diff --git a/network/setup-ip b/network/setup-ip
index 5f4aae0..7bc8375 100755
--- a/network/setup-ip
+++ b/network/setup-ip
@@ -7,9 +7,11 @@ have_qubesdb || exit 0
 ip=$(/usr/bin/qubesdb-read /qubes-ip 2> /dev/null)
+ip6=$(/usr/bin/qubesdb-read /qubes-ip6 2> /dev/null)
 if [ "x$ip" != x ]; then
 #netmask=$(/usr/bin/qubesdb-read /qubes-netmask)
 gateway=$(/usr/bin/qubesdb-read /qubes-gateway)
+ gateway6=$(/usr/bin/qubesdb-read /qubes-gateway6)
 primary_dns=$(/usr/bin/qubesdb-read /qubes-primary-dns 2>/dev/null || echo "$gateway")
 secondary_dns=$(/usr/bin/qubesdb-read /qubes-secondary-dns)
 /sbin/ethtool -K "$INTERFACE" sg off
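Review bot: `gateway6` is read without the `2> /dev/null` that the `ip`, new `ip6` and `primary_dns` reads use, so on a VM that has no `/qubes-gateway6` key every boot writes a qubesdb-read error to stderr for a state the rest of the script treats as normal (the later `[ -n "$gateway6" ]` check); change it to `gateway6=$(/usr/bin/qubesdb-read /qubes-gateway6 2> /dev/null)`. A short comment beside it such as `# empty on IPv4-only VMs` would make clear that an empty value is expected rather than a failure. The `if [ "x$ip" != x ]` block continues past the hunk.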
@@ -28,32 +30,72 @@ mac-address=$(ip l show dev "$INTERFACE" |grep link|awk '{print $2}')
 id=VM uplink $INTERFACE
 uuid=de85f79b-8c3d-405f-a652-cb4c10b4f9ef
 type=802-3-ethernet
-
-[ipv6]
-method=ignore
-
+__EOF__
+ ip4_nm_config=""
+ ip6_nm_config=""
+ if ! qsvc disable-dns-server ; then
+ ip4_nm_config="${ip4_nm_config}
+dns=${primary_dns};${secondary_dns}"
+ fi
+ if ! qsvc disable-default-route ; then
+ ip4_nm_config="${ip4_nm_config}
+addresses1=$ip;32;$gateway"
+ if [ -n "$ip6" ]; then
+ ip6_nm_config="${ip6_nm_config}
+addresses1=$ip6;128;$gateway6"
+ fi
+ else
+ ip4_nm_config="${ip4_nm_config}
+addresses1=$ip;32"
+ if [ -n "$ip6" ]; then
+ ip6_nm_config="${ip6_nm_config}
+addresses1=$ip6;128"
+ fi
+ fi
+ if [ -n "$ip4_nm_config" ]; then
+ cat >> "$nm_config" <<__EOF__
 [ipv4]
 method=manual
 may-fail=false
+$ip4_nm_config
 __EOF__
- if ! qsvc disable-dns-server ; then
- echo "dns=$primary_dns;$secondary_dns" >> "$nm_config"
- fi
- if ! qsvc disable-default-route ; then
- echo "addresses1=$ip;32;$gateway" >> "$nm_config"
 else
- echo "addresses1=$ip;32" >> "$nm_config"
+ cat >> "$nm_config" <<__EOF__
+[ipv4]
+method=ignore
+__EOF__
 fi
+
+ if [ -n "$ip6_nm_config" ]; then
+ cat >> "$nm_config" <<__EOF__
+[ipv6]
+method=manual
+may-fail=false
+$ip6_nm_config
+__EOF__
+ else
+ cat >> "$nm_config" <<__EOF__
+[ipv6]
+method=ignore
+__EOF__
+ fi
+
 chmod 600 "$nm_config"
 # reload connection
 nmcli connection load "$nm_config" || :
 else
 # No NetworkManager enabled, configure the network manually
 /sbin/ifconfig "$INTERFACE" "$ip" netmask 255.255.255.255
+ if [ -n "$ip6" ]; then
+ /sbin/ifconfig "$INTERFACE" add "$ip6"/128
+ fi
 /sbin/ifconfig "$INTERFACE" up
 /sbin/route add -host "$gateway" dev "$INTERFACE"
 if ! qsvc disable-default-route ; then
 /sbin/route add default gw "$gateway"
+ if [ -n "$gateway6" ]; then
+ /sbin/route -6 add default gw "$gateway6" dev "$INTERFACE"
+ fi
 fi
 if ! is_protected_file /etc/resolv.conf ; then
 echo > /etc/resolv.conf
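Review bot: The IPv6 default route in the manual branch is added without the host route to the gateway that the IPv4 path installs a few lines earlier (`/sbin/route add -host "$gateway" dev "$INTERFACE"`); with the interface holding only a /128, `route -6 add default gw "$gateway6"` can only succeed if `$gateway6` is link-local or otherwise already reachable, which is presumably the case here but is not stated anywhere. Either add the IPv6 counterpart, `/sbin/route -6 add "$gateway6"/128 dev "$INTERFACE"`, before the default route or put a comment above it recording the on-link assumption. In the NetworkManager branch, `addresses1=$ip6;128;$gateway6` is emitted whenever `$ip6` is set, so an IPv6 address without a gateway6 key yields a trailing empty gateway field; guarding that case with `[ -n "$ip6" ] && [ -n "$gateway6" ]` (falling back to the gateway-less form) would avoid handing NetworkManager a malformed line. The enclosing `if`/`else` starts before the hunk.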
diff --git a/network/vif-route-qubes b/network/vif-route-qubes
index 6412b99..07506b2 100755
--- a/network/vif-route-qubes
+++ b/network/vif-route-qubes
@@ -29,8 +29,16 @@ lockfile=/var/run/xen-hotplug/vif-lock
 # shellcheck disable=SC2154
 if [ "${ip}" ]; then
+ # get first IPv4 and first IPv6
+ for addr in ${ip}; do
+ if [ -z "$ip4" ] && [[ "$addr" = *.* ]]; then
+ ip4="$addr"
+ elif [ -z "$ip6" ] && [[ "$addr" = *:* ]]; then
+ ip6="$addr"
+ fi
+ done
 # IPs as seen by this VM
- netvm_ip="$ip"
+ netvm_ip="$ip4"
 netvm_gw_ip=$(qubesdb-read /qubes-netvm-gateway)
 netvm_dns1_ip=$(qubesdb-read /qubes-netvm-primary-dns)
 netvm_dns2_ip=$(qubesdb-read /qubes-netvm-secondary-dns)
@@ -38,12 +46,14 @@ if [ "${ip}" ]; then
 back_ip="$netvm_gw_ip"
 # IPs as seen by the VM - if other than $netvm_ip
- appvm_gw_ip="$(qubesdb-read "/mapped-ip/$ip/visible-gateway" 2>/dev/null || :)"
- appvm_ip="$(qubesdb-read "/mapped-ip/$ip/visible-ip" 2>/dev/null || :)"
+ appvm_gw_ip="$(qubesdb-read "/mapped-ip/$ip4/visible-gateway" 2>/dev/null || :)"
+ appvm_ip="$(qubesdb-read "/mapped-ip/$ip4/visible-ip" 2>/dev/null || :)"
 fi
 # Apply NAT if IP visible from the VM is different than the "real" one
 # See vif-qubes-nat.sh for details
+# XXX: supported only for the first IPv4 address, IPv6 is dropped if this
+# feature is enabled
 if [ -n "$appvm_ip" ] && [ -n "$appvm_gw_ip" ] && [ "$appvm_ip" != "$netvm_ip" ]; then
 # shellcheck disable=SC2154
 if test "$command" == online; then
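Review bot: `ip4` and `ip6` are never initialised before the `for addr in ${ip}` loop, and the loop assigns only when the variable is still empty, so a value inherited from the hotplug environment (the same place `$ip` itself comes from, per the SC2154 suppression) would take precedence over the addresses in `$ip`, and if the script runs under `set -u` the `-z "$ip4"` test aborts on first use; add `ip4= ip6=` directly above the loop. If `$ip` carries only an IPv6 address, `ip4` stays empty, `netvm_ip="$ip4"` becomes empty and the `/mapped-ip/$ip4/visible-*` keys in the second hunk degrade to `/mapped-ip//visible-*`; either guard with `[ -n "$ip4" ]` before those reads or state in the loop comment that at least one IPv4 address is required. The enclosing `if [ "${ip}" ]` block continues past both hunks.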
@@ -83,9 +93,19 @@ if [ "${ip}" ] ; then
 # the guest using those addresses.
 for addr in ${ip} ; do
 ${cmdprefix} ip route "${ipcmd}" "${addr}" dev "${vif}" metric "$metric"
+ if [[ "$addr" = *:* ]]; then
+ ipt=ip6tables-restore
+ else
+ ipt=iptables-restore
+ fi
+ echo -e "*raw\n$iptables_cmd -i ${vif} ! -s ${addr} -j DROP\nCOMMIT" | \
+ ${cmdprefix} flock $lockfile $ipt --noflush
 done
- echo -e "*raw\n$iptables_cmd -i ${vif} ! -s ${ip} -j DROP\nCOMMIT" | \
- ${cmdprefix} flock $lockfile iptables-restore --noflush
+ # if no IPv6 is assigned, block all IPv6 traffic on that interface
+ if ! [[ "$ip" = *:* ]]; then
+ echo -e "*raw\n$iptables_cmd -i ${vif} -j DROP\nCOMMIT" | \
+ ${cmdprefix} flock $lockfile ip6tables-restore --noflush
+ fi
 ${cmdprefix} ip addr "${ipcmd}" "${back_ip}/32" dev "${vif}"
 fi
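Review bot: The per-address loop emits one `! -s ${addr} -j DROP` rule per address into the same raw chain, so two addresses of the same family in `$ip` (say two IPv4s) produce rules that each drop the other's packets and the VM loses all connectivity; the old single-rule form carried the same one-address assumption, but the loop now reads as if a list per family were supported. If several addresses per family are meant to work, the anti-spoof filter needs a different shape (accept each listed source, then a final drop); otherwise record the one-address-per-family invariant in the comment above the loop, which starts before the hunk. For the IPv6 rule, `! -s $ip6` also drops packets the guest sends from its link-local address (fe80::/64), i.e. Neighbor Discovery; presumably acceptable because the routes here are static, but a comment saying so would save the next reader the question. Minor: `$lockfile` and `$ipt` are unquoted (SC2086), and `printf '*raw\n%s -i %s ! -s %s -j DROP\nCOMMIT\n' "$iptables_cmd" "$vif" "$addr"` would replace the `echo -e` construct, which is not portable across shells.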