Question about netmasks

 
 
Rich Grise
      02-25-2004, 05:07 AM
I'm trying to wrap my head around subnets. I think I've finally got
the thing about 10.0.0.0 with the netmask 255.0.0.0 gives me a
local address pool of 10.0.0.1 to 10.255.255.254, is that accurate?
So, it's functionally equivalent to

0000 1010.0000 0000.0000 0000.0000 0001
through
0000 1010.1111 1111.1111 1111.1111 1110;

so it could be looked at like within the 10 network, I have 0xFFFFFE
unique addresses available, flat, and the 255.255 etc is just an
artifact, right?

But now, I could use netmasks and make subnets, right? I'm still
rereading the paragraph about how the netmask makes certain computers
visible or invisible to others based on some algorithm, right?

Now, I was wondering, since there's 4 computers up front, plugged
into my own personal server in my office, IP # 10.0.0.1, and
they're variations of subnets:

10.0.0.1 Thunderbird

10.13.8.1 Vehicle
10.13.33.1 Entheos

These 3 are in my office, and my own hardware.

These other ones are up front, and nominally Joe's. (Well, except
for Quality, which is Don's.)
10.254.129.1 ABI_Chief
10.254.130.1 ABI_Front
10.254.131.1 ABI_OPS
10.254.132.1 ABI_Quality

And Thunderbird is the default gateway for all of them, and I know
it's at least a router, because it's routing this :-) but I wonder
if "router" is like a subset of "server", and then wonder about
things like, well, it's got httpd and ftpd going and answering,
does that make it a server? Well, the other two also have apache,
so they're all web servers, but I think you get my point. (or maybe
it doesn't make any difference - is it more prestigious to say,
"I run the server on our LAN" than to say, "I run the router on
our LAN"? ;-)

So I have the power to do a lot of playing around here, with IPs and
DHCP and DNS and I think I'm going to have to learn what NIS means -
I'm pretty sure NFS means Network(ed) File System, but am I supposed
to have it running, and do I? Well, anyway, I'll get to that. The
actual point of this post is a fundamental question: does it make
any kind of sense at all to split up a physical network into logical
subnets, or is it more a thing about getting past two gateways?
(i.e, can I make it so that I can see all 7 computers, but they
can only see the 4 up front and Thunderbird)

Maybe I'm looking for some philosophical grounding, so that when
I read those Fantastic Manuals ;-), the new information has some
kind of substrate to stick to. :-)

Thanks!
Rich


 
Owen Jacobson
      02-25-2004, 06:51 AM
(Partly I'm writing this for me, because it's been a while since I
actually described this to anyone. Please, feel free to correct me if I
misexplain something.)

On Wed, 25 Feb 2004 06:07:01 +0000, Rich Grise wrote:

> I'm trying to wrap my head around subnets. I think I've finally got the
> thing about 10.0.0.0 with the netmask 255.0.0.0 gives me a local address
> pool of 10.0.0.1 to 10.255.255.254, is that accurate? So, it's
> functionally equivalent to
>
> 0000 1010.0000 0000.0000 0000.0000 0001 through 0000 1010.1111 1111.1111
> 1111.1111 1110;
>
> so it could be looked at like within the 10 network, I have 0xFFFFFE
> unique addresses available, flat, and the 255.255 etc is just an
> artifact, right?


Technically you have 10.0.0.0-10.255.255.255 available, but the address
containing all-zeros in the host portion is reserved for the network
address and the address containing all-ones in the host portion is
reserved for the broadcast address. Your perception of the usable range
is accurate.

> But now, I could use netmasks and make subnets, right? I'm still
> rereading the paragraph about how the netmask makes certain computers
> visible or invisible to others based on some algorithm, right?


Network masks don't control visibility. They control routing. The
difference is important: in theory hosts on the same segment with
different IPs can always communicate with each other, network address
differences notwithstanding. However, (a) this isn't always the case (b)
it's unwise at best and (c) it's not what subnet masks are designed to do.

The algorithm is pretty simple: it's just bitwise-AND. Consider:

  10.13.8.1: 0000 1010.0000 1101.0000 1000.0000 0001
& 255.0.0.0: 1111 1111.0000 0000.0000 0000.0000 0000
----------------------------------------------------
   10.0.0.0: 0000 1010.0000 0000.0000 0000.0000 0000

Network masks generally must be continuous from the left-hand side of the
mask, so the usual notation is simply ip.ad.dr.ess/bits -- the network
mask is "bits" bits long, from the right. for instance: your example
network is 10.0.0.0/8.

> Now, I was wondering, since there's 4 computers up front, plugged into
> my own personal server in my office, IP # 10.0.0.1, and they're
> variations of subnets:
>
> 10.0.0.1 Thunderbird
>
> 10.13.8.1 Vehicle
> 10.13.33.1 Entheos
>
> These 3 are in my office, and my own hardware.


Easily 10.0.0.0/9's bottom end...

> These other ones are up front, and nominally Joe's. (Well, except for
> Quality, which is Don's.)
> 10.254.129.1 ABI_Chief
> 10.254.130.1 ABI_Front
> 10.254.131.1 ABI_OPS
> 10.254.132.1 ABI_Quality


...and the top of 10.128.0.0/9.

> And Thunderbird is the default gateway for all of them.


So far, so good.

> I wonder if "router" is like a subset of "server"


The roles are orthogonal. A router is a host that routes packets. A
server is a host that provides an end service that waits to be connected
to[0]. As you've noticed, one host can fill both roles.

> it's got httpd and ftpd going and answering, does that make it a server?


Yes. Specifically it makes it a web and ftp server.

> Well, the other two also have apache, so they're all web servers


Yes.

> So I have the power to do a lot of playing around here, with IPs and
> DHCP and DNS and I think I'm going to have to learn what NIS means


It's one of a number of methods of centralising user information (logons,
addresses, etc) on a network.

> I'm pretty sure NFS means Network File System, but am I supposed to have
> it running, and do I?


Supposed to: if you want to provide network-accessible file storage that
integrates with the unix directory structure. This is not the only way to
do this.

Are you: probably not.

> Well, anyway, I'll get to that. The actual point of this post is a
> fundamental question: does it make any kind of sense at all to split up
> a physical network into logical subnets, or is it more a thing about
> getting past two gateways? (i.e, can I make it so that I can see all 7
> computers, but they can only see the 4 up front and Thunderbird)


The way you'd do this is probably like this[1]:

            +---------------------+
 Your ISP   |                 eth1|--10.1.0.0/16--Vehicle, Entheos
----x.x.x.x-|eth0  Thunderbird    |
            |                 eth2|--10.2.0.0/16--"The 4 up front"
            +---------------------+

Notably this means that Thunderbird has *three*, not two, IP addresses --
one in each network it's attached to (10.1.0.1 and 10.2.0.1 are good
choices). Also note that 10.1.0.0/16 and 10.2.0.0/16 are
physically-separate networks. You *can* run them over the same piece of
cable (same wireless connection, etc) but it's difficult and not really
worthwhile.

Thunderbird would also have to be set up to route between the two
10.x.0.0/16 networks as well as to the internet connection.

Once you've got that, you can control visibility between subnets using
iptables to selectively DROP or REJECT packets destined from one network
to the other based on some criterion while ACCEPTing others.

From a theoretical standpoint, subnets make more sense for breaking your
network up by physical location than by role, unless the hosts sharing a
role are also (relatively) clustered physically. In your case that's
actually true, but the wording of your question doesn't make that too
clear.

[0] General definition.
[1] ...wonderful ascii-vision diagram, brought to you by Mr. Clean!
Remember to view using a fixed-width font.

--
Some say the Wired doesn't have political borders like the real world,
but there are far too many nonsense-spouting anarchists or idiots who
think that pranks are a revolution.
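
Added example, not part of the original posts: the bitwise-AND network calculation from the reply above, used to show why a flat 10.0.0.0/8 cannot be filtered at the router, followed by a FORWARD policy for the three-interface layout in the diagram. The function names, the `IPT` dry-run variable, the host addresses 10.1.0.2 and 10.2.0.2, the conntrack rule and the egress rules to eth0 are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the diagram's layout:
# eth0 = ISP, eth1 = 10.1.0.0/16 (office), eth2 = 10.2.0.0/16 (front).

# Dotted quad -> 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address into four octets
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network address of ip/bits: the bitwise AND worked by hand in the post.
netaddr() {
    mask=$(( (0xFFFFFFFF << (32 - $2)) & 0xFFFFFFFF ))
    n=$(( $(ip2int "$1") & mask ))
    echo "$(( n >> 24 & 255 )).$(( n >> 16 & 255 )).$(( n >> 8 & 255 )).$(( n & 255 ))"
}

# True when both hosts fall in the same network for this prefix length.
# Such hosts deliver to each other directly, so the router's FORWARD
# chain never sees that traffic and cannot filter it.
on_link() { [ "$(netaddr "$1" "$3")" = "$(netaddr "$2" "$3")" ]; }

# Dry run by default (prints the commands); run with IPT=iptables as root
# on the router to apply them.
IPT=${IPT:-echo iptables}

forward_policy() {
    $IPT -P FORWARD DROP                       # nothing is routed unless allowed
    # Replies to connections that were allowed to start.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Office may open connections to the front machines; no rule the other way.
    $IPT -A FORWARD -i eth1 -s 10.1.0.0/16 -o eth2 -d 10.2.0.0/16 -j ACCEPT
    # Both networks may go out through the ISP link (NAT is not shown here).
    $IPT -A FORWARD -i eth1 -s 10.1.0.0/16 -o eth0 -j ACCEPT
    $IPT -A FORWARD -i eth2 -s 10.2.0.0/16 -o eth0 -j ACCEPT
}

# Flat 10.0.0.0/8: Vehicle and ABI_Chief are on-link, so no rule can separate them.
on_link 10.13.8.1 10.254.129.1 8 && echo "/8: direct delivery, router bypassed"
# Split into /16s (10.1.0.2 and 10.2.0.2 are made-up host addresses).
on_link 10.1.0.2 10.2.0.2 16 || echo "/16: traffic crosses the router"
forward_policy
```

Forwarding itself must also be enabled on the router (net.ipv4.ip_forward=1) before the FORWARD chain is consulted at all.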

 
Owen Jacobson
      02-25-2004, 08:31 AM
On Wed, 25 Feb 2004 07:51:06 +0000, Owen Jacobson wrote:

> the network mask is "bits" bits long, from the right. for instance:
                                                 ^^^^^
> your example network is 10.0.0.0/8.


Shoot me.
 
Hactar
      02-25-2004, 07:21 PM
Rich Grise wrote:
> So, it's functionally equivalent to
>
> 0000 1010.0000 0000.0000 0000.0000 0001
> through
> 0000 1010.1111 1111.1111 1111.1111 1110;
>
> so it could be looked at like within the 10 network, I have 0xFFFFFE
> unique addresses available, flat, and the 255.255 etc is just an
> artifact, right?


Not really an artifact; binary 1111 1111 = decimal 255 = 0xFF .

--
-eben home.tampabay.rr.com/hactar
TAURUS: You will never find true happiness - what you gonna
do, cry about it? The stars predict tomorrow you'll wake up,
do a bunch of stuff and then go back to sleep. -- Weird Al
 