IP, Subnets, DHCP, NAT: Building a Network That Works
MAC addresses get you across one local network. IP addresses get you across the planet.
This chapter is about Layer 3 — the Internet layer — and the small handful of supporting characters that make it actually work: subnet masks, gateways, DNS, DHCP, and NAT. Together, these are what turn a pile of cables and switches into "the internet."
IP addresses, in two flavors.
You almost certainly know what an IPv4 address looks like: four numbers from 0 to 255, separated by dots, like 192.168.1.5. Behind the dots, that is 32 bits — four octets of 8 bits each. The number of possible IPv4 addresses is therefore 2³² ≈ 4.3 billion. That sounded enormous in the 1980s. It is now about half of the number of humans on the planet.
To solve this exhaustion, the world designed IPv6 — a 128-bit address space, written as eight groups of four hex digits (e.g. 2001:0db8:85a3::8a2e:0370:7334). The address space is large enough that we will not run out in our lifetimes — or arguably ever.
IPv6 has been "the future" for about twenty years. As of today, adoption is real but partial. A significant minority of internet traffic is IPv6; the majority is still IPv4. Why hasn't the world moved over?
Because IPv6 is not backwards compatible with IPv4. Every router, every server, every device, every piece of network software has to support IPv6 to talk IPv6. For decades, the world worked around the IPv4 shortage with NAT (which we'll get to in a moment), and the workaround was good enough that the transition pressure was never quite enough to win.
There has even been talk in standards bodies of an alternative path forward — sometimes called IPv8 — that would extend IPv4 directly by adding more bits while staying compatible with the existing IPv4 ecosystem. As of the writing of this book this idea is in active discussion, not consensus, and the merits and demerits are still being argued. You should treat anything you read about IPv8 with extra skepticism — it is exactly the kind of fast-evolving topic where rumor outruns fact. Verify before you quote.
Subnet masks — slicing the address space.
An IP address by itself is not enough to make a network function. You also need a subnet mask, which tells your computer which part of the address is the network and which part is the host.
A common netmask is 255.255.255.0. In binary, that is twenty-four 1 bits followed by eight 0 bits. The 1 bits mark "network." The 0 bits mark "host." So if your IP is 192.168.1.5 with mask 255.255.255.0, then:
- The network portion is `192.168.1` — every machine in your local network starts with this.
- The host portion is `5` — that's your specific machine within that network.
- The total range of hosts on this network is `192.168.1.0` through `192.168.1.255`, of which `.0` is typically the network address and `.255` is the broadcast address — leaving 254 usable IPs.
A bigger network needs a shorter mask. 255.255.0.0 lets you have 65,534 usable hosts. 255.0.0.0 lets you have over 16 million. You can also write masks in CIDR notation: 192.168.1.0/24 means "the network 192.168.1.0 with a 24-bit netmask." /24 is the same as 255.255.255.0. /16 is the same as 255.255.0.0. CIDR is shorter and more flexible because it lets you use masks that don't fall on octet boundaries (/22, /27, etc.).
Private vs. public IP ranges.
Not every IP address is reachable from the public internet. There are specific ranges reserved for private use:
- `10.0.0.0/8` — about 16 million addresses
- `172.16.0.0/12` — about 1 million addresses
- `192.168.0.0/16` — about 65,000 addresses
If you look at your laptop's IP right now, it almost certainly falls inside one of these ranges. Home Wi-Fi routers typically hand out addresses in 192.168.x.x. Office networks often use 10.x.x.x. Cloud VPC defaults often use 172.16.x.x.
These addresses do not get routed on the public internet. A packet destined for 192.168.1.5 will be silently dropped by any router on the public internet, because that address could be referring to any one of millions of laptops behind millions of routers in the world. Private addresses are only meaningful within their own local network.
There is also a special range — 127.0.0.0/8, of which 127.0.0.1 is by far the most common — that is reserved for the loopback interface. Any traffic to 127.0.0.1 never leaves your own machine. When you run a development server on localhost:3000, you are listening on 127.0.0.1 on port 3000.
So you actually live inside three IP scopes at once: the loopback inside your machine, the private network you are attached to, and the public internet beyond the gateway.
DHCP — who hands out IPs?
A laptop joining a network does not know what IP address it should use. It has to be told. The protocol that tells it is called DHCP — Dynamic Host Configuration Protocol.
When your laptop comes online, it broadcasts a DHCP request: "Hi, I am new. Can someone give me a network configuration?" Somewhere on the network there is a DHCP server — usually built into your router. The DHCP server responds with: "Here is your IP address. Here is your subnet mask. Here is your default gateway. Here is the DNS server you should use. This lease is valid for X hours."
Your laptop accepts the offer, configures its network interface, and from then on it can participate in the network.
A question worth chewing on: what happens if there are two DHCP servers on the same network?
Briefly: it depends. They may hand out conflicting addresses; they may hand out non-overlapping ranges that work fine; they may compete for the same requests. The exact result depends on the timing and the configuration of each server. In a well-designed network, you either run one DHCP server, or you carefully partition the address space and the failover behavior. Running multiple DHCP servers by accident is one of the classic ways to wreck a network. I am leaving the rest of the edge cases as deliberate homework. Go find them.
Default gateway — who do you ask when the destination isn't local?
Your computer has an IP. It has a subnet mask. It can talk directly to anything in its own subnet, using ARP and the local switch.
But what about packets to anywhere else? What about a packet to 8.8.8.8 (Google DNS) when your machine is 192.168.1.5?
That is what the default gateway is for. The DHCP server tells your computer the gateway's IP address — typically the router on your local network, often something like 192.168.1.1. Whenever your computer wants to reach an IP that does not match its own subnet, it sends the packet to the default gateway. The gateway, which is sitting on multiple networks (your private LAN and the upstream ISP link), forwards the packet onward.
If you remove or misconfigure the gateway, your local machine can still talk to other local machines, but it cannot reach the wider internet at all. This is one of the most common configurations to break and one of the easiest to diagnose: ping to a local IP works; ping to an external IP, typed as a number so that DNS never enters the picture, fails immediately.
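The subnet-mask arithmetic, the private/loopback ranges and the gateway rule from the sections above, worked through in one place. This is an added example, not code from the chapter; the function names are my own.

```python
# Added example, not the chapter's own code: the mask/network/host split done
# with plain integers, plus the scope and next-hop decisions built on it.

def ip_to_int(ip: str) -> int:
    """'192.168.1.5' -> the 32-bit integer behind the dots."""
    a, b, c, d = (int(o) for o in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def mask_of(plen: int) -> int:
    """/24 -> 0xFFFFFF00: plen one-bits (network) followed by zero-bits (host)."""
    return (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF

def subnet_info(cidr: str) -> dict:
    """Netmask, network, broadcast and usable-host count for 'a.b.c.d/len'."""
    ip, plen = cidr.split("/")
    plen = int(plen)
    mask = mask_of(plen)
    network = ip_to_int(ip) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    # /31 (point-to-point links) and /32 (one host) reserve no addresses at all.
    usable = {32: 1, 31: 2}.get(plen, 2 ** (32 - plen) - 2)
    return {"netmask": int_to_ip(mask), "network": int_to_ip(network),
            "broadcast": int_to_ip(broadcast), "usable_hosts": usable}

def in_block(ip: str, cidr: str) -> bool:
    """True if ip falls inside the CIDR block (same network bits)."""
    net, plen = cidr.split("/")
    mask = mask_of(int(plen))
    return ip_to_int(ip) & mask == ip_to_int(net) & mask

PRIVATE_BLOCKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def scope(ip: str) -> str:
    """Which of the three scopes in the text an address lives in."""
    if in_block(ip, "127.0.0.0/8"):
        return "loopback"
    if any(in_block(ip, block) for block in PRIVATE_BLOCKS):
        return "private"
    return "public"

def next_hop(dst: str, my_ip: str, plen: int, gateway: str) -> str:
    """The gateway rule: deliver directly (ARP + switch) inside our subnet, else via the gateway."""
    return dst if in_block(dst, f"{my_ip}/{plen}") else gateway
```

The standard library's `ipaddress.ip_network(cidr, strict=False)` reports the same network, broadcast and address count if you want to cross-check a result.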
NAT — the trick that saved IPv4.
There are only ~4 billion IPv4 addresses. There are far more devices than that. So how does everyone fit?
NAT — Network Address Translation. It is one of the most consequential hacks in the history of computing.
Your router has one public IP address — the one your ISP assigned to it. Behind that router, on your private network, are potentially dozens of devices, each with a private IP. When any of those devices sends a packet out to the internet, the router:
- Rewrites the source address of the packet from the private IP to the router's public IP.
- Picks an unused source port and writes it into the packet.
- Records a mapping in its NAT table: "private IP X, port Y" ↔ "public IP me, port Z."
- Forwards the packet onward.
When the response comes back, addressed to the router's public IP on port Z, the router consults its NAT table, rewrites the destination address back to the original private IP and port, and forwards it onto the LAN. To the device on the LAN, the conversation looks normal. To the public internet, it looks like all the traffic from your house is coming from one IP — the router.
This is how a billion homes' worth of devices share a few hundred million IPv4 addresses. NAT is a brilliant, ugly, load-bearing hack.
It also has consequences. Devices behind NAT are not directly reachable from the public internet. That is a feature for security but a bug for any peer-to-peer use case — video calls, multiplayer games, IoT. The workarounds (STUN, TURN, hole punching, relays) are an entire subindustry. If you ever wondered why video calling protocols seem complicated, NAT is a large part of the reason.
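The four-step rewrite above and its consequence (nothing inside is reachable unless it spoke first), as an added example with a toy NAT table. This is not code from the chapter; the class, the packet layout and the 203.0.113.7 / 198.51.100.9 addresses are constructed for the demo.

```python
# Added example, not the chapter's own code: a toy NAT table that performs the
# four outbound steps in the text and reverses them for replies. Packets are
# plain dicts with src, sport, dst, dport; all addresses here are constructed.
import itertools

class Nat:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip              # the one address the ISP gave the router
        self._free_ports = itertools.count(first_port)
        # public port Z -> (private IP X, private port Y, remote IP, remote port)
        self.table = {}

    def outbound(self, pkt: dict) -> dict:
        """LAN -> internet: rewrite the source to (public IP, port Z) and remember why."""
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        for z, known in self.table.items():     # same flow again? keep its port
            if known == flow:
                break
        else:
            z = next(self._free_ports)          # "pick an unused source port"
            self.table[z] = flow                # "record a mapping in the NAT table"
        return {**pkt, "src": self.public_ip, "sport": z}

    def inbound(self, pkt: dict):
        """Internet -> LAN: undo the rewrite, or drop if nobody inside asked for this."""
        known = self.table.get(pkt["dport"])
        if known is None:
            return None                         # unsolicited: no device is reachable this way
        src, sport, dst, dport = known
        if (pkt["src"], pkt["sport"]) != (dst, dport):
            return None                         # wrong peer for this mapping
        return {**pkt, "dst": src, "dport": sport}

def demo() -> tuple:
    """Two LAN devices use the same private port; the NAT port tells their replies apart."""
    nat = Nat("203.0.113.7")                    # constructed public address
    laptop = {"src": "192.168.1.5", "sport": 51000, "dst": "8.8.8.8", "dport": 53}
    phone = {"src": "192.168.1.7", "sport": 51000, "dst": "8.8.8.8", "dport": 53}
    out_l, out_p = nat.outbound(laptop), nat.outbound(phone)
    reply_p = nat.inbound({"src": "8.8.8.8", "sport": 53, "dst": nat.public_ip, "dport": out_p["sport"]})
    knock = nat.inbound({"src": "198.51.100.9", "sport": 4444, "dst": nat.public_ip, "dport": 22})
    return out_l["sport"], out_p["sport"], reply_p["dst"], knock
```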
DNS — names instead of numbers.
One more piece of glue before we leave Layer 3.
You do not type 142.250.183.110 into your browser. You type google.com. The system that translates the name to the address is DNS — the Domain Name System. Your DHCP-assigned DNS server (or a globally famous one like 8.8.8.8, 1.1.1.1) is the directory you consult to find IPs from names.
DNS deserves an entire chapter of its own (caching, TTLs, hierarchy, record types, recursion, security) but for our purposes here, just know that the moment you type a URL, your computer does a DNS lookup first, then does the rest of the work. Every visible "internet outage" you have ever had was, more often than not, actually a DNS outage.
Push On It
- Find your current IP address, subnet mask, default gateway, and DNS servers. (`ipconfig /all` on Windows; `ifconfig` / `ip addr` plus `route -n` plus `/etc/resolv.conf` on Linux/macOS.)
- Calculate by hand: how many usable host addresses are there in a /24? A /22? A /19? A /30? Do this without looking it up.
- Run `ping 8.8.8.8`. Then run `ping google.com`. Are the latencies similar or different? Why?
- Read about hairpin NAT and explain to yourself why hosting a web server in your bedroom while testing it from your laptop in the same house can be surprisingly tricky.