
Hi.
I need to let a range of 10 IP addresses through my firewall, but currently I only know how to let one through at a time.

The interface is browser based and has the following fields (dummy data used!):

111.111.111.005   |  255.255.255.255(/32)  | =             |                  |

My question is:
If I want to allow through 10 IPs in the range from 111.111.111.001 to 111.111.111.010, can I do this by changing the subnet mask?

Thanks.
0
gjok
4 Solutions

Commented:
if you put a mask of 255.255.255.240 you are letting through .0 up to .15
if you put a mask of 255.255.255.248 you are letting through 0 up to 7

these are the only possibilities you have with the subnet mask
0

Commented:
Hi gjok,
A subnet mask of 255.255.255.224(/27) will let through 16 addresses (less 2 for network ip and broadcast=14) giving you 14 addresses. The option before that (255.255.255.240/28) would only give you 8 address (6 usable).

Cheers!
0

Commented:
gjok,
Yikes. Sorry I am wrong neteducation is right. Dodgy arithmetic.
0

Commented:
Well  ... let's see:
1 - 10 in binary is ...

0000 0001 to
0000 1010

As you can see you've got the first 4 bits in common. Therefore, your subnet mask should have the last byte 1111 0000 which is 240. Concluding, your subnet mask is: 255.255.255.240.

Of course, you are also including the address range (in binary) from 0000 1011 (11) to 0000 1111 (15). But then, nothing you can do about it unless you block the last range of addresses, one by one!

The idea is that you can block addr blocks of 2^2, 2^3, 2^4, 2^5, ... etc. addresses only.

Cheers.
0

Commented:
Why don't you use 255.255.255.0 and leave 250+ IP's available?
0

Technical ConsultantCommented:
you can't start wildcard masking with a 32 bit subnet - give us an example of the IP address and subnet you are using

0

Commented:
:D ... I haven't even noticed that!!! Excellent!
Cheers.
0

Author Commented:
Wow lots of feedback!
I am just asking my client for the exact range. Give me a half hour or so....
0

Commented:
If you wanted to be precise and only allow those addresses then you cannot use a one line policy entry, you would need to add several. If they are the only devices that need that access then that's what I would allow.

and
111.111.111.10 255.255.255.254 for addresses 10 and 11.

The only other way to include them would be to open up a larger portion of the IP address range than needed, i.e

harbor235

0
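A worked example, added here and not taken from any comment in this thread, that computes what rafael_acc derives by hand and what harbor235 proposes: the single mask that covers the range .1 to .10, the addresses that mask lets through beyond the ten wanted, and the exact list of address/mask entries needed to match only those ten. It uses the dummy 111.111.111.x addresses from the question and only the Python standard library.

```python
import ipaddress
from typing import List


def covering_block(first: str, last: str) -> ipaddress.IPv4Network:
    """Smallest single network that contains every address from first to last.
    Same idea rafael_acc applies by hand: keep the leading bits the two ends
    share; the mask is that many ones followed by zeros."""
    a = int(ipaddress.IPv4Address(first))
    b = int(ipaddress.IPv4Address(last))
    if a > b:
        raise ValueError("first must not be above last")
    differing = a ^ b                      # 1-bits wherever the two ends differ
    prefix = 32 - differing.bit_length()   # leading bits they have in common
    return ipaddress.ip_network(f"{first}/{prefix}", strict=False)


def extra_hosts(first: str, last: str) -> List[str]:
    """Addresses the single covering block admits beyond the wanted range
    (the .0 and .11 to .15 the thread warns about). Meant for small ranges,
    since it enumerates the whole block."""
    a = int(ipaddress.IPv4Address(first))
    b = int(ipaddress.IPv4Address(last))
    net = covering_block(first, last)
    return [str(h) for h in net if not a <= int(h) <= b]


def exact_blocks(first: str, last: str) -> List[str]:
    """Minimal list of 'address mask' entries that match exactly first..last,
    one firewall line per entry: harbor235's 'add several entries' approach."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [f"{n.network_address} {n.netmask}" for n in nets]


if __name__ == "__main__":
    # Dummy range from the question (constructed sample values).
    lo, hi = "111.111.111.1", "111.111.111.10"
    block = covering_block(lo, hi)
    print("one-line mask :", block.network_address, block.netmask)
    print("also admitted :", extra_hosts(lo, hi))
    print("exact entries :", *exact_blocks(lo, hi), sep="\n  ")
```

Run as a script it prints the /28 with mask 255.255.255.240, the six addresses that mask lets in beyond the ten requested, and the five entries that match the ten exactly.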

Commented:
PeteLong: what do you mean by this?
"you cant start wildcard masking with a 32 bit subnet - give us an example of the IP address and subnet you are using "
If he changes the subnet mask then it won't be a 32 bit subnet anymore will it?
Are you saying he might not own the addresses he wants to let through?
0

Commented:
He is saying that the example the author gave is wrong. I'll copy&paste it for you:

"The interface is browser based and has the following fields (dummy data used!):

111.111.111.005   |  255.255.255.255(/32)  | =             |                  |"

Cheers.
0

Commented:
Still not getting it. I take that (255.255.255.255/32) to mean only let this specific address through.
0

Commented:
Yes. That's why PeteLong was saying this is not appropriate for subnetting! Well ... I'll let PeteLong explain that ...
Sorry PeteLong for that.

Cheers
0

Commented:
But the asker was saying the subnet mask wants changing anyway so I can't see it's an issue.
0

Author Commented:
The subnet mask has never been changed. What's there is the default when creating a new entry.

Anyway, the client has come back and said they can't supply a range because "the servers are segregated into VLANS." (whatever that means), so I can't supply an actual range to demonstrate with.

0

Author Commented:
Although my question no longer needs answering, I can still use this information for future reference.

I need to work out who to give the points to - to be honest I really don't understand enough about this stuff to know who to award them to ?!?!? :(

0

Commented:
I would say that neteducation & harbor235 deserve the points.
0

Commented:
If I may ... I believe some of us left here useful information, ... others just repeated it!
I believe it's fair enough just to split the points among all of us who really contributed ...

Cheers.
0

Commented:
Sorry rafael_acc I was just looking for straight answers to the original question to help the asker close it.
I have no axe to grind as I don't deserve any points so hopefully feel fairly objective here.
As I see it neteducation gave a workable answer to the original question.
rafael_acc gave an explanation in binary.
Then harbor235 gave an expansion to allow just the 10 addresses. Down to the asker in the end I guess.
just my 2% of a dollar
0

Commented:
Ah ????

So why are you sorry ??? I saw your post after I submitted mine ... So, my post is not related to yours or whatever ... I don't get what's your point on the ...

"Sorry rafael_acc I was just looking for straight answers to the original question to help the asker close it.
I have no axe to grind as I don't deserve any points so hopefully feel fairly objective here"

Cheers
0

Commented:
I suggested neteducation & harbor235 and thought your post was objecting to my suggestion. I was saying sorry in case I had offended you by not including you in my suggestion.
0

Commented:
Don't worry! It's good to get some points but that's not my main objective being here! Thanks for the consideration anyway.
Cheers.
0

Author Commented:
Hi.
Well that was hard work. I ended up splitting the points 50 each to the guys I thought helped me most (especially rafael_acc for explaining it in great detail).
I chose harbor235 as the main answer as he demonstrated how to allow exactly 10 which was what I (originally) needed.

I hope you are all OK with this.
Many thanks to all.
0

Commented:
Thanks. Good Luck!
Cheers.
0
