diff --git a/docs/IP-MIGRATION-PLAN.md b/docs/IP-MIGRATION-PLAN.md
new file mode 100644
index 0000000..afeffe6
--- /dev/null
+++ b/docs/IP-MIGRATION-PLAN.md
@@ -0,0 +1,113 @@
+# IP Address Migration Plan
+
+## New IP Allocation Scheme
+
+| Range | Purpose |
+|-------|---------|
+| 10.4.2.1 | OPNsense gateway |
+| 10.4.2.2-9 | Proxmox nodes |
+| 10.4.2.10-19 | **Core Infrastructure** (proxy, DNS, auth, NAS) |
+| 10.4.2.20-39 | **Services** (media stack, apps) |
+| 10.4.2.40-49 | **Game servers / AMP** |
+| 10.4.2.50-99 | **Reserved / Future** |
+| 10.4.2.100-199 | **DHCP Dynamic Pool** |
+| 10.4.2.200-239 | **Docker hosts / VMs** |
+| 10.4.2.240-249 | **IoT / Network controllers** |
+| 10.4.2.250-254 | **Network gear** |
+
+## Migration Table
+
+### Core Infrastructure (10.4.2.10-19)
+
+| Service | VMID | Node | Current IP | New IP | Gateway Fix |
+|---------|------|------|------------|--------|-------------|
+| Traefik | 104 | pm2 | 10.4.2.10 | 10.4.2.10 | Already 10.4.2.1 |
+| Pi-hole | 103 | pm4 | 10.4.2.129 | 10.4.2.11 | Already 10.4.2.1 |
+| Authelia | 116 | pm2 | 10.4.2.19 | 10.4.2.12 | 10.4.2.254→10.4.2.1 |
+| KavNas | - | NAS | 10.4.2.13 | 10.4.2.13 | N/A (DHCP static) |
+| Gitea | 127 | pm4 | 10.4.2.7 (DHCP) | 10.4.2.14 | Set to 10.4.2.1 |
+| Vaultwarden | 125 | pm4 | 10.4.2.212 | 10.4.2.15 | 10.4.2.254→10.4.2.1 |
+| UniFi | 111 | pm4 | 10.4.2.242 (DHCP) | 10.4.2.16 | Set to 10.4.2.1 |
+
+### Services - Media Stack (10.4.2.20-29)
+
+| Service | VMID | Node | Current IP | New IP | Gateway Fix |
+|---------|------|------|------------|--------|-------------|
+| Sonarr | 105 | pm2 | 10.4.2.15 | 10.4.2.20 | 10.4.2.254→10.4.2.1 |
+| Radarr | 108 | pm2 | 10.4.2.16 | 10.4.2.21 | 10.4.2.254→10.4.2.1 |
+| Prowlarr | 114 | pm2 | 10.4.2.17 | 10.4.2.22 | 10.4.2.254→10.4.2.1 |
+| Bazarr | 119 | pm2 | 10.4.2.22 | 10.4.2.23 | 10.4.2.254→10.4.2.1 |
+| Whisparr | 117 | pm2 | 10.4.2.20 | 10.4.2.24 | 10.4.2.254→10.4.2.1 |
+| Jellyseerr | 115 | pm2 | 10.4.2.18 | 10.4.2.25 | 10.4.2.254→10.4.2.1 |
+| Jellyfin | 121 | elantris | 10.4.2.21 | 10.4.2.26 | Check |
+| Kometa | 120 | pm2 | 10.4.2.23 | 10.4.2.27 | 10.4.2.254→10.4.2.1 |
+| Recyclarr | 122 | pm2 | 10.4.2.25 | 10.4.2.28 | 10.4.2.254→10.4.2.1 |
+| Notifiarr | 118 | pm2 | 10.4.2.21 | 10.4.2.29 | 10.4.2.254→10.4.2.1 |
+| Immich | 126 | pm4 | DHCP | 10.4.2.30 | Set to 10.4.2.1 |
+
+### Services - Other (10.4.2.30-39)
+
+| Service | VMID | Node | Current IP | New IP | Gateway Fix |
+|---------|------|------|------------|--------|-------------|
+| Immich | 126 | pm4 | DHCP | 10.4.2.30 | Set to 10.4.2.1 |
+| Frigate | 128 | pm3 | 10.4.2.8 | 10.4.2.31 | Check |
+| Foundry VTT | 112 | pm3 | 10.4.2.37 | 10.4.2.32 | Check |
+| Home Assistant | 100 | pm1 | 10.4.2.62 | 10.4.2.33 | Check |
+| llama.cpp | 123 | elantris | 10.4.2.224 | 10.4.2.34 | Check |
+
+### Game Servers (10.4.2.40-49)
+
+| Service | VMID | Node | Current IP | New IP | Gateway Fix |
+|---------|------|------|------------|--------|-------------|
+| AMP | 124 | elantris | 10.4.2.26 | 10.4.2.40 | Check |
+
+### Docker Hosts (10.4.2.200-209)
+
+| Service | VMID | Node | Current IP | New IP | Gateway Fix |
+|---------|------|------|------------|--------|-------------|
+| docker-pm2 | 113 | pm2 | 10.4.2.203 | 10.4.2.200 | 10.4.2.254→10.4.2.1 |
+| docker-pm4 | 110 | pm4 | 10.4.2.204 | 10.4.2.201 | 10.4.2.254→10.4.2.1 |
+| docker-pm3 | 109 | pm3 | ? | 10.4.2.202 | Check |
+| dockge | 107 | pm3 | ? | 10.4.2.203 | Check |
+
+## Migration Order
+
+**Phase 1: Fix gateways only (no IP changes)**
+- Restart not required, just config update
+
+**Phase 2: Migrate non-critical services**
+1. Media stack (Sonarr, Radarr, etc.) - low impact
+2. Docker hosts
+3. Game servers
+
+**Phase 3: Migrate core services (brief downtime)**
+1. Authelia
+2. Vaultwarden
+3. UniFi
+4. Gitea
+
+**Phase 4: Migrate DNS (coordinate carefully)**
+1. Update all DHCP clients to use new Pi-hole IP FIRST
+2. Then migrate Pi-hole
+
+**Phase 5: Update Traefik configs**
+- Update all backend IPs in Traefik route configs
+
+## Post-Migration
+
+1. Update OPNsense DHCP static mappings
+2. Update docs/INFRASTRUCTURE.md
+3. Update Traefik configs
+4. Test all services
+5. Delete this migration plan file
+
+## Commands Reference
+
+**Change LXC IP and gateway:**
+```bash
+pct set <vmid> --net0 name=eth0,bridge=vmbr0,gw=10.4.2.1,ip=<NEW_IP>/24,type=veth
+pct reboot <vmid>
+```
+
+**Add DHCP static mapping in OPNsense:**
+Via UI: Services → DHCPv4 → [LAN] → Static Mappings