
Private subnets

Three IP network address ranges are reserved for private networks: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. These addresses can be used by anyone setting up internal IP networks, such as a lab or home LAN behind a Network Address Translation (NAT) device, proxy server, or a router that provides NAT. Using these addresses is always safe because routers on the Internet never forward packets coming from these addresses. This also means that these addresses cannot be used to access the Internet without some routable address attached to one of the devices listed above.

Tip: The 192.168.x.x address range is by far the most common. As you spend more time playing around with home networking gear, you will find this reserved range of class C addresses used as the default for most home networking equipment.
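The three reserved ranges listed above can be checked in code. The following is an added example, not part of the original page: it sorts a constructed list of addresses into those that fall inside one of the three private ranges (and so need NAT or a proxy to reach the Internet), those that do not, and malformed entries. The function names and the sample list are assumptions made for illustration.

```python
import ipaddress

# The three reserved private ranges named in the text.
PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def private_block(addr):
    """Return the reserved block that contains addr, or None if none does."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    if ip.version != 4:
        return None
    return next((b for b in PRIVATE_BLOCKS if ip in b), None)


def audit(addresses):
    """Sort addresses into private (needs NAT), other, and invalid buckets."""
    report = {"private": {}, "other": [], "invalid": []}
    for addr in addresses:
        try:
            block = private_block(addr)
        except ValueError:
            report["invalid"].append(addr)
            continue
        if block is None:
            report["other"].append(addr)
        else:
            report["private"][addr] = str(block)
    return report


# Constructed sample inventory (not from the original page).
SAMPLE = [
    "192.168.1.10",    # typical home LAN default
    "10.20.30.40",
    "172.16.0.1",      # first address of the /12
    "172.31.255.255",  # last address of the /12
    "172.32.0.1",      # just past the /12: not reserved
    "192.169.0.1",     # just past 192.168.0.0/16: not reserved
    "127.0.0.1",       # loopback: special, but not one of the three ranges
    "192.168.1.300",   # malformed octet
]

if __name__ == "__main__":
    for bucket, items in audit(SAMPLE).items():
        print(bucket, items)
```

The check is made against the three ranges explicitly because Python's built-in `is_private` attribute also returns true for other special-purpose ranges such as loopback.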

The figure below shows a private subnet in action.

[Figure: Private Subnet]

Subnetting an IP network can be done for a variety of reasons, including organization, use of different physical media (such as Ethernet, FDDI, WAN connection - like DSL or cable - and so on), preservation of address space, and security. The most common reason, from an ISP's perspective, is to control network traffic. From a corporation's perspective, the most common reason is to preserve address space.

In the end, it doesn't matter why your network has to be subnetted, just that it does.

Someday in the not-so-distant future, ISPs will move from today's version of IP (IPv4) to a new version called IPv6. IPv6 supports more IP addresses than today's system does - orders-of-magnitude more - so that every networkable device in the world (even if every person had thousands of such devices) can have a unique IP address. When this happens (and it will be years from now when it does), NAT will be unnecessary - all of the devices on your home network will be full peers on the Internet.

One advantage of NAT is that it provides a bit of firewall-like protection. Because computers out on the Internet cannot directly connect to your 192.168.xxx.xxx IP-addressed devices, hacking your networked equipment is a bit harder for the people using those computers. The NAT router is a bit picky about which traffic it lets through the Internet connection and onto your network, so that helps reduce hacking. Considering a router that goes beyond just NAT and also includes an SPI (stateful packet inspection) firewall is still sensible, however: It actually digs into the data packets hitting your Internet connection to help filter out the bad guys doing bad things.

Remember: A firewall, whether it comes just from NAT or from an SPI firewall in a router (or even from firewall software on your PC or Mac), doesn't take care of wireless-specific security. You need both to secure your network from Internet-based attacks (with a firewall) and to secure it from over-the-air threats on the wireless connection.
