
VPN Site to SIte Ipsec, subnet questions


argint

Occasional Visitor
Dear All,

We have 2 small satellite offices. I will be installing pfSense in both offices to upgrade from the consumer equipment we are currently using, as we have found pfSense to be a very solid workhorse, providing excellent metrics, etc.

pfSense has great VPN capabilities (for a free product), and having researched the issue, for site to site it seems IPsec is the preferred way here (according to the pfSense book).

My question is, our local LAN is set to 192.168.2.1 and the other branch LANs will have to change their subnet to avoid conflict with our main office.

Does anyone have any recommendations for good subnet ranges for other offices?

Am I correct in that they have to change? Also, does anyone know of other changes that may be required so that the branch offices will work as per normal?

What we want is to be able to log in to check printers and especially the firewall to determine what is going on at the offices. We won't be doing remote assistance over the VPN as we already use LogMeIn Central with LogMeIn Pro2.

Many thanks for any tips you can provide.

Regards
Argint
 
Yes, you'll need to use different subnets on each LAN. You can use any private IP range. So if your main office is 192.168.2.X, the other router could use 192.168.Y.X where Y is 1 or 3-254.
 
I try to make them a bit more "non-common" IP ranges.
Most home and SMB grade routers ship with 192.168.1.xxx or 192.168.0.xxx

Now, many people may want to "VPN to the office" from home. Most VPN setups need different IP ranges on both ends, they won't work with the same IP range on both ends.

So, taking that into consideration, when I build/setup a network for an office, I will make it a different IP range that is most likely never used by the home user. Something like 192.168.10.xxx or 192.168.11.xxx.

This way, it's easier to start/build the office network from scratch..and then when home users have to VPN in, I don't need to bother with reconfiguring all of them.

So for clients that have multiple locations, I'll often do...
*Main site...(mothership)...192.168.10.1
*Site B (branch office) 192.168.11.1
*Site C (another branch office) 192.168.12.1
etc etc

You don't need to go in sequence...you can toss a 192.168.100.1 in the mix
And you don't even need to have a similar IP range, you can have site A at 192.168.10.1 and site B at 10.1.1.1
As long as they're different in the last octet..assuming we're talking about smaller class C networks here.
 
As a hosting provider with multiple clients with LOTS of SA peers, I have found that it is easier to recommend a random 10.X.X.X range with 5-10 /24 subnets in succession for growth. Changing subnets is a lot easier when combined with DHCP and using it more as an "assignment tool" than just a blanket response.
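The replies above make two practical points: every site (and any remote-access pool) needs a subnet that does not overlap the others, and office LANs are best kept off the 192.168.0.x / 192.168.1.x ranges that home routers ship with, so home users can VPN in without renumbering. The script below is an added example, not code from the thread or from pfSense; it checks a proposed addressing plan for both problems using Python's standard `ipaddress` module, and it also carves a block of consecutive /24s per site out of a 10.x range the way the hosting-provider reply suggests. The site names and CIDRs are constructed for illustration (the main office's 192.168.2.x is the one value taken from the thread).

```python
"""Sanity-check a site-to-site VPN addressing plan before building IPsec tunnels.

Added example for the thread above; not the forum's or pfSense's own code.
All site names and subnets below are constructed sample values.
"""
import ipaddress
from itertools import combinations

# Defaults that consumer/SMB routers commonly ship with (named in the thread).
# A remote worker's home LAN is likely to collide with these, so an office
# LAN on one of them would break "VPN to the office" from home.
COMMON_HOME_RANGES = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
]


def _net(cidr):
    # strict=False accepts the "router address/prefix" style used in the
    # thread (e.g. 192.168.10.1/24) and normalises it to the network.
    return ipaddress.ip_network(cidr, strict=False)


def find_overlaps(plan):
    """Return (site_a, site_b) pairs whose subnets overlap.

    plan maps site name -> CIDR string. Any overlapping pair means the
    IPsec phase 2 selectors for those two sites would collide.
    """
    nets = {name: _net(cidr) for name, cidr in plan.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def common_range_hits(plan):
    """Return sites whose subnet overlaps a common home-router default."""
    return sorted(name for name, cidr in plan.items()
                  if any(_net(cidr).overlaps(h) for h in COMMON_HOME_RANGES))


def non_private(plan):
    """Return sites whose subnet is not RFC 1918 private space."""
    return sorted(name for name, cidr in plan.items() if not _net(cidr).is_private)


def allocate_sites(base, site_names, per_site=1, prefixlen=24):
    """Carve consecutive /24s out of `base`, reserving `per_site` blocks per
    site for growth (the "5-10 /24 subnets in succession" suggestion)."""
    blocks = list(ipaddress.ip_network(base).subnets(new_prefix=prefixlen))
    needed = len(site_names) * per_site
    if needed > len(blocks):
        raise ValueError(f"{base} holds {len(blocks)} /{prefixlen}s, need {needed}")
    return {name: [str(b) for b in blocks[i * per_site:(i + 1) * per_site]]
            for i, name in enumerate(site_names)}


# Constructed sample: the branches still on consumer defaults, as the OP describes.
SAMPLE_PLAN = {
    "main": "192.168.2.1/24",       # from the thread
    "branch_a": "192.168.2.0/24",   # conflicts with main
    "branch_b": "192.168.1.0/24",   # common home-router default
}

# Constructed sample after renumbering along the lines suggested above.
FIXED_PLAN = {
    "main": "192.168.10.0/24",
    "branch_a": "192.168.11.0/24",
    "branch_b": "192.168.12.0/24",
    "road_warriors": "192.168.250.0/24",  # hypothetical remote-access pool
}

if __name__ == "__main__":
    for label, plan in (("before", SAMPLE_PLAN), ("after", FIXED_PLAN)):
        print(label, "overlaps:", find_overlaps(plan),
              "home-range hits:", common_range_hits(plan),
              "non-private:", non_private(plan))
    print(allocate_sites("10.42.0.0/16", ["main", "branch_a", "branch_b"], per_site=5))
```

Run it before you commit to a plan; any pair reported by `find_overlaps` has to be renumbered on at least one side, because IPsec will not route between identical selectors.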
 
10. is fine... I have lots of clients in that range. Dunno if I'd call it easier though... class C is class C is class C. OP started the thread with the standard 192. range, so I utilized that so they could follow the example more easily.
 
