Network Topology
Site-to-site VPNs, customer tunnels, and the public-facing endpoints that matter.
The connections between SuperHiTech sites and customer infrastructure.
Site-to-site VPNs
SH ↔ WB (primary corporate tunnel)
| Field | Value |
|---|---|
| SH endpoint | SonicWall TZ80 at WAN 168.75.130.97 |
| WB endpoint | pfSense at 207.32.0.217 |
| Type | IKEv2 |
| Stability options | make_before_break, staggered Phase 2 lifetimes, aligned traffic selectors |
This tunnel flapped until make-before-break (the pfSense/strongSwan IKEv2 rekey option) and staggered Phase 2 lifetimes were added; the lifetimes are staggered so the two ends do not rekey at the same moment. Don't change Phase 2 lifetimes on either side without re-staggering them, or the tunnel will start flapping again.
Van Wyk Veeam replication tunnel
Veeam backup replication from the Van Wyk customer site into SuperHiTech storage. Van Wyk's LAN collides with address space already in use on the SuperHiTech side, so the tunnel carries it through a network-to-network NAT translation.
| Field | Value |
|---|---|
| Customer subnet | 192.168.10.0/24 |
| NAT translation | 10.99.10.0/24 (what the SuperHiTech side sees) |
| Purpose | Veeam replication only — not general bidirectional traffic |
Whenever this tunnel comes up in conversation, remember the NAT: Van Wyk's real 192.168.10.0/24 is not what shows up on our side. Anything on the SuperHiTech side (firewall rules, routes, monitoring targets) must reference the 10.99.10.0/24 addresses, and a 192.168.10.x address in our logs is not a Van Wyk host.
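The translation in practice, as an added example (not the page's or SuperHiTech's own tooling): a small Python model of the network-to-network NAT that converts addresses in both directions and shows why the NAT is needed. The SuperHiTech-side subnet that collides with Van Wyk's LAN is not named on this page, so `ASSUMED_LOCAL_NETS` is a placeholder, and the host-part-preserving 1:1 mapping is an assumption about how the NAT policy is configured.

```python
import ipaddress

# From the page: Van Wyk's real LAN and the range the SuperHiTech side sees.
REAL_NET = ipaddress.ip_network("192.168.10.0/24")
NAT_NET = ipaddress.ip_network("10.99.10.0/24")

# ASSUMPTION: the page does not name the SuperHiTech-side subnet that collides
# with Van Wyk's LAN; this placeholder list stands in for the local address plan
# (192.168.5.0/24 is inferred from the PBX's internal IP in the VoIP table).
ASSUMED_LOCAL_NETS = [
    ipaddress.ip_network("192.168.10.0/24"),
    ipaddress.ip_network("192.168.5.0/24"),
]


def overlapping(remote_net, local_nets):
    """Local networks that share address space with the remote subnet."""
    return [n for n in local_nets if n.overlaps(remote_net)]


def needs_nat(remote_net, local_nets):
    """True when routing the remote subnet as-is would be ambiguous locally."""
    return bool(overlapping(remote_net, local_nets))


def translate(addr, src_net, dst_net):
    """Network-to-network NAT: keep the host bits, swap the network prefix.

    ASSUMPTION: the tunnel's NAT policy maps hosts 1:1 (same host part), which
    requires both ranges to have the same prefix length.
    """
    ip = ipaddress.ip_address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 NAT needs equal prefix lengths")
    if ip not in src_net:
        raise ValueError(f"{ip} is not inside {src_net}")
    host_bits = int(ip) - int(src_net.network_address)
    return str(ipaddress.ip_address(int(dst_net.network_address) + host_bits))


def to_sh_view(vanwyk_addr):
    """Van Wyk's real address -> what SuperHiTech-side logs and rules show."""
    return translate(vanwyk_addr, REAL_NET, NAT_NET)


def to_vanwyk_real(sh_seen_addr):
    """Address seen on the SuperHiTech side -> Van Wyk's real address."""
    return translate(sh_seen_addr, NAT_NET, REAL_NET)


if __name__ == "__main__":
    clash = [str(n) for n in overlapping(REAL_NET, ASSUMED_LOCAL_NETS)]
    print("NAT required:", needs_nat(REAL_NET, ASSUMED_LOCAL_NETS), "because of", clash)
    print("192.168.10.50 at Van Wyk appears here as", to_sh_view("192.168.10.50"))
    print("10.99.10.7 in our logs is really", to_vanwyk_real("10.99.10.7"))
```

The `translate` check that the address actually belongs to the source range is the part worth keeping when troubleshooting: an address that fails it is not on the far side of this tunnel at all, whatever the last octet suggests.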
Public-facing endpoints
Hostnames and addresses in the SuperHiTech orbit that resolve from, or are reachable from, the internet:
| Hostname or IP | Purpose |
|---|---|
super-ht.com | Corporate WordPress site, hosted on SiteGround |
webserver.super-ht.com | Virtualmin / Postfix mail server with DKIM + SPF |
mcp.super-ht.com | Cloudflare Tunnel → Leif FastMCP server |
leif.super-ht.com | Cloudflare Tunnel → Leif (legacy ops console + MCP alias) |
docs.leif.super-ht.com | This documentation site, on Cloudflare Pages |
168.75.130.97 | SH-site SonicWall TZ80 WAN |
168.75.130.98 | FreePBX public IP |
VoIP infrastructure
FreePBX deployment serving SuperHiTech and select customers.
| Field | Value |
|---|---|
| Internal IP | 192.168.5.24 |
| Public IP | 168.75.130.98 |
| SIP trunk | Flowroute |
| Security | Fail2Ban on the PBX plus SonicWall policy drops in front of 168.75.130.98 (the earlier lockout issues are resolved) |
| Internal extension DNS | NAT hairpin via the SonicWall (extensions resolve internally) |
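How the Fail2Ban side of that protection works, as an added example rather than the PBX's actual jail configuration: a Python sweep over Asterisk failed-registration lines in both the chan_sip and res_pjsip formats, with an ignore list so phones on the PBX's own LAN can never be banned. The log lines are constructed for the example (TEST-NET source addresses); the ignore network 192.168.5.0/24, the retry threshold and the window are assumed values, not the PBX's settings.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Asterisk "full" log lines: one external brute-forcer,
# one slow external guesser, one internal phone with a mistyped secret, and a
# successful registration that the parser must ignore.
SAMPLE_LOG = """\
[Mar 13 10:15:01] NOTICE[2210] chan_sip.c: Registration from '"100" <sip:100@168.75.130.98>' failed for '203.0.113.9:5060' - Wrong password
[Mar 13 10:15:02] NOTICE[2210] chan_sip.c: Registration from '"101" <sip:101@168.75.130.98>' failed for '203.0.113.9:5060' - Wrong password
[Mar 13 10:15:03] NOTICE[2210] chan_sip.c: Registration from '"102" <sip:102@168.75.130.98>' failed for '203.0.113.9:5060' - No matching peer found
[Mar 13 10:15:04] NOTICE[2210] chan_sip.c: Registration from '"103" <sip:103@168.75.130.98>' failed for '203.0.113.9:5060' - Wrong password
[Mar 13 10:15:05] NOTICE[2210] chan_sip.c: Registration from '"104" <sip:104@168.75.130.98>' failed for '203.0.113.9:5060' - Wrong password
[Mar 13 10:20:00] NOTICE[2210] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"201" <sip:201@168.75.130.98>' failed for '198.51.100.4:5060' (callid: a1) - Failed to authenticate
[Mar 13 11:20:00] NOTICE[2210] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"201" <sip:201@168.75.130.98>' failed for '198.51.100.4:5060' (callid: a2) - Failed to authenticate
[Mar 13 10:21:00] NOTICE[2210] chan_sip.c: Registration from '"200" <sip:200@192.168.5.24>' failed for '192.168.5.40:5060' - Wrong password
[Mar 13 10:21:01] NOTICE[2210] chan_sip.c: Registration from '"200" <sip:200@192.168.5.24>' failed for '192.168.5.40:5060' - Wrong password
[Mar 13 10:21:02] NOTICE[2210] chan_sip.c: Registration from '"200" <sip:200@192.168.5.24>' failed for '192.168.5.40:5060' - Wrong password
[Mar 13 10:21:03] NOTICE[2210] chan_sip.c: Registration from '"200" <sip:200@192.168.5.24>' failed for '192.168.5.40:5060' - Wrong password
[Mar 13 10:21:04] NOTICE[2210] chan_sip.c: Registration from '"200" <sip:200@192.168.5.24>' failed for '192.168.5.40:5060' - Wrong password
[Mar 13 10:22:00] VERBOSE[2210] chan_sip.c: -- Registered SIP '100' at 192.168.5.31:5060
"""

# Asterisk full-log timestamp, e.g. "[Mar 13 10:15:01]" (no year in the log).
TS = re.compile(r"^\[(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\]")
# chan_sip and res_pjsip both report the source as "failed for 'IP:port'".
FAIL = re.compile(r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+'")


def parse(line, year=2024):
    """Return (timestamp, source_ip) for a failed-auth line, else None."""
    m_ts = TS.match(line)
    m_ip = FAIL.search(line)
    if not (m_ts and m_ip):
        return None
    ts = datetime.strptime(f"{year} {m_ts['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m_ip["ip"]


def offenders(lines, maxretry=5, findtime=600, ignore=("192.168.5.0/24",)):
    """Fail2Ban-style rule: ban a source on its maxretry-th failure inside any
    findtime-second window. Returns {ip: time_of_ban}. Sources inside the
    ignore networks are never counted (ASSUMED: the PBX LAN is 192.168.5.0/24)."""
    ignore_nets = [ipaddress.ip_network(n) for n in ignore]
    events = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if any(ipaddress.ip_address(ip) in n for n in ignore_nets):
            continue
        events[ip].append(ts)

    window = timedelta(seconds=findtime)
    banned = {}
    for ip, times in events.items():
        times.sort()
        start = 0  # oldest failure still inside the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= maxretry:
                banned[ip] = t
                break
    return banned


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} (threshold reached at {when:%H:%M:%S})")
```

The ignore list is what keeps the office phones out of the ban list; the same networks belong in the jail's `ignoreip`. The slow guesser at 198.51.100.4 is the case a short `findtime` misses, which is the argument for pairing Fail2Ban with the standing SonicWall drop policies rather than relying on either alone.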
::: callout
Flowroute number port-out: the gaining carrier needs the account number and PIN from manage.flowroute.com. There is no proactive approval step on Flowroute's side; once the gaining carrier submits, the port proceeds. Treat the account number and PIN as credentials: anyone holding both can move the numbers to another carrier without SuperHiTech being asked.
:::
Monitoring
| System | Notes |
|---|---|
| LibreNMS | Distributed monitoring with WireGuard VPN to customer sites |
| Aruba 6000 switches | SNMP configured (AOS-Switch, not AOS-CX; NAE not supported) |
| UniFi | Cached on SHTops; reachable via unifi_* and unifi_search tools |
Customer site reachability
Customer infrastructure is reached from the Leif host primarily via:
- WireGuard VPN tunnels: LibreNMS monitoring and occasional admin access
- SSH: direct command execution (when WireGuard is up and a shell user exists)
- Vendor APIs: UniFi, ConnectWise Automate (cwa_*), Hudu (hudu_*), Verkada, where the vendor exposes a remote API
Related pages
- Hosts — host inventory and tool routing
- Cron Schedule — scheduled jobs across hosts