diff --git a/infrastructure/calico/README.md b/infrastructure/calico/README.md
index acd3d9bd084971e946867dcc579fb5c1d69e4c9a..478841da358a7e66614e0cf298b4d854b28bd198 100644
--- a/infrastructure/calico/README.md
+++ b/infrastructure/calico/README.md
@@ -9,6 +9,8 @@ Nice to knows
 ---
 
 - <del>The operator provides its own set of CRDs, examples from the docs, won't work by default. Operator uses `crd.projectcalico.org/v1` while calico itself uses `projectcalico.org/v3`</del> You have to install the [calico API server](https://projectcalico.docs.tigera.io/maintenance/install-apiserver) in order to use the correct CRD versions. 
+- metallb is required to be setup as host-endpoint in case you want to protect hosts with a `GlobalNetworkPolicy`.
+- Additional network interfaces, like VPN interfaces, can confuse calico and result in routing everything over that VPN instead of the local network ports. Check the `projectcalico.org/IPv4Address`-annotation.
 
 Links
 ---