Specify source interface for BGP learned routes

Hi - I have a RUT951 that is configured for AWS S2S VPN, and is learning routes correctly via BGP.

I want the router to be able to reach remote hosts included in the BGP routes; however, routes default to a source interface of the VPN tunnel interface, and I want this traffic to instead be sourced from the LAN IP of the router.

Is there a way to accomplish this? I’ve read that this can be achieved using a separate route table and then configuring FRR to use this when populating routes?

Thanks!

Hello,

Could you please clarify your intended end goal a bit further? Specifically, do you want to forward VPN traffic originating from the LAN interface, or are you aiming to send traffic through the tunnel with the LAN IP as the source?

To better understand and assist you, it would be very helpful if you could share:

  • A simple topology of your current setup and desired communication flow (e.g., which devices/networks are trying to reach what through the tunnel).
  • Current routing table output (running route -n in CLI or checking Status → Routes → Static / Dynamic). Note: Make sure to redact any public IPs.

Additionally, there was a similar topic with the AWS S2S VPN topic discussed here: AWS VPN is it posible?, which might be useful to check or bring any insights.

Thank you.

Best regards,

Thanks for the response - yes no problem, here’s a rough diagram of our configuration:

I followed the AWS article which was really useful, our only difference is that we ended up having to use route-based IPSec.

End to end connectivity is working fine between clients connected to the Teltonika LAN (172.16.1.0/24) and the VPC subnet (10.0.0.0/24). We want to configure the router itself to be able to resolve DNS queries, however it can’t reach the DNS server in the 10.0.0.0/8 network.

I think the reason is that traffic is being sourced from the link-local IPsec Tunnel Inside IP address (169.254.x.x).

The target VPC has a route for the Teltonika LAN, so we are looking a way to force all traffic destined for hosts on BGP-learned routes to use the Teltonika LAN interface IP (172.16.1.1).

Hope that helps explain the situation a bit better!

Thank you for the update.

Could you try adding the following iptables postrouting rule via the Network → Firewall → Custom Rules page on the router:

iptables -t nat -I POSTROUTING -d 10.0.0.0/24 -j SNAT --to-source 172.16.1.1

and pressing Save? This way, traffic from the router itself destined for the 10.0.0.0/24 network should be source NATed to the router’s LAN IP 172.16.1.1, rather than the tunnel’s link-local address (168.254.X.X).

Let me know if that makes any change.

Best regards,

Hi Martynas - this worked a treat thanks - I added -s 169.254.x.x so that it only NAT’d traffic that was sourced from the tunnel inside IPs.

Thanks for your help :+1:
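As an added illustration (not code from this thread, from Teltonika or from the RUTOS firmware), the Python below models how the nat POSTROUTING SNAT rule suggested above chooses the outgoing source address, comparing the rule as first posted with the version narrowed by `-s 169.254.x.x` in the last reply. It covers both the original rule and the refinement. The tunnel-inside address 169.254.10.2, the `/16` width of the `-s` match, the LAN client 172.16.1.50 and the DNS server 10.0.0.53 are constructed placeholders; the thread only gives 169.254.x.x and the 10.0.0.0/24 and 172.16.1.0/24 networks.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Dict

# Constructed placeholders: the thread only says "169.254.x.x" for the
# tunnel-inside address, and names no specific DNS server or LAN client.
TUNNEL_INSIDE_IP = "169.254.10.2"
LAN_IP = "172.16.1.1"          # from the thread
TUNNEL_SRC_MATCH = "169.254.0.0/16"   # assumed width of the "-s 169.254.x.x" match


@dataclass(frozen=True)
class SnatRule:
    """One `-j SNAT` rule in the nat POSTROUTING chain: -d match, optional -s match, --to-source."""
    dst: str
    to_source: str
    src: Optional[str] = None

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.src is None:
            return True
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src, strict=False)

    def to_iptables(self) -> str:
        """Render the rule in the form it is entered on Network → Firewall → Custom Rules."""
        src = f" -s {self.src}" if self.src else ""
        return f"iptables -t nat -I POSTROUTING{src} -d {self.dst} -j SNAT --to-source {self.to_source}"


def egress_source(rules: List[SnatRule], src_ip: str, dst_ip: str) -> str:
    """Walk the chain top-down (-I inserts at the top); the first matching SNAT rule wins.
    A packet that matches no rule leaves with its original source address."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.to_source
    return src_ip


# Rule exactly as suggested in the thread: no -s, so every packet to 10.0.0.0/24 is rewritten.
BROAD = [SnatRule(dst="10.0.0.0/24", to_source=LAN_IP)]
# Rule as refined in the last reply: only packets sourced from the tunnel-inside range.
SCOPED = [SnatRule(dst="10.0.0.0/24", to_source=LAN_IP, src=TUNNEL_SRC_MATCH)]


def compare(flows: List[Tuple[str, str]]) -> Dict[Tuple[str, str], Tuple[str, str]]:
    """For each (src, dst) flow return (source after BROAD rule, source after SCOPED rule)."""
    return {(s, d): (egress_source(BROAD, s, d), egress_source(SCOPED, s, d)) for s, d in flows}


if __name__ == "__main__":
    # Constructed sample flows.
    flows = [
        (TUNNEL_INSIDE_IP, "10.0.0.53"),   # router's own DNS query, sourced from the tunnel IP
        ("172.16.1.50", "10.0.0.10"),      # a LAN client reaching a VPC host
        (TUNNEL_INSIDE_IP, "10.0.5.1"),    # router to a 10.0.0.0/8 host outside the /24 -d match
    ]
    for rules in (BROAD, SCOPED):
        print(rules[0].to_iptables())
    for (s, d), (broad, scoped) in compare(flows).items():
        print(f"{s:>14} -> {d:<10}  unscoped rule: {broad:<14} scoped rule: {scoped}")
```

The scoped rule gives the same result for the router's own traffic while leaving LAN clients' source addresses untouched, which matters because the VPC already has a return route for 172.16.1.0/24 and per-host source addresses are what the far side's flow logs and security groups see. The third flow also shows that the `-d 10.0.0.0/24` match does not cover other parts of 10.0.0.0/8; a DNS server outside that /24 would need the destination match widened.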

Hello,

Thank you for the update and for sharing the method that worked for you. I’m glad to hear it’s sorted.

If you need any assistance in the future, feel free to reach out anytime.

Best regards,
