Permit traffic to unique local addresses with "Allow LAN" enabled

2 files changed, 4 insertions, 0 deletions

diff --git a/windows/winfw/src/winfw/rules/baseline/permitlan.cpp b/windows/winfw/src/winfw/rules/baseline/permitlan.cpp
index b9a24cf038..f0038f2421 100644
--- a/windows/winfw/src/winfw/rules/baseline/permitlan.cpp
+++ b/windows/winfw/src/winfw/rules/baseline/permitlan.cpp
@@ -90,8 +90,10 @@ bool PermitLan::applyIpv6(IObjectInstaller &objectInstaller) const
 	wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
 
 	const wfp::IpNetwork linkLocal(wfp::IpAddress::Literal6({ 0xFE80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 10);
+	const wfp::IpNetwork uniqueLocal(wfp::IpAddress::Literal6({ 0xFD00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 8);
 
 	conditionBuilder.add_condition(ConditionIp::Remote(linkLocal));
+	conditionBuilder.add_condition(ConditionIp::Remote(uniqueLocal));
 
 	if (!objectInstaller.addFilter(filterBuilder, conditionBuilder))
 	{
diff --git a/windows/winfw/src/winfw/rules/baseline/permitlanservice.cpp b/windows/winfw/src/winfw/rules/baseline/permitlanservice.cpp
index 7534e08462..041afd5492 100644
--- a/windows/winfw/src/winfw/rules/baseline/permitlanservice.cpp
+++ b/windows/winfw/src/winfw/rules/baseline/permitlanservice.cpp
@@ -66,8 +66,10 @@ bool PermitLanService::applyIpv6(IObjectInstaller &objectInstaller) const
 	wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
 
 	const wfp::IpNetwork linkLocal(wfp::IpAddress::Literal6{ 0xFE80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }, 10);
+	const wfp::IpNetwork uniqueLocal(wfp::IpAddress::Literal6({ 0xFD00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 8);
 
 	conditionBuilder.add_condition(ConditionIp::Remote(linkLocal));
+	conditionBuilder.add_condition(ConditionIp::Remote(uniqueLocal));
 
 	return objectInstaller.addFilter(filterBuilder, conditionBuilder);
 }