Public/Private IP addresses

Solution 1:

First, understand that any idea of network classes lost its relevance sometime in the mid-1990s. Protocols where classes were significant have versions that accept subnet masks as additional parameters and do not care about what class an IP address is in.

There are three ranges of private IP addresses, and one for each class, but the class doesn't have any meaning anymore, unless you are using an ancient protocol that doesn't let you specify a subnet mask with IP addresses. What does have meaning is the subnet associated with each "class":

RFC1918 name    IP address range                subnet mask
24-bit block    10.0.0.0 - 10.255.255.255       /8  or 255.0.0.0
20-bit block    172.16.0.0 - 172.31.255.255     /12 or 255.240.0.0
16-bit block    192.168.0.0 - 192.168.255.255   /16 or 255.255.0.0

If your company is really distributing private addresses to customers (this is called Carrier Grade NAT), then you are stuck with what your ISP provides as far as the interface where your computer or network connects to the ISP.

Second, your router has two interfaces. One faces the ISP and receives an IP from your ISP's DHCP server. The other faces your network, and what you do with it is completely up to you. Now, if you are going to reuse any addresses your ISP is using, then you will have to juggle some complex NAT rules. A consumer-level router may not support such complex NAT rules - a Linux PC with iptables can do it, but it's difficult to set up.

So, it is possible, but usually a lot easier to just select a range your ISP is not using. It doesn't matter which one. 10.0.0.0/8 is typically what businesses choose by convention, but it is just a convention.

Now, with the right NAT setup, you could pick any IP range out of thin air and use it on your home network. However, if your configuration has an error, traffic destined for your home network may go to external hosts instead. The above "private" IP ranges are agreed to be "non-routable" - if they happen to make it to your ISP, your ISP is supposed to drop them, with carrier-grade NAT being an exception of course. So if you use a private IP range that your ISP is not using, it protects you from a consequence of accidental misconfiguration.

Solution 2:

Think of the private/public IP thing like a set of concentric/nested circles (circles inside one another).

Assume that, for the purposes of this analogy, every circle has exactly 365 possible angles that can be made between a straight line drawn across the radius of the circle and another line. So this is similar to the IP space, except for the number of available IPs vs. the number of available angles.

The outermost circle is the public IP space, which means that anybody connected to IPv4 can reach these IPs, and this IP is the same everywhere, no matter what. When any computer anywhere tries to access an IP on the public IP space, it will get routed to the same physical and logical computer on the public Internet.

However, within the outer circle there are a few "holes" in the circle. These holes are IP addresses which may not be assigned, ever, to the public IP address space. These holes are what are known as the private subnets.

Now, in our diagram, you have the public IP address space with a little hole in it, let's call this hole the "10.0.0.0/8" space. You mentioned CIDR in your question so I assume you know what that is.

Think of each successive inner circle as a NAT or private LAN (same concept). Each of these inner circles can declare that it is on any subnet it wants, but it will only be a valid network configuration if it's on a designated private subnet, like 192.168.1.0/24 or 10.10.0.0/16 (these are just two examples).

There are a few rules about these nested levels that generally apply:

  • It is an error for an inner circle to declare that its private subnet contains IP addresses which were already declared as part of the subnet of an outer circle. For example, if a first-level NAT declares that it wants 10.10.0.0/16, and a second-level NAT tries to claim 10.10.6.0/24, there will be a problem.

  • Except for the gateway (the host that is a member of both the outer and inner NAT), a host that is assigned an IP address within a given subnet cannot reach hosts within any inner subnets unless explicit routing rules are set up (e.g., port forwarding). For example, if the first-layer NAT is on 192.168.1.0/24, the first-layer gateway is 192.168.1.1, and a host, 192.168.1.2, creates a private subnet 192.168.2.0/24 and assigns itself 192.168.2.1, a host on 192.168.1.0/24 will not normally be able to access anything within 192.168.2.0/24 -- again, unless explicit configuration in the software provides rules for when and how to do the routing.
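As an added example (not code from either answer), here is a small Python check that puts both answers' rules together: it classifies an address against the RFC1918 table from Solution 1, and validates a planned stack of nested NAT subnets against the no-overlap rule from Solution 2 and the "must be a designated private subnet" rule. The function names and the sample subnet plans are my own constructions; it uses only the standard library.

```python
import ipaddress

# The three RFC1918 blocks from the table in Solution 1 (IPv4 only).
RFC1918_BLOCKS = {
    "24-bit block": ipaddress.IPv4Network("10.0.0.0/8"),
    "20-bit block": ipaddress.IPv4Network("172.16.0.0/12"),
    "16-bit block": ipaddress.IPv4Network("192.168.0.0/16"),
}


def rfc1918_block(addr):
    """Return the name of the RFC1918 block containing addr, or None if the
    address lies outside all three private ranges (i.e. it is public, or in
    some other special-purpose range this check does not know about)."""
    ip = ipaddress.IPv4Address(addr)
    for name, block in RFC1918_BLOCKS.items():
        if ip in block:
            return name
    return None


def check_nested_nat(layers):
    """layers: subnet strings, outermost first (ISP side first, innermost LAN
    last), e.g. ["192.168.1.0/24", "192.168.2.0/24"].
    Returns a list of problem descriptions; an empty list means the plan is
    consistent with both rules: every layer sits inside an RFC1918 block, and
    no inner layer overlaps any layer outside it (the rule in Solution 2)."""
    nets = [ipaddress.IPv4Network(s, strict=True) for s in layers]
    problems = []
    for i, net in enumerate(nets):
        if not any(net.subnet_of(block) for block in RFC1918_BLOCKS.values()):
            problems.append(f"layer {i}: {net} is not inside any RFC1918 block")
        for j in range(i):  # compare only against outer layers
            if net.overlaps(nets[j]):
                problems.append(f"layer {i}: {net} overlaps outer layer {j} ({nets[j]})")
    return problems


if __name__ == "__main__":
    # Constructed sample plans: the good and bad cases from Solution 2's bullets.
    for plan in (["192.168.1.0/24", "192.168.2.0/24"],   # clean
                 ["10.10.0.0/16", "10.10.6.0/24"],       # inner overlaps outer
                 ["203.0.113.0/24"]):                    # not a private block
        print(plan, "->", check_nested_nat(plan) or "OK")
```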