AWS VPC Internet Traffic over VPN

mark2015 · July 5, 2018, 8:19pm

I have a VPN established between my VPC and my Mikrotik router. I am able to connect to my servers and am able to communicate from my servers back to my local network.
What I want to do now is make all the traffic in the VPC route through my Mikrotik router (instead of setting up a NAT in the VPC). Any ideas on how to set this up? I’ve tried setting up a srcnat rule from to 0.0.0.0/0, but no luck.
I also have setup on the VPC a static route for 0.0.0.0/0 to point to the vgw.

Anumrak · July 6, 2018, 8:40am

You need to do NAT Masq rule or source nat on your Mikrotik router of LAN network of your VPC server. After tunnel establish, just add static route to LAN address on other side of Tik. Tik will NAT local network of your VPC and forward VPC packets to Internet.

mark2015 · July 6, 2018, 3:20pm

That what I think I currently have. To give everyone more information… looking at the diagram below I can do the following ping tests. The odd ones are the last 3
LAN → VPC (ok)
VPC → LAN (ok) - I can ping machines on my LAN
LAN → Interwebs (ok)
VPC → mikrotik router on LAN (ie the x.x.x.1 address) (FAIL)
mikrotik → VPC (if I ssh onto the mikrotik router and try to ping the VPC, it fails) (FAIL)
VPC → Interwebs (FAIL)

 +-------+        +------------+
 | VPC   |        | Interwebs  |
 +-------+        +------------+
        |           |
        |           |
        |           |
      +--------------+
      |  MikroTik    |
      +--------------+
              |
              |
          +------+
          | LAN  |
          +------+

mark2015 · August 5, 2018, 9:54pm

Bumping this up.

So I’ve been trying to debug this using firewall rules (both on the nat and filter side) and I cannot see/log any traffic originating from the VPC that is destined for internet (ie curl google.com); however, I can see traffic pinging my LAN servers.

Any recommendations on how to approach solving this problem?

mark2015 · August 11, 2018, 12:47am

I’ve made some progress… I enabled a prerouting mangle rule to passthrough and log the packet. I see the packet in the log now as follows:

prerouting mangle: prerouting: in:ether1 out:(unknown 0), src-mac proto ICMP (type 8, code 0), 10.1.0.245->8.8.8.8, len 84

however, I also setup input, forward, output, and postrouting mange rule to passthrough and log the packet; however, none of the other rules log the packet. Any ideas what could be causing the packet to disappear? I’m suspecting it’s going to the routing table seeing a route to 0.0.0.0/0 and out on to the internet it goes without letting me src-nat it.

Thoughts? Suggestion on what to do?