09-06-2022 05:17 PM
Hey,
This properly confuses me every time I look at it. Is anyone able to explain in very simple terms how to work out what the mask should be?
For example: We have an IP scheme that looks like 10.x.128.0/24 where the x changes for each site. We have been using an IP Wildcard address object of 10.128.128.0/0.127.127.255 which seems to have been working for sites 10.[128-201].128.0/24 but now we have a site that uses 10.224.128.0/24 and the wildcard address object does not seem to match it.
What is our address object of 10.128.128.0/0.127.127.255 actually covering?
How can I understand easily how to work out what a mask should be?
Thanks!
Shannon
11-21-2022 07:51 AM
It's not quite as easy as it may seem with the wildcard mask you're using. You need to understand how the wildcard mask works to figure out which subnets will be matched.
If your wildcard mask was 0.127.255.255, then everything from 10.128.128.0-10.255.255.255 would match. But your mask is 0.127.127.255, which means some subnets are not going to match in that range.
You'll need to do some binary comparisons to figure out what matches and what doesn't. The matching logic is opposite of subnet masking.
11-21-2022 10:14 AM
Yeah thanks - this is my challenge. I am wanting to find an easy/repeatable way of working out what a mask covers, and also what mask would be required to cover a certain range.
Any tips or tools that can be used to do this easily without going through and trying to work out binary and correlating it?
11-22-2022 06:33 AM
Online calculators don't provide for unusual wc masks like you have. I don't know of any that would make it easier in this case.
Do you know why it was set this way originally? Any reason you can't change to 0.127.255.255, which would simplify knowing what would match? Or you could create a new object that will match 10.224+.
How is that object being used? You're matching on a lot of potentially unnecessary addresses.
11-22-2022 09:30 AM
Yeah, that is the challenge; we're not just trying to match on standard CIDRs, so the traditional calculators don't seem to cover our scenarios.
We have a number of sites that use a common scheme for IP addresses, and we are wanting to use these wildcards to accurately match traffic for all sites without needing to create individual objects for each site/network. e.g.
Site A:
Corp Clients = 10.224.10.0/24
Corp WiFi = 10.224.88.0/24
Corp Security = 10.224.26.0/24
SCADA = 10.224.128.0/24
PLC = 10.224.129.0/24
Management = 10.224.3.0/24
etc x 20ish
Site B:
Corp Clients = 10.225.10.0/24
Corp WiFi = 10.225.88.0/24
Corp Security = 10.225.26.0/24
SCADA = 10.225.128.0/24
PLC = 10.225.129.0/24
Management = 10.225.3.0/24
etc x 20ish
So the 2nd Octet changes for each site, but the 3rd octet is always the same. We want wildcard masks that match the different address objects (10.x.10.0/24, 10.x.88.0/24) etc. so we only need one address object in the policies for all sites, rather than creating 50-100 address objects for each network to cover all the sites.
To complicate it further we only want to look at addresses where the 2nd octet is 128-255 as lower numbers are unrelated to this use case.
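A repeatable way to do the binary comparison discussed in this thread, as an added example that is not part of any post here. It assumes the usual wildcard semantics (a 1 bit in the mask is "don't care", a 0 bit must equal the base address); the function names and the sample addresses are constructed for illustration.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def matches(addr, base, wildcard):
    """Assumed semantics: wildcard bit 1 = don't care, bit 0 = must equal base."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def octet_values(base, wildcard):
    """For each octet, every value the object accepts (octets are independent)."""
    pairs = zip(ipaddress.IPv4Address(base).packed,
                ipaddress.IPv4Address(wildcard).packed)
    return [[v for v in range(256) if ((v ^ b) & ~w & 0xFF) == 0]
            for b, w in pairs]

def describe(base, wildcard):
    """Per-octet summary. If count != max - min + 1 the set has gaps."""
    return [f"{len(v)} values, {v[0]}-{v[-1]}"
            for v in octet_values(base, wildcard)]

def derive(samples):
    """Tightest single wildcard object that matches every sample address:
    any bit that differs between two samples becomes a don't-care bit."""
    ints = [to_int(s) for s in samples]
    wild = 0
    for i in ints:
        wild |= i ^ ints[0]
    base = ints[0] & ~wild & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(wild))

if __name__ == "__main__":
    # Object from the thread: octets 2 and 3 each accept 128-255.
    print(describe("10.128.128.0", "0.127.127.255"))
    # Constructed samples: first and last host of 10.x.128.0/24, x = 128..255.
    samples = [f"10.{x}.128.{h}" for x in range(128, 256) for h in (0, 255)]
    base, wild = derive(samples)
    print(base, wild, describe(base, wild))
```

Feed `derive` every site value rather than just the first and last: the mask is built from the bits that differ between samples, so two endpoints alone can produce a set with gaps.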