Understanding IPv4, IPv6, Subnets, and VPNs – A Rambling-but-(Hopefully)-Useful Crash Course
This post was born from a late-night conversation about networking—why IPv4 feels like a cramped tavern, how IPv6 tried to clean up the mess, and how packets wander through their digital woods.
IPv4 – The Cramped Tavern
Early IPv4 networks behaved like a noisy bar where every patron yelled their business across the room. Before switches became common, network traffic was broadcast across the entire segment, and your NIC had to catch every single packet. Anything that slipped past went straight to the CPU, chewing up processing time.
Subnets were invented to quiet the room.
A subnet mask is nothing more than a fast binary filter. The NIC checks an incoming packet’s destination with a simple bitwise AND. If the result matches the local network’s address, the packet stays. If not, the NIC drops it on the floor and the CPU never sees it.
CIDR: The Subnet Shorthand
CIDR notation (/8, /16, /24, etc.) is a compact way to say how many leading bits describe the network. This prefix length determines the boundary between the Network and Host portions of the IP. Historically, IPv4 was sliced into rigid classes, but CIDR (Classless Inter-Domain Routing) fixed this by letting admins choose arbitrary prefix lengths—/12, /20, /28, whatever suited the job.
Historical IPv4 Classes
| Class | Y, fixed, for network name, X for your hosts | Usable Hosts |
|---|---|---|
| A (a /8) | Y.X.X.X |
256^3-2 |
| B (a /16) | Y.Y.X.X |
256^2-2 |
| C (a /24) | Y.Y.Y.X |
256-2 |
| CIDR | Subnet Mask | Usable Hosts |
|---|---|---|
| /24 | 255.255.255.0 | 254 |
| /28 | 255.255.255.240 | 14 |
| /30 | 255.255.255.252 | 2 |
Every IPv4 subnet has two addresses soaked into its foundations:
- Network address – the canonical name of the segment (all host bits are zero).
- Broadcast address – the “everybody listen up” shout (all host bits are one).
Broadcasting was necessary but noisy. IPv4 networks spent decades swimming in that noise.
Let’s walk this through with a concrete example — not just conceptually, but bit-by-bit, so you can actually see where the canonical network address and broadcast come from.
Example network: 192.168.14.37/28
Step 1: Convert everything to binary
- 192 → 11000000
- 168 → 10101000
- 14 → 00001110
- 37 → 00100101
So the full IP is:
11000000.10101000.00001110.00100101
Step 2: Build the subnet mask
A /28 means the first 28 bits are 1’s:
11111111.11111111.11111111.11110000
Which is 255.255.255.240.
Step 3: Bitwise AND — finding the canonical network address We AND the IP and the subnet mask:
IP: 11000000.10101000.00001110.00100101
MASK: 11111111.11111111.11111111.11110000
------------------------------------------------ AND
11000000.10101000.00001110.00100000
Now convert back:
- 11000000 → 192
- 10101000 → 168
- 00001110 → 14
- 00100000 → 32
Canonical network address: 192.168.14.32/28
Step 4: Broadcast address Take the canonical address and set all host bits (the last 4 bits, because $32 – 28 = 4$) to 1:
0010 0000 → 0010 1111
Which is decimal 47.
Broadcast address: 192.168.14.47
Range: usable hosts are 33 through 46.
This is the rhythm IPv4 always dances to: mask → AND → canonical; invert mask → OR → broadcast.
Firewalls, NAT, and Who Actually Says “No” – The Big Illusion
IPv4 was designed with the assumption that every device would have its own globally routable address. That dream collapsed as the internet grew. NAT (Network Address Translation) arrived as a desperate but clever hack: a gateway pretending to be all your devices at once.
Inside your home, business, and private networks in general your devices will have an IPv4 address from these ranges:
10.0.0.0/8172.16.0.0/12192.168.0.0/16
All NAT networks live inside these three ranges.
Outside: one solitary public IPv4 address.
The router rewrites every outgoing packet with its public IP and keeps a ledger of port numbers to remember who started what. It’s stateful, CPU-heavy work. People treat NAT as security, but it’s really just an address juggler that forces a moment of inspection.
So let’s clear the fog here.
A firewall is the bouncer. Its entire job is to enforce policy:
- “These packets may enter.”
- “These packets must die in the parking lot.”
A NAT device is something entirely different: it’s a translator and, accidentally, a very fussy chaperone.
- NAT rewrites internal IPs into a single external IP.
- NAT keeps a state table of every outbound connection.
- If a packet arrives that doesn’t match an entry in the state table, it gets dropped — not because NAT is a security device, but because it literally has no idea who requested that packet.
So NAT ends up acting like a firewall even though that’s not its intention.
In practice, consumer routers mush both together. You get:
- Firewall rules layered on top of
- NAT session tracking layered on top of
- Routing.
Which order actually happens internally? The process is complex and called the packet flow. While it varies by device, generally:
- Packet arrives.
- Destination NAT (DNAT) is performed (if needed, to translate a public IP/Port to a private IP/Port).
- Firewall rules inspect it.
- Routing decision sends it where it belongs.
- Source NAT (SNAT) is performed (if needed, to translate a private IP to a public one, just before the packet leaves the device).
Example topology (simplified):
Internet → Firewall/DNAT → NAT State Table → Routing → SNAT → LAN
Small offices and homes compress all these into one little plastic box.
IPv6 – The Internet Grows Up
IPv6 is what happens when engineers finally get to sweep the floor. It has 128-bit addresses, enough to give every star in the Milky Way its own /64.
An IPv6 address looks like:
aaaa:bbbb:cccc:dddd:eeee:ffff:gggg:hhhh
All of the symbols are hexadecimal and you rarely have to write it all because IPv6 allows zero-compression and prefixes.
- Example: The address
2001:0db8:0000:0000:130f:0000:0000:140bcan be compressed to2001:db8::130f:0:0:140busing the double-colon (::) once to replace the longest string of consecutive zero-quartets.
The Sacred Rule: Every LAN Gets a /64
IPv6 drew a hard line in the sand: standard subnets are /64.
- Upper 64 bits: the network prefix.
- Lower 64 bits: the interface ID.
The lower half exists specifically for autoconfiguration and unique identifiers. Slicing it smaller—/72, /80, /96—is technically possible but cosmically discouraged. It breaks the logic of the design by separating host networks. Slicing it bigger is how you connect network segments—/52’s show up in Data Centers, /48 at tier 2 ISP’s, /32 is doable but only the big boys connecting worlds together need that many network segments.
A /52 for an entire data center would provide for 4,096 separate IPv6 networks and 75,557,863,725,914,323,419,136 IP addresses. A /32 provides for 4,294,967,296 networks and a truly incomprehensible number of IP addresses at 79,228,162,514,264,337,593,543,950,336. Just for fun a /31 provides 8,589,934,592 networks (1 per person in the world right now!) and /30 provides over 17 billion networks. Each network has 64 bits (~18 quadrillion) worth of addresses in it.
IPv6 Bans Broadcast
IPv6 doesn’t shout. It uses multicast: targeted messages sent to specific groups.
Neighbor Discovery, Router Advertisements, and DHCPv6 all use multicast addresses (those starting with ff). The result is a network that feels more like quiet conversation than a tavern brawl.
Autoconfiguration as a First-Class Citizen
Devices can generate their own IPv6 addresses just by listening (SLAAC - Stateless Address Autoconfiguration). They often wind up with multiple addresses at once—some temporary and privacy-friendly, some stable. DNS steps in so humans don’t have to memorize anything.
IPv6 and the New Shape of Firewalls, NAT, and VPNs – The Trench Coats of Networking
IPv6 tosses NAT out the window — not because NAT was evil, but because NAT was a symptom of scarcity. With IPv6, every device gets a globally unique address. Suddenly:
- Firewalls matter more. There’s no NAT to “accidentally” drop unsolicited traffic. The firewall is the sole line of decision-making.
- Inbound traffic is possible everywhere. But only if the firewall allows it.
A VPN is a packet in a trench coat. Your device wraps its real packet in an encrypted wrapper and sends it through the public internet. The VPN endpoint unwraps it and forwards it internally as though it originated there.
The wrapper increases packet size, which is why VPNs often hit MTU (Maximum Transmission Unit) issues. If the resulting packet exceeds the common 1500-byte limit, it gets fragmented or dropped, so VPN links usually need a reduced MTU.
In IPv6, a VPN becomes more of a prefix delegation or routing exercise instead of “shove everything into this fake IPv4 address and hope.” You’re transporting subnets, not masquerading hosts.
Conclusion
IPv4 is a creature of tight constraints: tiny subnets, scavenged address space, NAT duct-tape, broadcast domains, and constant creative cheating. You fight the forest and domesticate it as best you can.
IPv6 is what happens when the forest is replanted with intent. No scarcity, no NAT, no weird contortions — but also no accidental safety nets. You have to be deliberate again: deliberate in firewall rules, deliberate in routing, deliberate in how you carve space.