Add another routed subnet to physical interface


I have a Sophos UTM SW with 3 network interfaces: eth0 for LAN, two for WAN (eth1 on j.x.y.z/24 and eth2 on n.x.y.0/30).

The two WANs are configured with their own default gateways, uplink balancing uses either interface, and the multipath rules state that j.x.y.z/24 is the default and n.x.y.0/30 has some internal IPs as source. This configuration works fine.

The focus is on eth2, with Sophos IP n.x.y.2 (n.x.y.2/30), which has gateway n.x.y.1. Since we need to add another subnet on this interface, we asked the provider to extend the range, but in reply the provider stated that they added a "routed subnet" (that is n.x.y.80/29, so with disjoint ranges) and routed all traffic for this last subnet to the Sophos on n.x.y.2.

I've tried configuring a new VLAN interface on n.x.y.80/29 (with IP .81), adding an additional address, and a lot of static routes, PBR routes and masquerading, with no success.

So, 2 questions:

What's the correct way to configure this kind of "routed subnet" to use (e.g. ping) IP addresses n.x.y.80/29 (so 81-86) from outside?


Why can't I ping the IP address of the interface when selecting the IP of the VLAN just configured? What am I missing?

Thank you,


  • Ciao Emanuele - first I've seen you here - welcome to the UTM Community!

    I'm having trouble following your notation, so, in the future, please obfuscate IPs like 151.x.y.185, 10.y.z.1, 172.16.z.1 and 192.168.z.1.

    Normally, one would create a DMZ with public IPs, but you didn't say what you want to do with these additional IPs.  Do you intend to DNAT traffic to these IPs to private IPs in the LAN or ???

    Cheers - Bob

  • In reply to BAlfson:

    Hello, Bob,

    I posted something a long time ago; thank you for the welcome!

    I missed the notification, so I see your reply only now.

    With the notation you specified, the networks involved are these:

    eth0: 192.168.x.253/24 (acts as gateway for LAN),

    eth1 31.y.z.196/24 gateway 31.y.z.193 (wan)

    eth2 on 213.j.k.2/30, network 213.j.k.0/30 gateway 31.y.z.1 (wan)

    eth2.1 on 213.j.k.81, network 213.j.k.80/29 (this is the "new" routed subnet, wan, that has to use eth2 as gateway.)


    The first step (which I cannot achieve) is to reach, even with a simple ping, the IP on the eth2.1 interface. I want to use IPs from eth2.1 with DNATs as you state, but I cannot "see" (either via ping or traceroute) the IP on eth2.1, while the IPs of the other WAN interfaces ping correctly.

    I engaged the provider, since I have done a lot of (also improbable) static routing/PBR/SNAT configuration, and also tried adding the eth2.1 subnet as additional IPs instead of creating the virtual interface. I have a strong suspicion that there is a misconfiguration on the other side (some ports of 213.j.k.81 seem to be open even if my eth2 and eth2.1 are disabled).

    The question was about what the best practices are to configure a situation like this one, which (as I intended) is something like this:

    • Multipath enabled, with a default rule that goes through eth1 (works)
    • Some hosts outgoing through eth2 with a specific multipath rule (works)
    • Masquerading lan->eth1 , lan->eth2, eth2.1 -> eth2
    • Policy based route, type interface, with: Source interface: Any, Source network 213.j.k.80/29, service Any, Destination Any, target interface ETH2.

    Doing this, I manage to ping the 213.j.k.1 gateway from interface eth2.1 (I managed to solve my previous question #2 with PBR).

    Does that seem correct?


  • In reply to Emanuele Monari:

    So, finally, it was an error in the provider's configuration; DNATs are now working.

    Now I'll try some other configuration in order to make 213.j.k.81 pingable from outside.

    Thank you for now, Bob. If you want to tell me your point of view, I'll listen to all of it.