What Are RFC 1918 Private IP Addresses? A Guide for IT Professionals

If you work in IT or manage a network of any size, you have assigned IP addresses in ranges like 192.168.1.x or 10.0.0.x hundreds of times. But the document that defines those ranges — RFC 1918 — is something many working IT professionals have never actually read. That is understandable. RFCs are not light reading.

This article covers what RFC 1918 is, why it exists, what the three private ranges are and how they differ, how NAT makes private addressing work, and when to choose each range. There is also a section on CGNAT and RFC 6598, which is the "fourth private range" that your ISP is almost certainly using without advertising it.

What RFC 1918 Is and Why It Exists

RFC stands for Request for Comments. It is the document format the IETF (Internet Engineering Task Force) uses to define internet standards. RFC 1918, published in 1996, is titled "Address Allocation for Private Internets." It is a short document — about eight pages — that reserves three blocks of IPv4 address space for use inside private networks.

The reason RFC 1918 exists is simple: there are not enough IPv4 addresses to give every device in the world a unique public address. The IPv4 address space has roughly 4.3 billion addresses. That sounds like a lot until you consider that the internet now connects billions of devices. Without private addressing, the address pool would have been exhausted long before IPv6 was widely deployed.

The solution was to designate certain address blocks as private — usable inside any private network, not routable on the public internet, and recyclable. A 192.168.1.1 address inside a Kingston law firm's office has nothing to do with the 192.168.1.1 inside a Montego Bay hotel's network. They are separate spaces, both using the same addressing scheme, both hidden behind their own public IPs.

The Three Private Ranges

RFC 1918 defines exactly three blocks.

10.0.0.0/8

This is the largest private block. The entire 10.x.x.x space is yours to subdivide however you need. It is the natural choice for enterprise networks, data centres, and any environment where you need to carve up a large address space across multiple sites, VLANs, and departments without running out of room.

A typical enterprise might assign 10.1.0.0/24 to the Kingston office, 10.2.0.0/24 to Montego Bay, 10.3.0.0/24 to the server VLAN, 10.4.0.0/24 to management interfaces, and so on. With 16 million addresses available, you have enough room to grow the business significantly before address planning becomes a constraint.

172.16.0.0/12

This is the most misunderstood of the three ranges. Many people think the 172.16.x.x block ends at 172.16.255.255, but the /12 mask means the entire range from 172.16.x.x through 172.31.x.x is private. That is about one million addresses in total.

In practice, the 172.16.0.0/12 range is used less often than the other two. It is large enough for medium-sized enterprise deployments but smaller than the 10.x.x.x space, and it lacks the clean memorable quality of 192.168.x.x. You will see it used in cloud environments — AWS and GCP use this range in some default VPC configurations — and in organisations that want a range that will not conflict with common consumer device defaults.

192.168.0.0/16

This is the range almost every consumer router defaults to. If you have ever set up a home network or a small office network and seen addresses like 192.168.0.1, 192.168.1.1, or 192.168.100.x, you are looking at this range.

65,536 addresses across 256 possible /24 subnets (192.168.0.0/24 through 192.168.255.0/24) is plenty for small to medium office environments. The limitation shows up when you start connecting networks together — if two sites both use 192.168.1.0/24, you have an overlap that complicates VPN tunnels and routing. This is one of the most common problems we see when taking over network management for a Jamaican SMB that outgrew its original setup: every office was assigned 192.168.1.x years ago and nobody thought about the day they would need to connect them.

Why Private IPs Never Appear on the Public Internet: NAT Explained

Private IP addresses are non-routable on the public internet. If a packet with a 192.168.x.x source address were sent across the internet, routers would drop it. The public internet has no way to deliver a response to a private address because private addresses are not unique — the same address exists on millions of different private networks.

NAT — Network Address Translation — is what bridges private and public addressing. Your router or firewall performs NAT by rewriting the source IP on outgoing packets, replacing the private source address with the router's public IP. When the response arrives, the router checks its NAT table, reverses the translation, and forwards the packet to the correct internal device.

From the internet's perspective, all traffic from your office comes from a single public IP (or a small pool of them). The private addresses are completely invisible. The entire private network is effectively hidden behind the public IP that Flow or Digicel has assigned to your router.

This matters for security as well as address conservation. Devices on a private network behind NAT are not directly reachable from the internet unless a port forwarding rule explicitly allows it. That provides a basic level of protection — not a substitute for a proper firewall, but a meaningful barrier against casual inbound probing.

CGNAT (RFC 6598): The Fourth "Private" Range

There is a range that behaves like a private range but is not defined in RFC 1918. It is 100.64.0.0/10, covering 100.64.0.0 through 100.127.255.255. This is defined in RFC 6598 and is called CGNAT — Carrier-Grade NAT — or sometimes Shared Address Space.

CGNAT is what ISPs use when they run out of public IPv4 addresses to assign to customers. Instead of giving each customer a unique public IP, the ISP assigns addresses from the 100.64.0.0/10 range and performs NAT at the carrier level before traffic reaches the actual internet. The customer's router gets a 100.64.x.x address rather than a real public IP. The router then performs another round of NAT for the devices inside the home or office.

This double-NAT arrangement — CGNAT at the ISP, NAT at the router — creates complications for anything that requires inbound connections: VPN servers, hosted game servers, certain VoIP configurations, and remote access setups. If your clients in Jamaica are telling you their port forwarding rules are not working despite being correctly configured, CGNAT is often the explanation.

Both Flow and Digicel use CGNAT on their residential and some business connections. If a client needs a stable public IP with no CGNAT, they typically need to request a static IP add-on from the ISP, which is available on business-grade plans.

The practical test: check your current public IP and ISP. If the IP reported by an external site is different from the IP shown in your router's WAN settings, you are behind CGNAT.
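
The WAN-versus-external comparison above, together with the range boundaries that are easy to get wrong (172.16.0.0/12 runs to 172.31.255.255, 100.64.0.0/10 to 100.127.255.255), as an added Python example that is not from the original article. The function names and sample addresses are assumptions for illustration; 203.0.113.7 is a documentation address standing in for a real public IP.

```python
import ipaddress

# The three RFC 1918 blocks and the RFC 6598 shared address space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(addr):
    """Name the private block an IPv4 address falls in, or 'other'."""
    ip = ipaddress.ip_address(addr)
    for net in RFC1918:
        if ip in net:
            return f"rfc1918 {net}"
    if ip in CGNAT:
        return "rfc6598 cgnat"
    return "other"


def upstream_nat(wan_ip, external_ip):
    """Compare the router's WAN address with the address an external
    site reports, and say what kind of translation sits upstream."""
    if ipaddress.ip_address(wan_ip) == ipaddress.ip_address(external_ip):
        return "no upstream NAT: WAN address is the public address"
    kind = classify(wan_ip)
    if kind == "rfc6598 cgnat":
        return "behind CGNAT: WAN address is in 100.64.0.0/10"
    if kind.startswith("rfc1918"):
        return "behind upstream NAT: WAN address is RFC 1918"
    return "behind upstream NAT: WAN differs from external address"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real connection.
    for addr in ("172.31.255.255", "172.32.0.1", "100.64.0.1", "100.128.0.1"):
        print(addr, "->", classify(addr))
    print(upstream_nat("100.72.14.9", "203.0.113.7"))
    print(upstream_nat("203.0.113.7", "203.0.113.7"))
```
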

Subnetting Basics: How to Calculate Network Ranges

Understanding the three RFC 1918 blocks is straightforward. Subnetting within them is where the arithmetic gets involved.

A subnet mask determines how many addresses are available in a given subnet and which addresses belong to the same network. The mask is written in CIDR notation as a /number (the prefix length) or in dotted decimal (255.255.255.0, etc.).

The prefix length tells you how many bits are fixed (the network portion) and how many bits are available for host addresses. An IPv4 address is 32 bits, so a /24 subnet has 24 network bits and 8 host bits, giving 2^8 = 256 addresses, of which 254 are usable (the first is the network address, the last is the broadcast).

Key subnet sizes for reference:

CIDR    Usable Hosts    Typical Use
/30     2               Point-to-point links
/29     6               Small clusters
/28     14              Small office segment
/27     30              Small department
/26     62              Medium office floor
/25     126             Large office segment
/24     254             Standard office subnet
/23     510             Two merged /24s
/22     1,022           Campus segment
/16     65,534          Full 192.168.x.x space
/8      16,777,214      Full 10.x.x.x space

Manual subnet calculation is fine for the examples above. For anything more complex — checking whether two ranges overlap, breaking down a large block into variable-length subnets, or planning an address scheme across multiple sites — a dedicated tool is faster and less error-prone. You can calculate any subnet instantly using CheckMiIP's free subnet calculator, which handles both IPv4 and IPv6.

Common Use Cases for Each Range in Real Networks

10.0.0.0/8 — enterprise, multi-site, and data centre environments.

Use this range when you are designing a network that will grow, span multiple locations, or need clean separation between many different segments. Assign a /24 or /23 per site, per VLAN, per function. The abundant address space means you can be generous with allocations and leave room for growth without reworking the scheme.

Example scheme for a Jamaican company with three offices:

172.16.0.0/12 — cloud VPCs and environments requiring separation from consumer ranges.

If you are provisioning VPCs in AWS or Google Cloud, you will often see default assignments from this range. It is also useful when you need a range that will not conflict with the 192.168.x.x addresses that almost every client's home router uses, which matters if your staff are VPNing in from home networks.

192.168.0.0/16 — small offices, remote sites, and consumer-grade equipment.

This is appropriate for networks with a single site, fewer than a couple of hundred devices, and no plans to connect to other private networks. Understand the limitation: if this site ever needs to be connected to another site also using 192.168.x.x addresses, you will have an overlap problem to solve.

The answer to that problem is consistent address planning at the start of a project, not a refactor after the fact. For small Jamaican businesses setting up their first proper office network, the right choice is usually a /24 from the 10.x.x.x space — it costs nothing extra and avoids the overlap problem entirely if they grow.
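
A planning check for the overlap problem described above, added here as an example and not part of the original article: it lists every pair of sites whose subnets collide and picks the first unused /24 from 10.0.0.0/8. The site plan, the home-network entry and the function names are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed inventory: two offices that both kept the router default,
# plus a staff home network that will connect over VPN.
SITES = {
    "Kingston": ["192.168.1.0/24"],
    "Montego Bay": ["192.168.1.0/24", "10.2.0.0/24"],
    "Home VPN user": ["192.168.0.0/23"],
}


def find_overlaps(sites):
    """Return (site_a, site_b, net_a, net_b) for each cross-site clash.

    Subnets inside one site are not compared with each other, since a
    site may legitimately list a summary route and its parts.
    """
    nets = [(name, ipaddress.ip_network(cidr))
            for name, cidrs in sites.items() for cidr in cidrs]
    clashes = []
    for (name_a, net_a), (name_b, net_b) in combinations(nets, 2):
        if name_a != name_b and net_a.overlaps(net_b):
            clashes.append((name_a, name_b, str(net_a), str(net_b)))
    return clashes


def first_free(parent, prefixlen, used):
    """First subnet of the given size in `parent` that overlaps nothing
    in `used`, or None if the parent block is exhausted."""
    used_nets = [ipaddress.ip_network(u) for u in used]
    for candidate in ipaddress.ip_network(parent).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(u) for u in used_nets):
            return str(candidate)
    return None


if __name__ == "__main__":
    for a, b, net_a, net_b in find_overlaps(SITES):
        print(f"{a} {net_a} overlaps {b} {net_b}")
    in_use = [cidr for cidrs in SITES.values() for cidr in cidrs]
    print("next free /24:", first_free("10.0.0.0/8", 24, in_use))
```
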

For a full reference covering RFC 1918, RFC 6598, APIPA (169.254.x.x), loopback (127.0.0.1), and other special-use address blocks, see the full RFC 1918 and special-use IP reference at CheckMiIP.

Use the Free Subnet Calculator

IP address planning does not need to be done by hand. Use CheckMiIP's free subnet calculator for instant IPv4 and IPv6 subnet breakdowns — network address, broadcast, usable range, wildcard mask, and host count in one place.

If you are building out a new office network for a Jamaican business and want a second set of eyes on your address scheme before you commit to it, or if you have inherited a network with address conflicts and need help working through a clean redesign, get in touch with us. We work with businesses across Kingston, Montego Bay, and the wider island on exactly this kind of network planning work.
