+| Network | VLAN id | Extra subnets |
+|------------|---------|------------------|
+| Management | 32 | -- |
+| IoT | 33 | -- |
+| Services | 34 | -- |
+| Public | 36 | 89.106.211.64/27 |
+| Guests | 127 | -- |
+| Members | 128 | 89.106.211.32/27 |
+| `0xFF` | 255 | -- |
+
+
+### Conventions
+
+We use a number of conventions to make things more consistent:
+
+- The DNS zone for a given network is `NET.realraum.at`, with the exception
+ of the public services network (which uses `realraum.at`) and of the Funkfeuer
+ VLAN (which has no `realraum.at` zone).
+- Networks using RFC 1918 IP space use the 192.168.VID.0/24 subnet;
+ for instance, the IoT network has id 33 and uses the 192.168.33.0/24 subnet.
+- The gateway for a network is on the last IP for the subnet.
+
+
+### Routing and firewall rules
+
+This network diagram represents networks, and the connection flows between them:
+an arrow from A to B means that a connection can be opened from network A to
+network B. In all cases, a subset of ICMP (ECHO, ...) is allowed.
+
+Note that any given system might have interfaces in several of these networks.
+
+[[!img Network/overview.svg alt="r³ network overview"]]
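
Review bot: In the "Routing and firewall rules" paragraph, "a subset of ICMP (ECHO, ...)" leaves the permitted ICMP types undefined, so this text cannot be checked against the actual ruleset; please list the allowed types explicitly in place of the ellipsis. Two smaller points in "Conventions": the list refers to "the Funkfeuer VLAN", but no table row carries that name (if it is the `0xFF` row, say so in the table or the bullet), and "the last IP for the subnet" should state whether it means the last usable host address and whether the rule also applies to the two /27 extra subnets listed for Public and Members.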