10

My internal network is 192.168.0.x with a gateway of 192.168.0.1.

I have users that VPN into our firewall which then essentially adds them to the network.

However, if their home router has an IP address of 192.168.0.1 then of course we have all kinds of issues.

So, what is the ideal networking address setup to avoid this? I have seen setups where the remote users have router addresses in the 10.x range also so not sure what i can do to prevent this.

Any comments very welcome!

John
  • 212
  • 2
  • 6

5 Answers5

14

Techspot has A List of Common Default Router IP Addresses that helps with this. Usually home routers uses /24 subnets. Nowadays mobile phones are often used for sharing network connection, so we must take these ranges into account, too. According to the list we can deduce we should avoid:

  • 192.168.0.0/19 - most of the routers seems to use some of these, above 192.168.31.255.
  • 10.0.0.0/24 is also widely used, and Apple uses 10.0.1.0/24.
  • 192.168.100.0/24 is used by Motorola, ZTE, Huawei and Thomson.
  • Motorola uses (in addition) 192.168.62.0/24 and 192.168.102.0/24.
  • 192.168.123.0/24 is used by LevelOne, Repotec, Sitecom and U.S. Robotics (less common)
  • Some D-Links have 10.1.1.0/24 and 10.90.90.0/24.

We have three ranges reserved for private networks; we still have plenty of space to avoid these in:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16

Some random upper range from 10.0.0.0/8 could be the safest choice for avoiding collisions. You may also want to avoid number 42 in any part of the IP address range: it might be the most common "random" number, as it's the Answer to the Ultimate Question of Life, The Universe, and Everything.

Esa Jokinen
  • 46,944
  • 3
  • 83
  • 129
  • 4
    My experience is that 172.16.0.0/12 is the least common used, so I would select a /24 from that, but the upper end of 10.0.0.0/8 is also a good suggestion. – Henrik supports the community Jun 06 '17 at 09:29
  • 1
    Pick some digits from your office main phone number or static IP address or street number, as long as they are under 255. So 10.246.x.y or 172.25.54.y would be a perfectly legitimate IP range to use. Another dirty hack is to use subnets that are larger or smaller than a /24, for more-specific routing. But this is not ideal and breaks in many ways. – Criggie Jun 06 '17 at 10:32
  • 172.16/12 is rarely used because its not a nice multiple of 8. So 172.16-through-31.x.y are valid private IP addresses. – Criggie Jun 06 '17 at 10:33
  • 2
    I am glad that you mentioned 42, it is extremely important to remember. – Tero Kilkanen Jun 07 '17 at 21:48
  • 10.42.0.0/16 is indeed used by NetworkManager hotspot connections. – gvl May 05 '23 at 23:40
1

The best you can do is to use a range for the network that you give vpn access to, that you expect none of your users use. There's a good chance a lot of your users won't have changed that their routers use 192.168.0.0/24 or 192.168.1.0/24 (the two ranges I have seen the most in consumer gear), if you have an idea of some who might have chosen to use a different range, ask them what they use, but users who have done so will also know how to change the setup of their own router to avoid the conflict.

Henrik supports the community
  • 318
  • 2
  • 10
  • The problem i have is that some of my users are using an ISP supplied router that they cannot change the IP addressing system on. The second issue i have is that users have various addressing systems which i cannot predict nor control. So a few may be on 10.x or 192.x etc. I fear that if i change the office network to one thing, it may not be future proof for a user as yet to be. – John Jun 06 '17 at 09:14
  • 1
    The only reasonably futureproof solution is to use IPv6, but that might quickly cause other problems. You can only hope that you won't get users with ISP supplied routers that use the same addresses as you and can't be changed. – Henrik supports the community Jun 06 '17 at 09:26
1

You can never be 100% sure but you can minimise the risk by avoiding using the same subnets everyone else does.

I would avoid using the subnets at the bottom of blocks as many people start numbering their networks from the beggining of a block.

IMO your safest bet for avoiding conflicts is to use a subnet from somewhere in the middle of the 172.16.0.0/12 block. I have never seen a home router come preconfigured with a subnet from that block.

A random subnet from 10.0.0.0/8 is also relatively safe but I did once use a home router that allocated the whole of 10.0.0.0/8 to the lan by default and would only allow masks that matched the classful default.

192.168 is the most vulnerable to conflicts because it is a relatively small block and is widely used on home routers.

Peter Green
  • 4,211
  • 12
  • 30
0

To avoid all the issues mentioned above, I'd definitely plump for an IP range in the 172.16.n.n or 10.n.n.n range. For example, in the server config file for the VPN server, I'd allocate an IP address range of say 10.66.77.0, with mask 255.255.255.0 - the VPN server itself will take 10.66.77.1, each VPN client will get the next free IP above this. Works for me, no conflicts from connections using 'home' routers, which are mainly in 192.168.n.n range.

Trader0
  • 1
  • 4
-2

This is slightly bemusing to me because in most of the environments that I've come across for remote users to have VPN access the administrator needs to to have control/management over connecting users to ensure that the network remains secure. That means administrative access, control, etc... of connecting machines and users. This means that the administrator can control the IP address range which means the chances of what you are describing is basically impossible.

That said, your solution does seem workable but very difficult with regards to using different IP ranges.

One option is creating a script that you run on connecting systems to overwrite routing tables to reduce the chances of a possible conflict (am aware that certain VPN solutions are able to do this). Effectively, the organisational network setup will take precedence over the local network setup.

https://unix.stackexchange.com/questions/263678/openvpn-understand-the-routing-table-how-to-route-only-the-traffic-to-a-spec

openvpn client override default gateway for vpn sever

This leads to other possibilities. Assuming users don't connect directly to IP addresses you can modify DNS configurations/host file entries so that they technically override the existing local network setup.

https://hostsfileeditor.codeplex.com/

https://support.rackspace.com/how-to/modify-your-hosts-file/

Another way is to change your organisational setup to have a less common IP address backbone. Since you have administrative access you should be able to do this quickly and easily (though I've since read another comment which brings IPv6 issue into play).

Obviously, you'll need to change the type of VPN setup you have to give you some of the options that I'm outlining above if you don't already have them.

dtbnguyen
  • 322
  • 1
  • 6