diff --git a/client/firewall/uspfilter/forwarder/forwarder.go b/client/firewall/uspfilter/forwarder/forwarder.go
index d4984d495..4ed152b79 100644
--- a/client/firewall/uspfilter/forwarder/forwarder.go
+++ b/client/firewall/uspfilter/forwarder/forwarder.go
@@ -64,12 +64,12 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, netstack bool) (*Forwar
 		return nil, fmt.Errorf("failed to create NIC: %v", err)
 	}
-	_, bits := iface.Address().Network.Mask.Size()
+	ones, _ := iface.Address().Network.Mask.Size()
 	protoAddr := tcpip.ProtocolAddress{
 		Protocol: ipv4.ProtocolNumber,
 		AddressWithPrefix: tcpip.AddressWithPrefix{
 			Address: tcpip.AddrFromSlice(iface.Address().IP.To4()),
-			PrefixLen: bits,
+			PrefixLen: ones,
 		},
 	}
diff --git a/client/firewall/uspfilter/localip.go b/client/firewall/uspfilter/localip.go
index 48c45c098..dc0c529be 100644
--- a/client/firewall/uspfilter/localip.go
+++ b/client/firewall/uspfilter/localip.go
@@ -13,7 +13,7 @@ import (
 type localIPManager struct {
 	mu sync.RWMutex
-	// Use bitmap for IPv4 (32 bits * 2^16 = 8KB memory)
+	// Use bitmap for IPv4 (32 bits * 2^16 = 256KB memory)
 	ipv4Bitmap [1 << 16]uint32
 }
diff --git a/client/firewall/uspfilter/uspfilter.go b/client/firewall/uspfilter/uspfilter.go
index 454089cc3..81efc56ae 100644
--- a/client/firewall/uspfilter/uspfilter.go
+++ b/client/firewall/uspfilter/uspfilter.go
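Review bot: `ones` is now the real prefix length, but `net.IPMask.Size()` returns `(0, 0)` for a mask that is not in canonical ones-then-zeros form, and a `PrefixLen` of 0 on the `ProtocolAddress` would make the NIC treat the whole IPv4 space as on-link; the hunk discards the second return value, so that case is indistinguishable from a valid `/0`. Keep both values and reject the degenerate mask: `ones, bits := iface.Address().Network.Mask.Size()` then `if bits == 0 { return nil, fmt.Errorf("non-canonical netmask for %s", iface.Address().Network) }`. Whether the interface address can ever carry a non-canonical mask depends on where it is parsed, which is not visible here. `New` starts before and continues after this hunk.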
@@ -144,12 +144,42 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 	m.determineRouting(iface, disableServerRoutes)
+	if err := m.blockInvalidRouted(iface); err != nil {
+		log.Errorf("failed to block invalid routed traffic: %v", err)
+	}
+
 	if err := iface.SetFilter(m); err != nil {
 		return nil, fmt.Errorf("set filter: %w", err)
 	}
 	return m, nil
 }
+func (m *Manager) blockInvalidRouted(iface common.IFaceMapper) error {
+	if m.forwarder == nil {
+		return nil
+	}
+	wgPrefix, err := netip.ParsePrefix(iface.Address().Network.String())
+	if err != nil {
+		return fmt.Errorf("parse wireguard network: %w", err)
+	}
+	log.Debugf("blocking invalid routed traffic for %s", wgPrefix)
+	if _, err := m.AddRouteFiltering(
+		[]netip.Prefix{netip.PrefixFrom(netip.IPv4Unspecified(), 0)},
+		wgPrefix,
+		firewall.ProtocolALL,
+		nil,
+		nil,
+		firewall.ActionDrop,
+	); err != nil {
+		return fmt.Errorf("block wg nte : %w", err)
+	}
+	// TODO: Block networks that we're a client of
+	return nil
+}
 func (m *Manager) determineRouting(iface common.IFaceMapper, disableServerRoutes bool) {
 	disableUspRouting, _ := strconv.ParseBool(os.Getenv(EnvDisableUserspaceRouting))
 	forceUserspaceRouter, _ := strconv.ParseBool(os.Getenv(EnvForceUserspaceRouter))
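Review bot: An error from `blockInvalidRouted` is only logged in `create` (`log.Errorf("failed to block invalid routed traffic: %v", err)`) and the manager is still installed by the following `iface.SetFilter(m)`, so if the drop rule for the WireGuard prefix cannot be added the filter starts without it — the guard fails open. Because the function already returns nil when `m.forwarder` is nil, the only errors it can surface are an unparseable prefix or a failed `AddRouteFiltering`, both of which are worth refusing to start on: `return nil, fmt.Errorf("block invalid routed traffic: %w", err)`. The wrapped message `"block wg nte : %w"` also looks like a typo; `"block routed traffic to wg net: %w"` says what failed. Only an IPv4 source prefix (`netip.IPv4Unspecified()`) is matched, which is consistent with the IPv4-only handling elsewhere in this change but deserves a one-line comment so the gap is explicit if IPv6 is ever forwarded. `create` starts before this hunk and `determineRouting` continues after it.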