[GH-ISSUE #4990] Support access lists in dynamc IPv6 prefix delegation scenarios #3087

New issue

Open

opened 2026-02-26 07:37:48 +03:00 by kerem · 0 comments

kerem commented

2026-02-26 07:37:48 +03:00

Owner

Originally created by @deviantintegral on GitHub (Nov 25, 2025).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/4990

Is your feature request related to a problem? Please describe.

My ISP provisions dynamic addresses for IPv6 that can change. What that means is that the IPv6 addresses of my hosts in my LAN can change over time.

Before I set up IPv6 fully, I had access lists to limit access to a few backend apps so they would require being on the LAN or connected over a VPN. Doing this with IPv6 has turned out to be very difficult, because the prefix I'm delegated changes.

At best, I can limit access by IP to any IP address owned by my ISP based on their prefix which won't change.

Describe the solution you'd like

My firewall (OPNSense) has a feature where you can define rules based on a dynamic prefix.

https://docs.opnsense.org/manual/aliases.html#dynamic-ipv6-host

Something like this could work. However, it's also difficult because the Docker container may not have the public IP address visible. I think to determine that you'd have to do a remote curl call to a service to get the IP, and periodically update it.

Describe alternatives you've considered

If I add a rule at the firewall for this, it will limit all nginx hosts and not just the few I want. Since I want to limit by host, the only place in the stack to do it is at the nginx-proxy-manager level.

Originally created by @deviantintegral on GitHub (Nov 25, 2025). Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/4990 **Is your feature request related to a problem? Please describe.** My ISP provisions dynamic addresses for IPv6 that can change. What that means is that the IPv6 addresses of my hosts in my LAN can change over time. Before I set up IPv6 fully, I had access lists to limit access to a few backend apps so they would require being on the LAN or connected over a VPN. Doing this with IPv6 has turned out to be very difficult, because the prefix I'm delegated changes. At best, I can limit access by IP to any IP address owned by my ISP based on their prefix which won't change. **Describe the solution you'd like** My firewall (OPNSense) has a feature where you can define rules based on a dynamic prefix. https://docs.opnsense.org/manual/aliases.html#dynamic-ipv6-host Something like this could work. However, it's also difficult because the Docker container may not have the public IP address visible. I think to determine that you'd have to do a remote curl call to a service to get the IP, and periodically update it. **Describe alternatives you've considered** If I add a rule at the firewall for this, it will limit all nginx hosts and not just the few I want. Since I want to limit by host, the only place in the stack to do it is at the nginx-proxy-manager level.

kerem added the

enhancement

label

2026-02-26 07:37:48 +03:00

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/nginx-proxy-manager-NginxProxyManager#3087

No description provided.

Rows
Columns