Firewall Rule: Allow Office IP Range
Convert an office IP address range to CIDR notation for firewall rules. Learn best practices for allowlisting corporate IP ranges in network ACLs.
Detailed Explanation
Converting Office IP Ranges for Firewall Rules
When configuring firewalls, VPN gateways, or cloud security groups, you need to express your office's IP range in CIDR notation. ISPs typically assign a contiguous block of IPs to businesses, but the range may not align to a single CIDR block.
Example: Small Office
ISP Assignment: 198.51.100.64 - 198.51.100.95
CIDR: 198.51.100.64/27
Addresses: 32
A /27 is common for small offices: it provides 32 IP addresses (30 usable as host addresses). A firewall rule written for the /27 matches all 32.
Example: Non-Aligned Range
ISP Assignment: 198.51.100.10 - 198.51.100.50
Results:
198.51.100.10/31 (2 IPs)
198.51.100.12/30 (4 IPs)
198.51.100.16/28 (16 IPs)
198.51.100.32/28 (16 IPs)
198.51.100.48/31 (2 IPs)
198.51.100.50/32 (1 IP)
Total: 41 IPs, 6 CIDR blocks
Non-aligned ranges often require multiple CIDR blocks. Each block must be added as a separate firewall rule.
Best Practices
- Use the minimal set: This tool calculates the minimum number of CIDR blocks
- Avoid over-permitting: Don't round up to a larger CIDR (e.g., /24) just for convenience
- Document the mapping: Keep a record of which CIDR blocks map to which office locations
- Review regularly: Office IP ranges can change when ISPs re-assign addresses
- Use batch mode: When updating multiple office locations at once
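The conversion in the two examples above, and the cost of the /24 round-up that the best practices warn against, can be reproduced with the following added example. It is not this tool's own code; the function names `range_to_cidrs` and `extra_addresses` are made up for the illustration, and it handles IPv4 only.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Minimal list of IPv4 CIDR blocks covering exactly first..last inclusive."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is above range end")
    blocks = []
    while lo <= hi:
        # Largest block that may start at lo is set by lo's alignment
        # (its lowest set bit); address 0 is aligned to every size.
        size = lo & -lo if lo else 1 << 32
        # Shrink until the block no longer runs past the end of the range.
        while size > hi - lo + 1:
            size >>= 1
        prefix = 32 - (size.bit_length() - 1)
        blocks.append(ipaddress.IPv4Network((lo, prefix)))
        lo += size
    return blocks

def extra_addresses(rounded, first, last):
    """Addresses a single rounded-up CIDR admits beyond the assigned range."""
    net = ipaddress.IPv4Network(rounded)
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo not in net or hi not in net:
        raise ValueError(f"{net} does not cover the whole range")
    return net.num_addresses - (int(hi) - int(lo) + 1)

if __name__ == "__main__":
    # Ranges taken from the two examples on this page.
    for first, last in [("198.51.100.64", "198.51.100.95"),
                        ("198.51.100.10", "198.51.100.50")]:
        blocks = range_to_cidrs(first, last)
        print(f"{first} - {last}: {len(blocks)} block(s)")
        for b in blocks:
            print(f"  {b} ({b.num_addresses} IPs)")
        print("  extra addresses if rounded to 198.51.100.0/24:",
              extra_addresses("198.51.100.0/24", first, last))
```

For the non-aligned range, rounding up to 198.51.100.0/24 would allow 215 addresses that the ISP never assigned to the office.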
Common Firewall Platforms
| Platform | CIDR Format |
|---|---|
| iptables | -s 198.51.100.64/27 |
| AWS Security Group | Source: 198.51.100.64/27 |
| Azure NSG | Source: 198.51.100.64/27 |
| Palo Alto | 198.51.100.64/27 in address object |
| pfSense | Network: 198.51.100.64/27 |
Use Case
A systems administrator receives the office's public IP assignment (198.51.100.64 - 198.51.100.95) from the ISP and needs to create a firewall rule that allows SSH access from the office to production servers. They convert the range to 198.51.100.64/27.