add: Guest VLAN access to Traefik HTTPS

Allow Guest VLAN to access Traefik on port 443 so guests can use
https://jellyfin.kavcorp.com etc. with valid Let's Encrypt certs.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-28 22:06:17 -05:00
parent 3f0c050ff6
commit c12c531c33
2 changed files with 5 additions and 0 deletions


@@ -4,6 +4,10 @@
## 2025-12-28
### Guest VLAN Traefik Access
- Added firewall rule allowing Guest VLAN to access Traefik (10.4.2.10:443)
- Guests can now use `https://jellyfin.kavcorp.com` etc. with valid certs
### Internal DNS for kavcorp.com Domains
- Added Pi-hole DNS entries for `*.kavcorp.com` pointing to Traefik (10.4.2.10)
- Internal clients can now access `https://jellyfin.kavcorp.com` etc. with valid Let's Encrypt certs
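Review bot: The second bullet under "Guest VLAN Traefik Access" ends in "etc." and never says which hostnames guests are meant to reach. The entry just below records that `*.kavcorp.com` points to Traefik at 10.4.2.10, so please name the services intended to be guest-facing here. The changelog would then record the scope of the access being granted rather than only the one example host.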


@@ -124,6 +124,7 @@ All DHCP served by OPNsense:
| Rule | Source | Destination | Action |
|------|--------|-------------|--------|
| Allow DNS | IoT/Guest | 10.4.2.11:53 | Pass |
| Allow Guest→Traefik | 10.4.30.0/24 | 10.4.2.10:443 | Pass |
| Allow Guest→Media | 10.4.30.0/24 | 10.4.2.25, 10.4.2.26 | Pass |
| Block IoT→LAN | 10.4.20.0/24 | 10.4.2.0/24 | Block |
| Block Guest→LAN | 10.4.30.0/24 | 10.4.2.0/24 | Block |
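Review bot: The "Allow Guest→Traefik" row opens 10.4.2.10:443 to all of 10.4.30.0/24, and a rule at the address-and-port level cannot tell Jellyfin apart from any other hostname served on that port. Add a note beside the table saying that any per-hostname restriction for guest clients has to be enforced in Traefik itself, and state the protocol in the row. Two smaller points on the same table: the Pass row only works if it is evaluated before "Block Guest→LAN", which is worth documenting, and "Allow Guest→Media" lists 10.4.2.25 and 10.4.2.26 with no port, so consider whether it is still needed or can be narrowed now that guests reach services through Traefik.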