The two sites are connected by an IPSec hardware tunnel implemented in two pfsense 2.4.4 appliances. One side is 192.168.0.0/24, and the other side is 192.168.1.0/24:
I use the VPN daily for WFH activities that require access to the fileserver, etc., and now I have my backup copy jobs running over it as well.
But I'd like to guard further against a malware attack at the office by making my remote repo harder to get to.
Would it help if I assigned a 2nd IP address on the 2nd LAN port of VeeamBox1, say 172.16.0.2, and then used something like 172.16.1.2 on VeeamBox2, with a separate tunnel defined for them, so that the only path to the backup repo is through the VeeamBox1, and so that nothing else on either network "knows" about the remote repo, other than VeeamBox1 and the pfsense routers?* Both of the Veeam boxes have 2 Ethernet ports.
I'll shortly have all 3 of the backup boxes out of the work domain, as well, so that they can't be compromised by the domain admin password.
*(VeeamBox1 manages the job that backs up the S12R2E box to VeeamBox2, so the S12R2E doesn't talk to VeeamBox2 directly. Or at least I don't think it does. Would the data from the S12R2E box pass through VeeamBox1 on its way to VeeamBox2? Or would VeeamBox1 attempt to get S12R2E connected directly to VeeamBox2 and then get out of the way? If they do talk directly, then I suppose I could assign a 2nd 172.16.0.x address to the S12R2E box, as it also has 2 Ethernet ports. )
Does pfsense support two tunnels like this? The Netgate APU appliance on one side has 3 Ethernet ports, WAN, LAN, and OPT, the latter of which I'm not using for anything. The Netgate MBT-2220 on the other side has only WAN and LAN.