Netmasks (or subnet masks) are a shorthand for referring to ranges of consecutive IP addresses in the Internet Protocol. They are used for defining networking rules in, for example, routers and firewalls.
Every entity (server or client) communicating on the internet will have a unique Internet Protocol (IP) address. Most commonly, these addresses are written in human-readable notation as follows: 192.168.0.1. This describes an IP version 4 address. (The internet is moving towards the IP version 6 standard to allow for more resources to be addressed.)
An IP address is actually just a unique binary number - IPv4 allows for around 4.3 billion addresses at one time, while IPv6 expands the address space to 3.4×10^38 addresses.
In networking, it is convenient to talk about groups of addresses. For instance, different internet providers will be awarded ‘chunks’ of consecutive addresses, so internet routers need only read the start of each IP address before deciding to pass TCP packets off to a known network node.
A netmask is a shorthand for describing a range of IP addresses. A netmask may describe just a single IP address:
192.168.0.1/32: just the address
Or all possible IP addresses:
192.168.0.1/0: all 4.3 billion addresses from
More usefully, it does something in between:
192.168.0.1/31: the IP addresses
How to read a netmask
The left hand side of a netmask (e.g. 192.168.0.1) specifies the host IP address. The right hand side (e.g. /32) specifies how many digits of the host address are significant, when considered as a binary number. Non-significant bits in the binary form are treated as a wild-card.
For instance, in the netmask
192.168.0.1/32, the host address is
This can be written in binary as
To match this netmask, an address must match exactly 32 digits - i.e. have the same binary digit in each position. This means only one address will be matched by this pattern.
192.168.0.1/31 states that the last binary digit is not
significant, so will match two addresses:
(written more readably as
192.168.0.1/30 states that the last two binary digits are not
significant, so will match four different addresses.
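
The matching rule described above, worked through in Python as an added example (not code from the original page; the function names are chosen here for illustration). It turns a netmask into a 32-bit number plus a bit mask, then reports which addresses the pattern matches and whether a given address, such as the source of a packet hitting a firewall rule, falls inside it.

```python
def parse_cidr(cidr):
    """Split 'a.b.c.d/n' into (address as a 32-bit integer, prefix length)."""
    addr_text, _, prefix_text = cidr.partition("/")
    octets = [int(part) for part in addr_text.split(".")]
    prefix = int(prefix_text)
    if len(octets) != 4 or not 0 <= prefix <= 32:
        raise ValueError(f"not an IPv4 netmask: {cidr!r}")
    # bytes() raises ValueError for any octet outside 0..255
    return int.from_bytes(bytes(octets), "big"), prefix


def to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(value):
    bits = f"{value:032b}"
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def mask_for(prefix):
    """First `prefix` bits are 1 (significant), the rest are 0 (wild-card)."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def address_range(cidr):
    """First and last address matched, and how many addresses that covers."""
    value, prefix = parse_cidr(cidr)
    mask = mask_for(prefix)
    first = value & mask                 # wild-card bits all 0
    last = first | (~mask & 0xFFFFFFFF)  # wild-card bits all 1
    return to_dotted(first), to_dotted(last), last - first + 1


def matches(cidr, candidate):
    """True when `candidate` agrees with the pattern on every significant bit."""
    value, prefix = parse_cidr(cidr)
    other, _ = parse_cidr(candidate + "/32")
    mask = mask_for(prefix)
    return (value & mask) == (other & mask)


if __name__ == "__main__":
    # The netmasks used as examples in the text above.
    for pattern in ("192.168.0.1/32", "192.168.0.1/31", "192.168.0.1/30", "192.168.0.1/0"):
        first, last, count = address_range(pattern)
        print(f"{pattern:<15} {to_binary(parse_cidr(pattern)[0])}  {first} - {last}  ({count})")
```

The wild-card bits on the left hand side are ignored when matching, so a rule written as 192.168.0.1/30 also covers 192.168.0.0. Python's own `ipaddress.ip_network` rejects such a pattern unless called with `strict=False`, which is a useful check when reviewing firewall rules.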