Document AirPlay cross-VLAN firewall rules and fix rule ordering

AirPlay from Main to IoT VLAN (Samsung Frame TV) required adding
established/related, AirPlay port, and dynamic reverse port rules —
but the root cause was rule ordering (allows appended after blocks).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Erich Blume 2026-02-24 20:49:31 -08:00
commit 34a1314f8d
3 changed files with 16 additions and 16 deletions

View file

@ -0,0 +1 @@
Document AirPlay cross-VLAN firewall rules for Samsung Frame TV (established/related, AirPlay ports, dynamic reverse) and fix rule ordering in segment-home-network plan.

View file

@ -1,6 +1,6 @@
---
title: "Plan: Segment Home Network"
modified: 2026-02-14
modified: 2026-02-24
tags:
- how-to
- plans
@ -88,30 +88,29 @@ Configured at Settings → Policy Engine → Traffic & Firewall Rules, using Zon
All three networks (Default, IoT, Guest) are in the **Internal** zone. Default inter-VLAN policy is **allow**, so we add **block** rules. **Rule ordering matters** — allow rules must come before matching block rules. Rules are combined where the UI supports multiple destinations.
**Reordering rules:** The default Traffic & Firewall Rules view may grey out the Reorder button. Use the **Policy Engine → zone matrix view** (grid icon in the left sidebar under Policy Engine) instead — this view allows reordering.
| # | Name | Action | Source | Destination | Protocol/Port | Notes |
|---|------|--------|--------|-------------|---------------|-------|
| 1 | Guest → Main,IoT block | Block | Guest | Default + IoT | All | Internet-only isolation, combined into one rule |
| 2 | IoT → Main streaming allow | Allow | IoT | 192.168.1.99 (indri) | TCP 443, 8096 | Jellyfin direct (8096) and Caddy (443) — must be BEFORE the block rule |
| 3 | IoT → Main block | Block | IoT | Default | All | Protect NFS and trusted devices |
| 1 | Allow established/related | Allow | Any | Any | All (Return Traffic only) | Allows return traffic for initiated connections; must be first |
| 2 | IoT → Main streaming allow | Allow | IoT | 192.168.1.99 (indri) | TCP 443, 8096 | Jellyfin direct (8096) and Caddy (443) |
| 3 | Main → IoT AirPlay | Allow | Default | 192.168.3.62 (Frame TV) | TCP+UDP 80,443,554,3689,5000-5001,7000-7001,7100,5353,6001-6002,7010-7011 | AirPlay control and streaming; add more IoT IPs as needed |
| 4 | IoT AirPlay → Main reverse | Allow | 192.168.3.62 (Frame TV) | Default | TCP+UDP 49152-65535 | AirPlay dynamic reverse connections; scoped to TV IP only. May be unnecessary — see note below |
| 5 | Guest → Main,IoT block | Block | Guest | Default + IoT | All | Internet-only isolation, combined into one rule |
| 6 | IoT → Main block | Block | IoT | Default | All | Protect NFS and trusted devices |
### Notes on Firewall Rules
**IoT streaming:** Jellyfin listens on indri:8096 (HTTP). IoT devices (Frame TV) connect directly to `http://192.168.1.99:8096`. Rule 2 allows this specific port; all other Main network access from IoT is blocked by rule 3. The `*.ops.eblu.me` domain resolves to indri's Tailscale IP (100.x.x.x), which is unreachable from non-Tailscale devices, so IoT devices must use the LAN IP directly.
**Rule ordering is critical.** The zone-based policy engine evaluates rules by their index (display order). Allow rules placed after block rules are never reached. When creating new rules, they are appended at the end — use the zone matrix view to reorder them above the block rules.
**Indri static IP:** Set a DHCP reservation for indri at 192.168.1.99 in the UX7 client list to ensure the firewall rule remains valid.
**AirPlay across VLANs** requires: (1) mDNS reflector enabled on both networks for device discovery, (2) allow rules for AirPlay control ports from Main → TV, and (3) the established/related rule (rule 1) to allow return traffic. Rule 4 (dynamic reverse ports) was added during troubleshooting but may not be necessary — the original failure was caused by rule ordering (allow rules placed after block rules), not missing port rules. If tightening the firewall in the future, try disabling rule 4 and testing whether AirPlay still works with just the established/related rule. The TV IP (192.168.3.62) has a fixed DHCP reservation.
**IoT streaming:** Jellyfin listens on indri:8096 (HTTP). IoT devices (Frame TV) connect directly to `http://192.168.1.99:8096`. Rule 2 allows this specific port; all other Main network access from IoT is blocked by rule 6. The `*.ops.eblu.me` domain resolves to indri's Tailscale IP (100.x.x.x), which is unreachable from non-Tailscale devices, so IoT devices must use the LAN IP directly.
**DHCP reservations:** Indri at 192.168.1.99 and Frame TV at 192.168.3.62 — both have fixed IPs to ensure firewall rules remain valid.
**NFS exports:** No changes needed to sifaka's NFS configuration. The exports whitelist `192.168.1.0/24` — after segmentation, only Main network devices are on that subnet. IoT (192.168.3.0/24) and Guest (192.168.2.0/24) can't reach NFS because they're on different subnets. The firewall rules provide defense-in-depth.
## Verification
After applying the configuration:
- [x] From Main device: internet works, can reach all services, can reach sifaka
- [x] From IoT device: internet works, can stream Jellyfin (8096), CANNOT reach sifaka
- [ ] From Guest device: internet works, CANNOT reach any internal service
- [ ] AirPlay/casting from Main to IoT TV works (mDNS reflector)
- [x] All wired devices (indri, sifaka, gilbert) unaffected on default VLAN
## Future Considerations
- **UnPoller** — add Prometheus metrics exporter for UniFi gear, integrates with existing Grafana stack
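Review bot: rule 1 (`Allow established/related | Any | Any | All (Return Traffic only)`) sits first and matches any source and destination, so it only preserves the IoT → Main and Guest → Main,IoT blocks if the "Return Traffic only" match is genuinely stateful (established/related); please state in the table note that the rule must be created with that option and not as a plain Any/Any allow, since a plain allow in position 1 would make rules 5 and 6 unreachable by the same ordering logic this commit documents. Rule 4 (`192.168.3.62 → Default | TCP+UDP 49152-65535`) is the one broad hole left open from IoT into Main; the notes already say it may be unnecessary, so rather than a "try disabling it in the future" sentence, add a verification item that tests AirPlay with rule 4 disabled and either drop the rule or record why it is needed. Finally, the Verification checklist still has `- [ ] AirPlay/casting from Main to IoT TV works (mDNS reflector)` unchecked even though the commit message says AirPlay now works after the reordering; update the checkbox (and the Guest item, if that was also retested) so the checklist reflects the state described above it.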

View file

@ -1,6 +1,6 @@
---
title: UniFi
modified: 2026-02-14
modified: 2026-02-24
tags:
- infrastructure
- networking