diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 43fd3dc..7f80d74 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -2,6 +2,23 @@ > **Purpose**: Historical record of all significant infrastructure changes +## 2025-12-22 + +### NAT Reflection & External Access Fix +- **Root cause**: Traefik (LXC 104) had gateway set to 10.4.2.254 (Asus) instead of 10.4.2.1 (OPNsense) +- **Symptom**: External traffic and VLAN traffic to Traefik via WAN IP failed (asymmetric routing) +- **Fix**: Changed Traefik gateway to 10.4.2.1 in both runtime and `/etc/pve/lxc/104.conf` + +### OPNsense NAT Configuration +- Enabled NAT reflection (Pure NAT mode) in Firewall → Settings → Advanced +- Enabled automatic outbound NAT for reflection +- Port forwards for HTTPS (443) → Traefik (10.4.2.10) now work from all VLANs and external + +### NFS Storage Issues +- KavNas has two NICs with different IPs; primary is 10.4.2.13 +- Fixed stale NFS mounts on pm2 and pm4 by updating `/etc/pve/storage.cfg` to correct IP +- Pi-hole (LXC 103) and other containers recovered after NFS fix + ## 2025-12-21 ### Traefik Updates
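Review bot: In the "NFS Storage Issues" entry, "updating `/etc/pve/storage.cfg` to correct IP" does not record which address was replaced, whereas the "NAT Reflection & External Access Fix" entry gives both the old gateway (10.4.2.254) and the new one (10.4.2.1). Suggest naming the stale address next to 10.4.2.13, for example "changed server from <old IP> to 10.4.2.13 on pm2 and pm4", so the entry can be used when the mounts go stale again. In the "OPNsense NAT Configuration" entry, "now work from all VLANs and external" should say whether reaching Traefik on 443 from every VLAN is intended and which firewall rules, if any, restrict it, since the entry records reflection being enabled under Firewall → Settings → Advanced. The root-cause bullet could also state whether any other host or container still uses 10.4.2.254 as its gateway, because the same asymmetric routing symptom would apply to it.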