diff --git a/wiki/systems/pfsense.md b/wiki/systems/pfsense.md new file mode 100644 index 0000000..e594415 --- /dev/null +++ b/wiki/systems/pfsense.md 
@@ -0,0 +1,65 @@ +--- +type: system +name: pfsense +display_name: pfsense (ACG Gateway/Firewall) +last_compiled: 2026-05-25 +compiled_by: DESKTOP-0O8A1RL/claude-main +sources: + - session-logs/2026-05-25-session.md +backlinks: + - systems/gururmm-build + - systems/jupiter +--- + +# pfsense (ACG Gateway/Firewall) + +## Identity + +| Field | Value | +|-------|-------| +| Role | Primary gateway, firewall, and router for ACG office LAN | +| LAN IP | **172.16.0.1** | +| SSH port | **2248** | +| Tailscale IP | 100.119.153.74 | +| OS | FreeBSD (pfSense) | + +--- + +## Network + +| Interface | Subnet | Notes | +|-----------|--------|-------| +| LAN | 172.16.0.0/22 | ACG office LAN (172.16.0.x – 172.16.3.x) | +| WAN | (DHCP/static from ISP) | External IP 98.181.90.163 (as seen from Tailscale) | +| Tailscale | 100.119.153.74 | Active peer, direct connection | + +pfsense is the **default gateway** for all ACG LAN devices. The build server (172.16.3.30) has `via 172.16.0.1` as its default route. + +--- + +## Tailscale + +pfsense is a Tailscale peer (`active; direct 98.181.90.163:41641`). It serves as the Tailscale subnet router for the ACG LAN. LAN machines route Tailscale traffic (`100.0.0.0/8`) through pfsense. + +**Build server static route (added 2026-05-25):** +``` +172.16.3.30 → 100.0.0.0/8 via 172.16.0.1 +``` +Persisted in `/etc/netplan/00-installer-config.yaml` on the build server. This allows the GuruRMM server to reach Beast's Ollama at `100.101.122.4:11434`. + +--- + +## SSH Access + +```bash +ssh -p 2248 @172.16.0.1 +# From outside LAN, use Tailscale IP: +ssh -p 2248 @100.119.153.74 +``` + +--- + +## Key Rules + +- **Do not restart or apply firewall rules without user confirmation** — pfsense is the single point of failure for the entire ACG LAN. +- Any changes to NAT, firewall rules, or routing should be confirmed before applying.
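Review bot: the two commands in the `## SSH Access` fenced block omit the username before `@` (`ssh -p 2248 @172.16.0.1` and `ssh -p 2248 @100.119.153.74`), so neither runs as written; either fill in the intended account or use an explicit placeholder such as `ssh -p 2248 <user>@172.16.0.1` so a reader knows what to substitute. Also consider whether the external WAN address (`98.181.90.163`) and the Tailscale peer endpoint need to be recorded in this wiki page at all, since the same hunk already captures the LAN and Tailscale addresses needed to reach the box; if they stay, note the intended audience of `wiki/systems/` in the front matter.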