Hi all, moving some servers out of an old site into the AWS cloud. Wanting to use a MikroTik NAT instance in front of a VPC connected to the office via IPsec to extend the LAN into the cloud. Currently can't get either the NAT to work or the IPsec between the MikroTik boxes. Does anyone have this type of setup working, or is it a no-go? I realise I can use the AWS IPsec endpoint and NAT device, but the MT is much more flexible if I can get it working. Thanks, Matt
Hi Matt,

The NAT thing is doable, we are doing it. The IPsec thing is not; you will need to use the inbuilt AWS setup for that.

Cheers,
Dave

From: Matt Chipman <mrbc42@gmail.com>
Sent: June 23, 2017 at 11:49:17 AM GMT+10
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: [MT-AU Public] AWS mikrotik NAT instance

Hi all, moving some servers out of an old site into the AWS cloud. Wanting to use a MikroTik NAT instance in front of a VPC connected to the office via IPsec to extend the LAN into the cloud. Currently can't get either the NAT to work or the IPsec between the MikroTik boxes. Does anyone have this type of setup working, or is it a no-go? I realise I can use the AWS IPsec endpoint and NAT device, but the MT is much more flexible if I can get it working. Thanks, Matt

_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
I used EoIP (add IPsec to encrypt it); it's easier to deal with routing and you can just use the firewall as normal. AWS also has security that prevents forwarding by default into the virtual network; you also have to enable forwarding for the device in the AWS setup to allow the virtual LAN to forward external IPs to it (I can't remember the network option, but it's a check box). Also check your firewalling, as you have multiple levels for this in AWS, L2 & L3. I had trouble with this part: captures showed the packets leaving the server but never reaching the MikroTik on the same LAN, so AWS were still filtering on the virtual LAN, blocking the external IPs; the forwarding option is supposed to allow this. I ended up using a 1-1 NAT or port forwarding, routing our own IPs down the tunnel using loopbacks NATing onto the LAN to get around the forwarding lockout.

Darren

On 23/06/2017 11:49 AM, Matt Chipman wrote:
Hi all, moving some servers out of an old site into the AWS cloud. Wanting to use a mikrotik NAT instance in front of a VPC connected to the office via IPSEC to extend the LAN into the cloud.
Currently can't get either the NAT to work or the IPSEC between the mikrotik boxs. Does anyone have this type of setup working or is it a no go?
I realise I can use AWS IPSEC endpoint and NAT device but the MT is much more flexible if I can get it working.
Thanks Matt
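Darren's setup, written out as an added RouterOS configuration so the pieces he describes (EoIP with IPsec, the AWS-side forwarding restriction, and the loopback/1:1 NAT workaround) can be seen together. This is an illustration added to the thread, not Darren's own config, and every address, name and number in it is assumed: office MikroTik on 203.0.113.10 with LAN 192.168.10.0/24; a MikroTik CHR in VPC subnet 10.0.1.0/24 at 10.0.1.10 behind Elastic IP 198.51.100.20; tunnel addresses 172.16.0.1/30 and 172.16.0.2/30; tunnel-id 42; a "loopback" range 192.168.200.0/24 that the office routes down the tunnel and the cloud side NATs onto VPC instances 10.0.1.50 and 10.0.1.60. The check box Darren could not recall is the instance's Source/Destination Check; it is cleared with `aws ec2 modify-instance-attribute --instance-id <id> --no-source-dest-check`. Because `ipsec-secret` on an EoIP interface makes RouterOS wrap the GRE in IPsec transport mode, the security group on the CHR's network interface needs to allow UDP 500, UDP 4500 and IP protocol 50 (ESP) from the office address; no plaintext GRE should ever cross the VPC.

```routeros
# --- Office MikroTik (assumed WAN 203.0.113.10, LAN 192.168.10.0/24) ---
# EoIP carries GRE; ipsec-secret makes RouterOS encrypt it in IPsec transport mode.
# tunnel-id and ipsec-secret must match on both ends; use a long random PSK.
/interface eoip add name=eoip-aws remote-address=198.51.100.20 tunnel-id=42 \
    ipsec-secret="REPLACE-WITH-LONG-RANDOM-PSK"
/ip address add address=172.16.0.1/30 interface=eoip-aws
# The VPC subnet and the cloud-side "loopback" range are reached via the tunnel.
/ip route add dst-address=10.0.1.0/24 gateway=172.16.0.2
/ip route add dst-address=192.168.200.0/24 gateway=172.16.0.2
# Keep tunnel-bound traffic out of the office WAN masquerade (move these above it).
/ip firewall nat add chain=srcnat dst-address=10.0.1.0/24 action=accept
/ip firewall nat add chain=srcnat dst-address=192.168.200.0/24 action=accept

# --- AWS-side MikroTik CHR (assumed ether1 = 10.0.1.10/24, Elastic IP 198.51.100.20) ---
/interface eoip add name=eoip-office remote-address=203.0.113.10 tunnel-id=42 \
    ipsec-secret="REPLACE-WITH-LONG-RANDOM-PSK"
/ip address add address=172.16.0.2/30 interface=eoip-office
/ip route add dst-address=192.168.10.0/24 gateway=172.16.0.1
# Only let IKE/ESP in from the office, and only accept GRE that arrived inside IPsec,
# so nobody on the internet can inject plaintext GRE frames into the tunnel.
/ip firewall filter add chain=input in-interface=ether1 src-address=203.0.113.10 \
    protocol=udp dst-port=500,4500 action=accept comment="IKE and NAT-T from office"
/ip firewall filter add chain=input in-interface=ether1 src-address=203.0.113.10 \
    protocol=ipsec-esp action=accept comment="ESP from office (when NAT-T is not used)"
/ip firewall filter add chain=input protocol=gre ipsec-policy=in,ipsec action=accept \
    comment="EoIP only when it came through IPsec"
/ip firewall filter add chain=input protocol=gre action=drop comment="plaintext GRE"
# Darren's workaround for the VPC forwarding lockout: a loopback range the office
# routes down the tunnel, 1:1 NATed (or port-forwarded) onto VPC instances here.
/interface bridge add name=lo-cloud protocol-mode=none
/ip address add address=192.168.200.1/24 interface=lo-cloud
/ip firewall nat add chain=dstnat in-interface=eoip-office dst-address=192.168.200.5 \
    action=dst-nat to-addresses=10.0.1.50 comment="1:1 NAT -> app server (assumed)"
/ip firewall nat add chain=dstnat in-interface=eoip-office dst-address=192.168.200.6 \
    protocol=tcp dst-port=443 action=dst-nat to-addresses=10.0.1.60 \
    comment="port forward -> web server (assumed)"
# Masquerade office sources onto the CHR's VPC address so instances reply to 10.0.1.10.
# This works with the VPC route table untouched; for transparent routing instead,
# drop this rule, add a VPC route 192.168.10.0/24 -> the CHR's ENI, and make sure
# Source/Destination Check is disabled on that instance.
/ip firewall nat add chain=srcnat out-interface=ether1 src-address=192.168.10.0/24 \
    action=masquerade
```

After applying both halves, `/ip ipsec installed-sa print` on either router should show SAs for the two public addresses, and a ping from the office LAN to 192.168.200.5 should land on 10.0.1.50 with the CHR's 10.0.1.10 as its source. Since the CHR sits behind AWS's 1:1 NAT, IKE will normally detect NAT and carry ESP inside UDP 4500, which is why both the 4500 rule and the ESP rule are present.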
On Fri, 2017-06-23 at 11:49 +1000, Matt Chipman wrote:
Hi all, moving some servers out of an old site into the AWS cloud. Wanting to use a mikrotik NAT instance in front of a VPC connected to the office via IPSEC to extend the LAN into the cloud.
Maybe I misunderstand your intent, but what "flexibility" do you need? If you want any traffic volume, you will pay way more for a suitable instance than the AWS features will cost you. The AWS Hardware VPN works fine to MikroTik routers (though you don't get both links due to a MikroTik limitation, but it basically doesn't matter).

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au) work +61 2 64957435
http://www.nullarbor.com.au mobile +61 428 957160
GPG fingerprint: 58F8 09D4 97E4 D74A 0940 44BC 8D6D C28C 3BC9 B0CB
Old fingerprint: 6D59 8AE6 810D 44E3 7626 7040 4DD6 F89F 3053 4774
On Fri, 2017-06-23 at 11:49 +1000, Matt Chipman wrote:
Hi all, moving some servers out of an old site into the AWS cloud. Wanting to use a mikrotik NAT instance in front of a VPC connected to the office via IPSEC to extend the LAN into the cloud.
The other advantage of a Hardware VPN is that you don't need an Internet Gateway on the VPC. If you don't add one, then the only way in or out of the VPC is via the VPN. Handy if that's what you want.

Regards, K.
participants (4): Darren Clissold, Dave Browning, Karl Auer, Matt Chipman