Add pfSense backup utility and documentation

- Add backup-pfsense-config.sh script for automated config backups via SSH
- Auto-commits backups to git with timestamped filenames
- Includes validation, error handling, and troubleshooting guides
- Add scripts/README.md with detailed usage and crontab examples
- Add BACKUP-QUICKSTART.md for quick reference commands
- Update README.md to reference automated backup workflow
- Create backups/ directory structure

The script tests SSH connectivity successfully to pfSense.

zet.home.arpa/PROXY-SETUP.md

@@ -0,0 +1,66 @@
+# Transparent proxy notes for zet (172.27.0.35)
+
+Summary
+- Squid runs on 172.27.0.35 (zet). We'll intercept HTTP traffic from selected child IPs and forward it to Squid.
+- Approach: configure Squid for intercepted HTTP, create a pfSense Alias for children, add a NAT port-forward (80 -> 172.27.0.35:3128) limited to that Alias, and ensure appropriate firewall rules.
+
+Prerequisites
+- Squid installed and reachable from pfSense (172.27.0.35).
+- pfSense LAN interface used by children (pfSense at 172.27.0.1).
+- List of children IPs or an IP range (create Alias in pfSense).
+
+Squid minimal config (intercept HTTP)
+```
+http_port 3128 intercept
+acl localnet src 172.27.0.0/24
+acl children src 172.27.0.100-172.27.0.110  # replace with your child IPs/range
+http_access allow children
+http_access deny all
+access_log /var/log/squid/access.log
+```
+- Restart Squid after changes: `sudo systemctl restart squid` or `service squid restart`.
+
+pfSense steps (high level)
+1. Firewall → Aliases → Add
+   - Type: Hosts (or Network)
+   - Name: Children_Devices
+   - Add each child's static IP (or a range entry)
+   - Save
+
+2. Firewall → NAT → Port Forward → Add
+   - Interface: LAN (or interface children use)
+   - Protocol: TCP
+   - Source: Children_Devices (the Alias)
+   - Destination: any
+   - Destination port range: HTTP (80)
+   - Redirect target IP: 172.27.0.35
+   - Redirect target port: 3128
+   - Description: Redirect children HTTP -> Squid
+   - Save and Apply
+   - If prompted, allow pfSense to add the required firewall rule; otherwise add a LAN rule permitting Source=Children_Devices -> Destination=172.27.0.35 port 3128.
+
+3. Firewall rule: ensure the Alias is allowed outbound on LAN as needed. The NAT rule will create a rule; double-check to avoid accidental blocking.
+
+Verification
+- Watch Squid logs on `zet`:
+  - `sudo tail -F /var/log/squid/access.log`
+- From a child device, request an HTTP page and confirm the request appears in the access log.
+- On pfSense: Diagnostics → Packet Capture (interface LAN, filter host <child_ip> and port 80) to confirm redirection.
+- On `zet`: `sudo tcpdump -n -i any host <child_ip> and port 80` to see forwarded connections.
+
+Notes & caveats
+- This only intercepts plain HTTP (port 80). HTTPS (port 443) interception requires ssl-bump / TLS interception:
+  - Requires creating a CA, configuring Squid SSL bump, and installing the CA on every client — this is intrusive and may break some apps.
+  - Consider leaving HTTPS un-intercepted or using explicit proxying for HTTPS instead.
+- If clients have explicit proxy settings (via WPAD/DHCP 252), they will send traffic directly to the proxy and the NAT interception will not be used for those flows.
+- WPAD option: you can advertise a PAC via DHCP Option 252 (value `http://172.27.0.35/wpad.dat`) to auto-configure browsers instead of intercepting.
+
+Quick debug commands
+- Restart squid: `sudo systemctl restart squid` or `service squid restart`
+- Tail access log: `sudo tail -F /var/log/squid/access.log`
+- Test from a child: `curl -I http://example.com`
+- tcpdump on zet: `sudo tcpdump -n -i any host <child_ip> and port 80`
+
+If you want, provide the exact child IPs and I will give you the precise pfSense NAT rule fields and a ready-to-paste `squid.conf` snippet for your environment.
+
+-- notes written by assistant