# Address objects for the private ranges that get a blackhole route below.
# "allow-routing enable" is what lets an address object be referenced from
# "config router static" via dstaddr.
# NOTE(review): despite its name, "net-RFC1918_169.254" (169.254.0.0/16) is
# link-local space (RFC 3927), not RFC 1918. The name is kept unchanged because
# other configuration may reference it.
config firewall address
    edit "net-RFC1918_10"
        set subnet 10.0.0.0 255.0.0.0
        set allow-routing enable
        set comment "for blackhole routes"
    next
    edit "net-RFC1918_169.254"
        set subnet 169.254.0.0 255.255.0.0
        set allow-routing enable
        set comment "for blackhole routes"
    next
    edit "net-RFC1918_172.16"
        set subnet 172.16.0.0 255.240.0.0
        set allow-routing enable
        set comment "for blackhole routes"
    next
    edit "net-RFC1918_192.168"
        set subnet 192.168.0.0 255.255.0.0
        set allow-routing enable
        set comment "for blackhole routes"
    next
end

# Group the four objects so that one static route entry covers all of them.
# The group carries allow-routing as well so it can be used as a route
# destination.
config firewall addrgrp
    edit "nets-RFC1918"
        set member "net-RFC1918_10" "net-RFC1918_169.254" "net-RFC1918_172.16" "net-RFC1918_192.168"
        set allow-routing enable
        set comment "main private RFC1918 address space, for use in blackhole route"
    next
end

# Blackhole route of last resort for private destinations.
# Distance 254 lets any other route for the same prefix win, and more specific
# connected, static, dynamic or VPN routes win by longest-prefix match. The
# blackhole therefore only catches private-destined traffic that has no better
# route, for example while a VPN tunnel is down. That traffic is dropped
# instead of following the default route to the WAN.
# NOTE(review): any internal subnet without its own more specific route will be
# dropped by this entry; check the routing table after applying.
# NOTE(review): "edit 0" creates a new entry with the next free sequence
# number, so applying this script twice is expected to add a duplicate route.
config router static
    edit 0
        set blackhole enable
        set dstaddr "nets-RFC1918"
        set distance 254
        set comment "shortens VPN failback & prevents data leak to WAN"
    next
end