Every home router uses 192.168.x.x. Every cloud VPC uses 10.x.x.x. Every corporate network uses 172.16.x.x. These aren’t arbitrary — they’re the three ranges defined by RFC 1918 as “private address space.” Reserved by IANA, never globally routable, free for anyone to use internally without conflict.
This post explains where these ranges come from, the differences between them, common conventions, and how they interact with NAT, IPv6, and the public internet.
The Three Ranges
RFC 1918 (published in 1996) reserves three IPv4 ranges:
- 10.0.0.0/8: 16,777,216 addresses (one Class A).
- 172.16.0.0/12: 1,048,576 addresses (16 Class Bs).
- 192.168.0.0/16: 65,536 addresses (one Class B).
These are guaranteed never to be used as public IP addresses anywhere on the internet. Routers on the internet drop packets to or from these ranges. You can use them freely inside your own network.
Why They Exist
In the mid-1990s, IPv4 was already running out. RFC 1918 was a partial solution: let organizations use private addresses internally and only consume public addresses where they actually face the public internet. Combined with NAT, this allowed networks of arbitrary size to share a small number of public IPs.
The result: every home, office, and data center uses RFC 1918 internally. Public IPs are used only at network borders (the router/firewall). NAT translates between the two.
Conventions for Each Range
People use these three ranges differently by convention:
10.0.0.0/8
- Used by large enterprises and cloud providers.
- AWS VPCs default to 10.x.x.x ranges.
- GCP VPCs and Azure VNets similarly.
- Subnets typically /24 to /16 within the /8.
The /8 is huge — 16 million addresses. Enough for any organization’s needs. The flexibility is why hyperscalers prefer it.
172.16.0.0/12
- Used by small-to-medium businesses.
- Docker’s default bridge network uses 172.17.0.0/16.
- Less common than 10/8 or 192.168/16.
Range: 172.16.0.0 to 172.31.255.255. The /12 spans 16 Class Bs.
192.168.0.0/16
- Used by home networks and small offices.
- Default for most consumer routers: 192.168.0.0/24 or 192.168.1.0/24.
- Common subnets: 192.168.0.1 (router), 192.168.1.1 (router), 192.168.50.0/24 (small office).
Range: 192.168.0.0 to 192.168.255.255. The smallest of the three; sufficient for home/small business.
What Makes Them Special
Three properties define “private” in RFC 1918:
1. Never globally routable
ISPs and backbone routers are configured to drop traffic to/from these ranges. A packet to 10.0.0.5 from the internet goes nowhere.
2. Free to reuse
Anyone can use them. Your home router uses 192.168.1.1; my home router also uses 192.168.1.1. They don’t conflict because neither leaks to the internet.
3. NAT-required for internet access
If a device on 192.168.1.5 wants to reach the internet, NAT translates its source to a public IP. The internet sees the public IP; only the local network sees 192.168.1.5.
Common Subnet Choices
A practical reference for subnet sizing:
/24 (256 addresses)
- Small office network.
- Single Wi-Fi network.
- Typical home network.
- Container/pod subnet for small clusters.
/16 (65,536 addresses)
- Medium-sized enterprise LAN.
- Cloud VPC for a small organization.
- Docker default bridge network.
/22 (1,024 addresses)
- Medium subnet.
- AWS VPC subnet for a region.
/20 (4,096 addresses)
- Departmental subnet.
- AWS VPC subnet for a larger region.
For more on subnet sizing, see subnet mask CIDR explained.
Reserved Private Address Considerations
A few specifics:
127.0.0.0/8 (loopback)
Not RFC 1918; reserved separately. 127.0.0.1 is the loopback address — “myself.” Used for local-only communication.
169.254.0.0/16 (link-local)
Used when DHCP fails. Hosts auto-assign an address within this range to talk to each other on the local link; these addresses are not routed any further.
224.0.0.0/4 (multicast)
Reserved for multicast addressing.
100.64.0.0/10 (CGNAT)
Reserved by RFC 6598 specifically for CGNAT deployments. ISPs use this between subscriber CPE and the CGNAT gateway.
These aren’t RFC 1918 but are also not public-routable.
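The distinction matters in code, because a generic "is this private?" test often lumps these ranges together. The classifier below is an added example (not from the original post) that labels an address by the ranges listed on this page and shows where Python's ipaddress `is_private` differs from RFC 1918 membership; the label names and sample addresses are constructed for illustration.

```python
import ipaddress

# Ranges named on this page. The labels are this example's own.
RANGES = [
    ("rfc1918", "10.0.0.0/8"),
    ("rfc1918", "172.16.0.0/12"),
    ("rfc1918", "192.168.0.0/16"),
    ("loopback", "127.0.0.0/8"),
    ("link-local", "169.254.0.0/16"),
    ("multicast", "224.0.0.0/4"),
    ("cgnat", "100.64.0.0/10"),
]
_TABLE = [(label, ipaddress.ip_network(cidr)) for label, cidr in RANGES]

# Constructed sample addresses, including both edges of 172.16.0.0/12.
SAMPLES = [
    "10.0.0.5", "172.15.255.255", "172.16.0.1", "172.31.255.255",
    "172.32.0.1", "192.168.1.5", "127.0.0.1", "169.254.10.20",
    "100.64.0.1", "224.0.0.251", "8.8.8.8",
]


def classify(addr):
    """Return the label of the reserved range holding addr, or 'other'."""
    ip = ipaddress.ip_address(addr)
    for label, net in _TABLE:
        if ip in net:  # an IPv6 address never matches an IPv4 network
            return label
    return "other"


def stdlib_disagreements(addrs):
    """Addresses that is_private accepts although they are not RFC 1918."""
    return [a for a in addrs
            if ipaddress.ip_address(a).is_private and classify(a) != "rfc1918"]


if __name__ == "__main__":
    for a in SAMPLES:
        print(f"{a:16} {classify(a)}")
    print("is_private but not RFC 1918:", stdlib_disagreements(SAMPLES))
```

Note that 172.15.255.255 and 172.32.0.1 fall outside the /12, and that 100.64.0.1 is neither RFC 1918 nor reported as private by `is_private`.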
Conflicts to Avoid
When designing private networks:
Multi-site connectivity
If you connect Site A (uses 10.0.0.0/24) with Site B (uses 10.0.0.0/24) via VPN, you have a routing conflict. Design subnets so they don’t overlap.
Cloud VPC peering
Peering two AWS VPCs with overlapping CIDRs fails. Pick non-overlapping ranges when designing your account’s network architecture.
Home network + corporate VPN
If your home uses 192.168.1.0/24 and your corporate VPN also uses 192.168.1.0/24, your VPN can’t reach company resources. Either side has to renumber.
The general practice: for any network you might one day connect to another network, pick uncommon ranges. 10.99.42.0/24 is much safer than 10.0.0.0/24 because nobody else picks it.
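A check like this can run before any VPN or peering link is set up. It is an added example, not part of the original post: the site names and inventory are constructed, and the function names are hypothetical. It catches containment (a /24 inside a /16) as well as identical ranges.

```python
import ipaddress
from itertools import combinations

# Constructed inventory; site names are hypothetical.
SITES = {
    "site-a": "10.0.0.0/24",
    "site-b": "10.0.0.0/24",        # same range as site-a
    "home": "192.168.1.0/24",
    "corp-vpn": "192.168.0.0/16",   # contains the home /24
    "cloud-vpc": "10.20.0.0/16",
}


def _net(cidr):
    # strict=False accepts host-style input such as 10.20.5.9/24
    return ipaddress.ip_network(cidr, strict=False)


def find_overlaps(sites):
    """Return (name_a, name_b) pairs whose ranges share any address."""
    nets = {name: _net(cidr) for name, cidr in sites.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def conflicts_for(candidate, sites):
    """Names of existing sites that a proposed range would collide with."""
    cand = _net(candidate)
    return sorted(name for name, cidr in sites.items()
                  if cand.overlaps(_net(cidr)))


if __name__ == "__main__":
    print("overlapping pairs:", find_overlaps(SITES))
    for proposal in ("10.0.0.0/24", "10.20.5.9/24", "10.99.42.0/24"):
        print(proposal, "->", conflicts_for(proposal, SITES) or "no conflict")
```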
IPv6 Equivalents
IPv6 has a similar concept but plays out differently:
Unique Local Addresses (ULA)
Range: fc00::/7 (typically fd00::/8 in practice).
Generated with a random 40-bit identifier so different organizations’ ULAs don’t collide. Functionally like RFC 1918 but with much lower collision risk by design.
Link-Local Addresses
Range: fe80::/10.
Used for communication within a single network segment. Every IPv6 interface has a link-local address automatically.
No NAT (mostly)
IPv6 has enough addresses that every host can have a globally unique address. Most IPv6 deployments don’t NAT — they firewall instead. This is one of the meaningful differences in IPv6 deployment.
Application Layer Implications
For application developers, RFC 1918 mostly affects:
Identifying the user’s “real” IP
If your code sees 192.168.1.5 as the source, you’re talking to someone on a local network — not the internet. Real internet IPs are public. If you read req.ip and get an RFC 1918 address, the proxy in front of you isn’t passing the real IP correctly. See X-Forwarded-For header.
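One way to recover the client address behind a proxy, as an added example (not code from the original post or from any framework): walk X-Forwarded-For from right to left and believe an entry only when the hop that reported it is one of your own proxies. The trusted subnet, function names and sample addresses are assumptions made for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: our reverse proxies live in this subnet.
TRUSTED = ["10.0.0.0/24"]


def resolve_client_ip(peer, xff_header, trusted_cidrs):
    """Return the nearest address that was not reported by an untrusted hop."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    current = ipaddress.ip_address(peer)  # TCP peer: the only unforgeable hop
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for raw in reversed(hops):
        if not any(current in net for net in trusted):
            break  # current hop is not ours, so ignore what it forwarded
        try:
            current = ipaddress.ip_address(raw)
        except ValueError:
            break  # malformed entry: keep the last address we could parse
    return str(current)


def is_rfc1918(addr):
    """True when the resolved address is private, i.e. the proxy chain is
    not passing the real client IP (or the client is internal)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For header value)
    cases = [
        ("10.0.0.7", "198.51.100.23, 10.0.0.9"),   # two trusted proxies
        ("10.0.0.7", "192.168.1.5, 203.0.113.9"),  # client-supplied first entry
        ("203.0.113.50", "10.1.2.3"),              # direct, untrusted peer
        ("10.0.0.7", ""),                          # proxy sent no header
    ]
    for peer, xff in cases:
        ip = resolve_client_ip(peer, xff, TRUSTED)
        print(f"{peer:14} {xff!r:30} -> {ip} private={is_rfc1918(ip)}")
```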
Geolocation
You can’t geolocate a private IP. The Ip2Geo API and similar return errors or no-data for RFC 1918 addresses because there’s no global meaning. If your application receives a request from an apparent private IP, something’s wrong upstream.
Service binding
Listening on 192.168.1.5:8080 makes a service available only on that local network. Listening on 0.0.0.0:8080 makes it available on all interfaces (including public if you have one). Listening on 127.0.0.1:8080 makes it local-only.
Logging
Logging RFC 1918 addresses is usually safe — they don’t identify individuals on the public internet. But internal addresses can reveal infrastructure topology, which is sometimes sensitive.
A Common Mistake
A frequent confusion: thinking private IPs are inherently more secure. They’re not — they’re harder to reach from outside (NAT acts as a coarse firewall) but anyone who can reach the local network can interact with them directly.
“Behind a firewall” is the security property; “private IP” is just an addressing choice. A misconfigured firewall makes RFC 1918 IPs accessible. A properly configured firewall makes even public IPs unreachable.
TL;DR
- RFC 1918 defines three private IPv4 ranges: 10/8, 172.16/12, 192.168/16.
- Never globally routable — internet drops traffic to/from them.
- Free to reuse — anyone can use them inside their own network.
- NAT required for these hosts to reach the internet.
- Conventions: 10/8 for clouds/enterprises, 172.16/12 less common, 192.168/16 for home.
- Avoid overlapping ranges in networks you might connect together.
- IPv6 equivalents are ULA (fc00::/7) but IPv6 mostly doesn’t NAT.
- Geolocation doesn’t work on private IPs.
RFC 1918 is one of those internet foundations that’s transparently essential. Every connected device in the world depends on these ranges existing. For the broader public/private distinction, see public IP vs private IP; for the NAT that bridges them to the public internet, NAT and CGNAT explained.