IP Addressing
Site supernets, temporary bootstrap networks, the per-/24 octet-band convention, and transit addresses for Site A and Site B.
Two /16 supernets divide the address space by site — 10.10.0.0/16 for Site A, 10.20.0.0/16 for Site B — with a fixed octet-band convention applied uniformly inside every routed /24. This page covers the supernet allocation, temporary bootstrap addresses used during initial node imaging, the per-/24 band assignment, and the transit subnets used for WireGuard and UniFi hand-off. For the full VLAN table see VLAN Reference; for per-host IP assignments see IP Tables.
No stretched L2 between sites
Never stretch L2 between Site A and Site B. All cross-site traffic is routed over WireGuard only. The two /16 supernets must never overlap.
Site Supernets
| Site | Supernet | WireGuard route advertised to peer |
|---|---|---|
| Site A | 10.10.0.0/16 | 10.10.0.0/16 → Site B |
| Site B | 10.20.0.0/16 | 10.20.0.0/16 → Site A |
| WireGuard transit | 10.255.0.0/24 | — |
The /16 boundary provides a large pool for Kubernetes machine networks, MetalLB VIPs, and future cluster expansion without subnet overlap across the WireGuard tunnel.
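The no-overlap rule above and the route column of the supernet table are easy to check mechanically. The following Python example is added here and is not part of this page's own tooling; it validates a site plan with the standard-library ipaddress module, and it derives the WireGuard AllowedIPs each OPNsense should hold for its peer from the same table. The sample Site A subnets are constructed and assume the third octet equals the VLAN ID (VLAN 253 is documented on this page; VLAN 10 and the /22 VLAN 40 layout are assumptions).

```python
import ipaddress

# Site supernets and the WireGuard transit network, as listed in the table above.
SITES = {"A": "10.10.0.0/16", "B": "10.20.0.0/16"}
TRANSIT = "10.255.0.0/24"
# Transit addresses of the two OPNsense tunnel endpoints (sa-fw-01 and sb-fw-01).
TRANSIT_ENDPOINTS = {"A": "10.255.0.1", "B": "10.255.0.2"}


def overlapping_pairs(named_cidrs):
    """Return a line for each pair of networks that overlaps; empty means all are disjoint."""
    nets = [(name, ipaddress.ip_network(cidr)) for name, cidr in named_cidrs]
    problems = []
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")
    return problems


def check_supernets(sites=SITES, transit=TRANSIT):
    """The two site supernets and the transit /24 must never overlap one another."""
    return overlapping_pairs(list(sites.items()) + [("transit", transit)])


def check_site_subnets(site, subnets, sites=SITES):
    """Every routed subnet at a site ({vlan: cidr}) must sit inside that site's supernet,
    and no two of them may overlap (e.g. a /24 carved out of a /22 VLAN)."""
    supernet = ipaddress.ip_network(sites[site])
    problems = []
    for vlan, cidr in subnets.items():
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(supernet):
            problems.append(f"VLAN {vlan} {net} is outside Site {site} supernet {supernet}")
    problems += overlapping_pairs([(f"VLAN {vlan}", cidr) for vlan, cidr in subnets.items()])
    return problems


def peer_allowed_ips(local, sites=SITES, endpoints=TRANSIT_ENDPOINTS):
    """AllowedIPs the local OPNsense configures for its peer: the peer's whole supernet (the
    route advertised across the tunnel) plus the peer's transit address as a /32."""
    (peer,) = set(sites) - {local}
    return [str(ipaddress.ip_network(sites[peer])), f"{endpoints[peer]}/32"]


if __name__ == "__main__":
    # Constructed sample: a few Site A subnets assuming the third octet equals the VLAN ID.
    site_a = {10: "10.10.10.0/24", 40: "10.10.40.0/22", 253: "10.10.253.0/24"}
    print(check_supernets())                        # []
    print(check_site_subnets("A", site_a))          # []
    print(peer_allowed_ips("A"))                    # ['10.20.0.0/16', '10.255.0.2/32']
    # A mistaken plan: Site B carved out of Site A's /16, and a /24 inside the /22 VLAN 40.
    print(check_supernets({"A": "10.10.0.0/16", "B": "10.10.128.0/17"}))
    print(check_site_subnets("A", {40: "10.10.40.0/22", 41: "10.10.41.0/24"}))
```

Run it against the real VLAN table before committing a new subnet; a non-empty result from either check means the addition would break routing across the tunnel or silently shadow an existing VLAN.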
Bootstrap Networks
During initial node imaging (Phases 0–3), each site operates a single flat L2 network with no VLANs. Each node uses one management NIC; Supermicro boards also bring up their IPMI port on the flat network. All other NICs (10G trunk, Corosync, Ceph, storage, backup) are cabled but unconfigured until their VLAN is provisioned at Phase 4+.
Bootstrap IPMI address = bootstrap mgmt octet + 100 (for example, sa-edge-01 mgmt 192.168.1.10, IPMI 192.168.1.110).
| Site | Subnet | Gateway | Temporary router |
|---|---|---|---|
| Site A | 192.168.1.0/24 | 192.168.1.1 | UniFi Gateway Max |
| Site B | 192.168.16.0/24 | 192.168.16.1 | USG Pro |
IPMI stays on these flat bootstrap addresses through Phases 0–3 and migrates to its final VLAN 10 address only at Phase 4. For the full per-host bootstrap-to-final address mapping see IP Tables.
Never expose IPMI to the internet
During bootstrap, IPMI ports are on the flat 192.168.x network with no VLAN isolation. Before powering on any node, confirm the temporary router blocks all inbound access from the internet to the 192.168.x range: no port forward, DMZ host, or UPnP mapping may reach it.
Per-/24 Address-Block Convention
Every routed /24 at both sites follows a fixed band assignment. The last octet of any address identifies its role without consulting the host table.
| Octet range | Role | Notes |
|---|---|---|
| .1 | OPNsense L3 gateway | absent on VLANs 25 and 65 |
| .2 – .9 | Network infrastructure | Switches, APs, demoted-router management |
| .10 – .39 | Physical host interfaces | Host-octet convention — same octet on every VLAN a host terminates |
| .40 – .49 | Infrastructure service VMs | Proxmox Backup Server (PBS), pinned DNS appliances |
| .50 – .199 | DHCP pool / static services | Client VLANs use DHCP; server VLANs use static |
| .200 – .254 | VIPs / MetalLB pools | Kubernetes API, ingress, and load-balancer VIPs |
Host-octet convention: a host reuses the same last octet on every VLAN it terminates. Site A octets: sa-edge-01 .10, sa-cmp-01 .11, sa-cmp-02 .12, sa-stor-01 .20. Site B octets: sb-edge-01 .10, sb-cmp-01 .20, sb-cmp-02 .21, sb-cmp-03 .30, sb-cmp-04 .31, sb-cmp-05 .32.
The /22 VLANs (VLAN 40 Kubernetes Nodes, VLAN 100 Lab / Trusted Client) span four /24 blocks and follow the same host-octet logic within them.
A Proxmox host gets an L3 IP only on the infrastructure VLANs it terminates (10, 20, 25, 60, 90 at both sites; 65 at Site B only). Guest and VM VLANs (30, 40, 50, 70, 80, 100, 110, 120) are bridged on the host with no host IP assigned.
For additional detail on the convention, including Kubernetes machine network allocation, see Addressing Convention.
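The band table, the host-octet convention, the list of VLANs a Proxmox host terminates, and the bootstrap IPMI rule from the Bootstrap Networks section are all expressible as checks. The Python example below is added here and is not part of this page's tooling; it classifies any address by its last octet and audits a host's address set and a VLAN's gateway against the rules stated on this page. The sample host maps are constructed and assume the third octet equals the VLAN ID; the host octets used match the ones listed above.

```python
import ipaddress

# Octet-band convention from the table above: inclusive last-octet ranges and the role they denote.
BANDS = (
    (1, 1, "gateway"),
    (2, 9, "network-infra"),
    (10, 39, "host"),
    (40, 49, "infra-vm"),
    (50, 199, "dhcp-or-static-service"),
    (200, 254, "vip"),
)
# Infrastructure VLANs on which a Proxmox host owns an L3 address (VLAN 65 exists at Site B only).
HOST_VLANS = {"A": {10, 20, 25, 60, 90}, "B": {10, 20, 25, 60, 65, 90}}
# VLANs that carry no OPNsense .1 gateway.
NO_GATEWAY_VLANS = {25, 65}


def last_octet(addr):
    return int(ipaddress.ip_address(addr)) & 0xFF


def role_of(addr):
    """Map an address to its role from the last octet alone, without consulting the host table."""
    last = last_octet(addr)
    for lo, hi, role in BANDS:
        if lo <= last <= hi:
            return role
    raise ValueError(f"{addr}: last octet .{last} is outside every band (.0 and .255 are never assigned)")


def bootstrap_ipmi(mgmt):
    """Bootstrap IPMI address = bootstrap mgmt address with 100 added to the last octet."""
    ip = ipaddress.ip_address(mgmt)
    if last_octet(mgmt) + 100 > 254:
        raise ValueError(f"{mgmt}: mgmt octet .{last_octet(mgmt)} + 100 leaves the /24")
    return str(ip + 100)


def audit_host(site, name, interfaces):
    """Check one host's {vlan: address} map against the host-octet convention and the list of
    VLANs a Proxmox host may terminate. Returns the violations found; an empty list means clean."""
    problems = []
    octets = {last_octet(a) for a in interfaces.values()}
    if len(octets) != 1:
        problems.append(f"{name}: last octet differs across VLANs: {sorted(octets)}")
    for octet in sorted(octets):
        if not 10 <= octet <= 39:
            problems.append(f"{name}: host octet .{octet} is outside the .10-.39 band")
    extra = sorted(set(interfaces) - HOST_VLANS[site])
    if extra:
        problems.append(f"{name}: L3 address on guest/VM VLAN(s) {extra}; those are bridged only")
    return problems


def audit_gateways(gateways):
    """Check a {vlan: gateway address} map: every gateway sits at .1, and VLANs 25/65 have none."""
    problems = []
    for vlan, addr in gateways.items():
        if vlan in NO_GATEWAY_VLANS:
            problems.append(f"VLAN {vlan}: has gateway {addr} but carries no .1")
        elif role_of(addr) != "gateway":
            problems.append(f"VLAN {vlan}: gateway {addr} is not at .1")
    return problems


if __name__ == "__main__":
    # Constructed sample data; the third-octet-equals-VLAN layout is an assumption for this example.
    sa_edge_01 = {10: "10.10.10.10", 20: "10.10.20.10", 25: "10.10.25.10", 60: "10.10.60.10", 90: "10.10.90.10"}
    drifted = {10: "10.20.10.20", 20: "10.20.20.21", 40: "10.20.40.20"}  # octet drift and an IP on VLAN 40
    print(role_of("10.10.40.250"), role_of("10.10.10.1"))   # vip gateway
    print(bootstrap_ipmi("192.168.1.10"))                   # 192.168.1.110
    print(audit_host("A", "sa-edge-01", sa_edge_01))        # []
    print(audit_host("B", "sb-cmp-01", drifted))
    print(audit_gateways({10: "10.10.10.1", 25: "10.10.25.1"}))
```

The audit deliberately rejects a host address on any guest or VM VLAN, since an unintended L3 presence there would give the hypervisor a foothold on a network it is only supposed to bridge.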
Transit Networks
WireGuard Site-to-Site
The inter-site WireGuard tunnel uses 10.255.0.0/24. No NAT is applied to inter-site traffic.
| Endpoint | Address |
|---|---|
| OPNsense Site A (sa-fw-01) | 10.255.0.1 |
| OPNsense Site B (sb-fw-01) | 10.255.0.2 |
Site A advertises 10.10.0.0/16 to Site B; Site B advertises 10.20.0.0/16 to Site A. See WireGuard for full tunnel configuration.
UniFi WAN Transit (VLAN 253)
OPNsense sits upstream of the demoted UniFi routers at each site. VLAN 253 carries the WAN hand-off link between OPNsense and the UniFi router WAN port, following the standard infra-convention .1/.2 assignment.
| Role | Site A | Site B |
|---|---|---|
| OPNsense gateway (.1) | 10.10.253.1 | 10.20.253.1 |
| UniFi router WAN (.2) | 10.10.253.2 | 10.20.253.2 |
Related Pages
- VLAN Reference — full VLAN table with subnets, gateways, and switch carriage
- Addressing Convention — extended address-block convention detail
- WireGuard — site-to-site VPN configuration
- IP Tables — complete per-host IP reference across all VLANs