Add pfSense backup utility and documentation

- Add backup-pfsense-config.sh script for automated config backups via SSH
- Auto-commits backups to git with timestamped filenames
- Includes validation, error handling, and troubleshooting guides
- Add scripts/README.md with detailed usage and crontab examples
- Add BACKUP-QUICKSTART.md for quick reference commands
- Update README.md to reference automated backup workflow
- Create backups/ directory structure

The script tests SSH connectivity successfully to pfSense.

pfsense.home.arpa/VLAN-QUICKSTART.md

@@ -0,0 +1,291 @@
+# VLAN Implementation Quickstart
+
+Step-by-step checklist for configuring VLANs on pfSense. Use this guide to implement your 3-VLAN network.
+
+## Pre-Implementation
+
+Before you start, gather this information:
+
+- [ ] pfSense WebUI URL (usually `https://192.168.1.1` or similar)
+- [ ] Admin credentials for pfSense
+- [ ] Your WAN/LAN interface names (check: **Interfaces → Assignments**)
+- [ ] Backup your current pfSense config (download before making changes)
+- [ ] Physical switch info (if you have one) — check if it supports VLAN tagging
+
+## Phase 1: Create VLANs (5 minutes)
+
+1. **Log into pfSense WebUI**
+   - [ ] Open `https://[pfSense-IP]`
+   - [ ] Enter admin credentials
+
+2. **Navigate to VLAN Creation**
+   - [ ] Go: **Interfaces → VLANs**
+   - [ ] Click **Display Advanced**
+
+3. **Create VLAN_AIWORKLOAD**
+   - [ ] Click **+ Add**
+   - [ ] Parent Interface: `em0` (or your LAN NIC name)
+   - [ ] VLAN Tag: `2`
+   - [ ] VLAN Priority: `0`
+   - [ ] Description: `VLAN_AIWORKLOAD`
+   - [ ] Click **Save**
+
+4. **Create VLAN_IOT**
+   - [ ] Click **+ Add**
+   - [ ] Parent Interface: `em0`
+   - [ ] VLAN Tag: `3`
+   - [ ] VLAN Priority: `0`
+   - [ ] Description: `VLAN_IOT`
+   - [ ] Click **Save**
+
+5. **Apply Changes**
+   - [ ] Click **Apply Changes** button
+   - [ ] Wait for reboot/apply to complete
+
+## Phase 2: Assign Virtual Interfaces (5 minutes)
+
+1. **Navigate to Assignments**
+   - [ ] Go: **Interfaces → Assignments**
+
+2. **Note down the OPT interfaces created**
+   - [ ] You should see two new entries: e.g., `em0.2` and `em0.3`
+   - [ ] These will be assigned as `OPT1` and `OPT2` (or similar)
+
+3. **Click the OPT1 link** (VLAN_AIWORKLOAD)
+   - [ ] Description: `VLAN_AIWORKLOAD`
+   - [ ] IPv4 Configuration Type: `Static IPv4`
+   - [ ] IPv4 Address: `172.27.2.1`
+   - [ ] IPv4 Subnet Mask: `255.255.255.0`
+   - [ ] IPv6 Configuration Type: `None`
+   - [ ] **Enable Interface**: ✓ Check this box
+   - [ ] Scroll down and click **Save**
+
+4. **Repeat for OPT2** (VLAN_IOT)
+   - [ ] Description: `VLAN_IOT`
+   - [ ] IPv4 Configuration Type: `Static IPv4`
+   - [ ] IPv4 Address: `172.27.3.1`
+   - [ ] IPv4 Subnet Mask: `255.255.255.0`
+   - [ ] **Enable Interface**: ✓ Check this box
+   - [ ] Scroll down and click **Save**
+
+5. **Apply Changes**
+   - [ ] Click **Apply Changes** button
+
+## Phase 3: Configure DHCP (10 minutes)
+
+1. **Navigate to DHCP Server**
+   - [ ] Go: **Services → DHCP Server**
+
+2. **Configure VLAN_AIWORKLOAD DHCP**
+   - [ ] Click **VLAN_AIWORKLOAD** tab
+   - [ ] **Enable DHCP server on VLAN_AIWORKLOAD interface**: ✓ Check
+   - [ ] **Range Start**: `172.27.2.100`
+   - [ ] **Range End**: `172.27.2.200`
+   - [ ] Scroll down to **Servers** section
+   - [ ] **DNS 1**: `172.27.0.1` (pfSense)
+   - [ ] **DNS 2**: `8.8.8.8` (optional backup)
+   - [ ] **Gateway**: Should auto-populate as `172.27.2.1`
+   - [ ] Scroll down and click **Save**
+
+3. **Configure VLAN_IOT DHCP**
+   - [ ] Click **VLAN_IOT** tab
+   - [ ] **Enable DHCP server on VLAN_IOT interface**: ✓ Check
+   - [ ] **Range Start**: `172.27.3.100`
+   - [ ] **Range End**: `172.27.3.200`
+   - [ ] Scroll down to **Servers** section
+   - [ ] **DNS 1**: `172.27.0.1`
+   - [ ] **DNS 2**: `8.8.8.8`
+   - [ ] **Gateway**: Should auto-populate as `172.27.3.1`
+   - [ ] Scroll down and click **Save**
+
+4. **Verify LAN DHCP**
+   - [ ] Click **LAN** tab
+   - [ ] Confirm **Enable DHCP server on LAN interface** is ✓ checked
+   - [ ] Verify gateway is `172.27.0.1`
+   - [ ] Click **Save**
+
+5. **Apply Changes**
+   - [ ] Click **Apply Changes** button
+
+## Phase 4: Configure Firewall Rules (15 minutes)
+
+### LAN → VLAN Rules
+
+1. **Go to LAN rules**
+   - [ ] **Firewall → Rules → LAN**
+
+2. **Add rule: Block LAN → VLAN_AIWORKLOAD**
+   - [ ] Click **+ Add** (at bottom)
+   - [ ] Action: `Block`
+   - [ ] Interface: `LAN`
+   - [ ] Direction: `in`
+   - [ ] Address Family: `IPv4`
+   - [ ] Protocol: `any`
+   - [ ] Source: `LAN subnet` (or specify `172.27.0.0/24`)
+   - [ ] Destination: `VLAN_AIWORKLOAD subnet` (specify `172.27.2.0/24`)
+   - [ ] Description: `Block LAN → VLAN_AIWORKLOAD`
+   - [ ] Click **Save**
+
+3. **Add rule: Block LAN → VLAN_IOT**
+   - [ ] Click **+ Add**
+   - [ ] Action: `Block`
+   - [ ] Interface: `LAN`
+   - [ ] Source: `172.27.0.0/24`
+   - [ ] Destination: `172.27.3.0/24`
+   - [ ] Description: `Block LAN → VLAN_IOT`
+   - [ ] Click **Save**
+
+### VLAN_AIWORKLOAD Rules
+
+1. **Go to VLAN_AIWORKLOAD rules**
+   - [ ] **Firewall → Rules → VLAN_AIWORKLOAD** (or OPT1)
+
+2. **Add rule: Block VLAN_AIWORKLOAD → LAN**
+   - [ ] Click **+ Add**
+   - [ ] Action: `Block`
+   - [ ] Interface: `VLAN_AIWORKLOAD`
+   - [ ] Source: `VLAN_AIWORKLOAD subnet` (specify `172.27.2.0/24`)
+   - [ ] Destination: `LAN subnet` (specify `172.27.0.0/24`)
+   - [ ] Description: `Block VLAN_AIWORKLOAD → LAN`
+   - [ ] Click **Save**
+
+3. **Add rule: Allow VLAN_AIWORKLOAD → WAN**
+   - [ ] Click **+ Add**
+   - [ ] Action: `Pass`
+   - [ ] Interface: `VLAN_AIWORKLOAD`
+   - [ ] Source: `VLAN_AIWORKLOAD subnet` (specify `172.27.2.0/24`)
+   - [ ] Destination: `any`
+   - [ ] Protocol: `any`
+   - [ ] Description: `Allow VLAN_AIWORKLOAD → Internet`
+   - [ ] Click **Save**
+
+### VLAN_IOT Rules
+
+1. **Go to VLAN_IOT rules**
+   - [ ] **Firewall → Rules → VLAN_IOT** (or OPT2)
+
+2. **Add rule: Block VLAN_IOT → LAN**
+   - [ ] Click **+ Add**
+   - [ ] Action: `Block`
+   - [ ] Interface: `VLAN_IOT`
+   - [ ] Source: `VLAN_IOT subnet` (specify `172.27.3.0/24`)
+   - [ ] Destination: `LAN subnet` (specify `172.27.0.0/24`)
+   - [ ] Description: `Block VLAN_IOT → LAN`
+   - [ ] Click **Save**
+
+3. **Add rule: Block VLAN_IOT → VLAN_AIWORKLOAD**
+   - [ ] Click **+ Add**
+   - [ ] Action: `Block`
+   - [ ] Source: `172.27.3.0/24`
+   - [ ] Destination: `172.27.2.0/24`
+   - [ ] Description: `Block VLAN_IOT → VLAN_AIWORKLOAD`
+   - [ ] Click **Save**
+
+4. **Add rule: Allow VLAN_IOT → WAN**
+   - [ ] Click **+ Add**
+   - [ ] Action: `Pass`
+   - [ ] Source: `VLAN_IOT subnet` (specify `172.27.3.0/24`)
+   - [ ] Destination: `any`
+   - [ ] Protocol: `any`
+   - [ ] Description: `Allow VLAN_IOT → Internet`
+   - [ ] Click **Save**
+
+### Apply Firewall Changes
+
+- [ ] Click **Apply Changes** button (usually at top of rules)
+
+## Phase 5: Testing (10 minutes)
+
+### Test DHCP
+
+1. **Connect a test device to VLAN_AIWORKLOAD**
+   - [ ] Assign a device to this VLAN (via switch port or manually)
+   - [ ] Check if device gets IP in range 172.27.2.100-200
+   - [ ] Verify gateway shows 172.27.2.1
+   - [ ] Test ping to gateway: `ping 172.27.2.1` ✓
+
+2. **Connect a test device to VLAN_IOT**
+   - [ ] Assign a device to this VLAN
+   - [ ] Check if device gets IP in range 172.27.3.100-200
+   - [ ] Verify gateway shows 172.27.3.1
+   - [ ] Test ping to gateway: `ping 172.27.3.1` ✓
+
+### Test Inter-VLAN Isolation
+
+1. **Test VLAN_AIWORKLOAD cannot reach LAN**
+   - [ ] From device on VLAN_AIWORKLOAD (172.27.2.x)
+   - [ ] Try ping to LAN device (172.27.0.x)
+   - [ ] Should timeout/fail ✗ (expected)
+
+2. **Test VLAN_IOT cannot reach LAN**
+   - [ ] From device on VLAN_IOT (172.27.3.x)
+   - [ ] Try ping to LAN device (172.27.0.x)
+   - [ ] Should timeout/fail ✗ (expected)
+
+3. **Test LAN cannot reach VLANs**
+   - [ ] From LAN device (172.27.0.x)
+   - [ ] Try ping to VLAN_AIWORKLOAD device (172.27.2.x)
+   - [ ] Should timeout/fail ✗ (expected)
+
+### Test Internet Access
+
+1. **Test VLAN_AIWORKLOAD → Internet**
+   - [ ] From device on VLAN_AIWORKLOAD
+   - [ ] Test DNS: `nslookup google.com` ✓
+   - [ ] Test internet: `ping 8.8.8.8` ✓
+
+2. **Test VLAN_IOT → Internet**
+   - [ ] From device on VLAN_IOT
+   - [ ] Test DNS: `nslookup google.com` ✓
+   - [ ] Test internet: `ping 8.8.8.8` ✓
+
+## Phase 6: Backup & Documentation (5 minutes)
+
+1. **Backup pfSense Configuration**
+   - [ ] Go: **Diagnostics → Backup & Restore**
+   - [ ] Click **Download configuration as XML**
+   - [ ] Save as: `pfsense-config-vlan-setup-2026-04-22.xml`
+
+2. **Commit to Git**
+   ```bash
+   cd /Users/kenjim/workspace/src/personal/appa-net
+   git add pfsense.home.arpa/
+   git commit -m "pfSense: Initial VLAN configuration (VLAN_AIWORKLOAD, VLAN_IOT)"
+   git push
+   ```
+   - [ ] Commit completed
+
+3. **Document Completion**
+   - [ ] Update this file with completion date
+   - [ ] Note any deviations from plan
+   - [ ] Record interface names if different from expected
+
+## Troubleshooting
+
+| Issue | Solution |
+|-------|----------|
+| Device not getting DHCP | Check DHCP is enabled for that VLAN in **Services → DHCP Server** |
+| Can't ping gateway | Verify virtual interface is enabled (**Interfaces → Assignments**) |
+| Can't reach internet | Check WAN allow rules in firewall |
+| Still can reach between VLANs | Check firewall rules order (first match wins); rules may be in wrong order |
+| Switch not forwarding VLAN traffic | Verify trunk port on switch is tagged for all VLANs |
+
+## Post-Implementation
+
+Once everything is working:
+
+1. **Assign your devices** to VLANs via DHCP static mappings
+   - See [VLAN-CONFIG.md](VLAN-CONFIG.md) for device list
+
+2. **Monitor firewall logs** for unexpected traffic
+   - Go: **Status → System Logs → Firewall**
+
+3. **Update your documentation** as you add more devices
+
+4. **Schedule regular backups**
+   - Monthly: Export pfSense config to `backups/pfsense-config-YYYY-MM-DD.xml`
+
+---
+
+**Estimated Total Time**: 45 minutes  
+**Last Updated**: 2026-04-22