Hello, Crown Clients and Friends!
For more than a year and a half now, remote connections and VPNs have become increasingly important parts of enterprise and personal computing. There are a lot of challenges in extending access to your network to new branches and remote workers; subnet settings can be one of them, and are especially easy to overlook because they are usually hidden away in your router configuration. It’s also possible that totally valid settings for both your home network and the VPN just don’t work together because they confuse the two networks for one another. When this is a problem, usually nothing will pop up to tell you about the problem and network connections will just not work correctly, even when devices seem connected.
What is a Subnet?
A subnet is a portion of available addresses for hosts (connected devices). This may sound very general, but that’s because the structure of subnets is inherently pretty generic too. That’s by design, because network structures like subnets have to do with both a) connecting to devices locally on our network, and b) connecting to devices “out on” the internet, remotely. Putting it this way, we can see how setting up a VPN might be tricky: we want to go “out on” the internet to access our company’s “local” network.
What we’re talking about here is IP addresses, which we’ve thought of as phone numbers for a network (or the internet) in a previous post. The IP address is what each connected device gets as its unique location on a network. When workstations or other devices need to access a shared location, they use the ip address to connect to it (or a DNS server to look it up for them). In this post, we’ll use IPv4 addresses since they’re still commonly used, even if they are slowly being replaced with IPv6.
Subnet Conflicts and Private Network Addresses
Just like an area code groups together a bunch of 7-digit phone numbers, private internet IP address space gives us blocks of local network addresses. These private IP addresses, though, are common to every local network. The most common one–used by almost any consumer-grade router by default–is 192.168.1/24, which is the range of addresses from 192.168.1.0 to 192.168.1.255 (providing addresses for 254 hosts). The point of this space is to make local networks consistent; any addresses outside of 192.168/16, 172.16/12, or 10/8 should be an internet or remote connection. For example, if you are trying to get to a server at the address 192.168.1.2, then it is on your network, not the internet; the same is true for me when I go to 192.168.1.2, which is an address on my network.
If I’m using a VPN, things get tricky because I’m using two local networks at the same time: my home network and the VPN network (my company’s network). If they happen to use the same block of IP addresses as one another, then two devices may get the same address, and the network will start to fail. In a typical setup, if I hop onto my home network then my router gives me 192.168.1.2 for my workstation, my phone gets 192.168.1.3, etc. My router keeps track of which device is at which address, and routes traffic to whichever device it’s addressed to. If I connect to my office’s network with a VPN and it is also set up to give out 192.168.1.x addresses, then maybe my phone conflicts with a workstation at the office, for instance. If this happens, then the router won’t know which is the “real” 192.168.1.3, and devices’ network connections become unusable.
Use a Different Block of Addresses for DHCP
It’s likely that in a larger organization, on a larger network, the network uses addresses like the ones in the 10/8 range, which has more than 16 million possible addresses to use and makes it unlikely that it uses the same range as other networks. If your VPN does use a common block, though, it’s likely that it will cause conflicts when remote users try to connect. If your home network and the VPN (your company’s network) are using the same IP addresses, you’ll likely just want to change the addresses that your home router uses.
DHCP (Dynamic Host Configuration Protocol) is commonly used on home networks to give out IP addresses to devices on the network. Your router is typically the hardware that handles this job, so log into the administrator page and find its DHCP or subnets section. Next, you’ll see something like this, which asks you which addresses to give to your devices.
(Note that my router’s DHCP server is off because my router is not the device that handles this for my network.)
I could change the DHCP Start Address here to something like 172.16.192.65 and the End Address to 172.16.192.253 to make my private addresses more unique than others. The chances that our VPN uses this block of addresses is much smaller than the 192.168.1/24 block, since it contains 65536 possible addresses (even if we only need a tiny fraction of that). This is probably good enough for most networks, but the only way to be sure is to ask the VPN’s administrator which block of addresses are unused in the network.
-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team