Network Design¶
The network uses a managed switch with 802.1Q trunking and OpenWrt for routing and firewalling between zones.
Key principle: IP ranges encode trust zones, while hostnames encode physical placement.
```mermaid
flowchart TB
    I[Internet] --> R[OpenWrt Router]
    R --> SW[Managed Switch 2.5G Trunk]
    SW --> A[ando]
    SW --> B[ban]
    SW --> C[corbu]
    A -.10G backhaul.- X[Isolated 10G Switch]
    B -.10G backhaul.- X
    C -.10G backhaul.- X
```
Network components¶
| Device | Role | Notes |
|---|---|---|
| OpenWrt router | Gateway, VLAN routing, firewall, DHCP | Zone-based rules: new connections may only cross a zone boundary in one direction; the reply half of an allowed flow returns via connection tracking. |
| Managed switch (2.5G) | VLAN trunking to all hosts | 802.1Q trunk ports to all Proxmox nodes. |
| Isolated switch (10G) | Backhaul only | No router uplink. Reserved for inter-node replication and future distributed control-plane traffic. |
| Netbird LXC | VPN routing peer | Advertises 10.42.0.0/16 into mesh, enabling edge-to-on-prem reachability. |
Note
IP addresses encode trust zones; hostnames encode physical location. This lets firewall policy scale without per-host exceptions.
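The principle above, worked through as an added example (not the page's own configuration): zone membership is derived from the address prefix alone, hostnames appear only in an inventory, and the one-way forwarding set is rendered to the `/etc/config/firewall` shape OpenWrt expects. The VLAN numbers, the /24 carve-up of 10.42.0.0/16, the zone names, the forwardings and the host addresses are all assumptions chosen to illustrate the design; substitute the real ones.

```python
"""Zone-based policy model for the network design above.

Added example, not the page's own configuration. The /24 ranges carved
out of 10.42.0.0/16, the zone names, the forwardings and the host
addresses are assumptions. Only NEW connections are modelled; OpenWrt's
connection tracking admits the reply half of an allowed flow, which is
what turns a single-direction forwarding into a one-way trust boundary.
"""
import ipaddress

SITE = ipaddress.ip_network("10.42.0.0/16")   # the range the Netbird peer advertises

# zone -> CIDRs: an address's prefix alone decides its zone (assumed carve-up)
ZONES = {
    "mgmt": ["10.42.10.0/24"],   # VLAN 10: Proxmox, switch and router admin
    "lan":  ["10.42.20.0/24"],   # VLAN 20: trusted clients and services
    "iot":  ["10.42.30.0/24"],   # VLAN 30: untrusted devices
}

# one-way forwardings (src zone -> dst zone) for new connections (assumed)
FORWARD = {
    ("mgmt", "lan"), ("mgmt", "iot"), ("mgmt", "wan"),
    ("lan", "iot"), ("lan", "wan"),
    # iot and wan initiate nothing towards any other zone
}

# router INPUT policy per zone; iot and wan need explicit DHCP/DNS rules (not shown)
INPUT_POLICY = {"mgmt": "ACCEPT", "lan": "ACCEPT", "iot": "REJECT", "wan": "REJECT"}

# hostname -> addresses (assumed). Placement lives in the name, trust in
# the address: a node with a leg in two VLANs is two addresses in two zones.
HOSTS = {
    "ando":  ["10.42.10.11", "10.42.20.11"],
    "ban":   ["10.42.10.12", "10.42.20.12"],
    "corbu": ["10.42.10.13", "10.42.20.13"],
}


def zone_of(ip):
    """Map an address to its trust zone purely by prefix."""
    addr = ipaddress.ip_address(ip)
    if addr not in SITE:
        return "wan"              # anything not on-prem is the untrusted side
    for zone, cidrs in ZONES.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return zone
    return None                   # on-prem but unassigned: no zone, so dropped


def allowed(src_ip, dst_ip):
    """Would the router accept a NEW connection from src_ip to dst_ip?"""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True               # intra-zone traffic is switched, never routed
    return (src, dst) in FORWARD


def host_zones(hostname):
    """Zones a host touches, derived from its addresses, never from its name."""
    return {zone_of(a) for a in HOSTS[hostname]}


def render_uci():
    """Emit /etc/config/firewall sections equivalent to ZONES and FORWARD.

    Assumes each zone's OpenWrt network interface carries the zone's name.
    """
    out = []
    for zone in list(ZONES) + ["wan"]:
        out += [
            "config zone",
            f"\toption name '{zone}'",
            f"\tlist network '{zone}'",
            f"\toption input '{INPUT_POLICY[zone]}'",
            "\toption output 'ACCEPT'",
            "\toption forward 'REJECT'",          # zone-to-zone only via forwardings
            "\toption masq '1'" if zone == "wan" else "\toption masq '0'",
            "",
        ]
    for src, dst in sorted(FORWARD):
        out += ["config forwarding", f"\toption src '{src}'", f"\toption dest '{dst}'", ""]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_uci())
    print("iot -> mgmt allowed?", allowed("10.42.30.5", "10.42.10.11"))
```

Adding a fourth node means adding its addresses to the inventory; no forwarding changes, because nothing in `FORWARD` names a host. The unassigned-prefix case returns no zone rather than a default, so a mistyped address lands in a dropped flow instead of an accidentally trusted one.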