10.233.100.0/24

10.100.100.0/24 over the tunnel to RZ

10.100.0.0/24 + 10.200.0.0/24 over the tunnel to Home

Single tunnel between the two sites. A redundant tunnel via the same
physical pfSense pair adds no resilience — both endpoints would die together
if either pfSense VM did. A redundant tunnel would only help against
ISP-level path failure. Accepted SPoF per
Standards / No-compromises baseline.
There are 3 separate OpenVPN servers on RZ pfSense for user remote access
(separate from the site-to-site). Document per-server in a follow-up page.