LICOMPGUY asked:

Gateway conflict - when VPNing in

Small Business gateway IP conflict when VPNing in

We have a client that started out about 18 years ago with 7 employees and peer to peer. At that time using a VPN client was not that common, at least not for this client, and often cost-prohibitive. Since then they have grown to 50 employees, 5 virtual servers on a vSphere 5.x host, possibly VoIP (I have to find out), and a few devices with static IP addresses. The Internet service providers in the area at the time were not using the same gateway on their devices for the home networks; in fact most individuals had to provide their own routers and the ISP only put the modem in place.

What we have in the office is a gateway of 192.168.1.1. Over the years, the hardware provided by the ISPs has often used that same default gateway IP address for the home networks.
We have been using Netgear's FVS-336V series devices for router and VPN. We are phasing these out, as they are no longer supported, and it looks like we are going to Sonicwall.
We have remoted into a few employees' homes and changed the default gateways on their home networks to, I would say technically, a class B address, 172.16.120.1 with a 24-bit mask. When we have done so, it eliminates the conflict with the gateway in the office. Needless to say, VPN works fine when it is changed.

My first question is: is there a way to prevent the routing conflict if the internal gateway at the office is the same as the home user's gateway? I am thinking not.

That being said, would you guys agree with going with, say, 10.170.1.1 with a 24-bit mask? If we implement a new Sonicwall router and change it to the new addressing scheme, does anyone foresee any issues changing the address on the Windows 2012 domain controllers, file servers, etc., and the DNS/DHCP range?

Thoughts/ideas?  Thanks guys!
ASKER CERTIFIED SOLUTION
John
This solution is only available to members.
LICOMPGUY (asker):
Hey John

Thanks for the reply.  Isn't it still going to try to route it that way until it finishes checking the first two octets and therefore may not totally eliminate the problem?

Thanks!!!
In your size of business there should not be any VPN routing options from a home setup
Meaning no choice other than to change the network in the office - is that what you mean? Just was concerned about leaving the first two octets the same. I wouldn't want to do this a third time! ;-)

Thanks!!!
SOLUTION
Rob Williams
This solution is only available to members.
Yes for long term convenience and reliability, you want to use a subnet that home routers do not
Hey John/Rob

So I guess what John was saying by changing the third octet would work because it changes the ID and would eliminate the conflict as well.  I was just thinking based on training from years ago, that it was still going to look at the first two octets on both networks before deciding where the VPN connection would need to go.

Just have to look at changing the esx host IP/vcenter.   Can either of you see any reason why changing the ip address of the domain controllers should be an issue at all, as long as I delete DNS cached entries and update DHCP?

Thanks guys!  I appreciate your help.
Yes, as John said, change the 3rd octet to something uncommon. First 2 octets really have no bearing here, unless you have a subnet mask of 255.255.0.0 or 255.0.0.0

You can change Domain IPs but make sure DNS updates the servers.  It can play havoc with Exchange if you have it.
Any chance you are running Small Business server or Essentials?  If so make sure you use the wizards to make the change.
If any help, a good article on changing Domain Controller IP
https://www.petri.com/change-ip-address-domain-controller
For most VPN, the internal subnetting rules are part of the (IPsec) VPN setup and define the endpoints at each end. Normally no additional work for you to do.
Rob/John  - thank you!!

So John - are you saying then, with a Sonicwall, the VPN rules can be managed internally and it would not make a difference if the gateways are the same on each end - or did I misunderstand you? I have a Sonicwall I am going to put in place in my office for testing as soon as I can get an outage here.
Sorry, I should be clearer. You have a network that has a subnet (presumably not multiple subnets). It is this subnet that goes in the VPN setup. The VPN and the internal network must be the same.
Keep in mind, it's not just the gateways, though that is usually all that comes into play.  Every hop, pc to router, router to modem, every Internet connection between ISP routers, server end modem to router, server end router to other subnets (if any), to server, all must use a different network ID or routing cannot take place.  We don't have to worry about conflicts with the Internet as they generally do not use private IP addressing, i.e. 192.168.x.x, 10.x.x.x, 172.16-32.x.x

If you disable Split tunneling on your new configuration, which should be done by default, you "may" be able to work both gateways using the same network ID.  Have to be different IPs though.  It works in some situations.
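As an added illustration of the two points made above (the mask, not the first two octets, decides whether two networks collide, and every hop must carry a distinct network ID or the host cannot pick a route), here is a small Python script that is not part of the original thread. All addresses in it are constructed sample values, the route-table labels are hypothetical, and it uses only the standard-library `ipaddress` module:

```python
import ipaddress
from typing import List, Tuple

# Constructed sample values for this example (not the thread's own numbers):
# a typical ISP-router default at home, the office as it is today, and the
# office after renumbering into an uncommon 10.x /24.
HOME_LAN = "192.168.1.0/24"
OFFICE_LAN_NOW = "192.168.1.0/24"   # same network ID as the home LAN
OFFICE_LAN_NEW = "10.160.1.0/24"    # candidate replacement

Route = Tuple[str, str]  # (destination prefix, hypothetical label of the way out)


def network_id(ip: str, prefix_len: int) -> str:
    """Network ID of an interface address under its mask.

    192.168.1.37/24 -> 192.168.1.0/24. Only the bits covered by the mask
    count; the first two octets have no special role.
    """
    return str(ipaddress.ip_interface(f"{ip}/{prefix_len}").network)


def subnets_conflict(a: str, b: str) -> bool:
    """True when the two prefixes share at least one address.

    A conflict means a VPN client ends up with two routes covering the same
    destinations. For two /24s, changing only the third octet is enough;
    a /16 at one end swallows every 192.168.x.0/24 at the other.
    """
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def best_routes(dst: str, table: List[Route]) -> List[str]:
    """Longest-prefix match, as a host's IP stack does it.

    Returns the labels of every route tied at the longest matching prefix.
    One label: the packet has an unambiguous way out. Two labels: the host
    breaks the tie by metric or interface order, which is the 'works for
    some people, not for others' behaviour seen on VPN clients.
    """
    d = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), via) for p, via in table
               if d in ipaddress.ip_network(p)]
    if not matches:
        return []
    longest = max(n.prefixlen for n, _ in matches)
    return [via for n, via in matches if n.prefixlen == longest]


# Route table of a home PC with the tunnel up, office still on 192.168.1.0/24.
ROUTES_CONFLICT: List[Route] = [
    ("0.0.0.0/0", "home-router"),
    (HOME_LAN, "home-lan"),       # directly connected
    (OFFICE_LAN_NOW, "vpn"),      # pushed by the VPN (split tunnel)
]

# Same PC after the office moves to 10.160.1.0/24.
ROUTES_FIXED: List[Route] = [
    ("0.0.0.0/0", "home-router"),
    (HOME_LAN, "home-lan"),
    (OFFICE_LAN_NEW, "vpn"),
]

# Full tunnel (split tunnelling disabled) with the office still on
# 192.168.1.0/24: the default route now points into the tunnel, but the
# directly connected /24 is still present and still longer than /0.
ROUTES_FULL_TUNNEL: List[Route] = [
    ("0.0.0.0/0", "vpn"),
    (HOME_LAN, "home-lan"),
]


if __name__ == "__main__":
    print(network_id("192.168.1.37", 24))                         # 192.168.1.0/24
    print(subnets_conflict("192.168.1.0/24", "192.168.57.0/24"))  # False
    print(subnets_conflict("192.168.0.0/16", "192.168.57.0/24"))  # True
    print(best_routes("192.168.1.50", ROUTES_CONFLICT))           # ['home-lan', 'vpn']
    print(best_routes("10.160.1.50", ROUTES_FIXED))               # ['vpn']
    print(best_routes("192.168.1.50", ROUTES_FULL_TUNNEL))        # ['home-lan']
```

The last case is why a full tunnel only "may" help: an office server at 192.168.1.50 still matches the home PC's connected /24, so the packet never enters the tunnel. On a Windows client the same tie shows up in `route print` as two rows with identical Network Destination and Netmask columns.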
Hey Rob

Working in some situations - they are so fed up with the conflicts they are seeing now, I need to make sure it is as rock solid as possible with the fewest problems. So that may not be a good idea. I can't thank you guys enough for your time and the info.
So long as subnets are truly difficult there should not be any VPN conflicts . We use VPN at all our clients and there are no conflicts
I agree with John.  Just use an odd Subnet.  
Good rule of thumb, regardless of VPNs or not, is never set up a network with common subnets.  It always comes back to bite you a year or two later :-)

Another good rule is to buy a router that does not have a reset button, like Business Class Cisco's.  That way users can't reset to default 192.168.1.x :-)
Hey John - which again I guess brings us back to the original issue with having the same gateway/network id

I guess it shouldn't be too bad to redo the network for the whole office.  Just need to plan it out a bit.

I know some appliances were able to bind their own IP upon VPN connection, I think that was taking the conflict out of the equation, but I guess that is difficult to find, and I am not sure if it binds it to a virtual adapter and therefore there can still be a conflict.

Thanks
We have a client that started out about 18 years ago with 7 employees, ...  then they have grown to 50 employees,

That is a small business (I deal with this daily).  Yes, you need to change the business subnet to an odd subnet and then you should have no conflicts.
Gents

Tremendously helpful.  Just set up a sonicwall in my office for testing, going forward we will go with 10.160.1.1 internally, and we will put together a plan for the network changes to occur over a long weekend. Thanks again!
Sorry for the lack of response - guys both super helpful!  Thanks for your time!!
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- 'John' (https:#a42497732)
-- 'Rob Williams' (https:#a42497759)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer