Root cause: OPNsense DHCP and firewall rules referenced 10.4.2.129
for Pi-hole DNS, but that IP doesn't exist. Pi-hole is at 10.4.2.11.
Updated all references in OPNsense config.xml and documentation.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- LXC 129 on pm2 with static IP 10.4.2.36
- Local DNS: rustdesk.kav
- Updated INFRASTRUCTURE.md and CHANGELOG.md
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Complete static IP migration for all containers
- Configure Pi-hole local DNS with .kav hostnames
- Add SSH provisioning script for all containers
- Create NETWORK-MAP.md with complete IP allocation
- Create network-map.sh for dynamic map generation
- Update INFRASTRUCTURE.md with new service map
- Add .kav TLD and SSH policy decisions to DECISIONS.md
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Root cause was Traefik using Asus (10.4.2.254) as gateway instead of OPNsense (10.4.2.1)
- Enabled NAT reflection in OPNsense for VLAN access via WAN IP
- Fixed NFS mount issues with KavNas
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Pure NAT mode doesn't work when clients/servers on same subnet
- Must use enablenatreflectionhelper for proper source NAT
- Added to Common Gotchas in DECISIONS.md
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Migrated all port forwards from Asus router to OPNsense
- Documented port range NAT syntax (local-port must be starting port only)
- Added Common Gotcha #4 for port range rules in DECISIONS.md
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- WireGuard configured on OPNsense (port 51820, 10.10.10.0/24)
- AT&T IP Passthrough enabled for public IP on OPNsense
- qemu-guest-agent and tailscale plugins installed
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Document LAN→IoT firewall rule for HA/Frigate access
- Add OPNsense interface naming (opt1, not lan in config.xml)
- Document IPv6 rule fix that was blocking ruleset loading
- Add pfctl troubleshooting commands
- Mark network isolation tests complete
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Updated INFRASTRUCTURE.md with VLAN traffic path and required configs
- Updated CHANGELOG.md with WAN cutover and VLAN troubleshooting fixes
- Updated TASKS.md to reflect completed network work
- pm4 bridge VLAN config made persistent via post-up commands
- Pi-hole listeningMode changed to ALL for multi-subnet DNS
Key fixes:
- pm4 vmbr0 bridge-vlan-aware with VLANs 10,20,30 on eno1
- Pi-hole veth added to VLANs for routed traffic
- Pi-hole gateway set to OPNsense (10.4.2.1)
- OPNsense default route fixed to use WAN gateway
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Updated CHANGELOG with implemented VLAN config (VLANs 10, 20, 30)
- Updated DECISIONS with complete VLAN architecture and firewall rules
- Updated INFRASTRUCTURE with VLANs/subnets table and bridge configs
- Updated TASKS to mark VLAN/firewall work complete, add UniFi VLAN tasks
- Updated README last updated date
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Document OPNsense WAN configuration (pm4 vmbr1 with USB NIC)
- Add DHCP-based isolation workaround for unmanaged Gigabyte switches
- Plan subnet scheme: LAN (10.4.2.0/24), IoT (10.4.10.0/24), Guest (10.4.20.0/24)
- Document planned OPNsense firewall rules for isolation
- Update tasks with OPNsense migration and isolation steps
- Fix Claude Code hooks settings (remove matcher from Stop hook)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- OPNsense VM 130 on pm4 (KavSense, 10.4.2.1)
- VLAN 10 configured (10.4.10.0/24) for future use
- pm4 vmbr0 now VLAN-aware
- UniFi SSIDs: Trusted, IOT, Guest
- VLAN testing paused until GiGaPlus switches arrive
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Created NETWORK-UPGRADE-PLAN.md with full topology and VLAN design
- Hardware: 2× GiGaPlus 10G PoE ($202), 2× U7 Pro ($378) = $580 total
- 10G backhaul between server closet and basement
- VLANs: Trusted (1), Servers (10), IoT (20), Guest (30)
- OPNsense VM for routing, UniFi Controller LXC for APs
- Updated TASKS.md with implementation checklist
- Updated DECISIONS.md with architecture rationale
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added Pi-hole section to CONFIGURATIONS.md
- Includes Traefik config, DNS setup, and Asus router instructions
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- IP: 10.4.2.129 on pm2
- Domain: pihole.kavcorp.com
- Unbound configured for recursive DNS resolution
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Frigate migrated to LXC 128 (Docker) with auth enabled
- Updated IP to 10.4.2.8, port 8971 for authenticated access
- Traefik uses HTTPS backend with insecureSkipVerify for self-signed cert
- Added logrotate for Traefik logs (50MB max, 3 rotations)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added Gitea (LXC 127) to service map
- Added changelog entry for Gitea setup
- Traefik routing configured for git.kavcorp.com
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
