Question : Need explanation on a subnet mask issue
Here's the scenario:
Small home network made of 3 PCs and 1 Linksys router for Internet access.
Linksys router IP: 192.168.1.1
PC1 IP address: 192.168.1.10 (mine)
PC2 IP address: 192.168.1.11 (my wife)
PC3 IP address: 192.168.1.150 (my kid)
I've assigned all 3 PCs with: Subnet mask = 255.255.255.128 / Gateway: 192.168.1.1
I've used subnet mask 255.255.255.128 in order to create 2 subnets. PC1 and PC2 are part of the 1st subnet (192.168.1.1-127) while PC3 is on the second subnet (192.168.1.128-255). I'm doing this so that I can somehow isolate my son's PC a little bit more from our 2 machines (I actually got that suggestion from another post in EE earlier this week). So by doing this, he cannot ping our computers from his. Makes me feel a "little" more secure - we are also running Symantec firewall on our PCs.
Now here's the part I don't understand: while PC3 (my kid) is not able to ping addresses 192.168.1.2 to 127 (works as expected), he IS ABLE to ping the router at 192.168.1.1 (not expected), and his Internet access works too. Shouldn't 192.168.1.1 be unreachable from his machine, like addresses 2-127? Or is it because the Gateway IP address defined in his TCP/IP properties takes precedence over the subnet mask?
BTW, I'm quite happy that his Internet works in this scenario, but my understanding of this subnet configuration made me believe initially, when I set this up, that he would not have access to the router / Internet.
Answer : Need explanation on a subnet mask issue
A basic primer on how subnet masks relate to default gateways:
When a PC initiates communication to another host via name, the first step is to resolve the name to an IP address. The PC then performs a logical AND of the destination IP address along with the local netmask. If the result of the AND produces the same destination network as the PC, then the PC checks its ARP cache. If the ARP cache is empty the PC sends an ARP broadcast seeking the MAC address of the target machine, and the packet can then be sent. If the host is remote (the result of the AND'ing results in different network addresses between the PC and the target host) the PC then sends the packet to the default gateway.
In our current society we are using technology to compensate for people's lack of understanding. An example of this is something called "IP Proxy ARP", whereby routers can compensate for incorrectly configured hosts. When an ip proxy-arp enabled router receives an ARP request for a different subnet, it can respond to that request even though the requesting PC is technically on a different subnet. The router is assuming that since it is receiving the broadcast, it should be passing the packet along.
Now in your current config (router has netmask of 255.255.255.0) the router THINKS it is local to PC3, so all packets will be sent without problem FROM the router TO the PC. Provided that your information above is correct (all three PCs have a netmask ending in .128) the only logical conclusion is that your router is proxy arping.
The easiest solution to cut off all internet access for PC3 is to change the netmask on the router to 255.255.255.128 as xrok suggested.
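As an added illustration (not code from the original post or either poster), the AND-and-compare decision the answer describes, run over the addresses given in the question. The 8.8.8.8 destination and the "router view" comparison under each candidate router mask are assumptions added for illustration.

```python
import ipaddress

# Constructed from the question: hosts carry a /25 mask, gateway is the router at .1
PC1, PC3, ROUTER, GATEWAY = "192.168.1.10", "192.168.1.150", "192.168.1.1", "192.168.1.1"
MASK_25 = "255.255.255.128"   # what the three PCs are configured with
MASK_24 = "255.255.255.0"     # what the answer says the router is still using


def network_of(addr: str, mask: str) -> str:
    """Bitwise AND of an address with a netmask, exactly as a host computes it."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(a & m))


def next_hop(src: str, mask: str, dst: str, gateway: str) -> str:
    """Where a host (src, mask) sends a packet for dst: 'direct' means it ARPs for
    dst on the local link; otherwise it hands the packet to the default gateway."""
    if network_of(src, mask) == network_of(dst, mask):
        return "direct"
    return gateway


def pc3_view() -> dict:
    """PC3's forwarding decision for PC1, the router itself, and an Internet host."""
    return {dst: next_hop(PC3, MASK_25, dst, GATEWAY) for dst in (PC1, ROUTER, "8.8.8.8")}


def gateway_on_link(src: str, mask: str, gateway: str) -> bool:
    """Is the configured gateway inside the host's own subnet? For PC3 it is not,
    so PC3 ends up broadcasting an ARP for an address outside its own network."""
    return network_of(src, mask) == network_of(gateway, mask)


def router_sees_pc3_as_local(router_mask: str) -> bool:
    """The router's side of the same AND: with a /24 it treats PC3 as on-link and
    answers the ARP; with a /25 (the suggested fix) it no longer does."""
    return network_of(ROUTER, router_mask) == network_of(PC3, router_mask)


if __name__ == "__main__":
    print("PC3 forwarding:", pc3_view())
    print("PC3 gateway on its own subnet:", gateway_on_link(PC3, MASK_25, GATEWAY))
    for mask in (MASK_24, MASK_25):
        print(f"router mask {mask}: PC3 local? {router_sees_pc3_as_local(mask)}")
```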