diff --git a/route/access_rules.go b/route/access_rules.go
index d73b3f218..422c85830 100644
--- a/route/access_rules.go
+++ b/route/access_rules.go
@@ -102,8 +102,9 @@ func (t *Target) denyByIP(ip net.IP) bool {
 func (t *Target) parseAccessRule(allowDeny string) error {
 var accessTag string
- var value string
 var temps []string
+ var value string
+ var ip net.IP
 // init rules if needed
 if t.accessRules == nil {
@@ -123,7 +124,14 @@ func (t *Target) parseAccessRule(allowDeny string) error {
 switch accessTag {
 case ipAllowTag, ipDenyTag:
 if value = strings.TrimSpace(temps[1]); !strings.Contains(value, "/") {
- value = value + "/32"
+ if ip = net.ParseIP(value); ip == nil {
+ return fmt.Errorf("failed to parse IP %s with error", value)
+ }
+ if ip.To4() != nil {
+ value = ip.String() + "/32"
+ } else {
+ value = ip.String() + "/128"
+ }
 }
 _, net, err := net.ParseCIDR(value)
 if err != nil {
diff --git a/route/access_rules_test.go b/route/access_rules_test.go
index 8f5fe9a45..5035606a3 100644
--- a/route/access_rules_test.go
+++ b/route/access_rules_test.go
@@ -32,10 +32,15 @@ func TestAccessRules_parseAccessRule(t *testing.T) {
 fail: true,
 },
 {
- desc: "single ip with no mask",
+ desc: "single ipv4 with no mask",
 allowDeny: "ip:1.2.3.4",
 fail: false,
 },
+ {
+ desc: "single ipv6 with no mask",
+ allowDeny: "ip:fe80::1",
+ fail: false,
+ },
 }
 for i, tt := range tests {
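Review bot: The error returned when `net.ParseIP` fails, `"failed to parse IP %s with error"`, ends in a dangling "with error" even though ParseIP yields no error to attach, and it prints the configured value unquoted. Because the value comes from the access-rule configuration, `%q` would make empty or oddly encoded input visible in logs, for example `return fmt.Errorf("invalid IP address %q in access rule", value)`. The function-level `var ip net.IP` added in the first hunk is used only in this branch and could be the local `ip := net.ParseIP(value)`. The body of parseAccessRule begins and continues outside this hunk.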
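Review bot: The added case "single ipv6 with no mask" asserts only `fail: false`, which the pre-change code would also have satisfied, since `fe80::1/32` is a valid CIDR that simply covers a far wider range than the one address the rule names. As written, the test would not catch a regression to the over-broad mask in an allow/deny rule. Consider also checking that the stored network's `Mask.Size()` reports 128 of 128 bits (32 of 32 for the IPv4 case). A negative case such as `{desc: "invalid ip with no mask", allowDeny: "ip:1.2.3", fail: true}` would cover the new ParseIP error path. The test loop body is outside the hunk, so whether it already inspects the parsed network cannot be seen here.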