diff --git a/server/confpars.c b/server/confpars.c
index 12ab0e6..4454be9 100644
--- a/server/confpars.c
+++ b/server/confpars.c
@@ -3756,6 +3756,19 @@ add_ipv6_pool_to_subnet(struct subnet *subnet, u_int16_t type,
 	share->ipv6_pools[num_pools+1] = NULL;
 }
 
+static void
+check_addr_in_subnet(struct subnet *subnet, struct iaddr *addr) {
+	char lowbuf [INET6_ADDRSTRLEN], netbuf [INET6_ADDRSTRLEN];
+
+	if (!addr_eq(subnet->net, subnet_number(*addr, subnet->netmask))) {
+		strncpy(lowbuf, piaddr(*addr), INET6_ADDRSTRLEN);
+		strncpy(netbuf, piaddr(subnet->net), INET6_ADDRSTRLEN);
+		log_fatal("bad range6, address %s not in subnet6 %s/%d",
+			lowbuf, netbuf, subnet->prefix_len);
+	}
+
+}
+
 /* address-range6-declaration :== ip-address6 ip-address6 SEMI
 			       | ip-address6 SLASH number SEMI
 			       | ip-address6 [SLASH number] TEMPORARY SEMI */
@@ -3788,6 +3801,8 @@ parse_address_range6(struct parse *cfile, struct group *group) {
 		return;
 	}
 
+	check_addr_in_subnet(group->subnet, &lo);
+
 	/* 
 	 * See if we we're using range or CIDR notation or TEMPORARY
 	 */
@@ -3855,6 +3870,8 @@ parse_address_range6(struct parse *cfile, struct group *group) {
 			return;
 		}
 
+		check_addr_in_subnet(group->subnet, &hi);
+
 		/*
 		 * Convert our range to a set of CIDR networks.
 		 */