IP Conflicts on LAN of VPN Client… Advice?
-
just create a 1:1 NAT to the destination LAN with a subnet that is not common.
-
I never really understood 1:1 NAT, I will do some reading.
Thanks for the suggestion.
-
Sorry to bring up an old topic, but originally to solve this I simply changed subnets on the industrial machinery… no problem, worked great.
Now, I'm in a similar situation, but I don't control the remote subnet now, and they again conflict.
So, can someone kindly help me with the how and why a 1:1 NAT would work in this case?
A quick recap:
Local LAN at HQ = 192.168.1.0/24
Local OpenVPN running at HQ = 10.0.8.0/24 (tunnel network)
Client LAN at Remote site = 192.168.1.x
Client runs OpenVPN client on Windows behind NAT firewall to connect to HQ pfsense.
When the client connects, it gets a static 10.0.8.* address, and can communicate with HQ. The problem is it cannot communicate with its own local 192.168.1.1 (for instance) because it conflicts with the 192.168.1.1 server on the HQ network.
I think 1:1 NAT can work through this problem, but I don't really get how it works or how to configure it. The remote client never needs to contact our HQ servers, but I need to be able to RDP to the remote client. Can I do a client override of a route or something like that?
Thanks.
-
Could IPv6 be the answer to my conflicted IPv4 subnetting issues? If I simply disable IPv4 on the client?
-
Why don't you just move yourself out of the net that conflicts with half of the world?
-
Haha, that is on my TODO list. The company is older than my employment here… though it is a small company, so that change will be made eventually, it just never seems like a good time to make it.
We often integrate our machines into much larger industrial automation networks, so the chance of conflicting again is pretty high no matter what my subnet is. I think maybe another answer is a dedicated OpenVPN server for these machines that does not reach our LAN. Even that has roadblocks here and there.
I was hoping for a solution where I don't have to go re-set all the static IPs of my printers and servers. Thanks for the suggestion however, it will be strongly considered.
I'm also trying to dive deeper into networking but it is not coming all that easily at a certain point for me.
-
You can assign the tun interface and do 1:1 NAT there… I don't see how this is a good solution though.
-
Me either, but I don't see how it will help me at all. I guess it translates all the IPs on the HQ subnet over to a different range maybe?
-
I wonder…
If I bring up a second OpenVPN instance on the server, but on a different port, I could just not pass the route to the LAN on that instance. Then, to access these 'problem machines' with the conflicting networks, I could just have my client computers connect to that instance instead, and talk on the virtual IPs for what we need to get done.
Seems legit, see why that would not work? Not as nice of course, but... could get me through the trouble.
-
I guess it translates all the IPs on the HQ subnet over to a different range maybe?
Yes of course, that is the whole point… you point the remote site to the NATed ones, instead of the conflicting subnet.
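The translation the last two replies describe, as an added example that is not from the thread or from pfSense: a small Python model of 1:1 NAT (NETMAP) on the tunnel interface, using the thread's 192.168.1.0/24 HQ LAN and 10.0.8.0/24 tunnel, plus an assumed alias range 172.31.1.0/24 that is pushed to remote clients instead of the real HQ subnet. The two iptables lines are the Linux equivalent of a pfSense 1:1 NAT entry, shown only to make the pair of translations concrete.

```python
import ipaddress

# Networks from the thread; the alias range is an assumption for this example.
HQ_LAN = ipaddress.ip_network("192.168.1.0/24")      # HQ LAN behind pfSense
REMOTE_LAN = ipaddress.ip_network("192.168.1.0/24")  # remote site, conflicts with HQ
TUNNEL = ipaddress.ip_network("10.0.8.0/24")         # OpenVPN tunnel network
NAT_LAN = ipaddress.ip_network("172.31.1.0/24")      # assumed alias shown to remote clients


def netmap(addr, from_net, to_net):
    """1:1 (NETMAP) translation: keep the host bits, swap the network prefix."""
    a = ipaddress.ip_address(addr)
    if a not in from_net:
        return a  # not in the mapped range: pass through unchanged
    host_bits = int(a) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_bits)


def hq_inbound(packet):
    """Packet arriving at HQ from the tunnel: alias destination -> real HQ address."""
    return {"src": packet["src"], "dst": str(netmap(packet["dst"], NAT_LAN, HQ_LAN))}


def hq_outbound(packet):
    """Reply leaving HQ towards the tunnel: real HQ source -> alias address."""
    return {"src": str(netmap(packet["src"], HQ_LAN, NAT_LAN)), "dst": packet["dst"]}


def remote_next_hop(dst):
    """Routing decision on the remote client when only the alias range is pushed."""
    d = ipaddress.ip_address(dst)
    if d in NAT_LAN or d in TUNNEL:
        return "tunnel"
    if d in REMOTE_LAN:
        return "local"  # 192.168.1.x stays on the remote site's own LAN
    return "default"


def linux_netmap_rules(tun="tun0"):
    """The same two translations as iptables NETMAP rules (Linux analogue of pfSense 1:1 NAT)."""
    return [
        f"iptables -t nat -A PREROUTING -i {tun} -d {NAT_LAN} -j NETMAP --to {HQ_LAN}",
        f"iptables -t nat -A POSTROUTING -o {tun} -s {HQ_LAN} -j NETMAP --to {NAT_LAN}",
    ]


if __name__ == "__main__":
    # Remote client (tunnel address 10.0.8.6) reaches the HQ server through its alias.
    print(hq_inbound({"src": "10.0.8.6", "dst": "172.31.1.1"}))   # dst -> 192.168.1.1
    print(hq_outbound({"src": "192.168.1.1", "dst": "10.0.8.6"}))  # src -> 172.31.1.1
    print(remote_next_hop("192.168.1.1"), remote_next_hop("172.31.1.1"))  # local tunnel
```

The remote client's own 192.168.1.1 is no longer shadowed because the tunnel route now covers only 172.31.1.0/24; HQ hosts are addressed as 172.31.1.x from the remote side.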