54343e
diff --git a/server/confpars.c b/server/confpars.c
54343e
index 12ab0e6..4454be9 100644
54343e
--- a/server/confpars.c
54343e
+++ b/server/confpars.c
54343e
@@ -3756,6 +3756,19 @@ add_ipv6_pool_to_subnet(struct subnet *subnet, u_int16_t type,
54343e
 	share->ipv6_pools[num_pools+1] = NULL;
54343e
 }
54343e
 
54343e
+static void
54343e
+check_addr_in_subnet(struct subnet *subnet, struct iaddr *addr) {
54343e
+	char lowbuf [INET6_ADDRSTRLEN], netbuf [INET6_ADDRSTRLEN];
54343e
+
54343e
+	if (!addr_eq(subnet->net, subnet_number(*addr, subnet->netmask))) {
54343e
+		strcpy(lowbuf, piaddr(*addr));
54343e
+		strcpy(netbuf, piaddr(subnet->net));
54343e
+		log_fatal("bad range6, address %s not in subnet6 %s/%d",
54343e
+			lowbuf, netbuf, subnet->prefix_len);
54343e
+	}
54343e
+
54343e
+}
54343e
+
54343e
 /* address-range6-declaration :== ip-address6 ip-address6 SEMI
54343e
 			       | ip-address6 SLASH number SEMI
54343e
 			       | ip-address6 [SLASH number] TEMPORARY SEMI */
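Review bot: Both `strcpy` calls in `check_addr_in_subnet` copy the result of `piaddr()` into a fixed `INET6_ADDRSTRLEN` buffer with no bound, so the helper is only safe while `piaddr()` never returns text longer than that, which nothing in this hunk guarantees. A bounded copy keeps that assumption local: `snprintf(lowbuf, sizeof(lowbuf), "%s", piaddr(*addr));`, and likewise for `netbuf`. The helper also dereferences `subnet` without a NULL check and ends the process through `log_fatal` instead of returning a status. It deserves a short comment stating both, e.g. `/* Abort config parsing if addr lies outside subnet; subnet must be non-NULL. */`.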
54343e
@@ -3788,6 +3801,8 @@ parse_address_range6(struct parse *cfile, struct group *group) {
54343e
 		return;
54343e
 	}
54343e
 
54343e
+	check_addr_in_subnet(group->subnet, &lo);
54343e
+
54343e
 	/* 
54343e
 	 * See if we we're using range or CIDR notation or TEMPORARY
54343e
 	 */
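Review bot: Checking only `lo` at this point does not bound a range written in CIDR notation: a `range6` whose prefix is shorter than the subnet's `prefix_len` can have its base address inside the subnet and still extend past it. The SLASH branch of `parse_address_range6` lies outside this hunk, so this may already be handled there; if it is not, the parsed prefix length should be compared with `group->subnet->prefix_len` and the declaration rejected when it is smaller. It is also worth confirming that `group->subnet` cannot be NULL when this call is reached, since `check_addr_in_subnet` dereferences it unconditionally.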
54343e
@@ -3855,6 +3870,8 @@ parse_address_range6(struct parse *cfile, struct group *group) {
54343e
 			return;
54343e
 		}
54343e
 
54343e
+		check_addr_in_subnet(group->subnet, &hi;;
54343e
+
54343e
 		/*
54343e
 		 * Convert our range to a set of CIDR networks.
54343e
 		 */
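Review bot: The added call is malformed as printed, `check_addr_in_subnet(group->subnet, &hi;;`, with no closing parenthesis, so it would not compile. This may be a rendering artifact of the page, but the line should read `check_addr_in_subnet(group->subnet, &hi);`. Separately, because the check fails through `log_fatal` and the helper has no access to `cfile`, the operator gets the address and subnet but apparently no file or line for the offending `range6`. Passing `cfile` to the helper so it can report the location (for example with `parse_warn`) before exiting would make a rejected configuration easier to fix. `parse_address_range6` continues outside this hunk.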