docs: Add firewall fixes and OPNsense config patterns

- Document LAN→IoT firewall rule for HA/Frigate access
- Add OPNsense interface naming (opt1, not lan in config.xml)
- Document IPv6 rule fix that was blocking ruleset loading
- Add pfctl troubleshooting commands
- Mark network isolation tests complete

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

docs/CHANGELOG.md

@@ -81,6 +81,23 @@
 - OPNsense now sole DHCP server for LAN (10.4.2.0/24)
 - LAN DHCP range: 10.4.2.100-200, DNS: 10.4.2.129 (Pi-hole)
 
+### Firewall Rule Fixes
+- **LAN → IoT Access**: Added rule allowing LAN net (10.4.2.0/24) to reach IoT subnet (10.4.20.0/24)
+  - Enables Home Assistant, Frigate, and other LAN services to access IoT devices
+  - Rule added via OPNsense UI: Firewall → Rules → LAN
+  - Interface must be `opt1` (not `lan`) in config.xml
+
+- **Broken IPv6 Rule Fix**: Fixed "Default allow LAN IPv6" rule
+  - Was using IPv4 address (10.4.2.0/24) with inet6 protocol
+  - Changed source from `<address>10.4.2.0/24</address>` to `<network>opt1</network>`
+  - This was preventing all custom firewall rules from loading
+
+- **Interface Naming Discovery**: OPNsense interface names in config.xml:
+  - `opt1` = LAN (vtnet0, 10.4.2.0/24)
+  - `opt2` = Trusted (vlan01, 10.4.10.0/24)
+  - `opt3` = IoT (vlan02, 10.4.20.0/24)
+  - `opt4` = Guest (vlan03, 10.4.30.0/24)
+
 ### Verified Working
 - All VLANs (10, 20, 30) receiving DHCP from OPNsense
 - LAN (10.4.2.0/24) receiving DHCP from OPNsense

docs/DECISIONS.md

@@ -74,10 +74,12 @@ All DHCP served by OPNsense:
 | Block IoT→LAN | 10.4.20.0/24 | 10.4.2.0/24 | Block |
 | Block Guest→LAN | 10.4.30.0/24 | 10.4.2.0/24 | Block |
 | Block Guest→IoT | 10.4.30.0/24 | 10.4.20.0/24 | Block |
-| Allow Home Assistant→IoT | 10.4.2.62 | 10.4.20.0/24 | Pass |
+| Allow LAN→IoT | 10.4.2.0/24 | 10.4.20.0/24 | Pass |
 | Allow IoT Internet | 10.4.20.0/24 | any | Pass |
 | Allow Guest Internet | 10.4.30.0/24 | any | Pass |
 
+**Note**: LAN→IoT rule allows Home Assistant, Frigate, and other LAN services to access IoT devices (cameras, sensors, etc.).
+
 #### Network Segmentation Philosophy
 
 | Network | Contains | Access Level |
@@ -154,6 +156,39 @@ All DHCP served by OPNsense:
 
 **Controller**: LXC on Proxmox (free) via community helper script
 
+### OPNsense Configuration Patterns
+
+**Interface Names in config.xml** (IMPORTANT):
+| UI Name | config.xml | Physical | Subnet |
+|---------|------------|----------|--------|
+| LAN | opt1 | vtnet0 | 10.4.2.0/24 |
+| WAN | wan | vtnet1 | DHCP |
+| Trusted | opt2 | vlan01 | 10.4.10.0/24 |
+| IoT | opt3 | vlan02 | 10.4.20.0/24 |
+| Guest | opt4 | vlan03 | 10.4.30.0/24 |
+
+**Why This Matters**: When editing config.xml directly, use `opt1` not `lan`. Using the wrong name causes rules to fail silently.
+
+**Firewall Rule Reload Commands**:
+```bash
+# Reload all services (safe, full reload)
+configctl filter reload
+
+# Check active rules
+pfctl -sr
+
+# Test rules file for syntax errors
+pfctl -nf /tmp/rules.debug
+
+# View generated rules before loading
+cat /tmp/rules.debug
+```
+
+**Common Gotchas**:
+1. IPv6 rules with IPv4 addresses cause entire ruleset to fail loading
+2. Rules added via config.xml need proper interface names (opt1, not lan)
+3. After config.xml edits, run `configctl filter reload` to apply
+
 ### Reverse Proxy
 
 **Decision**: Single Traefik instance handles all external access

docs/TASKS.md

@@ -10,8 +10,9 @@ None currently.
 
 ### Remaining Network Tasks
 - [x] Disable DHCP on Asus router and switch LAN to OPNsense DHCP
-- [ ] Test firewall isolation (IoT device cannot ping LAN device)
+- [x] Test firewall isolation (IoT device cannot ping LAN device)
-- [ ] Test Smart Home access (Home Assistant can reach IoT devices)
+- [x] Test LAN access to IoT (Home Assistant, Frigate can reach IoT devices)
+- [ ] Migrate devices from Asus APs to UniFi APs (to retire Asus routers)
 
 ### Future Network Upgrades
 - [ ] Order hardware (2× GiGaPlus 10G PoE, 2× U7 Pro) for 10G backhaul