Add pfSense backup utility and documentation

- Add backup-pfsense-config.sh script for automated config backups via SSH
- Auto-commits backups to git with timestamped filenames
- Includes validation, error handling, and troubleshooting guides
- Add scripts/README.md with detailed usage and crontab examples
- Add BACKUP-QUICKSTART.md for quick reference commands
- Update README.md to reference automated backup workflow
- Create backups/ directory structure

The script tests SSH connectivity successfully to pfSense.

pfsense.home.arpa/VLAN-CONFIG.md

@@ -0,0 +1,173 @@
+# VLAN Configuration Reference
+
+Network segmentation configuration for pfsense.home.arpa router.
+
+## VLAN Definitions
+
+```yaml
+vlans:
+  lan_secure:
+    vlan_id: 1
+    description: "Main trusted network"
+    subnet: "172.27.0.0/24"
+    gateway: "172.27.0.1"
+    dhcp_start: "172.27.0.100"
+    dhcp_end: "172.27.0.200"
+    purpose: "Primary network for personal/trusted devices"
+    isolation: "Gateway to WAN, can access VLANs as configured"
+    firewall_default: "allow_outbound"
+
+  vlan_aiworkload:
+    vlan_id: 2
+    description: "AI/ML Workload (Dangerous/OpenClaw)"
+    subnet: "172.27.2.0/24"
+    gateway: "172.27.2.1"
+    dhcp_start: "172.27.2.100"
+    dhcp_end: "172.27.2.200"
+    purpose: "Isolated workload for AI/ML experiments, sandbox for untrusted code"
+    isolation: "Blocked from LAN_SECURE, can access WAN"
+    firewall_default: "deny_incoming, allow_outbound_to_wan"
+    access_from_secure: "none"  # LAN_SECURE cannot reach this VLAN
+
+  vlan_iot:
+    vlan_id: 3
+    description: "IoT Devices"
+    subnet: "172.27.3.0/24"
+    gateway: "172.27.3.1"
+    dhcp_start: "172.27.3.100"
+    dhcp_end: "172.27.3.200"
+    purpose: "Smart home devices (cameras, sensors, thermostats, etc.)"
+    isolation: "Blocked from LAN_SECURE, can access WAN for updates/APIs"
+    firewall_default: "deny_incoming, allow_outbound_to_wan"
+    access_from_secure: "none"  # LAN_SECURE cannot reach this VLAN
+```
+
+## Firewall Rule Summary
+
+### From LAN_SECURE (172.27.0.0/24)
+- ✓ To Internet (WAN)
+- ✗ To VLAN_AIWORKLOAD (blocked)
+- ✗ To VLAN_IOT (blocked)
+- ✓ Internal (same subnet)
+
+### From VLAN_AIWORKLOAD (172.27.2.0/24)
+- ✓ To Internet (WAN)
+- ✗ To LAN_SECURE (blocked)
+- ✗ To VLAN_IOT (blocked)
+- ✓ Internal (same subnet)
+
+### From VLAN_IOT (172.27.3.0/24)
+- ✓ To Internet (WAN)
+- ✗ To LAN_SECURE (blocked)
+- ✗ To VLAN_AIWORKLOAD (blocked)
+- ✓ Internal (same subnet)
+
+## DHCP Configuration
+
+Each VLAN has its own DHCP server:
+
+```
+VLAN_SECURE:      172.27.0.100   - 172.27.0.200   (Gateway: 172.27.0.1)
+VLAN_AIWORKLOAD:  172.27.2.100   - 172.27.2.200   (Gateway: 172.27.2.1)
+VLAN_IOT:         172.27.3.100   - 172.27.3.200   (Gateway: 172.27.3.1)
+```
+
+**DNS Server** (for all VLANs): 172.27.0.1 (pfSense resolver)
+
+## Physical Switch Configuration (If Applicable)
+
+If using a managed switch, configure VLAN tagging:
+
+```
+Port 1 (LAN_SECURE):
+  - Mode: Access
+  - VLAN: 1 (untagged, native)
+  - Devices: Personal computers, laptops
+
+Port 2 (VLAN_AIWORKLOAD):
+  - Mode: Access
+  - VLAN: 2 (untagged)
+  - Devices: Openclaw server, GPU workstations
+  - OR: Trunk (if pfSense applies tags)
+
+Port 3 (VLAN_IOT):
+  - Mode: Access
+  - VLAN: 3 (untagged)
+  - Devices: Smart home devices, cameras, sensors
+  - OR: Trunk (if pfSense applies tags)
+
+Port 4 (Uplink to pfSense):
+  - Mode: Trunk
+  - VLANs: 1, 2, 3
+  - Tagged: 2, 3 (VLAN 1 typically untagged on trunk)
+```
+
+## Device Assignments
+
+Assign devices to VLANs using DHCP static mappings or by setting up switch port VLANs.
+
+### Planned Devices
+
+**VLAN_SECURE (LAN_SECURE):**
+- [ ] Your personal laptop/desktop
+- [ ] Network printer (if any)
+- [ ] Home automation controller (if trusted)
+
+**VLAN_AIWORKLOAD (VLAN_AIWORKLOAD):**
+- [ ] Openclaw server / AI workstation
+- [ ] GPU compute server
+- [ ] Experimental machine learning environment
+
+**VLAN_IOT (VLAN_IOT):**
+- [ ] Smart home cameras
+- [ ] Temperature/humidity sensors
+- [ ] Smart thermostat
+- [ ] IoT gateway (if not trusted)
+- [ ] Smart switches/outlets
+
+## Implementation Checklist
+
+- [ ] Create VLAN 2 (VLAN_AIWORKLOAD) on parent interface
+- [ ] Create VLAN 3 (VLAN_IOT) on parent interface
+- [ ] Apply VLAN changes
+- [ ] Create virtual interface for VLAN_AIWORKLOAD (OPT1)
+  - [ ] Set IP: 172.27.2.1/24
+  - [ ] Enable interface
+  - [ ] Apply changes
+- [ ] Create virtual interface for VLAN_IOT (OPT2)
+  - [ ] Set IP: 172.27.3.1/24
+  - [ ] Enable interface
+  - [ ] Apply changes
+- [ ] Configure DHCP for VLAN_AIWORKLOAD
+- [ ] Configure DHCP for VLAN_IOT
+- [ ] Configure firewall rules for LAN_SECURE
+- [ ] Configure firewall rules for VLAN_AIWORKLOAD
+- [ ] Configure firewall rules for VLAN_IOT
+- [ ] Test DHCP on each VLAN
+- [ ] Test inter-VLAN isolation
+- [ ] Backup pfSense configuration
+- [ ] Commit configuration to git
+
+## Notes & Decisions
+
+### Why These Subnets?
+- **172.27.x.x/16**: Private RFC 1918 range (172.16.0.0 - 172.31.255.255)
+- Each VLAN gets a /24 subnet (254 usable IPs per VLAN)
+- Easy to route and remember (VLAN ID = third octet)
+
+### Why This Isolation?
+- **LAN_SECURE** ↔ **VLAN_AIWORKLOAD**: Complete isolation prevents compromised AI workload from reaching trusted devices
+- **LAN_SECURE** ↔ **VLAN_IOT**: IoT devices have broader vulnerabilities; isolation prevents lateral movement
+- **VLAN_AIWORKLOAD** ↔ **VLAN_IOT**: Reduces attack surface between untrusted zones
+- All VLANs → WAN: Allows devices to update, phone home, or reach cloud services
+
+### Future Enhancements
+- Add guest VLAN for visitors
+- Configure VPN access to VLAN_SECURE only
+- Implement QoS rules per VLAN
+- Add Intrusion Detection (Suricata) on VLAN boundaries
+- Monitor inter-VLAN traffic in firewall logs
+
+---
+
+**Last Updated:** 2026-04-22