Why are subnet-masks relevant for the individual computer on the network?

I understand how subnet-masks are used to divide a network into sub-networks, but why does every computer in the network need to know the subnet-mask and not just the router?

I could understand it if each computer were physically connected to each other with a wire, but all packets need to go through the router anyway.

Let's say that I have a computer on a network 192.168.0.0/255.255.255.0, which has the IP 192.168.0.1.

If that computer tries to reach a computer outside the sub-network, let's say 192.168.1.1, it transmits the message to the router; the router identifies that the IP is outside the sub-network IP range, and rather than transmitting it on the sub-network, it transmits it to the network it is connected to (perhaps another router).

Orpedo

Posted 2017-03-22T09:51:51.507

31Computers do not need to go through a router in order to form a network. – Overmind – 2017-03-22T12:26:26.140

1@Overmind: True, but they can. Netmasks are indeed not strictly necessary; they're an optimization to ease the work for the router. – MSalters – 2017-03-23T15:41:35.973

3if each computer were physically connected to each other with a wire - you have to remember that tcp/ip was invented at a time where this is indeed the case. Google 10-base-2. There are other protocols that work differently from tcp/ip but over the last 20 years IPv4 won the protocol battle. – slebetman – 2017-03-24T02:08:30.030

You seem to have a misunderstanding of how computer networks work. I suggest you watch this video: https://www.youtube.com/watch?v=6i777lddg8s – InterLinked – 2017-03-29T02:21:08.013

@InterLinked with a narrator with such a creepy voice? never. – devoured elysium – 2019-06-10T01:34:32.770

You can look up a token ring, where all computers are connected in a circle. Then, they would need to know the subnet mask/CIDR. Also, networks can use switches instead, and all network traffic does not go through the gateway. – jonnyjandles – 2020-02-10T23:56:18.957

Answers

79

Your original assumptions are not entirely correct. What you call a "router" is two devices in one – a two-port router internally connected to a multiple-port Ethernet switch. (Here's an example diagram.)

This means that the computers are directly connected at layer 2, and can send packets to each other without going through the router core – they're simply relayed between ports by the switch chip. (The router has its own "port" in the switch.)

So if you look at the packets using Wireshark, you'll see that they directly use each other's MAC addresses, while "outside" packets always have the router's MAC as the destination.

(I'm assuming you're​ talking about the typical "wireless routers" found in most homes, which are the usual cause of this kind of question. A bigger network would have a separate router with one port per subnet, and a few separate switches (perhaps a master one plus one per floor/room), and several dozens of computers connected to those switches.)

It's roughly the same with Wi-Fi networks, except "switch" is replaced with "wireless bridge" aka "access point". In both cases, connected computers can send packets directly to each other at layer 2, without going through the router.


Comments:

When I stated router, I did actually mean switch. My mistake. My point being that each computer in a subnetwork is not connected to each other, but rather to a switch, which then can pass on packages to the correct destination. An Ethernet frame does not contain the subnet-mask, as the switch already has this knowledge, and hence does not need it to do the correct switching.

That's again incorrect. Switches do not have this knowledge; their switching core works at layer 2 and does not know anything about IP – it forwards Ethernet frames purely based on the 'destination MAC address' field.

Therefore, hosts need the subnet mask to figure out what MAC address to use as the destination:

  • If the peer is within the same subnet, it's assumed to be on-link by definition – so the Ethernet frame will have peer's MAC as destination.

  • For peers outside the subnet, the Ethernet frame will have the gateway's MAC as destination.

(This applies to the default configuration. Some special-snowflake networks alter this – e.g. most operating systems allow adding extra "on-link" routes for additional subnets; conversely, some switches may be configured to spoof ARP responses such that even "on-link" traffic is forced through the gateway.)

user1686

Posted 2017-03-22T09:51:51.507

Thanks, while the linked diagram wasn't clear to me, your explanation made sense and I learned something new. – Sir Adelaide – 2017-03-22T11:04:53.303

When I stated router, I did actually mean switch. My mistake.

My point being that each computer in a subnetwork is not connected to each other, but rather to a switch, which then can pass on packages to the correct destination. An Ethernet frame does not contain the subnet-mask, as the switch already has this knowledge, and hence does not need it to do the correct switching. But why is the subnet-mask then given for the computer/device, when it does not need it for anything? – Orpedo – 2017-03-22T13:45:26.193

8When a packet is sent to an IP address that is not in the ARP cache, the subnet mask is used to decide whether to: 1. send an ARP request for the destination IP address, and use the result as the destination MAC address for the original packet; or 2. use the router's MAC address as the destination MAC address for the original packet. – None – 2017-03-22T14:03:48.830

7@Orpedo: Switches don't speak IP and do not know anything about subnet structure; they rely entirely on the destination MAC field. Therefore, the subnet mask is needed to figure out what MAC address (i.e. which recipient host's) to put on the Ethernet frame in the first place. – user1686 – 2017-03-22T14:21:01.517

3@Orpedo Switches are "Ethernet routers". They use Ethernet addresses (MAC addresses) to figure out where to send Ethernet packets. As opposed to IP routers which use IP addresses to figure out where to send IP packets. – user253751 – 2017-03-22T20:11:14.417

@user20574 that was a good illustration :) – Orpedo – 2017-03-24T08:49:18.903

1@Orpedo for historical reasons we typically run IP over Ethernet, so the Ethernet packet's payload is an IP packet, and the Ethernet packet's destination address is the Ethernet address of the next IP router. It goes further up, too. If you run Tor over IP then the IP packet's payload is a Tor packet* and the IP packet's destination address of the next Tor router. (*for the analogy to work you have to count TCP and Tor together) – user253751 – 2017-03-24T09:06:32.497

32

How does a computer know if a destination address is in the same subnet or in another?

By checking the local address and the subnet mask.

Let's check a couple examples:

If my computer has the IP 192.168.0.1 and the mask is 255.0.0.0, it means that any address from 192.0.0.0 to 192.255.255.255 is in the same subnet. The packets to all those other computers don't need to go through the router; they can be sent directly. Send an ARP packet to get the MAC address of the destination computer and then send the packet.

But, if my computer has the IP 192.168.0.1 and the mask is 255.255.255.128, then the computers in the same subnet are from IP address 192.168.0.0 to 192.168.0.127 only. They can be reached directly (send ARP, find MAC address, etc.). Any other address, for example 192.168.0.200, must be reached passing through the router.

jcbermu

Posted 2017-03-22T09:51:51.507

1But why does it need to know whether it's in the same subnet? That's the actual question here. – user1686 – 2017-03-23T05:27:07.267

3If the destination is in the same subnet the computer will send the packet directly, otherwise it will send it to the router. That's all!!!! – jcbermu – 2017-03-23T08:42:53.967

@jcbermu But his question was based on the idea that for most home networks, packets are anyway indeed going to pass through the router anyway -- both when they need to be sent outside and when they need to be redirected to any other subnet-local devices. – devoured elysium – 2019-06-11T08:18:33.683

12

Something non-obvious about IP is that every IP device is itself a router.

This can be seen on a normal PC with the command "route print". You are connected to two networks: your local Ethernet or wifi segment, and the localhost network. Every packet needs to be subject to a decision as to which network to put it on.

This becomes more apparent if you put your computer on two networks, say a "public" and "private" one. Now you definitely need the subnet mask in order to decide which network to send the packet on.

Many people will accidentally discover that a PC with a single network connection may work with a wrongly configured subnet mask: they just end up sending everything to the gateway.

pjc50

Posted 2017-03-22T09:51:51.507

1I think his point is that it's not necessary for every device to be a router. All the non-router devices could just send everything to the router, and it will forward it to the target, even if it's on the same network as the sender. – Barmar – 2017-03-24T17:37:53.337

@Barmar could you please quote who and what you are replying to otherwise your comment makes no sense if e.g. they delete their comment, which may have happened in your case. What you wrote there may be interesting if seeing the context, can you provide the context barmar. – barlop – 2017-03-25T10:05:20.277

@barlop I'm referring to the original question, not replying to a comment. – Barmar – 2017-03-25T10:07:47.007

Very interesting point in this answer.. but I'd note that Linux machines have a setting called something along the lines of iprouting, and it's often by default off. And when it's off, what it means is that any packets that computer receives from another computer don't get routed or forwarded on to anywhere. And also many wouldn't consider a device to be a router if it can't or won't receive packets from another computer and forward them on. Even if (as we see in Windows and Linux) it has a routing table. – barlop – 2017-03-25T10:08:42.697

1@Barmar oh, well if that's the point or question you think hasn't been addressed - .. the answer is that having a hierarchy - switch, router - lessens the load on the router. But the questioner was confused by the incorrect thought that all packets go to the router anyway, and that was at the root of the question. – barlop – 2017-03-25T14:10:40.877

@barlop That's essentially the answer I posted myself. – Barmar – 2017-03-25T14:15:27.907

1"iprouting" setting: you can turn off forwarding but you need to have a routing table to know which interface to use for outgoing packets, even if the options are only "lo" and "eth0". Re "send everything to router": the advantages of not doing that are clearer with shared layer2 networks but nobody uses 10base2 any more. – pjc50 – 2017-03-25T19:13:31.630

1@Barmar: "All the non-router devices could just send everything to the router, and it will forward it to the target, even if it's on the same network as the sender." No. Wrong. It doesn't work that way. In theory, it could. In practice, it doesn't. Routers may try to optimize their resources by simply ignoring traffic that goes to the same subnet as where the traffic may come from. Since that is actually how (at least some) routers work, other devices must be complex enough to know that sending traffic to a router would be a waste of time, or else those other devices won't communicate right – TOOGAM – 2017-03-25T21:10:57.377

@TOOGAM My comment was meant to be in theory, not actual practice. This whole question is about why TCP/IP is designed as it is, so I was talking about how the original designers could have done otherwise. – Barmar – 2017-03-27T14:48:29.667

@TOOGAM Have you read my answer, not just my comments? I think I make essentially the same points there. – Barmar – 2017-03-27T14:51:27.757

@TOOGAM: In practice, it does sometimes work this way. – user1686 – 2017-03-29T04:48:19.463

7

I see this mentioned in some of the other answers here but I think it could be clearer: On computers with multiple network interfaces, the subnet mask may be used to automatically determine which physical interface to send IP traffic on based on the destination IP address.

If you're sending a packet to a device on a LAN connected to one of the interfaces, in order to know which interface to send it on (if you haven't configured a route explicitly), the computer can check the interfaces to see if subnet_mask & destination_ip == subnet_mask & interface_ip (by & I mean bitwise-and and by == I mean to assert equality), and if there's a match, choose that interface.

That way if you've got e.g.:

  • Interface A with 192.168.1.42/24
  • Interface B with 10.0.0.15/24
  • Interface C with 192.168.2.97/24

And you send a packet to 192.168.2.123 and don't have a route set up, it can be determined that interface C should be used because 255.255.255.0 & 192.168.2.123 == 255.255.255.0 & 192.168.2.97.

This wouldn't be possible if the subnet mask wasn't known, and so you'd have to have a route set up for every single IP address you sent data to.

Jason C

Posted 2017-03-22T09:51:51.507

6

TCP/IP could have been designed as you suggest -- leaf nodes would send everything to the router, and it would forward it to the target, which might be on the same subnet as the sender.

But this would not be optimal design, for two reasons:

  1. It uses more bandwidth: Every packet between devices on the same subnet has to be transmitted twice: once from the sender to the router, and again from the router to the receiver. On networks where the router is also the network switch, this actually isn't any extra bandwidth, since it was going to go through the switch anyway. But not all network technologies work like that. The original Ethernet design was a bus technology, with no central switch or repeater.

  2. It puts more load on the router. Even if the router is also the switch, it's a little more work because it has to go up to the Layer 3 routing implementation, rather than the simpler Layer 2 switching.

A general philosophy embodying the design of TCP/IP is that end nodes are intelligent devices, so they're assumed to be able to do some of the work. They don't have to know the full network topology like backbone routers do, but they know enough about the local environment to take on some of the initial local-vs-remote routing task. It doesn't take much code to implement this simple initial routing.

Furthermore, non-router devices are not necessarily on just one subnet. You can easily have multiple network cards in a PC -- many have both Ethernet and WiFi. And each of those can be connected to a different subnet, and addresses plus subnet masks are used to determine which network card to use. If you run virtual machines, there's likely to be a virtual subnet connecting them to the host system.

Barmar

Posted 2017-03-22T09:51:51.507

Meanwhile, I think ATM networks were designed this way (probably as a result of being circuit-oriented) – there was no broadcast and no distinction between routers and switches; tree/star topology all the way. – user1686 – 2017-03-26T19:17:13.523

@grawity Indeed, in the 70's and 80's there was a big difference in philosophy between the telcos and academics when designing their networks. Telcos were used to smart networks with dumb end nodes (e.g. telephones), and they designed their networks with circuit switching managed by the core. – Barmar – 2017-03-27T15:01:19.463

5

If we look at a routing table (this happens to be my desktop machine):

ip route

default via 172.20.25.1 dev eth1 
172.20.25.0/24 dev eth1 proto kernel scope link src 172.20.25.33 
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1

route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.20.25.1     0.0.0.0         UG    0      0        0 eth1
172.20.25.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

Either view conveys the same information. The subnet masks indicate which hosts are directly reachable on that network, and other hosts are found using a gateway. In particular, we have to know that the gateway is reachable, otherwise we couldn't send packets for it to forward.

You could, in principle, send everything via your gateway host. That would look like

default via 172.20.25.1 dev eth1 
172.20.25.1 dev eth1 proto kernel scope link src 172.20.25.33 

or

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.20.25.1     0.0.0.0         UG    0      0        0 eth1
172.20.25.1     0.0.0.0         255.255.255.255 U     0      0      

I've not tried that, but it can be used for MAC-Forced Forwarding.

Toby Speight

Posted 2017-03-22T09:51:51.507

The latter method is sometimes used deliberately; see MAC forced forwarding. – user1686 – 2017-03-22T17:37:52.297
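The decision described in several answers above (user1686's on-link vs. gateway MAC choice, jcbermu's and Jason C's mask arithmetic, and the two routing tables in the answer just above) is the same longest-prefix lookup. The following is an added example, not code from the page or from any of its authors: it parses the `ip route` lines quoted above into a table and returns, for a destination, the interface to use and the address the host must ARP for (the peer itself when on-link, the gateway otherwise). Interface names A/B/C and the sample destinations are assumed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network                # destination network; default is 0.0.0.0/0
    dev: str                                     # outgoing interface
    via: Optional[ipaddress.IPv4Address] = None  # gateway address; None means on-link


def parse_ip_route(text: str) -> list:
    """Parse the subset of `ip route` output used in the answer above."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        dst = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        if "/" not in dst:
            dst += "/32"  # `ip route` prints host routes without a prefix length
        via = ipaddress.IPv4Address(tok[tok.index("via") + 1]) if "via" in tok else None
        routes.append(Route(ipaddress.IPv4Network(dst), tok[tok.index("dev") + 1], via))
    return routes


def connected_route(ip: str, mask: str, dev: str) -> Route:
    """The on-link route a host derives from an interface address and its mask
    (what `ip route` lists as `proto kernel scope link`)."""
    return Route(ipaddress.IPv4Interface(f"{ip}/{mask}").network, dev)


def default_route(gateway: str, dev: str) -> Route:
    """A `default via <gateway> dev <dev>` entry."""
    return Route(ipaddress.IPv4Network("0.0.0.0/0"), dev, ipaddress.IPv4Address(gateway))


def lookup(routes, dst: str) -> Optional[Route]:
    """Longest-prefix match over the table, as the kernel does it."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def next_hop(routes, dst: str) -> tuple:
    """Return (interface, address to ARP for).

    An on-link destination is ARPed for directly, so the frame carries the
    peer's MAC; anything else is handed to the gateway, so the frame carries
    the gateway's MAC.  The gateway must itself be on-link via the same
    interface, otherwise there is no way to deliver a frame to it."""
    r = lookup(routes, dst)
    if r is None:
        raise ValueError(f"no route to {dst}")
    if r.via is None:
        return r.dev, dst
    g = lookup(routes, str(r.via))
    if g is None or g.via is not None or g.dev != r.dev:
        raise ValueError(f"gateway {r.via} is not on-link via {r.dev}")
    return r.dev, str(r.via)


# Copied from the `ip route` listing in the answer above.
DESKTOP = parse_ip_route("""
default via 172.20.25.1 dev eth1
172.20.25.0/24 dev eth1 proto kernel scope link src 172.20.25.33
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
""")

# The "send everything via the gateway" variant: only a /32 host route to the
# gateway is on-link, so even 172.20.25.0/24 neighbours are reached through it.
GATEWAY_ONLY = parse_ip_route("""
default via 172.20.25.1 dev eth1
172.20.25.1 dev eth1 proto kernel scope link src 172.20.25.33
""")

# Jason C's three interfaces, expressed as connected routes (names assumed).
THREE_NICS = [connected_route("192.168.1.42", "255.255.255.0", "A"),
              connected_route("10.0.0.15", "255.255.255.0", "B"),
              connected_route("192.168.2.97", "255.255.255.0", "C")]

if __name__ == "__main__":
    print(next_hop(DESKTOP, "192.168.0.50"))       # on-link: ('eth0', '192.168.0.50')
    print(next_hop(DESKTOP, "8.8.8.8"))            # via gateway: ('eth1', '172.20.25.1')
    print(next_hop(GATEWAY_ONLY, "172.20.25.40"))  # forced through gateway: ('eth1', '172.20.25.1')
    print(next_hop(THREE_NICS, "192.168.2.123"))   # interface chosen by mask: ('C', '192.168.2.123')
```

With jcbermu's two masks on the same host address, the same peer 192.168.0.200 comes out on-link under 255.0.0.0 and behind the gateway under 255.255.255.128.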

2

Okay, so I understand how subnet-masks are used to divide a network into sub-networks, but my question is, why does every computer in the network need to know the subnet-mask and not just the router?

Well, the devices people refer to as routers are usually not just routers.. hence people sometimes use terms like NAPT Router, or Home Router, or Consumer Router, to suggest that it's not purely a router. To make the point that they're not just routers: these devices can do NAPT (which isn't routing), and they have a switch built in (a switch does bridging, which isn't routing - the distinctions between a switch and a bridge are not so well defined - one may say a bridge would often have 2 ports and connect different network mediums (e.g. Ethernet and non-Ethernet), whereas a switch would have multiple ports and the same network medium). A switch does bridging.

If the switch were separated from the "router", then indeed, it'd be more clear.. When the IP address is on the same network, then the packet goes down the cable to what is next physically, which is the switch, and is ultimately destined to some other computer on the network (unless it was a managed switch and you were connecting to the switch, e.g. telnet or http, and the switch had its own IP), and since the packet is not destined for another network, the packet won't reach the router. When it's destined for a computer on a different network, then it of course still goes to the switch, but then continues after that to the router (the switch directed the packet to the router, and the destination MAC address of the packet coming in to the switch would've been the MAC address of the router), and the router would route it out of the correct interface of the router.

With these things typically called routers, that have switches inside them (like, not the professional style cisco/juniper routers), then the switch is inside.. But that's just the location of the switch.. It's still that when the IP is on the same network then the packet is addressed to the switch not to the router. And it goes only to the switch inside the router and doesn't reach the router.

I could understand it, if each computer were physically connected to each other with a wire,

What do you mean here.. If all computers on an entire network were physically connected with a wire.. then I guess you wouldn't need a switch or router. What you're describing sounds a bit like original Ethernet.. and if they're all connected with a wire it would likely not be such a big network. And anyhow it won't be a wire like you are used to. It'd have computers connected along the way to it with "taps". So I don't know why you just threw that sentence in.

but all packets needs to go through the router anyway.

So you mean, putting aside that idea of all computers connected with a wire with no router.

And no, even in your home set up, they don't go through the router every time. Even with your "home router" , call it an internet box. They go to the switch in it.

Let's say that I have a computer on a network 192.168.0.0/255.255.255.0, which has the IP 192.168.0.1.

If that computer tries to reach a computer outside the sub-network, let's say 192.168.1.1, it transmits the message to the router,

To the switch, then from the switch it goes to the router.

the router identifies that the IP is outside the sub-network IP-range, and rather than transmitting it on the sub-network, it transmits it to the network it is connected to (perhaps another router).

Well, the router identifies what network interface it's for. It sends from one interface to another interface. One distinction - besides which interface - would be whether a network is directly connected or not. It could send on to a switch then to a computer. Or it could send to a computer. Or if the network isn't directly connected it'd go to another router.

and your last sentence was

it transmits the message to the router,

and then what, did you suddenly decide to stop writing?

the router identifies that the IP is outside the sub-network IP-range, and rather than transmitting it on the sub-network, it transmits it to the network it is connected to (perhaps another router).

Well, I wouldn't put it like that. Each interface on the router has a different IP range.

But, with your consumer router or home router, what happens is it's like a router with two interfaces, one your side has a switch connected to it. And the multiple ports are ports of the switch.

So if you think in terms of the router part, it's not like oh this is inside the subnetwork and this is outside, 'cos there's potentially many networks. There's one on each interface. And the router is not going to be transmitting it back to the same network it came from. The reason why it reached the router in the first place is precisely because the switch (which it reached first), saw the MAC address and so saw that that's not the MAC address of the router.

The computer that sent the packet out, will check whether the destination IP of the packet is on its own network, or the same network, and will then based on that, choose the relevant MAC address. Either the MAC address of the computer it's destined to (that's if the computer is on the same network). Or (if the computer is on another interface of the router), then it'll be the MAC address of the router. I guess that might answer the title of your question quite directly, as to why the computer would need to know the subnet mask.. In the TCP/IP system as it is.. that's how it works, the computer picks the relevant layer 2 address e.g. for ethernet, the MAC address.

barlop

Posted 2017-03-22T09:51:51.507

1Rather condescending answer, but okay. If you think that was my last sentence, your browser is not loading the entire page. – Orpedo – 2017-03-22T13:37:27.807

@Orpedo ok I didn't notice that. i've removed that line asking if you stopped writing, and i've included and replied to the rest of that paragraph. That was actually quite a key paragraph funnily enough 'cos the answer to it addresses the subject of your question. – barlop – 2017-03-22T16:50:42.610

Re: switch vs bridge. Switch is typically used for transparent bridges, ie bridges that have a database (Forwarding Information Base IIRC) that relate MACs and ports, and fill the FIB by learning the MACs from the source MAC in ethernet frames. As opposed to other kinds of bridges, e.g. proxy-ARP bridges. Another meaning of switch is more generic, it can mean a device at any layer, e.g. an L7-switch routes connections based on application-level metadata, a router could also be called an L3-switch,... </lexicographic rant> – ninjalj – 2017-03-23T11:08:54.433

Re: a router not transmitting something to the same network it came from: indeed it can, and it will also transmit an ICMP-redirect telling the origin: "hey, the target is in your network, you can communicate with it directly". – ninjalj – 2017-03-23T11:15:58.587

@ninjalj I suppose if you have a hub connected to the router, then the router will receive a packet destined for the network that it came from.. But if you have a switch (I guess people rarely have hubs now apart from for diagnostic purposes).. then the switch won't be sending a packet to the router if the packet is destined to come back through that switch to the network that it originated from. And the boxes that combine routers and switches of course by definition, have a switch. There are no boxes that combine router and hub. – barlop – 2017-03-23T12:58:14.550

"When the IP address is on the same network, then the packet is directed to the switch" (and similar statements) - this is not the case. The packet is never "directed to the switch". Packets are directed to a MAC. The sender does not care (nor, probably, even know) whether there is a switch on the other side of the cable; it might well be a direct connection to the receiver with a single ethernet cable, and it would not change anything regarding this point. – AnoE – 2017-03-23T13:01:59.927

@AnoE good point, I had in mind not hitting the router, but I shouldn't have said directed to the switch 'cos yeah it'll hit the switch anyway, i'll correct now. – barlop – 2017-03-23T13:18:11.360

@AnoE good point, I had in mind not hitting the router, but I shouldn't have said directed to the switch 'cos yeah it'll hit the switch anyway, i'll correct now.. BTW, when it comes to switch directing packets, I wouldn't say packets are directed to a MAC (address), they're directed to the device with the MAC address.. yeah it's obvious but in case somebody has no clue then it's worth getting the terminology 100% correct. – barlop – 2017-03-23T13:29:38.260

Yes, the nomenclature is very confusing for your average joe these days because vendors keep calling their "switch + WLAN bridge + pseudo-router" thingamagicks just "router" these days. :D – AnoE – 2017-03-23T13:39:53.813

@barlop: a typical case when a router may receive a frame destined for the same network it receives that frame from, is when the subnet mask is not correctly configured in the sending host, which I would think would be relevant to this question. – ninjalj – 2017-03-23T18:00:18.427

1

But why is the subnet-mask then given for the computer/device, when it does not need it for anything? – Orpedo Mar 22 at 13:45

The computer/device does use the subnet mask in order to calculate the IP broadcast address.

IP interfaces not in promiscuous mode are configured to respond to the IP broadcast address as well as their own IP address.

Joe Inwap

Posted 2017-03-22T09:51:51.507

Already marked an answer, but this was actually quite a short and helpful answer. – Orpedo – 2017-03-29T09:11:00.970

1I believe that this is almost totally wrong. Network interfaces don't know anything about IP; they respond to (and automatically apply) MAC addresses. That's why we have ARP: so, if I know the IP address of a machine on my local network, I can learn its MAC address and use that to communicate to the machine. Well, there's a broadcast MAC address, which is used in all broadcasts. The broadcast IP address exists just for uniformity. – G-Man Says 'Reinstate Monica' – 2017-04-15T21:29:29.980

-1

Created an account just to answer this, as I think others are over complicating the role of a subnet mask.

The subnet mask determines what other machines on a network a host will communicate with. If a host lies outside my subnet, then I will try to talk to that machine via my gateway. If that host is within my subnet, then I will talk to that host directly (no gateway needed). Additionally, if a machine outside of a host's subnet tries to talk to it, then those packets will fall on deaf ears and get immediately dropped.

Why is that relevant to you? Because if we didn't use netmasks, you trying to talk to Google's DNS server (8.8.8.8) would require you (and EVERY other host that talks to it) to know its physical address (MAC address). This would result in your computer and all others needing to create an ARP entry for every internet machine that you talk to. It would waste your RAM and slow down all networking as the physical address of machines gets passed much further than needed.

Szeraax

Posted 2017-03-22T09:51:51.507

I previously mentioned what would happen if we didn't use networks and gateways when I meant what would happen if we didn't use netmasks. If we didn't use Gateways and networks.... the internet would be a giant flat network and in order to talk to google's DNS server, you would have to broadcast the packet across the entire internet and see if Google responded. The internet would immediately break with everyone doing that kind of broadcast traffic. – Szeraax – 2017-03-24T18:37:06.433

1There are two modes of working without subnet masks – either the host tries to access everything at L2 directly, or uses the L3 gateway for everything. You're assuming the former would be the only option, but that's not true – the original question and all other answers are more about the latter mode, which is even used in practice in some networks. – user1686 – 2017-03-25T21:46:58.910