Solved

Routing Question

Posted on 2014-09-22
229 Views
Last Modified: 2014-10-07
We have a client that is in a bit of a pickle right now. They have two sites: a main location (location A) and a satellite location (location B). They are connected via a Branch VPN tunnel through two WatchGuard firewalls.

Location A is using a 192.168.10.0/24 network.
Location B is using a 192.168.1.0/24 network.

We are having trouble giving remote (home) users access to a server at site B. Unfortunately these home users are also on a 192.168.1.0 network, which I assume is why we are having the problem. The home users VPN into location A via RRAS. Are we completely screwed because the home users are on the same network as location B, which is the location with the server they are trying to access remotely? Wouldn't it be possible to create a static route on the home users' PCs saying that all traffic destined for 192.168.1.15 should use 192.168.10.1 as a gateway? I did try this, but it didn't work.

I'm desperate to find a temporary way to get the home users access to the location B. I realize that we will need to re-ip location B - however we can't do that immediately.
Question by:StarfishTech
7 Comments
Assisted Solution

by: John Hurst
John Hurst earned 100 total points
The easiest short-term way to fix this is to ask home users to change their subnet from .1 to (say) .25. Ask them for the make of their router, look up the documentation and give them directions on how to change it. I have done this before and it works.
Accepted Solution

by: mikebernhardt
mikebernhardt earned 100 total points
The problem isn't just at the home users' end; it is also at Location B. Location B will NEVER send traffic to 192.168.1.0 anywhere but local, because it believes it's local. It never hits a router to be redirected anywhere. Same for the home user.

If your VPN equipment at Location A can support it, I would suggest doing 2-way NAT for the remote users. That way your locations will see user traffic as something other than 192.168.1.x.
Expert Comment

by: Bryant Schaper
What about routing all traffic over the VPN once the user connects, i.e. both internet and LAN traffic? Then 192.168.1.x is all in the same network.

I was looking at assigning a unique DHCP scope to RRAS, but I am not seeing anything yet.
Assisted Solution

by: Qlemo
Qlemo earned 100 total points
I'm assuming clients are able to contact any IP in location A.

Since the clients dial in with RRAS, they should get a NATted address of location A anyway (either via DHCP or from a static RAS address pool). Let's assume the client gets 192.168.10.254.
A route of 192.168.1.15 via 192.168.10.1 should work then. The client sends data with a source IP of 192.168.10.254, RRAS listens to all traffic for that IP and acts as a proxy for it to be able to forward traffic back to the RRAS client.

But if you have set up RRAS to use a different network, say 192.168.254.0/24, and not put the correct routes into the default gateway of B, reply traffic cannot flow back to RRAS and hence to the home users.

For diagnostics, set the route on a client while connected, and start a
  tracert -d -w 100 192.168.1.15
to see which way packets go, and which router/device responds last.
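To make the routing argument in mikebernhardt's and Qlemo's answers concrete, here is an added example (not code from the thread) that runs a longest-prefix-match lookup over small routing tables for the home Mac, the Location B server and the Location B gateway. The prefixes 192.168.1.0/24 and 192.168.10.0/24, the host 192.168.1.15 and the RAS address 192.168.10.254 come from the question; 192.168.10.1 as the tunnel next hop, 192.168.1.254 as Location B's WatchGuard, the 192.168.254.0/24 alternative pool and the interface names are assumptions for illustration.

```python
"""Longest-prefix-match walk-through for the overlapping-subnet VPN case.

Added example, not code from the thread. Prefixes 192.168.1.0/24,
192.168.10.0/24, the host 192.168.1.15 and the RAS address 192.168.10.254
come from the question; 192.168.10.1 as tunnel next hop, 192.168.1.254 as
Location B's WatchGuard and the interface names are assumptions.
"""
from ipaddress import ip_address, ip_network


def lookup(routes, dst):
    """Return (prefix, next_hop) of the most specific route matching dst.

    routes is a list of (prefix, next_hop); next_hop None means the prefix
    is directly connected, so the host ARPs for dst on the LAN instead of
    forwarding it. Returns None when nothing matches.
    """
    dst = ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best


def next_hop(routes, dst):
    """Just the next hop of the winning route ('connected' for on-link)."""
    hit = lookup(routes, dst)
    if hit is None:
        return "unroutable"
    return "connected" if hit[1] is None else hit[1]


# Home Mac on a 192.168.1.0/24 LAN with "send all traffic over VPN" on.
HOME_CLIENT = [
    ("192.168.1.0/24", None),        # connected home LAN
    ("0.0.0.0/0", "192.168.10.1"),   # default via the RRAS tunnel (assumed)
]
# Same client after the /32 host route from the question is added.
HOME_CLIENT_HOST_ROUTE = HOME_CLIENT + [("192.168.1.15/32", "192.168.10.1")]

# Server at Location B, connected to 192.168.1.0/24 (gateway .254 assumed).
SITE_B_SERVER = [
    ("192.168.1.0/24", None),
    ("0.0.0.0/0", "192.168.1.254"),
]
# Location B WatchGuard: the branch VPN only carries Location A's /24 (assumed).
SITE_B_GATEWAY = [
    ("192.168.1.0/24", None),
    ("192.168.10.0/24", "branch-vpn"),
    ("0.0.0.0/0", "isp"),
]


def reply_path(source_ip):
    """Where Location B sends the reply to a packet that arrived from source_ip."""
    first = next_hop(SITE_B_SERVER, source_ip)
    if first == "connected":
        return ["server ARPs on 192.168.1.0/24 (never reaches the tunnel)"]
    return ["server -> " + first, "gateway -> " + next_hop(SITE_B_GATEWAY, source_ip)]


if __name__ == "__main__":
    print("client, no host route :", next_hop(HOME_CLIENT, "192.168.1.15"))
    print("client, /32 host route:", next_hop(HOME_CLIENT_HOST_ROUTE, "192.168.1.15"))
    for src in ("192.168.1.77", "192.168.10.254", "192.168.254.7"):
        print("reply to", src, ":", reply_path(src))
```

The client side behaves as the question hoped: the /32 is more specific than the connected /24, so only 192.168.1.15 is pushed into the tunnel and the rest of the home LAN stays reachable. Whether the reply comes back depends on the source address Location B sees: a 192.168.1.x source is answered on B's own LAN and lost, a source from the 192.168.10.0/24 RAS pool rides the existing branch VPN route, and a source from a separate pool such as 192.168.254.0/24 falls through to B's default route unless the WatchGuard at B is given a route for that pool.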
Author Comment

by: StarfishTech
Qlemo, you are correct. Clients are able to access anything on the 10.x network. When the client connects in with RRAS, they get a 10.x IP.

Bryant, I do have "route all traffic over VPN" selected in the VPN settings of their Mac.
Assisted Solution

by: Bryant Schaper
Bryant Schaper earned 100 total points
Shot in the dark, check this out. It seems to fix your problem, and you could use 172.16.1.x 255.255.255.0 for the range; nobody seems to use it at home.

http://technet.microsoft.com/en-us/library/dd469667.aspx
Assisted Solution

by: vivigatt
vivigatt earned 100 total points
Basically, if you want to keep things simple, you can't have two networks that are interconnected (routing enabled) and that have the same subnet.
The easiest way is for you to use another subnet than 192.168.1.0 for your professional networks, since 192.168.1 (and 192.168.0) are usually used by home users.
It is good practice, when setting up a network that users will have to connect to remotely, to avoid the IP subnets usually used by home users.
Use 192.168.192.0 or a class B (172.16.x.x) and you should usually be safe.
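Bryant Schaper's and vivigatt's answers both come down to choosing an address range that collides with nothing on either side of the tunnel. The following added example (not code from the thread) checks candidate RRAS pools against the two site prefixes from the question and against a constructed sample of prefixes consumer routers hand out by default, and flags pools that fall outside Location A's /24 because, as Qlemo notes, Location B's gateway then needs a route for them. The candidate list follows the suggestions in the thread; the home-prefix list and its ordering are assumptions.

```python
"""Choose an RRAS address pool that collides neither with the sites nor
with common home LANs.

Added example, not code from the thread. The two site prefixes are from
the question; the candidate pools follow suggestions in the thread and
the list of home prefixes is a constructed sample.
"""
from ipaddress import ip_network

SITE_NETWORKS = {
    "Location A": ip_network("192.168.10.0/24"),
    "Location B": ip_network("192.168.1.0/24"),
}

# Constructed sample of prefixes consumer routers hand out by default;
# replace it with what your own VPN logs show for connecting clients.
TYPICAL_HOME_NETWORKS = [ip_network(p) for p in (
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
    "192.168.100.0/24", "10.0.0.0/24", "10.0.1.0/24",
)]

# Candidates in the order the thread mentions them plus one more alternative.
CANDIDATE_POOLS = [
    "192.168.1.0/24",    # what the home users already have: must fail
    "192.168.0.0/24",    # the other common home default: must fail
    "172.16.1.0/24",     # Bryant Schaper's suggestion
    "192.168.254.0/24",  # a further alternative (assumption)
]
AVOID = list(SITE_NETWORKS.values()) + TYPICAL_HOME_NETWORKS


def collisions(candidate, networks):
    """Prefixes in networks that share at least one address with candidate."""
    candidate = ip_network(candidate)
    return [str(n) for n in networks if candidate.overlaps(n)]


def pick_pool(candidates, avoid):
    """First candidate that overlaps nothing in avoid, or None if all collide."""
    for c in candidates:
        if not collisions(c, avoid):
            return str(ip_network(c))
    return None


def needs_route_at_site_b(pool):
    """True when the pool lies outside Location A's /24.

    The branch VPN between the WatchGuards carries 192.168.10.0/24, so a
    pool inside it rides that route for free; anything else must be added
    to Location B's gateway or replies never reach the RRAS server.
    """
    return not ip_network(pool).subnet_of(SITE_NETWORKS["Location A"])


if __name__ == "__main__":
    for c in CANDIDATE_POOLS:
        print(c, "collides with", collisions(c, AVOID) or "nothing",
              "| extra route at B:", needs_route_at_site_b(c))
    print("chosen pool:", pick_pool(CANDIDATE_POOLS, AVOID))
```

Run as-is the script rejects the two 192.168.x defaults and settles on 172.16.1.0/24, which is clean but does need a route on Location B's WatchGuard. A pool carved out of 192.168.10.0/24 (for example a /25 at the top of Location A's range) passes the same overlap check and needs no extra route, which is the trade-off to weigh before re-IPing Location B.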