| -rw-r--r-- | CHANGELOG.md | 3 | ||||
| -rw-r--r-- | docs/security.md | 2 | ||||
| -rw-r--r-- | talpid-core/src/firewall/mod.rs | 2 | ||||
| -rw-r--r-- | windows/winfw/src/winfw/rules/baseline/permitlan.cpp | 2 | ||||
| -rw-r--r-- | windows/winfw/src/winfw/rules/baseline/permitlanservice.cpp | 2 |
5 files changed, 7 insertions, 4 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3a4022d8d9..b77ae029fa 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -28,6 +28,9 @@ Line wrap the file at 100 chars. Th
 - Add WireGuard MTU setting.
 ### Changed
+- Allow `fc00::/7` instead of `fd00::/8` in the firewall when local network sharing is enabled.
+ Should unblock all unique local addresses.
+
 #### Windows
 - Windows 7 only: Address packet loss issues with OpenVPN on some systems by reverting the TAP adapter driver to an older NDIS 5 driver.
diff --git a/docs/security.md b/docs/security.md
index bcd1723177..6ec2547bba 100644
--- a/docs/security.md
+++ b/docs/security.md
@@ -76,7 +76,7 @@ The following network traffic is allowed or blocked independent of state:
 * `192.168.0.0/16`
 * `169.254.0.0/16` (Link-local IPv4 range)
 * `fe80::/10` (Link-local IPv6 range)
- * `fd00::/8` (Unique-local range)
+ * `fc00::/7` (Unique local address (ULA) range)
 * Outgoing to any IP in a local, unroutable, multicast network, meaning these:
 * `224.0.0.0/24` (Local subnet IPv4 multicast)
 * `239.255.0.0/16` (IPv4 local scope. eg. SSDP and mDNS)
diff --git a/talpid-core/src/firewall/mod.rs b/talpid-core/src/firewall/mod.rs
index 1ac58070f8..110b0bb2a1 100644
--- a/talpid-core/src/firewall/mod.rs
+++ b/talpid-core/src/firewall/mod.rs
@@ -37,7 +37,7 @@ lazy_static! {
 IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(192, 168, 0, 0), 16).unwrap()),
 IpNetwork::V4(Ipv4Network::new(Ipv4Addr::new(169, 254, 0, 0), 16).unwrap()),
 IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xfe80, 0, 0, 0, 0, 0, 0, 0), 10).unwrap()),
- IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xfd00, 0, 0, 0, 0, 0, 0, 0), 8).unwrap()),
+ IpNetwork::V6(Ipv6Network::new(Ipv6Addr::new(0xfc00, 0, 0, 0, 0, 0, 0, 0), 7).unwrap()),
 ];
 /// When "allow local network" is enabled the app will allow traffic to these networks.
 pub(crate) static ref ALLOWED_LAN_MULTICAST_NETS: [IpNetwork; 8] = [
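Review bot: The widened entry in the list that precedes `ALLOWED_LAN_MULTICAST_NETS` now also covers `fc00::/8`, the half of the unique-local block that RFC 4193 leaves undefined (L bit 0); only `fd00::/8` is locally assigned today. Per docs/security.md these networks are allowed independent of tunnel state when local network sharing is on, so the reasoning for trusting the unassigned half should sit next to the entry, e.g. `// fc00::/7: whole ULA block (RFC 4193); fc00::/8 is unassigned today, revisit if it is ever allocated`. The same applies to the `uniqueLocal` definitions in permitlan.cpp and permitlanservice.cpp. The list starts outside this hunk, so an existing comment above it may already cover part of this.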
diff --git a/windows/winfw/src/winfw/rules/baseline/permitlan.cpp b/windows/winfw/src/winfw/rules/baseline/permitlan.cpp
index e655020287..2397c78cdd 100644
--- a/windows/winfw/src/winfw/rules/baseline/permitlan.cpp
+++ b/windows/winfw/src/winfw/rules/baseline/permitlan.cpp
@@ -90,7 +90,7 @@ bool PermitLan::applyIpv6(IObjectInstaller &objectInstaller) const
 wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
 const wfp::IpNetwork linkLocal(wfp::IpAddress::Literal6({ 0xFE80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 10);
- const wfp::IpNetwork uniqueLocal(wfp::IpAddress::Literal6({ 0xFD00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 8);
+ const wfp::IpNetwork uniqueLocal(wfp::IpAddress::Literal6({ 0xFC00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 7);
 conditionBuilder.add_condition(ConditionIp::Remote(linkLocal));
 conditionBuilder.add_condition(ConditionIp::Remote(uniqueLocal));
diff --git a/windows/winfw/src/winfw/rules/baseline/permitlanservice.cpp b/windows/winfw/src/winfw/rules/baseline/permitlanservice.cpp
index 041afd5492..d729b4ad52 100644
--- a/windows/winfw/src/winfw/rules/baseline/permitlanservice.cpp
+++ b/windows/winfw/src/winfw/rules/baseline/permitlanservice.cpp
@@ -66,7 +66,7 @@ bool PermitLanService::applyIpv6(IObjectInstaller &objectInstaller) const
 wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6);
 const wfp::IpNetwork linkLocal(wfp::IpAddress::Literal6{ 0xFE80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }, 10);
- const wfp::IpNetwork uniqueLocal(wfp::IpAddress::Literal6({ 0xFD00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 8);
+ const wfp::IpNetwork uniqueLocal(wfp::IpAddress::Literal6({ 0xFC00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }), 7);
 conditionBuilder.add_condition(ConditionIp::Remote(linkLocal));
 conditionBuilder.add_condition(ConditionIp::Remote(uniqueLocal)); |
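Review bot: The `uniqueLocal` network in `PermitLan::applyIpv6` is a bare address literal plus prefix length, and the identical line is edited again in `PermitLanService::applyIpv6` and a third time in talpid-core/src/firewall/mod.rs. Nothing in the visible code ties these copies together, so a later edit to one of them would silently make the outbound and inbound rules disagree. Until the value is shared, a comment on the changed line would at least flag the coupling: `// ULA fc00::/7 - keep in sync with permitlanservice.cpp and talpid-core/src/firewall/mod.rs`. applyIpv6's body starts and ends outside the hunk.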
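Review bot: In `PermitLanService::applyIpv6` the two networks are initialised in different forms: `linkLocal` uses `wfp::IpAddress::Literal6{ ... }` while the changed `uniqueLocal` line uses `wfp::IpAddress::Literal6({ ... })`, and permitlan.cpp uses the parenthesised form for both. Using one form here would make the two entries easier to compare when auditing the rule. This rule is built on `FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6`, so the wider prefix also widens which remote addresses may reach local services while LAN sharing is on; a short comment such as `// inbound from any ULA (fc00::/7) is intentional` would record that. applyIpv6's body starts and ends outside the hunk.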
