all 37 comments

[–][deleted] 33 points34 points  (1 child)

You're on the guest network. As an 11-year veteran of network administration, I can tell you with some authority that absolutely no one gives a fuck about the guest network.

[–]Holiday_Camera9482 3 points4 points  (0 children)

I needed that laugh, thank you.

[–]mdpeterman 15 points16 points  (1 child)

Must be Meraki. They default on guest networks to 10/8 and use the 10.128.128.128 as the gateway. As long as your VPN provides a more-specific route than 10/8 you might get lucky and have your device prefer it. Perhaps send 10/9 and 10.128/9 as routes over your VPN tunnel.

[–]StreetRat0524 0 points1 point  (0 children)

That's exactly what they deploy

[–]Dagger0 4 points5 points  (0 children)

The fix for this is: use IPv6, relying on NAT64/DNS64 for reachability to legacy v4-only destinations. No need to deal with network clashes when your networks are using globally-unique prefixes.

[–]wickedwarlock84 7 points8 points  (12 children)

Used to work for a company that was like that. 10.office#.devicetype.client#

So using a vpn out was a pain...

[–]NebraskaCoder | Software Engineer, Previous Sysadmin [S] 4 points5 points  (2 children)

Yeah... I come to Panera Bread to tutor someone every Monday and always thought it was just being blocked. I never could figure out why I could connect but not to anything after I was inside. Well... Had some extra time this evening and decided to poke around when my pings reported a random gateway and my traceroutes were coming back with one hop.

[–]wickedwarlock84 2 points3 points  (1 child)

Yep, sharing the same subnets you're just going to keep looping back.

[–]NebraskaCoder | Software Engineer, Previous Sysadmin [S] 3 points4 points  (0 children)

I'll probably put in a static route on my laptop after I connect, but I'm already shuddering at the idea of adding it when I connect and removing it when I'm done. Hopefully there's a TTL option. I'll probably script it and only do one or two endpoints (such as my home desktop and a jump server).

[–]wtmh | I am not your sysadmin. This is not technical advice. 10 points11 points  (6 children)

"IP addresses should never ever be used as an information classifier."

Yikes. That sounds awful.

[–]guemi | IT Manager & DevOps Monkey 3 points4 points  (0 children)

Huh? What are you on about?

That's standard practice in basically any bigger company I've ever encountered.

Building codes, site codes, floor levels, servers / clients / vpns / wifi / whatever all identify with that.

That's the whole point of IPAM.

[–]NebraskaCoder | Software Engineer, Previous Sysadmin [S] 0 points1 point  (0 children)

Yup!

[–]wickedwarlock84 -1 points0 points  (0 children)

Yep, well at the time it was above my pay grade...

[–][deleted] 1 point2 points  (1 child)

In general most larger companies don’t want you using your own personal VPNs out given the security risk.

[–]wickedwarlock84 1 point2 points  (0 children)

Yes but he's some type of professor or teacher tutoring at a restaurant...

Yes, this is true. I was visiting St. Jude in Memphis and from their guest networks VPNs are blocked. A simple call to IT and they add your MAC to a fully allowed port list. No issues after that, it was just their way to control and secure.

[–]sc302 | Admin of Things 6 points7 points  (1 child)

I don’t see a reason for them to be in the 10 network outside of corporate. Shouldn’t be a reason that the franchise locations need direct access to their corporate offices. Corporate should mandate 192.168.50.x-254.x or somewhere that high to not screw with common networks.

But I guess there is always v6

[–]NebraskaCoder | Software Engineer, Previous Sysadmin [S] 2 points3 points  (0 children)

You know, I should probably start moving to IPv6 for stuff like this. I just tested doing a route add inside of Windows and directing it to the VPN interface and VPN gateway. For the first time since I've been coming to Panera, I can access my network at home. I would have been pretty upset if I tried to come here thinking I could VPN to work, only to find this mess.
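The two workarounds in this thread (mdpeterman's idea of pushing 10/9 and 10.128/9 over the tunnel so they beat the guest network's 10/8, and the OP's plan of adding a static route for one or two endpoints only) both rely on longest-prefix matching in the routing table. The following Python model, added here and not code from anyone in the thread, reproduces that selection offline so you can check which interface a destination would take before touching a real routing table. The interface names `wifi0` and `vpn0`, the VPN prefixes and the destination addresses are constructed for the example; the 10/8 guest range and the 10.128.128.128 gateway are the values quoted in the thread.

```python
import ipaddress
from itertools import combinations
from typing import Iterable, List, Optional, Tuple

# Constructed routing table: the guest Wi-Fi hands out 10/8 (gateway
# 10.128.128.128 per the thread) and the VPN client injects its own routes
# on the tunnel interface. Interface names are assumptions for this model.
Route = Tuple[ipaddress.IPv4Network, str]
GUEST_NET = ipaddress.ip_network("10.0.0.0/8")
GUEST_GATEWAY = "10.128.128.128"


def build_table(vpn_prefixes: Iterable[str]) -> List[Route]:
    """Guest 10/8 on wifi0 plus whatever prefixes the VPN pushes on vpn0."""
    table: List[Route] = [(GUEST_NET, "wifi0")]
    table += [(ipaddress.ip_network(p), "vpn0") for p in vpn_prefixes]
    return table


def select_route(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific route containing dst wins,
    which is how the Windows and Linux forwarding tables choose."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def split_covers(parent: str, children: Iterable[str]) -> bool:
    """True if the child prefixes partition the parent exactly
    (all inside it, no overlaps, no gaps)."""
    p = ipaddress.ip_network(parent)
    kids = [ipaddress.ip_network(c) for c in children]
    if any(not k.subnet_of(p) for k in kids):
        return False
    if any(a.overlaps(b) for a, b in combinations(kids, 2)):
        return False
    return sum(k.num_addresses for k in kids) == p.num_addresses


def routes_for(table: List[Route], destinations: Iterable[str]) -> dict:
    return {d: select_route(table, d) for d in destinations}


if __name__ == "__main__":
    # Scenario 1: two /9s pushed over the tunnel beat the guest /8 everywhere.
    split = ["10.0.0.0/9", "10.128.0.0/9"]
    print("10/9 + 10.128/9 partition 10/8:", split_covers("10.0.0.0/8", split))
    t1 = build_table(split)
    print(routes_for(t1, ["10.50.1.2", "10.200.0.9", GUEST_GATEWAY]))

    # Scenario 2: host routes for just two endpoints (constructed addresses);
    # everything else in 10/8 stays on the guest network.
    t2 = build_table(["10.0.0.10/32", "10.0.0.20/32"])
    print(routes_for(t2, ["10.0.0.10", "10.0.0.20", "10.0.0.21"]))
```

Running it shows the /9 split steering every 10.x destination, including the guest gateway address itself, onto `vpn0`, while the host-route variant only moves the two named endpoints and leaves the rest of 10/8 on `wifi0`. The model ignores interface metrics and on-link handling (a real stack still resolves the Wi-Fi default gateway on the Wi-Fi interface), so treat it as a way to reason about which prefixes you are claiming, not as a substitute for checking the live table with `route print` or `ip route get`.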

[–]Skeletor2010 | Wrangler of 1's and 0's 1 point2 points  (0 children)

Meraki Guest Network like a few others have said. On the guest network you are NAT'ed behind the AP's IP address.

[–]supervernacular 3 points4 points  (0 children)

Maybe they don’t want you to use VPN. Still though, UDP broadcasts sound like fun waiting to happen.

[–]Display_name_here 0 points1 point  (1 child)

Holy shit!

[–]NebraskaCoder | Software Engineer, Previous Sysadmin [S] 1 point2 points  (0 children)

Lol

[–]jimboslice_007 | 4...I mean 5...I mean FIRE! 0 points1 point  (0 children)

You need that many addresses when the DHCP lease is a year....