Network Design

Posted on 28 2026

Before touching a single config file, it is worth spending time on paper. Network design decisions made early have a habit of becoming permanent, and getting the addressing scheme, the VLAN structure, and the naming conventions right at the start saves a significant amount of pain later, especially when adding new services or troubleshooting something at 11pm.

This network spans three physical locations, each with its own Ubiquiti UniFi router, its own subnet range, and its own VLAN structure. All three sites are connected via VPN, creating a single logical network across multiple physical locations. The design is consistent by intention: the same VLAN naming convention appears at every site, making it immediately obvious what a subnet does just from looking at its address.

Locations

Three sites, each named in a way that makes them easy to distinguish without giving too much away. Each runs a Ubiquiti UniFi router as the site gateway, managing local VLANs and the VPN tunnel that ties the sites together.

| Location | Router | Address Space |
|----------|--------|---------------|
| Site 1   | Spring | 10.1.0.0/16   |
| Site 2   | Summer | 10.2.0.0/16   |
| Site 3   | Autumn | 10.3.0.0/16   |

The router names (Spring, Summer, Autumn) follow a deliberate naming convention: abstract names rather than descriptive ones, so that a router can change role or location without its name becoming misleading.

VLAN structure

Each site uses the same VLAN naming convention, mapped to a consistent set of /24 subnets within that site’s address space. The pattern makes the design readable at a glance: the second octet tells you which site you are at, and the third tells you which VLAN you are on.

Consistency in subnetting is not pedantry. It is the thing that makes troubleshooting at midnight significantly less awful.

VLANs 1 through 13 are reserved as internal infrastructure subnets, not yet assigned to named roles. These sit in the 10.0.0.0 space and are available for future use across all sites. Named VLANs begin at VLAN 14 and follow a consistent structure at each location.

Site 1 — Spring (10.1.0.0/16)

| Name       | VLAN | Subnet          |
|------------|------|-----------------|
| Core       | 14   | 10.1.0.0/24     |
| Fury       | 15   | 10.1.10.0/24    |
| Apex       | 16   | 10.1.20.0/24    |
| Collision  | 17   | 10.1.30.0/24    |
| Skyforth   | 18   | 10.1.40.0/24    |
| Twilight   | 19   | 10.1.50.0/24    |
| Flow       | 20   | 10.1.60.0/24    |
| Earth      | 21   | 10.1.70.0/24    |
| Glide      | 22   | 10.1.80.0/24    |
| Visitor    | 23   | 10.1.90.0/24    |
| (reserved) | 24   | 10.1.100.0/24   |
| Testnet    | 25   | 10.1.200.0/24   |
| Divided    | 26   | 192.168.1.0/24  |

Site 2 — Summer (10.2.0.0/16)

| Name     | VLAN | Subnet          |
|----------|------|-----------------|
| Core     | 27   | 10.2.0.0/24     |
| Vicetone | 28   | 10.2.10.0/24    |
| Gryffin  | 29   | 10.2.20.0/24    |
| Monody   | 30   | 10.2.30.0/24    |
| Halsey   | 31   | 10.2.40.0/24    |
| Shovel   | 32   | 10.2.50.0/24    |
| Regular  | 33   | 10.2.60.0/24    |
| Sabai    | 34   | 10.2.70.0/24    |
| Kastra   | 35   | 10.2.80.0/24    |
| Walker   | 36   | 10.2.90.0/24    |
| Tobu     | 37   | 10.2.100.0/24   |
| Testnet  | 38   | 10.2.200.0/24   |
| Divided  | 39   | 192.168.3.0/24  |

Site 3 — Autumn (10.3.0.0/16)

| Name       | VLAN | Subnet          |
|------------|------|-----------------|
| Core       | 40   | 10.3.0.0/24     |
| Aurum      | 41   | 10.3.10.0/24    |
| Arnyd      | 42   | 10.3.20.0/24    |
| Skyline    | 43   | 10.3.30.0/24    |
| Lazarus    | 44   | 10.3.40.0/24    |
| Nikita     | 45   | 10.3.50.0/24    |
| Etsu       | 46   | 10.3.60.0/24    |
| Ecepta     | 47   | 10.3.70.0/24    |
| Rtik       | 48   | 10.3.80.0/24    |
| Guest      | 49   | 10.3.90.0/24    |
| Divided    | 50   | 10.3.100.0/24   |
| Testnet    | 51   | 10.3.200.0/24   |
| (reserved) | 52   | 192.168.4.0/24  |
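The "readable at a glance" property of the addressing scheme is only worth something if the plan actually stays consistent as VLANs are added. The following script, an added example and not part of the original post or of any UniFi tooling, transcribes the three tables above into Python and audits them the way a reviewer would before committing the design: no two subnets overlap, no VLAN ID is reused across sites, every 10.x subnet lives inside its own site's /16, and every site's Testnet sits at .200.0/24. It also provides a `locate()` helper that turns an address from a packet capture or log line back into its site and VLAN. All function names are the example's own.

```python
"""Audit helpers for the three-site VLAN plan (added example, not the post's own code)."""
import ipaddress
from itertools import combinations
from typing import Dict, Iterator, List, NamedTuple, Optional, Tuple


class Vlan(NamedTuple):
    name: str
    vid: int
    subnet: ipaddress.IPv4Network


def _plan(block: str, rows) -> Tuple[ipaddress.IPv4Network, List[Vlan]]:
    return ipaddress.ip_network(block), [
        Vlan(name, vid, ipaddress.ip_network(cidr)) for name, vid, cidr in rows
    ]


# Transcribed from the per-site tables: site -> (site block, VLAN rows).
SITES: Dict[str, Tuple[ipaddress.IPv4Network, List[Vlan]]] = {
    "Spring": _plan("10.1.0.0/16", [
        ("Core", 14, "10.1.0.0/24"), ("Fury", 15, "10.1.10.0/24"),
        ("Apex", 16, "10.1.20.0/24"), ("Collision", 17, "10.1.30.0/24"),
        ("Skyforth", 18, "10.1.40.0/24"), ("Twilight", 19, "10.1.50.0/24"),
        ("Flow", 20, "10.1.60.0/24"), ("Earth", 21, "10.1.70.0/24"),
        ("Glide", 22, "10.1.80.0/24"), ("Visitor", 23, "10.1.90.0/24"),
        ("(reserved)", 24, "10.1.100.0/24"), ("Testnet", 25, "10.1.200.0/24"),
        ("Divided", 26, "192.168.1.0/24"),
    ]),
    "Summer": _plan("10.2.0.0/16", [
        ("Core", 27, "10.2.0.0/24"), ("Vicetone", 28, "10.2.10.0/24"),
        ("Gryffin", 29, "10.2.20.0/24"), ("Monody", 30, "10.2.30.0/24"),
        ("Halsey", 31, "10.2.40.0/24"), ("Shovel", 32, "10.2.50.0/24"),
        ("Regular", 33, "10.2.60.0/24"), ("Sabai", 34, "10.2.70.0/24"),
        ("Kastra", 35, "10.2.80.0/24"), ("Walker", 36, "10.2.90.0/24"),
        ("Tobu", 37, "10.2.100.0/24"), ("Testnet", 38, "10.2.200.0/24"),
        ("Divided", 39, "192.168.3.0/24"),
    ]),
    "Autumn": _plan("10.3.0.0/16", [
        ("Core", 40, "10.3.0.0/24"), ("Aurum", 41, "10.3.10.0/24"),
        ("Arnyd", 42, "10.3.20.0/24"), ("Skyline", 43, "10.3.30.0/24"),
        ("Lazarus", 44, "10.3.40.0/24"), ("Nikita", 45, "10.3.50.0/24"),
        ("Etsu", 46, "10.3.60.0/24"), ("Ecepta", 47, "10.3.70.0/24"),
        ("Rtik", 48, "10.3.80.0/24"), ("Guest", 49, "10.3.90.0/24"),
        ("Divided", 50, "10.3.100.0/24"), ("Testnet", 51, "10.3.200.0/24"),
        ("(reserved)", 52, "192.168.4.0/24"),
    ]),
}

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # the space the site blocks are carved from


def all_vlans() -> Iterator[Tuple[str, Vlan]]:
    for site, (_, vlans) in SITES.items():
        for v in vlans:
            yield site, v


def overlapping_subnets() -> List[Tuple[str, str]]:
    """Pairs of VLANs whose subnets overlap anywhere in the plan (expected: none)."""
    return [
        (f"{s1}/{a.name}", f"{s2}/{b.name}")
        for (s1, a), (s2, b) in combinations(list(all_vlans()), 2)
        if a.subnet.overlaps(b.subnet)
    ]


def duplicate_vlan_ids() -> List[int]:
    """VLAN IDs used more than once across the three sites (expected: none)."""
    seen, dups = set(), []
    for _, v in all_vlans():
        if v.vid in seen:
            dups.append(v.vid)
        seen.add(v.vid)
    return dups


def off_plan_subnets() -> List[str]:
    """10.x subnets that fall outside their own site's /16. The 192.168.x segments
    are deliberately outside the site blocks (ISP-facing) and are skipped."""
    return [
        f"{site}/{v.name}"
        for site, (block, vlans) in SITES.items()
        for v in vlans
        if v.subnet.subnet_of(INTERNAL) and not v.subnet.subnet_of(block)
    ]


def testnet_at_200() -> bool:
    """Every site has a Testnet VLAN at <site block>.200.0/24."""
    return all(
        any(v.name == "Testnet" and v.subnet.subnet_of(block)
            and v.subnet.network_address.packed[2] == 200 for v in vlans)
        for block, vlans in SITES.values()
    )


def locate(address: str) -> Optional[Tuple[str, str, int]]:
    """Map an address seen in a capture or log to (site, VLAN name, VLAN ID)."""
    ip = ipaddress.ip_address(address)
    for site, v in all_vlans():
        if ip in v.subnet:
            return site, v.name, v.vid
    return None  # off-plan: not in any subnet the design knows about


if __name__ == "__main__":
    print("overlaps:", overlapping_subnets(), "dup ids:", duplicate_vlan_ids())
    print("off-plan:", off_plan_subnets(), "testnet ok:", testnet_at_200())
    print(locate("10.2.50.7"), locate("10.1.110.9"))
```

Run it whenever a row is added to one of the tables; an overlap or a reused VLAN ID shows up before it becomes a midnight troubleshooting session rather than after.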

A few things worth noting

Each site has a dedicated Testnet VLAN (25, 38, 51) sitting at the .200.0/24 address within its block. This is intentional. Having a consistent, isolated testing subnet at every site means you can experiment without touching anything live, and the address makes it immediately obvious what you are looking at in a packet capture or a log file.

Each site also has a Divided VLAN, sitting in 192.168.x.0/24 space rather than the 10.x.x.x space used everywhere else. This is the segment that faces the ISP side of the router, keeping provider-assigned addressing cleanly separated from the internal scheme.

The Visitor and Guest VLANs (VLAN 23 at Site 1, VLAN 49 at Site 3) are isolated from the rest of the network by design. Devices on these segments get internet access and nothing else. No visibility into internal VLANs, no access to self-hosted services unless explicitly permitted.

A guest network that can see your NAS is not a guest network. It is just a slightly less trusted internal network.
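What "internet access and nothing else" means in firewall terms is an ordered rule list in which the deny-to-private-space rules come before the allow-to-anywhere rule. The following model is an added example, not configuration exported from the UniFi routers: it builds that rule list for the Visitor (VLAN 23) and Guest (VLAN 49) subnets from the tables above, evaluates sample flows first-match as a router would, and includes a deliberately mis-ordered variant to show how a guest segment quietly turns into "a slightly less trusted internal network". The `permitted` exceptions and the 10.1.0.53 resolver address are hypothetical.

```python
"""First-match model of the guest-VLAN isolation policy (added example, not the post's code)."""
import ipaddress
from typing import List, Tuple

Rule = Tuple[str, str, str]  # (action, source network, destination network)

PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # RFC 1918: every internal VLAN at every site
GUEST_VLANS = ["10.1.90.0/24", "10.3.90.0/24"]  # Visitor (VLAN 23) and Guest (VLAN 49) from the tables


def guest_policy(permitted: Tuple[str, ...] = ()) -> List[Rule]:
    """Internet only: explicit exceptions first, then deny all private space, then allow the rest."""
    rules: List[Rule] = []
    for guest in GUEST_VLANS:
        for dst in permitted:            # e.g. a resolver in Core that guests are allowed to reach
            rules.append(("allow", guest, dst))
        for private in PRIVATE:          # block every internal VLAN, including the other sites over the VPN
            rules.append(("deny", guest, private))
        rules.append(("allow", guest, "0.0.0.0/0"))  # everything that is left is the internet
    return rules


def misordered_guest_policy() -> List[Rule]:
    """The common mistake: the catch-all allow placed above the deny rules, so they never match."""
    rules: List[Rule] = []
    for guest in GUEST_VLANS:
        rules.append(("allow", guest, "0.0.0.0/0"))
        for private in PRIVATE:
            rules.append(("deny", guest, private))
    return rules


def verdict(rules: List[Rule], src: str, dst: str) -> str:
    """First matching rule wins; a guest-sourced flow matching nothing is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"


def guest_can_reach_internal(rules: List[Rule]) -> bool:
    """Audit check: can any guest host reach any Core gateway address at any site?"""
    probes = ["10.1.0.1", "10.2.0.1", "10.3.0.1"]  # constructed sample internal targets
    return any(verdict(rules, f"{g[:-4]}20", p) == "allow" for g in GUEST_VLANS for p in probes)


if __name__ == "__main__":
    print("correct policy leaks internal:", guest_can_reach_internal(guest_policy()))
    print("misordered policy leaks internal:", guest_can_reach_internal(misordered_guest_policy()))
```

The audit function is the part worth keeping: run it against the rule list you actually deploy, not the one you meant to deploy, since a single rule dragged to the top of the list is enough to undo the isolation.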

Inter-site connectivity

All three sites are connected via VPN, with each Ubiquiti router acting as a VPN gateway for its site. This creates a single routable network across all three locations. Traffic between sites is encrypted in transit. From the perspective of any device on the network, the other two sites are just subnets, reachable in the same way as any local VLAN.

The VPN configuration itself is covered in the router section. The important thing at the design stage is that inter-site routing is planned for from the start, which is exactly why the address spaces are kept cleanly separated: 10.1.x.x for Site 1, 10.2.x.x for Site 2, 10.3.x.x for Site 3.