diff --git a/config/config.go b/config/config.go
index 061eeba3..71dd0e44 100644
--- a/config/config.go
+++ b/config/config.go
@@ -69,6 +69,7 @@ type ServerConfig struct {
 MQPort string `yaml:"mqport"`
 MQServerPort string `yaml:"mqserverport"`
 Server string `yaml:"server"`
+ PublicIPService string `yaml:"publicipservice"`
 }
 // SQLConfig - Generic SQL Config
diff --git a/config/environments/dev.yaml b/config/environments/dev.yaml
index 10d7d54f..8142423c 100644
--- a/config/environments/dev.yaml
+++ b/config/environments/dev.yaml
@@ -11,3 +11,4 @@ server:
 disableremoteipcheck: "" # defaults to "false" or DISABLE_REMOTE_IP_CHECK (if set)
 version: "" # version of server
 rce: "" # defaults to "off"
+ publicipservice: "" # defaults to "" or PUBLIC_IP_SERVICE (if set)
diff --git a/logic/peers.go b/logic/peers.go
index fd40a783..7dad5d7d 100644
--- a/logic/peers.go
+++ b/logic/peers.go
@@ -324,6 +324,16 @@ func GetAllowedIPs(node, peer *models.Node) []net.IPNet {
 extAllowedIPs := getEgressIPs(node, relayedNode)
 allowedips = append(allowedips, extAllowedIPs...)
 }
+ if relayedNode.IsIngressGateway == "yes" {
+ extPeers, err := getExtPeers(relayedNode)
+ if err == nil {
+ for _, extPeer := range extPeers {
+ allowedips = append(allowedips, extPeer.AllowedIPs...)
+ }
+ } else {
+ logger.Log(0, "failed to retrieve extclients from relayed ingress", err.Error())
+ }
+ }
 }
 }
 return allowedips
@@ -413,6 +423,14 @@ func GetPeerUpdateForRelayedNode(node *models.Node, udppeers map[string]string)
 }
 }
 }
+ //delete extclients from allowedip if we are ingress gateway
+ if node.IsIngressGateway == "yes" {
+ for i := len(allowedips) - 1; i >= 0; i-- {
+ if strings.Contains(node.IngressGatewayRange, allowedips[i].IP.String()) {
+ allowedips = append(allowedips[:i], allowedips[i+1:]...)
+ }
+ }
+ }
 pubkey, err := wgtypes.ParseKey(relay.PublicKey)
 if err != nil {
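Review bot: The error from `getExtPeers` is only logged in the GetAllowedIPs hunk (`-324`), and the same pattern appears in the `-458` hunk of GetPeerUpdateForRelayedNode, so a failed lookup produces a peer configuration that silently lacks the ext-client routes. The two sites log at different levels (0 and 2), and the first does not say which node was affected, which makes the gap hard to trace from logs. I would align the levels and name the node, for example `logger.Log(0, "failed to retrieve extclients from relayed ingress", relayedNode.Name, err.Error())`. Both function bodies extend beyond their hunks, so whether a caller can detect the incomplete result is not visible here.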
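Review bot: The filter added in the `-413` hunk of GetPeerUpdateForRelayedNode compares addresses as text, `strings.Contains(node.IngressGatewayRange, allowedips[i].IP.String())`, so it removes any entry whose IP string happens to be a substring of the range string rather than entries that belong to the range. With a constructed range of `10.0.0.0/24`, an allowed IP of `0.0.0.0` matches and a default-route entry would be dropped, while `10.0.0.5` does not match and stays. Since these entries decide which traffic the relay accepts, the test should work on parsed values: parse the range once before the loop with `_, ingressNet, err := net.ParseCIDR(node.IngressGatewayRange)` and then use `ingressNet.Contains(allowedips[i].IP)` or an exact comparison, depending on what IngressGatewayRange holds, which this hunk does not show. The function body starts and ends outside the hunk.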
@@ -458,6 +476,15 @@ func GetPeerUpdateForRelayedNode(node *models.Node, udppeers map[string]string)
 if relay.IsServer == "yes" {
 serverNodeAddresses = append(serverNodeAddresses, models.ServerAddr{IsLeader: IsLeader(relay), Address: relay.Address})
 }
+ //if ingress add extclients
+ if node.IsIngressGateway == "yes" {
+ extPeers, err := getExtPeers(node)
+ if err == nil {
+ peers = append(peers, extPeers...)
+ } else {
+ logger.Log(2, "could not retrieve ext peers for ", node.Name, err.Error())
+ }
+ }
 peerUpdate.Network = node.Network
 peerUpdate.ServerVersion = servercfg.Version
 peerUpdate.Peers = peers
diff --git a/servercfg/serverconf.go b/servercfg/serverconf.go
index ea2c8434..b611973d 100644
--- a/servercfg/serverconf.go
+++ b/servercfg/serverconf.go
@@ -430,7 +430,13 @@ func GetPublicIP() (string, error) {
 iplist := []string{"https://ip.server.gravitl.com", "https://ifconfig.me", "https://api.ipify.org", "https://ipinfo.io/ip"}
 publicIpService := os.Getenv("PUBLIC_IP_SERVICE")
 if publicIpService != "" {
- logger.Log(3, "User provided public IP service is", publicIpService)
+ logger.Log(3, "User (environment variable) provided public IP service is", publicIpService)
+
+ // prepend the user-specified service so it's checked first
+ iplist = append([]string{publicIpService}, iplist...)
+ } else if config.Config.Server.PublicIPService != "" {
+ publicIpService = config.Config.Server.PublicIPService
+ logger.Log(3, "User (config file) provided public IP service is", publicIpService)
 // prepend the user-specified service so it's checked first
 iplist = append([]string{publicIpService}, iplist...)
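Review bot: In GetPublicIP the operator-supplied value from either source is prepended to `iplist` without any check that it is a well-formed https URL, and the prepend is now written out twice. A single fallback, `if publicIpService == "" { publicIpService = config.Config.Server.PublicIPService }`, followed by one prepend keeps the precedence (environment variable over config file) and removes the duplicate. Because the answer from this service presumably becomes the address the server advertises, I would reject values that `url.Parse` does not accept or whose scheme is not `https`, and confirm that the response is validated as an IP address further down. The rest of the function is outside the hunk, so that last part cannot be checked from here.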