Jet Mariano

Tag: networking

  • Subnetting Makes Sense When You Meet the ISP

    Subnetting in the real world.
    A /30 is the transit bridge to the ISP.
    The routed /29 is the public space you actually use behind the firewall.

    Excerpt
    Subnetting clicks when you stop treating it like math and start treating it like design. The moment you get public IPs from an ISP like Comcast, you realize there are two stories happening at once. The transit link that connects you to the ISP, and the routed public block you can actually use inside your firewall.

    Intro
    Subnetting is the practice of dividing an IP space into smaller networks so routing, security, and growth stay predictable. That sounds academic until you get a real ISP handoff and suddenly someone says, “Here’s a /30,” and you discover you only get one IP you can assign. Then they also give you a /29, and you are told those are your public LAN IPs, but they do not live on your WAN port the way you think they do.

    This post will make that feel normal.

    Notes from the Author
    Subnetting became real for me when Comcast handed us public IP space and the physical reality did not match the training diagrams. I learned there is a difference between an ISP transit network and a routed block. Once you see that difference, /29 and /30 stop being confusing and start being tools.

    Perspective
    What is subnetting
    Subnetting is splitting a network into smaller networks by borrowing bits from the host portion and adding them to the network portion. The prefix length, like /24 or /30, tells you how many bits are network bits.

    Why it is necessary

    1. Routing clarity
      Routers make decisions based on networks, not individual IPs.
    2. Security boundaries
      Separate systems by function. Users, servers, guests, printers, management.
    3. Broadcast control
      Smaller broadcast domains reduce noise and improve performance.
    4. Clean growth
      You can expand without renumbering everything if you plan.

    Two ISP stories you must separate
    Story 1: The transit link, often a /30 or /31
    This is the point to point connection between your firewall WAN interface and the ISP. It is not your “public LAN block.” It is just the link.

    Story 2: The routed block, often a /29, /28, or larger
    These are the public IPs you can use for NAT, 1:1 mappings, public services, or DMZ addresses. The ISP routes that block to you through the WAN link.

    This is why people say, “Comcast gave me a /30 and I only have one usable IP.”
    In a /30 there are 4 addresses total. Two are usable, but one is almost always used by the ISP side, and the other is used by your WAN interface. That leaves you with only one you can assign on your equipment, which makes it feel like “one usable.” That is normal.

    Practice Today (Not Someday)
    Here are easy to very difficult examples with answers. Read them in order. The goal is understanding, not speed.

    Example 1, easy
    Network: 192.168.1.0/24
    Question: How many usable IPs, and what is the usable range

    Answer
    Mask: 255.255.255.0
    Total: 256
    Usable: 254
    Network: 192.168.1.0
    Broadcast: 192.168.1.255
    Usable: 192.168.1.1 to 192.168.1.254

    Example 2, easy to medium
    Requirement: at least 50 devices
    Base: 192.168.10.0
    Question: What prefix fits, and what is the first subnet range

    Answer
    Need at least 50 hosts. Next power of two is 64 addresses.
    64 addresses means /26.
    Mask: 255.255.255.192
    First subnet: 192.168.10.0/26
    Network: 192.168.10.0
    Broadcast: 192.168.10.63
    Usable: 192.168.10.1 to 192.168.10.62

    Example 3, medium
    Network: 10.20.30.0/27
    Question: What is the usable range and how many usable IPs

    Answer
    /27 means 32 addresses
    Usable: 30
    Network: 10.20.30.0
    Broadcast: 10.20.30.31
    Usable: 10.20.30.1 to 10.20.30.30

    Example 4, public IP reality check, /30 transit
    Comcast gives you: 203.0.113.8/30
    Question: What are the four addresses, and which one do you typically put on your firewall WAN

    Answer
    /30 is 4 addresses total, increments of 4
    Block: 203.0.113.8 to 203.0.113.11

    Network: 203.0.113.8
    Usable: 203.0.113.9 and 203.0.113.10
    Broadcast: 203.0.113.11

    Typical assignment
    ISP gateway: 203.0.113.9
    Your firewall WAN: 203.0.113.10
    This is why it feels like you only got one usable IP. You only got one usable IP for your side. The other usable belongs to the ISP side.

    Example 5, common ISP setup, /30 transit plus routed /29
    Comcast gives you two things

    1. Transit: 198.51.100.0/30
    2. Routed block: 198.51.100.8/29 routed to your WAN IP

    Question A: What goes on the WAN interface
    Question B: What is the usable range of the /29 and how do you actually use it

    Answer A, WAN interface
    Transit /30 block is 198.51.100.0 to 198.51.100.3
    Network: 198.51.100.0
    Usable: 198.51.100.1 and 198.51.100.2
    Broadcast: 198.51.100.3

    Typical
    ISP gateway: 198.51.100.1
    Your WAN: 198.51.100.2

    Answer B, routed /29
    /29 is 8 addresses total, increments of 8
    Block: 198.51.100.8 to 198.51.100.15
    Network: 198.51.100.8
    Broadcast: 198.51.100.15
    Usable: 198.51.100.9 to 198.51.100.14

    How you use it
    These /29 addresses usually do not get placed directly on the WAN interface. Instead, the ISP routes that entire /29 to your WAN IP on the transit /30. Then inside your firewall you can use them for:

    • 1:1 NAT mappings to internal hosts
    • Public VIPs on a DMZ interface
    • NAT pools
    • Assigning a public IP to a specific service

    The key phrase you ask Comcast for is: “Confirm the routed block is routed to my WAN IP and provide the next hop.”
    That next hop is your WAN IP on the /30.

    Example 6, difficult, find the /29 block and answer fast
    Given public IP: 64.71.22.14/29
    Question: What is the network, broadcast, usable range

    Answer
    /29 increments by 8 in the last octet
    Find the nearest multiple of 8 less than or equal to 14
    8 and 16 bracket it, so network is 8

    Network: 64.71.22.8
    Broadcast: 64.71.22.15
    Usable: 64.71.22.9 to 64.71.22.14

    Example 7, difficult, build a WAN /30 from a random IP
    You are told your WAN IP is 75.120.44.6/30
    Question: What is the /30 block and what is the ISP gateway likely to be

    Answer
    /30 increments by 4
    Nearest multiple of 4 less than or equal to 6 is 4
    So block is 75.120.44.4 to 75.120.44.7

    Network: 75.120.44.4
    Usable: 75.120.44.5 and 75.120.44.6
    Broadcast: 75.120.44.7

    Likely
    ISP gateway: 75.120.44.5
    Your WAN: 75.120.44.6

    Example 8, very difficult, design for two ISPs with clean routing
    Requirement

    • ISP1 gives transit /30 and routed /29
    • ISP2 gives transit /30 and routed /29
      You want to publish two services, one primary on ISP1, one primary on ISP2, with failover possible later.

    Answer concept

    • Put only the transit /30 on each WAN interface
    • Confirm each routed /29 is routed to the correct WAN IP
    • Publish Service A using a public IP from ISP1 routed /29 with 1:1 NAT to internal host
    • Publish Service B using a public IP from ISP2 routed /29 with 1:1 NAT to internal host
    • Keep internal addressing private RFC1918 and do not mix public blocks inside LAN unless you have a real DMZ plan
    • Make sure the firewall supports policy based routing or proper default route tracking if you plan failover

    This is where subnetting meets design.

    Final Reflection
    Subnetting is not about counting. It is about ownership. When you know which addresses belong to the link, which belong to your routed block, and which belong to your internal network, you stop feeling confused. You start feeling calm.

    Pocket I’m Keeping
    The /30 is the bridge.
    The routed /29 is the usable land.

    What I Hear Now
    I can design this with intention.
    I can separate the transit from the routed block.
    I can explain it clearly to anyone on the team.

    © 2012–2026 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

  • My Essential IT Troubleshooting Guide

    Simple Explanations for Real World Problems

    One of my favorite seasons of my life. Serving the city, keeping critical systems alive, and learning the foundations that shaped who I am as an engineer today. Every console screen taught me something new and every problem strengthened my desire to help others through technology.

    My Essential IT Troubleshooting Guide

    In every company I have worked for, the tools that saved the day were not fancy dashboards but simple commands and fundamentals I could trust.
    This is my personal troubleshooting arsenal, written so even a non technical reader can follow the logic behind what I do.

    Each section answers three things
    • What it is
    • Why it matters
    • How I use it in real life

    Name Resolution Basics

    A record

    What
    • A record is a phone book entry that says “this name belongs to this IP address.”

    Why
    • Users remember names better than numbers. If the A record is wrong or missing, they land in the wrong place or nowhere.

    How I use it
    • When a site is not loading, I ping the name and check if the IP address matches what we expect.
    • If it does not, I fix the A record in DNS and wait for it to replicate.

    CNAME

    What
    • A CNAME is a nickname that points one name to another name.

    Why
    • It lets you move services without breaking users. The public name stays the same while the target changes behind the scenes.

    How I use it
    • For services like autodiscover or app portals, I often see CNAMEs that point to Microsoft or another provider.
    • When something breaks after a cutover, CNAMEs are one of the first things I verify.

    DNS

    What
    • DNS is the global phone book that turns names into IP addresses.

    Why
    • If DNS fails, everything feels broken. Browsers, Outlook, file shares, all of them depend on DNS.

    How I use it
    • I run nslookup name.company.com to see which DNS server is answering and what IP it returns.
    • If users in one site can reach something and other users cannot, I compare DNS answers between locations.

    Hosts file

    What
    • The hosts file is a tiny local phone book on the computer.

    Why
    • It overrides DNS for that machine. One bad line can send traffic to the wrong place.

    How I use it
    • Location on Windows

    C:\Windows\System32\drivers\etc\hosts

    • I open it with Notepad as administrator.
    • If someone hard coded a testing IP and forgot about it, I comment it out or remove it, then flush DNS.

    Flush cache

    ipconfig /flushdns

    Nbtstat and TCP IP

    What
    • Nbtstat is an older tool for NetBIOS name resolution.
    • Hard coded TCP IP means a manual IP instead of DHCP.

    Why
    • Nbtstat helps when legacy name lookups act strange.
    • Hard coded IPs can cause conflicts or make VLAN changes painful.

    How I use it
    nbtstat -n to see local NetBIOS names.
    nbtstat -c to see the name cache.
    • When I find static IPs on client machines, I document them and move them to DHCP reservations so the network is easier to manage.

    Network control panel shortcut

    I still use this every week

    From Run

    ncp.cpl

    It opens the Network Connections window so I can quickly check adapters, enable or disable, or look at IPv4 settings.

    DHCP Essentials

    What
    • DHCP hands out IP addresses, gateways and DNS to clients.

    Why
    • If DHCP fails, users cannot get on the network or suddenly have duplicate addresses.

    Best practices
    • Use at least two DHCP servers where possible.
    • Define scopes with correct gateway and DNS.
    • Use reservations for printers and key servers.

    Commands I use on clients

    ipconfig /release
    ipconfig /renew

    If a user can reach the internet but not internal resources, I check that DNS from DHCP is internal and not a public resolver.

    MX, Autodiscover and Mail Flow

    MX record

    What
    • MX tells the world which server receives mail for your domain.

    Why
    • If MX points to the wrong place or has a low priority backup you forgot, email can vanish or queue.

    How I use it
    • I use MXToolbox to check MX records and verify that they point to Exchange Online or the correct email gateway.

    Autodiscover

    What
    • Autodiscover tells Outlook where to find the mailbox and settings.

    Why
    • A broken autodiscover record means constant password prompts or profile creation failures.

    How I use it
    • I verify the Autodiscover CNAME or SRV record.
    • I test with Outlook connectivity tools or Test-OutlookConnectivity when available.

    Hunting spam engines and bad SMTP

    Where malware hides
    • In browser extensions
    • In Outlook add ins
    • In unknown services or scheduled tasks that send mail through SMTP

    How I clean it without reimaging
    • Check Outlook add ins and disable anything suspicious.
    • Run msconfig and Task Manager to review startup items and tasks.
    • Review SMTP logs on the server to see which host is sending unexpected traffic.

    Certificates and SSL in Hybrid Environments

    Internal web apps depend on trusted certificates so browsers know the site is safe. When an SSL expires, internal apps stop working and Chrome or Edge will show warnings.

    Why we create new SSLs
    • Internal web apps must be trusted.
    • Intranet portals and legacy apps often stop working when an internal CA certificate expires.
    • External issued certs from DigiCert or GoDaddy are trusted by browsers.

    PowerShell to generate a CSR example

    $csr = New-ExchangeCertificate -GenerateRequest `
-SubjectName "CN=mail.contoso.com" `
-DomainName "mail.contoso.com","autodiscover.contoso.com"
Set-Content -Path "C:\Certs\mail_csr.req" -Value $csr

    After the CA signs it, import

    Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content "C:\Certs\mail_cer.cer" -Encoding byte -ReadCount 0)) -PrivateKeyExportable $true

    Enable for necessary services

    Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services IIS,POP,IMAP

    Where I keep it
    • C:\Certs or another controlled folder
    • Never leave certificates scattered in Downloads

    Core servers
    • I open Task Manager with Ctrl Shift Esc
    • File, Run, then mmc
    • Add the Certificates snap in and import there
    Or I import directly with PowerShell.

    Machine Trust Relationship Problems

    When Windows says “the trust relationship between this workstation and the primary domain failed,” the computer account and the domain no longer agree.

    On a traditional domain
    • Disable LAN and WiFi
    • Log in using cached credentials
    • Reset the local admin password if needed
    • Disjoin from the domain and put it in a workgroup
    • Reboot
    • Join it back to the domain

    For Azure AD joined devices

    Check status

    dsregcmd /status

    If broken

    dsregcmd /leave

    Then re join from Settings under Access work or school.

    RDP Session Cleanup

    Sometimes users cannot remote into their office desktop because a stale session is still connected.

    I run from my admin machine

    query session /server:192.168.10.25
logoff <SessionID> /server:192.168.10.25

    After that, they can reconnect without rebooting the server.

    Active Directory Tools

    ADSIEdit

    What
    • A low level editor for Active Directory objects.

    Why
    • Last resort for fixing broken attributes or lingering records when normal tools cannot reach them.

    How I use it
    • Only with full backups and a clear change plan.
    • I use it to clean up orphaned objects or legacy settings left behind.

    Event Viewer

    What
    • The black box recorder of Windows.

    Why
    • Every blue screen, login failure, replication problem and service crash leaves a trace here.

    How I use it
    eventvwr.msc
    • I focus on System and Directory Service logs on domain controllers, and Application logs on servers hosting apps.

    FSMO Roles

    What
    • Flexible Single Master Operations are special AD roles for schema, naming, PDC, RID and infrastructure.

    Why
    • These make sure there is one source of truth for sensitive changes.

    Best practice
    • Know exactly which DC holds each role.
    • Protect those DCs like crown jewels.

    If a FSMO owner is gone forever
    • You can seize the role to a healthy DC using ntdsutil.
    • After seizing you never bring the old DC back online.

    This is rare but every senior engineer should know the process in theory.

    AD and Entra ID Health

    On premise AD health

    dcdiag
    repadmin /replsummary
    repadmin /showrepl

    I always confirm
    • DNS is correct
    • SYSVOL is in sync
    • Time is correct and within a few minutes across all DCs

    Entra ID health

    Connect-MgGraph
    Get-MgUser
    Get-MgDirectoryAudit

    I check
    • Sign in logs for failures
    • Conditional Access for blocked locations
    • Device compliance for machines that suddenly appear non compliant

    AD controls computers and users on site.
    Entra controls cloud identity and device trust.
    In a hybrid world, both must be healthy.

    Azure and Terraform

    Azure CLI read only commands

    az login
    az account show
    az group list
    az vm list
    az storage account list

    These tell me what exists without changing anything.

    Terraform for infrastructure as code
    • Initialize the directory
    terraform init
    • Format
    terraform fmt
    • Validate
    terraform validate
    • Plan
    terraform plan

    Nothing changes until terraform apply is run.
    For interviews, being comfortable with init, plan and validate already shows good understanding.

    Microsoft 365 Services

    Group Policy

    Purpose
    • Central control of security and settings for on premise joined machines.

    How I create it
    gpmc.msc
    • New GPO
    • Edit with the settings I want
    • Link to the correct OU

    Universal Print

    What
    • Cloud based printing that removes the need for classic print servers.

    Why
    • Easier management for hybrid and remote users.

    I register printers in Universal Print and assign permissions based on groups, so users can get printers automatically.

    SharePoint Online

    Steps I follow
    • Go to Microsoft 365 admin center
    • Open SharePoint admin
    • Create a new site
    • Assign owners and members
    • Set sharing and retention policies

    This becomes the central place for team documents and intranet content.

    OneDrive and Data Migration

    OneDrive
    • Sync client installed on machines
    • Known Folder Move for Desktop, Documents and Pictures
    • Version history to protect from mistakes and ransomware

    Migrating data
    • I prefer SharePoint Migration Tool or Mover.
    • I clean old data first so I do not carry garbage into the cloud.
    • I communicate to users what will move and what will not.

    Why This Arsenal Matters

    These are the tools I have relied on in city government, banks, energy drinks, and manufacturing.
    They are not fancy, but they work.

    Every time I help a user reconnect, restore a service, or clean up a broken configuration, I am really doing three things

    • Protecting the company and its data
    • Supporting my teammates so they are not alone in the fire
    • Honoring the gift God gave me to understand and fix complex systems

    This arsenal is how I serve.
    Whether I am helping a small office or a multi site enterprise, the pattern is the same ask good questions, run the right checks, fix the root cause, and leave clear notes so the next engineer can see the path.

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

error: Content is protected !!