[ previous ] [ next ] [ threads ]
 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] PPTP client and server on same subnet...
 Date:  Thu, 28 Oct 2004 03:11:29 -0400
On Wed, 27 Oct 2004 23:40:47 -0700, sylikc <sylikc at gmail dot com> wrote:
> Mitchel,
> > I recently set up a  monowall firewall at my office and am trying to get
> > the PPTP vpn server working.  The problem I'm running into is that my
> > office subnet is set to the very popular 192.168.1.x.  This ofcourse is
> > the default setting that linksys, and may other, routers are set to.  So
> > when I log into the VPN from my home network (via my linksys router and
> > it's 192.168.1.x subnet) it doesn't work, of course. Changing my home
> > network to something like 192.168.0.x solved the problem for myself, but
> > we have many people who travel and log in via networks that they have no
> > control over.  So next you are going to tell me to change my office
> > network to something obscure like 192.168.87.x right?  Well that is
> > easier said than done because our office network consists of  at least
> > 10 servers, 6 printers, 4 access points, 2 dhcp servers, 1 wireless
> > bridge and a partridge in a pear tree.  Reconfiguring our network would
> > be difficult, especially reconfiguring  each computer to recognize the
> > new static ip of the printers.  So my questions ars... Is there any
> > other way  to get this vpn to work?  Will the new software with OpenVPN
> > solve this?  Do I have to reconfigure my subnet?
> Well, this is an interesting thing I ran into also in locations that I
> travel to.  I use a 10.A.B.x/24 subnet as LAN for my m0n0.  I often
> end up in places that use 10.x.x.x/8, the full class A.  I figured out
> a type of hack job in terms of how to get around the fact that the
> full class A encapsulates just my subnet.
> I haven't particularly confirmed that this works in other
> environments, but I've gotten it working on my mobile computer at
> least.  I run WinXP.  Now, I take the DHCP assigned address on the
> remote network, copy down all the details, and then change it to
> static with exactly the same details.  GW, DNS, IP, everything but the
> subnet mask.  I shift the subnet mask in such a way that it doesn't
> overlap with the internal LAN of the m0n0 I try to connect to.
> Now, after doing this, you'll probably run into the situation where
> your subnet is different than your gateway's.  I've always wondered
> how this could still work, but it does.  With most applications this
> is OK... Windows somehow finds the gateway.  I'm aware win98 also
> displays this property.  It also shows when you set the gateway to the
> IP of the machine you're on.  If someone could explain why it works to
> me... I'm listening...

Wow, what a hack job.  :)  But yeah, that's the only way to get around
that issue.  But in the case of the on both ends, you
won't be able to get around that doing something like this.

Windows doesn't care if the gateway IP is within the subnet or not. 
So when it does an ARP lookup on that MAC address, it broadcasts and
ARP request for the gateway's IP.  This goes out to all hosts on the
broadcast domain, which includes the firewall/router.  It responds to
your machine, and from that point your machine uses its MAC address in
association with the gateway IP.  It doesn't really need to know the
IP of the default gateway, just the MAC address.  If the router
actually were on a different broadcast domain, it wouldn't work.

I've even inherited networks at clients where the LAN was using a
private subnet, but a previous consultant put a public IP in for the
default gateway for everything.  It was working fine.  In that case,
it'll only work if the router/firewall is using proxy ARP on the LAN. 
Your machine tries to do a ARP lookup on the gateway's IP, to which
the router/firewall responds since the IP your machine is looking for
isn't on the local LAN.  Your machine then uses that MAC in
association with the gateway IP.

BSD and Linux don't permit this madness because it's not valid and you
shouldn't ever set up a network that way. (though some less than
clueful admins do)

Though in times like this where a bad idea becomes the only way to do
something, that Windows "feature" can come in handy.  :)