Solved

Work VPN and Home LAN on the same subnet

Posted on 2014-07-29
7,446 Views
Last Modified: 2014-08-04
I have just been informed by my employer's IT department that my home private subnet (192.168.0.0/24) is the same as the one they use on the VPN at the other end of the tunnel. What? Doesn't this seem incredibly short-sighted, or am I the one who should have "known better"? My setup is the way it is because of the defaults from the consumer routers most people have. I always thought it was blocked for security reasons and I never had a "business need" for this until now.

Here was my question: "I need to have access to a network printer on my internal LAN. When I am connected to the VPN <on the company machine> I cannot see the rest of my LAN and other devices on the LAN do not see the <company> machine. There is a preference in the Cisco AnyConnect client to "Enable local LAN access (if configured)" and since it is enabled and what I just described is true I am assuming it is not configured.

This is a specialty thermal printer used to print <print format> from <third party vendor> and I have 2 customers that have these printers. I got the manufacturer to send me a loaner to use while developing these output formats."
 

This was their response: "You have a routing issue caused by the IP addressing on your local network. You are using the IP addressing 192.168.0.X which is the same IP addressing we use inside the firewall. When you connect to the <company> VPN, all your local network traffic is being routed across the <company> VPN tunnel and any local network devices are unreachable. To fix this issue, you will need to change your local IP addressing to a different network segment. Example: 192.168.1.x or 192.168.2.x. You make this change on your local router. Please let me know if you have any questions."

What? All of my personal traffic was routed through their network? Financial information and other "stuff"?
Changing this will not be as straightforward as they think. I have a small AD domain at home (I like to play... what can I say?) and a small group of both physical and VM servers on static IP addresses. I handle the DHCP "myself" on the server so I guess I just need to change the scope IP range and all of the reservations I just did.

I have a router capable of doing a private and "guest" network but I do not think segregating them will accomplish my goal. Static routes? Probably not.

Ideas?

Edit: I also have a static IP address from my ISP if that helps.
Question by:mike1142

15 Comments
 
LVL 77

Expert Comment

by:Rob Williams
Unfortunately you have no choice, subnets must be different for routing to take place. In some cases when all traffic is forced to the VPN server/router you can access corporate resources, but if you disable that you most certainly will not be able to access corporate resources. This is a common issue.

I will agree the company should have chosen something less common as using defaults like 192.168.0.x, 192.168.1.x, 10.0.0.x often results in conflicts with home networks and hotels. However if you are running an AD domain or anything more than your typical 2 PC home network I would suggest you should have done the same and changed yours. Doing so now will resolve your current problem and possibly other problems you might have in the future, at least for you.
LVL 90

Expert Comment

by:John Hurst
I have been in that situation and I just found it easier for me to change my home office subnet than to convince clients to change theirs.

There is no difference in having a subnet of (say) 192.168.75.x rather than 192.168.0.x. They function the same way.

I just changed mine, moved on, and have no more conflicts.
LVL 7

Expert Comment

by:tolinrome
Agree with the two previous posts.
Author Comment

by:mike1142
Rob,

I agree with what you are saying about how I should have changed mine as well. This is what happens when an amateur tries to play with the big-boy toys. The point was for me to learn. I guess I missed that lesson in networking 101 and network security 301 (seriously, I just took those classes this year).

Thanks I will leave this open a little while longer. I am hoping for some information that will make me feel more comfortable that they can no longer see any of my private traffic or internal resources. I think I get it but...
LVL 90

Expert Comment

by:John Hurst
The subnet does not change security or how they can (or more likely cannot) view your private resources.

I have static tunnels to key clients for my convenience and no one can get to my machine. The subnet number is the least important variable.
LVL 77

Expert Comment

by:Rob Williams
If all traffic is forced through the VPN the only thing to which that really refers, or they could conceivably monitor if they have systems in place to do so, is web browsing while connected to the VPN. They can't capture passwords from SSL sites like banks and such, but they could with a proxy server monitor sites visited.
Author Comment

by:mike1142
All of the traffic does not have to be forced through the VPN. I think that the VPN client on the work machine allows me access to the VPN resources and if I set the option to allow it the other side of the tunnel can see my resources. All of the AD connected devices will need credentials but anything else is fair game.

Here is what I was thinking: put the work machine on a static IP on a separate subnet. Force that traffic to my DC and then static routes to the firewall and any other devices I want to access from that machine.

I am not distrustful but well I am. Corporate America has not exactly been shy about letting employees know that accessing company resources is subject to monitoring. Why should I not return the favor? Quid pro quo.

My work is not quite the same as usual private consulting.
LVL 90

Assisted Solution

by:John Hurst (earned 150 total points)
I use split tunneling so that Internet and VPN traffic are separate anyway. I use my laptop primarily for VPN work although my desktop computer has the same connection (one hardware VPN router and one subnet).

It has been hooked up this way for years, is very secure, and has never been transgressed by anyone.
LVL 77

Expert Comment

by:Rob Williams
If you put the work machine on a different subnet how is it going to see the local resources such as server?

Split tunneling as John suggested allows you to access corporate resources as needed, and the balance of traffic, LAN and Internet, is routed through your local network. However with Cisco VPNs the VPN administrator usually has to allow/enable split tunneling.

The #1 concern with VPNs is you have a very secure tunnel, but wide open to all traffic between a corporate network and a PC over which it has no control. Personally I prefer remote desktop which only exchanges screen refreshes.
Author Comment

by:mike1142
That was what the static routes were for: 192.168.5.1 to 192.168.0.2 (DC is the gateway), on the DC static routes to 192.168.0.1 (firewall) and routes to 192.168.0.x and other resources I want to make available?

I know, mountain out of a molehill, but me being stupid still smarts right now.
LVL 77

Expert Comment

by:Rob Williams
The static route on its own will do nothing. If your router supports multiple subnets and you put that PC on a port defined with a different subnet and assign the new gateway to the PC you could conceivably do so; however once you define the routes, traffic can travel on it the same as the LAN. You cannot randomly assign a different subnet to a PC. Perhaps I do not fully understand.

Is the concern your traffic passing through the VPN or the corporate network accessing your PC?
For the former enable split tunneling, for the latter enable the Windows firewall, but this is all a moot point if the subnets are the same at home and work.
Author Comment

by:mike1142
The concern is that they said all of my IP traffic was passing through the VPN through to their servers. I assume that they let that traffic continue on its way. However for this reason I was blocked from seeing my local resources, not because of security reasons as I originally expected.

I would like to see local resources on my LAN while connected to the VPN. Not for convenience but out of necessity. However I do not want the act of accessing these local resources to open up my LAN through their VPN.
LVL 77

Accepted Solution

by:Rob Williams (earned 350 total points)
>>"I do not want the act of accessing these local resources to open up my LAN through their VPN."
They won't.

In order to access your local printer, as you have stated, you will need to "Enable local LAN access (if configured)" in the AnyConnect client. When you do so the VPN connection will stop working because of a routing conflict between the local and remote sites. This is due to the local systems not knowing where to send the 192.168.0.x packets: should they be kept local or should they be forwarded, when they are the same? Routing is based on subnets. There are only 2 choices: keep local, when it matches the local subnet, or for anything else forward it to the DEFAULT gateway. Thus the VPN traffic will be kept local and lost.
Currently all traffic is routed to the corporate network because the default route for 192.168.0.x traffic is the VPN, thus you may be able to access the server.

There are only 2 ways to fix this: change your local subnet or change the corporate LAN. Though I appreciate the former is not a simple task in your case, I suspect the latter is not an option. Once you do so and "Enable local LAN access", only 192.168.0.x traffic will be routed to the corporate network and all other will be kept local or, in the case of Internet traffic, sent to your local gateway/router and on to the Internet. All very secure and separated.

As an alternative, with many ISPs you can place a switch between your home router and the modem and add a second router, subnet, and networked PCs. You could use this for your development network and only change its subnet.
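A small model of the routing decision described in the accepted answer, added here as an illustration and not part of any post in the thread. It assumes a host route table with a default route, a directly connected home route and a VPN route, that local LAN access is combined with split tunneling, and that on an equal-length prefix tie the directly connected route wins (a metric assumption); the addresses are constructed.

```python
import ipaddress

# Constructed values (not from the thread): the corporate LAN behind the VPN
# and one server on it; the home LAN is a parameter so both cases can be shown.
CORP_LAN = "192.168.0.0/24"
CORP_SERVER = "192.168.0.50"

def build_routes(home_lan, corp_lan, local_lan_access):
    """Approximate a VPN client's host routes as (prefix, exit) tuples.
    Full tunnel: everything goes into the VPN, so local devices vanish.
    Local LAN access with split tunnel: home subnet stays directly connected,
    the corporate prefix goes via the tunnel, the rest via the home router."""
    if not local_lan_access:
        return [("0.0.0.0/0", "vpn")]
    return [("0.0.0.0/0", "home-router"), (home_lan, "lan"), (corp_lan, "vpn")]

def resolve(routes, dst):
    """Longest-prefix match. On an equal-length tie the connected 'lan' route
    wins (assumption: it carries the lowest metric on the host)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, via)
        elif net.prefixlen == best[0].prefixlen and via == "lan":
            best = (net, via)
    return best[1]

def overlaps(home_lan, corp_lan):
    """The check IT applied: do the two address ranges collide at all?"""
    return ipaddress.ip_network(home_lan).overlaps(ipaddress.ip_network(corp_lan))

def where_traffic_goes(home_lan):
    """Where a corporate server, the home printer (host .20) and the Internet
    are sent once local LAN access is enabled for the given home subnet."""
    routes = build_routes(home_lan, CORP_LAN, local_lan_access=True)
    printer = str(ipaddress.ip_network(home_lan)[20])
    return {
        "conflict": overlaps(home_lan, CORP_LAN),
        "corp_server": resolve(routes, CORP_SERVER),  # "lan" = lost in the conflict case
        "home_printer": resolve(routes, printer),
        "internet": resolve(routes, "8.8.8.8"),
    }

if __name__ == "__main__":
    for lan in ("192.168.0.0/24", "192.168.75.0/24"):
        print(lan, where_traffic_goes(lan))
```

With the home LAN renumbered, the corporate server resolves to the tunnel and the printer stays local; with the overlap, corporate traffic never leaves the LAN.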
Author Comment

by:mike1142
Got it, thank you.
LVL 16

Expert Comment

by:vivigatt
While you are changing your local subnet, it may be a good idea to set up everything on it with DHCP.
If you need "static IP addresses", you can add DHCP reservations.
This way, you have a central point for managing all your IP addresses... just in case you have to change your subnet again, or for any other reason...