Custom NAT instance does not forward requests cross AZ

0

Hello,

I have a custom NAT instance that is supposed to route internet for instances in two subnets.

The instance is set up simply using user data + eth1 with source/destination check off.

  #!/bin/bash
  # Enable IPv4 forwarding between the two interfaces
  sysctl -w net.ipv4.ip_forward=1
  # Rewrite the source address of traffic leaving via eth0 (the public interface)
  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  # Allow replies from the internet back to the private side
  iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
  # Allow private instances (eth1) out to the internet (eth0)
  iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

  • NAT is in AZ-B.
  • Private instance in AZ-B can connect to the internet.
  • Private instance in AZ-C cannot connect.
  • All instances can SSH to each other.

On further investigation it seems that the problem lies somewhere inside the guest OS. The packets from subnet C are visible on eth1 with tcpdump and Wireshark.

Route table is the same for both private subnets. This is the flow log I collected by curling to google.com. I simplified it, so that B and C = private IPs in respective AZ. Nothing seems to be rejected on any end.

  @time     srcAddr     srcPort  dstAddr     dstPort  action  interfaceId
  09:46:11  google.com  80       Public NAT  60410    ACCEPT  Public NAT
  09:46:11  Public NAT  60410    google.com  80       ACCEPT  Public NAT
  09:45:41  B           60410    google.com  80       ACCEPT  Private B
  09:45:41  google.com  80       B           60410    ACCEPT  Private B
  09:45:39  NAT         80       B           60410    ACCEPT  Private NAT
  09:45:39  B           60410    NAT         80       ACCEPT  Private NAT
  09:41:25  C           40872    google.com  80       ACCEPT  Private C
  09:41:23  C           40872    NAT         80       ACCEPT  Private NAT
  09:40:09  C           48212    NAT         80       ACCEPT  Private NAT
  09:39:52  C           48212    google.com  80       ACCEPT  Private C

ppab-sp
asked 9 months ago, 221 views
3 Answers
1
Accepted Answer

Based on the routes you provided, it makes logical sense to add a new route to the NAT instance as follows for the other subnet.

I am assuming eni-04682433028b75d56 is eth1 on the NAT device.

10.63.3.0/24 via 10.63.2.1 dev eth1
EXPERT
answered 9 months ago
  • It indeed worked! Thanks a lot! Is it possible for the instances to somehow deduce it from VPC route tables?

  • You had an asymmetric routing issue on your machine because the return traffic was trying to go via eth0, which default routes to the internet. You will have to perform the same steps for any other subnets you add. If you are adding routes manually, the routes will be lost on a reboot. You will need to make these persistent routes by adding them to your eth1 config files: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/sec-configuring_static_routes_with_ip_commands https://www.configserverfirewall.com/ubuntu-linux/add-permanent-static-route-ubuntu/

  • You may be able to write some automation script to do this, but you would need to enumerate subnets, route tables etc. There's no automation to do this. Afraid it's just how IP routing works.

  • Just had a thought. You could try and add your CIDR range instead (confirm your CIDR range):

    10.63.0.0/16 via 10.63.2.1 dev eth1

    The other 2 routes will remain, which is good; they have a higher preference. Then you will not need to make changes for new subnets.

  • Thanks again, I added persistence scripts to user data, fortunately with IaC it's not that much effort to make a loop through all subnets :)

1

Please can you provide route tables for the subnets in question.

Can you provide route table inside of the NAT instance also.

Your NAT instance will need a route back to subnet C out of the correct interface too. I’ve a feeling your default route inside your NAT instance may be breaking the return traffic to subnet C. Without seeing all the routes it’s hard to be sure. I assume the instances on subnet B are on the same subnet as the NAT instance. If so, then naturally the route table routes subnet B out of the correct interface, whereas subnet C is taking the default route.

Thanks

EXPERT
answered 9 months ago
  • Surely, thanks for the suggestion! I added a new answer with formatted response

0

Surely, thanks for the suggestion!

Main rtb:

  Destination              Target
  2a05:d014:97d:e000::/56  local
  10.63.0.0/16             local

For public subnet:

  Destination              Target
  ::/0                     igw-07ee2278a218a671f
  2a05:d014:97d:e000::/56  local
  0.0.0.0/0                igw-07ee2278a218a671f
  10.63.0.0/16             local

For private subnets (the same for both):

  Destination              Target
  ::/0                     eigw-0f26feb7612f0017b
  2a05:d014:97d:e000::/56  local
  0.0.0.0/0                eni-04682433028b75d56
  10.63.0.0/16             local

Routes on Linux - private B:

  default via 10.63.2.1 dev eth0
  10.63.2.0/24 dev eth0 proto kernel scope link src 10.63.2.164
  169.254.169.254 dev eth0

Routes on Linux - private C:

  default via 10.63.3.1 dev eth0
  10.63.3.0/24 dev eth0 proto kernel scope link src 10.63.3.135
  169.254.169.254 dev eth0

Routes on Linux - NAT:

  default via 10.63.1.1 dev eth0
  default via 10.63.2.1 dev eth1 metric 10001
  10.63.1.0/24 dev eth0 proto kernel scope link src 10.63.1.244
  10.63.2.0/24 dev eth1 proto kernel scope link src 10.63.2.159
  169.254.169.254 dev eth0

ppab-sp
answered 9 months ago
  • thanks for that.. is eni-04682433028b75d56 eth1 of the NAT box?
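The asymmetric-routing explanation from the accepted answer, worked through against the NAT instance's Linux route table posted in this thread, as an added example that is not part of the original thread or of any AWS tooling: the script below emulates the kernel's longest-prefix-match route selection (with metric as the tie-breaker) and shows which interface a reply to each private instance would leave on, before and after the whole-VPC return route is added. The private addresses and routes are the ones quoted in the thread; 203.0.113.10 is a constructed stand-in for an internet destination.

```shell
#!/bin/sh
# Added example, not code from the original thread: emulate the kernel's
# longest-prefix-match route selection over the NAT instance's route table
# quoted in the thread, before and after the return route from the accepted
# answer. 203.0.113.10 is a constructed public address (TEST-NET-3).

ip_to_int() {
  # Dotted quad -> 32-bit integer, using only parameter expansion.
  a=${1%%.*}; rest=${1#*.}
  b=${rest%%.*}; rest=${rest#*.}
  c=${rest%%.*}; d=${rest#*.}
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

cidr_contains() {
  # cidr_contains CIDR IP: succeeds when IP lies inside CIDR.
  net=${1%/*}; bits=${1#*/}
  if [ "$bits" -eq 0 ]; then
    mask=0
  else
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  fi
  [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

pick_egress_dev() {
  # pick_egress_dev IP "ROUTES": print the interface a packet to IP leaves on.
  # The most specific prefix wins; among equal prefixes the lower metric wins.
  # A route without a metric counts as 0, so the eth0 default beats the eth1
  # default with metric 10001: that is the asymmetric path the answer describes.
  target=$1; routes=$2
  best_bits=-1; best_metric=2147483647; best_dev=none
  while read -r line; do
    case $line in ''|'#'*) continue ;; esac
    set -- $line
    dest=$1; shift
    case $dest in default) dest=0.0.0.0/0 ;; esac
    case $dest in */*) ;; *) dest=$dest/32 ;; esac   # host route such as 169.254.169.254
    dev=''; metric=0
    while [ $# -gt 0 ]; do
      case $1 in
        dev) dev=$2; shift ;;
        metric) metric=$2; shift ;;
      esac
      shift
    done
    cidr_contains "$dest" "$target" || continue
    bits=${dest#*/}
    if [ "$bits" -gt "$best_bits" ] || { [ "$bits" -eq "$best_bits" ] && [ "$metric" -lt "$best_metric" ]; }; then
      best_bits=$bits; best_metric=$metric; best_dev=$dev
    fi
  done <<EOF
$routes
EOF
  echo "$best_dev"
}

# NAT instance routes as posted in the thread (eth0 public, eth1 in private B).
ROUTES_BEFORE='default via 10.63.1.1 dev eth0
default via 10.63.2.1 dev eth1 metric 10001
10.63.1.0/24 dev eth0 proto kernel scope link src 10.63.1.244
10.63.2.0/24 dev eth1 proto kernel scope link src 10.63.2.159
169.254.169.254 dev eth0'

# The same table plus the whole-VPC return route from the accepted answer.
ROUTES_AFTER="$ROUTES_BEFORE
10.63.0.0/16 via 10.63.2.1 dev eth1"

# Private B, private C (addresses from the thread) and a constructed internet host.
for host in 10.63.2.164 10.63.3.135 203.0.113.10; do
  printf '%-13s before: %-4s after: %s\n' "$host" \
    "$(pick_egress_dev "$host" "$ROUTES_BEFORE")" \
    "$(pick_egress_dev "$host" "$ROUTES_AFTER")"
done
```

Run with `sh` on any box; nothing here touches the real routing table. For 10.63.3.135 (private C) the function returns eth0 before the fix, because only the two default routes match and the eth0 one has the lower metric, and eth1 after it, because the /16 is more specific than any default. Private B already left via eth1 through the on-link /24, and the /24 routes keep winning over the /16, which is why the answer notes the existing routes are unaffected. On the real instance, `ip route get 10.63.3.135` from the NAT box is the equivalent check.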
