diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 5fc1d68..be6e4c8 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -81,6 +81,23 @@ - OPNsense now sole DHCP server for LAN (10.4.2.0/24) - LAN DHCP range: 10.4.2.100-200, DNS: 10.4.2.129 (Pi-hole) +### Firewall Rule Fixes +- **LAN → IoT Access**: Added rule allowing LAN net (10.4.2.0/24) to reach IoT subnet (10.4.20.0/24) + - Enables Home Assistant, Frigate, and other LAN services to access IoT devices + - Rule added via OPNsense UI: Firewall → Rules → LAN + - Interface must be `opt1` (not `lan`) in config.xml + +- **Broken IPv6 Rule Fix**: Fixed "Default allow LAN IPv6" rule + - Was using IPv4 address (10.4.2.0/24) with inet6 protocol + - Changed source from `
10.4.2.0/24
` to `opt1` + - This was preventing all custom firewall rules from loading + +- **Interface Naming Discovery**: OPNsense interface names in config.xml: + - `opt1` = LAN (vtnet0, 10.4.2.0/24) + - `opt2` = Trusted (vlan01, 10.4.10.0/24) + - `opt3` = IoT (vlan02, 10.4.20.0/24) + - `opt4` = Guest (vlan03, 10.4.30.0/24) + ### Verified Working - All VLANs (10, 20, 30) receiving DHCP from OPNsense - LAN (10.4.2.0/24) receiving DHCP from OPNsense diff --git a/docs/DECISIONS.md b/docs/DECISIONS.md index 67caea7..de40911 100644 --- a/docs/DECISIONS.md +++ b/docs/DECISIONS.md @@ -74,10 +74,12 @@ All DHCP served by OPNsense: | Block IoT→LAN | 10.4.20.0/24 | 10.4.2.0/24 | Block | | Block Guest→LAN | 10.4.30.0/24 | 10.4.2.0/24 | Block | | Block Guest→IoT | 10.4.30.0/24 | 10.4.20.0/24 | Block | -| Allow Home Assistant→IoT | 10.4.2.62 | 10.4.20.0/24 | Pass | +| Allow LAN→IoT | 10.4.2.0/24 | 10.4.20.0/24 | Pass | | Allow IoT Internet | 10.4.20.0/24 | any | Pass | | Allow Guest Internet | 10.4.30.0/24 | any | Pass | +**Note**: LAN→IoT rule allows Home Assistant, Frigate, and other LAN services to access IoT devices (cameras, sensors, etc.). + #### Network Segmentation Philosophy | Network | Contains | Access Level | 
@@ -154,6 +156,39 @@ All DHCP served by OPNsense: **Controller**: LXC on Proxmox (free) via community helper script +### OPNsense Configuration Patterns + +**Interface Names in config.xml** (IMPORTANT): +| UI Name | config.xml | Physical | Subnet | +|---------|------------|----------|--------| +| LAN | opt1 | vtnet0 | 10.4.2.0/24 | +| WAN | wan | vtnet1 | DHCP | +| Trusted | opt2 | vlan01 | 10.4.10.0/24 | +| IoT | opt3 | vlan02 | 10.4.20.0/24 | +| Guest | opt4 | vlan03 | 10.4.30.0/24 | + +**Why This Matters**: When editing config.xml directly, use `opt1` not `lan`. Using the wrong name causes rules to fail silently. + +**Firewall Rule Reload Commands**: +```bash +# Reload all services (safe, full reload) +configctl filter reload + +# Check active rules +pfctl -sr + +# Test rules file for syntax errors +pfctl -nf /tmp/rules.debug + +# View generated rules before loading +cat /tmp/rules.debug +``` + +**Common Gotchas**: +1. IPv6 rules with IPv4 addresses cause entire ruleset to fail loading +2. Rules added via config.xml need proper interface names (opt1, not lan) +3. After config.xml edits, run `configctl filter reload` to apply + ### Reverse Proxy **Decision**: Single Traefik instance handles all external access diff --git a/docs/TASKS.md b/docs/TASKS.md index 4ced4a3..b63b29e 100644 --- a/docs/TASKS.md +++ b/docs/TASKS.md @@ -10,8 +10,9 @@ None currently. ### Remaining Network Tasks - [x] Disable DHCP on Asus router and switch LAN to OPNsense DHCP -- [ ] Test firewall isolation (IoT device cannot ping LAN device) -- [ ] Test Smart Home access (Home Assistant can reach IoT devices) +- [x] Test firewall isolation (IoT device cannot ping LAN device) +- [x] Test LAN access to IoT (Home Assistant, Frigate can reach IoT devices) +- [ ] Migrate devices from Asus APs to UniFi APs (to retire Asus routers) ### Future Network Upgrades - [ ] Order hardware (2× GiGaPlus 10G PoE, 2× U7 Pro) for 10G backhaul
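Review bot: the "Broken IPv6 Rule Fix" entry in the CHANGELOG hunk says the source was changed from `10.4.2.0/24` to `opt1` but not which config.xml element changed; an interface-network source in OPNsense is a `<network>` element (shown in the UI as "LAN net"), not an `<address>` value, so a reader trying to reproduce the fix needs the actual before/after XML fragment, not just the two values. Since this single rule was "preventing all custom firewall rules from loading", record the fragment and state what the repaired "Default allow LAN IPv6" rule now matches (it only matches anything if `opt1` carries an IPv6 prefix). Minor: the "Interface Naming Discovery" bullets duplicate the interface table added to DECISIONS.md in the same commit; keep one copy and point at it from the other.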
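Review bot: in the first DECISIONS.md hunk, replacing `Allow Home Assistant→IoT` (source `10.4.2.62`) with `Allow LAN→IoT` (source `10.4.2.0/24`) widens the pass rule from one host to every device on the LAN, and neither the table row nor the added **Note** says this is a deliberate relaxation of the segmentation described under "Network Segmentation Philosophy". If only Home Assistant and Frigate need IoT access, suggest an alias holding those hosts as the source instead of the whole /24; if the entire LAN really should reach IoT, say so explicitly in the note and in the philosophy table. Worth adding one sentence that the pass rule is stateful, so camera and sensor replies reach LAN callers while `Block IoT→LAN` still stops IoT devices from initiating connections.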
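Review bot: in the "OPNsense Configuration Patterns" hunk, "Common Gotchas" says a wrong interface name makes rules "fail silently", but the verification commands offered (`pfctl -nf /tmp/rules.debug`, `pfctl -sr`) only parse and list what pf was handed; a rule that never made it into `rules.debug` gives neither command anything to report. Suggest adding an explicit check to the command block, e.g. grep `/tmp/rules.debug` or `pfctl -sr` for the rule's description label after each `configctl filter reload` and treat its absence as the failure signal. The interface table also lists LAN as `opt1` and WAN as `wan` with no `lan` row; that differs from a default install, so add a sentence on how this box ended up with LAN on `opt1`, otherwise "use `opt1` not `lan`" will be copied onto another OPNsense where `lan` is the correct name.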
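Review bot: the two items ticked as done in the TASKS.md hunk record no test method or evidence; "IoT device cannot ping LAN device" covers ICMP only, while the `Block IoT→LAN` rule in DECISIONS.md is meant to stop any IoT-initiated connection, so note which IoT host, which LAN target, and at least one TCP check to a LAN service port alongside the ping so the tick is reproducible. The DECISIONS table also carries `Block Guest→LAN` and `Block Guest→IoT`, yet this checklist only tests IoT→LAN; add matching Guest VLAN test items before treating the isolation work as complete.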