Hi everyone,
I’m running a MikroTik RouterOS instance on AWS to route traffic from a virtual LAN (10.1.2.0/23) to the Internet. The setup is as follows:
WAN interface (ether1): 10.1.0.4 with a public IP
LAN interface (ether2): 10.1.3.1/23
DHCP server active on LAN
NAT (masquerade) active on ether1
DNS is correctly configured (allow-remote-requests=yes and 8.8.8.8, 1.1.1.1)
LAN VMs (e.g., Issabel server at 10.1.3.5) receive IP, gateway, and DNS correctly
MikroTik can ping 8.8.8.8 via src-address=10.1.0.4
ICMP between Issabel and MikroTik works
/ip firewall connection print shows connections being established from 10.1.3.5
However, LAN VMs have no Internet access
traceroute from Issabel returns only * * *
MikroTik doesn’t seem to forward NATed traffic from LAN
AWS-side:
The route table for the LAN subnet has:
10.1.0.0/22 → local
0.0.0.0/0 → eni-0550b93ccf21c591b → This route shows as blackhole
The ENI (eni-0550b93ccf21c591b) is attached to the MikroTik instance and has IP 10.1.3.1
Source/Destination Check is disabled on the MikroTik WAN ENI
I’ve tried:
Adding an explicit src-nat to-addresses=10.1.0.4
Moving NAT rules to the top
Reattaching ENIs
Confirming traffic arrives and leaves using /tool sniffer
Has anyone run into this blackhole issue on AWS even though the MikroTik instance and ENI are clearly active and correctly assigned?
Any suggestions are welcome — I’m stuck on this one. Thanks in advance!
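As an added example (not from the poster), this Python snippet cross-checks the two AWS-side facts described in the post: the state of each route that targets an ENI, and whether that ENI is attached and has SourceDestCheck disabled, which AWS requires before an ENI may forward packets not addressed to itself. The input is constructed sample JSON in the shape returned by `aws ec2 describe-route-tables` and `aws ec2 describe-network-interfaces`; only the ENI id comes from the post, and the sample deliberately leaves SourceDestCheck enabled on the route's target ENI so the check has something to report.

```python
import json

# Constructed sample output in the shape of `aws ec2 describe-route-tables`
# and `aws ec2 describe-network-interfaces`. The ENI id is the one named in
# the post; every other value is made up for this example.
ROUTE_TABLES_JSON = """{"RouteTables": [{"RouteTableId": "rtb-EXAMPLE",
 "Routes": [
  {"DestinationCidrBlock": "10.1.0.0/22", "GatewayId": "local", "State": "active"},
  {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-0550b93ccf21c591b",
   "State": "blackhole"}
 ]}]}"""

ENIS_JSON = """{"NetworkInterfaces": [
 {"NetworkInterfaceId": "eni-0550b93ccf21c591b", "PrivateIpAddress": "10.1.3.1",
  "SourceDestCheck": true, "Status": "in-use",
  "Attachment": {"InstanceId": "i-EXAMPLE", "Status": "attached"}}
]}"""


def audit_eni_routes(route_tables_json, enis_json):
    """Return one finding per route whose target is an ENI, listing every
    condition that would stop that ENI from forwarding traffic for the route."""
    enis = {e["NetworkInterfaceId"]: e
            for e in json.loads(enis_json)["NetworkInterfaces"]}
    findings = []
    for table in json.loads(route_tables_json)["RouteTables"]:
        for route in table["Routes"]:
            eni_id = route.get("NetworkInterfaceId")
            if not eni_id:
                continue  # local / gateway routes are out of scope here
            problems = []
            if route.get("State") != "active":
                problems.append("route state is %s" % route.get("State"))
            eni = enis.get(eni_id)
            if eni is None:
                problems.append("target ENI not found in this account/region")
            else:
                attached = eni.get("Attachment", {}).get("Status") == "attached"
                if eni.get("Status") != "in-use" or not attached:
                    problems.append("target ENI is not attached to an instance")
                if eni.get("SourceDestCheck", True):
                    problems.append("SourceDestCheck still enabled on the target ENI")
            findings.append({"route_table": table["RouteTableId"],
                             "destination": route.get("DestinationCidrBlock"),
                             "eni": eni_id,
                             "eni_ip": eni.get("PrivateIpAddress") if eni else None,
                             "problems": problems})
    return findings


if __name__ == "__main__":
    for finding in audit_eni_routes(ROUTE_TABLES_JSON, ENIS_JSON):
        print(json.dumps(finding, indent=1))
```

On a live account, feed the function the real output of the two CLI calls instead of the constructed strings; an empty `problems` list for the 0.0.0.0/0 route means the AWS side is consistent and the fault is on the router.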