diff --git a/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java b/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
index 637ec7063a5..bcff1bc6024 100644
--- a/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
+++ b/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
@@ -7191,6 +7191,7 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
 args += " -i " + domrGIP;
 args += " -g " + gw;
 args += " -m " + cidr;
+ args += " -n " + NetUtils.getSubNet(domrGIP, nic.getNetmask());
 if ( dns != null && !dns.isEmpty() ) {
 args += " -s " + dns;
 }
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/acl.sh b/patches/systemvm/debian/config/opt/cloud/bin/acl.sh
index 525dfe47b0c..71197b86427 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/acl.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/acl.sh
@@ -56,7 +56,7 @@ acl_restore() {
 acl_save() {
 acl_remove_backup
 sudo iptables -E ACL_INBOUND_$ip _ACL_INBOUND_$ip 2>/dev/null
- sudo iptables -E ACL_OUTBOUND_$ip _ACL_OUTBOUND_$gGW 2>/dev/null
+ sudo iptables -E ACL_OUTBOUND_$ip _ACL_OUTBOUND_$ip 2>/dev/null
 }
 acl_chain_for_guest_network () {
@@ -99,19 +99,19 @@ acl_entry_for_guest_network() {
 [ "$sport" == "-1" ] && typecode="any"
 if [ "$inbound" == "1" ]
 then
- sudo iptables -I ACL_INBOUND_$gGW -p $prot -s $lcidr \
+ sudo iptables -I ACL_INBOUND_$ip -p $prot -s $lcidr \
 --icmp-type $typecode -j ACCEPT
 else
- sudo iptables -I ACL_OUTBOUND_$gGW -p $prot -d $lcidr \
+ sudo iptables -I ACL_OUTBOUND_$ip -p $prot -d $lcidr \
 --icmp-type $typecode -j ACCEPT
 fi
 else
 if [ "$inbound" == "1" ]
 then
- sudo iptables -I ACL_INBOUND_$gGW -p $prot -s $lcidr \
+ sudo iptables -I ACL_INBOUND_$ip -p $prot -s $lcidr \
 --dport $sport:$eport -j ACCEPT
 else
- sudo iptables -I ACL_OUTBOUND_$gGW -p $prot -d $lcidr \
+ sudo iptables -I ACL_OUTBOUND_$ip -p $prot -d $lcidr \
 --dport $sport:$eport -j ACCEP`T
 fi
 result=$?
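Review bot: In CitrixResourceBase.java the new `-n` argument is appended without checking what `NetUtils.getSubNet(domrGIP, nic.getNetmask())` returned; the helper's contract is not visible here, but if it can yield null or an empty string for a malformed address or netmask, the script is invoked with `-n null` and will try to install a route for it. I would compute the value first, `String subnet = NetUtils.getSubNet(domrGIP, nic.getNetmask());`, fail the command when it is null or empty, and only then do `args += " -n " + subnet;`. The neighbouring values deserve the same care: `args` is assembled by plain concatenation and presumably handed to guestnw.sh (whose `-n` and `-m` options are patched in this commit), which expands them into `sudo` commands, so each piece should be confirmed to be a well-formed address, CIDR or netmask before it is appended. The enclosing method begins and ends outside this hunk.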
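Review bot: In acl.sh, acl_entry_for_guest_network spells the chain name out in each of its four `iptables -I` calls (and acl_save does the same in its two `-E` renames), which is how the `$gGW`/`$ip` mismatch fixed here arose; deriving it once, e.g. `local chain=ACL_INBOUND_$ip` or `ACL_OUTBOUND_$ip` depending on `$inbound`, and passing `"$chain"` keeps it aligned with the `iptables -N ACL_INBOUND_$ip` in guestnw.sh. `$prot`, `$lcidr`, `$sport` and `$eport` are still expanded unquoted into a `sudo iptables` command; where they are parsed is outside this hunk, so it is worth confirming they are checked against the expected protocol, CIDR and port formats, and quoting them here. The last context line of the hunk, as rendered, carries a stray backtick inside the word ACCEPT; if that is in the file rather than a display artifact, the outbound port rule cannot be installed. The function starts and ends outside the hunk.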
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/guestnw.sh b/patches/systemvm/debian/config/opt/cloud/bin/guestnw.sh
index 57071dd7e33..5d437e5f4a2 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/guestnw.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/guestnw.sh
@@ -77,6 +77,8 @@ create_guest_network() {
 # setup rules to allow dhcp/dns request
 sudo iptables -A INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
 sudo iptables -A INPUT -i $dev -p udp -m udp --dport 53 -j ACCEPT
+ local tableName="Table_$dev"
+ sudo ip route add $subnet/$mask dev $dev table $tableName proto static
 # create inbound acl chain
 if sudo iptables -N ACL_INBOUND_$ip 2>/dev/null
@@ -108,6 +110,9 @@ destroy_guest_network() {
 sudo iptables -D FORWARD -i $dev -s $ip/$mask -j ACL_OUTBOUND_$ip 2>/dev/null
 sudo iptables -X ACL_OUTBOUND_$ip 2>/dev/null
+ sudo ip addr del dev $dev $ip/$mask
+ sudo iptables -D INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
+ sudo iptables -D INPUT -i $dev -p udp -m udp --dport 53 -j ACCEPT
 desetup_dnsmasq
 }
@@ -133,7 +138,7 @@ do
 op="-D"
 ;;
 n) nflag=1
- network="$OPTAGR"
+ subnet="$OPTAGR"
 ;;
 m) mflag=1
 mask="$OPTARG"
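Review bot: In guestnw.sh, create_guest_network ignores the exit status of the added `ip route add`, and nothing in the destroy_guest_network hunk of this commit removes the route again. A failure (an empty `$subnet`, or `Table_$dev` not being a table name iproute2 knows, neither of which can be checked from this hunk) leaves the guest network with its ACL chains but without the route, and the function carries on. I would quote the expansions and test the result, `sudo ip route add "$subnet/$mask" dev "$dev" table "$tableName" proto static || return 1` (or whatever error path the rest of the function uses), and add a matching `sudo ip route del "$subnet/$mask" dev "$dev" table "Table_$dev" 2>/dev/null` on teardown unless the route is known to disappear with the address. The function body continues outside the hunk.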
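Review bot: In destroy_guest_network each added `iptables -D INPUT …` removes a single matching rule, while create_guest_network adds them with an unconditional `-A`; if create has run more than once for the same `$dev` (nothing visible here rules that out), ACCEPT rules for udp 67 and 53 stay behind on the interface after the network is destroyed. Deleting until no match is left closes that gap: `while sudo iptables -D INPUT -i "$dev" -p udp -m udp --dport 67 -j ACCEPT 2>/dev/null; do :; done`, and the same for port 53. The three new commands also print errors when the address or rule is already gone, unlike the `2>/dev/null` lines just above them. The function starts outside the hunk.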
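Review bot: In the option loop of guestnw.sh, `subnet="$OPTAGR"` reads a misspelled variable (the `m)` branch just below uses `$OPTARG`), so unless something outside this hunk sets `OPTAGR`, `$subnet` stays empty and the new `ip route add $subnet/$mask` in create_guest_network is run with only `/$mask`. The typo was carried over from the removed `network=` line; the fix is `subnet="$OPTARG"`. Since `-n` now feeds a routing command, I would also reject the call when `$nflag` is set but `$subnet` is empty. The case statement begins and ends outside the hunk.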