docs: Add DHCP-based network isolation strategy

- Document OPNsense WAN configuration (pm4 vmbr1 with USB NIC)
- Add DHCP-based isolation workaround for unmanaged Gigabyte switches
- Plan subnet scheme: LAN (10.4.2.0/24), IoT (10.4.10.0/24), Guest (10.4.20.0/24)
- Document planned OPNsense firewall rules for isolation
- Update tasks with OPNsense migration and isolation steps
- Fix Claude Code hooks settings (remove matcher from Stop hook)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

docs/TASKS.md

@@ -1,6 +1,6 @@
 # Current Tasks
 
-> **Last Updated**: 2025-12-18
+> **Last Updated**: 2025-12-21
 
 ## In Progress
 
@@ -8,16 +8,35 @@ None currently.
 
 ## Pending
 
-### Network Upgrade (Priority)
-See [NETWORK-UPGRADE-PLAN.md](NETWORK-UPGRADE-PLAN.md) for full details.
+### OPNsense Migration (Priority)
+OPNsense VM 130 deployed on pm4 with vmbr1 (USB NIC) for WAN.
 
-- [ ] Order hardware (2× GiGaPlus 10G PoE, 2× U7 Pro)
-- [ ] Test Cat6 cable for 10G capability
-- [ ] Install switches and verify 10G backhaul
-- [ ] Deploy OPNsense VM on Elantris
-- [ ] Deploy UniFi Controller LXC
-- [ ] Configure VLANs and migrate services
-- [ ] Remove Asus mesh routers
+**Pending:**
+- [ ] Connect USB NIC to AT&T modem (WAN cutover)
+- [ ] Configure OPNsense WAN interface (DHCP or PPPoE from AT&T)
+- [ ] Configure OPNsense as DHCP server for LAN (10.4.2.0/24)
+- [ ] Test internet connectivity through OPNsense
+- [ ] Update gateway on all devices from 10.4.2.254 → 10.4.2.1
+
+### Network Isolation (DHCP Workaround)
+Using DHCP-based isolation due to unmanaged Gigabyte switches. See DECISIONS.md.
+
+**Pending:**
+- [ ] Configure OPNsense DHCP scope for IoT (10.4.10.0/24)
+- [ ] Configure OPNsense DHCP scope for Guest (10.4.20.0/24)
+- [ ] Configure UniFi to assign IoT/Guest clients to correct subnets (via DHCP options or UniFi DHCP)
+- [ ] Create OPNsense firewall rules:
+  - Block IoT → LAN
+  - Block Guest → LAN
+  - Block Guest → IoT
+  - Allow Smart Home VMs → IoT
+- [ ] Test isolation (IoT device cannot ping LAN device)
+- [ ] Test Smart Home access (Home Assistant can reach IoT)
+
+### Future Network Upgrades
+- [ ] Order hardware (2× GiGaPlus 10G PoE, 2× U7 Pro) for 10G backhaul
+- [ ] Consider managed 2.5G PoE switches for proper VLAN support
+- [ ] Consider OPNsense HA (CARP) with second USB NIC on another node
 
 ### Media Organization
 - [ ] Verify Jellyfin can see all imported media
@@ -35,6 +54,10 @@ See [NETWORK-UPGRADE-PLAN.md](NETWORK-UPGRADE-PLAN.md) for full details.
 
 ## Completed (Recent)
 
+- [x] Configured pm4 vmbr1 bridge with USB 2.5G NIC for OPNsense WAN
+- [x] Added net1 (vmbr1) to OPNsense VM 130
+- [x] Documented DHCP-based network isolation strategy
+- [x] Deployed UniFi Controller LXC 111 on pm4
 - [x] Fixed SSH access between cluster nodes (pm2 can access all nodes)
 - [x] Fixed NZBGet permissions (UMask=0000 for 777 files)
 - [x] Fixed Sonarr permissions (chmod 777 on imports)