01 IP addressing scheme
All homelab networks (except AREDN node LANs) use 172.20.Y.Z:
- 172: RFC 1918 private range
- 20: site identifier (this homelab)
- Y: VLAN ID and network designator (same number)
- Z: host address
This means you can read any IP and immediately know which VLAN it's on. 172.20.100.15 = VLAN 100 (IoT), host 15. No lookup required.
AREDN exception. AREDN node LANs use their own mesh-assigned ranges (e.g. 10.6.229.8/29). These are assigned by the AREDN network and not under local control.
02 VLAN table
| Network | VLAN | Subnet | Purpose | Isolation |
|---|---|---|---|---|
| Management | 1 | 172.20.1.0/24 | Network gear only — UDR7, switches, APs | Restricted — no general devices · no DHCP |
| AREDN-DtD | 2 | self-assigned | Device-to-Device AREDN links | No DHCP — devices self-assign IPs. See note ↓ |
| Personal | 10 | 172.20.10.0/24 | Personal computers, phones, tablets | Can access Servers |
| VPN | 15 | 172.20.15.0/24 | Remote access clients | Same trust as Personal |
| Servers | 20 | 172.20.20.0/24 | NAS, Proxmox lab server, k3s cluster | Accessible from Personal & VPN |
| Work | 30 | 172.20.30.0/24 | Work-issued devices | Fully isolated — internet only |
| AREDN-WAN | 40 | 172.20.40.0/24 | Uplink to AREDN mesh node | Connects UDR7 to AREDN WAN |
| AREDN-LAN-1 | 41 | 10.6.229.8/29 | AREDN node LAN (node-managed addresses) | Managed by AREDN firmware |
| IoT | 100 | 172.20.100.0/24 | Untrusted smart home / IoT devices | Isolated; selective access to Servers |
| Guest | 200 | 172.20.200.0/24 | Guest devices | Fully isolated — internet only |
AREDN-DtD uses VLAN 2 — an exception to the 172.20.Y.Z scheme. AREDN firmware defaults to VLAN 2 for Device-to-Device (DtD) links between nodes, so VLAN 2 was chosen here to stay compatible with AREDN's own convention, even though it breaks local numbering. Future AREDN LAN VLANs will be numbered 42, 43, etc.
03 Trust hierarchy
VLANs form a tiered trust model enforced by the UDR7 zone-based firewall:
| Tier | VLANs | Access |
|---|---|---|
| Trusted | Personal (10), VPN (15) | Can reach Servers. Can reach internet. Can access self-hosted services. |
| Infrastructure | Servers (20), Management (1) | Servers can be reached by Trusted. Management is admin-only. |
| Restricted | IoT (100) | Internet access only. Selective outbound to specific Servers IPs (e.g. Home Assistant). No inbound from other VLANs. |
| Isolated | Guest (200), Work (30) | Internet only. No access to any local VLANs. No inter-device communication. |
| Mesh | AREDN-WAN (40), AREDN-LAN-1 (41) | AREDN mesh traffic. Isolated from all other homelab VLANs. |
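To make the addressing scheme in 01 and the tiers in 03 checkable rather than only documented, the following added Python example (not part of the original page) derives the VLAN from an address, handles the AREDN exceptions, and flags new-connection records that the zone firewall should be blocking. The flow records and the IoT allow-list entry are constructed samples (the page names no Home Assistant IP), and flows the tables do not explicitly grant are treated as denied.

```python
import ipaddress
# VLAN -> trust tier, transcribed from the VLAN table and the trust hierarchy.
TIER = {1: "infra", 10: "trusted", 15: "trusted", 20: "infra", 30: "isolated",
        40: "mesh", 41: "mesh", 100: "restricted", 200: "isolated"}
HOMELAB = ipaddress.ip_network("172.20.0.0/16")
# AREDN exception: the VLAN 41 LAN is mesh-assigned, so it is matched by prefix, not by octet.
MESH_LANS = {ipaddress.ip_network("10.6.229.8/29"): 41}
CLIENT_ISOLATED = {30, 200}   # Work and Guest: no inter-device communication
SERVERS = 20

def vlan_of(ip):
    """VLAN of an address: Y octet of 172.20.Y.Z, prefix lookup for mesh LANs, None if off-site."""
    addr = ipaddress.ip_address(ip)
    for net, vid in MESH_LANS.items():
        if addr in net:
            return vid
    if addr in HOMELAB:
        vid = addr.packed[2]                 # the Y octet is the VLAN ID by design
        if vid not in TIER:
            raise ValueError(f"{ip}: VLAN {vid} is not in the VLAN table")
        return vid
    return None                              # not a homelab address: treat as internet

def flow_allowed(src, dst, iot_allow=frozenset()):
    """Default-deny: a new src->dst connection passes only if the trust hierarchy grants it."""
    s, d = vlan_of(src), vlan_of(dst)
    if s is None:
        return False                         # unsolicited inbound from the internet
    if d is None:
        return True                          # every VLAN may reach the internet
    if s == d:
        return s not in CLIENT_ISOLATED      # intra-VLAN traffic, except client-isolated VLANs
    if TIER[s] == "trusted":
        return d == SERVERS                  # Personal/VPN -> Servers
    if TIER[s] == "restricted":
        return d == SERVERS and dst in iot_allow   # IoT -> listed Servers IPs only
    return False                             # isolated, mesh, infra-initiated: not granted by the table

def audit(records, iot_allow=frozenset()):   # (src, dst) pairs the firewall should have blocked
    return [(s, d) for s, d in (r.split()[:2] for r in records) if not flow_allowed(s, d, iot_allow)]

# Constructed sample of new-connection records ("src dst"); 203.0.113.1 is a documentation address.
SAMPLE = [
    "172.20.10.5 172.20.20.2",      # Personal -> NAS: allowed
    "172.20.100.15 172.20.20.2",    # IoT -> NAS: blocked unless the NAS is on the IoT allow-list
    "172.20.100.15 172.20.10.5",    # IoT -> Personal: blocked
    "172.20.200.7 172.20.200.8",    # Guest -> Guest: blocked (client isolation)
    "172.20.30.4 203.0.113.1",      # Work -> internet: allowed
    "10.6.229.9 172.20.20.3",       # AREDN LAN -> k3s node: blocked (mesh is isolated)
]
```

Running `audit(SAMPLE, iot_allow={"172.20.20.2"})` returns the three records that should never pass; an unknown Y octet such as 172.20.55.1 raises instead of being silently classified, which is the case you want surfaced when a misconfigured host shows up in the logs.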
04 Device IP reference
| Device | VLAN | IP | Notes |
|---|---|---|---|
| UDR7 | Management (1) | 172.20.1.1 | Gateway for all VLANs |
| UniFi Flex 2.5G | Management (1) | 172.20.1.x | 8-port + 2 trunk. Managed via UDR7. |
| UniFi Flex Mini 2.5G | Management (1) | 172.20.1.x | 5-port. Managed via UDR7. |
| UniFi UNAS 4 (NAS) | Servers (20) | 172.20.20.2 | Static reserved |
| GMKtec NucBox M8 (k3s) | Servers (20) | 172.20.20.3 | Ubuntu 26.04 bare-metal. Kubernetes cluster node. See rebuild guide. |
| Beelink (Proxmox) | Servers (20) | 172.20.20.10 | Lab hypervisor. VMs reserved at .11–.19. |
| AREDN node WAN | AREDN-WAN (40) | 172.20.40.2 | Node's WAN interface |
| AREDN node LAN | AREDN-LAN-1 (41) | 10.6.229.9 | Node's LAN interface (mesh-assigned by AREDN firmware — see arednmesh.org) |
| UDR7 on AREDN LAN | AREDN-LAN-1 (41) | 10.6.229.10 | UDR7 as gateway on AREDN LAN |
last updated 2026-06-08