Remote IPSEC+BGP network not able to use default route on Mikrotik
Posted: Fri Mar 08, 2019 4:45 pm
Hello,
I have set up a VPC (virtual private cloud) on Amazon with a site-to-site VPN connection to our office using IPsec and BGP. I have an RB3011 in our office to do this.
This is all working: I can access EC2 instances inside the VPC from the office LAN and vice versa.
Now, I want to be able to use the internet gateway from our office for the VPC. And it seems that somehow, the NAT is not doing its thing...
The overall configuration on Amazon is similar to this:

MikroTik IP firewall configuration:
/ip firewall filter
add action=accept chain=input comment="Allow OpenVPN" dst-port=1194 protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=upstream-telenet log-prefix=drop_wan
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=drop chain=forward comment="prevent access from guest network to other networks" dst-address=10.84.0.0/16 src-address=10.0.0.0/24
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=forward comment="accept traffic from VPC" log=yes log-prefix=testlog src-address=10.84.0.0/18
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix="drop invalid forward"
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=upstream-telenet
/ip firewall nat
add action=accept chain=srcnat dst-address=10.84.0.0/18 out-interface=upstream-telenet src-address=10.84.80.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" log-prefix=masq out-interface=upstream-telenet
add action=accept chain=srcnat comment="was in AWS doc, not needed appareantly" disabled=yes dst-address=169.254.20.193 src-address=169.254.20.194
Note: the rule "add action=accept chain=forward log=yes log-prefix=testlog src-address=10.84.0.0/18" has no effect; no counter increase during testing.
Routing/BGP:
/routing bgp instance
set default as=65000 comment="was 65530"
/routing bgp network
add network=10.84.80.0/24 synchronize=no
/routing bgp peer
add default-originate=always hold-time=30s keepalive-time=10s name=BGP-vpn-037fb9882c77380f8-0 remote-address=169.254.20.193 ttl=default
When testing using the packet sniffer on the IP address of the EC2 instance and performing a wget of an HTTP page on that EC2 instance, I can see the requests appearing in the sniffer, but there's no reply from the web server. For me, this proves that the tunnel and VPC configuration is OK and that there must be something going wrong on the MikroTik. But I can't seem to figure out what.
I have (temporarily) tried to disable all forward filters: no result. Adding various kinds of NAT rules also didn't help.
Obviously, I have internet access from my LAN, hence this post.
I'm a novice when it comes to all of this, and something that's not clear to me is the order in which firewall filter, NAT, routing, etc. are performed, to allow me to better debug the issue. I'm not even sure where in the chain the packet sniffer is picking up the packets. E.g., is it impacted by the firewall filter?
Anybody with an idea?
Thanks!
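To make the ordering question concrete, here is an added example (not from the post, and not MikroTik code): a small Python model that walks the post's own forward-filter and srcnat rules top to bottom, in the order RouterOS consults them after the routing decision, and reports which rule a packet hits first. It assumes that a tunnel packet, once decrypted, still carries the WAN interface as its in-interface, and the packet addresses are constructed.

```python
import ipaddress
import shlex
# Forward-path rules copied from the post's export (input chain and comments dropped).
EXPORT = """
add action=fasttrack-connection chain=forward connection-state=established,related
add action=drop chain=forward dst-address=10.84.0.0/16 src-address=10.0.0.0/24
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward log=yes log-prefix=testlog src-address=10.84.0.0/18
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=upstream-telenet
add action=accept chain=srcnat dst-address=10.84.0.0/18 out-interface=upstream-telenet src-address=10.84.80.0/24
add action=masquerade chain=srcnat out-interface=upstream-telenet
"""

def parse_rules(export):
    # Group enabled 'add' lines by chain, keeping RouterOS's top-to-bottom order.
    chains = {}
    for line in export.strip().splitlines():
        rule = dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
        if rule.get("disabled") != "yes":
            chains.setdefault(rule["chain"], []).append(rule)
    return chains
def matches(rule, pkt):
    # Simplified matcher for the keys the post uses; a leading '!' negates a matcher.
    for key, want in rule.items():
        if key in ("action", "chain", "log", "log-prefix", "comment"):
            continue
        negate, want = want.startswith("!"), want.lstrip("!")
        if key in ("src-address", "dst-address"):
            hit = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want)
        else:  # list-valued matchers such as connection-state=established,related
            hit = pkt.get(key) in want.split(",")
        if hit == negate:
            return False
    return True
def first_match(chains, chain, pkt):
    # (index, action) of the first matching rule, or None when the chain falls through.
    for i, rule in enumerate(chains[chain]):
        if matches(rule, pkt):
            return i, rule["action"]
    return None
def trace(pkt, export=EXPORT):
    # Forward path: routing decision, filter 'forward', then 'srcnat' in postrouting;
    # NAT is decided on a connection's first packet only, so srcnat is None otherwise.
    chains = parse_rules(export)
    nat = first_match(chains, "srcnat", pkt) if pkt["connection-state"] == "new" else None
    return first_match(chains, "forward", pkt), nat
# Constructed packet: an EC2 host's HTTP SYN after decryption; in-interface assumed to stay the WAN side.
VPC_SYN = {"src-address": "10.84.1.10", "dst-address": "93.184.216.34", "in-interface": "upstream-telenet",
           "out-interface": "upstream-telenet", "connection-state": "new", "connection-nat-state": ""}
```

For the VPC SYN the model predicts a hit on the testlog accept rule (index 3) and then masquerade; if the real counter on that rule never moves, the packets are not traversing the forward chain in the form modelled here, which narrows the search to the tunnel and decryption side rather than the NAT rules.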