
Multiple public IP blocks

I have just one internet service provider. From this ISP I have 3 blocks of public IP addresses, which means 3 different gateway addresses.

On the XG firewall I ended up creating 3 WAN interfaces - one for each Public block of IPs where one IP from each block is the gateway.

So now on XG network > WAN Link Manager I have 3 IPv4 Gateways.

I've been creating NAT rules for websites that fall into each of the 3 IP blocks so I know the IPs are working.

However any time I go to the WAN Link Manager page in XG, it always shows a green dot next to gateway 1 but gateways 2 and 3 always have a red dot. Why does XG tell me the gateways are "down"?

From outside, I am able to ping the 3 gateway IPs and as I mentioned, there are public IPs within each subnet that are fully functional.

(And by the way, is there another way to get multiple blocks of public IPs into a single interface? From what I can tell XG will let you do this, but you can only have one gateway address. Doesn't the gateway address need to be one of the IPs in the (/27 for example) block?)

  • Hi,

    Thank you for reaching out to the Community! 

    If the gateway failover rule is configured only to ping the gateway, can you try to add one more condition?

    It could be ping to external IP addresses such as 8.8.8.8 or 1.1.1.1 or TCP connection to 4.4.4.2 on port 80.

    To configure failover conditions, do as follows:

    • Click Add to add a new failover rule. You can also edit an existing rule.
    • Enter the details for the rule.

      This screenshot shows an example rule. The rule states that if XG Firewall can't ping the gateway IP, 172.16.16.15, or establish a TCP connection on port 80 to 4.2.2.2, the gateway is considered down.

      Reference document: Configure gateway load balancing and failover

      Thanks,

    Harsh Patel (H_Patel)

    Community Support Engineer | Sophos Technical Support
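To make the failover-rule idea above concrete, here is an added example (written for this thread, not code from Sophos or the XG product): a small Python checker that models a rule as a list of ping/TCP conditions and runs the same probes bound to each WAN address as source, so one can see from the firewall side which address actually reaches the targets. The `Condition`/`FailoverRule` names, the `join` semantics ("AND" = down only if every probe fails), and the WAN addresses in the `main` block are assumptions; only 172.16.16.15 and 4.2.2.2:80 come from the post.

```python
import socket
import subprocess
from dataclasses import dataclass

@dataclass(frozen=True)
class Condition:          # one probe in a failover rule (hypothetical model, not the XG API)
    kind: str             # "ping" or "tcp"
    host: str
    port: int = 0         # "tcp" only

@dataclass(frozen=True)
class FailoverRule:
    conditions: tuple
    join: str = "AND"     # assumed: "AND" = down only if every probe fails, "OR" = down if any fails

def tcp_probe(host, port, source_ip=None, timeout=2.0):
    """TCP handshake to host:port, optionally bound to one WAN address as source."""
    src = (source_ip, 0) if source_ip else None
    try:
        with socket.create_connection((host, port), timeout=timeout, source_address=src):
            return True
    except OSError:       # refused, timed out, or source address not present on this host
        return False

def ping_probe(host, source_ip=None, timeout=2.0):
    """One ICMP echo via the Linux ping binary (no raw-socket privileges needed)."""
    cmd = ["ping", "-c", "1", "-W", str(int(timeout))] + (["-I", source_ip] if source_ip else [])
    try:
        return subprocess.run(cmd + [host], capture_output=True, timeout=timeout + 1).returncode == 0
    except (OSError, subprocess.SubprocessError):
        return False

def run_probe(cond, source_ip=None):
    return tcp_probe(cond.host, cond.port, source_ip) if cond.kind == "tcp" else ping_probe(cond.host, source_ip)

def gateway_is_down(rule, results):
    """results maps each Condition to True if its probe succeeded."""
    failed = [not results[c] for c in rule.conditions]
    return all(failed) if rule.join == "AND" else any(failed)

def check_gateway(rule, source_ip=None, probe=run_probe):
    """Probe every condition from source_ip and apply the rule; probe is injectable for tests."""
    results = {c: probe(c, source_ip) for c in rule.conditions}
    return gateway_is_down(rule, results), results

if __name__ == "__main__":
    rule = FailoverRule((Condition("ping", "172.16.16.15"), Condition("tcp", "4.2.2.2", 80)))
    for wan_ip in ("203.0.113.10", "198.51.100.10", "192.0.2.10"):   # constructed WAN addresses
        down, res = check_gateway(rule, wan_ip)
        print(wan_ip, "DOWN" if down else "up", {f"{c.kind} {c.host}": ok for c, ok in res.items()})
```

Run it on a host that holds the three WAN addresses; an address that cannot complete the TCP probe while the gateway ping succeeds points at the return-path problem rather than at the gateway itself.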

  • In this situation we ask the ISP to route the additional subnets behind the first (mostly).
    So we can use the second / third subnet within the DMZ behind SG or XG or another FW.
    How do you connect the 3 subnets? There are different options where the interfaces use the same L2 network and the gateways have the same MAC address. This may create effects or problems ...


    Dirk

    Sophos Solution Partner since 2003

  • I'm not necessarily looking for any type of failover. The 3 blocks of public IPs come from the same ISP and feed into my colo rack via one Ethernet cable. All I want is to be able to use all 3 blocks of Public IPs.

  • Since there are additional ports on the front of the XG, I used the pre-configured WAN port and called it Gateway1.  Then took 2 more ports, configured them as WAN ports and I assigned one IP from each block, to each of the 3 WAN ports. So WAN port 1 has an IP address from public IP block 1. WAN port 2 has a public IP address from public IP block 2, and WAN port 3 has a public IP address from public IP block 3.  Then on the Configure > Network > WAN Link Manager I created 3 gateways. Each gateway is the gateway IP from each of the 3 blocks. Since all 3 blocks come from the same ISP I am not necessarily looking to create any sort of failover. Instead what I want is the ability to use all of the public IPs in each of the 3 IP blocks.  I have already allocated a handful of IPs from each block to point to public websites and servers and as far as I can tell, those servers never go offline. Yet the XG constantly sends me automated emails telling me Gateway 2 is down, Gateway 3 is down. And maybe 4-5 hours later an email telling me they are up.  It happens all day long.  Maybe I was not supposed to set it up this way but how else can I program all of the IPs from all 3 blocks into the firewall?