Private IP Address Ranges, Subnets, and CIDR Notation Explained
The three RFC 1918 private ranges, what CIDR notation actually means, subnet masks, loopback, APIPA, and how to read your machine's network config.
If you’ve ever run ifconfig or ip addr and wondered why your machine has an address like 192.168.1.105 or 10.0.0.23, this post explains the full picture: where those ranges come from, what they mean, and how to read the subnet information that comes with them.
The three private IP ranges (RFC 1918)
In 1996, RFC 1918 defined three blocks of IPv4 addresses that would never be routed on the public internet. They exist solely for use within private networks — home LANs, corporate intranets, cloud VPCs, Docker networks. Routers on the internet simply drop packets destined for these addresses.
| Range | CIDR notation | Subnet mask | Address count |
|---|---|---|---|
| 10.0.0.0 – 10.255.255.255 | 10.0.0.0/8 | 255.0.0.0 | 16,777,216 |
| 172.16.0.0 – 172.31.255.255 | 172.16.0.0/12 | 255.240.0.0 | 1,048,576 |
| 192.168.0.0 – 192.168.255.255 | 192.168.0.0/16 | 255.255.0.0 | 65,536 |
10.0.0.0/8 — the big one
The 10.x.x.x block gives you roughly 16.7 million addresses. Cloud providers (AWS VPCs, GCP VPCs, Azure VNets) default to this block because it’s large enough to subdivide into many subnets without running out of space. A typical AWS VPC might be 10.0.0.0/16 split into /24 subnets per availability zone.
If you see a 10.x address on a machine, it’s almost certainly in a cloud or corporate environment.
172.16.0.0/12 — the middle ground
The 172.16–172.31 range is 16 class B blocks, giving just over a million addresses. It’s less commonly encountered in consumer contexts but frequently used in enterprise networks and Docker’s default bridge network (172.17.0.0/16).
Note the exact range: 172.16.0.0 to 172.31.255.255. 172.15.x.x and 172.32.x.x are public addresses. This is the range that trips up the most developers because the boundary doesn’t fall on a round number.
192.168.0.0/16 — home routers and small offices
The 192.168.x.x range is what you see on home networks and small office routers. With 65,536 total addresses, it’s large enough for any local network but small enough that your home router doesn’t need a complex subnetting plan. Your Wi-Fi router likely assigns addresses in 192.168.1.0/24 or 192.168.0.0/24.
CIDR notation explained
CIDR stands for Classless Inter-Domain Routing. The /N suffix on an IP address tells you how many leading bits of the address are the network portion — fixed for all hosts in that network. The remaining bits are the host portion — free to vary per device.
IPv4 addresses are 32 bits. A /24 network has 24 bits of network prefix and 8 bits of host identifier:
192.168.1.0/24
Network portion (24 bits): 11000000.10101000.00000001
Host portion (8 bits): .00000000
Available host bits: 8 → 2^8 = 256 total addresses
Usable hosts: 256 - 2 = 254
(first address = network address, last = broadcast)
The smaller the prefix number, the more addresses in the block. /8 = 16.7M addresses. /30 = 4 addresses (2 usable — often used for point-to-point links).
What is a subnet mask?
A subnet mask is just a different notation for the same information as CIDR prefix length. It’s a 32-bit number where all the network bits are 1 and all the host bits are 0.
| CIDR | Subnet mask | Host bits | Total addresses | Usable hosts |
|---|---|---|---|---|
| /8 | 255.0.0.0 | 24 | 16,777,216 | 16,777,214 |
| /12 | 255.240.0.0 | 20 | 1,048,576 | 1,048,574 |
| /16 | 255.255.0.0 | 16 | 65,536 | 65,534 |
| /24 | 255.255.255.0 | 8 | 256 | 254 |
| /28 | 255.255.255.240 | 4 | 16 | 14 |
| /30 | 255.255.255.252 | 2 | 4 | 2 |
To go from CIDR to subnet mask: write N ones followed by (32-N) zeros, then split into four 8-bit octets. /24 = 11111111.11111111.11111111.00000000 = 255.255.255.0.
To go from subnet mask to CIDR: count the leading 1 bits. 255.255.240.0 in binary is 11111111.11111111.11110000.00000000 — that’s 20 leading ones, so /20.
The 255.240.0.0 mask for the 172.16.0.0/12 block is the one that surprises people. The second octet being 240 (= 11110000) means only the top 4 bits of that octet are part of the network portion, giving a range of 172.16 through 172.31 in the second-most-significant octet position.
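The two conversions above, carried through in code as an added example (not part of the original post). The function names are hypothetical; the mask check also rejects masks whose 1 bits are not contiguous, and `describe` shows the AND with the mask that puts 172.31.x.x inside 172.16.0.0/12 and 172.32.x.x outside it.

```python
def to_int(dotted: str) -> int:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted quad: {dotted!r}")
    return int.from_bytes(bytes(octets), "big")


def to_dotted(value: int) -> str:
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def prefix_to_mask(prefix: int) -> str:
    # N ones followed by (32 - N) zeros, split into four octets.
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: {prefix}")
    return to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def mask_to_prefix(mask: str) -> int:
    # Accepts dotted decimal (Linux, Windows) or hex such as 0xffffff00 (macOS).
    bits = int(mask, 16) if mask.lower().startswith("0x") else to_int(mask)
    if not 0 <= bits <= 0xFFFFFFFF:
        raise ValueError(f"mask wider than 32 bits: {mask}")
    host_bits = bits ^ 0xFFFFFFFF
    # In a valid mask the host bits are one run of ones at the low end,
    # so host_bits + 1 is a power of two and shares no bits with host_bits.
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous mask: {mask}")
    return 32 - host_bits.bit_length()


def describe(cidr: str) -> dict:
    addr, _, prefix_text = cidr.partition("/")
    prefix = int(prefix_text)
    mask = to_int(prefix_to_mask(prefix))
    network = to_int(addr) & mask              # clear the host bits
    broadcast = network | (mask ^ 0xFFFFFFFF)  # set the host bits
    total = 1 << (32 - prefix)
    return {
        "network": to_dotted(network),
        "mask": to_dotted(mask),
        "broadcast": to_dotted(broadcast),
        "total": total,
        # The post's rule: total minus the network and broadcast addresses.
        "usable": max(total - 2, 0),
    }
```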
Common subnet sizes at a glance
| Subnet | Usable hosts | Typical use |
|---|---|---|
| /16 | 65,534 | Large VPC, corporate campus |
| /20 | 4,094 | Large availability-zone subnet |
| /24 | 254 | Standard office floor / AZ subnet |
| /25 | 126 | Split a /24 in half |
| /26 | 62 | Small team subnet |
| /27 | 30 | Small subnet |
| /28 | 14 | Small group of servers |
| /29 | 6 | Very small group |
| /30 | 2 | Point-to-point link |
The Subnet Calculator tool computes these values instantly — paste any CIDR block and get the network address, broadcast address, usable range, and host count.
The loopback address: 127.0.0.1
127.0.0.1 is the loopback address — it always refers to the local machine. The entire 127.0.0.0/8 block is reserved for loopback, but 127.0.0.1 is the conventional address. Traffic sent to 127.0.0.1 never leaves the machine; the OS intercepts it at the network stack and loops it back.
When a service says it’s listening on 127.0.0.1:8080, it accepts connections only from the same machine. If it listens on 0.0.0.0:8080, it accepts connections from any interface. This is a meaningful security distinction: a database bound to 127.0.0.1 can’t be reached from outside, even if the firewall is misconfigured.
The hostname localhost typically resolves to 127.0.0.1 (and ::1 for IPv6) via /etc/hosts.
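To check this distinction on a host, the sketch below (an added example, not from the original post) sorts listening sockets by bind address, assuming input in the column layout printed by `ss -ltn` on Linux. The sample output, ports and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the layout of `ss -ltn`; not captured from a real host.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128         127.0.0.1:5432       0.0.0.0:*
LISTEN  0       511           0.0.0.0:8080       0.0.0.0:*
LISTEN  0       128              [::]:22            [::]:*
LISTEN  0       128             [::1]:6379          [::]:*
LISTEN  0       4096    127.0.0.53%lo:53         0.0.0.0:*
LISTEN  0       4096         10.0.0.4:9100       0.0.0.0:*
"""


def exposure(host: str) -> str:
    """Classify a bind address by which interfaces it accepts connections on."""
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
    if host in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    if ipaddress.ip_address(host).is_loopback:  # 127.0.0.0/8 or ::1
        return "loopback-only"
    return "single-interface"


def audit(ss_output: str) -> list:
    """Return (port, bind address, exposure) for every LISTEN row."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or unrelated line
        host, port = fields[3].rsplit(":", 1)
        findings.append((int(port), host, exposure(host)))
    return findings


def reachable_off_host(ss_output: str) -> list:
    """Ports whose reachability depends on the firewall, not the bind address."""
    return sorted(p for p, _, exp in audit(ss_output) if exp != "loopback-only")


if __name__ == "__main__":
    for port, host, exp in audit(SAMPLE_SS):
        print(f"{port:>5}  {host:<16} {exp}")
```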
APIPA: 169.254.0.0/16
If you see an address in the 169.254.x.x range, it almost always means a network configuration failure. This range is called APIPA (Automatic Private IP Addressing) on Windows, or link-local in the broader RFC 3927 definition.
When a machine is configured to get its IP from DHCP and the DHCP server is unreachable, the OS assigns itself an address in 169.254.0.0/16 via a process of random selection and ARP-based conflict detection. It lets the machine communicate with other link-local hosts on the same segment, but not beyond — there’s no default gateway.
Seeing a 169.254.x.x address means: no DHCP response was received. This is a diagnostic signal. Check that:
- The DHCP server is running
- The network cable is connected / Wi-Fi is associated
- The DHCP service hasn’t run out of leases
The reserved link-local range is 169.254.0.0 through 169.254.255.255, with 169.254.0.x and 169.254.255.x reserved, leaving 169.254.1.0 through 169.254.254.255 for actual assignment.
IPv6 private equivalent: ULA (fc00::/7)
IPv6 has its own private address space called Unique Local Addresses (ULA), defined in RFC 4193. The range is fc00::/7, which covers fc00:: through fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.
In practice you’ll see addresses starting with fd — the fc block requires a global ID assignment procedure that almost nobody follows. A typical ULA address looks like fd12:3456:789a:1::1.
ULA addresses are not routed on the global internet, analogous to RFC 1918 ranges. They’re used for internal services that need stable addresses within a network. However, unlike IPv6’s link-local (fe80::/10) addresses, ULA addresses survive interface restarts and are meant for inter-site traffic within an organization.
If your machine has an fe80:: address, that’s IPv6 link-local — automatically assigned to every IPv6 interface, usable only on the local network segment (like IPv4 169.254.x.x, but always present, not just during DHCP failure).
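The ranges covered so far (RFC 1918, loopback, 169.254.0.0/16, ULA, IPv6 link-local) as one classifier, an added example that is not part of the original post and uses Python's standard `ipaddress` module. The labels and function name are hypothetical; it goes slightly beyond the text by unwrapping IPv4-mapped IPv6 addresses, and "not-listed" means only that the address is in none of the ranges this post names.

```python
import ipaddress

# Ranges named in this post, with a label for each.
RANGES = [
    ("loopback", "127.0.0.0/8"),
    ("rfc1918", "10.0.0.0/8"),
    ("rfc1918", "172.16.0.0/12"),
    ("rfc1918", "192.168.0.0/16"),
    ("link-local", "169.254.0.0/16"),
    ("loopback", "::1/128"),
    ("ula", "fc00::/7"),
    ("link-local", "fe80::/10"),
]
NETWORKS = [(label, ipaddress.ip_network(cidr)) for label, cidr in RANGES]


def classify(text: str) -> str:
    """Return the label of the range containing `text`, or "not-listed"."""
    # Drop an interface zone such as the %en0 that ifconfig prints.
    ip = ipaddress.ip_address(text.split("%")[0])
    # ::ffff:10.0.0.4 is the IPv4 address 10.0.0.4 in IPv6 form; classify
    # the embedded address so it gets the same label either way.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    for label, net in NETWORKS:
        if ip.version == net.version and ip in net:
            return label
    return "not-listed"


if __name__ == "__main__":
    # Constructed inputs, including both edges of the 172.16.0.0/12 block.
    for sample in ("172.15.255.255", "172.16.0.0", "172.31.255.255",
                   "172.32.0.0", "169.254.10.20", "fd12:3456:789a:1::1",
                   "fe80::1c2d:3e4f:5a6b:7c8d%en0", "::ffff:10.0.0.4"):
        print(f"{sample:<32} {classify(sample)}")
```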
Reading your machine’s network config
Linux (ip addr)
$ ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
link/ether 00:15:5d:01:ca:05 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.4/24 brd 10.0.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::215:5dff:fe01:ca05/64 scope link
valid_lft forever preferred_lft forever
Key fields:
- inet 10.0.0.4/24 — IPv4 address with CIDR prefix
- brd 10.0.0.255 — broadcast address (always the last address in the subnet)
- inet6 fe80::... — IPv6 link-local (always present on active interfaces)
macOS (ifconfig)
$ ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.1.105 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::1c2d:3e4f:5a6b:7c8d%en0 prefixlen 64 secured scopeid 0x6
Note that macOS shows the subnet mask in hex: 0xffffff00 = 255.255.255.0 = /24.
Windows (ipconfig)
C:\> ipconfig
Ethernet adapter Ethernet:
IPv4 Address. . . . : 192.168.0.25
Subnet Mask . . . . : 255.255.255.0
Default Gateway . . : 192.168.0.1
Windows shows the dotted-decimal subnet mask. To get the CIDR equivalent, count the 1 bits: 255.255.255.0 = /24.
To see more detail including DNS and lease information, use ipconfig /all.
Written by Mian Ali Khalid. Part of the Dev Productivity pillar.