt.Errorf("apply firewall rule: %w", err))
+			continue
 		}
 		if len(rulePair) > 0 {
 			d.peerRulesPairs[pairID] = rulePair
@@ -127,6 +130,10 @@ func (d *DefaultManager) applyPeerACLs(networkMap *mgmProto.NetworkMap) {
 		}
 	}

+	if merr != nil {
+		log.Errorf("failed to apply %d peer ACL rule(s): %v", merr.Len(), nberrors.FormatErrorOrNil(merr))
+	}
+
 	for pairID, rules := range d.peerRulesPairs {
 		if _, ok := newRulePairs[pairID]; !ok {
 			for _, rule := range rules {
@@ -216,9 +223,9 @@ func (d *DefaultManager) protoRuleToFirewallRule(
 	r *mgmProto.FirewallRule,
 	ipsetName string,
 ) (id.RuleID, []firewall.Rule, error) {
-	ip := net.ParseIP(r.PeerIP)
-	if ip == nil {
-		return "", nil, fmt.Errorf("invalid IP address, skipping firewall rule")
+	ip, err := extractRuleIP(r)
+	if err != nil {
+		return "", nil, err
 	}

 	protocol, err := convertToFirewallProtocol(r.Protocol)
@@ -289,13 +296,13 @@ func portInfoEmpty(portInfo *mgmProto.PortInfo) bool {

 func (d *DefaultManager) addInRules(
 	id []byte,
-	ip net.IP,
+	ip netip.Addr,
 	protocol firewall.Protocol,
 	port *firewall.Port,
 	action firewall.Action,
 	ipsetName string,
 ) ([]firewall.Rule, error) {
-	rule, err := d.firewall.AddPeerFiltering(id, ip, protocol, nil, port, action, ipsetName)
+	rule, err := d.firewall.AddPeerFiltering(id, ip.AsSlice(), protocol, nil, port, action, ipsetName)
 	if err != nil {
 		return nil, fmt.Errorf("add firewall rule: %w", err)
 	}
@@ -305,7 +312,7 @@ func (d *DefaultManager) addInRules(

 func (d *DefaultManager) addOutRules(
 	id []byte,
-	ip net.IP,
+	ip netip.Addr,
 	protocol firewall.Protocol,
 	port *firewall.Port,
 	action firewall.Action,
@@ -315,7 +322,7 @@ func (d *DefaultManager) addOutRules(
 		return nil, nil
 	}

-	rule, err := d.firewall.AddPeerFiltering(id, ip, protocol, port, nil, action, ipsetName)
+	rule, err := d.firewall.AddPeerFiltering(id, ip.AsSlice(), protocol, port, nil, action, ipsetName)
 	if err != nil {
 		return nil, fmt.Errorf("add firewall rule: %w", err)
 	}
@@ -323,9 +330,9 @@ func (d *DefaultManager) addOutRules(
 	return rule, nil
 }

-// getPeerRuleID() returns unique ID for the rule based on its parameters.
+// getPeerRuleID returns unique ID for the rule based on its parameters.
 func (d *DefaultManager) getPeerRuleID(
-	ip net.IP,
+	ip netip.Addr,
 	proto firewall.Protocol,
 	direction int,
 	port *firewall.Port,
@@ -344,15 +351,25 @@ func (d *DefaultManager) getRuleGroupingSelector(rule *mgmProto.FirewallRule) st
 	return fmt.Sprintf("%v:%v:%v:%s:%v", strconv.Itoa(int(rule.Direction)), rule.Action, rule.Protocol, rule.Port, rule.PortInfo)
 }

-func (d *DefaultManager) rollBack(newRulePairs map[id.RuleID][]firewall.Rule) {
-	log.Debugf("rollback ACL to previous state")
-	for _, rules := range newRulePairs {
-		for _, rule := range rules {
-			if err := d.firewall.DeletePeerRule(rule); err != nil {
-				log.Errorf("failed to delete new firewall rule (id: %v) during rollback: %v", rule.ID(), err)
-			}
+
+// extractRuleIP extracts the peer IP from a firewall rule.
+// If sourcePrefixes is populated (new management), decode the first entry and use its address.
+// Otherwise fall back to the deprecated PeerIP string field (old management).
+func extractRuleIP(r *mgmProto.FirewallRule) (netip.Addr, error) {
+	if len(r.SourcePrefixes) > 0 {
+		addr, err := netiputil.DecodeAddr(r.SourcePrefixes[0])
+		if err != nil {
+			return netip.Addr{}, fmt.Errorf("decode source prefix: %w", err)
 		}
+		return addr.Unmap(), nil
 	}
+
+	//nolint:staticcheck // PeerIP used for backward compatibility with old management
+	addr, err := netip.ParseAddr(r.PeerIP)
+	if err != nil {
+		return netip.Addr{}, fmt.Errorf("invalid IP address, skipping firewall rule")
+	}
+	return addr.Unmap(), nil
 }

 func convertToFirewallProtocol(protocol mgmProto.RuleProtocol) (firewall.Protocol, error) {
--- a/client/internal/acl/manager_test.go
+++ b/client/internal/acl/manager_test.go
@@ -19,9 +19,6 @@ import (
 var flowLogger = netflow.NewManager(nil, []byte{}, nil).GetLogger()

 func TestDefaultManager(t *testing.T) {
-	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
-	t.Setenv(firewall.EnvForceUserspaceFirewall, "true")
-
 	networkMap := &mgmProto.NetworkMap{
 		FirewallRules: []*mgmProto.FirewallRule{
 			{
@@ -138,7 +135,6 @@ func TestDefaultManager(t *testing.T) {
 func TestDefaultManagerStateless(t *testing.T) {
 	// stateless currently only in userspace, so we have to disable kernel
 	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
-	t.Setenv(firewall.EnvForceUserspaceFirewall, "true")
 	t.Setenv("NB_DISABLE_CONNTRACK", "true")

 	networkMap := &mgmProto.NetworkMap{
@@ -198,7 +194,6 @@ func TestDefaultManagerStateless(t *testing.T) {
 // This tests the full ACL manager -> uspfilter integration.
 func TestDenyRulesNotAccumulatedOnRepeatedApply(t *testing.T) {
 	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
-	t.Setenv(firewall.EnvForceUserspaceFirewall, "true")

 	networkMap := &mgmProto.NetworkMap{
 		FirewallRules: []*mgmProto.FirewallRule{
@@ -263,7 +258,6 @@ func TestDenyRulesNotAccumulatedOnRepeatedApply(t *testing.T) {
 // up when they're removed from the network map in a subsequent update.
 func TestDenyRulesCleanedUpOnRemoval(t *testing.T) {
 	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
-	t.Setenv(firewall.EnvForceUserspaceFirewall, "true")

 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
@@ -345,7 +339,6 @@ func TestDenyRulesCleanedUpOnRemoval(t *testing.T) {
 // one added without leaking.
 func TestRuleUpdateChangingAction(t *testing.T) {
 	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
-	t.Setenv(firewall.EnvForceUserspaceFirewall, "true")

 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
--- a/client/internal/auth/auth.go
+++ b/client/internal/auth/auth.go
@@ -155,7 +155,7 @@ func (a *Auth) IsLoginRequired(ctx context.Context) (bool, error) {
 	var needsLogin bool

 	err = a.withRetry(ctx, func(client *mgm.GrpcClient) error {
-		_, _, err := a.doMgmLogin(client, ctx, pubSSHKey)
+		err := a.doMgmLogin(client, ctx, pubSSHKey)
 		if isLoginNeeded(err) {
 			needsLogin = true
 			return nil
@@ -179,8 +179,8 @@ func (a *Auth) Login(ctx context.Context, setupKey string, jwtToken string) (err
 	var isAuthError bool

 	err = a.withRetry(ctx, func(client *mgm.GrpcClient) error {
-		serverKey, _, err := a.doMgmLogin(client, ctx, pubSSHKey)
-		if serverKey != nil && isRegistrationNeeded(err) {
+		err := a.doMgmLogin(client, ctx, pubSSHKey)
+		if isRegistrationNeeded(err) {
 			log.Debugf("peer registration required")
 			_, err = a.registerPeer(client, ctx, setupKey, jwtToken, pubSSHKey)
 			if err != nil {
@@ -201,13 +201,7 @@ func (a *Auth) Login(ctx context.Context, setupKey string, jwtToken string) (err

 // getPKCEFlow retrieves PKCE authorization flow configuration and creates a flow instance
 func (a *Auth) getPKCEFlow(client *mgm.GrpcClient) (*PKCEAuthorizationFlow, error) {
-	serverKey, err := client.GetServerPublicKey()
-	if err != nil {
-		log.Errorf("failed while getting Management Service public key: %v", err)
-		return nil, err
-	}
-
-	protoFlow, err := client.GetPKCEAuthorizationFlow(*serverKey)
+	protoFlow, err := client.GetPKCEAuthorizationFlow()
 	if err != nil {
 		if s, ok := status.FromError(err); ok && s.Code() == codes.NotFound {
 			log.Warnf("server couldn't find pkce flow, contact admin: %v", err)
@@ -221,7 +215,7 @@ func (a *Auth) getPKCEFlow(client *mgm.GrpcClient) (*PKCEAuthorizationFlow, erro
 	config := &PKCEAuthProviderConfig{
 		Audience:              protoConfig.GetAudience(),
 		ClientID:              protoConfig.GetClientID(),
-		ClientSecret:          protoConfig.GetClientSecret(),
+		ClientSecret:          protoConfig.GetClientSecret(), //nolint:staticcheck
 		TokenEndpoint:         protoConfig.GetTokenEndpoint(),
 		AuthorizationEndpoint: protoConfig.GetAuthorizationEndpoint(),
 		Scope:                 protoConfig.GetScope(),
@@ -246,13 +240,7 @@ func (a *Auth) getPKCEFlow(client *mgm.GrpcClient) (*PKCEAuthorizationFlow, erro

 // getDeviceFlow retrieves device authorization flow configuration and creates a flow instance
 func (a *Auth) getDeviceFlow(client *mgm.GrpcClient) (*DeviceAuthorizationFlow, error) {
-	serverKey, err := client.GetServerPublicKey()
-	if err != nil {
-		log.Errorf("failed while getting Management Service public key: %v", err)
-		return nil, err
-	}
-
-	protoFlow, err := client.GetDeviceAuthorizationFlow(*serverKey)
+	protoFlow, err := client.GetDeviceAuthorizationFlow()
 	if err != nil {
 		if s, ok := status.FromError(err); ok && s.Code() == codes.NotFound {
 			log.Warnf("server couldn't find device flow, contact admin: %v", err)
@@ -266,7 +254,7 @@ func (a *Auth) getDeviceFlow(client *mgm.GrpcClient) (*DeviceAuthorizationFlow,
 	config := &DeviceAuthProviderConfig{
 		Audience:           protoConfig.GetAudience(),
 		ClientID:           protoConfig.GetClientID(),
-		ClientSecret:       protoConfig.GetClientSecret(),
+		ClientSecret:       protoConfig.GetClientSecret(), //nolint:staticcheck
 		Domain:             protoConfig.Domain,
 		TokenEndpoint:      protoConfig.GetTokenEndpoint(),
 		DeviceAuthEndpoint: protoConfig.GetDeviceAuthEndpoint(),
@@ -292,28 +280,16 @@ func (a *Auth) getDeviceFlow(client *mgm.GrpcClient) (*DeviceAuthorizationFlow,
 }

 // doMgmLogin performs the actual login operation with the management service
-func (a *Auth) doMgmLogin(client *mgm.GrpcClient, ctx context.Context, pubSSHKey []byte) (*wgtypes.Key, *mgmProto.LoginResponse, error) {
-	serverKey, err := client.GetServerPublicKey()
-	if err != nil {
-		log.Errorf("failed while getting Management Service public key: %v", err)
-		return nil, nil, err
-	}
-
+func (a *Auth) doMgmLogin(client *mgm.GrpcClient, ctx context.Context, pubSSHKey []byte) error {
 	sysInfo := system.GetInfo(ctx)
 	a.setSystemInfoFlags(sysInfo)
-	loginResp, err := client.Login(*serverKey, sysInfo, pubSSHKey, a.config.DNSLabels)
-	return serverKey, loginResp, err
+	_, err := client.Login(sysInfo, pubSSHKey, a.config.DNSLabels)
+	return err
 }

 // registerPeer checks whether setupKey was provided via cmd line and if not then it prompts user to enter a key.
 // Otherwise tries to register with the provided setupKey via command line.
 func (a *Auth) registerPeer(client *mgm.GrpcClient, ctx context.Context, setupKey string, jwtToken string, pubSSHKey []byte) (*mgmProto.LoginResponse, error) {
-	serverPublicKey, err := client.GetServerPublicKey()
-	if err != nil {
-		log.Errorf("failed while getting Management Service public key: %v", err)
-		return nil, err
-	}
-
 	validSetupKey, err := uuid.Parse(setupKey)
 	if err != nil && jwtToken == "" {
 		return nil, status.Errorf(codes.InvalidArgument, "invalid setup-key or no sso information provided, err: %v", err)
@@ -322,7 +298,7 @@ func (a *Auth) registerPeer(client *mgm.GrpcClient, ctx context.Context, setupKe
 	log.Debugf("sending peer registration request to Management Service")
 	info := system.GetInfo(ctx)
 	a.setSystemInfoFlags(info)
-	loginResp, err := client.Register(*serverPublicKey, validSetupKey.String(), jwtToken, info, pubSSHKey, a.config.DNSLabels)
+	loginResp, err := client.Register(validSetupKey.String(), jwtToken, info, pubSSHKey, a.config.DNSLabels)
 	if err != nil {
 		log.Errorf("failed registering peer %v", err)
 		return nil, err
@@ -345,6 +321,7 @@ func (a *Auth) setSystemInfoFlags(info *system.Info) {
 		a.config.DisableFirewall,
 		a.config.BlockLANAccess,
 		a.config.BlockInbound,
+		a.config.DisableIPv6,
 		a.config.LazyConnectionEnabled,
 		a.config.EnableSSHRoot,
 		a.config.EnableSSHSFTP,
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -14,10 +14,13 @@ import (

 	"github.com/cenkalti/backoff/v4"
 	log "github.com/sirupsen/logrus"
+
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"

+	"github.com/netbirdio/netbird/client/iface/wgaddr"
+
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/netstack"
@@ -44,6 +47,10 @@ import (
 	"github.com/netbirdio/netbird/version"
 )

+// androidRunOverride is set on Android to inject mobile dependencies
+// when using embed.Client (which calls Run() with empty MobileDependency).
+var androidRunOverride func(c *ConnectClient, runningChan chan struct{}, logPath string) error
+
 type ConnectClient struct {
 	ctx            context.Context
 	config         *profilemanager.Config
@@ -76,6 +83,9 @@ func (c *ConnectClient) SetUpdateManager(um *updater.Manager) {

 // Run with main logic.
 func (c *ConnectClient) Run(runningChan chan struct{}, logPath string) error {
+	if androidRunOverride != nil {
+		return androidRunOverride(c, runningChan, logPath)
+	}
 	return c.run(MobileDependency{}, runningChan, logPath)
 }

@@ -520,9 +530,20 @@ func createEngineConfig(key wgtypes.Key, config *profilemanager.Config, peerConf
 	if config.NetworkMonitor != nil {
 		nm = *config.NetworkMonitor
 	}
+	wgAddr, err := wgaddr.ParseWGAddress(peerConfig.Address)
+	if err != nil {
+		return nil, fmt.Errorf("parse overlay address %q: %w", peerConfig.Address, err)
+	}
+
+	if !config.DisableIPv6 {
+		if err := wgAddr.SetIPv6FromCompact(peerConfig.GetAddressV6()); err != nil {
+			log.Warn(err)
+		}
+	}
+
 	engineConf := &EngineConfig{
 		WgIfaceName:                   config.WgIface,
-		WgAddr:                        peerConfig.Address,
+		WgAddr:                        wgAddr,
 		IFaceBlackList:                config.IFaceBlackList,
 		DisableIPv6Discovery:          config.DisableIPv6Discovery,
 		WgPrivateKey:                  key,
@@ -547,6 +568,7 @@ func createEngineConfig(key wgtypes.Key, config *profilemanager.Config, peerConf
 		DisableFirewall:     config.DisableFirewall,
 		BlockLANAccess:      config.BlockLANAccess,
 		BlockInbound:        config.BlockInbound,
+		DisableIPv6:         config.DisableIPv6,

 		LazyConnectionEnabled: config.LazyConnectionEnabled,

@@ -610,12 +632,6 @@ func connectToSignal(ctx context.Context, wtConfig *mgmProto.NetbirdConfig, ourP

 // loginToManagement creates Management ServiceDependencies client, establishes a connection, logs-in and gets a global Netbird config (signal, turn, stun hosts, etc)
 func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte, config *profilemanager.Config) (*mgmProto.LoginResponse, error) {
-
-	serverPublicKey, err := client.GetServerPublicKey()
-	if err != nil {
-		return nil, gstatus.Errorf(codes.FailedPrecondition, "failed while getting Management Service public key: %s", err)
-	}
-
 	sysInfo := system.GetInfo(ctx)
 	sysInfo.SetFlags(
 		config.RosenpassEnabled,
@@ -627,6 +643,7 @@ func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte,
 		config.DisableFirewall,
 		config.BlockLANAccess,
 		config.BlockInbound,
+		config.DisableIPv6,
 		config.LazyConnectionEnabled,
 		config.EnableSSHRoot,
 		config.EnableSSHSFTP,
@@ -634,12 +651,7 @@ func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte,
 		config.EnableSSHRemotePortForwarding,
 		config.DisableSSHAuth,
 	)
-	loginResp, err := client.Login(*serverPublicKey, sysInfo, pubSSHKey, config.DNSLabels)
-	if err != nil {
-		return nil, err
-	}
-
-	return loginResp, nil
+	return client.Login(sysInfo, pubSSHKey, config.DNSLabels)
 }

 func statusRecorderToMgmConnStateNotifier(statusRecorder *peer.Status) mgm.ConnStateNotifier {
--- a/client/internal/connect_android_default.go
+++ b/client/internal/connect_android_default.go
@@ -0,0 +1,77 @@
+//go:build android
+
+package internal
+
+import (
+	"net/netip"
+
+	"github.com/netbirdio/netbird/client/internal/dns"
+	"github.com/netbirdio/netbird/client/internal/listener"
+	"github.com/netbirdio/netbird/client/internal/stdnet"
+)
+
+// noopIFaceDiscover is a stub ExternalIFaceDiscover for embed.Client on Android.
+// It returns an empty interface list, which means ICE P2P candidates won't be
+// discovered — connections will fall back to relay. Applications that need P2P
+// should provide a real implementation via runOnAndroidEmbed that uses
+// Android's ConnectivityManager to enumerate network interfaces.
+type noopIFaceDiscover struct{}
+
+func (noopIFaceDiscover) IFaces() (string, error) {
+	// Return empty JSON array — no local interfaces advertised for ICE.
+	// This is intentional: without Android's ConnectivityManager, we cannot
+	// reliably enumerate interfaces (netlink is restricted on Android 11+).
+	// Relay connections still work; only P2P hole-punching is disabled.
+	return "[]", nil
+}
+
+// noopNetworkChangeListener is a stub for embed.Client on Android.
+// Network change events are ignored since the embed client manages its own
+// reconnection logic via the engine's built-in retry mechanism.
+type noopNetworkChangeListener struct{}
+
+func (noopNetworkChangeListener) OnNetworkChanged(string) {
+	// No-op: embed.Client relies on the engine's internal reconnection
+	// logic rather than OS-level network change notifications.
+}
+
+func (noopNetworkChangeListener) SetInterfaceIP(string) {
+	// No-op: in netstack mode, the overlay IP is managed by the userspace
+	// network stack, not by OS-level interface configuration.
+}
+
+func (noopNetworkChangeListener) SetInterfaceIPv6(string) {
+	// No-op: same as SetInterfaceIP, IPv6 overlay is managed by userspace stack.
+}
+
+// noopDnsReadyListener is a stub for embed.Client on Android.
+// DNS readiness notifications are not needed in netstack/embed mode
+// since system DNS is disabled and DNS resolution happens externally.
+type noopDnsReadyListener struct{}
+
+func (noopDnsReadyListener) OnReady() {
+	// No-op: embed.Client does not need DNS readiness notifications.
+	// System DNS is disabled in netstack mode.
+}
+
+var _ stdnet.ExternalIFaceDiscover = noopIFaceDiscover{}
+var _ listener.NetworkChangeListener = noopNetworkChangeListener{}
+var _ dns.ReadyListener = noopDnsReadyListener{}
+
+func init() {
+	// Wire up the default override so embed.Client.Start() works on Android
+	// with netstack mode. Provides complete no-op stubs for all mobile
+	// dependencies so the engine's existing Android code paths work unchanged.
+	// Applications that need P2P ICE or real DNS should replace this by
+	// setting androidRunOverride before calling Start().
+	androidRunOverride = func(c *ConnectClient, runningChan chan struct{}, logPath string) error {
+		return c.runOnAndroidEmbed(
+			noopIFaceDiscover{},
+			noopNetworkChangeListener{},
+			[]netip.AddrPort{},
+			noopDnsReadyListener{},
+			runningChan,
+			logPath,
+		)
+	}
+}
--- a/client/internal/connect_android_embed.go
+++ b/client/internal/connect_android_embed.go
@@ -0,0 +1,32 @@
+//go:build android
+
+package internal
+
+import (
+	"net/netip"
+
+	"github.com/netbirdio/netbird/client/internal/dns"
+	"github.com/netbirdio/netbird/client/internal/listener"
+	"github.com/netbirdio/netbird/client/internal/stdnet"
+)
+
+// runOnAndroidEmbed is like RunOnAndroid but accepts a runningChan
+// so embed.Client.Start() can detect when the engine is ready.
+// It provides complete MobileDependency so the engine's existing
+// Android code paths work unchanged.
+func (c *ConnectClient) runOnAndroidEmbed(
+	iFaceDiscover stdnet.ExternalIFaceDiscover,
+	networkChangeListener listener.NetworkChangeListener,
+	dnsAddresses []netip.AddrPort,
+	dnsReadyListener dns.ReadyListener,
+	runningChan chan struct{},
+	logPath string,
+) error {
+	mobileDependency := MobileDependency{
+		IFaceDiscover:         iFaceDiscover,
+		NetworkChangeListener: networkChangeListener,
+		HostDNSAddresses:      dnsAddresses,
+		DnsReadyListener:      dnsReadyListener,
+	}
+	return c.run(mobileDependency, runningChan, logPath)
+}
--- a/client/internal/debug/debug.go
+++ b/client/internal/debug/debug.go
@@ -522,6 +522,7 @@ func (g *BundleGenerator) addCommonConfigFields(configContent *strings.Builder)
 	configContent.WriteString(fmt.Sprintf("DisableFirewall: %v\n", g.internalConfig.DisableFirewall))
 	configContent.WriteString(fmt.Sprintf("BlockLANAccess: %v\n", g.internalConfig.BlockLANAccess))
 	configContent.WriteString(fmt.Sprintf("BlockInbound: %v\n", g.internalConfig.BlockInbound))
+	configContent.WriteString(fmt.Sprintf("DisableIPv6: %v\n", g.internalConfig.DisableIPv6))

 	if g.internalConfig.DisableNotifications != nil {
 		configContent.WriteString(fmt.Sprintf("DisableNotifications: %v\n", *g.internalConfig.DisableNotifications))
@@ -1270,8 +1271,9 @@ func anonymizeFirewallRule(rule *mgmProto.FirewallRule, anonymizer *anonymize.An
 		return
 	}

+	//nolint:staticcheck // PeerIP used for backward compatibility
 	if addr, err := netip.ParseAddr(rule.PeerIP); err == nil {
-		rule.PeerIP = anonymizer.AnonymizeIP(addr).String()
+		rule.PeerIP = anonymizer.AnonymizeIP(addr).String() //nolint:staticcheck
 	}
 }

--- a/client/internal/debug/debug_test.go
+++ b/client/internal/debug/debug_test.go
@@ -430,8 +430,6 @@ func isInCGNATRange(ip net.IP) bool {
 }

 func TestAnonymizeFirewallRules(t *testing.T) {
-	// TODO: Add ipv6
-
 	// Example iptables-save output
 	iptablesSave := `# Generated by iptables-save v1.8.7 on Thu Dec 19 10:00:00 2024
 *filter
@@ -467,17 +465,31 @@ Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination`

-	// Example nftables output
+	// Example ip6tables-save output
+	ip6tablesSave := `# Generated by ip6tables-save v1.8.7 on Thu Dec 19 10:00:00 2024
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -s fd00:1234::1/128 -j ACCEPT
+-A INPUT -s 2607:f8b0:4005::1/128 -j DROP
+-A FORWARD -s 2001:db8::/32 -d 2607:f8b0:4005::200e/128 -j ACCEPT
+COMMIT`
+
+	// Example nftables output with IPv6
 	nftablesRules := `table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
                ip saddr 192.168.1.1 accept
                ip saddr 44.192.140.1 drop
+                ip6 saddr 2607:f8b0:4005::1 drop
+                ip6 saddr fd00:1234::1 accept
        }
        chain forward {
                type filter hook forward priority filter; policy accept;
                ip saddr 10.0.0.0/8 drop
                ip saddr 44.192.140.0/24 ip daddr 52.84.12.34/24 accept
+                ip6 saddr 2001:db8::/32 ip6 daddr 2607:f8b0:4005::200e/128 accept
        }
    }`

@@ -540,4 +552,35 @@ Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 	assert.Contains(t, anonNftables, "table inet filter {")
 	assert.Contains(t, anonNftables, "chain input {")
 	assert.Contains(t, anonNftables, "type filter hook input priority filter; policy accept;")
+
+	// IPv6 public addresses in nftables should be anonymized
+	assert.NotContains(t, anonNftables, "2607:f8b0:4005::1")
+	assert.NotContains(t, anonNftables, "2607:f8b0:4005::200e")
+	assert.NotContains(t, anonNftables, "2001:db8::")
+	assert.Contains(t, anonNftables, "2001:db8:ffff::") // Default anonymous v6 range
+
+	// ULA addresses in nftables should remain unchanged (private)
+	assert.Contains(t, anonNftables, "fd00:1234::1")
+
+	// IPv6 nftables structure preserved
+	assert.Contains(t, anonNftables, "ip6 saddr")
+	assert.Contains(t, anonNftables, "ip6 daddr")
+
+	// Test ip6tables-save anonymization
+	anonIp6tablesSave := anonymizer.AnonymizeString(ip6tablesSave)
+
+	// ULA (private) IPv6 should remain unchanged
+	assert.Contains(t, anonIp6tablesSave, "fd00:1234::1/128")
+
+	// Public IPv6 addresses should be anonymized
+	assert.NotContains(t, anonIp6tablesSave, "2607:f8b0:4005::1")
+	assert.NotContains(t, anonIp6tablesSave, "2607:f8b0:4005::200e")
+	assert.NotContains(t, anonIp6tablesSave, "2001:db8::")
+	assert.Contains(t, anonIp6tablesSave, "2001:db8:ffff::") // Default anonymous v6 range
+
+	// Structure should be preserved
+	assert.Contains(t, anonIp6tablesSave, "*filter")
+	assert.Contains(t, anonIp6tablesSave, "COMMIT")
+	assert.Contains(t, anonIp6tablesSave, "-j DROP")
+	assert.Contains(t, anonIp6tablesSave, "-j ACCEPT")
 }
--- a/client/internal/dns.go
+++ b/client/internal/dns.go
@@ -12,52 +12,83 @@ import (
 	nbdns "github.com/netbirdio/netbird/dns"
 )

-func createPTRRecord(aRecord nbdns.SimpleRecord, prefix netip.Prefix) (nbdns.SimpleRecord, bool) {
-	ip, err := netip.ParseAddr(aRecord.RData)
+func createPTRRecord(record nbdns.SimpleRecord, prefix netip.Prefix) (nbdns.SimpleRecord, bool) {
+	ip, err := netip.ParseAddr(record.RData)
 	if err != nil {
-		log.Warnf("failed to parse IP address %s: %v", aRecord.RData, err)
+		log.Warnf("failed to parse IP address %s: %v", record.RData, err)
 		return nbdns.SimpleRecord{}, false
 	}

+	ip = ip.Unmap()
 	if !prefix.Contains(ip) {
 		return nbdns.SimpleRecord{}, false
 	}

-	ipOctets := strings.Split(ip.String(), ".")
-	slices.Reverse(ipOctets)
-	rdnsName := dns.Fqdn(strings.Join(ipOctets, ".") + ".in-addr.arpa")
+	var rdnsName string
+	if ip.Is4() {
+		octets := strings.Split(ip.String(), ".")
+		slices.Reverse(octets)
+		rdnsName = dns.Fqdn(strings.Join(octets, ".") + ".in-addr.arpa")
+	} else {
+		// Expand to full 32 nibbles in reverse order (LSB first) per RFC 3596.
+		raw := ip.As16()
+		nibbles := make([]string, 32)
+		for i := 0; i < 16; i++ {
+			nibbles[31-i*2] = fmt.Sprintf("%x", raw[i]>>4)
+			nibbles[31-i*2-1] = fmt.Sprintf("%x", raw[i]&0x0f)
+		}
+		rdnsName = dns.Fqdn(strings.Join(nibbles, ".") + ".ip6.arpa")
+	}

 	return nbdns.SimpleRecord{
 		Name:  rdnsName,
 		Type:  int(dns.TypePTR),
-		Class: aRecord.Class,
-		TTL:   aRecord.TTL,
-		RData: dns.Fqdn(aRecord.Name),
+		Class: record.Class,
+		TTL:   record.TTL,
+		RData: dns.Fqdn(record.Name),
 	}, true
 }

-// generateReverseZoneName creates the reverse DNS zone name for a given network
+// generateReverseZoneName creates the reverse DNS zone name for a given network.
+// For IPv4 it produces an in-addr.arpa name, for IPv6 an ip6.arpa name.
 func generateReverseZoneName(network netip.Prefix) (string, error) {
-	networkIP := network.Masked().Addr()
+	networkIP := network.Masked().Addr().Unmap()
+	bits := network.Bits()

-	if !networkIP.Is4() {
-		return "", fmt.Errorf("reverse DNS is only supported for IPv4 networks, got: %s", networkIP)
+	if networkIP.Is4() {
+		// Round up to nearest byte.
+		octetsToUse := (bits + 7) / 8
+
+		octets := strings.Split(networkIP.String(), ".")
+		if octetsToUse > len(octets) {
+			return "", fmt.Errorf("invalid network mask size for reverse DNS: %d", bits)
+		}
+
+		reverseOctets := make([]string, octetsToUse)
+		for i := 0; i < octetsToUse; i++ {
+			reverseOctets[octetsToUse-1-i] = octets[i]
+		}
+
+		return dns.Fqdn(strings.Join(reverseOctets, ".") + ".in-addr.arpa"), nil
 	}

-	// round up to nearest byte
-	octetsToUse := (network.Bits() + 7) / 8
+	// IPv6: round up to nearest nibble (4-bit boundary).
+	nibblesToUse := (bits + 3) / 4

-	octets := strings.Split(networkIP.String(), ".")
-	if octetsToUse > len(octets) {
-		return "", fmt.Errorf("invalid network mask size for reverse DNS: %d", network.Bits())
+	raw := networkIP.As16()
+	allNibbles := make([]string, 32)
+	for i := 0; i < 16; i++ {
+		allNibbles[i*2] = fmt.Sprintf("%x", raw[i]>>4)
+		allNibbles[i*2+1] = fmt.Sprintf("%x", raw[i]&0x0f)
 	}

-	reverseOctets := make([]string, octetsToUse)
-	for i := 0; i < octetsToUse; i++ {
-		reverseOctets[octetsToUse-1-i] = octets[i]
+	// Take the first nibblesToUse nibbles (network portion), reverse them.
+	used := make([]string, nibblesToUse)
+	for i := 0; i < nibblesToUse; i++ {
+		used[nibblesToUse-1-i] = allNibbles[i]
 	}

-	return dns.Fqdn(strings.Join(reverseOctets, ".") + ".in-addr.arpa"), nil
+	return dns.Fqdn(strings.Join(used, ".") + ".ip6.arpa"), nil
 }

 // zoneExists checks if a zone with the given name already exists in the configuration
@@ -71,7 +102,7 @@ func zoneExists(config *nbdns.Config, zoneName string) bool {
 	return false
 }

-// collectPTRRecords gathers all PTR records for the given network from A records
+// collectPTRRecords gathers all PTR records for the given network from A and AAAA records.
 func collectPTRRecords(config *nbdns.Config, prefix netip.Prefix) []nbdns.SimpleRecord {
 	var records []nbdns.SimpleRecord

@@ -80,7 +111,7 @@ func collectPTRRecords(config *nbdns.Config, prefix netip.Prefix) []nbdns.Simple
 			continue
 		}
 		for _, record := range zone.Records {
-			if record.Type != int(dns.TypeA) {
+			if record.Type != int(dns.TypeA) && record.Type != int(dns.TypeAAAA) {
 				continue
 			}

--- a/client/internal/dns/host_darwin.go
+++ b/client/internal/dns/host_darwin.go
@@ -298,6 +298,7 @@ func (s *systemConfigurator) getSystemDNSSettings() (SystemDNSSettings, error) {
 			if ip, err := netip.ParseAddr(address); err == nil && !ip.IsUnspecified() {
 				ip = ip.Unmap()
 				serverAddresses = append(serverAddresses, ip)
+				// Prefer the first IPv4 server as ServerIP since our DNS listener is IPv4.
 				if !dnsSettings.ServerIP.IsValid() && ip.Is4() {
 					dnsSettings.ServerIP = ip
 				}
--- a/client/internal/dns/mock_server.go
+++ b/client/internal/dns/mock_server.go
@@ -85,6 +85,11 @@ func (m *MockServer) PopulateManagementDomain(mgmtURL *url.URL) error {
 	return nil
 }

+// SetRouteChecker mock implementation of SetRouteChecker from Server interface
+func (m *MockServer) SetRouteChecker(func(netip.Addr) bool) {
+	// Mock implementation - no-op
+}
+
 // BeginBatch mock implementation of BeginBatch from Server interface
 func (m *MockServer) BeginBatch() {
 	// Mock implementation - no-op
--- a/client/internal/dns/network_manager_unix.go
+++ b/client/internal/dns/network_manager_unix.go
@@ -110,8 +110,15 @@ func (n *networkManagerDbusConfigurator) applyDNSConfig(config HostDNSConfig, st

 	connSettings.cleanDeprecatedSettings()

-	convDNSIP := binary.LittleEndian.Uint32(config.ServerIP.AsSlice())
-	connSettings[networkManagerDbusIPv4Key][networkManagerDbusDNSKey] = dbus.MakeVariant([]uint32{convDNSIP})
+	ipKey := networkManagerDbusIPv4Key
+	if config.ServerIP.Is6() {
+		ipKey = networkManagerDbusIPv6Key
+		raw := config.ServerIP.As16()
+		connSettings[ipKey][networkManagerDbusDNSKey] = dbus.MakeVariant([][]byte{raw[:]})
+	} else {
+		convDNSIP := binary.LittleEndian.Uint32(config.ServerIP.AsSlice())
+		connSettings[ipKey][networkManagerDbusDNSKey] = dbus.MakeVariant([]uint32{convDNSIP})
+	}
 	var (
 		searchDomains []string
 		matchDomains  []string
@@ -146,8 +153,8 @@ func (n *networkManagerDbusConfigurator) applyDNSConfig(config HostDNSConfig, st
 		n.routingAll = false
 	}

-	connSettings[networkManagerDbusIPv4Key][networkManagerDbusDNSPriorityKey] = dbus.MakeVariant(priority)
-	connSettings[networkManagerDbusIPv4Key][networkManagerDbusDNSSearchKey] = dbus.MakeVariant(newDomainList)
+	connSettings[ipKey][networkManagerDbusDNSPriorityKey] = dbus.MakeVariant(priority)
+	connSettings[ipKey][networkManagerDbusDNSSearchKey] = dbus.MakeVariant(newDomainList)

 	state := &ShutdownState{
 		ManagerType: networkManager,
--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -57,6 +57,7 @@ type Server interface {
 	ProbeAvailability()
 	UpdateServerConfig(domains dnsconfig.ServerDomains) error
 	PopulateManagementDomain(mgmtURL *url.URL) error
+	SetRouteChecker(func(netip.Addr) bool)
 }

 type nsGroupsByDomain struct {
@@ -104,6 +105,7 @@ type DefaultServer struct {

 	statusRecorder *peer.Status
 	stateManager   *statemanager.Manager
+	routeMatch     func(netip.Addr) bool

 	probeMu     sync.Mutex
 	probeCancel context.CancelFunc
@@ -229,6 +231,14 @@ func newDefaultServer(
 	return defaultServer
 }

+// SetRouteChecker sets the function used by upstream resolvers to determine
+// whether an IP is routed through the tunnel.
+func (s *DefaultServer) SetRouteChecker(f func(netip.Addr) bool) {
+	s.mux.Lock()
+	defer s.mux.Unlock()
+	s.routeMatch = f
+}
+
 // RegisterHandler registers a handler for the given domains with the given priority.
 // Any previously registered handler for the same domain and priority will be replaced.
 func (s *DefaultServer) RegisterHandler(domains domain.List, handler dns.Handler, priority int) {
@@ -743,6 +753,7 @@ func (s *DefaultServer) registerFallback(config HostDNSConfig) {
 		log.Errorf("failed to create upstream resolver for original nameservers: %v", err)
 		return
 	}
+	handler.routeMatch = s.routeMatch

 	for _, ns := range originalNameservers {
 		if ns == config.ServerIP {
@@ -852,6 +863,7 @@ func (s *DefaultServer) createHandlersForDomainGroup(domainGroup nsGroupsByDomai
 		if err != nil {
 			return nil, fmt.Errorf("create upstream resolver: %v", err)
 		}
+		handler.routeMatch = s.routeMatch

 		for _, ns := range nsGroup.NameServers {
 			if ns.NSType != nbdns.UDPNameServerType {
@@ -1036,6 +1048,7 @@ func (s *DefaultServer) addHostRootZone() {
 		log.Errorf("unable to create a new upstream resolver, error: %v", err)
 		return
 	}
+	handler.routeMatch = s.routeMatch

 	handler.upstreamServers = maps.Keys(hostDNSServers)
 	handler.deactivate = func(error) {}
--- a/Show More
+++ b/Show More