diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 34d545a..ba9dfa7 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -4,6 +4,10 @@
 
 ## 2025-12-28
 
+### Guest VLAN Traefik Access
+- Added firewall rule allowing Guest VLAN to access Traefik (10.4.2.10:443)
+- Guests can now use `https://jellyfin.kavcorp.com` etc. with valid certs
+
 ### Internal DNS for kavcorp.com Domains
 - Added Pi-hole DNS entries for `*.kavcorp.com` pointing to Traefik (10.4.2.10)
 - Internal clients can now access `https://jellyfin.kavcorp.com` etc. with valid Let's Encrypt certs
diff --git a/docs/DECISIONS.md b/docs/DECISIONS.md
index 33f5e6d..1b3e9cc 100644
--- a/docs/DECISIONS.md
+++ b/docs/DECISIONS.md
@@ -124,6 +124,7 @@ All DHCP served by OPNsense:
 | Rule | Source | Destination | Action |
 |------|--------|-------------|--------|
 | Allow DNS | IoT/Guest | 10.4.2.11:53 | Pass |
+| Allow Guest→Traefik | 10.4.30.0/24 | 10.4.2.10:443 | Pass |
 | Allow Guest→Media | 10.4.30.0/24 | 10.4.2.25, 10.4.2.26 | Pass |
 | Block IoT→LAN | 10.4.20.0/24 | 10.4.2.0/24 | Block |
 | Block Guest→LAN | 10.4.30.0/24 | 10.4.2.0/24 | Block |