Arrowmail - Email Services for today's Business

Also On This Page


Advice on Choosing the best Range of IP Addresses
to use on your LAN

How Network Address Translation saved the Internet

In order for a computer to connect to the Internet it must have an IP address.
There are around 4 billion possible IP addresses ranging between:- and
and, excluding a few ranges set aside for special purposes, most are valid for use on the Internet.

Even 12 years ago it looked as though this large amount of IP addresses would soon be
used up - then Network Address Translation (NAT) came to the rescue.
This allows hundreds of computers to connect to the Internet, at the same time, through a single computer, or router, which needs only one of the precious Internet IP addresses.

A NAT Router forwards requests from an internal computer onto the Internet using its single Internet IP address as the source address. When the reply comes back from the Internet site, the NAT Router remembers which internal PC issued the original request and routes the
reply back to this originating computer
By using different source TCP ports, a NAT Router can handle simultaneous requests to the same Internet destination from multiple internal computers.
All these internal computers still need to have IP addresses, so several IP address ranges
have been withdrawn from use on the Internet itself and reserved for use on internal
networks, operating from behind a NAT Router.
These reserved IP addresses can be used, over and over again, on tens of thousands of LANs throughout the world.
The reserved IP address ranges are shown in the table below:-

In theory, 64,000 PCs can operate behind one NAT router.

NAT is sometimes and perhaps more accurately, called Port Address Translation (PAT) but NAT is what it's commonly known as.

Internet IP addresses are sometimes called Public IP addresses
while Internal LAN IP addresses are sometimes called Private IP addresses.

Start Address

End Address

Number of Individual
IP Addresses




There is another range of IP addresses that don't appear on the Internet and are reserved for private networks:- to

This is called the APIPA range (Ah-peep-ah) - Automatic Private IP Addressing.
Microsoft has incorporated this into all versions of Windows.
The theory is that if a workstation has been set to get its IP address from DHCP, but no DHCP server responds to the workstation's broadcast, then, using the principle that any IP address is better than none, the workstation picks an IP address for itself, at random, from the APIPA range.
The workstation may then be able to communicate with other workstations in a similar situation but it almost certainly won't be able to access any server resources or the Internet.
In my experience the APIPA system gives nothing but trouble!
I would much prefer that a DHCP-enabled computer that can't contact a DHCP server throws up a warning message on the screen rather than silently deciding to take an APIPA address and pretend everything's OK.
You can disable APIPA or even set static IP parameters to use, should no answer be forthcoming from a DHCP server, but APIPA is enabled by default.

Don't purposely choose to use any of the APIPA IP addresses on your internal network unless your express aim is to cause confusion.

Loopback IP Addresses

For completeness I'll also mention another range of IP addresses not found on either the Internet or on private LANs:- to

This range is called the Loopback Address Range.
Every PC running TCP/IP has a virtual network adaptor (one that is implemented in software but not connected to any real hardware) and all the IP addresses in the Loopback range, except the first and last, are assigned to this adaptor, although we normally only refer to address which has the DNS name "localhost".
Loopback IP addresses are only used for testing and to allow processes running on a single computer to talk to each other, as any data sent out on this interface is immediately received back on it again (it's looped back).
As far as this discussion is concerned, Loopback Addresses are not suitable for use on any network and are just another 16 million addresses lost from the available pool.


Which range of IP addresses should I choose for my LAN?

The choice is so big it's hard to know which range you should choose for your own network.
Does it matter which one you choose?
Generally no, they'll all probably work in most situations but there are some factors to consider when making your decision, particularly as you don't want to make the wrong choice now and then have to change them all again in 6 months time.

My recommendations are:-

Don't use addresses in the 172.16/172.31 range simply because I've never come across any network that uses them .
Choosing this range is therefore only likely to cause confusion.
It's also a middle-sized range that's not really required: small networks use the 192.168 range and larger networks use the range.

If your network will never ever have more than 200 computers on it, choose a range of 256 x IP addresses from the 192.168 values.

If your network has any chance of growing beyond 200 computers, may need multiple separate networks, perhaps at different locations, or requires anything at all
complicated then choose a suitable range of IP addresses from the range.

When you've chosen between the 192.168 and 10 ranges of IP addresses, which exact one should you choose?

Don't choose to as this is the most common range that is used.

Don't choose to as this is the second most common range that
is used.

Choosing these common IP ranges has 2 problems:-

In some people's minds an address range starting with 10 sounds more professional than one starting with 192.168

If you use the Windows Internet Connection Sharing feature then there is no choice, to is the only range you can use.

1 -

If knowing the internal IP range that is used on your LAN can help a hacker break into your network, they will surely try these 2 ranges.

2 -

If you need to connect to another private network via a VPN which happens to be using the same internal range on their LAN as you are on yours, the VPN will connect but no traffic will flow between the 2 LANs.
This is because when you try to connect to a device on the remote LAN, the IP routing part of Windows on your PC will assume the device is located on the local LAN.


Similarly to is another common range to avoid.

Choose an unusual, easy to remember range such as:- to
or to

Network range shorthand

To specify the range of IP addresses used on a network you usually write the first IP address in the range followed by the subnet mask such as:-

You may come across a shorthand way of writing this:-

Why does equal 24?
24 is the number of ones, counting from the left, of the subnet mask when it's represented as a binary number.
The network  subnet mask
can also be represented as:-

What to do if your LAN is larger or more complicated than normal

When you use an IP range with a subnet mask of you get 256 different IP addresses.
The very lowest one in the range is not normally assigned to a device but is used for the network name.
The very highest one in the range is also not normally used for a device and is called the Broadcast Address - every device on the LAN listens to IP packets sent to the broadcast address.
On the network with subnet mask then is the network name and is the network Broadcast Address which leaves 254 other IP addresses that can be assigned to devices.

You may see subnet masks where the 4th digit is something other than zero. This reduces the amount of IP addresses available in a network. If you ask for a block of 8 Public IP addresses from your ISP they will be allocated on a small network with a subnet mask of

Internet IP addresses are precious and can't be wasted while internal IP addresses don't
need be conserved. There is therefore no good reason to ever limit an internal IP address range to less than 256 addresses and so the 4th digit of the subnet mask should always be zero.

If you need more than 254 devices on your internal network you have 2 choices:-

"Device" is a term denoting a piece of equipment that requires an IP address.

This includes servers, workstations, printers, routers and switches.

1 -

Have 2 internal networks, both with subnet masks of connected by a router.

2 -

Reduce the 3rd digit of the subnet mask to allow more IP addresses to be available for devices on your network.

The problem with Option 1 is that you now need to purchase, configure and maintain a router.
The problem with Option 2 is that too many devices on the same network can reduce performance.

My advice is that with modern network switches you can have as many as 1022 devices on the same network.
If you have a network bigger than this then you probably also have a big enough IT department that a router or 2 won't be a problem.

The subnet mask 255.255.252 allows 1022 IP addresses for devices.
An example of such a network range is:- to

(Although to would also work, it's not traditional and so can only cause confusion.)

My recommendations are:-

If you need a network with more than 254 devices then use a network range beginning with 10 and the subnet mask of and be prepared for the differences from the networks you are familiar with.

In a network with a subnet mask where the 3rd digit smaller than 255, the "IP maths" can be confusing and look odd.
In the previous example, both of the following IP addresses are valid to use for devices:-

Detailed recommendations of how to assign the internal IP addresses
on a typical LAN

Let's assume that you've chosen to as your internal IP address range.
You still need to assign IP addresses within this range to the different types of network devices.

My recommendations are:- Your Router or whatever you set as your gateway to the Internet Your main server. If this is also your router to the Internet then keep it as 5 A second server, if you have one Your network switch. Not all switches can have (or need) an IP address assigned to them to Other special devices that require a static IP address to Your DHCP address pool for workstations A Network Attached Storage (NAS) Drive A network-attached printer A second printer

This scheme allows room for the various categories of devices to expand as required.
For larger networks, keep the same categories, in the same order but increase the amount of IP addresses in each category, as necessary.
One very large pool of DHCP addresses is OK.

Tips on configuring a DHCP server on your network

Definitely have one. It's not hard to set up and it makes managing your network's IP addresses easier.

Have only one. Router's and other devices often come with a built-in DHCP server.
If you have a Windows network then make the Windows Server your DHCP server and disable all other DHCP servers on your network.

If you have multiple servers and want a second DHCP server for redundancy then use another Windows Server as the second DCHP server and make sure that the range of IP addresses available to clients is different on each server.
As an alternative, set up a second DHCP server with identical settings to the first but keep it disabled and only enable it if the first one fails.

In the Scope Options set values for the following options:-


Default Gateway. This is your Internet router.


The main DNS server plus a second one if your network has one.
Use Windows Servers running the DNS service in preference to any other DNS server, such as those at your ISP.
It's usual for the Windows DNS server to use the router or the DNS servers at your ISP as Forwarders to resolve addresses not on your network.


Your local network's DNS name e.g. mycompany.local


Your network's WINS server. Most networks still use this service and it should be provided by a Windows server.


Set it as 0x8

Don't forget to actually install a WINS server.

On Windows Server 2003 also set these options:-

  Recommended settings for the DHCP server DNS tab

On the Advanced tab set administrator level credentials:-

  Supply administrator-level credentials to allow the DHCP server to modify DNS settings

If you are using a Windows 2003 Active Directory controller as your DHCP server, make the server a member of the built-in DNS Proxy group.

If the number of workstations requiring DHCP addresses exceed 75% of the available address pool then increase the address pool and/or reduce the lease time from the default value of 8 days to 4 days or less.

If you have server, printers etc that have static IP addresses then also set these up as reservations in the DHCP server. This has the advantages that:-


1 -

If the devices loses its settings and reverts to DHCP it will still get the correct IP settings.


2 -

The DHCP management console has a complete record of all the IP and MAC addresses used on your network.

Make sure that any firewall running on the DHCP server computer isn't blocking incoming DHCP requests to the broadcast address on UDP ports 67 and 68.


How many static IP addresses should I get from my ISP?

To allow remote access to your network, or the operation of an in-house mail-server, you need a static Public Internet IP address from your ISP.
A static IP address is one whose value never changes as opposed to a dynamic IP address where a different address is assigned every time your Internet service connects.
A static IP address usually costs between £2 and £5 extra per month.
If you want to send emails directly you should also have a DNS name assigned to your static IP address
Most ISPs offer businesses a choice of a single IP address or a group of 8.
So how many do you need?
Because Internet IP addresses are precious, a whole range of techniques have evolved to allow you to perform a multitude of different functions from behind a single IP address.
The only good reasons I can think of for having more than one Public IP address are:-

You want to operate multiple SSL websites.

You need to have 2 or more of the same type of server, using the same TCP port,  accessible from the Internet - such as 2 Terminal Servers.

I've seen several companies that opted for a block of 8 Internet addresses but only ever use one and so, for simplicity and cheapness, go for a single IP address unless you are sure that you need more.
With a single Public IP address you can use a standard ADSL/Cable router while with a block of 8 you need a special router or 2 standard routers back-to-back.

To check if a DNS name is assigned to your IP address, at the command prompt type:-
nslookup <your IP address>

This DNS name should be entered as your mail-server's masquerade name.

(Arrowmail needs 15 public IP addresses to run all of its services.)

What about using IPv6 addresses?

Everything on this webpage, besides this section, talks about Internet Protocol version 4. However, a new system called Internet Protocol version 6 (IPv6) has been designed, trialled, universally agreed on and built into the latest versions of operating systems.
There are routers and switches available that work with IPv6 which also perform any necessary IPv4-to-IPv6 conversions.
IPv6 was designed to overcome the limitations of IPv4, most notably the number of IP addresses available. Here's a comparison:-

  Number of Available IP addresses




A typical IPv6 address looks like this:-


It's 8 blocks of 4-digit hexadecimal numbers with leading zeroes omitted, and any block that is all zeroes is also omitted - hence the "double colon".

However, right now, IPv6 isn't used on the Internet and no ISP will assign you a public IPv6 address.
IPv6 is the solution to the ongoing expansion of the Internet but it's probably going to be another 20 years before it will have replaced IPv4 on the Internet.

What does this mean for your company's LAN IP address scheme?

At the moment nothing.
You could if you wished use IPv6 addresses on your LAN and buy IPv6 enabled switches and routers, but you would need to go through an IPv6-to-IPv4 convertor to access the Internet.
In the vast majority of cases this would be madness.

When IPv6 addresses go live on the Internet your ISP will probably do the conversion for you to start with, and later you'd have your own IPv6 Internet Router and IPv4 convertor.
Finally, when the Internet has completely changed over to IPv6, private LANs will use IPv6 addresses and the information and recommendations on this page will then be irrelevant.


The Prisoner on the Internet

So you've chosen the IP range for your LAN, set up the static IP address devices, configured a DHCP scope and established a DNS server on your LAN to resolve local DNS names.
Is there anything else you've forgotten to do?
Many people forget to set up a reverse DNS zone on the local DNS server.
A reverse DNS zone allows your LAN's DNS server to answer questions such as:-
"What is the name of the computer with IP address"
The answer might be something like:-

With no reverse DNS zone, your DNS server does what it does with all questions it doesn't know the answer to: it asks its big brother on the Internet who then passes the query around other DNS servers until, after a minute or so, the answer comes back "Don't know".
Because there are 10s of 1000s of computers around the world with the IP address, each with a different name, it's not a question that Internet DNS servers can ever answer.
There are so many request for DNS names of private IP addresses sent out to the Internet that a special DNS server has been set up to answer them all.
It has the the striking DNS name of and it relieves other DNS servers from the burden of answering these requests.
What answer does give in reply to requests for the DNS name of a private IP address?

It blows a raspberry.

It gives the Buddhist answer "mu" - un-ask the question.


It shouts "stop wasting my time with stupid questions."

A more technically accurate explanation is that it tells the requesting server that it's failed to authenticate when trying to register its DNS record.
This shows up as in the Event Viewer system log which an administrator might eventually spot, work out and then rectify the problem:-

Event log from

^ Top of Page ^

The server is a prisoner of other people's stupidity.

Feedback Form

Type your message below:-

Anonymous feedback is fine. If you'd like a reply then we'll need an email address to send it to.
We'll only use it to reply to your feedback, nothing else!


Email Address:

We sometimes like to publish visitor feedback, but only if you give us your permission:-

Choose a Screen Name for Published Comments:


If you prefer, you can, instead, email your comments to

^ Top of Page ^


© 2018 Arrowmail Ltd, a UK-registered company, number 4079706, registered VAT Number GB 895 0987 60
We welcome any comments about this website, good or bad. Send them to