• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 425
  • Last Modified:

resolving websites when vpn connection

Hello All,

On our work network we have a number of public IP's.  I have placed a Linksys BEFSX41 at one of the public addresses and the other one at home behind another linksys firewall.

I can sucessfully make the vpn tunnel and everything is working fine from the home side of the network.  I have a voip phone that connects perfectly to the ipbx at work, can remote desktop etc perfectly.  here is the problem... once the vpn tunnel is established on the work side of the network local devices can no longer resolve (some) websites.  i can get to google.com etc but not other sites.  https sites seem to work.  what is strange is that it doesn't appear to be a dns issue because even if i go to the ip addresses of the websites they do not appear, can't ping, tracert etc.  I have tried the mtu settings to no avail.  if i disconnect the vpn then the problem dissapears.

i am really confused now.

any help greatly appreciated.

Regards, Charles
0
chcalabro
Asked:
chcalabro
1 Solution
 
Rob WilliamsCommented:
I assume you are using the Windows VPN and client?  If so, there is a security feature in the VPN client that blocks local connections, including local Internet access, to protect the office/remote network. You can disable this if you wish. To do so on the client/connecting PC, go to:
control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP -properties | Advanced | General | un-check  "Use default gateway on remote network"
You may currently be accessing some sites through the corporate network, and being blocked from others either by corporate restrictions or the corporate DNS configuration.
0
 
nitadminCommented:
Hi chcalabro,

You have to configure split horizons feature for your VPN connections.
See if you VPN client has Split Horizons. Also its possible that your office VPN server will not allow you to use Split Horizons.


Cheers!
NITADMIN
0
 
chcalabroAuthor Commented:
Robwill they are not using the vpn client they are just accessing the internet via the router which is their gateway.  once the home vpn router connects to the office vpn router and the tunnel is established then the pc's on the office side of the network fail to connect to the internet properly.

nitaadmin thanks i will check this although i have not heard of it before.

Thanks for posting!
charles
0
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

 
Rob WilliamsCommented:
Sorry I misunderstood. So you are saying that at the main office these users loose access to some web sites when a home user connects via VPN. If so, check that the home user is using a different subnet than the office. For example if the office uses 192.168.1.x then the home site must use something else.If they are the same, it is possible there are some routing conflicts if RRAS is set upon the server.
0
 
chcalabroAuthor Commented:
Hi RObwill, the subnet is the same 255.255.255.0 but the office is on a 192.168.1.x range and home is on a 192.168.72.x range does the subnet still need to be different.
0
 
Rob WilliamsCommented:
Subnet = 192.168.1.x or 192.168.72.x
Subnet mask = 255.255.255.0
So you are fine. Subnets need to be different but subnet masks can be the same.
It was just a thought.
0
 
chcalabroAuthor Commented:
again it is only when the tunnel is established that the connections on the 192.168.1.x range go nowhere, the 192.168.72.x machines are fine.
0
 
NTJOCKCommented:
I'd look at a few things:

1) Try to reduce the number of public IPs.  This makes your routing tables simpler.  May not always be practical.    

2) Examine your routing tables.  It may help to write them down and then "trace" by pencil how a packet would go to the outside world.

3) using tracert, see where the packet is going.  This should match what you see in step 2.  If it doesn't go back to step 2 and figure out why your routing is different then what you expect.

4) Look at your DNS client configuration.  I recommend using either a DNS server, or a single gateway (i.e. firewall) that then uses a couple DNS servers.  

5) NSlookup can be very useful for seeing what your machine is seeing.  Google it for more info on how to use it.

I suspect your routing tables are warped.  You may even have circular routing going on.  For the routers to do their job each IP range has to be unique.  So if home is 192.168.72.x and office is 192.168.1.x and shop is 192.168.3.x you're fine.
but if you try to use 192.168.3.x for shop and home you have an issue if there are two routers there.  The routers will get confused.  It helps to think of a routing table the way you think of a tree, with branches.  A branch can only connect to a higher branch or the trunk.  It shouldn't cross levels and touch multiple branches.  There are ways to make this alot more complicated, but I think for what you are doing and describing it's best to make it work and keep it basic.
0
 
chcalabroAuthor Commented:
thanks ntjock, i am giving you the points due to the effort on the comment.  i suspect you are correct and will go down that path.
0

Featured Post

Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now