VLAN Reference
Complete VLAN table for Site A and Site B: IDs, names, subnets, gateways, and purpose for all 15 VLANs.
All 15 VLANs are shared between Site A and Site B using the same IDs. Site A subnets use 10.10.x.0; Site B subnets use 10.20.x.0. Two VLANs carry no default gateway: VLAN 25 (Corosync heartbeat) and VLAN 65 (Ceph cluster replication).
VLAN Table
| VLAN | Name | Site A | Site B | Gateway |
|---|---|---|---|---|
| 10 | Network Mgmt / IPMI | 10.10.10.0/24 | 10.20.10.0/24 | GW |
| 20 | Proxmox Management | 10.10.20.0/24 | 10.20.20.0/24 | GW |
| 25 | Corosync heartbeat | 10.10.25.0/24 | 10.20.25.0/24 | no GW |
| 30 | VM Services | 10.10.30.0/24 | 10.20.30.0/24 | GW |
| 40 | Kubernetes Nodes | 10.10.40.0/22 | 10.20.40.0/22 | GW |
| 50 | K8s LB / VIPs | 10.10.50.0/24 | 10.20.50.0/24 | GW |
| 60 | Storage / Ceph public | 10.10.60.0/24 | 10.20.60.0/24 | GW |
| 65 | Ceph cluster | 10.10.65.0/24 (reserved) | 10.20.65.0/24 | no GW |
| 70 | DMZ | 10.10.70.0/24 | 10.20.70.0/24 | GW |
| 80 | Monitoring | 10.10.80.0/24 | 10.20.80.0/24 | GW |
| 90 | Backup / Replication | 10.10.90.0/24 | 10.20.90.0/24 | GW |
| 100 | Lab / Trusted Client | 10.10.100.0/22 | 10.20.100.0/22 | GW |
| 110 | IoT | 10.10.110.0/24 | 10.20.110.0/24 | GW |
| 120 | Guest WiFi | 10.10.120.0/24 | 10.20.120.0/24 | GW |
| 253 | UniFi WAN transit | 10.10.253.0/24 | 10.20.253.0/24 | GW |
VLAN 65 — Site A reserved
VLAN 65 (Ceph cluster) is reserved at Site A but not actively used. Only Site B allocates Ceph cluster traffic on this VLAN. The Site A /24 is held to maintain symmetric VLAN IDs across both sites.
No GW on Corosync and Ceph cluster VLANs
VLANs 25 and 65 have no OPNsense gateway by design. Corosync and Ceph cluster replication traffic must stay local — never route these VLANs across WireGuard.
Address-Block Convention
Every routed /24 in the plan follows a fixed band assignment by last octet. This applies at both sites.
| Octet range | Purpose |
|---|---|
| .1 | OPNsense L3 gateway (not present on VLANs 25 and 65) |
| .2 – .9 | Network infrastructure: switches, APs, demoted-router management |
| .10 – .39 | Physical host interfaces (host-octet convention — same octet on every VLAN) |
| .40 – .49 | Infrastructure service VMs: PBS, pinned DNS appliances |
| .50 – .199 | DHCP pool (client/guest) or additional static services |
| .200 – .254 | VIPs, MetalLB, load-balancer pools |
The /22 VLANs (40, 100) follow the same host-octet logic but span four /24 blocks to provide room for K8s machine networks and lab clients.
Host-octet convention: the same last octet appears on every VLAN a host terminates. Site A: sa-edge-01 .10, sa-cmp-01 .11, sa-cmp-02 .12, sa-stor-01 .20. Site B: sb-edge-01 .10, sb-cmp-01 .20, sb-cmp-02 .21, sb-cmp-03 .30, sb-cmp-04 .31, sb-cmp-05 .32.
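An added example (not part of the original page): a Python check that maps an address to its site, VLAN and octet band using the tables above, then flags flow records in which a VLAN 25 or 65 address has a peer outside its own subnet, which would mean the traffic was routed. The flow tuples, function names and band labels are constructed for illustration.

```python
import ipaddress

# VLAN ID -> prefix length, from the VLAN table (third octet = VLAN ID).
VLANS = {10: 24, 20: 24, 25: 24, 30: 24, 40: 22, 50: 24, 60: 24, 65: 24,
         70: 24, 80: 24, 90: 24, 100: 22, 110: 24, 120: 24, 253: 24}
SITES = {"A": 10, "B": 20}   # second octet per site
NO_GW = {25, 65}             # Corosync heartbeat, Ceph cluster
# Last-octet bands; the label strings are this example's own.
BANDS = [(1, 1, "gateway"), (2, 9, "network-infra"), (10, 39, "host"),
         (40, 49, "service-vm"), (50, 199, "dhcp-or-static"), (200, 254, "vip")]

def classify(addr):
    """Return (site, vlan, band) for an address inside the plan, else None."""
    ip = ipaddress.ip_address(addr)
    for site, octet in SITES.items():
        for vlan, plen in VLANS.items():
            if ip in ipaddress.ip_network(f"10.{octet}.{vlan}.0/{plen}"):
                last = int(ip) & 0xFF
                band = next((n for lo, hi, n in BANDS if lo <= last <= hi),
                            "unassigned")
                if vlan in NO_GW and band == "gateway":
                    band = "unassigned"   # no .1 gateway on VLANs 25 and 65
                return site, vlan, band
    return None

def routed_violations(flows):
    """Return flows where a VLAN 25/65 address has a peer outside its subnet."""
    bad = []
    for src, dst in flows:
        a, b = classify(src), classify(dst)
        for end, peer in ((a, b), (b, a)):
            if end and end[1] in NO_GW and (peer is None or peer[:2] != end[:2]):
                bad.append((src, dst))
                break
    return bad

# Constructed flow records (src, dst) for illustration only.
FLOWS = [
    ("10.10.25.11", "10.10.25.12"),   # Corosync, same subnet: fine
    ("10.20.65.20", "10.20.65.21"),   # Ceph cluster, same subnet: fine
    ("10.10.20.11", "10.20.20.20"),   # Proxmox mgmt across sites: routed VLAN
    ("10.10.25.11", "10.20.25.20"),   # Corosync crossing sites: violation
    ("10.20.65.30", "10.20.60.30"),   # Ceph cluster to Ceph public: violation
]

if __name__ == "__main__":
    for src, dst in routed_violations(FLOWS):
        print(f"routed no-GW traffic: {src} -> {dst} {classify(src)} {classify(dst)}")
```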
Per-Site Management IPs (VLAN 10 — Network Mgmt / IPMI)
| Device | Site A | Site B |
|---|---|---|
| OPNsense gateway | 10.10.10.1 | 10.20.10.1 |
| Netgear core switch (sa-sw-01 / sb-sw-01) | 10.10.10.2 | 10.20.10.2 |
| Access switch #1 (sa-sw-02 / sb-sw-02) | 10.10.10.3 | 10.20.10.3 |
| Access switch #2 (sa-sw-03) | 10.10.10.4 | — |
| Demoted router mgmt (sa-gw / sb-gw) | 10.10.10.5 | 10.20.10.4 |
| sa-ap-01 (U7 Pro XGS) | 10.10.10.6 | — |
Per-Site Proxmox Management IPs (VLAN 20)
| Host | Site A | Site B |
|---|---|---|
| Edge (sa-edge-01 / sb-edge-01) | 10.10.20.10 | 10.20.20.10 |
| Compute #1 (sa-cmp-01 / sb-cmp-01) | 10.10.20.11 | 10.20.20.20 |
| Compute #2 (sa-cmp-02 / sb-cmp-02) | 10.10.20.12 | 10.20.20.21 |
| Storage / Compute #3 (sa-stor-01 / sb-cmp-03) | 10.10.20.20 | 10.20.20.30 |
| Compute #4 (sb-cmp-04) | — | 10.20.20.31 |
| Compute #5 (sb-cmp-05) | — | 10.20.20.32 |
WireGuard Transit
The inter-site WireGuard tunnel uses 10.255.0.0/24:
| Endpoint | Address |
|---|---|
| OPNsense Site A (sa-fw-01) | 10.255.0.1 |
| OPNsense Site B (sb-fw-01) | 10.255.0.2 |
Site A advertises 10.10.0.0/16 to Site B; Site B advertises 10.20.0.0/16 to Site A. No NAT on inter-site traffic. See WireGuard for full configuration.
UniFi WAN Transit (VLAN 253)
OPNsense sits upstream of the demoted UniFi routers. VLAN 253 carries this WAN transit link: OPNsense gateway .1, UniFi router WAN .2. Example: Site A OPNsense 10.10.253.1, UniFi WAN 10.10.253.2.
Related Pages
- IP Addressing — supernets, bootstrap networks, and the per-/24 address-block convention
- Addressing Convention — full address-block convention detail
- WireGuard — site-to-site VPN configuration
- IP Tables — machine-readable master IP reference