diff --git a/src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/NetworkField.php b/src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/NetworkField.php
index 8a7b1fc16..076cab79c 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/NetworkField.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/NetworkField.php
@@ -51,6 +51,11 @@ class NetworkField extends BaseField
      */
     protected $internalNetMaskRequired = false;
 
+    /**
+     * @var bool marks if net mask is (dis)allowed
+     */
+    protected $internalNetMaskAllowed = true;
+
     /**
      * @var null when multiple values could be provided at once, specify the split character
      */
@@ -93,6 +98,15 @@ class NetworkField extends BaseField
         }
     }
 
+    /**
+     * setter for net mask required
+     * @param integer $value
+     */
+    public function setNetMaskAllowed($value)
+    {
+        $this->internalNetMaskAllowed = (trim(strtoupper($value)) == "Y");
+    }
+
     /**
      * setter for address family
      * @param $value address family [ipv4, ipv6, empty for all]
@@ -170,6 +184,7 @@ class NetworkField extends BaseField
                     'message' => $this->internalValidationMessage,
                     'split' => $this->internalFieldSeparator,
                     'netMaskRequired' => $this->internalNetMaskRequired,
+                    'netMaskAllowed' => $this->internalNetMaskAllowed,
                     'version' => $this->internalAddressFamily
                     ));
             }
diff --git a/src/opnsense/mvc/app/models/OPNsense/Base/Validators/NetworkValidator.php b/src/opnsense/mvc/app/models/OPNsense/Base/Validators/NetworkValidator.php
index 67460b350..4c532b1f6 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Base/Validators/NetworkValidator.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Base/Validators/NetworkValidator.php
@@ -86,22 +86,26 @@ class NetworkValidator extends Validator implements ValidatorInterface
 
             // split network
             if (strpos($value, "/") !== false) {
-                $parts = explode("/", $value);
-                if (count($parts) > 2 || !ctype_digit($parts[1])) {
-                    // more parts then expected or second part is not numeric
+                if ($this->getOption('netMaskAllowed') === false) {
                     $result = false;
                 } else {
-                    $mask = $parts[1];
-                    $value = $parts[0];
-                    if (strpos($parts[0], ".")) {
-                        // most likely ipv4 address, mask must be between 0..32
-                        if ($mask < 0 || $mask > 32) {
-                            $result = false;
-                        }
+                    $parts = explode("/", $value);
+                    if (count($parts) > 2 || !ctype_digit($parts[1])) {
+                        // more parts then expected or second part is not numeric
+                        $result = false;
                     } else {
-                        // probably ipv6, mask must be between 0..128
-                        if ($mask < 0 || $mask > 128) {
-                            $result = false;
+                        $mask = $parts[1];
+                        $value = $parts[0];
+                        if (strpos($parts[0], ".")) {
+                            // most likely ipv4 address, mask must be between 0..32
+                            if ($mask < 0 || $mask > 32) {
+                                $result = false;
+                            }
+                        } else {
+                            // probably ipv6, mask must be between 0..128
+                            if ($mask < 0 || $mask > 128) {
+                                $result = false;
+                            }
                         }
                     }
                 }