diff --git a/ngd/src/cli.rs b/ngd/src/cli.rs
index bf76e60..5950d1d 100644
--- a/ngd/src/cli.rs
+++ b/ngd/src/cli.rs
@@ -75,6 +75,10 @@ pub(crate) struct Cli {
     #[arg(long, requires("public"), conflicts_with("private"))]
     pub public_without_clients: bool,
 
+    /// When --public is used with a public IPV6, this option will bind the IPV6 to the private interface. This is how DMZ work for IpV6
+    #[arg(long, requires("public"), conflicts_with("no_ipv6"))]
+    pub bind_public_ipv6: bool,
+
     /// Quick config to listen for clients and core brokers on PRIVATE_INTERFACE, behind a DMZ or port forwarding of a public dynamic IP. PORTs defaults to 80
     #[arg(short('y'), long, value_name("PRIVATE_INTERFACE:PORT,PUBLIC_PORT"), default_missing_value("default"), num_args(0..=1), conflicts_with("public"), conflicts_with("core"))]
     pub dynamic: Option<String>,
diff --git a/ngd/src/main.rs b/ngd/src/main.rs
index a58db13..5bdc219 100644
--- a/ngd/src/main.rs
+++ b/ngd/src/main.rs
@@ -645,7 +645,7 @@ async fn main_inner() -> Result<(), ()> {
                 refuse_clients: args.public_without_clients,
                 serve_app: false,
                 accept_direct: false,
-                bind_public_ipv6_to_private_interface: false,
+                bind_public_ipv6: ipv6.is_some() && args.bind_public_ipv6,
                 accept_forward_for: AcceptForwardForV0::PublicStatic((
                     BindAddress {
                         port: public_part.1 .1,
diff --git a/p2p-net/src/types.rs b/p2p-net/src/types.rs
index 7ef3aa8..0a2db6a 100644
--- a/p2p-net/src/types.rs
+++ b/p2p-net/src/types.rs
@@ -274,7 +274,7 @@ pub struct ListenerV0 {
     pub serve_app: bool,
 
     /// when the box is behind a DMZ, and ipv6 is enabled, the private interface will get the external public IpV6. with this option we allow binding to it
-    pub bind_public_ipv6_to_private_interface: bool,
+    pub bind_public_ipv6: bool,
 
     /// default to false. Set to true by --core (use --core-and-clients to override to false). only useful for a public IP listener, if the clients should use another listener like --domain or --domain-private.
     /// do not set it on a --domain or --domain-private, as this will enable the relay_websocket feature, which should not be used except by app.nextgraph.one
@@ -305,9 +305,7 @@ impl ListenerV0 {
         }
         let public_ipv6addr: IpAddr = public_ip.as_ref().unwrap().into();
         return if let IpAddr::V6(v6) = public_ipv6addr {
-            self.bind_public_ipv6_to_private_interface
-                && self.if_type == InterfaceType::Private
-                && ip == v6
+            self.bind_public_ipv6 && self.if_type == InterfaceType::Private && ip == v6
         } else {
             false
         };
@@ -324,7 +322,7 @@ impl ListenerV0 {
             accept_direct: true,
             refuse_clients: false,
             serve_app: true,
-            bind_public_ipv6_to_private_interface: false,
+            bind_public_ipv6: false,
             accept_forward_for: AcceptForwardForV0::No,
         }
     }