Clients on LAN lose connectivity to each other when one connects to VPN



  • First of all, I am a complete noob to pfsense. So please be patient. I put together a pc with parts I had lying around and decided to create a pfSense box out of it. So far everything looks great and I hope to learn a lot more, except one very annoying thing. Let me explain the setup first:

    My Setup up until yesterday:
I have a modem provided by the ISP. The LAN port from there goes into a 48 port un-managed switch to which all the wall jacks are plugged in. There are a bunch of PCs running different OSs and IoT devices and media servers and all that jazz. The two devices in question however are a Desktop PC (let's call it DPC) running Windows 10 Professional 64 Bit and a laptop (let's call this one LPC) running Windows 7 Enterprise 64 bit.

    DPC had the Local LAN IP of 192.168.1.15 and LPC had 192.168.1.39. These two PCs can see each other and ping each other and see each other's file shares.

    LPC is my work laptop and needs to be connected to my work VPN to be able to do work. When I connect LPC to VPN, the two PCs still can talk to each other exactly as they did if LPC was not connected to VPN.

    My Setup as of yesterday:

Yesterday I built my pfSense box and the setup changed a little. The LAN port from the modem now goes into the pfSense box's WAN port. pfSense box's LAN port goes to the un-managed switch and everything works great. pfSense box's DHCP server now serves up 10.10.10.XX IP addresses, which is something I like.

DPC now has the Local LAN IP of 10.10.10.15 and LPC has 10.10.10.39. These two PCs can see each other and ping each other and see each other's file shares, but the minute I connect LPC to my work VPN, the two PCs can't see each other. They can't even ping each other, let alone access file shares and such. This is driving me crazy and I have spent a whole day fighting with this. I do not have any custom firewall rules yet, apart from the default the pfSense adds.

    Any help in getting this issue resolved, would be greatly appreciated and if we ever meet I will buy you beers  :)

    Thanks in advance

    r0xcc1



  • My work VPN redirects all ip ranges through the VPN except for a couple of common home network IP ranges so you can still get to your home printer and so on when you are connected.  Yours probably does something similar.

    Try changing pfsense to use 192.168.0.X, 192.168.1.X, or 10.0.0.X and see if things start working again.  192.168.1.X will certainly work because that is what you had before, but you might also have luck with lower 10.0.Y.X subnets.  When in doubt, your corp IT should hopefully be able to tell you what ranges they have exempted from the forwarding.



  • Also, references because everyone likes references.

    IP Address Classes:
    https://technet.microsoft.com/en-us/library/cc940018.aspx

    Private Class A, B, C subnets:
    https://www.arin.net/knowledge/address_filters.html

    Your work is probably using the private class A range even if their network isn't that big.  The comment at the end of that article about the private class B range means they might have just skipped it just to keep things easy even if your network would fit.  192.168.0.X and 192.168.1.X are commonly used by home routers, so your corp IT will have known to exempt those from the VPN config.

    I've set up linksys, netgear, dlink, and asus routers for other people and I don't think I've ever seen one using the 10.0.0.0/8 range out of the box.  But one of the network admins might use 10.0.0.X or 10.0.1.X on their own home net and exempted the range for their own convenience.



  • Hello mattyd

    I kinda get what you are saying and I am also confused a bit, especially by this part "I've ever seen one using the 10.0.0.0/8 range out of the box". 10.10.10.0/8 is a perfectly viable private IP Address range, so why should this be a problem? Could you please shed some light on this?

Here is some additional info. When my work computer connects to VPN it connects to a 10. IP address and my local pfSense DHCP provided LAN is also a 10. IP address. If I do an IPCONFIG when connected to VPN, it gives me two separate local LAN IP addresses, one with the work IP, let's say 10.224.221.XX, and one with my own LAN IP, let's say 10.23.23.YY. Could this be causing the problem? Being that the two addresses are both in the 10. IP scheme?

    thanks
    r0xcc1



  • What I meant by your bolded text is that the routers that most of the other employees at your work use do not use addresses in the 10.0.0.0/8 range.

From the additional information you provided, your company is using at least part of the 10.0.0.0/8 range for their internal network.  In the configuration for the VPN client, your company has likely specified a setting that routes all IP addresses through the VPN, with the exception of some common home ranges (the 192.168.0.X and 192.168.1.X ranges most likely).  Since the IP range you are using is not a common one used by home users, it is not excluded from having the traffic piped through the VPN, which leads to your problem.

    In order to access your home computers while you are connected to the VPN, your home network will need to be on an ip range that is A) not used by work and B) exempted from being forced through the VPN by the VPN client config. You are at the mercy of whatever your corp IT has configured here, so you can't just use whatever you want.

    If you switch to 192.168.1.X range for your home network, you already know that range IS excluded from being forced through the VPN, so you'll be able to access your other home computers on the local LAN.  If you would prefer to use something in the 10.0.0.0/8 range, your current choice is clearly not working.  However, you might have better luck trying 10.0.0.X or 10.0.1.X for your home lan.  I've seen 10.0.0.X excluded before.  But you should keep in mind that since your work is also using the 10.0.0.0/8 network for their own ip ranges, stuff might break for you in the future.

If you don't want to experiment randomly, contact your corporate IT department and ask them which IP ranges are excluded from being forced through the VPN connection, and then simply select from one of those options.  Those are the options they will support and they minimize the risk of future problems.
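The two replies above (the first suggestion to move off 10.10.10.X, and the fuller explanation of exempted home ranges) describe a simple decision: a destination is reachable on the local LAN only if it falls in a range the VPN client exempts, and a home subnet is a safe choice only if it is exempted *and* does not overlap the work range. The script below is an added example, not code from the thread or from pfSense; it models that decision with Python's standard `ipaddress` module so you can check a candidate home subnet before renumbering. The exempt list and the work range are constructed placeholders (the thread never states the real ones); replace `VPN_EXEMPT` with whatever your corp IT tells you is excluded.

```python
import ipaddress

# Constructed model of the VPN client behaviour described in the thread:
# everything is tunnelled except a short list of exempted home ranges.
# These values are assumptions, not the poster's real configuration.
VPN_EXEMPT = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/24",   # common home-router default
    "192.168.1.0/24",   # common home-router default (the OP's old LAN)
    "10.0.0.0/24",      # the "I've seen 10.0.0.X excluded before" case
)]
# Assumed from the 10.224.221.XX work address mentioned in the thread.
WORK_RANGE = ipaddress.ip_network("10.0.0.0/8")


def next_hop(dst, exempt=VPN_EXEMPT):
    """Where the VPN client would send a packet for dst: 'lan' or 'vpn'."""
    addr = ipaddress.ip_address(dst)
    return "lan" if any(addr in net for net in exempt) else "vpn"


def assess_home_lan(lan_cidr, work=WORK_RANGE, exempt=VPN_EXEMPT):
    """Classify a candidate home subnet against the exempt list and work range."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    fully_exempt = any(lan.subnet_of(net) for net in exempt)
    partly_exempt = any(lan.overlaps(net) for net in exempt)
    overlaps_work = lan.overlaps(work)

    if fully_exempt and not overlaps_work:
        verdict = "ok"                        # reachable locally, no clash with work
    elif fully_exempt:
        verdict = "exempt_but_overlaps_work"  # works today, may break later
    elif partly_exempt:
        verdict = "partly_tunnelled"          # some hosts reachable, some not
    else:
        verdict = "tunnelled"                 # the OP's 10.10.10.0/24 situation
    return {
        "lan": str(lan),
        "exempt": fully_exempt,
        "overlaps_work": overlaps_work,
        "verdict": verdict,
    }


def usable_candidates(cidrs, **kw):
    """Filter a list of candidate home subnets down to the safe ones."""
    return [c for c in cidrs if assess_home_lan(c, **kw)["verdict"] == "ok"]


if __name__ == "__main__":
    # The OP's two hosts before and after the renumbering to 10.10.10.0/24.
    for host in ("192.168.1.15", "10.10.10.15"):
        print(host, "->", next_hop(host))
    for cidr in ("10.10.10.0/24", "192.168.1.0/24", "10.0.0.0/24", "192.168.0.0/23"):
        print(assess_home_lan(cidr))
    print("safe choices:", usable_candidates(["10.10.10.0/24", "192.168.1.0/24", "10.0.0.0/24"]))
```

The model deliberately ignores the more-specific connected route that the OS itself installs for the LAN, because the thread's point is that the VPN client overrides that unless the range is on its exemption list; the OP's final move to a 172.x subnet worked because that range evidently was exempted on their client, which is exactly the input this script expects you to get from IT rather than guess.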



mattyd, thanks for all the help. I changed my LAN to use 172.xx.xx.xx IPs and that resolved the issue. You were right, the fact that both the VPN and LAN were using 10.x.x.x IPs was the problem. Much appreciated.