Ya, I thought so. Can you believe Bell set this network up? They are on CRACK. That's the first thing I thought, wow, this is a beginner's mistake.
Well, I think I will tell him that I want to renumber the network, maybe I can somehow do it just to the 192.168.1.x and leave the telecom VLAN 192.168.200.x... I've always used the 10.x.x.x series... it's the least characters.... 10.10.9.9, etc...

Thanks for the confirmation.

Regards,
Chuck

-----Original Message-----
From: Dave Donovan [mailto:donovan.da...@gmail.com]
Sent: Friday, February 27, 2009 6:16 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Simple Firewall that needs to allow VPN access to the network and a VLAN on the network.

On Fri, Feb 27, 2009 at 4:36 PM, Chuck Mariotti <cmario...@xunity.com> wrote:
> I have a firewall that needs replacing on short notice and I would like to
> use pfSense. The network is 192.168.1.x... (Servers, Printers, etc...) there
> is a VLAN on that same network (for their Nortel BCM / phones) that is
> 192.168.200.x.
>
> I recall way back that having a remote user on a network with 192.168.1.x
> series trying to VPN into another network with the same number scheme, would
> cause conflicts and problems (basically mixing up thinking they're on the
> same subnet). I haven't used the 192.168 series of IPs for that one reason
> for the past 10+ years (all the Linksys/Dlink/consumer stuff does by
> default). Is this still the case?
>

Chuck,

From my experience, you're likely to have problems accessing that 192.168.1.x network. When I moved to my current employer, I inherited a network with that numbering scheme and it was a frequent problem, especially with users at hotels and other hotspots which favoured that number range. (I know that's not exactly your application) There are just too many Linksys, D-Link and other such devices out there using those numbers.

I think we were able to address the problem for some users by adding a route to their Windows box that aimed at a specific machine (like the file server where their home drive lived).
If the file server was 192.168.1.10, we would send them home with a batch file that looked like:

    REM Allow users with overlapping IP scheme to connect to fileserver at MyCompany
    REM Add a route that tells the local PC to go over the VPN for the fileserver
    REM The gateway address is positional: it follows the netmask directly
    route add 192.168.1.10 mask 255.255.255.255 [far end of VPN] metric 1

Then we could map a drive to a share on \\192.168.1.10. That's just from memory so I wouldn't bet my life on the syntax.

This is on an IP by IP basis and if you want to access dozens of printers, servers and other resources, it's going to be a problem nuisance and you increase the risk of overlapping an IP that the home user is actually using on their net.

We ended up renumbering our network into the 172.x.y.z scheme and it solved those issues. I'd still avoid 172.16 because lots of people use it and if you ever want to interoperate, you might be running into the same issues. Off the top of my head I think values of 16-31 are valid for the second octet.

Sorry, no guidance here on the VLAN issues.

Best Regards,
Dave

---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
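
The subnet overlap and the /32 host-route workaround discussed in this thread, modelled as an added example that is not part of the original messages. The office subnets and file server address come from the thread; the route labels (`home-router`, `local-lan`, `vpn`) and the simplified routing table are assumptions for illustration.

```python
import ipaddress

# Office addressing taken from the thread.
OFFICE_LAN = ipaddress.ip_network("192.168.1.0/24")
TELECOM_VLAN = ipaddress.ip_network("192.168.200.0/24")
FILE_SERVER = ipaddress.ip_address("192.168.1.10")


def conflicts(remote_lan, office_nets):
    """Return the office subnets that overlap the remote user's local LAN."""
    remote = ipaddress.ip_network(remote_lan)
    return [net for net in office_nets if net.overlaps(remote)]


def lookup(table, dest):
    """Longest-prefix match: the most specific matching route wins."""
    dest = ipaddress.ip_address(dest)
    matches = [(net, via) for net, via in table if dest in net]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None


def client_table(remote_lan, host_routes=()):
    """Simplified routing table of a remote PC (assumed model): default route,
    on-link LAN, and any /32 host routes sent over the VPN. The VPN's own /24
    route is left out because it only ties with the on-link /24."""
    table = [
        (ipaddress.ip_network("0.0.0.0/0"), "home-router"),
        (ipaddress.ip_network(remote_lan), "local-lan"),
    ]
    table += [(ipaddress.ip_network(f"{h}/32"), "vpn") for h in host_routes]
    return table


def in_rfc1918_172(net):
    """True if net lies inside 172.16.0.0/12 (second octet 16 through 31)."""
    return ipaddress.ip_network(net).subnet_of(ipaddress.ip_network("172.16.0.0/12"))


if __name__ == "__main__":
    home = "192.168.1.0/24"  # constructed sample: common consumer-router default
    print(conflicts(home, [OFFICE_LAN, TELECOM_VLAN]))
    print(lookup(client_table(home), FILE_SERVER))                    # local-lan
    print(lookup(client_table(home, [FILE_SERVER]), FILE_SERVER))     # vpn
    print(lookup(client_table(home, [FILE_SERVER]), "192.168.1.20"))  # local-lan
    print(in_rfc1918_172("172.31.5.0/24"), in_rfc1918_172("172.32.0.0/24"))
```

The last lookup shows the cost of the workaround: every other office host in the overlapping range still resolves to the user's own LAN, and a home device sitting on 192.168.1.10 becomes unreachable while the host route is installed.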