Netmasks: the truth is out there?

Bill Moran wmoran at
Tue Apr 29 10:56:24 PDT 2003

Steve Warwick wrote:
> Hi All, 
> I know someone out there knows the truth about netmasks. All the
> documentation I can find on the net talks about "masking off" part of the IP
> address and how you can tell network from subnet and host ids.
> However, I have a knowledgeable friend who is telling me that the netmask is
> also dependent on how the hosting company has set up their routing tables
> and incorrect netmasking on my part can reduce or halt my connection.
> So the question is, who is right? Is it as simple as just masking off the
> first three octets or does the netmask interact with the router?
> Please point me to an authoritative source or if you have the time, a brief
> description of if or how the netmask has to match the router, as I am not
> sure what questions to ask my hosting company.

I don't know of any good primer for IP routing/netmasks, so I'll explain it

First, you need to know how to do a binary "and" operation.  (I'll use
& to represent and to save typing)  Basically, 1 & 1 = 1, 1 & 0 = 0,
0 & 0 = 0
On a larger scale: 255 & 240 = 240, 128 & 64 = 0, 15 & 3 = 3, 3 & 6 = 2

If you don't understand how those work out, you will not understand the
rest.  Find an explanation of binary operations such as "and" and study
it until those examples make sense to you.  Most of the people I know
who think they understand IP/netmasks and yet screw it up all the time
don't understand a basic binary and operation.

Now, once you've got that, there's a very simple equation:
IP & netmask = network number
It's that simple, but the implications are considerable:
1) When you configure a network card, you provide ip, netmask ... the
    system can calculate the network number, and from network number/
    netmask, it can determine whether or not any given IP is on that
    network or not.  This is how routing works.
2) Routers have many interfaces and netmasks.  If they're configured
    wrong, packets go the wrong way and network traffic works poorly
    (if at all)
3) On a workstation, routing is much simpler.  You have two routes of
    importance: The route to the local network and the default route.
    Using the network number/netmask equation, each packet is checked
    to see if it's on the local network: if not, it's forwarded to the
    default gateway.  If your netmask is wrong on a workstation, it's
    possible (depending on how wrong it is) for networking not to work
    at all, or only fail occasionally.
4) On a gateway, it's still pretty simple:  You have two routes based
    on IP/netmask.  The system checks each packet to see if it belongs
    on one of those, if so, that's the network card the packet is sent
    out.  Otherwise, it's forwarded to that gateway's default gateway.
    Bungled netmasks on a gateway can cause problems from complete
    failure to a few sites that are inaccessible.

Use "netstat -rn" to see your local routing table.  This should help

netstat uses a slightly different notation for netmasks: it uses the
/## notation (for example 172.16/16).  This means: "the first 16 bits
are ones and the rest are zeros".  The logic, math, etc is the same
as if you said, just the notation is shorter. (takes up
less space on the screen)

Hope this helps.

Bill Moran
Potential Technologies
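
The local-versus-gateway check described in the reply above, written out as an added example (not part of the original message); the addresses, masks and function names are constructed for illustration. It shows how a too-wide netmask on a workstation changes the next hop for only some destinations, which is why the failure can look intermittent.

```python
import socket
import struct


def to_int(dotted):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def to_dotted(value):
    """32-bit integer -> dotted-quad IPv4 string."""
    return socket.inet_ntoa(struct.pack("!I", value))


def prefix_to_mask(bits):
    """/## notation -> mask integer: `bits` ones followed by zeros."""
    return (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF


def network_number(ip, mask):
    """IP & netmask = network number."""
    return to_dotted(to_int(ip) & to_int(mask))


def next_hop(src, mask, dst, gateway):
    """Workstation decision: deliver directly if dst is on the local
    network, otherwise forward to the default gateway."""
    m = to_int(mask)
    if (to_int(dst) & m) == (to_int(src) & m):
        return "direct"
    return gateway


def compare_masks(src, gateway, right_mask, wrong_mask, destinations):
    """Return destinations whose next hop differs between the two masks."""
    diffs = []
    for dst in destinations:
        good = next_hop(src, right_mask, dst, gateway)
        bad = next_hop(src, wrong_mask, dst, gateway)
        if good != bad:
            diffs.append((dst, good, bad))
    return diffs


if __name__ == "__main__":
    # Constructed sample: host on 192.168.1.0/24 misconfigured as /16.
    dsts = ["192.168.1.20", "192.168.7.9", "10.0.0.5"]
    print(compare_masks("192.168.1.10", "192.168.1.1",
                        "255.255.255.0", "255.255.0.0", dsts))
```

Only 192.168.7.9 is affected: with the wrong mask the host tries to reach it directly on the local segment instead of sending it to the gateway, while the other two destinations behave the same under both masks.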
