Solved

Work VPN and Home LAN on the same subnet

Posted on 2014-07-29
8,626 Views
Last Modified: 2014-08-04
I have just been informed by my employer's IT department that my home private subnet (192.168.0.0/24) is the same as the one they use on the VPN at the other end of the tunnel. What? Doesn't this seem incredibly short-sighted, or am I the one who should have "known better"? My setup is the way it is because of the defaults from the consumer routers most people have. I always thought it was blocked for security reasons and I never had a "business need" for this until now.

Here was my question: "I need to have access to a network printer on my internal LAN. When I am connected to the VPN <on the company machine> I cannot see the rest of my LAN and other devices on the LAN do not see the <company> machine. There is a preference in the Cisco AnyConnect client to "Enable local LAN access (if configured)" and since it is enabled and what I just described is true I am assuming it is not configured.

This is a specialty thermal printer used to print <print format> from <third party vendor> and I have 2 customers that have these printers. I got the manufacturer to send me a loaner to use while developing these output formats."
 

This was their response: "You have a routing issue caused by the IP addressing on your local network.  You are using the IP addressing 192.168.0.X which is the same IP addressing we use inside the firewall.  When you connect to the <company> VPN, all your local network traffic is being routed across the <company> VPN tunnel and any local network devices are unreachable.  To fix this issue, you will need to change your local IP addressing to a different network segment.  Example:  192.168.1.x or 192.168.2.x  You make this change on your local router.    Please let me know if you have any questions."

What? All of my personal traffic was routed through their network? Financial information and other "stuff"?
Changing this will not be as straightforward as they think. I have a small AD domain at home (I like to play... what can I say?) and a small group of both physical and VM servers on static IP addresses. I handle the DHCP "myself" on the server so I guess I just need to change the scope IP range and all of the reservations I just did.

I have a router capable of doing a private and "guest" network but I do not think segregating them will accomplish my goal. Static routes? Probably not.

Ideas?

Edit: I also have a static IP address from my ISP if that helps.
Question by:mike1142
15 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40226546
Unfortunately you have no choice; subnets must be different for routing to take place.  In some cases when all traffic is forced to the VPN server/router you can access corporate resources, but if you disable that you most certainly will not be able to access corporate resources.  This is a common issue.

I will agree the company should have chosen something less common as using defaults like 192.168.0.x, 192.168.1.x, 10.0.0.x  often results in conflicts with home networks and hotels.  However if you are running an AD domain or anything more than your typical 2 PC home network I would suggest you should have done the same and changed yours.  Doing so now will resolve your current problem and possibly other problems you might have in the future, at least for you.
 
LVL 95

Expert Comment

by:John Hurst
ID: 40226552
I have been in that situation and I just found it easier for me to change my home office subnet than to convince clients to change theirs.

There is no difference in having a subnet of (say) 192.168.75.x versus 192.168.0.x. They function the same way.

I just changed mine, moved on, and have no more conflicts.
 
LVL 7

Expert Comment

by:tolinrome
ID: 40226588
Agree with the two previous posts.

Author Comment

by:mike1142
ID: 40226618
Rob,

I agree with what you are saying about I should have changed mine as well. This is what happens when an amateur tries to play with the big-boy toys. The point was for me to learn. I guess I missed that lesson in networking 101 and network security 301 (seriously just took those classes this year) .

Thanks I will leave this open a little while longer. I am hoping for some information that will make me feel more comfortable that they can no longer see any of my private traffic or internal resources. I think I get it but...
 
LVL 95

Expert Comment

by:John Hurst
ID: 40226630
The subnet does not change security or how they can (or more likely cannot) view your private resources.

I have static tunnels to key clients for my convenience and no one can get to my machine. The subnet number is the least important variable.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40226688
If all traffic is forced through the VPN the only thing to which that really refers or they could conceivably monitor, if they have systems in place to do so, is web browsing, while connected to the VPN.  They can't capture passwords from SSL sites like banks and such but they could with a proxy server monitor sites visited.
 

Author Comment

by:mike1142
ID: 40226738
All of the traffic does not have to be forced through the VPN. I think that the VPN client on the work machine allows me access to the VPN resources and if I set the option to allow it the other side of the tunnel can see my resources. All of the AD connected devices will need credentials but anything else is fair game.

Here is what I was thinking, put the work machine on a static IP on a separate subnet. Force that traffic to my DC and then static routes to the firewall and any other devices I want to access from that machine.

I am not distrustful but well I am. Corporate America has not exactly been shy about letting employees know that accessing company resources is subject to monitoring. Why should I not return the favor? Quid pro quo.

My work is not quite the same as usual private consulting.
 
LVL 95

Assisted Solution

by:John Hurst
John Hurst earned 150 total points
ID: 40226775
I use split tunneling so that Internet and VPN traffic are separate anyway. I use my laptop primarily for VPN work although my desktop computer has the same connection (one hardware VPN router and one subnet).

It has been hooked up this way for years, is very secure, and has never been transgressed by anyone.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40226808
If you put the work machine on a different subnet how is it going to see the local resources such as server?

Split tunneling as John suggested allows you to access corporate resources as needed and the balance of traffic, LAN and Internet, is routed through your local network.  However with Cisco VPNs the VPN administrator usually has to allow/enable split tunneling.

The #1 concern with VPNs is you have a very secure tunnel, but wide open to all traffic between a corporate network and a PC over which it has no control.  Personally I prefer remote desktop, which only exchanges screen refreshes.
 

Author Comment

by:mike1142
ID: 40226820
That was what the static routes were for 192.168.5.1 to 192.168.0.2 (DC is the gateway) on DC static routes to 192.168.0.1 (firewall) and routes to 192.168.0.x and other resources I want to make available?

I know mountain out of a mole hill but me being stupid still smarts right now.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40226920
The static route on its own will do nothing.  If your router supports multiple subnets and you put that PC on a port defined with a different subnet and assign the new gateway to the PC you could conceivably do so, however once you define the routes, traffic can travel on it the same as the LAN.  You cannot randomly assign a different subnet to a PC.  Perhaps I do not fully understand.

Is the concern your traffic passing through the VPN or the corporate network accessing your PC?
For the former enable split tunneling, for the latter enable the windows firewall, but this is all a moot point if the subnets are the same at home and work.
 

Author Comment

by:mike1142
ID: 40227030
The concern is that they said all of my IP traffic was passing through the VPN through to their servers. I assume that they let that traffic continue on its way. However for this reason I was blocked from seeing my local resources, not because of security reasons as I originally expected.

I would like to see local resources on my LAN while connected to the VPN. Not for convenience but out of necessity. However I do not want the act of accessing these local resources to open up my LAN through their VPN.
 
LVL 77

Accepted Solution

by:
Rob Williams earned 350 total points
ID: 40227136
>>"I do not want the act of accessing these local resources to open up my LAN through their VPN."
They won't.

In order to access your local printer, as you have stated, you will need to "Enable local LAN access (if configured)" in the AnyConnect client.  When you do so the VPN connection will stop working because of a routing conflict between the local and remote sites.  This is due to the local systems not knowing where to send the 192.168.0.x packets: should they be kept local or should they be forwarded, when they are the same?  Routing is based on subnets.  There are only 2 choices: keep local, when it matches the local subnet, or for anything else forward it to the DEFAULT gateway.  Thus the VPN traffic will be kept local and lost.
Currently all traffic is routed to the corporate network because the default route for 192.168.0.x traffic is the VPN, thus you may be able to access the server.

There are only 2 ways to fix this: change your local subnet or change the corporate LAN.  Though I appreciate the former is not a simple task in your case, I suspect the latter is not an option.  Once you do so and "Enable local LAN access", only 192.168.0.x traffic will be routed to the corporate network and all other traffic will be kept local or, in the case of Internet traffic, sent to your local gateway/router and on to the Internet.  All very secure and separated.

As an alternative, with many ISP's you can place a switch between your home router and the modem and add a second router, subnet, and networked PC's.  You could use this for your development network and only change its subnet.
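The routing decision the accepted answer describes, worked through as an added example (this is not code from the thread or from Cisco; it only models a host's route table). The VPN peer subnet is the 192.168.0.0/24 from the question, the renumbered home subnet 192.168.75.0/24 is the one John Hurst mentioned, and the printer (.50), corporate server (.10) and Internet host (203.0.113.7) addresses are constructed for illustration. Entry order stands in for route metric: among equal-length prefixes the earlier entry wins, which is what turns an overlapping subnet into "kept local and lost".

```python
import ipaddress

# Addresses assumed for the example (constructed, see lead-in).
HOME_NET = "192.168.0.0/24"              # current home LAN
CORP_NET = "192.168.0.0/24"              # what the company's IT said it uses
NEW_HOME_NET = "192.168.75.0/24"         # home LAN after renumbering
PRINTER_OLD, PRINTER_NEW = "192.168.0.50", "192.168.75.50"
CORP_SERVER = "192.168.0.10"
INTERNET_HOST = "203.0.113.7"


def subnets_conflict(a, b):
    """True when two prefixes share any address, i.e. routing cannot tell them apart."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def build_routes(home_net, corp_net, local_lan_access):
    """Approximate the host's route table while the AnyConnect tunnel is up.

    Returns (prefix, next hop) pairs. Order stands in for metric: among
    prefixes of equal length the earlier entry wins, as a lower-metric
    route would on a real host.
    """
    if not local_lan_access:
        # Full tunnel: the corporate prefix and the default route both point
        # down the VPN, so even the connected LAN is shadowed.
        return [(corp_net, "vpn"), ("0.0.0.0/0", "vpn"), (home_net, "lan")]
    # Local LAN access (split tunnel): the connected LAN stays local, only the
    # corporate prefix goes to the VPN, and the default route is the home router.
    return [(home_net, "lan"), (corp_net, "vpn"), ("0.0.0.0/0", "lan")]


def next_hop(routes, dst):
    """Longest-prefix match; on a tie the earlier (lower-metric) entry is kept."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def reachability(home_net, corp_net, local_lan_access, printer, corp_server, internet_host):
    """Where each destination is sent for a given home subnet and client setting."""
    routes = build_routes(home_net, corp_net, local_lan_access)
    return {
        "printer": next_hop(routes, printer),
        "corp_server": next_hop(routes, corp_server),
        "internet": next_hop(routes, internet_host),
    }


if __name__ == "__main__":
    print("home/corp overlap:", subnets_conflict(HOME_NET, CORP_NET))
    # 1. Same subnet, full tunnel: everything, printer included, goes to the VPN.
    print("full tunnel      :", reachability(HOME_NET, CORP_NET, False,
                                             PRINTER_OLD, CORP_SERVER, INTERNET_HOST))
    # 2. Same subnet, local LAN access: printer works, corporate server is now
    #    matched by the local 192.168.0.0/24 and never reaches the tunnel.
    print("local LAN access :", reachability(HOME_NET, CORP_NET, True,
                                             PRINTER_OLD, CORP_SERVER, INTERNET_HOST))
    # 3. Renumbered home LAN with local LAN access: each prefix has one owner.
    print("after renumbering:", reachability(NEW_HOME_NET, CORP_NET, True,
                                             PRINTER_NEW, CORP_SERVER, INTERNET_HOST))
```

Scenario 2 is the "VPN traffic will be kept local and lost" case: the corporate server's address matches both /24 entries, the tie goes to the LAN, and nothing ever enters the tunnel. Scenario 3 shows the separation the answer promises once the prefixes differ: only 192.168.0.x is sent to the VPN, the printer and Internet traffic stay on the home router.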
 

Author Comment

by:mike1142
ID: 40227148
Got it thank you
 
LVL 16

Expert Comment

by:vivigatt
ID: 40231729
While you are changing your local subnet, it may be a good idea to set up everything on it with DHCP.
If you need "static IP addresses", you can add DHCP reservations.
This way, you have a central point for managing all your IP addresses... just in case you have to change your subnet again or for any other reason...
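One way to carry the reservation-based approach above through the renumbering, added here as an example that is not part of the thread: keep each host's position in the subnet (the last octet) and only swap the network part, refuse a new prefix that still overlaps the corporate one, and emit the matching Windows DHCP Server cmdlet lines so the reservations can be recreated on the new scope. The reservation list is constructed sample data, the 192.168.75.0/24 target is taken from John Hurst's comment, and the assumption that the home DHCP server is Windows Server (hence `Add-DhcpServerv4Reservation`) is mine.

```python
import ipaddress

OLD_SCOPE = "192.168.0.0/24"
NEW_SCOPE = "192.168.75.0/24"
CORP_NET = "192.168.0.0/24"      # the prefix the company said it uses

# Constructed sample reservations; names and MACs are made up for the example.
RESERVATIONS = [
    {"mac": "00-11-22-33-44-01", "name": "dc01",    "ip": "192.168.0.2"},
    {"mac": "00-11-22-33-44-02", "name": "fileserv", "ip": "192.168.0.20"},
    {"mac": "00-11-22-33-44-03", "name": "thermal-printer", "ip": "192.168.0.50"},
]


def validate_new_scope(new_scope, *must_not_overlap):
    """Return the new network, or raise if it collides with any listed prefix."""
    new = ipaddress.ip_network(new_scope)
    for other in must_not_overlap:
        if new.overlaps(ipaddress.ip_network(other)):
            raise ValueError(f"{new_scope} still overlaps {other}; pick another prefix")
    return new


def renumber(reservations, old_scope, new_scope):
    """Move each reservation to new_scope, preserving its host offset.

    Reservations outside old_scope are reported rather than silently dropped,
    so a stray entry does not disappear during the migration.
    """
    old = ipaddress.ip_network(old_scope)
    new = ipaddress.ip_network(new_scope)
    if old.prefixlen != new.prefixlen:
        raise ValueError("old and new scopes must be the same size to keep host offsets")
    moved, skipped = [], []
    for r in reservations:
        ip = ipaddress.ip_address(r["ip"])
        if ip not in old:
            skipped.append(r)
            continue
        offset = int(ip) - int(old.network_address)
        moved.append({**r, "ip": str(new.network_address + offset)})
    return moved, skipped


def to_powershell(reservations, new_scope):
    """Windows DHCP Server (DhcpServer module) commands recreating the reservations."""
    scope_id = ipaddress.ip_network(new_scope).network_address
    return [
        f"Add-DhcpServerv4Reservation -ScopeId {scope_id} -IPAddress {r['ip']} "
        f"-ClientId {r['mac']} -Name {r['name']}"
        for r in reservations
    ]


if __name__ == "__main__":
    validate_new_scope(NEW_SCOPE, CORP_NET)
    moved, skipped = renumber(RESERVATIONS, OLD_SCOPE, NEW_SCOPE)
    for line in to_powershell(moved, NEW_SCOPE):
        print(line)
    if skipped:
        print("not in old scope, check by hand:", skipped)
```

The overlap check is the part worth keeping around: a second conflict later (a client site, a hotel) is caught before any address is handed out, which is exactly the situation the question started from.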
