Connecting to a VLAN behind a router through PepVPN

In the diagram below, I am trying to connect to the Client VLAN from Site B. Site B is connected to a Balance at Site A via PepVPN. From the Balance, traffic should go out through LAN2, which is set up as Access using the Routing VLAN, and hit the gateway to the router. I have a static route set up on the Balance for 192.168.199.0/24 to pass to 192.168.207.3. I can ping the .3 address from the Balance, but not from the BR1 at Site B. In the list of networks that are broadcast over the VPN, I can see the 192.168.207.0/24 network.


Assuming there is no ACL on the “corporate network router”, this seems to me to be either a missing route, or there is NAT at some stage that is making things not as clear.

Some quick things to look at:

  1. What is the subnet on the LAN side of the BR1 at Site B?
  2. Does that route exist on the Balance at Site ?
  3. Is there NAT on the PepVPN tunnel at all?

I’d expect you’d need a route on your “Corporate network router” to tell it to send traffic for the Site B subnet via the Balance.

  1. Network on LAN side of BR1 is 10.0.45.0/24
  2. Route on Balance forwards 192.168.199.0/24 to 192.168.207.3
  3. I don’t believe there is NAT on the VPN tunnel.

Some other notes… I can ping from the “Routing VLAN” interface on the Balance all the way to the client in the ClientVLAN, using the route. I can ping from the Client VLAN all the way to the clients on the LAN side of the BR1.

Interesting - but you say it does not work the other way around, as in a client behind the BR1 cannot initiate a connection to a client in 192.168.199.0/24 - to me that suggests maybe an ACL, or a missing return route if you are sure there is no NAT on the PepVPN (sounds like you are correct as you can ping end to end from the Balance to a client behind the BR1).

I’d verify what the “corporate network router” has in its routing table for 10.0.45.0/24 and if that looks good I’d possibly check for an ACL - is the “corporate network router” really a firewall and therefore stateful in one direction, as in clients behind it are allowed to establish connections but it drops traffic coming in if there is no related outbound connection?

What happens if you trace route from a client behind the BR1 to an address in the 192.168.199.0/24 subnet - where does the traffic stop?

It stops at the BR1 lan interface. I even added an Outbound Policy pointing both the routing vlan and the destination vlan to the Routing VLAN address. I still can’t ping the gateway address on the “corp router”.

I did just get it working… by adding a static route on the “corp network router”. I am trying to use policy based routing on it (pfsense). This is fine too… will just have to lock down the firewall rules harder…
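The return-route explanation raised earlier in the thread, and the fix the OP eventually applied, can be checked with a small longest-prefix-match routing simulator. This is an added example, not code from the thread or from Peplink or pfSense: it models the three devices with the addresses the thread gives (Site B LAN 10.0.45.0/24, Routing VLAN 192.168.207.0/24 with the corp router at 192.168.207.3, Client VLAN 192.168.199.0/24, and the Balance's static route). The PepVPN tunnel endpoints, the Balance LAN2 address, and the assumption that the BR1 holds a route for 192.168.199.0/24 via the tunnel are constructed for the example and not stated in the thread.

```python
"""Constructed routing simulator (not from the thread): shows the forward
path from Site B succeeding while the reply path from the Client VLAN is
dropped at the corp router until it has a route for 10.0.45.0/24."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# A route is (prefix, next-hop). next-hop None means the prefix is directly
# connected, so a packet for it is delivered locally at that device.
Route = Tuple[ipaddress.IPv4Network, Optional[str]]


class Device:
    """One router with a static routing table and longest-prefix lookup."""

    def __init__(self, name: str, routes: List[Tuple[str, Optional[str]]]):
        self.name = name
        self.routes: List[Route] = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst: str) -> Optional[Route]:
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


# Addresses marked "assumed" are not in the thread; they only exist so that
# next hops can be resolved to a device.
BALANCE_TUNNEL = "10.255.0.1"   # assumed PepVPN endpoint on the Balance
BR1_TUNNEL = "10.255.0.2"       # assumed PepVPN endpoint on the BR1
BALANCE_LAN2 = "192.168.207.2"  # assumed Balance address on the Routing VLAN
CORP_ROUTER = "192.168.207.3"   # from the thread: next hop of the Balance's static route

# Maps a next-hop address to the device that owns it.
OWNERS = {BALANCE_TUNNEL: "Balance", BR1_TUNNEL: "BR1",
          BALANCE_LAN2: "Balance", CORP_ROUTER: "CorpRouter"}


def build_topology(corp_has_return_route: bool) -> Dict[str, Device]:
    """Return the three devices; the flag models the static route the OP
    added on the corp router (pfSense) for the Site B subnet."""
    corp_routes = [("192.168.207.0/24", None), ("192.168.199.0/24", None)]
    if corp_has_return_route:
        corp_routes.append(("10.0.45.0/24", BALANCE_LAN2))
    return {
        "BR1": Device("BR1", [
            ("10.0.45.0/24", None),                # Site B LAN (from the thread)
            ("192.168.207.0/24", BALANCE_TUNNEL),  # advertised over PepVPN (from the thread)
            ("192.168.199.0/24", BALANCE_TUNNEL),  # assumed: reachable via the tunnel
        ]),
        "Balance": Device("Balance", [
            ("192.168.207.0/24", None),            # LAN2, Routing VLAN
            ("10.0.45.0/24", BR1_TUNNEL),          # Site B LAN over PepVPN
            ("192.168.199.0/24", CORP_ROUTER),     # the static route from the thread
        ]),
        "CorpRouter": Device("CorpRouter", corp_routes),
    }


def trace(devices: Dict[str, Device], start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow a packet device by device. The path ends with DELIVERED when
    the destination is on a connected network, or names where it was dropped."""
    path = [start]
    current = start
    for _ in range(max_hops):
        route = devices[current].lookup(dst)
        if route is None:
            path.append(f"NO ROUTE at {current}")
            return path
        next_hop = route[1]
        if next_hop is None:
            path.append("DELIVERED")
            return path
        current = OWNERS[next_hop]
        path.append(current)
    path.append("LOOP")
    return path


def round_trip(corp_has_return_route: bool, client_b: str = "10.0.45.20",
               client_vlan_host: str = "192.168.199.50") -> Tuple[List[str], List[str]]:
    """Forward path from a Site B client, then the reply path from the
    Client VLAN host. Both must end in DELIVERED for a ping to succeed."""
    devices = build_topology(corp_has_return_route)
    forward = trace(devices, "BR1", client_vlan_host)
    reply = trace(devices, "CorpRouter", client_b)
    return forward, reply


if __name__ == "__main__":
    for fixed in (False, True):
        fwd, rep = round_trip(fixed)
        print(f"corp router has a route for 10.0.45.0/24: {fixed}")
        print("  forward:", " -> ".join(fwd))
        print("  reply:  ", " -> ".join(rep))
```

Running it shows the forward path reaching the Client VLAN in both cases, while the reply is dropped at the corp router until the 10.0.45.0/24 route exists there. It also shows why pinging from the Balance's Routing VLAN interface worked all along: the reply goes to 192.168.207.x, which the corp router has as a connected network, so no extra route is needed for that test. A stateful firewall or source NAT on pfSense, as noted later in the thread, would be a separate check on top of this routing view.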

Well at least it’s working… I would be tempted to say try the FRR package on pfSense and turn up dynamic routing to the Balance using OSPF or BGP :)

Bear in mind that pfSense is a stateful firewall out of the box, as well as the default config will perform source NAT on traffic passing from the LAN to WAN interfaces so depending on how you have that configured you may need some explicit config to make sure traffic going through it is not NAT’d unnecessarily and also rules in both directions to permit traffic.

I am not using the WAN interface on the firewall. Have LAN1 connected to the aggregation switch on the corp network side and LAN2 connected to the LAN2 on the Balance.