diff --git a/network/opnsense-checklist.md b/network/opnsense-checklist.md
index 4639eab..95d481e 100644
--- a/network/opnsense-checklist.md
+++ b/network/opnsense-checklist.md
@@ -14,24 +14,26 @@ should be worked through systematically.
 
 | Router | Role | Status |
 |--------|------|--------|
-| Primary OPNsense | Core network routing, VLANs, WireGuard | Needs audit |
+| Primary OPNsense | Core network routing, WireGuard | Needs audit |
 | Secondary OPNsense | Failover / redundancy | Needs audit |
 
 ---
 
-## VLAN Structure (Verify)
+## Network Model
 
-Expected VLANs — confirm these match actual config:
+ZeroLagHub does not use VLANs. Each network is a separate subnet tied to a
+dedicated Linux bridge (`vmbr`) on the Proxmox host. OPNsense routes between
+these bridges.
 
-| VLAN | Subnet | Purpose |
-|------|--------|---------|
-| Management | 10.60.0.0/24 | API, portal, core services |
-| Game/Dev containers | 10.100.0.0/24 | LXC containers |
-| Proxy/Edge | 10.70.0.0/24 | Traefik, zpack-proxy |
-| WireGuard | 10.x.x.x/24 | Admin VPN access |
+| Bridge | Subnet | Purpose |
+|--------|--------|---------|
+| vmbr? | 10.60.0.0/24 | Core services — API, portal, DNS, artifacts |
+| vmbr? | 10.70.0.0/24 | Proxy/edge — Traefik, zpack-proxy |
+| vmbr? | 10.100.0.0/24 | Game/dev containers — LXC |
+| vmbr? | WireGuard range | Admin VPN access |
 
-**Action:** Log into OPNsense dashboard and confirm actual VLAN assignments
-match the above. Update this table if different.
+**Action:** Fill in actual `vmbr` numbers from Proxmox network config.
+Check: Proxmox → Node → Network tab.
 
 ---
 
@@ -48,7 +50,7 @@ match the above. Update this table if different.
 ### Must be confirmed blocked:
 
 - [ ] Direct container access from internet (no public IP on container VMs)
-- [ ] Cross-VLAN access that bypasses API (containers cannot reach API directly)
+- [ ] Containers cannot reach management subnet directly (should go via API)
 
 ---
 
@@ -65,7 +67,7 @@ match the above. Update this table if different.
 
 - [ ] Confirm whether CARP/VRRP is configured between primary and secondary
 - [ ] Test failover: shut down primary router, verify traffic continues
-- [ ] Confirm secondary has identical VLAN and firewall config
+- [ ] Confirm secondary has identical interface and firewall config
 - [ ] Document failover behavior — is it automatic or manual?
 
 ---
@@ -110,11 +112,12 @@ nslookup zerolaghub.dev                    # DNS working
 
 ## Action Items (Priority Order)
 
-1. Audit both router configs — document actual VLAN and firewall rules
-2. Run connectivity matrix above and confirm all pass
-3. Test WireGuard reconnect after router restart
-4. Test failover between primary and secondary
-5. Document any gaps found and remediate
+1. Fill in actual `vmbr` numbers in network model table above
+2. Audit both router configs — document actual interfaces and firewall rules
+3. Run connectivity matrix above and confirm all pass
+4. Test WireGuard reconnect after router restart
+5. Test failover between primary and secondary
+6. Document any gaps found and remediate
 
 ---