docs: Add DHCP-based network isolation strategy

- Document OPNsense WAN configuration (pm4 vmbr1 with USB NIC)
- Add DHCP-based isolation workaround for unmanaged Gigabyte switches
- Plan subnet scheme: LAN (10.4.2.0/24), IoT (10.4.10.0/24), Guest (10.4.20.0/24)
- Document planned OPNsense firewall rules for isolation
- Update tasks with OPNsense migration and isolation steps
- Fix Claude Code hooks settings (remove matcher from Stop hook)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

docs/CHANGELOG.md

@@ -2,6 +2,40 @@
 
 > **Purpose**: Historical record of all significant infrastructure changes
 
+## 2025-12-21
+
+### OPNsense WAN Configuration
+- **pm4 vmbr1**: Created new bridge for OPNsense WAN interface
+  - Physical NIC: enx6c1ff76e4d47 (USB 2.5G adapter)
+  - Added to `/etc/network/interfaces` on pm4
+  - Bridge is UP and connected to switch
+
+- **OPNsense VM 130**: Added second network interface
+  - net0: vmbr0 (LAN - 10.4.2.0/24)
+  - net1: vmbr1 (WAN - to AT&T modem)
+  - Ready for WAN cutover when AT&T modem is connected
+
+### Network Isolation Strategy
+- **Decision**: Use DHCP-based isolation instead of VLANs
+  - Constraint: Gigabyte 10G switches are unmanaged (no VLAN support)
+  - Workaround: Assign different subnets via DHCP, use OPNsense firewall rules
+
+- **Planned Subnets**:
+  - Main LAN: 10.4.2.0/24 (existing)
+  - IoT (KavCorp-IOT): 10.4.10.0/24
+  - Guest (KavCorp-Guest): 10.4.20.0/24
+
+- **Planned Firewall Rules**:
+  - Block IoT/Guest → LAN
+  - Block Guest → IoT
+  - Allow Smart Home VMs → IoT
+  - Allow IoT/Guest → Internet
+
+- **Documentation Updated**:
+  - DECISIONS.md: Network isolation strategy and constraints
+  - INFRASTRUCTURE.md: pm4 bridges and subnet plan
+  - TASKS.md: OPNsense migration and isolation tasks
+
 ## 2025-12-19
 
 ### Network Upgrade Progress