<div dir="ltr">Geordie,<div><br></div><div>Is it possible that you have missed a rule on:</div><div><br></div><div>- The local firewall</div><div>- The security group the instance is defined in (bi-directional in VPC)</div>

<div>- A NACL</div><div>- Configured route on the VPC to actually send the traffic through your VPC's VPN</div><div>- Configured your local VPN endpoint to accept the traffic</div><div>- Configured any other firewalls along the way</div>

<div><br></div><div>There are a lot of layers to the onion that you will need to drill through, and I am more likely to side with AWS not doing the wrong thing here, otherwise you would not be the first to hit this problem...</div>

</div><div class="gmail_extra"><br><br><div class="gmail_quote">On 8 April 2014 12:21, Geordie Guy <span dir="ltr"><<a href="mailto:elomis@gmail.com" target="_blank">elomis@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div dir="ltr">I've got a fault raised at the same time as I'm asking the NOG community for a workaround.</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Apr 8, 2014 at 12:18 PM, Mark Foster <span dir="ltr"><<a href="mailto:blakjak@blakjak.net" target="_blank">blakjak@blakjak.net</a>></span> wrote:<br>



<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    Did you raise a fault with AWS? If they've 'misdefined' RFC1918
    perhaps they simply need to ... fix it?<div><div><br>
    <br>
    <br>
    <br>
    <div>On 8/04/2014 2:16 p.m., Geordie Guy
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">Yeah OK let me clarify, you didn't miss something,
        I did.
        <div><br>
        </div>
        <div>172.31.1.2 may be inside RFC1918, but I don't think the AWS
          systems have a copy of the RFC as text and use it, there's
          another set of rules it uses (that may be a subset of RFC1918
          - maybe <a href="http://10.0.0.0/8" target="_blank">10.0.0.0/8</a>)
          that are the only ones it'll allow for local routing and down
          tunnels to on-premise environments.  I think *glaring angrily
          at the console*, actually it'll only allow <a href="http://172.16.0.0/16" target="_blank">172.16.0.0/16</a>
          down tunnels or locally and sends <a href="http://172.31.0.0/16" target="_blank">172.31.0.0/16</a> to the
          Internet.</div>
        <div><br>
        </div>
        <div>Either way, I need to redirect a socket.</div>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Tue, Apr 8, 2014 at 12:11 PM, Mark
          Foster <span dir="ltr"><<a href="mailto:blakjak@blakjak.net" target="_blank">blakjak@blakjak.net</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF"> Did I miss something?<br>
              <br>
              <h2><span>Private IPv4 address spaces</span></h2>
              <p>The <a href="https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force" title="Internet Engineering Task Force" target="_blank">Internet Engineering Task Force</a>
                (IETF) has directed the <a href="https://en.wikipedia.org/wiki/Internet_Assigned_Numbers_Authority" title="Internet Assigned Numbers Authority" target="_blank">Internet Assigned Numbers Authority</a>
                (IANA) to reserve the following IPv4 address ranges for
                private networks, as published in <a rel="nofollow" href="https://tools.ietf.org/html/rfc1918" target="_blank">RFC 1918</a>:<sup><a href="https://en.wikipedia.org/wiki/Private_network#cite_note-1" target="_blank"><span>[</span>1<span>]</span></a></sup></p>




              <table>
                <tbody>
                  <tr>
                    <th>RFC1918 name</th>
                    <th>IP address range</th>
                    <th>number of addresses</th>
                    <th>largest <a href="https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing" title="Classless Inter-Domain Routing" target="_blank">CIDR</a> block (subnet mask)</th>
                    <th>host id size</th>
                    <th>mask bits</th>
                    <th><i><a href="https://en.wikipedia.org/wiki/Classful_network" title="Classful network" target="_blank">classful</a></i>
                      description<sup><a href="https://en.wikipedia.org/wiki/Private_network#cite_note-3" target="_blank"><span>[</span>Note 1<span>]</span></a></sup></th>
                  </tr>
                  <tr>
                    <td>24-bit block</td>
                    <td>10.0.0.0 - 10.255.255.255</td>
                    <td>16,777,216</td>
                    <td><a href="http://10.0.0.0/8" target="_blank">10.0.0.0/8</a>
                      (255.0.0.0)</td>
                    <td>24 bits</td>
                    <td>8 bits</td>
                    <td>single <a href="https://en.wikipedia.org/wiki/Class_A_network" title="Class A network" target="_blank">class A
                        network</a></td>
                  </tr>
                  <tr>
                    <td>20-bit block</td>
                    <td>172.16.0.0 - 172.31.255.255</td>
                    <td>1,048,576</td>
                    <td><a href="http://172.16.0.0/12" target="_blank">172.16.0.0/12</a>
                      (255.240.0.0)</td>
                    <td>20 bits</td>
                    <td>12 bits</td>
                    <td>16 contiguous class B networks</td>
                  </tr>
                  <tr>
                    <td>16-bit block</td>
                    <td>192.168.0.0 - 192.168.255.255</td>
                    <td>65,536</td>
                    <td><a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a>
                      (255.255.0.0)</td>
                    <td>16 bits</td>
                    <td>16 bits</td>
                    <td>256 contiguous class C networks</td>
                  </tr>
                </tbody>
              </table>
              <br>
              .... pretty sure that 172.31.1.x IPs fit nicely within
              that 20-bit block that encompasses everything from
              172.16.0.0 to 172.31.255.255...<br>
              <br>
              So where you've said 'non-RFC1918' you in fact mean
              'RFC1918', right? So you're having problems with AWS
              routing traffic for these RFC1918 addresses to the
              Internet when that's not what you want?<br>
              <br>
              Mark.
              <div>
                <div><br>
                  <br>
                  <div>On 8/04/2014 2:07 p.m., Geordie Guy wrote:<br>
                  </div>
                </div>
              </div>
              <blockquote type="cite">
                <div>
                  <div>
                    <div dir="ltr">Hi Folks,
                      <div><br>
                      </div>
                      <div>Working with a B2B partner who has exposed
                        non-RFC1918 addresses 172.31.1.2 and 172.31.1.3
                        through a VPN tunnel to our environment, and
                        this works fine for hitting a web service down
                        the tunnel from our local networks.  We have a
                        development footprint in AWS that is shanking at
                        this, because an overlying abstraction layer for
                        how AWS S3 instances route means that if it sees
                        a non-RFC1918 range it sends it out to the
                        Internet regardless of any host or other level
                        routes that are specified.  I can set route add
                        <a href="http://172.31.1.0/24" target="_blank">172.31.1.0/24</a>
                        via a gateway or for that matter the loopback
                        until I go blue in the face and the server will
                        merrily continue to try and find the IP on the
                        Internet.</div>
                      <div><br>
                      </div>
                      <div>What I need to do, other than not allow
                        design decisions that involve non-RFC1918
                        addresses for private networks, is redirect a
                        TCP port (443) from an IP that I *CAN* hit
                        inside our network, to the 172.31.1.0 range down
                        the tunnel, so that <span style="line-height:18px;font-size:12px;font-family:Arial,Helvetica,sans-serif"><a href="http://1654287.r.msn.com" target="_blank">1654287.r.msn.com</a> stops
                          scratching his head at the traffic trying to
                          hit him from AWS.</span></div>
                      <div><span style="line-height:18px;font-size:12px;font-family:Arial,Helvetica,sans-serif"><br>
                        </span></div>
                      <div><span style="line-height:18px;font-size:12px;font-family:Arial,Helvetica,sans-serif">What

                          do I do to accomplish this?  Netcat?  And
                          before anyone says NAT, there's already been
                          enough bad decisions made here.</span></div>
                      <div><span style="line-height:18px;font-size:12px;font-family:Arial,Helvetica,sans-serif"><br>
                        </span></div>
                      <div><span style="line-height:18px;font-size:12px;font-family:Arial,Helvetica,sans-serif">Regards,</span></div>
                      <div><span style="line-height:18px;font-size:12px;font-family:Arial,Helvetica,sans-serif"><br>
                        </span></div>
                      <div><span style="line-height:18px;font-size:12px;font-family:Arial,Helvetica,sans-serif">Geordie</span></div>
                    </div>
                    <br>
                    <fieldset></fieldset>
                    <br>
                  </div>
                </div>
                <pre>_______________________________________________
AusNOG mailing list
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a>
</pre>
              </blockquote>
              <br>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
</div></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><img src="https://lh5.googleusercontent.com/-aWq61wdav6s/UM_3TdCcU9I/AAAAAAAAAEE/JxSBQrF1JzI/w600-h148-p-k/ganderson_footer_small.png"><br>
</div>
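<p>An added example, not code from the thread or from AWS: it checks the addresses the thread argues about against the RFC 1918 ranges in Mark's table (172.31.1.2 sits in 172.16.0.0/12 but not in 172.16.0.0/16) and then models the route-table layer from Gavin's checklist, selecting a route by longest prefix match over a constructed VPC route table. It goes beyond the thread's single case by handling any route table: with no route for 172.31.1.0/24 the lookup falls to the 0.0.0.0/0 default, with a route to the VPN gateway it does not, and a final check flags a partner range that collides with the VPC's own CIDR, where no route-table entry can help. All route targets ("local", "igw-example", "vgw-example") and VPC CIDRs are constructed placeholders.</p>

```python
"""Constructed example: RFC 1918 membership and VPC route-table lookup.

Not code from the AusNOG thread. Route targets and VPC CIDRs are
constructed placeholders; longest-prefix match is the selection model.
"""
import ipaddress
from typing import List, Optional, Tuple

# RFC 1918 private ranges, as listed in the table quoted in the thread.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# A route is (destination CIDR, target). Constructed target names:
# "local" is the VPC's implicit route for its own CIDR, "vgw-..." a
# virtual private gateway (the VPN), "igw-..." an internet gateway.
Route = Tuple[str, str]


def in_network(addr: str, cidr: str) -> bool:
    """True if addr falls inside cidr (e.g. 172.31.1.2 in 172.16.0.0/12)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def rfc1918_block(addr: str) -> Optional[str]:
    """Return the RFC 1918 block containing addr, or None if it is not private."""
    ip = ipaddress.ip_address(addr)
    for net in RFC1918:
        if ip in net:
            return str(net)
    return None


def select_route(routes: List[Route], dest: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route whose CIDR contains dest.

    Returns None when nothing matches (no default route configured).
    """
    ip = ipaddress.ip_address(dest)
    best: Optional[Route] = None
    best_len = -1
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and net.prefixlen > best_len:
            best, best_len = (cidr, target), net.prefixlen
    return best


def overlaps_vpc_cidr(vpc_cidr: str, remote_cidr: str) -> bool:
    """True if the remote range collides with the VPC's own address space.

    Such a destination is already claimed by the VPC's local route, so no
    route-table entry will carry it down a VPN; the address plan must change.
    """
    return ipaddress.ip_network(vpc_cidr).overlaps(ipaddress.ip_network(remote_cidr))


def explain(routes: List[Route], dest: str) -> str:
    """One-line diagnosis of which route packets to dest will take."""
    block = rfc1918_block(dest)
    priv = f"inside RFC 1918 {block}" if block else "not RFC 1918"
    route = select_route(routes, dest)
    if route is None:
        return f"{dest} ({priv}): no matching route, dropped"
    cidr, target = route
    return f"{dest} ({priv}): matched {cidr} -> {target}"


if __name__ == "__main__":
    # Scenario 1: VPC on 10.0.0.0/16 with only a default route. The partner's
    # 172.31.1.0/24 has no specific route, so it falls to the internet gateway.
    table = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-example")]
    print(explain(table, "172.31.1.2"))
    # Scenario 2: add a route to the VPN gateway and the same destination
    # is now the more specific match.
    table.append(("172.31.1.0/24", "vgw-example"))
    print(explain(table, "172.31.1.2"))
    # Scenario 3: a VPC whose own CIDR is 172.31.0.0/16 collides with the
    # partner range; the local route already owns those addresses.
    print(overlaps_vpc_cidr("172.31.0.0/16", "172.31.1.0/24"))
```

<p>Run it stand-alone to see the three scenarios; to diagnose a real VPC, replace the constructed table with the entries from the route table attached to the instance's subnet and keep the security group, NACL and on-premise firewall checks from the list above as separate steps, since this models only the routing layer.</p>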