I’ll share some basics here:
All computers and devices on a network are each called a host. Each must
have a unique IP address just like each house has a unique address.
IP addresses are broken into the older IP version 4 (IPv4) which has
four numbers separated by a period ‘.’ like this 8.8.8.8.
Each number must be in the range of 0 to 255, but no host can have an IP
that ends on 0 or 255.
There are three main ranges of IP addresses which will not be routed
(forwarded) across the internet. These ranges are intended to be used in
local networks, which in practice means you can have a number of
computers with their own IP address on your network without it being
open to the world.
In other words these ranges will not work across the internet and are a
direct solution to not wanting to give up a “routeable” address for each
internal device. Otherwise the available IP addresses would be used up
very rapidly by large corporations. Plus, this way we have a layer of
security. There is a technology called Network Address Translation (NAT)
which ensures internal communication traveling from the inside of a
network to the outside is properly tracked.
The three ranges are:
10.0.0.0 – 10.255.255.255 with 16,777,216 IPs
172.16.0.0 – 172.32.255.255 with 1,048,576 IPs
192.168.0.0 – 192.168.255.255 with 65,536 IPs
There is an address for all computers to test networking without needing a
network card which is 127.0.0.1. It is called the loopback device.
The new IP version is called IPv6 and in theory allows for 2 to the
power of 128 (128 digits) versus IPv4 which only has about 4.3 billion
addresses. I’m not going into the details of it here.
A network that is under another one or is internal is generally referred
to as a subnet.
Each network reserves a few IPs for its own use:
For a network able to use all 256 addresses on a subnet, for example, 192.168.1.0 is called the network address, which obviously is the beginning of it.
Usable addresses then would be 1 through 254, except that the first
usable one is usually the gateway to the network “above” it. So .1 is
usually reserved as the gateway IP.
Then the last IP is usually the broadcast address. The purpose of that
is that when a device needs to reach another computer and does not know
who has the IP, it sends out a broadcast asking “who has (IP)?”, which is
sent to the .255 address. The gateway will then answer.
192.168.1.0 is the network IP
192.168.1.1 is the gateway
192.168.1.255 is the broadcast IP
We humans have a hard time tracking IP addresses so a system was
designed to allow us to use names instead. A server function called
Domain Name Server (DNS) translates the name to an IP address which is
needed to actually reach another computer.
Now, for a computer to save time and not bother the DNS with questions
it could answer itself, a network mask was created, which by its design
can tell whether the computer you are trying to reach is on the local
network or needs to be sent to the gateway server to figure out. (And if
it does not know, it sends it up to its gateway, and so on.)
It is called a subnet mask and for the above example it would look like
this: 255.255.255.0. Thereby the computer knows that any host on 192.168.1.0-192.168.1.255 can be sent to directly; anything else would need to be sent to the gateway, 192.168.1.1, for it to forward up the line.
Due to criminal elements online it is crucial that you have layers of
security. The first layer is called a border firewall. Other layers can
be local firewalls on each computer, educated users on what to do and
not do, log files that are monitored, security patches applied in a
timely fashion (immediately) and so on.
You do NOT need a separate subnet for VMs unless you WANT to have it. I
rarely do it. But if you do then simply assign IPs for the VMs that are
on the same subnet. If they need to go outside that subnet then make
sure you have a gateway assigned which sits across both subnets. That
will have port forwarding turned on which allows traffic to flow between
the network cards. (Google linux router.)
When you use virtual machines they too will each need an IP to talk to
any other host.
(You could create a subnet which does not have the ability to talk
outside that specific network, which could be handy when testing
something that could be interrupting other hosts on the main network.
Being totally isolated means it cannot be hacked nor leak something
outside that network.)
When you sit inside your subnet you may not allow random external (on
the internet) traffic to reach your internal computers unless there is a
hole on the firewall to allow some traffic in. For example, you might
have a web server which is reachable from the outside, which in turn
uses a database. Access to the database must be guarded to ensure it’s not reachable directly or via a flaw in the code.
You have to make the call if you can or should allow the VMs access to other networks.
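Added worked example (not part of the post above): the basics described in the post expressed with Python's standard ipaddress module. It shows the private ranges (taken here from RFC 1918 in CIDR form: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and the loopback block, the network/broadcast/usable-host layout of 192.168.1.0/24, and the subnet-mask test that decides whether a destination is reached directly or handed to the gateway. The gateway address is an assumption passed in explicitly rather than derived, following the ".1 is usually the gateway" convention from the post.

```python
"""Worked example of IP basics with Python's ipaddress module.

Assumptions, labelled:
- the private ranges are the RFC 1918 blocks written in CIDR notation;
- the gateway is supplied by the caller (the ".1" convention is only a
  convention, not something the mask can tell you).
"""
import ipaddress

# RFC 1918 private blocks: these are not routed across the internet.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Loopback block; 127.0.0.1 is the address every host can use to test
# networking without a network card.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def classify(addr: str) -> str:
    """Return 'loopback', 'private' (not internet-routable) or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip in LOOPBACK:
        return "loopback"
    if any(ip in block for block in PRIVATE_BLOCKS):
        return "private"
    return "public"


def block_summary(block: ipaddress.IPv4Network) -> dict:
    """First address, last address and size of a block (the post's table)."""
    return {
        "first": str(block.network_address),
        "last": str(block.broadcast_address),
        "count": block.num_addresses,
    }


def subnet_summary(cidr: str) -> dict:
    """Network address, mask, broadcast and usable host range of a subnet."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())  # every address except network and broadcast
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        "usable_count": len(hosts),
    }


def next_hop(my_ip: str, netmask: str, gateway: str, dest: str) -> str:
    """Decide where a packet for `dest` goes using only the subnet mask.

    If (dest AND mask) equals (my_ip AND mask) the destination is on the
    local subnet and is sent to directly; otherwise it is handed to the
    gateway, which forwards it up the line.
    """
    # ipaddress accepts a dotted netmask after the slash; strict=False lets
    # a host address (not just the network address) define the subnet.
    local_net = ipaddress.ip_network(f"{my_ip}/{netmask}", strict=False)
    if ipaddress.ip_address(dest) in local_net:
        return "direct"
    return gateway


if __name__ == "__main__":
    for block in PRIVATE_BLOCKS:
        print(block, block_summary(block))
    print(subnet_summary("192.168.1.0/24"))
    # Constructed sample destinations seen from host 192.168.1.50.
    for dest in ("192.168.1.42", "8.8.8.8", "10.0.0.5", "127.0.0.1"):
        hop = next_hop("192.168.1.50", "255.255.255.0", "192.168.1.1", dest)
        print(f"{dest:<14} {classify(dest):<9} -> {hop}")
```

The `next_hop` check is the whole job of the subnet mask as the post describes it: a bitwise AND of the destination with the mask, compared against the host's own network. Nothing here consults DNS, which is exactly why the mask saves the computer a question.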