diff --git a/session-logs/2026-04-17-session.md b/session-logs/2026-04-17-session.md index 6a64c1b..b070a63 100644 --- a/session-logs/2026-04-17-session.md +++ b/session-logs/2026-04-17-session.md 
@@ -173,3 +173,45 @@ Built `/syncro` slash command for ticket management via Syncro REST API. 6. **MVAN other domains** — only mvaninc.com has DMARC; client has other domains needing protection 7. **GoDaddy delegate API limitation** — can't manage delegate domains via API; need client's own API key for programmatic DNS 8. **All carry-over items from 2026-04-16** (Howard onboarding, GuruRMM migration drift, Len's deployment, etc.) + +--- + +## Update: 13:00 — vault fix, Ollama Tailscale, Howard review + +### Cascades pfSense vault fix +- Deleted stale `clients/dataforth/cascades-router.sops.yaml` (wrong password `a6A6c6fe`, misfiled under dataforth) +- Created `clients/cascades-tucson/pfsense-firewall.sops.yaml` with correct password `Th1nk3r^99` +- Howard caught the discrepancy during Cascades onsite work + +### Ollama shared via Tailscale +- Set `OLLAMA_HOST=0.0.0.0:11434` (User env var, persists) +- Added Windows Firewall rule: port 11434 inbound, restricted to 100.0.0.0/8 (Tailscale subnet only) +- Verified: `http://100.92.127.64:11434/` → "Ollama is running" via Tailscale IP +- All 3 models accessible remotely (qwen3:14b, codestral:22b, nomic-embed-text) +- CLAUDE.md updated: per-machine URL detection (localhost for DESKTOP-0O8A1RL, Tailscale IP for all others) +- ONBOARDING.md updated: Howard doesn't need local Ollama install + +### Howard's session reviewed +- Cascades: folder redirection (primary computer GPO issue) + WiFi (TP-Link USB driver + UniFi roaming) +- EVS: Win11 right-click menu fix (was actually Mike's session, miscategorized) +- Vault hygiene: caught wrong Cascades pfSense password — fixed above +- Ollama: his ARM64 laptop can't run models locally — resolved via Tailscale sharing + +### jparkinsonaz.com DNS (continued) +- IX DNS cluster sync required after zone edits: `/usr/local/cpanel/scripts/dnscluster synczone jparkinsonaz.com` +- `pdns_control reload` needed on top of PowerDNS restart for zone changes to take effect +- Certbot for 
autodiscover should work once root A record TTL (14400s) expires and propagates to 67.206.163.124 + +### Credentials (this update) + +#### Cascades pfSense +- Host: 192.168.0.1 +- Username: admin +- Password: `Th1nk3r^99` +- Vault: `clients/cascades-tucson/pfsense-firewall.sops.yaml` + +#### Ollama Tailscale access +- Mike's Tailscale IP: 100.92.127.64 +- Ollama URL: `http://100.92.127.64:11434` +- Firewall: inbound TCP 11434 from 100.0.0.0/8 only +- Env var: `OLLAMA_HOST=0.0.0.0:11434` (User scope on DESKTOP-0O8A1RL)
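Review bot: The added "Cascades pfSense vault fix" and "Credentials (this update)" sections write the pfSense admin password (and the stale one it replaced) in clear text into a session log tracked in git, which defeats the purpose of storing it in `clients/cascades-tucson/pfsense-firewall.sops.yaml`. Keep only the vault path in the log, drop both password values, and rotate the pfSense admin password, since a value that lands in a commit stays in history. A second point in the "Ollama shared via Tailscale" section: the firewall scope `100.0.0.0/8` is described as "Tailscale subnet only", but Tailscale assigns addresses from 100.64.0.0/10 and the rest of 100.0.0.0/8 is publicly routable space. With `OLLAMA_HOST=0.0.0.0:11434` listening on every interface, the inbound rule should be narrowed to 100.64.0.0/10, or to the specific tailnet peers that need access.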