Work VPN and Home LAN on the same subnet
Posted on 2014-07-29
I have just been informed by my employer's IT department that my home private subnet (192.168.0.0/24) is the same as the one they use on the VPN at the other end of the tunnel. What? Doesn't this seem incredibly short-sighted, or am I the one who should have "known better"? My setup is the way it is because of the defaults from the consumer routers most people have. I always thought it was blocked for security reasons, and I never had a "business need" for this until now.
Here was my question: "I need to have access to a network printer on my internal LAN. When I am connected to the VPN <on the company machine> I cannot see the rest of my LAN, and other devices on the LAN do not see the <company> machine. There is a preference in the Cisco AnyConnect client to "Enable local LAN access (if configured)", and since it is enabled and what I just described is true, I am assuming it is not configured.
This is a specialty thermal printer used to print <print format> from <third party vendor> and I have 2 customers that have these printers. I got the manufacturer to send me a loaner to use while developing these output formats."
This was their response: "You have a routing issue caused by the IP addressing on your local network. You are using the IP addressing 192.168.0.X, which is the same IP addressing we use inside the firewall. When you connect to the <company> VPN, all your local network traffic is being routed across the <company> VPN tunnel and any local network devices are unreachable. To fix this issue, you will need to change your local IP addressing to a different network segment. Example: 192.168.1.x or 192.168.2.x. You make this change on your local router. Please let me know if you have any questions."
What? All of my personal traffic was routed through their network? Financial information and other "stuff"?
Changing this will not be as straightforward as they think. I have a small AD domain at home (I like to play... what can I say?) and a small group of both physical and VM servers on static IP addresses. I handle the DHCP "myself" on the server, so I guess I just need to change the scope IP range and all of the reservations I just did.
I have a router capable of doing a private and "guest" network but I do not think segregating them will accomplish my goal. Static routes? Probably not.
Edit: I also have a static IP address from my ISP if that helps.
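As an added illustration (not part of the original post or of any Cisco tooling), the following Python models the collision the IT department describes: a longest-prefix match over the LAN route plus the VPN-pushed routes shows the local printer's traffic being steered into the tunnel when both prefixes are 192.168.0.0/24, and a helper picks the first /24 that no VPN route overlaps. The second VPN route (10.20.0.0/16) and the printer address are constructed values; preferring the VPN route on an exact tie is an assumption that reproduces the behaviour the post reports.

```python
import ipaddress
from typing import List, Optional

# Constructed values modelled on the post: the home LAN and the network inside the
# company firewall are both 192.168.0.0/24. The second VPN route and the printer's
# address are made up for illustration.
HOME_LAN = "192.168.0.0/24"
VPN_ROUTES = ["192.168.0.0/24", "10.20.0.0/16"]
PRINTER = "192.168.0.50"


def overlapping_routes(local: str, vpn_routes: List[str]) -> List[str]:
    """Return the VPN-pushed routes that collide with the local LAN prefix."""
    lan = ipaddress.ip_network(local)
    return [r for r in vpn_routes if ipaddress.ip_network(r).overlaps(lan)]


def next_hop_interface(dst: str, local: str, vpn_routes: List[str]) -> str:
    """Longest-prefix match over a table holding the LAN interface route plus the
    VPN routes. On an exact tie the VPN route is preferred (assumption), which
    reproduces what the post describes: local devices unreachable while connected."""
    addr = ipaddress.ip_address(dst)
    table = [(ipaddress.ip_network(local), "lan")]
    table += [(ipaddress.ip_network(r), "vpn") for r in vpn_routes]
    matches = [(net.prefixlen, iface) for net, iface in table if addr in net]
    if not matches:
        return "default"
    best = max(plen for plen, _ in matches)
    winners = {iface for plen, iface in matches if plen == best}
    return "vpn" if "vpn" in winners else "lan"


def pick_free_subnet(vpn_routes: List[str], pool: str = "192.168.0.0/16",
                     new_prefix: int = 24) -> Optional[str]:
    """First /24 in the pool that overlaps none of the VPN routes: the renumbering
    the IT department asked for, chosen so it cannot collide with them again."""
    nets = [ipaddress.ip_network(r) for r in vpn_routes]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=new_prefix):
        if not any(cand.overlaps(n) for n in nets):
            return str(cand)
    return None


if __name__ == "__main__":
    print("colliding routes:", overlapping_routes(HOME_LAN, VPN_ROUTES))
    print("printer reached via:", next_hop_interface(PRINTER, HOME_LAN, VPN_ROUTES))
    print("suggested home LAN:", pick_free_subnet(VPN_ROUTES))
```

After renumbering the LAN to the suggested prefix, the same lookup for a printer at 192.168.1.50 resolves to the LAN interface, since only the local route matches it.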