CipherIS

asked on

IP 10.0.1.2 / 255.0.0.0

What does IP 10.0.1.2 / 255.0.0.0 mean?

If I have this IP on a Linux server for access, does this mean that any computer

from 10.0.1.2
to 10.0.255.255

will have access?
Early Learning Coalition

/255.0.0.0 is the subnet mask same as 10.0.1.2/8
Tom Cieslik
Bottom line is, if you see 255.0.0.0 it means that in the last 3 positions the numbers can change from 0 to 254
So you can have 10.0.1.2 .....254
then 10.0.1.......254.2.....254
and 10.0......254.0....254.2......254
CipherIS

ASKER

What would 10.0.1.0/24 do?

Would it include all IPs in 10.0.1.X and all subnets (255.255.255.255)?
would include all IP from 10.0.1.1 to 10.0.1.254
/24 will change numbers ONLY on last position from 1....254

10.0.1.1........254  same like 255.255.255.0
/24 represent 255.255.255.0
How do I include 255.255.255.255?
255.255.255.255 is broadcast...why would you want that?
This mask will lock all IP so NO IP can be changed
What are you trying to accomplish?
How do I include 255.255.255.255?

If I have an IP set on a server to

172.0.1.2/24

Would a person whose IP is 172.0.1.62 with a subnet of 255.255.255.252 be blocked because of the 172.0.1.0/24?
A user is trying to access an internal website.  I was provided the VPN w/subnet.  I was provided 172.0.1.0/24 as an example.

I had the user perform an ipconfig /all

I am looking at the result.

DHCP Server = 172.0.2.62
DNS Server = 10.29.0.1
Subnet Mask = 255.255.255.252

User can't access the site via VPN.
255.255.255.252 gives you about two usable IPs.
I'm not a network person so I don't understand

255.255.255.252 gives you about two usable IPs.

So, does adding access to IP 172.0.2.0/24 give access to 172.0.2.62/255.255.255.252?
ASKER CERTIFIED SOLUTION
Patrick Bogers
This solution is only available to members.
No, it doesn't, because 172.0.2.0/24 is the same as saying anything with the IP range of 172.0.2.0 to 172.0.2.254 and subnet mask of 255.255.255.0 can access.
1. What is internal IP for your site ?
2. Did he log on successfully ?
3. There is another setting that he should set on VPN connection properties - Use gateway on remote network - should be disabled.
No, can't access the site.  Looks like I closed too early.  I'll ask a related question.
@luis Mena
255.255.255.252 gives you about two usable IPs.

Know your facts. .252 leaves you with 3 usable bits for the hosts.
2*2*2 -2 teaches you 8-2= 6 usable ip addresses. (-2 is one for network and one for broadcast)
.252 or /30 gives you 4 address -2 for network and broadcast...where you get 3 usable from?
0-3
4-7
8-11
12-15 and so on
So, If I use 172.0.2.0/30

that would give me

172.0.0.0 -> 172.255.255.255

and subnet

255.255.255.255?
no if you want to allow 172.0.2.62 with mask of 255.255.255.252 then it will be 172.0.2.60/30
You can't just use

172.0.2.0/30 to get the same result?
Luis. You have your facts wrong!!
So, what is the correct answer then?
172.0.2.0/30 to get the same result? will give you 172.0.2.1-172.0.2.2
So that won't give me 172.0.2.62 / 255.255.255.252?
no. /30 gives you 2 usable host IP and 64 subnets
172.0.2.62 is on subnet 172.0.2.60/30 with 172.0.2.63 being broadcast and 172.0.2.60 being the network
I found this

    /8 = 255.0.0.0

    /16 = 255.255.0.0

    /24 = 255.255.255.0

    /32 = 255.255.255.255

    192.168.1.0/24 = 192.168.1.0-192.168.1.255

    192.168.1.5/24 is still in the same network as above we would have to go to 192.168.2.0 to be on a different network.

    192.168.1.1/16 = 192.168.1.0-192.168.255.255

When you have a network you lose two IP addresses one for broadcast and one for the network. The first IP is reserved to refer to the network while the last ip of the range is reserved for the broadcast address.

I've attached users IPconfig.

Would example 192.168.1.0/24 give user access if the IP was added correctly to the file in Apache or do I need to use 192.168.1.0/34?
Ok let me try to answer since the second question is not completely clear.

172.0.2.0/30 Is the same as 172.0.2.0 255.255.255.253

Here you choose your network to be 172.0.2.0 with 2 bits for hosts.
So 2*2-2 = 2 usable ip address
172.0.2.0 is your network identifier (cannot use it)
172.0.2.1 is useable
172.0.2.2 is useable
172.0.2.3 is broadcast for this network (not useable)

This statement from Luis would be correct if the mask was 255.255.255.253
no if you want to allow 172.0.2.62 with mask of 255.255.255.252 then it will be 172.0.2.60/30
Ok, thanks.

And if I use 172.0.2.0/34?  I'm guessing it would allow more subnets?
/32 is the last
You cannot use mask 34, 32 is max.
The ipconfig from the picture is part of the 172.16.2.60/30 network.
So 172.16.2.61+ 62 are useable.

62 is in use so the computer with ip 172.16.2.61 can access this machine.
Ok, I changed the IP in the file to

172.16.2.0/32

Still can't access via VPN.
With mask /32 there are NO available ip address to use
Also make sure your subnet is same as on target. So 172.16.2.61/30
Ok, will change to 30.  I was checking the error log on the server.  It says below access is denied when accessing http://internal.xxxx.com/site.

70.112.220.102:53777
70.112.220.102:53776
70.195.200.221:12654

Do I need to add permission for 70.x.x.x?

If so how would I do it?

70.0.0.0/30?

For 172.16.2.61/30 I want to add 172.16.2.0 - 172.16.2.255.  Would 172.16.2.0/30 do that?
I don't get it... 70.x.x.x is a completely different range
I don't see how you want to whitelist this range (ufw?) but the range is 70.0.0.0/8

Ah, you log in via VPN... that explains it?.. no 70.x.x.x is a public IP address.
With VPN established, can you connect to 172.16.2.61?
I, unfortunately can't test it.  I'm relying on other people to test.  In the config file 172.16.2.61 is what one user is using.  IT said to add

172.16.2.0/24

but still getting 403 Forbidden.

So, I want to add 172.16.2.0 -> 172.16.2.255 so any user VPNing will be able to access.

The 70.?.?.? is what I saw in the log so I'm thinking I probably need to add that too.  

70.112.220.102:53777
70.112.220.102:53776
70.195.200.221:12654

Looking at top 2 it starts with 70.112.x.x but last one is 70.195.x.x so my question is how do I add those IP's?  I was thinking of adding 70.x.x.x so anything that starts with a 70 would have access.

Does that make sense?
I don't understand what IT's advice is about.

Let's get some things clear. 70.112.220.102 is from Austin, USA. Do you recognize it?

Next, do I understand you are trying to open a website? Hence the 403?!
If yes, the connection is working; authentication/firewall/filtering is refusing you, that's another issue.
When a user VPN's to our network and accesses a site -> http://internal.mysite.com/mypage they receive a 403 forbidden error.

I logged onto the apache server and looked at the conf file.  When looking for the website configuration it had IP's that it would allow.  

My understanding is adding the VPN IP should allow the user to access the website.  I was provided the VPN IP by the IT Dept.

I added the 172.16.2.0/32 and no one can access via VPN only internally.

So internally they can access the site but VPN they can't.

That is what I'm trying to resolve.

I looked at the error log and that is how I saw the 70.x.x.x IP's.
If you want access for 172.16.2.0 - 255 it should be 172.16.2.0/24
Remember these are private (internal) IP addresses; it is not said you have one of these IP addresses.

Check with ipconfig or ifconfig.
You did not answer my previous question: Austin USA rings a bell?
Yes, Austin rings a bell.

Ok, I had it set to 172.16.2.0/24 but users still get 403 Forbidden.

Any idea what the issue is?
Yes, that range is internal so you probably get assigned another IP address over VPN.

Check your IP addresses with VPN and without VPN; you will find 1 IP address more with VPN connected.
That range should be allowed.

Not sure how secret that website is, but I think if you temporarily allow 0.0.0.0/32 you open the site to the world, but then you know if IP filtering is your issue.
From my computer the IP is 10.29.x.x.  

That IP is allowed.  The setting is 10.0.0.0 / 255.0.0.0 in the conf file.

The below file shows the user who is attempting to VPN in.
Is that ip only present while VPN is connected?

You could allow 0.0.0.0/32 to test if IP addressing is your problem. Don't forget to delete that entry since it opens the site to the world.
Damn what a complicated story.
The picture is from the client that tries to login?!
.62 is its ip address and .61 is a dhcp server, for just one workstation?
*gordon Ramsey would say fxxxx me!*
Yes, so I'm trying to figure out why the user VPN's and access website internal.mysite.com/mypage and receives a 403 forbidden.

I added the 172.16.2.0/24 as the IT dept and you recommended and they still receive 403 Forbidden.

Any ideas?
I still have the same question about your IP address: does it only exist when connected via VPN?
Your local ip address is local significant only.
I tried 0.0.0.0/32 and still receive 403 Forbidden access to /mypage
I don't know how to answer your question regarding IP address.  I don't understand the question.
0.0.0.0/32 still forbidden? I assume you changed that in web config file and reloaded Apache right?
If yes you need to check why 403 is being issued.

Regarding ip address, check ipconfig or ifconfig with and without VPN connected.
In the output from VPN CONNECTED should be one extra ip address. What is that address?
Not sure if we must pursue this way since 0.0.0.0 would bypass this check.
Here is a simplified answer.... Your ip  address/ subnet combination tells your network stack that it can reach any other address in the same subnet directly, while all other addresses will have to go out the default route, or a route assigned to get to that other subnet....  Think of it like this.... The subnet is your own house.... If you want to send a note to the bedroom from the kitchen, you can just walk over there.... But if you want to send a note to a different house, it goes thru the postman....

If you can be a little more specific on what you are trying to do, it will help us answer. Otherwise, you will need someone on site to figure it out for you...
Yes, I added the 0.0.0.0/32.  I restarted Apache.  I tried logging in from phone and had someone else VPN.

Both receive http:// 403 forbidden.
Could you try 0.0.0.0/0 as a last try? My bed is calling.....
If that also fails, IP addressing/filtering is not your issue.
I added 0.0.0.0/0.  When I attempted to restart I received an error saying 0.0.0.0/0 appears invalid.

So, if the IP is correct that I added to the file what would cause the problem for VPN?
I've attached the ipconfig from user trying to access via VPN.  

My conf file has below

<VirtualHost *:80>
        DocumentRoot "/home/webserver/www/internal.mysite.com"
        ServerName internal.mysite.com
        <Directory "/home/webserver/www/internal.mysite.com">
                Require ip 10.0.0.0/255.0.0.0
                Require ip 127.0.0.1
                Require ip 172.16.2.0/24
                Require ip 172.16.10.0/24
                Require ip 172.16.20.0/24
        </Directory>
</VirtualHost>

Still can't access.
I tried to dig back... Can the vpn user ping the webhost by name and ip address?

If not, no amount of config changes on webhost will fix that.
Also, this might seem simple but I have seen the error many times... Did you restart apache after config changes?
I am in the process of testing to see if the site can be ping while logged onto the VPN.

Yes, I restarted apache every time after config changes.

sudo service apache2 restart
I connected computer to my phone using it as a hotspot.  

I connected to VPN.  Disconnected from internal network.  I pinged the IP to the website.  The ping failed.

I did perform a nslookup on the site and I did receive the IP address of the site via nslookup..
That means your vpn connection doesn't have a route available to the websites subnet... You would need to make sure the vpn server has not only a route to the webserver, but the subnet you create for the vpn also has a route that works.
Are 10.0.0.0.1, 10.0.0.1 and 10.0.0.2 also subnet masks? As told here by one of the members:
/255.0.0.0 is the subnet mask same as 10.0.1.2/8
10.0.0.1 or 10.0.0.2 are just ip addresses. 10.0.0.0.1 is nothing as it has too many octets.
But yes, /8 and /255.0.0.0 are 2 different ways of expressing the subnet mask. /8 is a representation of the bit mask in binary.
It says that the first 8 bits are ones as a subnet can also be represented in binary like xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx where x equals either 0 or 1.  /8 would be equivalent to 11111111.00000000.00000000.00000000. This is used in a calculation called an XOR, but we are getting very deep into the binary world of computers...
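
Added example (not part of the thread and not code from any participant): a Python check, using the standard `ipaddress` module, of which client addresses fall inside the `Require ip` ranges from the VirtualHost posted above, and of what the /30, /32 and /8 ranges discussed in the thread actually cover. The address 10.29.4.7 is a constructed stand-in for the asker's 10.29.x.x machine.

```python
import ipaddress

# Require ip entries copied from the VirtualHost posted in the thread.
ALLOWED = [
    "10.0.0.0/255.0.0.0",
    "127.0.0.1",
    "172.16.2.0/24",
    "172.16.10.0/24",
    "172.16.20.0/24",
]


def matching_ranges(client, allowed=ALLOWED):
    """Return the allow-list entries that contain the client address."""
    # Log entries in the thread look like "70.112.220.102:53777";
    # drop the source port (IPv4 only, which is all the thread uses).
    addr = ipaddress.ip_address(client.split(":")[0])
    # ip_network accepts a bare address, CIDR, or address/netmask form.
    return [e for e in allowed if addr in ipaddress.ip_network(e)]


def describe(entry):
    """Return (network, broadcast address, address count) for one range."""
    # strict=False tolerates host bits, e.g. 172.16.2.62/255.255.255.252.
    net = ipaddress.ip_network(entry, strict=False)
    return str(net), str(net.broadcast_address), net.num_addresses


if __name__ == "__main__":
    clients = [
        "10.29.4.7",             # constructed internal address (10.29.x.x)
        "172.16.2.62",           # VPN client address from the ipconfig
        "70.112.220.102:53777",  # entries seen in the Apache error log
        "70.195.200.221:12654",
    ]
    for client in clients:
        print(client, "->", matching_ranges(client) or "no matching range")

    ranges = [
        "172.16.2.62/255.255.255.252",
        "172.16.2.0/30",
        "172.16.2.0/32",
        "0.0.0.0/32",
        "10.0.1.2/8",
    ]
    for entry in ranges:
        print(entry, "->", describe(entry))
```
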