Network Architecture

Source: Marc Mercer (SRE Lead) — sre-iac repository + Bryan Lee (Engineering Director), Rev 2.0, 2026-03-22

For full VLAN/IP detail see VLAN & IP Allocation. For device-level port cabling see Port Mappings.


Current Reality [ACTIVE — 2026-03-22]

This section describes what is actually running today — not the designed target state.

The network is currently a flat, unmanaged Layer 2 domain. No VLANs, no segmentation, no firewall. The design described in the rest of this document is the target state being worked toward.

CURRENT STATE — Flat /20, No VLANs

Internet (ISP — Clackamas County, OR)
    |  65.182.226.97 (uplink)
[Cisco Router — 10.10.96.1]
    |                         |
    |                         |  192.168.125.1 (bridged — NO firewall)
10.10.96.0/20 (flat)      [Homestead — 192.168.125.0/24]
    |
3× Juniper EX2200 (operating as unmanaged L2 switches, no VLANs)
    |
All devices on flat 10.10.96.0/20:
    pmx-01 (10.10.96.5), dc-01 (10.10.96.11), dc-02 (10.10.96.12)
    rp-01 (10.10.96.22), gitlab-01 (10.10.96.41), qnap-01 (10.10.96.31)
    K8s nodes (10.10.97.x and 10.10.98.x), MetalLB VIP (10.10.98.40)
    iLO ports (10.10.96.235, 10.10.96.236, 10.10.96.237)
| Item                | Current Reality                                                | Risk                                               |
|---------------------|----------------------------------------------------------------|----------------------------------------------------|
| Segmentation        | None — flat /20                                                | All devices reachable from all other devices       |
| Homestead isolation | None — Cisco bridges lab and home                              | Home network has full access to lab infrastructure |
| Storage isolation   | None — Ceph ports (when deployed) would be on flat network     | N/A until Ceph deployed                            |
| OOB isolation       | None — iLO ports on same flat segment                          | iLO accessible from any device on the /20          |
| Firewall            | Cisco router provides internet NAT only — no zone-based policy | No intra-lab firewall                              |
| VLANs               | None configured                                                |                                                    |

Immediate priority: Deploy the Juniper SRX320 (config ready at sre-iac/network/interim/srx320-01.conf) to replace the Cisco bridge. This establishes the homestead firewall boundary and enables VLAN segmentation on the EX2200 switches.


Design Principles

The network architecture follows six governing rules that apply to both the interim (Juniper) and target (Omada) hardware phases. VLAN IDs and IP allocations are identical across both phases — only the underlying physical equipment changes.

  1. VLAN ID equals second octet — VLAN 200 maps to 10.20.0.0/16, VLAN 300 maps to 10.30.0.0/16, and so on. This convention eliminates guesswork when troubleshooting.
  2. Each functional network owns a /16 — Day-1 deployment uses a /24 within each /16. Expansion never requires renumbering.
  3. Spaced VLAN numbering — IDs at 100-unit intervals (100, 200, 300, 400, 500, 600) leave room for sub-VLANs within each functional range.
  4. Three physical switch planes — Network, Storage, and OOB. Each carries only the VLANs relevant to its function.
  5. Storage is never routed — VLANs 300 and 400 have no path to any router or the internet. They exist only on the isolated storage switch.
  6. Management is never routed — VLAN 100 has no path to any router or the internet. It is reachable only from the physical workstation via a tagged VLAN interface.

VLAN Allocation Summary

| VLAN      | Purpose                 | Allocated Range  | Day-1 Subnet                        | Switch Plane   | Routed via Edge?               |
|-----------|-------------------------|------------------|-------------------------------------|----------------|--------------------------------|
| 100       | Management / OOB        | 192.168.168.0/23 | 192.168.168.0/24 + 192.168.169.0/24 | OOB            | No — completely isolated       |
| 200       | OpenStack Control Plane | 10.20.0.0/16     | 10.20.0.0/24                        | Network        | Internal only (TRUST zone)     |
| 300       | Ceph Public             | 10.30.0.0/16     | 10.30.0.0/24                        | Storage        | No — isolated storage fabric   |
| 400       | Ceph Cluster            | 10.40.0.0/16     | 10.40.0.0/24                        | Storage        | No — isolated storage fabric   |
| 500       | Provider Network        | 10.50.0.0/16     | 10.50.0.0/24                        | Network        | Yes — VM external connectivity |
| 600       | DMZ                     | 10.60.0.0/16     | 10.60.0.0/24                        | Network        | Yes — controlled (DMZ zone)    |
| 610       | DMZ HA Sync             | 10.61.0.0/16     | 10.61.0.0/29                        | Network        | No — point-to-point only       |
| 1000-1099 | Tenant Networks         | 10.100.0.0/16    | /20 blocks (Neutron managed)        | Network        | Via Neutron virtual router     |
|           | Homestead (Lee)         | 192.168.125.0/24 | 192.168.125.0/24                    | Dedicated port | Internet only (HOMESTEAD zone) |
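The six rules and the allocation table above can be checked mechanically before a switch or firewall config is generated from them. The following is an added example for this page, not code from the sre-iac repository: it transcribes the table into Python and audits it against rules 1, 2, 4, 5 and 6, plus a day-1-subnet-inside-allocation check and a no-overlap check, and it maps an address back to its VLAN. The tenant day-1 block 10.100.0.0/20, the Vlan class and the function names are assumptions; VLAN 100 is treated as the documented 192.168.168.0/23 exception to the 10.x rules.

```python
"""Consistency audit of the VLAN / IP allocation against the design rules.

Added example; not code from the sre-iac repository. The table is transcribed
from the VLAN Allocation Summary; the tenant day-1 block 10.100.0.0/20 is an
assumption (the page only says "/20 blocks").
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Vlan:
    vid: int
    purpose: str
    allocated: str  # range the function owns (a /16, or the /23 for management)
    day1: str       # subnet actually configured on day 1
    plane: str      # "Network", "Storage" or "OOB" physical switch plane
    routed: bool    # True only if a gateway exists (edge firewall or Neutron router)


VLANS: List[Vlan] = [
    Vlan(100, "Management / OOB", "192.168.168.0/23", "192.168.168.0/24", "OOB", False),
    Vlan(200, "OpenStack Control Plane", "10.20.0.0/16", "10.20.0.0/24", "Network", True),
    Vlan(300, "Ceph Public", "10.30.0.0/16", "10.30.0.0/24", "Storage", False),
    Vlan(400, "Ceph Cluster", "10.40.0.0/16", "10.40.0.0/24", "Storage", False),
    Vlan(500, "Provider Network", "10.50.0.0/16", "10.50.0.0/24", "Network", True),
    Vlan(600, "DMZ", "10.60.0.0/16", "10.60.0.0/24", "Network", True),
    Vlan(610, "DMZ HA Sync", "10.61.0.0/16", "10.61.0.0/29", "Network", False),
    Vlan(1000, "Tenant Networks", "10.100.0.0/16", "10.100.0.0/20", "Network", True),  # assumed day-1 block
]

PRIVATE_10 = ipaddress.ip_network("10.0.0.0/8")


def expected_plane(vid: int) -> str:
    """Rule 4: OOB carries VLAN 100, the storage switch carries 300/400, everything else is Network."""
    if vid == 100:
        return "OOB"
    if vid in (300, 400):
        return "Storage"
    return "Network"


def audit_allocation(vlans: List[Vlan] = VLANS) -> List[str]:
    """Return one message per rule violation; an empty list means the table is consistent."""
    problems: List[str] = []
    seen = []  # (vid, network) pairs already checked, for the overlap test
    for v in vlans:
        alloc = ipaddress.ip_network(v.allocated)
        day1 = ipaddress.ip_network(v.day1)
        if alloc.subnet_of(PRIVATE_10):
            # Rule 1: VLAN 200 -> 10.20.0.0, VLAN 610 -> 10.61.0.0, i.e. second octet = VLAN ID / 10.
            octet = alloc.network_address.packed[1]
            if octet != v.vid // 10:
                problems.append(f"VLAN {v.vid}: second octet is {octet}, expected {v.vid // 10}")
            # Rule 2: each function owns a whole /16 (VLAN 100 is the 192.168.168.0/23 exception).
            if alloc.prefixlen != 16:
                problems.append(f"VLAN {v.vid}: allocation {alloc} is not a /16")
        # The day-1 subnet must sit inside the owned range, so growth never means renumbering.
        if not day1.subnet_of(alloc):
            problems.append(f"VLAN {v.vid}: day-1 subnet {day1} is outside {alloc}")
        if v.plane != expected_plane(v.vid):
            problems.append(f"VLAN {v.vid}: on plane {v.plane}, expected {expected_plane(v.vid)}")
        # Rules 5 and 6: storage and management are never routed.
        if v.plane in ("Storage", "OOB") and v.routed:
            problems.append(f"VLAN {v.vid}: {v.plane} plane VLANs must not have a gateway")
        for other_vid, other in seen:
            if alloc.overlaps(other):
                problems.append(f"VLAN {v.vid}: {alloc} overlaps VLAN {other_vid} ({other})")
        seen.append((v.vid, alloc))
    return problems


def vlan_for_address(ip: str, vlans: List[Vlan] = VLANS) -> Optional[int]:
    """Map an address to the VLAN whose allocated range contains it (None if unallocated)."""
    addr = ipaddress.ip_address(ip)
    for v in vlans:
        if addr in ipaddress.ip_network(v.allocated):
            return v.vid
    return None


def gateway_for(vid: int, vlans: List[Vlan] = VLANS) -> Optional[str]:
    """First host of the day-1 subnet on routed VLANs; None on isolated ones (rules 5 and 6)."""
    for v in vlans:
        if v.vid == vid:
            return str(next(ipaddress.ip_network(v.day1).hosts())) if v.routed else None
    raise KeyError(vid)


if __name__ == "__main__":
    print("violations:", audit_allocation() or "none")
    print("10.30.7.9 ->", vlan_for_address("10.30.7.9"), "gateway:", gateway_for(300))
    print("10.10.96.5 (today's flat /20) ->", vlan_for_address("10.10.96.5"))
```

Run the file directly to print the audit result; a clean table yields no violations, and a deliberately wrong row (say, Ceph Public moved to 10.35.0.0/16 with a gateway) is reported as both a second-octet mismatch and a routed storage VLAN. Note that an address from today's flat 10.10.96.0/20 maps to no target VLAN at all, which is the renumbering the migration implies.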

Security Zones

The edge firewall enforces zone-based security policy:

| Zone      | VLANs               | Policy |
|-----------|---------------------|--------|
| UNTRUST   | WAN /32             | Inbound: only to DMZ (TCP 80/443). Outbound: SNAT for all zones. |
| DMZ       | 600                 | Inbound from UNTRUST (HTTP/S only). Outbound to TRUST (proxied to VLAN 500). No access to storage, management, or tenant networks. |
| TRUST     | 200, 500, 1000-1099 | Outbound to internet via SNAT. Inbound from DMZ (proxied). Inter-VLAN routing between 200/500/1000+ as needed. |
| HOMESTEAD | 192.168.125.0/24    | Internet only. No routing to TRUST, DMZ, or any other zone. |
| MGMT      | 100                 | Management traffic only. No routing to TRUST, DMZ, HOMESTEAD, or internet. |
| STORAGE   | 300, 400            | Not on the edge firewall at all. Completely isolated on the storage switch. |
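The zone matrix above is a policy, and the useful check is whether a given flow is permitted before a rule is written for it. The following added example (not the srx320-01.conf and not an OPNsense rule set) expresses the matrix as a default-deny evaluator over source and destination zones. Subnets are the day-1 subnets from the allocation table; the WAN is modelled as any address outside those subnets; the DMZ-to-TRUST rule is narrowed to VLAN 500, following the table's "proxied to VLAN 500" note; and the demonstration addresses (203.0.113.0/24 is a documentation range) and ports are constructed.

```python
"""Zone-matrix evaluator for candidate flows through the edge firewall.

Added example; not the srx320-01.conf or an OPNsense rule set. Subnets are the
day-1 subnets from the allocation table; the WAN is "any address not in a
known subnet". Demo addresses and ports are constructed.
"""
import ipaddress
from typing import Optional, Tuple

# Day-1 subnet -> zone, transcribed from the Security Zones table.
ZONE_OF_SUBNET = {
    "10.20.0.0/24": "TRUST",        # VLAN 200 control plane
    "10.50.0.0/24": "TRUST",        # VLAN 500 provider network
    "10.100.0.0/16": "TRUST",       # VLANs 1000-1099 tenant networks
    "10.60.0.0/24": "DMZ",          # VLAN 600
    "192.168.125.0/24": "HOMESTEAD",
    "192.168.168.0/23": "MGMT",     # VLAN 100
    "10.30.0.0/24": "STORAGE",      # VLAN 300 (never reaches the firewall)
    "10.40.0.0/24": "STORAGE",      # VLAN 400 (never reaches the firewall)
}
SUBNET_ZONES = [(ipaddress.ip_network(c), z) for c, z in ZONE_OF_SUBNET.items()]

DMZ_PUBLIC_PORTS = {("tcp", 80), ("tcp", 443)}       # UNTRUST -> DMZ allow-list
PROVIDER_NET = ipaddress.ip_network("10.50.0.0/24")  # the only TRUST subnet DMZ may reach (assumption)
SNAT_ZONES = ("TRUST", "DMZ", "HOMESTEAD")          # zones that get internet via SNAT


def zone_of(ip: str) -> str:
    """Classify an address; anything outside the known subnets is UNTRUST (the WAN)."""
    addr = ipaddress.ip_address(ip)
    for net, zone in SUBNET_ZONES:
        if addr in net:
            return zone
    return "UNTRUST"


def evaluate(src: str, dst: str, proto: str = "tcp", dport: Optional[int] = None) -> Tuple[str, str]:
    """Return ("PERMIT" | "DENY", reason) for src -> dst:proto/dport under the zone policy.

    Rules are checked most-specific first; anything not explicitly listed is denied."""
    s, d = zone_of(src), zone_of(dst)
    if "STORAGE" in (s, d):
        return "DENY", "storage VLANs 300/400 have no interface on the edge firewall"
    if s == d and s != "UNTRUST":
        return "PERMIT", f"intra-zone {s} traffic (inter-VLAN routing inside TRUST as needed)"
    if s == "UNTRUST" and d == "DMZ" and (proto, dport) in DMZ_PUBLIC_PORTS:
        return "PERMIT", f"UNTRUST -> DMZ on {proto}/{dport}"
    if s == "DMZ" and d == "TRUST" and ipaddress.ip_address(dst) in PROVIDER_NET:
        return "PERMIT", "DMZ -> provider network (VLAN 500), proxied"
    if d == "UNTRUST" and s in SNAT_ZONES:
        return "PERMIT", f"{s} -> internet via SNAT"
    return "DENY", f"no policy permits {s} -> {d}"


# Constructed demonstration flows with the verdict the matrix should give.
DEMO_FLOWS = [
    ("203.0.113.10", "10.60.0.10", "tcp", 443),      # internet -> DMZ web: PERMIT
    ("203.0.113.10", "10.60.0.10", "tcp", 22),       # internet -> DMZ ssh: DENY
    ("203.0.113.10", "10.20.0.5", "tcp", 443),       # internet -> control plane: DENY
    ("10.60.0.10", "10.50.0.20", "tcp", 8080),       # DMZ -> provider backend: PERMIT
    ("10.60.0.10", "10.20.0.5", "tcp", 22),          # DMZ -> control plane: DENY
    ("192.168.125.50", "10.20.0.5", "tcp", 443),     # homestead -> lab: DENY
    ("192.168.125.50", "203.0.113.10", "tcp", 443),  # homestead -> internet: PERMIT
    ("10.20.0.5", "192.168.168.10", "tcp", 443),     # TRUST -> management: DENY
    ("10.20.0.5", "10.30.0.5", "tcp", 6789),         # TRUST -> Ceph mon port: DENY (not on edge)
]

if __name__ == "__main__":
    for src, dst, proto, port in DEMO_FLOWS:
        verdict, why = evaluate(src, dst, proto, port)
        print(f"{verdict:6} {src:>15} -> {dst:<15} {proto}/{port:<5} {why}")
```

Run the file directly to print each demonstration flow with its verdict and reason. The evaluator deliberately has no rule for TRUST to DMZ or for anything touching MGMT from another zone, so those fall through to the default deny; if the real SRX or OPNsense policy needs such a path, it should be added here first so the exception is visible in review.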

Physical Topology — Interim (Juniper) [PENDING DEPLOYMENT]

Same hardware as current state, but with SRX320 deployed and EX2200 switches VLAN-configured. This is the next step — configs are ready to deploy in sre-iac/network/interim/.

| Device         | Hostname   | Model              | Role                                            |
|----------------|------------|--------------------|-------------------------------------------------|
| Edge Firewall  | srx320-01  | Juniper SRX320     | WAN, inter-VLAN routing, security zones         |
| Network Switch | ex2200t-01 | Juniper EX2200-24T | Network plane (VLANs 200, 500, 600, 610, 1000+) |
| Storage Switch | ex2200t-02 | Juniper EX2200-24T | Storage plane (VLANs 300, 400) — no router uplink |
| OOB Switch     | ex2200p-01 | Juniper EX2200-24P | Management plane (VLAN 100) — isolated          |
                 WAN (ISP/FTTH)
                       |
                  [srx320-01]
                 /     |      \
                /      |       \
        HOMESTEAD   LACP ae0    irb.100
       (ge-0/0/5)      |           |
                  [ex2200t-01]---[ex2200p-01]
                   (Network)      (OOB Mgmt)
                       |              |
                       |        iLO x4, UPS x4
                       |
                  [ex2200t-02]
                   (Storage)
                   (isolated)

All four servers connect to both the network switch (bond-net: eno1+eno2) and storage switch (bond-stor: eno3+eno4) via LACP bonds.

Physical Topology — Target (OPNsense HA Edge + Omada Switches + Juniper OOB)

No TP-Link ER Router in this design

OPNsense on 2× Beelink EQ12 Pro replaces the TP-Link ER router entirely. OPNsense provides WAN, firewall, IDS/IPS, VPN, CARP HA, and inter-VLAN routing — all free, no licenses. Omada SDN manages only the switch fabric. See Network Edge Security for full detail.

| Device             | Hostname    | Model                          | Role                                                     |
|--------------------|-------------|--------------------------------|----------------------------------------------------------|
| Firewall Primary   | opnsense-01 | Beelink EQ12 Pro + OPNsense CE | WAN edge, IDS/IPS, VPN, CARP primary, HAProxy            |
| Firewall Standby   | opnsense-02 | Beelink EQ12 Pro + OPNsense CE | CARP standby — auto-failover in <2 seconds               |
| 10G Network Switch | sx3008-01   | TP-Link TL-SX3008F             | Network plane (10G SFP+ server uplinks + OPNsense LAN)   |
| 10G Storage Switch | sx3008-02   | TP-Link TL-SX3008F             | Storage plane (10G SFP+) — no WAN/router uplink, isolated |
| 1G Network Switch  | sg3428-01   | TP-Link TL-SG3428              | Network plane 1G access (VMs, workstations)              |
| 1G Storage Switch  | sg3428-02   | TP-Link TL-SG3428              | Storage plane 1G fallback — isolated                     |
| OOB Switch         | ex2200p-01  | Juniper EX2200-24P             | Management plane (VLAN 100) — repurposed from interim    |
| Homestead Switch   | sg3452-01   | TP-Link TL-SG3452              | Residential network (isolated from lab)                  |
| SDN Controller     | oc200-01    | TP-Link OC200                  | Omada SDN controller — manages all TP-Link switches      |
        Fiber WAN A           Fiber WAN B
             │                     │
             └──────────┬──────────┘
                        │
          ┌─────────────▼─────────────┐
          │ opnsense-01 (PRIMARY)     │  BeeLink EQ12 Pro #1
          │ CARP MASTER               │  10.10.96.51
          └─────────────┬─────────────┘
                        │ CARP sync link (direct Cat6)
          ┌─────────────▼─────────────┐
          │ opnsense-02 (STANDBY)     │  BeeLink EQ12 Pro #2
          │ CARP BACKUP               │  10.10.96.52
          └─────────────┬─────────────┘
                        │ CARP VIP: 10.10.96.1 (gateway for all VLANs)
                        │
          ┌─────────────▼───────────────────────┐
          │ sx3008-01 (Network 10G)             │
          │ + sg3428-01 (Network 1G)            │
          └─────────────┬───────────────────────┘
                        │ (isolated — no WAN path)
          ┌─────────────▼───────────────────────┐
          │ sx3008-02 (Storage 10G)             │
          │ + sg3428-02 (Storage 1G)            │
          └─────────────────────────────────────┘

All servers: 2× 10G SFP+ (bond-net → sx3008-01, bond-stor → sx3008-02)
OOB: ex2200p-01 (VLAN 100, iLO × 4, UPS × 4)
Homestead: sg3452-01 (isolated VLAN, no lab access)

In the target configuration, each server has dual paths per plane:

  • Network: 10G SFP+ to sx3008-01 + 2× 1G LACP to sg3428-01
  • Storage: 10G SFP+ to sx3008-02 + 2× 1G LACP to sg3428-02

Server NIC Allocation

Servers 1-3 (m35g9-stk01 / stk02 / stk03) — OpenStack + Ceph

| NIC  | Bond      | Destination    | VLANs                        | Purpose                                |
|------|-----------|----------------|------------------------------|----------------------------------------|
| eno1 | bond-net  | Network switch | 200, 500, 600, 610, 1000-1099 | Control plane, provider, DMZ, tenant   |
| eno2 | bond-net  | Network switch | (same)                       | LACP pair with eno1                    |
| eno3 | bond-stor | Storage switch | 300, 400                     | Ceph public + cluster                  |
| eno4 | bond-stor | Storage switch | (same)                       | LACP pair with eno3                    |
| iLO  |           | OOB switch     | 100                          | Out-of-band management                 |

Server 4 (m35g9-pmx01) — GPU / Proxmox

| NIC  | Bond      | Destination    | VLANs                        | Purpose                                |
|------|-----------|----------------|------------------------------|----------------------------------------|
| eno1 | bond-net  | Network switch | 200, 500, 600, 610, 1000-1099 | Control plane, provider, DMZ, tenant   |
| eno2 | bond-net  | Network switch | (same)                       | LACP pair with eno1                    |
| eno3 | bond-stor | Storage switch | 300, 400                     | Ceph client access (no local OSDs)     |
| eno4 | bond-stor | Storage switch | (same)                       | LACP pair with eno3                    |
| iLO  |           | OOB switch     | 100                          | Out-of-band management                 |

DMZ Architecture

OPNsense HA Pair

The DMZ is fronted by an OPNsense high-availability pair providing reverse proxy, load balancing, SSL termination, WAF, and rate limiting. HA mechanism: CARP for virtual IP failover, pfsync for firewall state synchronization.

Interim: OPNsense runs as a VM pair on the OpenStack cluster with two interfaces each (VLAN 600 DMZ-facing, VLAN 500 provider-facing). CARP/pfsync traffic on VLAN 610.

Target: OPNsense runs on 2× Beelink SER7 bare-metal appliances, direct-attach 2.5G to ER7412-M2. Cross-connected SER7-to-SER7 for HA sync. No switch in the DMZ path.

Inbound Traffic Flow

Internet → WAN → Edge Router (IDS/IDP) → DMZ (VLAN 600)
    → OPNsense HA (SSL termination, WAF, rate limit)
    → Provider Network (VLAN 500) → Backend VMs

Homestead Isolation

Bryan's residential network (192.168.125.0/24) is physically and logically separate from all Anshin infrastructure:

  • Dedicated physical port on the edge firewall — not trunked with any infrastructure VLAN
  • HOMESTEAD zone — internet access only, no routing to TRUST, DMZ, MGMT, or STORAGE
  • Access to Anshin services via WireGuard tunnel only (keypair authenticated, per-device)
  • Management VLAN (100) not exposed over WireGuard — requires physical workstation

Addressing Quick Reference

| VLAN  | Network          | Gateway        | Usable Range (day-1 /24) |
|-------|------------------|----------------|--------------------------|
| 100   | 192.168.168.0/23 | — (no gateway) | .1-.254 per /24          |
| 200   | 10.20.0.0/24     | 10.20.0.1      | 10.20.0.2-10.20.0.254    |
| 300   | 10.30.0.0/24     | — (no gateway) | 10.30.0.1-10.30.0.254    |
| 400   | 10.40.0.0/24     | — (no gateway) | 10.40.0.1-10.40.0.254    |
| 500   | 10.50.0.0/24     | 10.50.0.1      | 10.50.0.2-10.50.0.254    |
| 600   | 10.60.0.0/24     | 10.60.0.1      | 10.60.0.2-10.60.0.254    |
| 610   | 10.61.0.0/29     | — (no gateway) | 10.61.0.1-10.61.0.6      |
| 1000+ | 10.100.0.0/16    | per-subnet     | Neutron managed          |
|       | 192.168.125.0/24 | 192.168.125.1  | Homestead DHCP           |

Gateways exist only on routed VLANs (200, 500, 600, Homestead). Storage and management VLANs have no gateway — they are isolated L2 domains.


Document Control

| Rev | Date       | Author      | Description     |
|-----|------------|-------------|-----------------|
| 1.0 | 2026-02-24 | Marc Mercer | Initial release |