Stupid sonicwall SSL VPN & subnet question?

We have a customer that is getting a lot of tickets about their remote access not working.
The customer has a rather large 192.168.1.x network.
SonicWall VPN IPs are blocked out from 192.168.1.200 to 212.
The end users typically have 192.168.1.1 networks at home.
Got on an end user's PC yesterday that could ping some internal devices and not others, so I changed his home router to 192.168.10.1 and this solved his issue.

I cannot re-IP their entire corporate network, and it’s not a good solution to change their home routers.

It’s hit and miss with the end users working from home. Everything has been working for months and now suddenly everyone is having issues.

What’s the solution?

You’re overcomplicating this and so is everyone else here. You can configure the SSL-VPN clients to use a different network/subnet than their main LAN network and their home network. Go to SSL-VPN → Client Settings → Default Device Profile, under Zone select SSLVPN and under Network Address IP V4 select “Create New Network” and create a network on a different range, pick something you don’t think the users will have at home like 172.16.100.0/24. Then make sure that DHCP is enabled for that scope in the SonicWall. It should automatically set up all the correct rules and everything else.

I cannot re-IP their entire corporate network

Why not? It’s misconfigured and you will have this problem over and again to ∞ and beyond.

We never use 192.168.1.xxx for enterprise networks for this very reason. While there might be creative ways to accomplish this in my opinion you should find a new addressing scheme for the office.

You do not NEED to re-IP their network, however I would highly recommend it and it should be done ASAP to implement best practices.

As a solution, you can use NAT rules, split tunnel and IP pools. Super well-known and documented fixes for this. Takes about 5 mins to set up.

https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-ssl-vpn-netextender-for-clients-with-overlapping-subnet/170504796310067/

You have to manage the weight of changing the corporate network IP scheme or change several users home network router settings.

The corporate network on that IP subnet will always have problems and will require constant maintenance of remote connections until changed.

10 devices? 200? 1000? How many remote users? 5? 50?

Sorry so many people that replied to you sound like jerks. We all inherit crap sometimes. No one is perfect except for them I guess. Best of luck sir.

The problem that you likely have is your VPN is likely doing “split tunneling” VPN. This means you only forward traffic for your office through the VPN, and internet-destined traffic, i.e. google/yahoo etc., goes through the user's ISP. Ideally, you do not want to split tunnel (allows bridging), but that means all traffic goes across your VPN. You’re running into IP conflict related issues. Your device is confused because you have local devices that are using the same subnet that you are using at your office. So your two solutions are either re-IP the customer or the employee, or do not use split tunneling; however, by turning off split tunneling you run the risk of saturating the Internet uplink of wherever your VPN is hosted.

You’re going to have to re-IP the network. You can NOT use 192.168.0.x, 192.168.1.x, 10.0.0.x, 10.1.10.x etc. in a corporate network that is going to be remotely accessed.

This is an example of very poor network design, and there is no easy fix. Re-IP the network to 10.132.0.0/24 (or something similarly uncommon) and move on.

Also, whoever your network engineer is needs to be fired for allowing this client to be onboarded with a VPN-enabled firewall on 192.168.1.0/24 - this is a rookie mistake that should have been caught well before this point in time IMHO.

If you don’t have a network engineer involved, you probably should find one as a consultant to help keep this from happening in the future, since remote access is becoming much more popular and needs to be taken into consideration on every new customer's network.

Funny enough, this actually works more often than not with Sonicwall SSL-VPN.

When it doesn’t or there is an IP conflict because of subnets overlapping we change home subnet.

Even if you give them a different subnet for the VPN, they will still be connecting to the 192.168.1.XXX network for their machines, whether or not the client machine is getting a subnet from the VPN like 192.168.10.XXX. You're going to have to either change your entire subnet setup for your corporate network OR plan to update each one of your clients' home networks to something different.

We run into this too and we do the home network setup change, but then again, we have fewer employees at our clients so it's not a huge issue for us, but for a larger office it can be.

Suggest changing the subnet, do it on a weekend. See what you have on your network. Update the firewall, servers, DHCP server, printers.

Fix the corporate subnet as dozens have said. While you can bandaid hack up ways to get around it there’s so many reasons it will break that you’ll be chasing ghosts forever. Fix it. Once. Permanently.

It's a reaalllly not smart idea for a business to use a private subnet of 192.168.x.x when almost every router/firewall/AP defaults to these networks. Should be using 10.x.x.x.

Can't you specify the VPN subnet? You should be able to put the VPN on whatever subnet you’d like.

Yuuuup. I’d say I’m shocked by all the replies, but I’m not. Most MSPs lack fundamental and basic knowledge of how networks work.

How does that fix the routing to the destination IP? The IP they get for their VPN interface may be on a different subnet, but the destination IP is still on their home subnet so they’re back to square one.

Came here to say this.

If your VPN users need DNS resolution, you’ll need to manually add DNS entries for your corp resources on the “Dummy” network.
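
The two points above (a different client pool does not fix routing when the destination still sits inside the home subnet, and the overlapping-subnet fix works by presenting corporate hosts to VPN clients on a "dummy" network that the firewall NATs back to the real range) can be checked with a small model. This is an added example, not code from the thread or from SonicWall; the dummy range 172.16.200.0/24 and the client pool 172.16.100.0/24 are constructed values.

```python
import ipaddress


def route_conflicts(home_cidr, corp_cidr, vpn_pool_cidr):
    """Report which ranges seen by a VPN client overlap each other.

    Any True value means the client holds two routes (home LAN and
    tunnel) that claim the same destinations, which is the "pings
    some hosts but not others" symptom described in the thread.
    """
    home = ipaddress.ip_network(home_cidr, strict=False)
    corp = ipaddress.ip_network(corp_cidr, strict=False)
    pool = ipaddress.ip_network(vpn_pool_cidr, strict=False)
    return {
        "home_vs_corp": home.overlaps(corp),
        "home_vs_pool": home.overlaps(pool),
        "pool_vs_corp": pool.overlaps(corp),
    }


def dummy_address(real_ip, corp_cidr, dummy_cidr):
    """One-to-one NAT mapping: keep the host bits, swap the network bits."""
    corp = ipaddress.ip_network(corp_cidr, strict=False)
    dummy = ipaddress.ip_network(dummy_cidr, strict=False)
    if corp.prefixlen != dummy.prefixlen:
        raise ValueError("real and dummy networks must be the same size")
    real = ipaddress.ip_address(real_ip)
    if real not in corp:
        raise ValueError(f"{real} is not inside {corp}")
    offset = int(real) - int(corp.network_address)
    return ipaddress.ip_address(int(dummy.network_address) + offset)


def real_address(dummy_ip, corp_cidr, dummy_cidr):
    """Reverse translation: the address the firewall forwards to internally."""
    return dummy_address(dummy_ip, dummy_cidr, corp_cidr)


def client_destination(real_ip, home_cidr, corp_cidr, dummy_cidr):
    """Address a VPN client should use (and DNS should return) for a corp host.

    The real address is fine when nothing overlaps; when the home LAN
    shadows the corporate range the client must target the dummy network.
    """
    home = ipaddress.ip_network(home_cidr, strict=False)
    corp = ipaddress.ip_network(corp_cidr, strict=False)
    dummy = ipaddress.ip_network(dummy_cidr, strict=False)
    if home.overlaps(dummy):
        raise ValueError("dummy network collides with the home LAN too")
    if not home.overlaps(corp):
        return ipaddress.ip_address(real_ip)
    return dummy_address(real_ip, corp_cidr, dummy_cidr)
```

Running `client_destination("192.168.1.50", "192.168.1.0/24", "192.168.1.0/24", "172.16.200.0/24")` shows why the DNS entries mentioned above are needed: the client has to be handed 172.16.200.50 for a server that is really 192.168.1.50.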

And the liability of changing somebody’s personal equipment who isn’t your customer.

Thanks. I got the SonicWall how-to article to resolve the issue.

I would not, under any circumstances, tunnel all internet traffic through the VPN. That’s going to cause problems for your VPN server by way of increasingly lacking bandwidth availability. If you’ve ever used TOR networks, it’s basically that level of speed and bandwidth when you stress the VPN like that.