AORXI Homelab
Networking

Overview of the two-site network design: site supernets, VLAN segmentation, address-block convention, WireGuard site-to-site routing, internal DNS, and CGNAT.

The networking layer segments each site into routed VLANs carved from a /16 supernet — 10.10.0.0/16 at Site A, 10.20.0.0/16 at Site B — with WireGuard providing routed inter-site connectivity over 10.255.0.0/24. The same VLAN IDs and address-block conventions apply at both sites.

No stretched L2 between sites

Inter-site connectivity is routed only (WireGuard 10.255.0.0/24). Never bridge L2 across sites.

Site Supernets

Each site receives a /16 summary allocation, subdivided into routed VLANs. The large block provides room for multiple Kubernetes machine networks, VIP pools, and future clusters without subnet overlap across the WireGuard tunnel.

Site                 Supernet
Site A               10.10.0.0/16
Site B               10.20.0.0/16
WireGuard transit    10.255.0.0/24

VLAN Plan

Fifteen VLANs are defined; the same IDs run at both sites. Site A uses 10.10.x.0 subnets; Site B uses 10.20.x.0. See VLAN Reference for gateway addresses and switch-carriage details.

VLAN   Purpose                  Site A                             Site B
10     Network Mgmt / IPMI      10.10.10.0/24                      10.20.10.0/24
20     Proxmox Management       10.10.20.0/24                      10.20.20.0/24
25     Corosync heartbeat       10.10.25.0/24 (no GW)              10.20.25.0/24 (no GW)
30     VM Services              10.10.30.0/24                      10.20.30.0/24
40     Kubernetes Nodes         10.10.40.0/22                      10.20.40.0/22
50     K8s LB / VIPs            10.10.50.0/24                      10.20.50.0/24
60     Storage / Ceph public    10.10.60.0/24                      10.20.60.0/24
65     Ceph cluster             10.10.65.0/24 (reserved, no GW)    10.20.65.0/24 (no GW)
70     DMZ                      10.10.70.0/24                      10.20.70.0/24
80     Monitoring               10.10.80.0/24                      10.20.80.0/24
90     Backup / Replication     10.10.90.0/24                      10.20.90.0/24
100    Lab / Trusted Client     10.10.100.0/22                     10.20.100.0/22
110    IoT                      10.10.110.0/24                     10.20.110.0/24
120    Guest WiFi               10.10.120.0/24                     10.20.120.0/24
253    UniFi WAN transit        10.10.253.0/24                     10.20.253.0/24

Address-Block Convention

Every routed /24 follows the same last-octet banding at both sites. Under the host-octet convention, a physical host keeps one last octet (sa-stor-01 = .20, sb-cmp-03 = .30, etc.) and reuses it on every VLAN that host appears on.

Range          Role
.1             OPNsense gateway (VLANs 25 and 65 have no gateway)
.2 – .9        Network infrastructure — switches, APs, demoted router mgmt
.10 – .39      Physical host interfaces (host-octet convention)
.40 – .49      Infrastructure service VMs — Proxmox Backup Server, pinned DNS
.50 – .199     DHCP pool or additional static services
.200 – .254    VIPs / MetalLB / load-balancer pools

A Proxmox host gets an L3 IP only on the VLANs it terminates (10, 20, 25, 60, 65, 90). Guest and VM VLANs (30, 40, 50, 70, 80, 100, 110, 120) are bridged on the host with no host IP. See Addressing Convention for the full per-host assignment table.
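The VLAN plan and the address-block convention above are easy to drift from as hosts and clusters get added. The following script is an added example, not part of the homelab's own tooling: it encodes both tables and checks that every VLAN sits inside its site supernet, that no subnet overlaps another or the WireGuard transit, that an address falls in the expected last-octet band (flagging a .1 on the gateway-less VLANs 25 and 65), and that a host's interfaces share one last octet. The band labels and function names are assumptions chosen for this example.

```python
import ipaddress

# Transcribed from the tables on this page (site supernets, VLAN subnets, last-octet bands).
SUPERNETS = {"A": ipaddress.ip_network("10.10.0.0/16"), "B": ipaddress.ip_network("10.20.0.0/16")}
WG_TRANSIT = ipaddress.ip_network("10.255.0.0/24")
SITE_OCTET = {"A": "10", "B": "20"}          # second octet that distinguishes the sites
VLAN_TEMPLATES = {                           # "x" is replaced by the site octet
    10: "10.x.10.0/24", 20: "10.x.20.0/24", 25: "10.x.25.0/24", 30: "10.x.30.0/24",
    40: "10.x.40.0/22", 50: "10.x.50.0/24", 60: "10.x.60.0/24", 65: "10.x.65.0/24",
    70: "10.x.70.0/24", 80: "10.x.80.0/24", 90: "10.x.90.0/24", 100: "10.x.100.0/22",
    110: "10.x.110.0/24", 120: "10.x.120.0/24", 253: "10.x.253.0/24"}
NO_GATEWAY = {25, 65}                        # Corosync and Ceph cluster VLANs carry no .1
BANDS = [(1, 1, "gateway"), (2, 9, "network-infra"), (10, 39, "physical-host"),  # band names are
         (40, 49, "infra-vm"), (50, 199, "dhcp-or-static"), (200, 254, "vip-pool")]  # assumed labels

def site_subnets(site, templates=VLAN_TEMPLATES):
    """VLAN id -> ip_network for one site, expanding the site octet."""
    return {vid: ipaddress.ip_network(t.replace("x", SITE_OCTET[site]))
            for vid, t in templates.items()}

def check_plan(templates=VLAN_TEMPLATES):
    """Return a list of problems: a VLAN outside its supernet, or any overlap (incl. WG transit)."""
    problems, seen = [], [WG_TRANSIT]
    for site, supernet in SUPERNETS.items():
        for vid, net in site_subnets(site, templates).items():
            if not net.subnet_of(supernet):
                problems.append(f"site {site} VLAN {vid} {net} not within {supernet}")
            problems += [f"{net} overlaps {o}" for o in seen if net.overlaps(o)]
            seen.append(net)
    return problems

def role_of(ip):
    """Classify an address as (site, VLAN id, band); None if it is outside both supernets."""
    addr = ipaddress.ip_address(ip)
    site = next((s for s, sn in SUPERNETS.items() if addr in sn), None)
    if site is None:
        return None
    vid = next((v for v, n in site_subnets(site).items() if addr in n), None)
    last = int(addr) & 0xFF
    band = next((name for lo, hi, name in BANDS if lo <= last <= hi), "unassigned")
    if band == "gateway" and vid in NO_GATEWAY:
        band = "invalid: VLAN %d has no gateway" % vid
    return site, vid, band

def host_octet_consistent(addrs):
    """True if all of one host's interface addresses share the same last octet."""
    return len({int(ipaddress.ip_address(a)) & 0xFF for a in addrs}) == 1

if __name__ == "__main__":
    print("plan problems:", check_plan() or "none")
    print(role_of("10.10.60.20"), role_of("10.20.25.1"), role_of("10.10.50.200"))
```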

WireGuard Transit

OPNsense at each site acts as the WireGuard endpoint. Inter-site traffic is fully routed with no NAT. Site A advertises 10.10.0.0/16 into the tunnel; Site B advertises 10.20.0.0/16. Only required inter-site flows are permitted — management, Proxmox Backup Server replication, DNS, and monitoring.

Endpoint                       WireGuard IP
sa-fw-01 (Site A OPNsense)     10.255.0.1
sb-fw-01 (Site B OPNsense)     10.255.0.2

See WireGuard for configuration and firewall policy details.

Internal DNS

The internal DNS zone is core.aorxi.io, served initially by OPNsense Unbound and eventually by four Technitium DNS VMs: sa-dns-01 and sa-dns-02 at Site A (10.10.30.10 / 10.10.30.11) and sb-dns-01 and sb-dns-02 at Site B (10.20.30.10 / 10.20.30.11). sa-dns-01 is the primary; the others replicate from it via AXFR. Certificates are issued by Let's Encrypt using the DNS-01 challenge via Cloudflare, so no private CA is required. See DNS.

CGNAT & Gaming

ISP CGNAT implications and gaming network setup are covered in CGNAT & Gaming.

In This Section

  • IP Addressing — supernets, bootstrap networks, and the per-/24 address-block convention; for per-host IPs see IP Tables
  • VLAN Reference — full VLAN table with subnets, gateways, and switch carriage
  • Addressing Convention — last-octet banding and per-host IP assignment rules
  • WireGuard — site-to-site VPN endpoints, routing, and firewall policy
  • DNS — internal zone, Technitium VMs, and certificate strategy
  • CGNAT & Gaming — CGNAT implications and gaming network considerations