What would be the easiest way to provide access to the "End devices" in the picture? I need to access just a few TCP/IP ports.
I can use SSH port forwarding, maybe using security/autossh to make it persistent (in pfSense?). Would it be reliable? A fully functional VPN may be overkill for this case (are there good how-tos for FreeBSD anyway?).
Thanks for the advice!
The reason I didn't get into the discussion was that I am confused by your network topology. You also didn't tell us what your end device is. Is it a UNIX/UNIX-like workstation, or Windows, or some kind of Android or other handheld device (even ROKY)?
In general your choices are SSH, L2TP/IPsec, OpenVPN, PPTP, tinc, poptop, ocserv (open source server implementing the AnyConnect SSL VPN protocol), mlvpn. I have worked with most of those things. IIRC pfSense comes with pre-installed, semi-configured OpenVPN, L2TP/IPsec, and PPTP (PPTP should never be used in this day and age).
If your end device is a UNIX-like workstation, then for a connection which should last up to a week SSH is perfectly fine. If you need a VPN connection which will be stable for many months, possibly years, OpenVPN (which we use in my lab to isolate our desktop machines from the rest of our university infrastructure) is a good choice, and a connection, once established, is generally stable for up to 6 months, when I typically upgrade our OpenVPN server, which runs on OpenBSD.
L2TP/IPsec is the way to go with Windows clients, less so with Linux/FreeBSD (I am not a fan of OpenSWAN). Setting up an L2TP/IPsec server on OpenBSD is a 10-minute thing. I am not sure about FreeBSD.
I have never played with ocserv but I have long experience with Cisco VPN appliances. They are crappy but plug and play which makes them a first choice where money is not an issue but the knowledge is in short supply.
I have heard good things about tinc but never used it in production on a paid job. I have never played with mlvpn.
In general IPsec should be the number one choice if you are connecting routers and creating true private networks with multiple subnets over the Internet. I am not sure how easy it is to set up IPsec on FreeBSD, but on OpenBSD it is a breeze.