Network Topology
Site-to-site VPNs, customer tunnels, and the public-facing endpoints that matter.
The connections between SuperHiTech sites and customer infrastructure.
Site-to-site VPNs
SH ↔ WB (primary corporate tunnel)
| Field | Value |
|---|---|
| SH endpoint | SonicWall TZ80 at WAN 168.75.130.97 |
| WB endpoint | pfSense at 207.32.0.217 |
| Type | IKEv2 |
| Stability options | make_before_break, staggered Phase 2 lifetimes, aligned traffic selectors |
This tunnel was unstable until the make-before-break setting and staggered lifetimes were added. Don’t change Phase 2 lifetimes without re-staggering or the tunnel will start flapping again.
Van Wyk Veeam replication tunnel
Veeam backup replication from a customer site (Van Wyk) into SuperHiTech storage. Subnet collision required NAT translation.
| Field | Value |
|---|---|
| Customer subnet | 192.168.10.0/24 |
| NAT translation | 10.99.10.0/24 (what SuperHiTech-side sees) |
| Purpose | Veeam replication only — not general bidirectional traffic |
Whenever this tunnel comes up in conversation, remember the NAT — Van Wyk’s
real 192.168.10.0/24 is not what shows up on our side.
Public-facing endpoints
Hostnames in the SuperHiTech orbit that resolve from the internet:
| Hostname | Purpose |
|---|---|
super-ht.com | Corporate WordPress — Cloudflare-proxied, origin 34.67.240.14 (Google Cloud). Admin via ssh super-ht.com. (Previously documented as SiteGround; the live origin is GCP.) |
webserver.super-ht.com | Virtualmin / Postfix mail server with DKIM + SPF (168.75.130.100 / .99) |
mcp.super-ht.com | Cloudflare Tunnel → Leif FastMCP server |
leif.super-ht.com | Cloudflare Tunnel → Leif (legacy ops console + MCP alias). Same tunnel as mcp (CNAME 08a0fea5-…cfargotunnel.com). |
docs.leif.super-ht.com | This documentation site — CNAME → leif-docs.pages.dev (Cloudflare Pages) |
ntfy.super-ht.com / shtops.super-ht.com | Tunnel-exposed obs/ops services (ntfy alerting, SHTops dashboard) |
odyssey.super-ht.com / rs-webhook.super-ht.com / deals / money | Tunnel-exposed EDU/pricing app surfaces |
168.75.130.97 | SH-site SonicWall TZ80 WAN |
168.75.130.98 | FreePBX public IP |
Inbound mail for super-ht.com is MX’d to Proofpoint Essentials
(mx1-us1.ppe-hosted.com / mx2-us1.ppe-hosted.com); SPF also authorizes
Google Workspace. DMARC is currently p=none (monitor-only). The whole
super-ht.com zone is one of 12 zones on the Cloudflare account (the others
are customer domains: vanwyk.com, sanbornpropane.com, sheldongolf.com, …).
VoIP infrastructure
FreePBX deployment serving SuperHiTech and select customers.
| Field | Value |
|---|---|
| Internal IP | 192.168.5.24 |
| Public IP | 168.75.130.98 |
| SIP trunk | Flowroute |
| Security | Fail2Ban + SonicWall policy drops (resolved past lockout issues) |
| Internal extension DNS | Hairpin via SonicWall (extensions resolve internally) |
Monitoring
| System | Notes |
|---|---|
| LibreNMS | Distributed monitoring with WireGuard VPN to customer sites |
| Aruba 6000 switches | SNMP configured (AOS-Switch — not AOS-CX, NAE not supported) |
| UniFi | Cached on SHTops; reachable via unifi_* and unifi_search tools |
Customer site reachability
Customer infrastructure is reached from the Leif host primarily via:
- WireGuard VPN tunnels — for LibreNMS monitoring, occasional admin access
- SSH — for direct command execution (when WireGuard is up and a shell user exists)
- Vendor APIs — UniFi, ConnectWise Automate (
cwa_*), Hudu (hudu_*), Verkada — when the vendor exposes a remote API
Related pages
- Hosts — host inventory and tool routing
- Cron Schedule — scheduled jobs across hosts
Last verified against live systems: 2026-06-01 — see doc freshness.