
Subnetting & Netmasking (was Re: Firewall)



Derek Wueppelmann wrote:
> 
> > You missed his point of having the NIC on the "inside" in
> > a different subnet than that of the NIC on the "outside".
> >
> > But let me ask first:  isn't the IP on the ISP's side one
> > out of the ISP's net?  Or are you allocating one of your
> > IP to your ISP's router?

Have you considered this question?  It really _is_ a key point.

> If you could point me to a good resource on subnetting that
> would be very helpful.

Subnetting is included in these:

http://www.linuxdoc.org/HOWTO/Networking-Overview-HOWTO.html
http://www.linuxdoc.org/HOWTO/Net-HOWTO.html
http://www.linuxdoc.org/HOWTO/NET3-4-HOWTO.html

but I think it would be helpful for me to make a summary or
expansion, however it may be...

> I tried to create a subnet, it didn't seem to work, however
> I don't think I created it correctly. What I've read has so
> far gone completely over my head, I am just picking up a few
> of the small details of subnetting but not actually enough
> to create one using the tools "route" and "ifconfig", etc. 
> thanks again.

Subnetting is a routing aid, to "break" up an Internet-classed
network into smaller networks.  The Internet has three size
classes of networks, A, B & C.  The A networks have addresses
like AA.0.0.0, with 1048574 (1048576 - 2) hosts, B class
networks have addresses like AA.BB.0.0, with 65534 (65536 - 2)
hosts, and C class networks have addresses like AA.BB.CC.0,
with 254 (256 - 2) hosts.  Host addresses of all ones and
of all zeros (binary) are not supposed to be used, since
these mean "broadcast" (to all the hosts) and "the network",
hence the "- 2"'s above.  The class of network is determined
by the first few (most significant) bits.

The networking drivers of a host know how to send packets
to another host on the same network, based on the address
of the interface connecting the host to that network.  In the
case of a destination _not_ on the same network, the host
must send the packets to a router to get them to the intended
destination.  For each possible destination network, the
network drivers will consult routing information to find
a router that should get the packets there.  At last resort,
a _default_ router could be designated, which is supposed
to know how to get packets to any arbitrary network.

Subnetting is a scheme to break up networks, for various
reasons, including isolation, by extending the number of
bits used to identify the network portion of an address,
by "robbing" them from the host portion of the address.
The number of bits robbed is completely arbitrary, but
in any subnetwork, there are always two host addresses
that should not be used: all zeros, and all ones.  Hence
a network that was uniformly subnetted all the way down
to only two bits of host address would have half of
the total address space within the overall network
unusable for hosts.

The network portion of an address can be identified by
the netmask, expressed in all ones in binary, usually
translated to decimal or hexadecimal, from the most
significant bit, to the least significant used bit of
the complete address.  Hence the netmask for a class
A address is 11111111.0.0.0=FF.0.0.0=255.0.0.0, class
B has 11111111.11111111.0.0=FF.FF.0.0=255.255.0.0, and
class C has 11111111.11111111.11111111.0=FF.FF.FF.0=
255.255.255.0.  These netmasks are implied by the
class of address, and therefore, do not usually need
to be specified in interface address settings or
routing information settings.  Netmasks are also
often symbolized by something like A.B.C.0/N, where
N is the number of bits of netmasking.

Subnetting effectively ignores Internet classes, and
therefore requires explicit netmasking specification.
For an example of subnetting, a given class C might
be broken into four subnets: A.B.C.0, A.B.C.64,
A.B.C.128, and A.B.C.192.  In binary: A.B.C.00000000,
A.B.C.01000000, A.B.C.10000000, & A.B.C.11000000 .
In each of these subnets, there could be up to 62 hosts.
The netmasks for these are 255.255.255.192.

Subnetting doesn't require that each subnet be equal.
Remember, the number of bits extending the Internet-class
network address is arbitrary.  The above network might
be subnetted into nets A.B.C.0, A.B.C.8, each masked
255.255.255.248, having up to 6 hosts each, net A.B.C.16,
masked at 255.255.255.240, having up to 14 hosts, nets
A.B.C.32, A.B.C.64, and A.B.C.96, each masked 255.255.255.224,
having up to 30 hosts and a net A.B.C.128, masked
255.255.255.128, having up to 126 hosts.

There can even be subnets of subnets.  For a given host,
if there are sub-subnets, the netmasking with the most
bits ought to be tested first against the destination
address to ensure that packets get sent to the appropriate
router.

It _really_ helps to use binary to figure the netmasking:
255.128.0.0 = 11111111.10000000.0.0, hosts 0.0.1 - 127.255.254
255.192.0.0 = 11111111.11000000.0.0, hosts 0.0.1 - 63.255.254
255.224.0.0 = 11111111.11100000.0.0, hosts 0.0.1 - 31.255.254
255.240.0.0 = 11111111.11110000.0.0, hosts 0.0.1 - 15.255.254
 .
 .  [henceforth using hexadecimal for all-1 octets]
 .
255.255.255.248 = FF.FF.FF.11111000, hosts 1 - 6
255.255.255.252 = FF.FF.FF.11111100, hosts 1,2
255.255.255.254 = FF.FF.FF.11111110, no hosts, really
255.255.255.255 = FF.FF.FF.FF, no hosts, really

The last two are only usable on host-to-host connections,
with the same address on both ends.
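As an added example (not part of the original post or the HOWTOs linked above), the netmask arithmetic and the "test the netmask with the most bits first" routing rule from the message, worked in Python; 192.0.2.x and the gateway names are constructed stand-ins for the post's A.B.C.x subnets.

```python
# Added example, not from the original post: netmask arithmetic and a
# longest-prefix route lookup over subnets laid out like the unequal
# subnetting above. 192.0.2.x stands in for "A.B.C.x" (constructed values).

def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def to_dotted(n):
    """32-bit integer -> dotted-quad string."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def mask_int(bits):
    """Netmask with `bits` leading ones as an integer (bits may be 0..32)."""
    return (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF

def usable_hosts(bits):
    """Block size minus the all-zeros and all-ones addresses; /31 and /32
    have no room for that rule, hence 'no hosts, really'."""
    return max((1 << (32 - bits)) - 2, 0)

def subnet_info(addr, bits):
    """Network, broadcast, netmask and host range of the subnet holding addr."""
    mask = mask_int(bits)
    base = to_int(addr) & mask
    bcast = base | (~mask & 0xFFFFFFFF)
    hosts = usable_hosts(bits)
    return {"network": to_dotted(base), "broadcast": to_dotted(bcast),
            "netmask": to_dotted(mask), "hosts": hosts,
            "first_host": to_dotted(base + 1) if hosts else None,
            "last_host": to_dotted(bcast - 1) if hosts else None}

# Routing table shaped like the post's unequal subnets (sample gateway names).
ROUTES = [("192.0.2.0", 29, "gw-a"), ("192.0.2.8", 29, "gw-b"),
          ("192.0.2.16", 28, "gw-c"), ("192.0.2.32", 27, "gw-d"),
          ("192.0.2.64", 27, "gw-e"), ("192.0.2.96", 27, "gw-f"),
          ("192.0.2.128", 25, "gw-g"), ("0.0.0.0", 0, "default")]

def route_lookup(dest, routes=ROUTES):
    """Test the netmask with the most bits first (longest-prefix match), so a
    sub-subnet wins over its parent and the default route only catches the rest."""
    d = to_int(dest)
    for net, bits, gw in sorted(routes, key=lambda r: -r[1]):
        if d & mask_int(bits) == to_int(net) & mask_int(bits):
            return gw
    return None
```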


