Netgate Discussion Forum

    Warning about internal IP Range (General pfSense Questions)
    Kevin 4

      When I was adding an allow rule to my OpenVPN interface, I received a message that indicated my internal network address range was very common and may conflict with an "internet cafe", so I may want to change my IP ranges?

      If I was to use a public internet source, it'd be over wifi and possibly sent through my VPN. Why would my internal network be an issue?

      Thank you for any input.

      johnpoz (LAYER 8 Global Moderator) @Kevin 4

        @kevin-4 the problem is, say you're at some cafe and the IP range is 192.168.0/24 and your home network is also 192.168.0/24 -- it's quite possible in there you could get an IP from the cafe wifi of 192.168.0.42 and that might be the exact address you're trying to access on your home network..

        But the problem is not just random chance you get the same exact IP, but if you're trying to go to 192.168.0.x and you're also on 192.168.0 on your remote device.. Why should it send traffic down the vpn, for from the client's point of view that 192.168.0.x address is local to it already.

        To reduce the possibility of that happening it's normally a good idea not to use the most common network ranges that lots of cafes, Starbucks, restaurants that just fire up the wifi router at the location with the default IP range, which is 192.168.0 or say 192.168.1/24

        So if you used some not so common IP range on your home network, say for example 172.29.12/24, it's less likely to run into an issue. Someone mentioned using 10.month.day/24 of your birthday which is a great idea I think.. or 10.day.month etc.. the only issue you run into is if the remote site uses just 10/8 -- which I have seen..

        I use 192.168.9 as my local lan, and then 192.2-8 for other networks.. It's rare that I would ever need/want access to my other vlans, and only really ever need access to my main PC via rdp, and I can do anything I need to do on my network.

        I have never run into an issue that I recall - most of those places use 192.168.0 or 192.168.1, so you should stay away from those. Don't use those as your tunnel network either, I have 2 different instances of openvpn running - for the tunnels I use 10.0.200 and 10.0.8/24

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          JKnott @Kevin 4

          @kevin-4

          If you pick one of those common address ranges and it's also used where you want to use your VPN, you will have an address conflict and won't be able to use the VPN. I ran into this several years ago, when I did a lot of travelling with my work. I'd find the hotel LAN was the same as I used at home. Because of this, I moved my home LAN to 172.16.0.0. I have only once seen anything starting with 172.16 used anywhere else.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

            daduls @johnpoz

            @johnpoz said in Warning about internal IP Range:

            Someone mentioned using 10.month.day/24 of your birthday which is great idea I think.. or 10.day.month etc..

            I thought this was a good idea before I knew the private IP 'norms', so I used my birthday (Jan 27) in the first octet. As you can imagine it caused me a few problems. Lesson learned local host ......

              johnpoz @daduls

              @daduls said in Warning about internal IP Range:

              birthday (Jan 27) in the first octet.

              yeah that won't work out very well ;)

              127 is localhost ;) if that is what you used 127.x.x.x

                Kevin 4

                Thank you all for the information and great advice. I think I'll move my internet network to the 172. address sets and use the 10. address sets for my VPN to avoid any future conflicts.

                This is a wonderful community!

                  daduls @johnpoz

                  @johnpoz said in Warning about internal IP Range:

                  127 is localhost ;) if that is what you used 127.x.x.x

                  That's what I thought I was going to use. My PFSense journey has been fun, I had no clue about RFC 1918 networks. Thought I could use any address I wanted.
                  My second choice ended with my Roku TV telling me it couldn't connect with the IP assigned. That's when I learned about RFC 1918. Teaching myself is rewarding but can be time consuming.

                  In racing they say crashing is learning. I've learned a couple things......

                    johnpoz @daduls

                    @daduls said in Warning about internal IP Range:

                    Thought I could use any address I wanted.

                    Well technically that is almost true, 127/8 is all localhost addresses though - can't talk to anything but yourself with 127.x.x.x. You could just randomly pick some public IP space and use it internally - just hope you don't actually ever want to go somewhere that is on that space..

                    It's bad practice, but technically there is nothing saying you couldn't use some of the space that MS owns for example - but you'd have a hard time actually talking to their services that might really be on some of that space.

                    There is plenty of rfc1918 space to choose from ;)

                      mer

                      I had an interesting variant of this, related to $WORK.

                      openvpn client to server at work, server at work pushed down all its data, routes.
                      Well slap me silly, a bunch of work pushed stuff overlapped my local home network, pretty much mucking up my default routes.
                      Solution? Change my local network from 192.168.x.0/24 to something like 192.168.251.0/24.

                      Pick oddballs; 137, 237, 159, etc. Everyone picks 1-10 or 254.

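To make the two failure modes in this thread concrete (johnpoz's cafe subnet colliding with the home LAN, and mer's work VPN pushing routes that overlap it), here is an added Python example that is not code from the thread or from pfSense. It checks a candidate home LAN against RFC 1918, the router defaults named above, the tunnel networks and any pushed routes, and models which way a client's routing table sends a packet; the range lists are constructed for the example.

```python
import ipaddress

# Constructed lists for this example: the RFC 1918 blocks, plus the router
# defaults the thread says cafes and hotels tend to ship with.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
COMMON_DEFAULTS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24")]


def check_lan(lan, tunnel_nets=(), pushed_routes=()):
    """Return the reasons why `lan` is a risky choice for a home LAN behind a VPN.

    tunnel_nets:   OpenVPN tunnel networks (must not overlap the LAN either)
    pushed_routes: routes a remote VPN server pushes to the client (mer's case)
    """
    lan = ipaddress.ip_network(lan, strict=False)
    problems = []
    if not any(lan.subnet_of(block) for block in RFC1918):
        # Catches 127.x.x.x (loopback) and borrowed public space alike.
        problems.append(f"{lan} is not RFC 1918 private space")
    for net in COMMON_DEFAULTS:
        if lan.overlaps(net):
            problems.append(f"{lan} overlaps common router default {net}")
    for net in map(ipaddress.ip_network, tunnel_nets):
        if lan.overlaps(net):
            problems.append(f"{lan} overlaps VPN tunnel network {net}")
    for net in map(ipaddress.ip_network, pushed_routes):
        if lan.overlaps(net):
            problems.append(f"{lan} overlaps route pushed by remote VPN {net}")
    return problems


def next_hop(dest, client_lan, vpn_routes):
    """Model the client's routing decision: the longest prefix wins, and on a
    tie the directly connected (cafe wifi) route beats the route the VPN added,
    so a home address inside the cafe subnet never enters the tunnel."""
    dest = ipaddress.ip_address(dest)
    client_lan = ipaddress.ip_network(client_lan, strict=False)
    best = ("local", client_lan.prefixlen) if dest in client_lan else ("internet", -1)
    for route in map(ipaddress.ip_network, vpn_routes):
        if dest in route and route.prefixlen > best[1]:
            best = ("vpn", route.prefixlen)
    return best[0]
```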
                        JKnott @johnpoz

                        @johnpoz said in Warning about internal IP Range:

                        There is plenty of rfc1918 space to choose from ;)

                        Today I was doing some work at my ISP's head end and I noticed a lot of addresses in 172.16.24.x. While I have seen it lately, years ago traceroute showed 10.x.y.z on their internal network.

                          AndyRH

                          I always pick even subnets, that way I can change from /24 to /23 and not affect anything.
                          For the VPNs I always use 172.16 addresses.

                          o||||o
                          7100-1u

                            JKnott @AndyRH

                            @andyrh said in Warning about internal IP Range:

                            For the VPNs I always use 172.16 addresses.

                            I have a /56 IPv6 prefix, which gives me 256 /64s. I match up the 3rd octet, in 172.16.x.y, with the prefix ID.

                              Kevin 4 @daduls

                              @daduls
                              Very time consuming!! Took all day to convert, but I moved to a 172.16.0.0 address setup.

                                daduls @Kevin 4

                                @kevin-4 But very rewarding when things work out. Hope your new setup stands the test of time.

                                  Kevin 4 @johnpoz

                                  @johnpoz
                                  Well, everything was working fine overnight with the 172.16.0.0 and then it broke. Currently, I cannot seem to get the internet to pass to the network after the address change. The pfSense diagnostics can ping the internet and all the interfaces show working, but no internet.

                                  After getting frustrated troubleshooting, I reloaded a config file to reset everything and I was able to connect to the internet again. So I changed a single interface to one of the new addresses again (172.16.10.1/24) and updated the DHCP pool. I then reconnected to the pfSense via a cable using the new address and the computer won't connect to the internet. When I log in to the pfSense using an interface with an old IP setup I can connect to the internet on the computer.

                                  I have no idea what setting I'm doing wrong...

                                    FSC830

                                    If you are using 172.16.0.0 and the client uses 172.16.10.1/24, these two will never connect.
                                    The client also needs a netmask which allows it to reach the 172.16.0.0 network; use a /16 (255.255.0.0) and reduce step by step if needed.

                                    Regards

                                      Kevin 4 @FSC830

                                      @fsc830
                                      Appreciate the input, but that address is just an example. I've changed all the IPs on my switches and routers to the new address so they will connect. Everything was up and running, so I'm not sure if there was a slow setting change or what?

                                      I did try a /16 instead of the /24, but it was the same deal.

                                        daduls @Kevin 4

                                        @kevin-4 Have you updated all your firewall rules, aliases and NAT?

                                          Kevin 4 @daduls

                                          @daduls
                                          As far as firewall rules, I added a new 'allow all' rule to the top of the interface rule set to test it, but I haven't done anything to the aliases, but I'll try disabling them. Do the rules need to be recreated when an interface changes IP?

                                          When it comes to working with NAT, I wouldn't know what to check, I'm clueless...

                                            Kevin 4 @Kevin 4

                                            @kevin-4
                                            I went ahead and deleted the firewall rules and aliases and now only have an allow all for testing. I also looked at the NAT and it shows an automatic entry for the new IP address.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.