Site Types

HYDRA venues fall into two categories based on who manages the local network infrastructure. Both types use the same streaming software and connect to the same district server.

Partner Managed Locations

A managed network partner (telco, ISP, or managed services provider) manages the full site network: provider edge router, VLANs, switching, and the WireGuard tunnel to the district server.

Characteristics

provider edge router configured and maintained by the partner
VLANs for management, Bodies, and Heads provisioned by the partner
WireGuard tunnel from provider edge router to district server using peer profile supplied by HYDRA
Local Head-to-Body traffic allowed via partner firewall rules
The partner's own management VPN (to their datacenter) runs in parallel but is completely separate
Can be a 100% HYDRA location or a shared location with existing tenant/office networks

HydraGuard Configuration

Partner-managed venues are registered in HydraGuard with a partner guard type. The CLI accepts citymesh for this category today (the rename to the generic partner is tracked separately; see the footnote in partner-network-design.md):

hydraguard venue add museum-x --location brussels --guard citymesh

The partner guard type generates a minimal WireGuard peer config (public key, endpoint, allowed IPs) without PostUp/PostDown scripts, since the provider edge router is managed by the partner, not by HYDRA.

Full enrollment procedure (peer profile export, partner handover bundle, verification, troubleshooting): hydraguard/docs/runbooks/citymesh-venue.md.

VLAN Layout (typical)

VLAN	Purpose	CIDR	Example
Management	Site infrastructure, switches	`10.10X.0.0/20`	`10.101.0.0/20`
Body	Render nodes	`10.10X.0.0/24` subset	`10.101.1.0/24`
Head / Wireless	Display devices, kiosks	`10.10X.4.0/20`	`10.101.4.0/20`

What HYDRA Provides

WireGuard peer profile for the site tunnel
Per-site CIDR allocation
Body WireGuard configs (Bodies manage their own tunnels independently)
Streaming software (Sunshine on Bodies, HydraHead on Heads)

HYDRA Managed Locations

HYDRA does full network management at these locations. No managed network partner involved.

Characteristics

HYDRA installs and configures the router/gateway
Full control over VLANs, DHCP, routing, and firewall rules
WireGuard tunnel managed directly by HYDRA
Suitable for smaller venues or locations without a network partner

Router Types

Guard Type	Router	Use Case
`omada`	TP-Link Omada controller	Fixed venues with Omada hardware
`citymesh`	Partner-managed MikroTik	Partner-managed sites (also: telco, ISP, MSP) — see Partner Managed Locations above
`linuxvm`	Linux VM gateway	Cloud gateways (Azure, GCP, AWS)
`gateway`	FortiGate/on-prem	Enterprise venues with existing FortiGate or other on-prem WireGuard gateway
`neckair`	MikroTik router	Mobile venue-in-a-box (NeckAir units); separate peer type, not a `venue` guard type

HydraGuard Configuration

# Fixed venue with Omada controller
hydraguard venue add exhibition-y --location antwerp --guard omada

# Mobile unit with MikroTik
hydraguard neckair add 050

# Standalone Body (no site gateway)
hydraguard air add 001

MikroTik (NeckAir) Details

For mobile deployments, HYDRA uses MikroTik routers:

HYDRA configures WireGuard directly on the MikroTik via RouterOS API
WireGuard tunnel to district server managed from HydraNeck
Each NeckAir unit has its own WireGuard address (10.10.50-99.1/32) and LAN (10.0.50-99.0/24)
Fully portable: plug in at any location with internet access

Standalone Bodies (Air)

Bodies can also connect to the district server without any site gateway:

Each Body gets its own WireGuard peer in the Air range (10.10.100.x)
Direct WireGuard tunnel from the Body to the district server
No LAN routing through a venue gateway
Used for standalone render nodes at HYDRA-managed locations or Bodies not behind a managed router
Provisioned automatically via HydraCluster when a Body enrolls

Comparison

Feature	Partner Managed	HYDRA Managed	Standalone Body
Network management	Partner	HYDRA	N/A (direct)
WireGuard site tunnel	Partner configures	HYDRA configures	Body-direct
Body WireGuard tunnel	HYDRA (independent)	HYDRA (independent)	HYDRA (same tunnel)
Local Head-to-Body	Partner firewall	HYDRA router	Not applicable
Router hardware	Partner provider edge	Omada/MikroTik/Linux	None
HydraGuard type	`venue (partner)`	`venue (omada/linuxvm)` or `neckair`	`air`

HydraNeck

Site Types

Partner Managed Locations

Characteristics

HydraGuard Configuration

VLAN Layout (typical)

What HYDRA Provides

HYDRA Managed Locations

Characteristics

Router Types

HydraGuard Configuration

MikroTik (NeckAir) Details

Standalone Bodies (Air)

Comparison