Networking
Overview of the two-site network design: site supernets, VLAN segmentation, address-block convention, WireGuard site-to-site routing, internal DNS, and CGNAT.
The networking layer segments each site into routed VLANs carved from a /16 supernet — 10.10.0.0/16 at Site A, 10.20.0.0/16 at Site B — with WireGuard providing routed inter-site connectivity over 10.255.0.0/24. The same VLAN IDs and address-block conventions apply at both sites.
No stretched L2 between sites
Inter-site connectivity is routed only (WireGuard 10.255.0.0/24). Never bridge L2 across sites.
Site Supernets
Each site receives a /16 summary allocation, subdivided into routed VLANs. The large block provides room for multiple Kubernetes machine networks, VIP pools, and future clusters without subnet overlap across the WireGuard tunnel.
| Site | Supernet |
|---|---|
| Site A | 10.10.0.0/16 |
| Site B | 10.20.0.0/16 |
| WireGuard transit | 10.255.0.0/24 |
VLAN Plan
Fifteen VLANs are defined; the same IDs run at both sites. Site A uses 10.10.x.0 subnets; Site B uses 10.20.x.0. See VLAN Reference for gateway addresses and switch-carriage details.
| VLAN | Purpose | Site A | Site B |
|---|---|---|---|
| 10 | Network Mgmt / IPMI | 10.10.10.0/24 | 10.20.10.0/24 |
| 20 | Proxmox Management | 10.10.20.0/24 | 10.20.20.0/24 |
| 25 | Corosync heartbeat | 10.10.25.0/24 no GW | 10.20.25.0/24 no GW |
| 30 | VM Services | 10.10.30.0/24 | 10.20.30.0/24 |
| 40 | Kubernetes Nodes | 10.10.40.0/22 | 10.20.40.0/22 |
| 50 | K8s LB / VIPs | 10.10.50.0/24 | 10.20.50.0/24 |
| 60 | Storage / Ceph public | 10.10.60.0/24 | 10.20.60.0/24 |
| 65 | Ceph cluster | 10.10.65.0/24 reserved no GW | 10.20.65.0/24 no GW |
| 70 | DMZ | 10.10.70.0/24 | 10.20.70.0/24 |
| 80 | Monitoring | 10.10.80.0/24 | 10.20.80.0/24 |
| 90 | Backup / Replication | 10.10.90.0/24 | 10.20.90.0/24 |
| 100 | Lab / Trusted Client | 10.10.100.0/22 | 10.20.100.0/22 |
| 110 | IoT | 10.10.110.0/24 | 10.20.110.0/24 |
| 120 | Guest WiFi | 10.10.120.0/24 | 10.20.120.0/24 |
| 253 | UniFi WAN transit | 10.10.253.0/24 | 10.20.253.0/24 |
Address-Block Convention
Every routed /24 follows the same last-octet banding at both sites. The host-octet convention means the same last octet (sa-stor-01 = .20, sb-cmp-03 = .30, etc.) is reused on every VLAN the host appears on.
| Range | Role |
|---|---|
| .1 | OPNsense gateway (VLANs 25 and 65 have no gateway) |
| .2 – .9 | Network infrastructure — switches, APs, demoted router mgmt |
| .10 – .39 | Physical host interfaces (host-octet convention) |
| .40 – .49 | Infrastructure service VMs — Proxmox Backup Server, pinned DNS |
| .50 – .199 | DHCP pool or additional static services |
| .200 – .254 | VIPs / MetalLB / load-balancer pools |
A Proxmox host gets an L3 IP only on the VLANs it terminates (10, 20, 25, 60, 65, 90). Guest and VM VLANs (30, 40, 50, 70, 80, 100, 110, 120) are bridged on the host with no host IP. See Addressing Convention for the full per-host assignment table.
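The supernet, VLAN and address-band tables above are easy to state and easy to violate by hand. The following Python model is an added example, not part of this page or the site's own tooling: it encodes the two supernets, the fifteen VLANs and the last-octet bands, derives a host's address from the host-octet convention, classifies any address against the plan (rejecting a .1 on the gateway-less VLANs 25 and 65, or a host IP on a VLAN a Proxmox host only bridges), and checks that no subnet at either site overlaps another or the WireGuard transit, which is what lets both /16s be exchanged across the tunnel without ambiguity. Applying the per-/24 bands to the two /22 VLANs by last octet is this example's assumption; the hostnames in the demo lines are constructed.

```python
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from itertools import combinations

# Plan data taken from the tables above; the hostnames in the demo are constructed.
SUPERNETS = {"A": ip_network("10.10.0.0/16"), "B": ip_network("10.20.0.0/16")}
WG_TRANSIT = ip_network("10.255.0.0/24")

# VLAN ID -> (purpose, prefix length). The third octet of each subnet equals the VLAN ID.
VLANS = {
    10: ("Network Mgmt / IPMI", 24),   20: ("Proxmox Management", 24),
    25: ("Corosync heartbeat", 24),    30: ("VM Services", 24),
    40: ("Kubernetes Nodes", 22),      50: ("K8s LB / VIPs", 24),
    60: ("Storage / Ceph public", 24), 65: ("Ceph cluster", 24),
    70: ("DMZ", 24),                   80: ("Monitoring", 24),
    90: ("Backup / Replication", 24),  100: ("Lab / Trusted Client", 22),
    110: ("IoT", 24),                  120: ("Guest WiFi", 24),
    253: ("UniFi WAN transit", 24),
}
NO_GATEWAY = {25, 65}                       # no .1 gateway on these VLANs
HOST_TERMINATED = {10, 20, 25, 60, 65, 90}  # VLANs on which a Proxmox host holds an L3 IP

# Last-octet bands of the Address-Block Convention (inclusive). Applying them to the
# /22 VLANs by last octet is this example's assumption; the page defines them per /24.
BANDS = [
    (1, 1, "gateway"), (2, 9, "network-infra"), (10, 39, "host"),
    (40, 49, "infra-vm"), (50, 199, "dhcp-or-static"), (200, 254, "vip-pool"),
]


def vlan_subnet(site: str, vlan: int) -> IPv4Network:
    """Subnet of a VLAN at a site: the supernet's first two octets, the VLAN ID as third octet."""
    o1, o2 = SUPERNETS[site].network_address.packed[:2]
    return ip_network(f"{o1}.{o2}.{vlan}.0/{VLANS[vlan][1]}")


def host_ip(site: str, vlan: int, host_octet: int) -> IPv4Address:
    """Host-octet convention: a physical host reuses one last octet on every VLAN it terminates."""
    if not 10 <= host_octet <= 39:
        raise ValueError("physical host interfaces use .10 - .39")
    if vlan not in HOST_TERMINATED:
        raise ValueError(f"VLAN {vlan} is bridged on the host with no host IP")
    return vlan_subnet(site, vlan).network_address + host_octet


def classify(addr: str):
    """Return (site, vlan, purpose, band) for an address, or raise ValueError if it is off-plan."""
    ip = ip_address(addr)
    if ip in WG_TRANSIT:
        return ("transit", None, "WireGuard transit", "wireguard-endpoint")
    site = next((s for s, net in SUPERNETS.items() if ip in net), None)
    if site is None:
        raise ValueError(f"{ip} is outside both site supernets")
    vlan = next((v for v in VLANS if ip in vlan_subnet(site, v)), None)
    if vlan is None:
        raise ValueError(f"{ip} lies in {SUPERNETS[site]} but in no defined VLAN")
    last = int(ip) & 0xFF
    band = next((name for lo, hi, name in BANDS if lo <= last <= hi), "unbanded")
    if band == "gateway" and vlan in NO_GATEWAY:
        raise ValueError(f"{ip}: VLAN {vlan} has no gateway, .1 must stay unused")
    return (site, vlan, VLANS[vlan][0], band)


def check_plan_disjoint() -> bool:
    """True when every VLAN subnet sits inside its site's supernet and no two subnets
    (nor the WireGuard transit) overlap, so both /16s can be routed across the tunnel."""
    nets = [WG_TRANSIT]
    for site, supernet in SUPERNETS.items():
        for vlan in VLANS:
            net = vlan_subnet(site, vlan)
            if not net.subnet_of(supernet):
                return False
            nets.append(net)
    return all(not a.overlaps(b) for a, b in combinations(nets, 2))


if __name__ == "__main__":
    print(host_ip("A", 60, 20))       # sa-stor-01 (.20) on Ceph public at Site A
    print(classify("10.20.50.210"))   # a MetalLB pool address at Site B
    print(check_plan_disjoint())
```

Run it as a pre-commit check on any document that proposes new addresses: `classify()` is the function to call on each proposed IP, and `check_plan_disjoint()` is the invariant to re-run whenever a VLAN or prefix length in the table changes.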
WireGuard Transit
OPNsense at each site acts as the WireGuard endpoint. Inter-site traffic is fully routed with no NAT. Site A advertises 10.10.0.0/16 into the tunnel; Site B advertises 10.20.0.0/16. Only required inter-site flows are permitted — management, Proxmox Backup Server replication, DNS, and monitoring.
| Endpoint | WireGuard IP |
|---|---|
| sa-fw-01 (Site A OPNsense) | 10.255.0.1 |
| sb-fw-01 (Site B OPNsense) | 10.255.0.2 |
See WireGuard for configuration and firewall policy details.
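The routed, NAT-free design above rests on WireGuard's cryptokey routing: each peer's AllowedIPs is both the egress route (which destinations are encrypted to that peer) and an ingress filter (a decrypted packet whose source is outside the peer's AllowedIPs is silently dropped). The model below is an added example, not configuration from this page or the site's OPNsense boxes; it builds both endpoints from the prefixes and tunnel addresses in the tables above, then traces a packet across the link. Public keys are not modelled, and the per-flow firewall policy on the WireGuard page is outside its scope: it shows only what the tunnel itself would forward or discard. The 192.168.50.0/24 segment in the demo is constructed to show an un-advertised source being dropped at the far end.

```python
from ipaddress import ip_address, ip_network

# Added example: cryptokey routing on both OPNsense endpoints, built from the prefixes
# and tunnel addresses in the tables above. Keys and firewall rules are not modelled.
SITES = {
    "sa-fw-01": {
        "local": ip_network("10.10.0.0/16"),
        "peers": {"sb-fw-01": [ip_network("10.20.0.0/16"), ip_network("10.255.0.2/32")]},
    },
    "sb-fw-01": {
        "local": ip_network("10.20.0.0/16"),
        "peers": {"sa-fw-01": [ip_network("10.10.0.0/16"), ip_network("10.255.0.1/32")]},
    },
}


def egress_peer(fw: str, dst: str):
    """Peer a packet leaving fw is encrypted to: the one whose AllowedIPs holds the longest
    prefix matching dst, or None when the destination is not a tunnel destination at all."""
    ip = ip_address(dst)
    best = None
    for peer, nets in SITES[fw]["peers"].items():
        for net in nets:
            if ip in net and (best is None or net.prefixlen > best[1]):
                best = (peer, net.prefixlen)
    return best[0] if best else None


def ingress_accepted(fw: str, peer: str, src: str) -> bool:
    """AllowedIPs doubles as an ingress filter: fw drops a decrypted packet from peer
    unless its source address lies in the AllowedIPs configured for that peer."""
    return any(ip_address(src) in net for net in SITES[fw]["peers"][peer])


def trace(origin_fw: str, src: str, dst: str):
    """Follow one packet across the tunnel; returns the (firewall, decision) steps taken."""
    peer = egress_peer(origin_fw, dst)
    if peer is None:
        return [(origin_fw, "not-tunnelled")]
    steps = [(origin_fw, f"encrypt-to:{peer}")]
    # No NAT on the tunnel: the packet reaches the far side with its original source address,
    # so the far side's AllowedIPs for us must cover every prefix we advertise.
    accepted = ingress_accepted(peer, origin_fw, src)
    steps.append((peer, "accept" if accepted else "drop-source-not-allowed"))
    return steps


if __name__ == "__main__":
    # Proxmox management at Site A reaching Proxmox management at Site B: routed end to end.
    print(trace("sa-fw-01", "10.10.20.30", "10.20.20.30"))
    # A constructed, un-advertised segment behind Site A: sb-fw-01 discards it on ingress.
    print(trace("sa-fw-01", "192.168.50.9", "10.20.20.30"))
    # Guest WiFi at Site A to the internet (TEST-NET address): not a tunnel destination.
    print(trace("sa-fw-01", "10.10.120.55", "203.0.113.10"))
```

The second trace is the case worth remembering when a new prefix is added at one site: if it is routed into the tunnel but not added to the far peer's AllowedIPs, the packets leave the near side encrypted and vanish at the far side with nothing in the firewall log, because the drop happens inside WireGuard before any rule is evaluated.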
Internal DNS
The internal DNS zone is core.aorxi.io, served initially by OPNsense Unbound and eventually by four Technitium DNS VMs: sa-dns-01 and sa-dns-02 at Site A (10.10.30.10 / 10.10.30.11) and sb-dns-01 and sb-dns-02 at Site B (10.20.30.10 / 10.20.30.11). sa-dns-01 is primary; the others replicate via AXFR. Certificates use Let's Encrypt DNS-01 challenge through Cloudflare — no private CA is required. See DNS.
CGNAT & Gaming
ISP CGNAT implications and gaming network setup are covered in CGNAT & Gaming.
In This Section
- IP Addressing — supernets, bootstrap networks, and the per-/24 address-block convention; for per-host IPs see IP Tables
- VLAN Reference — full VLAN table with subnets, gateways, and switch carriage
- Addressing Convention — last-octet banding and per-host IP assignment rules
- WireGuard — site-to-site VPN endpoints, routing, and firewall policy
- DNS — internal zone, Technitium VMs, and certificate strategy
- CGNAT & Gaming — CGNAT implications and gaming network considerations
Network Topology
Physical and logical topology of both sites: the ISP-to-host data path, Netgear 10 Gb core and access switch hierarchy, WireGuard inter-site link, and UniFi WAN-transit branch.
IP Addressing
Site supernets, temporary bootstrap networks, the per-/24 octet-band convention, and transit addresses for Site A and Site B.