diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 244dd42..f1f9e16 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -4,6 +4,13 @@ ## 2025-12-28 +### Guest VLAN Internet Fix +- Fixed Guest VLAN (10.4.30.0/24) having no internet access +- Root cause: OPNsense DHCP and firewall rules referenced non-existent 10.4.2.129 for DNS +- Fix: Updated all DNS references in OPNsense config.xml from 10.4.2.129 to 10.4.2.11 (Pi-hole) +- Affected: DHCP DNS server settings for all VLANs, firewall DNS allow rules +- Guest clients need DHCP lease renewal to get correct DNS server + ### RustDesk Server Deployment - Deployed RustDesk server LXC 129 on pm2 via ProxmoxVE helper script - Configured static IP: 10.4.2.36 diff --git a/docs/DECISIONS.md b/docs/DECISIONS.md index e1045a0..760400f 100644 --- a/docs/DECISIONS.md +++ b/docs/DECISIONS.md @@ -107,16 +107,16 @@ Unmanaged Gigabyte switches pass VLAN tags through (they just don't understand t #### DHCP Configuration All DHCP served by OPNsense: -- LAN: 10.4.2.100-200, DNS: 10.4.2.129 (Pi-hole) -- Trusted: 10.4.10.100-200, DNS: 10.4.2.129 -- IoT: 10.4.20.100-200, DNS: 10.4.2.129 -- Guest: 10.4.30.100-200, DNS: 10.4.2.129 +- LAN: 10.4.2.100-200, DNS: 10.4.2.11 (Pi-hole) +- Trusted: 10.4.10.100-200, DNS: 10.4.2.11 +- IoT: 10.4.20.100-200, DNS: 10.4.2.11 +- Guest: 10.4.30.100-200, DNS: 10.4.2.11 #### OPNsense Firewall Rules (Implemented) | Rule | Source | Destination | Action | |------|--------|-------------|--------| -| Allow DNS | IoT/Guest | 10.4.2.129:53 | Pass | +| Allow DNS | IoT/Guest | 10.4.2.11:53 | Pass | | Block IoT→LAN | 10.4.20.0/24 | 10.4.2.0/24 | Block | | Block Guest→LAN | 10.4.30.0/24 | 10.4.2.0/24 | Block | | Block Guest→IoT | 10.4.30.0/24 | 10.4.20.0/24 | Block |
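
Review bot: In the docs/CHANGELOG.md hunk, the last added bullet limits the lease-renewal step to Guest clients, but the "Affected" bullet just above it says the DHCP DNS server setting changed for all VLANs. Clients on LAN, Trusted and IoT that took a lease before the change will also keep 10.4.2.129 as their resolver until they renew. Suggest rewording to "Clients on all VLANs need DHCP lease renewal to get correct DNS server", or adding a line explaining why only Guest clients are affected. It would also help to record how the fix was verified from a Guest client, for example a successful lookup against 10.4.2.11.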
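
Review bot: In the docs/DECISIONS.md hunk, the updated "Allow DNS" row points at 10.4.2.11, which lies inside 10.4.2.0/24, the destination of the "Block IoT→LAN" and "Block Guest→LAN" rows directly below it. The pass rule is therefore an exception carved out of the LAN block and only works while it is evaluated before those two rows. The table does not say that row order is evaluation order. Suggest adding a sentence under the table stating that rules are listed in match order and that the DNS pass must stay above the LAN blocks. The row also gives port 53 without a protocol; stating TCP/UDP explicitly would keep the exception as narrow as the documentation implies.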