August IceKimo: 2025

2025年3月13日星期四

The Answer: Yes, It's Highly Recommended to Avoid Overlapping IP Ranges

Here's why:

Routing Conflicts:
- If your IPsec VPN tunnel uses the same IP address range as your ISP's CGNAT, you'll create routing conflicts.
- Your computer or network devices won't know whether to send traffic through the VPN tunnel or to the ISP's CGNAT.
- This will result in unpredictable behavior, connectivity problems, and potential security issues.
Packet Confusion:
- When packets travel through a network, routers rely on IP addresses to determine their destination.
- Overlapping IP ranges can lead to confusion and incorrect routing, causing packets to be lost or delivered to the wrong destination.
Troubleshooting Nightmares:
- Diagnosing network problems becomes incredibly difficult when IP ranges overlap.
- It's hard to distinguish between issues caused by your VPN and issues caused by the ISP's CGNAT.

How to Avoid Overlapping IP Ranges:

Choose Private IP Ranges:
- Stick to the standard private IP address ranges defined in RFC 1918:
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
Use Unique Subnets:
- Even within the private IP ranges, use unique subnets for your VPN tunnel.
- For example, if your home network uses 192.168.1.1/24, use 10.10.10.0/24 or 172.17.0.0/24 for your VPN tunnel.
Check ISP Documentation (If Possible):
- Some ISPs might publish information about the IP address ranges they use for CGNAT.
- If you can find this information, avoid those ranges.
Use less common Private Ranges:
- If you are extra paranoid, you could use a range inside of the 172.16.0.0/12, that is not commonly used by home routers. For example 172.30.0.0/24.

In essence:

Avoid any IP address ranges that you see in traceroute results when you're behind CGNAT.
Using standard private IP ranges and unique subnets will help you avoid routing conflicts and ensure a stable VPN connection.

August IceKimo