Understanding CIDR Subnet Mask Notation
pfSense® firewalls use CIDR (Classless Inter-Domain Routing) notation rather than the common subnet mask 255.x.x.x when configuring addresses and networks. Refer to the CIDR Subnet Table to find the CIDR equivalent of a decimal subnet mask.
| Subnet Mask | CIDR Prefix | Total IP Addresses | Usable IP Addresses | Number of /24 networks |
|---|---|---|---|---|
| 255.255.255.255 | /32 | 1 | 1 | 1/256th |
| 255.255.255.254 | /31 | 2 | 2* | 1/128th |
| 255.255.255.252 | /30 | 4 | 2 | 1/64th |
| 255.255.255.248 | /29 | 8 | 6 | 1/32nd |
| 255.255.255.240 | /28 | 16 | 14 | 1/16th |
| 255.255.255.224 | /27 | 32 | 30 | 1/8th |
| 255.255.255.192 | /26 | 64 | 62 | 1/4th |
| 255.255.255.128 | /25 | 128 | 126 | 1 half |
| 255.255.255.0 | /24 | 256 | 254 | 1 |
| 255.255.254.0 | /23 | 512 | 510 | 2 |
| 255.255.252.0 | /22 | 1024 | 1022 | 4 |
| 255.255.248.0 | /21 | 2048 | 2046 | 8 |
| 255.255.240.0 | /20 | 4096 | 4094 | 16 |
| 255.255.224.0 | /19 | 8192 | 8190 | 32 |
| 255.255.192.0 | /18 | 16,384 | 16,382 | 64 |
| 255.255.128.0 | /17 | 32,768 | 32,766 | 128 |
| 255.255.0.0 | /16 | 65,536 | 65,534 | 256 |
| 255.254.0.0 | /15 | 131,072 | 131,070 | 512 |
| 255.252.0.0 | /14 | 262,144 | 262,142 | 1024 |
| 255.248.0.0 | /13 | 524,288 | 524,286 | 2048 |
| 255.240.0.0 | /12 | 1,048,576 | 1,048,574 | 4096 |
| 255.224.0.0 | /11 | 2,097,152 | 2,097,150 | 8192 |
| 255.192.0.0 | /10 | 4,194,304 | 4,194,302 | 16,384 |
| 255.128.0.0 | /9 | 8,388,608 | 8,388,606 | 32,768 |
| 255.0.0.0 | /8 | 16,777,216 | 16,777,214 | 65,536 |
| 254.0.0.0 | /7 | 33,554,432 | 33,554,430 | 131,072 |
| 252.0.0.0 | /6 | 67,108,864 | 67,108,862 | 262,144 |
| 248.0.0.0 | /5 | 134,217,728 | 134,217,726 | 1,048,576 |
| 240.0.0.0 | /4 | 268,435,456 | 268,435,454 | 2,097,152 |
| 224.0.0.0 | /3 | 536,870,912 | 536,870,910 | 4,194,304 |
| 192.0.0.0 | /2 | 1,073,741,824 | 1,073,741,822 | 8,388,608 |
| 128.0.0.0 | /1 | 2,147,483,648 | 2,147,483,646 | 16,777,216 |
| 0.0.0.0 | /0 | 4,294,967,296 | 4,294,967,294 | 33,554,432 |
Note
The use of /31 networks is a special case defined by RFC 3021, in which both IP addresses in the subnet are usable for point-to-point links to conserve IPv4 address space. Not all operating systems support RFC 3021, so use it with caution. On systems that do not support RFC 3021, the subnet is unusable because the only two addresses defined by the subnet mask are the null route and broadcast, leaving no usable host addresses.
pfSense 2.5.0-RELEASE supports the use of /31 networks for interfaces and Virtual IP addresses.
Where do CIDR numbers come from?
The CIDR number comes from the number of ones in the subnet mask when converted to binary.
The common subnet mask 255.255.255.0 is 11111111.11111111.11111111.00000000 in binary. This adds up to 24 ones, or /24 (pronounced ‘slash twenty four’).
A subnet mask of 255.255.255.192 is 11111111.11111111.11111111.11000000 in binary, or 26 ones, hence /26.
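The conversion described above, as an added example that is not part of the pfSense documentation. It also rejects masks whose one bits are not contiguous and reproduces the total and usable counts from the table, including the /31 and /32 special cases. The function names are assumptions chosen for illustration.

```python
# Added example: helper names are illustrative, not pfSense code.

def mask_to_prefix(mask: str) -> int:
    """Dotted-decimal IPv4 subnet mask -> CIDR prefix length."""
    octets = mask.split(".")
    if len(octets) != 4 or not all(
        o.isascii() and o.isdigit() and int(o) <= 255 for o in octets
    ):
        raise ValueError(f"not a dotted-decimal IPv4 mask: {mask!r}")
    value = 0
    for o in octets:
        value = (value << 8) | int(o)
    bits = f"{value:032b}"
    prefix = bits.count("1")
    # Counting ones is only meaningful when they are contiguous from the
    # left; 255.0.255.0 has 16 ones but is not a /16.
    if bits != "1" * prefix + "0" * (32 - prefix):
        raise ValueError(f"mask bits are not contiguous: {mask!r}")
    return prefix


def prefix_to_mask(prefix: int) -> str:
    """CIDR prefix length -> dotted-decimal subnet mask."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: {prefix}")
    value = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_counts(prefix: int) -> tuple[int, int]:
    """Return (total, usable) addresses, following the table on this page."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: {prefix}")
    total = 2 ** (32 - prefix)
    if prefix == 32:
        usable = 1          # single host address
    elif prefix == 31:
        usable = 2          # RFC 3021 point-to-point link
    else:
        usable = total - 2  # null route and broadcast excluded
    return total, usable


if __name__ == "__main__":
    # Constructed sample masks taken from the table rows.
    for m in ("255.255.255.0", "255.255.255.192", "255.255.255.254"):
        p = mask_to_prefix(m)
        print(m, f"/{p}", *address_counts(p))
```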