fix: Guest VLAN internet - DNS pointed to non-existent IP

Root cause: OPNsense DHCP and firewall rules referenced 10.4.2.129
for Pi-hole DNS, but that IP doesn't exist. Pi-hole is at 10.4.2.11.

Updated all references in OPNsense config.xml and documentation.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

docs/CHANGELOG.md

@@ -4,6 +4,13 @@
 
 ## 2025-12-28
 
+### Guest VLAN Internet Fix
+- Fixed Guest VLAN (10.4.30.0/24) having no internet access
+- Root cause: OPNsense DHCP and firewall rules referenced non-existent 10.4.2.129 for DNS
+- Fix: Updated all DNS references in OPNsense config.xml from 10.4.2.129 to 10.4.2.11 (Pi-hole)
+- Affected: DHCP DNS server settings for all VLANs, firewall DNS allow rules
+- Guest clients need DHCP lease renewal to get correct DNS server
+
 ### RustDesk Server Deployment
 - Deployed RustDesk server LXC 129 on pm2 via ProxmoxVE helper script
 - Configured static IP: 10.4.2.36

docs/DECISIONS.md

@@ -107,16 +107,16 @@ Unmanaged Gigabyte switches pass VLAN tags through (they just don't understand t
 #### DHCP Configuration
 
 All DHCP served by OPNsense:
-- LAN: 10.4.2.100-200, DNS: 10.4.2.129 (Pi-hole)
-- Trusted: 10.4.10.100-200, DNS: 10.4.2.129
-- IoT: 10.4.20.100-200, DNS: 10.4.2.129
-- Guest: 10.4.30.100-200, DNS: 10.4.2.129
+- LAN: 10.4.2.100-200, DNS: 10.4.2.11 (Pi-hole)
+- Trusted: 10.4.10.100-200, DNS: 10.4.2.11
+- IoT: 10.4.20.100-200, DNS: 10.4.2.11
+- Guest: 10.4.30.100-200, DNS: 10.4.2.11
 
 #### OPNsense Firewall Rules (Implemented)
 
 | Rule | Source | Destination | Action |
 |------|--------|-------------|--------|
-| Allow DNS | IoT/Guest | 10.4.2.129:53 | Pass |
+| Allow DNS | IoT/Guest | 10.4.2.11:53 | Pass |
 | Block IoT→LAN | 10.4.20.0/24 | 10.4.2.0/24 | Block |
 | Block Guest→LAN | 10.4.30.0/24 | 10.4.2.0/24 | Block |
 | Block Guest→IoT | 10.4.30.0/24 | 10.4.20.0/24 | Block |