Private vs Public IPs (RFC 1918 Explained)

Your laptop probably has an IP like 192.168.1.42 or 10.0.0.5. Sudoflare’s server has something like 190.92.174.34. Why the difference? One is a private address (only valid inside your network), the other is a public address (reachable from anywhere on the internet).

The 3 private ranges (RFC 1918)

Range                           | CIDR           | IPs  | Common use
10.0.0.0 – 10.255.255.255       | 10.0.0.0/8     | ~16M | Large enterprises, cloud VPCs
172.16.0.0 – 172.31.255.255     | 172.16.0.0/12  | ~1M  | Mid-size networks, Docker default
192.168.0.0 – 192.168.255.255   | 192.168.0.0/16 | ~65K | Home routers, small offices

Why these ranges

RFC 1918 (1996) reserved them specifically for private use. Internet routers will NOT forward packets with these source or destination IPs. Because the ranges are never assigned as public addresses, they are guaranteed never to conflict with public IPs.

How private IPs reach the internet (NAT)

Your laptop at 192.168.1.42 can browse the web because your router does NAT (Network Address Translation):

  1. Your laptop sends a packet from 192.168.1.42 to 1.1.1.1:443
  2. Your router rewrites the source IP to its public IP and a random port: 198.51.100.5:54321
  3. 1.1.1.1 sees the request as coming from your router
  4. The reply comes back to 198.51.100.5:54321
  5. Your router looks up its NAT table and forwards the reply to 192.168.1.42

NAT deserves its own deep dive — coming up.

Other reserved ranges to know

  • 127.0.0.0/8 — loopback (your own machine)
  • 169.254.0.0/16 — link-local (auto-config when DHCP fails)
  • 100.64.0.0/10 — Carrier-Grade NAT (your ISP uses this when they’re out of public IPs)
  • 0.0.0.0/8 — “this network” / wildcard

Common confusion: cloud “private” IPs

AWS, GCP, and Azure all give you private IPs inside your VPC. These are still RFC 1918 addresses: they are “private” to your VPC and are not reachable from the internet. They become “public” only via NAT, an Internet Gateway, or Elastic IPs.

Find your IPs

# Your private IP (LAN-side)
ip addr show              # Linux
ipconfig getifaddr en0    # macOS
ipconfig                  # Windows

# Your public IP (what the internet sees)
curl ifconfig.me
curl https://api.ipify.org
curl -s https://ipinfo.io/ip

Common mistakes

  • Trying to SSH into a private IP from outside — won’t work. The internet has no idea where 192.168.x.x is.
  • Using overlapping ranges — if your home is 192.168.1.0/24 AND your VPN’s office network is 192.168.1.0/24, routes break.
  • Confusing local IP with public IP in firewall rules — allow rules need the source address as the remote side sees it (after NAT), not the private LAN address.
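
An added example (not code from the original post) covering the reserved ranges and the mistakes listed above: it classifies an address against the ranges on this page, finds overlapping subnets, and flags firewall allow-rule sources that sit inside a non-routable range. The function names, labels, and sample networks are assumptions made for the illustration.

```python
import ipaddress
from itertools import combinations

# Ranges exactly as listed on this page (label names are this example's own).
PAGE_RANGES = {
    "10.0.0.0/8": "rfc1918", "172.16.0.0/12": "rfc1918",
    "192.168.0.0/16": "rfc1918", "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link-local", "100.64.0.0/10": "cgnat",
    "0.0.0.0/8": "this-network",
}
NETS = [(ipaddress.IPv4Network(c), label) for c, label in PAGE_RANGES.items()]

def classify(addr):
    """Label an IPv4 address with the page range containing it; "unlisted" only
    means no range above matched. Malformed/non-IPv4 input raises ValueError."""
    ip = ipaddress.IPv4Address(addr)
    for net, label in NETS:
        if ip in net:
            return label
    return "unlisted"

def find_overlaps(sites):
    """Return name pairs from {name: cidr} whose subnets overlap (routes break)."""
    parsed = {name: ipaddress.IPv4Network(cidr) for name, cidr in sites.items()}
    return [(a, b) for a, b in combinations(sorted(parsed), 2)
            if parsed[a].overlaps(parsed[b])]

def lint_allow_sources(sources):
    """Flag allow-rule sources lying wholly inside a listed range: on an
    internet-facing firewall the client arrives with its post-NAT address."""
    flagged = []
    for cidr in sources:
        src = ipaddress.IPv4Network(cidr)
        hit = next((label for net, label in NETS if src.subnet_of(net)), None)
        if hit:
            flagged.append((cidr, hit))
    return flagged

# Constructed sample input, not taken from a real network.
SAMPLE_SITES = {"home": "192.168.1.0/24", "office-vpn": "192.168.1.0/24",
                "cloud-vpc": "10.20.0.0/16"}
SAMPLE_ALLOW = ["192.168.1.42/32", "198.51.100.5/32"]

if __name__ == "__main__":
    print(classify("192.168.1.42"), classify("100.64.0.1"), classify("1.1.1.1"))
    print(find_overlaps(SAMPLE_SITES))
    print(lint_allow_sources(SAMPLE_ALLOW))
```

The ranges are spelled out rather than using Python's `is_private`, which is broader than RFC 1918 (it is also true for loopback and link-local addresses).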

What to learn next

NAT and PAT — how the magic of one public IP serving thousands of devices actually works. Up next.
