I have a site with 13 BM3.6 sites connected via site-to-site VPN;
another 3 sites are BM3.8 working in slave mode, also connecting to the
BM3.6 master.

I would like a client VPN connection to the master site and for the
connection to be able to traverse the site-to-site VPN without a
problem. I know this will not work using the existing BM3.6, so I
would like to install a second BM3.8 server on the internal net and
configure the BM3.6 server to forward all VPN requests to it.

1. Will BM3.6 (acting as the firewall) be able to forward all the
necessary traffic to the internal server?
2. Will BM3.8 work when using a private IP (I will static NAT a public
address to it using the 3.6 server)?
3. Am I right in thinking this will enable the connected user to browse
the entire WAN?
4. Since this is only for 1 user, can I get away with one BM license?

I cannot upgrade the existing 3.6 in the master site to 3.8 at the
moment so that is out of the question.