diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index 7960cfe57..db5588bb6 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -648,8 +648,10 @@ sub add_an_rtrule( ) {
 sub setup_null_routing() {
 save_progress_message "Null Routing the RFC 1918 subnets";
 for ( rfc1918_networks ) {
- emit( qq(run_ip route replace unreachable $_) );
- emit( qq(echo "qt \$IP -$family route del unreachable $_" >> \${VARDIR}/undo_routing) );
+ emit( qq(if ! \$IP -4 route ls | grep -q '^$_.* dev '; then),
+ qq( run_ip route replace unreachable $_),
+ qq( echo "qt \$IP -4 route del unreachable $_" >> \${VARDIR}/undo_routing),
+ qq(fi\n) );
 }
 }
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 75f18fb65..ee7d499ad 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -2,6 +2,8 @@ Changes in Shorewall 4.4.14.1
 None.
+3) Fix NULL_ROUTE_RFC1918
+
 Changes in Shorewall 4.4.14
 1) Support ipset lists.
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 20f231d3b..52fb2b9b7 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -111,6 +111,11 @@ None.
 13) If the current environment exported the VERBOSITY variable with a non-zero value, startup would fail.
+2) If a route exists for an entire RFC1918 network (10.0.0.0/24,
+ 172.20.0.0/12 or 192.168.0.0/16) then setting
+ NULL_ROUTE_RFC1918=Yes would cause the route to replace with a
+ 'unreachable' one.
+
 ----------------------------------------------------------------------------
 I I. K N O W N P R O B L E M S R E M A I N I N G
 ----------------------------------------------------------------------------
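Review bot: The network in `$_` is interpolated unescaped into the generated grep pattern `'^$_.* dev '` on the first added line, so every `.` in a prefix such as `10.0.0.0/8` matches any character and the existence test is looser than the anchored literal it is meant to be; since `rfc1918_networks` is a fixed internal list there is no injection concern, but the dots should be escaped before the line is emitted, e.g. `(my $net_re = $_) =~ s/\./\\./g;` and then `grep -q '^$net_re.* dev '`. The generated pipeline runs without `pipefail`, so if `$IP -4 route ls` itself fails grep simply finds nothing and the route is replaced as it was before this change, which is a reasonable fallback but deserves a one-line comment above the `emit` call. Replacing `-$family` with `-4` in the undo line is consistent with these networks being IPv4-only; the rest of `setup_null_routing` is fully inside the hunk.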