When are non-routable IP addresses routable?

or, I’m obviously not understanding something.

So I have a private IP address of 10.x.x.x, and I’m reaching another machine with an IP of 192.168.x.x:

$ ipconfig /all
...
        IP Address. . . . . . . . . . . . : 10.x.x.x
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
...

$ ping 192.168.x.x

Pinging 192.168.x.x with 32 bytes of data:

Reply from 192.168.x.x: bytes=32 time=85ms TTL=57
Reply from 192.168.x.x: bytes=32 time=86ms TTL=57
Tracing route to 192.168.x.x over a maximum of 30 hops

  1     7 ms     1 ms     2 ms  10.x.x.1
  2    <1 ms    <1 ms    <1 ms  10.x.y.1
  3    12 ms    11 ms    11 ms  63.xxx.xx.xx
  4    85 ms    84 ms    83 ms  65.xxx.xxx.xxx
  5    78 ms    78 ms    78 ms  10.xx.xxx.25
  6    79 ms    79 ms    78 ms  10.xx.xxx.77
  7    78 ms    78 ms    78 ms  10.xx.xxx.142
  8    78 ms    78 ms    79 ms  192.168.x.x

Trace complete.

I thought the whole point of “10.x.x.x” and “192.168.x.x” addresses was that you can’t get there from here, hence the thread title. What am I not understanding?

Any “Networking / Routing for dummies” references would be appreciated!

“Non-routable” (or better, “non-routed”) simply means that these networks are not routed on the Internet in general. RFC 1989 says:

Essentially, Internet routers should not route private addresses. This doesn’t necessarily apply to home or intranet routers. I assume you’re seeing this on a home router, in which case this is a common configuration if your DSL or cable modem happen to be using an address in 192.168.0.0/16. Some routers automatically use a different private network (10.0.0.0/24 in your case) to avoid IP conflicts with the modem.

You can see your current routing table in Windows by using


route print

You should see a route to 192.168.0.0 (the network your DSL or cable modem is on) via your router’s IP on 10.0.0.0/24 (probably 10.0.0.1). This isn’t a route that a normal Internet router would ever provide.

Oops, I missed this the first time. There’s something wrong at your ISP. Either they have a misconfigured router, or something’s advertising bogus routes. You shouldn’t be able to get back onto a private network (hop 5) from a public network (the 63 and 65 networks).
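The “public hop followed by a private hop” check described above, written out as an added example (it is not from this thread): a small Python script that parses Windows tracert output, classifies each hop against the RFC 1918 ranges, and reports where the path drops back from public space into private space. The hop addresses in SAMPLE_TRACERT are constructed to mirror the thread’s pattern, not real ones.

```python
import ipaddress
import re

# RFC 1918 private ranges, spelled out rather than relying on ipaddress.is_private
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# hop number at the start of the line, IPv4 address at the end of it
HOP_RE = re.compile(r"^\s*(\d+)\s+.*?(\d{1,3}(?:\.\d{1,3}){3})\s*$")

# Constructed sample in Windows tracert layout; the addresses are made up
# to mirror the thread's private -> public -> private pattern.
SAMPLE_TRACERT = """\
Tracing route to 192.168.5.5 over a maximum of 30 hops

  1     7 ms     1 ms     2 ms  10.0.0.1
  2    <1 ms    <1 ms    <1 ms  10.1.0.1
  3     *        *        *     Request timed out.
  4    12 ms    11 ms    11 ms  63.0.0.1
  5    85 ms    84 ms    83 ms  65.0.0.1
  6    78 ms    78 ms    78 ms  10.20.30.25
  7    78 ms    78 ms    79 ms  192.168.5.5

Trace complete.
"""

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def parse_tracert(text):
    """Return [(hop, ip, private)] for each hop line ending in an IPv4 address."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:          # header, blank and 'Request timed out.' lines
            continue
        hop, ip = int(m.group(1)), m.group(2)
        hops.append((hop, ip, is_rfc1918(ip)))
    return hops

def public_to_private_transitions(hops):
    """Hop numbers where a public hop is directly followed by an RFC 1918 hop."""
    return [hop for (_, _, prev_priv), (hop, _, priv) in zip(hops, hops[1:])
            if not prev_priv and priv]

if __name__ == "__main__":
    hops = parse_tracert(SAMPLE_TRACERT)
    print("public -> private at hops:", public_to_private_transitions(hops))
```

Hops that time out are simply skipped, so the comparison is between consecutive hops that actually answered.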

As previously mentioned, non-routable addresses are not allowed on the internet. 10.x.x.x and 192.168.x.x are the typical ones. Home routers, and even fancy CISCO routers, will route these addresses on internal networks. Partly the addresses are blocked on the internet, and partly the routing tables passed around by internet routers simply do not allow advertising of routes that contain those IP numbers.

If you are getting to the internet from a machine, consider scenarios:

(a) you have a real internet address; these are somewhat rare and expensive. The packet from your machine to wherever contains your real address as the internet address. The other machine replies to your internet address. As a DSL or cable modem user, your connection uses one of these addresses typically.

(b) you have an extensive network (at work) or a small one (at home) that uses a non-routable address and a router. My home network, say, uses 192.168.0.x; when I want to go out on the internet, my packet is translated (called “NAT” Natural Address Translation) by my router. Out on the internet, my router substitutes its own real address as the “source” address in my packets. It keeps a table - for this conversation (based on IP port numbers), any reply packets to (router address) are routed to (PC address on network).

(c) for incoming, the process is somewhat different. The router needs to be programmed with a forwarding table. If an unsolicited packet arrives for port X, it was sent to the router’s external internet IP address, since that’s the only address the world knows about for my network; the router then forwards it to 192.168.x.X; it basically puts the packet onto the home network, but substitutes the internal non-routable destination address (from the forwarding table) for the external internet IP.
This is what makes a router an excellent first line of defense firewall. By default, no unsolicited packets are forwarded; only packets for the right IP port# service are forwarded.
You can see the obvious problem - I have one address on the internet, I can only have one destination for, say, port 80 (HTTP) or port 25 (eMail). I can’t put 2+ web servers or 2+ SMTP servers behind the router on non-routable addresses unless the extra ones use non-standard ports. (I.e. http://www.foo.us:8080 uses port 8080).
To generate money, DSL/cable providers use 2 tricks - they use DHCP so your home IP address may change unpredictably - making it harder to have a fixed address on the internet. Or, business internet packages will charge you for each fixed internet IP address you need. Fancy routers can have multiple IPs on the incoming port, and route the packet to different internal IPs depending on the destination internet address and port.

Then there’s VPN, or “tunneling” - my packets from my home network to the office network are “wrapped” in an encryption and forwarded router to router to the office, where that router unwraps them and puts them on that network as if my home router were plugged in to the office router. (hence “tunnelling”) The downside of this is that either (a) you still have to use NAT or (b) I better not have the same address range as the office - but everyone seems to use 192.168.1.X or 0.X so plan ahead or change everything later; the upside is that my packets are encrypted, so nobody can snoop; others from the outside internet can’t join my network; and if I don’t need NAT, then I don’t have that “one server per port” problem; good for combining a small office’s network with a bigger one.

Do you know what 192.168 device you are pinging, or is this just a random IP address?

I’m still missing something here, so permit me a more general question: Assume I have 2 machines, 192.168.1.10 and 192.168.1.20, going through my home router. We have one person at each IP browsing the dope and let’s say one person in GQ and one person in the Pit. How does the router get the correct packets to each person?

I know what the device is. This is a corporate network. I’m not responsible for it, but it’s not doing what I expect & I hate it when that happens :smiley:

Thanks for the help

  1. the router uses NAT, which remaps the outgoing and incoming ports to keep track of which machine made which request.

  2. Since you are on a private network, I would guess that your router is routing all IP addresses.

Your corporate network can have all sorts of interesting routing set up in the dozens of devices which drive the network.

The “route print” suggestion above applies to settings in your PC. There is, generally speaking, no useful way to troubleshoot infrastructure problems just from your PC. Yes, things like Ping & tracert can be useful to discover the edge of what you can reach, but they’re not informative for how to resolve that, nor are they helpful if somebody has inadvertently set up a routing loop.

Note also that it’s entirely possible for an environment to have multiple independent 10.0.x.x networks. So something which looks like a loop may not be one at all.

Wouldn’t both be coming from port 80 on the LAN side? Are you saying that a HTTP request from one computer is sent out by the router on, say, port 1423 and from the other, on port 2351 and that their replies come back on those same ports?

NAT can be complicated.

Aha.
The corporate network guys (possibly gals too, but I’m guessing mostly guys) can use any scheme they like internally. 63.x.x.x and 65.x.x.x would presumably be some of their public addresses, but internally they are also using various 10.x.x.x and 192.168.x.x networks which can’t be routed to from outside, but which their internal routers are quite happy with.

Usually, the mechanism is that the two machines’ source ports will be changed.

So you start with internal IP address 1 + source port 1, and internal IP address 2 + source port 2. They must share the same external IP address, so what the NAT device does is map another source port to each combination of internal IP address and source port, and keeps these mappings in a table. It then knows that “my source port 27665 = internal address 192.168.1.7 + source port 17004”, for example. In other words, it collapses “source port + IP address” into just “source port”, so that it can use the same external IP address for both machines.

This works for protocols that employ ports, such as TCP and UDP, which will cover most of what you would want to do on the internet. Other protocols, such as those used in Microsoft PPTP VPNs, do not use ports as such, but do have similar mechanisms that can be exploited by NAT.

Your router is the only one. Everyone else on Earth calls it ‘Network Address Translation’.

I think that you’re a bit confused. The destination port is port 80, but the source port for HTTP (or any protocol) is undefined, so the initiator of the socket gets to choose one arbitrarily.

What happens is:

Initiator sends a packet
Src IP 192.168.1.100
Src Port 18596

Dst IP 1.0.0.1
Dst Port 80

Packet arrives at NAT. NAT sends the packet with this header
Src IP 2.0.0.1
Src Port 20596

Dst IP 1.0.0.1
Dst Port 80

Packet arrives at web server. Server sends a response
Src IP 1.0.0.1
Src Port 80

Dst IP 2.0.0.1
Dst Port 20596

Response arrives at NAT. NAT translates this to
Src IP 1.0.0.1
Src Port 80

Dst IP 192.168.1.100
Dst Port 18596
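The four-step exchange above, together with the earlier description of the NAT table that collapses “internal IP + source port” into a single external source port, as an added example that is not from this thread: a hypothetical Python model of a port-overloading NAT (PAT). It uses the post’s addresses 192.168.1.100, 1.0.0.1 and 2.0.0.1, starts allocating external ports at 20596 so the first mapping matches the post, and also shows the static port forward and the “no table entry, drop it” behaviour described in an earlier reply. The `Nat` class and its method names are my own, not any router’s code.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Nat:
    """Port-overloading NAT (PAT): many inside hosts share one public IP.

    Hypothetical model, not any router's actual code. Inbound packets are
    matched on destination port only (a simplified 'full cone' behaviour).
    """

    def __init__(self, public_ip, first_port=20596):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}    # (inside_ip, inside_port) -> external port
        self.in_map = {}     # external port -> (inside_ip, inside_port)

    def forward(self, external_port, inside_ip, inside_port):
        """Static port forward: lets one chosen host receive unsolicited traffic."""
        self.in_map[external_port] = (inside_ip, inside_port)

    def translate_out(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:          # first packet of a conversation
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return Packet(self.public_ip, self.out_map[key], pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt):
        """Rewrite a reply back to the inside host, or None if it is dropped."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.in_map:
            return None                      # no table entry: unsolicited, dropped
        inside_ip, inside_port = self.in_map[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)

if __name__ == "__main__":
    nat = Nat("2.0.0.1")
    out = nat.translate_out(Packet("192.168.1.100", 18596, "1.0.0.1", 80))
    print("outbound:", out)
    print("reply:", nat.translate_in(Packet("1.0.0.1", 80, "2.0.0.1", out.src_port)))
    print("unsolicited:", nat.translate_in(Packet("1.0.0.1", 80, "2.0.0.1", 40000)))
```

Two inside hosts that happen to pick the same source port get different external ports, which is exactly why the web server can keep their replies apart.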

*Your router is the only one. Everyone else on Earth calls it ‘Network Address Translation’. *
DOH!
Yes - each conversation on an IP network is from a source IP/port to a destination IP/port.
Destinations that serve specific services are tied to known ports.
Source ports are assigned randomly.
NAT can modify the ports if necessary to prevent overlap in the outside world. Usually this is the source ports, as destination ports are usually needed to ensure the packet is interpreted properly. (My packet to straightdope.com has to go to port 80 if it is meant for HTTP.)

The idea of 2 machines behind a NAT router is no different than 2 separate IE windows or tabs open on your desktop. One can be on one forum and the other on another forum of the same site. The responding site keeps the conversations separate based on those port numbers (randomly chosen by source IP device).

To go back to the original question, yes it’s most likely that the whole path is internal and the IT guys have just used 63.x and 65.x addresses even though they were valid outside addresses. Our company did this for years because they owned the addresses, and originally did not know or care that they could use internal non-routable addresses instead; they only recently switched to 10.x.x.x; however, whole chunks of the server room still have the old numbering because it’s a pain to change the servers over and fix all the clients.

Internet routers will not route unroutable numbers, but internal networks have no problem routing among a bunch of 192’s and 10’s.

The danger is that if they do NOT own those outside number ranges (63.x is allegedly owned by Internic) then those ranges could be unreachable internally; and if DNS info or routing info accidentally escapes to the outside internet, it could mess up those clients worldwide.