docs: VLAN isolation working, OPNsense WAN cutover complete

- Updated INFRASTRUCTURE.md with VLAN traffic path and required configs
- Updated CHANGELOG.md with WAN cutover and VLAN troubleshooting fixes
- Updated TASKS.md to reflect completed network work
- pm4 bridge VLAN config made persistent via post-up commands
- Pi-hole listeningMode changed to ALL for multi-subnet DNS

Key fixes:
- pm4 vmbr0 bridge-vlan-aware with VLANs 10,20,30 on eno1
- Pi-hole veth added to VLANs for routed traffic
- Pi-hole gateway set to OPNsense (10.4.2.1)
- OPNsense default route fixed to use WAN gateway

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

docs/INFRASTRUCTURE.md

@@ -117,7 +117,18 @@ All `*.kavcorp.com` subdomains route through Traefik reverse proxy (10.4.2.10) f
 | 20 | 10.4.20.0/24 | 10.4.20.1 | .100-.200 | IoT (KavCorp-IOT SSID) |
 | 30 | 10.4.30.0/24 | 10.4.30.1 | .100-.200 | Guest (KavCorp-Guest SSID) |
 
-*VLANs configured on OPNsense. UniFi APs tag traffic per SSID. See DECISIONS.md for firewall rules.*
+**VLAN Traffic Path**: UniFi AP → Unmanaged Switch → pm4 vmbr0 → OPNsense vtnet0
+
+**Required pm4 vmbr0 Configuration**:
+- `bridge-vlan-aware yes` in /etc/network/interfaces
+- VLANs 10, 20, 30 added to eno1: `post-up bridge vlan add dev eno1 vid {10,20,30}`
+- VLANs 10, 20, 30 added to veth103i0 (Pi-hole): Manual after LXC start
+
+**Pi-hole Configuration** (LXC 103):
+- `listeningMode = "ALL"` in /etc/pihole/pihole.toml (to accept DNS from all subnets)
+- Gateway: 10.4.2.1 (OPNsense) for proper VLAN routing
+
+*See DECISIONS.md for firewall rules and network isolation strategy.*
 
 ## Access & Credentials