nColo Regional Provisioning

nColo provides Pro-tier users with routed public IPv4 prefixes. Unlike nSolo (which uses 1:1 NAT), nColo prefixes are pure Layer 3 routed — traffic flows directly to your router over WireGuard with no NAT translation.

This page describes how nColo prefixes are provisioned across Nekotopia's regional hub infrastructure.

Geographic Regions

~~nColo prefix pools are organised into three geographic regions. Each region has its own IPv4 pool, and users are automatically assigned to the pool closest to their hub.~~

Region	Hubs	Prefix Pool	Origin Hub	Status
AMER	Ohio, Oregon, São Paulo	`185.24.72.0/24`	Ohio (`us-east-2`)	Active
EMEA	London, Frankfurt, Bahrain	`185.65.116.0/24`	London (`eu-west-2`)	Active
APAC	Singapore, Mumbai, ~~Singapore,~~ Tokyo, Sydney	~~TBD~~`185.24.74.0/24`	~~Planned~~Singapore (`ap-southeast-1`)	Active

All three prefix pools are BYOIP-provisioned in their respective AWS regions, advertised under AS213811 via BYOASN.

Hub-to-Region Mapping

~~yet~~

AWS Region	Hub	Geo Region	nColo Pool	Role
`us-east-2`	Ohio	AMER	`185.24.72.0/24`	Origin — owns the prefix pool
`us-west-2`	Oregon	AMER	`185.24.72.0/24`	Delegated — routes via Ohio
`sa-east-1`	São Paulo	AMER	`185.24.72.0/24`	Delegated — routes via Ohio
`eu-west-2`	London	EMEA	`185.65.116.0/24`	Origin — owns the prefix pool
`eu-central-1`	Frankfurt	EMEA	`185.65.116.0/24`	Delegated — routes via London
`me-south-1`	Bahrain	EMEA	`185.65.116.0/24`	Delegated — routes via London
`ap-southeast-1`	Singapore	APAC	—`185.24.74.0/24`	NoOrigin — owns the prefix pool
`ap-south-1`	Mumbai	APAC	`185.24.74.0/24`	Delegated — routes via Singapore
`ap-northeast-1`	Tokyo	APAC	`185.24.74.0/24`	Delegated — routes via Singapore
`ap-southeast-2`	Sydney	APAC	`185.24.74.0/24`	Delegated — routes via Singapore

How ProvisioningIt Works

Origin Hubs

~~When~~Origin ahubs ~~Pro~~(Ohio, ~~user~~London, ~~requests~~Singapore) anhave the nColo ~~prefix,~~infrastructure directly provisioned:

BYOIP prefix advertised from the ~~system~~local ~~determines~~AWS ~~which pool to allocate from based on the user's current hub:~~

~~Direct Provisioning (Origin Hub)~~

~~If the user is on an~~ ~~origin hub~~ ~~(Ohio or London), provisioning is straightforward:~~
1. ~~A prefix is allocated from NetBox (the IPAM system) out of the hub's pool~~region
2. AMikroTik CHR with BGP peering ~~session is created on the hub's MikroTik CHR~~
3. ~~A per-customer routing filter ensures the user can only advertise their allocated prefix~~
4. ~~The prefix is added~~ to ~~the user's WireGuard peer allowed-address~~
5. ~~QoS mangle rules are applied for traffic shaping~~
```
Customer router (private ASN, e.g. 4200000001)
    ↓ BGPcustomers over WireGuard
```


tunnel
Hub CHR (AS64512, per-Per-customer prefix filter)filter ↓(only learnedaccept routethe viaallocated BGPprefix)
VPC →

IGW (gateway route table + BYOIP) ↓ Internet
~~Delegated Provisioning (Non-Origin Hub)~~

~~If the user is on a~~ ~~delegated hub~~ ~~(e.g. Oregon, Frankfurt),~~routing the prefix ~~still comes from~~to the ~~origin~~hub ~~hub's~~ENI

~~pool,~~

~~but~~

Delegated Hubs

Delegated hubs (Oregon, Frankfurt, etc.) do not have their own prefix pool. nColo traffic is policy-routed across the ~~mesh:~~

~~Prefix is allocated from the origin hub's pool in NetBox~~

~~BGP peering is created on the~~ ~~local~~ ~~(delegated) hub~~

~~Policy routing on the local hub marks nColo traffic and routes it via the~~WireGuard mesh back to the origin hub for BYOIP egress. The customer still peers BGP with their local hub — the delegation is transparent.

Provisioning Flow
1. User selects prefix size (/32, /31, /30, /29) in the dashboard
2. ASystem ~~return~~resolves ~~route on the origin~~user's hub ~~sends inbound traffic back through the mesh~~ to the ~~local~~correct regional origin hub

Prefix

Customerallocated routerfrom ↓NetBox IPAM under the regional pool


Private ASN assigned from the region's ASN range

MikroTik provisioned: WG allowed-address, BGP overconnection, WireGuardprefix Localfilter, hubQoS
(Oregon)User —receives BGP peering +details policyand routesample ↓router mangleconfigs
mark → bridged mesh
Origin hub (Ohio) — BYOIP egress
    ↓
Internet

~~The user experience is identical — the prefix works the same way regardless of whether the hub is an origin or delegate.~~

Hub Change Behaviour

~~WhenYouChangeHubs~~

~~Moving between hubs affects your nColo allocation differently depending on whether you're staying within the same geographic region:~~

~~(e.g.~~

~~Your prefix is~~

~~(e.g.~~

~~Your~~

~~region's~~~~pool~~~~via the dashboard~~
~~This is by design — a~~ 185.24.72.0/24 ~~(AMER) prefix cannot be routed from London (EMEA) infrastructure. You'll receive a prefix from~~ 185.65.116.0/24 ~~instead.~~

~~nSolo on Hub Change~~

Move Type	Example	What Happens
Same ~~Region~~region	Ohio → ~~Oregon)~~Oregon	Prefix preserved. ~~The system automatically:~~ ~~Deprovisions BGP peering~~Deprovisioned from ~~the~~ old ~~hub~~ hub, ~~Re-provisions BGP peering~~re-provisioned on ~~the new hub~~ ~~Sets up delegation routing if the new hub doesn't own the pool~~ ~~Updates the allocation record with your new WireGuard IP~~ ~~This is seamless — you keep the same prefix, same ASN, same configuration. Your router just needs to re-establish the BGP session after reconnecting to the~~ new hub.
Cross ~~Region~~region	Ohio → ~~London)~~London	Prefix ~~prefix is released.~~ ~~Because each geographic region has its own prefix pool:~~ ~~The old prefix is deprovisioned from the old hub~~ ~~The NetBox allocation is freed~~released (~~the~~AMER ~~prefix~~→ ~~returns~~EMEA). toUser ~~the pool)~~ ~~You can allocate~~allocates a new prefix from ~~your~~EMEA ~~new~~pool.

Move Type

Example

What Happens

Same ~~Region~~region

Ohio → ~~Oregon)~~Oregon

Prefix preserved. ~~The system automatically:~~

~~Deprovisions BGP peering~~Deprovisioned from ~~the~~ old ~~hub~~

hub,

~~Re-provisions BGP peering~~re-provisioned on ~~the new hub~~

~~Sets up delegation routing if the new hub doesn't own the pool~~

~~Updates the allocation record with your new WireGuard IP~~

~~This is seamless — you keep the same prefix, same ASN, same configuration. Your router just needs to re-establish the BGP session after reconnecting to the~~ new hub.

Cross ~~Region~~region

Ohio → ~~London)~~London

Prefix ~~prefix is released.~~ ~~Because each geographic region has its own prefix pool:~~

~~The old prefix is deprovisioned from the old hub~~

~~The NetBox allocation is freed~~released (~~the~~AMER ~~prefix~~→ ~~returns~~EMEA). toUser ~~the pool)~~

~~You can allocate~~allocates a new prefix from ~~your~~EMEA ~~new~~pool.

nSolo (dedicated NAT IP) is always released on any hub change, ~~regardless~~as ~~of region. The EIP~~it is tied to the old hub's NAT ~~infrastructure and cannot follow you. You can allocate a new dedicated IP from the dashboard after switching hubs.~~infrastructure.

~~Available~~ Prefix ~~Sizes~~Pricing
~~Cost~~

Size IPs ~~Monthly~~Price Per-IP

/32 1 $55/mo $5.00

/31 2 $99/mo $4.50

/30 4 $1212/mo $3.00

/29 8 $2020/mo $2.50

Pricing is the same across all ~~regions~~regions. ~~and~~Self-service, ~~all hubs. The tier gates access~~honour-based (~~Pro required), but the price is the~~ same ~~everywhere.~~model as bandwidth selection).

BGP Configuration

Each ~~nColo user~~customer receives:

A private 4-byte ASN (e.g. 4200000001 for ~~AMER,~~EMEA, 4200100001 for ~~Ohio-specific)~~AMER, 4200200001 for APAC)

~~The~~Hub ~~hub's~~ peer IPASN: (AS64512

Hub peer IP: the WireGuard gateway ~~address)~~
of
~~The~~the ~~hub's~~local ~~ASN~~ (AS64512)hub

~~Sample~~The ~~MikroTik~~dashboard ~~RouterOS~~provides ~~configuration:~~

/routing/bgp/connection add name=nekotopia-ncolo \ remote.address=<HUB_PEER_IP> remote.as=64512 \ local.address=<YOUR_WG_IP> local.role=ebgp \ hold-time=90s keepalive-time=30s /routing/filter/rule add chain=ncolo-out \ rule="if (dst == <YOUR_PREFIX>) { accept } else { reject }"

~~Full BGP details (including sample~~ready-to-paste configs for ~~FRR~~MikroTik RouterOS, FRRouting, and ~~BIRD)~~BIRD.

BYOIP Infrastructure

Region Prefix AWS Region IPAM Pool EC2 Pool ASN
EMEA 185.65.116.0/24 eu-west-2 ipam-pool-05345e5d2df4d7166 ipv4pool-ec2-0c0b4b0a21448be79 AS213811
AMER 185.24.72.0/24 us-east-2 ipam-pool-06905f53940df17e4 ipv4pool-ec2-01d3da50d8626f435 AS213811
APAC 185.24.74.0/24 ap-southeast-1 ipam-pool-08c5c1d00b22bd4f1 ipv4pool-ec2-044ee5c5992f681e0 AS213811

All prefixes are ~~available~~registered inwith ~~the~~RIPE ~~dashboard~~NCC ~~after~~with ~~allocation.~~appropriate geolocation (geoloc:) and geofeed entries. The geofeed CSV is served at https://www.nekotopia.io/geofeed.csv.

Reserve Capacity

The parent RIPE allocation 185.24.72.0/22 provides four /24 blocks:

Prefix Assignment Status
185.24.72.0/24 AMER (Ohio) Active
185.24.73.0/24 AMER expansion Reserved
185.24.74.0/24 APAC (Singapore) Active
185.24.75.0/24 APAC expansion Reserved

Size	IPs	~~Monthly~~Price	Per-IP
/32	1	$55/mo	$5.00
/31	2	$99/mo	$4.50
/30	4	$1212/mo	$3.00
/29	8	$2020/mo	$2.50

Region	Prefix	AWS Region	IPAM Pool	EC2 Pool	ASN
EMEA	`185.65.116.0/24`	eu-west-2	`ipam-pool-05345e5d2df4d7166`	`ipv4pool-ec2-0c0b4b0a21448be79`	AS213811
AMER	`185.24.72.0/24`	us-east-2	`ipam-pool-06905f53940df17e4`	`ipv4pool-ec2-01d3da50d8626f435`	AS213811
APAC	`185.24.74.0/24`	ap-southeast-1	`ipam-pool-08c5c1d00b22bd4f1`	`ipv4pool-ec2-044ee5c5992f681e0`	AS213811

Prefix	Assignment	Status
`185.24.72.0/24`	AMER (Ohio)	Active
`185.24.73.0/24`	AMER expansion	Reserved
`185.24.74.0/24`	APAC (Singapore)	Active
`185.24.75.0/24`	APAC expansion	Reserved

nColo Regional Provisioning

Geographic Regions

All three prefix pools are BYOIP-provisioned in their respective AWS regions, advertised under AS213811 via BYOASN.

Hub-to-Region Mapping

How ProvisioningIt Works

Origin Hubs

Direct Provisioning (Origin Hub)

Delegated Provisioning (Non-Origin Hub)

Delegated Hubs

Provisioning Flow

Hub Change Behaviour

nSolo on Hub Change

Available Prefix SizesPricing

BGP Configuration

BYOIP Infrastructure

Reserve Capacity