I really dislike the JSON way to handle multiple public IPs on the USG. The EdgeRouter is much friendlier to use with multiple IPs, but the USG has more security features I'm into for my clients. What is the best way to set up an IPsec site-to-site from outside to reach any of the USG-PRO LAN# spaces when it sits behind another router (ER6P)?
Site1 ---> ER6P (Internet) eth0 192.0.0.1/24 --- eth1 10.1.1.1/24 ----> USGPRO WAN 10.1.1.2/24 --- LAN1 10.10.1.1/24
Site2 ---> ER6P (Internet) eth0 220.127.116.11/24 --- eth1 10.2.2.1/24 ----> USGPRO WAN 10.2.2.2/24 --- LAN1 10.20.2.1/24
Currently right now I'm seeing the USG-PRO WAN (10.1.1.2 or 10.2.2.2) when sourcing on either end of the tunnel instead of the real IP from their LAN#. That's not good when needing to restrict IPs with multiple IPsec tunnels.