docs: Add firewall fixes and OPNsense config patterns

- Document LAN→IoT firewall rule for HA/Frigate access - Add OPNsense interface naming (opt1, not lan in config.xml) - Document IPv6 rule fix that was blocking ruleset loading - Add pfctl troubleshooting commands - Mark network isolation tests complete 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-21 23:01:34 -05:00
parent e6ad3bcf1d
commit 13966f2b09
3 changed files with 56 additions and 3 deletions
--- a/docs/DECISIONS.md
+++ b/docs/DECISIONS.md
@@ -74,10 +74,12 @@ All DHCP served by OPNsense:
 | Block IoT→LAN | 10.4.20.0/24 | 10.4.2.0/24 | Block |
 | Block Guest→LAN | 10.4.30.0/24 | 10.4.2.0/24 | Block |
 | Block Guest→IoT | 10.4.30.0/24 | 10.4.20.0/24 | Block |
-| Allow Home Assistant→IoT | 10.4.2.62 | 10.4.20.0/24 | Pass |
+| Allow LAN→IoT | 10.4.2.0/24 | 10.4.20.0/24 | Pass |
 | Allow IoT Internet | 10.4.20.0/24 | any | Pass |
 | Allow Guest Internet | 10.4.30.0/24 | any | Pass |

+**Note**: LAN→IoT rule allows Home Assistant, Frigate, and other LAN services to access IoT devices (cameras, sensors, etc.).
+
 #### Network Segmentation Philosophy

 | Network | Contains | Access Level |
@@ -154,6 +156,39 @@ All DHCP served by OPNsense:

 **Controller**: LXC on Proxmox (free) via community helper script

+### OPNsense Configuration Patterns
+
+**Interface Names in config.xml** (IMPORTANT):
+| UI Name | config.xml | Physical | Subnet |
+|---------|------------|----------|--------|
+| LAN | opt1 | vtnet0 | 10.4.2.0/24 |
+| WAN | wan | vtnet1 | DHCP |
+| Trusted | opt2 | vlan01 | 10.4.10.0/24 |
+| IoT | opt3 | vlan02 | 10.4.20.0/24 |
+| Guest | opt4 | vlan03 | 10.4.30.0/24 |
+
+**Why This Matters**: When editing config.xml directly, use `opt1` not `lan`. Using the wrong name causes rules to fail silently.
+
+**Firewall Rule Reload Commands**:
+```bash
+# Reload all services (safe, full reload)
+configctl filter reload
+
+# Check active rules
+pfctl -sr
+
+# Test rules file for syntax errors
+pfctl -nf /tmp/rules.debug
+
+# View generated rules before loading
+cat /tmp/rules.debug
+```
+
+**Common Gotchas**:
+1. IPv6 rules with IPv4 addresses cause entire ruleset to fail loading
+2. Rules added via config.xml need proper interface names (opt1, not lan)
+3. After config.xml edits, run `configctl filter reload` to apply
+
 ### Reverse Proxy

 **Decision**: Single Traefik instance handles all external access