DNAT UDP redirect from L2TP VPN Zone return packets going down the wrong interface

I have set up a DNAT UDP port forward from a L2TP VPN tunnel to the LAN zone.

config redirect '29'
	option src_dport '51820'
	option dest_ip '192.168.21.2'
	option name 'WireGuard'
	option target 'DNAT'
	option priority '1'
	option dest 'lan'
	option enabled '1'
	list proto 'udp'
	option src 'vpn'

The problem is the return packets go down the WAN interface and not the VPN interface.

root@remote:~# tcpdump -i any port 51820
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
12:28:12.551954 l2tp-VPN In  IP 31.94.72.223.45647 > 40.71.52.25.in-addr.arpa.51820: UDP, length 148
12:28:12.552140 br-lan Out IP 31.94.72.223.45647 > gateway-pro.lan.51820: UDP, length 148
12:28:12.552170 eth0  Out IP 31.94.72.223.45647 > gateway-pro.lan.51820: UDP, length 148
12:28:12.553929 eth0  In  IP gateway-pro.lan.51820 > 31.94.72.223.45647: UDP, length 92
12:28:12.553929 br-lan In  IP gateway-pro.lan.51820 > 31.94.72.223.45647: UDP, length 92
12:28:12.554900 rmnet_data0 Out IP 40.71.52.25.in-addr.arpa.51820 > 31.94.72.223.45647: UDP, length 92
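
One way to make this kind of asymmetry visible automatically, as an added example that is not part of the thread: a small parser for the cooked-capture lines from `tcpdump -i any` that records the ingress interface of each inbound request to the forwarded port and flags any reply that leaves on a different interface. The sample input is the capture quoted above plus one constructed flow (198.51.100.7) whose reply correctly leaves on the VPN interface; the interface and host names are taken from the capture, not from any real configuration.

```python
import re

# Constructed sample: the "tcpdump -i any" lines quoted above (LINUX_SLL2 cooked
# format) plus one hypothetical second flow whose reply leaves on the VPN as it should.
SAMPLE = """\
12:28:12.551954 l2tp-VPN In  IP 31.94.72.223.45647 > 40.71.52.25.in-addr.arpa.51820: UDP, length 148
12:28:12.552140 br-lan Out IP 31.94.72.223.45647 > gateway-pro.lan.51820: UDP, length 148
12:28:12.552170 eth0  Out IP 31.94.72.223.45647 > gateway-pro.lan.51820: UDP, length 148
12:28:12.553929 eth0  In  IP gateway-pro.lan.51820 > 31.94.72.223.45647: UDP, length 92
12:28:12.553929 br-lan In  IP gateway-pro.lan.51820 > 31.94.72.223.45647: UDP, length 92
12:28:12.554900 rmnet_data0 Out IP 40.71.52.25.in-addr.arpa.51820 > 31.94.72.223.45647: UDP, length 92
12:28:13.000001 l2tp-VPN In  IP 198.51.100.7.40000 > 40.71.52.25.in-addr.arpa.51820: UDP, length 148
12:28:13.000900 l2tp-VPN Out IP 40.71.52.25.in-addr.arpa.51820 > 198.51.100.7.40000: UDP, length 92
"""

# timestamp, interface, direction, "IP", src.port, ">", dst.port, ":", "UDP"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+UDP"
)

def parse(text):
    """Yield one dict per parsable cooked-capture line; banner lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            yield d

def find_asymmetric_flows(text, service_port=51820):
    """Return [(client, ingress_iface, egress_iface)] for every flow whose reply
    leaves on a different interface than the one the request arrived on."""
    ingress = {}        # client endpoint -> interface of its first inbound request
    findings = []
    for p in parse(text):
        if p["dir"] == "In" and p["dport"] == service_port:
            ingress.setdefault(f"{p['src']}.{p['sport']}", p["iface"])
        elif p["dir"] == "Out" and p["sport"] == service_port:
            client = f"{p['dst']}.{p['dport']}"
            if client in ingress and ingress[client] != p["iface"]:
                findings.append((client, ingress[client], p["iface"]))
    return findings

if __name__ == "__main__":
    for client, in_if, out_if in find_asymmetric_flows(SAMPLE):
        print(f"{client}: request in on {in_if}, reply out on {out_if}")
```

Pipe a live capture in with `tcpdump -i any -l port 51820 | python3 script.py` after replacing `SAMPLE` with `sys.stdin.read()`; only the flow whose reply exits `rmnet_data0` is reported.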

Probably because the default route is via the WAN and return packets will use the default route.
So make a return route back via the VPN interface.
If it all comes from one IP address (the VPN's address) you can just use that; otherwise you have to use Policy Based routing to make a table and rules.

Thank you for replying.

I tried to create a route based

config table '1'
	option id '1'
	option name 'vpn'

config route '2'
	option table '1'
	option netmask '0.0.0.0'
	option target '0.0.0.0'
	option interface 'vpn'

config rule '3'
	option action_group 'lookup'
	option tos '0'
	option src '25.52.71.40/32'
	option invert '0'
	option lookup '1'

The problem seems to be that it looks like the routing rules are applied and the source IP at this point is a LAN IP. Then the DNAT changes the src IP and the interface is already chosen.

Thoughts?

I do not know what build you are on but modern syntax is like this:

config route
	option interface 'vpn'
	option table '1'
	option target '0.0.0.0/0'

config rule
	# for ip destination
	option dest '25.52.71.40/32'
	# for interface
	#option in 'lan'
	option lookup '1'

The src is a source IP on your LAN, so I assume 25.52.71.40/32 is the destination, so try that (dest, which will make from all to 'dest').

Thanks again.

Sorry, I made a mistake; I corrected it, but it does not make a difference. The problem is I am struggling to identify the packets for the VPN since it looks like the src IP is rewritten after the routing decision is made.

config rule
	# for ip destination
	option src '25.52.71.40/32'
	# for interface
	#option in 'vpn'
	option lookup '1'

The version is below:

BusyBox v1.34.1 (2024-11-28 08:20:07 UTC) built-in shell (ash)

     ____        _    ___  ____
    |  _ \ _   _| |_ / _ \/ ___|
    | |_) | | | | __| | | \___ \
    |  _ <| |_| | |_| |_| |___) |
    |_| \_\\__,_|\__|\___/|____/
--------------------------------------
     Teltonika TRB500 series 2024
--------------------------------------
   Device:     TRB500
   Kernel:     4.14.336
   Firmware:   TRB500_R_00.07.11.1
   Build:      66c12082e5f
   Build date: 2024-11-28 12:43:43
--------------------------------------
root@TRB500:~# cat /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='21.02.0'
DISTRIB_REVISION='r16279-5cc0535800'
DISTRIB_TARGET='sdxprairie/generic'
DISTRIB_ARCH='arm_cortex-a7_neon-vfpv4'
DISTRIB_DESCRIPTION='OpenWrt 21.02.0 r16279-5cc0535800'
DISTRIB_TAINTS='no-all busybox'

No idea how you set up L2TP ALG on Teltonika RutOS; you have to ask them.

Closing this thread because the firmware on the device is not from the official OpenWrt project. The OP will need to ask the maintainers/providers of the firmware that is running on that device.
