docs: Clarify NIC bridging for pm4 LXCs

- NICs use bridges (not passthrough) so other LXCs can share
- vmbr0 (Intel) shared by OPNsense LAN + all pm4 LXCs
- vmbr1 (USB) dedicated to OPNsense WAN
- Added diagram showing LXC connectivity

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

docs/NETWORK-UPGRADE-PLAN.md

@@ -192,19 +192,47 @@ net0: name=eth0,bridge=vmbr0,tag=10,type=veth
 
 ### Proxmox Setup on pm4
 
-1. Create bridge for USB NIC (WAN):
+**Important**: NICs are NOT passed through directly. They use bridges so other LXCs can share.
+
+```
+USB 2.5G NIC ──► vmbr1 (WAN bridge) ──► OPNsense WAN only
+
+Intel I226-V ──► vmbr0 (LAN bridge) ──► OPNsense LAN
+                       │
+                       ├──► Pi-hole (LXC 103)
+                       ├──► Vaultwarden (LXC 125)
+                       ├──► Immich (LXC 126)
+                       ├──► Gitea (LXC 127)
+                       └──► GiGaPlus switch (physical uplink)
+```
+
+1. Create WAN bridge for USB NIC:
    ```bash
    # /etc/network/interfaces on pm4
+
+   # Existing LAN bridge (Intel NIC) - shared by all LXCs
+   auto vmbr0
+   iface vmbr0 inet manual
+       bridge-ports eno1
+       bridge-stp off
+       bridge-fd 0
+       bridge-vlan-aware yes
+
+   # New WAN bridge (USB NIC) - OPNsense only
    auto vmbr1
    iface vmbr1 inet manual
-       bridge-ports enxXXXXXX  # USB NIC device name
+       bridge-ports enxXXXXXX  # USB NIC device name (check with `ip link`)
        bridge-stp off
        bridge-fd 0
    ```
 
-2. Passthrough bridges to OPNsense VM:
-   - vmbr1 → WAN
-   - vmbr0 → LAN (VLAN-aware)
+2. OPNsense VM network config:
+   - net0: bridge=vmbr1 (WAN - USB NIC)
+   - net1: bridge=vmbr0 (LAN - shared Intel NIC, VLAN-aware)
+
+3. Other LXCs on pm4 stay on vmbr0:
+   - No changes needed to LXC network config
+   - Just update gateway from Asus router IP → OPNsense (10.4.2.1)
 
 ### Firewall Rules (High Level)