Sustainable Sustworks - Tools for Internet Travel
Inspired Tools for the Mac


Net Masks and the Subnet Calculator

Determining the proper mask value to assign to router and client IP addresses is sometimes difficult. You are usually pretty safe using for your IPNetRouter gateway's private subnet, especially if you never intend to have more than 254 unique LAN clients on your LAN. The approved private LAN network ranges are described in RFC-1918.

In the simple case, the lower the number of the subnet mask, the more open (or greater) the number of valid IP addresses in a subnetwork. Let's start with the standard, typical mask for a home LAN, It typically permits 254 clients on a LAN connected to the IPNetRouter gateway (e.g. x.y.z.1-x.y.z.254 are good IPs to use on the x.y.z subnet with mask; x.y.z.0 and x.y.z.255 are generally not because of the way IP routing works). If you raise the last number of the subnet mask, you lower the number of clients permitted on your LAN. For instance, if you set it to only three LAN clients and the gateway (four IP addresses) will be permitted to communicate with one another on that particular subnet. To route properly, the router should be one of the IP addresses in the same subnet as the clients.

If you understand binary operations, the above will make more sense, since the number of clients on a subnet is limited by performing a binary AND operation between the subnet mask and a given IP address.

Using the Subnet Calculator Tool

Using the Subnet Calculator tool in IPNetRouter or IPNetMonitor, you can see how many clients can be supported on an IP subnet based on a particular subnet mask. The prefix length set in the subnet calculator is equivalent to the shorthand value in the following table:

IP address    Net Mask    Mask Binary    Shorthand    Resulting network number
/24 (254 hosts)
/16 (65533 hosts)
/32 (1 host) (the identity mask)
/25 (128 hosts)
/30 (4 hosts)
/30 (4 hosts)
/30 (4 hosts)


By experimenting with the last IP address in the example, you can see how the subnet and client ID can change by altering the mask while the IP address remains constant. It is the network number that is used to determine whether a client is on the same or a different subnet when determining whether to broadcast an IP packet to the local network or not.

For each increase of one in the shorthand mask number, the number of available clients for your local LAN is halved. For each decrease of one in the mask (again, using the "/" syntax), the number of permitted clients on the LAN is doubled. This is a simplistic explanation, good enough for handling a subnet like with a mask shorthand value of /24 through /32 (long hand thru 255). The subnet calculator can determine the range of the client's local network from its IP address and network mask. Shorthand "/30" represents a sublan of four machines (hosts) with a network number determined by the machine's IP address; shorthand "/31" is for a subnet of two clients; shorthand "/29" is for a network of eight clients, etc.

Some of the interfaces in IPNetRouter support the "/" syntax for masks, others support the "" type syntax. Using the Subnet Calculator, you can automatically do the conversion between the two without much hassle.

For filtering of IP packets, the net mask is used to designate a range of IP addresses to apply the filter to. In the last example, through .83 would be filtered if a "/30" mask was applied to

If you want to know more about network masks, RFC-950 is a good starting point. See the help text for the Subnet Calculator for more information on how it works.

Binary Subnet Masks and Routing--the Short Version

(The Internet was designed by mathematicians and people with strong mathematics backgrounds. If you are not well-versed in binary number theory but are interested in how routing really works, the best thing is to find an easy guide to the Internet--your local librarian or bookstore may be able to recommend such a book (we hope). Maybe someday it will be easier. For now...)

If any 32-bit IP address is ANDed with (the equivalent of 24 "1" bits followed by eight "0" bits), you are left with only 255 valid client IDs in a given subnet (actually 254 since the all 1s and all 0s client host numbers are typically reserved). ANDing with an IP address, only four addresses will be valid for the local subnet. Doesn't make sense? Well, think of it this way. The destination address and the origination IP address are each ANDed with the origination IP's mask for any packet sent. The results of the two operations are then compared. The masks obliterate the client IDs (still kept in the packet header), and the masked results are then compared with one another. The following two examples take place on the originating host.

Destination of an IP datagram is on the same LAN
Origination is, mask is, the AND operation gives
Destination is, mask is, the AND operation gives

Since the packets originate on the same subnet, the machine sends the packet out on the LAN without asking the router what to do--it's a local neighborhood destination. (Yep, you don't need a router if you use the same network and masks for a local LAN when using straight IP addressing.)

Destination and originating hosts are on different LANs
Origination is, mask is, the AND operation gives
Destination is, mask is, the AND operation gives*

Since the source and destination networks are different, the packet is sent to the router for further handling. (*NOTE: the origination mask is used for mask calculations to avoid problems when using different masks on the same subnetwork; if the sending host determines that the IP packet it is about to send is not on its subnet, it should send the packet to a router/gateway for handling.)

In the instance of an address with a mask of, there are only four local host IPs that are within the same subnetwork. All other addresses will result in the packet being sent to the local router for handling. The last number, 252, is equivalent to 11111100 in binary.
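
The mask arithmetic described above (shorthand to long-hand conversion, the address range a "/30" filter covers, and the local-versus-router decision made with the originating host's mask), as an added example that is not part of the original page or of IPNetRouter. The 192.168.1.x addresses are constructed sample values from the RFC-1918 private range, and the function names are illustrative.

```python
def ip_to_int(addr):
    """Strictly parse a dotted-quad IPv4 string into a 32-bit integer."""
    parts = addr.split(".")
    if len(parts) != 4 or not all(
            p.isascii() and p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted-quad IPv4 address: {addr!r}")
    value = 0
    for p in parts:
        value = (value << 8) | int(p)
    return value

def int_to_ip(value):
    """32-bit integer back to dotted-quad text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix):
    """Shorthand '/n' -> mask as an integer: n one-bits, then zero-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def mask_to_prefix(mask):
    """Long-hand mask -> shorthand; reject masks whose one-bits are not contiguous."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != prefix_to_mask(prefix):
        raise ValueError(f"non-contiguous mask: {mask}")
    return prefix

def subnet_range(addr, prefix):
    """First and last address sharing addr's network number (what a filter matches)."""
    mask = prefix_to_mask(prefix)
    network = ip_to_int(addr) & mask             # AND wipes the client ID bits
    last = network | (~mask & 0xFFFFFFFF)        # set every client ID bit
    return int_to_ip(network), int_to_ip(last)

def next_hop(src, src_mask, dst):
    """Sender-side decision: both addresses are ANDed with the ORIGINATING mask."""
    mask = ip_to_int(src_mask)
    same = (ip_to_int(src) & mask) == (ip_to_int(dst) & mask)
    return "local" if same else "router"

if __name__ == "__main__":
    # Constructed sample values, not taken from the original page.
    print(int_to_ip(prefix_to_mask(30)), mask_to_prefix("255.255.255.0"))
    print(subnet_range("192.168.1.82", 30))
    print(next_hop("192.168.1.82", "255.255.255.252", "192.168.1.81"))
    print(next_hop("192.168.1.82", "255.255.255.252", "192.168.1.84"))
```

When reviewing a packet filter, running `subnet_range` on the rule's address and mask shows exactly which addresses it covers, so a mask that is one bit too short is caught before it doubles the range.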