Hello, my first post here.
I have two opnsense A and B running with fixed IP addresses and VPN ipsec net-to-net. The tunnels are running well with IPv4 tunnel. I can access all machines from one network A to the other network B. Also I have some web-services behind the haproxy in network B with let's encrypt ACME which is running well also and is available from internet.
What I'm trying to do: have a "server A" with a webservice in network A (behind firewall) and want to access this webservice as a "real server" from haproxy B. That does not work. When I go by using SSH onto OPNSense B and try to ping this (Server A) address - it is NOT reachable. Other adresses in network A are also NOT reachable by ping from firewall. Is that normal? There is just "no response" from the other side when pinging from firewall itself.
Server A with Webservice (192.168.112.112:80)
Network A (192.168.112.0/24) 
   |
   |
OPNSense A (LAN 192.168.112.1)
   |
   |
VPN Internet
   |
   |
haproxy B
OPNSense B  (LAN 192.168.111.1)
   |
   |
Network B (192.168.111.0/24)
Open SSH session to OPNSense B:
root@ext-firewall:~ # ping 192.168.112.112
PING 192.168.112.112 (192.168.112.112): 56 data bytes
^C
--- 192.168.112.112 ping statistics ---
7 packets transmitted, 0 packets received, 100.0% packet loss
So it seems that the route goes NOT thru the IPV4 Tunnel when access from local firewall or may be is blocked by firewall rule.
When I ping that host with webservice in network A from another host in network B that is possible and also I can access that webservice on host in network A from a browser in network B.
What must be configured to get this connection from haproxy in firewall B to reach a service behind firewall A - routed by IPV4 tunnel?
Thank you in advance
			
			
			
				Hello guys.
I updated my original post and made an illustration. Anyone an idea why I can not ping other side from local OPNSense?
			
			
			
				Hi
Sorry, don't use ipsec anymore and can confuse something but I think this applies to all freebsd systems: you need to add a static route to route traffic from site-to-site ipsec-endpoint  itself. like https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-s2s-psk.html#ipsec-pfsensetraffic
			
			
			
				Thank you. That did the trick. No firewall rules needed - thanks god  ;)
I did on each side:
1. System -> Gateways -> Single
-> Add a Gateway. Leave all Fields default. Type a name like "Firewall_Myself" and use the LAN IP Address as "IP Address"
2. System -> Routes -> Configuration
-> Add a Network Address like 192.168.111.0/24 which is the remote LAN of the other Network "behind" the tunnel.  Select the local Gateway from (1)
Works great!
Case solved