I came across a company this week: while sorting out the SSL certificate on their RRAS server I noticed that all of their nodes had 192.169.0.0/24 IP addresses assigned in their network.
When I asked them why they were using a public IP range as their LAN subnet, they seemed confused. “Isn’t it a private address?” they asked. “192.168.0.0/24 is private; 169 instead of 168 couldn’t possibly make such a great difference…”. From that experience I decided to put together a little guide on private and public addresses: why there is such a separation, what they are and how to use them.
Also, this article only touches on IPv4 addressing. IPv6 is a little different and still less common, so a separate article will cover it.
What are IPv4 addresses? I’m sure most people reading this are familiar with the basics of IP addressing and subnetting, so I will only cover the concepts needed to understand how and why public addresses are built up.
In short, an IPv4 address consists of 4 octets, written in decimal and separated by dots. As the name suggests, an octet is 8 bits, so in decimal it takes a value between 0 and 255. Technically every address between 0.0.0.0 and 255.255.255.255 is a syntactically valid IPv4 address, which gives 2^32, just over 4 billion, addresses (a number of them are reserved for special purposes and can never be assigned to ordinary hosts).
Now we need to talk about subnets. Subnets divide this one huge address space. Why is that necessary? Let’s assume that I have a computer and I need to access a server with the IP address 2.2.2.2. Before my computer can send the first packet it has to find out which machine on the wire owns that address. If we, as humans, needed to do the same, what would we do? I need to ask a guy named Peter about something, but I don’t know him. I shout “Who is Peter?”, he responds, and the conversation starts. Computers do the same with a broadcast (on Ethernet this is an ARP request, literally “who has 2.2.2.2?”), which every host on the network segment receives. With a few computers involved that is fine, but think about what would happen if the whole internet heard every such shout: real traffic would stop, because broadcasts would use up all the bandwidth.
This is where subnetting comes in: by dividing the huge address pool into smaller chunks, each subnet gets its own broadcast domain, a host only shouts to its own neighbours, and the congestion problem goes away.
Now we arrive at the topic of public and private subnets. Let’s assume every office in the world has its own subnet, sized appropriately. So far so good: hosts inside their own network can communicate, no problem. But how can Bob from one office reach a server in a different office? Let’s assume that each office has one host with an additional, special IP address that is a member of a world-wide network. Bob’s computer can ask this special host (usually a firewall) to reach out to the other office, where a similar “public” device responds and passes Bob’s message through to the right destination server inside that local network.
This is how the internet works: the public machines use routing to find each other, rather than the broadcasts mentioned earlier, but that is a topic for a different article.
The important thing here is that publicly reachable machines need globally unique addresses; that is how a server in the US finds another in Spain. Private addresses, however, only matter inside individual networks. Remember, only our public device needs to know the local nodes in our local area network (LAN for short); when they ask the firewall to act publicly on their behalf (this is network address translation, NAT), it uses its public interface, with a globally unique address, to reach the rest of the world.
This is why there are millions of private networks with the same subnets: my computer here can have exactly the same IP address as the home computer you are using this very moment.
So, can we use any subnet we like in our local office or home? In theory, yes. But what happens if you pick one that is also in use publicly?
As an example, this opentechtips.com website has the public IP 95.217.160.138. You can absolutely use a subnet that contains it, say 95.217.160.128/28; I cannot stop you. But what happens then? Your computers will assume that this address belongs to some machine inside your LAN. They won’t even contact the firewall to reach the public server; they will keep “shouting” (ARPing) for a host with the IP 95.217.160.138 on the local wire, which doesn’t exist, so the connection simply fails (a ping typically reports “Destination host unreachable”). Worse, if some machine on your LAN does answer for that address, traffic meant for the real server is silently delivered to that local machine instead.
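The forwarding decision described above, written out as an added example (this is not code from the original post). It models a single-homed host with one connected route and one default route: if the destination falls inside the host’s own subnet the host ARPs for it on the local wire, otherwise it hands the packet to the gateway. The set of addresses “present on the LAN” is a constructed stand-in for whoever would actually answer an ARP request, and the addresses and prefixes are the ones from the text.

```python
import ipaddress


def next_hop(interface, destination, gateway):
    """Mimic the forwarding decision of a single-homed host.

    interface:   the host's own address with prefix, e.g. "192.168.1.10/24"
    destination: the address the host wants to talk to
    gateway:     the default gateway configured on the host

    Returns ("on-link", destination) when the host will ARP for the
    destination itself, or ("gateway", gateway) when it sends the packet
    to the router instead. This is what a host with just a connected
    route and a default route does (longest-prefix match).
    """
    iface = ipaddress.ip_interface(interface)
    dest = ipaddress.ip_address(destination)
    if dest in iface.network:
        return ("on-link", str(dest))
    return ("gateway", str(gateway))


def deliver(interface, destination, gateway, lan_hosts):
    """Return the address the host will actually put a frame on the wire for,
    or None if nobody on the LAN would answer the ARP request.

    lan_hosts is a constructed set standing in for the machines that are
    really present on the segment (the ones that could answer "who has X?").
    """
    _kind, hop = next_hop(interface, destination, gateway)
    return hop if hop in lan_hosts else None


if __name__ == "__main__":
    # Constructed LAN 1: an ordinary private subnet, gateway 192.168.1.1.
    lan_private = {"192.168.1.1", "192.168.1.10", "192.168.1.20"}
    print(deliver("192.168.1.10/24", "95.217.160.138", "192.168.1.1", lan_private))
    # -> 192.168.1.1 : the packet goes to the firewall, which routes it out.

    # Constructed LAN 2: the public /28 that contains the web server's address.
    lan_public = {"95.217.160.129", "95.217.160.130", "95.217.160.131"}
    print(deliver("95.217.160.130/28", "95.217.160.138", "95.217.160.129", lan_public))
    # -> None : the host ARPs for .138 locally, nobody answers, connection fails.
```

`next_hop` only looks at whether the destination is inside the connected prefix; a real host also consults static routes and, on some systems, per-interface metrics, but for the common one-subnet-plus-default-gateway setup this is exactly the decision that makes the overlapping subnet unreachable.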
This is why IANA (the Internet Assigned Numbers Authority) set aside three IP ranges, documented in RFC 1918, that are never allocated to anyone on the public internet, so that LANs can use them without the risk of overlapping a public address. Note that this is about avoiding collisions, not about security: a host with a private address is still reachable by everything else on its LAN and by whatever the firewall forwards to it. The 192.169.0.0/24 range from the story above is not one of them; it is an ordinary, publicly routed range, and internet routers will happily deliver traffic for it to its real owner.
These three subnets are:
192.168.0.0/16 (192.168.0.0 – 192.168.255.255)
172.16.0.0/12 (172.16.0.0 – 172.31.255.255; note that 172.32.x.x is already public)
10.0.0.0/8 (10.0.0.0 – 10.255.255.255)
Each network can use any of these as a whole or divide them further, usually into /24 subnets with 254 usable hosts because they are simple to count with, but smaller and bigger chunks are also popular, especially if a company has multiple offices that need to be connected together. LA can have the 10.0.0.0/24 subnet and NY the larger 10.0.2.0/23 (510 usable hosts); then they can easily be connected locally with routers or L3 switches, or, if they are physically far apart, with WAN technologies such as MPLS or IPsec VPN tunnelling.
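An added example (not code from the original post) that turns the list above into a check you can run against an address inventory such as the one in the opening story: whether a subnet lies entirely inside one of the three RFC 1918 blocks, which hosts in a list are in fact public, which real public services a chosen subnet would shadow, and how many usable hosts a prefix gives you. The RFC 1918 blocks are spelled out explicitly rather than relying on Python’s `is_private`, because `is_private` also covers other reserved ranges (loopback, link-local, documentation prefixes) that are not the three blocks this article is about. The host lists are constructed sample data.

```python
import ipaddress

# The three RFC 1918 blocks, exactly as listed in the article.
RFC1918 = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("10.0.0.0/8"),
]


def is_rfc1918(network):
    """True if the whole network sits inside one RFC 1918 block.

    strict=False lets you pass an address with host bits set
    (e.g. "192.168.0.1/24") and still get the containing network.
    """
    net = ipaddress.ip_network(network, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def public_hosts(addresses):
    """Return the addresses from an inventory that are NOT in any RFC 1918 block.

    These are the ones that collide with someone else's public space.
    """
    return [
        a for a in addresses
        if not any(ipaddress.ip_address(a) in block for block in RFC1918)
    ]


def shadowed_services(network, service_addresses):
    """Return the public service addresses a LAN subnet would make unreachable.

    Any service whose address falls inside the chosen subnet will be looked
    for on the local wire instead of being sent to the firewall.
    """
    net = ipaddress.ip_network(network, strict=False)
    return [a for a in service_addresses if ipaddress.ip_address(a) in net]


def usable_hosts(network):
    """Usable host addresses in a prefix of /30 or larger (all addresses minus
    the network and broadcast address). /31 and /32 are special-cased in the
    RFCs and deliberately not handled here."""
    net = ipaddress.ip_network(network, strict=False)
    if net.prefixlen > 30:
        raise ValueError("point-to-point and host prefixes are not covered")
    return net.num_addresses - 2


if __name__ == "__main__":
    # Constructed inventory resembling the opening story: a 192.169.x.x LAN
    # mixed with a few properly private hosts and one 172.32.x.x mistake.
    inventory = ["192.169.0.10", "192.169.0.11", "192.168.0.10",
                 "10.0.0.5", "172.32.1.1", "172.16.1.1"]
    print("Public addresses in the LAN:", public_hosts(inventory))
    print("192.169.0.0/24 private?", is_rfc1918("192.169.0.0/24"))
    print("10.0.2.0/23 private?", is_rfc1918("10.0.2.0/23"),
          "usable hosts:", usable_hosts("10.0.2.0/23"))
    # Constructed list of public resolvers; 1.1.1.0/24 would hide Cloudflare's.
    resolvers = ["1.1.1.1", "1.0.0.1", "8.8.8.8", "9.9.9.9"]
    print("Shadowed by 1.1.1.0/24:", shadowed_services("1.1.1.0/24", resolvers))
```

`subnet_of` is available from Python 3.7 onwards. Running this against a DHCP scope or an exported host list is a quick way to catch the 192.169 and 172.32 style mistakes before they reach production.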
So, in conclusion: you can configure any subnet you like in your own network. If you fancy 1.1.1.1, you can use 1.1.1.0/24 and assign 1.1.1.1 to your computer, and most of the time things will appear to work just fine. What you lose is every service that really lives in that range: the Cloudflare DNS resolver at 1.1.1.1 and anything else in the same segment becomes unreachable, because your hosts will look for it on the local wire instead of sending it to the firewall. Stick to the three private ranges and the problem never comes up 🙂
Your decision 🙂