diff --git a/adapter/inbound/auth.go b/adapter/inbound/auth.go
index 984c9bd6..83172746 100644
--- a/adapter/inbound/auth.go
+++ b/adapter/inbound/auth.go
@@ -34,12 +34,5 @@ func SkipAuthRemoteAddress(addr string) bool {
 }
 
 func skipAuth(addr netip.Addr) bool {
- if addr.IsValid() {
- for _, prefix := range skipAuthPrefixes {
- if prefix.Contains(addr.Unmap()) {
- return true
- }
- }
- }
- return false
+ return prefixesContains(skipAuthPrefixes, addr)
 }
diff --git a/adapter/inbound/ipfilter.go b/adapter/inbound/ipfilter.go
index 7fa218c1..872d0c85 100644
--- a/adapter/inbound/ipfilter.go
+++ b/adapter/inbound/ipfilter.go
@@ -31,27 +31,17 @@ func IsRemoteAddrDisAllowed(addr net.Addr) bool {
 if err := m.SetRemoteAddr(addr); err != nil {
 return false
 }
- return isAllowed(m.AddrPort().Addr().Unmap()) && !isDisAllowed(m.AddrPort().Addr().Unmap())
+ ipAddr := m.AddrPort().Addr()
+ if ipAddr.IsValid() {
+ return isAllowed(ipAddr) && !isDisAllowed(ipAddr)
+ }
+ return false
 }
 
 func isAllowed(addr netip.Addr) bool {
- if addr.IsValid() {
- for _, prefix := range lanAllowedIPs {
- if prefix.Contains(addr) {
- return true
- }
- }
- }
- return false
+ return prefixesContains(lanAllowedIPs, addr)
 }
 
 func isDisAllowed(addr netip.Addr) bool {
- if addr.IsValid() {
- for _, prefix := range lanDisAllowedIPs {
- if prefix.Contains(addr) {
- return true
- }
- }
- }
- return false
+ return prefixesContains(lanDisAllowedIPs, addr)
 }
diff --git a/adapter/inbound/util.go b/adapter/inbound/util.go
index 743337fc..3bcd2808 100644
--- a/adapter/inbound/util.go
+++ b/adapter/inbound/util.go
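Review bot: In adapter/inbound/ipfilter.go, `IsRemoteAddrDisAllowed` returns `isAllowed(ipAddr) && !isDisAllowed(ipAddr)`, so `true` means the peer passed both lists, which reads opposite to the function's name. The explicit `return false` for an invalid address makes the failure value part of the contract as well. Because this is an access-control decision, I would add a doc comment such as `// IsRemoteAddrDisAllowed reports whether addr is in lanAllowedIPs and not in lanDisAllowedIPs; it returns false when the address cannot be parsed or is invalid.` so a caller does not invert the check. The added `ipAddr.IsValid()` guard also repeats the validity test inside `prefixesContains` and could be dropped. The function starts above the hunk, so an existing comment there would not be visible to me.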
@@ -61,3 +61,19 @@ func parseHTTPAddr(request *http.Request) *C.Metadata {
 
 return metadata
 }
+
+ func prefixesContains(prefixes []netip.Prefix, addr netip.Addr) bool {
+ if len(prefixes) == 0 {
+ return false
+ }
+ if !addr.IsValid() {
+ return false
+ }
+ addr = addr.Unmap().WithZone("") // netip.Prefix.Contains returns false if ip has an IPv6 zone
+ for _, prefix := range prefixes {
+ if prefix.Contains(addr) {
+ return true
+ }
+ }
+ return false
+}
diff --git a/rules/common/ipcidr.go b/rules/common/ipcidr.go
index 663c9397..9c159502 100644
--- a/rules/common/ipcidr.go
+++ b/rules/common/ipcidr.go
@@ -40,7 +40,7 @@ func (i *IPCIDR) Match(metadata *C.Metadata) (bool, string) {
 if i.isSourceIP {
 ip = metadata.SrcIP
 }
- return ip.IsValid() && i.ipnet.Contains(ip), i.adapter
+ return ip.IsValid() && i.ipnet.Contains(ip.WithZone("")), i.adapter
 }
 
 func (i *IPCIDR) Adapter() string {
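Review bot: `prefixesContains` in adapter/inbound/util.go has no doc comment, yet its zone handling changes an authentication decision: since `addr.Unmap().WithZone("")` discards the zone, a zoned IPv6 peer that, per the inline comment, could never match `skipAuthPrefixes` in `skipAuth` can now match and skip authentication regardless of the interface it arrived on. That looks intended, but it should be stated on the helper, e.g. `// prefixesContains reports whether addr, unmapped and with its IPv6 zone removed, falls in any of prefixes; matching is therefore interface-independent.` A table test covering a 4-in-6 address, a zoned address, an invalid address and an empty prefix list would pin the behaviour. The same change in matching applies to `isAllowed` and `isDisAllowed` in ipfilter.go.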
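Review bot: In rules/common/ipcidr.go, `Match` now strips the zone but, unlike `prefixesContains`, does not call `Unmap()`, and `netip.Prefix.Contains` does not match an IPv4-mapped IPv6 address against an IPv4 prefix. If `metadata.SrcIP` or `metadata.DstIP` can arrive in 4-in-6 form (not visible from this hunk), an IPv4 IPCIDR rule would silently not apply to that traffic. Either normalise here with `i.ipnet.Contains(ip.Unmap().WithZone(""))` or add a comment stating that Metadata guarantees unmapped addresses. `Match` starts above the hunk.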