diff --git a/docs/NETWORK.md b/docs/NETWORK.md index ccfafaa..38a6a85 100644 --- a/docs/NETWORK.md +++ b/docs/NETWORK.md @@ -12,7 +12,7 @@ VLAN map, firewall policy, DNS architecture, and physical topology. See [README] | 1030 | Guests | 10.3.0.0/24 | 10.3.0.1 | 10.3.0.100–250 | Pi-hole → pfSense | | 1040 | IoT | 10.4.0.0/24 | 10.4.0.1 | 10.4.0.100–250 | Pi-hole → pfSense | | 1050 | WFH | 10.5.0.0/24 | 10.5.0.1 | 10.5.0.100–200 | pfSense only | -| 1 | DMZ | 10.99.0.0/24 | 10.99.0.1 | static only | pfSense only | +| 1099 | DMZ | 10.99.0.0/24 | 10.99.0.1 | static only | pfSense only | | — | VPN | 10.200.0.0/24 | pfSense | assigned by WG | Pi-hole → pfSense | ## Firewall Policy @@ -27,7 +27,7 @@ Default: **deny all inter-VLAN unless explicitly allowed.** | IoT (1040) | Internet + Home Assistant (explicit rule); blocked from LAN | | WFH (1050) | Internet only; pfSense DNS only; no personal network access | | MGMT (1000) | Updates + NTP outbound; inbound from LAN + VPN only | -| DMZ (1) | HTTP/S + NTP outbound; hard-blocked from all internal VLANs | +| DMZ (1099) | HTTP/S + NTP outbound; hard-blocked from all internal VLANs | | VPN (10.200.0.0/24) | Same as LAN: Homelab + MGMT web GUI + Pi-hole DNS | ## Static IP Reservations @@ -55,10 +55,10 @@ Default: **deny all inter-VLAN unless explicitly allowed.** | 10.2.0.10 | Proxmox | | 10.2.0.11 | Pi-hole | | 10.2.0.20 | Caddy (infra LXC) | +| 10.2.0.21 | Vaultwarden (vault LXC) | | 10.2.0.25 | Authentik (auth LXC) | | 10.2.0.51 | Monitor LXC | | 10.2.0.60 | Apps LXC | -| 10.2.0.X | Vaultwarden (vault LXC) | ### VLAN 1 — DMZ @@ -115,7 +115,7 @@ Omada Managed Switch ├── VLAN 1030 — Guest WiFi AP ├── VLAN 1040 — IoT WiFi AP ├── VLAN 1050 — Work laptop - └── VLAN 1 — DMZ + └── VLAN 1099 — DMZ ``` ## WireGuard VPN
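Review bot: In the VLAN map hunk (@@ -12,7 +12,7), the DMZ row is renumbered from 1 to 1099, but nothing in the table says what VLAN 1 is used for after the change. Add a row or a one-line note stating that VLAN 1 is unassigned (or what remains on it), so a reader comparing this table against the switch does not assume the old DMZ mapping still applies.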
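Review bot: In the firewall policy hunk (@@ -27,7 +27,7), the DMZ (1099) row keeps the wording "hard-blocked from all internal VLANs", which does not state the direction as explicitly as the MGMT row does with "inbound from LAN + VPN only". Since this row is being edited anyway, spell out whether the block covers DMZ-to-internal traffic, internal-to-DMZ traffic, or both.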
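Review bot: The trailing context of the static reservations hunk (@@ -55,10 +55,10) still reads "### VLAN 1 — DMZ", while the VLAN map, firewall policy and topology hunks all renumber the DMZ to 1099. Update that heading to "### VLAN 1099 — DMZ" in the same change so the document does not describe the DMZ under two different VLAN IDs. The new "10.2.0.21 | Vaultwarden (vault LXC)" row is placed in address order between .20 and .25, which reads correctly.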