Preventing RFC1918 Traffic from Exiting a WAN Interface

RFC1918 addresses are blocks of IP addresses reserved for private use that are commonly used behind firewalls to allow a single public IP address to be shared with multiple devices using NAT. The default AZTCO-FW installation assigns the 192.168.1.0/24 address space to the LAN interface, but RFC1918 also defines other CIDR ranges for private use:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16

As a general rule, it is good practice to prevent network traffic intended for RFC1918 subnets from leaving the firewall via the WAN interface. This avoids unnecessary traffic on the WAN link, and also provides a small security benefit by keeping information about the LAN network behind the firewall.

An example where this rule might be helpful is if a machine on the local LAN (e.g. 192.168.1.5) is configured to access private LAN addresses that are routed across a VPN tunnel (e.g. 192.168.100.0/24). If the VPN link were to go down, AZTCO-FW software would no longer have an active route for 192.168.100.0/24, and a packet intended for 192.168.100.0/24 would be routed out the WAN interface using the default route. This could potentially provide information about the private LAN to someone with access to the ISP’s WAN network. A malicious user could even set up an imposter machine on the WAN network with a 192.168.100.0/24 address and pretend to be a machine on the inactive VPN link.

While the chance of this being a problem is small, the probability of unintentional RFC1918 traffic routing through the WAN interface increases for installations with more complex LAN topologies, a large number of users (typos, etc.), or routes that may frequently change (VPN, etc.). In these scenarios, it may be beneficial to add a firewall rule preventing RFC1918 traffic from being routed out of the WAN interface.
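The rule described above, expressed in raw pf syntax as an added example (not configuration taken from AZTCO-FW itself, which normally builds its ruleset from the web interface); the WAN interface name `em0` is an assumption, substitute the actual one:

```pf
# Assumed WAN interface name; substitute the real one.
wan_if = "em0"

# The three RFC1918 private blocks listed above, as a constant table.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Caveat: if the WAN interface itself sits on a private subnet (e.g. behind
# an ISP router doing a second NAT), traffic to that subnet, such as the
# upstream gateway, must stay permitted, so allow it before the block.
pass out quick on $wan_if inet to ($wan_if:network)

# Block and log any packet leaving WAN whose destination is private.
# "out" matters: the same packet is legitimately seen inbound on the LAN
# interface and must not be blocked there. "quick" stops rule evaluation so
# a later, broader pass rule cannot override the block.
block out log quick on $wan_if inet to <rfc1918>

# Remaining outbound WAN traffic (NAT'd Internet traffic) is still allowed.
pass out on $wan_if inet all
```

When the VPN route from the example above disappears, a packet for 192.168.100.0/24 now matches the block rule instead of following the default route, and the log entry makes the misrouting visible.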