Solved

Posted on 2005-03-15
Medium Priority
462 Views
Hi.
I need to let a range of 10 IP addresses through my firewall, but currently I only know how to let one through at a time.

The interface is browser based and has has the following fields (dummy data used ! ):

111.111.111.005   |  255.255.255.255(/32)  | =             |                  |

My question is:
If I want to allow through 10 IPs in the range the range from 111.111.111.001 to 111.111.111.010, can I do this by changing the subnet mask?

Thanks.
0
Question by:gjok
[X]
###### Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

• Help others & share knowledge
• Earn cash & points
• 8
• 8
• 4
• +4

LVL 10

Assisted Solution

neteducation earned 200 total points
ID: 13543837
if you put a mask of 255.255.255.240 you are letting through .0 up to .15
if you put a mask of 255.255.255.248 you are letting through 0 up to 7

these are the only possibilities you have with the subnet mask
0

LVL 3

Assisted Solution

Caltor earned 200 total points
ID: 13543865
Hi gjok,
A subnet mask of 255.255.255.224(/27) will let through 16 addresses (less 2 for network ip and broadcast=14) giving you 14 addresses. The option before that (255.255.255.240/28) would only give you 8 address (6 usable).

Cheers!
0

LVL 3

Expert Comment

ID: 13543875
gjok,
Yikes. Sorry I am wrong neteducation is right. Dodgy arithmetic.
0

LVL 11

Assisted Solution

rafael_acc earned 200 total points
ID: 13543913
Well  ... let's see:
1 - 10 in binnary is ...

0000 0001 to
0000 1010

As you can see you've got the first 4 bits in common. Therefore, your subnet mask should have the last byte 1111 000 which is 240. Concluding, your subnet mask is: 255.255.255.240.

Of course, you are also including the address range (in binary) from 0000 1011 (11) to 0000 1111 (15). But then, nothing you can do about it unless you block the last range of addresses, one by one!

The idea is that you can block addr blocks of 2^2, 2^3, 2^4, 2^5, ... etc. addresses only.

Cheers.
0

LVL 7

Expert Comment

ID: 13543934
Why don't you use 255.255.255.0 and leave 250+ IP's available?
0

LVL 57

Expert Comment

ID: 13543946
you cant start wildcard masking with a 32 bit subnet - give us an example of the IP address and subnet you are using

0

LVL 11

Expert Comment

ID: 13543964
:D ... I haven't even noticed that!!! Excelent!
Cheers.
0

LVL 2

Author Comment

ID: 13543996
Wow lots of feedback!
I am just asking my client for the exact range. Give me a half hour or so....
0

LVL 32

Accepted Solution

harbor235 earned 200 total points
ID: 13544090
If you wanted to be precise and only allow those address then you cannot use a one line policy entry, you would need to add several. If they are the only deices that need that access then thats what I would allow.

and
111.111.111.10 255.255.255.254 for addressess 10 and 11.

The only other way to include them would be to open up a larger portion of the IP address range then needed, i.e

harbor235

0

LVL 3

Expert Comment

ID: 13544145
PeteLong: what do you mean by this?
"you cant start wildcard masking with a 32 bit subnet - give us an example of the IP address and subnet you are using "
If he changes the subnet mask then it won't be a 32 bit subnet anymore will it?
Are you saying he might not own the addresses he wants to let through?
0

LVL 11

Expert Comment

ID: 13544173
He is saying that the example the author gave is wrong. I'll copy&paste it for you:

"The interface is browser based and has has the following fields (dummy data used ! ):

111.111.111.005   |  255.255.255.255(/32)  | =             |                  |"

Cheers.
0

LVL 3

Expert Comment

ID: 13544251
Still not getting it. I take that (255.255.255.255/32) to mean only let this specific address through.
0

LVL 11

Expert Comment

ID: 13544287
Yes. That's why PeteLong was saying this is not appropiate for subneting! Well ... I'll let PeteLong explain that ...
Sorry PeteLong for that.

Cheers
0

LVL 3

Expert Comment

ID: 13544468
But the asker was saying the subnet mask wants changing anyway so I can't see it's an issue.
0

LVL 2

Author Comment

ID: 13544591
The subnet mask has never been changed. Whats there is the default when creating a new entry.

Anyway, the client has come back and said they cant supply a range because "the servers are segregated into VLANS." (whatever that means), so I cant supply an actual range to demonstrate with.

0

LVL 2

Author Comment

ID: 13544640
Although my question no longer need answering, I can still use this information for future reference.

I need to work out who to give the points to - to be honest I really dont understand enough about this stuff to know who to award them too ?!?!? :(

0

LVL 3

Expert Comment

ID: 13544782
I would say that neteducation & harbor235 deserve the points.
0

LVL 11

Expert Comment

ID: 13544788
If I may ... I believe some of us left here usefull information, ... others just repeated it!
I believe it's fair enough just to split the points among all of us who realy contributed ...

Cheers.
0

LVL 3

Expert Comment

ID: 13545142
Sorry rafael_acc I was just looking for straight answers to the original question to help the asker close it.
I have no axe to grind as I don't deserve any points so hopefully feel fairly objective here.
As I see it neteducation gave a workable answer to the original question.
rafael_acc gave an explanation in binary.
Then harbor235 gave an expansion to allow just the 10 addresses. Down to the asker in the end I guess.
just my 2% of a dollar
0

LVL 11

Expert Comment

ID: 13545247
Ah ????

So why are you sorry ??? I saw your post after I submitted mine ... So, my post is not related to yours or whatever ... I don't get what's your point on the ...

"Sorry rafael_acc I was just looking for straight answers to the original question to help the asker close it.
I have no axe to grind as I don't deserve any points so hopefully feel fairly objective here"

Cheers
0

LVL 3

Expert Comment

ID: 13545555
I suggested neteducation & harbor235 and thought your post was objecting to my suggestion. I was saying sorry in case I had offended you by not including you in my suggestion.
0

LVL 11

Expert Comment

ID: 13545645
Don't worry! Is good to get some points but that's not my main objective being here! Thanks for the consideration anyway.
Cheers.
0

LVL 2

Author Comment

ID: 13558579
Hi.
Well that was hard work. I ended up splitting the point 50 each to the guys I thought helpd me most (especially rafael_acc for explaining it in great detail)
I chose harbor235 as the main answer as he demonstrated how to allow exactly 10 which was what I (originally) needed.

I hope you are all OK with this.
Many thanks to all.
0

LVL 11

Expert Comment

ID: 13558665
Thanks. Good Luck!
Cheers.
0

## Featured Post

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sitesâ€¦
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.â€¦
###### Suggested Courses
Course of the Month12 days, 15 hours left to enroll