Hi, I've got functional tunnels and BGP peering is OK. Prefixes are as expected on both sides, so I'm thinking I have a firewall (iptables-style) problem. I've tried some of what I've seen in other posts for the NAT and mangle chains, but no dice. Can someone spot the missing piece?
[craigb@MikroTik] /ip/firewall> /ip/ipsec/active-peers/print
Flags: N - NATT-PEER
Columns: ID, STATE, UPTIME, PH2-TOTAL, REMOTE-ADDRESS
# ID STATE UPTIME PH2-TOTAL REMOTE-ADDRESS
;;; AWS-2
0 N 34.239.16.250 established 1h56m46s 1 34.239.16.250
;;; AWS-1
1 N 18.233.233.35 established 1h56m46s 1 18.233.233.35
[craigb@MikroTik] /ip/firewall> /routing/bgp/connection/print
Flags: D - dynamic, X - disabled, I - inactive
0 ;;; AWS-1
name="AWS-1"
remote.address=169.254.79.193 .as=64512
local.address=169.254.79.194 .role=ebgp
connect=yes listen=yes routing-table=main as=65008 hold-time=30s keepalive-time=10s address-families=ip
output.network=LAN-PL
1 X ;;; AWS-2
name="AWS-2"
remote.address=169.254.112.69 .as=64512
local.address=169.254.112.70 .role=ebgp
connect=yes listen=yes routing-table=main as=65008 address-families=ip
output.network=LAN-PL
[craigb@MikroTik] /ip/firewall> /ip/route/print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, b - BGP, o - OSPF, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAd 0.0.0.0/0 76.244.28.1 1
DAo 10.17.38.16/31 192.168.9.0%e2-Transit 110
DAb 10.60.0.0/16 169.254.79.193 20
DAc 76.244.28.0/22 e1-INET1 0
DAc 169.254.79.192/30 e1-INET1 0
DAc 169.254.112.68/30 e1-INET1 0
DAc 192.168.9.0/31 e2-Transit 0
DAo 192.168.10.0/24 192.168.9.0%e2-Transit 110
DAo 192.168.11.0/24 192.168.9.0%e2-Transit 110
DAo 192.168.12.0/24 192.168.9.0%e2-Transit 110
DAc 192.168.20.0/24 BR-20 0
# Address lists. LAN-PL is the prefix set both BGP connections advertise
# (output.network=LAN-PL in the connection print above). AWS holds the
# prefix learned from AWS-1 (10.60.0.0/16 via 169.254.79.193 in the route
# table) but is not referenced by any filter or NAT rule in this export.
/ip firewall address-list
add address=192.168.10.0/24 comment=LAN-PL list=LAN-PL
add address=192.168.9.0/31 list=LAN-PL
add address=10.60.0.0/16 list=AWS
# Both active peers are flagged N (NAT-T) in the active-peers print, so the
# UDP timeout below also governs the connection-tracking entries of the
# UDP-encapsulated IPsec traffic.
# NOTE(review): 10s is aggressive -- confirm it is intentional and not
# shortening NAT-T state between keepalives.
/ip firewall connection tracking
set udp-timeout=10s
/ip firewall filter
# input chain -- rule order is decisive here.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# This rule ends evaluation for every packet arriving on an interface outside
# the LAN list, so the explicit e1-INET1 drop at the end of the chain is only
# reached if e1-INET1 is itself a LAN-list member.
# NOTE(review): interface-list membership is not part of this export; if
# e1-INET1 is WAN-only, the later e1-INET1 rule and its log=yes never fire.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# forward chain. The two ipsec-policy accept rules sit before fasttrack, so
# traffic matched by the IPsec policy is accepted before it can be
# fasttracked; the final "drop all from WAN not DSTNATed" rule therefore
# does not reach decrypted traffic from AWS that the in,ipsec rule accepted.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Logs new connections on e1-INET1 -- see the ordering note on the
# "drop all not coming from LAN" rule above.
add action=drop chain=input connection-state=new in-interface=e1-INET1 log=yes
/ip firewall nat
# srcnat: masquerade is the only rule. The AWS prefix is routed via
# 169.254.79.193, which is connected on e1-INET1, so LAN -> 10.60.0.0/16
# flows leave through that interface and, if e1-INET1 is in the WAN list,
# are masqueraded to its address before the IPsec policy sees them; nothing
# ahead of this rule exempts tunnel-bound traffic.
# NOTE(review): if the tunnel policy expects the original LAN source, an
# accept rule placed above the masquerade, e.g.
#   add action=accept chain=srcnat ipsec-policy=out,ipsec
# (or one matching dst-address-list=AWS), is the usual missing piece; verify
# against the IPsec policy selectors, which are not shown in this export.
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN