diff --git a/docs/architecture/networking.md b/docs/architecture/networking.md index 34f2424a..6313229f 100644 --- a/docs/architecture/networking.md +++ b/docs/architecture/networking.md @@ -115,6 +115,14 @@ VMs tag traffic on vmbr1 to isolate workloads. pfSense bridges VLAN 20 to the up - Client source IPs are preserved (no SNAT on 192.168.1.x → 10.0.20.x path) - Technitium logs show real per-device IPs for analytics +**Split Horizon / Hairpin NAT fix (192.168.1.0/24 → *.viktorbarzin.me)**: +- TP-Link router does NOT support hairpin NAT — LAN clients can't reach the public IP (176.12.22.76) for non-proxied domains +- Technitium's Split Horizon `AddressTranslation` post-processor translates `176.12.22.76 → 10.0.20.200` (Traefik LB) in DNS responses for 192.168.1.0/24 clients +- DNS Rebinding Protection has `viktorbarzin.me` in `privateDomains` to allow the translated private IP +- Only affects non-proxied domains (ha-sofia, immich, headscale, etc.) — Cloudflare-proxied domains resolve to Cloudflare IPs and are unaffected +- Other clients (10.0.x.x, K8s pods) are NOT translated — they reach the public IP via pfSense outbound NAT +- Config synced to all 3 Technitium instances by CronJob `technitium-split-horizon-sync` (every 6h) + **K8s cluster DNS path**: - CoreDNS forwards `.viktorbarzin.lan` to Technitium ClusterIP (10.96.0.53) - CoreDNS forwards public queries to pfSense (10.0.20.1), 8.8.8.8, 1.1.1.1
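Review bot: the DNS Rebinding Protection bullet documents a broader exemption than the translation it exists to permit, and the doc should say so: the `AddressTranslation` rule is scoped to 192.168.1.0/24 clients and a single mapping (`176.12.22.76 → 10.0.20.200`), whereas putting `viktorbarzin.me` in `privateDomains` (as written, the apex) lets any record under that domain that resolves to a private address pass the rebinding check, for every client the bullet does not otherwise restrict. Suggest stating that scope explicitly and noting whether the exemption can be limited to the non-proxied hostnames actually translated (ha-sofia, immich, headscale, etc.) rather than the whole domain. Separately, the CronJob bullet (`technitium-split-horizon-sync`, every 6h) should name where the source-of-truth config lives and what an operator sees when sync fails or lags: per the bullets above, an out-of-date instance hands LAN clients the public IP again, which looks like the original hairpin NAT failure rather than a sync problem.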