RFC 1918: Private IP Address Ranges Explained

RFC 1918 is the Internet Engineering Task Force (IETF) standard that carved out three blocks of IPv4 addresses and declared them permanently reserved for private use. Published in February 1996, this document is the reason every home router can assign addresses like 192.168.1.x to your devices without worrying about conflicts with anyone else on the planet. The three ranges defined in RFC 1918 underpin every local area network in existence.

The standard solved a growing problem in the mid-1990s: the internet was expanding rapidly, and public IP addresses were being consumed faster than anticipated. By reserving specific blocks that would never appear on the public internet, RFC 1918 allowed organizations to build internal networks of any size without consuming public address space.

The Three Private Address Ranges

RFC 1918 designates exactly three IPv4 address blocks as private. Each block corresponds to a different scale of network, though any organization can use any of them regardless of size.

10.0.0.0/8 is the largest private block. It spans from 10.0.0.0 to 10.255.255.255, providing 16,777,216 addresses. The /8 prefix means only the first octet is fixed; the remaining three octets are available for subnetting and host addressing. This range aligns with the old Class A designation.

Large enterprises, cloud providers, and data centres favour the 10.x.x.x range because it provides enough space to create thousands of subnets across multiple locations without reusing addresses. AWS, Azure, and GCP all default to 10.x.x.x ranges for their virtual private cloud configurations. Some consumer routers (notably certain Comcast and Xfinity gateways) also use 10.0.0.x for the home LAN.

172.16.0.0/12 is the mid-sized private block. It covers 172.16.0.0 to 172.31.255.255, providing 1,048,576 addresses. The /12 prefix is less intuitive than the others because the boundary falls in the middle of the second octet. The second octet ranges from 16 to 31 (the lower 4 bits are part of the host space).

This range sees less use in consumer networking but appears frequently in container orchestration (Docker uses 172.17.0.0/16 by default), VPN tunnels, and medium-sized business networks. It is a good choice when you want private addressing that will not overlap with the 10.x.x.x or 192.168.x.x ranges already in use elsewhere in your environment.

192.168.0.0/16 is the smallest private block and the one most people encounter daily. It covers 192.168.0.0 to 192.168.255.255, providing 65,536 addresses. Nearly every consumer router ships with a default LAN address in this range, typically 192.168.0.1 or 192.168.1.1.

Home networks overwhelmingly use 192.168.x.x addresses. A typical setup uses 192.168.1.0/24 for the LAN, giving 254 usable host addresses. This is more than enough for residential use, even in smart-home-heavy households.

How Consumer Router Brands Picked Their Defaults

Within the 192.168.0.0/16 block, manufacturers had a free hand to choose any /24 subnet for the default LAN. Most converged on .1.x or .0.x for memorability, but the pattern is not random — it tracks brand history, regional convention, and competitive differentiation.

• Linksys, Netgear, Cisco, ZTE, Mercusys, Ubiquiti chose 192.168.1.x, with 192.168.1.1 as the gateway. This is the single most-deployed default IP worldwide — covered in depth on the busuk homepage.
• D-Link, Tenda, TP-Link (older Archer models), Sky (UK), Virgin Media (UK) chose 192.168.0.x, with 192.168.0.1 as the gateway.
• ASUS standardized on 192.168.50.x for ZenWiFi mesh and most modern RT-AX routers — a deliberate differentiation from the .1.x crowd.
• Huawei uses 192.168.8.x for mobile broadband and 4G/5G CPE products, 192.168.100.x for fibre ONTs, and 192.168.3.x for the AX series consumer routers.
• Xiaomi picked 192.168.31.x for Mi Router products.
• MikroTik uses 192.168.88.x — one of the more idiosyncratic picks in the consumer space.
• Belkin uses 192.168.2.x.
• Buffalo uses 192.168.11.x on AirStation models.
• AVM Fritz!Box uses 192.168.178.x — dominant in Germany, Austria, and Switzerland.
• TP-Link Deco mesh systems use 192.168.68.x — a deliberate split from the standard Archer .0.x default.

Some ISP-supplied routers route around the 192.168.x.x range entirely. Comcast Xfinity gateways and Apple AirPort stations historically used 10.0.0.x, drawing from the 10.0.0.0/8 block instead. British Telecom Smart Hub and TM Unifi in Malaysia put the gateway at 192.168.1.254 rather than .1. Frontier DSL/fibre equipment uses 192.168.0.254 for the same conflict-avoidance reason. The ISP-specific router guides document each provider’s exact convention.

Why Private Addresses Exist

The concept behind RFC 1918 is address conservation. When the internet was designed, IPv4’s 4.3 billion addresses seemed abundant. By the 1990s, it was clear that every organization, school, government agency, and eventually every household wanting internet access would exhaust the supply.

Not every device needs to be reachable from the public internet. Your printer, your smart thermostat, and your laptop do not need globally unique addresses. They only need to communicate within your local network and reach the internet through a gateway. Private addresses serve this purpose perfectly.

Because private addresses are guaranteed to never appear on the public internet, they can be reused infinitely. Every home in your neighbourhood can use 192.168.1.x internally. Every office building can use 10.x.x.x. There are no conflicts because these addresses never leave their respective networks without being translated first.

The translation mechanism is NAT (Network Address Translation). Your router takes outgoing packets from private addresses, swaps the source to its public IP, and reverses the process for incoming responses. NAT is what allows one public address to serve an entire network of privately addressed devices.

Without RFC 1918 and NAT, every single device on every network worldwide would need its own public IPv4 address. The internet would have run out of addresses years before IPv6 was ready for deployment.

How Routers Use RFC 1918 Addresses

Your router is the device that implements RFC 1918 addressing on your home network. It uses private addresses in three primary ways.

LAN interface address. The router assigns itself a private IP address on the local network side. This address (commonly 192.168.1.1) serves as the default gateway for all devices on the network. When your laptop needs to send traffic outside the LAN, it forwards the packet to this address.

DHCP pool. The router runs a DHCP server that automatically assigns private IP addresses to devices as they connect. The pool is drawn from the same RFC 1918 range as the router’s LAN address. A router at 192.168.1.1 typically hands out addresses from 192.168.1.2 through 192.168.1.254.

NAT translation. When a device with private address 192.168.1.100 sends a packet to the internet, the router replaces the source address with its public IP before forwarding. It maintains a mapping table so it can reverse the translation on incoming responses. The private address never appears on the public internet.

Internet backbone routers enforce the private address boundary. They are configured to drop any packet with an RFC 1918 source or destination address. If a private address somehow leaked onto the public internet, it would be discarded immediately. This enforcement is what makes the reuse guarantee work.

RFC 1918 and VPNs

VPN (Virtual Private Network) configurations interact directly with RFC 1918 addressing. When you connect to a corporate VPN, the VPN server assigns your device a private IP address from its own RFC 1918 range. This lets your device appear as if it is on the corporate network, with access to internal resources.

A common problem arises when your home network and the VPN use the same private range. If your home router uses 192.168.1.0/24 and the corporate VPN also uses 192.168.1.0/24, your device cannot distinguish between local and VPN destinations. Traffic intended for a corporate server at 192.168.1.50 might go to your local network instead.

The solution is to use different RFC 1918 ranges for different purposes. Organisations running VPN services often choose 10.x.x.x or 172.16.x.x to avoid overlap with the 192.168.x.x range that most home networks use. If you control both networks, changing one to a different range eliminates the conflict.

This overlap issue is also relevant for site-to-site VPNs that connect two offices. If both offices use 192.168.1.0/24, the VPN cannot route traffic correctly between them. Planning RFC 1918 usage across all connected sites is a basic requirement for VPN deployments.

RFC 1918 in the IPv6 Era

IPv6 provides enough addresses (340 undecillion) that every device on Earth could have billions of globally unique public addresses. In theory, this eliminates the need for private addressing and NAT entirely. In practice, the concept persists.

IPv6 includes Unique Local Addresses (ULAs), defined in RFC 4193. The ULA range fc00::/7 (practically fd00::/8) serves the same role as RFC 1918 addresses in IPv4: internal communication that should not be routed on the public internet. Organizations use ULAs for services that should remain internal, like printers, file shares, and management interfaces.

However, ULAs are used differently than RFC 1918 addresses. IPv6 devices typically receive both a global unicast address (publicly routable) and a ULA (locally scoped). Unlike IPv4 where NAT is required, IPv6 devices can communicate directly on the internet using their global address while using the ULA for internal traffic.

For home users, RFC 1918 remains the daily reality. IPv4 and its private address ranges will continue operating alongside IPv6 for years. Your router will keep assigning 192.168.x.x addresses via DHCP, running NAT for IPv4 traffic, and handling IPv6 separately. The RFC 1918 framework is not disappearing any time soon.

RFC 6598 and Carrier-Grade NAT

A separate RFC extends the private-addressing logic into the carrier space. RFC 6598 (published April 2012) reserved 100.64.0.0/10 for Carrier-Grade NAT (CGNAT) deployments by ISPs. This range is technically distinct from RFC 1918 — it is “shared address space”, not “private address space” — but it serves the same purpose at the ISP layer.

CGNAT lets an ISP put thousands of customers behind a smaller pool of public IPv4 addresses. Each customer’s home router still uses RFC 1918 addresses internally (192.168.x.x), but the ISP also wraps the customer in a second NAT layer using 100.64.x.x before reaching the public internet. The result is a double-NAT setup that conserves IPv4 addresses on the ISP side.

If your home router shows a WAN address starting with 100.64–100.127, your ISP has placed you behind CGNAT. This breaks inbound port forwarding and can disrupt some VPN configurations. Mobile and rural broadband providers use CGNAT most heavily.

Common RFC 1918 Confusions

A few related concepts get mistaken for RFC 1918 reservations:

• 169.254.x.x is not RFC 1918. This range is APIPA (Automatic Private IP Addressing) defined in RFC 3927. It is what your operating system assigns when DHCP fails. If you see your device at 169.254.something, your router is not handing out IPs — fix the DHCP server, do not configure 169.254.x.x manually.
• /16 versus /24. RFC 1918 reserves the entire 192.168.0.0/16 block (65,536 addresses), but most home routers only use a /24 slice of it (256 addresses). Saying “192.168.1.0/24” is a sub-allocation of the RFC 1918 block, not a separate reservation.
• RFC 1918 vs RFC 6890. RFC 6890 (published 2013) is a meta-document that catalogues ALL special-use IPv4 and IPv6 address blocks, including the RFC 1918 ranges plus loopback (127/8), link-local (169.254/16), CGNAT (100.64/10), and others. RFC 6890 did not replace RFC 1918 — it organized the existing reservations into a single registry.
• RFC 1918 vs RFC 1918bis. There is no “RFC 1918bis”. The reservation is stable as published in 1996 and has not been updated.

RFC 1918 in Daily Use

Every time you look up the default gateway for your router — whether that’s 192.168.1.1, 192.168.0.1, or 10.0.0.1 — you’re working with an RFC 1918 address. The same is true for the IP your laptop holds (192.168.x.something), the IP printed on your router’s sticker, and the IP your phone connects to over Wi-Fi. The full router brand directory maps which manufacturer chose which subnet within the reserved blocks.