AWS VPC Internet Traffic over VPN

Posted: Thu Jul 05, 2018 11:19 pm
by mark2015
I have a VPN established between my VPC and my Mikrotik router. I am able to connect to my servers and am able to communicate from my servers back to my local network.
What I want to do now is make all the traffic in the VPC route through my Mikrotik router (instead of setting up a NAT in the VPC). Any ideas on how to set this up? I've tried setting up a srcnat rule from <private subnet in vpc> to 0.0.0.0/0, but no luck.
I also have setup on the VPC a static route for 0.0.0.0/0 to point to the vgw.

Re: AWS VPC Internet Traffic over VPN

Posted: Fri Jul 06, 2018 11:40 am
by Anumrak
You need to add a NAT masquerade rule or source NAT rule on your Mikrotik router for the LAN network of your VPC server. After the tunnel is established, just add a static route to the LAN address on the other side of the Tik. The Tik will NAT the local network of your VPC and forward the VPC packets to the Internet.

Re: AWS VPC Internet Traffic over VPN

Posted: Fri Jul 06, 2018 6:20 pm
by mark2015
You need to add a NAT masquerade rule or source NAT rule on your Mikrotik router for the LAN network of your VPC server. After the tunnel is established, just add a static route to the LAN address on the other side of the Tik. The Tik will NAT the local network of your VPC and forward the VPC packets to the Internet.
That's what I think I currently have. To give everyone more information... looking at the diagram below, I can do the following ping tests. The odd ones are the last 3:
LAN -> VPC (ok)
VPC -> LAN (ok) - I can ping machines on my LAN
LAN -> Interwebs (ok)
VPC -> mikrotik router on LAN (i.e. the x.x.x.1 address) (FAIL)
mikrotik -> VPC (if I SSH onto the mikrotik router and try to ping the VPC, it fails) (FAIL)
VPC -> Interwebs (FAIL)

 +-------+        +------------+
 | VPC   |        | Interwebs  |
 +-------+        +------------+
        |           |
        |           |
        |           |
      +--------------+
      |  MikroTik    |
      +--------------+
              |
              |
          +------+
          | LAN  |
          +------+

Re: AWS VPC Internet Traffic over VPN

Posted: Mon Aug 06, 2018 12:54 am
by mark2015
Bumping this up.

So I've been trying to debug this using firewall rules (on both the NAT and filter side) and I cannot see/log any traffic originating from the VPC that is destined for the Internet (i.e. curl google.com); however, I can see traffic pinging my LAN servers.

Any recommendations on how to approach solving this problem?

Re: AWS VPC Internet Traffic over VPN

Posted: Sat Aug 11, 2018 3:47 am
by mark2015
I've made some progress... I enabled a prerouting mangle rule to passthrough and log the packet. I now see the packet in the log as follows:

prerouting mangle: prerouting: in:ether1 out:(unknown 0), src-mac <mac> proto ICMP (type 8, code 0), 10.1.0.245->8.8.8.8, len 84

However, I also set up input, forward, output, and postrouting mangle rules to passthrough and log the packet, but none of the other rules log the packet. Any ideas what could be causing the packet to disappear? I'm suspecting it's going to the routing table, seeing a route to 0.0.0.0/0, and out onto the internet it goes without letting me src-nat it.

Thoughts? Suggestions on what to do?
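The masquerade setup Anumrak describes, together with the per-chain mangle logging used in the last post to trace where a packet vanishes, written out as an added RouterOS example that is not configuration from any poster in this thread. The VPC subnet 10.1.0.0/24 (taken from the logged source 10.1.0.245), the interface names, the LAN subnet and the use of a policy-based IPsec tunnel to the AWS VGW are all assumptions.

```routeros
# Added example, not configuration from any poster in this thread.
# Assumptions: VPC subnet 10.1.0.0/24, WAN interface ether1, local LAN
# 192.168.88.0/24, and a policy-based IPsec tunnel to the AWS VGW (so no
# interface route towards the VPC subnet is needed on this router).

# 1. Source NAT the VPC subnet only when it leaves towards the Internet.
#    out-interface keeps LAN-bound traffic un-NATed; ipsec-policy=out,none
#    keeps traffic that still has to enter the IPsec tunnel un-NATed too.
/ip firewall nat add chain=srcnat src-address=10.1.0.0/24 \
    out-interface=ether1 ipsec-policy=out,none \
    action=masquerade comment="VPC -> Internet via this router"

# 2. Make sure no generic forward drop rule discards VPC traffic before it
#    reaches NAT; place this rule above any such drop.
/ip firewall filter add chain=forward src-address=10.1.0.0/24 \
    out-interface=ether1 action=accept comment="allow VPC to Internet"

# 3. Trace one test flow (ICMP to 8.8.8.8) through every mangle chain.
#    action=log passes the packet on to the next rule, so no passthrough
#    setting is needed. A packet logged under vpc-pre but never under
#    vpc-fwd or vpc-post did not enter forwarding at all: the routing
#    decision (step 4) or an input-chain rule is the next thing to check.
/ip firewall mangle add chain=prerouting  src-address=10.1.0.0/24 \
    dst-address=8.8.8.8 action=log log-prefix="vpc-pre"
/ip firewall mangle add chain=forward     src-address=10.1.0.0/24 \
    dst-address=8.8.8.8 action=log log-prefix="vpc-fwd"
/ip firewall mangle add chain=postrouting src-address=10.1.0.0/24 \
    dst-address=8.8.8.8 action=log log-prefix="vpc-post"

# 4. Checks to run while pinging 8.8.8.8 from a host inside the VPC.
/log print where message~"vpc-"
/ip firewall nat print stats where comment~"VPC"
/ip firewall filter print stats where chain=forward
/ip route print where dst-address=0.0.0.0/0
/ip firewall connection print where src-address~"^10.1.0."
```

Remove the three mangle log rules once the trace is done; they log every matching packet and are meant only for the diagnosis.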