Private IP Ranges Explained: 192.168.x, 10.x, 172.16-31 and How They Work
Private IP ranges are three reserved IPv4 blocks defined by RFC 1918: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. They are routable inside private networks but never on the public internet. Home routers use 192.168.0.0/24 or 192.168.1.0/24 by default. Larger networks use the 10.x block. They exist because IPv4 ran out of addresses years ago, and NAT lets thousands of devices share one public IP.
Every home router on the planet hands out addresses that start with 192.168. Most office laptops sit behind 10.something. Mobile hotspots default to 192.168.43 for reasons nobody remembers. These three ranges are not arbitrary. They were carved out of the IPv4 address space in 1996 by RFC 1918 as a deliberate response to the realisation that IPv4 was running out long before the world was ready.
The three blocks total about 17.9 million addresses. They never appear on the public internet. Any router worth its firmware drops a packet sourced from 10.0.0.5 the moment it tries to leave for the wider world. That isolation is what makes them safe to use simultaneously in millions of separate networks without conflict.
The three RFC 1918 blocks
The three reserved ranges are not random sizes. Each was picked to serve a different use case in 1996, although in practice they have all blended together over time.
| CIDR | Range | Total addresses | Typical use |
|---|---|---|---|
| 10.0.0.0/8 | 10.0.0.0 to 10.255.255.255 | 16 777 216 | Large enterprises, data centres, cloud VPCs |
| 172.16.0.0/12 | 172.16.0.0 to 172.31.255.255 | 1 048 576 | Mid-size networks, Docker default, some VPN vendors |
| 192.168.0.0/16 | 192.168.0.0 to 192.168.255.255 | 65 536 | Home routers, small offices, default everything |
One detail that consistently confuses newcomers is the 172 block. It does not run from 172.0 to 172.255. It runs from 172.16 to 172.31, a span of exactly sixteen /16 networks, which together form a /12. The math comes straight from CIDR arithmetic: a /12 prefix fixes all eight bits of the first octet and the top four bits of the second, so the second octet can only vary between binary 0001 0000 and 0001 1111, which decoded is 16 through 31. Everything outside that window, like 172.15.x or 172.32.x, is regular public address space allocated to some organisation through the regional registries.
Why these ranges exist at all
By the mid-1990s, the IETF could see that 4.3 billion IPv4 addresses would not survive the coming decade of consumer internet adoption. Two parallel solutions launched. The long-term one was IPv6 with its 128-bit addresses, covered in detail in the IPv4 versus IPv6 deep dive. The short-term one was Network Address Translation combined with reserved private ranges, which let an organisation use one public IP at the edge and hand out millions of private addresses internally.
The clever part is that the private ranges are reused. Every home router can pick 192.168.1.0/24 because the addresses never leave the home. Two neighbours both running 192.168.1.0/24 do not conflict because no packet from house A is ever routed to house B at the private address layer. The public internet sees only the two ISP-assigned addresses on the WAN side. NAT does the translation. The piece on WHOIS lookups covers the public side of that equation, where every household appears as a single ISP-allocated address.
How NAT actually moves the packets
A laptop at 192.168.1.50 wants to fetch a page from example.com at 93.184.216.34. The flow goes like this:
- The laptop sends a TCP SYN from 192.168.1.50:55432 to 93.184.216.34:443.
- The router rewrites the source to the WAN public IP, say 203.0.113.7, and records the mapping in a connection tracking table along with a new ephemeral port.
- The internet sees a packet from 203.0.113.7:60001 to 93.184.216.34:443 and responds back.
- The router receives 93.184.216.34:443 to 203.0.113.7:60001, consults the table, and rewrites the destination back to 192.168.1.50:55432.
- The laptop receives the response and never knows the rewrite happened.
This works for outbound connections automatically. Inbound connections require port forwarding because the router has no idea which internal device should receive an unsolicited incoming packet. Gamers, self-hosters and anyone running a home server have memorised this quirk. The same mechanism is one reason an outside observer cannot reach a private IP directly, which feeds the question explored in who can find you with your IP.
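The walkthrough above as a toy connection-tracking table. This is an added example, not code from the original article or from any router firmware. The `Nat` class, the remote host 198.51.100.9 and the forward to 192.168.1.20 are constructed for illustration, and the table is assumed to match replies on the full remote address and port.

```python
from dataclasses import dataclass, field

WAN_IP = "203.0.113.7"  # public address used in the walkthrough above

@dataclass
class Nat:
    next_port: int = 60001                        # next ephemeral WAN port
    out_map: dict = field(default_factory=dict)   # (lan_ip, lan_port, dst, dport) -> wan_port
    in_map: dict = field(default_factory=dict)    # (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
    forwards: dict = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port), static port forwards

    def outbound(self, src, sport, dst, dport):
        """Rewrite a LAN-to-WAN packet and record the mapping."""
        key = (src, sport, dst, dport)
        if key not in self.out_map:
            wan_port = self.next_port
            self.next_port += 1
            self.out_map[key] = wan_port
            self.in_map[(wan_port, dst, dport)] = (src, sport)
        return (WAN_IP, self.out_map[key], dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Rewrite a WAN-to-LAN packet, or return None to drop it."""
        if dst != WAN_IP:
            return None
        target = self.in_map.get((dport, src, sport)) or self.forwards.get(dport)
        if target is None:
            return None  # unsolicited: no tracked flow and no port forward
        return (src, sport, *target)

def demo():
    nat = Nat()
    sent = nat.outbound("192.168.1.50", 55432, "93.184.216.34", 443)
    reply = nat.inbound("93.184.216.34", 443, WAN_IP, 60001)
    # A different remote host aiming at the same WAN port has no table entry.
    stray = nat.inbound("198.51.100.9", 443, WAN_IP, 60001)
    # A static forward is what lets unsolicited inbound traffic through.
    nat.forwards[8443] = ("192.168.1.20", 443)
    forwarded = nat.inbound("198.51.100.9", 40000, WAN_IP, 8443)
    return sent, reply, stray, forwarded

if __name__ == "__main__":
    for packet in demo():
        print(packet)
```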
The default addresses every router uses
Almost every consumer router ships with one of three default subnets on the LAN side: 192.168.0.0/24, 192.168.1.0/24, or sometimes 192.168.2.0/24. The router itself sits at .1 of its chosen subnet. The pattern of vendor defaults is mostly historical accident reinforced by manuals:
- Netgear, TP-Link, ASUS: 192.168.1.1
- Linksys, Belkin: 192.168.1.1 or 192.168.0.1
- D-Link: 192.168.0.1
- Xfinity, many ISP-supplied gateways: 10.0.0.1
- Some Huawei and ZTE modems: 192.168.100.1
Larger deployments avoid these defaults precisely because they collide constantly when site-to-site VPNs join two offices. A consulting firm that buys five small startups and tries to merge their networks finds three of them on 192.168.1.0/24 and has to renumber everyone. The 10.0.0.0/8 range is large enough to give every site its own /16 and never overlap. The CIDR explainer walks through the math of carving that block sensibly.
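A pre-merger check for the collision problem described above, as an added example that is not part of the original article. The site names and prefixes are constructed, and the renumbering policy (every colliding site gets the next free /16 from 10.0.0.0/8) is an assumption chosen to match the paragraph.

```python
import ipaddress
from itertools import combinations

# Constructed inventory of sites about to be joined by site-to-site VPN.
SITES = {
    "hq": "10.0.0.0/16",
    "startup-a": "192.168.1.0/24",
    "startup-b": "192.168.1.0/24",
    "startup-c": "192.168.0.0/23",  # covers 192.168.0.0 to 192.168.1.255
    "startup-d": "172.20.4.0/22",
}

def collisions(sites):
    """Return sorted pairs of site names whose LAN prefixes overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    )

def renumber_plan(sites, pool="10.0.0.0/8", new_prefix=16):
    """Assign each colliding site the next free subnet from the pool."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    clashing = sorted({name for pair in collisions(sites) for name in pair})
    keep = [net for name, net in nets.items() if name not in clashing]
    plan = {}
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=new_prefix):
        if not clashing:
            break
        if any(candidate.overlaps(k) for k in keep):
            continue  # already used by a site that is not being renumbered
        plan[clashing.pop(0)] = str(candidate)
        keep.append(candidate)
    return plan

if __name__ == "__main__":
    print(collisions(SITES))
    print(renumber_plan(SITES))
```

Note that the /23 collides with both /24 sites even though its text form looks different, which is why the check compares prefixes rather than strings.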
If you want to find your own private IP right now: Windows uses ipconfig in a command prompt, macOS and Linux use ip addr or the older ifconfig. Look for an address starting with 10, 172.16 to 172.31, or 192.168. Anything else on a Wi-Fi or Ethernet interface is unusual. Your public IP, the one the wider internet sees, lives on the router's WAN side and is best checked with the homepage IP tool.
Reaching a private IP from outside
The short answer is you cannot, not directly. Public routers drop traffic destined for RFC 1918 addresses. The internet has no path to 192.168.1.50 because every backbone router treats those prefixes as unroutable. To reach a private IP from outside, traffic must pass through some kind of agreed gateway: port forwarding on the home router, a reverse proxy, a VPN that places the remote user inside the same private network, or a hole-punching service like Tailscale or Cloudflare Tunnel.
The mechanics of a VPN doing exactly this are covered in how a VPN works. When a corporate laptop connects to a company VPN, the user's machine gets a virtual interface with an IP from the company's internal range, and the routing table is rewritten to send corporate subnets through the tunnel. From that moment, 10.50.0.0/16 reaches the file server in the head office just as if the laptop were physically there.
Cousins of RFC 1918
Three more reserved IPv4 blocks behave like private ranges but serve different niches.
Loopback. 127.0.0.0/8, reserved by RFC 1122. Only 127.0.0.1 is used in practice and points at the local machine. Web developers know it as localhost. The whole /8 is wasteful by modern standards but nobody is going to renumber the internet's loopback.
Link-local. 169.254.0.0/16, defined in RFC 3927. When a device cannot reach a DHCP server, it picks a random address in this range so basic peer-to-peer communication still works. Seeing 169.254 on a network adapter means DHCP failed, which is usually a wiring or router problem.
Carrier-grade NAT shared space. 100.64.0.0/10, defined in RFC 6598. ISPs use this block for the inside of their CGNAT deployment, separating customer-side private space from the customer's own RFC 1918 space. It looks public but is not. If your home router's WAN interface shows a 100.x address, you are behind CGNAT, which affects geolocation accuracy and inbound connectivity equally.
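The CIDR arithmetic behind the three RFC 1918 blocks and the three cousins listed here, done with explicit bit masks. This is an added example, not code from the original article; the function names are hypothetical and the block list contains only the ranges this page names.

```python
# Reserved blocks named on this page: (network, prefix length, label).
RESERVED = [
    ("10.0.0.0", 8, "private (RFC 1918)"),
    ("172.16.0.0", 12, "private (RFC 1918)"),
    ("192.168.0.0", 16, "private (RFC 1918)"),
    ("127.0.0.0", 8, "loopback (RFC 1122)"),
    ("169.254.0.0", 16, "link-local (RFC 3927)"),
    ("100.64.0.0", 10, "CGNAT shared space (RFC 6598)"),
]

def to_int(dotted):
    """Pack a dotted quad into one 32-bit integer, validating each octet."""
    parts = dotted.split(".")
    ok = len(parts) == 4 and all(
        p.isascii() and p.isdigit() and int(p) <= 255 for p in parts
    )
    if not ok:
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    value = 0
    for p in parts:
        value = (value << 8) | int(p)
    return value

def classify(dotted):
    """Return the label of the listed block containing the address.

    "other" only means "not in the blocks above"; further special-purpose
    IPv4 blocks exist, so it is not proof of a publicly routable address.
    """
    addr = to_int(dotted)
    for network, prefix_len, label in RESERVED:
        # A /N mask keeps the top N bits and clears the remaining 32 - N.
        mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
        if addr & mask == to_int(network):
            return label
    return "other"

if __name__ == "__main__":
    # Constructed sample addresses, including the edges of the 172 block.
    for ip in ["172.15.255.255", "172.16.0.0", "172.31.255.255",
               "172.32.0.0", "100.64.0.1", "169.254.10.1", "8.8.8.8"]:
        print(f"{ip:16} {classify(ip)}")
```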
IPv6 does it differently
IPv6 has its own private-equivalent space called Unique Local Addresses, defined in RFC 4193. The block is fc00::/7, which in practice means addresses starting with fd. Unlike IPv4 private space, every organisation is supposed to pick a globally unique 40-bit identifier inside the prefix to avoid collisions when networks merge. The collision problem that plagues 192.168.1.0/24 mergers is mostly solved at design level.
IPv6 also has link-local addresses in the fe80::/10 range, which every IPv6 interface generates automatically. The result is that an IPv6-enabled machine has at least two addresses on every interface, a link-local one and a global or unique-local one. The share of internet users on IPv6 has crossed forty percent globally and continues to climb, which slowly reduces the reliance on NAT and the urgency of the RFC 1918 trick.
⚠️ Never assume a private IP cannot be hostile. Once a single device inside a network is compromised, every other device on the LAN is reachable from it at the private layer. The whole NAT-as-firewall myth dissolves when the attack starts inside. Treat 192.168.x machines as potentially adversarial in the same way as public addresses, especially on Wi-Fi networks shared with guests.
The future of private addressing
Private IP ranges will outlive most current network engineers. The RFC 1918 ranges are baked into every router firmware, every cloud VPC default, every IoT device documentation page. The shift to IPv6 reduces the pressure but does not remove the use case for private addressing, which solves real problems beyond address scarcity: namespace isolation, security boundary by default, simpler internal renumbering when ISPs change.
For everyday users, the practical takeaways are simple. Your laptop carries a private address indoors and the world sees only your router's public address. Two networks can reuse the same private range freely. Reaching anything private from outside requires either a forwarded port, a reverse proxy or a VPN tunnel. And the public face of your network, the one that geolocation services and basic IP trackers see, is just one address regardless of how many devices live behind it. That asymmetry, between one public address and many private ones, is what the original RFC 1918 authors built in 1996 and what every modern network still relies on three decades later.
Frequently asked questions
What is the difference between 192.168.1.1 and 192.168.0.1?
Nothing functional. Both are valid private IP addresses inside the 192.168.0.0/16 range reserved by RFC 1918. Router manufacturers picked one or the other as a default for their consumer hardware, usually for historical reasons or to differentiate from competitors. Netgear, TP-Link and ASUS tend to ship with 192.168.1.1. D-Link and Linksys often ship with 192.168.0.1. Either address can be reached from a device on the same subnet by typing the address into a browser. Both work identically as router management interfaces. The only requirement is that the device trying to reach the router holds an address in the same subnet, which DHCP usually arranges automatically.
How do I find my own private IP address?
On Windows, open Command Prompt and type ipconfig. The IPv4 Address line under your active network adapter shows the private IP, typically starting with 192.168 or 10. On macOS and most Linux distributions, open Terminal and type ip addr or the older ifconfig. Look for the inet entry on the active interface, usually en0, eth0 or wlan0. iPhones and Android phones display the private IP under Wi-Fi network details in Settings. The address shown is the one your router assigned over DHCP. Your public IP, the one the rest of the internet sees, is different and can be checked through the homepage IP tool on this site.
Can someone reach my private IP from the internet?
Not directly. Public internet routers drop any packet destined for an RFC 1918 address because those prefixes are not routable on the global internet. To reach a private device from outside, traffic has to pass through a configured gateway: port forwarding on the home router, a reverse proxy, a VPN that places the remote user inside the same private network, or a service like Cloudflare Tunnel or Tailscale that creates a managed connection. The default for an unconfigured home network is that no inbound traffic reaches the private IPs. That is one of the reasons NAT routers function as a basic firewall in practice, although it is not a substitute for a real firewall.
Why does the 172 private range stop at 172.31?
The 172.16.0.0/12 block uses a 12-bit network prefix, which covers the whole first octet and the top 4 bits of the second, so the second octet has 4 fixed bits and 4 free bits. The fixed bits are 0001, so the second octet ranges from binary 0001 0000 to 0001 1111, which is 16 to 31 in decimal. Everything from 172.0 to 172.15 and from 172.32 to 172.255 sits outside the private range and is regular public IPv4 space allocated through the regional internet registries. Trying to use 172.32.0.0 internally would conflict with whichever organisation actually holds that public block. The /12 prefix was a deliberate compromise between the larger /8 of the 10.x block and the smaller /16 of the 192.168.x block.