Subnet Addresses
The subnet type of address is expressed using a host address and a subnet mask. From a strictly mathematical standpoint this is the most flexible of the types, because it can refer to as little as the address of one computer or as many as all of them.
It is usually used when referring to your own internal addresses, because you know what they are and they are usually administered in groups that are nicely differentiated along the lines of the old A, B, and C classes of IPv4 addresses. They are also addresses that are not likely to change when you change Internet Service Providers (ISPs).
When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts. For example, a firewall address can be:
A single host such as a single computer with the address 192.45.46.45
A range of hosts such as all of the hosts on the subnet 192.45.46.1 to 192.45.46.255
All hosts, represented by 0.0.0.0 which matches any IP address
The netmask corresponds to the subnet class of the address being added, and can be represented in either dotted decimal or CIDR format. The FortiGate unit automatically converts CIDR formatted netmasks to dotted decimal format. Example formats:
Netmask for a class A subnet of 16,777,214 usable addresses: 255.0.0.0, or /8
Netmask for a class B subnet of 65,534 usable addresses: 255.255.0.0, or /16
Netmask for a class C subnet of 254 usable addresses: 255.255.255.0, or /24
Netmask for subnetted class C of 126 usable addresses: 255.255.255.128, or /25
Netmask for subnetted class C of 62 usable addresses: 255.255.255.192, or /26
Netmask for subnetted class C of 30 usable addresses: 255.255.255.224, or /27
Netmask for subnetted class C of 14 usable addresses: 255.255.255.240, or /28
Netmask for subnetted class C of 6 usable addresses: 255.255.255.248, or /29
Netmask for subnetted class C of 2 usable addresses: 255.255.255.252, or /30
Netmask for a single computer: 255.255.255.255, or /32
Netmask used with 0.0.0.0 to include all IP addresses: 0.0.0.0, or /0
So for a single host or subnet the valid format of IP address and netmask could be either:
x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
or
x.x.x.x/x, such as 192.168.1.0/24
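The following Python sketch is an added example, not FortiGate code. It accepts an address in either of the two formats above, converts it to dotted decimal and CIDR form, counts usable hosts, and rejects masks that are not valid netmasks. The function names parse_mask and normalize and the sample entries are assumptions made for illustration.

```python
import ipaddress

def parse_mask(mask: str) -> int:
    """Return the prefix length for a CIDR ('24') or dotted-decimal netmask."""
    if mask.isdigit():
        prefix = int(mask)
        if not 0 <= prefix <= 32:
            raise ValueError(f"prefix out of range: {mask}")
        return prefix
    bits = int(ipaddress.IPv4Address(mask))  # raises ValueError if malformed
    inverted = bits ^ 0xFFFFFFFF
    # A netmask is ones followed by zeros, so its inverse plus one is a
    # power of two. Wildcard masks (0.0.0.255) and masks with holes fail here.
    if inverted & (inverted + 1):
        raise ValueError(f"not a contiguous netmask: {mask}")
    return 32 - inverted.bit_length()

def normalize(entry: str) -> dict:
    """Parse 'x.x.x.x/x' or 'x.x.x.x/x.x.x.x' and describe what it matches."""
    addr_text, sep, mask_text = entry.strip().partition("/")
    if not sep:
        raise ValueError("expected x.x.x.x/x.x.x.x or x.x.x.x/x")
    prefix = parse_mask(mask_text)
    addr = ipaddress.IPv4Address(addr_text)
    net = ipaddress.IPv4Network((int(addr), prefix), strict=False)
    # Network and broadcast addresses are not usable hosts, except on
    # /31 (point-to-point, RFC 3021) and /32 (single host).
    usable = net.num_addresses if prefix >= 31 else net.num_addresses - 2
    return {
        "dotted": f"{net.network_address}/{net.netmask}",
        "cidr": str(net),
        "usable": usable,
        # True when the address has bits set below the mask, e.g. a host IP
        # typed with /24: the mask still selects the whole subnet.
        "host_bits_set": addr != net.network_address,
    }

if __name__ == "__main__":
    # Constructed sample entries, not taken from a real configuration.
    for entry in ["192.168.1.0/24", "192.168.1.0/255.255.255.192",
                  "192.45.46.45/32", "0.0.0.0/0", "192.168.1.77/24",
                  "192.168.1.0/0.0.0.255"]:
        try:
            print(entry, "->", normalize(entry))
        except ValueError as exc:
            print(entry, "-> rejected:", exc)
```

An entry flagged with host_bits_set is worth reviewing before it is used in a policy, since an object meant for one host may have been given a subnet-wide mask.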