diff --git a/pkg/agent/netpol/netpol.go b/pkg/agent/netpol/netpol.go
index 3c85387559..81861d6d2f 100644
--- a/pkg/agent/netpol/netpol.go
+++ b/pkg/agent/netpol/netpol.go
@@ -55,7 +55,7 @@ func Run(ctx context.Context, nodeConfig *config.Node) error {
 
 	krConfig := options.NewKubeRouterConfig()
 	krConfig.ClusterIPCIDR = util.JoinIPNets(nodeConfig.AgentConfig.ServiceCIDRs)
-	krConfig.EnableIPv4 = true
+	krConfig.EnableIPv4 = nodeConfig.AgentConfig.EnableIPv4
 	krConfig.EnableIPv6 = nodeConfig.AgentConfig.EnableIPv6
 	krConfig.NodePortRange = strings.ReplaceAll(nodeConfig.AgentConfig.ServiceNodePortRange.String(), "-", ":")
 	krConfig.HostnameOverride = nodeConfig.AgentConfig.NodeName
diff --git a/pkg/agent/run.go b/pkg/agent/run.go
index 92e0950252..d599ce3663 100644
--- a/pkg/agent/run.go
+++ b/pkg/agent/run.go
@@ -59,15 +59,19 @@ func run(ctx context.Context, cfg cmds.Agent, proxy proxy.Proxy) error {
 	if err != nil {
 		return errors.Wrap(err, "failed to validate node-ip")
 	}
+	serviceIPv4 := utilsnet.IsIPv4CIDR(nodeConfig.AgentConfig.ServiceCIDR)
+	clusterIPv4 := utilsnet.IsIPv4CIDR(nodeConfig.AgentConfig.ClusterCIDR)
 	serviceIPv6 := utilsnet.IsIPv6CIDR(nodeConfig.AgentConfig.ServiceCIDR)
 	clusterIPv6 := utilsnet.IsIPv6CIDR(nodeConfig.AgentConfig.ClusterCIDR)
 
+	enableIPv4 := dualCluster || dualService || dualNode || serviceIPv4 || clusterIPv4
 	enableIPv6 := dualCluster || dualService || dualNode || serviceIPv6 || clusterIPv6
 	conntrackConfig, err := getConntrackConfig(nodeConfig)
 	if err != nil {
 		return errors.Wrap(err, "failed to validate kube-proxy conntrack configuration")
 	}
 	syssetup.Configure(enableIPv6, conntrackConfig)
+	nodeConfig.AgentConfig.EnableIPv4 = enableIPv4
 	nodeConfig.AgentConfig.EnableIPv6 = enableIPv6
 
 	if err := setupCriCtlConfig(cfg, nodeConfig); err != nil {
diff --git a/pkg/daemons/config/types.go b/pkg/daemons/config/types.go
index a3c6c66a97..e38d956c20 100644
--- a/pkg/daemons/config/types.go
+++ b/pkg/daemons/config/types.go
@@ -106,6 +106,7 @@ type Agent struct {
 	Rootless                bool
 	ProtectKernelDefaults   bool
 	DisableServiceLB        bool
+	EnableIPv4              bool
 	EnableIPv6              bool
 }