AORXI Homelab

VLAN Reference

Complete VLAN table for Site A and Site B: IDs, names, subnets, gateways, and purpose for all 15 VLANs.

All 15 VLANs are shared between Site A and Site B using the same IDs. Site A subnets use 10.10.x.0; Site B subnets use 10.20.x.0. Two VLANs carry no default gateway: VLAN 25 (Corosync heartbeat) and VLAN 65 (Ceph cluster replication).

VLAN Table

| VLAN | Name | Site A | Site B | GW |
|------|------|--------|--------|----|
| 10 | Network Mgmt / IPMI | 10.10.10.0/24 | 10.20.10.0/24 | GW |
| 20 | Proxmox Management | 10.10.20.0/24 | 10.20.20.0/24 | GW |
| 25 | Corosync heartbeat | 10.10.25.0/24 | 10.20.25.0/24 | no GW |
| 30 | VM Services | 10.10.30.0/24 | 10.20.30.0/24 | GW |
| 40 | Kubernetes Nodes | 10.10.40.0/22 | 10.20.40.0/22 | GW |
| 50 | K8s LB / VIPs | 10.10.50.0/24 | 10.20.50.0/24 | GW |
| 60 | Storage / Ceph public | 10.10.60.0/24 | 10.20.60.0/24 | GW |
| 65 | Ceph cluster | 10.10.65.0/24 (reserved) | 10.20.65.0/24 | no GW |
| 70 | DMZ | 10.10.70.0/24 | 10.20.70.0/24 | GW |
| 80 | Monitoring | 10.10.80.0/24 | 10.20.80.0/24 | GW |
| 90 | Backup / Replication | 10.10.90.0/24 | 10.20.90.0/24 | GW |
| 100 | Lab / Trusted Client | 10.10.100.0/22 | 10.20.100.0/22 | GW |
| 110 | IoT | 10.10.110.0/24 | 10.20.110.0/24 | GW |
| 120 | Guest WiFi | 10.10.120.0/24 | 10.20.120.0/24 | GW |
| 253 | UniFi WAN transit | 10.10.253.0/24 | 10.20.253.0/24 | GW |

VLAN 65 — Site A reserved

VLAN 65 (Ceph cluster) is reserved at Site A but not actively used. Only Site B allocates Ceph cluster traffic on this VLAN. The Site A /24 is held to maintain symmetric VLAN IDs across both sites.

No GW on Corosync and Ceph cluster VLANs

VLANs 25 and 65 have no OPNsense gateway by design. Corosync and Ceph cluster replication traffic must stay local — never route these VLANs across WireGuard.

Address-Block Convention

Every routed /24 in the plan follows a fixed band assignment by last octet. This applies at both sites.

| Octet range | Purpose |
|-------------|---------|
| .1 | OPNsense L3 gateway (not present on VLANs 25 and 65) |
| .2 – .9 | Network infrastructure: switches, APs, demoted-router management |
| .10 – .39 | Physical host interfaces (host-octet convention: same octet on every VLAN) |
| .40 – .49 | Infrastructure service VMs: PBS, pinned DNS appliances |
| .50 – .199 | DHCP pool (client/guest) or additional static services |
| .200 – .254 | VIPs, MetalLB, load-balancer pools |

The /22 VLANs (40, 100) follow the same host-octet logic but span four /24 blocks to provide room for K8s machine networks and lab clients.

Host-octet convention: the same last octet appears on every VLAN a host terminates. Site A: sa-edge-01 .10, sa-cmp-01 .11, sa-cmp-02 .12, sa-stor-01 .20. Site B: sb-edge-01 .10, sb-cmp-01 .20, sb-cmp-02 .21, sb-cmp-03 .30, sb-cmp-04 .31, sb-cmp-05 .32.
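The plan's rules (site prefix per VLAN, no gateway on VLANs 25 and 65, the .10 – .39 host band, and one host octet per machine) can be checked mechanically against an inventory. The following is an added example, not part of the original page: the record format, the `audit` function and the sample rows are assumptions, and for the /22 VLANs the band check is applied to the last octet only.

```python
import ipaddress

# From the VLAN table: VLAN ID -> prefix length (the third octet is the VLAN ID).
VLAN_PREFIX = {10: 24, 20: 24, 25: 24, 30: 24, 40: 22, 50: 24, 60: 24, 65: 24,
               70: 24, 80: 24, 90: 24, 100: 22, 110: 24, 120: 24, 253: 24}
SITE_OCTET = {"A": 10, "B": 20}   # Site A is 10.10.x.0, Site B is 10.20.x.0
NO_GW_VLANS = {25, 65}            # Corosync heartbeat and Ceph cluster
HOST_BAND = range(10, 40)         # .10 - .39: physical host interfaces


def subnet(site, vlan):
    """Subnet of a VLAN at a site, e.g. subnet("B", 40) -> 10.20.40.0/22."""
    return ipaddress.ip_network(f"10.{SITE_OCTET[site]}.{vlan}.0/{VLAN_PREFIX[vlan]}")


def audit(records):
    """records: (name, role, site, vlan, ip) tuples, role is "gateway" or "host".
    Returns a list of findings; an empty list means the plan is respected."""
    findings, octets = [], {}
    for name, role, site, vlan, ip in records:
        last = int(ipaddress.ip_address(ip)) & 0xFF
        if ipaddress.ip_address(ip) not in subnet(site, vlan):
            findings.append(f"{name}: {ip} outside {subnet(site, vlan)}")
        if role == "gateway" and vlan in NO_GW_VLANS:
            findings.append(f"{name}: gateway {ip} on no-GW VLAN {vlan}")
        if role == "host":
            if last not in HOST_BAND:
                findings.append(f"{name}: {ip} outside host band .10-.39")
            octets.setdefault(name, set()).add(last)
    for name, seen in sorted(octets.items()):
        if len(seen) > 1:
            findings.append(f"{name}: host octet differs across VLANs {sorted(seen)}")
    return findings


# Constructed inventory: hostnames and VLAN 20 host addresses are from the page,
# the other rows are made up to exercise each check.
GOOD = [("sa-fw-01", "gateway", "A", 20, "10.10.20.1"),
        ("sa-cmp-01", "host", "A", 20, "10.10.20.11"),
        ("sa-cmp-01", "host", "A", 25, "10.10.25.11"),
        ("sb-cmp-03", "host", "B", 20, "10.20.20.30"),
        ("sb-cmp-03", "host", "B", 65, "10.20.65.30")]
BAD = [("sb-fw-01", "gateway", "B", 25, "10.20.25.1"),     # gateway on Corosync VLAN
       ("sb-cmp-01", "host", "B", 20, "10.20.20.20"),
       ("sb-cmp-01", "host", "B", 60, "10.20.60.21"),      # octet drift: .20 vs .21
       ("sa-stor-01", "host", "A", 60, "10.20.60.20")]     # Site B address at Site A

if __name__ == "__main__":
    print("\n".join(audit(BAD)))
```

Running the audit in CI against an exported interface list catches a gateway accidentally added to VLAN 25 or 65 before it makes cluster traffic routable.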

Per-Site Management IPs (VLAN 10 — Network Mgmt / IPMI)

| Device | Site A | Site B |
|--------|--------|--------|
| OPNsense gateway | 10.10.10.1 | 10.20.10.1 |
| Netgear core switch (sa-sw-01 / sb-sw-01) | 10.10.10.2 | 10.20.10.2 |
| Access switch #1 (sa-sw-02 / sb-sw-02) | 10.10.10.3 | 10.20.10.3 |
| Access switch #2 (sa-sw-03) | 10.10.10.4 | |
| Demoted router mgmt (sa-gw / sb-gw) | 10.10.10.5 | 10.20.10.4 |
| sa-ap-01 (U7 Pro XGS) | 10.10.10.6 | |

Per-Site Proxmox Management IPs (VLAN 20)

| Host | Site A | Site B |
|------|--------|--------|
| Edge (sa-edge-01 / sb-edge-01) | 10.10.20.10 | 10.20.20.10 |
| Compute #1 (sa-cmp-01 / sb-cmp-01) | 10.10.20.11 | 10.20.20.20 |
| Compute #2 (sa-cmp-02 / sb-cmp-02) | 10.10.20.12 | 10.20.20.21 |
| Storage / Compute #3 (sa-stor-01 / sb-cmp-03) | 10.10.20.20 | 10.20.20.30 |
| Compute #4 (sb-cmp-04) | | 10.20.20.31 |
| Compute #5 (sb-cmp-05) | | 10.20.20.32 |

WireGuard Transit

The inter-site WireGuard tunnel uses 10.255.0.0/24:

| Endpoint | Address |
|----------|---------|
| OPNsense Site A (sa-fw-01) | 10.255.0.1 |
| OPNsense Site B (sb-fw-01) | 10.255.0.2 |

Site A advertises 10.10.0.0/16 to Site B; Site B advertises 10.20.0.0/16 to Site A. No NAT on inter-site traffic. See WireGuard for full configuration.

UniFi WAN Transit (VLAN 253)

OPNsense sits upstream of the demoted UniFi routers. VLAN 253 carries this WAN transit link: OPNsense gateway .1, UniFi router WAN .2. Example: Site A OPNsense 10.10.253.1, UniFi WAN 10.10.253.2.
