Using public IP address ranges for private network

[herot]

I have been working for a small business as IT Everythinger for about 5 years now. Our local LAN was setup here before I started. Our local LAN is using 192.0.0.0 IP blocks (ie. 192.0.2.10). Is this going to bring Hell down upon my head? 200+- computers/devices BTW.

[YeOldeStonecat]

What is between your network and the internet?

Those are unusual IP ranges....still reserved...but not typical private IP ranges.

[herot]

Well one network was based on frame relay. We are in the process of killing that one. The other network is for users (one gateway Untangle server router DHCP Firewall, etc) and servers (another gateway router Firewall, etc). We have two different business class static IP internet connections, each with their own aforementioned gateway devices. The gateways do NAT. Every device has a 192.0.2.0 IP address and most have 255.255.255.0 subnets.

[YeOldeStonecat]

Untangle...cool! Love that product....use it a quite a few clients of mine, just placed an order for another one to setup at a school system.

You're behind NAT...so your computers aren't directly on public IP addresses (which was my fear based on your subject).

Your IP address isn't really public either...call it a very unique one, reserved, but not reserved as private. Try to trace route it...or enter it in an IP locator...you'll see you don't go very far.

Technically the only "damage" or bad effect that would occur if you built your "private" network using a public IP scheme...is if you needed to connect to a service on that IP address...your router wouldn't know how to deal with that. Example...say you happen to build your internal network with the same IP range as one of the ranges Google uses...such as 64.233.160.0 - 64.233.191.255. If one of your workstations launched a browser...typed in www.google.com and that was the IP range your DNS told you to go to...your router would get confused...because the same IP range is on both sides of it. (that's one of Googles IP ranges but it's probably not the range used for their www near you)

[herot]

SO, I can get by without having to change all of my 192's to 10's for now? Is this likely to be a problem in the future? I suppose with IPv6 coming IANA probably won't assign 192.0.10.0's out? You're basically saying that if there were a website out there that was 192.0.10.40 and thats a computer on my network, then I would have a problem. But, since there's not then I don't?

[YeOldeStonecat]

Shouldn't be a problem.....but at some point when the next big network/server upgrade/overhaul is...I might redo it to be more proper and rest better at night.

[herot]

Yeah, I would like to. I just don't know how I would coordinate the downtime. I have never executed a network change like that. Probably would be a weekend cram job and a week of fixing problems during the business days.

[drumstyx]

I know wikipedia's not the best of sources, but according to wikipedia, 192.0.2.x is reserved. The whole 192.x.x.x block is not. Technically there are also huge chunks up around the top of the spectrum you could use for internal routing too, though I wouldn't think any internal network needs more than the 16 million addresses in the 10.x.x.x space.

Basically; 192.0.2.x is perfectly fine, but don't assume you can use 192.0.3.x, it's very possible that it's publicly routed.

[Philip]

See RFC 5735

According to IETF:

192.0.2.0/24 - This block is assigned as "TEST-NET-1" for use in
documentation and example code. It is often used in conjunction with
domain names example.com or example.net in vendor and protocol
documentation. As described in [RFC5737], addresses within this
block do not legitimately appear on the public Internet and can be
used without any coordination with IANA or an Internet registry. See
[RFC1166].

Still, I'd rather use a non-routable addy in a proper private range if feasible as Stonecat pointed out.