Solved

Routing Question

Posted on 2014-09-22
Last Modified: 2014-10-07
We have a client that is in a bit of a pickle right now. They have two sites: a main location (location A) and a satellite location (location B). They are connected via a Branch VPN tunnel through two WatchGuard firewalls.

Location A is using a 192.168.10.0/24 network.
Location B is using a 192.168.1.0/24 network.

We are having trouble giving remote (home) users access to a server at site B. Unfortunately these home users are also on a 192.168.1.0 network, which I assume is why we are having the problem. The home users VPN into location A via RRAS. Are we completely screwed because the home users are on the same network as location B, which is the location with the server they are trying to access remotely? Wouldn't it be possible to create a static route on the home user's PC saying that all traffic destined for 192.168.1.15 should use 192.168.10.1 as a gateway? I did try this but it didn't work.

I'm desperate to find a temporary way to get the home users access to location B. I realize that we will need to re-IP location B; however, we can't do that immediately.
0
Question by:StarfishTech
7 Comments
 
LVL 94

Assisted Solution

by:John Hurst
John Hurst earned 100 total points
ID: 40337845
The easiest short-term way to fix this is to ask home users to change their subnet from .1 to (say) .25. Ask them for the make of their router, look up the documentation and give them directions on how to change it. I have done this before and it works.
0
 
LVL 28

Accepted Solution

by:
mikebernhardt earned 100 total points
ID: 40337848
The problem isn't just at the home user's end, it's also at Location B. Location B will NEVER send traffic to 192.168.1.0 anywhere but local because it believes it's local. It never hits a router to be redirected anywhere. Same for the home user.

If your VPN equipment at Location A can support it, I would suggest doing 2-way NAT for the remote users. That way your locations will see user traffic as something other than 192.168.1.x.
0
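The forwarding decision this answer describes, as an added example that is not part of the original thread: a longest-prefix-match lookup run against constructed routing tables for a home client and for the server at Location B. The home client address 192.168.1.50, the Location B gateway 192.168.1.1 and the table contents are assumptions; 192.168.1.15, 192.168.10.1 and 192.168.10.254 are taken from the thread.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match: return (prefix, gateway) of the most specific
    route that covers dst, as an IP stack does when forwarding a packet."""
    addr = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(prefix), gw) for prefix, gw in routes]
    matches = [(net, gw) for net, gw in candidates if addr in net]
    net, gw = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), gw

# Constructed table for a home client connected to the VPN (assumed layout).
HOME_CLIENT = [
    ("0.0.0.0/0", "192.168.10.1"),      # all traffic routed over the VPN
    ("192.168.1.0/24", "on-link"),      # the user's own home LAN
]

# The static host route from the question.
HOST_ROUTE = ("192.168.1.15/32", "192.168.10.1")

# Constructed table for the server at Location B (gateway address assumed).
SITE_B_SERVER = [
    ("0.0.0.0/0", "192.168.1.1"),
    ("192.168.1.0/24", "on-link"),
]

def report():
    """Return the forwarding decision for each case discussed in the thread."""
    return {
        # The home LAN /24 is more specific than the VPN default route.
        "client, no host route": next_hop(HOME_CLIENT, "192.168.1.15"),
        # A /32 is more specific than the /24, so the client now uses the VPN.
        "client, host route": next_hop(HOME_CLIENT + [HOST_ROUTE], "192.168.1.15"),
        # A reply to a source that looks like 192.168.1.x never reaches a router.
        "server reply to 192.168.1.50": next_hop(SITE_B_SERVER, "192.168.1.50"),
        # A reply to a translated or RRAS-assigned source goes to the gateway.
        "server reply to 192.168.10.254": next_hop(SITE_B_SERVER, "192.168.10.254"),
    }

if __name__ == "__main__":
    for case, (prefix, gw) in report().items():
        print(f"{case:32} -> {prefix:18} via {gw}")
```
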
 
LVL 12

Expert Comment

by:Bryant Schaper
ID: 40337881
What about routing all traffic over the VPN, once the user connects, i.e. this would be internet and LAN traffic, then 192.168.1.x is all in the same network.

Was looking at assigning a unique DHCP scope to RRAS, but I am not seeing anything yet
0
 
LVL 69

Assisted Solution

by:Qlemo
Qlemo earned 100 total points
ID: 40337882
I'm assuming clients are able to contact any IP in location A.

Since the clients dial in with RRAS, they should get a NATted address of location A anyway (either via DHCP or from a static RAS address pool). Let's assume the client gets 192.168.10.254.
A route of 192.168.1.15 via 192.168.10.1 should work then. The client sends data with a source IP of 192.168.10.254, RRAS listens to all traffic for that IP and acts as a proxy for it to be able to forward traffic back to the RRAS client.

But if you have set up RRAS to use a different network, say 192.168.254.0/24, and not put the correct routes into the default gateway of B, reply traffic cannot flow back to RRAS and hence to the home users.

For diagnostics, set the route on a client while connected, and start a
  tracert -d -w 100 192.168.1.15
to see which way packets go, and which router/device responds last.
0
 

Author Comment

by:StarfishTech
ID: 40337952
Qlemo, you are correct. Clients are able to access anything on the 10.x network. When the client connects in with RRAS, they get a 10.x IP.

Bryant, I do have the "route all traffic over VPN" selected in the VPN settings of their Mac.
0
 
LVL 12

Assisted Solution

by:Bryant Schaper
Bryant Schaper earned 100 total points
ID: 40337968
Shot in the dark, check this out. Seems to fix your problem, and you could use 172.16.1.x 255.255.255.0 for the range, nobody seems to use it at home.

http://technet.microsoft.com/en-us/library/dd469667.aspx
0
 
LVL 16

Assisted Solution

by:vivigatt
vivigatt earned 100 total points
ID: 40340280
Basically, and if you want to keep things simple, you can't have 2 networks that are interconnected (routing enabled) and that have the same subnet.
The easiest way is for you to use another subnet than 192.168.1.0 for your professional networks, since 192.168.1 (and 192.168.0) are usually used by home users.
It is good practice, when setting up a network that users will have to connect to remotely, to avoid IP subnets usually used by home users.
Use 192.168.192.0 or a class B (172.16.x.x) and you should usually be safe.
0
