Overlapping subnets
Why would subnets overlap?
Connect allows you to access subnets behind an Endpoint.
This is useful because it allows you to reach services on a network without having to install Connect on every device that provides them, for example because the devices are not capable of running additional software, or because of other restrictions on the network.
Subnets configured behind Endpoints would typically (but not always) be using private address space, which by its nature is capable of being reused in different physical locations.
Since release 3.8.0, it is also possible to configure Connect to give access to the same subnet behind multiple Endpoints.
The same subnet, or different?
When we say the same subnet, we mean the same physical subnet.
Here is an example of two Endpoints in the same subnet:
Contrast this with an example of two Endpoints in different subnets. Although they have the same private address space, the subnets are behind different public IP addresses, and for the purposes of this example, are considered to be in different physical locations:
Note that it's really the physical location which is the key here. In some networks, it is possible for the same subnet to be reachable via multiple public IP addresses. This type of arrangement is known as dual-WAN or multi-WAN. We plan to provide support for this in an upcoming release.
So how do you approach different subnets with the same private address space?
Good question. The answer is, it depends what you are trying to achieve.
If you are aiming to make the entirety of both subnets available behind Endpoints, it's not currently possible. We may introduce features in future releases of Connect to help with this. For now, it's simply not possible to address logically-identical but physically-different subnets.
You can, however, address different parts of the logically-identical but physically-different subnets in an overlapping, or non-overlapping, fashion.
Consider a situation like the one above, where both Alice and Bob have a 10.0.1.0/24 subnet in different physical locations.
You could make non-overlapping parts of the subnet available behind different Endpoints. In this case it works, since from the perspective of Endpoints wishing to reach the subnet-behind-endpoint there is no overlap:
- Make Alice's fileserver on 10.0.1.201/32 available behind Endpoint "alice1"
- Make Bob's fileserver on 10.0.1.177/32 available behind Endpoint "bob1".
Alternatively, you could make overlapping parts of the subnet available behind different Endpoints. The subnet-behind-endpoint definitions are different, and so Endpoints will be able to reach them via the relevant Endpoint. Although there is an overlap, the routing will work using Longest Prefix Match. Because 10.0.1.201/32 has a longer prefix than 10.0.1.0/24, it will take precedence when trying to reach 10.0.1.201:
- Make Alice's fileserver on 10.0.1.201/32 available behind Endpoint "alice1"
- Make Bob's entire network 10.0.1.0/24 available behind Endpoint "bob1".
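As an added illustration (not Connect's own code or its routing implementation), here is a small Python model of Longest Prefix Match applied to both the non-overlapping and the overlapping scenario above, using the page's own prefixes and Endpoint names, together with a check that flags the unsupported case of the same prefix configured behind two different Endpoints:

```python
import ipaddress

# Constructed subnet-behind-endpoint tables: (prefix, Endpoint name).
# The prefixes and Endpoint names are the ones used in the text above.
NON_OVERLAPPING = [("10.0.1.201/32", "alice1"), ("10.0.1.177/32", "bob1")]
OVERLAPPING = [("10.0.1.201/32", "alice1"), ("10.0.1.0/24", "bob1")]
# The case the page says is not possible: the whole of both
# logically-identical but physically-different 10.0.1.0/24 subnets.
UNSUPPORTED = [("10.0.1.0/24", "alice1"), ("10.0.1.0/24", "bob1")]


def longest_prefix_match(routes, address):
    """Return the Endpoint whose prefix is the most specific (longest)
    match for `address`, or None when no configured prefix contains it."""
    addr = ipaddress.ip_address(address)
    best_net, best_endpoint = None, None
    for prefix, endpoint in routes:
        net = ipaddress.ip_network(prefix, strict=True)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_endpoint = net, endpoint
    return best_endpoint


def ambiguous_prefixes(routes):
    """Return prefixes configured behind more than one Endpoint.
    Longest Prefix Match has no way to choose between two identical
    prefixes, so such a table cannot route deterministically."""
    owners = {}
    for prefix, endpoint in routes:
        net = ipaddress.ip_network(prefix, strict=True)
        owners.setdefault(net, set()).add(endpoint)
    return sorted(str(net) for net, eps in owners.items() if len(eps) > 1)


def trace(routes, addresses):
    """Map each destination address to the Endpoint that would carry it."""
    return {a: longest_prefix_match(routes, a) for a in addresses}


if __name__ == "__main__":
    hosts = ["10.0.1.201", "10.0.1.177", "10.0.1.50"]
    print("non-overlapping:", trace(NON_OVERLAPPING, hosts))
    print("overlapping:    ", trace(OVERLAPPING, hosts))
    print("ambiguous:      ", ambiguous_prefixes(UNSUPPORTED))
```

In the overlapping table, 10.0.1.201 goes to "alice1" because /32 beats /24, while every other 10.0.1.0/24 host goes to "bob1"; the unsupported table is reported as ambiguous before any lookup is attempted.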
Hopefully this explainer has been helpful in understanding how Connect can be used to address overlapping subnets behind Endpoints.