Steps to block RFC1918 traffic from leaving the WAN interface

For installations where the above scenarios do not apply, an additional firewall rule can be put in place to prevent RFC1918 traffic from leaking out of the WAN interface. This provides a small increase in security and privacy by preventing information about the local LAN from being routed further upstream to the ISP.

To add a block rule for RFC1918 traffic, navigate to Firewall > Aliases:

  • Create an alias for the RFC1918 network ranges. Call it private_networks and include the following ranges:

10.0.0.0/8

172.16.0.0/12

192.168.0.0/16

-(optionally include other non-public CIDR ranges like 169.254.0.0/16 and 127.0.0.0/8)

  • Add a new floating firewall rule under Firewall > Rules, Floating tab
      • Action Reject
      • Quick Checked
      • Interface WAN (optionally select multiple WAN interfaces or interface groups here, do NOT select the local LAN)
      • Direction out
      • TCP/IP version IPv4
      • Protocol any
      • Source any
      • Destination Single host or alias: private_networks
      • Log optional
  • Save the changes and reload the firewall. Verify that local LAN and internet connectivity are still working.
© Copyright 2025 . All Rights Reserved. AZTCO-FW| Developed By AZTCO-FW. Powered by AZTCO.