My home network uses a 192.168.1.0/24 subnet, and when I ping 192.168.1.137 I get a response saying the host is unavailable (as expected, because I don't have any machines using that address).

However, when I ping 10.10.10.140 it:
- gets a response, and
- goes on forever.

I thought 10.0.0.0/8 was all reserved addresses and that any sort of traffic going to those addresses was dropped. What am I pinging when I ping 10.10.10.140? Is it IANA servers?
Running traceroute (tracert on Windows) to 10.10.10.140 might fill in some of the details. – Gordon Davisson – 2019-09-30T05:54:23.533

It could even be another consumer's address (behind the same CGN)! They really should be firewalling that, but a lot of ISPs are amazingly incompetent. – Kevin – 2019-09-30T17:21:13.967
@Kevin Uhh, why should they firewall one customer from another just because they're both behind CGNAT now? If you can talk to other ISPs' customers, you should be able to talk to the same ISP's customers. – user1686 – 2019-10-01T03:54:47.007

@grawity - When you talk to other ISPs' customers, it goes through a firewall so that if you're trying Evil Stuff™ with your IP packets, the firewall should block those packets. (The definition of Evil Stuff™ is, of course, situation-dependent). When you're talking to other customers of your ISP, you shouldn't get more access privileges: those conversations should go through a firewall as well. What Kevin seems to be implying is that many ISPs don't put a firewall between two customers behind the same CGN, so any Evil Stuff™ you might try on those connections would work. – rmunn – 2019-10-01T11:03:49.267

@rmunn: That's fine, but it shouldn't classify regular pings and TCP connections as Evil Stuff™. Even when customers get placed behind a CGNAT, they still have their own firewalls at home to block/allow regular inbound connections – the ISP should have no need to blanket forbid those. – user1686 – 2019-10-01T11:05:51.603

T-Mobile does exactly this. I have a laptop here connected using tethering on my T-Mobile phone. Tracert to 8.8.8.8 shows my phone's LAN connection in the 192.168.0.0/16 block, but the next 8 hops above that are all in various /16's in the 10.0.0.0/8 block. – dgnuff – 2019-10-02T00:17:22.393

@rmunn The purpose of those firewalls is often not to protect their customers but to prevent them from having inconvenient coordination problems with other ISPs. In that case, it makes a lot of sense to filter traffic between your own customers more lightly than traffic you exchange with other ISPs. Also, it's often hard to filter all your customers from each other because they're all over the place. You meet peers at fewer points so it's easier to firewall there. – David Schwartz – 2019-10-02T03:45:05.827

You know it's interesting: I'm pretty sure when I went through the Network+ training back in 2009, it was 192.168.0.0/24, 172.16.0.0/16, and 10.0.0.0/8 for the Class C, B, and A networks. Did they expand it, or am I just remembering wrong? – duct_tape_coder – 2019-10-02T21:33:16.597

@duct_tape: No, the total ranges were always the same. But in the classful routing era, 192.168.0.0/16 was originally called "a block of 256 class-C networks", and each one of those networks was a /24 due to being class-C. (Same goes for 172.16.0.0/12 being a block of 16 consecutive class-B networks.) However, this system had already been some ten years obsolete when you took your training – and is even more obsolete now. So the range is still the same, but instead of calling it "256 consecutive /24s" it is now simply a /16 network, subnettable at any level. – user1686 – 2019-10-03T04:28:25.377

@duct_tape_coder See my answer at networkengineering.se for more about the history of the private network ranges. – Gordon Davisson – 2019-10-06T08:00:18.667
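The comments suggest running traceroute and note that the hops behind a CGN often sit in 10.0.0.0/8 or the 100.64.0.0/10 shared address space. The script below is an added illustration of that advice, not code from the question or any commenter: it parses tracert-style output and labels each hop with the special-use range it falls in (RFC 1918 private, RFC 6598 shared/CGNAT, loopback, link-local) or "public", so you can see where your packets leave private addressing. The traceroute output is constructed for the example; hop addresses and timings are made up.

```python
"""Annotate traceroute/tracert output with the address scope of each hop."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Special-use IPv4 ranges relevant to the question. An explicit table is used
# instead of ipaddress.is_private because that property does not cover the
# 100.64.0.0/10 shared address space used by carrier-grade NAT (RFC 6598).
SCOPES: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("10.0.0.0/8"), "private (RFC 1918)"),
    (ipaddress.ip_network("172.16.0.0/12"), "private (RFC 1918)"),
    (ipaddress.ip_network("192.168.0.0/16"), "private (RFC 1918)"),
    (ipaddress.ip_network("100.64.0.0/10"), "shared address space (RFC 6598, CGNAT)"),
    (ipaddress.ip_network("127.0.0.0/8"), "loopback"),
    (ipaddress.ip_network("169.254.0.0/16"), "link-local"),
]

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")            # "  3   48 ms  44 ms  46 ms  10.172.16.9"
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")  # first dotted quad on the line

Hop = Tuple[int, Optional[str], str]  # (hop number, address or None, scope label)


def classify(addr: str) -> str:
    """Return the scope label for a single IPv4 address."""
    ip = ipaddress.ip_address(addr)
    for net, label in SCOPES:
        if ip in net:
            return label
    return "public"


def parse_trace(text: str) -> List[Hop]:
    """Parse tracert/traceroute output; header and trailer lines are skipped."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # "Tracing route to ...", blank lines, "Trace complete."
        hop_no, rest = int(m.group(1)), m.group(2)
        ip_m = IPV4_RE.search(rest)
        if ip_m is None:
            hops.append((hop_no, None, "no reply"))  # "* * * Request timed out."
        else:
            hops.append((hop_no, ip_m.group(1), classify(ip_m.group(1))))
    return hops


def first_public_hop(hops: List[Hop]) -> Optional[int]:
    """Hop number at which the path first reaches a publicly routable address."""
    for hop_no, _addr, scope in hops:
        if scope == "public":
            return hop_no
    return None


def scope_counts(hops: List[Hop]) -> Dict[str, int]:
    """How many hops fall into each scope; useful for spotting CGN layers."""
    counts: Dict[str, int] = {}
    for _hop_no, _addr, scope in hops:
        counts[scope] = counts.get(scope, 0) + 1
    return counts


# Constructed sample: a tethered laptop, several ISP-internal hops, then the Internet.
SAMPLE_TRACERT = """\
Tracing route to 8.8.8.8 over a maximum of 30 hops

  1     2 ms     1 ms     1 ms  192.168.43.1
  2    45 ms    40 ms    41 ms  10.170.0.1
  3    48 ms    44 ms    46 ms  10.172.16.9
  4    50 ms    47 ms    49 ms  100.65.2.1
  5     *        *        *     Request timed out.
  6    55 ms    52 ms    54 ms  203.0.113.17
  7    60 ms    58 ms    59 ms  8.8.8.8

Trace complete.
"""

if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_TRACERT)
    for hop_no, addr, scope in parsed:
        print(f"{hop_no:>2}  {addr or '*':<16} {scope}")
    print("first public hop:", first_public_hop(parsed))
    print("scope counts:", scope_counts(parsed))
```

Run it against real `tracert 10.10.10.140` output (piped in or pasted into `SAMPLE_TRACERT`) and the labels show whether the replying address sits in your own 192.168.1.0/24, in the ISP's 10.0.0.0/8 or 100.64.0.0/10 infrastructure, or beyond. A 10.x address that answers but never appears past the first public hop is, as the comments say, something on the ISP's side of your router rather than an IANA server.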