Public/Private IP addresses

There is something I've always been mixed up about with IP addressing. When a company purchases internet access from an ISP and obtains their inside global IP address that they'll use for NAT (let's say they're just using PAT and only in need of 1 inside global address to make things easy), do your private IP address schemes have to stick within the class of network you purchased from your ISP? When purchasing internet access from your ISP, does it coincide with network classes?

I'm mixed up about the process itself, considering my public IP at home for instance is 24.x.x.x (which traditionally is a class A network 0-127 range), but at home obviously we all have class C networks, so I'm confused about the whole thing.

I notice most companies use a 172.16-31.0.0 private address scheme and subnet further from there, which is a class B private address scheme, but is this because they purchased a class B network? Or as a result of CIDR, there are no classes of networks to be purchased, the internet access is the only thing needing purchasing, you will then be given a public IP from your ISP, and the private scheme is left up to the company and Network Engineers to determine? Could a company purchase internet access from their ISP, for instance, then make the internal network 10.0.0.0 and subnet from there, giving themselves as many subnets and host IPs as they could ever use?

If you're totally confused by my questions by now, just to sum up, I want to know basically whether or not the public IP a company is administered from their ISP when they purchase internet access (inside global IP) has any influence on your private IP address scheme (for instance, having to use 172.16.0.0/16 as a starting point instead of being able to use anything I want because of your inside global address), and then subnetting from there. Any clarity on this would be greatly appreciated. I apologize for the enormous length of this post! Thanks everyone.

Mike

Posted 2013-03-27T20:28:52.017

Reputation: 21

Please edit the question to make reading easier. Remember, a blank line separates paragraphs. – Kruug – 2013-03-27T20:50:20.997

Classful addressing simply doesn't exist anymore in the Internet. It's dead and gone. The first nail in its coffin was VLSM. The last nail in its coffin was CIDR. Now it only exists on certification exams because there are some people who refuse to let it die. – David Schwartz – 2013-03-27T21:03:58.233

Answers

7

First, understand that any idea of network classes lost its relevance sometime in the mid-1990s. Protocols where classes were significant have versions that accept subnet masks as additional parameters and do not care about what class an IP address is in.

There are three ranges of private IP addresses, and one for each class, but the class doesn't have any meaning anymore, unless you are using an ancient protocol that doesn't let you specify a subnet mask with IP addresses. What does have meaning is the subnet associated with each "class":

RFC1918 name    IP address range                subnet mask     
24-bit block    10.0.0.0 - 10.255.255.255       /8  or 255.0.0.0
20-bit block    172.16.0.0 - 172.31.255.255     /12 or 255.240.0.0
16-bit block    192.168.0.0 - 192.168.255.255   /16 or 255.255.0.0

If your company is really distributing private addresses to customers (this is called Carrier Grade NAT), then you are stuck with what your ISP provides as far as the interface where your computer or network connects to the ISP.

Second, your router has two interfaces. One faces the ISP and receives an IP from your ISP's DHCP server. The other faces your network, and what you do with it is completely up to you. Now, if you are going to reuse any addresses your ISP is using, then you will have to juggle some complex NAT rules. A consumer-level router may not support such complex NAT rules; a Linux PC with iptables can do it, but it's difficult to set up.

So, it is possible, but usually a lot easier to just select a range your ISP is not using. It doesn't matter which one. 10.0.0.0/8 is typically what businesses choose by convention, but it is just a convention.

Now, with the right NAT setup, you could pick any IP range out of thin air and use it on your home network. However, if your configuration has an error, traffic destined for your home network may go to external hosts instead. The above "private" IP ranges are agreed to be "non-routable" - if they happen to make it to your ISP, your ISP is supposed to drop them. With carrier-grade NAT being an exception of course. So if you use a private IP range that your ISP is not using, it protects you from a consequence of accidental misconfiguration.

LawrenceC

Posted 2013-03-27T20:28:52.017

Reputation: 63 487

How to port forward when I'm behind a CGNAT? Without buying a static IP service or without buying a VPN with port forwarding capabilities? Can such a thing be done with complex iptable rules as you suggested? @LawrenceC – Shayan – 2019-08-13T14:08:37.027

No. If you are behind a CGNAT you have no other options. – LawrenceC – 2019-08-13T14:22:45.030

Should the last sentence say "that your ISP is not using"? – cpast – 2013-03-27T21:03:51.433

Indeed it should. Corrected. – LawrenceC – 2013-03-27T21:58:14.597
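An added example, not from the question or from LawrenceC's answer, that puts the answer's table and its "select a range your ISP is not using" advice into runnable Python. It classifies an address as RFC 1918 private, carrier-grade-NAT shared space, or public, and picks the first private prefix that does not overlap the subnet on the ISP-facing interface. The 100.64.0.0/10 block is the RFC 6598 range ISPs use for the carrier-grade NAT the answer mentions; it is not listed on this page. Every address in the calls is constructed for illustration.

```python
import ipaddress

# The three RFC 1918 blocks from the answer's table, plus the RFC 6598 "shared
# address space" that ISPs put on the customer side of a carrier-grade NAT.
RFC1918_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT_BLOCK = ipaddress.ip_network("100.64.0.0/10")


def classify(addr):
    """Say what kind of address this is; private/shared blocks are tested before is_global."""
    ip = ipaddress.ip_address(addr)
    for block in RFC1918_BLOCKS:
        if ip in block:
            return f"private ({block})"
    if ip in CGNAT_BLOCK:
        return "shared/CGNAT (100.64.0.0/10)"
    if ip.is_global:
        return "public"
    return "other reserved"


def behind_cgnat(wan_addr):
    """True when the address the ISP handed your router is not public. Inbound port
    forwarding on your own router cannot work then; the ISP's NAT drops the packet first."""
    return classify(wan_addr) != "public"


def pick_lan_prefix(wan_interface,
                    candidates=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """Return the first candidate that is inside an RFC 1918 block and does not overlap the
    subnet on the ISP-facing interface (given as 'address/prefixlen'), or None."""
    wan_net = ipaddress.ip_interface(wan_interface).network
    for cand in candidates:
        net = ipaddress.ip_network(cand, strict=False)
        if not any(net.subnet_of(block) for block in RFC1918_BLOCKS):
            continue   # not private: a misconfiguration here would leak traffic to the Internet
        if net.overlaps(wan_net):
            continue   # reusing the ISP's range means the complex NAT rules the answer warns about
        return str(net)
    return None


if __name__ == "__main__":
    # Constructed inputs: a home WAN address of the kind in the question, a CGNAT one,
    # and a router whose WAN side already sits on 192.168.1.0/24 (double NAT).
    for addr in ("24.1.2.3", "172.20.1.1", "100.70.0.1", "10.255.0.9"):
        print(addr, "->", classify(addr))
    print("behind CGNAT:", behind_cgnat("100.70.0.1"))
    print("LAN prefix to use:", pick_lan_prefix("192.168.1.10/24",
          ["192.168.1.0/24", "8.8.8.0/24", "192.168.0.0/24", "10.0.0.0/8"]))
```

The ordering in classify matters: on older Python releases is_global is just "not private", so the shared 100.64.0.0/10 space has to be checked explicitly or it is reported as public and the CGNAT case is missed.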

3

Think of the private/public IP thing like a set of concentric/nested circles (circles inside one another).

Assume that, for the purposes of this analogy, every circle has exactly 365 possible angles that can be made between a straight line drawn across the radius of the circle and another line. So this is similar to the IP space, except for the number of available IPs vs. the number of available angles.

The outermost circle is the public IP space, which means that anybody connected to IPv4 can reach these IPs, and this IP is the same everywhere, no matter what. When any computer anywhere tries to access an IP on the public IP space, it will get routed to the same physical and logical computer on the public Internet.

However, within the outer circle there are a few "holes" in the circle. These holes are IP addresses which may never be assigned to the public IP address space at all. These holes are what are known as the private subnets.

Now, in our diagram, you have the public IP address space with a little hole in it, let's call this hole the "10.0.0.0/8" space. You mentioned CIDR in your question so I assume you know what that is.

Think of each successive inner circle as a NAT or private LAN (same concept). Each of these inner circles can declare that it is on any subnet it wants, but it will only be a valid network configuration if it's on a designated private subnet, like 192.168.1.0/24 or 10.10.0.0/16 (these are just two examples).

There are a few rules about these nested levels that generally apply:

  • It is an error for an inner circle to declare that its private subnet contains IP addresses which were already declared as part of the subnet of an outer circle. For example, if a first-level NAT declares that it wants 10.10.0.0/16, and a second-level NAT tries to claim 10.10.6.0/24, there will be a problem.

  • Except for the gateway (the host that is a member of both the outer and inner NAT), a host that is assigned an IP address within a given subnet cannot reach hosts within any inner subnets unless explicit routing rules are set up (e.g., port forwarding). For example, if the first-layer NAT is on 192.168.1.0/24, the first-layer gateway is 192.168.1.1, and a host, 192.168.1.2, creates a private subnet 192.168.2.0/24 and assigns itself 192.168.2.1, a host on 192.168.1.0/24 will not normally be able to access anything within 192.168.2.0/24 -- again, unless explicit configuration in the software provides rules for when and how to do the routing.

allquixotic

Posted 2013-03-27T20:28:52.017

Reputation: 32 256

"When any computer anywhere tries to access an IP on the public IP space, it will get routed to the same physical and logical computer on the public Internet." Surely, this can't be true. If I have a private network I can certainly assign this address to some host. Apart from that point, the analogy is hard to parse (I don't know why I should think of 365 degrees). – polarise – 2014-11-14T10:51:11.640

So if an ISP is using CG-NAT or any other Double-NAT, the user can not forward his ports unless there is some routing done by the ISP itself? @allquixotic – Shayan – 2019-08-13T16:23:46.500
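As an added example that is not part of allquixotic's answer or of the comments, here is a small Python model of nested NAT/PAT that shows both rules in the answer and, in code, why the CGNAT port-forwarding question above gets a "no": an inner level whose LAN overlaps the outer LAN is rejected; an outbound flow leaves a translation entry at every level, so replies find their way back in; and an unsolicited inbound connection is dropped at the first level without an entry, so a port forward on the one router you control does nothing while the ISP's CGNAT has none. The topology and addresses (192.168.2.0/24 behind 100.64.1.5, behind public 203.0.113.7) are constructed; the per-level table is a plain dict standing in for a real conntrack table.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Nat:
    """One NAT/PAT level: a LAN prefix on the inside, a single address on the outside."""
    name: str
    lan: str                     # inside prefix, e.g. "192.168.2.0/24"
    wan_ip: str                  # the one address this level shows to the next circle out
    next_port: int = 40000       # first external port handed out for outbound flows
    mappings: dict = field(default_factory=dict)   # external port -> (inside ip, inside port)
    forwards: dict = field(default_factory=dict)   # static port forwards set by this box's admin

    def __post_init__(self):
        self.lan = ipaddress.ip_network(self.lan)
        self.wan_ip = ipaddress.ip_address(self.wan_ip)

    def forward_port(self, ext_port, inside_ip, inside_port):
        self.forwards[ext_port] = (ipaddress.ip_address(inside_ip), inside_port)

    def outbound(self, src_ip, src_port):
        """Rewrite an outgoing (src_ip, src_port) to (wan_ip, external port), keeping state."""
        if src_ip not in self.lan:
            raise ValueError(f"{self.name}: {src_ip} is not inside {self.lan}")
        for port, inside in self.mappings.items():
            if inside == (src_ip, src_port):
                return self.wan_ip, port              # existing flow: reuse its mapping
        port, self.next_port = self.next_port, self.next_port + 1
        self.mappings[port] = (src_ip, src_port)
        return self.wan_ip, port

    def inbound(self, ext_port):
        """Translate a packet arriving at wan_ip:ext_port, or return None to drop it."""
        return self.mappings.get(ext_port) or self.forwards.get(ext_port)


class NatChain:
    """Nested NAT levels, innermost first; the last one faces the public Internet."""

    def __init__(self, levels):
        for inner, outer in zip(levels, levels[1:]):
            if inner.wan_ip not in outer.lan:
                raise ValueError(f"{inner.name} WAN {inner.wan_ip} is not in {outer.name} LAN {outer.lan}")
            if inner.lan.overlaps(outer.lan):   # the answer's first rule
                raise ValueError(f"{inner.name} LAN {inner.lan} overlaps {outer.name} LAN {outer.lan}")
        self.levels = levels

    def send(self, src_ip, src_port):
        """Return the (ip, port) the Internet sees for a packet from src_ip:src_port."""
        ip, port = ipaddress.ip_address(src_ip), src_port
        for nat in self.levels:
            ip, port = nat.outbound(ip, port)
        return str(ip), port

    def receive(self, ext_port):
        """Walk a packet in from the public side; return the inside (ip, port) or None if dropped."""
        ip, port = self.levels[-1].wan_ip, ext_port
        for nat in reversed(self.levels):
            if ip != nat.wan_ip:                      # delivered to a plain host one level out
                break
            hop = nat.inbound(port)
            if hop is None:
                return None                           # no state and no forward: dropped here
            ip, port = hop
        return str(ip), port


def build_chain():
    """Constructed topology: a home LAN behind a home router, which sits behind an
    ISP carrier-grade NAT (RFC 6598 100.64.0.0/10 inside, a TEST-NET-3 address outside)."""
    home = Nat("home router", "192.168.2.0/24", "100.64.1.5")
    isp = Nat("ISP CGNAT", "100.64.0.0/10", "203.0.113.7")
    return home, isp, NatChain([home, isp])


def run_scenario():
    """Outbound works through both levels; inbound only once every level has an entry."""
    home, isp, chain = build_chain()
    result = {}
    result["seen"] = chain.send("192.168.2.5", 51000)        # what a web server sees
    result["reply"] = chain.receive(result["seen"][1])        # the reply follows the state back in
    result["unsolicited"] = chain.receive(8080)               # nobody opened 8080: dropped at the ISP
    home.forward_port(8080, "192.168.2.5", 8080)              # the only box the user controls
    result["home_forward_only"] = chain.receive(8080)         # still dropped: the ISP has no entry
    isp.forward_port(8080, "100.64.1.5", 8080)                # only the ISP could add this
    result["both_forwarded"] = chain.receive(8080)
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Swap the ISP level for a second router you administer and the same model describes the ordinary double-NAT case in the answer: the forward has to exist at every level between the Internet and the host, and the innermost gateway is the only host that is a member of both circles.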