metallb:
  controller:
    enabled: true
  speaker:
    enabled: true
    hostNetwork: true
    podAnnotations:
      sidecar.istio.io/inject: "false"
    tolerations:
      - operator: Exists
    securityContext:
      allowPrivilegeEscalation: false
      privileged: false
      capabilities:
        drop: ["ALL"]
  # keep FRR disabled – GoBGP mode works fine and avoids NET_ADMIN
  frr:
    enabled: false
  configInline:
    peers:
      - peer-address: 10.1.10.1 # OPNsense LAN IP
        peer-asn: 65551 # ASN you set on OPNsense
        my-asn: 64512 # <<< MUST MATCH “Remote AS” on OPNsense
        hold-time: 90s
        source-address: 10.1.10.3 # Talos node IP (optional but fine)
      - peer-address: 10.1.10.1 # OPNsense LAN IP
        peer-asn: 65551 # ASN you set on OPNsense
        my-asn: 64512 # <<< MUST MATCH “Remote AS” on OPNsense
        hold-time: 90s
        source-address: 10.1.10.4 # Talos node IP (optional but fine)
      - peer-address: 10.1.10.1 # OPNsense LAN IP
        peer-asn: 65551 # ASN you set on OPNsense
        my-asn: 64512 # <<< MUST MATCH “Remote AS” on OPNsense
        hold-time: 90s
        source-address: 10.1.10.5 # Talos node IP (optional but fine)
      - peer-address: 10.1.10.1 # OPNsense LAN IP
        peer-asn: 65551 # ASN you set on OPNsense
        my-asn: 64512 # <<< MUST MATCH “Remote AS” on OPNsense
        hold-time: 90s
        source-address: 10.1.10.6 # Talos node IP (optional but fine)
        # router-id optional – can omit or make unique per node
    address-pools:
      - name: default
        protocol: bgp
        addresses:
          - 10.1.10.50-10.1.10.100