As a best practice, we recommend that you do not use the private network ranges 192.168.0.0/24 or 192.168.1.0/24 on your corporate or guest networks. These ranges are commonly used on home networks.
If a mobile VPN user has a home network range that overlaps with your corporate network range, traffic from the user does not go through the VPN tunnel. To resolve this issue, we recommend that you migrate to a new local network range on your corporate network.
To complete the Firebox configuration steps shown here, we highly recommend that you use Policy Manager. Policy Manager is an offline configuration tool, which means you can make multiple configuration changes before you save the configuration to the Firebox. In Fireware Web UI, you must save the configuration after each change. If you use Fireware Web UI, and you do not configure DHCP or VLAN tagging correctly, you could become locked out of Fireware Web UI.
Step 1—Configure the Firebox interface settings (from Policy Manager)
- Select Network > Configuration > Interfaces.
- Select the interface configured to use the 192.168.x.x/x range.
- Click Configure.
- Click the Secondary tab.
- Click Add.
- In the IP Address text box, type the 192.168.x.x/x network address.
- Click the IPv4 tab.
- In the IP Address text box, specify a different private network. For information about private network ranges, see RFC 1918.
- If the Firebox is your DHCP server, specify the new DHCP range for clients. For information about DHCP server configuration, see Configure an IPv4 DHCP Server.
If the Firebox is not your DHCP server, configure your DHCP server to use a DHCP range on the new network.
For detailed information about secondary networks, see Add a Secondary Network IP Address.
Step 2—Configure hosts assigned with static IP addresses
For hosts on your network that are assigned static IP addresses, such as network equipment and servers, assign an IP address from the new network range.
Step 3—Monitor your network
After enough time has elapsed for your DHCP clients to receive a new DHCP lease:
- Verify that all DHCP clients on your network have an IP address in the new range. You can use WatchGuard Dimension or WatchGuard Cloud to do this.
- If any DHCP clients or other hosts on your network have an IP address in the old 192.168.x.x/x range, manually configure those hosts to use an IP address from the new range.
Step 4—Remove the old network from the Firebox
After you verify that no hosts on your network use the old network range, remove the secondary network from the Firebox interface configuration.
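The checks behind Step 1 (choosing the new range) and Step 3 (finding hosts still on the old range) can be scripted against any exported host list. This is an added example, not WatchGuard code: the function names, the `10.50.20.0/24` replacement range, and the host inventory are constructed for illustration.

```python
import ipaddress

# Ranges the page says are common on home networks.
HOME_RANGES = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24")]
# Private IPv4 blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_new_range(cidr):
    """Return a list of problems with a candidate replacement network (empty = OK)."""
    net = ipaddress.ip_network(cidr, strict=True)  # ValueError if host bits are set
    problems = []
    if not any(net.subnet_of(block) for block in RFC1918):
        problems.append("not inside an RFC 1918 private block")
    problems += [f"overlaps home range {h}" for h in HOME_RANGES if net.overlaps(h)]
    return problems


def find_stragglers(hosts, old_cidr, new_cidr):
    """Sort observed hosts into migrated / still on old range / in neither range."""
    old, new = ipaddress.ip_network(old_cidr), ipaddress.ip_network(new_cidr)
    report = {"migrated": [], "old_range": [], "unexpected": []}
    for name, addr in hosts:
        ip = ipaddress.ip_address(addr)
        if ip in new:
            report["migrated"].append(name)
        elif ip in old:
            report["old_range"].append(name)   # needs manual change before Step 4
        else:
            report["unexpected"].append(name)  # e.g. link-local: no lease obtained
    return report


# Constructed sample inventory (hostname, observed IPv4 address); hypothetical data.
SAMPLE_HOSTS = [
    ("laptop-01", "10.50.20.101"),
    ("printer-2f", "192.168.1.40"),  # static address that was never changed (Step 2)
    ("nas-01", "192.168.1.10"),
    ("kiosk-03", "169.254.12.7"),    # link-local address
]

if __name__ == "__main__":
    print(check_new_range("10.50.20.0/24"))
    print(find_stragglers(SAMPLE_HOSTS, "192.168.1.0/24", "10.50.20.0/24"))
```

An empty `old_range` list is the condition to meet before you remove the secondary network in Step 4.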