49

I understand how subnet-masks are used to divide a network into sub-networks, but why does every computer in the network need to know the subnet-mask and not just the router?

I could understand it, if each computer were physically connected to each other with a wire, but all packets need to go through the router anyway.

Let's say that I have a computer on a network 192.168.0.0/255.255.255.0, which has the IP 192.168.0.1.

If that computer tries to reach a computer outside the sub-network, let's say 192.168.1.1, it transmits the message to the router, the router identifies that the IP is outside the sub-network IP-range, and rather than transmitting it on the sub-network, it transmits it to the network it is connected to (perhaps another router).

Orpedo
  • 612

9 Answers

78

Your original assumptions are not entirely correct. What you call a "router" is two devices in one – a two-port router internally connected to a multiple-port Ethernet switch. (Here's an example diagram.)

This means that the computers are directly connected at layer 2, and can send packets to each other without going through the router core – they're simply relayed between ports by the switch chip. (The router has its own "port" in the switch.)

So if you look at the packets using Wireshark, you'll see that they directly use each other's MAC addresses, while "outside" packets always have the router's MAC as the destination.

(I'm assuming you're​ talking about the typical "wireless routers" found in most homes, which are the usual cause of this kind of question. A bigger network would have a separate router with one port per subnet, and a few separate switches (perhaps a master one plus one per floor/room), and several dozens of computers connected to those switches.)

It's roughly the same with Wi-Fi networks, except "switch" is replaced with "wireless bridge" aka "access point". In both cases, connected computers can send packets directly to each other at layer 2, without going through the router.


Comments:

When I stated router, I did actually mean switch. My mistake. My point being, that each computer in a subnetwork is not connected to each other, but rather to a switch, which then can pass on packets to the correct destination. An Ethernet frame does not contain the subnet-mask, as the switch already has this knowledge, and hence does not need it to do the correct switching.

That's again incorrect. Switches do not have this knowledge; their switching core works at layer 2 and does not know anything about IP – it forwards Ethernet frames purely based on the 'destination MAC address' field.

Therefore, hosts need the subnet mask to figure out what MAC address to use as the destination:

  • If the peer is within the same subnet, it's assumed to be on-link by definition – so the Ethernet frame will have peer's MAC as destination.

  • For peers outside the subnet, the Ethernet frame will have the gateway's MAC as destination.

(This applies to the default configuration. Some special-snowflake networks alter this – e.g. most operating systems allow adding extra "on-link" routes for additional subnets; conversely, some switches may be configured to spoof ARP responses such that even "on-link" traffic is forced through the gateway.)

grawity
  • 501,077
31

How does a computer know if a destination address is in the same subnet or in another?

By checking the local address and the subnet mask.

Let's check a couple examples:

If my computer has the IP 192.168.0.1 and the mask is 255.0.0.0 it means that any address from 192.0.0.0 to 192.255.255.255 is in the same subnet. The packets to all those other computers don't need to go through the router, they can be sent directly. Send an ARP packet to get the MAC address of the destination computer and then send the packet.

But, if my computer has the IP 192.168.0.1 and the mask is 255.255.255.128 then the computers in the same subnet are from IP address 192.168.0.0 to 192.168.0.127 only. They can be reached directly (send ARP, find MAC address, etc.). Any other address, for example 192.168.0.200, must be reached passing through the router.

jcbermu
  • 17,822
11

Something non-obvious about IP is that every IP device is itself a router.

This can be seen on a normal PC with the command "route print". You are connected to two networks: your local Ethernet or wifi segment, and the localhost network. Every packet needs to be subject to a decision as to which network to put it on.

This becomes more apparent if you put your computer on two networks, say a "public" and "private" one. Now you definitely need the subnet mask in order to decide which network to send the packet on.

Many people will accidentally discover that a PC with a single network connection may work with a wrongly configured submask: they just end up sending everything to the gateway.

pjc50
  • 6,186
7

I see this mentioned in some of the other answers here but I think it could be clearer: On computers with multiple network interfaces, the subnet mask may be used to automatically determine which physical interface to send IP traffic on based on the destination IP address.

If you're sending a packet to a device on a LAN connected to one of the interfaces, in order to know which interface to send it on (if you haven't configured a route explicitly), the computer can check the interfaces to see if subnet_mask & destination_ip == subnet_mask & interface_ip (by & I mean bitwise-and and by == I mean to assert equality), and if there's a match, choose that interface.

That way if you've got e.g.:

  • Interface A with 192.168.1.42/24
  • Interface B with 10.0.0.15/24
  • Interface C with 192.168.2.97/24

And you send a packet to 192.168.2.123 and don't have a route set up, it can be determined that interface C should be used because 255.255.255.0 & 192.168.2.123 == 255.255.255.0 & 192.168.2.97.

This wouldn't be possible if the subnet mask wasn't known, and so you'd have to have a route set up for every single IP address you sent data to.

Jason C
  • 11,385
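The on-link test from jcbermu's examples and the interface selection from the answer above, worked through in code. This is an added example, not code from either answer: the interface table is the constructed sample from the answer above, the function names are my own, and the longest-mask tie-break for overlapping subnets goes slightly beyond the text (it mirrors what a routing table would do).

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed sample interfaces (the three from the answer above); not real hosts.
INTERFACES: Dict[str, Tuple[str, str]] = {
    "A": ("192.168.1.42", "255.255.255.0"),
    "B": ("10.0.0.15", "255.255.255.0"),
    "C": ("192.168.2.97", "255.255.255.0"),
}

def to_int(dotted: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer (raises on malformed input)."""
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(value: int) -> str:
    """32-bit integer -> dotted-quad IPv4 string."""
    return str(ipaddress.IPv4Address(value))

def same_subnet(local_ip: str, mask: str, dst_ip: str) -> bool:
    """The on-link test a host runs before framing a packet: compare the
    network part of both addresses (IP & mask). Equal -> ARP for the peer;
    different -> ARP for the gateway instead."""
    m = to_int(mask)
    return (to_int(local_ip) & m) == (to_int(dst_ip) & m)

def frame_destination(local_ip: str, mask: str, dst_ip: str) -> str:
    """Whose MAC address ends up in the Ethernet frame's destination field."""
    return "peer" if same_subnet(local_ip, mask, dst_ip) else "gateway"

def broadcast_address(local_ip: str, mask: str) -> str:
    """Directed broadcast for the interface's subnet: all host bits set."""
    m = to_int(mask)
    return to_dotted((to_int(local_ip) & m) | (~m & 0xFFFFFFFF))

def choose_interface(interfaces: Dict[str, Tuple[str, str]], dst_ip: str) -> Optional[str]:
    """Multi-homed host with no explicit routes: pick the interface whose
    subnet contains dst_ip. If several match (overlapping subnets), prefer
    the longest mask, as a routing table would; None means nothing is
    on-link and the packet has to go to a default gateway."""
    best, best_bits = None, -1
    for name, (ip, mask) in interfaces.items():
        if same_subnet(ip, mask, dst_ip):
            bits = bin(to_int(mask)).count("1")
            if bits > best_bits:
                best, best_bits = name, bits
    return best

if __name__ == "__main__":
    print(choose_interface(INTERFACES, "192.168.2.123"))  # C
    print(frame_destination("192.168.0.1", "255.255.255.128", "192.168.0.200"))  # gateway
```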
6

TCP/IP could have been designed as you suggest -- leaf nodes would send everything to the router, and it would forward it to the target, which might be on the same subnet as the sender.

But this would not be optimal design, for two reasons:

  1. It uses more bandwidth: Every packet between devices on the same subnet has to be transmitted twice: once from the sender to the router, and again from the router to the receiver. On networks where the router is also the network switch, this actually isn't any extra bandwidth, since it was going to go through the switch anyway. But not all network technologies work like that. The original Ethernet design was a bus technology, with no central switch or repeater.

  2. It puts more load on the router. Even if the router is also the switch, it's a little more work because it has to go up to the Layer 3 routing implementation, rather than the simpler Layer 2 switching.

A general philosophy embodying the design of TCP/IP is that end nodes are intelligent devices, so they're assumed to be able to do some of the work. They don't have to know the full network topology like backbone routers do, but they know enough about the local environment to take on some of the initial local-vs-remote routing task. It doesn't take much code to implement this simple initial routing.

Furthermore, non-router devices are not necessarily on just one subnet. You can easily have multiple network cards in a PC -- many have both Ethernet and WiFi. And each of those can be connected to a different subnet, and addresses plus subnet masks are used to determine which network card to use. If you run virtual machines, there's likely to be a virtual subnet connecting them to the host system.

Barmar
  • 2,545
5

If we look at a routing table (this happens to be my desktop machine):

ip route

default via 172.20.25.1 dev eth1 
172.20.25.0/24 dev eth1 proto kernel scope link src 172.20.25.33 
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1

route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.20.25.1     0.0.0.0         UG    0      0        0 eth1
172.20.25.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

Either view conveys the same information. The subnet masks indicate which hosts are directly reachable on that network, and other hosts are found using a gateway. In particular, we have to know that the gateway is reachable, otherwise we couldn't send packets for it to forward.

You could, in principle, send everything via your gateway host. That would look like

default via 172.20.25.1 dev eth1 
172.20.25.1 dev eth1 proto kernel scope link src 172.20.25.33 

or

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.20.25.1     0.0.0.0         UG    0      0        0 eth1
172.20.25.1     0.0.0.0         255.255.255.255 U     0      0      

I've not tried that, but it can be used for MAC-Forced Forwarding.

Toby Speight
  • 5,213
2

Okay, so I understand how subnet-masks are used to divide a network into sub-networks, but my question is, why does every computer in the network need to know the subnet-mask and not just the router?

well the devices people refer to as routers are usually not just routers.. hence people sometimes use terms like NAPT Router, or Home Router, or Consumer Router, to suggest that it's not purely a router. To make the point they're not just routers, these devices can do NAPT (which isn't routing), and they have a switch built in (a switch does bridging, which isn't routing - distinctions between a switch and a bridge are a bit not so well defined - one may say a bridge would often have 2 ports and connect different network mediums (e.g. ethernet and non-ethernet), whereas a switch would have multiple ports and the same network medium). A switch does bridging.

If the switch were separated from the "router", then indeed, it'd be more clear.. When the IP address is on the same network, then the packet goes down the cable to what is next physically, which is the switch, and is ultimately destined to some other computer on the network (unless it was a managed switch and you were connecting to the switch e.g. telnet or http and the switch had its own IP), and since the packet is not destined for another network, the packet won't reach the router. When it's destined for a computer on a different network, then it of course still goes to the switch, but then continues after that to the router, (the switch directed the packet to the router and the destination MAC address of the packet coming in to the switch would've been the MAC address of the router), and the router would route it out of the correct interface of the router.

With these things typically called routers, that have switches inside them (like, not the professional style cisco/juniper routers), then the switch is inside.. But that's just the location of the switch.. It's still that when the IP is on the same network then the packet is addressed to the switch not to the router. And it goes only to the switch inside the router and doesn't reach the router.

I could understand it, if each computer were physically connected to each other with a wire,

what do you mean here.. If all computers on an entire network were physically connected with a wire.. then I guess you wouldn't need a switch or router. What you're describing sounds a bit like original ethernet.. and if they're all connected with a wire it would likely not be such a big network. And anyhow it won't be a wire like you are used to. It'd have computers connected along the way to it with "taps". So I don't know why you just threw that sentence in.

but all packets needs to go through the router anyway.

so you mean putting aside that idea of all computers connected with a wire with no router.

And no, even in your home set up, they don't go through the router every time. Even with your "home router" , call it an internet box. They go to the switch in it.

Let's say that I have a computer on a network 192.168.0.0/255.255.255.0, which has the IP 192.168.0.1.

If that computer tries to reach a computer outside the sub-network, let's say 192.168.1.1, it transmits the message to the router,

to the switch then from the switch it goes to the router

the router identifies that the IP is outside the sub-network IP-range, and rather than transmitting it on the sub-network, it transmits it to the network it is connected to (perhaps another router).

well the router identifies what network interface it's for. It sends from one interface to another interface. One distinction - besides which interface, would be whether a network is directly connected or not. It could send on to a switch then to a computer. Or it could send to a computer. Or if the network isn't directly connected it'd go to another router.

and your last sentence was

it transmits the message to the router,

and then what, did you suddenly decide to stop writing?

the router identifies that the IP is outside the sub-network IP-range, and rather than transmitting it on the sub-network, it transmits it to the network it is connected to (perhaps another router).

well, I wouldn't put it like that. Each interface on the router has a different IP range.

But, with your consumer router or home router, what happens is it's like a router with two interfaces, one your side has a switch connected to it. And the multiple ports are ports of the switch.

So if you think in terms of the router part, it's not like oh this is inside the subnetwork and this is outside, 'cos there's potentially many networks. There's one on each interface. And the router is not going to be transmitting it back to the same network it came from. The reason why it reached the router in the first place is precisely because the switch (which it reached first), saw the MAC address and so saw that that's not the MAC address of the router.

The computer that sent the packet out, will check whether the destination IP of the packet is on its own network, or the same network, and will then based on that, choose the relevant MAC address. Either the MAC address of the computer it's destined to (that's if the computer is on the same network). Or (if the computer is on another interface of the router), then it'll be the MAC address of the router. I guess that might answer the title of your question quite directly, as to why the computer would need to know the subnet mask.. In the TCP/IP system as it is.. that's how it works, the computer picks the relevant layer 2 address e.g. for ethernet, the MAC address.

barlop
  • 25,198
1

But why is the subnet-mask then given for the computer/device, when it does not need it for anything? – Orpedo Mar 22 at 13:45

The computer/device does use the subnet mask in order to calculate the IP broadcast address.

IP interfaces not in promiscuous mode are configured to respond to the IP broadcast address as well as their own IP address.

Joe Inwap
  • 111
-1

Created an account just to answer this, as I think others are over complicating the role of a subnet mask.

The subnet mask determines what other machines on a network a host will communicate with. If a host lies outside my subnet, then I will try to talk to that machine via my gateway. If that host is within my subnet, then I will talk to that host directly (no gateway needed). Additionally, if a machine outside of a host's subnet tries to talk to it, then those packets will fall on deaf ears and get immediately dropped.

Why is that relevant to you? Because if we didn't use netmasks, you trying to talk to Google's DNS server (8.8.8.8) would require you (and EVERY other host that talks to it) to know its physical address (MAC address). This would result in your computer and all others needing to create an ARP entry for every internet machine that you talk to. It would waste your RAM and slow down all networking as the physical address of machines gets passed much further than needed.