Hello,
Yes, your understanding is correct.
For a setup where pfSense needs to reach a remote network through the RUTM10 using IPsec and SNAT, you normally must add a manual SNAT rule on the RUT so that traffic from the pfSense network (10.20.30.0/24) is translated into an address known to the remote network, like the RUTM10 LAN IP (172.20.0.1). This is typically done by adding a custom iptables rule via the WebUI (Network → Firewall → Custom Rules).
Additionally, I suggest reviewing similar example threads that might bring useful insights and be helpful here:
- Access via VPN without Default gateway
- NAT Through IPSEC Tunnel
- Specify source interface for BGP learned routes
Feel free to reach out if you need assistance with setting up iptables or struggle with anything.
Kind Regards,
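
The SNAT rule described in the reply above, written as a Custom Rules shell snippet; this is an added example and not part of the original post. The source network and SNAT address are the ones quoted in the reply; `REMOTE_NET` is a placeholder for the remote subnet, which the post does not state, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post.
# From the post: pfSense network 10.20.30.0/24, RUTM10 LAN IP 172.20.0.1.
# Assumption: REMOTE_NET is a placeholder (RFC 5737 documentation range);
# replace it with the remote subnet reached through your IPsec tunnel.
SRC_NET="10.20.30.0/24"
SNAT_IP="172.20.0.1"
REMOTE_NET="${REMOTE_NET:-192.0.2.0/24}"

# Succeeds only for a dotted-quad IPv4 address with an optional /0-32 prefix.
is_ipv4() {
    addr=${1%/*}
    [ "$addr" = "$1" ] && prefix=32 || prefix=${1#*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Build the rule arguments; refuse malformed input instead of passing it on.
# The rule is scoped to one source and one destination so that no other
# traffic leaving the router is rewritten.
snat_rule() {
    is_ipv4 "$1" && is_ipv4 "$2" && is_ipv4 "$3" || return 1
    case "$3" in */*) return 1 ;; esac   # --to-source takes a host address
    echo "POSTROUTING -s $1 -d $2 -j SNAT --to-source $3"
}

# Insert the rule at the top of nat/POSTROUTING so it is evaluated before
# the other NAT rules. DRY_RUN=1 (the default here) only prints the command.
apply_snat() {
    rule=$(snat_rule "$SRC_NET" "$REMOTE_NET" "$SNAT_IP") || return 1
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "iptables -t nat -I $rule"
        return 0
    fi
    # -C checks for an identical rule, so firewall reloads do not stack copies.
    iptables -t nat -C $rule 2>/dev/null || iptables -t nat -I $rule
}

apply_snat
```

Set `DRY_RUN=0` once the printed command matches your addressing; `iptables -t nat -L POSTROUTING -n -v` then shows whether the rule's packet counter increases when pfSense sends traffic to the remote network.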