_--___-_
                                    /        \
    vps1.wern128.internal -------- | INTERNET | --- Road Warrior
              \                     \__-__--_/      /
               \                      |            /
                \                     |           /
                 \                    |          /
                  \                   |         /
                   \                  |      WireGuard
                WireGuard             |      L2TP/IPSec
                     \                |      /
                      \               |     /
                       \              |    /
                        \             |   /
                        Mikrotik hEX S (R1) ===trunk=== tp-link AP  o))
                               ||
                               ||
                              trunk
                               ||
                               ||
                          HPE 1920-24G JG924A --------- fs1.ipa.wern128.internal
                           |                            hv1.ipa.wern128.internal
                           |
                           |
                omega.ipa.wern128.internal
                kappa.ipa.wern128.internal
                flatmate devices

172.16.1.0/24 - Network devices without WAN Access
172.16.2.0/24 - Servers
172.16.3.0/24 - Clients
172.16.4.0/24 - Guests
172.17.1.0/24 - Road Warrior with WireGuard
172.17.2.0/24 - Various subnets for P2P connections
172.17.3.0/24 - Road Warrior with L2TP