Multipath Issues


I am having issues getting multiple external subnets working with multiple internal subnets. I have bounced between static routes and multipath rules and currently going in circles with neither method working. Hoping for some advice or direction...

We have 2 static IP blocks on fibre (other external IPs are aliased between the 2 external interfaces) and 2 internal subnets. First subnet works fine but adding the second subnet has no outbound traffic past the firewall.

Eth0: External 24.222.100.x

Eth1: Internal: 192.168.3.x

Eth2: External: 24.222.200.x

Eth3: Internal: 192.168.10.x

(rules are disabled for testing)



  • You need at least one "allow any" firewall rule ... for firewall-traffic.
    And a masquerading rule may be missing.
    Which traffic do you try to send over the different external interfaces?
    Possible the proxy catch your traffic...
    How looks your problem?
    Try a traceroute over the different interfaces. post the result.
    Check the used ecternal ip:
    Also seen ... the ISP-specific DNS server don#t answer to requests from other ISP-IP's.


    Sophos Solution Partner since 2003
    If a post solves your question click the 'Verify Answer' link.

  • To clarify both external connections are on the same fibre switch (same ISP) but they are bound to 2 different IP blocks.

    Eth0: External 24.222.100.x

    Eth1: Internal: 192.168.3.x

    Eth2: External LCDC: 24.222.200.x

    Eth3: Internal LCDC: 192.168.10.x

    All internal 192.168.3.x traffic should route to External 24.222.100.x

    All Internal 192.168.10.x traffic should route to External 24.222.200.x

    - Internal (eth1) to External (eth0) is working and is the initial configuration.

    - Internal LCDC 3CX (eth3) to External LCDC (eth2) I'm trying to add and is not working.

    - I have mirrored the working masq rule for the new connection previously.

    If I use 192.168.3.x gateway on a 192.168.10.x device it will connect to the internet via the Eth0 interface/IP.


  • and the second ISP connection is really working..?
    First i would try to disconnect Eth0: External 24.222.100.x and direct all to the remaining gateway at eth2.
    Try to bing both gateways.
    next check if router use different MAC's for both gateway addresses.


    Sophos Solution Partner since 2003
    If a post solves your question click the 'Verify Answer' link.

  • Hi Dirk,

    The 2nd IP block appears to be working, all IPs on the 2nd block are bound to an adapter in Sophos and pingable from outside network. I am limited in what I can do with the Eth0 connection because it is in production so any changes to that connection would need to be scheduled outside of office hours.

    With the multipath rules enabled I can ping the 2nd connection gateway (eg from internal device but no further.

    There is no ISP router on site, just a fibre bundle into the datacenter fibre switch.

  • No more ideas ...

    May be something like ... no masquerading (double check this) ... MAC-address conflict (network-segments/Vlans not completely segmented) ... or something similar
    PS: which network mask do you use externally


    Sophos Solution Partner since 2003
    If a post solves your question click the 'Verify Answer' link.

  • Turns out all the configuration was correct and we had a cabling issue with the additional network.

    I appreciate the help!

  • I found the same thing on my website for the coin master game and I wasn't able to implement the correct functions.

    Community building is indeed the great thing in every industry. Similar to the coin master free spins gaming community, which helps everyone who is playing the Coin Master game.