Add cross-VLAN casting docs, update device assignments

- New doc: 11-CROSS-VLAN-CASTING.md with full MikroTik config
  (firewall rules, FastTrack exclusion, mDNS, IGMP proxy,
  AirPlay/Chromecast troubleshooting)
- Update device IPs: LG TV .40/.41, Chromecast .42
- Move HP printer from VLAN 40 to VLAN 30 at .30

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/06-VLAN-DEVICE-ASSIGNMENT.md

@@ -67,9 +67,10 @@
 | IP | MAC Address | Device | Location | Comment |
 |----|-------------|--------|----------|---------|
 | 192.168.30.10 | 50:2C:C6:7A:55:39 | Air Conditioner | Living Room | GREE Electric |
-| 192.168.30.11 | B0:37:95:79:AF:9B | LG TV | Living Room | LAN (not connected) |
+| 192.168.30.30 | 64:4E:D7:D8:43:3E | HP LaserJet M110w | Office | WiFi printer |
-| 192.168.30.12 | DC:03:98:6B:5A:3A | LG TV | Living Room | WiFi (active) |
+| 192.168.30.40 | B0:37:95:79:AF:9B | LG TV (Ethernet) | Living Room | Use ONE interface only for AirPlay |
-| 192.168.30.13 | D0:E7:82:F7:65:DD | Chromecast | Living Room | Streaming |
+| 192.168.30.41 | DC:03:98:6B:5A:3A | LG TV (WiFi) | Living Room | Use ONE interface only for AirPlay |
+| 192.168.30.42 | D0:E7:82:F7:65:DD | Chromecast | Living Room | Requires WPA2+AES (no TKIP) |
 | 192.168.30.14 | B0:4A:39:3F:9A:14 | Roborock S7 Vacuum | Living Room | Needs cloud access |
 | 192.168.30.20 | 94:27:70:1E:0C:EE | Bosch Smart Oven | Kitchen | Home Connect app |
 | 192.168.30.21 | C8:D7:78:40:65:40 | Bosch Dishwasher | Kitchen | Home Connect app |
@@ -95,7 +96,7 @@
 
 | IP | MAC Address | Device | Purpose | Comment |
 |----|-------------|--------|---------|---------|
-| 192.168.40.19 | 64:4E:D7:D8:43:3E | HP LaserJet | Network printer | Wired connection |
+| — | — | — | — | Printer moved to VLAN 30 |
 
 ---
 
@@ -140,7 +141,8 @@ A4:D1:D2:7B:52:BE  Compusbg iPad
 
 **VLAN 30 - IoT:**
 ```
-B0:37:95:79:AF:9B  LG TV (LAN)
+64:4E:D7:D8:43:3E  HP LaserJet M110w
+B0:37:95:79:AF:9B  LG TV (Ethernet)
 DC:03:98:6B:5A:3A  LG TV (WiFi)
 D0:E7:82:F7:65:DD  Chromecast
 B0:4A:39:3F:9A:14  Roborock Vacuum
@@ -163,7 +165,7 @@ FC:D5:D9:EB:6A:82  Settop Box (LAN)
 
 **VLAN 40 - Servers:**
 ```
-64:4E:D7:D8:43:3E  HP LaserJet
+(empty - printer moved to VLAN 30)
 ```
 
 **VLAN 50 - Guest:**

docs/11-CROSS-VLAN-CASTING.md

@@ -0,0 +1,167 @@
+# Cross-VLAN Casting & Streaming
+
+Configuration for casting/streaming from VLANs 10 (Mgmt), 20 (Trusted), and 25 (Kids) to devices on VLAN 30 (IoT).
+
+## Casting Devices
+
+| Device | MAC (Ethernet) | MAC (WiFi) | Static IP | VLAN |
+|--------|---------------|------------|-----------|------|
+| LG TV (webOS) | B0:37:95:79:AF:9B | DC:03:98:6B:5A:3A | .40 (eth) / .41 (wifi) | 30 |
+| Chromecast | — | D0:E7:82:F7:65:DD | .42 | 30 |
+
+All IPs in subnet `192.168.30.0/24`.
+
+## What Works
+
+| Feature | From VLAN 20/25/10 | Notes |
+|---------|-------------------|-------|
+| AirPlay (Mac → LG TV) | Yes | TV must use ONE interface only (see below) |
+| Smart View (Samsung → LG TV) | Yes | Works without issues |
+| YouTube Cast (phone → TV/Chromecast) | Yes | Via TV Link Code, not device discovery |
+| Chromecast casting | Yes | Requires mDNS repeater |
+
+## What Doesn't Work
+
+| Feature | Reason |
+|---------|--------|
+| LG ThinQ remote app | Client-side subnet check — app refuses if phone and TV are on different subnets. No workaround. |
+
+## MikroTik Configuration
+
+### 1. Address List
+
+```routeros
+/ip/firewall/address-list
+add list=casting-devices address=192.168.30.40 comment="LG TV Ethernet"
+add list=casting-devices address=192.168.30.41 comment="LG TV WiFi"
+add list=casting-devices address=192.168.30.42 comment="Chromecast"
+```
+
+### 2. Firewall Rules (Forward Chain)
+
+Bidirectional rules — casting devices need to initiate connections back (AirPlay uses separate UDP channels for timing/control).
+
+```routeros
+/ip/firewall/filter
+# Forward: source VLANs → IoT
+add chain=forward action=accept src-address=192.168.20.0/24 dst-address=192.168.30.0/24 comment="Allow Trusted to IoT (casting)"
+add chain=forward action=accept src-address=192.168.25.0/24 dst-address=192.168.30.0/24 comment="Allow Kids to IoT (casting)"
+add chain=forward action=accept src-address=192.168.10.0/24 dst-address=192.168.30.0/24 comment="Allow Mgmt to IoT"
+
+# Return: casting devices → source VLANs
+add chain=forward action=accept src-address-list=casting-devices dst-address=192.168.20.0/24 comment="Allow casting devices to Trusted (casting return)"
+add chain=forward action=accept src-address-list=casting-devices dst-address=192.168.25.0/24 comment="Allow casting devices to Kids (casting return)"
+add chain=forward action=accept src-address-list=casting-devices dst-address=192.168.10.0/24 comment="Allow casting devices to Mgmt (casting return)"
+```
+
+These rules must be **before** the IoT block rules:
+```routeros
+# Block IoT → other VLANs (AFTER the return rules above)
+add chain=forward action=drop src-address=192.168.30.0/24 dst-address=192.168.10.0/24 comment="Block IoT to Management"
+add chain=forward action=drop src-address=192.168.30.0/24 dst-address=192.168.20.0/24 comment="Block IoT to Trusted"
+```
+
+### 3. FastTrack Exclusion (Mangle)
+
+FastTrack bypasses conntrack/firewall — must exclude inter-VLAN casting traffic.
+
+```routeros
+/ip/firewall/mangle
+add chain=forward action=mark-connection new-connection-mark=no-fasttrack passthrough=yes src-address=192.168.20.0/24 dst-address=192.168.30.0/24 comment="No FastTrack: Trusted<->IoT (casting)"
+add chain=forward action=mark-connection new-connection-mark=no-fasttrack passthrough=yes src-address=192.168.30.0/24 dst-address=192.168.20.0/24 comment="No FastTrack: IoT<->Trusted (casting)"
+add chain=forward action=mark-connection new-connection-mark=no-fasttrack passthrough=yes src-address=192.168.25.0/24 dst-address=192.168.30.0/24 comment="No FastTrack: Kids<->IoT (casting)"
+add chain=forward action=mark-connection new-connection-mark=no-fasttrack passthrough=yes src-address=192.168.30.0/24 dst-address=192.168.25.0/24 comment="No FastTrack: IoT<->Kids (casting)"
+add chain=forward action=mark-connection new-connection-mark=no-fasttrack passthrough=yes src-address=192.168.10.0/24 dst-address=192.168.30.0/24 comment="No FastTrack: Mgmt<->IoT (casting)"
+add chain=forward action=mark-connection new-connection-mark=no-fasttrack passthrough=yes src-address=192.168.30.0/24 dst-address=192.168.10.0/24 comment="No FastTrack: IoT<->Mgmt (casting)"
+```
+
+FastTrack rule must use `connection-mark=no-mark`:
+```routeros
+/ip/firewall/filter
+add chain=forward action=fasttrack-connection connection-state=established,related connection-mark=no-mark comment="defconf: fasttrack"
+```
+
+### 4. mDNS Repeater
+
+Enables cross-VLAN device discovery (AirPlay, Chromecast).
+
+```routeros
+/ip/dns/set mdns-repeat-ifaces=1-vlan10-mgmt,2-vlan20-trusted,3-vlan25-family,4-vlan30-iot
+```
+
+### 5. IGMP Proxy
+
+Enables multicast forwarding (SSDP/UPnP discovery).
+
+```routeros
+/routing/igmp-proxy/interface
+add interface=4-vlan30-iot upstream=yes threshold=1
+add interface=2-vlan20-trusted upstream=no threshold=1
+add interface=3-vlan25-family upstream=no threshold=1
+add interface=1-vlan10-mgmt upstream=no threshold=1
+```
+
+### 6. DHCP Static Leases
+
+```routeros
+/ip/dhcp-server/lease
+add address=192.168.30.40 mac-address=B0:37:95:79:AF:9B server=dhcp-vlan30 comment="LG TV Ethernet"
+add address=192.168.30.41 mac-address=DC:03:98:6B:5A:3A server=dhcp-vlan30 comment="LG TV WiFi"
+add address=192.168.30.42 mac-address=D0:E7:82:F7:65:DD server=dhcp-vlan30 comment="Chromecast"
+```
+
+### 7. WiFi Access List
+
+```routeros
+/interface/wifi/access-list
+add mac-address=DC:03:98:6B:5A:3A action=accept vlan-id=30 comment="LG TV WiFi"
+add mac-address=D0:E7:82:F7:65:DD action=accept vlan-id=30 comment="Chromecast"
+```
+
+## Troubleshooting
+
+### AirPlay Black Screen on LG TV
+
+**Root cause**: LG TV connected via both Ethernet AND WiFi simultaneously.
+
+The TV advertises AirPlay via mDNS on one interface but streams on the other, creating asymmetric routing. The Mac connects to one IP, but the TV sends return traffic from a different IP.
+
+**Fix**: Use only ONE connection on the TV — either Ethernet or WiFi, not both. Disconnect the unused one in TV settings.
+
+- Ethernet MAC: `B0:37:95:79:AF:9B` → 192.168.30.40
+- WiFi MAC: `DC:03:98:6B:5A:3A` → 192.168.30.41
+
+### Do NOT Use Masquerade NAT
+
+Masquerade (srcnat) was tried to make cross-VLAN traffic appear local. This breaks AirPlay because:
+
+- AirPlay negotiates separate UDP feedback channels (timing port 7010, control 6001, timing 6002)
+- With masquerade, TV sends feedback to the router IP (192.168.30.1) instead of the Mac's real IP
+- Result: control channel works but video/audio never arrives → black screen
+
+### Chromecast Setup Issues
+
+The Chromecast can only be set up via the Google Home app (no web interface).
+
+**Common setup failure**: Google Home app finds the Chromecast via Bluetooth, connects to its setup WiFi hotspot, but then says "Could not communicate with your Chromecast."
+
+**Fix** (on phone before setup):
+1. Disable mobile data
+2. Disable VPN
+3. Turn off "Switch to mobile data when WiFi is unstable"
+4. Enable Location services (required by Google Home)
+5. Clear Google Home app cache
+
+**WiFi requirements**: Chromecast requires **WPA2 with AES/CCMP** encryption. It will NOT connect to networks using TKIP. The XTRM2 (2.4GHz) security profile was changed from TKIP to CCMP to support this:
+
+```routeros
+/interface/wifi/security/set sec-xtrm2 encryption=ccmp
+```
+
+### VPN Interference
+
+If your Mac is connected to WireGuard VPN, the VPN overrides the default route — local traffic bypasses WiFi and goes through the VPN tunnel. Disconnect VPN before casting.
+
+### CAP VLAN Limit
+
+The CAP XL ac may show "maximum VLAN count for interface was reached." If a device can't connect to WiFi, try disabling the CAP interfaces temporarily to force connection to the HAP's radio directly.