Half working routing



  • I have an AWS site and a local office site. I have OpenVPN set up with working connections, and I also have BGP configured for routing.

    Everything is connected. However, routing is acting a bit weird.

    I am able to ping from the local office site to AWS just fine; however, I am NOT able to ping from the AWS site to the local office.

    Not sure what I am missing.

    I tried adding a static route on the AWS side and added the right networks to the security groups. Still not able to route.

    Pinging anything in the 173.31.0.0/16 from the 10.0.96.0/19 network works just fine, but pinging anything in the 10.0.96.0/19 from anywhere in the 173.31.0.0/16 network fails.

    Pinging from the AWS pfSense works to anything in the 10.0.96.0/19 network, and pinging from the local pfSense to 173.31.0.0/16 works as well if done from the pfSense.

    Not sure what I am missing.

    Diagrams attached.

    Any suggestions? I don't have a full AWS support plan yet, so I thought I would check here first.

    ![AWS to RGB Site Routing - half working.jpg](/public/imported_attachments/1/AWS to RGB Site Routing - half working.jpg)



  • Once the tunnel is up it should be all about what you allow. What do your VPN firewall rules look like?



  • Here are my rules for the AWS (AWS) and Local Site (Site)

    ![AWS FW.PNG](/public/imported_attachments/1/AWS FW.PNG)
    ![AWS FW 2.PNG](/public/imported_attachments/1/AWS FW 2.PNG)
    ![Site FW.PNG](/public/imported_attachments/1/Site FW.PNG)
    ![Site FW 2.PNG](/public/imported_attachments/1/Site FW 2.PNG)
    ![Site FW 3.PNG](/public/imported_attachments/1/Site FW 3.PNG)



  • Just making a bump.

    Just wondering if anyone has suggestions.



  • Added a rule to allow all AWS to Remote. Now traffic works, but the issue has flipped: adding a rule on the Remote site has no impact/effect for traffic going the other way.

    AWS to Remote now works; before it didn't.

    Remote to AWS now FAILS; before it worked.

    All I added was a rule on the AWS side for each remote site. Example: allow all traffic, source 172.31.0.0/16, destination 10.0.96.0/19.

    I am confused. I tried adding a static route on the Remote site (using the same example as above), but it won't take the OpenVPN IP as a gateway (192.168.0.40.1), and using 10.0.96.1 does nothing.

    Not sure if pushing a route via the OpenVPN connection would solve this.
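
An added example, not from any of the posts above, that models the point made in the reply about the tunnel being "all about what you allow" and the flipped behaviour described in the last post: two pfSense boxes joined by OpenVPN, with first-match rules per interface, implicit default deny and a state table. It assumes 172.31.0.0/16 for the AWS side (the figure in the later post; the earlier 173.31.0.0/16 reads like a typo), constructs the hosts 10.0.100.10 and 172.31.5.20 as sample endpoints, and collapses pf's per-interface state binding and outbound rules into one flow table per firewall. In this model a rule on a firewall's OpenVPN tab only applies to traffic entering that firewall from the tunnel, so its source is the far network and its destination the local one; the reply direction passes on state with no rule at all.

```python
"""Two pfSense firewalls over an OpenVPN tunnel, modelled just far enough to
show why a site-to-site link can work in one direction only.
Example code written for this thread, not pfSense code. Simplifications:
first-match rule evaluation, implicit default deny, and a single flow-level
state table per firewall. Hosts 10.0.100.10 and 172.31.5.20 are constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

SITE_LAN = ip_network("10.0.96.0/19")   # local office LAN (from the thread)
AWS_VPC = ip_network("172.31.0.0/16")   # AWS VPC CIDR (figure from the later post)
ANY = ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str          # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and dst in self.dst


@dataclass
class Firewall:
    name: str
    rules: dict = field(default_factory=dict)  # interface -> [Rule], first match wins
    states: set = field(default_factory=set)   # (src, dst) flows already admitted

    def admit(self, iface: str, src: IPv4Address, dst: IPv4Address) -> bool:
        """Inbound check for a packet arriving on iface."""
        # An existing state passes in both directions: this is why replies need no rule.
        if (src, dst) in self.states or (dst, src) in self.states:
            return True
        for rule in self.rules.get(iface, []):
            if rule.matches(src, dst):
                if rule.action == "pass":
                    self.states.add((src, dst))
                    return True
                return False           # explicit block
        return False                   # pfSense implicit default deny


def build(site_ovpn_rules, aws_ovpn_rules):
    """LAN tabs keep the stock 'LAN net to any' pass rule; the OpenVPN tabs are
    the part the thread is about."""
    site = Firewall("site", {"lan": [Rule("pass", SITE_LAN, ANY)], "openvpn": list(site_ovpn_rules)})
    aws = Firewall("aws", {"lan": [Rule("pass", AWS_VPC, ANY)], "openvpn": list(aws_ovpn_rules)})
    return site, aws


def ping(src_fw: Firewall, dst_fw: Firewall, src: str, dst: str):
    """Walk an echo request out through src_fw, in through dst_fw, and the echo
    reply back. Returns (ok, hop); hop names the firewall:interface that
    dropped the packet, or 'ok'."""
    s, d = ip_address(src), ip_address(dst)
    path = [
        (src_fw, "lan", s, d),      # request enters the local firewall from its LAN
        (dst_fw, "openvpn", s, d),  # request arrives at the far firewall over the tunnel
        (dst_fw, "lan", d, s),      # reply enters the far firewall from its LAN
        (src_fw, "openvpn", d, s),  # reply arrives home over the tunnel
    ]
    for fw, iface, a, b in path:
        if not fw.admit(iface, a, b):
            return False, f"{fw.name}:{iface}"
    return True, "ok"


def trial(site_ovpn_rules, aws_ovpn_rules):
    """One ping per direction, each against fresh firewalls so no leftover
    state from the first ping can carry the second one."""
    site, aws = build(site_ovpn_rules, aws_ovpn_rules)
    s2a = ping(site, aws, "10.0.100.10", "172.31.5.20")
    site, aws = build(site_ovpn_rules, aws_ovpn_rules)
    a2s = ping(aws, site, "172.31.5.20", "10.0.100.10")
    return {"site_to_aws": s2a, "aws_to_site": a2s}


def scenario_one_sided():
    """Only the AWS pfSense passes the far network on its OpenVPN tab."""
    return trial([], [Rule("pass", SITE_LAN, AWS_VPC)])


def scenario_both_sides():
    """Each pfSense passes the far network inbound on its own OpenVPN tab."""
    return trial([Rule("pass", AWS_VPC, SITE_LAN)], [Rule("pass", SITE_LAN, AWS_VPC)])


def scenario_block_above_pass():
    """First match wins: a broad block above the pass rule swallows it."""
    site, aws = build([Rule("block", ANY, ANY), Rule("pass", AWS_VPC, SITE_LAN)],
                      [Rule("pass", SITE_LAN, AWS_VPC)])
    return ping(aws, site, "172.31.5.20", "10.0.100.10")


if __name__ == "__main__":
    print("one-sided     ", scenario_one_sided())
    print("both sides    ", scenario_both_sides())
    print("block above pass", scenario_block_above_pass())
```

Running it prints the three scenarios. The one-sided case reproduces the first post's symptom (site to AWS works, AWS to site is dropped at the site pfSense's OpenVPN interface, the only hop with no pass rule for it), the second shows both directions working once each OpenVPN tab passes the far network as source, and the third shows that a block placed above the pass rule on the same tab wins because pfSense evaluates rules first match.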

