/32 Subnet in WAN and LAN - How do I force the XG to accept the Gateway?

I have the following Problem:


I'm trying to deploy a Sophos XG Firewall as a VM from Hetzner Online.

They give me /32 IP addresses via DHCP.


Here's a little example:


WAN -> IP: - Netmask: - Gateway:

LAN -> IP - Netmask: - Gateway:


Routing config from Hetzner Private LAN: (every IP that the server wants to connect to) -> (Hetzner GW) -> (Sophos XG)


The Problem: If I try to make a Static Route in the XG for the Gateway LAN Interface, it says "The GW IP must be in the same Subnet as the LAN IP" -> But WHY???

I tested it with a pfSense and it worked fine. But I need to run an XG.


Does anybody have an idea?


  • Christopher,

    this is the correct behaviour. Your WAN IP and your gateway IP must be in the same subnet.

    Contact your ISP to change this and give you an IP address that is not a /32.


  • In reply to lferrara:

    Hi Luk,


    the whole product of my ISP (Hetzner) is based on /32 IPs. All VMs get an external gateway outside the subnet. And it works fine. And, as I said, if I configure a pfSense firewall with an external gateway, it works. Even if I go into the BSD Advanced Shell of the XG Firewall and set the routes manually, it works with the XG Firewall. But after a restart, all settings that I configured in the shell are gone, and the XG is unreachable again.

    So theoretically it has to work. But is there no way to configure it in the Software of the XG?

  • In reply to Christopher Gertig:

    No, I do not think so. IPs must be in the same subnet. This goes against the network layer concept.

    Yes, you can add routes via the advanced shell, but they will be deleted after a system restart or when the firmware is updated.

  • In reply to lferrara:

    ... Year after year... every time the same answer... this is not consumer friendly.


    We users will use /32 subnets as gateway.... pfSense and others support this.... but Sophos still says: "This goes against the network layer concept" and does nothing. WTF?



    All consumers using ISP solutions with /32 subnets are locked out. Fine. Let's try other NGFW solutions...

  • In reply to Administrator User14:

    @Administrator User14

    Yes, I agree with you! 

    Meanwhile almost all firewall manufacturers support /32 Subnets. Including pfSense and the other open Source FW's.

    Sophos has a really great firewall. But when it comes to /32 Subnets, and therefore cloud capability for most VPS Hosters, they are currently way behind...

  • In reply to Christopher Gertig:

    Interestingly, my ADSL ISPs used to assign a /32 with a gateway in a different subnet and that worked for UTM and XG, but will not work for routing.

    Deleted incorrect answer.



  • In reply to rfcat_vk:

    Try to use SD-WAN Policy Based Routing.

    As far as I know, this should work. You can define the gateway, which has no relation to the interface.

    Then you place the SD-WAN policy Based Route for ANY traffic to this direction.
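
Added example (not part of the thread, and not Sophos or Hetzner code): the same-subnet check quoted in the question, next to the two-route pattern that makes an off-subnet gateway reachable on a /32 interface. The addresses are constructed from documentation ranges, `eth0` is a hypothetical interface name, and the generated commands use generic Linux iproute2 syntax as an assumption, not the XG's own tooling.

```python
import ipaddress
from typing import List


def gateway_on_link(if_addr: str, gateway: str) -> bool:
    """Same-subnet check: is the gateway inside the interface's own network?"""
    iface = ipaddress.ip_interface(if_addr)
    return ipaddress.ip_address(gateway) in iface.network


def routes_for(if_addr: str, gateway: str, dev: str) -> List[str]:
    """Return iproute2 commands that install a default route via `gateway`.

    If the gateway is outside the interface subnet (always the case with a
    /32 address), a host route to the gateway is installed first so the
    kernel knows the gateway is directly reachable on `dev`.
    """
    iface = ipaddress.ip_interface(if_addr)
    gw = ipaddress.ip_address(gateway)
    if gw.version != iface.version:
        raise ValueError("gateway and interface address families differ")
    if gw == iface.ip:
        raise ValueError("gateway must not be the interface's own address")

    cmds = []
    if not gateway_on_link(if_addr, gateway):
        host_len = 32 if gw.version == 4 else 128
        # Host route: declares the gateway on-link without widening the subnet.
        cmds.append(f"ip route add {gw}/{host_len} dev {dev} scope link")
    cmds.append(f"ip route add default via {gw} dev {dev}")
    return cmds


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation addresses).
    samples = [
        ("203.0.113.10/24", "203.0.113.1"),   # classic same-subnet gateway
        ("203.0.113.10/32", "198.51.100.1"),  # /32 with off-subnet gateway
    ]
    for addr, gw in samples:
        print(f"{addr} via {gw}: on-link={gateway_on_link(addr, gw)}")
        for cmd in routes_for(addr, gw, "eth0"):
            print("   ", cmd)
```

Routes added this way live only in the running kernel table, which matches the replies above: they disappear on restart unless the platform's own configuration can persist them.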