Stop Googling It: How to Tell If an IP Address Is Public or Private
"Cloud security Engineer ☁️ | Writing about security & cloud topics ✍️ | Let's connect and dive into the exciting world of security and the cloud! ✨"
In the past, I have had difficulty understanding when an IP address is public or private, and I end up doing a Google search for every IP address I encounter.
Although it's easier to understand the meaning of the concept literally, and what it means in computer networking. But when an address like "203.0.113.45" is used, I could not figure out which one it was.
And that is the focus of the article: the guide here explains how to differentiate IP addresses in a simplified manner.
Which one is it?
In simple words, the real skill is in memorizing the exclusions. If you can get past that hurdle, then it gets easier to know the differences.
Let's dive into the exclusions.
Major/common exclusions
The first Rule is that there are only three specific reserved blocks for Private IP addresses (
10.x.x.x,172.16.x.x,192.168.x.x).
There are exactly three of them:10.0.0.0to10.255.255.255172.16.0.0to172.31.255.255192.168.0.0to192.168.255.255
Now we have the muscle memory of the private ip addresses.
2. Second Rule: is the loopback address, the 127.x.x.x which falls under the range 127.0.0.0 to 127.255.255.255
This is referred to as "localhost"; this address simply means "talk to myself".
It allows a device to test its own network configuration and communicate with locally hosted services without sending data over a physical network or the internet.
So it never goes anywhere near the internet. It's not private, and it's definitely not public; it's its own category.
most times, we tend to use the first one which is the most popular loopback address
127.0.0.1but that's not the only one we have.
3. Third Rule: The Automatic Private IP Addressing (APIPA), also known as link-local addressing, has a reserved block 169.254.x.x
Oftentimes, people confuse it for a type of private address, but it's different.
Because for private addresses, you have an option of using a NAT Gateway when you have to communicate with the internet, but with APIPA, it's not possible.
The APIPA address is a networking feature that indicates that something is wrong, and it is also a fallback mechanism.
Here's the scenario: your laptop connects to Wi-Fi, but for some reason it can't reach the DHCP server (the thing that's supposed to hand it a real IP address, like
192.168.1.23). The laptop still needs some address to function on the local network — so it makes one up.
Therefore, addresses within the range 169.254.0.0 - 169.254.255.255 are an APIPA address.
When Will You See It
Your router or DHCP server is turned off or malfunctioning.
There are loose Ethernet cables, bad Wi-Fi credentials, or hardware issues preventing your device from reaching the router.
There is a misconfigured or restrictive firewall blocking the DHCP, etc.
In most cases, restarting the network fixes the address drift.
Other exclusions
The Multicast address
one sender → a specific group of receivers who opted in to listen, without sending separate copies to each one.
An example is a video conferencing or live IPTV streaming. Instead of the server sending 1,000 separate copies of a video stream to 1,000 viewers (wasteful), it sends one stream to a multicast address (like230.0.0.1), and the network itself handles delivering that one stream to every device that's subscribed to it.
It falls under the range224.0.0.0 - 239.255.255.255Reserved/future-use :
Just as the name suggests, these are classes of IP addresses reserved but never actually activated for use, it's not usable on any real network, public or private.
It has a reserved block240.x.x.xand falls under the range240.0.0.0 - 255.255.255.255Documentation/Test-Net:
The Internet Assigned Numbers Authority (IANA) reserved three specific/24blocks purely for use in documentation and examples. These addresses are guaranteed to never be assigned to anyone, ever.
They exist solely so writers (like you and me) can use them safely in articles, RFCs, and textbooks, knowing they'll never collide with a real device.-
192.0.2.0/24
-198.51.100.0/24
-203.0.113.0/24CGNAT (Carrier-Grade NAT) address :
Internet service Providers (ISPs) ran into the problem of having more customers than the available IPv4 addresses to hand out.
It is an ISP-level scaling-up of regular NAT, so that many customers (each doing their own separate, unrelated browsing) can share a limited pool of public IPs.
So instead of giving each customer's router a public IP like before, the ISP puts thousands of customers behind shared infrastructure, using this special reserved block100.64.0.0/10
This falls under the range100.64.0.0 - 100.127.255.255
Public IP Addresses
There's no list to memorize for "public."
Everything else, every single IP address that is not inside any of the above categories, falls under a Public IP address.
How will I remember all these?
Personally, I find it easier to remember them when I use CIDR notation. This makes it easy to determine the ranges.
Before diving in, here's the foundation:
A full IPv4 address is 32 bits, split into 4 octets of 8 bits each (8 × 4 = 32). So when you see a CIDR number like /4, /12, or /24 That number tells you exactly how many of those 32 bits are "fixed," counting from the left. Since each octet is 8 bits, /4 falls entirely within the first octet (because 4 is less than 8), while something like /12 spills over into the second octet (8 bits from the first octet, plus 4 more from the second)
Let's do a quick example using the multicast address (224.0.0.0/4) to understand what that means.
224.0.0.0/4 — take the first octet, 224, in binary: 11100000.
/4 means only the first 4 bits are fixed. Split it:
1110 0000
Left 4 bits (fixed):
1110Right 4 bits (free to vary):
0000
Your turn: lock in 1110 and attach the smallest possible last-4-bits (0000), then the largest possible (1111). Write out both full 8-bit numbers, convert each to decimal, and tell me what range that gives you for the first octet.
1110 and 0000 = 11100000 (smallest possible combination)
1110 and 1111 = 11101111 (largest possible combination)
in octet format (8 bit) : 11100000 - 11101111
in decimal format : 224 - 239
Answer: With that in mind, you have the range 224.0.0.0 - 239.255.255.255
available as the multicast address.
Using this format, all you need is to know the CIDR notation for each of the exclusions, and you can do the CIDR math to get their range.
The Summary Table
| CIDR Notation | Range | Type of Address |
|---|---|---|
| 10.0.0.0/8 | 10.0.0.0 - 10.255.255.255 | Private |
| 172.16.0.0/12 | 172.16.0.0 - 172.31.255.255 | Private |
| 192.168.0.0/16 | 192.168.0.0 - 192.168.255.255 | Private |
| 127.0.0.0/8 | 127.0.0.0 - 127.255.255.255 | Loopback |
| 169.254.0.0/16 | 169.254.0.0 - 169.254.255.255 | Link-local (APIPA) |
| 224.0.0.0/4 | 224.0.0.0 - 239.255.255.255 | Multicast |
| 240.0.0.0/4 | 240.0.0.0 - 255.255.255.255 | Reserved/Future use |
| 100.64.0.0/10 | 100.64.0.0 - 100.127.255.255 | CGNAT shared space |
| 192.0.2.0/24 | 192.0.2.0 - 192.0.2.255 | Documentation/Test-Net |
| 198.51.100.0/24 | 198.51.100.0 - 198.51.100.255 | Documentation/Test-Net |
| 203.0.113.0/24 | 203.0.113.0 - 203.0.113.255 | Documentation/Test-Net |
FAQ
A quick question for you:
If you have a network in your house, your router, laptop, phone, etc., and a completely separate network in someone else's house on the other side of the world, what would happen if both networks decided, independently, to use the address 192.168.1.1 for their router?
Answer:
That is a private IP address, and they are unique only within a network, so if another network completely in a different country is using it in its own network, there will not be any clash.
Another one:
The intro of this article referenced this IP address, 203.0.113.45 With what you have learned so far, what IP address is it?
Answer:
It is neither a private nor a public address; instead, it falls within 203.0.113.0/24, which is one of the three reserved Documentation/Test-Net blocks (IANA set these aside specifically so writers can use example IPs without risk of colliding with a real device).
