VPN issue for work (VM Hub 5)

Hi folks, hoping someone more knowledgeable than me who might have a clue on how to help resolve my conundrum :D (without buying a new router lol)

My ISP Virgin Media recently sent me the new Hub 5 the other week. I was WFH today on my work laptop which uses Sophos Connect VPN (IPsec). Now this connects fine, as do the network drives once on the VPN. However when I try to access our SAS server e.g. \\ABCSAS01\ I just get a connection refused. Everything else works though in terms of the VPN and I can access everything else on my work's network.

After some trial and error, I tried hotspotting my phone (EE) and all of a sudden I can now access our SAS server no problem. Hop back to my home VM WiFi and I can't get on our SAS server again... After some Google-fu I've found a bunch of threads on VM's community forum complaining about the same issue with the Hub 5 going back to the closed trials in 2021 I think it was, however most complaints were their work VPNs not connecting at all. My scenario is slightly less severe in that the VPN works, but the new VM Hub 5 seems to be stopping me from accessing an internal work server whilst on the VPN.

Some other posts suggested the issue is likely due to IPsec pass-through and some other firewall options being removed from the Hub 5. I've tried disabling the firewall completely and still have the issues. Have also tried port forwarding UDP 4000 and 4500 I think it was to no avail.

Be grateful for any ideas or potential solutions?! Having just got the Hub 5 and been happy with it (improved wifi and speeds) it does the job well. I'd rather not have to get my own router to fix this and have to home 2 routers somewhere, I've only just made room for 1 :p
 
It's always been \\ABCSAS01 on file explorer I believe, never changed it and worked fine under the previous VM Hub 4.

Actually just thought sorry, that probably won't help as the webpage to access it doesn't load either which has our domain...
https://abcsas01.mywork.local/SASStudioV/ (slightly altered for obvious reasons)

If I access the above via Chrome or Edge, or \\ABCSAS01 in file explorer - on my EE hotspot it connects. However the VM Hub 5 is providing a 'connection refused'.
 
Yeah it's hosted onsite, it doesn't use our public/website domain.

I've heard brief arguments on the interwebs about workplaces using .local, but I'm not gonna debate it when it's caused me no issues until now using a new picky VM router :p
 
I know what you mean, I did wonder that but thought why would it work prior - and still work on my EE hotspot? But not with the Hub 5 unless it's a configuration that's potentially firmware locked/hidden?

I've just done the nslookup whilst on the VPN, to our SAS server I linked above and got what looks to be it resolving to my work correctly? Unless I'm reading it wrong? Yet I still get conn refused on Chrome or file explorer trying to get on it...

I've tried pinging and I can ping it too whilst on the VPN.

C:\Users\Sparx>nslookup -debug abcsas01.mywork.local
------------
Got answer:
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0

QUESTIONS:
8.0.168.192.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 8.0.168.192.in-addr.arpa
name = Ned.mywork.local
ttl = 1200 (20 mins)

------------
Server: Ned.mywork.local
Address: 192.168.0.8

------------
Got answer:
HEADER:
opcode = QUERY, id = 2, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:
abcsas01.mywork.local.mywork.local, type = A, class = IN
AUTHORITY RECORDS:
-> mywork.local
ttl = 3600 (1 hour)
primary name server = ned.mywork.local
responsible mail addr = hostmaster
serial = 108715
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)

------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 3, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:
abcsas01.mywork.local.mywork.local, type = AAAA, class = IN
AUTHORITY RECORDS:
-> mywork.local
ttl = 3600 (1 hour)
primary name server = ned.mywork.local
responsible mail addr = hostmaster
serial = 108715
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)

------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 4, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0

QUESTIONS:
abcsas01.mywork.local, type = A, class = IN
ANSWERS:
-> abcsas01.mywork.local
internet address = 192.168.0.20
ttl = 1200 (20 mins)

------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 5, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:
abcsas01.mywork.local, type = AAAA, class = IN
AUTHORITY RECORDS:
-> mywork.local
ttl = 3600 (1 hour)
primary name server = ned.mywork.local
responsible mail addr = hostmaster
serial = 108715
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)

------------
Name: abcsas01.mywork.local
Address: 192.168.0.20
 
Hang on, does your Hub 5 use 192.168.0.x as the LAN address? Is it possible you changed that before when you had the previous Hub?

I know you can't change things at work, but using a VPN and having the work network use a really common address range that people's home LANs use, and the .local domain, are pretty much the two worst configuration choices that it's possible to make.
 
Both previous and current hub used 192.168.0.x for LAN, why? I haven't changed either from default settings.

The only thing I've done today is assign my work laptop 192.168.0.100 so I could set up the port forwarding (which didn't help).
 
Would it be a massive problem to try changing your LAN address? I am not familiar with the Sophos client so not sure if it's a full tunnel or not.

I get what you're saying about it working before but I'm surprised it did really.
 
No wouldn’t bother me. I’ll give it a go tomorrow after work! I’ll just change it to 192.168.1.x
 
Had a quick look this morning and it seems I can only alter the DHCP range... Not the actual router IP... Sigh
 
If your work IP address scheme is the same as your home address scheme then this will be the issue. It can’t find work addresses due to routing. The router can’t see other addresses beyond the router on the same scheme.

A) Change router IP address.
B) Change work IP addresses.
C) Get a new router that allows change of router IP address scheme.
 
@Caged Legend, guest network created 192.168.1.x network (instead of 0.x on main network) - connected my laptop to that and boom I can load our SAS server now! Thanks man. :D

@GaryTheSnail Cheers that did seem to be the issue. But it's bizarre as the Hub 4 has the same 192.168.0.x network as the Hub 5, yet it worked fine? Unless my work changed their network IP range recently (unlikely) and I didn't realise. Who knows! I'm just glad it works now. :)

Appreciate the help folks.
 
@Caged Legend, guest network created 192.168.1.x network (instead of 0.x on main network) - connected my laptop to that and boom I can load our SAS server now! Thanks man. :D

You know what's funny, you're not supposed to be able to access LAN shares on guest networks so this should not have worked.

As for what I mentioned before there's no way that should have worked if it was the same address scheme it's just not possible, so something's changed.

Either way it's working now. :)
 
It's possible if the VPN is full tunnel and at the highest priority in the connection list, but it could be unreliable and diagnosing problems it causes is a pain.
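
The overlap discussed in this thread, as an added example that is not part of any post: a simplified route-selection model (longest prefix wins, ties go to the lowest metric) applied to the SAS server address from the nslookup output. The interface labels, the metrics and the /24 the VPN is assumed to push for the office are illustrative assumptions, not values from the thread.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str      # destination network in CIDR form
    interface: str   # hypothetical interface label ("wifi" or "vpn")
    metric: int      # lower wins among equally specific routes

def pick_route(routes, dest):
    """Longest-prefix match; ties are broken by the lowest metric."""
    ip = ipaddress.ip_address(dest)
    matches = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return min(matches,
               key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.metric))

def overlapping(local_prefix, vpn_prefixes):
    """Return the VPN-pushed networks that collide with the local LAN."""
    local = ipaddress.ip_network(local_prefix)
    return [p for p in vpn_prefixes if ipaddress.ip_network(p).overlaps(local)]

SAS = "192.168.0.20"            # abcsas01 address from the nslookup output
VPN_NETS = ["192.168.0.0/24"]   # assumed office network pushed by the VPN

def table(lan_prefix, lan_metric, vpn_metric):
    """Build a constructed routing table: default + home LAN + VPN routes."""
    home = [Route("0.0.0.0/0", "wifi", lan_metric),
            Route(lan_prefix, "wifi", lan_metric)]
    return home + [Route(p, "vpn", vpn_metric) for p in VPN_NETS]

def scenarios():
    """Which interface traffic to the SAS server leaves on in each case."""
    cases = {
        "main LAN 192.168.0.x, Wi-Fi preferred": table("192.168.0.0/24", 25, 50),
        "main LAN 192.168.0.x, VPN preferred": table("192.168.0.0/24", 50, 5),
        "guest LAN 192.168.1.x": table("192.168.1.0/24", 25, 50),
    }
    return {name: pick_route(rt, SAS).interface for name, rt in cases.items()}

if __name__ == "__main__":
    print("colliding networks:", overlapping("192.168.0.0/24", VPN_NETS))
    for name, iface in scenarios().items():
        print(f"{name}: {SAS} leaves via {iface}")
```

In the first case the packet for 192.168.0.20 stays on the home Wi-Fi and never enters the tunnel; moving the laptop to a non-overlapping LAN, or a VPN route with a lower metric, sends it through the VPN.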
 
You know what's funny, you're not supposed to be able to access LAN shares on guest networks so this should not have worked.

As for what I mentioned before there's no way that should have worked if it was the same address scheme it's just not possible, so something's changed.

Either way it's working now. :)

The guest network won't let you get access to shares on the main LAN (so anything in 192.168.0.0/24) but there's no reason at all why shares over a VPN connection won't work. The guest network is giving full access to the internet.
 
Why oh why would a corporation choose one of the most common home network ranges for their internal network? Utter madness.

Yeah, it's a right pain. I inherited (through acquisition) a site that used 192.168.0.0/24 and 192.168.1.0/24 so I made sure they changed and put them in the /16 that all the rest of our sites used. I had positive comments from people after the change as they could now print to their home network printer without having to disconnect their VPN session.
 