AWS ENI source/destination checking
Posted: Thu Jun 22, 2017 9:46 pm
I've spent an embarrassing amount of time messing with network settings of all sorts, reading forum threads here and elsewhere, reading AWS docs and help pages, and howling at the moon. I just finally figured this out / stumbled upon the answer.
I have a typical AWS VPC, with one of the instances on that VPC running OpenVPN from the AWS Linux repo. For the life of me, I have not been able to connect from my client to anything other than the VPN gateway machine. It's like IP forwarding is disabled, except I've checked that about a thousand times in the last couple of days.
Well, here is the answer: The config for an AWS elastic network interface (i.e., eth0) has a setting called "Source/dest. check", and it's true by default. The network interface will discard packets that don't have a source or destination address corresponding to that interface. It's like an extra layer of disabling IP forwarding. Change that setting to false, and your pings will sing.
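The two places the post is talking about, the kernel's IP forwarding knob and the ENI's source/dest check, as an added example that is not part of the original post. It is a small shell script around the AWS CLI (`describe-network-interface-attribute` / `modify-network-interface-attribute`), which is assumed to be installed and configured with permission to describe and modify the ENI; the ENI id on the command line is a placeholder you replace with your own.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits the two settings that
# can silently drop forwarded VPN traffic on an EC2 OpenVPN gateway, then turns
# off the AWS-side one (the ENI "Source/dest. check"). Assumes the AWS CLI is
# configured with ec2:DescribeNetworkInterfaceAttribute and
# ec2:ModifyNetworkInterfaceAttribute for the ENI in question.
set -eu

AWS=${AWS:-aws}                                           # AWS CLI command (overridable)
IP_FORWARD=${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}   # kernel forwarding knob

# 1. Kernel side: prints "enabled" or "disabled" for net.ipv4.ip_forward.
kernel_forwarding() {
    if [ "$(cat "$IP_FORWARD")" = "1" ]; then echo enabled; else echo disabled; fi
}

# 2. AWS side: prints the ENI's SourceDestCheck value. With --output text the
#    CLI renders the boolean as "True" or "False".
eni_source_dest_check() {
    "$AWS" ec2 describe-network-interface-attribute \
        --network-interface-id "$1" \
        --attribute sourceDestCheck \
        --query 'SourceDestCheck.Value' --output text
}

# Turn the check off only when it is currently on, so the script is safe to
# re-run. Prints "changed" or "unchanged".
disable_source_dest_check() {
    if [ "$(eni_source_dest_check "$1")" = "True" ]; then
        "$AWS" ec2 modify-network-interface-attribute \
            --network-interface-id "$1" --no-source-dest-check >/dev/null
        echo changed
    else
        echo unchanged
    fi
}

main() {
    eni=$1
    echo "kernel ip_forward:     $(kernel_forwarding)"
    echo "ENI source/dest check: $(eni_source_dest_check "$eni")"
    echo "action:                $(disable_source_dest_check "$eni")"
    echo "ENI source/dest check: $(eni_source_dest_check "$eni")"
}

# Usage (placeholder ENI id): sh eni-check.sh eni-0123456789abcdef0
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Turning the check off tells AWS to let this ENI send and receive packets for addresses it does not own, which is exactly what a VPN or NAT instance needs and exactly what every other instance should not have, so apply it to the gateway's ENI only and keep the security groups on that instance tight. Note also that the other instances in the VPC need a return path: a route for the VPN client address range pointing at the gateway instance in the subnet's route table, otherwise replies never reach the tunnel even with both settings correct.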