diff --git a/agents.tf b/agents.tf
index 0242a0d..58f3af5 100644
--- a/agents.tf
+++ b/agents.tf
@@ -58,7 +58,7 @@ resource "hcloud_server" "agents" {
 token = random_password.k3s_token.result
 kubelet-arg = "cloud-provider=external"
 flannel-iface = "eth1"
- node-ip = cidrhost(hcloud_network_subnet.k3s.ip_range, 257 + count.index)
+ node-ip = cidrhost(hcloud_network_subnet.k3s.ip_range, 513 + count.index)
 node-label = var.automatically_upgrade_k3s ? ["k3s-upgrade=true"] : []
 })
 destination = "/tmp/config.yaml"
@@ -100,7 +100,7 @@ resource "hcloud_server" "agents" {
 network {
 network_id = hcloud_network.k3s.id
- ip = cidrhost(hcloud_network_subnet.k3s.ip_range, 257 + count.index)
+ ip = cidrhost(hcloud_network_subnet.k3s.ip_range, 513 + count.index)
 }
 depends_on = [
diff --git a/locals.tf b/locals.tf
index e9a90ac..6afe266 100644
--- a/locals.tf
+++ b/locals.tf
@@ -1,5 +1,5 @@
 locals {
- first_control_plane_network_ip = cidrhost(hcloud_network_subnet.k3s.ip_range, 2)
+ first_control_plane_network_ip = cidrhost(hcloud_network_subnet.k3s.ip_range, 257)
 hcloud_image_name = "ubuntu-20.04"
 ssh_public_key = trimspace(file(var.public_key))
diff --git a/servers.tf b/servers.tf
index 65294c2..f85a617 100644
--- a/servers.tf
+++ b/servers.tf
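Review bot: The new base `513 + count.index` in `node-ip` assumes a subnet wide enough to hold that host number, and nothing in this hunk enforces it: `cidrhost` returns an error when the host number does not fit the prefix, so `hcloud_network_subnet.k3s.ip_range` has to be /22 or larger (its definition is outside this diff). The same literal is repeated in the `network { ip = ... }` block of the second agents.tf hunk, and the kubelet's `node-ip` must always equal the address actually attached to the server. I would define the base once, e.g. `agent_network_ip_offset = 513` in `locals` with a comment on the address layout, and reference it in both places. The `hcloud_server.agents` resource body extends beyond both hunks.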
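Review bot: `first_control_plane_network_ip` now sits at host 257 while the count-indexed control planes in servers.tf start at 258 and the agents at 513, but that layout is only implied by three separate literals in three files. A comment above this line such as `# host numbers: 257 first control plane, 258-512 further control planes, 513+ agents` would make the ranges reviewable. It also makes visible that the control-plane range holds 255 count-indexed servers before it meets the agent range; no variable validation for that bound is visible in this diff.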
@@ -60,9 +60,9 @@ resource "hcloud_server" "control_planes" {
 disable = "servicelb, local-storage"
 flannel-iface = "eth1"
 kubelet-arg = "cloud-provider=external"
- node-ip = cidrhost(hcloud_network_subnet.k3s.ip_range, 3 + count.index)
- advertise-address = cidrhost(hcloud_network_subnet.k3s.ip_range, 3 + count.index)
- tls-san = cidrhost(hcloud_network_subnet.k3s.ip_range, 3 + count.index)
+ node-ip = cidrhost(hcloud_network_subnet.k3s.ip_range, 258 + count.index)
+ advertise-address = cidrhost(hcloud_network_subnet.k3s.ip_range, 258 + count.index)
+ tls-san = cidrhost(hcloud_network_subnet.k3s.ip_range, 258 + count.index)
 node-taint = var.allow_scheduling_on_control_plane ? [] : ["node-role.kubernetes.io/master:NoSchedule"]
 node-label = var.automatically_upgrade_k3s ? ["k3s-upgrade=true"] : []
 })
@@ -104,7 +104,7 @@ resource "hcloud_server" "control_planes" {
 network {
 network_id = hcloud_network.k3s.id
- ip = cidrhost(hcloud_network_subnet.k3s.ip_range, 3 + count.index)
+ ip = cidrhost(hcloud_network_subnet.k3s.ip_range, 258 + count.index)
 }
 depends_on = [
diff --git a/templates/traefik_config.yaml.tpl b/templates/traefik_config.yaml.tpl
index 62e9c26..f8156f8 100644
--- a/templates/traefik_config.yaml.tpl
+++ b/templates/traefik_config.yaml.tpl
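Review bot: `node-ip`, `advertise-address` and `tls-san` each repeat `cidrhost(..., 258 + count.index)`, and the `network { ip = ... }` block in the second servers.tf hunk repeats it a fourth time; if one copy drifts, the API server advertises or certifies an address the server does not hold. Building the address once, for example as a `locals` list indexed by `count.index`, keeps the certificate SAN and the attached private IP identical. Separately, on an already-deployed cluster this renumbers every node: the config appears to be delivered to `/tmp/config.yaml` by a provisioner (the agents.tf hunk shows the `destination`), and provisioners normally run only at creation, so existing servers may keep the old `node-ip`/`tls-san` while their network attachment changes, which deserves a migration note in the commit description. The `hcloud_server.control_planes` body extends beyond both hunks.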
@@ -10,9 +10,9 @@ spec:
 type: LoadBalancer
 annotations:
 "load-balancer.hetzner.cloud/name": "traefik"
- # make hetzners load-balancer connect to our nodes via our private k3s-net.
+ # make hetzners load-balancer connect to our nodes via our private k3s
 "load-balancer.hetzner.cloud/use-private-ip": "true"
- # keep hetzner-ccm from exposing our private ingress ip, which in general isn't routeable from the public internet.
+ # keep hetzner-ccm from exposing our private ingress ip, which in general isn't routeable from the public internet
 "load-balancer.hetzner.cloud/disable-private-ingress": "true"
 # disable ipv6 by default, because external-dns doesn't support AAAA for hcloud yet https://github.com/kubernetes-sigs/external-dns/issues/2044
 "load-balancer.hetzner.cloud/ipv6-disabled": "${lb_disable_ipv6}"