Comment by rtkwe 4 days ago

22 replies

I recently changed my default subnet to 10.X.Y..., rolling two random numbers to make it highly unlikely that my home subnet, reached through WireGuard, would conflict with the subnet I am connecting from.

trollbridge 4 days ago

I just use /24s in the lower-middle range of 172.16. Very unlikely to have a conflict there.

  • dmd 4 days ago

    My (very large) corporate network uses 172.16 and 10. heavily, which has led me to set my docker/daemon.json default-address-pools to 84.54.64.0/18, as it's very unlikely we need to communicate with any IPs in Uzbekistan.

    • fuzzfactor 2 days ago

      When I separated my scientific instruments from IT, I went to fixed IP and set each device to 192.A.B.x where x is different for each instrument or PC. And A & B are for my lab only, but definitely not the same as the "generic" address range IT is using.

      One day somebody working days or nights "helpfully" plugged one of IT's loose office-machine-network cables into one of my little lab ethernet switches which had a vacant spot :\

      With separate IP subnets it really kept the traffic from crossing, no damage was done, and nobody ever knew until a PC configured for DHCP was plugged into the lab network, and their router wanted to autoassign an IP address to it.

    • dijit 4 days ago

      So, uh.

      I kinda don't want to share this because:

      A) it's a bad idea

      B) it means it will be less unique

      and

      C) I got teased for it a long time ago by my other nerd friends.

      But the US DOD has huge blocks of prefixes that it doesn't do anything with; presumably they use them for internal routing so every device they have could publicly route without NAT.

      One of those prefixes is 7.0.0.0/8.

      My home network uses that. I have never had an issue with S2S VPNs.

      However, there have been a few bits of software (pfSense, for example) which have RFC 1918 hardcoded in some areas and treat it like a public network, and overwriting that means doing the entire network setup manually without the helping hand of the system to build out a working boilerplate.

      • x0 4 days ago

        In this vein there are also three TEST-NETs, all /24 but still useful. I've been known to use TEST-NET 1 for WireGuard: 192.0.2.0/24. The other two are 198.51.100.0/24 and 203.0.113.0/24.

        There's also 198.18.0.0/15, Wikipedia says it's "Used for benchmark testing of inter-network communications between two separate subnets"[1]. Use this if you really want to thumb your nose at the RFC police.

        [1] https://en.wikipedia.org/wiki/List_of_reserved_IP_addresses

      • pcarroll 4 days ago

        I actually looked at using those before the CGNAT range, but many of those blocks have been returned to the public Internet.

  • OptionOfT 4 days ago

    Do you run Docker? Because I remember having to VPN out to a client that used that range, and it caused conflicts where our docker containers couldn't reach the client side to fetch data.

    Docker defaults to 172.16.0.0/16.

    • pcarroll 4 days ago

      We chose Go as the development language. Go produces statically compiled binaries that include all dependencies. The only external deps are wireguard, nftables, nmap, etc. All easy stuff. So we have no need for Docker. We publish binaries for ARM64 and AMD64. Avoiding Docker has made it much easier to work with.

    • doubled112 4 days ago

      I had this happen at home. I'm not convinced it was a good idea to choose default subnets as /20.

      It was pretty easy to cause myself problems with Docker Compose. Eventually I ran out of subnets in the 172.16 range and it happily created subnets in the 192.168 range. Some of them overlapped with subnets on my LAN.

    • trollbridge 3 days ago

      Yes, we use Docker (or podman) but generally never rely on Docker’s internal address ranges.

  • pclmulqdq 4 days ago

    I often use 172.31/16 for subnets and have never seen a conflict. I have seen 172.24 and 172.16 used before, though.

  • EvanAnderson 4 days ago

    I find a lot of Docker containers using subnets inside 172.16.0.0/16.

    • notpushkin 4 days ago

      Probably for the same reason – 172.16/12 is not as widely used for other networks :-)
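
An added worked example for this subthread (not code any commenter posted): a Python script using the standard ipaddress module that parses constructed `ip -4 route` output, expands Docker's default address pools, reports which in-use ranges a candidate subnet collides with, and implements rtkwe's random 10.X.Y.0/24 pick with a re-roll on collision. The route sample is made up, and the Docker pool definition (172.17.0.0/12 handed out as /16s, then 192.168.0.0/16 as /20s) is an assumption to verify against your own daemon.json and dockerd version.

```python
"""Overlap check for a VPN or Docker subnet against ranges already in use.

Added example for this thread, not code posted by any commenter.
Assumptions: SAMPLE_ROUTES is a constructed `ip -4 route` sample, and
DOCKER_DEFAULT_POOLS reflects the pools dockerd ships with (172.17.0.0/12
as /16s, then 192.168.0.0/16 as /20s); confirm against your daemon.json.
"""
import ipaddress
import random
from typing import Iterable, List, Optional

IPv4Network = ipaddress.IPv4Network

# Constructed sample of `ip -4 route show` on a laptop running Docker with a
# WireGuard tunnel up. Replace with real output on your host.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev wg0 proto kernel scope link src 10.8.0.2
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23 metric 100
"""

# (base, prefix length handed out): assumed dockerd defaults, see docstring.
DOCKER_DEFAULT_POOLS = [("172.17.0.0/12", 16), ("192.168.0.0/16", 20)]


def routes_from_ip_route(text: str) -> List[IPv4Network]:
    """Pull destination prefixes out of `ip -4 route` output.

    The default route is skipped; a bare host route (no '/') becomes a /32.
    """
    nets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue
        dest = fields[0] if "/" in fields[0] else fields[0] + "/32"
        nets.append(ipaddress.ip_network(dest, strict=False))
    return nets


def expand_pool(base: str, size: int) -> List[IPv4Network]:
    """Expand a Docker-style {base, size} pool into the networks it can hand out.

    172.17.0.0/12 is not /12-aligned; we assume dockerd starts at the base
    address and stops at the end of the enclosing /12, so 172.16.0.0/16 is
    NOT part of the pool.
    """
    enclosing = ipaddress.ip_network(base, strict=False)
    start = ipaddress.ip_address(base.split("/")[0])
    return [s for s in enclosing.subnets(new_prefix=size)
            if s.network_address >= start]


def docker_pool_networks(pools=DOCKER_DEFAULT_POOLS) -> List[IPv4Network]:
    """All subnets Docker may allocate from the configured pools."""
    return [n for base, size in pools for n in expand_pool(base, size)]


def conflicts(candidate: IPv4Network,
              in_use: Iterable[IPv4Network]) -> List[IPv4Network]:
    """Every in-use network sharing at least one address with candidate."""
    return [n for n in in_use if candidate.overlaps(n)]


def check(candidate: str, in_use: Iterable[IPv4Network]) -> List[str]:
    """String-in, strings-out wrapper around conflicts()."""
    cand = ipaddress.ip_network(candidate, strict=False)
    return [str(n) for n in conflicts(cand, in_use)]


def pick_random_10_slash24(in_use: Iterable[IPv4Network],
                           seed: Optional[int] = None,
                           attempts: int = 1000) -> IPv4Network:
    """rtkwe's trick: roll X and Y, take 10.X.Y.0/24, re-roll on any overlap."""
    in_use = list(in_use)
    rng = random.Random(seed)
    for _ in range(attempts):
        x, y = rng.randrange(256), rng.randrange(256)
        cand = ipaddress.ip_network(f"10.{x}.{y}.0/24")
        if not conflicts(cand, in_use):
            return cand
    raise RuntimeError("no free 10.X.Y.0/24 found; in-use list covers too much of 10/8")


if __name__ == "__main__":
    in_use = routes_from_ip_route(SAMPLE_ROUTES) + docker_pool_networks()
    for cand in ("172.16.5.0/24", "172.20.0.0/16", "192.168.1.0/24", "10.8.0.0/24"):
        hits = check(cand, in_use)
        print(f"{cand:16} {'clash: ' + ', '.join(hits) if hits else 'free'}")
    print("random pick:", pick_random_10_slash24(in_use))
```

To use it on a real host, paste `ip -4 route show` output into SAMPLE_ROUTES (plus `ip route show table all` if you use policy routing) and append the peer's WireGuard AllowedIPs to the in-use list before rolling. The failure doubled112 hit, Docker spilling into 192.168.0.0/20, is exactly what the 192.168.1.0/24 line reports as a clash.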

9dev 3 days ago

I’ll never not use 10.0.0.0/24 for the sole benefit of being able to collapse the zero and go ping 10.1.

Plus, most network admins think of you and aren’t so bold as to use the first subnet in the range, so I never had problems yet :)

pcarroll 4 days ago

This works fine for your end. But the issue we are addressing is on the other end, when you don't control the network and need to reach devices. If all customer sites are running RFC-unroutable blocks, you eventually encounter conflicts. And the conflict will likely be with the second one you try.

  • rtkwe 2 days ago

    I mostly WireGuard in from my work's guest wifi and people's homes. At the first I don't have access to anything internal anyway and it doesn't conflict, and the latter mostly use the default 192.168.1.0/24, so there are no conflicts I've hit there so far.

ivanjermakov 4 days ago

I subtly remember that 10.x.y address space is widely used by CGNATs.

  • greyface- 4 days ago

    CGNATs should be using 100.64/10 instead of 10/8 to avoid this problem, but I don't doubt that there are significant deployments on 10/8 anyway.

    • zinekeller 3 days ago

      The IETF really dragged their heels on CGNAT because they thought that IPv6 is easy™ (of course it's not; it's intentionally designed not to be "almost the same but wider" but to include unworkable stuff like Mobile IPv6[1], which is just a fancy VPN), until they were forced to allocate 100.64.0.0/10 because some ISPs were using not just 10.0.0.0/8 but also US DoD addresses (especially 11.0.0.0/8, because it's basically 10.0.0.0/7) as "private" addresses.

      [1] Not IPv6 on mobile devices, but a fully-owned IPv6 range that is supposed to be the address for a device regardless of where it is; see RFC 3775.

      • pcarroll 3 days ago

        I wanted to use 11.0.0.0 and call the company "Eleven," but by that time the DOD had given up the block for general use... CGNAT is perfect.

  • rtkwe 3 days ago

    Are those usually visible to clients sitting behind routers though? I'm not super familiar, but the things I'm seeing make it seem like those should only be IPs visible on the internal network of carriers, which is not a place I am ever connecting from.
