Commit Graph

31 Commits

Author SHA1 Message Date
d999047b1c docs: Update migration plan - radarr conflict resolved
- Radarr moved from 10.4.2.16 to 10.4.2.24 to resolve UniFi conflict
- UniFi, Immich, Gitea verified working through Traefik
- Updated current IP maps

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-22 16:35:39 -05:00
9784c51ffb Auto-commit: 2025-12-22 16:25 session changes
2025-12-22 16:25:12 -05:00
7e4ff79a11 docs: Add IP migration plan, fix gateways and static IPs
- Created IP-MIGRATION-PLAN.md with new allocation scheme
- Fixed all LXC gateways from 10.4.2.254 (Asus) to 10.4.2.1 (OPNsense)
- Set static IPs: UniFi (.16), Gitea (.17), Immich (.30)
- Migrated critical containers to local-lvm storage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-22 15:58:23 -05:00
cc72ed8309 Auto-commit: 2025-12-22 15:43 session changes
2025-12-22 15:43:29 -05:00
c3f567f639 docs: Document NAT reflection and Traefik gateway fix
- Root cause was Traefik using Asus (10.4.2.254) as gateway instead of OPNsense (10.4.2.1)
- Enabled NAT reflection in OPNsense for VLAN access via WAN IP
- Fixed NFS mount issues with KavNas

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-22 15:20:30 -05:00
4815a70dd0 Auto-commit: 2025-12-22 00:34 session changes
2025-12-22 00:34:55 -05:00
913b413522 docs: Document NAT reflection fix for internal service access
- Pure NAT mode doesn't work when clients/servers on same subnet
- Must use enablenatreflectionhelper for proper source NAT
- Added to Common Gotchas in DECISIONS.md

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-22 00:16:40 -05:00
34825ed1a3 docs: Add Protectli Vault as failover option
🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-22 00:15:40 -05:00
9fd5735586 docs: Add NAT port forward migration and port range fix
- Migrated all port forwards from Asus router to OPNsense
- Documented port range NAT syntax (local-port must be starting port only)
- Added Common Gotcha #4 for port range rules in DECISIONS.md

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-21 23:55:19 -05:00
9aacc8e19d docs: Add WireGuard VPN and AT&T passthrough setup
- WireGuard configured on OPNsense (port 51820, 10.10.10.0/24)
- AT&T IP Passthrough enabled for public IP on OPNsense
- qemu-guest-agent and tailscale plugins installed

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-21 23:47:00 -05:00
13966f2b09 docs: Add firewall fixes and OPNsense config patterns
- Document LAN→IoT firewall rule for HA/Frigate access
- Add OPNsense interface naming (opt1, not lan in config.xml)
- Document IPv6 rule fix that was blocking ruleset loading
- Add pfctl troubleshooting commands
- Mark network isolation tests complete

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-21 23:01:34 -05:00
e6ad3bcf1d docs: Mark Asus DHCP cutover complete
OPNsense is now the sole DHCP server for LAN (10.4.2.0/24).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-21 22:40:24 -05:00
66763e3f10 Auto-commit: 2025-12-21 22:33 session changes
2025-12-21 22:33:16 -05:00
ae071a5064 docs: VLAN isolation working, OPNsense WAN cutover complete
- Updated INFRASTRUCTURE.md with VLAN traffic path and required configs
- Updated CHANGELOG.md with WAN cutover and VLAN troubleshooting fixes
- Updated TASKS.md to reflect completed network work
- pm4 bridge VLAN config made persistent via post-up commands
- Pi-hole listeningMode changed to ALL for multi-subnet DNS

Key fixes:
- pm4 vmbr0 bridge-vlan-aware with VLANs 10,20,30 on eno1
- Pi-hole veth added to VLANs for routed traffic
- Pi-hole gateway set to OPNsense (10.4.2.1)
- OPNsense default route fixed to use WAN gateway

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-21 22:29:19 -05:00
e93030ba9b docs: Complete OPNsense VLAN and firewall configuration
- Updated CHANGELOG with implemented VLAN config (VLANs 10, 20, 30)
- Updated DECISIONS with complete VLAN architecture and firewall rules
- Updated INFRASTRUCTURE with VLANs/subnets table and bridge configs
- Updated TASKS to mark VLAN/firewall work complete, add UniFi VLAN tasks
- Updated README last updated date

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-21 20:52:38 -05:00
b69435bd57 add: Traefik routes for UniFi and OPNsense
- unifi.kavcorp.com → 10.4.2.242:8443
- opnsense.kavcorp.com → 10.4.2.1
- Resized Traefik LXC rootfs to 4GB (was 2GB, kept filling up)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-21 19:25:57 -05:00
e0a64b1b92 docs: Add DHCP-based network isolation strategy
- Document OPNsense WAN configuration (pm4 vmbr1 with USB NIC)
- Add DHCP-based isolation workaround for unmanaged Gigabyte switches
- Plan subnet scheme: LAN (10.4.2.0/24), IoT (10.4.10.0/24), Guest (10.4.20.0/24)
- Document planned OPNsense firewall rules for isolation
- Update tasks with OPNsense migration and isolation steps
- Fix Claude Code hooks settings (remove matcher from Stop hook)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-21 19:20:07 -05:00
9e050d4677 add: OPNsense VM and UniFi network config
- OPNsense VM 130 on pm4 (KavSense, 10.4.2.1)
- VLAN 10 configured (10.4.10.0/24) for future use
- pm4 vmbr0 now VLAN-aware
- UniFi SSIDs: Trusted, IOT, Guest
- VLAN testing paused until GiGaPlus switches arrive

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-19 19:31:51 -05:00
fe83b760f3 add: UniFi Controller LXC on pm4
Deployed for managing U7 AP in server closet testing.
IP: 10.4.2.242 (DHCP for now)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-19 16:55:02 -05:00
7fd75250c6 docs: Optimize server closet port allocation
- pm1 uses 10G port (auto-negotiates 2.5G, no PoE needed)
- pm2, pm3, pm4, U6 Enterprise use 2.5G PoE ports
- All 6 ports utilized, no injector needed
- GS308EP dedicated to cameras

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-18 14:09:02 -05:00
8d991bf82e docs: Add pm1-3 nodes to server closet topology
- pm1, pm2, pm3 connect via GS308EP (1G managed PoE)
- GS308EP uplinks to GiGaPlus for 10G backhaul access
- pm4 connects directly to GiGaPlus at 2.5G (OPNsense host)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-18 14:06:57 -05:00
eb5676653f docs: Clarify NIC bridging for pm4 LXCs
- NICs use bridges (not passthrough) so other LXCs can share
- vmbr0 (Intel) shared by OPNsense LAN + all pm4 LXCs
- vmbr1 (USB) dedicated to OPNsense WAN
- Added diagram showing LXC connectivity

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-18 14:05:40 -05:00
3674bcc147 docs: Update network plan - OPNsense on pm4 with USB NIC
- OPNsense moves to pm4 (server closet, next to AT&T modem)
- USB 2.5G NIC for WAN (~$25), Intel I226-V for LAN
- pm4 has USB 3.1 (10Gbps) - verified
- Updated topology diagram with pm4/OPNsense placement
- Total cost now ~$605

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-18 12:41:38 -05:00
ef02ff5eb6 docs: Add comprehensive network upgrade plan
- Created NETWORK-UPGRADE-PLAN.md with full topology and VLAN design
- Hardware: 2× GiGaPlus 10G PoE ($202), 2× U7 Pro ($378) = $580 total
- 10G backhaul between server closet and basement
- VLANs: Trusted (1), Servers (10), IoT (20), Guest (30)
- OPNsense VM for routing, UniFi Controller LXC for APs
- Updated TASKS.md with implementation checklist
- Updated DECISIONS.md with architecture rationale

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-18 12:32:05 -05:00
6449212620 docs: Add Pi-hole Traefik config and router setup
- Added Pi-hole section to CONFIGURATIONS.md
- Includes Traefik config, DNS setup, and Asus router instructions

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-18 10:00:09 -05:00
fae16719e4 fix: Correct Pi-hole location to LXC 103 on pm4
🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-18 09:56:36 -05:00
7f59443424 add: Pi-hole LXC with Unbound recursive DNS
- IP: 10.4.2.129 on pm2
- Domain: pihole.kavcorp.com
- Unbound configured for recursive DNS resolution

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-18 09:54:44 -05:00
18b4eb9bb6 docs: Remove Shinobi and old Frigate (LXC 103, 111 purged)
- Destroyed LXC 103 (Shinobi) and LXC 111 (old Frigate)
- Removed Shinobi Traefik config
- Cleaned up documentation references

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-15 21:24:30 -05:00
e8d34127b6 docs: Update Frigate migration and Traefik config
- Frigate migrated to LXC 128 (Docker) with auth enabled
- Updated IP to 10.4.2.8, port 8971 for authenticated access
- Traefik uses HTTPS backend with insecureSkipVerify for self-signed cert
- Added logrotate for Traefik logs (50MB max, 3 rotations)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-15 21:13:20 -05:00
707b6876db Add Gitea to infrastructure documentation
- Added Gitea (LXC 127) to service map
- Added changelog entry for Gitea setup
- Traefik routing configured for git.kavcorp.com

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-07 22:15:35 -05:00
120c2ec809 Initial commit: KavCorp infrastructure documentation
- CLAUDE.md: Project configuration for Claude Code
- docs/: Infrastructure documentation
  - INFRASTRUCTURE.md: Service map, storage, network
  - CONFIGURATIONS.md: Service configs and credentials
  - CHANGELOG.md: Change history
  - DECISIONS.md: Architecture decisions
  - TASKS.md: Task tracking
- scripts/: Automation scripts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-07 22:07:01 -05:00