NAT & Private IP Address Ranges


An IP (Internet Protocol) address, in the IPv4 sense used throughout this page, is a 32-bit number written as four 1-byte fields ("octets") separated by dots, the so-called dotted quad. One byte is 8 bits, so each field is a decimal number in the range 0 to 255. For example, is an IP address. There are only so many "real" (globally unique, publicly routed) IPv4 addresses; the free pool has been perpetually on the edge of exhaustion, and such addresses are therefore very difficult to get.

One of the solutions to this problem is so-called "private" IP addresses: ranges of addresses set aside expressly for use by a company or other entity internally. Private addresses are not routed on the public Internet; a packet carrying a private source or destination address is supposed to be dropped by any Internet router, so they cannot be used to connect to the Internet directly. They are "non-routable" only in that sense: inside your own network they route like any other address. These are also often called RFC1918 addresses.


You use a private IP address when you wish to use TCP/IP on your LAN but do not wish to try to register enough legal (legitimate, publicly assigned) addresses for all your devices. Even if you do wish to get that many, you will not: essentially all valid IP addresses are already owned, either by very large corporations (like AT&T) or by ISPs. When you contract for service from an ISP, you are allocated some small number of legitimate IP addresses out of that ISP's pool of addresses.


Advantages of private addressing:

  1. Some increase in security, since private addresses are not routed across the Internet and an outside host cannot address an internal machine directly. Treat this as a side effect rather than a security boundary: the firewall doing the NAT still needs explicit inbound filtering, and anything you statically map or forward is reachable from outside.
  2. You conserve the world-wide pool of IP addresses.
  3. You do not have to register or pay for these addresses in any way (internal independence from your ISP's addresses: changing ISPs does not force you to renumber the LAN).
  4. When you connect to the Internet via a firewall and NAT (Network Address Translation, AKA IP Masquerading), you do not cut yourself off from any public address range. If you had instead "borrowed" somebody else's public range for internal use, your hosts could never reach the real owners of those addresses, because the LAN route would always win.
  5. Little or no performance degradation (depending on your firewall).

See also my SOHO Information Security and Typical Home Network Designs pages.


Disadvantages:

  1. If you merge with a company that has chosen the same private range, one or both of you will have to renumber (or NAT between the two networks). This can be difficult and expensive.
  2. Some applications don't work with NAT.
  3. Anything using NBT (NetBIOS over TCP/IP: UDP 137/138, TCP 139), i.e. classic NT networking, cannot communicate across a firewall doing NAT, because NetBIOS datagrams carry the sender's IP address inside the payload, which the NAT device does not rewrite (the same problem as item 4).
  4. Applications that embed IP addresses in the data stream (active-mode FTP is the classic case) or that authenticate the IP header (IPsec AH) may not work with NAT unless the NAT device has an application-level gateway for that protocol or the protocol has its own NAT traversal.
  5. It may require more work to plan and configure.

Private IP Address Ranges

These are the "classic" RFC1918 ranges. Note that the second block is 172.16.0.0/12, i.e. 172.16 through 172.31 only; 172.32.x.x and above is public address space, a mistake seen regularly in firewall rule sets.

Class                  From          To               CIDR Mask                     Decimal Mask
Class "A" or 24 Bit    10.0.0.0      10.255.255.255   /8                            255.0.0.0
Class "B" or 20 Bit    172.16.0.0    172.31.255.255   /12 (or more typically /16)   255.240.0.0 (or 255.255.0.0)
Class "C" or 16 Bit    192.168.0.0   192.168.255.255  /16 (or more typically /24)   255.255.0.0 (or 255.255.255.0)

Other useful Ranges

This table is a bit out of date and is downright WRONG in a few places. Refer to IANA: Internet Protocol v4 Address Space, RFC3330 (since obsoleted by RFC5735 and then RFC6890, the Special-Purpose IP Address Registries) and the Bogon List for more up-to-date information. From the security side, the loopback, link-local, test, benchmarking, multicast and class E ranges, together with the RFC1918 ranges, are "bogons": source addresses that have no business arriving on your Internet-facing interface and that a border router or firewall should drop (see BCP38, RFC2827, on ingress filtering). The 14/8 and 24/8 rows are historical; both have long since been handed out as ordinary public space.

The following was adapted (a long time ago) from this comment associated with RFC1918 and RFC3330. See also the Bogon List.

Class/Type                                   From           To                CIDR Mask        Decimal Mask
Broadcast/This Net [RFC1700]
Null                                                                          /8               255.0.0.0
Public-Data Networks [RFC1700]               14.0.0.0       14.255.255.255    /8               255.0.0.0
Cable Television Networks                    24.0.0.0       24.255.255.255    /8               255.0.0.0
Loopback [RFC1700]                           127.0.0.0      127.255.255.255   /8               255.0.0.0
Link-Local (auto-configuration without DHCP) 169.254.0.0    169.254.255.255   /16              255.255.0.0
Testnet addresses (for tests only)           192.0.2.0      192.0.2.255       /24              255.255.255.0
6to4 Relay Anycast [RFC3068]                 192.88.99.0    192.88.99.255     /24              255.255.255.0
Network Interconnect/Testing [RFC2544]       198.18.0.0     198.19.255.255    /15 (supernet)   255.254.0.0
Class "D" (IPv4 multicast) [RFC3171]         224.0.0.0      239.255.255.255   /4 (supernet)    240.0.0.0
Class "E" (don't use)                        240.0.0.0      255.255.255.255   /4 (supernet)    240.0.0.0
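The two tables above (the RFC1918 ranges and the other reserved ranges) are exactly what a border device's ingress (anti-spoofing) filter is built from. The following is an added example, not code from the original page: it classifies a source address against those ranges with Python's standard-library ipaddress module and applies a BCP38-style accept/drop decision to a constructed list of packets. The sample addresses, including 203.0.113.10 standing in for "our" public server, are assumptions for illustration; the 0/8, "Null", 14/8 and 24/8 rows are deliberately left out, the first two because the page gives no bounds for them and the last two because they are ordinary public space today.

```python
import ipaddress

# RFC1918 private blocks, as CIDR prefixes.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Rows of the "Other useful Ranges" table that must never be the *source* of a
# packet arriving from the Internet. (0/8, "Null", 14/8 and 24/8 omitted; see text.)
SPECIAL = {
    "loopback": "127.0.0.0/8",
    "link-local": "169.254.0.0/16",
    "TEST-NET": "192.0.2.0/24",
    "6to4 relay anycast": "192.88.99.0/24",      # deprecated by RFC7526; bogon lists drop it
    "benchmarking (RFC2544)": "198.18.0.0/15",
    "multicast (class D)": "224.0.0.0/4",
    "reserved (class E)": "240.0.0.0/4",         # includes 255.255.255.255
}
SPECIAL_NETS = {name: ipaddress.ip_network(cidr) for name, cidr in SPECIAL.items()}


def classify_source(addr: str) -> str:
    """Return 'public', 'private (RFC1918 <net>)' or the name of the special block."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 only; the tables above do not cover IPv6")
    for net in RFC1918:
        if ip in net:
            return f"private (RFC1918 {net})"
    for name, net in SPECIAL_NETS.items():
        if ip in net:
            return name
    return "public"


def is_rfc1918(addr: str) -> bool:
    return classify_source(addr).startswith("private")


def ingress_filter(packets):
    """BCP38-style check at the Internet-facing interface on (src, dst) pairs:
    a source that is not public address space is spoofed or misrouted, so drop it."""
    accepted, dropped = [], []
    for src, dst in packets:
        kind = classify_source(src)
        (accepted if kind == "public" else dropped).append((src, dst, kind))
    return accepted, dropped


# Constructed sample, not a capture. 203.0.113.10 is an assumed public server of ours.
SAMPLE_PACKETS = [
    ("8.8.8.8", "203.0.113.10"),      # ordinary public source
    ("10.1.2.3", "203.0.113.10"),     # RFC1918 source: spoofed, or leaked by a broken NAT
    ("172.32.0.1", "203.0.113.10"),   # looks private but is NOT: 172.16/12 ends at 172.31
    ("127.0.0.1", "203.0.113.10"),    # loopback can never legitimately arrive on a wire
    ("224.0.0.5", "203.0.113.10"),    # a multicast address as a *source* is always bogus
]

if __name__ == "__main__":
    accepted, dropped = ingress_filter(SAMPLE_PACKETS)
    for entry in accepted:
        print("ACCEPT", *entry)
    for entry in dropped:
        print("DROP  ", *entry)
```

The 172.32.0.1 line is the one to watch: a rule written as "172.0.0.0/8 is private" would wrongly drop it, while a rule written as "172.16.0.0/16" would wrongly pass 172.20.x.x. The same classifier can be run in the other direction on the LAN-facing interface (egress filtering) to make sure nothing but your own addresses leaves.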

Network Address Translation (NAT) AKA IP Masquerading

NAT, AKA IP Masquerading, is the process by which a "private," "illegal," non-routable IP address is translated into a "legal," routable one as packets pass through a router or firewall. There are two kinds of NAT, often called static NAT and hide NAT (hide NAT also goes by NAPT, PAT, "overloading" or masquerading, depending on the vendor). Static NAT provides a one-to-one correlation between the illegal private address and the legal routable one. For example, the Web server on may be statically mapped to. Hide NAT is a many-to-one arrangement where the many illegal addresses behind some device appear to the Internet as one single address (often the legal address of the device itself). For example, the entire network may hide behind the single valid IP address of the device at

NAT Devices

There are three kinds of device that typically perform NAT: routers, firewalls and proxy servers. (A proxy does not strictly rewrite addresses; it terminates the client's connection and opens its own, but the effect seen from the Internet is the same: one address for many clients.)

Hide Mode NAT

In hide mode, the external address of the NAT device "hides" most or all outgoing connections. To the Internet, all traffic seems to originate from this single address, when it really comes from many different machines on the internal network. The traffic is differentiated at the NAT device by a table of port numbers. For example, Web surfing uses destination port 80 (http). If a client computer at surfs to, the NAT device rewrites the packet's source address to its own external address and the source port to a port it picks from its table, say 20134. When the response comes back addressed to port 20134, the NAT device looks that port up in the table and knows the packet really goes to the client at. That way more than one person can surf at the same time using the same external IP address, and every reply still reaches the right person. A packet from the Internet that matches no table entry has nowhere to go and is dropped, which is where most of the "security" of hide NAT comes from; it is not a substitute for firewall rules, since anything you forward or statically map is exposed, and the table only protects you until something inside opens a connection outward.

Static Mode NAT

In static mode, there is a one-to-one correlation between internal (illegal, non-routable) and external (legal, routable) addresses. This must be the case if you wish to have an E-Mail server, Web server or any other service that is accessible from the Internet: DNS (Domain Name Service) publishes the IP addresses of the servers (or services) that are accessible, and these published addresses must be legal and routable. The block of addresses available for this use is termed the "moat" network below. A typical "moat" network is a /29 (eight addresses: one network address, six usable, one broadcast) laid out like this:

  • Network address (the network name)
  • Available IP address (usually assigned to the internal router interface)
  • Available IP address (usually assigned to the external firewall interface)
  • Available IP address (may be the Web server?)
  • Available IP address (may be the E-Mail server?)
  • Available IP address
  • Available IP address
  • Broadcast address

A very interesting thing happens with static NAT, however. The router's interface and the Web server's published (external) address both lie in the moat network, so when the router sees a packet destined for the Web server it "arps" for it: as far as the router can tell, the two are on the same network and the server must be directly reachable on that wire. But it really isn't. So when the router ARPs (uses the Address Resolution Protocol to find the Web server), nothing answers, since the Web server is really on the internal network behind the firewall with a different address. To solve this problem, devices that perform static NAT also perform "proxy ARP".

Any device configured to do static NAT has a list of addresses it will "answer for" when it hears an ARP request for them. It essentially lies and says, "yes, I am that server, send me the packet." When it gets the packet, it rewrites the destination address and forwards it to the real server. (Proxy ARP is only needed when the published addresses sit on the same subnet as the router. If the ISP instead routes the public block to the firewall's external address, the packets arrive at the firewall anyway and no ARP trick is required.)
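The hide-mode table, the static one-to-one mapping and the proxy-ARP "answer for" list described above can be shown on one simulated device. This is an added example, not code from the original page, and every address in it is an assumption chosen for illustration: the firewall's public address is 203.0.113.1, a Web server that really lives at 192.168.1.10 is published as 203.0.113.2, the LAN is 192.168.1.0/24, and 198.51.100.x are outside hosts.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatDevice:
    """One firewall doing hide NAT for the LAN and static NAT for published servers."""

    def __init__(self, external_ip, static_map, first_port=20000):
        self.external_ip = external_ip
        self.static = dict(static_map)              # public address -> internal address
        self.static_rev = {v: k for k, v in self.static.items()}
        self.hide = {}                              # (internal ip, port) -> external port
        self.hide_rev = {}                          # external port -> (internal ip, port)
        self.next_port = first_port

    def proxy_arp(self, target_ip):
        """Answer the router's ARP 'who has X?' for our own address and every
        statically mapped public address, although no host actually has X configured."""
        return target_ip == self.external_ip or target_ip in self.static

    def outbound(self, pkt):
        """Translate a packet leaving the LAN for the Internet."""
        if pkt.src_ip in self.static_rev:           # static: fixed 1:1 address swap
            return Packet(self.static_rev[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.hide:                    # hide: first packet of a flow gets a port
            ext_port = self.next_port
            self.next_port += 1
            self.hide[key] = ext_port
            self.hide_rev[ext_port] = key
        return Packet(self.external_ip, self.hide[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate a packet arriving from the Internet; None means drop it."""
        if pkt.dst_ip in self.static:               # published server: always reachable
            return Packet(pkt.src_ip, pkt.src_port, self.static[pkt.dst_ip], pkt.dst_port)
        if pkt.dst_ip == self.external_ip and pkt.dst_port in self.hide_rev:
            in_ip, in_port = self.hide_rev[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)
        return None                                 # no table entry: unsolicited, dropped


def demo():
    """Walk the scenarios from the text; returns the translated packets for inspection."""
    fw = NatDevice("203.0.113.1", {"203.0.113.2": "192.168.1.10"})
    # Two LAN clients that happen to pick the same source port for the same web site.
    a = fw.outbound(Packet("192.168.1.20", 1025, "198.51.100.7", 80))
    b = fw.outbound(Packet("192.168.1.21", 1025, "198.51.100.7", 80))
    # The site's reply to b comes back to the firewall's address and b's mapped port.
    reply_to_b = fw.inbound(Packet("198.51.100.7", 80, "203.0.113.1", b.src_port))
    # An outsider probing a port nobody mapped: no table entry, dropped.
    probe = fw.inbound(Packet("198.51.100.9", 4444, "203.0.113.1", 2222))
    # An outsider reaching the statically mapped web server: always let through.
    to_web = fw.inbound(Packet("198.51.100.9", 50000, "203.0.113.2", 80))
    return {"a": a, "b": b, "reply_to_b": reply_to_b, "probe": probe, "to_web": to_web,
            "arp_for_web": fw.proxy_arp("203.0.113.2"),
            "arp_for_other": fw.proxy_arp("203.0.113.3")}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value}")
```

Two things a real device does that the simulation leaves out: table entries are keyed on protocol and destination as well and are aged out, and the static mapping is usually combined with a filter rule so that only the published ports (80 for the Web server) are let through rather than the whole address.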

A Typical Internet Connection Scenario

A very common small-business-class (as opposed to home use) Internet connection looks like the following:

Figure 1: Common Firewalled Network Diagram--With Router

Figure 2: Common Firewalled Network Diagram--With Bridge

Description Network IP Range
Company LAN to
Service Network (DMZ) to
Moat to
Link Network to

Network or Device Default Gateway
Company LAN
Service Network (DMZ)
ISP Router
  • The Company LAN uses the private (RFC1918) address of
  • There is a "Service Network" (AKA DMZ) for hosting Web servers, FTP servers, extranet (partner) connections, etc. Keeping these Internet-facing hosts on their own network means that a compromised server does not land the attacker directly on the company LAN.
  • The firewall is performing both hide NAT and static NAT.
    • Hide NAT: all outgoing connections from the network are hidden behind the firewall's address of
    • Static NAT: the E-Mail server on the company LAN has a "routable," external IP address of, but an internal IP address of
  • The "Moat" network is the network between the external interface of the firewall and the internal interface of the router.
  • There is confusion about the term DMZ. Originally, the term DMZ was used to denote the "moat" network. Recently, however, the common usage has been that the DMZ is the "Service Network". I have used "Service Network" and "Moat Network" to avoid confusion. The term "Moat Network" is not in common usage, however.
Service Internal Address External Address NAT Mode
Hide NAT Hide
E-Mail Server Static
Web Server Static


Subnet Masks: Decimal and CIDR

CIDR  Decimal Mask       Old  A Subnets    B Subnets  C Subnets  # Usable          # Hosts
8     255.0.0.0          A    1                                   16,777,214        16,777,216
9     255.128.0.0        A    2                                   8,388,606         8,388,608
10    255.192.0.0        A    4                                   4,194,302         4,194,304
11    255.224.0.0        A    8                                   2,097,150         2,097,152
12    255.240.0.0        A    16                                  1,048,574         1,048,576
13    255.248.0.0        A    32                                  524,286           524,288
14    255.252.0.0        A    64                                  262,142           262,144
15    255.254.0.0        A    128                                 131,070           131,072
16    255.255.0.0        B    256          1                      65,534            65,536
17    255.255.128.0      B    512          2                      32,766            32,768
18    255.255.192.0      B    1,024        4                      16,382            16,384
19    255.255.224.0      B    2,048        8                      8,190             8,192
20    255.255.240.0      B    4,096        16                     4,094             4,096
21    255.255.248.0      B    8,192        32                     2,046             2,048
22    255.255.252.0      B    16,384       64                     1,022             1,024
23    255.255.254.0      B    32,768       128                    510               512
24    255.255.255.0      C    65,536       256        1           254               256
25    255.255.255.128    C    131,072      512        2           126               128
26    255.255.255.192    C    262,144      1,024      4           62                64
27    255.255.255.224    C    524,288      2,048      8           30                32
28    255.255.255.240    C    1,048,576    4,096      16          14                16
29    255.255.255.248    C    2,097,152    8,192      32          6                 8
30    255.255.255.252    C    4,194,304    16,384     64          2                 4
31    255.255.255.254    C    8,388,608    32,768     128         2 (RFC3021)       2
32    255.255.255.255    C    16,777,216   65,536     256         1 (host route)    1


  1. The "# Usable" series can be derived by "previous # Usable x 2 + 2".
  2. The "# Usable" series can be derived by "# Hosts - 2".
  3. The "# Hosts" series can be derived by "previous # Hosts x 2".
  4. The "# Hosts" series can be derived by "# Usable + 2".
  5. Rules 1, 2 and 4 hold down to /30 only. A /31 has no room for separate network and broadcast addresses, and RFC3021 allows both of its addresses to be used on point-to-point links. A /32 is a single address, i.e. a host route, not a broadcast address.
  6. The number of subnets is only correct under CIDR. Using the old classful rules (the all-zeros and all-ones subnets are not used) it is "# CIDR Subnets - 2".
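The whole table above is a handful of bit operations on the prefix length. The following is an added example, not code from the original page: it derives the decimal mask, the subnet counts and the "# Hosts" / "# Usable" columns from the prefix, handles the /31 and /32 rows the way the notes describe, and works out the network, broadcast and usable range of a host address such as 192.168.10.77/27 (an assumed address chosen for illustration), which is the check you want before trusting a firewall rule or an ACL that someone wrote from memory.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def mask_from_prefix(prefix: int) -> str:
    """Dotted-decimal mask for a prefix length: /12 -> 255.240.0.0."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    return str(ipaddress.IPv4Address((ALL_ONES << (32 - prefix)) & ALL_ONES))


def prefix_from_mask(mask: str) -> int:
    """Inverse of mask_from_prefix; rejects non-contiguous masks such as 255.0.255.0."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    if bits != (ALL_ONES << (32 - prefix)) & ALL_ONES:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return prefix


def host_count(prefix: int) -> int:
    """The '# Hosts' column: every address in the block, reserved ones included."""
    return 1 << (32 - prefix)


def usable_hosts(prefix: int) -> int:
    """The '# Usable' column. '# Hosts - 2' only holds down to /30: a /31 uses both
    addresses on point-to-point links (RFC3021) and a /32 is a single host route."""
    return host_count(prefix) if prefix >= 31 else host_count(prefix) - 2


def table_row(prefix: int) -> dict:
    """Reproduce one row of the table above. Subnet counts are None where the prefix
    is shorter than the classful network (/8, /16, /24) it would be carved from."""
    def subnets(class_prefix):
        return 1 << (prefix - class_prefix) if prefix >= class_prefix else None
    return {
        "mask": mask_from_prefix(prefix),
        "a_subnets": subnets(8), "b_subnets": subnets(16), "c_subnets": subnets(24),
        "usable": usable_hosts(prefix), "hosts": host_count(prefix),
    }


def describe(cidr: str) -> dict:
    """Network, mask, broadcast and usable range for a host address written with
    its prefix length, e.g. '192.168.10.77/27'."""
    net = ipaddress.IPv4Interface(cidr).network      # host bits masked off
    lo, hi = int(net.network_address), int(net.broadcast_address)
    if net.prefixlen < 31:                            # ordinary subnet: both ends reserved
        lo, hi = lo + 1, hi - 1
    return {
        "network": str(net.network_address),
        "mask": mask_from_prefix(net.prefixlen),
        "broadcast": str(net.broadcast_address) if net.prefixlen < 31 else None,
        "first_usable": str(ipaddress.IPv4Address(lo)),
        "last_usable": str(ipaddress.IPv4Address(hi)),
        "usable": usable_hosts(net.prefixlen),
    }


if __name__ == "__main__":
    for p in (8, 12, 16, 24, 30, 31, 32):
        print(p, table_row(p))
    print(describe("192.168.10.77/27"))
```

prefix_from_mask refuses masks with a hole in them on purpose: 255.0.255.0 has the right number of one bits for a /16 but matches a completely different set of addresses, and a rule written with such a mask silently covers hosts the author never meant.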

RFC1918: Address Allocation for Private Internets



3. Private Address Space

   The Internet Assigned Numbers Authority (IANA) has reserved the
   following three blocks of the IP address space for private internets:

     10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

   We will refer to the first block as "24-bit block", the second as
   "20-bit block", and to the third as "16-bit" block. Note that (in
   pre-CIDR notation) the first block is nothing but a single class A
   network number, while the second block is a set of 16 contiguous
   class B network numbers, and third block is a set of 256 contiguous
   class C network numbers.

   An enterprise that decides to use IP addresses out of the address
   space defined in this document can do so without any coordination
   with IANA or an Internet registry. The address space can thus be used
   by many enterprises. Addresses within this private address space will
   only be unique within the enterprise, or the set of enterprises which
   choose to cooperate over this space so they may communicate with each
   other in their own private internet.