What is CIDR notation?

CIDR (Classless Inter-Domain Routing) notation is a compact way to represent an IP address and its associated network mask. It uses the format IP/prefix, where the prefix length (0–32) indicates how many leading bits define the network portion. For example, 192.168.1.0/24 means the first 24 bits are the network address, leaving 8 bits (256 addresses) for hosts.

How do you calculate the number of hosts in a subnet?

The total number of addresses in a subnet is 2^(32 - prefix). For usable host addresses, subtract 2 (network address and broadcast address), so usable hosts = 2^(32 - prefix) - 2. For example, a /24 has 256 total addresses and 254 usable hosts. Exceptions: a /31 has 2 usable hosts (point-to-point links, RFC 3021), and a /32 represents a single host.

What is a wildcard mask?

A wildcard mask is the bitwise inverse of a subnet mask. Where a subnet mask has 1s for network bits and 0s for host bits, a wildcard mask flips them: 0s for network bits and 1s for host bits. They are commonly used in access control lists (ACLs) on routers and firewalls. For example, a /24 subnet mask of 255.255.255.0 has a wildcard mask of 0.0.0.255.

Subnet Calculator

Calculate network addresses, convert IP ranges to CIDR blocks, and check subnet membership. Free, client-side, no data sent to any server.

Prefix

/24

Total Addresses

256

Usable Hosts

254

IP Class

Addresses

Network

192.168.1.0

Broadcast

192.168.1.255

First Host

192.168.1.1

Last Host

192.168.1.254

IP Range

192.168.1.0 – 192.168.1.255

Masks

Subnet Mask

255.255.255.0

Wildcard

0.0.0.255

Hex Mask

0xffffff00

Type

Private (RFC 1918)

Binary Representation24 network bits / 8 host bits

network (24)

host (8)

Network portion

Host portion

Address11000000.10101000.00000001.00000000192.168.1.0

Netmask11111111.11111111.11111111.00000000255.255.255.0

Wildcard00000000.00000000.00000000.111111110.0.0.255

Is this range attacking your infrastructure? Check any IP against our threat database.

IP Lookup

What Is a Subnet Calculator?

A subnet calculator takes a CIDR block like 10.0.0.0/8 and breaks it down into its network address, broadcast address, usable host range, subnet mask, and wildcard mask. It’s essential for network engineers configuring routers, firewalls, and access control lists — and for security teams scoping which addresses fall within monitored ranges.

This calculator runs entirely in your browser. No data is sent to any server. It supports all IPv4 prefix lengths from /0 to /32, including iptables and Fail2Ban configurations where CIDR notation is used to define blocked or allowed ranges.

How CIDR Notation Works

CIDR (Classless Inter-Domain Routing) replaced the old class-based system (Class A/B/C) in 1993. Instead of fixed 8-, 16-, or 24-bit boundaries, CIDR lets you define a network with any prefix length from 0 to 32. The prefix tells you how many leading bits are the network portion; the remaining bits are for host addresses.

The formula is straightforward: a /n prefix gives you 2³²⁻ⁿ total addresses. Subtract 2 for the network and broadcast addresses, and you get usable hosts. A /24 gives 254 usable hosts, a /28 gives 14, and a /32 is a single host. The special case /31 (RFC 3021) provides 2 usable addresses for point-to-point links.

Prefix	Subnet Mask	Addresses	Usable Hosts
/8	255.0.0.0	16,777,216	16,777,214
/16	255.255.0.0	65,536	65,534
/24	255.255.255.0	256	254
/28	255.255.255.240	16	14
/30	255.255.255.252	4	2
/32	255.255.255.255	1	1

Using Subnet Calculations for Security

Subnet calculations are foundational to network security. When you receive a threat intelligence report about a malicious IP range, you need to know which CIDR blocks to feed into your firewall rules. Use our IP threat lookup to check whether a specific address has been observed attacking our global honeypot network, or browse top attacking IPs to see which addresses are most active.

If you’re working with Fail2Ban, iptables, or Nginx deny lists, this calculator helps you convert between IP ranges and CIDR blocks — a common task when translating incident reports into actionable firewall rules.

For programmatic access, our IP check API lets you query individual IPs or ranges directly from your scripts. Protect entire networks with SikkerGuard, or monitor your infrastructure ranges with range alerts that notify you when IPs in your subnets appear in attack traffic. Browse top attacking IPs, detection patterns, or targeted emails for a broader view of the threat landscape.

Get started free View pricing