diff --git a/easytier/src/common/global_ctx.rs b/easytier/src/common/global_ctx.rs
index cd5b194..9026251 100644
--- a/easytier/src/common/global_ctx.rs
+++ b/easytier/src/common/global_ctx.rs
@@ -63,6 +63,8 @@ pub struct GlobalCtx {
     stun_info_collection: Box<dyn StunInfoCollectorTrait>,
 
     running_listeners: Mutex<Vec<url::Url>>,
+
+    enable_exit_node: bool,
 }
 
 impl std::fmt::Debug for GlobalCtx {
@@ -90,6 +92,8 @@ impl GlobalCtx {
 
         let stun_info_collection = Arc::new(StunInfoCollector::new_with_default_servers());
 
+        let enable_exit_node = config_fs.get_flags().enable_exit_node;
+
         GlobalCtx {
             inst_name: config_fs.get_inst_name(),
             id,
@@ -108,6 +112,8 @@ impl GlobalCtx {
             stun_info_collection: Box::new(stun_info_collection),
 
             running_listeners: Mutex::new(Vec::new()),
+
+            enable_exit_node,
         }
     }
 
@@ -224,6 +230,10 @@ impl GlobalCtx {
         hasher.write(&key[0..16]);
         key
     }
+
+    pub fn enable_exit_node(&self) -> bool {
+        self.enable_exit_node
+    }
 }
 
 #[cfg(test)]
diff --git a/easytier/src/gateway/icmp_proxy.rs b/easytier/src/gateway/icmp_proxy.rs
index 5ecdb82..8f3c385 100644
--- a/easytier/src/gateway/icmp_proxy.rs
+++ b/easytier/src/gateway/icmp_proxy.rs
@@ -246,6 +246,10 @@ impl IcmpProxy {
     }
 
     async fn try_handle_peer_packet(&self, packet: &ZCPacket) -> Option<()> {
+        if self.cidr_set.is_empty() && !self.global_ctx.enable_exit_node() {
+            return None;
+        }
+
         let _ = self.global_ctx.get_ipv4()?;
         let hdr = packet.peer_manager_header().unwrap();
         let is_exit_node = hdr.is_exit_node();
diff --git a/easytier/src/gateway/tcp_proxy.rs b/easytier/src/gateway/tcp_proxy.rs
index 8367fc9..926518b 100644
--- a/easytier/src/gateway/tcp_proxy.rs
+++ b/easytier/src/gateway/tcp_proxy.rs
@@ -356,6 +356,10 @@ impl TcpProxy {
     }
 
     async fn try_handle_peer_packet(&self, packet: &mut ZCPacket) -> Option<()> {
+        if self.cidr_set.is_empty() && !self.global_ctx.enable_exit_node() {
+            return None;
+        }
+
         let ipv4_addr = self.global_ctx.get_ipv4()?;
         let hdr = packet.peer_manager_header().unwrap();
         let is_exit_node = hdr.is_exit_node();
diff --git a/easytier/src/gateway/udp_proxy.rs b/easytier/src/gateway/udp_proxy.rs
index 022f633..0714e6a 100644
--- a/easytier/src/gateway/udp_proxy.rs
+++ b/easytier/src/gateway/udp_proxy.rs
@@ -227,7 +227,7 @@ pub struct UdpProxy {
 
 impl UdpProxy {
     async fn try_handle_packet(&self, packet: &ZCPacket) -> Option<()> {
-        if self.cidr_set.is_empty() {
+        if self.cidr_set.is_empty() && !self.global_ctx.enable_exit_node() {
             return None;
         }