docs: Complete OPNsense VLAN and firewall configuration

- Updated CHANGELOG with implemented VLAN config (VLANs 10, 20, 30)
- Updated DECISIONS with complete VLAN architecture and firewall rules
- Updated INFRASTRUCTURE with VLANs/subnets table and bridge configs
- Updated TASKS to mark VLAN/firewall work complete, add UniFi VLAN tasks
- Updated README last updated date

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

docs/INFRASTRUCTURE.md

@@ -108,15 +108,16 @@ All `*.kavcorp.com` subdomains route through Traefik reverse proxy (10.4.2.10) f
 | Purpose | WAN uplink to AT&T modem |
 | Used by | VM 130 (OPNsense) net1 |
 
-### Planned Subnets (DHCP-based Isolation)
+### VLANs and Subnets
 
-| Subnet | Range | Purpose | Gateway |
-|--------|-------|---------|---------|
-| Main LAN | 10.4.2.0/24 | Trusted devices, Proxmox, services | 10.4.2.1 (OPNsense) |
-| IoT | 10.4.10.0/24 | KavCorp-IOT WiFi devices | 10.4.10.1 (OPNsense) |
-| Guest | 10.4.20.0/24 | KavCorp-Guest WiFi devices | 10.4.20.1 (OPNsense) |
+| VLAN | Subnet | Gateway | DHCP Range | Purpose |
+|------|--------|---------|------------|---------|
+| - | 10.4.2.0/24 | 10.4.2.1 | .100-.200 | Infrastructure (Proxmox, core services) |
+| 10 | 10.4.10.0/24 | 10.4.10.1 | .100-.200 | Trusted (user devices) |
+| 20 | 10.4.20.0/24 | 10.4.20.1 | .100-.200 | IoT (KavCorp-IOT SSID) |
+| 30 | 10.4.30.0/24 | 10.4.30.1 | .100-.200 | Guest (KavCorp-Guest SSID) |
 
-*Note: Using DHCP-based isolation due to unmanaged Gigabyte switches (no VLAN support). See DECISIONS.md for details.*
+*VLANs configured on OPNsense. UniFi APs tag traffic per SSID. See DECISIONS.md for firewall rules.*
 
 ## Access & Credentials