+| Name | ID | DNS | CIDR | Comment |
+|----------|-----|-----|------------------------------------|--------------------------------------|
+| realfunk | 6 | n | 192.168.6.0/24 | realfunk management network |
+| mgmt | 32 | y | 192.168.32.0/24 | management network |
+| iot | 33 | y | 192.168.33.0/24 | IoT devices, room infrastructure |
+| svc | 34 | y | 192.168.34.0/24 | Services LAN, see below |
+| [HAMNET] | 44 | n | 44.0.0.0/8 | Amateur Radio Digital Communications |
+| guests | 127 | y | 192.168.127.0/24 | Exposed through the “realraum” SSIDs |
+| members | 128 | y | 89.106.211.32/27, 192.168.128.0/24 | Accessed with per-member credentials |
+| pub | 130 | y | 89.106.211.64/27 | Publicly-available services |
+| UPC | 168 | n | <dynamically assigned> | UPC DOCSIS Internet |
+| `0xFF` | 255 | n | 10.12.240.240/28 | Funkfeuer VLAN |
+
+[HAMNET]: https://wiki.oevsv.at/index.php/Kategorie:Digitaler_Backbone
+
+
+### `realfunk` -- realfunk management network
+
+This network will be used by realfunk to communicate between the ground station
+and things like SDR or similar stuff mounted on the roof. For now this network
+does not need DNS or connection to any other network. There also won't be any
+network services such as DHCP or recursive DNS. realfunk will probably run their
+own DHCP server.
+
+
+### `svc` -- Services LAN
+
+This network is intended for services that aren't directly exposed to users
+(be they humans or machines); this includes services exposed through a frontend
+(like realraum web services) and services only meant to be consumed by another
+service (like a database server).
+
+
+### `pub` -- Publicly-available services
+
+This network is intended for services that can be consumed by non-NOC systems,
+including our HTTP(S) frontend -- `entrance`, `mqtt`, ...
+
+Services in this network can restrict availability, for instance by only
+allowing clients connecting from our LANs, or by requiring authentication.
+
+No RFC 1918 subnet is used on this network, only `89.106.211.64/27`.
+
+
+### Conventions
+
+- The DNS zone for a given network is `NET.realraum.at`, with the exception of
+ `pub` (which uses `realraum.at`) and VLANs which have no `realraum.at` zone.
+- When a network uses RFC 1918 IP space, it is the 192.168.VID.0/24 subnet;
+ for instance, the `iot` network has id 33 and uses the 192.168.33.0/24 subnet.
+- The gateway for a network is on the last IP for the subnet.
+
+
+### Routing and firewall rules
+
+This network diagram represents networks, and the connection flows between them:
+an arrow from A to B means that a connection can be opened from network A to
+network B. In all cases, a subset of ICMP (ECHO, ...) is allowed.
+
+Note that any given system might have interfaces in several of these networks.
+
+[[!img Network/overview.svg alt="r³ network overview"]]