CIDR notation writes an IP address and a prefix length as one string, such as 192.168.0.0/22. The number after the slash is the prefix: it counts how many leading bits of the address are fixed as the network part. Everything after those bits is free for host addresses. That single number tells you the subnet mask, the size of the block and the range of addresses it spans. The CIDR to IP range converter turns any block into its first IP, last IP and address count, and turns a range back into CIDR blocks.
CIDR stands for Classless Inter-Domain Routing. The name points at the problem it solved. Before CIDR, addresses were handed out in fixed classes of /8, /16 and /24, which wasted huge amounts of space. CIDR let networks be sized at any prefix length, so a block could match the number of addresses actually needed.
Reading the prefix
An IPv4 address is 32 bits. The prefix says how many of those bits belong to the network. The rest belong to hosts.
192.168.0.0/22
^^ 22 network bits, 10 host bitsA /22 fixes the first 22 bits and leaves 10 for hosts. Two raised to the power of 10 is 1024, so a /22 holds 1024 addresses. The same logic gives you every other size:
| Prefix | Host bits | Total addresses |
|---|---|---|
| /24 | 8 | 256 |
| /23 | 9 | 512 |
| /22 | 10 | 1024 |
| /20 | 12 | 4096 |
| /16 | 16 | 65,536 |
A smaller prefix number means more host bits and a bigger block. A /16 is far larger than a /24. This trips people up at first, because the smaller number is the larger network.
Finding the address range
The prefix also pins down the exact range of addresses. Set every host bit to 0 and you get the first address, called the network address. Set every host bit to 1 and you get the last address, called the broadcast address.
For 192.168.0.0/22, the 10 host bits run from all zeros to all ones:
- First IP:
192.168.0.0 - Last IP:
192.168.3.255
That spans four full /24 blocks, which matches the 1024 count. Note that the third octet runs 0, 1, 2, 3, because the 22nd bit falls inside that octet. This is why a /22 is not as simple to read at a glance as a /24, where the boundary lands neatly between octets.
If you write a CIDR using a host address rather than the network address, such as 192.168.1.40/22, the block is still the same. The host bits get masked off, so the converter snaps it back to 192.168.0.0/22. The prefix decides the block, not the exact address you typed.
Turning a range back into CIDR
The reverse job comes up when a firewall or route table wants CIDR but you only have a start and end address. A CIDR block has two constraints: it must start on an aligned boundary, and its size must be a power of two. An arbitrary range rarely satisfies both with a single block, so it gets split.
Take the range 192.168.1.5 to 192.168.2.20. There is no single CIDR block that covers exactly those addresses, so the range is tiled with several aligned blocks. The method is greedy: at each step, emit the largest block that starts where you are and does not run past the end, then move on. That produces the shortest possible list, which keeps a route table or allowlist compact.
CIDR in firewall and routing rules
CIDR is the standard way to write address ranges in almost every network tool. Firewall allowlists, cloud security groups, routing tables and BGP announcements all take CIDR. A rule that allows 10.0.0.0/8 covers every address from 10.0.0.0 to 10.255.255.255 in one line. Without CIDR you would list ranges by hand.
The two directions cover most day-to-day needs. Going from CIDR to a range tells you which addresses a rule actually affects. Going from a range to CIDR gives you the blocks to paste into a rule when you only know the start and end. Enter either form into the CIDR to IP range converter and it returns the other, with the address count shown so you can sanity-check the size. To see how the prefix maps to a subnet mask in bits, the subnet mask guide walks through the same maths from the mask side.