ELI5 subnets please!

[asbath]

Please help me understand subnets and subnet masks! Are there any dumbed down resources out there that can break it down better than scouring Reddit threads?

I'm currently planning on completely revamping my network. Thinking of switching over to UniFi everything, as currently I'm just using Asus wireless routers for a mesh network.

For the private IP space I'm planning on going down the simpler route of 192.168.xxx.yyy IP addresses. Until now I've always just used 192.168.1.yyy because it's simple and it works. But now I want to start segmenting my network better with VLANs and such.

The one thing I'm still struggling to wrap my brain around is subnetting and masks. I've always just had the default 255.255.255.0 for everything. I just know that as an example, 192.168.1.11/255.255.255.0 can talk to 192.168.1.12/255.255.255.0. But 192.168.1.12/255.255.255.0 cannot talk to 192.168.2.10/255.255.254.0. I'm just not sure why the devices in the second example cannot talk to each other, and why is that important (other than wanting to keep the devices from communicating to each other).

 

[Paladin]

Every time this come up for home network use:

1. Most people have zero need for VLANs at home.
2. Most routers have a guest wifi feature for most of the times you want to add something to a separate network, that will work fine for IoT devices if they use wifi.
3. If you really do need VLANs, you need a gateway, switch(es) and wifi access point that also support VLANs.
4. Putting things in separate networks/VLANs is designed to make them incapable of connecting to each other unless you allow it via the gateway device and even then, the default Windows firewall will prevent it on most computers (maybe apple too, not sure).

With that out of the way, your specific question is answered thus: the Subnet Mask defines the length (or size) of a network. A /24 (255.255.255.0) mask indicates a network with 256 possible addresses on it. Anything outside that contiguous 256 addresses is only accessible via the default gateway address or another gateway that might have been learned/configured on the device in question.

So for example, 192.168.1.11/24 knows it can reach 192.168.1.0-255 on its own local network without the use of a gateway, and any other address of any kind must be reached via a gateway. So 192.168.2.10 is basically 'the internet' as far as the routing is concerned, under a simple configuration that most home users would have. The PC with 192.168.1.11/24 configured on it should also have a default gateway, probably 192.168.1.1 or 192.168.1.254 (by common habit) so the computer would say to itself, "Well, 192.168.2.10 is outside my local connected network, I'll send my connection attempts to the gateway and hope it knows how to reach 192.168.2.10." If the gateway knows (via its own connected or configured route table, or via its default gateway) then it will forward that traffic on to the appropriate network interface and address. If it doesn't have any matching route table entry, it will report back an 'unreachable' error or simply drop the traffic.

Then there is the concept of access control/security policies on the various devices involved but that is not related specifically to the subnet mask/network length definitions. It is simply a policy on what to allow to talk to what.

 

[ERIFNOMI]

The mask is literally a bitmask. When trying to figure out if a host is in the same subnet as you, you take their address, bitwise AND it with your subnet mask, and if the result is your network address (which you can get by doing the same operation with your IP and subnet mask) you know it's an IP on your subnet and it doesn't need to be routed. From there you get to do arp to find the MAC to form your frame destined to that host instead of looking up where it should go per your routing table. Yada yada yada.

I'll try to do this on mobile...
We'll use your 192.168.1.0/24 example. Your network address is 192.168.1.0, your mask is 255.255.255.0, and you want to send something to 192.168.1.100.

Network: 1100 0000 1010 1000 0000 0001 0000 0000

Address: 1100 0000 1010 1000 0000 0001 0110 0100
Submask: 1111 1111 1111 1111 1111 1111 0000 0000
Bit-and: 1100 0000 1010 1000 0000 0001 0000 0000

Match. Great, so you know it's on the same subnet as you and you don't need to route.

What about the famous 8.8.8.8?

Network: 1100 0000 1010 1000 0000 0001 0000 0000


Address: 0000 1000 0000 1000 0000 1000 0000 1000

Submask: 1111 1111 1111 1111 1111 1111 0000 0000

Bit-and: 0000 1000 0000 1000 0000 1000 0000 0000

No match. Needs to be routed.

Hopefully those binary numbers are right. That's hard to do on mobile.

Now with the technical details out of the way, time for the practical...
You might be setting yourself up for failure. No offense, if you don't understand what a subnet is, a complicated network like this is going to be a challenge for you to set up. By all means, jump in and get learning, but you should probably build a second network that isn't your "production" environment. It's not going to be fun if a, ehm, learning opportunity means your network is down. That goes 10-fold if anyone else is using that network.

Consider what you're actually trying to do. Without a deep understanding of networking, you are going to run into problems where you don't even understand where to start looking. Here's an easy example. Do you use Chromecasts? Or AirPlay? Those rely on broadcast and multicast traffic, which is confined to a subnet. If you want to use those across subnets, you need to repeat mDNS/DNS-SD traffic across subnets. That's not a huge task, but you need to know that to even understand what the problem is. You might have thought all you had to do was allow traffic from subnet A to your Chromecast on subnet B, but that wouldn't have helped you. If you didn't even know what mDNS was, or that Chromecasts use it to announce themselves to the network, you'd have a hell of a time getting there on your own.

 

[Lord Evermore]

Kind of a big topic, and there are LOTS of actual educational pages if you search for them, rather than trying to learn through forums posts that are about a specific piece of the puzzle.

If you have that first 1.11/24 address (255.255.255.0 in CIDR notation is /24) then the device is only aware of the local existence of other devices in the 1.x range. The subnet "tells" the device how big its network is, and by design it can't just send packets to anything outside that block. For anything outside that range, the device has to send the packets to a gateway device which routes them to wherever the other IP address is located. Since 2.10 is not within the block of 192.168.1.0 to 1.255, the 1.11 device has to send it to the router and the router then forwards it to wherever 2.10 is located, whether that be somewhere beyond the router on another network or on a local interface.

Conversely, 2.10/23 (255.255.254.0) can only see 2.0 through 3.255, so it also has to respond through the router. (Note that layer-3 switches can also handle this traffic.) This is the basis of how the entire Internet and LANs work.

Technically, they can all be on the same physical network with no VLANs. They still couldn't talk directly, though, and without VLANs someone could just assign an IP to a device in the other subnet and gain access to devices they shouldn't. VLANs allow them to use the same physical network while being separated for security and management purposes. A lot of the use of VLANs is for management, making IP allocation and physical routing easier (and preventing unnecessary traffic passing), while also preventing devices from reaching resources they shouldn't and ensuring that traffic passes through security devices in some cases.

 

[brendan_kearney]

https://www.ncpnetwork.com/packetlife-cheat-sheet.html

 

[Paladin]

Oh and just as a side note: I would avoid using 192.168.x.x at all when possible. Everything for home networking and a lot of other random networks use 192.168.0.0/24 and 192.168.1.0/24 so when you have the same network configuration as a million other networks, the chance to have overlap issues (when doing VPN, setting up new hardware that comes with a default IP, joining networks, or just for general confusion) goes up.

For home use, 172.16.100.0/24 is great, or something like it. Personally I like 172.20.20.0/24

 

[ERIFNOMI]

Oh and just as a side note: I would avoid using 192.168.x.x at all when possible. Everything for home networking and a lot of other random networks use 192.168.0.0/24 and 192.168.1.0/24 so when you have the same network configuration as a million other networks, the chance to have overlap issues (when doing VPN, setting up new hardware that comes with a default IP, joining networks, or just for general confusion) goes up.

For home use, 172.16.100.0/24 is great, or something like it. Personally I like 172.20.20.0/24

Shhhh. 172.16/12 is my secret weapon. It's annoying enough that Docker default networks end up in there.

 

[Odomitus]

2. Most routers have a guest wifi feature for most of the times you want to add something to a separate network, that will work fine for IoT devices if they use wifi.

This may not be a good option. There's a setting on most Guest WiFi that will prevent devices from talking to each other as a security concern, and ostensibly if one is putting their IoT devices on WiFi, they probably want them to be able to communicate with a controller.

More at the OP: There's little practical point in limiting your home network to this degree. Most enterprise environments with VLANs do this to limit broadcast traffic with many thousands of devices which most don't actually need to talk to each other. VLANs help to manage this traffic by requiring the VLAN to be specified on any switch to which you want that traffic to reach. A good example is a large business with users spread across multiple buildings on a single LAN; apart from management traffic(which is most likely coming from a single VLAN anyway) and services like email and VoIP phone calls, you really don't need end user devices in most of those buildings to be able to speak directly to each other. So you specify the voice VLAN and the management VLAN on all the switches, but each building gets it's own VLAN, so end user devices and printers, etc can all talk within that building, but nothing else leaves that local switch unless you've specified the VLAN to an upstream switch elsewhere.

The same is true for subnets, but instead of simply needing to specify the VLAN, you need to add a route to any routers or layer 3 switches in between, as subnets behave as disparate networks otherwise.

A VLAN will almost always overlap completely with a subnet, though the two are not the same. The only way I've seen them used, VLANs become an easier way of managing subnets than manual routes.

TL;DR: You should be fine to simply adjust your subnet mask on all your home devices to 255.255.0.0, giving you something like 64,000 device IP addresses to play with. You could also go with something in between, like a 255.255.240.0, which would instead give you 16 subnets with ~4000 address each. Then, just use the first subnet in that range, which would extend from 192.168.0.1 through 192.168.15.254. This could also be a good solution by giving you several more subnets to play with as development space.

https://www.calculator.net/ip-subnet-calculator.html

 

[steelghost]

I've ended up going to a /22 on my LAN, so I have 192.168.0.1-255 with all my static stuff in it, then DHCP is able to operate in 192.168.1.1-192.168.3.255. Honestly I could have just used a /23 as I really don't have that many DHCP clients, but equally there's no harm in it being like that.

I have definitely encountered the LAN IP clash issue that @Paladin mentions, I should really re-address mine to some other non-routable address space (I'd probably go with 10.10.10.1-10.10.11.255 for ease of typing) but at the moment the hassle involved in re-doing all the addressing is way more than I'm encountering with the occasional VPN clash...

 

[KD5MDK]

I have a weird idea, curious about feedback:
Set /22 as default netmask.
Have router be 192.168.3.254
Have DHCP range be 192.168.2.1 to 192.168.2.254
Additional VLANs/subnets (security cameras is the immediate use case) can be above that range.

Is the whole concept flawed because the default which defaults to 192.168.0.10 or whatever will not be able to reply to my device because it probably also defaulted to 255.255.255.0 as well?

 

[ERIFNOMI]

I have a weird idea, curious about feedback:
Set /22 as default netmask.
Have router be 192.168.3.254
Have DHCP range be 192.168.2.1 to 192.168.2.254
Additional VLANs/subnets (security cameras is the immediate use case) can be above that range.

Is the whole concept flawed because the default which defaults to 192.168.0.10 or whatever will not be able to reply to my device because it probably also defaulted to 255.255.255.0 as well?

There's no need to contort your network to fit around the default assumptions of other devices. You can set your IP to be within the same subnet as whatever some device uses for default, regardless of what the rest of the network uses. It doesn't matter what the rest of the network is using. Nothing says everything connected to a switch has to be in the same subnet. Yes, for your actual, in use network that's what you want, but you can set your network to be 10.0.0.0/24, connect a device that gives itself 192.168.1.10/24, and manually set your IP to 192.168.1.11/24 and connect to it. Configure it to fit in with your network correctly (ideally use DHCP so you don't have to fuck with it again), then reset your config.

Also, VLANs are how you chop up shared L1 and L2 to get multiple subnets on the same hardware. If you have a 192.168.0.0/22, you don't "make a VLAN" in any of that address space. You go to 192.168.4.0 or higher, or something in 10/8 or 12.16/12.

One of my pet peeves is calling subnets "VLANs." I try my best not to shorten "multiple subnets on the same switches" to VLANs because it confuses people who know just enough to get themselves into trouble. What people mean when they say VLANs is subnets. They just know that somehow they have to use VLANs to keep them separated on the same switch or to carry multiple over the same cables without them seeing each other.

 

[Lord Evermore]

As described, you wouldn't need more than a /23. (Of course room for growth is good, and you could expand your DHCP range down to 1.x then 0.x if needed. 3.x could be used for static assignments working down from the top.

If you mean the camera default is 192.168.0.10/24, then correct, it won't be able to communicate with anything that isn't 192.168.0.x (assuming it doesn't first try to get an IP via DHCP before using its default). But that doesn't make the whole network design flawed. You could manually configure an interface on a PC with a 0.x/22 address and have its network port be in the same VLAN as the camera's port; even though they're in different subnets, they both can access each other because they're in that same range and know it's a local subnet. You could even keep the PC on its normal range and use a second interface (like a USB Ethernet adapter you only plug in to configure cameras, or a second NIC) with a 0.x/24 address, which is more specific and will cause traffic bound for 0.10 to use that interface, though you might need to modify the interface metric. This would however complicate communication to other devices on the 0.x range because they also wouldn't be seeing the primary IP of the PC. An even more specific subnet that includes .10 would mitigate that for the most part, and it would only matter while the adapter was connected.

You could even just put a secondary 0.x address on the PC's interface, but you might need to configure routing in weird ways to ensure that's the source IP used when talking to 0.10, so that the camera could respond to it.

2.x would presumably just be the DHCP range for the default VLAN (which is usually 1 at first, but it's considered better to change it). You could also configure the DHCP server to hand out DHCP on other VLANs (in totally different subnets), if the server is capable of doing so, so that you can just plug a camera into the appropriate switch port or have it be based on other identifiers when the port used is on multiple VLANs. If the camera checks for DHCP first then it could be automatically assigned an IP from the appropriate subnet.

 

[KD5MDK]

Yes, for your actual, in use network that's what you want, but you can set your network to be 10.0.0.0/24, connect a device that gives itself 192.168.1.10/24, and manually set your IP to 192.168.1.11/24 and connect to it. Configure it to fit in with your network correctly (ideally use DHCP so you don't have to fuck with it again), then reset your config.

This is what I do already, but it’s annoying now that Network Locations are no longer a thing in macOS. I was hoping my silly idea would allow me to avoid that reconfiguration on my desktop while allowing me to immediately connect to devices which default to a .0.x or .1.x address instead of respecting DHCP.

Also, VLANs are how you chop up shared L1 and L2 to get multiple subnets on the same hardware. If you have a 192.168.0.0/22, you don't "make a VLAN" in any of that address space. You go to 192.168.4.0 or higher, or something in 10/8 or 12.16/12.

That’s what I meant. Default subnet would be that /22 and then the other two subnets (cameras post-configuration w/o external internet access, and the FX show production betwork) are higher as described. Neither of those should need more than a /24.

 

[Lord Evermore]

That’s what I meant. Default subnet would be that /22 and then the other two subnets (cameras post-configuration w/o external internet access, and the FX show production betwork) are higher as described. Neither of those should need more than a /24.

I think there was a misunderstanding, same as I had, when you said "above that range", which made me think you meant it would just be above the DHCP range, meaning it would be in 3.x, and you seemed to be indicating VLAN and subnet were the same thing with "VLANs/subnets". I didn't read that as meaning you've create a different layer 2 VLAN and also give it a subnet like 10.x/24.

In that case, then yeah, you would have to initially plug the camera into a port that is in VLAN using the /22 subnet in order to communicate with it from a PC in order to do the initial configuration, and you'd have to have that PC configured with a 0.x/22 or 0.x/24 address as I described. Or you'd plug the camera into its normal VLAN port and move the PC to that VLAN with a 0.x/24 address as well. Doing it my way with a secondary IP or secondary interface on the PC means not completely disconnecting your PC from the rest of the network during the time that you're configuring the camera or other devices, but does require the PC's both VLANs (either on the same switch port or different ones).

If you use a secondary interface on the PC and assign it 192.168.0.11/31, it would be so specific that it would only allow the PC and the camera on 0.10 to communicate, and routing to the rest of the /22 subnet would go out the main interface on the PC as usual. You could actually just plug the camera directly into the PC that way (possibly needing a crossover cable, depending on whether the PC NIC or camera are auto-MDIX), with no concern for VLANs.

Neither of those should need more than a /24.

Well now you've just fucked yourself and they're each going to need a /21 six months from now, including the original /22 needing to expand.

 

[KD5MDK]

I think there was a misunderstanding, same as I had, when you said "above that range", which made me think you meant it would just be above the DHCP range, meaning it would be in 3.x, and you seemed to be indicating VLAN and subnet were the same thing with "VLANs/subnets". I didn't read that as meaning you've create a different layer 2 VLAN and also give it a subnet like 10.x/24.

Yeah, I reread my message and can see how that was confusing. I'll start over to try and revise:

Functional Range means a mental allocation of addresses to a particular purpose, it has no technical meaning or implementation.

Subnet 1:
Default Gateway & DHCP server: 192.168.3.254
Subnet Mask: 255.255.252.0
VLAN 1
Functional Range A within Subnet 1: 192.168.0.1 to 192.168.1.254 // Left unused, may get claimed by newly added devices before being reconfigured.
Functional Range B within Subnet 1: 192.168.2.1 to 192.168.2.254 // DCHP pool for general use.
Functional range C within Subnet 1: 192.168.3.1 to 192.168.3.254 // Also in DHCP pool but create DHCP reservations for all addresses here so they're contiguously available for any use cases that can benefit from a reserved IP.

Subnet 2:
Default Gateway & DHCP server: 192.168.5.1
Subnet Mask: 255.255.255.0
VLAN 500
Functional Range D within Subnet 2: 192.168.5.2 to 192.168.5.254 // FX production network. I'll let them decide any reservations they need.

Subnet 3:
Default Gateway & DHCP server: 192.168.7.1
Subnet Mask: 255.255.255.0
VLAN 700
Functional Range D within Subnet 2: 192.168.7.2 to 192.168.7.254 // Security Camera network. I'll let them decide any reservations they need.

In that case, then yeah, you would have to initially plug the camera into a port that is in VLAN using the /22 subnet in order to communicate with it from a PC in order to do the initial configuration, and you'd have to have that PC configured with a 0.x/22 or 0.x/24 address as I described. Or you'd plug the camera into its normal VLAN port and move the PC to that VLAN with a 0.x/24 address as well. Doing it my way with a secondary IP or secondary interface on the PC means not completely disconnecting your PC from the rest of the network during the time that you're configuring the camera or other devices, but does require the PC's both VLANs (either on the same switch port or different ones).

Definitely would prefer not to be popping back and forth between ports. I'd prefer to have the steps be:
1) Plug new device into a VLAN 1 port.
2) Check that switch port on the Omada Controller and see if the device successfully used DHCP or if I need to login with default credentials
3) If needed, immediately connect to the device and switch it to use DHCP. Possibly create a DHCP reservation in its future subnet if it will need one.
4) Physically deploy the device to the location it will be used and connect it to a port on the appropriate VLAN based on use case.

My suspicion is this plan won't do any good because any device not successfully using DHCP out of the box will have ALSO have decided its default subnet mask is 255.255.255.0 and the default gateway is 192.168.[0,1].1 so it won't send me any responses unless my packets are coming from inside that range and not from a .2.x or .3.x address.

If you use a secondary interface on the PC and assign it 192.168.0.11/31, it would be so specific that it would only allow the PC and the camera on 0.10 to communicate, and routing to the rest of the /22 subnet would go out the main interface on the PC as usual. You could actually just plug the camera directly into the PC that way (possibly needing a crossover cable, depending on whether the PC NIC or camera are auto-MDIX), with no concern for VLANs.

That would be possible but only actually useful if all the cameras are using that 192.168.0.10 default address and I'm definitely not confident that will be consistent across brands and model lines.

Well now you've just fucked yourself and they're each going to need a /21 six months from now, including the original /22 needing to expand.

There's only 75 buildings & sheds total so I doubt we'll be putting more than 2 cameras and 2 devices at each of them.

 

[ERIFNOMI]

You could always keep whatever device you're doing setup from in 192.268.1.0/24. 192.168.1.1 would probably be safe.

But you're making a fucking huge subnet just to get around not having to connect directly to a device when on first setup. How often is this coming up? This just sounds like a really weird way to solve a really uncommon issue. I use a completely different address space and I'll just manually set my PC's IP to something in 192.168.1.0/24 to do the config then switch back when I'm done. Takes 3 seconds and doesn't involve physically moving anything.

 

[KD5MDK]

If I connect directly to a device immediately I don't know whether DHCP is working or not, unless I set up a DHCP server on that interface and check its output.

Takes 3 seconds and doesn't involve physically moving anything.

System Settings -> Network -> select interface -> Details -> TCP/IP -> Configure IPv4 -> type temporary values in, click OK.
Then to remember to switch it back after I'm done.

 

[ERIFNOMI]

If I connect directly to a device immediately I don't know whether DHCP is working or not, unless I set up a DHCP server on that interface and check its output.

System Settings -> Network -> select interface -> Details -> TCP/IP -> Configure IPv4 -> type temporary values in, click OK.
Then to remember to switch it back after I'm done.

macOS? Yeah, pain in the ass to do anything, in my experience.

Ok, 30 seconds.

Set up your network however you want. You asked for advice and mine is don't contort your entire network to the needs of a few shit devices. Are you doing this 100 times a day? Then I'd probably just assign two addresses to my machine so it could talk to these devices when the need comes up. If it's one device once in a blue moon, like I do now, I'd do it as needed. What I wouldn't do is create a /22 and throw away the bottom /23 just for provisioning a device that doesn't use DHCP. Mostly because I'm not tying my ass to that network address. Everyone and their mother uses 192.168.1.0/24, so you get address conflicts of you use a VPN from one.

 

[KD5MDK]

It seemed like a wild idea when I had it, I just wasn’t sure if it work work at all. So I’ll just create a /24 at 192.168.3.x and stop trying to mess with things.

 

[Lord Evermore]

Really, a random block in 172.16/12 or 10.x/8 would be the best choice for security and avoiding possible conflicts. There's no need to stick with the 192.168 range if you've decided you don't want to use the usual subnet. (Except this one time when a client had an AT&T gateway that simply would not allow me to give it anything that wasn't a 192.168 address, but it could be ANY 3rd octet in that block.)

And if it was a small business network, where VLANs are just a bit too much, then go ahead and use a /22 so that you NEVER will have to worry about having to do a renumber in order to expand, even if it's currently not all that large a company, unless it could potentially grow even more outrageously large. At my job we discovered a /24 simply wasn't enough anymore even for modestly-sized companies when you considered that so many people had company PCs, company laptops, company phones or personal phones used for company work, access points, servers, network printers, managed switches (that weren't set up with a separate management subnet), and guest wireless devices that in some cases still used the same subnet by DHCP but were isolated, and DHCP not being expired in a stupidly short amount of time to ensure that temporary usage would be freed quickly . And then they would be a growing company so they'd be hiring more people.

 

[ERIFNOMI]

Really, a random block in 172.16/12 or 10.x/8 would be the best choice for security and avoiding possible conflicts. There's no need to stick with the 192.168 range if you've decided you don't want to use the usual subnet. (Except this one time when a client had an AT&T gateway that simply would not allow me to give it anything that wasn't a 192.168 address, but it could be ANY 3rd octet in that block.)

And if it was a small business network, where VLANs are just a bit too much, then go ahead and use a /22 so that you NEVER will have to worry about having to do a renumber in order to expand, even if it's currently not all that large a company, unless it could potentially grow even more outrageously large. At my job we discovered a /24 simply wasn't enough anymore even for modestly-sized companies when you considered that so many people had company PCs, company laptops, company phones or personal phones used for company work, access points, servers, network printers, managed switches (that weren't set up with a separate management subnet), and guest wireless devices that in some cases still used the same subnet by DHCP but were isolated, and DHCP not being expired in a stupidly short amount of time to ensure that temporary usage would be freed quickly . And then they would be a growing company so they'd be hiring more people.

I've never had ATT, but from what I've gathered, they have always used the absolute worst fucking hardware they could get their hands on, configured in the least user-friendly way they could imagine.

 

[Lord Evermore]

I've never had ATT, but from what I've gathered, they have always used the absolute worst fucking hardware they could get their hands on, configured in the least user-friendly way they could imagine.

And that was a business-class service fiber gateway. But my residential fiber gateway (5 years later) is pretty functional for being ISP-provided, with the usual lack of more technical capabilities and details. And the interface is a hell of a lot more responsive than any cable device I've ever used.

 

[waqar]

whoa nelly this is a big topic and a good one to get your head around. Whether in the home or anywhere
I would deffo recommend having a go at it.
If you are working in IT, I personally think you should know what a network is, what a broadcast address is, and what the gateway address is.
But it's one of those that you need to do a course on I'd say.
Well worth knowing and using as well.
Like many of the salty old wire monkeys in here it's a second nature, but I'll still use a subnet calculater at a design phase.