AORXI Homelab
Networking

IP Addressing

Site supernets, temporary bootstrap networks, the per-/24 octet-band convention, and transit addresses for Site A and Site B.

Two /16 supernets divide the address space by site — 10.10.0.0/16 for Site A, 10.20.0.0/16 for Site B — with a fixed octet-band convention applied uniformly inside every routed /24. This page covers the supernet allocation, temporary bootstrap addresses used during initial node imaging, the per-/24 band assignment, and the transit subnets used for WireGuard and UniFi hand-off. For the full VLAN table see VLAN Reference; for per-host IP assignments see IP Tables.

No stretched L2 between sites

Never stretch L2 between Site A and Site B. All cross-site traffic is routed over WireGuard only. The two /16 supernets must never overlap.

Site Supernets

| Site | Supernet | WireGuard route advertised to peer |
|---|---|---|
| Site A | 10.10.0.0/16 | 10.10.0.0/16 → Site B |
| Site B | 10.20.0.0/16 | 10.20.0.0/16 → Site A |
| WireGuard transit | 10.255.0.0/24 | |

The /16 boundary provides a large pool for Kubernetes machine networks, MetalLB VIPs, and future cluster expansion without subnet overlap across the WireGuard tunnel.

Bootstrap Networks

During initial node imaging (Phases 0–3), each site operates a single flat L2 network with no VLANs. Each node uses one management NIC; Supermicro boards also bring up their IPMI port on the flat network. All other NICs (10G trunk, Corosync, Ceph, storage, backup) are cabled but unconfigured until their VLAN is provisioned at Phase 4+.

A node's bootstrap IPMI address is its bootstrap management address with 100 added to the last octet (for example, sa-edge-01 mgmt 192.168.1.10, IPMI 192.168.1.110).

| Site | Subnet | Gateway | Temporary router |
|---|---|---|---|
| Site A | 192.168.1.0/24 | 192.168.1.1 | UniFi Gateway Max |
| Site B | 192.168.16.0/24 | 192.168.16.1 | USG Pro |

IPMI stays on these flat bootstrap addresses through Phases 0–3 and migrates to its final VLAN 10 address only at Phase 4. For the full per-host bootstrap-to-final address mapping see IP Tables.

Never expose IPMI to the internet

During bootstrap, IPMI ports are on the flat 192.168.x network with no VLAN isolation. Confirm the temporary router blocks all inbound access to the 192.168.x range from the internet before powering on any node.

Per-/24 Address-Block Convention

Every routed /24 at both sites follows a fixed band assignment. The last octet of any address identifies its role without consulting the host table.

| Octet range | Role | Notes |
|---|---|---|
| .1 | OPNsense L3 gateway | Absent on VLANs 25 and 65 |
| .2 – .9 | Network infrastructure | Switches, APs, demoted-router management |
| .10 – .39 | Physical host interfaces | Host-octet convention: same octet on every VLAN a host terminates |
| .40 – .49 | Infrastructure service VMs | Proxmox Backup Server (PBS), pinned DNS appliances |
| .50 – .199 | DHCP pool / static services | Client VLANs use DHCP; server VLANs use static |
| .200 – .254 | VIPs / MetalLB pools | Kubernetes API, ingress, and load-balancer VIPs |

Host-octet convention: a host reuses the same last octet on every VLAN it terminates. Site A octets: sa-edge-01 .10, sa-cmp-01 .11, sa-cmp-02 .12, sa-stor-01 .20. Site B octets: sb-edge-01 .10, sb-cmp-01 .20, sb-cmp-02 .21, sb-cmp-03 .30, sb-cmp-04 .31, sb-cmp-05 .32.

The /22 VLANs (VLAN 40 Kubernetes Nodes, VLAN 100 Lab / Trusted Client) span four /24 blocks and follow the same host-octet logic within them.

A Proxmox host gets an L3 IP only on the infrastructure VLANs it terminates (10, 20, 25, 60, 90 at both sites; 65 at Site B only). Guest and VM VLANs (30, 40, 50, 70, 80, 100, 110, 120) are bridged on the host with no host IP assigned.

For additional detail on the convention, including Kubernetes machine network allocation, see Addressing Convention.
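The band table and host-octet rule above can be checked mechanically. The following is an added example, not part of the homelab's own tooling: it maps an address to its site and role and audits an inventory for hosts that break the convention. The function names, the `SAMPLE` inventory, its third octets, and the `host-x`/`host-y` entries are constructed for illustration.

```python
import ipaddress

# Supernets and bands are from this page; all names here are illustrative.
SUPERNETS = {
    "Site A": ipaddress.ip_network("10.10.0.0/16"),
    "Site B": ipaddress.ip_network("10.20.0.0/16"),
    "WireGuard transit": ipaddress.ip_network("10.255.0.0/24"),
}
BANDS = [  # (first, last, role) keyed on the last octet
    (1, 1, "OPNsense L3 gateway"),  # absent on VLANs 25 and 65
    (2, 9, "Network infrastructure"),
    (10, 39, "Physical host interfaces"),
    (40, 49, "Infrastructure service VMs"),
    (50, 199, "DHCP pool / static services"),
    (200, 254, "VIPs / MetalLB pools"),
]
# Constructed inventory: third octets and the host-x/host-y entries are made up.
SAMPLE = {
    "sa-cmp-01": ["10.10.10.11", "10.10.20.11"],
    "host-x": ["10.10.10.12", "10.10.20.13"],
    "host-y": ["10.10.10.45", "10.10.20.45"],
}

def supernets_disjoint():
    """True when no two supernets overlap (the rule for the WireGuard routes)."""
    nets = list(SUPERNETS.values())
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

def classify(addr):
    """Return (site, role); None where this page assigns nothing."""
    ip = ipaddress.ip_address(addr)
    site = next((name for name, net in SUPERNETS.items() if ip in net), None)
    if site not in ("Site A", "Site B"):
        return site, None  # bands apply only inside a site supernet
    last = int(ip) & 0xFF
    return site, next((r for lo, hi, r in BANDS if lo <= last <= hi), None)

def audit(hosts):
    """Flag hosts that break the host-octet convention or leave .10-.39."""
    problems = []
    for name, addrs in hosts.items():
        if len({int(ipaddress.ip_address(a)) & 0xFF for a in addrs}) != 1:
            problems.append((name, "inconsistent host octet"))
        elif any(classify(a)[1] != "Physical host interfaces" for a in addrs):
            problems.append((name, "outside physical host band"))
    return problems

if __name__ == "__main__":
    print(supernets_disjoint(), audit(SAMPLE))
```

An address on the bootstrap 192.168.x networks classifies as `(None, None)`, which makes leftover bootstrap IPMI entries easy to spot in an inventory after Phase 4.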

Transit Networks

WireGuard Site-to-Site

The inter-site WireGuard tunnel uses 10.255.0.0/24. No NAT is applied to inter-site traffic.

| Endpoint | Address |
|---|---|
| OPNsense Site A (sa-fw-01) | 10.255.0.1 |
| OPNsense Site B (sb-fw-01) | 10.255.0.2 |

Site A advertises 10.10.0.0/16 to Site B; Site B advertises 10.20.0.0/16 to Site A. See WireGuard for full tunnel configuration.

UniFi WAN Transit (VLAN 253)

OPNsense sits upstream of the demoted UniFi routers at each site. VLAN 253 carries the WAN hand-off link between OPNsense and the UniFi router WAN port, following the standard infra-convention .1/.2 assignment.

| Role | Site A | Site B |
|---|---|---|
| OPNsense gateway (.1) | 10.10.253.1 | 10.20.253.1 |
| UniFi router WAN (.2) | 10.10.253.2 | 10.20.253.2 |
