Amazon Linux Routing Challenge


Hi Everyone, I have not worked with AWS for some time so please bear with me.

I have the following topology:

  • VPC 10.10.0.0/16
  • Public subnet 10.10.0.0/24 containing an Amazon Linux instance (call it the 'Firewall') with a single NIC, IP addr = 10.10.0.150 and EIP = 3.45.120.240 (fictitious)
  • Private subnet 10.10.1.0/24 with Windows RDS (10.10.1.10) and Windows AD DS (10.10.1.5)
  • Route table applied to the public subnet routes 0.0.0.0/0 to IGW and 10.10.0.0/16 to local
  • Route table applied to the private subnet routes 0.0.0.0/0 to the firewall NIC and 10.10.0.0/16 to local
  • Kernel routing is enabled (ip_forward=1) and the filter table chains (input/forward/output) are configured to ACCEPT
  • I use iptables on the firewall to DNAT inbound 3.45.120.240:3388 to 10.10.1.10:3389 and masquerade (SNAT) outbound

Basically, any instance in the private subnet routes in/out via the firewall with public IP address 3.45.120.240. I note private instances have a default gateway of 10.10.1.1. I assume this is an IP bound to the VPC?

I recently built a new firewall using Amazon Linux with the same config as the current (old) firewall, except private IP = 10.10.0.254 and EIP = 45.67.3.43 (fictitious). I want to replace this new with the old.

My issue: when I update the target for route 0.0.0.0/0 to the NIC of the new firewall, I do not see any traffic routing through it (I am connected via SSH running tcpdump). If I start a repeating PING from Windows RDS to 1.1.1.1 and run tcpdump on the old firewall, I can see the ICMP flow, but when I flip the target for the 0/0 route to the new firewall I see no packet flow. Both the old and new firewall have a default route 0.0.0.0/0 to 10.10.0.1. I assume this is the VPC router?

Packets from the private subnet do not appear to be reaching the new firewall and I do not know why. How do I troubleshoot further - is there a way to examine packet flow within the VPC? Thank you.

asked 2 years ago, 284 views
3 Answers
Accepted Answer

You don't mention this but just in case: Make sure that the source/destination check for your firewall instance is disabled as per our documentation for NAT instances.

Second: You can see where packets are being routed in a VPC by using VPC Flow Logs.

Third: VPC is an overlay network so doesn't necessarily behave quite the way that an on-premises network will. A good thing to watch here is Another Day Another Billions Flows but because that takes time - one of the things that happens in a VPC is that the flow path is cached so when you change routes you may not see the packets flow along that "new" route immediately. You might try stopping the existing ping or try sending ICMP echo requests to another destination.

AWS EXPERT
answered 2 years ago
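As an added example (not code from the question or the answer), the following shell script collects the two things the replacement firewall needs: the ip_forward, DNAT and MASQUERADE configuration the question describes, and the source/destination check the accepted answer points at. The interface name (eth0), the instance ID and the DRY_RUN switch are assumptions; the addresses are the fictitious ones from the question.

```shell
#!/bin/sh
# Provisioning checklist for the replacement NAT/firewall instance.
# Addresses are the constructed values from the question; adjust to your VPC.
FW_PRIVATE_IP="10.10.0.254"      # new firewall's private IP (EIP 45.67.3.43 maps to it)
PRIVATE_CIDR="10.10.1.0/24"      # private subnet that routes 0.0.0.0/0 via the firewall
RDS_HOST="10.10.1.10"            # Windows RDS host behind the firewall
FW_IFACE="${FW_IFACE:-eth0}"     # assumption: eth0 on Amazon Linux 2 (ens5 on AL2023)
DRY_RUN="${DRY_RUN:-0}"          # DRY_RUN=1 prints each command instead of running it

run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# Kernel forwarding plus the NAT rules. Note the DNAT matches the instance's
# private IP: the VPC translates the EIP to the private address before the
# packet reaches the NIC, so a rule matching the public address never fires.
nat_rules() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -A PREROUTING -i "$FW_IFACE" -d "$FW_PRIVATE_IP" \
      -p tcp --dport 3388 -j DNAT --to-destination "$RDS_HOST:3389"
  run iptables -t nat -A POSTROUTING -s "$PRIVATE_CIDR" -o "$FW_IFACE" -j MASQUERADE
}

# The check from the accepted answer: an instance that forwards packets for other
# addresses must have source/destination checking disabled, otherwise the VPC
# drops the traffic before it reaches the NIC (nothing shows up in tcpdump).
src_dst_check_enabled() {
  # Prints "True" while the check is still on. Needs AWS CLI credentials.
  aws ec2 describe-instance-attribute --instance-id "$1" \
      --attribute sourceDestCheck --query 'SourceDestCheck.Value' --output text
}

disable_src_dst_check() {
  run aws ec2 modify-instance-attribute --instance-id "$1" --no-source-dest-check
}

# Usage: sh fw-setup.sh apply i-0123456789abcdef0   (hypothetical instance ID)
case "${1:-}" in
  apply) nat_rules; disable_src_dst_check "$2" ;;
esac
```

Run it once with DRY_RUN=1 to review the exact commands before applying them on the new instance.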

Thank you for the response. The NAT instances link is helpful. On the old FW I have src/dst check stopped, however, on the new FW it is not stopped (like I said, it's been a while!). I will stop the src/dst check and try tomorrow morning AEST as I have a handful of users now logged on. Thanks again! :-)

answered 2 years ago

For testing purposes I added a new route for my public home IP address with a target of the new firewall and deployed a new Windows instance. It is working! Happy days.

answered 2 years ago
