
[Closed] One for the IT Networking specialists

54 Posts
24 Users
0 Reactions
144 Views
Posts: 36
Free Member
Topic starter
 

corporate policy Question:

Mrs S has been told that the reason she cannot connect to drive shares over her company's VPN from home is that my router's IP scheme (192.168.0.xxx) is the same as her company's.

The fact that it doesn't work because of IP address conflicts I get. But more importantly surely it's a pretty shit IT policy that sets up a corporate DHCP server designed to redirect VPN traffic with an IP scheme that conflicts with the vast majority of default domestic schemes (whether 192.168.1 or 0 or 2.xxx)

Surely there's an IT Network Monkey 101 that says set it to 192.168.47.xxx or somesuch or is it a perfectly acceptable bollox-up?

Or am I being precious because I have to redo my DHCP configuration and nursemaid 30+ devices in the house to new IP addresses?


 
Posted : 20/11/2017 10:33 pm
Posts: 1831
Full Member
 

I’m curious for an expert response, sounds fishy to my unexpert mind too....


 
Posted : 20/11/2017 10:35 pm
Posts: 7076
Full Member
 

They have to choose a network range from the private non-routing ranges, see RFC1918 (https://tools.ietf.org/html/rfc1918).

But they could have chosen something from 10.0.0.0/8 instead, which seems pretty common for corporate networks.

But probably someone many years ago chose the 192.168.1.0/24 network and it's now easier to make you jump through hoops than renumber their networks.

Won't their choice mean they can never hire more than about 250 or so employees?


 
Posted : 20/11/2017 10:41 pm
Posts: 15068
Full Member
 

Sounds like a work IT fail.


 
Posted : 20/11/2017 10:45 pm
Posts: 0
Free Member
 

I don't really know this stuff... but I thought it was the VPN server that issued the IP to the remote machine rather than the corporate or local DHCP server.


 
Posted : 20/11/2017 10:50 pm
Posts: 428
Free Member
 

Sounds like a fairly poor VPN setup - I suspect they have split tunnelling enabled which means Internet traffic will go straight out through your Internet connection whilst traffic for the corporate LAN will go down the VPN tunnel. The other advantage of this is that she'll be able to access local network devices (printer / NAS etc) whilst connected to VPN. The IP conflicts would break stuff.

They could disable split tunnelling which would resolve some of the issues, but cause some other issues (mainly around not being able to use network printers at home) and IP address conflicts cause some very odd behaviour which is difficult to diagnose, let alone remotely.

To change all of their servers' IP address range would be a mammoth task, so yes, far easier to tell you to change your home setup.

But probably someone many years ago chose the 192.168.1.0/24 network and it's now easier to make you jump through hoops than renumber their networks.

This +1 - short sighted decision, probably made over 20 years ago.


 
Posted : 20/11/2017 11:00 pm
Posts: 428
Free Member
 

I don't really know this stuff... but I thought it was the VPN server that issued the IP to the remote machine rather than the corporate or local DHCP server.

When connected to a VPN at home you'll have both - a "local" IP address for your home network and a "VPN" IP address. If these are in the same range it can cause issues with routing.


 
Posted : 20/11/2017 11:01 pm
Posts: 36
Free Member
Topic starter
 

To change all of their servers' IP address range would be a mammoth task, so yes, far easier to tell you to change your home setup.

But probably someone many years ago chose the 192.168.1.0/24 network and it's now easier to make you jump through hoops than renumber their networks.
This +1 - short sighted decision, probably made over 20 years ago.

This was my thinking. A combination of incompetence thrust forth by the inertia of stupidity. Bugger.

RFC1918.

Bloody hell oldnpastit, how old are you?! 😀

Yes, 10.0.0.0 would have made much more sense.


 
Posted : 20/11/2017 11:32 pm
Posts: 0
Free Member
 

Your wife's company's IT dept are idiots - 192.168.0.0/24 must be the most commonly used home IP address range in the world - they must see this constantly, and they need only make a small change to their VPN set up to eliminate this problem.


 
Posted : 20/11/2017 11:45 pm
Posts: 76
Free Member
 

Likewise a simple key stroke on your router and you can change yours to 192.168.2.xx

Problem averted.


 
Posted : 21/11/2017 12:45 am
Posts: 7321
Free Member
 

Your wife should have a VPN client on her machine that will connect to the company's external IP address, which won't be 192.168.0.x, I guarantee that. This will then allow her into the corporate VPN where she will be able to access any network resources that she would have access to if she were in the office. Her local / home IP address will be irrelevant. It's the whole point of a VPN.


 
Posted : 21/11/2017 6:41 am
 Alex
Posts: 7447
Free Member
 

RFC 1517 and 1519 if I remember rightly. Ah happy times back when I worked for what was then a proper rival to Cisco. Classless Inter-Domain routing was the thing. Next job I had was for a firm who was actually given a real Class A address (of which there were only 63). Brilliant at the time, not so good now.

Anyway Coyote has it for me. There will be some kind of NAT translation on the ingress. I guess the issue might be that 'your' side of the NAT (ie. the 192 address) is imported into a routing table where that subnet already exists.

Whatever, it's rubbish. I've not worked on this stuff for about 15 years tho, so probably best to ask someone less ancient 😉


 
Posted : 21/11/2017 6:52 am
Posts: 7076
Full Member
 

Her local / home IP address will be irrelevant. It's the whole point of a VPN.

Their VPN server could well be handing out addresses on the same 192.168.0.0/24 subnet, which will cause the routing to go squiffy.


 
Posted : 21/11/2017 6:58 am
Posts: 8613
Full Member
 

Yeah it's not a great idea to use 192.168.0.x or 192.168.1.x on a corporate VPN. It's probably not a lot of work their side to change the IP pool but also depends how they do their firewalling. Thing is there's probably no motivation for them to do it so just change your local DHCP range...


 
Posted : 21/11/2017 7:20 am
Posts: 7321
Free Member
 

Their VPN server could well be handing out addresses on the same 192.168.0.0/24 subnet, which will cause the routing to go squiffy.

No it won't. The VPN server / client relationship will NAT between the external addresses. Most home networks are either 192.168.0.x or 192.168.1.x. You'd be surprised how many corporate networks also use these ranges.

Won't their choice mean they can never hire more than about 250 or so employees?

No. They would use multiple internal subnets.

192.168.1.x
192.168.2.x
192.168.3.x
192.168.4.x
etc...

Your perimeter security will prevent anyone external from seeing what internal network addresses you are using. The only way to legitimately gain access is via VPN client.


 
Posted : 21/11/2017 7:25 am
Posts: 13164
Full Member
 

For small organisations with few people needing VPN access it can work if the corporate network works at the upper end of the address range. Does Mrs Stoner work for a smaller corporate with one poor sap responsible for security, HSE and networking? That person will have a bare grasp of the issues and little time to improve their knowledge as a result.


 
Posted : 21/11/2017 7:25 am
Posts: 36
Free Member
Topic starter
 

Thing is there's probably no motivation for them to do it

Oh, there might be quite a bit of motivation once Mrs S gets to the office.


 
Posted : 21/11/2017 7:30 am
Posts: 7076
Full Member
 

No it won't. The VPN server / client relationship will NAT between the external addresses.

The corporate network I'm on right now is not doing NAT (Cisco). And wouldn't that be really annoying if you wanted to use anything like Windows file sharing from machines at the remote offices?


 
Posted : 21/11/2017 7:35 am
Posts: 7321
Free Member
 

The corporate network I'm on right now is not doing NAT (Cisco). And wouldn't that be really annoying if you wanted to use anything like Windows file sharing from machines at the remote offices?

It won't be doing as it is an internal network, i.e. sitting behind a firewall. On an internal network, all IP ranges must be unique. However if you are VPNing in from an external network, i.e. from home then some form of VPN client using NATing will be in play.

#edit. What is the protocol if you want to access work resources from home / McDonalds / Starbucks etc?


 
Posted : 21/11/2017 7:46 am
Posts: 7076
Full Member
 

However if you are VPNing in from an external network, i.e. from home then some form of VPN client using NATing will be in play.

That's what I'm doing! I'm VPNing in from home. No NAT going on here.

What is the protocol if you want to access work resources from home / McDonalds / Starbucks etc?

It probably won't work.


 
Posted : 21/11/2017 7:57 am
Posts: 7321
Free Member
 

So what is the point of VPNing into work from home if you are not going to use networked resources?


 
Posted : 21/11/2017 8:04 am
Posts: 7076
Full Member
 

So what is the point of VPNing into work from home if you are not going to use networked resources?

They work just fine. Why wouldn't they?

Of course, that relies on the corporate VPN choosing addresses that don't gratuitously conflict with my home network. And/or vice-versa.


 
Posted : 21/11/2017 8:23 am
Posts: 0
Free Member
 

As mentioned above, sounds like they have split tunnelling in use.

Either ask them how to swap to full tunnel or change your internal IP range over to use something else.


 
Posted : 21/11/2017 8:24 am
Posts: 0
Full Member
 

Yup split tunnel. Friends don't let friends use split tunnelling - if they had that enabled as a general rule I wouldn't want to connect my network to theirs, so I wouldn't faff about changing your private range.

Unless the wife says so of course.

EDIT: The VPN doesn't have to NAT - it can offer a valid internal (to the destination) IP range over DHCP, and route as normal. But split tunnelling will confuse it properly if it can see two valid routes to the same network.. you might be able to weight the local routing table but it's not worth the bother compared with moving the home network or disabling split tunnelling on the VPN client - bet you can switch it off yourself actually


 
Posted : 21/11/2017 9:34 am
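The failure mode described in this post and the split-tunnelling posts above (two routes to the same 192.168.0.0/24, so the laptop can only ever reach one side's hosts) and the "readdress to 192.168.2.xx" fix, as an added example that is not from the thread. The interface names, metrics and VPN ranges are constructed; the route lookup is plain longest-prefix-then-lowest-metric as a host's IP stack does it.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

Route = Tuple[str, str, int]  # (destination network, interface, metric)

# Constructed corporate ranges pushed by the VPN client: the thread's
# conflicting 192.168.0.0/24 plus a 10/8 range as a second example.
VPN_NETS = ["192.168.0.0/24", "10.0.0.0/8"]


def build_routes(home_net: str, vpn_nets: Iterable[str]) -> List[Route]:
    """Routing table of a laptop on a split-tunnel VPN (assumed metrics)."""
    routes = [("0.0.0.0/0", "wlan0", 600),   # default route via home router
              (home_net, "wlan0", 600)]      # directly connected home LAN
    # The VPN client installs its ranges with a lower (preferred) metric.
    routes += [(net, "tun0", 50) for net in vpn_nets]
    return routes


def select_route(dest: str, routes: Iterable[Route]) -> Optional[str]:
    """Longest-prefix match, then lowest metric, as a host's stack does."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net_str, iface, metric in routes:
        net = ipaddress.ip_network(net_str)
        if addr in net and (best is None or (net.prefixlen, -metric) > best[0]):
            best = ((net.prefixlen, -metric), iface)
    return best[1] if best else None


def find_conflicts(home_net: str, vpn_nets: Iterable[str]) -> List[str]:
    """VPN ranges overlapping the home range; any hit means one side loses."""
    home = ipaddress.ip_network(home_net)
    return [n for n in vpn_nets if home.overlaps(ipaddress.ip_network(n))]


def suggest_home_subnet(vpn_nets: Iterable[str]) -> str:
    """First /24 in 192.168/16 clear of the VPN ranges, skipping the two
    common router defaults (192.168.0/24 and 192.168.1/24) named in the thread."""
    taken = [ipaddress.ip_network(n) for n in vpn_nets]
    for cand in ipaddress.ip_network("192.168.0.0/16").subnets(new_prefix=24):
        if cand.network_address.packed[2] < 2:  # third octet 0 or 1
            continue
        if not any(cand.overlaps(t) for t in taken):
            return str(cand)
    raise ValueError("no free /24 in 192.168.0.0/16")


if __name__ == "__main__":
    before = build_routes("192.168.0.0/24", VPN_NETS)
    # Home NAS (.20) and work file server (.10) share a range: both go the same way.
    print(select_route("192.168.0.20", before), select_route("192.168.0.10", before))
    print(find_conflicts("192.168.0.0/24", VPN_NETS))
    new_home = suggest_home_subnet(VPN_NETS)
    after = build_routes(new_home, VPN_NETS)
    print(new_home, select_route("192.168.2.20", after), select_route("192.168.0.10", after))
```

With the conflicting table the home NAS is routed into the tunnel (the VPN's lower metric wins); with the home LAN moved to 192.168.2.0/24 each destination gets its own interface again.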
Posts: 0
Full Member
 

What's the VPN client? I like playing hunt the check box 🙂


 
Posted : 21/11/2017 9:38 am
Posts: 1369
Free Member
 

Yeah, there's no way round about this. Either you readdress internally or they do.


 
Posted : 21/11/2017 9:41 am
Posts: 0
Full Member
 

Won't their choice mean they can never hire more than about 250 or so employees?

Nope - you could add additional private Class C/B/A networks, just need a router to interconnect them. (Assuming you mean no more than 250 nodes on the network simultaneously rather than people).


 
Posted : 21/11/2017 9:42 am
Posts: 13594
Free Member
 

Likewise a simple key stroke on your router and you can change yours to 192.168.2.xx

Problem averted.

This.


 
Posted : 21/11/2017 10:53 am
Posts: 36
Free Member
Topic starter
 

This.

And if I've allocated static IP addresses and have networked devices bookmarked by address?

Yes I could change my router IP address scheme. But I'm feeling belligerent. And it's their fault not mine 😛


 
Posted : 21/11/2017 11:09 am
 xora
Posts: 950
Full Member
 

Just put another NAT router between your precious network and Mrs S laptop 🙂

This is ideal https://www.gl-inet.com/usb150/


 
Posted : 21/11/2017 11:23 am
Posts: 36
Free Member
Topic starter
 

Interesting idea. Maybe get the Co to pay for it!


 
Posted : 21/11/2017 11:26 am
Posts: 13594
Free Member
 

And if I've allocated static IP addresses and have networked devices bookmarked by address?

What you want is a local DNS....


 
Posted : 21/11/2017 11:48 am
Posts: 13164
Full Member
 

One or other end of the VPN tunnel is in for a whole world of pain and hurt. 😀


 
Posted : 21/11/2017 11:52 am
Posts: 77347
Free Member
 

What you want is a local DNS....

And reserved IP addresses on the router rather than static addresses.


 
Posted : 21/11/2017 11:55 am
Posts: 0
Free Member
 

I suspect the reason is that most routers, whether business or home, out of the box will be set up for 192.168.0.xxx, 192.168.1.xxx internal IP addresses and for a small company at least, plugging in a router, switching it on and changing the default admin password is a standard "lazy" setup procedure.


 
Posted : 21/11/2017 2:12 pm
Posts: 77347
Free Member
 

I suspect the reason is that most routers, whether business or home, out of the box will be set up for 192.168.0.xxx, 192.168.1.xxx internal IP addresses and for a small company at least

That may be true if they're using some cheap consumer-grade DSL router, but enterprise stuff doesn't have a config at all.


 
Posted : 21/11/2017 2:18 pm
Posts: 77347
Free Member
 

Oh, and in answer to the OP, yeah, it's a stupid decision to address it like that. Unless there's a business reason why they've done it I'd suggest that they change it, you can't be the first person to have issues.


 
Posted : 21/11/2017 2:20 pm
Posts: 36
Free Member
Topic starter
 

Personally, I blame Tim Berners-Lee.

IP addresses should be 64 digits long. Alpha numeric.
And unique to every device ever created in the world. Sorted.


 
Posted : 21/11/2017 2:20 pm
Posts: 36
Free Member
Topic starter
 

you can't be the first person to have issues.

We're not. And at least I have a vague idea which buttons to jab and boxes to fill on the router config, but I can't imagine Brian from Marketing would be able to sort it out his end.


 
Posted : 21/11/2017 2:22 pm
Posts: 77347
Free Member
 

Personally, I blame Tim Berners-Lee.

What's the Web have to do with anything?

IP addresses should be 64 digits long. Alpha numeric.
And unique to every device ever created in the world. Sorted.

So IPv6 then. (Though that's 128-bit.)


 
Posted : 21/11/2017 2:26 pm
Posts: 36
Free Member
Topic starter
 

So IPv6 then. (Though that's 128-bit.)

It won't be long before every toothbrush, dildo and cockring have their own IP addresses. 128-bit will have run out by Xmas 2021.


 
Posted : 21/11/2017 2:31 pm
 smeg
Posts: 0
Free Member
 

If the IP of the server at her workplace doesn't conflict with anything locally, then you may be able to do a route add command to redirect her work server down the VPN rather than looking locally.

Or put her laptop on its own subnet.

But yes it's a strange subnet to use for Corporate & changing your own isn't ideal if it's quite populated.


 
Posted : 21/11/2017 2:37 pm
Posts: 7076
Full Member
 

IP addresses should be 64 digits long. Alpha numeric.
And unique to every device ever created in the world. Sorted.

What does that do to privacy?


 
Posted : 21/11/2017 2:46 pm
Posts: 0
Free Member
 

It won't be long before every toothbrush, dildo and cockring have their own IP addresses. 128-bit will have run out by Xmas 2021.

Really? There are 340282366920938463463374607431768211456 possible IPv6 addresses, even if you take out the ones which haven't been released to the public there's still 42 undecillion IPs available. I think we'll be ok for a while 🙂


 
Posted : 21/11/2017 2:56 pm
Posts: 0
Free Member
 

That may be true if they're using some cheap consumer-grade DSL router, but enterprise stuff doesn't have a config at all.

Sensible - how would enterprise IT consultants make money for T5's and nice mountain bikes, if enterprise kit had standard plug and play config 😉

To be fair, the last few (tech) companies I've worked for have only had up to 60 or so employees, and everyone works over wifi on a laptop, so IT infrastructure is to plug in a (flaky) BT business router, change the admin and wifi password and dish out internal IPs via DHCP. No internal servers, all infrastructure in the cloud.


 
Posted : 21/11/2017 3:03 pm
Posts: 0
Free Member
 

The side walls on the 2.6 aren't much different than the 2.3 so it's not going to be like a 29er.

(Assuming you are serious about running out) I don't think you understand how ip addressing and the internet work.


 
Posted : 21/11/2017 3:11 pm
Posts: 1369
Free Member
 

Here's your solution, dependent on the capability of your onsite CE router:

On my old Draytek-style unit, it was possible to set up a guest wifi/secondary subnet thing on another SSID. The idea is that this can be shared with transient users. Usefully, it allows the creation of a different RFC1918 scope than from the 'main' one.

So what you need to do is interrogate your router's management pages to see if you have this. You probably will.

If so, set it up with something different to the troublesome range, and when your wife wants to VPN out, get her to use this SSID, or if the router supports it, even a wired connection into this subnet.

I charge £750 per day normally, but if this works, chuck some money in a CF Trust collection tin next time you go past one 🙂


 
Posted : 21/11/2017 3:13 pm
Posts: 17779
Full Member
 

If the IT department are right, presumably many of their other home users have the same issue? Which makes their implementation barmy.


 
Posted : 21/11/2017 3:47 pm
Posts: 36
Free Member
Topic starter
 

Thanks codybrennan - nice try but no facility on Netgear Nighthawk (How cool does that name sound?) to set a different IP scope on the Guest Wifi SSID.

Do you still charge £750 a day if your advice doesn't work? 😉

(Assuming you are serious about running out) I don't think you understand how ip addressing and the internet work.

Wrong on both counts. Probably...

Right, about to send out the 10 minute warning to all children and InternetOfThings within a 50m radius of my desk because the 0 is about to become a 1. This is like passing round the backside of the moon. If I don't make it back, it all went to shit. Tell my wife I love her and bury me with my bikes.


 
Posted : 21/11/2017 4:28 pm
Posts: 1369
Free Member
 

Ach. Well, it was worth a shot. To be accurate- my employer charges the £750 🙁

You'll be reet once you readdress. Catch you on the flipside.


 
Posted : 21/11/2017 5:14 pm
Posts: 13164
Full Member
 

You still there Stoner? Stoner...


 
Posted : 21/11/2017 10:12 pm
Posts: 36
Free Member
Topic starter
 

ping: 24,000ms


 
Posted : 21/11/2017 10:14 pm
Posts: 13164
Full Member
 

Speedy.


 
Posted : 21/11/2017 10:21 pm
Posts: 1646
Full Member
 

@cody there's a difference between what's invoiced for and what we get paid eh....


 
Posted : 21/11/2017 10:40 pm
Posts: 1369
Free Member
 

Russell96 - Member
@cody there's a difference between what's invoiced for and what we get paid eh....

Absolutely Russ 🙁


 
Posted : 22/11/2017 9:07 am