nColo Regional Provisioning
nColo provides Pro-tier users with routed public IPv4 prefixes. Unlike nSolo (which uses 1:1 NAT), nColo prefixes are pure Layer 3 routed — traffic flows directly to your router over WireGuard with no NAT translation.
This page describes how nColo prefixes are provisioned across Nekotopia's regional hub infrastructure.
Geographic Regions
nColo prefix pools are organised into three geographic regions. Each region has its own IPv4 pool, and users are automatically assigned to the pool closest to their hub.
| Region | Hubs | Prefix Pool | Status |
|---|---|---|---|
| AMER | Ohio, Oregon, São Paulo | 185.24.72.0/24 |
Active |
| EMEA | London, Frankfurt, Bahrain | 185.65.116.0/24 |
Active |
| APAC | Mumbai, Singapore, Tokyo, Sydney | TBD | Planned |
Hub-to-Region Mapping
| AWS Region | Hub | Geo Region | nColo Pool | Role |
|---|---|---|---|---|
us-east-2 |
Ohio | AMER | 185.24.72.0/24 |
Origin — owns the prefix pool |
us-west-2 |
Oregon | AMER | 185.24.72.0/24 |
Delegated — routes via Ohio |
sa-east-1 |
São Paulo | AMER | 185.24.72.0/24 |
Delegated — routes via Ohio |
eu-west-2 |
London | EMEA | 185.65.116.0/24 |
Origin — owns the prefix pool |
eu-central-1 |
Frankfurt | EMEA | 185.65.116.0/24 |
Delegated — routes via London |
me-south-1 |
Bahrain | EMEA | 185.65.116.0/24 |
Delegated — routes via London |
ap-southeast-1 |
Singapore | APAC | — | No pool yet |
How Provisioning Works
When a Pro user requests an nColo prefix, the system determines which pool to allocate from based on the user's current hub:
Direct Provisioning (Origin Hub)
If the user is on an origin hub (Ohio or London), provisioning is straightforward:
- A prefix is allocated from NetBox (the IPAM system) out of the hub's pool
- A BGP peering session is created on the hub's MikroTik CHR
- A per-customer routing filter ensures the user can only advertise their allocated prefix
- The prefix is added to the user's WireGuard peer allowed-address
- QoS mangle rules are applied for traffic shaping
Customer router (private ASN, e.g. 4200000001)
↓ BGP over WireGuard tunnel
Hub CHR (AS64512, per-customer prefix filter)
↓ learned route via BGP
VPC → IGW (gateway route table + BYOIP)
↓
Internet
Delegated Provisioning (Non-Origin Hub)
If the user is on a delegated hub (e.g. Oregon, Frankfurt), the prefix still comes from the origin hub's pool, but traffic is policy-routed across the mesh:
- Prefix is allocated from the origin hub's pool in NetBox
- BGP peering is created on the local (delegated) hub
- Policy routing on the local hub marks nColo traffic and routes it via the mesh to the origin hub
- A return route on the origin hub sends inbound traffic back through the mesh to the local hub
Customer router
↓ BGP over WireGuard
Local hub (Oregon) — BGP peering + policy route
↓ mangle mark → bridged mesh
Origin hub (Ohio) — BYOIP egress
↓
Internet
The user experience is identical — the prefix works the same way regardless of whether the hub is an origin or delegate.
What Happens When You Change Hubs
Moving between hubs affects your nColo allocation differently depending on whether you're staying within the same geographic region:
Same Region (e.g. Ohio → Oregon)
Your prefix is preserved. The system automatically:
- Deprovisions BGP peering from the old hub
- Re-provisions BGP peering on the new hub
- Sets up delegation routing if the new hub doesn't own the pool
- Updates the allocation record with your new WireGuard IP
This is seamless — you keep the same prefix, same ASN, same configuration. Your router just needs to re-establish the BGP session after reconnecting to the new hub.
Cross Region (e.g. Ohio → London)
Your prefix is released. Because each geographic region has its own prefix pool:
- The old prefix is deprovisioned from the old hub
- The NetBox allocation is freed (the prefix returns to the pool)
- You can allocate a new prefix from your new region's pool via the dashboard
This is by design — a 185.24.72.0/24 (AMER) prefix cannot be routed from London (EMEA) infrastructure. You'll receive a prefix from 185.65.116.0/24 instead.
nSolo on Hub Change
nSolo (dedicated IP) is always released on hub change, regardless of region. The EIP is tied to the old hub's NAT infrastructure and cannot follow you. You can allocate a new dedicated IP from the dashboard after switching hubs.
Available Prefix Sizes
| Size | IPs | Monthly Cost |
|---|---|---|
| /32 | 1 | $5 |
| /31 | 2 | $9 |
| /30 | 4 | $12 |
| /29 | 8 | $20 |
Pricing is the same across all regions and all hubs. The tier gates access (Pro required), but the price is the same everywhere.
BGP Configuration
Each nColo user receives:
- A private 4-byte ASN (e.g.
4200000001for AMER,4200100001for Ohio-specific) - The hub's peer IP (the WireGuard gateway address)
- The hub's ASN (
AS64512)
Sample MikroTik RouterOS configuration:
/routing/bgp/connection add name=nekotopia-ncolo \
remote.address=<HUB_PEER_IP> remote.as=64512 \
local.address=<YOUR_WG_IP> local.role=ebgp \
hold-time=90s keepalive-time=30s
/routing/filter/rule add chain=ncolo-out \
rule="if (dst == <YOUR_PREFIX>) { accept } else { reject }"
Full BGP details (including sample configs for FRR and BIRD) are available in the dashboard after allocation.