From c12c531c33abdf0baaa4940627a3766e5b216153 Mon Sep 17 00:00:00 2001 From: kavren Date: Sun, 28 Dec 2025 22:06:17 -0500 Subject: [PATCH] add: Guest VLAN access to Traefik HTTPS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Allow Guest VLAN to access Traefik on port 443 so guests can use https://jellyfin.kavcorp.com etc. with valid Let's Encrypt certs. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 --- docs/CHANGELOG.md | 4 ++++ docs/DECISIONS.md | 1 + 2 files changed, 5 insertions(+) diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 34d545a..ba9dfa7 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -4,6 +4,10 @@ ## 2025-12-28 +### Guest VLAN Traefik Access +- Added firewall rule allowing Guest VLAN to access Traefik (10.4.2.10:443) +- Guests can now use `https://jellyfin.kavcorp.com` etc. with valid certs + ### Internal DNS for kavcorp.com Domains - Added Pi-hole DNS entries for `*.kavcorp.com` pointing to Traefik (10.4.2.10) - Internal clients can now access `https://jellyfin.kavcorp.com` etc. with valid Let's Encrypt certs diff --git a/docs/DECISIONS.md b/docs/DECISIONS.md index 33f5e6d..1b3e9cc 100644 --- a/docs/DECISIONS.md +++ b/docs/DECISIONS.md @@ -124,6 +124,7 @@ All DHCP served by OPNsense: | Rule | Source | Destination | Action | |------|--------|-------------|--------| | Allow DNS | IoT/Guest | 10.4.2.11:53 | Pass | +| Allow Guest→Traefik | 10.4.30.0/24 | 10.4.2.10:443 | Pass | | Allow Guest→Media | 10.4.30.0/24 | 10.4.2.25, 10.4.2.26 | Pass | | Block IoT→LAN | 10.4.20.0/24 | 10.4.2.0/24 | Block | | Block Guest→LAN | 10.4.30.0/24 | 10.4.2.0/24 | Block |
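Review bot: In the docs/CHANGELOG.md hunk, "Guests can now use `https://jellyfin.kavcorp.com` etc." leaves the set of guest-reachable services undefined. The context lines below it say `*.kavcorp.com` resolves to Traefik (10.4.2.10), so "etc." covers every hostname Traefik routes. Please list the hostnames guests are meant to reach, and point to the firewall table in docs/DECISIONS.md so the entry and the rule stay in sync.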
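Review bot: In the docs/DECISIONS.md hunk, the new row "Allow Guest→Traefik | 10.4.30.0/24 | 10.4.2.10:443 | Pass" is a port-level rule, so it opens every service Traefik serves on 443 to the Guest VLAN, not only Jellyfin. If any router behind 10.4.2.10 is not meant for guests, record here that it is restricted at Traefik by source range (a source-IP allow-list on those routers), since the firewall cannot distinguish hostnames. Two smaller points on the same row: it does not state the protocol (TCP only, or UDP 443 as well), and it only takes effect if it is evaluated before "Block Guest→LAN | 10.4.30.0/24 | 10.4.2.0/24", so a note that the table reflects evaluation order would help. It is also worth stating whether "Allow Guest→Media | 10.4.30.0/24 | 10.4.2.25, 10.4.2.26" is still needed now that guests can go through Traefik.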