IP pool starting and ending .... question about

zero7404

Occasional Visitor
hello,

I am restructuring my router's settings (RT-AC87U) and I currently reserve IP addresses for all of my regularly connected devices (using the "Manually Assigned IP around the DHCP list" section).

I was curious to know how the router applies IP Pool starting and ending addresses. Specifically, can the start and end range be outside of the IP addresses I manually assigned?

For instance, all my devices would be assigned IPs in the range 192.168.1.2 - 192.168.1.30. Can I specify an IP Pool start and end of 192.168.1.90 - 192.168.1.254?

I want to know because other misc. devices that I don't consider a permanent part of my own home network (friends/family/etc.) will be auto-assigned within the pool start and end range...

My IP address layout is not as basic as this example. I am going to use a 255.255.0.0 subnet mask/layout, so I will be reserving the last 2 groups of numbers for tiers/device types.
 

ColinTaylor

Part of the Furniture
I was curious to know how the router applies IP Pool starting and ending addresses. Specifically, can the start and end range be outside of the IP addresses I manually assigned?

For instance, all my devices would be assigned IPs in the range 192.168.1.2 - 192.168.1.30. Can I specify an IP Pool start and end of 192.168.1.90 - 192.168.1.254?
Yes, the manually assigned addresses can be inside or outside of the pool.

My IP address layout is not as basic as this example. I am going to use a 255.255.0.0 subnet mask/layout, so I will be reserving the last 2 groups of numbers for tiers/device types.
This is likely to cause problems. Various parts of the firmware are coded on the assumption that the netmask is /24. So things like the Network Map won't work properly with larger netmasks (unless they've fixed these bugs after many years).

Also, if you're planning on using 192.168.x.y, that will conflict with the address range Asus now uses for guest networks (EDIT: I'm not sure that would apply to your router because your firmware is still using an older code base).
 

zero7404

Occasional Visitor
Thanks for the responses... I appreciate it.

Planning to set up a 10.86.x.y arrangement rather than a 192.168.x.y arrangement. Not sure if that will be an issue?
 

ColinTaylor

Part of the Furniture
There is no problem using 192.168.x.y. My LAN uses 192.168.1.0 and the guest set itself to 192.168.101.0.
I think you're missing the point. He is going to be using a /16 subnet rather than a /24 subnet. But as he plans to use 10.86.0.0/16 that won't conflict with the guest networks anyway. Certain parts of the GUI might not accept such a large range though.
 

zero7404

Occasional Visitor
Just to clarify, I don't need the 10. reservation for a million device IPs. I just want to define something that's not an easy target for malware (as would be 192.168.x.y).

10.86 would be fixed, then I would increment the 3rd number according to some class of the device (i.e., home appliance, media device, gaming console, etc.). The 4th number would be the individual device (i.e. console #1, console #2, etc.).

This would help to keep open IPs for new devices that follow my criteria and it would help identify them mentally. I prefer it this way, to see all my phones and tablets grouped into 10.86.XX.1, 2, 3, 4... etc., and when I have more to add, then I would just continue on to .5, .6, .7, etc. Easier to group and locate.

I just need to take care that my computers know the IPs of those shared devices such as home appliances and printers, NAS, etc.
 

ColinTaylor

Part of the Furniture
Yes, I think we had already assumed that's what you were planning on doing. But you're still going to be using a /16 subnet regardless of the number of devices you have and there have been reports in the past that the GUI doesn't like subnets other than /24. It's just something to bear in mind in case you run into it.
 

zero7404

Occasional Visitor
ColinTaylor, thanks for that input. What other private network LAN IP ranges are /24?

Is this a confirmed scenario with IPs that don't conform to 24 binary 1s? Would it also extend to Merlin firmware?

I stated RT-AC87U but will move on to something else soon, such as an AX86U or an AX88U (more modern hardware platform).
 

L&LD

Part of the Furniture
The RT-AX86U is the 'more modern' and a better router/buy than the 2-year older RT-AX88U. (Its newer SDK is what makes it superior).

192.168.0.0 – 192.168.255.255 (65,536 IP addresses)
172.16.0.0 – 172.31.255.255 (1,048,576 IP addresses)
10.0.0.0 – 10.255.255.255 (16,777,216 IP addresses)

All can be /24.
 

ColinTaylor

Part of the Furniture
ColinTaylor, thanks for that input. What other private network LAN IP ranges are /24?
There are thousands of /24 networks to choose from: https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses

For example,
192.168.1.x, 192.168.22.x, 192.168.111.x, etc.
172.16.0.x, 172.16.55.x – 172.31.222.x, etc.
10.1.1.x, 10.200.100.x, 10.55.55.x, etc.

Is this a confirmed scenario with IPs that don't conform to 24 binary 1s? Would it also extend to Merlin firmware?
No, I can't confirm this. Obviously it's not an intentional restriction (you can set whatever subnet size you want in the GUI) and over time any such bugs may have been fixed. However there may be some that are still present. The most famous one is the Network Map, which in turn populates a lot of the drop-down lists in the GUI. I don't know whether Asus ever fixed that.
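The two answers above (reservations may sit inside or outside the DHCP pool, and any RFC 1918 block can be carved into /24s, with a caveat that parts of the router GUI assume /24) can be checked mechanically. The following is an added example, not code from the thread or from Asus firmware: it uses Python's standard ipaddress module to validate a LAN plan. The sample values are the ones discussed in the thread (192.168.1.0/24, reservations in .2-.30, pool .90-.254); the MAC addresses are constructed placeholders, and the "warning" for non-/24 prefixes simply encodes the caveat given above.

```python
"""Sanity-check a home LAN addressing plan with Python's ipaddress module.

Added example (not from the forum thread or Asus firmware). Values below are
the ones discussed in the thread; the checks themselves are generic.
"""
import ipaddress

# The three RFC 1918 private blocks listed in the thread.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(network):
    """True if the whole LAN network lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(network, strict=False)
    return any(net.subnet_of(block) for block in PRIVATE_RANGES)


def check_plan(lan, pool_start, pool_end, reservations):
    """Validate the DHCP pool and manual reservations against the LAN subnet.

    reservations: dict mapping MAC -> reserved IPv4 address (strings).
    Returns a dict with:
      problems     - hard errors (address outside subnet, inverted pool, ...)
      warnings     - soft issues (the non-/24 GUI caveat from the thread)
      inside_pool  - reservations that overlap the dynamic pool (allowed)
      outside_pool - reservations outside the pool (also allowed)
    """
    net = ipaddress.ip_network(lan, strict=False)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    problems, warnings = [], []

    if not is_rfc1918(net):
        problems.append(f"{net} is not an RFC 1918 private network")
    if net.prefixlen != 24:
        warnings.append(f"{net} is /{net.prefixlen}; some router GUI parts assume /24")
    if start > end:
        problems.append(f"pool start {start} is after pool end {end}")
    for label, addr in (("pool start", start), ("pool end", end)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address")

    inside_pool, outside_pool = [], []
    seen = set()
    for mac, ip in reservations.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"reservation {mac} -> {addr} is outside {net}")
            continue
        if addr in seen:
            problems.append(f"address {addr} is reserved for more than one MAC")
        seen.add(addr)
        (inside_pool if start <= addr <= end else outside_pool).append(ip)

    return {"problems": problems, "warnings": warnings,
            "inside_pool": inside_pool, "outside_pool": outside_pool}


# Constructed sample: two reservations below the pool, one deliberately inside it.
SAMPLE_RESERVATIONS = {
    "aa:bb:cc:00:00:01": "192.168.1.2",
    "aa:bb:cc:00:00:02": "192.168.1.30",
    "aa:bb:cc:00:00:03": "192.168.1.100",
}

if __name__ == "__main__":
    report = check_plan("192.168.1.0/24", "192.168.1.90", "192.168.1.254",
                        SAMPLE_RESERVATIONS)
    for key, val in report.items():
        print(f"{key}: {val}")
    # The /16 layout from the thread passes but triggers the GUI caveat warning.
    report16 = check_plan("10.86.0.0/16", "10.86.200.1", "10.86.200.254",
                          {"aa:bb:cc:00:00:04": "10.86.1.1"})
    print(report16["warnings"])
```

Reservations that land inside the pool are reported rather than rejected, matching the answer above; the check is still useful because a reservation inside the pool is an address the router must not also hand out dynamically, so it is worth knowing which ones they are.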
 

zero7404

Occasional Visitor
The issue I guess I created for myself is wanting to vary the 3rd and 4th octets according to a use case.

I would settle for the /24 setup, though it's not ideal for memory's sake and not as easy to memorize as it would be if I picked a fixed 3rd octet to assign to device tiers/types.

Since it's getting to some level of complexity and risk of causing an issue, I'll choose some other set like 10.15.20.x.

Either way, I document the IPs I assign to each device/MAC in a note somewhere before I apply them in the router, so I would lay out my tiered list in some way that makes sense to me. They may not be nice/easy-to-remember round numbers, but if it works I'll manage the same as I have been before.
 

zero7404

Occasional Visitor
Thanks, all, for your input on this.

One last thing I want to ask. If I put one LAN device in the DMZ, does the router-assigned device IP address appear to the outside world?
 

toaruScar

Regular Contributor
Thanks, all, for your input on this.

One last thing I want to ask. If I put one LAN device in the DMZ, does the router-assigned device IP address appear to the outside world?
No, it won't. Asus's DMZ is based on NAT, which means your DMZ'ed device will receive a 10.15.20.0/24 address.
When a WAN-side device sends a packet to your DMZ'ed LAN device, the packet will be addressed to the router's WAN port IP.
The router will then rewrite the packet's destination address to the 10.15.20.0/24 address, then send it to your DMZ'ed LAN device.
When the DMZ'ed device replies to this packet, the reply packet will be addressed to the IP of the WAN-side device, and its source address will be the 10.15.20.0/24 address. Since the destination of this packet is not within 10.15.20.0/24, it will be delivered to the gateway, which is the router in this case. The router will then rewrite the source address of the packet from the 10.15.20.0/24 address to its WAN port IP.

Therefore to the eyes of that WAN-side device, it's completely oblivious to the 10.15.20.0/24 address that the router assigns to your DMZ'ed device.
 

zero7404

Occasional Visitor
You got me confused in that you answered "no" but the explanation tells me that the DMZ'd LAN device WILL reveal its LAN IP to the outside...?

So if that is correct, then the IP is revealed and a 'snooper' or other interest looking at the traffic coming/going with my public WAN IP would know I have a numbering scheme of 10.15.20 and could assume that I am set up for 255.255.255.0, meaning outside malware could be written to target devices with IPs 10.15.20.x.

This is another reason why I wanted to pursue a 255.255.0.0 mask.

If there is indeed confirmation that ASUS routers such as the AX86U, AX88U or newer would be able to handle a /16 subnet, then I'd rather go with it, but if not I'll use the /24 arrangement.

Is it possible to assign a completely different IP to specific devices, i.e. can I assign 1 device a 192.168.1.x while others live in 10.15.20.x?
 

toaruScar

Regular Contributor
the DMZ'd LAN device WILL reveal its LAN IP to the outside...?
You probably missed this sentence:
The router will then rewrite the source address of the packet from the 10.15.20.0/24 address to its WAN port IP.
This means that the packet sent out by the DMZ'd device will contain its LAN IP in the source IP field. But upon leaving your router's WAN port, the packet has been modified by the router. The modification is to replace the LAN IP in the source field of the packet with the router's WAN IP.

Therefore although the DMZ'd LAN device is "revealing" its LAN IP, it's only revealed to your LAN, and this information never propagates beyond your LAN.

outside malware could be written to target devices with IPs 10.15.20.x.
No, outside malware can't in this case, but inside malware can. 10.15.20.x/24 is the NAT'd IP range. This means that, outside your LAN, anything addressed to 10.15.20.0/24 will NOT be able to reach any of your LAN devices. Because, in order for a packet to reach your LAN device, it first needs to reach your router, meaning that the packet's destination address has to be your router's WAN IP when it was sent to the internet to be routed to your router. That's also why the modification I mentioned above is necessary.
 

ColinTaylor

Part of the Furniture
The previous answer was correct. The IP address of the DMZ device (and all other devices on your LAN) is not sent over the internet*** because all internal addresses are replaced with the WAN address of the router.

*** The internal address of a client may still be contained in other data sent over the internet, by your browser for example, but that's an entirely different subject.

Changing your router's IP address range is not going to give any extra security. Any malware that gets onto your LAN can immediately detect what IP address range you are using and the address of the router. The malware authors don't need to deploy state-level surveillance and interception techniques.
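The NAT walk-through in the two posts above (source rewrite on the way out, destination rewrite on the way in, and unsolicited traffic to the WAN IP handed to the DMZ host) can be modelled in a few dozen lines. This is an added example written for this thread, not code from the forum or from Asus firmware, and it simplifies real conntrack considerably. Assumed, constructed values: LAN 10.15.20.0/24 (from the thread), router WAN IP 203.0.113.7 and a WAN-side peer 198.51.100.9 (both from the IETF documentation ranges), DMZ host 10.15.20.50, a second LAN PC 10.15.20.20, and translated source ports allocated from 40000 upward. The Packet class, NatRouter and wan_observer_sees are all hypothetical names for this illustration.

```python
"""Toy model of the source/destination NAT a home router applies for a DMZ host.

Added example, not the forum's or Asus's code. All addresses are constructed:
LAN 10.15.20.0/24, router WAN IP 203.0.113.7, WAN peer 198.51.100.9,
DMZ host 10.15.20.50, another LAN PC 10.15.20.20.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class NatRouter:
    def __init__(self, lan, wan_ip, dmz_host):
        self.lan = ipaddress.ip_network(lan)
        self.wan_ip = wan_ip
        self.dmz_host = dmz_host
        # conntrack: (peer_ip, peer_port, translated_sport) -> (lan_ip, lan_port)
        self.conntrack = {}
        self._next_port = 40000  # assumed starting point for translated ports

    def outbound(self, pkt):
        """LAN -> WAN: replace the private source address with the WAN IP."""
        if ipaddress.ip_address(pkt.src) not in self.lan:
            return None  # not from our LAN; ignore
        if ipaddress.ip_address(pkt.dst) in self.lan:
            return None  # LAN-to-LAN traffic never crosses the WAN port
        nat_port = self._next_port
        self._next_port += 1
        # Remember the mapping so the reply can be routed back to the right host.
        self.conntrack[(pkt.dst, pkt.dport, nat_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.wan_ip, sport=nat_port)

    def inbound(self, pkt):
        """WAN -> LAN: reverse a known mapping; otherwise hand it to the DMZ host."""
        if pkt.dst != self.wan_ip:
            return None  # a private destination is unroutable from the internet
        key = (pkt.src, pkt.sport, pkt.dport)
        if key in self.conntrack:
            lan_ip, lan_port = self.conntrack[key]
            return replace(pkt, dst=lan_ip, dport=lan_port)
        # Unsolicited traffic addressed to the WAN IP: the DMZ rule applies.
        return replace(pkt, dst=self.dmz_host)


def wan_observer_sees(router, lan_packets):
    """Source addresses visible to someone watching the WAN side of the router."""
    return {p.src for p in map(router.outbound, lan_packets) if p is not None}


if __name__ == "__main__":
    r = NatRouter("10.15.20.0/24", "203.0.113.7", "10.15.20.50")
    out = r.outbound(Packet("10.15.20.50", "198.51.100.9", 5555, 443))
    print("on the wire:", out)                       # src is 203.0.113.7
    print("reply:", r.inbound(Packet("198.51.100.9", "203.0.113.7", 443, out.sport)))
    print("unsolicited:", r.inbound(Packet("198.51.100.9", "203.0.113.7", 1234, 80)))
    print("direct to LAN IP:", r.inbound(Packet("198.51.100.9", "10.15.20.50", 1234, 80)))
```

Whatever private range the LAN uses, wan_observer_sees returns only the WAN IP, which is the point made above: the LAN numbering is invisible from outside, while anything already on the LAN learns the range and gateway from its own DHCP lease. The model also shows why a reply to the PC goes back to the PC rather than to the DMZ host: the conntrack entry created on the way out takes precedence over the DMZ catch-all.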
 
