6

I'm attempting to learn to set up Wireguard properly (not just by copy-pasting). I've come across this line on the quickstart page:

ip address add dev wg0 192.168.2.1/24

Reading the man page for ip, it appears that address add assigns the given address to the given device. That makes sense, except that the example address includes a CIDR mask. I'm struggling to wrap my head around what this means in this context and my google-fu is failing me.

Are we saying we want the address to be 192.168.2.0, or... I don't even know. What else could it mean?

EDIT: Wait, I just realised this could be a way of specifying the subnet. Maybe this is obvious to Linux people but I'm a Windows guy and in the Windows GUI you specify subnet mask separately to IP. I'll leave this question here though in case I'm wrong.

Clonkex
  • 165

5 Answers

5

ip address add dev wg0 192.168.2.1/24

That adds the IP address 192.168.2.1 to the indicated interface, with a subnet mask of /24 or 255.255.255.0. The possible IP addresses for wg clients are 192.168.2.2 through 192.168.2.254.

Essentially, the /24 defines the maximum number of clients that may connect simultaneously.

Zac67
  • 13,684
3

You are right, this is the UNIX/Linux (and probably other operating systems') way to define the IP address and netmask in one record. The decoding is:

192.168.2.1/24

This is the IP address

192.168.2.1

This defines the number of constant bits of the IP address:

24

For example, if it's 16 you have the constant 192.168 and the rest is variable.

Romeo Ninov
  • 6,677
1

CIDR denotes the subnet mask. Most of the people find it difficult to work with CIDR values unless it's a round number like 8,16,24,32.

You can use this website to get a better understanding

Many network admins use this.

Criggie
  • 2,328
  • 15
  • 27
biplab
  • 57
1

In IPv4, you have:

  • Addresses, which are 32-bit identifiers, usually represented in the "dotted quad" representation, like 192.168.1.2.
  • Networks, which are a range of IP addresses, and are defined by a start address and a netmask.

The netmask is used as a 32-bit value, but its binary representation will always start with 0 or more 1 bits, and the rest will be 0 bits.

Being a 32-bit value like an IP address, it used to be the norm to represent netmasks like IP addresses, using the "dotted-quad" notation, like 255.255.240.0.

But this is a lot of data to type when there are only 33 possible values (see below), and more recently people just give the number of "1" bits, also called the "prefix length".

255.255.240.0 in binary is 11111111 11111111 11110000 00000000, i.e. 20 "1" bits and 12 "0" bits.

So instead of using the pretty long 255.255.240.0 notation, one will just give the prefix length: 20.

The prefix-length is usually appended to the end of the start IP address, separated by a /.

So the following are different representations of the same network:

  • 10.1.16.0 netmask 255.255.240.0 (start address + netmask)
  • 10.1.16.0/20 (start address + prefix length)
  • 10.1.16.0 - 10.1.31.255 (start and end addresses)

An IP address, per se, does not have a subnet mask or prefix length, but to configure an interface you need to define not only the IP address, but also the network (as this is required to know which other addresses are on the same network, or need to be sent to the gateway for further routing).

Given the subnet mask (or prefix length) and the IP address, one can find the network (just "AND" the binary representation of the IP address and the subnet mask, and you'll get the starting IP).

So:

  • 192.168.2.1/24
  • 192.168.2.1 netmask 255.255.255.0

both mean:

  • The IP address is 192.168.2.1
  • The network is 192.168.2.0/24, also known as 192.168.2.0 netmask 255.255.255.0, also known as the 192.168.2.0 - 192.168.2.255 range.

Here are the equivalents between prefix lengths and netmasks, and the associated network size:

/0  0.0.0.0         the whole IP address space, over 4 billion values
/1  128.0.0.0       half of it, over 2 billion values
/2  192.0.0.0       half again, over 1 billion values
/3  224.0.0.0       over 536 million
/4  240.0.0.0       over 268 million
/5  248.0.0.0       over 134 million
/6  252.0.0.0       over 67 million
/7  254.0.0.0       over 33 million
/8  255.0.0.0       over 16 million
/9  255.128.0.0     over 8 million
/10 255.192.0.0     over 4 million
/11 255.224.0.0     over 2 million
/12 255.240.0.0     over 1 million
/13 255.248.0.0     524288
/14 255.252.0.0     262144
/15 255.254.0.0     131072
/16 255.255.0.0     65536
/17 255.255.128.0   32768
/18 255.255.192.0   16384
/19 255.255.224.0   8192
/20 255.255.240.0   4096
/21 255.255.248.0   2048
/22 255.255.252.0   1024
/23 255.255.254.0   512
/24 255.255.255.0   256
/25 255.255.255.128 128
/26 255.255.255.192 64
/27 255.255.255.224 32
/28 255.255.255.240 16
/29 255.255.255.248 8
/30 255.255.255.252 4
/31 255.255.255.254 2
/32 255.255.255.255 1

Note that on an Ethernet LAN (and some other similar networks), the first and last address of a network are reserved.

/31s are a special case used for point-to-point links on routers which support it.

/32s designate a single IP address, so they have specific use-cases (anycast, router IDs in networks using unnumbered interfaces...).

jcaron
  • 1,257
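
As an added example that is not part of any answer above, the following Python does by hand what jcaron's answer describes (AND the address with the mask to get the network, derive the broadcast and host range, regenerate the prefix/netmask table) and what Zac67's answer states about the 192.168.2.x client range; it also answers the "is this other address on my network, or does it go to the gateway?" question from the same answer. The function names and the cross-check against the standard library `ipaddress` module are this example's own choices, not anything from the page.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF  # a 32-bit mask with every bit set


def parse_cidr(text):
    """Split 'a.b.c.d/n' into (address as a 32-bit int, prefix length)."""
    addr_str, _, prefix_str = text.partition("/")
    prefix = int(prefix_str) if prefix_str else 32
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length must be 0..32, got {prefix}")
    return int(ipaddress.IPv4Address(addr_str)), prefix


def prefix_to_netmask(prefix):
    """/n -> mask with the top n bits set, e.g. /20 -> 0xFFFFF000 (255.255.240.0)."""
    return (ALL_ONES << (32 - prefix)) & ALL_ONES


def dotted(value):
    """32-bit int -> dotted-quad string."""
    return str(ipaddress.IPv4Address(value))


def describe(text):
    """Everything 'ip address add' derives from one address/prefix record."""
    addr, prefix = parse_cidr(text)
    mask = prefix_to_netmask(prefix)
    network = addr & mask                    # the "AND" step from the answer
    broadcast = network | (~mask & ALL_ONES)  # host bits all set to 1
    size = 1 << (32 - prefix)
    # On an Ethernet-style LAN the first (network) and last (broadcast)
    # addresses are reserved; /31 and /32 are the special cases with no reservation.
    if prefix >= 31:
        usable, first_host, last_host = size, network, broadcast
    else:
        usable, first_host, last_host = size - 2, network + 1, broadcast - 1
    return {
        "address": dotted(addr),
        "prefix": prefix,
        "netmask": dotted(mask),
        "network": f"{dotted(network)}/{prefix}",
        "broadcast": dotted(broadcast),
        "first_host": dotted(first_host),
        "last_host": dotted(last_host),
        "size": size,
        "usable": usable,
    }


def same_network(cidr, other):
    """True if `other` is on-link for an interface configured with `cidr`
    (i.e. reachable directly), False if it would be sent to the gateway."""
    addr, prefix = parse_cidr(cidr)
    mask = prefix_to_netmask(prefix)
    return (int(ipaddress.IPv4Address(other)) & mask) == (addr & mask)


def netmask_table():
    """Rows of (prefix, dotted netmask, network size) for /0 .. /32."""
    return [(p, dotted(prefix_to_netmask(p)), 1 << (32 - p)) for p in range(33)]


def check_against_stdlib(text):
    """Cross-check the hand-rolled arithmetic with the ipaddress module."""
    iface = ipaddress.IPv4Interface(text)
    ours = describe(text)
    return (ours["netmask"] == str(iface.netmask)
            and ours["network"] == str(iface.network)
            and ours["broadcast"] == str(iface.network.broadcast_address))


if __name__ == "__main__":
    for key, value in describe("192.168.2.1/24").items():
        print(f"{key:>10}: {value}")
    print(same_network("192.168.2.1/24", "192.168.2.200"))  # on-link
    print(same_network("192.168.2.1/24", "192.168.3.7"))    # via gateway
    for prefix, mask, size in netmask_table():
        print(f"/{prefix:<2} {mask:<15} {size}")
```

Running it reproduces the table in the answer above and shows that 192.168.2.1/24 on wg0 puts the interface in 192.168.2.0/24 with hosts 192.168.2.1 through 192.168.2.254, of which .1 is the interface itself.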
1

It's a bit concerning when you don't know what CIDR is when trying to configure WireGuard. CIDR is a term in IP subnetting, and refers to the basics of IP subnetting. CIDR (Classless Inter-Domain Routing) notation is used rather than the common subnet mask 255.x.x.x when configuring addresses and networks. https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing

The CIDR notation combines the IP address and the subnet mask into a single concise format. The format is represented as follows: IP_address/Prefix_Length. IP_address: This is the specific IP address.

Prefix_Length: This indicates the number of bits set to 1 in the subnet mask. It determines the size of the network and the number of available IP addresses within that network.

For example, consider the CIDR notation "192.168.1.0/24":

  • The IP address is "192.168.1.0."
  • The prefix length is "/24," which means the first 24 bits are used for the network portion, leaving 8 bits for individual host addresses within that network.

So, in this example, the CIDR notation "192.168.1.0/24" represents a network with IP addresses ranging from 192.168.1.0 to 192.168.1.255, where the last octet (8 bits) is available for host addresses.

I would recommend watching a basic IP networking course/basic IP subnetting on YouTube, especially when configuring WireGuard, so you understand the basics that are the foundation of a VPN and WireGuard https://youtu.be/CMdkW3agFn0?si=SX_hKoTDbwerxfSI

Edit: In terms of the add command, it has logic to translate a CIDR mask to a proper network adapter config, or logic to translate a config with a CIDR mask to a proper IP address assignment for an interface.

Turdie
  • 2,945