@Gertjan Fixed it. I had on the interface address both an IPv6 address and an "IPv4 address embedded in the IPv6 address (this is known as IPv6-mapped IPv4 addresses or IPv6 embedded IPv4 addresses)" before that is normally not for interfaces only the static device assignments so that is corrected my Pv6-mapped IPv4 addresses or IPv6 embedded IPv4 addresses are now only on the Lan devices and not on the firewall interfaces. [image: 1752100262620-screenshot-2025-07-09-at-15.29.37-resized.png]

[image: 1686865232828-screenshot-2023-06-15-at-2.40.04-pm-resized.png] (Blocked IPV6 as my ISP does not hand out IPV6 addresses only IPv4) Per Netgate docs "Ethernet rules can use Aliases for L3 source/destination matching but there is no support for MAC Address aliases at this time." This works and shows traffic. Each IP has its MAC recorded into the rule. Working config, Squid, Squidguard, Snort, Lightsquid, Auth-NTP, DNS over port 853, Clam-AV, UpNp for xbox alongside floating Queue CODEL this is functional and other ACLs are still working with this version. I have set the top line to block out all IPV6 Test now running for 24 hours no issues.

@madtrick The IP variable is the same, but you have to set up a special IPv6 update client so that pfSense takes the IPv6 interface address. https://dyndns.inwx.com/nic/update?myipv6=%IP%

@leonroy said in Can't create IPv4+IPv6 Firewall rule with an alias: What I ended up doing was sticking my PiHole IP address in an Alias as well and setting that as the Source alias. Not sure if that's the best way of doing it but it worked... If your PiHole should answer IPv6 and work with IPv6 it needs an IPv6 address. Without that makes no sense, then you can simply block all IPv6 alltogether. If your Pi has IPv4 and IPv6 then that's the right way, put both into the alias and use it in rules. That said I wouldn't work with invert rules but that's my approach.