What are RFC 1918 private IP ranges?

If you've ever typed ipconfig on Windows, run ip addr on Linux, or opened your router's admin page, you've seen an address like 192.168.1.1 or 10.0.0.5. These aren't randomly assigned. They come from three ranges deliberately reserved for private use in 1996 by a networking standard called RFC 1918.

"RFC" stands for Request for Comments — the document series the internet engineering community uses to define how things work. RFC 1918 is short, clear, and still just as relevant as when it was published. It set aside three blocks of IPv4 addresses that anyone can use inside a network without registering them or coordinating with any central authority, with one condition: those addresses must never appear on the public internet.

The three ranges

RFC 1918 defines exactly three private address blocks:

• 10.0.0.0/8 — covers 10.0.0.0 through 10.255.255.255, about 16.7 million addresses
• 172.16.0.0/12 — covers 172.16.0.0 through 172.31.255.255, about 1 million addresses
• 192.168.0.0/16 — covers 192.168.0.0 through 192.168.255.255, about 65,000 addresses

The /8, /12, and /16 numbers are CIDR prefix lengths — they describe how much of the address is fixed and how much is available for individual hosts within the block. A /8 locks in the first 8 bits and leaves 24 bits free, giving 2²⁴ = 16,777,216 possible addresses. A /16 locks in 16 bits and leaves 16, giving 2¹⁶ = 65,536. The CIDR calculator can break down any prefix into its network address, broadcast address, usable host range, and total count.

Any of these three ranges can be used freely inside any private network. You can split them into smaller subnets, use the same addresses in two separate organisations, overlap them in disconnected networks — there is no global registry tracking how private addresses are used, because by definition they never leave the network they're assigned to.

Why these ranges exist

By the early 1990s, it was already clear that IPv4 had a serious problem. The protocol was designed in 1981 with a 32-bit address space — about 4.3 billion unique addresses. That seemed like enough. But the growth of the commercial internet was relentless: every server, every workstation, every new network device was consuming addresses from the same global pool, and IANA (the body that hands out allocations) was burning through blocks far faster than anyone had modelled.

IPv6 — the real long-term fix, with its 128-bit address space — was being designed, but it was years from being deployable at scale. The internet needed a way to keep growing in the meantime.

RFC 1918, published in February 1996, formalised a solution that had already been happening informally: carve out address ranges that could be reused freely inside private networks without consuming anything from the global pool. Organisations had been doing this ad hoc, using whatever ranges they felt like — which created interoperability headaches when private networks connected to each other. RFC 1918 designated the specific three blocks, documented the rules, and gave everyone a common baseline to work from.

The crucial insight is that most devices don't need to be directly reachable from the internet. Your laptop, phone, printer, and smart TV all need to reach the internet, but very few things on the internet need to initiate a connection back to them. Private addresses are sufficient for everything that only ever makes outbound connections.

How NAT ties in

Private addresses only work in practice because of NAT — network address translation. The two technologies arrived around the same time and are deeply complementary.

Your home router has a single public IP address assigned by your ISP. Inside your network, it assigns RFC 1918 addresses to every device via DHCP — your laptop might get 192.168.1.42, your phone 192.168.1.55, and so on. When your laptop sends a request to a website, the router intercepts the outbound packet and rewrites the source address from 192.168.1.42 to its own public IP. It records the substitution in a translation table, so when the response comes back addressed to the public IP, it knows to rewrite the destination back to 192.168.1.42 and forward it to your laptop.

To the website, only one device made the request: the router. Every device behind the router — laptop, phone, TV, thermostat — is invisible to the outside world. All of them share that single public IP for outbound traffic.

This is also why your 192.168.x.x address is meaningless to any outside service. If you tell someone "my IP is 192.168.1.42", they have no way to reach you — that address exists on your local network and nowhere else. For the address the rest of the internet actually sees, check out the What Is My IP Address guide.

Why 192.168 is everywhere in home networks

There's nothing in RFC 1918 that says home routers should use the 192.168.0.0/16 range. Any of the three blocks would work. The standard just says all three are valid.

The dominance of 192.168 on home networks is pure convention. Consumer routers from Linksys, Netgear, D-Link, and others — the devices that flooded homes in the late 1990s and early 2000s — shipped from the factory configured with 192.168.0.1 or 192.168.1.1 as the default gateway address. That was an arbitrary choice by early router manufacturers, and it stuck. Subsequent manufacturers kept it partly because it was the de facto standard, and partly because changing it from 192.168 to something else would confuse users who'd been trained to expect it.

ISPs and enterprises tend to use the much larger 10.0.0.0/8 block when they have many devices to address — a cable company provisioning thousands of home routers across a city needs more room than 192.168 can comfortably offer. Corporate IT departments often also prefer 10.x.x.x because it's visually distinct from the 192.168.x.x addresses on employee home networks, which matters when people connect via VPN and both address spaces are simultaneously visible.

The 172.16.0.0/12 range is the least-used of the three in practice. It's an awkward middle size: bigger than most home networks need, smaller than what large enterprises tend to plan for. Docker chose it for default container networks partly because it's less likely to conflict with the 10.x or 192.168.x ranges already in use on the host machine.

Ranges often confused with RFC 1918

Several other reserved address ranges behave similarly to RFC 1918 private addresses but come from different standards and serve different purposes.

169.254.0.0/16 — link-local addresses. If you've seen a 169.254.x.x address with a message about "limited connectivity", this is why. When a device fails to get an IP from a DHCP server — because the server is unreachable, or there isn't one, or you've just unplugged from the network — it assigns itself an address from this range using a protocol called APIPA on Windows or zeroconf on other systems. Link-local addresses are valid only on the immediately connected network segment; they don't route, not even within your local network. They're a fallback for device discovery when no infrastructure exists. Defined by RFC 3927.

127.0.0.0/8 — loopback. The address 127.0.0.1 — also accessible as localhost — is how your machine refers to itself. Software running locally can open a connection to "a server on this machine" using the loopback address without sending any traffic out of the network interface. The entire /8 block is reserved for loopback, though only 127.0.0.1 sees any real use. Traffic sent to any loopback address goes directly to the local networking stack and never reaches the wire.

100.64.0.0/10 — carrier-grade NAT. This one genuinely looks like RFC 1918 but is a distinct standard defined much later by RFC 6598. When ISPs began running out of public IPv4 addresses to assign to customers, some started adding a second layer of NAT at the carrier level: assigning addresses from 100.64.0.0/10 to customers' routers, and then doing their own NAT translation before that traffic reaches the public internet. The result is CGNAT — carrier-grade NAT — where devices in a customer's home are behind two layers of translation. If you ever do a traceroute and see 100.64.x.x or 100.65.x.x in the first hop or two, your ISP is using CGNAT. This range is technically not RFC 1918 "private" — it has its own designation as "shared address space" — but it solves the same fundamental problem one layer up.

IPv6 and private addresses

RFC 1918 is a purely IPv4 concept. The problems it was designed to solve — address scarcity, the need for internal-only ranges — don't exist in IPv6, whose address space is large enough that every device on earth can have its own globally routable address with room to spare.

IPv6 does have an equivalent, though: fc00::/7, the Unique Local Address (ULA) range defined by RFC 4193. Addresses starting with fc or fd are analogous to RFC 1918 private addresses — locally routable, not meant to appear on the public internet, and free for anyone to use internally without coordination. In practice ULA addresses are less commonly deployed than their IPv4 equivalents, partly because IPv6 makes globally routable addresses available to everyone and the whole point is to not need the NAT-and-private-address workaround.

If you want to understand IPv6 addressing in depth — the multiple addresses your device holds simultaneously, what link-local means in that context, and how privacy extensions work — the IPv6 address guide covers it in detail.