You mean your vpn endpoint to these remote sites is to some device inside 2lan?
Or do these remote vpns actually endpoint to pfsense and you only allow traffic to and from 2lan?
That makes no sense..
Draw a picture, I am stupid ;) What do you mean by termination to 2lan?
You have this?
So you advertise 192.168.2 and 192.168.1 to the left side, and right side knows that 192.168.0/24 is down the tunnel?
Well what does your routing table look like in pfsense?
Are you forcing lan out a gateway - what do the lan rules look like? What are the 2lan rules?
Well then it's not going to work, how would 2lan be getting there then??? And you're saying these remote sites use public IP space inside their network?
nic2, 3 and 4 are all in the same segment?? 192.168.0/24 WTF??? Makes ZERO sense!! and pfsense wouldn't even let you set that up..
And your networks at your remote sites are all the same 192.168.0/24
Yeah that is clearly not correct…
So where are your rules on your lan? And sorry, but pfsense would have to have routes showing that it needs to go down the vpn to get to those remote sites or lan2 would never be able to get there.
My guess is you're forcing your lan out your wan gateway via a rule on the lan interface.