IP Conflicts on LAN of VPN Client… Advice?
-
Hi,
We have been using OpenVPN via pfSense for a year or two now, but I'm no expert.
I have a piece of industrial machinery that has its own small 192.168.1.0/24 private network.
It connects to wifi and VPN's "back home" to our pfSense implementation, and gets a 10.0.8.0 address.
All is well, like any other client, however, when the machine is connected up, it cannot communicate with any other 192.168.1.x devices. I think this is because it has a route through the 10.0.8.x adapter and it can't find its local network devices since it is looking on the remote network. Right?
Any idea how I can fix this? I don't need access to the remote office network, but I'd like the office network to have access to the vpn client's 10.0.8.x address to remote debug… is it possible to have it both ways?
Is there other information out there on how to deal with this local network conflict?
Thanks for helping out a newb :)
-
You'll have to NAT between them to eliminate the conflict.
-
Well, the 'industrial equipment' is behind a NAT router, but the VPN hops right across that and undoes my NAT basically, right?
I may just have to change the LAN network over on the equipment end so the conflict is resolved that way instead. I'd still like to know what the right way is to handle this.
For some reason a certain level of networking has always escaped my knowledge… I break down around routes and multiple network per machine priority and whatnot. :(
-
What is the router on the industrial equipment side, is it your WiFi access point or some other dedicated device?
You mention the machinery:
VPN's "back home" to our pfSense implementation, and gets a 10.0.8.0 address
Is this VPN connection across the internet or between buildings, same office?
What is the subnet of your "home" pfsense network? If it's the same as the machinery's (192.168.1.0/24) you're going to have issues.
Switching the machinery's subnet to something else is the fastest solution - unless that breaks other things…..
-
Thanks, I'll probably just change the subnet over since its more or less arbitrary.
Here is how the network works:
Industrial Machine (192.168.1.x/24) <=> NAT Wifi 4G Hot spot "Puck" <=> INTERNET <=> pFSense at Office <=> Office LAN (192.168.1.x/24)
-
just create a 1:1 NAT to the destination LAN with a subnet that is not common.
-
I never really understood 1:1 NAT, I will do some reading.
Thanks for the suggestion.
-
Sorry to bring up an old topic, but originally to solve this I simply changed subnets on the industrial machinery… no problem, worked great.
Now, I'm in a similar situation, but I don't control the remote subnet now, and they again conflict.
So, can someone kindly help me with the how and why a 1:1 NAT would work in this case?
A quick recap:
Local LAN at HQ = 192.168.1.0/24
Local OpenVPN running at HQ = 10.0.8.0/24 (tunnel network)
Client LAN at Remote site = 192.168.1.x
Client runs OpenVPN client on Windows behind NAT firewall to connect to HQ pfSense.
When the client connects, it gets a static 10.0.8.* address, and can communicate with HQ. The problem is it cannot communicate with its own local 192.168.1.1 (for instance) because it conflicts with the 192.168.1.1 server on the HQ network.
I think 1:1 NAT can work through this problem, but I don't really get how it works or how to configure it. The remote client never needs to contact our HQ servers, but I need to be able to RDP to the remote client. Can I do a client override of a route or something like that?
Thanks.
-
Could IPv6 be the answer to my conflicted IPv4 subnetting issues? If I simply disable IPv4 on the client?
-
Why don't you just move yourself out of the net that conflicts with half of the world?
-
Haha, that is on my TODO list. The company is older than my employment here… though it is a small company, so that change will be made eventually, it just never seems like a good time to make it.
We often integrate our machines into much larger industrial automation networks, so the chance of conflicting again is pretty high no matter what my subnet is. I think maybe another answer is a dedicated OpenVPN server for these machines that does not reach our LAN. Even that has road blocks here and there.
I was hoping for a solution where I don't have to go re-set all the static IPs of my printers and servers. Thanks for the suggestion however, it will be strongly considered.
I'm also trying to dive deeper into networking but it is not coming all that easily at a certain point for me.
-
You can assign the tun interface and do 1:1 NAT there… I don't see how this is a good solution though.
-
Me either, but I don't see how it will help me at all. I guess it translates all the IPs on the HQ subnet over to a different range maybe?
-
I wonder…
If I bring up a second OpenVPN instance on the server, but on a different port, I could just not pass the route to the LAN on that instance. Then, to access these 'problem machines' with the conflicting networks, I could just have my client computers connect to that instance instead, and talk on the virtual IPs for what we need to get done.
Seems legit, see why that would not work? Not as nice of course, but... could get me through the trouble.
-
I guess it translates all the IPs on the HQ subnet over to a different range maybe?
Yes of course, that is the whole point… you point the remote site to the NATed ones, instead of the conflicting subnet.
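The mechanism the last reply describes, worked through as an added example (this is not code from the thread, from pfSense or from OpenVPN). It models the recap's addresses: HQ LAN 192.168.1.0/24, tunnel 10.0.8.0/24, and a remote client whose own LAN is also 192.168.1.0/24. Everything else is assumed for illustration: the alias network 10.99.1.0/24 that the HQ LAN is shown as over the VPN, the interface names wlan0/tun0, the route metrics, and the HQ host 192.168.1.50 that wants to RDP to the client. It shows why the duplicated /24 breaks the client's local LAN, why simply not pushing the HQ route is not enough on its own, and how a 1:1 (pf binat / NETMAP style) translation on the tunnel fixes both.

```python
"""Added worked example, not code from the thread or from pfSense/OpenVPN.

Models the recap: HQ LAN 192.168.1.0/24, tunnel 10.0.8.0/24, remote client LAN
also 192.168.1.0/24.  The alias network 10.99.1.0/24, the interface names, the
metrics and the HQ host 192.168.1.50 are assumptions made here, not from the page."""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    iface: str
    metric: int


def lookup(table, dst):
    """Longest-prefix match; among equal-length prefixes the lowest metric wins,
    which is how a host has to choose between two identical /24 routes."""
    dst = IPv4(dst)
    hits = [r for r in table if dst in r.prefix]
    if not hits:
        return None
    return min(hits, key=lambda r: (-r.prefix.prefixlen, r.metric))


def netmap(addr, from_net, to_net):
    """1:1 NAT the way pf binat / iptables NETMAP do it: keep the host bits of the
    address and swap in the other network's prefix.  Applied with the networks
    reversed it undoes itself, which is why one rule serves both directions."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 NAT needs two networks of the same size")
    addr = IPv4(addr)
    if addr not in from_net:
        return addr                      # not in the translated range: untouched
    host_bits = int(addr) & int(from_net.hostmask)
    return IPv4(int(to_net.network_address) | host_bits)


HQ_LAN = Net("192.168.1.0/24")
ALIAS = Net("10.99.1.0/24")              # assumed: what the HQ LAN looks like over the VPN

# Remote client's table as the thread describes it: its own LAN on the Wi-Fi adapter,
# plus the tunnel and the HQ LAN route OpenVPN pushed over it.  Metrics are constructed
# so the tunnel copy of 192.168.1.0/24 wins, matching the symptom reported (the local
# 192.168.1.1 becomes unreachable while HQ can still reach the client).
CONFLICTED = [
    Route(Net("0.0.0.0/0"), "wlan0", 25),
    Route(Net("192.168.1.0/24"), "wlan0", 25),   # client's real local LAN
    Route(Net("10.0.8.0/24"), "tun0", 5),        # tunnel network
    Route(Net("192.168.1.0/24"), "tun0", 5),     # HQ LAN route pushed by the server
]

# Same client after the fix: the server pushes the alias network instead, so the two
# /24 routes no longer overlap and there is nothing to tie-break.
FIXED = [
    Route(Net("0.0.0.0/0"), "wlan0", 25),
    Route(Net("192.168.1.0/24"), "wlan0", 25),
    Route(Net("10.0.8.0/24"), "tun0", 5),
    Route(ALIAS, "tun0", 5),                     # pushed instead of 192.168.1.0/24
]


def egress_iface(table, dst):
    r = lookup(table, dst)
    return r.iface if r else None


def hq_to_client(table, hq_host, with_nat):
    """An HQ host (e.g. someone RDP-ing to the client's 10.0.8.x address) sends a packet
    into the tunnel.  Returns the source address the client sees and the interface it
    will use for the reply; only a reply leaving on tun0 ever gets back to HQ."""
    src_seen = netmap(hq_host, HQ_LAN, ALIAS) if with_nat else IPv4(hq_host)
    return str(src_seen), egress_iface(table, src_seen)


def alias_to_hq(dst):
    """Inbound at HQ, the same rule rewrites an alias destination back to the real LAN host."""
    return str(netmap(dst, ALIAS, HQ_LAN))


if __name__ == "__main__":
    print("conflicted: client -> 192.168.1.1 leaves via", egress_iface(CONFLICTED, "192.168.1.1"))
    print("fixed:      client -> 192.168.1.1 leaves via", egress_iface(FIXED, "192.168.1.1"))
    print("no NAT, old push :", hq_to_client(CONFLICTED, "192.168.1.50", with_nat=False))
    print("no NAT, new push :", hq_to_client(FIXED, "192.168.1.50", with_nat=False))
    print("1:1 NAT, new push:", hq_to_client(FIXED, "192.168.1.50", with_nat=True))
    print("HQ turns 10.99.1.1 back into", alias_to_hq("10.99.1.1"))
```

Two things have to change together for this to work: the OpenVPN server must push 10.99.1.0/24 (and not 192.168.1.0/24) to these clients, and pfSense must carry a 1:1 NAT rule on the OpenVPN interface translating 192.168.1.0/24 to 10.99.1.0/24. In pf terms that rule is a `binat` of the HQ LAN to the alias network on the VPN interface, which is what the 1:1 NAT page in pfSense generates; the remote side then talks to 10.99.1.x and never sees the conflicting subnet. The interface name and alias range are assumed here and would need to match your own setup.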