docs: Add NAT port forward migration and port range fix

- Migrated all port forwards from Asus router to OPNsense
- Documented port range NAT syntax (local-port must be starting port only)
- Added Common Gotcha #4 for port range rules in DECISIONS.md

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

docs/CHANGELOG.md

@@ -114,6 +114,19 @@
   - os-qemu-guest-agent (for Proxmox integration)
   - os-tailscale (backup VPN, not yet configured)
 
+### NAT Port Forwards Migrated
+- **Port forwards migrated from Asus router** to OPNsense:
+  - HTTP (80) → Traefik (10.4.2.10)
+  - HTTPS (443) → Traefik (10.4.2.10)
+  - Game server ports → AMP (10.4.2.26):
+    - 2223-2323, 2456-2556, 5678-5778, 7777-7877, 8766-8866 (AMP)
+    - 25565-25570 (Minecraft), 27004-27025 (CS/Steam)
+    - 15637 (Enshrouded), 16261-16262 (Project Zomboid)
+    - 9876-9877 (V Rising), 8211 (Palworld), 25576 (Palworld RCON)
+    - 27016 (Palworld Query), 26900-26910 (7 Days to Die)
+
+- **Port range NAT fix**: OPNsense config.xml requires `<local-port>` to contain only the **starting port** (e.g., `2223`), not the full range (e.g., `2223-2323`). OPNsense maps ranges 1:1 automatically.
+
 ### Verified Working
 - All VLANs (10, 20, 30) receiving DHCP from OPNsense
 - LAN (10.4.2.0/24) receiving DHCP from OPNsense

docs/DECISIONS.md

@@ -188,6 +188,9 @@ cat /tmp/rules.debug
 1. IPv6 rules with IPv4 addresses cause entire ruleset to fail loading
 2. Rules added via config.xml need proper interface names (opt1, not lan)
 3. After config.xml edits, run `configctl filter reload` to apply
+4. NAT port range rules: `<local-port>` must be just the starting port, not the full range
+   - Correct: `<port>2223-2323</port>` with `<local-port>2223</local-port>`
+   - Wrong: `<port>2223-2323</port>` with `<local-port>2223-2323</local-port>` (rule will be commented out)
 
 ### Reverse Proxy