Watts
Lost all connection to AWS instance

Mon Apr 04, 2022 10:24 pm

Using the Mikrotik AMI for CHR I have created an EC2 instance, but I keep losing connection to the server entirely; no Winbox, no SSH, no console connect from the Instances page. I keep having to spin up a new server and rebuild my work. None of our other AWS servers (mostly Ubuntu AMIs) have this issue. I am assuming there is something about the CHR AMI that I am missing which is causing this issue.

I am attempting to set up a VPN using OpenVPN to connect the field devices my employer creates. A previous VPN project was run last year and that server was up for nearly the full year and we could still connect to it, until I removed the PPTP setup and replaced it with the Mikrotik built-in OpenVPN server.

Has anyone else had a CHR server stop communicating and lose all ability to connect to it?

Here is the config export for the CHR.
# mar/31/2022 17:55:47 by RouterOS 6.44.3
# software id = 
#
#
#
/interface bridge
add arp=local-proxy-arp fast-forward=no name=afads priority=0x8192 \
    transmit-hold-count=1
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=afadpool ranges=10.8.0.1-10.8.127.255
/ppp profile
set *0 bridge=afads change-tcp-mss=default local-address=10.8.0.1 only-one=\
    yes use-encryption=yes
add bridge=afads local-address=10.8.0.1 name=SmartFlaggerL3 only-one=yes \
    remote-address=afadpool use-encryption=yes
/interface bridge port
add bridge=afads hw=no interface=ether1
add bridge=afads interface=*F005C9
add bridge=afads interface=*F004E9
add bridge=afads interface=dynamic
/interface ovpn-server server
set auth=sha1 certificate=[ServerCertName] cipher=aes256 default-profile=\
    SmartFlaggerL3 enabled=yes keepalive-timeout=30 netmask=17
/ip firewall address-list
add address=10.8.40.1 list=undeployed
[Removed approx 4000 lines, similar to the one above]
/ip firewall filter
add action=accept chain=forward comment=\
    "Allows units in the Test group to communicate." dst-address-list=test \
    src-address-list=test
add action=accept chain=forward comment=\
    "Allows all traffic from Internal Trusted Servers to units." \
    dst-address-list=!InternalTrustedServers src-address=0.0.0.0 \
    src-address-list=InternalTrustedServers
add action=accept chain=forward comment=\
    "Allows all traffic from units to Internal Trusted Servers." \
    dst-address-list=InternalTrustedServers
add action=accept chain=forward comment="Test of unit to unit communication" \
    disabled=yes dst-address-list=test src-address-list=test
add action=accept chain=forward comment=\
    "Accept Forward for Established and Related Connections" \
    connection-state=established,related,untracked
add action=accept chain=forward comment="Allow Forwarding by OVPN Clients" \
    src-address=192.168.22.128/25
add action=accept chain=input comment=\
    "Accept Input for Established and Related Connections" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Allow OpenVPN Connection" dst-port=\
    1194 protocol=tcp
add action=accept chain=input comment="Allow Input by OVPN Clients" \
    in-interface=all-ppp
add action=accept chain=input comment="Allow Winbox Input" dst-port=8291 \
    protocol=tcp
add action=accept chain=input comment="Allow HTTPS Input" dst-port=443 \
    protocol=tcp
add action=drop chain=input comment="Input drop for all other connection" \
    disabled=yes
add action=drop chain=forward comment="Forward drop for all other connection" \
    disabled=yes
add action=drop chain=forward comment="Invalid drop for all other connection" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment="PREVENT ALL TALK BETWEEN UNITS." \
    disabled=yes src-address=!10.8.0.5
/ip firewall nat
add action=masquerade chain=srcnat out-interface=all-ppp
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=AFD0001 password=[Redacted] profile=SmartFlaggerL3 remote-address=\
    10.8.80.1 service=ovpn
[Removed nearly 4000 lines, similar to the one above] 
/system identity
set name=[AWS instance auto-generated name]
/system logging
add topics=ovpn
add topics=debug
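An added example, not code from the post or from MikroTik: a small Python checker that parses an export in the format quoted above and reports two things a reviewer would want to look at in this config, ether1 placed under a bridge and input/forward chains whose catch-all drop rule is disabled or missing. The embedded export is a constructed excerpt, and NON_MATCH_KEYS is an assumed subset of the rule keys that do not narrow a match.

```python
import shlex

# Constructed excerpt in the shape of the export quoted above (not the full export).
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=afads hw=no interface=ether1
/ip firewall filter
add action=accept chain=input comment="Allow Winbox Input" dst-port=8291 \\
    protocol=tcp
add action=drop chain=input comment="Input drop for all other connection" \\
    disabled=yes
add action=drop chain=forward comment="Forward drop for all other connection" \\
    disabled=yes
"""

# Keys that do not narrow what a filter rule matches (assumed subset).
NON_MATCH_KEYS = {"action", "chain", "comment", "disabled", "log", "log-prefix"}

def parse_export(text):
    """Return [(section, {key: value})]; joins backslash continuations."""
    entries, section, buf = [], None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()          # continuation lines are indented
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        buf = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # section header, e.g. /ip firewall filter
            section = line
            continue
        # shlex keeps a quoted comment="..." as one token; split key=value pairs
        kv = dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)
        entries.append((section, kv))
    return entries

def audit(text):
    """Return human-readable findings for the export."""
    findings, guarded = [], set()
    for section, kv in parse_export(text):
        if section == "/interface bridge port" and kv.get("interface") == "ether1":
            findings.append("ether1 is a bridge port: the uplink address/DHCP client must be on the bridge")
        if section == "/ip firewall filter" and kv.get("action") == "drop" \
                and not (kv.keys() - NON_MATCH_KEYS) and kv.get("disabled") != "yes":
            guarded.add(kv.get("chain"))  # enabled catch-all drop for this chain
    for chain in ("input", "forward"):
        if chain not in guarded:
            findings.append(f"chain {chain} has no enabled catch-all drop rule")
    return findings
```

Run `audit(open("export.rsc").read())` against a real export to get the same findings for the full config; a bridged uplink port is one reason a CHR can stop answering on every management path at once.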
