Network Infrastructure¶
Network configuration and routing for the Tower Fleet homelab.
Overview¶
- Router/Firewall: OPNsense
- Primary Subnet: 10.89.97.0/24
- Gateway: 10.89.97.1
Network Topology¶
```text
Internet
│
├─ Hetzner VPS (5.161.45.147) ──── WireGuard ────┐
│  *.bogocat.com                                  │
│                                                 │
└─ OPNsense (10.89.97.1) ◄────────────────────────┘
   │ 10.22.95.1 (WireGuard)
   │
   ├─ Proxmox Host(s) (10.89.97.x)
   ├─ LXC Containers (10.89.97.97, .101, .239, .241, etc.)
   ├─ VMs (10.89.97.50, .221-.223, etc.)
   └─ Kubernetes Services (MetalLB: 10.89.97.210+)
```
IP Address Allocation¶
Reserved Ranges¶
| Range | Purpose | Notes |
|---|---|---|
| 10.89.97.1 | Gateway | OPNsense router |
| 10.89.97.2-49 | Infrastructure | Proxmox hosts, switches, APs |
| 10.89.97.50-99 | VMs | Virtual machines |
| 10.89.97.100-199 | LXC Containers | Container services |
| 10.89.97.200-229 | Kubernetes VMs | k3s cluster nodes |
| 10.89.97.230-249 | Kubernetes Services | MetalLB pool |
| 10.89.97.250+ | DHCP/Dynamic | Temporary devices |
Key IP Addresses¶
Infrastructure:
- 10.89.97.1 - OPNsense gateway
Virtual Machines:
- 10.89.97.50 - VM 100 (arr-stack media automation)
- 10.89.97.221 - VM 201 (k3s-master)
- 10.89.97.222 - VM 202 (k3s-worker-1)
- 10.89.97.223 - VM 203 (k3s-worker-2)
LXC Containers:
- 10.89.97.97 - LXC 113 (Jellyfin media server)
- 10.89.97.101 - LXC 101 (NAS storage server)
- 10.89.97.240 - LXC 411 (documentation server)
External (VPS):
- 5.161.45.147 - Hetzner VPS (reverse proxy for bogocat.com)
- 10.22.95.10 - VPS WireGuard tunnel IP
Kubernetes Services (MetalLB):
- 10.89.97.210 - Longhorn UI (storage dashboard)
- 10.89.97.211 - Grafana (monitoring dashboard)
- 10.89.97.212 - Kubernetes Dashboard
- 10.89.97.214 - Supabase (Kong API Gateway)
- 10.89.97.215 - Supabase Studio
- 10.89.97.216 - Prometheus (metrics database)
- 10.89.97.217 - Alertmanager (alert routing)
- 10.89.97.220 - NGINX Ingress Controller (*.internal apps)
MetalLB IP Pool: 10.89.97.210-229 (20 IPs total, 12 available). This range disagrees with the reserved-range table and the MetalLB Configuration section, which both give 10.89.97.230-249; the eight services above sit in .210-.220, and the k3s node VMs at .221-.223 would fall inside a .210-.229 pool. Confirm the live pool with `kubectl get ipaddresspool -n metallb-system` before assigning or documenting a pool address, since MetalLB answers ARP for pool addresses and a collision with a VM shows up as an intermittent IP conflict.
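As an added check, not part of the Tower Fleet tooling: the POSIX shell script below transcribes the reserved-range table and the addresses listed above, then reports every assignment that lands outside the range reserved for its declared purpose, plus any fixed (non-MetalLB) host that falls inside a MetalLB pool. It runs the pool check for both ranges this page gives (.210-229 here, .230-249 in the allocation table). The data is the page's; the function names and the purpose labels are this example's own choices.

```bash
#!/bin/sh
# Audit of the documented 10.89.97.0/24 allocation. Two checks:
#  1. every address in "Key IP Addresses" lies inside the range the
#     reserved-range table assigns to its declared purpose;
#  2. no fixed host sits inside a MetalLB pool (MetalLB answers ARP for
#     pool addresses, so a collision is an intermittent IP conflict).
# Added example for this page, not part of the Tower Fleet tooling. Ranges
# and assignments are transcribed from the page; function names and the
# purpose labels are this example's own.

# Reserved ranges: "lo hi purpose" over the last octet.
RANGES="1 1 Gateway
2 49 Infrastructure
50 99 VMs
100 199 LXC
200 229 Kubernetes-VMs
230 249 Kubernetes-Services
250 254 DHCP"

# Documented assignments: "last-octet declared-purpose label".
ASSIGNMENTS="1 Gateway opnsense-gateway
50 VMs vm100-arr-stack
221 Kubernetes-VMs vm201-k3s-master
222 Kubernetes-VMs vm202-k3s-worker-1
223 Kubernetes-VMs vm203-k3s-worker-2
97 LXC lxc113-jellyfin
101 LXC lxc101-nas
240 LXC lxc411-docs
210 Kubernetes-Services longhorn-ui
211 Kubernetes-Services grafana
212 Kubernetes-Services kubernetes-dashboard
214 Kubernetes-Services supabase-kong
215 Kubernetes-Services supabase-studio
216 Kubernetes-Services prometheus
217 Kubernetes-Services alertmanager
220 Kubernetes-Services nginx-ingress"

# Purpose the table reserves for a last octet, or "unreserved".
range_for() {
  o=$1
  hit=$(printf '%s\n' "$RANGES" | while read -r lo hi purpose; do
    if [ "$o" -ge "$lo" ] && [ "$o" -le "$hi" ]; then
      echo "$purpose"
      break
    fi
  done)
  echo "${hit:-unreserved}"
}

# One line per assignment whose address is outside its declared range.
audit_mismatches() {
  printf '%s\n' "$ASSIGNMENTS" | while read -r octet declared label; do
    actual=$(range_for "$octet")
    if [ "$actual" != "$declared" ]; then
      echo "10.89.97.$octet ($label): declared $declared, table reserves it for $actual"
    fi
  done
}

# Fixed (non-MetalLB) hosts inside the pool LO-HI.  usage: pool_collisions 210 229
pool_collisions() {
  lo=$1 hi=$2
  printf '%s\n' "$ASSIGNMENTS" | while read -r octet declared label; do
    if [ "$declared" != Kubernetes-Services ] &&
       [ "$octet" -ge "$lo" ] && [ "$octet" -le "$hi" ]; then
      echo "10.89.97.$octet ($label) collides with MetalLB pool .$lo-.$hi"
    fi
  done
}

echo "== assignments outside their reserved range =="
audit_mismatches
echo "== fixed hosts inside the .210-.229 pool (Key IP Addresses) =="
pool_collisions 210 229
echo "== fixed hosts inside the .230-.249 pool (allocation table) =="
pool_collisions 230 249
```

Run it whenever an address is added to this page; the range table and the assignment list are the only things to edit. The last-octet arithmetic is enough because everything documented here lives in one /24.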
DNS Configuration¶
- Internal DNS: Handled by OPNsense Unbound DNS
- External DNS: (if configured)
Local DNS Records¶
Infrastructure (static IPs):
- nas.local → 10.89.97.101
- docs.local → 10.89.97.240
- arr-stack.local → 10.89.97.50
Kubernetes Apps (via NGINX Ingress - 10.89.97.220):
- home.internal → 10.89.97.220 (NGINX Ingress → home-portal)
- money.internal → 10.89.97.220 (NGINX Ingress → money-tracker)
- travel.internal → 10.89.97.220 (NGINX Ingress → trip-planner)
Note: .internal domain apps use hostname-based routing through the NGINX Ingress Controller: all three names resolve to 10.89.97.220 and the Host header selects the backend. The .local names are served by Unbound as ordinary unicast records, but .local is reserved for mDNS (RFC 6762), so clients that run an mDNS responder (macOS, systemd-resolved, Avahi) may answer those names via multicast instead of asking Unbound; the DNS hostname standardization item under Future Enhancements is the place to move them off .local.
See: NGINX Ingress Documentation
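The following is an added example, not part of the Tower Fleet tooling: a POSIX shell check that asks the OPNsense resolver for each record listed above, compares the answer with the documented address, and flags names under .local. The record list is transcribed from this page; the RESOLVER variable, the optional lookup-function argument (which lets the comparison logic be exercised without a live resolver) and the function names are this example's own.

```bash
#!/bin/sh
# Verify that the OPNsense Unbound resolver returns the documented address
# for every local record, and flag names under .local (reserved for mDNS by
# RFC 6762, so mDNS-aware clients may never send those queries to Unbound).
# Added example for this page, not part of the Tower Fleet tooling. The record
# list is transcribed from the page; RESOLVER, the lookup-function argument
# and the function names are this example's own.
RESOLVER=${RESOLVER:-10.89.97.1}

# "name expected-ip" pairs from the Local DNS Records section.
EXPECTED="nas.local 10.89.97.101
docs.local 10.89.97.240
arr-stack.local 10.89.97.50
home.internal 10.89.97.220
money.internal 10.89.97.220
travel.internal 10.89.97.220"

# Default lookup: first A record for NAME from SERVER, empty if none.
resolve_a() {
  dig +short +time=2 +tries=1 @"$1" "$2" A 2>/dev/null |
    grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# Print one "OK|MISMATCH|MISSING name ..." line per record.
#   usage: check_records SERVER [LOOKUP_FUNCTION]
# LOOKUP_FUNCTION defaults to resolve_a; any function taking (server, name)
# and printing an address can be substituted to test without a resolver.
check_records() {
  server=$1 lookup=${2:-resolve_a}
  printf '%s\n' "$EXPECTED" | while read -r name expected; do
    got=$("$lookup" "$server" "$name")
    case "$name" in
      *.local) warn=" [.local is mDNS-reserved, RFC 6762]" ;;
      *)       warn="" ;;
    esac
    if [ -z "$got" ]; then
      echo "MISSING $name expected $expected$warn"
    elif [ "$got" != "$expected" ]; then
      echo "MISMATCH $name expected $expected got $got$warn"
    else
      echo "OK $name $got$warn"
    fi
  done
}

# Query the live resolver only when invoked with --check:
#   sh dns-check.sh --check      (exit 1 on any MISSING or MISMATCH)
if [ "${1:-}" = "--check" ]; then
  report=$(check_records "$RESOLVER")
  echo "$report"
  echo "$report" | grep -qE '^(MISSING|MISMATCH)' && exit 1
  exit 0
fi
```

The check queries 10.89.97.1 directly rather than the client's configured resolver, so it tells you what Unbound serves, independent of whatever mDNS or split-DNS behaviour the querying machine has.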
Firewall Rules¶
Default Policy:
- LAN → WAN: Allow (with NAT)
- WAN → LAN: Deny (except established connections)
- LAN → LAN: Allow
Key Rules:
- LXC/VMs have unrestricted LAN access
- Kubernetes pods can access LAN services
- External access disabled (homelab only)
With a single flat /24 and LAN → LAN allowed, a compromised container or pod can reach the Proxmox and OPNsense management interfaces directly; the VLAN segmentation listed under Future Enhancements is what would change this.
VLANs¶
(Document VLANs if configured)
Example VLAN segmentation:
- VLAN 1: Management (Proxmox, OPNsense)
- VLAN 10: Services (LXC, VMs)
- VLAN 20: IoT devices
- VLAN 30: Guest network
MetalLB Configuration¶
MetalLB provides LoadBalancer services for Kubernetes using Layer 2 mode: for each service IP one node answers ARP on the LAN, so pool addresses must be free addresses on 10.89.97.0/24 that no host and no DHCP range uses.
- IP Pool: 10.89.97.230-10.89.97.249 (20 addresses)
- Mode: Layer 2 (ARP)
Note: the Key IP Addresses section lists the pool as 10.89.97.210-229, with services already at .210-.220; confirm the live range with `kubectl get ipaddresspool -n metallb-system` before relying on either value.
Services automatically receive IPs from this pool when type LoadBalancer is specified.
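The objects behind that pool, as an added example that is not the cluster's own manifests: two shell functions render the MetalLB IPAddressPool and L2Advertisement for a given range, and a Service pinned to one fixed pool address via the MetalLB annotations (so the DNS records and any firewall rules that reference the IP survive the Service being re-created). Rendering is kept separate from `kubectl apply` so the output can be reviewed or diffed against the live objects first. The object names (homelab-pool, homelab-pool-l2), the `app:` selector label, and the Grafana namespace/port values in the usage lines are this example's assumptions.

```bash
#!/bin/sh
# Render MetalLB pool objects and a Service pinned to a pool address.
# Added example for this page, not the cluster's own manifests. Object
# names, the selector label and the usage values are assumptions.

# IPAddressPool + L2Advertisement for one address range.
#   usage: metallb_pool_manifest POOL_NAME 10.89.97.230-10.89.97.249
metallb_pool_manifest() {
  pool=$1 range=$2
  cat <<EOF
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: $pool
  namespace: metallb-system
spec:
  addresses:
    - $range
  autoAssign: true   # unpinned LoadBalancer services draw from here
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: ${pool}-l2
  namespace: metallb-system
spec:
  ipAddressPools:
    - $pool
EOF
}

# LoadBalancer Service pinned to a fixed address from POOL_NAME.
#   usage: pinned_service_manifest NAME NAMESPACE POOL_NAME IP PORT TARGET_PORT
pinned_service_manifest() {
  name=$1 ns=$2 pool=$3 ip=$4 port=$5 target=$6
  cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: $name
  namespace: $ns
  annotations:
    metallb.universe.tf/address-pool: $pool
    metallb.universe.tf/loadBalancerIPs: "$ip"
spec:
  type: LoadBalancer
  selector:
    app: $name           # assumed pod label
  ports:
    - port: $port
      targetPort: $target
EOF
}

# Review, then apply (namespace and ports for Grafana are assumed):
#   metallb_pool_manifest homelab-pool 10.89.97.230-10.89.97.249 | kubectl apply -f -
#   pinned_service_manifest grafana monitoring homelab-pool 10.89.97.211 80 3000 | kubectl apply -f -
# Confirm the requested address was honoured:
#   kubectl get svc -n monitoring grafana -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
```

If the pinned address is outside every IPAddressPool, MetalLB leaves the Service with a pending external IP rather than announcing it, which is why the pool range on this page needs to match the live object before anything is pinned.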
Routing¶
Default Gateway: 10.89.97.1 (OPNsense)
Static Routes:
- Kubernetes pod network (10.42.0.0/16) routed via k3s nodes
- Kubernetes service network (10.43.0.0/16) internal to cluster
Network Troubleshooting¶
Check Connectivity¶
```bash
# From Proxmox host
ping 10.89.97.1     # Gateway
ping 10.89.97.101   # NAS
ping 10.89.97.220   # Kubernetes service (NGINX Ingress, MetalLB address)

# Check routing
ip route
ip neigh            # ARP table

# DNS resolution
nslookup docs.local
dig @10.89.97.1 example.com
```
Common Issues¶
LXC container no network:
```bash
# Check container config
pct config <ID>
# Should show: net0: name=eth0,bridge=vmbr0,ip=dhcp (or static)

# Restart container
pct restart <ID>
```
Kubernetes service unreachable:
```bash
# Check MetalLB status
kubectl get pods -n metallb-system

# Check service external IP
kubectl get svc -A

# Verify IP is in MetalLB pool
kubectl get ipaddresspool -n metallb-system
```
Network Performance¶
Expected Throughput:
- LXC ↔ NAS: ~1 Gbps (depending on hardware)
- VM ↔ LAN: ~1 Gbps
- Kubernetes pod ↔ LAN: ~1 Gbps
Latency:
- LXC ↔ LXC: <1 ms
- VM ↔ LXC: <1 ms
- External ↔ LAN: variable (internet dependent)
Security Considerations¶
External Access via VPS:
- Public services exposed through Hetzner VPS (5.161.45.147)
- Home IP never exposed: all public DNS for bogocat.com points to the VPS
- WireGuard tunnel encrypts all VPS ↔ homelab traffic
- The VPS is a trusted peer with a tunnel into the LAN, so a compromised VPS would have whatever reach 10.22.95.10 is given; limit it to the proxied services with rules on the OPNsense WireGuard interface
- See VPS Reverse Proxy for details
No Direct WAN Exposure:
- No port forwarding from home WAN
- All external traffic routed through VPS
Download Clients:
- Deluge/SABnzbd route through Gluetun VPN (Mullvad)
- The ISP sees only encrypted traffic to Mullvad endpoints, not the download traffic itself; this holds only while the clients attach to Gluetun's network namespace rather than the host bridge, so that Gluetun's built-in firewall drops anything that would leave outside the tunnel when the VPN is down
Future Enhancements¶
See Tower Fleet Roadmap - Networking for planned network improvements including:
- VLANs for network segmentation
- DNS hostname standardization
- WireGuard VPN for remote access
- Network monitoring and QoS policies
Related Documentation:
- Infrastructure Overview
- VPS Reverse Proxy
- Proxmox Operations
- Kubernetes Core Infrastructure