diff --git a/wgengine/filter/filter.go b/wgengine/filter/filter.go
index 8821bcbbf..2388f0ac8 100644
--- a/wgengine/filter/filter.go
+++ b/wgengine/filter/filter.go
@@ -371,6 +371,10 @@ func (f *Filter) pre(q *packet.ParsedPacket, rf RunFlags, dir direction) Respons
 f.logRateLimit(rf, q, dir, Drop, "multicast")
 return Drop
 }
+ if q.DstIP.IsLinkLocalUnicast() {
+ f.logRateLimit(rf, q, dir, Drop, "link-local-unicast")
+ return Drop
+ }
 switch q.IPProto {
 case packet.Unknown:
@@ -414,7 +418,7 @@ func omitDropLogging(p *packet.ParsedPacket, dir direction) bool {
 if ipProto == packet.IGMP {
 return true
 }
- if p.DstIP.IsMulticast() {
+ if p.DstIP.IsMulticast() || p.DstIP.IsLinkLocalUnicast() {
 return true
 }
 case 6:
diff --git a/wgengine/filter/filter_test.go b/wgengine/filter/filter_test.go
index dfab282b2..b15b2729c 100644
--- a/wgengine/filter/filter_test.go
+++ b/wgengine/filter/filter_test.go
@@ -380,17 +380,23 @@ func TestOmitDropLogging(t *testing.T) {
 want: true,
 },
 {
- name: "v6_multicast_out_low",
+ name: "v4_multicast_out_low",
 pkt: &packet.ParsedPacket{IPVersion: 4, DstIP: packet.NewIP(net.ParseIP("224.0.0.0"))},
 dir: out,
 want: true,
 },
 {
- name: "v6_multicast_out_high",
+ name: "v4_multicast_out_high",
 pkt: &packet.ParsedPacket{IPVersion: 4, DstIP: packet.NewIP(net.ParseIP("239.255.255.255"))},
 dir: out,
 want: true,
 },
+ {
+ name: "v4_link_local_unicast",
+ pkt: &packet.ParsedPacket{IPVersion: 4, DstIP: packet.NewIP(net.ParseIP("169.254.1.2"))},
+ dir: out,
+ want: true,
+ },
 }
 for _, tt := range tests {
diff --git a/wgengine/packet/ip.go b/wgengine/packet/ip.go
index 7ab3c90e8..f26ce2626 100644
--- a/wgengine/packet/ip.go
+++ b/wgengine/packet/ip.go
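Review bot: The new link-local check in pre() drops on destination alone, ahead of the protocol switch, and nothing in the hunk says why; a short why-comment would help, e.g. `// Link-local unicast (169.254.0.0/16) is not expected to cross the tunnel; drop it before rule evaluation.` The omitDropLogging hunk further down also marks these drops as not worth logging, so if logRateLimit consults omitDropLogging (its body is not shown here) the "link-local-unicast" reason may never reach a log. That range includes the cloud instance-metadata address 169.254.169.254, and inbound packets from a peer aimed at it are the kind of event an operator would want recorded, so consider suppressing the log only for locally generated outbound traffic if the enclosing branch in omitDropLogging is not already limited to `dir == out`. pre() starts and ends outside the hunk.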
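Review bot: The added table entry in TestOmitDropLogging checks a single mid-range address, so an off-by-one in the 169.254.0.0/16 match would pass unnoticed; entries for the edges `169.254.0.0` and `169.254.255.255`, and for neighbours just outside the range such as `169.253.255.255` and `169.255.0.0`, would pin the boundary. The diff also adds a drop path in pre() with no visible test that a link-local destination returns Drop, and IsLinkLocalUnicast has no direct test in this change. The test table and function continue outside the hunk.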
@@ -43,6 +43,10 @@ func (ip IP) IsMulticast() bool {
 return byte(ip>>24)&0xf0 == 0xe0
 }
+func (ip IP) IsLinkLocalUnicast() bool {
+ return byte(ip>>24) == 169 && byte(ip>>16) == 254
+}
+
 // IPProto is either a real IP protocol (ITCP, UDP, ...) or an special value like Unknown.
 // If it is a real IP protocol, its value corresponds to its IP protocol number.
 type IPProto uint8
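Review bot: IsLinkLocalUnicast is exported without a doc comment, and its name matches net.IP.IsLinkLocalUnicast, which also covers IPv6 fe80::/10, while this version tests only the IPv4 prefix 169.254. A comment would make the narrower contract explicit: `// IsLinkLocalUnicast reports whether ip is in the IPv4 link-local range 169.254.0.0/16 (RFC 3927). It does not cover IPv6 link-local addresses.` Callers in the filter that handle IPv6 packets should not rely on it to reject fe80::/10 destinations.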