Wan trying to route RFC 1918 networks?

Hi folks,

I recently got a new device (TP-Link Archer C7 AC 1750; v5.0) and installed OpenWrt. It's connected as follows:

  • Wan (192.168.0.2/24) -> To internet provider box (192.168.0.1/24)
  • Lan (Switch ports 1-3) -> 192.168.2.0/24
  • Testing (Vlan on port 4) -> 10.0.0.0/24

While doing some debugging, I found that if a client from Lan or Testing tries to reach any private subnets (excluding those directly connected to the router of course), the packets are sent over Wan. I thought that Wan was not supposed to forward any packet whose destination IP belongs to any of the networks.

Is this because I addressed Wan using a private range?

The default route is for any traffic that doesn't have a defined route. So that includes all RFC1918 networks that aren't otherwise set up. It will forward them to the ISP, which will then drop them.

You can install firewall rules to prevent this, though it really doesn't do any damage.

3 Likes

Thanks for the quick reply.

That's what I've done (dropping everything from lan/test to wan if dest belongs to rfc1918). Since the provider's equipment seems to be easily overwhelmed and my test zone is used as a scanning lab (among other things), it's better to drop this traffic. I would have expected the wan to do so.
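As an added example (not part of any poster's reply, and not OpenWrt code), this Python sketch models the routing table from the first post to show why private destinations outside the connected subnets follow the default route to WAN, and what a lan/test-to-wan RFC 1918 drop rule then matches. The zone names, the sample destinations and the `allow` exception parameter are assumptions.

```python
import ipaddress

# Routing table of the router described in the first post.
# Zone names ("wan", "lan", "test") are assumptions for this sketch.
ROUTES = [
    ("192.168.0.0/24", "wan"),   # connected: link to the provider box
    ("192.168.2.0/24", "lan"),   # connected: switch ports 1-3
    ("10.0.0.0/24", "test"),     # connected: VLAN on port 4
    ("0.0.0.0/0", "wan"),        # default route via 192.168.0.1
]
ROUTES = [(ipaddress.ip_network(n), z) for n, z in ROUTES]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def egress_zone(dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    _, zone = max((r for r in ROUTES if addr in r[0]),
                  key=lambda r: r[0].prefixlen)
    return zone


def forward_verdict(src_zone, dst, allow=()):
    """Model of a 'lan/test -> wan, RFC 1918 destination => DROP' rule.
    `allow` lists exception networks that are checked before the drop."""
    addr = ipaddress.ip_address(dst)
    zone = egress_zone(dst)
    if zone != "wan" or src_zone not in ("lan", "test"):
        return zone, "NOT_MATCHED"   # rule only covers lan/test -> wan
    if any(addr in ipaddress.ip_network(a) for a in allow):
        return zone, "ACCEPT"
    if any(addr in n for n in RFC1918):
        return zone, "DROP"
    return zone, "ACCEPT"


if __name__ == "__main__":
    # Constructed sample destinations.
    for dst in ("10.0.0.7", "10.0.1.5", "172.16.5.5", "192.168.0.1", "1.1.1.1"):
        print(dst, forward_verdict("lan", dst))
```

In this model a blanket drop also matches 192.168.0.1, so LAN clients lose access to the provider box itself unless an exception such as `allow=("192.168.0.1/32",)` is evaluated first.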

There are bcp38 packages in OpenWrt, but not installed or enabled by default.

2 Likes

ISPs often use private address space for CGNAT and exclusive services like IPTV, VoIP, billing, etc.

3 Likes

Thanks for the hints and replies. I didn't know this BCP. However, I don't think this would work in my case since the ISP box and OpenWrt are on a private subnet.

You would implement the block on the border device facing the Internet interface/zone only. I don't use the BCP package specifically, but I do implement an ipset Bogon list and enable it to firewall forwarding and input on WANs/VPN tunnels/etc.

1 Like