Address-Block Convention
The per-/24 octet-band convention governing every routed subnet: gateways at .1, switches at .2–.9, host interfaces at .10–.39, service VMs at .40–.49, DHCP/static at .50–.199, and VIPs at .200–.254.
Every routed /24 in this homelab follows a fixed band assignment by last octet, so any IP address's final octet immediately identifies its role. The same bands apply at Site A (10.10.x.0) and Site B (10.20.x.0).
Convention at a Glance
| Octet range | Purpose |
|---|---|
.1 | OPNsense L3 gateway — absent on VLAN 25 (Corosync heartbeat) and VLAN 65 (Ceph cluster) |
.2 – .9 | Network infrastructure: switches, APs, demoted-router management |
.10 – .39 | Physical host interfaces — host-octet convention (same octet on every VLAN the host terminates) |
.40 – .49 | Infrastructure service VMs: Proxmox Backup Server (PBS), pinned DNS appliances |
.50 – .199 | DHCP pool (client/guest VLANs) or static services (server VLANs) |
.200 – .254 | VIPs, MetalLB pools, load-balancer addresses |
No gateway on VLAN 25 and VLAN 65
Corosync heartbeat (VLAN 25) and Ceph cluster replication (VLAN 65) carry no OPNsense gateway — no .1 address is assigned on these VLANs. Traffic must remain local to each site and must never be routed across WireGuard.
/22 blocks: VLAN 40 and VLAN 100
VLAN 40 (Kubernetes Nodes) and VLAN 100 (Lab / Trusted Client) are /22 blocks rather than /24 blocks, spanning four consecutive /24 networks. The same band logic applies within the first /24 of each block. K8s node IPs on VLAN 40 follow the host-octet rule: 10.x0.40.<octet>. For example, sa-cmp-01 appears as 10.10.40.11; sb-cmp-03 appears as 10.20.40.30.
Host-Octet Convention
A physical Proxmox host uses the same last octet on every VLAN it terminates. This makes the octet a stable identifier across the entire address plan: seeing .20 on any infrastructure VLAN at Site A identifies sa-stor-01, regardless of which subnet is being inspected.
| Host | Site | Octet | Proxmox mgmt (VLAN 20) | IPMI (VLAN 10) |
|---|---|---|---|---|
sa-edge-01 | Site A | 10 | 10.10.20.10 | 10.10.10.10 |
sa-cmp-01 | Site A | 11 | 10.10.20.11 | — |
sa-cmp-02 | Site A | 12 | 10.10.20.12 | — |
sa-stor-01 | Site A | 20 | 10.10.20.20 | 10.10.10.20 |
sb-edge-01 | Site B | 10 | 10.20.20.10 | 10.20.10.10 |
sb-cmp-01 | Site B | 20 | 10.20.20.20 | 10.20.10.20 |
sb-cmp-02 | Site B | 21 | 10.20.20.21 | 10.20.10.21 |
sb-cmp-03 | Site B | 30 | 10.20.20.30 | 10.20.10.30 |
sb-cmp-04 | Site B | 31 | 10.20.20.31 | 10.20.10.31 |
sb-cmp-05 | Site B | 32 | 10.20.20.32 | 10.20.10.32 |
The octet carries through to every infra VLAN the host terminates. For example, sa-stor-01 octet .20 appears on VLAN 20 (10.10.20.20), VLAN 25 (10.10.25.20), VLAN 60 (10.10.60.20), and VLAN 90 (10.10.90.20).
Host IP Policy
A Proxmox host receives an L3 address only on the infrastructure VLANs it physically terminates. Guest and VM VLANs are trunked to the host's Linux bridge, but the bridge holds no host IP on those segments.
Infrastructure VLANs — host IP assigned
| VLAN | Name | Notes |
|---|---|---|
| 10 | Network Mgmt / IPMI | All Supermicro nodes (IPMI); all nodes for switch/AP management |
| 20 | Proxmox Management | All Proxmox nodes |
| 25 | Corosync heartbeat | All Proxmox nodes — no GW |
| 60 | Storage / Ceph public | Storage and compute nodes; edge nodes excluded |
| 65 | Ceph cluster | Site B compute nodes only — no GW; VLAN 65 reserved at Site A |
| 90 | Backup / Replication | Storage and compute nodes; edge nodes excluded |
Guest and VM VLANs — bridged, no host IP
| VLAN | Name |
|---|---|
| 30 | VM Services |
| 40 | Kubernetes Nodes |
| 50 | K8s LB / VIPs |
| 70 | DMZ |
| 80 | Monitoring |
| 100 | Lab / Trusted Client |
| 110 | IoT |
| 120 | Guest WiFi |
Related Pages
- VLAN Reference — full VLAN table with subnets and gateways
- IP Addressing — site supernets and bootstrap networks
- IP Tables — machine-readable per-host IP reference