Loading learning content...
Network Address Translation would be meaningless without a clear boundary between "private" and "public" address spaces. How does a NAT device know which addresses to translate? How can millions of independent organizations use the same IP addresses without causing global routing chaos?
The answer lies in RFC 1918, published in 1996, which formally defined three blocks of IPv4 addresses reserved exclusively for private networks. These addresses—never routed on the public Internet—form the foundation upon which NAT operates. Every home network, every corporate LAN, every data center private subnet uses these addresses.
This page provides comprehensive coverage of private address spaces: their definition, design rationale, proper usage, and the critical relationship between private addressing and NAT.
By the end of this page, you will understand the three RFC 1918 private address ranges, why these specific ranges were chosen, how to select the appropriate range for different network sizes, best practices for private address allocation, and common pitfalls to avoid. You'll also understand the relationship between private addresses and NAT operation.
Before RFC 1918, organizations had only two choices for IP addressing:
Both approaches had serious problems:
The public address problem:
The ad-hoc private address problem:
RFC 1918's solution:
Reserve specific address blocks that:
RFC 1918 was published in February 1996, replacing the earlier RFC 1597. The timing coincided with the explosive growth of the commercial Internet. The combination of private addresses (RFC 1918) and NAT (defined in RFC 1631/RFC 3022) provided the address conservation mechanism that allowed the Internet to grow from millions to billions of connected devices.
RFC 1918 designates three address blocks for private use, each from a different classful network class. This design accommodates organizations of vastly different sizes—from home networks to massive enterprises.
| Range | CIDR Notation | Address Count | First Usable | Last Usable | Original Class |
|---|---|---|---|---|---|
| 10.0.0.0 – 10.255.255.255 | 10.0.0.0/8 | 16,777,216 | 10.0.0.1 | 10.255.255.254 | Class A |
| 172.16.0.0 – 172.31.255.255 | 172.16.0.0/12 | 1,048,576 | 172.16.0.1 | 172.31.255.254 | Class B |
| 192.168.0.0 – 192.168.255.255 | 192.168.0.0/16 | 65,536 | 192.168.0.1 | 192.168.255.254 | Class C |
Understanding each range:
10.0.0.0/8 — The Enterprise Block
This single Class A network provides over 16 million addresses. It's the largest private address block and the most flexible for large-scale private networks.
172.16.0.0/12 — The Mid-Size Block
This range spans 16 contiguous Class B networks (172.16.x.x through 172.31.x.x), providing about 1 million addresses.
192.168.0.0/16 — The Small Network Block
This range has become synonymous with home and small office networks, providing about 65,000 addresses.
A frequent error is assuming all 172.x.x.x addresses are private. Only 172.16.0.0 through 172.31.255.255 are private. The ranges 172.0.0.0-172.15.255.255 and 172.32.0.0-172.255.255.255 are public IPv4 addresses owned by various organizations. Configuring addresses like 172.32.1.1 internally will cause routing conflicts with legitimate Internet destinations.
Let's examine each range in greater depth, including how to calculate subnets, determine usable addresses, and understand the binary structure.
Binary Structure:
10.0.0.0/8 in binary:
Network portion (8 bits) | Host portion (24 bits)
0 0 0 0 1 0 1 0 | X X X X X X X X . X X X X X X X X . X X X X X X X X
(10) | (0-255) . (0-255) . (0-255)
Address Range Breakdown:
Subnetting Examples:
| Subnet | Addresses | Typical Use Case |
|---|---|---|
| 10.0.0.0/8 | 16,777,216 | Entire private block |
| 10.0.0.0/16 | 65,536 | Large regional/datacenter segment |
| 10.0.0.0/24 | 256 | Typical LAN subnet |
| 10.1.0.0/16 | 65,536 | Second data center |
| 10.100.0.0/16 | 65,536 | Cloud workload segment |
| 10.254.0.0/16 | 65,536 | Management network |
Selecting the appropriate private address range requires considering current needs, future growth, potential conflicts, and organizational structure. This is an architectural decision with long-term implications.
| Consideration | 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16 |
|---|---|---|---|
| Organization Size | Large enterprise, cloud | Mid-size company | Small business, home |
| Expected Growth | Massive scalability | Moderate growth | Limited growth |
| VPN/Partner Conflicts | Less common conflicts | Moderate conflict risk | High conflict probability |
| Subnet Flexibility | Excellent | Good | Adequate |
| Recognition/Familiarity | Enterprise standard | Less common | Universally known |
The VPN Conflict Problem:
When organizations establish VPN connections—whether site-to-site or remote access—overlapping address spaces create routing nightmares. Consider this scenario:
Scenario: Company A (192.168.1.0/24) needs VPN access to Company B (also 192.168.1.0/24)
Problem: When a host in Company A (192.168.1.50) tries to reach a host in Company B (192.168.1.100), the local routing table sends traffic to the local subnet, not through the VPN tunnel. Both networks claim the same address space!
Solutions:
For enterprises, use 10.0.0.0/8 with an internal allocation strategy:
• 10.{region}.{site}.{subnet}/24 — Embed location in address (e.g., 10.1.1.0 = Region 1, Site 1) • 10.{department}.{vlan}.0/24 — Encode organizational structure • Reserve specific ranges — Keep 10.0.0.0/16 for infrastructure, 10.255.0.0/16 for management
Document your allocation scheme in a central IPAM (IP Address Management) system.
While RFC 1918 defines the primary private address ranges, several other special-purpose address blocks exist that network engineers must understand. These serve specific functions and should never be used for general private networking.
| Range | CIDR | Purpose | RFC |
|---|---|---|---|
| 127.0.0.0 – 127.255.255.255 | 127.0.0.0/8 | Loopback (localhost) | RFC 1122 |
| 169.254.0.0 – 169.254.255.255 | 169.254.0.0/16 | Link-local (APIPA) | RFC 3927 |
| 100.64.0.0 – 100.127.255.255 | 100.64.0.0/10 | Carrier-grade NAT (CGNAT) | RFC 6598 |
| 192.0.0.0 – 192.0.0.255 | 192.0.0.0/24 | IETF protocol assignments | RFC 6890 |
| 192.0.2.0 – 192.0.2.255 | 192.0.2.0/24 | Documentation (TEST-NET-1) | RFC 5737 |
| 198.51.100.0 – 198.51.100.255 | 198.51.100.0/24 | Documentation (TEST-NET-2) | RFC 5737 |
| 203.0.113.0 – 203.0.113.255 | 203.0.113.0/24 | Documentation (TEST-NET-3) | RFC 5737 |
| 224.0.0.0 – 239.255.255.255 | 224.0.0.0/4 | Multicast | RFC 5771 |
| 240.0.0.0 – 255.255.255.254 | 240.0.0.0/4 | Reserved (future use) | RFC 1112 |
| 255.255.255.255 | /32 | Limited broadcast | RFC 919 |
Key ranges to understand:
127.0.0.0/8 — Loopback
Traffic destined for any address in this range never leaves the host. It's used for local testing and inter-process communication. While the entire /8 is reserved, 127.0.0.1 ("localhost") is the conventional address.
169.254.0.0/16 — Link-Local (APIPA)
When a device cannot obtain an IP address via DHCP, it may self-assign an address from this range (Automatic Private IP Addressing). These addresses are only valid on the local link and are never routed.
100.64.0.0/10 — Carrier-Grade NAT (CGNAT)
Added in RFC 6598 (2012) for ISPs implementing NAT between customers and the Internet. This allows ISPs to share scarce public IPv4 addresses among multiple customers. This range exists specifically to avoid conflicts with customer private networks that might use RFC 1918 addresses.
Documentation Ranges (TEST-NETs)
These three ranges are reserved exclusively for use in documentation, examples, and educational materials. Using these addresses in actual networks won't cause Internet conflicts since they're never routed publicly.
If you see a device with a 169.254.x.x address, it typically indicates DHCP failure. The device couldn't reach a DHCP server and fell back to link-local self-assignment. This is a troubleshooting hint: check DHCP server availability, network connectivity to the DHCP server, and DHCP scope exhaustion.
Private addresses and NAT form an inseparable partnership. Understanding their relationship clarifies why both technologies must work together.
Why private addresses REQUIRE NAT:
Private addresses are, by design, non-routable on the public Internet. ISPs and Internet backbone routers are configured to drop packets with private source or destination addresses. This means:
NAT bridges this gap by translating private addresses to public addresses at the network boundary.
The RFC 1918 filtering requirement:
RFC 1918 explicitly states that routers at network boundaries should filter these address ranges:
"Because private addresses have no global meaning, routing information about private networks shall not be propagated on inter-enterprise links, and packets with private source or destination addresses should not be forwarded across such links." — RFC 1918, Section 5
This means:
In practice: Most responsible ISPs implement this filtering, though enforcement varies. Private addresses occasionally "leak" due to misconfiguration, but cannot establish bidirectional communication.
The NAT dependency matrix:
| Source | Destination | Without NAT | With NAT |
|---|---|---|---|
| Private → Private (same network) | Internal host | ✓ Works (local routing) | ✓ Works |
| Private → Private (different networks) | Internal host (routed) | ✓ Works if routed internally | ✓ Works |
| Private → Public | Internet host | ✗ Blocked at ISP | ✓ Works |
| Public → Private | Internal server | ✗ Unroutable | ✓ With Static NAT/Port Forward |
Effective private address management prevents conflicts, simplifies troubleshooting, and scales with organizational growth. These best practices reflect industry experience from thousands of network deployments.
Enterprise IPv4 Addressing Plan Example========================================== Master Range: 10.0.0.0/8 Hierarchical Structure: 10.{Region}.{Site}.0/24 Region Codes: 10.1.x.x - North America 10.2.x.x - Europe 10.3.x.x - Asia Pacific 10.254.x.x - Global Infrastructure 10.255.x.x - Reserved Site Codes (within region): 10.1.1.x - NA Headquarters 10.1.2.x - NA Data Center 10.1.10.x - NA Branch Office 1 10.2.1.x - EU Headquarters 10.2.2.x - EU Data Center Subnet Purpose Codes (last octet patterns): x.x.1-10 - Network infrastructure (routers, switches) x.x.11-50 - Servers x.x.51-200 - DHCP range for workstations x.x.201-250 - Static devices (printers, IoT) x.x.251-254 - Reserved for gateways Example Allocations: 10.1.1.1 - NA HQ primary gateway 10.1.1.11 - NA HQ DNS server 10.1.1.12 - NA HQ domain controller 10.1.1.51-200 - NA HQ workstation DHCP pool 10.2.2.11 - EU DC web server cluster VIPThe following subnets are extremely common in home networks and should be avoided for corporate use to prevent remote access VPN conflicts:
• 192.168.0.0/24 • 192.168.1.0/24 • 192.168.2.0/24 • 10.0.0.0/24 • 10.0.1.0/24
Instead, use less common ranges like 10.47.x.x, 172.17.x.x, or 192.168.100+.x.
We've thoroughly covered the RFC 1918 private address spaces that form the foundation for NAT deployments worldwide. Let's consolidate the essential knowledge.
What's Next:
With private addresses understood, we'll explore the first NAT type in detail: Static NAT. Static NAT creates a permanent, one-to-one mapping between an internal host and a public IP address—essential for servers that must be consistently reachable from the Internet. We'll examine its configuration, use cases, and trade-offs compared to other NAT types.
You now have comprehensive understanding of RFC 1918 private address spaces. You know the three ranges, their sizes and purposes, why they cannot be routed on the Internet, and how to select and allocate private addresses effectively. This knowledge is essential for designing networks that work correctly with NAT.