Need explanation on a subnet mask issue

ndidomenico used Ask the Experts™
Here's the scenario:

Small home network made up of 3 PCs and 1 Linksys router for Internet access.
Linksys router IP:
PC1 IP address: (mine)
PC2 IP address: (my wife)
PC3 IP address: (my kid)
I've assigned all 3 PC's with: Subnet mask =  / Gateway:

I've used subnet mask in order to create 2 subnets. PC1 and PC2 are part of the 1st subnet ( while PC3 is on the second subnet ( I'm doing this so that I can somehow isolate a little bit more my son's pc from our 2 machines  (I actually got that suggestion from another post in EE earlier this week). So by doing this, he cannot ping our computers from his. Makes me feel a "little" more secure - we are also running Symantec firewall on our PC's.

Now here's the part I don't understand: while PC3 (my kid) is not able to ping addresses to 127 (works as expected), he IS ABLE to ping the router at (not expected), and his Internet access works too. Shouldn't not be reachable from his machine, like for addresses 2-127? Or is it because the Gateway IP address defined in his TCP/IP properties takes precedence over the subnet mask?

BTW, I'm quite happy that his Internet works in this scenario, but my understanding of this subnet configuration made me believe initially when I set this up that he would not have access to the router / Internet.


What is the subnet for the router?


Change to same subnet and try it

Are you sure his PC is getting a subnet mask of .128? If so, he should not be able to use the router as his gateway at all, as won't be in his subnet. The fact that he can reach the router (and the Internet) tells me that his subnet mask is really Subnet mask will always take precedence over gateways, as SM defines who is local to you (and a gateway MUST be local to you). Best way to check is to run "ipconfig /all" at a command prompt on PC3, and see what the subnet mask says.

The only other way PC3 could reach the router would be if you had two IP addresses on the router: one in the PC1 and PC2 subnet, and one in the PC3 subnet.

If all is set up correctly (as you said), PC3 will not be able to see anyone but himself, as there's no one else on his subnet (not even the gateway).
A basic primer on how subnet masks relate to default gateways:

When a PC initiates communication to another host via name, the first step is to resolve the name to an IP address.  The PC then performs a logical AND of the destination IP address along with the local netmask.  If the result of the AND produces the same destination network as the PC, then the PC checks its ARP cache.  If the ARP cache is empty the PC sends an ARP broadcast seeking the MAC address of the target machine, and the packet can then be sent.  If the host is remote (the result of the AND'ing results in different network addresses between the PC and the target host) the PC then sends the packet to the default gateway.

In our current society we are using technology to compensate for people's lack of understanding.  An example of this is something called "IP Proxy ARP", whereby routers can compensate for incorrectly configured hosts.  When an ip proxy-arp enabled router receives an ARP request for a different subnet, it can respond to that request even though the requesting PC is technically on a different subnet.  The router is assuming that since it is receiving the broadcast, it should be passing the packet along.

Now in your current config (router has netmask of the router THINKS it's local to PC3, so all packets will be sent without problem FROM the router TO the PC.  Provided that your information above is correct (all three PC's have a netmask ending in .128) the only logical conclusion is that your router is proxy arping.

The easiest solution to cut off all internet access for PC3 is to change the netmask on the router to as xrok suggested.
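The AND comparison from the primer above, worked through as an added example (not part of the original thread). The thread's real addresses are not shown on the page, so the 192.168.1.x values and the router's initial 255.255.255.0 mask are constructed assumptions; only the .128 host mask comes from the discussion.

```python
import ipaddress

def network_of(ip, netmask):
    """Logical AND of an address with a netmask, as the primer describes."""
    return int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(netmask))

def is_local(src_ip, src_mask, dst_ip):
    """True if src, using its OWN mask, treats dst as on-link (ARPs for it directly)."""
    return network_of(src_ip, src_mask) == network_of(dst_ip, src_mask)

def mutual_view(a, b):
    """Each side decides independently with its own mask.
    Returns (a considers b local, b considers a local)."""
    return (is_local(a["ip"], a["mask"], b["ip"]),
            is_local(b["ip"], b["mask"], a["ip"]))

# Constructed sample hosts (assumptions, not the poster's real addressing).
PC1 = {"name": "PC1", "ip": "192.168.1.10", "mask": "255.255.255.128"}
PC3 = {"name": "PC3", "ip": "192.168.1.130", "mask": "255.255.255.128"}
ROUTER_WIDE = {"name": "router", "ip": "192.168.1.1", "mask": "255.255.255.0"}
# Same router after its mask is narrowed to match the PCs.
ROUTER_NARROW = dict(ROUTER_WIDE, mask="255.255.255.128")

def report(router):
    """For each PC: (name, PC considers router local, router considers PC local)."""
    rows = []
    for pc in (PC1, PC3):
        pc_sees, router_sees = mutual_view(pc, router)
        rows.append((pc["name"], pc_sees, router_sees))
    return rows

if __name__ == "__main__":
    for label, router in (("router mask 255.255.255.0", ROUTER_WIDE),
                          ("router mask 255.255.255.128", ROUTER_NARROW)):
        print(label)
        for name, pc_sees, router_sees in report(router):
            print(f"  {name}: PC treats router as local={pc_sees}, "
                  f"router treats PC as local={router_sees}")
```

With the wide router mask, PC3 gets `(False, True)`: the router treats PC3 as local while PC3 does not treat the router as local, which is the mismatch the answer attributes to proxy ARP. With matching masks both sides agree they are on different subnets.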
Do you want to read a GREAT article about subnetting?

And one more thing you're going to love:

Enjoy and earn



Thanks for the help. I'm splitting the points between  1) xrok for having given first the answer, and 2) Genexen for confirming the answer with an excellent explanation that helped me understand more what was happening.

One comment if I may add:
How much protection am I getting from having my kid's computer on a different network in regards to viruses/worms? Can they easily infect computers that are on a different network on my LAN? (like: "If I can't ping it, I can't infect it")


Oops - I forgot to mention when I closed this question, that by changing the subnet mask to on the router (, as suggested, my kid's PC did not have access to that address anymore. Thanks
