diff --git a/config.yml b/config.yml
index abeb49c..c4a7ab1 100644
--- a/config.yml
+++ b/config.yml
@@ -34,6 +34,10 @@ acls:
     ips:
     - 10.5.1.0/24
     zones: all
+  dmz:
+    ips:
+    - 10.0.0.0/16
+    zones: all
 defaults:
   https: true
   zone: public
diff --git a/index.js b/index.js
index 62b7d85..cfe54f3 100644
--- a/index.js
+++ b/index.js
@@ -256,7 +256,7 @@ async function updateProxy(firstRun) {
         let match = false;
         for (const bNet of bAcl.ips) {
             match = bNet.mask === 0;
-            if (bNet.mask > 0) {
+            if (bNet.mask > 0 && bNet.mask <= aNet.mask) {
                 const netMask = (~0) << (32 - bNet.mask);
                 const aSubnet = aNet.ip & netMask;
                 const bSubnet = bNet.ip & netMask;