
MetalLB in L2 mode

MetalLB has two modes: BGP, where it speaks a routing protocol to your network gear, and L2, where one node answers ARP (NDP for IPv6) for each service IP. For a flat single-subnet lab, L2 is the obvious pick: no router configuration, and the addresses are reachable from every host on the local segment. Two caveats before choosing it: L2 gives failover, not load balancing, because all traffic for a service IP lands on the single node currently answering for it; and it rests on plain ARP, which any host on the same segment could answer just as well, so the segment itself has to be trusted.

The config is two small objects: a pool of addresses, and an advertisement telling MetalLB to announce that pool over L2.

IPAddressPool   lab-pool    addresses: 10.100.100.100-10.100.100.110
L2Advertisement lab-l2      -> lab-pool

That carves out eleven addresses (.100 through .110), separate from where the VMs live, for services to claim. When a LoadBalancer Service appears, MetalLB assigns it a free address from the pool (the Kong gateway, for instance, took 10.100.100.100) and elects one node to answer ARP for it; that node receives all traffic for the IP and kube-proxy forwards it on to the backing pods. Because the jump host and pfSense are on the same L2 segment, they can reach these service IPs directly, with no route to add anywhere.

Lesson learned: carve the LoadBalancer pool out of the subnet deliberately and write it down. These IPs must not collide with VM addresses or with the DHCP scope, which is why the pool should sit outside whatever range pfSense hands out. Here the plan is explicit: VMs live in the low addresses, the LB pool owns .100-.110. A five-minute decision that prevents a very confusing afternoon of IP conflicts later.
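As an added example (not code from the original post), the two objects sketched above written out as the manifests MetalLB actually consumes, plus the carve-out check from the lesson: the pool is expanded, confirmed to stay inside the subnet and clear of the VM and DHCP ranges, and only then rendered. The VM range, DHCP scope and the metallb-system namespace are assumptions for the lab, not values the post states; the pool range and object names are the post's own.

```python
"""Plan a MetalLB L2 address pool and check it against the rest of the subnet."""
import ipaddress

# Lab layout assumed for this example: the post only gives the pool and says VMs sit low.
SUBNET = ipaddress.ip_network("10.100.100.0/24")
POOL = ("10.100.100.100", "10.100.100.110")          # lab-pool range from the post
RESERVED = {                                          # hypothetical neighbours on the same segment
    "vms": ("10.100.100.10", "10.100.100.50"),
    "dhcp": ("10.100.100.150", "10.100.100.250"),     # assumed pfSense DHCP scope
}


def pool_addresses(first: str, last: str) -> list:
    """Expand an inclusive MetalLB range ("a-b") into individual addresses."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if b < a:
        raise ValueError(f"range end {b} precedes start {a}")
    return [ipaddress.ip_address(int(a) + i) for i in range(int(b) - int(a) + 1)]


def overlaps(pool, reserved):
    """Return the names of reserved ranges that share any address with the pool."""
    pool_set = set(pool_addresses(*pool))
    return sorted(name for name, rng in reserved.items()
                  if pool_set & set(pool_addresses(*rng)))


def check_pool(pool, reserved, subnet):
    """Fail loudly if the pool leaves the subnet or collides with VMs/DHCP; return its size."""
    addrs = pool_addresses(*pool)
    outside = [str(a) for a in addrs if a not in subnet]
    if outside:
        raise ValueError(f"pool leaves {subnet}: {outside}")
    clash = overlaps(pool, reserved)
    if clash:
        raise ValueError(f"pool collides with {', '.join(clash)}")
    return len(addrs)


def render_manifests(pool_name, adv_name, pool, namespace="metallb-system"):
    """Render the IPAddressPool and L2Advertisement objects as YAML text."""
    return f"""\
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: {pool_name}
  namespace: {namespace}
spec:
  addresses:
  - {pool[0]}-{pool[1]}
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: {adv_name}
  namespace: {namespace}
spec:
  ipAddressPools:
  - {pool_name}
"""


if __name__ == "__main__":
    n = check_pool(POOL, RESERVED, SUBNET)
    print(f"# {n} addresses, no collisions with reserved ranges")
    print(render_manifests("lab-pool", "lab-l2", POOL))
```

Run it and pipe the output to kubectl apply -f - once it passes; if the pool ever gets moved into the DHCP scope or off the subnet, check_pool raises before any manifest is produced.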

Diagram: from a MetalLB IP, through Kong, to the right pod