I found the problem. There was a floating rule that disabled access to the internal network. We never used floating rules, but we did have virtual networks that the rules were for, and these networks were removed with the move to the new location. After disabling these rules my test works (a simple webserver with a default page and a NAT rule to access it from outside).
@ghummantech
Hi, I was able to resolve the issue by selecting a different EC2 instance size; t3 or larger (without burst limit) seems to resolve the problem. Give it a try and let me know.
I can change the monitoring IP address in Routing > Gateways > Monitoring to the WAN IP address and the gateway reports good (because it is the ping status from the WAN interface).
However, the firewall LAN still reports Blue Gateway status and no traffic is routing via the LAN rule.
@divsys
Haha!
And you are right again. I am not touching it. It works now and I need a break from it. ^_^
Thank you for your advice. It is a valid concern. I left the part not saying why the flag was there at the first place since the entire thing is all my fault. I added it upon suggestions from others and then I forgot. I am pretty sure that this is the only thing I messed up under the hood.
I was able to further trace this to Unbound DNS Resolver. Unbound is frequently stopped, and restarting OpenVPN restarts Unbound. So this is not an OpenVPN issue but is an Unbound issue.
I needed to check the box for "Use a random local source port (lport) for traffic from the client. Without this set, two clients may not run concurrently." on the client export plug-in. This option adds lport 0 to the client config.