IP Addressing - Private Network Addresses

dweiss

Occasional Visitor
Are there any particular pros and cons to consider in choosing which private IP address space to use for a network using NAT to distribute internet access from one WAN address to a number of LAN clients?

In particular, aside from the total address space available, is there a good reason to choose a 10.x.x.x space over a 192.x.x.x space, or vice versa?

Does the fact that the 192.x.x.x space is more commonly used than the other options available suggest any pluses or minuses regarding security, for example, or other issues involved in using one address scheme over another?

Thanks,
 
Makes absolutely no difference. You also don't really have more addresses using 10.x.x.x versus 192.168.x.x

Just about all consumer routers are going to be limited to a single /24 address pool and you'd have to route between /24s (/24 is the x.x.x.1-254 range).

Some people use 10.0.0.1-254 simply because that is easy to remember. Others use 192.168.0 or 1.x because that is what most routers come with as the default IP range.
 
IP overlap is a concern that can be partially addressed by choosing a less common subnet. It is considerably easier to connect two sites over a VPN if they are on different subnets. Same goes for home users trying to access resources to the office using a VPN.

You can also make some bad choices with subnets; for 10.0.0.0, the default is /8, or 16.7 million hosts. The problem is not the number of hosts, but that the /8 will now conflict with every other network in 10.0.0.0 space. I've found that people that notice this problem go "A-ha! I'll use 10.10.10.0/24 instead, aren't I clever?" which works until they run into the next similarly clever individual (and happens fairly often). If overlap is a concern, pick a subnet that someone else is unlikely to choose, like 172.27.172.0/24.
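Added example (not from any poster in this thread): a small Python check, using only the standard-library ipaddress module, that tests a candidate LAN subnet against the networks it will have to coexist with (VPN peers, the ISP default, a hotspot default). The peer list and candidate subnets are constructed sample values, not taken from any real deployment; the point is that a /8 collides with every 10.x network, a "clever" 10.10.10.0/24 collides with the next person's, and an odd choice in 172.16.0.0/12 collides with nothing.

```python
"""Check a candidate RFC 1918 subnet for overlap with networks it must coexist with."""
from ipaddress import ip_network

# Constructed sample: networks reachable from this LAN over VPN, plus the
# defaults a laptop is likely to meet at home or on a public hotspot.
PEER_NETWORKS = {
    "vpn-site-a": ip_network("10.0.0.0/8"),        # whole-/8 site, as warned about above
    "vpn-site-b": ip_network("10.10.10.0/24"),     # the "clever" choice
    "isp-default": ip_network("192.168.1.0/24"),
    "hotspot": ip_network("192.168.0.0/24"),
}

# The three private blocks from RFC 1918.
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def is_private(net):
    """True if net lies entirely inside one of the RFC 1918 blocks."""
    return any(net.subnet_of(block) for block in RFC1918)


def overlaps_with(candidate, peers):
    """Names of peer networks that share at least one address with candidate."""
    return sorted(name for name, peer in peers.items() if candidate.overlaps(peer))


def choose_subnet(candidates, peers):
    """First candidate (in order) that is private and overlaps none of the peers."""
    for cidr in candidates:
        net = ip_network(cidr)
        if is_private(net) and not overlaps_with(net, peers):
            return net
    return None


if __name__ == "__main__":
    for cidr in ["10.0.0.0/24", "10.10.10.0/24", "192.168.1.0/24", "172.27.172.0/24"]:
        print(cidr, "conflicts with", overlaps_with(ip_network(cidr), PEER_NETWORKS) or "nothing")
```

Run it before you commit to a LAN range; every address you later hand out by VPN or DHCP inherits the choice.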
 
The only advantage I've found is that if you're using a router that you don't want everyone to dial into, you can set it to 192.168.1.1 and it will conflict with almost all public hotspots and not allow someone to connect to your network because their local default gateway is also 192.168.1.1. Just adds a small layer of security.
 
About the only thing to consider is to limit the range for DHCP if your router allows you.

For example, if you are 192.168.1.0/24, limit the DHCP range from, maybe, 192.168.1.50 to 192.168.1.150. This provides a range you will probably not fill and allows you to manually assign addresses outside of that range without fear of a conflict.
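Added example (not from any poster in this thread): the same 192.168.1.0/24 plan with a .50 to .150 pool, written as a Python check that the pool is a valid host range and that hand-assigned addresses stay outside it. The device list is a constructed sample; it deliberately contains the three mistakes the advice above is meant to prevent: a static address inside the pool (DHCP may lease it to someone else), one used twice, and one on the wrong subnet.

```python
"""Validate a DHCP pool and the static addresses that must stay outside it."""
from ipaddress import ip_address, ip_network


def dhcp_pool(lan, first, last):
    """Return (start, end) after checking the pool is a usable host range in lan."""
    net = ip_network(lan)
    start, end = ip_address(first), ip_address(last)
    # Network and broadcast addresses are never leased.
    if not (net.network_address < start <= end < net.broadcast_address):
        raise ValueError(f"{first}-{last} is not a valid host range in {lan}")
    return start, end


def in_pool(addr, pool):
    start, end = pool
    return start <= ip_address(addr) <= end


def check_static_assignments(lan, pool, statics):
    """Map device name -> problem for every static address that is unsafe to use."""
    net = ip_network(lan)
    problems = {}
    seen = {}  # address -> first device that claimed it
    for name, addr in statics.items():
        ip = ip_address(addr)
        if not (net.network_address < ip < net.broadcast_address):
            problems[name] = "outside LAN host range"
        elif in_pool(ip, pool):
            problems[name] = "inside DHCP pool"
        elif ip in seen:
            problems[name] = f"duplicate of {seen[ip]}"
        seen.setdefault(ip, name)
    return problems


def free_static_addresses(lan, pool, statics):
    """Host addresses outside the pool that no device has been given yet."""
    net = ip_network(lan)
    taken = {ip_address(a) for a in statics.values()}
    return [h for h in net.hosts() if not in_pool(h, pool) and h not in taken]


# Constructed sample plan.
LAN = "192.168.1.0/24"
POOL = dhcp_pool(LAN, "192.168.1.50", "192.168.1.150")
STATICS = {
    "router": "192.168.1.1",
    "printer": "192.168.1.10",
    "nas": "192.168.1.100",      # inside the pool: DHCP can lease it to another client
    "camera": "192.168.1.10",    # same address as the printer
    "old-host": "192.168.2.5",   # not on this LAN at all
}
PROBLEMS = check_static_assignments(LAN, POOL, STATICS)

if __name__ == "__main__":
    for name, why in PROBLEMS.items():
        print(f"{name}: {why}")
    print(len(free_static_addresses(LAN, POOL, STATICS)), "addresses still free for statics")
```

The pool range leaves 153 host addresses outside it in a /24; keep the router at a fixed address outside the pool as well, since a gateway that moves breaks every client.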
 
Or you can build an L3-only network using 255.255.255.255 masks if you are really concerned about security, but you would need a firewall like MikroTik RouterOS or pfSense to regulate the packets passing through. MikroTik has an L2 firewall for even further control, but only if you bridge instead of switch chip. Many routers dynamically add routes based on the IPs that it is expecting.
 
That's killer security, but boy what a lot of work the router would be doing...

A 600 MHz MIPS 24K can route 1 Gb/s of 1500-byte packets (L3 switching) in software. So not really a problem, but it does become one when you start adding firewalls. Of course routers nowadays are much faster.
 
> A 600 MHz MIPS 24K can route 1 Gb/s of 1500-byte packets (L3 switching) in software. So not really a problem, but it does become one when you start adding firewalls. Of course routers nowadays are much faster.

But that's raw. Factor in routing table lookups and whatnot and it will slow down.
 
I took that from various experiences in using such devices, so that is what I factored in. NAT and routing involve table lookups. L3 switching = routing. L2 across CPU = bridging. Hence some switches that are L3 do route, but only by looking at the netmask and corresponding IP segment. So if the netmask is /24 it will only look at the last 3 digits of the IP address. An L3 switch, however, doesn't only route across networks, but in general the correct term for L3 switch is a router, so L3 switches that don't route are only partial L3.
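Added example (not from any poster in this thread): a Python model of the table lookup described above. Each route is matched by masking the destination with the route's netmask and comparing only the bits under the mask, so a /24 route looks only at the first three octets and the longest matching prefix wins. The routing table is constructed; the 203.0.113.x address is from the RFC 5737 documentation range.

```python
"""Longest-prefix-match route lookup, the way an L3 forwarding table chooses a next hop."""
from ipaddress import ip_address, ip_network

# Constructed routing table: (destination prefix, next hop or None if directly
# connected, outgoing interface).
ROUTES = [
    ("0.0.0.0/0", "203.0.113.1", "wan"),          # default route to the ISP
    ("192.168.1.0/24", None, "lan"),               # directly connected LAN
    ("10.0.0.0/8", "192.168.1.254", "lan"),        # VPN gateway for a remote /8
    ("10.10.10.0/24", "192.168.1.253", "lan"),     # more specific route for one /24
]


def prefix_matches(net, ip):
    """Compare only the bits under the netmask: for a /24 that is the first three octets."""
    return (int(ip) & int(net.netmask)) == int(net.network_address)


def build_table(routes):
    return [(ip_network(prefix), next_hop, iface) for prefix, next_hop, iface in routes]


def lookup(table, dst):
    """Return the (prefix, next_hop, iface) entry with the longest matching prefix, or None."""
    ip = ip_address(dst)
    best = None
    for net, next_hop, iface in table:
        if prefix_matches(net, ip) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def forward(table, dst):
    """(address to send the frame to, interface): the next hop, or dst itself if connected."""
    match = lookup(table, dst)
    if match is None:
        return None
    net, next_hop, iface = match
    return (next_hop or dst, iface)


TABLE = build_table(ROUTES)

if __name__ == "__main__":
    for dst in ["10.10.10.7", "10.20.0.1", "192.168.1.20", "8.8.8.8"]:
        print(dst, "->", forward(TABLE, dst))
```

Every packet pays for this scan (real routers use a trie or TCAM rather than a linear search), and a NAT table lookup on top of it is the cost the reply above is pointing at.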
 