So... uh... I've been implementing WANs and security environments since 1993.
My company has been teaching networking courses since 1998; I taught them at first and have trained a half-dozen other trainers and we have collectively trained a few dozen "network engineers", many of whom are considered "best we've worked with" by pretty experienced folk. We continue to support and train on networks and are considered pretty good at the doing as well as the training. Does that make me a "network guru"?
I can confirm the theoretical correct configurations for your network settings and I can describe in detail exactly what's making it work and how you'd go about establishing that to be true - that is all part of the networking issues we deal with every day in our company, where we support 2000+ networking devices (not PCs / servers - just networking devices) throughout the world.
Your configuration is not as it should be. Very astute to notice. Your gateway should always be on your network. That said, the network you are running is a very unusual network to run. There is little or no reason to subnet to that level of detail when using private addresses. Private address ranges (per RFC spec) are 10.x, 127.x, 172.16-31.x, and 192.168.x. There is a simple binary pattern that makes it those addresses, but we'll save that for the whiteboard sessions; in short, none of those are to be used in the public space ever. So, since you're dealing with 172.16.x - a native 16-bit network that is private and allows 256 networks of 254 devices with an 8-bit subnet mask (technically, the first 16-bits are a standard "net mask" for a "Class B" address range - meaning first and second bits high in first octet address - thus all bits of net mask beyond 16 are "sub-net" bits). So, it'd be pretty normal to run a 24-bit mask and get 256 nets of 254 devices from a 172.16 net. Why the deep subnet?
The important thing about the gateway - as suggested by huggy - is that the system in question has that IP in its ARP table and thus thinks it has a route to talk to it. That can be done by manual manipulation of the ARP table or by Proxy response to a request to get to the address. The method for requesting a MAC in an ARP sequence is lengthy but pretty simple:
I need to talk to another IP device.
Is it on my network?
--YES -
----L2 my source, broadcast destination
----L3 my source, direct destination
----response will come from the device, thus putting its MAC in my ARP table
--NO -
----Do I know the MAC of my gateway of last resort (or GWOLR - AKA "default gateway" - a misnomer, really)
------YES -
--------L2 my source, GWOLR destination
--------L3 my source, final destination
------NO - ARP GWOLR
--------L2 my source, broadcast destination
--------L3 my source, GWOLR destination
The end result of this sequence is that you are either talking directly to a device on your network via the direct L2 path or you are talking L2 to your gateway and L3 to the destination.
Proxy ARP devices change all this by responding to all L2 broadcast requests as though they are the L3 destination (or at least for any that they're configured to do so for). This is also the means to a man-in-the-middle data capture scheme when using an ethernet switch... but that's a more complicated story.
So... how's it working? Prolly something acting as a proxy ARP device because your config is technically "wrong".
Want to know a bit more? Type "arp -a" from command line as well as the "route print" command. Note that ARP will only report things you've actually talked to within the time-out window, so do it after something "worked". The MAC addy will tell us what brand of device it is - sometimes what model. The route info will give us a clue if there's something else going on route-wise that may be "over-riding" the config you showed us.
Fun exercise! I'm not involved on the techy stuff any more; I miss it. Thanks!
My company has been teaching networking courses since 1998; I taught them at first and have trained a half-dozen other trainers and we have collectively trained a few dozen "network engineers", many of whom are considered "best we've worked with" by pretty experienced folk. We continue to support and train on networks and are considered pretty good at the doing as well as the training. Does that make me a "network guru"?
I can confirm the theoretical correct configurations for your network settings and I can describe in detail exactly what's making it work and how you'd go about establishing that to be true - that is all part of the networking issues we deal with every day in our company, where we support 2000+ networking devices (not PCs / servers - just networking devices) throughout the world.
Your configuration is not as it should be. Very astute to notice. Your gateway should always be on your network. That said, the network you are running is a very unusual network to run. There is little or no reason to subnet to that level of detail when using private addresses. Private address ranges (per RFC spec) are 10.x, 127.x, 172.16-31.x, and 192.168.x. There is a simple binary pattern that makes it those addresses, but we'll save that for the whiteboard sessions; in short, none of those are to be used in the public space ever. So, since you're dealing with 172.16.x - a native 16-bit network that is private and allows 256 networks of 254 devices with an 8-bit subnet mask (technically, the first 16-bits are a standard "net mask" for a "Class B" address range - meaning first and second bits high in first octet address - thus all bits of net mask beyond 16 are "sub-net" bits). So, it'd be pretty normal to run a 24-bit mask and get 256 nets of 254 devices from a 172.16 net. Why the deep subnet?
The important thing about the gateway - as suggested by huggy - is that the system in question has that IP in its ARP table and thus thinks it has a route to talk to it. That can be done by manual manipulation of the ARP table or by Proxy response to a request to get to the address. The method for requesting a MAC in an ARP sequence is lengthy but pretty simple:
I need to talk to another IP device.
Is it on my network?
--YES -
----L2 my source, broadcast destination
----L3 my source, direct destination
----response will come from the device, thus putting its MAC in my ARP table
--NO -
----Do I know the MAC of my gateway of last resort (or GWOLR - AKA "default gateway" - a misnomer, really)
------YES -
--------L2 my source, GWOLR destination
--------L3 my source, final destination
------NO - ARP GWOLR
--------L2 my source, broadcast destination
--------L3 my source, GWOLR destination
The end result of this sequence is that you are either talking directly to a device on your network via the direct L2 path or you are talking L2 to your gateway and L3 to the destination.
Proxy ARP devices change all this by responding to all L2 broadcast requests as though they are the L3 destination (or at least for any that they're configured to do so for). This is also the means to a man-in-the-middle data capture scheme when using an ethernet switch... but that's a more complicated story.
So... how's it working? Prolly something acting as a proxy ARP device because your config is technically "wrong".
Want to know a bit more? Type "arp -a" from command line as well as the "route print" command. Note that ARP will only report things you've actually talked to within the time-out window, so do it after something "worked". The MAC addy will tell us what brand of device it is - sometimes what model. The route info will give us a clue if there's something else going on route-wise that may be "over-riding" the config you showed us.
Fun exercise! I'm not involved on the techy stuff any more; I miss it. Thanks!