edknoch
just joined
Topic Author
Posts: 1
Joined: Tue Mar 31, 2020 10:31 pm

CHR in AWS

Tue Mar 31, 2020 11:22 pm

I have a VPC in the AWS cloud and I am currently testing the MikroTik CHR. I am able to spin up the CHR and add it to my VPC group as an instance. I then spun up two instances in the VPC, both of which can reach the CHR; routing is working between the devices in the VPC.

At this point, I added a remote router (hAP) using an L2TP connection over cellular (dynamic IP) to the CHR device on its public interface.

The handshake works and a connection is established between the remote and CHR routers.

In the CHR router, I can ping all devices in the remote network without issue.

What I cannot do is tunnel through from the VPC's outbound private IP space to the remote router locations.

Network is defined as such:

ether1 --> 192.168.30.250 CHR Router --> L2TP (192.168.77.200) <--> L2TP client (192.168.77.201) --> 10.10.1.1 (Remote Router) --> Edge device (10.10.1.100)

CHR can ping all devices in remote network (10.10.1.0/24) over the L2TP tunnel

VPC Devices in network
Linux Server (192.168.30.30)
Linux Server (192.168.30.31)

Devices in the VPC in the same security group, with this route created:
10.10.1.0/24 ==> network interface on CHR router (192.168.30.250)

At this point, I cannot ping or get traffic into the network (on the CHR) over the L2TP VPN.

Is there any way to resolve this?

Thank you,

Ed
 
HaPe
Member Candidate
Posts: 239
Joined: Fri Feb 10, 2012 10:24 pm
Location: Poland

Re: CHR in AWS

Tue May 05, 2020 1:29 am

Hello,

Have you added routes in the VPC to tell the servers in your VPC how to reach 192.168.77.x?
Remember to disable the Source/Destination Check on the EC2 instance.
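The two AWS-side changes suggested above, written out as AWS CLI calls. This is an added example, not code from the thread or from MikroTik; the instance ID, route table ID and ENI ID are placeholders you must replace with your own. The route is attached to the CHR's network interface (the ENI behind 192.168.30.250 in the original post) rather than to the instance ID, and the script ends by reading back the attribute so you can confirm the check is really off.

```shell
#!/bin/sh
# Added example (not from the thread): AWS-side configuration for using a
# CHR EC2 instance as the VPC's gateway to a remote network over L2TP.
# All identifiers below are assumed placeholders:
#   INSTANCE_ID  the EC2 instance running CHR          (e.g. i-0123456789abcdef0)
#   ROUTE_TABLE  route table of the subnet holding the VPC servers (rtb-...)
#   CHR_ENI      the ENI carrying the CHR's ether1 / 192.168.30.250 (eni-...)
# Set DRY_RUN=1 to print the commands instead of executing them.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# 1. Turn off the source/destination check. With it on, EC2 drops any packet
#    leaving or entering the instance whose addresses are not the instance's
#    own, so forwarded traffic between 192.168.30.0/24 and 10.10.1.0/24 never
#    gets through even though the CHR itself can ping the remote side.
disable_src_dst_check() {
  run aws ec2 modify-instance-attribute \
    --instance-id "$1" \
    --no-source-dest-check
}

# 2. Point the remote LAN and the L2TP transfer network at the CHR's ENI.
#    Routing to the ENI rather than the instance ID keeps the route valid
#    across instance stop/start cycles.
add_vpc_routes() {
  rtb="$1"; eni="$2"; shift 2
  for cidr in "$@"; do
    run aws ec2 create-route \
      --route-table-id "$rtb" \
      --destination-cidr-block "$cidr" \
      --network-interface-id "$eni"
  done
}

# 3. Read the attribute back: the value should now be False.
check_src_dst_disabled() {
  run aws ec2 describe-instance-attribute \
    --instance-id "$1" \
    --attribute sourceDestCheck \
    --query 'SourceDestCheck.Value' \
    --output text
}

main() {
  instance="$1"; rtb="$2"; eni="$3"
  disable_src_dst_check "$instance"
  add_vpc_routes "$rtb" "$eni" 10.10.1.0/24 192.168.77.0/24
  check_src_dst_disabled "$instance"
}

# Usage: ./chr-vpc-gateway.sh INSTANCE_ID ROUTE_TABLE CHR_ENI
if [ $# -eq 3 ]; then
  main "$@"
fi
```

Two things the AWS side alone does not fix: the security group on the CHR instance must permit the forwarded flows (inbound from 10.10.1.0/24 towards the VPC servers, and the servers' traffic towards 10.10.1.0/24), since disabling the check turns the instance into a router and its group is now the only filter on that path; and the remote hAP needs a return route for the VPC subnet over the tunnel, for instance /ip route add dst-address=192.168.30.0/24 gateway=<your L2TP interface>, otherwise replies from 10.10.1.x go out the cellular default route instead of back through the L2TP session.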
 
kuz8
just joined
Posts: 16
Joined: Sun Mar 02, 2014 10:08 am
Location: Boston, MA

Re: CHR in AWS

Thu Sep 09, 2021 8:14 am

@HaPe, thanks for the answer; indeed, disabling the source/destination check helped in my setup.

One problem persists. I use an IPsec site-to-site tunnel. I can ping both ways, AWS private VPC to on-prem LAN and back, with 20-25 ms latency, but when I connect over SSH to a Linux instance via the tunnel in either direction, AWS to on-prem or on-prem to AWS, typing in the remote host's console is very laggy; it takes seconds for the characters to appear. I've tried src-nat (accept) and src-nat (src-nat), and both are lagging.

On the CHR I have a P1 trial license, and I rebooted the CHR after applying it to be sure. The UDP bandwidth test from on-prem to the public AWS CHR interface shows the maximum possible for my line, 500 Mbit RX and 25 Mbit TX. Other tunnels from the same on-prem RB4011 router to other on-prem CCRs are not showing any SSH terminal lag.
The CHR EC2 instance's CPU is at nearly 0% and rarely spikes to 5%; the t3.micro CPU credits are set to unlimited, and the monitoring chart shows there are more available than are being spent.

Any ideas on SSH lagging over the site-to-site IPsec on the AWS CHR?

Thank you,
