diff --git a/src/vnm_mad/remotes/lib/security_groups_iptables.rb b/src/vnm_mad/remotes/lib/security_groups_iptables.rb index d8de93906b..e56dee2b58 100644 --- a/src/vnm_mad/remotes/lib/security_groups_iptables.rb +++ b/src/vnm_mad/remotes/lib/security_groups_iptables.rb @@ -14,6 +14,8 @@ # limitations under the License. # #--------------------------------------------------------------------------- # +require 'ipaddr' + module VNMMAD # This module implements the SecurityGroup abstraction on top of iptables @@ -288,7 +290,7 @@ module SGIPTables # 2.- Forwards the bridge traffic to the GLOBAL_CHAIN # 3.- By default ACCEPT all traffic # - # If inbound packets are routed (not bridged) by the hypervisor OpenNebula + # If inbound packets are routed (not bridged) by the hypervisor OpenNebula # process all forwarding traffic. def self.global_bootstrap(bridged) info = SGIPTables.info @@ -381,9 +383,12 @@ module SGIPTables commands.add :ip6tables, "-N #{chain_out}" # outbound # Send traffic to the NIC chains - base_br = "-I #{GLOBAL_CHAIN} -m physdev --physdev-is-bridged " - nro = "#{base_br} --physdev-in #{nic[:tap]} -j #{chain_out}" + if nic[:alias_id] + nro = "#{base_br} --physdev-in #{nic[:parent_nic][:tap]} -s #{nic[:ip]} -j #{chain_out}" + else + nro = "#{base_br} --physdev-in #{nic[:tap]} -j #{chain_out}" + end if bridged if nic[:alias_id] @@ -395,12 +400,13 @@ module SGIPTables nri = "-I #{GLOBAL_CHAIN} -d #{nic[:ip]} -j #{chain_in}" end - #TODO routed traffic is only filtered for IPv4 addressing - commands.add :iptables, nri - commands.add :iptables, nro - - commands.add :ip6tables, nri if bridged - commands.add :ip6tables, nro + if IPAddr.new(nic[:ip]).ipv4? + commands.add :iptables, nri + commands.add :iptables, nro + else + commands.add :ip6tables, nri + commands.add :ip6tables, nro + end # ICMPv6 Neighbor Discovery Protocol (ARP replacement for IPv6) ## Allow routers to send router advertisements 
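Review bot: The new alias branch builds `nro` as `--physdev-in #{parent tap} -s #{nic[:ip]} -j #{alias chain_out}`, and the parent NIC's own rule is `--physdev-in #{parent tap} -j #{parent chain_out}` with no source match; both are `-I`nserted at the head of GLOBAL_CHAIN, so the alias rule is only ever consulted if it ends up above the parent's catch-all, i.e. if the alias is processed after its parent (or attached later). If the parent's rule is evaluated first and its chain terminates (DROP/ACCEPT) rather than RETURNs, alias-sourced frames are judged by the parent's chain and the alias chain is dead code; the chain contents and the caller's iteration order are outside this hunk, so this is an implicit contract that should be written down next to the branch: `# -I puts this rule above the parent's physdev-in rule: aliases must be processed after their parent NIC, or alias traffic is filtered by the parent's chain.` nic_pre continues past the last line of this hunk.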
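Review bot: Gating every jump on `IPAddr.new(nic[:ip]).ipv4?` narrows coverage the removed lines had: a bridged NIC whose address is IPv4 no longer gets `nro`/`nri` installed in ip6tables (the old code added the ip6tables `nro` unconditionally and `nri` whenever bridged), so IPv6 frames from that tap, link-local and SLAAC traffic included, bypass the NIC's chains, and an IPv6-only NIC likewise loses its iptables jump. Only the rules that actually embed `nic[:ip]` (the alias `-s`/`-d` rules and the routed `nri`) are tied to one family; the physdev-only rules are valid in both tables and should stay in both. Separately, `IPAddr.new(nil)` raises `IPAddr::AddressFamilyError`, so if the driver can see a NIC without an IP the whole activation now aborts; whether the chains end in DROP, which decides how bad the bypass is, is outside this hunk, as is the rest of nic_pre.
```ruby
        # Only rules that embed nic[:ip] (alias -s/-d, routed -d) are tied to
        # one address family. The physdev-only rules are valid in both tables
        # and must stay in both, or IPv6 frames on an IPv4 NIC skip the chains.
        both  = [:iptables, :ip6tables]
        table = IPAddr.new(nic[:ip]).ipv4? ? :iptables : :ip6tables

        nro_tables = nic[:alias_id] ? [table] : both
        nri_tables = (nic[:alias_id] || !bridged) ? [table] : both

        nro_tables.each { |t| commands.add t, nro }
        nri_tables.each { |t| commands.add t, nri }

        # … unchanged: ICMPv6 Neighbor Discovery rules …
```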
diff --git a/src/vnm_mad/remotes/lib/sg_driver.rb b/src/vnm_mad/remotes/lib/sg_driver.rb index e905734535..3e4f536c67 100644 --- a/src/vnm_mad/remotes/lib/sg_driver.rb +++ b/src/vnm_mad/remotes/lib/sg_driver.rb @@ -80,10 +80,13 @@ module VNMMAD # Global Bootstrap SGIPTables.global_bootstrap(@bridged) - attach_nic_id = @vm['TEMPLATE/NIC[ATTACH="YES"]/NIC_ID'] if !do_all + unless do_all + attach_nic_id = @vm['TEMPLATE/NIC[ATTACH="YES"]/NIC_ID'] + attach_nic_id ||= @vm['TEMPLATE/NIC_ALIAS[ATTACH="YES"]/NIC_ID'] + end # Process the rules - process do |nic| + process_all do |nic| next if attach_nic_id && attach_nic_id != nic[:nic_id] if nic[:security_groups].nil? @@ -124,9 +127,12 @@ module VNMMAD lock begin - attach_nic_id = @vm['TEMPLATE/NIC[ATTACH="YES"]/NIC_ID'] if !do_all + unless do_all + attach_nic_id = @vm['TEMPLATE/NIC[ATTACH="YES"]/NIC_ID'] + attach_nic_id ||= @vm['TEMPLATE/NIC_ALIAS[ATTACH="YES"]/NIC_ID'] + end - @vm.nics.each do |nic| + process_all do |nic| next if attach_nic_id && attach_nic_id != nic[:nic_id] SGIPTables.nic_deactivate(@vm, nic)
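Review bot: When `attach_nic_id` is set, the `next if attach_nic_id && attach_nic_id != nic[:nic_id]` filter silently skips everything if no yielded entry carries a matching `nic[:nic_id]`; for the new NIC_ALIAS lookup that depends on `process_all` (defined outside this hunk) populating `:nic_id` from `NIC_ALIAS/NIC_ID`, and a mismatch would leave a freshly attached alias running with no chains at all and no error. A fail-closed check makes that visible: set `matched = false` before the loop, `matched = true` inside the block once the id is found, and after the loop `raise "SG: NIC #{attach_nic_id} not found in VM template" if attach_nic_id && !matched`. The enclosing `activate` starts before this hunk.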
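Review bot: The two-line `attach_nic_id` lookup with the NIC_ALIAS fallback is now duplicated verbatim between `activate` and this hunk's `deactivate`, so any future change to which template elements count as "attached" has to be made in both places by hand. A small private helper on the driver removes the duplication, each call site becoming `attach_nic_id = attached_nic_id unless do_all`. The enclosing `deactivate` begins before this hunk.
```ruby
    # NIC_ID of the NIC or NIC_ALIAS flagged ATTACH="YES" in the VM template,
    # or nil when nothing is being attached/detached.
    def attached_nic_id
        @vm['TEMPLATE/NIC[ATTACH="YES"]/NIC_ID'] ||
            @vm['TEMPLATE/NIC_ALIAS[ATTACH="YES"]/NIC_ID']
    end
```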