diff --git a/10-systems/networks/pfsense-router.md b/10-systems/networks/pfsense-router.md index 02d4bf2..f37801e 100644 --- a/10-systems/networks/pfsense-router.md +++ b/10-systems/networks/pfsense-router.md @@ -1,10 +1,10 @@ --- owner: gmikcon status: active -last_reviewed: 2026-05-09 +last_reviewed: 2026-05-10 review_interval: 90d -confidence: medium -source_of_truth: owner-confirmed +confidence: high +source_of_truth: owner-confirmed-and-ssh-pfsense --- # pfSense Router 
@@ -14,14 +14,62 @@ ## Access - Web UI: `https://192.168.1.1/` +- SSH: `ai_agent_ro@192.168.1.1:22`, read-only access for documentation agents. +- SSH authentication: owner-managed key. - Secret values are not stored in this repository. ## Role - Local network edge. - Firewall and routing point for internal infrastructure. +- DHCP server for `home-lan` and `home-iot-lan`. +- Local DNS resolver through Unbound. +- Local NTP endpoint. - Part of the path between local infrastructure and services reachable through trusted network paths. +## Platform + +- Hostname: `pfSense.home.arpa`. +- OS: pfSense CE `2.7.2`. +- Base system observed over SSH: FreeBSD `14.0-CURRENT`, amd64. + +## Interfaces + +| Interface | Description | Role | Address | MAC | Status | +| --- | --- | --- | --- | --- | --- | +| `re0` | `LANTECH` | `home-iot-lan` | `192.168.2.1/24` | `00:e0:4c:68:07:9f` | active, 1000baseT full-duplex | +| `re1` | none | unused | none | `00:e0:4c:68:39:03` | no carrier | +| `re2` | `LANMAIN` | `home-lan` | `192.168.1.1/24` | `00:e0:4c:68:35:ba` | active, 1000baseT full-duplex | +| `re3` | `WAN` | WAN uplink | `172.32.2.78/24` | `70:85:c2:24:ee:4b` | active, 1000baseT full-duplex | + +## Routing + +Observed routes: + +- Default route: `172.32.2.1` through `re3`. +- `192.168.1.0/24` is directly connected through `re2`. +- `192.168.2.0/24` is directly connected through `re0`. +- Host routes for `8.8.8.8` and `2.2.2.2` are present through `re3`. + +## Local Services + +Observed listening services: + +- SSH: `*:22`. +- Web UI through nginx: `*:80`, `*:443`. +- DHCPv4 through Kea: `192.168.1.1:67`, `192.168.2.1:67`. +- DNS resolver through Unbound: `*:53`. +- Unbound control: `127.0.0.1:953`. +- Syslog: UDP `*:514`. +- NTP: UDP `*:123`, including bindings on `192.168.1.1`, `192.168.2.1`, `172.32.2.78`, and `127.0.0.1`. 
+ +Resolver configuration: + +- `127.0.0.1` +- `8.8.8.8` +- `2.2.2.2` +- Search domain: `home.arpa` + ## Local Network Topology The home network currently consists of two local networks implemented through one custom router with multiple network interfaces. @@ -33,6 +81,7 @@ - Inventory id: `home-lan`. - CIDR: `192.168.1.0/24`. - Gateway: `192.168.1.1`. +- Router interface: `re2` / `LANMAIN`. - Main Wi-Fi SSID: `home`. - Wi-Fi mode: access points, not a separate routed Wi-Fi network. - Access points: 2 nodes. @@ -43,6 +92,7 @@ - Inventory id: `home-iot-lan`. - CIDR: `192.168.2.0/24`. - Gateway: `192.168.2.1`. +- Router interface: `re0` / `LANTECH`. - Purpose: service network for smart-home and IoT devices. - Wi-Fi mode: access points. - Mesh mode: intentionally disabled. @@ -70,4 +120,4 @@ - `192.168.1.101` on `home-lan`; - `192.168.2.101` on `home-iot-lan`. -Further details still need to be documented: exact router OS/configuration, interface names, firewall rules, port forwards, VPN routes, and DNS behavior. +Further details still need to be documented: firewall rules, port forwards, VPN routes, DHCP static mappings, and DNS host overrides. diff --git a/40-inventory/endpoints.yml b/40-inventory/endpoints.yml index 8adcc77..8ac06a8 100644 --- a/40-inventory/endpoints.yml +++ b/40-inventory/endpoints.yml 
@@ -28,8 +28,26 @@ purpose: Local router and firewall administration. auth: required docs: ../10-systems/networks/pfsense-router.md - last_reviewed: 2026-05-09 - source_of_truth: owner-confirmed + last_reviewed: 2026-05-10 + source_of_truth: owner-confirmed-and-ssh-pfsense + +- id: pfsense-ssh + name: pfSense read-only SSH + type: ssh + status: active + exposure: local + protocol: ssh + host: 192.168.1.1 + port: 22 + owner_host: pfsense-router + purpose: Read-only SSH access for infrastructure documentation agents. + auth: ssh-key + user: ai_agent_ro + access: read-only + credential_reference: owner-managed + docs: ../10-systems/networks/pfsense-router.md + last_reviewed: 2026-05-10 + source_of_truth: ssh-pfsense - id: external-vps-http name: External VPS HTTP endpoint diff --git a/40-inventory/hardware.yml b/40-inventory/hardware.yml index 35553b0..2c4a4ea 100644 --- a/40-inventory/hardware.yml +++ b/40-inventory/hardware.yml 
@@ -61,11 +61,49 @@ - router - firewall - local-network-edge + - dhcp-server + - dns-resolver + - ntp-server + os: pfSense CE 2.7.2 + kernel: FreeBSD 14.0-CURRENT management: web: url: https://192.168.1.1/ - network_interfaces: [] + ssh: + host: 192.168.1.1 + port: 22 + user: ai_agent_ro + access: read-only + auth: ssh-key + credential_reference: owner-managed + network_interfaces: + - name: re0 + description: LANTECH + role: home-iot-lan + mac: 00:e0:4c:68:07:9f + ipv4: 192.168.2.1/24 + status: active + media: 1000baseT full-duplex + - name: re1 + role: unused + mac: 00:e0:4c:68:39:03 + status: no-carrier + media: 10baseT half-duplex + - name: re2 + description: LANMAIN + role: home-lan + mac: 00:e0:4c:68:35:ba + ipv4: 192.168.1.1/24 + status: active + media: 1000baseT full-duplex + - name: re3 + description: WAN + role: wan-uplink + mac: 70:85:c2:24:ee:4b + ipv4: 172.32.2.78/24 + status: active + media: 1000baseT full-duplex runs_hosts: [] docs: ../10-systems/networks/pfsense-router.md - last_reviewed: 2026-05-09 - source_of_truth: owner-confirmed + last_reviewed: 2026-05-10 + source_of_truth: ssh-pfsense diff --git a/40-inventory/networks.yml b/40-inventory/networks.yml index 02a1ae4..0052914 100644 --- a/40-inventory/networks.yml +++ b/40-inventory/networks.yml @@ -15,6 +15,9 @@ cidr: 192.168.1.0/24 gateway: 192.168.1.1 owner_host: pfsense-router + router_interface: re2 + router_interface_description: LANMAIN + router_interface_mac: 00:e0:4c:68:35:ba access_layer: switches: true wired_devices: @@ -29,7 +32,7 @@ node_count: 2 docs: ../10-systems/networks/pfsense-router.md last_reviewed: 2026-05-10 - source_of_truth: owner-confirmed + source_of_truth: owner-confirmed-and-ssh-pfsense - id: home-iot-lan name: Home IoT LAN 
@@ -38,6 +41,9 @@ cidr: 192.168.2.0/24 gateway: 192.168.2.1 owner_host: pfsense-router + router_interface: re0 + router_interface_description: LANTECH + router_interface_mac: 00:e0:4c:68:07:9f purpose: Service network for smart-home and other IoT devices. access_layer: switches: true @@ -56,7 +62,22 @@ internet_access: likely-denied docs: ../10-systems/networks/pfsense-router.md last_reviewed: 2026-05-10 - source_of_truth: owner-confirmed + source_of_truth: owner-confirmed-and-ssh-pfsense + +- id: wan-uplink + name: pfSense WAN uplink + type: wan-uplink + status: active + cidr: 172.32.2.0/24 + gateway: 172.32.2.1 + owner_host: pfsense-router + router_interface: re3 + router_interface_description: WAN + router_interface_mac: 70:85:c2:24:ee:4b + router_interface_ipv4: 172.32.2.78/24 + docs: ../10-systems/networks/pfsense-router.md + last_reviewed: 2026-05-10 + source_of_truth: ssh-pfsense - id: libvirt-default name: default diff --git a/90-maintenance/discovery-observations/local-network-scan-2026-05-10.md b/90-maintenance/discovery-observations/local-network-scan-2026-05-10.md index decffbf..f197e84 100644 --- a/90-maintenance/discovery-observations/local-network-scan-2026-05-10.md +++ b/90-maintenance/discovery-observations/local-network-scan-2026-05-10.md 
@@ -55,6 +55,50 @@ - Addresses on dynamic household devices may change and should be treated as observations only. - Unknown Ubuntu hosts are good candidates for SSH-based identification before being added to `hosts.yml`. +## pfSense ARP Snapshot + +Observed from `pfSense.home.arpa` over read-only SSH. These are observations, not canonical inventory records. + +Home LAN on `re2`: + +- `192.168.1.2` +- `192.168.1.3` +- `192.168.1.75` +- `192.168.1.102` +- `192.168.1.130` +- `192.168.1.150` +- `192.168.1.152` +- `192.168.1.154` +- `192.168.1.168` +- `192.168.1.191` +- `192.168.1.202` +- `192.168.1.204` +- `192.168.1.226` +- `192.168.1.245` +- `192.168.1.251` + +IoT LAN on `re0`: + +- `192.168.2.17` +- `192.168.2.21` +- `192.168.2.32` +- `192.168.2.43` +- `192.168.2.50` +- `192.168.2.55` +- `192.168.2.57` +- `192.168.2.66` +- `192.168.2.71` +- `192.168.2.75` +- `192.168.2.80` +- `192.168.2.101` +- `192.168.2.110` +- `192.168.2.115` +- `192.168.2.116` +- `192.168.2.118` +- `192.168.2.124` +- `192.168.2.128` +- `192.168.2.133` + ## Candidates For Follow-Up - `192.168.1.131`
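Review bot: in the `## Local Services` part of the `@@ -14,14 +14,62 @@` hunk of `pfsense-router.md`, SSH `*:22`, nginx `*:80`/`*:443`, Unbound `*:53` and syslog UDP `*:514` are all recorded on the wildcard address, which includes `re3` (the WAN interface), while the same file still lists firewall rules and port forwards as undocumented; add one sentence under "Observed listening services" stating that these are bind addresses and that reachability from the WAN side depends on the firewall rules not yet documented, otherwise the list reads as an exposure list. In the `## Routing` and "Resolver configuration" parts of the same hunk, `2.2.2.2` appears both as a host route through `re3` and as a configured resolver; unlike `8.8.8.8` it is not a widely used public DNS service, so confirm with the owner that it is intended rather than a typo, and note that such host routes to resolver addresses are typically the ones pfSense installs for gateway monitoring.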
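Review bot: the `@@ -28,8 +28,26 @@` hunk of `endpoints.yml` records `access: read-only` for `user: ai_agent_ro` (the same label appears in `pfsense-router.md` and `hardware.yml`) but nothing says how read-only is enforced; an SSH login on pfSense generally lands in a shell or the console menu, so add a field or a line under `access` naming the mechanism (group membership, assigned privileges, or restricted shell) so a later reviewer can verify the claim instead of trusting the label.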
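Review bot: in the `@@ -61,11 +61,49 @@` hunk of `hardware.yml`, the `re1` entry carries `media: 10baseT half-duplex` next to `status: no-carrier`; with no link, the media value is only the NIC's idle negotiation state and carries no information, and the interface table in `pfsense-router.md` leaves it out, so either drop the `media` line for `re1` or comment that it reflects a link-down state, to keep the two records consistent.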
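Review bot: the new `wan-uplink` record in the `@@ -56,7 +62,22 @@` hunk of `networks.yml` sets `cidr: 172.32.2.0/24` and `gateway: 172.32.2.1`; that range lies outside RFC 1918 space (`172.16.0.0/12` ends at `172.31.255.255`), so it is either a provider-assigned public block or a typo for a private one. Since `source_of_truth: ssh-pfsense` only says the address was observed, confirm the intent with the owner and decide whether the repository should carry the WAN address at all, given the "Secret values are not stored in this repository" line in the router document.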
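Review bot: the `## pfSense ARP Snapshot` section added in the `@@ -55,6 +55,50 @@` hunk of `local-network-scan-2026-05-10.md` has no capture time, and ARP entries expire, so absence from the list says nothing about whether a host is down; for instance `192.168.2.101` is present under `re0` while `192.168.1.101`, which the router document's context lines place on `home-lan`, is missing under `re2`. Add the time the table was read and a one-line caveat that the snapshot only reflects hosts that had recently exchanged traffic with the router.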