Hello, I'm not implied in wireguard dev, but I thinks that wouldn't match wireguard mechanism. Indeed AllowedIP isn't only about routing, it is used to match a cryptographic fingerprint to a given IP. Also, having multiple peers containing such thing as DisallowedIP could lead to nonsense. What don't you use the firewall to block the IP range instead?