diff --git a/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan
new file mode 100644
index 00000000..f989d6be
--- /dev/null
+++ b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan
@@ -0,0 +1,3 @@
+# Ensure nothing is forwarded onto WAN interface
+iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable
+ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route