Netgate Discussion Forum
    Route default over AWS Transit Gateway VPN over an AWS Direct Connect

    Routing and Multi WAN
    pgmac

      Hi all,
      We have an XG-7100 configured to make a Direct Connect through to AWS (via Megaport) to a Public VIF. This routes all of AWS's public-facing networks (AS 7224) over the Direct Connect using BGP. This is working quite nicely.
      Over this, we have a Transit Gateway VPN connection. This gives us access to our VPCs in our AWS accounts. The AWS networks are also advertised via BGP. This is also working quite nicely.

      We'd like to also route our default gateway over the DC+VPN connection.
      We've added the 0.0.0.0/0 network to one of our VPCs attached to the Transit Gateway, and it is being advertised back to our XG-7100 via BGP.
      We configured the XG-7100 to have no default gateway. Now it uses the BGP advertised 0.0.0.0/0 network as the default gateway.

      There are several VLAN interfaces configured (ix0.800, ix1.20, ix1.21, ix.22, etc.) with IP addresses. The base interfaces (ix0, ix1, etc.) are NOT configured.
      All configured interfaces have the "Block private networks and loopback addresses" and "Block bogon networks" options disabled.
      The Megaport Direct Connect to AWS Public VIF connection is configured on the ix0.800 interface.
      The AWS VPN link-local addresses are an IP Alias to the lo0 loopback/localhost interface.
      The VPN IPSec Phase 1 is configured on ix0.800 interface.
      The VPN IPSec Phase 2 connections are configured against the link-local addresses and each of the ix1.20, etc interfaces using 0.0.0.0/0 as the remote network.

      Devices behind the XG-7100 can successfully browse the internet.
      However, the XG-7100 itself is unable to access the internet.

      A ping from the XG-7100 Diagnostic page returns the following:

      PING 8.8.8.8 (8.8.8.8): 56 data bytes
      36 bytes from localhost (127.0.0.1): Time to live exceeded
      Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
       4  5  00 0054 f22c   0 0000  01  01 0000 169.254.33.246  8.8.8.8 
      
      36 bytes from localhost (127.0.0.1): Time to live exceeded
      Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
       4  5  00 0054 a7ac   0 0000  01  01 0000 169.254.33.246  8.8.8.8 
      
      36 bytes from localhost (127.0.0.1): Time to live exceeded
      Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
       4  5  00 0054 c3e5   0 0000  01  01 0000 169.254.33.246  8.8.8.8 
      
      
      --- 8.8.8.8 ping statistics ---
      3 packets transmitted, 0 packets received, 100.0% packet loss
      

      A traceroute from the XG-7100 Diagnostic page returns the following message:

      Error: 8.8.8.8 could not be traced/resolved
      

      A traceroute from the XG-7100 command prompt (via ssh) returns the following:

      traceroute: findsaddr: failed to connect to peer for src addr selection.
      

      Any help getting the XG-7100 configured to access the internet directly would be greatly appreciated.
      Please let me know if you require any further information or details. I can provide some config and logs if/when required, too.

      Kind regards,

      Paul
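Added example, not part of the post above and not pfSense code: a small Python parser for the FreeBSD ping error dump quoted in the post, which pulls the quoted IP header out of each "Time to live exceeded" report and flags the symptom described (the firewall's own probes sourced from a 169.254/16 tunnel address and expiring on the host itself). The sample text is a constructed copy of two of the replies shown in the post.

```python
import ipaddress
import re

# Constructed sample: two of the ICMP error reports quoted in the post above.
SAMPLE = """PING 8.8.8.8 (8.8.8.8): 56 data bytes
36 bytes from localhost (127.0.0.1): Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 f22c   0 0000  01  01 0000 169.254.33.246  8.8.8.8
36 bytes from localhost (127.0.0.1): Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 a7ac   0 0000  01  01 0000 169.254.33.246  8.8.8.8
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
"""

# "<n> bytes from <name> (<addr>): <message>" line that precedes each header dump
ERR_RE = re.compile(r"^\d+ bytes from \S+ \(([\d.]+)\): (.+)$")
# Column header that ping prints before the quoted IP header of the failed packet
HDR_RE = re.compile(r"^\s*Vr\s+HL\s+TOS\s+Len\s+ID\s+Flg\s+off\s+TTL\s+Pro\s+cks\s+Src\s+Dst\s*$")


def parse_icmp_errors(text):
    """Return one dict per ICMP error reported by ping: who reported it, the
    message, and the TTL/Src/Dst fields of the quoted IP header."""
    errors, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = ERR_RE.match(lines[i])
        if m and i + 2 < len(lines) and HDR_RE.match(lines[i + 1]):
            f = lines[i + 2].split()  # Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
            errors.append({"reporter": m.group(1), "message": m.group(2),
                           "ttl": int(f[7], 16), "src": f[10], "dst": f[11]})
            i += 3
        else:
            i += 1
    return errors


def diagnose(text):
    """Count TTL-exceeded reports coming from 127.0.0.1 (the packet expired on
    the host itself) and collect any 169.254/16 source addresses they quote,
    which is the combination the post shows for firewall-originated traffic."""
    errs = parse_icmp_errors(text)
    local_loop = [e for e in errs
                  if e["reporter"] == "127.0.0.1" and "exceeded" in e["message"]]
    link_local = ipaddress.ip_network("169.254.0.0/16")
    ll_sources = {e["src"] for e in local_loop
                  if ipaddress.ip_address(e["src"]) in link_local}
    return {"errors": len(errs), "local_ttl_exceeded": len(local_loop),
            "link_local_sources": sorted(ll_sources)}
```

Running `diagnose(SAMPLE)` on the quoted output reports both errors as local TTL expiries sourced from 169.254.33.246, which points at source-address selection for the firewall's own traffic rather than at the devices behind it.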

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.