In the wild, I'm seeing an increasing number of crappy consumer/ISP
routers with subnets that conflict with ours (10../8). Comcast appears
to be a common offender, curiously allocating the largest private subnet
to their smallest customers. Of course this breaks VPN due to address
ambiguity/conflicts.

We're usually able to talk non-tech people through changing their LAN
subnet.  That doesn't work when a user isn't the network administrator,
such as in a hotel.

Using 1:1 NAT on the VPN *server* interface is workable (making the
resources "unambiguous"), but this is ugly because it means resources
need to be referenced with different IP addresses (depending on
whether inside or outside of the office).

A seemingly obvious solution would be client-side NAT. For example, if
the client were placed behind a private NAT (with the physical adapter
on the 'native' (10../n) network and a virtual LAN adapter in a
non-conflicting subnet, say 192.168../n).

Looking around, this doesn't appear to "be a thing". I think it would
make sense to have client-side NAT be part of a VPN client, to invoke if
needed. Maybe it exists, and I'm just looking in the wrong places.

Anyone seen this?
_______________________________________________
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
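One concrete way to build the client-side arrangement the post describes, added here as an example and not taken from the original post or from pfSense: run the VPN client inside a Linux network namespace whose only address is in a non-conflicting subnet, and have the host masquerade that namespace out of the physical adapter. The tunnel's 10/8 routes then live in a namespace that has no 10.x LAN to collide with. Namespace, veth, subnet and interface names are assumptions; by default the script prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): isolate the VPN client in a
# network namespace with a non-conflicting address, so the tunnel's 10/8
# routes never collide with the hotel/ISP 10.x LAN seen by the host.
# All names and subnets below are assumptions; adjust them for your host.
set -eu

NS="${NS:-vpnns}"                            # namespace for the VPN client
VETH_HOST="${VETH_HOST:-veth-vpn0}"          # host end of the veth pair
VETH_NS="${VETH_NS:-veth-vpn1}"              # namespace end of the pair
HOST_ADDR="${HOST_ADDR:-192.168.250.1/30}"   # host-side address
NS_ADDR="${NS_ADDR:-192.168.250.2/30}"       # client address (non-conflicting)
NS_GW="${NS_GW:-192.168.250.1}"              # namespace default gateway
WAN_IF="${WAN_IF:-wlan0}"                    # physical adapter on the 10.x LAN
RUN="${RUN:-}"                               # RUN=1 executes; empty prints

# Execute a command when RUN is set, otherwise print it for review/testing.
run() { if [ -n "$RUN" ]; then "$@"; else printf '%s\n' "$*"; fi; }

# Create the namespace, the veth pair, and host-side NAT for it.
vpn_ns_setup() {
    run ip netns add "$NS"
    run ip link add "$VETH_HOST" type veth peer name "$VETH_NS"
    run ip link set "$VETH_NS" netns "$NS"
    run ip addr add "$HOST_ADDR" dev "$VETH_HOST"
    run ip link set "$VETH_HOST" up
    run ip -n "$NS" addr add "$NS_ADDR" dev "$VETH_NS"
    run ip -n "$NS" link set "$VETH_NS" up
    run ip -n "$NS" link set lo up
    # Inside the namespace everything leaves via the veth; once the tunnel is
    # up, its 10/8 routes are the only 10.x routes the client ever sees.
    run ip -n "$NS" route add default via "$NS_GW"
    # Host side: forward the namespace's traffic out the physical adapter,
    # hidden behind the host's own (conflicting) 10.x address.
    run sysctl -w net.ipv4.ip_forward=1
    run nft add table ip vpnns
    run nft add chain ip vpnns post '{ type nat hook postrouting priority 100 ; }'
    run nft add rule ip vpnns post ip saddr "${NS_ADDR%/*}" oifname "$WAN_IF" masquerade
}

# Launch the VPN client (e.g. openvpn or wg-quick) inside the namespace.
# DNS for the namespace comes from /etc/netns/$NS/resolv.conf if present.
vpn_ns_exec() {
    run ip netns exec "$NS" "$@"
}
```

Office resources keep their real 10.x addresses from the client's point of view; only the client process is moved into a namespace where the hotel's 10.x LAN is not visible.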