What is a Subnet Mask?

A subnet mask is one of the three essential numbers every device on a network needs, alongside an IP address and a default gateway. You see it in network settings as something like 255.255.255.0, and most people skip right past it. But the subnet mask controls something fundamental: it tells your device which other devices it can talk to directly and which ones require routing through a gateway.

Without a properly configured subnet mask, your computer cannot determine whether the device it wants to reach is sitting on the same local network or located somewhere across the internet. That one distinction drives every routing decision your device makes.

How a Subnet Mask Splits an IP Address

A subnet mask works by dividing an IP address into two parts: the network portion and the host portion. The network portion is shared by every device on the same subnet. The host portion is unique to each device within that subnet.

Take the IP address 192.168.1.45 with a subnet mask of 255.255.255.0. The mask says: the first three octets (192.168.1) are the network, and the last octet (.45) is the host. Every device with an IP address starting with 192.168.1.x is on the same local subnet and can communicate directly without going through a router.

In binary, the subnet mask 255.255.255.0 looks like this: 11111111.11111111.11111111.00000000. The 1s represent the network bits. The 0s represent the host bits. Your device performs a bitwise AND operation between the IP address and the subnet mask to extract the network address. If two devices produce the same network address after this operation, they are on the same subnet.

For the address 192.168.1.45 with mask 255.255.255.0:

• Network address: 192.168.1.0
• Broadcast address: 192.168.1.255
• Usable host range: 192.168.1.1 through 192.168.1.254
• Total usable hosts: 254

The first address in the range is reserved as the network identifier, and the last is reserved as the broadcast address. That is why you lose two addresses from the theoretical total of 256.

Common Subnet Masks and Their Sizes

Subnet masks come in different sizes, and each one carves out a different number of host addresses. The most common masks for home and small business networks are well established.

255.255.255.0 (/24) is by far the most common home network mask. It provides 254 usable addresses, which is more than enough for a typical household. Your router almost certainly uses this as its default.

255.255.0.0 (/16) provides 65,534 usable addresses. Corporate networks and data centres use this when they need large flat networks. The entire 192.168.0.0 to 192.168.255.255 private address range fits within a single /16 subnet.

255.0.0.0 (/8) provides over 16 million usable addresses. The 10.0.0.0/8 private range uses this mask. Cloud providers and very large enterprise networks deploy /8 subnets.

255.255.255.128 (/25) splits a standard /24 in half, giving 126 usable addresses per subnet. Network administrators use this to segment departments or separate guest Wi-Fi from internal traffic.

255.255.255.252 (/30) provides exactly 2 usable addresses. This is standard for point-to-point links between two routers, where only two devices need to communicate on the link.

Each step up in mask size halves the number of available host addresses while doubling the number of possible subnets you can create within a larger block.

CIDR Notation: The Shorthand

Writing out full subnet masks is tedious. CIDR (Classless Inter-Domain Routing) notation provides a compact alternative. Instead of writing 255.255.255.0, you write /24. The number represents how many consecutive bits in the mask are set to 1.

CIDR notation attaches directly to an IP address: 192.168.1.0/24 describes both the network address and the mask in one expression. This is how network engineers, firewall rules, and routing tables represent subnets.

Converting between the two formats is straightforward. Count the number of 1-bits in the mask’s binary representation:

• 255.0.0.0 = 8 ones = /8
• 255.255.0.0 = 16 ones = /16
• 255.255.255.0 = 24 ones = /24
• 255.255.255.128 = 25 ones = /25
• 255.255.255.192 = 26 ones = /26
• 255.255.255.252 = 30 ones = /30

For a deeper look at how CIDR changed IP addressing and how to calculate host counts from any prefix length, see the CIDR notation guide.

How Your Router Uses the Subnet Mask

Your router relies on the subnet mask for its most basic function: determining where to send each packet. Every time your device generates traffic, the subnet mask drives a simple but critical decision tree.

When your laptop (192.168.1.45/24) wants to reach 192.168.1.1 (your router’s LAN address), it applies the subnet mask and finds that 192.168.1.1 is on the same /24 network. The traffic is delivered directly on the local network using the destination device’s MAC address, resolved via ARP (Address Resolution Protocol).

When your laptop wants to reach 8.8.8.8 (Google’s DNS server), it applies the subnet mask and finds that 8.8.8.8 is not on the 192.168.1.0/24 network. The traffic must leave the local network. Your laptop sends the packet to the default gateway (your router at 192.168.1.1), which then forwards it toward the destination across the internet.

This local-vs-remote determination happens for every single packet. It is the reason you configure a subnet mask, a default gateway, and a DNS server when setting up a static IP. With DHCP (which most home networks use), the router sends all three values to your device automatically, so you never have to think about it.

If a device gets the wrong subnet mask, problems follow quickly. A mask that is too small (like /25 instead of /24) will make the device think some local devices are on a different network, and it will try to route local traffic through the gateway. A mask that is too large (like /16 instead of /24) will make the device think remote addresses are local, and it will try to reach them directly via ARP, which will fail.

Subnetting for Home Users

Most home networks run a single flat subnet with a /24 mask, and that works perfectly fine for 10, 20, or even 100 devices. There is rarely a reason to change it.

That said, some home users split their network into multiple subnets for security or organization. A common setup is putting IoT devices (smart thermostats, cameras, voice assistants) on a separate subnet from computers and phones. This limits the damage if a compromised IoT device tries to attack other devices on the network.

To create multiple subnets at home, you need a router that supports VLANs (Virtual LANs) or multiple DHCP scopes. Some consumer mesh systems and most prosumer routers offer this. You might run 192.168.1.0/24 for trusted devices and 192.168.2.0/24 for IoT, with firewall rules controlling what traffic can pass between them.

The subnet mask in each case defines the boundary. Devices on one subnet cannot see devices on the other subnet without routing through the gateway. That isolation is the whole point of subnetting, whether you are securing a home network or segmenting a corporate campus with thousands of employees.