diff --git a/01-network.tf b/01-network.tf
index ffefc56..f66a307 100644
--- a/01-network.tf
+++ b/01-network.tf
@@ -62,7 +62,7 @@ resource "stackit_network_interface" "wan" {
 security = true
 name = "MGMT"
 ipv4 = "10.220.131.10"
- allowed_addresses = ["10.220.131.30/32"]
+ allowed_addresses = ["10.220.131.30/32", "0.0.0.0/0"]
 security_group_ids = [stackit_security_group.paloalto.security_group_id]
 }
@@ -87,7 +87,7 @@ resource "stackit_network_interface" "wan2" {
 network_id = stackit_network.wan_network.network_id
 security = true
 name = "WAN2"
- allowed_addresses = ["10.220.131.30/32"]
+ allowed_addresses = ["10.220.131.30/32", "0.0.0.0/0"]
 security_group_ids = [stackit_security_group.paloalto.security_group_id]
 }
diff --git a/README.md b/README.md
index d831041..fbc4905 100644
--- a/README.md
+++ b/README.md
@@ -32,8 +32,9 @@ Two firewalls are deployed with identical network interfaces. A virtual IP (VIP)
 - **VIP must not be attached to any instance**
 The floating IP (VIP) is managed entirely by the Palo Alto HA configuration. Do **not** associate this IP statically with any compute instance via Terraform.
-- **Only /32 allowed in `allowed_addresses`**
+- **Setting CIDRs in `allowed_addresses`**
 You **must** specify the VIP as a `/32` IP (e.g., `10.220.131.30/32`) — CIDR blocks (e.g., `/24`) are not supported and will be rejected or silently ignored.
+ You **must** specify the CIDR `0.0.0.0/0` as a second string, this is necessary for a working failover scenario.
 - **Routing issues if `allowed_addresses` are missing**
 If the VIP is not explicitly added to `allowed_addresses` on each port where it might be active, network traffic will fail silently due to missing neighbor/ARP entries.
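Review bot: Adding `"0.0.0.0/0"` to `allowed_addresses` on the interface named `MGMT` removes the port's source-address anti-spoofing entirely — the instance may now emit packets with any source IP on this port, and `stackit_security_group.paloalto` becomes the only control left — yet a management interface presumably does not forward data-plane traffic and should not need it. Unless the HA failover really exercises the management port, keep this port at the VIP `/32` and put the wildcard only on the forwarding interfaces; if it is required, say so inline, e.g. `# 0.0.0.0/0 disables port anti-spoofing so the HA peer can source the VIP after failover; keep security_group_ids tight`. Also worth a look: the resource is `wan` but the port is named `MGMT`, which is easy to misread when auditing which ports carry the wildcard. The enclosing resource block starts outside the hunk.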
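Review bot: On `WAN2` the new `"0.0.0.0/0"` entry makes the explicit `10.220.131.30/32` redundant and, more importantly, turns off the platform's source-IP spoofing protection for this port while `security = true` suggests port security was meant to stay on; a compromised or misconfigured firewall VM can then inject traffic with arbitrary source addresses into `stackit_network.wan_network`. If a forwarding interface genuinely needs this, document the trade-off next to the value, e.g. `# wildcard required so the firewall can forward traffic with foreign source IPs and take over the VIP; anti-spoofing is therefore off on this port`, and check whether the WAN prefix or the subnets routed behind the firewall would suffice instead of the full wildcard. Note that the README hunk in this same commit still states that CIDR blocks "are not supported and will be rejected or silently ignored", which contradicts the value being added here; one of the two needs correcting. The enclosing resource block starts outside the hunk.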