docs: Add firewall fixes and OPNsense config patterns

- Document LAN→IoT firewall rule for HA/Frigate access - Add OPNsense interface naming (opt1, not lan in config.xml) - Document IPv6 rule fix that was blocking ruleset loading - Add pfctl troubleshooting commands - Mark network isolation tests complete 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-21 23:01:34 -05:00
parent e6ad3bcf1d
commit 13966f2b09
3 changed files with 56 additions and 3 deletions
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -81,6 +81,23 @@
 - OPNsense now sole DHCP server for LAN (10.4.2.0/24)
 - LAN DHCP range: 10.4.2.100-200, DNS: 10.4.2.129 (Pi-hole)

+### Firewall Rule Fixes
+- **LAN → IoT Access**: Added rule allowing LAN net (10.4.2.0/24) to reach IoT subnet (10.4.20.0/24)
+  - Enables Home Assistant, Frigate, and other LAN services to access IoT devices
+  - Rule added via OPNsense UI: Firewall → Rules → LAN
+  - Interface must be `opt1` (not `lan`) in config.xml
+
+- **Broken IPv6 Rule Fix**: Fixed "Default allow LAN IPv6" rule
+  - Was using IPv4 address (10.4.2.0/24) with inet6 protocol
+  - Changed source from `<address>10.4.2.0/24</address>` to `<network>opt1</network>`
+  - This was preventing all custom firewall rules from loading
+
+- **Interface Naming Discovery**: OPNsense interface names in config.xml:
+  - `opt1` = LAN (vtnet0, 10.4.2.0/24)
+  - `opt2` = Trusted (vlan01, 10.4.10.0/24)
+  - `opt3` = IoT (vlan02, 10.4.20.0/24)
+  - `opt4` = Guest (vlan03, 10.4.30.0/24)
+
 ### Verified Working
 - All VLANs (10, 20, 30) receiving DHCP from OPNsense
 - LAN (10.4.2.0/24) receiving DHCP from OPNsense